Hello community,
here is the log from the commit of package lynis for openSUSE:Factory checked
in at 2018-11-05 22:53:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lynis (Old)
and /work/SRC/openSUSE:Factory/.lynis.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lynis"
Mon Nov 5 22:53:42 2018 rev:31 rq:646071 version:2.7.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/lynis/lynis.changes 2018-10-11
11:55:31.326018185 +0200
+++ /work/SRC/openSUSE:Factory/.lynis.new/lynis.changes 2018-11-05
22:53:44.988180323 +0100
@@ -1,0 +2,12 @@
+Sat Oct 27 02:36:44 UTC 2018 - s...@suspend.net
+
+- update to 2.7.0
+ * added detection of TOMOYO binary (MACF-6240)
+ * Status of TOMOYO framework updated (MACF-6242)
+ * OpenSSH server version detected (SSH-7406)
+ * Check active OSSEC analysis daemon (TOOL-5160)
+ * Changed several warning labels on screen
+ * More generic sulogin for systemd rescue (AUTH-9308)
+ * OS detection now ignores quotes for getting the OS ID
+
+-------------------------------------------------------------------
Old:
----
lynis-2.6.9.tar.gz
lynis-2.6.9.tar.gz.asc
New:
----
lynis-2.7.0.tar.gz
lynis-2.7.0.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ lynis.spec ++++++
--- /var/tmp/diff_new_pack.1FDt3e/_old 2018-11-05 22:53:45.796179301 +0100
+++ /var/tmp/diff_new_pack.1FDt3e/_new 2018-11-05 22:53:45.804179291 +0100
@@ -23,7 +23,7 @@
%define _pluginsdir %{_datadir}/lynis/plugins
%define _dbdir %{_datadir}/lynis/db
Name: lynis
-Version: 2.6.9
+Version: 2.7.0
Release: 0
Summary: Security and System auditing tool
License: GPL-3.0-only
++++++ lynis-2.6.9.tar.gz -> lynis-2.7.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md
--- old/lynis/CHANGELOG.md 2018-09-19 02:00:00.000000000 +0200
+++ new/lynis/CHANGELOG.md 2018-10-26 02:00:00.000000000 +0200
@@ -1,5 +1,20 @@
# Lynis Changelog
+## Lynis 2.7.0 (2018-10-26)
+
+### Added
+- MACF-6240 - Detection of TOMOYO binary
+- MACF-6242 - Status of TOMOYO framework
+- SSH-7406 - OpenSSH server version detection
+- TOOL-5160 - Check active OSSEC analysis daemon
+
+### Changed
+- Changed several warning labels on screen
+- AUTH-9308 - More generic sulogin for systemd rescue.service
+- OS detection now ignores quotes for getting the OS ID.
+
+---------------------------------------------------------------------------------
+
## Lynis 2.6.9 (2018-09-19)
### Changed
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/db/tests.db new/lynis/db/tests.db
--- old/lynis/db/tests.db 2018-09-19 02:00:00.000000000 +0200
+++ new/lynis/db/tests.db 2018-10-26 02:00:00.000000000 +0200
@@ -210,6 +210,8 @@
MACF-6208:test:security:mac_frameworks::Check if AppArmor is enabled:
MACF-6232:test:security:mac_frameworks::Check SELINUX presence:
MACF-6234:test:security:mac_frameworks::Check SELINUX status:
+MACF-6240:test:security:mac_frameworks::Detection of TOMOYO binary:
+MACF-6242:test:security:mac_frameworks::Status of TOMOYO MAC framework:
MACF-6290:test:security:mac_frameworks::Check for implemented MAC framework:
MAIL-8802:test:security:mail_messaging::Check Exim status:
MAIL-8804:test:security:mail_messaging::Exim configuration:
@@ -352,6 +354,7 @@
SQD-3680:test:security:squid::Check Squid version suppression:
SSH-7402:test:security:ssh::Check for running SSH daemon:
SSH-7404:test:security:ssh::Check SSH daemon file location:
+SSH-7406:test:security:ssh::Detection of OpenSSH server version:
SSH-7408:test:security:ssh::Check SSH specific defined options:
SSH-7440:test:security:ssh::AllowUsers and AllowGroups:
STRG-1840:test:security:storage:Linux:Check if USB storage is disabled:
@@ -381,6 +384,7 @@
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
TOOL-5120:test:security:tooling::Presence of Snort IDS:
TOOL-5122:test:security:tooling::Snort IDS configuration file:
+TOOL-5160:test:security:tooling::Check for active OSSEC analysis daemon:
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
USB-3000:test:security:storage:Linux:Check for presence of USBGuard:
# EOF
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries
--- old/lynis/include/binaries 2018-09-19 02:00:00.000000000 +0200
+++ new/lynis/include/binaries 2018-10-26 02:00:00.000000000 +0200
@@ -225,6 +225,7 @@
syslog-ng)
SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep
"^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version
${SYSLOGNGVERSION})" ;;
systemctl)
SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl
(client to systemd) - ${BINARY}" ;;
timedatectl) TIMEDATECTL="${BINARY}";
LogText " Found known binary: timedatectl (timedate client) -
${BINARY}" ;;
+ tomoyo-init)
TOMOYOINITBINARY=${BINARY}; LogText " Found known binary: tomoyo-init
(tomoyo component) - ${BINARY}" ;;
tr) TRBINARY="${BINARY}";
LogText " Found known binary: tr (text transformation) - ${BINARY}" ;;
tripwire)
TRIPWIREBINARY="${BINARY}"; LogText " Found known binary: tripwire
(file integrity) - ${BINARY}" ;;
tune2fs) TUNE2FSBINARY="${BINARY}";
LogText " Found known binary: tune2fs (file system tool) - ${BINARY}"
;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/consts new/lynis/include/consts
--- old/lynis/include/consts 2018-09-19 02:00:00.000000000 +0200
+++ new/lynis/include/consts 2018-10-26 02:00:00.000000000 +0200
@@ -129,6 +129,7 @@
KLDSTATBINARY=""
LAUNCHCTL_BINARY=""
LDAP_CLIENT_CONFIG_FILE=""
+ LICENSE_SERVER=""
LINUX_VERSION=""
LINUXCONFIGFILE=""
LMDBINARY=""
@@ -283,6 +284,7 @@
UPLOAD_PROXY_PORT=""
UPLOAD_PROXY_PROTOCOL=""
UPLOAD_PROXY_SERVER=""
+ UPLOAD_SERVER=""
UPLOAD_TOOL=""
UPLOAD_TOOL_ARGS=""
USBGUARDBINARY=""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/helper_audit_dockerfile
new/lynis/include/helper_audit_dockerfile
--- old/lynis/include/helper_audit_dockerfile 2018-09-19 02:00:00.000000000
+0200
+++ new/lynis/include/helper_audit_dockerfile 2018-10-26 02:00:00.000000000
+0200
@@ -136,7 +136,7 @@
FIND=$(grep "^USER" ${AUDIT_FILE} | cut -d' ' -f2 )
if [ "${FIND}" = "" ]; then
- ReportWarning "dockerfile" "No user declared in Dockerlfile. Container
will execute command as root"
+ ReportWarning "dockerfile" "No user declared in Dockerfile. Container
will execute command as root"
else
USER=$(echo ${FIND})
Display --indent 2 --text "User" --result "${USER}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/osdetection
new/lynis/include/osdetection
--- old/lynis/include/osdetection 2018-09-19 02:00:00.000000000 +0200
+++ new/lynis/include/osdetection 2018-10-26 02:00:00.000000000 +0200
@@ -137,7 +137,7 @@
# Generic
if [ -e /etc/os-release ]; then
- OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}')
+ OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' |
tr -d '"')
if [ ! -z "${OS_ID}" ]; then
case ${OS_ID} in
"arch")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_accounting
new/lynis/include/tests_accounting
--- old/lynis/include/tests_accounting 2018-09-19 02:00:00.000000000 +0200
+++ new/lynis/include/tests_accounting 2018-10-26 02:00:00.000000000 +0200
@@ -206,7 +206,7 @@
Display --indent 4 --text "- Checking audit configuration file"
--result "${STATUS_OK}" --color GREEN
else
LogText "Result: could not find auditd configuration file"
- Display --indent 4 --text "- Checking audit configuration file"
--result "${STATUS_WARNING}" --color RED
+ Display --indent 4 --text "- Checking audit configuration file"
--result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Determine the location of auditd
configuration file"
fi
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_boot_services
new/lynis/include/tests_boot_services
--- old/lynis/include/tests_boot_services 2018-09-19 02:00:00.000000000
+0200
+++ new/lynis/include/tests_boot_services 2018-10-26 02:00:00.000000000
+0200
@@ -806,7 +806,7 @@
if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then
LogText "Result: file /usr/lib/systemd/system/rescue.service"
LogText "Test: checking presence sulogin for single user mode"
- FIND=$(${EGREPBINARY} "^ExecStart=-(/bin/sh -c
\")?(/usr)?/(s)?bin/sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
+ FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin"
${ROOTDIR}usr/lib/systemd/system/rescue.service)
if [ ! -z "${FIND}" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_mac_frameworks
new/lynis/include/tests_mac_frameworks
--- old/lynis/include/tests_mac_frameworks 2018-09-19 02:00:00.000000000
+0200
+++ new/lynis/include/tests_mac_frameworks 2018-10-26 02:00:00.000000000
+0200
@@ -22,6 +22,7 @@
MAC_FRAMEWORK_ACTIVE=0 # Default no MAC framework active
RBAC_FRAMEWORK_ACTIVE=0 # Default no RBAC framework active
SELINUXFOUND=0
+ TOMOYOFOUND=0
InsertSection "Security frameworks"
#
@@ -157,6 +158,46 @@
fi
fi
#
+#################################################################################
+#
+ # Test : MACF-6240
