diff options
Diffstat (limited to 'include')
-rw-r--r-- | include/osdetection | 5 | ||||
-rw-r--r-- | include/tests_authentication | 2 | ||||
-rw-r--r-- | include/tests_boot_services | 3 | ||||
-rw-r--r-- | include/tests_filesystems | 15 | ||||
-rw-r--r-- | include/tests_kernel | 120 | ||||
-rw-r--r-- | include/tests_malware | 18 | ||||
-rw-r--r-- | include/tests_networking | 4 | ||||
-rw-r--r-- | include/tests_ports_packages | 2 | ||||
-rw-r--r-- | include/tests_ssh | 2 |
9 files changed, 105 insertions, 66 deletions
diff --git a/include/osdetection b/include/osdetection index a4d3aa41..c91c69ec 100644 --- a/include/osdetection +++ b/include/osdetection @@ -244,6 +244,11 @@ OS_NAME="Flatcar Linux" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "funtoo") + LINUX_VERSION="Funtoo" + OS_FULLNAME="Funtoo Linux" + OS_VERSION="Rolling release" + ;; "garuda") LINUX_VERSION="Garuda" OS_FULLNAME="Garuda Linux" diff --git a/include/tests_authentication b/include/tests_authentication index 2712aa34..1718f99a 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -916,7 +916,7 @@ LogText "Result: found one or more accounts without password" for I in ${FIND2}; do LogText "Account without password: ${I}" - Report "account_without_password=${I}" + Report "account_without_password[]=${I}" done Display --indent 2 --text "- Accounts without password" --result "${STATUS_WARNING}" --color RED ReportWarning "${TEST_NO}" "Found accounts without password" diff --git a/include/tests_boot_services b/include/tests_boot_services index 42efc80d..4a5fb3df 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -112,6 +112,9 @@ runit) SERVICE_MANAGER="runit" ;; + openrc-init) + SERVICE_MANAGER="openrc" + ;; *) CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd") if [ -n "${CONTAINS_SYSTEMD}" ]; then diff --git a/include/tests_filesystems b/include/tests_filesystems index ce93b018..480ba40a 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -619,7 +619,6 @@ Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_PARTIALLY_HARDENED}" --color YELLOW AddHP 4 5 else - # if if ContainsString "defaults" "${FOUND_FLAGS}"; then LogText "Result: marked ${FILESYSTEM} options as default (not hardened)" Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_DEFAULT}" --color YELLOW @@ -838,13 +837,13 @@ fi FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) if [ -n "${FIND}" ]; then - FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then - Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN - LogText "Result: module ${FS} is blacklisted" - fi - fi + FIND1=$(${EGREPBINARY} "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${EGREPBINARY} "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then + Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN + LogText "Result: module ${FS} is blacklisted" + fi + fi done if [ ${FOUND} -eq 1 ]; then Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}" diff --git a/include/tests_kernel b/include/tests_kernel index 610fd325..c1977985 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -368,14 +368,14 @@ # # Test : KRNL-5788 # Description : Checking availability new kernel - if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || - [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then + if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then PREQS_MET="YES" else PREQS_MET="NO" fi Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel" if [ ${SKIPTEST} -eq 0 ]; then + FINDKERNEL="" HAS_VMLINUZ=0 LogText "Test: Searching apt-cache, to determine if a newer kernel is available" if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then @@ -384,62 +384,69 @@ if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then HAS_VMLINUZ=1 if [ -f ${ROOTDIR}vmlinuz ]; then - FINDVMLINUZ=${ROOTDIR}vmlinuz + FINDVMLINUZ="${ROOTDIR}vmlinuz" else - FINDVMLINUZ=${ROOTDIR}boot/vmlinuz + FINDVMLINUZ="${ROOTDIR}boot/vmlinuz" fi LogText "Result: found ${FINDVMLINUZ}" LogText "Test: checking readlink location of ${FINDVMLINUZ}" FINDKERNFILE=$(readlink -f ${FINDVMLINUZ}) LogText "Output: readlink reported file ${FINDKERNFILE}" - LogText "Test: checking package from dpkg -S" + LogText "Test: checking relevant package using output from dpkg -S" FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}') LogText "Output: dpkg -S reported package ${FINDKERNEL}" elif [ -e ${ROOTDIR}dev/grsec ]; then - FINDKERNEL=linux-image-$(uname -r) + FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}" elif [ -e ${ROOTDIR}etc/rpi-issue ]; then - FINDKERNEL=raspberrypi-kernel + FINDKERNEL="raspberrypi-kernel" LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian" - elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then - FINDKERNEL=linux-image-$(uname -r) + elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then + FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No" else - LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." + LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz" fi - LogText "Test: Using apt-cache policy to determine if there is an update available" - FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - LogText "Kernel installed: ${FINDINST}" - LogText "Kernel candidate: ${FINDCAND}" - if IsEmpty "${FINDINST}"; then - Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW - LogText "Result: Exception occurred, no output from apt-cache policy" - if [ ${HAS_VMLINUZ} -eq 1 ]; then - ReportException "${TEST_NO}:01" - ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" - fi - LogText "Result: apt-cache policy did not return an installed kernel version" + + if IsEmpty "${FINDKERNEL}"; then + LogText "Result: could not check kernel update status as kernel is unknown" else - if [ "${FINDINST}" = "${FINDCAND}" ]; then - if [ -e /dev/grsec ]; then - Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN - LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" - ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" - else - Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN - LogText "Result: no kernel update available" + LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing" + LogText "Test: Using apt-cache policy to determine if there is an update available" + FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + LogText "Kernel installed: ${FINDINSTALLED}" + LogText "Kernel candidate: ${FINDCANDIDATE}" + if IsEmpty "${FINDINSTALLED}"; then + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW + LogText "Result: Exception occurred, no output from apt-cache policy" + if [ ${HAS_VMLINUZ} -eq 1 ]; then + ReportException "${TEST_NO}:01" "Found vmlinuz (${FINDVMLINUZ}) but could not determine the installed kernel using apt-cache policy" + ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" fi + LogText "Result: apt-cache policy did not return an installed kernel version" else - Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW - LogText "Result: kernel update available according 'apt-cache policy'." - ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" + if [ "${FINDINSTALLED}" = "${FINDCANDIDATE}" ]; then + if [ -e /dev/grsec ]; then + Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN + LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" + ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" + else + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN + LogText "Result: no kernel update available" + fi + else + Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW + LogText "Result: kernel update available according 'apt-cache policy'." + ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" + fi fi fi else - LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests." + LogText "Result: could NOT find ${ROOTDIR}usr/bin/apt-cache, skipped other tests." fi + unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ fi # ################################################################################# @@ -615,25 +622,29 @@ Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel" if [ ${SKIPTEST} -eq 0 ]; then REBOOT_NEEDED=2 - FILE="${ROOTDIR}var/run/reboot-required.pkgs" - LogText "Test: Checking presence ${FILE}" - if [ -f ${FILE} ]; then - LogText "Result: file ${FILE} exists" - FIND=$(${WCBINARY} -l < ${FILE}) - if [ "${FIND}" = "0" ]; then - LogText "Result: No reboot needed (file empty)" - REBOOT_NEEDED=0 + for FILE in "${ROOTDIR}var/run/reboot-required.pkgs" "${ROOTDIR}var/run/needs_restarting" + do + LogText "Test: Checking presence ${FILE}" + if [ -f ${FILE} ]; then + LogText "Result: file ${FILE} exists" + FIND=$(${WCBINARY} -l < ${FILE}) + if [ "${FIND}" = "0" ]; then + LogText "Result: No reboot needed (file empty)" + REBOOT_NEEDED=0 + break + else + PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) + LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" + for I in ${FIND}; do + LogText "Package: ${I}" + done + REBOOT_NEEDED=1 + break + fi else - PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) - LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" - for I in ${FIND}; do - LogText "Package: ${I}" - done - REBOOT_NEEDED=1 + LogText "Result: file ${FILE} not found" fi - else - LogText "Result: file ${FILE} not found" - fi + done # Check if /boot exists if [ -d "${ROOTDIR}boot" ]; then @@ -663,7 +674,10 @@ ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data" fi elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then - if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then + if [ -f ${ROOTDIR}boot/vmlinuz ]; then + LogText "Result: found ${ROOTDIR}boot/vmlinuz" + FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz + elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux" FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then diff --git a/include/tests_malware b/include/tests_malware index cb13ca96..40336fa5 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -46,6 +46,24 @@ # ################################################################################# # + # Test : MALW-3274 + # Description : Check for installed tool (McAfee VirusScan for Command Line) + Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking presence McAfee VirusScan for Command Line" + if [ -x /usr/local/uvscan/uvscan ]; then + Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN + LogText "Result: Found ${MCAFEECLBINARY}" + MALWARE_SCANNER_INSTALLED=1 + AddHP 2 2 + Report "malware_scanner[]=mcafeecl" + else + LogText "Result: McAfee VirusScan for Command Line not found" + fi + fi +# +################################################################################# +# # Test : MALW-3275 # Description : Check for installed tool (chkrootkit) Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit" diff --git a/include/tests_networking b/include/tests_networking index c615e6d0..7faf7125 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -750,7 +750,7 @@ UNCOMMON_PROTOCOL_DISABLED=0 # First check modprobe.conf if [ -f ${ROOTDIR}etc/modprobe.conf ]; then - DATA=$(${GREPBINARY} "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.conf) + DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf) if [ -n "${DATA}" ]; then LogText "Result: found ${P} module disabled via modprobe.conf" UNCOMMON_PROTOCOL_DISABLED=1 @@ -759,7 +759,7 @@ # Then additional modprobe configuration files if [ -d ${ROOTDIR}etc/modprobe.d ]; then # Return file names (-l) and suppress errors (-s) - DATA=$(${GREPBINARY} -l -s "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.d/*) + DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*) if [ -n "${DATA}" ]; then UNCOMMON_PROTOCOL_DISABLED=1 for F in ${DATA}; do diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 2f0b98da..e757bd0a 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -296,7 +296,7 @@ # # Test : PKGS-7320 # Description : Check available of arch-audit - if [ "${OS_FULLNAME}" = "Arch Linux" ] || [ "${OS_FULLNAME}" = "Arch Linux 32" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Test only applies to Arch Linux"; fi + if [ "${OS_FULLNAME}" = "Arch Linux" ] || [ "${OS_FULLNAME}" = "Arch Linux 32" ] || [ "${OS_FULLNAME}" = "Garuda Linux" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Test only applies to Arch Linux and Garuda Linux"; fi Register --test-no PKGS-7320 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking for arch-audit tooling" if [ ${SKIPTEST} -eq 0 ]; then if [ -z "${ARCH_AUDIT_BINARY}" ]; then diff --git a/include/tests_ssh b/include/tests_ssh index 7f31c348..de3209ee 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -74,7 +74,7 @@ LogText "Result: ${I}/sshd_config exists" if [ ${FOUND} -eq 1 ]; then ReportException "${TEST_NO}:01" - LogText "Result: we already had found another sshd_config file. Using this new file then." + LogText "Result: we already found another sshd_config file. Using this new file instead of the previous one." fi FileIsReadable ${I}/sshd_config if [ ${CANREAD} -eq 1 ]; then |