diff -Nru lynis-3.0.7/CHANGELOG.md lynis-3.0.8/CHANGELOG.md
--- lynis-3.0.7/CHANGELOG.md 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/CHANGELOG.md 2022-05-17 00:00:00.000000000 +0000
@@ -1,5 +1,27 @@
 # Lynis Changelog
 
+## Lynis 3.0.8 (2022-05-17)
+
+### Added
+- MALW-3274 - Detect McAfee VirusScan Command Line Scanner
+- PKGS-7346 Check Alpine Package Keeper (apk)
+- PKGS-7395 Check Alpine upgradeable packages
+- EOL for Alpine Linux 3.14 and 3.15
+
+### Changed
+- AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
+- FILE-7524 - Test enhanced to support symlinks
+- HTTP-6643 - Support ModSecurity version 2 and 3
+- KRNL-5788 - Only run relevant tests and improved logging
+- KRNL-5820 - Additional path for security/limits.conf
+- KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
+- KRNL-5830 - Add a presence check for /boot/vmlinuz
+- PRNT-2308 - Bugfix that prevented test from storing values correctly
+- Extended location of PAM files for AARCH64
+- Some messages in log improved
+
+---------------------------------------------------------------------------------
+
 ## Lynis 3.0.7 (2022-01-18)
 
 ### Added
diff -Nru lynis-3.0.7/db/software-eol.db lynis-3.0.8/db/software-eol.db
--- lynis-3.0.7/db/software-eol.db 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/db/software-eol.db 2022-05-17 00:00:00.000000000 +0000
@@ -16,6 +16,8 @@
 #
 # Alpine - https://alpinelinux.org/releases/
 #
+os:Alpine 3.15:2023-11-01:1698793200
+os:Alpine 3.14:2023-05-01:1682899200
 os:Alpine 3.13:2022-11-01:1667275200
 os:Alpine 3.12:2022-05-01:1651377600
 os:Alpine 3.11:2021-11-01:1635739200
diff -Nru lynis-3.0.7/db/tests.db lynis-3.0.8/db/tests.db
--- lynis-3.0.7/db/tests.db 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/db/tests.db 2022-05-17 00:00:00.000000000 +0000
@@ -265,6 +265,7 @@
 MAIL-8860:test:security:mail_messaging::Check Qmail status:
 MAIL-8880:test:security:mail_messaging::Check Sendmail status:
 MAIL-8920:test:security:mail_messaging::Check OpenSMTPD status:
+MALW-3274:test:security:malware::Check for McAfee VirusScan Command Line Scanner:
 MALW-3275:test:security:malware::Check for chkrootkit:
 MALW-3276:test:security:malware::Check for Rootkit Hunter:
 MALW-3278:test:security:malware::Check for LMD:
@@ -322,6 +323,7 @@
 PHP-2378:test:security:php::Check PHP allow_url_include option:
 PHP-2379:test:security:php::Check PHP suhosin extension status:
 PHP-2382:test:security:php::Check PHP listen option:
+PKGS-7200:test:security:ports_packages:Linux:Check Alpine Package Keeper (apk):
 PKGS-7301:test:security:ports_packages::Query NetBSD pkg:
 PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info:
 PKGS-7303:test:security:ports_packages::Query brew package manager:
@@ -358,6 +360,7 @@
 PKGS-7392:test:security:ports_packages:Linux:Check for Debian/Ubuntu security updates:
 PKGS-7393:test:security:ports_packages::Check for Gentoo vulnerable packages:
 PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates:
+PKGS-7395:test:security:ports_packages:Linux:Check Alpine upgradeable packages:
 PKGS-7398:test:security:ports_packages::Check for package audit tool:
 PKGS-7410:test:security:ports_packages::Count installed kernel packages:
 PKGS-7420:test:security:ports_packages::Detect toolkit to automatically download and apply upgrades:
diff -Nru lynis-3.0.7/debian/changelog lynis-3.0.8/debian/changelog
--- lynis-3.0.7/debian/changelog 2022-02-10 06:54:20.000000000 +0000
+++ lynis-3.0.8/debian/changelog 2022-10-15 10:18:37.000000000 +0000
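Review bot: The new PKGS-7200 entry in the second hunk uses a test id that does not match the CHANGELOG in this same diff, which announces the Alpine apk check as PKGS-7346; whichever is wrong, the id in tests.db has to equal the `--test-no` passed to Register in the test file (not part of this diff), otherwise profile skip rules, the report and the test index disagree. Please align the two, e.g. `PKGS-7346:test:security:ports_packages:Linux:Check Alpine Package Keeper (apk):` if the CHANGELOG is authoritative. The placement after PHP-2382 keeps the sorted order either way, so only the id needs checking.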
@@ -1,3 +1,16 @@
+lynis (3.0.8-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * No source change upload to rebuild with debhelper 13.10.
+
+ -- Michael Biebl Sat, 15 Oct 2022 12:18:37 +0200
+
+lynis (3.0.8-1) unstable; urgency=medium
+
+ * NUR.
+
+ -- Marc Dequènes (Duck) Tue, 20 Sep 2022 03:40:06 +0900
+
 lynis (3.0.7-1) unstable; urgency=medium
 
 * NUR.
diff -Nru lynis-3.0.7/include/binaries lynis-3.0.8/include/binaries
--- lynis-3.0.7/include/binaries 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/include/binaries 2022-05-17 00:00:00.000000000 +0000
@@ -134,6 +134,7 @@
 aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
 apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
 apt) APTBINARY=${BINARY}; LogText " Found known binary: apt (package manager) - ${BINARY}" ;;
+apk) APKBINARY=${BINARY}; LogText " Found known binary: apk (package manager) - ${BINARY}" ;;
 arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;;
 auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;;
 awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;;
diff -Nru lynis-3.0.7/include/consts lynis-3.0.8/include/consts
--- lynis-3.0.7/include/consts 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/include/consts 2022-05-17 00:00:00.000000000 +0000
@@ -43,6 +43,7 @@
 # == Variable initializing ==
 #
 APTBINARY=""
+APKBINARY=""
 ARCH_AUDIT_BINARY=""
 AUDITORNAME=""
 AUDITCTLBINARY=""
diff -Nru lynis-3.0.7/include/functions lynis-3.0.8/include/functions
--- lynis-3.0.7/include/functions 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/include/functions 2022-05-17 00:00:00.000000000 +0000
@@ -1306,6 +1306,11 @@ if [ $# -ne 2 ]; then Fatal "Incorrect usage of HasCorrectFilePermissions"; fi CHECKFILE="$1" CHECKPERMISSION_FULL="$2" + # Check for symlink + if [ -L ${CHECKFILE} ]; then + ShowSymlinkPath ${CHECKFILE} + if [ ! "${SYMLINK}" = "" ]; then CHECKFILE="${SYMLINK}"; fi + fi if [ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]; then return 2 else @@ -1320,9 +1325,8 @@ CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}') # First try stat command - LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} or more restrictive" + LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} (${CHECKPERMISSION_FULL}) or more restrictive" if [ -n "${STATBINARY}" ]; then - case ${OS} in *BSD | "macOS") # BSD and macOS have no --format, only short notation @@ -1388,7 +1392,7 @@ fi done - LogText "Outcome: permissions of file ${CHECKFILE} are not matching expected value (${DATA} != ${CHECKPERMISSION_FULL})" + LogText "Outcome: permissions of file ${CHECKFILE} are not matching expected value (${DATA} != ${CHECK_PERMISSION})" # No match, return exit code 1 return 1 fi @@ -2002,7 +2006,11 @@ if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldWritable function"; fi sFILE=$1 FileIsWorldWritable="" - + # Check for symlink + if [ -L ${sFILE} ]; then + ShowSymlinkPath ${sFILE} + if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi + fi # Only check if target is a file or directory if [ -f ${sFILE} -o -d ${sFILE} ]; then FINDVAL=$(ls -ld ${sFILE} | cut -c 9) 
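Review bot: The symlink block added at the top of HasCorrectFilePermissions relies on the global SYMLINK that ShowSymlinkPath sets, but never resets it before the call; if ShowSymlinkPath leaves SYMLINK untouched when it cannot resolve the link (its body is outside this diff), the target from a previous caller is silently used for this permission check. The same pattern is added to IsWorldWritable in the `@@ -2002` hunk and has the same weakness. Clear the variable first and record the substitution, because the report otherwise names the link while the permissions of the target were what got checked: `SYMLINK=""`, `ShowSymlinkPath "${CHECKFILE}"`, `if [ -n "${SYMLINK}" ]; then LogText "Result: ${CHECKFILE} is a symlink, checking ${SYMLINK} instead"; CHECKFILE="${SYMLINK}"; fi`. Both functions start and end outside their hunks.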
@@ -2090,6 +2098,9 @@ elif [ -n "${XBPSBINARY}" ]; then output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii") exit_code=$? + elif [ -n "${APKBINARY}" ]; then + output=$(${APKBINARY} search ${package} 2> /dev/null | ${GREPBINARY} ${package}) + exit_code=$? else if [ "${package}" != "__dummy__" ]; then ReportException "PackageIsInstalled:01 (test=${TEST_NO:-unknown})" diff -Nru lynis-3.0.7/include/osdetection lynis-3.0.8/include/osdetection --- lynis-3.0.7/include/osdetection 2022-01-18 00:00:00.000000000 +0000 +++ lynis-3.0.8/include/osdetection 2022-05-17 00:00:00.000000000 +0000 @@ -678,7 +678,7 @@ ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}" ;; esac - elif [ "$(uname -o 2> /dev/null)" == "illumos" ]; then + elif [ "$(uname -o 2> /dev/null)" = "illumos" ]; then OPENSOLARIS=1 # Solaris has a free form text file with release information diff -Nru lynis-3.0.7/include/tests_authentication lynis-3.0.8/include/tests_authentication --- lynis-3.0.7/include/tests_authentication 2022-01-18 00:00:00.000000000 +0000 +++ lynis-3.0.8/include/tests_authentication 2022-05-17 00:00:00.000000000 +0000 
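Review bot: The new apk branch of PackageIsInstalled calls `apk search`, which as far as I know queries the repository index rather than the installed-package database, so any package merely available in the configured repositories would be reported as installed; the unanchored `${GREPBINARY} ${package}` on top of that matches every name that contains the string. Querying the installed status directly gives both the right answer and a usable exit code: `output=$(${APKBINARY} info -e ${package} 2> /dev/null)` followed by the existing `exit_code=$?` — please confirm the `-e` flag against the apk-tools versions shipped on the Alpine releases Lynis supports. PackageIsInstalled starts and ends outside the hunk.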
@@ -25,7 +25,7 @@ LDAP_AUTH_ENABLED=0 LDAP_PAM_ENABLED=0 LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/local/etc/openldap/ldap.conf" - PAM_FILE_LOCATIONS="${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" + PAM_FILE_LOCATIONS="${ROOTDIR}usr/lib/aarch64-linux-gnu/security ${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${ROOTDIR}usr/pkg/etc/sudoers" SUDOERS_FILE="" # @@ -607,7 +607,7 @@ Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED ;; esac - SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)" + SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} -L ${SUDOERS_D} -type f -print)" fi for f in ${SUDO_CONFIG_FILES}; do LogText "Test: checking file (${f})" @@ -764,7 +764,7 @@ LogText "Result: directory /etc/pam.d exists" Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: searching PAM configuration files" - FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort) + FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort) for FILE in ${FIND}; do LogText "Found file: ${FILE}" done 
@@ -1533,31 +1533,49 @@ # Description : Logging of failed login attempts Register --test-no AUTH-9408 --weight L --network NO --category security --description "Logging of failed login attempts" if [ ${SKIPTEST} -eq 0 ]; then - if [ -f "${ROOTDIR}etc/pam.conf" ]; then + if [ -f "${ROOTDIR}etc/pam.conf" -o -d "${ROOTDIR}etc/pam.d" ]; then FOUND_PAM_TALLY2=0 FOUND_TALLYLOG=0 - if [ -s "${ROOTDIR}var/log/tallylog" ]; then + FOUND_PAM_FAILLOCK=0 + FOUND_FAILLOCKDIR=0 + if [ -d "${ROOTDIR}var/run/faillock" ]; then + FOUND_FAILLOCKDIR=1 + LogText "Result: found ${ROOTDIR}var/run/faillock directory" + elif [ -s "${ROOTDIR}var/log/tallylog" ]; then FOUND_TALLYLOG=1 LogText "Result: found ${ROOTDIR}var/log/tallylog with a size bigger than zero" else - LogText "Result: did not find ${ROOTDIR}var/log/tallylog on disk or its file size is zero bytes" + LogText "Result: did not find ${ROOTDIR}var/run/faillock directory or ${ROOTDIR}var/log/tallylog file on disk or its file size is zero bytes" fi - # Determine if pam_tally2 is available + # Determine if pam_faillock is available for D in $(GetReportData --key "pam_module\\\[\\\]"); do - if ContainsString "pam_tally2" "${D}"; then - LogText "Result: found pam_tally2 module on disk" - FOUND_PAM_TALLY2=1 + if ContainsString "pam_faillock" "${D}"; then + LogText "Result: found pam_faillock module on disk" + FOUND_PAM_FAILLOCK=1 fi done - if [ ${FOUND_PAM_TALLY2} -eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then + if [ ${FOUND_PAM_FAILLOCK} -eq 0 ]; then + # Determine if pam_tally2 is available + for D in $(GetReportData --key "pam_module\\\[\\\]"); do + if ContainsString "pam_tally2" "${D}"; then + LogText "Result: found pam_tally2 module on disk" + FOUND_PAM_TALLY2=1 + fi + done + fi + if [ ${FOUND_PAM_FAILLOCK} -eq 1 -a ${FOUND_FAILLOCKDIR} -eq 1 ]; then + LogText "Outcome: authentication failures are logged using pam_faillock" + AUTH_FAILED_LOGINS_LOGGED=1 + Report "auth_failed_logins_tooling[]=pam_faillock" + elif [ ${FOUND_PAM_TALLY2} 
-eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then LogText "Outcome: authentication failures are logged using pam_tally2" AUTH_FAILED_LOGINS_LOGGED=1 Report "auth_failed_logins_tooling[]=pam_tally2" else - LogText "Outcome: it looks like pam_tally2 is not configured to log failed login attempts" + LogText "Outcome: it looks like pam_faillock or pam_tally2 is not configured to log failed login attempts" fi - unset FOUND_PAM_TALLY2 FOUND_TALLYLOG + unset FOUND_PAM_TALLY2 FOUND_TALLYLOG FOUND_PAM_FAILLOCK FOUND_FAILLOCKDIR fi # Also check /etc/logins.defs, although its usage decreased over the years if [ -f ${ROOTDIR}etc/login.defs ]; then diff -Nru lynis-3.0.7/include/tests_boot_services lynis-3.0.8/include/tests_boot_services --- lynis-3.0.7/include/tests_boot_services 2022-01-18 00:00:00.000000000 +0000 +++ lynis-3.0.8/include/tests_boot_services 2022-05-17 00:00:00.000000000 +0000 @@ -347,7 +347,7 @@ FOUND=0 if [ -d "${ROOTDIR}etc/grub.d" ]; then - CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]') + CONF_FILES=$(${FINDBINARY} -L "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]') CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}" else CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg" @@ -785,7 +785,7 @@ if [ -d ${DIR} ]; then LogText "Result: directory ${DIR} found" LogText "Test: checking for available files in directory" - FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY}) + FIND=$(${FINDBINARY} -L ${DIR} -type f -print | ${SORTBINARY}) if [ -n "${FIND}" ]; then LogText "Result: found files in directory, checking permissions now" for FILE in ${FIND}; do 
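Review bot: In the AUTH-9408 block the presence of `${ROOTDIR}var/run/faillock` is tested with `elif` against tallylog, so on a host where that directory exists but only pam_tally2 is configured (several distributions create the directory at package install time, which I cannot verify from the diff) FOUND_TALLYLOG stays 0 and the test concludes that nothing logs failed logins. The two pieces of evidence are independent and should both be collected; the module loops that follow already decide which tool gets credited. The directory's existence alone is also weak evidence that pam_faillock is in use, so the outcome log line could say it was derived from the run directory rather than from PAM configuration. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block ends outside the hunk.
```shell
FOUND_PAM_FAILLOCK=0
FOUND_FAILLOCKDIR=0
if [ -d "${ROOTDIR}var/run/faillock" ]; then
    FOUND_FAILLOCKDIR=1
    LogText "Result: found ${ROOTDIR}var/run/faillock directory"
fi
if [ -s "${ROOTDIR}var/log/tallylog" ]; then
    FOUND_TALLYLOG=1
    LogText "Result: found ${ROOTDIR}var/log/tallylog with a size bigger than zero"
fi
if [ ${FOUND_FAILLOCKDIR} -eq 0 -a ${FOUND_TALLYLOG} -eq 0 ]; then
    LogText "Result: did not find ${ROOTDIR}var/run/faillock directory or ${ROOTDIR}var/log/tallylog file on disk or its file size is zero bytes"
fi
# … unchanged: pam_module[] loops and outcome reporting …
```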
@@ -809,7 +809,7 @@ for NO in 0 1 2 3 4 5 6; do LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for writable bit" if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then - FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print | ${SORTBINARY}) + FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/rc${NO}.d -type f -print | ${SORTBINARY}) for I in ${FIND}; do if IsWorldWritable ${I}; then FOUND=1 @@ -1017,7 +1017,7 @@ LogText "Result: directory ${DIR} found" LogText "Test: checking for available files in directory" # OpenBSD uses symlinks to create another instance of daemons - FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY}) + FIND=$(${FINDBINARY} -L ${CHECKDIR} -type f -print | ${SORTBINARY}) if [ -n "${FIND}" ]; then LogText "Result: found files in directory, checking permissions now" for FILE in ${FIND}; do diff -Nru lynis-3.0.7/include/tests_databases lynis-3.0.8/include/tests_databases --- lynis-3.0.7/include/tests_databases 2022-01-18 00:00:00.000000000 +0000 +++ lynis-3.0.8/include/tests_databases 2022-05-17 00:00:00.000000000 +0000 
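Review bot: The comment `# OpenBSD uses symlinks to create another instance of daemons` in the `@@ -1017` hunk now sits above a find that no longer lists symlinks at all: the new `-L ... -type f` follows them and returns the target, and a dangling link is dropped silently where it previously showed up in FIND via `-type l`. Reword it so the next reader knows this is deliberate: `# OpenBSD uses symlinks to create another instance of daemons: follow them (-L) so the target script's permissions are checked; dangling links are skipped`. The same `-L` switch is introduced without a note in the `@@ -785` and `@@ -809` hunks, and the for loop consuming FIND continues outside the hunk.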
@@ -204,7 +204,7 @@ Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration" if [ ${SKIPTEST} -eq 0 ]; then FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data" - CONFIG_FILES=$(${FINDBINARY} ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g") + CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g") for CF in ${CONFIG_FILES}; do Report "postgresql_config_file[]=${CF}" LogText "Found configuration file (${CF})" diff -Nru lynis-3.0.7/include/tests_kernel lynis-3.0.8/include/tests_kernel --- lynis-3.0.7/include/tests_kernel 2022-01-18 00:00:00.000000000 +0000 +++ lynis-3.0.8/include/tests_kernel 2022-05-17 00:00:00.000000000 +0000 @@ -368,14 +368,14 @@ # # Test : KRNL-5788 # Description : Checking availability new kernel - if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || - [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then + if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then PREQS_MET="YES" else PREQS_MET="NO" fi Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel" if [ ${SKIPTEST} -eq 0 ]; then + FINDKERNEL="" HAS_VMLINUZ=0 LogText "Test: Searching apt-cache, to determine if a newer kernel is available" if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then 
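Review bot: The DBS-1828 pipeline still ends in `xargs -i sh -c 'test -r "{}" && echo "{}"'`, which splices each file name into a shell command string; now that `-L` also follows links out of the PostgreSQL data directories, which are normally writable by the service account, a name containing a double quote or `$(` is executed by the root-run audit. Pass the name as a positional argument so it is never parsed as code: `xargs -I{} sh -c 'test -r "$1" && printf "%s\n" "$1"' sh {}`. The earlier `tr -cd '[:print:]\0'` does not strip those characters, and `-I` also replaces the non-portable `-i`. The for loop over CONFIG_FILES continues outside the hunk.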
@@ -384,62 +384,69 @@ if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then HAS_VMLINUZ=1 if [ -f ${ROOTDIR}vmlinuz ]; then - FINDVMLINUZ=${ROOTDIR}vmlinuz + FINDVMLINUZ="${ROOTDIR}vmlinuz" else - FINDVMLINUZ=${ROOTDIR}boot/vmlinuz + FINDVMLINUZ="${ROOTDIR}boot/vmlinuz" fi LogText "Result: found ${FINDVMLINUZ}" LogText "Test: checking readlink location of ${FINDVMLINUZ}" FINDKERNFILE=$(readlink -f ${FINDVMLINUZ}) LogText "Output: readlink reported file ${FINDKERNFILE}" - LogText "Test: checking package from dpkg -S" + LogText "Test: checking relevant package using output from dpkg -S" FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}') LogText "Output: dpkg -S reported package ${FINDKERNEL}" elif [ -e ${ROOTDIR}dev/grsec ]; then - FINDKERNEL=linux-image-$(uname -r) + FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}" elif [ -e ${ROOTDIR}etc/rpi-issue ]; then - FINDKERNEL=raspberrypi-kernel + FINDKERNEL="raspberrypi-kernel" LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian" - elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then - FINDKERNEL=linux-image-$(uname -r) + elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then + FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No" else - LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." + LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." 
"/vmlinuz or /boot/vmlinuz" fi - LogText "Test: Using apt-cache policy to determine if there is an update available" - FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - LogText "Kernel installed: ${FINDINST}" - LogText "Kernel candidate: ${FINDCAND}" - if IsEmpty "${FINDINST}"; then - Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW - LogText "Result: Exception occurred, no output from apt-cache policy" - if [ ${HAS_VMLINUZ} -eq 1 ]; then - ReportException "${TEST_NO}:01" - ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" - fi - LogText "Result: apt-cache policy did not return an installed kernel version" + + if IsEmpty "${FINDKERNEL}"; then + LogText "Result: could not check kernel update status as kernel is unknown" else - if [ "${FINDINST}" = "${FINDCAND}" ]; then - if [ -e /dev/grsec ]; then - Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN - LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" - ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" - else - Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN - LogText "Result: no kernel update available" + LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing" + LogText "Test: Using apt-cache policy to determine if there is an update available" + FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + 
LogText "Kernel installed: ${FINDINSTALLED}" + LogText "Kernel candidate: ${FINDCANDIDATE}" + if IsEmpty "${FINDINSTALLED}"; then + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW + LogText "Result: Exception occurred, no output from apt-cache policy" + if [ ${HAS_VMLINUZ} -eq 1 ]; then + ReportException "${TEST_NO}:01" "Found vmlinuz (${FINDVMLINUZ}) but could not determine the installed kernel using apt-cache policy" + ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" fi + LogText "Result: apt-cache policy did not return an installed kernel version" else - Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW - LogText "Result: kernel update available according 'apt-cache policy'." - ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" + if [ "${FINDINSTALLED}" = "${FINDCANDIDATE}" ]; then + if [ -e /dev/grsec ]; then + Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN + LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" + ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" + else + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN + LogText "Result: no kernel update available" + fi + else + Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW + LogText "Result: kernel update available according 'apt-cache policy'." + ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" + fi fi fi else - LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests." + LogText "Result: could NOT find ${ROOTDIR}usr/bin/apt-cache, skipped other tests." 
fi + unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ fi # ################################################################################# 
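Review bot: The rewritten `elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then` only works because an empty command substitution leaves the shell with the substitution's exit status, the same obscure behaviour the backticks relied on; run the grep as the condition itself and silence the error when the file is absent: `elif ${EGREPBINARY} -q 'do_symlinks.*=.*No' "${ROOTDIR}etc/kernel-img.conf" 2> /dev/null; then`. In the same hunk the grsecurity detection is inconsistent: the kernel-name branch tests `${ROOTDIR}dev/grsec` while the update-status branch tests a bare `/dev/grsec`, so an audit with a non-default ROOTDIR takes different paths in the two places. When FINDKERNEL is empty the new branch writes only to the log and no Display line is produced for the test, which may be intended but differs from every other outcome. The enclosing `if [ -x ${ROOTDIR}usr/bin/apt-cache ]` starts outside the hunk.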
@@ -463,9 +470,9 @@ # check conf files in possibly existing coredump.conf.d folders # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. # while there could be multiple files overwriting each other, we are checking the number of occurrences - SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) - SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l) - SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') + SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) + SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | 
${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l) + SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}') SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}') if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \ 
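Review bot: The three find invocations in this hunk still hardcode `/etc/systemd/coredump.conf.d/`, `/run/systemd/coredump.conf.d/` and `/usr/lib/systemd/coredump.conf.d/` without `${ROOTDIR}`, unlike the `${ROOTDIR}etc/profile.d` lookup in the next hunk of the same file, so an audit of a mounted root inspects the host instead; I assume ROOTDIR is meant to apply here too. They also walk the same directories three times with the same `-exec sed` only to grep different keys; collecting the normalised content once and grepping the variable yields the same counts with a third of the process spawns. Rough shape below, where the directory list is the only behavioural change. The `if ( [ ... ] )` that consumes these counts continues outside the hunk.
```shell
# … unchanged: comments above …
SYSD_CORED_SUB_DIRS="${ROOTDIR}etc/systemd/coredump.conf.d/ ${ROOTDIR}run/systemd/coredump.conf.d/ ${ROOTDIR}usr/lib/systemd/coredump.conf.d/"
SYSD_CORED_SUB_CONTENT=$(${FINDBINARY} -L ${SYSD_CORED_SUB_DIRS} -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null)
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_CONTENT}" | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_CONTENT}" | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_STORAGE_FOUND=$(${ECHOCMD} "${SYSD_CORED_SUB_CONTENT}" | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
# … unchanged: SYSD_CORED_SUB_STORAGE_NR_* counts and the if that follows …
```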
@@ -506,81 +513,84 @@ LogText "Test: Checking if 'ulimit -c 0' exists in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" # use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts) ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" - ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" + ULIMIT_C_VALUE_SUB="$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN AddHP 1 1 elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. 
Didn't find setting 'ulimit -c 0'" - Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DEFAULT}" --color WHITE + Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_DEFAULT}" --color WHITE AddHP 0 1 elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'" - Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ENABLED}" --color RED + Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ENABLED}" --color RED AddHP 0 1 else LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!" - Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ERROR}" --color YELLOW + Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW fi fi - # Limits option - LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf" - if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then - LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists" - LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" - # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. 
- FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) - FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) - FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) + + # Limits options + for DIR in "/" "/usr/"; do + LogText "Test: Checking presence ${DIR}etc/security/limits.conf" + if [ -f "${DIR}etc/security/limits.conf" ]; then + LogText "Result: file ${DIR}etc/security/limits.conf exists" + LogText "Test: Checking if core dumps are disabled in ${DIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" + # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. 
+ FIND1=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) + FIND2=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) + FIND3=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) - # When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file. - if [ "${FIND3}" = "core dumps disabled" ]; then - FIND1="soft core disabled" - FIND2="hard core disabled" - elif [ "${FIND3}" = "core dumps enabled" ]; then - FIND1="soft core enabled" - FIND2="hard core enabled" - fi + # When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file. 
+ if [ "${FIND3}" = "core dumps disabled" ]; then + FIND1="soft core disabled" + FIND2="hard core disabled" + elif [ "${FIND3}" = "core dumps enabled" ]; then + FIND1="soft core enabled" + FIND2="hard core enabled" + fi - IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" - IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" + IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" + IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" - if [ "${FIND2}" = "hard core disabled" ]; then - LogText "Result: core dumps are hard disabled" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN" - if [ "${FIND1}" = "soft core disabled" ]; then - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" + if [ "${FIND2}" = "hard core disabled" ]; then + LogText "Result: core dumps are hard disabled" + Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN" + if [ "${FIND1}" = "soft core disabled" ]; then + Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" + else + Display --indent 4 --text "- 'soft' config in ${DIR}etc/security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN" + 
fi + AddHP 3 3 + elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then + LogText "Result: core dumps (soft and hard) are enabled" + Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" + Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" + ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file" + AddHP 0 3 + elif [ "${FIND1}" = "soft core disabled" ]; then + LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})" + Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" + AddHP 2 3 + elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then + LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})" + Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + AddHP 0 3 else - Display --indent 4 
--text "- 'soft' config in security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN" + LogText "Result: core dumps are not explicitly disabled" + Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" + Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" + ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${DIR}etc/security/limits.conf file" + AddHP 1 3 fi - AddHP 3 3 - elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then - LogText "Result: core dumps (soft and hard) are enabled" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" - ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file" - AddHP 0 3 - elif [ "${FIND1}" = "soft core disabled" ]; then - LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" - AddHP 2 3 - elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then - LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result 
"${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" - AddHP 0 3 else - LogText "Result: core dumps are not explicitly disabled" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" - ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file" - AddHP 1 3 + LogText "Result: file ${DIR}etc/security/limits.conf does not exist, skipping test for this file" fi - else - LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test" - fi + done # Sysctl option LogText "Test: Checking sysctl value of fs.suid_dumpable" 
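Review bot: The new `for DIR in "/" "/usr/"` loop drops the `${ROOTDIR}` prefix that the removed lines used, so when Lynis is pointed at a mounted root the limits.conf check now reads the live system's files while the profile checks in the same hunk still use `${ROOTDIR}etc/profile`; `for DIR in "${ROOTDIR}" "${ROOTDIR}usr/"; do` keeps both locations and the root override. The per-iteration `AddHP` calls also mean a host with both files present is scored twice (up to 6 of 6 rather than 3 of 3), which looks unintended. In the final `else` branch the 'soft' Display line still prints `${IS_HARDCORE_DISABLED}` where `${IS_SOFTCORE_DISABLED}` is meant, and the ReportSuggestion in the "enabled" branch hardcodes `/etc/security/limits.conf` while its sibling uses `${DIR}etc/security/limits.conf`. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block starts before this hunk.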
@@ -615,25 +625,29 @@
 Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel"
 if [ ${SKIPTEST} -eq 0 ]; then
 REBOOT_NEEDED=2
- FILE="${ROOTDIR}var/run/reboot-required.pkgs"
- LogText "Test: Checking presence ${FILE}"
- if [ -f ${FILE} ]; then
- LogText "Result: file ${FILE} exists"
- FIND=$(${WCBINARY} -l < ${FILE})
- if [ "${FIND}" = "0" ]; then
- LogText "Result: No reboot needed (file empty)"
- REBOOT_NEEDED=0
+ for FILE in "${ROOTDIR}var/run/reboot-required.pkgs" "${ROOTDIR}var/run/needs_restarting"
+ do
+ LogText "Test: Checking presence ${FILE}"
+ if [ -f ${FILE} ]; then
+ LogText "Result: file ${FILE} exists"
+ FIND=$(${WCBINARY} -l < ${FILE})
+ if [ "${FIND}" = "0" ]; then
+ LogText "Result: No reboot needed (file empty)"
+ REBOOT_NEEDED=0
+ break
+ else
+ PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
+ LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
+ for I in ${FIND}; do
+ LogText "Package: ${I}"
+ done
+ REBOOT_NEEDED=1
+ break
+ fi
 else
- PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
- LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
- for I in ${FIND}; do
- LogText "Package: ${I}"
- done
- REBOOT_NEEDED=1
+ LogText "Result: file ${FILE} not found"
 fi
- else
- LogText "Result: file ${FILE} not found"
- fi
+ done
 
 # Check if /boot exists
 if [ -d "${ROOTDIR}boot" ]; then
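Review bot: `FIND` holds the output of `${WCBINARY} -l`, so the re-added `for I in ${FIND}; do LogText "Package: ${I}"` loop logs the line count rather than any package name, and `PKGSCOUNT` repeats the same `wc -l`. Reading the file for the loop, e.g. `for I in $(${CAT_BINARY} ${FILE}); do`, would log the actual entries; whether `needs_restarting` contains package names at all is not visible here and should be confirmed before its lines are logged as packages. The `break` after the first existing file means `needs_restarting` is only consulted when `reboot-required.pkgs` is absent, which deserves a comment such as `# first marker file found wins; the two are not expected to coexist`.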
@@ -663,7 +677,10 @@
 ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
 fi
 elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then
- if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
+ if [ -f ${ROOTDIR}boot/vmlinuz ]; then
+ LogText "Result: found ${ROOTDIR}boot/vmlinuz"
+ FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz
+ elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
 LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux"
 FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux
 elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
diff -Nru lynis-3.0.7/include/tests_logging lynis-3.0.8/include/tests_logging
--- lynis-3.0.7/include/tests_logging 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/include/tests_logging 2022-05-17 00:00:00.000000000 +0000
@@ -387,7 +387,7 @@
 fi
 TARGET="${ROOTDIR}etc/rsyslog.d"
 if [ -d ${TARGET} ]; then
- FILES=$(${FINDBINARY} ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ')
+ FILES=$(${FINDBINARY} -L ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ')
 for F in ${FILES}; do
 F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g')
 LogText "Test: analyzing file ${F} for remote target"
diff -Nru lynis-3.0.7/include/tests_malware lynis-3.0.8/include/tests_malware
--- lynis-3.0.7/include/tests_malware 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/include/tests_malware 2022-05-17 00:00:00.000000000 +0000
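Review bot: `${ROOTDIR}boot/vmlinuz` is now checked before the versioned `vmlinuz-linux` names, and where `/boot/vmlinuz` is a symlink to a versioned image `[ -f ]` follows the link, so `FOUND_VMLINUZ` ends up holding a name with no version string; if the code after this hunk derives the on-disk kernel version from that filename rather than from the image itself, this path now yields nothing (not visible here, worth confirming). The enclosing `elif` chain continues past the hunk. A comment on the new branch, `# generic vmlinuz (often a symlink to the current image) takes precedence`, would record that the ordering is intentional.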
@@ -46,6 +46,24 @@
 #
 #################################################################################
 #
+ # Test : MALW-3274
+ # Description : Check for installed tool (McAfee VirusScan for Command Line)
+ Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: checking presence McAfee VirusScan for Command Line"
+ if [ -x /usr/local/uvscan/uvscan ]; then
+ Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: Found ${MCAFEECLBINARY}"
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 2 2
+ Report "malware_scanner[]=mcafeecl"
+ else
+ LogText "Result: McAfee VirusScan for Command Line not found"
+ fi
+ fi
+#
+#################################################################################
+#
 # Test : MALW-3275
 # Description : Check for installed tool (chkrootkit)
 Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
diff -Nru lynis-3.0.7/include/tests_ports_packages lynis-3.0.8/include/tests_ports_packages
--- lynis-3.0.7/include/tests_ports_packages 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/include/tests_ports_packages 2022-05-17 00:00:00.000000000 +0000
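Review bot: `LogText "Result: Found ${MCAFEECLBINARY}"` reads a variable that nothing in this hunk sets, while the test itself checks the literal `/usr/local/uvscan/uvscan`, so the log line will most likely read `Result: Found ` unless that variable is defined elsewhere. Either assign it before the `-x` test, `MCAFEECLBINARY="/usr/local/uvscan/uvscan"`, and use it in both places, or log the literal path. The other tests in this file honour `${ROOTDIR}` for their paths; this one does not, so an audit of a mounted root will not detect the scanner.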
@@ -35,6 +35,34 @@
 #
 #################################################################################
 #
+ # Test : PKGS-7200
+ # Description : Check Alpine Package Keeper (apk)
+ if [ -x ${ROOTDIR}/sbin/apk ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying apk"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ COUNT=0
+ Display --indent 4 --text "- Searching apk package manager" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: Found apk binary"
+ Report "package_manager[]=apk"
+ PACKAGE_MGR_PKG=1
+ LogText "Test: Querying apk info -v to get package list"
+ Display --indent 6 --text "- Querying package manager"
+ LogText "Output:"
+ SPACKAGES=$(apk info -v | ${SEDBINARY} -r -e 's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)/\1,\2/' | sort)
+ for J in ${SPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
+ PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
+ LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+ INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
+ done
+ Report "installed_packages=${COUNT}"
+ else
+ LogText "Result: apk "${STATUS_NOT_FOUND}", test skipped"
+ fi
+#
+#################################################################################
+#
 # Test : PKGS-7301
 # Description : Query FreeBSD pkg
 if [ -x ${ROOTDIR}usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
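Review bot: The prerequisite check `[ -x ${ROOTDIR}/sbin/apk ]` inserts a slash after `${ROOTDIR}`, unlike `${ROOTDIR}usr/sbin/pkg` on the context line below and `"${ROOTDIR}sbin/apk"` in the PKGS-7395 hunk; `if [ -x "${ROOTDIR}sbin/apk" ]; then` keeps the tests consistent. The package query then runs a bare `apk info -v` (and a bare `sort`) resolved from `PATH` rather than the binary that was just verified, so the prerequisite and the command actually executed can be different programs; `${ROOTDIR}sbin/apk info -v` matches what PKGS-7395 does. The Register line also lacks `--os Linux`, which PKGS-7395 passes for the same package manager.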
@@ -1236,6 +1264,41 @@ # ################################################################################# # + # Test : PKGS-7395 + # Description : Check Alpine upgradeable packages + if [ "${LINUX_VERSION}" = "Alpine Linux" ] && [ -x "${ROOTDIR}sbin/apk" ]; then + PREQS_MET="YES" + else + PREQS_MET="NO" + fi + + Register --test-no PKGS-7395 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Alpine updates" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then + LogText "Action: updating package repository with apk" + ${ROOTDIR}sbin/apk update + LogText "Result: apk finished" + else + LogText "Result: using a possibly outdated repository, as updating is disabled via configuration" + fi + LogText "Test: Checking packages which can be upgraded via apk version -l '<'" + FIND=$(${ROOTDIR}sbin/apk version -l '<' | ${GREPBINARY} '<' | ${SEDBINARY} 's/\s\+<\s/ /dev/null | ${GREPBINARY} -v ".placeholder") + FIND=$(${FINDBINARY} -L ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder") if [ -z "${FIND}" ]; then LogText "Result: no files found in ${I}" else diff -Nru lynis-3.0.7/include/tests_shells lynis-3.0.8/include/tests_shells --- lynis-3.0.7/include/tests_shells 2022-01-18 00:00:00.000000000 +0000 +++ lynis-3.0.8/include/tests_shells 2022-05-17 00:00:00.000000000 +0000 
@@ -167,9 +167,9 @@
 FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
 if [ -n "${FIND}" ]; then
 # Determine if we can find a TMOUT value
- FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
+ FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
 # Determine if the value is exported (with export, readonly, or typeset)
- FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
+ FIND2=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
 if [ -n "${FIND}" ]; then
 N=0; IDLE_TIMEOUT=1
 for I in ${FIND}; do
diff -Nru lynis-3.0.7/include/tests_squid lynis-3.0.8/include/tests_squid
--- lynis-3.0.7/include/tests_squid 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/include/tests_squid 2022-05-17 00:00:00.000000000 +0000
@@ -131,7 +131,7 @@
 Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
- FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
+ FIND=$(find -L ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
 if [ -n "${FIND}" ]; then
 LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
 Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
diff -Nru lynis-3.0.7/include/tests_ssh lynis-3.0.8/include/tests_ssh
--- lynis-3.0.7/include/tests_ssh 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/include/tests_ssh 2022-05-17 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
 LogText "Result: ${I}/sshd_config exists"
 if [ ${FOUND} -eq 1 ]; then
 ReportException "${TEST_NO}:01"
- LogText "Result: we already had found another sshd_config file. Using this new file then."
+ LogText "Result: we already found another sshd_config file. Using this new file instead of the previous one."
 fi
 FileIsReadable ${I}/sshd_config
 if [ ${CANREAD} -eq 1 ]; then
diff -Nru lynis-3.0.7/include/tests_webservers lynis-3.0.8/include/tests_webservers
--- lynis-3.0.7/include/tests_webservers 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/include/tests_webservers 2022-05-17 00:00:00.000000000 +0000
@@ -288,7 +288,7 @@
 Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check modules, module
- if CheckItem "apache_module" "/mod_security2.so"; then
+ if CheckItem "apache_module" "/mod_security(2|3).so" ; then
 Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN
 AddHP 3 3
 else
diff -Nru lynis-3.0.7/lynis lynis-3.0.8/lynis
--- lynis-3.0.7/lynis 2022-01-18 00:00:00.000000000 +0000
+++ lynis-3.0.8/lynis 2022-05-17 00:00:00.000000000 +0000
@@ -43,10 +43,10 @@
 PROGRAM_WEBSITE="https://cisofy.com/lynis/"
 
 # Version details
- PROGRAM_RELEASE_DATE="2022-01-18"
- PROGRAM_RELEASE_TIMESTAMP=1642512096
+ PROGRAM_RELEASE_DATE="2022-05-17"
+ PROGRAM_RELEASE_TIMESTAMP=1652791205
 PROGRAM_RELEASE_TYPE="release" # pre-release or release
- PROGRAM_VERSION="3.0.7"
+ PROGRAM_VERSION="3.0.8"
 
 # Source, documentation and license
 PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
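Review bot: The new pattern `/mod_security(2|3).so` only detects anything if `CheckItem` matches its second argument as an extended regular expression; under basic-regex or fixed-string matching `(2|3)` is literal, so the ModSecurity check would silently never match and an installed WAF would be reported as not found (and the `AddHP 3 3` lost). CheckItem is defined outside this hunk, so its matching mode should be confirmed; if it is basic regex, `/mod_security\(2\|3\)\.so` is the portable spelling, and the `.` is better escaped in either case. A short comment, `# ModSecurity v2 ships mod_security2.so, v3 ships mod_security3.so`, would document why the pattern was widened.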