+ # Description : Check if the tomoyo-init binary is available on the system
+ Register --test-no MACF-6240 --weight L --network NO --category security
--description "Check TOMOYO Linux presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: checking if we have tomoyo-init binary"
+ if [ -z "${TOMOYOINITBINARY}" ]; then
+ TOMOYOFOUND=0
+ LogText "Result: tomoyo-init binary not found"
+ Display --indent 2 --text "- Checking presence TOMOYO Linux"
--result "${STATUS_NOT_FOUND}" --color WHITE
+ else
+ TOMOYOFOUND=1
+ LogText "Result: tomoyo-init binary found"
+ Display --indent 2 --text "- Checking presence TOMOYO Linux"
--result "${STATUS_FOUND}" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MACF-6242
+ # Description : Check TOMOYO Linux status
+ if [ ${TOMOYOFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no MACF-6242 --preqs-met ${PREQS_MET} --weight L --network
NO --category security --description "Check TOMOYO Linux status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FILE="/sys/kernel/security/tomoyo/stat"
+ if [ -f ${FILE} ]; then
+ MAC_FRAMEWORK_ACTIVE=1
+ LogText "Result: TOMOYO Linux is enabled"
+ Display --indent 4 --text "- Checking TOMOYO Linux status"
--result "${STATUS_ENABLED}" --color GREEN
+ Report "tomoyo_enabled=1"
+ AddHP 3 3
+ else
+ LogText "Result: TOMOYO Linux is disabled"
+ Display --indent 4 --text "- Checking TOMOYO Linux status"
--result "${STATUS_DISABLED}" --color YELLOW
+ Report "tomoyo_enabled=0"
+ AddHP 0 3
+ fi
+ fi
+#
#################################################################################
#
# Test : RBAC-6272
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_memory_processes
new/lynis/include/tests_memory_processes
--- old/lynis/include/tests_memory_processes 2018-09-19 02:00:00.000000000
+0200
+++ new/lynis/include/tests_memory_processes 2018-10-26 02:00:00.000000000
+0200
@@ -84,7 +84,7 @@
else
LogText "Result: found one or more dead or zombie processes"
LogText "Output: PIDs ${FIND}"
- Display --indent 2 --text "- Searching for dead/zombie processes"
--result "${STATUS_WARNING}" --color RED
+ Display --indent 2 --text "- Searching for dead/zombie processes"
--result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or
zombie processes"
fi
fi
@@ -109,7 +109,7 @@
LogText "Result: found one or more processes which were waiting to
get IO requests handled first"
LogText "More info: processes which show up with the status flag
'D' are often stuck, until a disk IO event finished. This can happen for
example with network storage, where the connection or protocol settings are not
logtext well configured."
LogText "Output: PIDs ${FIND}"
- Display --indent 2 --text "- Searching for IO waiting processes"
--result "${STATUS_WARNING}" --color RED
+ Display --indent 2 --text "- Searching for IO waiting processes"
--result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Check process listing for processes
waiting for IO requests"
fi
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_ports_packages
new/lynis/include/tests_ports_packages
--- old/lynis/include/tests_ports_packages 2018-09-19 02:00:00.000000000
+0200
+++ new/lynis/include/tests_ports_packages 2018-10-26 02:00:00.000000000
+0200
@@ -808,7 +808,7 @@
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight
M --network NO --category security --description "Check for YUM package update
management"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: YUM package update management"
- FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist |
${SEDBINARY} 's/ //g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print
$2}' | ${EGREPBINARY} "^[0-9]+$")
+ FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist |
${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F
":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$")
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: YUM package update management failed"
Display --indent 2 --text "- YUM package management consistency"
--result "${STATUS_WARNING}" --color RED
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_ssh new/lynis/include/tests_ssh
--- old/lynis/include/tests_ssh 2018-09-19 02:00:00.000000000 +0200
+++ new/lynis/include/tests_ssh 2018-10-26 02:00:00.000000000 +0200
@@ -27,6 +27,9 @@
SSH_DAEMON_PORT=""
SSH_DAEMON_RUNNING=0
SSH_DAEMON_OPTIONS_FILE=""
+ OPENSSHD_VERSION=0
+ OPENSSHD_VERSION_MAJOR=0
+ OPENSSHD_VERSION_MINOR=0
