From fcdc07f8d9135b362f3198f31e9271b57baac767 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sat, 25 Apr 2020 00:06:58 +0300
Subject: [CRYP-7902] Check also certificates in DER format
Check also certificates in DER (*.cer, *.der) format. Add /etc/refind.d/keys to list of certificate paths.
Signed-off-by: Topi Miettinen
---
 CHANGELOG.md | 1 +
 default.prf | 2 +-
 include/tests_crypto | 19 +++++++++++++------
 3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b982ac53..6c3974a2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -101,6 +101,7 @@ Using the relevant options, the scan will change base on the intended goal.
 - BOOT-5122 - check for defined password in all GRUB configuration files
 - CONT-8106 - support newer 'docker info' output
 - CRYP-7902 - optionally check also certificates provided by packages
+- CRYP-7902 - check also certificates in DER format
 - CRYP-8002 - gather kernel entropy on Linux systems
 - FILE-6310 - support for HP-UX
 - FILE-6374 - changed log and allow root location to be changed
diff --git a/default.prf b/default.prf
index 6ff3eac2..fff29512 100644
--- a/default.prf
+++ b/default.prf
@@ -93,7 +93,7 @@ skip-plugins=no
 #skip-upgrade-test=yes
 # Locations where to search for SSL certificates (separate paths with a colon)
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
 ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
 ssl-certificate-include-packages=no
diff --git a/include/tests_crypto b/include/tests_crypto
index 02fa0a80..f1aa1bdf 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -50,7 +50,7 @@
 LASTSUBDIR=""
 LogText "Result: found directory ${DIR}"
 # Search for certificate files
- FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
+ FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
 for FILE in ${FILES}; do
 FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
 # See if we need to skip this path
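Review bot: The extension pattern on the new `FILES=` line, `".cer$|.crt$|.der$|.pem$|^cert"`, leaves the dots unescaped, so `.der$` matches any path ending in the three letters "der" (a file named `header` or `loader`, for instance) and `.cer$` any path ending in "cer"; every such file is then handed to the certificate checks further down. The `.crt`/`.pem` alternatives already had this weakness, but "der" is a far more common word ending, so the new alternatives make false matches noticeably likelier. Escaping the dots keeps the intent: `${EGREPBINARY} "\.cer$|\.crt$|\.der$|\.pem$|^cert"`. The enclosing `for DIR` loop starts and ends outside the hunk.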
@@ -76,16 +76,23 @@
 if [ ${CANREAD} -eq 1 ]; then
 # Only check the files that are not installed by a package, unless enabled by profile
 if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
+ echo ${FILE} | ${EGREPBINARY} --quiet ".cer$|.der$"
+ CER_DER=$?
 OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
- if [ $? -eq 0 ]; then
+ if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
 LogText "Result: file is a certificate file"
- FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
+ if [ ${CER_DER} -eq 0 ]; then
+ SSL_DER_OPT="-inform der"
+ else
+ SSL_DER_OPT=
+ fi
+ FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
 if [ $? -eq 0 ]; then
 # Check certificate where 'end date' has been expired
- FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
+ FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
 EXIT_CODE=$?
- CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
- CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
+ CERT_CN=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
+ CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
 Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
 if [ ${EXIT_CODE} -eq 0 ]; then
 LogText "Result: certificate ${FILE} seems to be correct and still valid"
-- cgit v1.2.3
From b7b132721e166d9809e081e4c082a9e843b2d345 Mon Sep 17 00:00:00 2001
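Review bot: The `-inform der` choice is driven by the file extension (`CER_DER`) rather than by the content check, so a `.cer` file that is PEM-encoded (the extension is used for both encodings in practice) enters the certificate branch via the `BEGIN CERT` match but is then parsed with `-inform der`, and every `openssl x509` call in the hunk fails silently. Deriving the option from the content check avoids this: capture the PEM result right after the `OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' ...)` line with `PEM_CERT=$?`, use it in the guard, `if [ ${PEM_CERT} -eq 0 -o ${CER_DER} -eq 0 ]; then`, and pick the format from it, `if [ ${PEM_CERT} -eq 0 ]; then SSL_DER_OPT=; else SSL_DER_OPT="-inform der"; fi`. The extension pattern `".cer$|.der$"` also has unescaped dots, so any name ending in "der" (for example `header`) is treated as a DER certificate; `"\.cer$|\.der$"` is what is meant. The enclosing `if`/`for` block starts and ends outside the hunk.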
From: Simon Biewald
Date: Sat, 20 Jun 2020 17:08:56 +0200
Subject: check permissions of files used by rsh
The old rsh (remote shell) grants access to users and hosts in the files /etc/hosts.equiv and ~/r(login|hosts). If attackers can write to those files, he can logon as a different user or even root (in case of roots .r(login|hosts) only) to the system. While the rsh daemon usually checks for non-root owners or write permissions, this may not be the case on any system. Those files might affect other services as well (rlogin, rcp, ...). As hostnames and usernames are not verified securely, the use of rsh and similar commands discouraged. It may still be in use on legacy systems even today, so it should be secured as much as possible if not possible to remove/replace.
---
 default.prf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/default.prf b/default.prf
index 6ff3eac2..7f1a6899 100644
--- a/default.prf
+++ b/default.prf
@@ -303,6 +303,9 @@ permfile=/etc/motd:rw-r--r--:root:root:WARN:
 permfile=/etc/passwd:rw-r--r--:root:-:WARN:
 permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
 permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
+permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/root/.rhosts:rw-------:root:root:WARN:
+permfile=/root/.rlogin:rw-------:root:root:WARN:
 # These permissions differ by OS
 #permfile=/etc/gshadow:---------:root:-:WARN:
-- cgit v1.2.3
From 5cd33746a0a0a7fc85c888c12215749117a661e0 Mon Sep 17 00:00:00 2001
From: Simon Biewald
Date: Sat, 20 Jun 2020 17:45:34 +0200
Subject: add (Open)SSH equivalents to rhost files
SSH also supports host based authentication. In contrast to the totally insecure rsh, the hostnames are checked cryptographically. The authorization checks are still done with the same syntax as with rsh. In addition to the old rhosts/rlogin (and eqviv) file, SSH adds the slogin file. This must not be writable as well, as attackers could elevate their privileges.
---
 default.prf | 2 ++
 1 file changed, 2 insertions(+)
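Review bot: The three added `permfile=` entries pin the group to `root:root`, whereas the neighbouring `/etc/passwd` and `/etc/ssh/sshd_config` entries leave the group as `-`; if `-` is the wildcard it appears to be, the new lines will raise a warning on systems whose root group is not named `root` (for example `wheel` on the BSDs) even when the file is correctly owned and not group-writable. Following the neighbouring entries, e.g. `permfile=/etc/hosts.equiv:rw-r--r--:root:-:WARN:`, avoids that. I am also not aware of rsh/rlogin consulting a `~/.rlogin` file (they read `~/.rhosts`), so the `/root/.rlogin` entry is worth double-checking against the intended daemon. The same group point applies to the `shosts.equiv` and `.shosts` entries added in the following commit.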
diff --git a/default.prf b/default.prf
index 7f1a6899..26e10fc0 100644
--- a/default.prf
+++ b/default.prf
@@ -304,8 +304,10 @@ permfile=/etc/passwd:rw-r--r--:root:-:WARN:
 permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
 permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
 permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
 permfile=/root/.rhosts:rw-------:root:root:WARN:
 permfile=/root/.rlogin:rw-------:root:root:WARN:
+permfile=/root/.shosts:rw-------:root:root:WARN:
 # These permissions differ by OS
 #permfile=/etc/gshadow:---------:root:-:WARN:
-- cgit v1.2.3
From b2be7c160e865252d0c589089e444a259576904f Mon Sep 17 00:00:00 2001
From: Simon Biewald
Date: Thu, 9 Jul 2020 18:19:35 +0200
Subject: detect and test for timesyncd w/o working timedatectl
On systems without dbus timedatectl does not work. Thus it is checked if timesyncd currently runs and when /run/systemd/timesyncd/synchronized was last modified. Timesyncd touches this file on any sucessfull synchronization. This is documented in systemd-timesyncd(8). The new test for successfull documentation has the id TIME-3185.
---
 include/tests_time | 57 ++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 40 insertions(+), 17 deletions(-)
diff --git a/include/tests_time b/include/tests_time
index 7c15d0a3..1985aa44 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -124,23 +124,11 @@
 fi
 # Check timedate daemon (systemd)
- if [ -n "${TIMEDATECTL}" ]; then
- FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
- if [ -n "${FIND}" ]; then
- # Check for systemd-timesyncd
- if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then
- LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf"
- FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
- Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
- SYSTEMD_NTP_ENABLED=1
- else
- LogText "Result: ${ROOTDIR}etc/systemd/timesyncd.conf does not exist"
- fi
- else
- LogText "Result: time synchronization not performed according timedatectl command"
- fi
- else
- LogText "Result: timedatectl command not available on this system"
+ FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep")
+ if [ -n "${FIND}" ]; then
+ FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
+ Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: Found running systemd-timesyncd in process list"
 fi
 # Check crontab for OpenBSD/FreeBSD
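Review bot: The replacement process-list check no longer sets `SYSTEMD_NTP_ENABLED=1`, which the removed `timedatectl` branch did whenever it found timesyncd; any later test that keys on `SYSTEMD_NTP_ENABLED` will now see it unset on timesyncd systems, so either append `SYSTEMD_NTP_ENABLED=1` to the `FOUND=1; NTP_DAEMON_RUNNING=1; ...` line or confirm nothing reads it any more. The `${GREPBINARY} -v "grep"` filter also discards any unrelated process whose command line happens to contain "grep"; matching with a bracketed first character, `${GREPBINARY} "[s]ystemd-timesyncd"`, excludes the grep itself without that side effect. A `LogText` for the not-found case, as the removed branch had, would keep the log readable when the daemon is absent.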
@@ -581,6 +569,41 @@
 ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
 fi
 fi
+
+ #
+ #################################################################################
+ #
+
+ # Test : TIME-3185
+ # Description : Check systemd-timesyncd synchronized time
+
+ if [ "${NTP_DAEMON}" = "systemd-timesyncd" ]; then
+ PREQS_MET="YES"
+ else
+ PREQS_MET="NO"
+ fi
+
+
+ Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "time" --description "Check systemd-timesyncd synchronized time"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -e /run/systemd/timesync/synchronized ]; then
+ FIND=$(( $(date +%s) - $(stat -L --format %Y /run/systemd/timesync/synchronized) ))
+ # Check if last sync was more than 2048 seconds (= the default of systemd) ago
+ if [ ${FIND} -ge 2048 ]; then
+ COLOR=RED
+ ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently."
+ else
+ COLOR=GREEN
+ fi
+ Display --indent 2 --text "- Last time synchronization" --result "${FIND}s" --color "${COLOR}"
+ LogText "Result: systemd-timesyncd synchronized time ${FIND} seconds ago."
+ else
+ Display --indent 2 --text "- Last time synchronization" --result "${STATUS_NOT_FOUND}" --color RED
+ ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time"
+ fi
+ fi
+
+
+
 #
 #################################################################################
 #
-- cgit v1.2.3
From 38b6105c6061c01b7075a76c23a9e73a962692bf Mon Sep 17 00:00:00 2001
From: Simon Biewald
Date: Thu, 9 Jul 2020 18:27:02 +0200
Subject: add new test to test database
---
 db/tests.db | 1 +
 include/tests_time | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/db/tests.db b/db/tests.db
index 32347102..26fc8f87 100644
--- a/db/tests.db
+++ b/db/tests.db
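Review bot: The arithmetic `FIND=$(( $(date +%s) - $(stat -L --format %Y /run/systemd/timesync/synchronized) ))` aborts with a shell syntax error when `stat` prints nothing, because an empty operand inside `$(( ))` is not tolerated, and the preceding `-e` test only guards existence, not a failed `stat` (unreadable file, or a `stat` that does not accept GNU's `--format`). Capturing the timestamp first, `LAST_SYNC=$(stat -L --format %Y /run/systemd/timesync/synchronized 2> /dev/null)`, and testing `[ -n "${LAST_SYNC}" ]` before subtracting keeps the test from taking the whole run down. `date` and `stat` are also called directly while the surrounding code goes through `${...BINARY}` wrappers, as `${NTPCTLBINARY}` in the context lines does. Finally the warning text `"systemd-timesyncd did not synchronized the time recently."` should read `"systemd-timesyncd did not synchronize the time recently."`.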
@@ -419,6 +419,7 @@ TIME-3170:test:security:time::Check configuration files:
 TIME-3180:test:security:time::Report if ntpctl cannot communicate with OpenNTPD:
 TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation
 TIME-3182:test:security:time::Check OpenNTPD has working peers
+TIME-3185:test:security:time::Check systemd-timesyncd synchronized time
 TOOL-5002:test:security:tooling::Checking for automation tools:
 TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
 TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
diff --git a/include/tests_time b/include/tests_time
index 1985aa44..1fb512ae 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -584,7 +584,7 @@
 fi
- Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "time" --description "Check systemd-timesyncd synchronized time"
+ Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -e /run/systemd/timesync/synchronized ]; then
 FIND=$(( $(date +%s) - $(stat -L --format %Y /run/systemd/timesync/synchronized) ))
-- cgit v1.2.3
From df7c6257a56d54a001859c209b92f7e74589cd13 Mon Sep 17 00:00:00 2001
From: Simon Biewald
Date: Thu, 9 Jul 2020 18:41:09 +0200
Subject: compare correct stuff in openntpd tests
I accidentially compared rubbish in the openntpd tests, thus they were not executed at all. Additionally, == was used instead of =.
---
 include/tests_time | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/tests_time b/include/tests_time
index 7c15d0a3..79e7aa2e 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -532,7 +532,7 @@
 #
 # Test : TIME-3180
 # Description : Report if ntpctl cannot communicate with OpenNTPD
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ]; then
 PREQS_MET="YES"
 else
 PREQS_MET="NO"
@@ -548,7 +548,7 @@
 #
 # Test : TIME-3181
 # Description : Check status of OpenNTPD time synchronisation
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
 PREQS_MET="YES"
 else
 PREQS_MET="NO"
@@ -567,7 +567,7 @@
 # Test : TIME-3182
 # Description : Check OpenNTPD has working peers
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
 PREQS_MET="YES"
 else
 PREQS_MET="NO"
-- cgit v1.2.3
From 9107867fa1307a7ec65f250efbc2440665078fb0 Mon Sep 17 00:00:00 2001
From: Simon Biewald
Date: Thu, 9 Jul 2020 18:57:01 +0200
Subject: use correct regex and comparison to match peers
---
 include/tests_time | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/tests_time b/include/tests_time
index 79e7aa2e..eee5cbfc 100644
--- a/include/tests_time
+++ b/include/tests_time
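Review bot: Now that the corrected guards `[ "${NTP_DAEMON_RUNNING}" -eq 1 ]` and `[ "${OPENNTPD_COMMUNICATION}" -eq 1 ]` are actually evaluated, they will print "integer expression expected" and fail noisily if either variable is unset or empty when the test is reached; both are assigned to 1 inside the openntpd detection branch shown in a later hunk on this page, but I cannot see an initialisation to 0 for the case where that branch is not taken. Initialising both to 0 before the detection code, or comparing as strings, `[ "${NTP_DAEMON_RUNNING}" = "1" ]`, makes the prerequisite check quietly select `PREQS_MET="NO"` instead. The same applies to the TIME-3181 and TIME-3182 hunks of this commit.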
@@ -576,8 +576,8 @@
 Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Format is "xx/yy peers valid, ..."
- FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o "[0-9]{1,4}/" | ${EGREPBINARY} -o "[0-9]{1,4}" )
- if [ -n "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
+ FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
+ if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
 ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
 fi
 fi
-- cgit v1.2.3
From d4639b3c6a98544269d5d7e59146de2e74ef1530 Mon Sep 17 00:00:00 2001
From: Simon Biewald
Date: Fri, 10 Jul 2020 00:29:35 +0200
Subject: find more cron ntp clients, iterate over cron files with glob
---
 include/tests_time | 42 ++++++++++++++++--------------------------
 1 file changed, 16 insertions(+), 26 deletions(-)
diff --git a/include/tests_time b/include/tests_time
index 7c15d0a3..842e3495 100644
--- a/include/tests_time
+++ b/include/tests_time
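Review bot: `${EGREPBINARY} -o '[0-9]+/[0-9]+'` picks up every `N/M` token in the `ntpctl -s status` output, not only the one from the "xx/yy peers valid" phrase named in the comment above it, so if the output ever carries a second such token `FIND` becomes multi-line and `[ "${FIND}" -eq 0 ]` errors out instead of giving a clean result. Anchoring the match to the phrase, `${EGREPBINARY} -o '[0-9]+/[0-9]+ peers' | ${CUTBINARY} -d '/' -f 1`, keeps `FIND` to the single number the comparison expects.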
@@ -146,17 +146,20 @@
 # Check crontab for OpenBSD/FreeBSD
 # Check anacrontab for Linux
 CRONTAB_FILES="/etc/anacrontab /etc/crontab"
+ # Regex for matching multiple time synchronisation binaries
+ # Partial sanity check for sntp and ntpdig, but this does not consider all corner cases
+ CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'
 for I in ${CRONTAB_FILES}; do
 if [ -f ${I} ]; then
- LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
- FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
+ LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
+ FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
 if [ -n "${FIND}" ]; then
 FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
 Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
- LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
+ LogText "Result: found ntpdate, rdate, sntp or ntpdig reference in crontab file ${I}"
 else
 #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE
- LogText "Result: no ntpdate or rdate reference found in crontab file ${I}"
+ LogText "Result: no ntpdate, rdate, sntp or ntpdig reference found in crontab file ${I}"
 fi
 else
 LogText "Result: crontab file ${I} not found"
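Review bot: `${GREPBINARY} -v '^#'` on the new `FIND=` line only discards comments that start in column 0, so a commented-out entry with leading whitespace, such as an indented `# ntpdate ...` line in a crontab, still counts as an active NTP client and sets `NTP_CONFIG_TYPE_SCHEDULED=1`; `${GREPBINARY} -v '^[[:space:]]*#'` covers the indented case. The same filter is reused in the cron-directory hunk that follows.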
@@ -169,31 +172,18 @@
 # Check cron jobs
 for I in ${CRON_DIRS}; do
- if [ -d ${I} ]; then
- if FileIsReadable ${I}; then
- FIND=$(${FINDBINARY} ${I} -type f -a ! -name ".placeholder" -print 2> /dev/null | ${SEDBINARY} 's/ /__space__/g' | ${TRBINARY} '\n' '\0' | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} '\0' ' ')
+ for J in "${I}"/*; do # iterate over folders in a safe way
+ # Check: regular file, readable and not called .placeholder
+ FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
+ if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
+ LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
+ FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
 if [ -n "${FIND}" ]; then
- for J in ${FIND}; do
- # Place back spaces if needed
- J=$(echo ${J} | ${SEDBINARY} 's/__space__/ /g')
- LogText "Test: checking for ntpdate or rdate in ${J}"
- if FileIsReadable ${J}; then
- FIND2=$(${EGREPBINARY} "rdate|ntpdate" "${J}" | ${GREPBINARY} -v "^#")
- if [ -n "${FIND2}" ]; then
- LogText "Positive match found: ${FIND2}"
- FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
- fi
- else
- LogText "Result: could not test in file '${J}' as it is not readable"
- fi
- done
- else
- LogText "Result: ${I} is empty, skipping search in directory"
+ FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
+ LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
 fi
- else
- LogText "Result: could not search in directory due to permissions"
 fi
- fi
+ done
 done
 if [ ${FOUND_IN_CRON} -eq 1 ]; then
-- cgit v1.2.3
From 092fe08c400a0b7eb4f6ace7ac4ebaf6c4c9bec6 Mon Sep 17 00:00:00 2001
From: Simon Biewald
Date: Fri, 10 Jul 2020 00:40:36 +0200
Subject: shellcheck: check exit code directly
---
 include/tests_time | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/include/tests_time b/include/tests_time
index eee5cbfc..c85e2876 100644
--- a/include/tests_time
+++ b/include/tests_time
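Review bot: With the shell's default globbing, `"${I}"/*` never expands to names beginning with a dot, so the `.placeholder` exclusion via `FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')` can only matter if `dotglob` is enabled and otherwise just costs two processes per file; if the exclusion is meant to stay, a builtin test does it without the unescaped-dot regex, `case "${J}" in */.placeholder) continue ;; esac`, and otherwise it can be dropped together with the `-z "${FIND}"` clause. The glob also inspects only the directory's top level, whereas the removed `${FINDBINARY} ${I} -type f` descended into subdirectories; for the usual `/etc/cron.*` layouts that is equivalent, but it is a behaviour change worth a comment on the `for J` line. The `if [ ${FOUND_IN_CRON} -eq 1 ]` block at the end continues outside the hunk.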
@@ -86,9 +86,8 @@
 # Reason: openntpd syncs only if large time corrections are not required or -s is passed.
 # This might be not intended by the administrator (-s is NOT the default!)
 FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep")
- ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null
 # Status code 0 is when communication over the socket is successfull
- if [ "$?" -eq 0 ]; then
+ if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then
 FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
 LogText "result: found openntpd (method: ntpctl)"
 OPENNTPD_COMMUNICATION=1
-- cgit v1.2.3
From 7ba220811f309ae69751821858e5b39bbc5c3cb7 Mon Sep 17 00:00:00 2001
From: Simon Biewald
Date: Fri, 10 Jul 2020 00:41:45 +0200
Subject: use = instead of ==
---
 include/tests_time | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_time b/include/tests_time
index c85e2876..153397e2 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -100,7 +100,7 @@
 LogText "result: running openntpd not found, but ntpctl is instaalled"
 fi
- if [ "${NTP_DAEMON}" == "openntpd" ]; then
+ if [ "${NTP_DAEMON}" = "openntpd" ]; then
 Display --indent 2 --text "- NTP daemon found: OpenNTPD" --result "${STATUS_FOUND}" --color GREEN
 fi
 fi
-- cgit v1.2.3
From e27208a342aee4ac5c1c19cac0f27700201a7708 Mon Sep 17 00:00:00 2001
From: Simon Biewald
Date: Fri, 10 Jul 2020 00:48:12 +0200
Subject: use STATBINARY, put filename in variable
---
 include/tests_time | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/include/tests_time b/include/tests_time
index 1fb512ae..e3cf4ac8 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -585,11 +585,12 @@
 Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
+ SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
 if [ ${SKIPTEST} -eq 0 ]; then
- if [ -e /run/systemd/timesync/synchronized ]; then
- FIND=$(( $(date +%s) - $(stat -L --format %Y /run/systemd/timesync/synchronized) ))
+ if [ -e "${SYNCHRONIZED_FILE}" ]; then
+ FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
 # Check if last sync was more than 2048 seconds (= the default of systemd) ago
- if [ ${FIND} -ge 2048 ]; then
+ if [ "${FIND}" -ge 2048 ]; then
 COLOR=RED
 ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently."
 else
@@ -602,7 +603,7 @@
 ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time"
 fi
 fi
-
+ unset SYNCHRONIZED_FILE
 #
 #################################################################################
 #
-- cgit v1.2.3
From 7df0b8618b5cce39961b245a3c582af4294276d7 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Fri, 7 Aug 2020 11:56:19 +0200
Subject: Updated log
---
 CHANGELOG.md | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e2be50de..213fbe89 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
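Review bot: `date +%s` on the `FIND=$(( ... ))` line is still invoked directly while `stat` now goes through `${STATBINARY}`, so the commit's own intent is only half applied; and `--format %Y` is a GNU `stat` option (BSD `stat` uses `-f %m`), which the wrapper does not change. Since the test is gated on `NTP_DAEMON` being `systemd-timesyncd` this is Linux-only in practice, but a one-line comment above the `FIND=` line, `# GNU stat options; this test is only reached on systemd systems`, would spare the next reader the question. The `SYNCHRONIZED_FILE` assignment placed before the `SKIPTEST` check and the matching `unset` after the block are fine as written.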
@@ -3,16 +3,21 @@
 ## Lynis 3.0.1 (not released yet)
 ### Added
+- Detection of Alpine Linux
 - Detection of Kali Linux
 - Detection of Linux Mint
 - Detection of macOS Big Sur (11.0)
 - Detection of Pop!_OS
 - Detection of PHP 7.4
 - Malware detection tool: Microsoft Defender ATP
+- New flag: --slow-warning to allow tests more time before showing a warning
+- Test TIME-3185 to check systemd-timesyncd synchronized time
+- rsh host file permissions
 ### Changed
 - AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions
 - BOOT-5122 - Presence check for grub.d added
+- CRYP-7902 - Added support for certificates in DER format
 - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
 - FILE-6430 - Don't grep nonexistant modprobe.d files
 - FIRE-4535 - Set initial firewall state
@@ -20,12 +25,14 @@
 - KRNL-5728 - Handle zipped kernel configuration correctly
 - KRNL-5830 - Improved version detection for non-symlinked kernel
 - MALW-3280 - Extended detection of BitDefender
+- TIME-3104 - Find more time synchronization commands
+- TIME-3182 - Corrected detection of time peers
 - Fix: hostid generation routine would sometimes show too short IDs
-- Generic improvements for macOS
 - Fix: language detection
+- Generic improvements for macOS
 - German translation updated
 - End-of-life database updated
-- Small code enhancements
+- Several minor code enhancements
 ---------------------------------------------------------------------------------
@@ -135,7 +142,6 @@ Using the relevant options, the scan will change base on the intended goal.
 - BOOT-5122 - check for defined password in all GRUB configuration files
 - CONT-8106 - support newer 'docker info' output
 - CRYP-7902 - optionally check also certificates provided by packages
-- CRYP-7902 - check also certificates in DER format
 - CRYP-8002 - gather kernel entropy on Linux systems
 - FILE-6310 - support for HP-UX
 - FILE-6330 - corrected description
-- cgit v1.2.3