From de18ddc2c01b2d53a21d48c8497a7a08a7386bf0 Mon Sep 17 00:00:00 2001 From: Kepi Date: Thu, 2 Jul 2020 22:14:38 +0200 Subject: [functions] ParseNginx: Support include on absolute paths Includes can be absolute paths too. This is quick fix counting on fact that absolute paths have slash at start. --- include/functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/functions b/include/functions index 4ff5b43a..39ae7c92 100644 --- a/include/functions +++ b/include/functions @@ -2305,7 +2305,8 @@ # Check for additional config files included as follows # "include sites-enabled/*.conf" elif [ $(echo ${VALUE} | grep -F -c "*.conf") -gt 0 ]; then - for FOUND_CONF in $(ls ${CONFIG_FILE%nginx.conf}${VALUE%;*}); do + if [ "$(echo ${VALUE} | ${CUTBINARY} -c1)" != "/" ]; then VALUE=${CONFIG_FILE%nginx.conf}; fi + for FOUND_CONF in $(ls ${VALUE%;*}); do FOUND=0 for CONF in ${NGINX_CONF_FILES}; do if [ "${CONF}" = "${FOUND_CONF}" ]; then FOUND=1; LogText "Found this file already in our configuration files array, not adding to queue"; fi -- cgit v1.2.3 From a2e752a8db56032e38cc8c7b96830ceea90bf844 Mon Sep 17 00:00:00 2001 From: Kepi Date: Thu, 2 Jul 2020 22:22:34 +0200 Subject: [functions] ParseNginx: Ignore empty included wildcards Its ok to have empty directories included. We should not output errors with lsbinary unable to find anything there. --- include/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/functions b/include/functions index 39ae7c92..36113531 100644 --- a/include/functions +++ b/include/functions 
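Review bot: For a relative include, the added `VALUE=${CONFIG_FILE%nginx.conf}` replaces the include pattern with the bare configuration directory instead of prefixing it, so the following `ls ${VALUE%;*}` lists everything in that directory rather than the `*.conf` matches that the removed line selected. The assignment should keep the pattern: `VALUE="${CONFIG_FILE%nginx.conf}${VALUE}"`. The unquoted `echo ${VALUE}` in the new test also lets the shell expand the wildcard before `cut` sees it, so `echo "${VALUE}"` is safer. The same assignment is carried as context into the next hunk (a2e752a8), and the enclosing function starts and ends outside both hunks.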
@@ -2306,7 +2306,7 @@ # "include sites-enabled/*.conf" elif [ $(echo ${VALUE} | grep -F -c "*.conf") -gt 0 ]; then if [ "$(echo ${VALUE} | ${CUTBINARY} -c1)" != "/" ]; then VALUE=${CONFIG_FILE%nginx.conf}; fi - for FOUND_CONF in $(ls ${VALUE%;*}); do + for FOUND_CONF in $(ls ${VALUE%;*} 2> /dev/null); do FOUND=0 for CONF in ${NGINX_CONF_FILES}; do if [ "${CONF}" = "${FOUND_CONF}" ]; then FOUND=1; LogText "Found this file already in our configuration files array, not adding to queue"; fi -- cgit v1.2.3 From 48e794574a820072b06d194f739f88378213ccee Mon Sep 17 00:00:00 2001 From: Claudia Date: Sat, 8 Aug 2020 19:11:44 +0200 Subject: Add macOS EOL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apple doesn’t disclose when it stops providing security updates for macOS versions. There’s no consensus on when the exact EOL date is. Lacking that information, I applied the following ruleset, which is driven by what people have observed, and seems pragmatic enough: - From Mac OS X 10.0 through 10.4, a version 10.N would be considered EOL on the day the first patch-level update 10.(N+2).1 for its N+2 successor was released. - Starting with 10.5, Apple began to support three versions at the same time. For 10.5 itself, the EOL date is difficult to pin down so I went with 2011-06-23, the date given by the English-language Wikipedia. - From 10.6 through 10.11, a version 10.N would be considered EOL on the day the first patch-level update 10.(N+3).1 for its N+3 successor was released. - Starting with macOS Sierra (10.12), Lynis counts the patch level. Any version 10.N.P can be considered EOL on the day 10.N.(P+1) is released. If that hasn’t happened, the EOL date is the day 10.(N+3).1 is released. If neither has been released, 10.N.P has no EOL date. --- db/software-eol.db | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/db/software-eol.db b/db/software-eol.db index 2412a203..7a487d45 100644 
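Review bot: Sending the `ls` errors to /dev/null in `$(ls ${VALUE%;*} 2> /dev/null)` hides more than the empty-directory case named in the commit message. A permission error or a missing include directory is discarded the same way, and the audit then skips those configuration files without leaving a trace. Consider recording the empty result, for example by storing the listing in a variable first and calling `LogText "Result: no files found for include ${VALUE%;*}"` when it is empty, so the log shows that an include was not inspected. The loop body continues outside the hunk.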
--- a/db/software-eol.db
+++ b/db/software-eol.db
@@ -68,6 +68,51 @@ os:Linux Mint 18:2021-04-01:1617228000:
 os:Linux Mint 19:2023-04-01:1680300000:
 os:Linux Mint 20:2025-04-01:1743458400:
 #
+# macOS - https://support.apple.com/en_US/downloads/macos and
+# https://apple.stackexchange.com/a/282788 and
+# https://en.wikipedia.org/wiki/Category:MacOS_versions
+#
+os:Mac OS X 10.0 \(Cheetah\):2002-09-18:1032300000:
+os:Mac OS X 10.1 \(Puma\):2003-11-10:1068418800:
+os:Mac OS X 10.2 \(Jaguar\):2005-05-16:1116194400:
+os:Mac OS X 10.3 \(Panther\):2007-11-15:1195081200:
+os:Mac OS X 10.4 \(Tiger\):2009-09-10:1252533600:
+os:Mac OS X 10.5 \(Leopard\):2011-06-23:1308780000:
+os:Mac OS X 10.6 \(Snow Leopard\):2013-12-16:1387148400:
+os:Mac OS X 10.7 \(Lion\):2014-11-17:1416178800:
+os:Mac OS X 10.8 \(Mountain Lion\):2015-10-21:1445378400:
+os:Mac OS X 10.9 \(Mavericks\):2016-10-24:1477260000:
+os:Mac OS X 10.10 \(Yosemite\):2017-10-31:1509404400:
+os:Mac OS X 10.11 \(El Capitan\):2018-10-30:1540854000:
+os:macOS Sierra \(10.12\):2016-10-24:1477260000:
+os:macOS Sierra \(10.12.1\):2016-12-13:1481583600:
+os:macOS Sierra \(10.12.2\):2017-01-23:1485126000:
+os:macOS Sierra \(10.12.3\):2017-03-27:1490565600:
+os:macOS Sierra \(10.12.4\):2017-05-15:1494799200:
+os:macOS Sierra \(10.12.5\):2017-07-19:1500415200:
+os:macOS Sierra \(10.12.6\):2019-10-29:1572303600:
+os:macOS High Sierra \(10.13\):2017-10-31:1509404400:
+os:macOS High Sierra \(10.13.1\):2017-12-06:1512514800:
+os:macOS High Sierra \(10.13.2\):2018-01-23:1516662000:
+os:macOS High Sierra \(10.13.3\):2018-03-29:1522274400:
+os:macOS High Sierra \(10.13.4\):2018-06-01:1527804000:
+os:macOS High Sierra \(10.13.5\):2018-07-09:1531087200:
+os:macOS High Sierra \(10.13.6\)::-1:
+os:macOS Mojave \(10.14\):2018-10-30:1540854000:
+os:macOS Mojave \(10.14.1\):2018-12-05:1543964400:
+os:macOS Mojave \(10.14.2\):2019-01-22:1548111600:
+os:macOS Mojave \(10.14.3\):2019-03-25:1553468400:
+os:macOS Mojave \(10.14.4\):2019-05-13:1557698400:
+os:macOS Mojave 
\(10.14.5\):2019-07-22:1563746400: +os:macOS Mojave \(10.14.6\)::-1: +os:macOS Catalina \(10.15\):2019-10-29:1572303600: +os:macOS Catalina \(10.15.1\):2019-12-10:1575932400: +os:macOS Catalina \(10.15.2\):2020-01-28:1580166000: +os:macOS Catalina \(10.15.3\):2020-03-24:1585004400: +os:macOS Catalina \(10.15.4\):2020-05-26:1590444000: +os:macOS Catalina \(10.15.5\):2020-07-15:1594764000: +os:macOS Catalina \(10.15.6\)::-1: +# # NetBSD - https://www.netbsd.org/support/security/release.html and # https://www.netbsd.org/releases/formal.html # -- cgit v1.2.3 From ec551d732d52e00cde12ee3d6d85ed699dca0d0e Mon Sep 17 00:00:00 2001 From: Steve Kolenich Date: Mon, 10 Aug 2020 12:26:55 -0400 Subject: Added Alpine Linux EOL dates --- db/software-eol.db | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/db/software-eol.db b/db/software-eol.db index 2412a203..63939bcb 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -14,6 +14,14 @@ # For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1. # Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching. # +# Alpine - https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases +# +os:Alpine 3.12:2022-05-01:1651377600 +os:Alpine 3.11:2021-11-01:1635739200 +os:Alpine 3.10:2021-05-01:1619841600 +os:Alpine 3.9:2020-11-01:1604203200 +os:Alpine 3.8:2020-05-01:1588305600 +# # Amazon Linux # # Note: shortest entry is listed at end due to regular expression matching being used -- cgit v1.2.3 From f65f4d011b88f7e3d16daaabdd851c7ec3c8b08b Mon Sep 17 00:00:00 2001 
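Review bot: The five Alpine entries (ec551d73) stop after the fourth field, while the neighbouring entries visible on this page close it with a trailing colon, as in `os:Linux Mint 20:2025-04-01:1743458400:`. If the code that reads this file splits on `:` or matches up to a delimiter, the timestamp of these lines may be parsed differently; the parser is not shown here, so this should be confirmed. For consistency write `os:Alpine 3.12:2022-05-01:1651377600:` and likewise for the other four lines.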
From: Steve Kolenich Date: Mon, 10 Aug 2020 12:27:30 -0400 Subject: Improve detecting kernel version on disk Improve handling of kenrel files /boot/vmlinuz-linux-lts /boot/vmlinuz-linux /boot/vmlinuz-lts by updateing RegEx and adding elif this corrects issue where version is identified as 'linux' or 'lts' causing false report that a reboot is needed --- include/tests_kernel | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index 011d02c6..56e7e46f 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -664,6 +664,9 @@ elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts" FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts + elif [ -f ${ROOTDIR}boot/vmlinuz-lts ]; then + LogText "Result: found ${ROOTDIR}boot/vmlinuz-lts" + FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-lts else # Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1) @@ -678,7 +681,7 @@ VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" elif [ -f "${FOUND_VMLINUZ}" ]; then - VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') + VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//' | ${SEDBINARY} '$s/-\?\(linux\)\?-\?\(lts\)\?//') LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" fi -- cgit v1.2.3 From 6bad6b058bcdcfd536bad57f05470304b9020b6f Mon Sep 17 00:00:00 2001 From: "danielorihuelarodriguez@gmail.com" Date: Mon, 10 Aug 2020 19:27:43 +0200 Subject: feature: gather locked accounts info --- include/tests_authentication | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) 
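Review bot: The added expression `'$s/-\?\(linux\)\?-\?\(lts\)\?//'` relies on `\?`, a GNU sed extension to basic regular expressions, and every element of the pattern is optional and unanchored, so what it removes depends on where the first (possibly empty) match falls. Anchored literal substitutions state the intent and are portable: `${SEDBINARY} -e 's/^linux-lts$//' -e 's/^linux$//' -e 's/^lts$//'`. The branch just above in the same hunk derives VERSION_ON_DISK without this step, so it can presumably still return 'linux' or 'lts'; its condition lies outside the hunk.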
diff --git a/include/tests_authentication b/include/tests_authentication index 3dbe08f7..48877a35 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -859,23 +859,27 @@ PREQS_MET="YES" FIND_P=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }') FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }') + FIND3=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq) ;; *) PREQS_MET="YES" FIND_P=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }') FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }') + FIND3=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq) ;; esac elif [ "${OS_REDHAT_OR_CLONE}" -eq 1 ]; then PREQS_MET="YES" FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done) FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done) + FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq ; done) else LogText "Result: skipping test for this Linux version" ReportManual "AUTH-9282:01" PREQS_MET="NO" FIND_P="" FIND2="" + FIND3="" fi else PREQS_MET="NO" 
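Review bot: In the Red Hat branch the added FIND3 pipeline puts `| sort | uniq` inside the per-account loop, where it only ever sees one line, so unlike the `passwd -a -S` and `passwd --all --status` branches the list is not sorted or de-duplicated as a whole. Move it after the loop: `... '{ if ($2=="L") print $1 }' ; done | sort | uniq)`. The status is compared with `L` only, which assumes `passwd -S` prints exactly that token on every supported distribution; that should be confirmed. A short comment stating that FIND3 holds the names of locked accounts would help, since the variable name says nothing about its content.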
@@ -921,6 +925,31 @@ fi # ################################################################################# +# + # Test : AUTH-9284 + # Description : Search locked accounts + Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking locked accounts" + if [ "${SKIPTEST}" -eq 0 ]; then + LogText "Test: Checking locked accounts" + SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 <= 999 || $3 == 65534 {print $1}' /etc/passwd | sort | uniq) + if [ "${FIND3}" = "${SYSTEM_ACCOUNTS}" ]; then + LogText "Result: all accounts seem to be unlocked" + Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: found one or more locked accounts" + NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq) + for I in ${FIND3}; do + if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${I}" > /dev/null ; then + LogText "Locked account: ${I}" + Report "locked_account=${I}" + fi + done + Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED + ReportWarning "${TEST_NO}" "Found locked accounts" + fi + fi +# +################################################################################# # # Test : AUTH-9286 # Description : Check user password aging -- cgit v1.2.3 From c857ee7cf2c3e11b37c84d41e50f7f39806a4a4f Mon Sep 17 00:00:00 2001 From: "danielorihuelarodriguez@gmail.com" Date: Sun, 23 Aug 2020 19:54:59 +0200 Subject: fix: take into account unlocked system accounts --- include/tests_authentication | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 48877a35..27b6b29f 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
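Review bot: The membership test `grep -w "${I}"` treats the account name as a regular expression and accepts word-level matches, so a locked system account can match inside a different non-system name (constructed example: `www` against `www-deploy`) and be reported as a locked user account. A fixed-string, whole-line comparison avoids that: `if echo "${NON_SYSTEM_ACCOUNTS}" | grep -F -x -- "${I}" > /dev/null ; then`. The same test is kept in both loops of the follow-up hunk (c857ee7c).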
@@ -931,17 +931,22 @@ Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking locked accounts" if [ "${SKIPTEST}" -eq 0 ]; then LogText "Test: Checking locked accounts" - SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 <= 999 || $3 == 65534 {print $1}' /etc/passwd | sort | uniq) - if [ "${FIND3}" = "${SYSTEM_ACCOUNTS}" ]; then + NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq) + LOCKED_NON_SYSTEM_ACCOUNTS=0 + for account in ${FIND3};do + if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then + LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS+1)) + fi + done + if [ $LOCKED_NON_SYSTEM_ACCOUNTS -eq 0 ]; then LogText "Result: all accounts seem to be unlocked" Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN else LogText "Result: found one or more locked accounts" - NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq) - for I in ${FIND3}; do - if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${I}" > /dev/null ; then - LogText "Locked account: ${I}" - Report "locked_account=${I}" + for account in ${FIND3}; do + if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then + LogText "Locked account: ${account}" + Report "locked_account=${account}" fi done Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED -- cgit v1.2.3 From dabac5bf89685fb137536409e26d186ec58a94d4 Mon Sep 17 00:00:00 2001 From: Jim Date: Sun, 23 Aug 2020 22:41:19 +0200 Subject: Change timesync sync file, fixes #1012 --- include/tests_time | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_time b/include/tests_time index eda41a6f..46db8d71 100644 --- a/include/tests_time +++ b/include/tests_time 
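Review bot: The classification line hard-codes the boundary `$3 > 999` and reads `/etc/passwd` directly, whereas the FIND3 collection earlier in this file reads `"${ROOTDIR}etc/passwd"`. On a system whose UID_MIN differs from 1000 the split between system and user accounts will be wrong, and with a non-default ROOTDIR the two lists come from different files. Use `"${ROOTDIR}etc/passwd"` here and add a comment stating the assumed UID range. The new test `[ $LOCKED_NON_SYSTEM_ACCOUNTS -eq 0 ]` should also quote its operand as `"${LOCKED_NON_SYSTEM_ACCOUNTS}"`.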
@@ -574,7 +574,7 @@ Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time" - SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized" + SYNCHRONIZED_FILE="/var/lib/systemd/timesync/clock" if [ ${SKIPTEST} -eq 0 ]; then if [ -e "${SYNCHRONIZED_FILE}" ]; then FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") )) -- cgit v1.2.3 From 84fd612c912aa46129d00fea93cb81362df55843 Mon Sep 17 00:00:00 2001 From: Jim Date: Mon, 24 Aug 2020 17:59:06 +0200 Subject: Add check for other clock files for earlier systemd versions --- include/tests_time | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/include/tests_time b/include/tests_time index 46db8d71..3c5a8477 100644 --- a/include/tests_time +++ b/include/tests_time @@ -574,8 +574,17 @@ Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time" - SYNCHRONIZED_FILE="/var/lib/systemd/timesync/clock" + SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized" + if [ ${SKIPTEST} -eq 0 ]; then + # On earlier systemd versions (237), '/run/systemd/timesync/synchronized' does not exist, so use '/var/lib/systemd/timesync/clock' + if [ ! -e "${SYNCHRONIZED_FILE}" ]; then + SYNCHRONIZED_FILE="/var/lib/systemd/timesync/clock" + fi + # DynamicUser=yes moves the clock file to '/var/lib/private/systemd/timesync/clock' + if [ ! -e "${SYNCHRONIZED_FILE}" ]; then + SYNCHRONIZED_FILE="/var/lib/private/systemd/timesync/clock" + fi if [ -e "${SYNCHRONIZED_FILE}" ]; then FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") )) # Check if last sync was more than 2048 seconds (= the default of systemd) ago -- cgit v1.2.3 From 6f6e21add230ae1bc156ea2de23eac9e45a6eec3 Mon Sep 17 00:00:00 2001 
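Review bot: After the fallback chain added in 84fd612c nothing records which of the three paths was selected, so the log cannot show which file the age calculation was based on. Add `LogText "Result: using ${SYNCHRONIZED_FILE} to determine time of last synchronization"` before the `-e` test. The persistent `clock` file may have its timestamp updated for reasons other than a successful NTP synchronization, unlike the `synchronized` marker; this is an assumption to verify against the systemd-timesyncd documentation before treating both as equivalent evidence. `[ ${SKIPTEST} -eq 0 ]` is also unquoted, unlike `"${PREQS_MET}"` on the Register line.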
From: Jimver Date: Wed, 26 Aug 2020 16:38:35 +0200 Subject: Fix wildcard expansion, absolute path handling and output to stderr --- include/functions | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/include/functions b/include/functions index e0f75a64..60e213be 100644 --- a/include/functions +++ b/include/functions @@ -2180,7 +2180,8 @@ for I in ${FIND}; do I=$(echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//') OPTION=$(echo ${I} | awk '{ print $1 }') - VALUE=$(echo ${I}| cut -d' ' -f2-) + # Use quotes here to prevent wildcard expansion + VALUE=$(echo "${I}"| cut -d' ' -f2-) LogText "Result: found option ${OPTION} in ${CONFIG_FILE} with value '${VALUE}'" STORE_SETTING=1 case ${OPTION} in @@ -2303,9 +2304,21 @@ done if [ ${FOUND} -eq 0 ]; then NGINX_CONF_FILES_ADDITIONS="${NGINX_CONF_FILES_ADDITIONS} ${VALUE}"; fi # Check for additional config files included as follows - # "include sites-enabled/*.conf" - elif [ $(echo ${VALUE} | grep -F -c "*.conf") -gt 0 ]; then - for FOUND_CONF in $(ls ${CONFIG_FILE%nginx.conf}${VALUE%;*}); do + # "include sites-enabled/*.conf" (relative path) + # "include /etc/nginx/sites-enabled/*.conf" (absolute path) + elif [ $(echo "${VALUE}" | grep -F -c "*.conf") -gt 0 ]; then + # Check if path is absolute or relative + case $VALUE in + /*) + # Absolute path, so list files directly from that path + CONF_LS=$(${LSBINARY} ${VALUE%;*} 2>/dev/null) # Will error if wildcard doesn't match anything, so pipe stderr to /dev/null + ;; + *) + # Relative path, so construct absolute path first to list files for + CONF_LS=$(${LSBINARY} ${CONFIG_FILE%nginx.conf}${VALUE%;*} 2>/dev/null) + ;; + esac + for FOUND_CONF in CONF_LS; do FOUND=0 for CONF in ${NGINX_CONF_FILES}; do if [ "${CONF}" = "${FOUND_CONF}" ]; then FOUND=1; LogText "Found this file already in our configuration files array, not adding to queue"; fi -- cgit v1.2.3 From cd94da34492ff18eb83b9f2dae89e8e68866ca3d Mon Sep 17 00:00:00 2001 
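Review bot: The rewritten loop header `for FOUND_CONF in CONF_LS; do` iterates over the literal word CONF_LS rather than the listing stored in the variable, so no included file is ever queued and the comparison below always runs against that string. It should read `for FOUND_CONF in ${CONF_LS}; do`. Because the `$(${LSBINARY} ...)` output is then word-split, file names containing whitespace would still be broken apart; iterating over the glob pattern itself avoids parsing `ls` output. The loop body continues outside the hunk.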
From: Jimver Date: Thu, 27 Aug 2020 12:50:48 +0200 Subject: Use shell wildcard expansion now --- include/functions | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/include/functions b/include/functions index 60e213be..b88a7261 100644 --- a/include/functions +++ b/include/functions @@ -2310,15 +2310,20 @@ # Check if path is absolute or relative case $VALUE in /*) - # Absolute path, so list files directly from that path - CONF_LS=$(${LSBINARY} ${VALUE%;*} 2>/dev/null) # Will error if wildcard doesn't match anything, so pipe stderr to /dev/null + # Absolute path, so wildcard pattern is already correct + CONF_WILDCARD=${VALUE%;*} ;; *) - # Relative path, so construct absolute path first to list files for - CONF_LS=$(${LSBINARY} ${CONFIG_FILE%nginx.conf}${VALUE%;*} 2>/dev/null) + # Relative path, so construct absolute path for wildcard pattern + CONF_WILDCARD=${CONFIG_FILE%nginx.conf}${VALUE%;*} ;; esac - for FOUND_CONF in CONF_LS; do + for FOUND_CONF in ${CONF_WILDCARD}; do + if [ "${FOUND_CONF}" = "${CONF_WILDCARD}" ]; then + + LogText "Found no match for ${CONF_WILDCARD}" + break + fi FOUND=0 for CONF in ${NGINX_CONF_FILES}; do if [ "${CONF}" = "${FOUND_CONF}" ]; then FOUND=1; LogText "Found this file already in our configuration files array, not adding to queue"; fi -- cgit v1.2.3 From e6891feeb458055571a1d48c53009ebc99036708 Mon Sep 17 00:00:00 2001 From: Jimver Date: Thu, 27 Aug 2020 12:52:59 +0200 Subject: Remove newline --- include/functions | 1 - 1 file changed, 1 deletion(-) diff --git a/include/functions b/include/functions index b88a7261..f5eb2f98 100644 --- a/include/functions +++ b/include/functions @@ -2320,7 +2320,6 @@ esac for FOUND_CONF in ${CONF_WILDCARD}; do if [ "${FOUND_CONF}" = "${CONF_WILDCARD}" ]; then - LogText "Found no match for ${CONF_WILDCARD}" break fi -- cgit v1.2.3 From 554dd2d5e90ade460e2c8f318dde3d7e0031cdce Mon Sep 17 00:00:00 2001 
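Review bot: The no-match detection `[ "${FOUND_CONF}" = "${CONF_WILDCARD}" ]` in the cd94da34 hunk depends on the shell leaving an unmatched pattern untouched, and the unquoted `${CONF_WILDCARD}` is word-split before globbing, so an include path containing a space becomes separate words that this check does not recognise. An existence test states the intent directly and also skips entries that are not regular files: `if [ ! -f "${FOUND_CONF}" ]; then LogText "Found no match for ${CONF_WILDCARD}"; continue; fi`. `case $VALUE in` would read more consistently as `case "${VALUE}" in`.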
From: Jimver Date: Thu, 27 Aug 2020 12:57:22 +0200 Subject: Better log message --- include/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/functions b/include/functions index f5eb2f98..4af4cd7b 100644 --- a/include/functions +++ b/include/functions @@ -2320,7 +2320,7 @@ esac for FOUND_CONF in ${CONF_WILDCARD}; do if [ "${FOUND_CONF}" = "${CONF_WILDCARD}" ]; then - LogText "Found no match for ${CONF_WILDCARD}" + LogText "Found no match for wildcard pattern: ${CONF_WILDCARD}" break fi FOUND=0 -- cgit v1.2.3 From 93a71539d58251b47f07783b4a7d97813460bb81 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Thu, 27 Aug 2020 21:44:40 +0200 Subject: Add support for Flatcar Container Linux Fixes cisofy/lynis#1014. Flatcar is a for of CoreOS. Thus the variable LINUX_VERSION_LIKE (introduced with #1004) for Flatcar is CoreOS. --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index c2726d31..d12cab48 100644 --- a/include/osdetection +++ b/include/osdetection @@ -190,6 +190,12 @@ OS_REDHAT_OR_CLONE=1 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "flatcar") + LINUX_VERSION="Flatcar" + LINUX_VERSION_LIKE="CoreOS" + OS_NAME="Flatcar Linux" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "gentoo") LINUX_VERSION="Gentoo" OS_NAME="Gentoo Linux" -- cgit v1.2.3 From 5ca6b7ed7985d63bed1689121f7c4aad00fb53df Mon Sep 17 00:00:00 2001 From: "danielorihuelarodriguez@gmail.com" Date: Fri, 28 Aug 2020 23:19:37 +0200 Subject: feature: take into account LK Some distributions like CentOS 8 contains "LK" instead of "L" for locked users. --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 27b6b29f..7ef56982 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -872,7 +872,7 @@ PREQS_MET="YES" FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done) FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done) - FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq ; done) + FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L" || $2=="LK") print $1 }' | sort | uniq ; done) else LogText "Result: skipping test for this Linux version" ReportManual "AUTH-9282:01" -- cgit v1.2.3 From 85d36db113fc3584df9ef70b7ec8bb3abf835c45 Mon Sep 17 00:00:00 2001 From: Sergey Zhemoitel Date: Thu, 8 Oct 2020 23:06:35 +0300 Subject: Add ROSA Linux detection --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index 9910b307..66592a8f 100644 --- a/include/osdetection +++ b/include/osdetection @@ -273,6 +273,12 @@ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Ubuntu" ;; + "rosa") + LINUX_VERSION="ROSA Linux" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_NAME="ROSA Desktop Fresh R11.1" + ;; *) ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}" ;; -- cgit v1.2.3 From ba1cff941fdc41c06f2cabe494cac3420144e92b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 16 Oct 2020 13:02:01 +0200 Subject: Improved detection of kernel by ignoring known incorrect values --- include/tests_kernel | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
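Review bot: In the `"rosa")` case (85d36db1) OS_NAME is set to the fixed string `ROSA Desktop Fresh R11.1`, so every ROSA system is reported under that one edition and release regardless of what /etc/os-release contains. The other cases on this page keep the name generic and carry the release in OS_VERSION and OS_VERSION_FULL; use `OS_NAME="ROSA Linux"` here. The new case is also placed after the Ubuntu block, which appears to break the alphabetical order of the surrounding cases.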
diff --git a/include/tests_kernel b/include/tests_kernel index 011d02c6..7bd11e59 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -680,8 +680,19 @@ elif [ -f "${FOUND_VMLINUZ}" ]; then VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" + fi + # Data check: perform reset if we found a version but looks incomplete + # Example: Arch Linux will return only 'linux' as its version after it discovered /boot/vmlinuz-linux + case ${VERSION_ON_DISK} in + "linux" | "linux-lts") + LogText "Result: reset of version (${VERSION_ON_DISK}) as it looks incomplete" + VERSION_ON_DISK="" + ;; + esac + + # If we did not find the version yet, see if we can extract it from the magic data that 'file' returns if [ -z "${VERSION_ON_DISK}" ]; then LogText "Test: checking kernel version on disk" NEXTLINE=0 @@ -697,6 +708,7 @@ done fi + # Last check if we finally got a version or not if [ -z "${VERSION_ON_DISK}" ]; then LogText "Result: could not find the version on disk" ReportException "${TEST_NO}:4" "Could not find the kernel version" -- cgit v1.2.3 From 1c0c9d78583b82ce2fe43aad6fc98634478c0bde Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 16 Oct 2020 13:02:35 +0200 Subject: Move to pre-release --- lynis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lynis b/lynis index 4d5306ff..17cd9e91 100755 --- a/lynis +++ b/lynis @@ -45,8 +45,8 @@ # Version details PROGRAM_RELEASE_DATE="2020-10-05" PROGRAM_RELEASE_TIMESTAMP=1601896929 - PROGRAM_RELEASE_TYPE="release" # pre-release or release - PROGRAM_VERSION="3.0.1" + PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_VERSION="3.0.2" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" -- cgit v1.2.3 From 5d9c85a35cb26b04459f38e62fb5d805e2c193ea Mon Sep 17 00:00:00 2001 
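Review bot: The reset list `"linux" | "linux-lts")` added in ba1cff94 does not include `lts`, which is what the `s/^vmlinuz-//` step above leaves for an image named vmlinuz-lts (a file name handled by another change on this page). If such a file can reach this point, the incomplete version survives and the later comparison runs against it. Extend the pattern to `"linux" | "linux-lts" | "lts")`. The enclosing test starts and ends outside the hunk.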
From: Michael Boelen Date: Fri, 16 Oct 2020 13:02:57 +0200 Subject: Preparations for 3.0.2 --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0728f8c9..5c85a577 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Lynis Changelog +## Lynis 3.0.2 (not released yet) + +### Changed +- KRNL-5830 - Improved reboot test by ignoring known bad values + +--------------------------------------------------------------------------------- + ## Lynis 3.0.1 (2020-10-05) ### Added -- cgit v1.2.3 From eaca6127eca8176d48479d8044847e942465c3c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane?= Date: Sat, 17 Oct 2020 00:04:09 +0200 Subject: Improvements and addition of strings --- db/languages/fr | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/db/languages/fr b/db/languages/fr index 51b4da41..848dd94e 100644 --- a/db/languages/fr +++ b/db/languages/fr 
@@ -1,38 +1,45 @@ +ERROR_NO_LICENSE="Pas de clé de licence configurée" +ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré" GEN_CHECKING="Vérification" GEN_CURRENT_VERSION="Version actuelle" GEN_DEBUG_MODE="mode debug" GEN_INITIALIZE_PROGRAM="Initialisation" +GEN_LATEST_VERSION="Dernière version" GEN_PHASE="phase" GEN_PLUGINS_ENABLED="Plugins activés" -GEN_VERBOSE_MODE="mode verbeux" GEN_UPDATE_AVAILABLE="mise à jour disponible" +GEN_VERBOSE_MODE="mode verbeux" GEN_WHAT_TO_DO="Que faire" NOTE_EXCEPTIONS_FOUND="Exceptions trouvées" NOTE_EXCEPTIONS_FOUND_DETAILED="Des événements ou informations exceptionnels ont été trouvés" -NOTE_PLUGINS_TAKE_TIME="Note: les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes" +NOTE_PLUGINS_TAKE_TIME="Note : Les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tests ignorés faute de privilèges" -SECTION_CUSTOM_TESTS="Tests Personnalisés" +SECTION_CUSTOM_TESTS="Tests personnalisés" +SECTION_DATA_UPLOAD="Téléchargement de données" +SECTION_INITIALIZING_PROGRAM="Initialisation du programme" SECTION_MALWARE="Malware" -SECTION_MEMORY_AND_PROCESSES="Mémoire et Processus" +SECTION_MEMORY_AND_PROCESSES="Mémoire et processus" +SECTION_SYSTEM_TOOLS="Outils système" +STATUS_DISABLED="DÉSACTIVÉ" STATUS_DONE="FAIT" +STATUS_ENABLED="ACTIVÉ" +STATUS_ERROR="ERREUR" +STATUS_FAILED="ÉCHOUÉ" STATUS_FOUND="TROUVÉ" -STATUS_YES="OUI" -STATUS_NO="NON" STATUS_OFF="OFF" STATUS_OK="OK" STATUS_ON="ON" +STATUS_NO="NON" STATUS_NONE="AUCUN" +STATUS_NOT_CONFIGURED="NON CONFIGURÉ" STATUS_NOT_FOUND="NON TROUVÉ" STATUS_NOT_RUNNING="NON LANCÉ" -STATUS_RUNNING="EN COURS": +STATUS_RUNNING="EN COURS" STATUS_SKIPPED="IGNORÉ" STATUS_SUGGESTION="SUGGESTION" STATUS_UNKNOWN="INCONNU" STATUS_WARNING="ATTENTION" +STATUS_WEAK="FAIBLE" +STATUS_YES="OUI" TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal" TEXT_UPDATE_AVAILABLE="Mise à jour disponible" 
-STATUS_DISABLED="DÉSACTIVÉ" -STATUS_ENABLED="ACTIVÉ" -STATUS_ERROR="ERREUR" -ERROR_NO_LICENSE="Pas de clé de licence configurée" -ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré" -- cgit v1.2.3 From 760460528b7141fb0f0741c4d76787a2ca406488 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 12:55:20 +0200 Subject: Added variable --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index 053147a4..2224057b 100644 --- a/include/consts +++ b/include/consts @@ -58,6 +58,7 @@ ETC_PATHS="/etc /usr/local/etc" APPLICATION_FIREWALL_ACTIVE=0 BINARY_SCAN_FINISHED=0 BLKIDBINARY="" + BOOTCTLBINARY="" CAT_BINARY="" CFAGENTBINARY="" CHECK=0 -- cgit v1.2.3 From 791800f95d1e1090efc0ba29d958fa1a6d80ab7d Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 13:15:06 +0200 Subject: Added Zorin OS detection --- CHANGELOG.md | 3 +++ include/osdetection | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5c85a577..17562153 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## Lynis 3.0.2 (not released yet) +### Added +- Detection of Zorin OS + ### Changed - KRNL-5830 - Improved reboot test by ignoring known bad values diff --git a/include/osdetection b/include/osdetection index 9910b307..843a932b 100644 --- a/include/osdetection +++ b/include/osdetection @@ -273,6 +273,13 @@ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Ubuntu" ;; + "zorin") + LINUX_VERSION="Zorin OS" + OS_NAME="Zorin OS" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; + *) ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}" ;; -- cgit v1.2.3 From 6238f5bc8f821ddc8aab371d9bb36e025c281c07 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Sat, 17 Oct 2020 13:26:11 +0200 Subject: Define RHEL as 'RHEL' --- include/osdetection | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/osdetection b/include/osdetection index 107ee28f..5aa5878b 100644 --- a/include/osdetection +++ b/include/osdetection @@ -255,7 +255,7 @@ ;; "rhel") LINUX_VERSION="RHEL" - OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_NAME="RHEL" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}" -- cgit v1.2.3 From 577a8b201fbe03f19e6d04a2c5e2538f624eefc8 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 13:26:39 +0200 Subject: Updated log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 17562153..ee64679c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,10 +3,12 @@ ## Lynis 3.0.2 (not released yet) ### Added +- Detection of ROSA Linux - Detection of Zorin OS ### Changed - KRNL-5830 - Improved reboot test by ignoring known bad values +- Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux --------------------------------------------------------------------------------- -- cgit v1.2.3 From 61c6d5df8d156cdbfc670c3f641db06aa1b761db Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 13:40:09 +0200 Subject: [PKGS-7410] Don't show exception if no kernels were found on the disk --- include/tests_ports_packages | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 286da608..e1071474 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
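Review bot: Setting `OS_NAME="RHEL"` also changes OS_FULLNAME, which is built two lines below as `"${OS_NAME} ${OS_VERSION_FULL}"` and previously carried the PRETTY_NAME text from /etc/os-release. Anything that matches on the longer product name, possibly the entries in db/software-eol.db, should be checked against the new value; those consumers are not visible in this hunk. A comment such as `# Fixed short name; PRETTY_NAME varies between RHEL releases` would record why the value from os-release is no longer used.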
@@ -1289,7 +1289,7 @@ KERNELS=$(${ZYPPERBINARY} --non-interactive -n se --type package --match-exact --installed-only "kernel-default" 2> /dev/null | ${GREPBINARY} "kernel-default" | ${WCBINARY} -l) if [ ${KERNELS} -eq 0 ]; then LogText "Result: found no kernels from zypper output, which is unexpected." - ReportException "KRNL-5840:3" "Could not find any kernel packages via package manager. Maybe using a different kernel package?" + ReportException "${TEST_NO}" "Could not find any kernel packages via package manager. Maybe using a different kernel package?" elif [ ${KERNELS} -gt 3 ]; then LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages" @@ -1299,7 +1299,19 @@ fi if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]; then - ReportException "KRNL-5840:1" "Could not find any kernel packages via package manager" + # Only report exception if there are kernels actually there. For example, LXC use the kernel of host system + case "${OS}" in + "Linux") + if [ -d "${ROOTDIR}boot" ]; then + if [ -z "$(${FINDBINARY} /boot -maxdepth 1 -type f -name 'vmlinuz*' -print -quit)" ]; then + ReportException "${TEST_NO}" "Could not find any kernel packages via package manager" + fi + fi + ;; + *) + ReportException "${TEST_NO}" "Could not find any kernel packages via package manager" + ;; + esac fi Report "installed_kernel_packages=${KERNELS}" -- cgit v1.2.3 From 3b240d250d8762891aaa2265e77fd78d6f60fca4 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 13:40:17 +0200 Subject: Updated log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee64679c..0b486c6e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
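Review bot: In the second hunk of include/tests_ports_packages the inner test raises the exception when `find` prints nothing, which is the opposite of what the comment above it ("Only report exception if there are kernels actually there") and the commit subject describe; as written, a container with an empty /boot still reports it and a host with a vmlinuz file does not. The same line searches the literal `/boot` although the guard just before it tests `${ROOTDIR}boot`. I would write it as `if [ -n "$(${FINDBINARY} "${ROOTDIR}boot" -maxdepth 1 -type f -name 'vmlinuz*' -print -quit)" ]; then`. If the `-z` is intended, the comment should be reworded to say so.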
@@ -8,7 +8,9 @@ ### Changed - KRNL-5830 - Improved reboot test by ignoring known bad values +- PKGS-7410 - Don't show exception if no kernels were found on the disk - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux +- Small code enhancements --------------------------------------------------------------------------------- -- cgit v1.2.3 From 644683a0e4efabef007a3f3e6fe36d9eb2e7d3c3 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 14:11:45 +0200 Subject: Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0b486c6e..86974a3d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ - KRNL-5830 - Improved reboot test by ignoring known bad values - PKGS-7410 - Don't show exception if no kernels were found on the disk - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux +- French translation improved - Small code enhancements --------------------------------------------------------------------------------- -- cgit v1.2.3 From af57959d6a63fdbc501c3dc2dd475f1618d25759 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane?= Date: Mon, 19 Oct 2020 00:41:11 +0200 Subject: Add missing constants From #1035 issue --- include/consts | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/include/consts b/include/consts index 2224057b..bb1d63ff 100644 --- a/include/consts +++ b/include/consts @@ -82,6 +82,7 @@ ETC_PATHS="/etc /usr/local/etc" CONTROL_URL_PROTOCOL="" CONTAINER_TYPE="" CREATE_REPORT_FILE=1 + CRYPTSETUPBINARY="" CSUMBINARY="" CURRENT_TS=0 CUSTOM_URL_APPEND="" @@ -100,12 +101,14 @@ ETC_PATHS="/etc /usr/local/etc" DISCOVERED_BINARIES="" DMIDECODEBINARY="" DNFBINARY="" + DNSDOMAINNAMEBINARY="" DOCKERBINARY="" DOCKER_DAEMON_RUNNING=0 DPKGBINARY="" ECHOCMD="" ERROR_ON_WARNINGS=0 EQUERYBINARY="" + EVMCTLBINARY="" EXIMBINARY="" FAIL2BANBINARY="" FILEBINARY="" 
@@ -131,6 +134,7 @@ ETC_PATHS="/etc /usr/local/etc" HTTPDBINARY="" IDS_IPS_TOOL_FOUND=0 IFCONFIGBINARY="" + INTEGRITYSETUPBINARY="" IPBINARY="" IPFBINARY="" IPTABLESBINARY="" @@ -149,6 +153,7 @@ ETC_PATHS="/etc /usr/local/etc" LOGDIR="" LOGROTATEBINARY="" LOGTEXT=1 + LSBLKBINARY="" LSMODBINARY="" LSOFBINARY="" LSOF_EXTRA_OPTIONS="" @@ -192,6 +197,7 @@ ETC_PATHS="/etc /usr/local/etc" NGINX_RETURN_FOUND=0 NGINX_ROOT_FOUND=0 NGINX_WEAK_SSL_PROTOCOL_FOUND=0 + NTPCTLBINARY="" NTPD_ROLE="" NTPQBINARY="" OPENSSLBINARY="" @@ -205,6 +211,7 @@ ETC_PATHS="/etc /usr/local/etc" OS_REDHAT_OR_CLONE=0 OSIRISBINARY="" PACMANBINARY="" + PAM_PASSWORD_PWHISTORY_AMOUNT="" PASSWORD_MAXIMUM_DAYS=-1 PASSWORD_MINIMUM_DAYS=-1 PAM_2F_AUTH_ENABLED=0 @@ -239,6 +246,7 @@ ETC_PATHS="/etc /usr/local/etc" REFRESH_REPOSITORIES=1 REMOTE_LOGGING_ENABLED=0 RESOLV_DOMAINNAME="" + RESOLVECTLBINARY="" RKHUNTERBINARY="" ROOTDIR="/" ROOTSHBINARY="" @@ -277,6 +285,7 @@ ETC_PATHS="/etc /usr/local/etc" SLOW_TEST_THRESHOLD=10 SMTPCTLBINARY="" SNORTBINARY="" + SSBINARY="" SSHKEYSCANBINARY="" SSHKEYSCANFOUND=0 SSL_CERTIFICATE_INCLUDE_PACKAGES=0 @@ -286,6 +295,7 @@ ETC_PATHS="/etc /usr/local/etc" SWUPDBINARY="" SYSLOGNGBINARY="" SYSTEMCTLBINARY="" + SYSTEMDANALYZEBINARY="" SYSTEM_IS_NOTEBOOK=255 TEMP_FILE="" TEMP_FILES="" @@ -295,6 +305,7 @@ ETC_PATHS="/etc /usr/local/etc" TEST_GROUP_TO_CHECK="all" TESTS_EXECUTED="" TESTS_SKIPPED="" + TIMEDATECTL="" TMPFILE="" TOMOYOINITBINARY="" TOOLTIP_SHOWED=0 @@ -320,6 +331,7 @@ ETC_PATHS="/etc /usr/local/etc" USBGUARD_ROOT="" VALUE="" VERBOSE=0 + VERITYSETUPBINARY="" VGDISPLAYBINARY="" VMTYPE="" VULNERABLE_PACKAGES_FOUND=0 -- cgit v1.2.3 From f0ded6c2a3408d361145952234bfcd306eae0d23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 19 Oct 2020 12:07:16 +0200 Subject: add Mageia EOL dates and grep /etc/mageia-release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Thomas Sjögren --- db/software-eol.db | 10 ++++++++++ include/osdetection | 8 ++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index 2412a203..ea7d5888 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -68,6 +68,16 @@ os:Linux Mint 18:2021-04-01:1617228000: os:Linux Mint 19:2023-04-01:1680300000: os:Linux Mint 20:2025-04-01:1743458400: # +# Mageia - https://www.mageia.org/en/support/ +# +os:Mageia 1:2012-12-01:1354316400 +os:Mageia 2:2013-11-22:1385074800 +os:Mageia 3:2014-11-26:1416956400 +os:Mageia 4:2015-09-19:1442613600 +os:Mageia 5:2017-12-31:1514674800 +os:Mageia 6:2019-09-30:1569794400 +os:Mageia 7:2020-12-30:1609282800 +# # NetBSD - https://www.netbsd.org/support/security/release.html and # https://www.netbsd.org/releases/formal.html # diff --git a/include/osdetection b/include/osdetection index 5aa5878b..441ef6bd 100644 --- a/include/osdetection +++ b/include/osdetection @@ -396,11 +396,11 @@ LINUX_VERSION="Fedora" fi - # Mageia (has also /etc/megaia-release) - FIND=$(grep "Mageia" /etc/redhat-release) + # Mageia (/etc/redhat-release -> /etc/mageia-release link) + FIND=$(grep "Mageia" /etc/mageia-release) if [ ! "${FIND}" = "" ]; then - OS_FULLNAME=$(grep "^Mageia" /etc/redhat-release) - OS_VERSION=$(grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }') + OS_FULLNAME=$(grep "^Mageia" /etc/mageia-release) + OS_VERSION=$(grep "^Mageia" /etc/mageia-release | awk '{ if ($2=="release") { print $3 } }') LINUX_VERSION="Mageia" fi -- cgit v1.2.3 From 68e8ef862e4da525efc1b157e74e8789a50b32e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 19 Oct 2020 12:38:59 +0200 Subject: mageia got /etc/os-release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/osdetection | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
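Review bot: The seven added `os:Mageia` rows in db/software-eol.db end right after the timestamp, whereas the neighbouring `os:Linux Mint 20:2025-04-01:1743458400:` rows close the record with a trailing `:`. Whether the code that reads this file needs the last separator is not visible here, but a parser that splits on `:` or anchors on the record end would treat the two shapes differently. I would keep one record shape throughout, e.g. `os:Mageia 7:2020-12-30:1609282800:`.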
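Review bot: The three `grep` calls in the include/osdetection hunk now read /etc/mageia-release with no existence check and no stderr redirect, so on a host that has /etc/redhat-release but no Mageia file each call would print a "No such file or directory" error during OS detection. The enclosing block starts outside the hunk, so a guard may already exist above; if it does not, wrap the section in `if [ -e /etc/mageia-release ]; then` … `fi`. The neighbouring distribution checks still read /etc/redhat-release, which is what makes this one stand out.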
diff --git a/include/osdetection b/include/osdetection index 441ef6bd..34667ca8 100644 --- a/include/osdetection +++ b/include/osdetection @@ -212,6 +212,12 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "mageia") + LINUX_VERSION="Mageia" + OS_NAME="Mageia" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "manjaro") LINUX_VERSION="Manjaro" OS_FULLNAME="Manjaro Linux" @@ -396,13 +402,6 @@ LINUX_VERSION="Fedora" fi - # Mageia (/etc/redhat-release -> /etc/mageia-release link) - FIND=$(grep "Mageia" /etc/mageia-release) - if [ ! "${FIND}" = "" ]; then - OS_FULLNAME=$(grep "^Mageia" /etc/mageia-release) - OS_VERSION=$(grep "^Mageia" /etc/mageia-release | awk '{ if ($2=="release") { print $3 } }') - LINUX_VERSION="Mageia" - fi # Oracle Enterprise Linux FIND=$(grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release) -- cgit v1.2.3 From 537624da15d2127007c5d21423d5265e92902aa8 Mon Sep 17 00:00:00 2001 From: Fabien Lehoussel Date: Mon, 19 Oct 2020 15:02:48 +0200 Subject: Fix wc command with --lines argument to be used with busybox --- include/tests_filesystems | 10 +++++----- include/tests_mac_frameworks | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index bfe451ab..3e103959 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
@@ -629,11 +629,11 @@ fi done fi - NMOUNTS=$(mount | ${WCBINARY} --lines) - NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} --lines) - NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} --lines) - NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} --lines) - NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} --lines) + NMOUNTS=$(mount | ${WCBINARY} -l) + NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l) + NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l) + NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l) + NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l) LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}" Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}" fi diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 3f23c77e..09c0e3ab 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks 
@@ -76,7 +76,7 @@ Report "apparmor_policy_loaded=1" AddHP 3 3 # ignore kernel threads (Parent PID = 2 [kthreadd]) - NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} --lines) + NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} -l) Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes" for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do LogText "Result: Unconfined process: ${PROCESS}" @@ -159,13 +159,13 @@ fi Display --indent 8 --text "Current SELinux mode: ${FIND}" PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ') - NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} --lines) + NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l) Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types" LogText "Permissive SELinux object types: ${PERMISSIVE}" UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ') INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ') - NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} --lines) - NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} --lines) + NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l) + NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} -l) Display --indent 8 --text "Found ${NUNCONFINED} unconfined and ${NINITRC} initrc_t processes" LogText "Unconfined processes: ${UNCONFINED}" LogText "Processes with initrc_t type: ${INITRC}" 
@@ -207,7 +207,7 @@ Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN Report "tomoyo_enabled=1" if [ ! -z ${TOMOYOPSTREEBINARY} ]; then - NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${WCBINARY} --lines) + NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${WCBINARY} -l) Display --indent 8 --text "Found ${NUNCONFINED} unconfined (not profile 3) processes" for PROCESS in $(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${SEDBINARY} -e 's/+-//g' -e 's/^ *//g' -e 's/ \+/:/g' | ${SORTBINARY}); do LogText "Result: Unconfined process: ${PROCESS}" -- cgit v1.2.3 From ae7be7599ed6d5e98a68fb537e0d8f61375fbedb Mon Sep 17 00:00:00 2001 From: Fabien Lehoussel Date: Mon, 19 Oct 2020 15:09:43 +0200 Subject: Fix head cmd with busybox --- include/tests_crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_crypto b/include/tests_crypto index d4a90cc2..61074cdc 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -245,7 +245,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: looking for ${ROOTDIR}sys/class/misc/hw_random/rng_current" if [ -f "${ROOTDIR}sys/class/misc/hw_random/rng_current" ]; then - DATA=$(${HEADBINARY} --lines=1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]') + DATA=$(${HEADBINARY} -n 1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]') if [ "${DATA}" != "none" ]; then LogText "Result: positive match, found RNG: ${DATA}" if IsRunning "rngd"; then -- cgit v1.2.3 From bc85cbb0ba2a200509c0cc4fc56cdc1d27efc50b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 20 Oct 2020 11:49:05 +0200 Subject: add Void Linux MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/osdetection | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/include/osdetection b/include/osdetection index 5aa5878b..49dba032 100644 --- a/include/osdetection +++ b/include/osdetection @@ -279,6 +279,11 @@ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Ubuntu" ;; + "void") + LINUX_VERSION="Void Linux" + OS_VERSION="Rolling release" + OS_NAME="Void Linux" + ;; "zorin") LINUX_VERSION="Zorin OS" OS_NAME="Zorin OS" -- cgit v1.2.3 From 77b93ae73df0de716f7dd56f85a8c51406607a54 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 20 Oct 2020 13:06:40 +0200 Subject: Added SLES detection via /etc/os-release --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index 49dba032..eac5eadf 100644 --- a/include/osdetection +++ b/include/osdetection @@ -273,6 +273,12 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "sles") + LINUX_VERSION="SLES" + OS_NAME="openSUSE" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "ubuntu") LINUX_VERSION="Ubuntu" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') -- cgit v1.2.3 From afc4604b9f4cada6a4de588726a8c36773acd1eb Mon Sep 17 00:00:00 2001 From: Claudia Date: Tue, 20 Oct 2020 22:21:13 +0200 Subject: Update macOS EOL --- db/software-eol.db | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/db/software-eol.db b/db/software-eol.db index e8163b23..63baa280 100644 --- a/db/software-eol.db +++ b/db/software-eol.db 
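Review bot: The `"sles")` branch sets `LINUX_VERSION="SLES"` but `OS_NAME="openSUSE"`, which reads like a value carried over from another branch; SUSE Linux Enterprise Server and openSUSE are different products with different support lifetimes. Anything keyed on OS_NAME (report fields, end-of-life lookup) would then treat a SLES host as openSUSE. If that is not deliberate I would use `OS_NAME="SLES"`, or add a comment explaining why the openSUSE name is wanted. OS_VERSION_FULL is also taken from PRETTY_NAME here, unlike the sibling branches that read VERSION, which deserves a one-line comment as well.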
@@ -111,7 +111,8 @@ os:macOS Catalina \(10.15.2\):2020-01-28:1580166000: os:macOS Catalina \(10.15.3\):2020-03-24:1585004400: os:macOS Catalina \(10.15.4\):2020-05-26:1590444000: os:macOS Catalina \(10.15.5\):2020-07-15:1594764000: -os:macOS Catalina \(10.15.6\)::-1: +os:macOS Catalina \(10.15.6\):2020-09-24:1600898400: +os:macOS Catalina \(10.15.7\)::-1: # # Mageia - https://www.mageia.org/en/support/ # -- cgit v1.2.3 From 3124a04ce9ace5a9bc650a70aac940b3bcacac9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 21 Oct 2020 11:27:44 +0200 Subject: require pgrep before usage MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/functions | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/functions b/include/functions index 8cd95aec..6964da20 100644 --- a/include/functions +++ b/include/functions @@ -1547,8 +1547,7 @@ if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi RUNNING=0 - # AIX does not fully support pgrep options, so using ps instead - if [ "${OS}" != "AIX" ]; then + if [ -x "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]; then # When --user is used, perform a search using the -u option # Initialize users for strict mode if [ -n "${users:-}" ]; then -- cgit v1.2.3 From 71c474f4550667c055691421bf4241d5fbc53ab3 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 21 Oct 2020 14:40:30 +0200 Subject: [KRNL-5830] ignore rescue kernel on systems such as CentOS --- include/tests_kernel | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index 7bd11e59..656048e9 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
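Review bot: The rewritten condition in IsRunning drops the comment that explained the AIX exclusion and expands `${PGREPBINARY}` without a default, while the lines just below it use `${users:-}` with the remark "Initialize users for strict mode". If PGREPBINARY can be unset when the function is first called, strict mode would abort here instead of falling through to the ps path; `if [ -x "${PGREPBINARY:-}" ] && [ "${OS}" != "AIX" ]; then` avoids that. I would also keep a comment such as `# Use pgrep only when available; AIX does not fully support its options, so fall back to ps`. The body of the `if` continues outside the hunk.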
@@ -665,8 +665,9 @@ LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts" FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts else - # Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default - FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1) + # Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Get newest file (ls -t and pipe into head) + # Note: ignore a rescue kernel (e.g. CentOS) + FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${HEADBINARY} -1) LogText "Result: found ${FOUND_VMLINUZ}" fi -- cgit v1.2.3 From cd24f376410e4d5a845e065e4915516e98449199 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 21 Oct 2020 14:45:07 +0200 Subject: Updated log --- CHANGELOG.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86974a3d..80cea215 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,12 +3,15 @@ ## Lynis 3.0.2 (not released yet) ### Added -- Detection of ROSA Linux -- Detection of Zorin OS +- Detection of Flatcar, Mageia, ROSA Linux, SLES (extended), Void Linux, Zorin OS +- macOS and Mageia EOL dates ### Changed - KRNL-5830 - Improved reboot test by ignoring known bad values +- KRNL-5830 - Ignore rescue kernel such as on CentOS systems - PKGS-7410 - Don't show exception if no kernels were found on the disk +- ParseNginx function: Support include on absolute paths +- ParseNginx function: Ignore empty included wildcards - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux - French translation improved - Small code enhancements -- cgit v1.2.3 From 1e9d3b45da6fb9aea3c9d2f666f2e77e87d6b016 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 21 Oct 2020 15:04:55 +0200 Subject: Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 80cea215..74bb5be3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
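Review bot: The filter `${GREPBINARY} -v '\-rescue\-'` in the include/tests_kernel hunk relies on `\-` inside a basic regular expression, which POSIX leaves undefined and which recent GNU grep reports as a stray backslash on stderr (only the `ls` call has `2> /dev/null` here). `${GREPBINARY} -v -e '-rescue-'` matches the same names without the escape. The trailing `${HEADBINARY} -1` is the obsolete option form; the tests_crypto patch earlier in this series moved to `-n 1` for busybox, so `${HEADBINARY} -n 1` would be consistent. Parsing `ls -t` output also breaks on unusual file names, though that predates this change.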
@@ -10,6 +10,7 @@ - KRNL-5830 - Improved reboot test by ignoring known bad values - KRNL-5830 - Ignore rescue kernel such as on CentOS systems - PKGS-7410 - Don't show exception if no kernels were found on the disk +- TIME-3185 - Supports now checking files at multiple locations (systemd) - ParseNginx function: Support include on absolute paths - ParseNginx function: Ignore empty included wildcards - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux -- cgit v1.2.3 From c2e0c28912f479b816f04f78ce428172dae42645 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 21 Oct 2020 15:09:56 +0200 Subject: Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 74bb5be3..a21e03bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ - ParseNginx function: Support include on absolute paths - ParseNginx function: Ignore empty included wildcards - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux +- Test if pgrep exists before using it - French translation improved - Small code enhancements -- cgit v1.2.3 From 67d04f25367bc069e717c7b811c0c6e13eeedcf6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?St=C3=A9phane?= Date: Thu, 22 Oct 2020 00:13:42 +0200 Subject: Add translate function for all sections + add EN and FR up to date languages files --- db/languages/en | 45 ++++++++++++++++++++++++++++++- db/languages/fr | 59 +++++++++++++++++++++++++++++++++++------ include/binaries | 2 +- include/helper_audit_dockerfile | 10 +++---- include/tests_accounting | 2 +- include/tests_authentication | 2 +- include/tests_banners | 2 +- include/tests_boot_services | 2 +- include/tests_containers | 2 +- include/tests_crypto | 2 +- include/tests_databases | 2 +- include/tests_file_integrity | 2 +- include/tests_file_permissions | 2 +- include/tests_filesystems | 2 +- include/tests_firewalls | 2 +- include/tests_hardening | 2 +- include/tests_homedirs | 2 +- include/tests_insecure_services | 2 +- include/tests_kernel | 2 +- include/tests_kernel_hardening | 2 +- include/tests_ldap | 2 +- include/tests_logging | 2 +- include/tests_mac_frameworks | 2 +- include/tests_mail_messaging | 2 +- include/tests_malware | 2 +- include/tests_nameservices | 2 +- include/tests_networking | 2 +- include/tests_ports_packages | 2 +- include/tests_printers_spoolers | 2 +- include/tests_scheduling | 2 +- include/tests_shells | 2 +- include/tests_snmp | 2 +- include/tests_squid | 2 +- include/tests_ssh | 2 +- include/tests_storage | 2 +- include/tests_system_integrity | 2 +- include/tests_time | 2 +- include/tests_tooling | 2 +- include/tests_usb | 2 +- include/tests_virtualization | 2 +- include/tests_webservers | 2 +- lynis | 4 +-- 42 files changed, 140 insertions(+), 54 deletions(-) diff --git a/db/languages/en b/db/languages/en index 7b697896..7ab20590 100644 --- a/db/languages/en +++ b/db/languages/en 
@@ -14,12 +14,55 @@ NOTE_EXCEPTIONS_FOUND="Exceptions found" NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found" NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode" +SECTION_ACCOUNTING="Accounting" +SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification" +SECTION_BASICS="Basics" +SECTION_BOOT_AND_SERVICES="Boot and services" +SECTION_CONTAINERS="Containers" +SECTION_CRYPTOGRAPHY="Cryptography" SECTION_CUSTOM_TESTS="Custom tests" SECTION_DATA_UPLOAD="Data upload" +SECTION_DATABASES="Databases" +SECTION_DOWNLOADS="Downloads" +SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging" +SECTION_FILE_INTEGRITY="Software: file integrity" +SECTION_FILE_PERMISSIONS="File Permissions" +SECTION_FILE_SYSTEMS="File systems" +SECTION_FIREWALLS="Software: firewalls" +SECTION_GENERAL="General" +SECTION_HARDENING="Hardening" +SECTION_HOME_DIRECTORIES="Home directories" +SECTION_IMAGE="Image" SECTION_INITIALIZING_PROGRAM="Initializing program" -SECTION_MALWARE="Malware" +SECTION_INSECURE_SERVICES="Insecure services" +SECTION_KERNEL="Kernel" +SECTION_KERNEL_HARDENING="Kernel Hardening" +SECTION_LDAP_SERVICES="LDAP Services" +SECTION_LOGGING_AND_FILES="Logging and files" +SECTION_MALWARE="Software: Malware" SECTION_MEMORY_AND_PROCESSES="Memory and Processes" +SECTION_NAME_SERVICES="Name services" +SECTION_NETWORKING="Networking" +SECTION_PERMISSIONS="Permissions" +SECTION_PORTS_AND_PACKAGES="Ports and packages" +SECTION_PRINTERS_AND_SPOOLS="Printers and Spools" +SECTION_PROGRAM_DETAILS="Program Details" +SECTION_SCHEDULED_TASKS="Scheduled tasks" +SECTION_SECURITY_FRAMEWORKS="Security frameworks" +SECTION_SHELLS="Shells" +SECTION_SNMP_SUPPORT="SNMP Support" +SECTION_SOFTWARE="Software" +SECTION_SQUID_SUPPORT="Squid Support" +SECTION_SSH_SUPPORT="SSH Support" +SECTION_STORAGE="Storage" 
+SECTION_SYSTEM_INTEGRITY="Software: System integrity" +SECTION_SYSTEM_TOOLING="Software: System tooling" SECTION_SYSTEM_TOOLS="System tools" +SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization" +SECTION_USB_DEVICES="USB Devices" +SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication" +SECTION_VIRTUALIZATION="Virtualization" +SECTION_WEBSERVER="Software: webserver" STATUS_DISABLED="DISABLED" STATUS_DONE="DONE" STATUS_ENABLED="ENABLED" diff --git a/db/languages/fr b/db/languages/fr index 848dd94e..0a867eee 100644 --- a/db/languages/fr +++ b/db/languages/fr @@ -2,7 +2,7 @@ ERROR_NO_LICENSE="Pas de clé de licence configurée" ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré" GEN_CHECKING="Vérification" GEN_CURRENT_VERSION="Version actuelle" -GEN_DEBUG_MODE="mode debug" +GEN_DEBUG_MODE="mode débug" GEN_INITIALIZE_PROGRAM="Initialisation" GEN_LATEST_VERSION="Dernière version" GEN_PHASE="phase" 
@@ -12,34 +12,77 @@ GEN_VERBOSE_MODE="mode verbeux" GEN_WHAT_TO_DO="Que faire" NOTE_EXCEPTIONS_FOUND="Exceptions trouvées" NOTE_EXCEPTIONS_FOUND_DETAILED="Des événements ou informations exceptionnels ont été trouvés" -NOTE_PLUGINS_TAKE_TIME="Note : Les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes" +NOTE_PLUGINS_TAKE_TIME="Note : Les plugins ont des tests plus poussés qui peuvent prendre plusieurs minutes" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tests ignorés faute de privilèges" +SECTION_ACCOUNTING="Comptes" +SECTION_BANNERS_AND_IDENTIFICATION="Bannières et identification" +SECTION_BASICS="Basics" +SECTION_BOOT_AND_SERVICES="Démarrage et services" +SECTION_CONTAINERS="Conteneurs" +SECTION_CRYPTOGRAPHY="Cryptographie" SECTION_CUSTOM_TESTS="Tests personnalisés" SECTION_DATA_UPLOAD="Téléchargement de données" +SECTION_DATABASES="Bases de données" +SECTION_DOWNLOADS="Téléchargements" +SECTION_EMAIL_AND_MESSAGING="Logiciel : Email et messagerie" +SECTION_FILE_INTEGRITY="Logiciel : Intégrité de fichier" +SECTION_FILE_PERMISSIONS="Permissions de fichier" +SECTION_FILE_SYSTEMS="Systèmes de fichier" +SECTION_FIREWALLS="Logiciel : Pare-feux" +SECTION_GENERAL="Général" +SECTION_HARDENING="Hardening" +SECTION_HOME_DIRECTORIES="Home directories" +SECTION_IMAGE="Image" SECTION_INITIALIZING_PROGRAM="Initialisation du programme" -SECTION_MALWARE="Malware" +SECTION_INSECURE_SERVICES="Services non sécurisés" +SECTION_KERNEL="Noyau" +SECTION_KERNEL_HARDENING="Kernel Hardening" +SECTION_LDAP_SERVICES="Services LDAP" +SECTION_LOGGING_AND_FILES="Journalisation et fichiers" +SECTION_MALWARE="Logiciel : Malware" SECTION_MEMORY_AND_PROCESSES="Mémoire et processus" +SECTION_NAME_SERVICES="Services de noms" +SECTION_NETWORKING="Mise en réseau" +SECTION_PERMISSIONS="Permissions" +SECTION_PORTS_AND_PACKAGES="Ports et packages" +SECTION_PRINTERS_AND_SPOOLS="Imprimantes et serveurs d'impression" +SECTION_PROGRAM_DETAILS="Détails du programme" 
+SECTION_SCHEDULED_TASKS="Tâches planifiées" +SECTION_SECURITY_FRAMEWORKS="Security frameworks" +SECTION_SHELLS="Shells" +SECTION_SNMP_SUPPORT="Prise en charge SNMP" +SECTION_SOFTWARE="Logiciel" +SECTION_SQUID_SUPPORT="Prise en charge Squid" +SECTION_SSH_SUPPORT="Prise en charge SSH" +SECTION_STORAGE="Stockage" +SECTION_SYSTEM_INTEGRITY="Logiciel : Intégrité du système" +SECTION_SYSTEM_TOOLING="Logiciel : System tooling" SECTION_SYSTEM_TOOLS="Outils système" +SECTION_TIME_AND_SYNCHRONIZATION="Heure et synchronisation" +SECTION_USB_DEVICES="Périphériques USB" +SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utilisateurs, groupes et authentification" +SECTION_VIRTUALIZATION="Virtualisation" +SECTION_WEBSERVER="Logiciel : Serveur web" STATUS_DISABLED="DÉSACTIVÉ" STATUS_DONE="FAIT" STATUS_ENABLED="ACTIVÉ" STATUS_ERROR="ERREUR" STATUS_FAILED="ÉCHOUÉ" STATUS_FOUND="TROUVÉ" -STATUS_OFF="OFF" -STATUS_OK="OK" -STATUS_ON="ON" STATUS_NO="NON" STATUS_NONE="AUCUN" STATUS_NOT_CONFIGURED="NON CONFIGURÉ" STATUS_NOT_FOUND="NON TROUVÉ" STATUS_NOT_RUNNING="NON LANCÉ" +STATUS_OFF="OFF" +STATUS_OK="OK" +STATUS_ON="ON" STATUS_RUNNING="EN COURS" STATUS_SKIPPED="IGNORÉ" STATUS_SUGGESTION="SUGGESTION" STATUS_UNKNOWN="INCONNU" -STATUS_WARNING="ATTENTION" +STATUS_WARNING="AVERTISSEMENT" STATUS_WEAK="FAIBLE" STATUS_YES="OUI" -TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal" TEXT_UPDATE_AVAILABLE="Mise à jour disponible" +TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal" diff --git a/include/binaries b/include/binaries index ae2c2824..86a4a22f 100644 --- a/include/binaries +++ b/include/binaries @@ -30,7 +30,7 @@ ################################################################################# # if [ ${CHECK_BINARIES} -eq 1 ]; then - InsertSection "System Tools" + InsertSection "${SECTION_SYSTEM_TOOLS}" Display --indent 2 --text "- Scanning available tools..." LogText "Start scanning for available audit binaries and tools..." 
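Review bot: `InsertSection "${SECTION_SYSTEM_TOOLS}"` in include/binaries now takes its title from a language variable with no fallback, and the same pattern is applied in include/helper_audit_dockerfile and the include/tests_* files that follow. The diffstat shows only db/languages/en and db/languages/fr gaining the new SECTION_* keys, so for any other language file the title would be empty (or the run would abort under strict mode) unless the English file is always loaded first; that loading code is not part of this patch. A default at the call site, `InsertSection "${SECTION_SYSTEM_TOOLS:-System Tools}"`, or a comment stating the English-first guarantee would make this safe. For an audit tool, blank section headings also make the report harder to read and to parse.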
diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile index 05d24c24..a71326ee 100644 --- a/include/helper_audit_dockerfile +++ b/include/helper_audit_dockerfile @@ -44,7 +44,7 @@ fi ################################################################################################## # - InsertSection "Image" + InsertSection "${SECTION_IMAGE}" PKGMGR="" FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g') @@ -93,7 +93,7 @@ fi # ################################################################################################## # - InsertSection "Basics" + InsertSection "${SECTION_BASICS}" MAINTAINER=$(grep -E -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2) if [ -z "${MAINTAINER}" ]; then @@ -127,7 +127,7 @@ fi # ################################################################################################## # - InsertSection "Software" + InsertSection "${SECTION_SOFTWARE}" case $PKGMGR in "apt") @@ -166,7 +166,7 @@ fi # ################################################################################################## # - InsertSection "Downloads" + InsertSection "${SECTION_DOWNLOADS}" FILE_DOWNLOAD=0 @@ -217,7 +217,7 @@ fi # ################################################################################################## # - InsertSection "Permissions" + InsertSection "${SECTION_PERMISSIONS}" FIND=$(grep -i "chmod 777" ${AUDIT_FILE}) if HasData "${FIND}"; then diff --git a/include/tests_accounting b/include/tests_accounting index 91fca1a0..ea763789 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -18,7 +18,7 @@ # ################################################################################# # - InsertSection "Accounting" + InsertSection "${SECTION_ACCOUNTING}" # ################################################################################# # diff --git a/include/tests_authentication b/include/tests_authentication index 3dbe08f7..274cd4f4 100644 --- a/include/tests_authentication 
+++ b/include/tests_authentication @@ -31,7 +31,7 @@ # ################################################################################# # - InsertSection "Users, Groups and Authentication" + InsertSection "${SECTION_USERS_GROUPS_AND_AUTHENTICATION}" # Test : AUTH-9204 # Description : Check users with UID zero (0) diff --git a/include/tests_banners b/include/tests_banners index 60fa3c2e..f7e4d7e9 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Banners and identification" + InsertSection "${SECTION_BANNERS_AND_IDENTIFICATION}" # ################################################################################# # diff --git a/include/tests_boot_services b/include/tests_boot_services index fe5707e4..c86ca52c 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Boot and services" + InsertSection "${SECTION_BOOT_AND_SERVICES}" # ################################################################################# # diff --git a/include/tests_containers b/include/tests_containers index a9a18836..78c12c50 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Containers" + InsertSection "${SECTION_CONTAINERS}" # ################################################################################# # diff --git a/include/tests_crypto b/include/tests_crypto index d4a90cc2..4885fab0 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
@@ -26,7 +26,7 @@ # ################################################################################# # - InsertSection "Cryptography" + InsertSection "${SECTION_CRYPTOGRAPHY}" # ################################################################################# # diff --git a/include/tests_databases b/include/tests_databases index ace3fd67..fc44d690 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -39,7 +39,7 @@ # ################################################################################# # - InsertSection "Databases" + InsertSection "${SECTION_DATABASES}" # Test : DBS-1804 # Description : Check if MySQL is being used diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 728c2616..c06b1703 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -25,7 +25,7 @@ # ################################################################################# # - InsertSection "Software: file integrity" + InsertSection "${SECTION_FILE_INTEGRITY}" Display --indent 2 --text "- Checking file integrity tools" # ################################################################################# diff --git a/include/tests_file_permissions b/include/tests_file_permissions index e9e859fd..50ccdeee 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "File Permissions" + InsertSection "${SECTION_FILE_PERMISSIONS}" # ################################################################################# # diff --git a/include/tests_filesystems b/include/tests_filesystems index bfe451ab..8dc65acc 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
@@ -28,7 +28,7 @@ # ################################################################################# # - InsertSection "File systems" + InsertSection "${SECTION_FILE_SYSTEMS}" # ################################################################################# # diff --git a/include/tests_firewalls b/include/tests_firewalls index d3ff1e3d..4d0ba748 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Software: firewalls" + InsertSection "${SECTION_FIREWALLS}" # ################################################################################# # diff --git a/include/tests_hardening b/include/tests_hardening index 2f88b179..4feff7c6 100644 --- a/include/tests_hardening +++ b/include/tests_hardening @@ -18,7 +18,7 @@ # ################################################################################# # - InsertSection "Hardening" + InsertSection "${SECTION_HARDENING}" # COMPILER_INSTALLED is initialized before HARDEN_COMPILERS_NEEDED=0 diff --git a/include/tests_homedirs b/include/tests_homedirs index 09f4601c..c896bf86 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Home directories" + InsertSection "${SECTION_HOME_DIRECTORIES}" # ################################################################################# # diff --git a/include/tests_insecure_services b/include/tests_insecure_services index d6d87245..230d117e 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Insecure services" + InsertSection "${SECTION_INSECURE_SERVICES}" # ################################################################################# # 
diff --git a/include/tests_kernel b/include/tests_kernel index 656048e9..d0f5cdcd 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Kernel" + InsertSection "${SECTION_KERNEL}" # ################################################################################# # diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index 59a5f846..2b45394e 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Kernel Hardening" + InsertSection "${SECTION_KERNEL_HARDENING}" # ################################################################################# # diff --git a/include/tests_ldap b/include/tests_ldap index 26d11965..7558d491 100644 --- a/include/tests_ldap +++ b/include/tests_ldap @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "LDAP Services" + InsertSection "${SECTION_LDAP_SERVICES}" # ################################################################################# # diff --git a/include/tests_logging b/include/tests_logging index 292940e3..b6110263 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -36,7 +36,7 @@ # ################################################################################# # - InsertSection "Logging and files" + InsertSection "${SECTION_LOGGING_AND_FILES}" # Test : LOGG-2130 # Description : Check for a running syslog daemon diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 3f23c77e..5234ab36 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks 
@@ -24,7 +24,7 @@ SELINUXFOUND=0 TOMOYOFOUND=0 - InsertSection "Security frameworks" + InsertSection "${SECTION_SECURITY_FRAMEWORKS}" # ################################################################################# # diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index 3a65765c..cbbde8a0 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Software: e-mail and messaging" + InsertSection "${SECTION_EMAIL_AND_MESSAGING}" # ################################################################################# # diff --git a/include/tests_malware b/include/tests_malware index 5e3c6fca..3710be60 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Software: ${SECTION_MALWARE}" + InsertSection "${SECTION_MALWARE}" # ################################################################################# # diff --git a/include/tests_nameservices b/include/tests_nameservices index df41fbc9..46f4f1fb 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Name services" + InsertSection "${SECTION_NAME_SERVICES}" # ################################################################################# # diff --git a/include/tests_networking b/include/tests_networking index 420f26ea..9657a841 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -31,7 +31,7 @@ # ################################################################################# # - InsertSection "Networking" + InsertSection "${SECTION_NETWORKING}" # ################################################################################# # 
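Review bot: The tests_malware hunk changes the visible heading as well as its source, because `InsertSection "Software: ${SECTION_MALWARE}"` becomes `InsertSection "${SECTION_MALWARE}"` and the literal `Software: ` prefix is lost. The Italian file in this series sets `SECTION_MALWARE="Malware"`, so that heading no longer carries the prefix. The other former `Software: …` headings (file integrity, firewalls, e-mail and messaging, system integrity, system tooling, webserver) move to new variables whose values are not visible here, so it is unclear whether the prefix is kept consistently. If the grouping prefix is intended, put it into each translated value; otherwise note the heading rename in the changelog, since anything matching on section titles in screen output would be affected.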
diff --git a/include/tests_ports_packages b/include/tests_ports_packages index e1071474..c2978be6 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Ports and packages" + InsertSection "${SECTION_PORTS_AND_PACKAGES}" PACKAGE_MGR_PKG=0 PACKAGE_AUDIT_TOOL="" PACKAGE_AUDIT_TOOL_FOUND=0 diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers index b8435493..61304f87 100644 --- a/include/tests_printers_spoolers +++ b/include/tests_printers_spoolers @@ -34,7 +34,7 @@ # ################################################################################# # - InsertSection "Printers and Spools" + InsertSection "${SECTION_PRINTERS_AND_SPOOLS}" # ################################################################################# # diff --git a/include/tests_scheduling b/include/tests_scheduling index a7b3f5c2..b461ba95 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Scheduled tasks" + InsertSection "${SECTION_SCHEDULED_TASKS}" # ################################################################################# # diff --git a/include/tests_shells b/include/tests_shells index 6f39e1fd..89be9979 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -23,7 +23,7 @@ ################################################################################# # IDLE_TIMEOUT=0 - InsertSection "Shells" + InsertSection "${SECTION_SHELLS}" # ################################################################################# # diff --git a/include/tests_snmp b/include/tests_snmp index d8ce450d..0bf785f0 100644 --- a/include/tests_snmp +++ b/include/tests_snmp 
@@ -28,7 +28,7 @@ # ################################################################################# # - InsertSection "SNMP Support" + InsertSection "${SECTION_SNMP_SUPPORT}" # Test : SNMP-3302 # Description : Check for a running SNMP daemon diff --git a/include/tests_squid b/include/tests_squid index f94befa0..d62310a3 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -29,7 +29,7 @@ # ################################################################################# # - InsertSection "Squid Support" + InsertSection "${SECTION_SQUID_SUPPORT}" # ################################################################################# # diff --git a/include/tests_ssh b/include/tests_ssh index bd02440c..43c678b9 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -34,7 +34,7 @@ # ################################################################################# # - InsertSection "SSH Support" + InsertSection "${SECTION_SSH_SUPPORT}" # ################################################################################# # diff --git a/include/tests_storage b/include/tests_storage index 6de4f15d..89431aa0 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -18,7 +18,7 @@ # ################################################################################# # - InsertSection "Storage" + InsertSection "${SECTION_STORAGE}" # ################################################################################# # diff --git a/include/tests_system_integrity b/include/tests_system_integrity index 7a21925b..825f3d70 100644 --- a/include/tests_system_integrity +++ b/include/tests_system_integrity @@ -25,7 +25,7 @@ # ################################################################################# # - InsertSection "Software: system integrity" + InsertSection "${SECTION_SYSTEM_INTEGRITY}" Display --indent 2 --text "- Checking file integrity tools" # ################################################################################# 
diff --git a/include/tests_time b/include/tests_time index 3c5a8477..95c695bc 100644 --- a/include/tests_time +++ b/include/tests_time @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Time and Synchronization" + InsertSection "${SECTION_TIME_AND_SYNCHRONIZATION}" # ################################################################################# # diff --git a/include/tests_tooling b/include/tests_tooling index 7fed8460..26870934 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -37,7 +37,7 @@ # ################################################################################# # - InsertSection "Software: System tooling" + InsertSection "${SECTION_SYSTEM_TOOLING}" # ################################################################################# # diff --git a/include/tests_usb b/include/tests_usb index 1c6cae6d..92c81a32 100644 --- a/include/tests_usb +++ b/include/tests_usb @@ -19,7 +19,7 @@ # ################################################################################# # - InsertSection "USB Devices" + InsertSection "${SECTION_USB_DEVICES}" # ################################################################################# # diff --git a/include/tests_virtualization b/include/tests_virtualization index 3902defc..e4df170e 100644 --- a/include/tests_virtualization +++ b/include/tests_virtualization @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Virtualization" + InsertSection "${SECTION_VIRTUALIZATION}" # ################################################################################# # diff --git a/include/tests_webservers b/include/tests_webservers index 188a6031..45588492 100644 --- a/include/tests_webservers +++ b/include/tests_webservers 
@@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Software: webserver" + InsertSection "${SECTION_WEBSERVER}" # ################################################################################# # diff --git a/lynis b/lynis index 17cd9e91..e7af15da 100755 --- a/lynis +++ b/lynis @@ -862,7 +862,7 @@ ${NORMAL} ################################################################################# # if IsVerbose; then - InsertSection "Program Details" + InsertSection "${SECTION_PROGRAM_DETAILS}" Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN if IsDebug; then Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN @@ -1017,7 +1017,7 @@ ${NORMAL} LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)" ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}" # Insert a section and warn user also on screen - InsertSection "General" + InsertSection "${SECTION_GENERAL}" Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED fi else -- cgit v1.2.3 From 4671fb7fb93598d38e315a7be6709752b553b995 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Thu, 22 Oct 2020 12:10:01 +0200 Subject: add Synology Antivirus Essential malware scanner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/binaries | 1 + include/tests_malware | 12 ++++++++++++ 2 files changed, 13 insertions(+) diff --git a/include/binaries b/include/binaries index 86a4a22f..a07d34ad 100644 --- a/include/binaries +++ b/include/binaries 
@@ -287,6 +287,7 @@ suricata) SURICATABINARY="${BINARY}"; LogText " Found known binary: suricata (IDS) - ${BINARY}" ;; swapon) SWAPONBINARY="${BINARY}"; LogText " Found known binary: swapon (swap device tool) - ${BINARY}" ;; swupd) SWUPDBINARY="${BINARY}"; LogText " Found known binary: swupd (package manager) - ${BINARY}" ;; + synoavd) SYNOAVDBINARY=${BINARY}; LogText " Found known binary: synoavd (Synology AV scanner) - ${BINARY}" ;; sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;; syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;; systemctl) SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;; diff --git a/include/tests_malware b/include/tests_malware index 3710be60..3c2cd72d 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -39,6 +39,7 @@ MALWARE_SCANNER_INSTALLED=0 SOPHOS_SCANNER_RUNNING=0 SYMANTEC_SCANNER_RUNNING=0 + SYNOLOGY_DAEMON_RUNNING=0 # ################################################################################# # @@ -239,6 +240,17 @@ Report "malware_scanner[]=symantec" fi + # Synology Antivirus Essential + LogText "Test: checking process synoavd" + if IsRunning "synoavd"; then + FOUND=1 + SYNOLOGY_DAEMON_RUNNING=1 + MALWARE_SCANNER_INSTALLED=1 + if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Synology Antivirus Essential" --result "${STATUS_FOUND}" --color GREEN; fi + LogText "Result: found Synology Antivirus Essential" + Report "malware_scanner[]=synoavd" + fi + # TrendMicro (macOS) LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)" if IsRunning "TmccMac"; then -- cgit v1.2.3 From 9f9fd51e1db93897bc58e29307478b378cdcb0e7 Mon Sep 17 00:00:00 2001 
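Review bot: The added `synoavd)` arm assigns `SYNOAVDBINARY=${BINARY}` without quotes, while the neighbouring arms in this hunk (`suricata`, `swapon`, `swupd`, `sysctl`) all use the quoted form. A plain assignment is not word-split, so behaviour is the same, but following the file's convention avoids the question of whether the difference is deliberate: `synoavd) SYNOAVDBINARY="${BINARY}"; LogText " Found known binary: synoavd (Synology AV scanner) - ${BINARY}" ;;`. The case statement starts and ends outside the hunk.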
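Review bot: The new Synology block sets `MALWARE_SCANNER_INSTALLED=1` from `IsRunning "synoavd"` alone, and never consults the `SYNOAVDBINARY` path that this same commit starts collecting in include/binaries. This follows the pattern of the neighbouring Symantec and Trend Micro checks, but a process-name match is a thin basis for reporting that a scanner is installed. If the binary is reliably found on Synology systems, tying the two together would make the finding harder to satisfy by accident: `if [ -n "${SYNOAVDBINARY:-}" ] && IsRunning "synoavd"; then`. `SYNOLOGY_DAEMON_RUNNING` is initialised and set, but no reader is visible in these hunks, so confirm it is used later or drop it. The test body starts and ends outside the hunk.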
From: Michael Boelen Date: Thu, 22 Oct 2020 13:26:46 +0200 Subject: Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a21e03bf..db5b05ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,8 +14,9 @@ - ParseNginx function: Support include on absolute paths - ParseNginx function: Ignore empty included wildcards - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux +- French translation file improved and translations extended - Test if pgrep exists before using it -- French translation improved +- Better support for busybox shell - Small code enhancements --------------------------------------------------------------------------------- -- cgit v1.2.3 From 0467df631460ec65e1b3a8dbd8875cce2715357c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 22 Oct 2020 13:28:58 +0200 Subject: Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index db5b05ea..edb1f41e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,11 +4,12 @@ ### Added - Detection of Flatcar, Mageia, ROSA Linux, SLES (extended), Void Linux, Zorin OS -- macOS and Mageia EOL dates +- Alpine, macOS and Mageia EOL dates ### Changed - KRNL-5830 - Improved reboot test by ignoring known bad values - KRNL-5830 - Ignore rescue kernel such as on CentOS systems +- KRNL-5830 - Detection of Alpine Linux kernel - PKGS-7410 - Don't show exception if no kernels were found on the disk - TIME-3185 - Supports now checking files at multiple locations (systemd) - ParseNginx function: Support include on absolute paths -- cgit v1.2.3 From bd6e1d5d395536963a5d66a95c147435cd7d914b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 22 Oct 2020 14:17:01 +0200 Subject: Include AUTH-9284 and minor changes --- CHANGELOG.md | 1 + db/tests.db | 1 + include/tests_authentication | 8 ++++---- 3 files changed, 6 insertions(+), 4 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index edb1f41e..69123178 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## Lynis 3.0.2 (not released yet) ### Added +- AUTH-9284 - Scan for locked user accounts in /etc/passwd - Detection of Flatcar, Mageia, ROSA Linux, SLES (extended), Void Linux, Zorin OS - Alpine, macOS and Mageia EOL dates diff --git a/db/tests.db b/db/tests.db index 26fc8f87..6efe1a1a 100644 --- a/db/tests.db +++ b/db/tests.db @@ -37,6 +37,7 @@ AUTH-9268:test:security:authentication::Checking presence pam.d files: AUTH-9278:test:security:authentication::Checking LDAP pam status: AUTH-9282:test:security:authentication::Checking password protected account without expire date: AUTH-9283:test:security:authentication::Checking accounts without password: +AUTH-9284:test:security:authentication::Checking locked user accounts in /etc/passwd: AUTH-9286:test:security:authentication::Checking user password aging: AUTH-9288:test:security:authentication::Checking for expired passwords: AUTH-9304:test:security:authentication:Solaris:Check single user login configuration: diff --git a/include/tests_authentication b/include/tests_authentication index a3c97bff..6186881a 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -927,8 +927,8 @@ ################################################################################# # # Test : AUTH-9284 - # Description : Search locked accounts - Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking locked accounts" + # Description : Check locked user accounts in /etc/passwd + Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check locked user accounts in /etc/passwd" if [ "${SKIPTEST}" -eq 0 ]; then LogText "Test: Checking locked accounts" NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq) 
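Review bot: The new description for AUTH-9284 is worded three different ways in this commit: `Check locked user accounts in /etc/passwd` in the `Register` call, `Checking locked user accounts in /etc/passwd` in db/tests.db, and the unchanged `LogText "Test: Checking locked accounts"`. Using the tests.db wording in the `Register --description` keeps the database, log and report in step. The phrase "in /etc/passwd" may also mislead, because the visible code reads /etc/passwd only to list accounts with a UID above 999. Where the lock state itself comes from is outside this hunk, and on shadow-password systems it is normally not stored in that file. The test body continues past the end of the hunk.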
@@ -946,11 +946,11 @@ for account in ${FIND3}; do if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then LogText "Locked account: ${account}" - Report "locked_account=${account}" + Report "locked_account[]=${account}" fi done Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED - ReportWarning "${TEST_NO}" "Found locked accounts" + ReportSuggestion "${TEST_NO}" "Look at the locked accounts and consider removing them" fi fi # -- cgit v1.2.3 From 299f531dcbef92545a0d3b50e017571ea5523916 Mon Sep 17 00:00:00 2001 From: Steve Kolenich Date: Thu, 22 Oct 2020 12:17:00 -0400 Subject: sorted italian language file --- db/languages/it | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/db/languages/it b/db/languages/it index 4ff32699..46ed8360 100644 --- a/db/languages/it +++ b/db/languages/it 
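Review bot: After this change the report records a suggestion (`ReportSuggestion`), but the unchanged `Display` line still prints `--result "${STATUS_WARNING}" --color RED`, so the screen shows a red warning that the report no longer contains. Aligning the two would read `Display --indent 2 --text "- Locked accounts" --result "${STATUS_SUGGESTION}" --color YELLOW`. Separately, the unchanged membership test `grep -w "${account}"` treats the account name as a regular expression and matches it as a word inside longer names such as `name-admin`. Because the new `locked_account[]=` entries depend on that test, `grep -Fx -- "${account}"` would be a stricter match against the newline-separated list. The enclosing `if` and the loop that builds `FIND3` start outside the hunk.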
@@ -1,38 +1,38 @@ +ERROR_NO_LICENSE="Nessuna chiave di licenza configurata" +ERROR_NO_UPLOAD_SERVER="Nessun server di upload configurato" GEN_CHECKING="Controllo" GEN_CURRENT_VERSION="Versione corrente" GEN_DEBUG_MODE="Modalità Debug" GEN_INITIALIZE_PROGRAM="Inizializzando il programma" GEN_PHASE="fase" GEN_PLUGINS_ENABLED="Plugin abilitati" -GEN_VERBOSE_MODE="Modalità Verbose" GEN_UPDATE_AVAILABLE="aggiornamento disponibile" +GEN_VERBOSE_MODE="Modalità Verbose" GEN_WHAT_TO_DO="Cosa fare" NOTE_EXCEPTIONS_FOUND="Trovate Eccezioni" NOTE_EXCEPTIONS_FOUND_DETAILED="Sono stati rilevati alcuni eventi o informazioni eccezionali" NOTE_PLUGINS_TAKE_TIME="Nota: i plugin sono sottoposti a test più estesi e possono richiedere alcuni minuti per il completamento" +NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata" SECTION_CUSTOM_TESTS="Test su misura (Custom)" SECTION_MALWARE="Malware" SECTION_MEMORY_AND_PROCESSES="Memoria e Processi" +STATUS_DISABLED="DISABILITATO" STATUS_DONE="FATTO" +STATUS_ENABLED="ABILITATO" +STATUS_ERROR="ERRORE" STATUS_FOUND="TROVATO" -STATUS_YES="SI" STATUS_NO="NO" -STATUS_OFF="OFF" -STATUS_OK="OK" -STATUS_ON="ON" STATUS_NONE="NESSUNO" STATUS_NOT_FOUND="NON TROVATO" STATUS_NOT_RUNNING="NON IN ESECUZIONE" +STATUS_OFF="OFF" +STATUS_OK="OK" +STATUS_ON="ON" STATUS_RUNNING="IN ESECUZIONE" STATUS_SKIPPED="SALTATO" STATUS_SUGGESTION="SUGGERIMENTO" STATUS_UNKNOWN="SCONOSCIUTO" STATUS_WARNING="ATTENZIONE" -TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log" +STATUS_YES="SI" TEXT_UPDATE_AVAILABLE="aggiornamento disponibile" -NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata" -STATUS_DISABLED="DISABILITATO" -STATUS_ENABLED="ABILITATO" -STATUS_ERROR="ERRORE" -ERROR_NO_LICENSE="Nessuna chiave di licenza configurata" -ERROR_NO_UPLOAD_SERVER="Nessun server di upload configurato" +TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di 
log" -- cgit v1.2.3 From 806ba69b36de5a46ef4a9a56fd941780176ca0b1 Mon Sep 17 00:00:00 2001 From: Steve Kolenich Date: Thu, 22 Oct 2020 14:27:14 -0400 Subject: Add values for Italian --- db/languages/it | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/db/languages/it b/db/languages/it index 46ed8360..e22b9837 100644 --- a/db/languages/it +++ b/db/languages/it @@ -4,6 +4,7 @@ GEN_CHECKING="Controllo" GEN_CURRENT_VERSION="Versione corrente" GEN_DEBUG_MODE="Modalità Debug" GEN_INITIALIZE_PROGRAM="Inizializzando il programma" +GEN_LATEST_VERSION="Versione ultima" GEN_PHASE="fase" GEN_PLUGINS_ENABLED="Plugin abilitati" GEN_UPDATE_AVAILABLE="aggiornamento disponibile" @@ -14,15 +15,23 @@ NOTE_EXCEPTIONS_FOUND_DETAILED="Sono stati rilevati alcuni eventi o informazioni NOTE_PLUGINS_TAKE_TIME="Nota: i plugin sono sottoposti a test più estesi e possono richiedere alcuni minuti per il completamento" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata" SECTION_CUSTOM_TESTS="Test su misura (Custom)" +SECTION_DOWNLOADS="Scaricamenti" +SECTION_GENERAL="Generale" +SECTION_INITIALIZING_PROGRAM="Inizializzando il programma" +SECTION_INSECURE_SERVICES="Service insicuri" SECTION_MALWARE="Malware" SECTION_MEMORY_AND_PROCESSES="Memoria e Processi" +SECTION_STORAGE="Spazio di archiviazione" +SECTION_TIME_AND_SYNCHRONIZATION="Tempo and Sincronizzazione" STATUS_DISABLED="DISABILITATO" STATUS_DONE="FATTO" STATUS_ENABLED="ABILITATO" STATUS_ERROR="ERRORE" +STATUS_FAILED="FALLITO" STATUS_FOUND="TROVATO" STATUS_NO="NO" STATUS_NONE="NESSUNO" +STATUS_NOT_CONFIGURED="NON CONFIGURATO" STATUS_NOT_FOUND="NON TROVATO" STATUS_NOT_RUNNING="NON IN ESECUZIONE" STATUS_OFF="OFF" 
@@ -33,6 +42,7 @@ STATUS_SKIPPED="SALTATO" STATUS_SUGGESTION="SUGGERIMENTO" STATUS_UNKNOWN="SCONOSCIUTO" STATUS_WARNING="ATTENZIONE" +STATUS_WEAK="DEBOLE" STATUS_YES="SI" TEXT_UPDATE_AVAILABLE="aggiornamento disponibile" TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log" -- cgit v1.2.3