#
#################################################################################
#
@@ -90,6 +93,23 @@
#
#################################################################################
#
+ # Test : SSH-7406
+ # Description : Check OpenSSH version
+ if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else
PREQS_MET="NO"; fi
+ Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network
NO --category security --description "Determine OpenSSH version"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ OPENSSHD_VERSION=$(sshd -t -d 2>&1 | ${GREPBINARY} 'sshd version' |
${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' |
${TRBINARY} -d ',')
+ LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}"
+ if [ ! -z ${OPENSSHD_VERSION} ]; then
+ OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY}
-F. '{print $1}')
+ LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}"
+ OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY}
-F. '{print $2}')
+ LogText "Result: OpenSSH minor version: ${OPENSSHD_VERSION_MINOR}"
+ fi
+ fi
+#
+#################################################################################
+#
# Test : SSH-7408
# Description : Check SSH specific defined options
# Notes : Instead of parsing the configuration file, we query the
SSH daemon itself
@@ -124,20 +144,30 @@
PermitTunnel:NO,,YES:=\
Port:,,22:!\
PrintLastLog:YES,,NO:=\
- Protocol:2,,1:=\
StrictModes:YES,,NO:=\
TCPKeepAlive:NO,,YES:=\
UseDNS:NO,,YES:=\
- UsePrivilegeSeparation:SANDBOX,YES,NO:=\
VerifyReverseMapping:YES,,NO:=\
X11Forwarding:NO,,YES:=\
AllowAgentForwarding:NO,,YES:="
- # Notes
- # =========================================================
- # UsePrivilegeSeparation - removed since OpenSSH 7.5
- #
- # Disabled MaxStartups:4,8,16:<\ (needs fixing)
+
+ # OpenSSH had some options removed over time. Based on the version we
add some additional options to check
+ if [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then
+ LogText "Result: added additional options for OpenSSH 6.x and
lower"
+ SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:=
Protocol:2,,1:="
+ elif [ ${OPENSSHD_VERSION_MAJOR} -eq 7 ]; then
+ # Protocol 1 support removed (OpenSSH 7.4 and later)
+ if [ ${OPENSSHD_VERSION_MINOR} -lt 4 ]; then
+ LogText "Result: added additional options for OpenSSH < 7.4"
+ SSHOPS="${SSHOPS} Protocol:2,,1:="
+ fi
+ # UsePrivilegedSeparation removed (OpenSSH 7.5 and later)
+ if [ ${OPENSSHD_VERSION_MINOR} -lt 5 ]; then
+ LogText "Result: added additional options for OpenSSH < 7.5"
+ SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:="
+ fi
+ fi
# Go through our list of options
for I in ${SSHOPS}; do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_tooling
new/lynis/include/tests_tooling
--- old/lynis/include/tests_tooling 2018-09-19 02:00:00.000000000 +0200
+++ new/lynis/include/tests_tooling 2018-10-26 02:00:00.000000000 +0200
@@ -27,7 +27,7 @@
PUPPET_MASTER_RUNNING=0
SALT_MASTER_RUNNING=0
SALT_MINION_RUNNING=0
- IPS_TOOL_FOUND=0
+ IDS_IPS_TOOL_FOUND=0
FAIL2BAN_FOUND=0
FAIL2BAN_EMAIL=0
FAIL2BAN_SILENT=0
@@ -361,6 +361,23 @@
fi
fi
#
+#################################################################################
+#
+ # Test : TOOL-5160
+ # Description : Check for OSSEC
+ Register --test-no TOOL-5126 --weight L --network NO --category security
--description "Check for active OSSEC analysis daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+
+ if IsRunning "ossec-analysisd"; then
+ IDS_IPS_TOOL_FOUND=1
+ LogText "Result: OSSEC analysis daemon is active"
+ Report "ids_ips_tooling[]=ossec"
+ Display --indent 2 --text "- Checking presence of OSSEC" --result
"${STATUS_FOUND}" --color GREEN
+ else
+ LogText "Result: OSSEC analysis daemon not active"
+ fi
+ fi
+#
#################################################################################
#
# Test : TOOL-5190
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/lynis new/lynis/lynis
--- old/lynis/lynis 2018-09-19 02:00:00.000000000 +0200
+++ new/lynis/lynis 2018-10-26 02:00:00.000000000 +0200
@@ -35,10 +35,10 @@
PROGRAM_AUTHOR_CONTACT="lynis-...@cisofy.com"
# Version details
- PROGRAM_RELEASE_DATE="2018-09-19"
- PROGRAM_RELEASE_TIMESTAMP=1537349608
+ PROGRAM_RELEASE_DATE="2018-10-26"
+ PROGRAM_RELEASE_TIMESTAMP=1540556675
PROGRAM_RELEASE_TYPE="final" # dev or final
- PROGRAM_VERSION="2.6.9"
+ PROGRAM_VERSION="2.7.0"
# Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis";
