Hello community, here is the log from the commit of package lynis for openSUSE:Factory checked in at 2018-11-05 22:53:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lynis (Old) and /work/SRC/openSUSE:Factory/.lynis.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lynis"
Mon Nov 5 22:53:42 2018 rev:31 rq:646071 version:2.7.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/lynis/lynis.changes 2018-10-11 11:55:31.326018185 +0200
+++ /work/SRC/openSUSE:Factory/.lynis.new/lynis.changes 2018-11-05 22:53:44.988180323 +0100
@@ -1,0 +2,12 @@
+Sat Oct 27 02:36:44 UTC 2018 - s...@suspend.net
+
+- update to 2.7.0
+ * added detection of TOMOYO binary (MACF-6240)
+ * Status of TOMOYO framework updated (MACF-6242)
+ * OpenSSH server version detected (SSH-7406)
+ * Check active OSSEC analysis daemon (TOOL-5160)
+ * Changed several warning labels on screen
+ * More generic sulogin for systemd rescue (AUTH-9308)
+ * OS detection now ignores quotes for getting the OS ID
+
+-------------------------------------------------------------------
Old:
----
lynis-2.6.9.tar.gz
lynis-2.6.9.tar.gz.asc
New:
----
lynis-2.7.0.tar.gz
lynis-2.7.0.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ lynis.spec ++++++
--- /var/tmp/diff_new_pack.1FDt3e/_old 2018-11-05 22:53:45.796179301 +0100
+++ /var/tmp/diff_new_pack.1FDt3e/_new 2018-11-05 22:53:45.804179291 +0100
@@ -23,7 +23,7 @@
 %define _pluginsdir %{_datadir}/lynis/plugins
 %define _dbdir %{_datadir}/lynis/db
 Name: lynis
-Version: 2.6.9
+Version: 2.7.0
 Release: 0
 Summary: Security and System auditing tool
 License: GPL-3.0-only
++++++ lynis-2.6.9.tar.gz -> lynis-2.7.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md
--- old/lynis/CHANGELOG.md 2018-09-19 02:00:00.000000000 +0200
+++ new/lynis/CHANGELOG.md 2018-10-26 02:00:00.000000000 +0200
@@ -1,5 +1,20 @@ # Lynis Changelog +## Lynis 2.7.0 (2018-10-26) + +### Added +- MACF-6240 - Detection of TOMOYO binary +- MACF-6242 - Status of TOMOYO framework +- SSH-7406 - OpenSSH server version detection +- TOOL-5160 - Check active OSSEC analysis daemon + +### Changed +- Changed several warning labels on screen +- AUTH-9308 - More generic sulogin for systemd rescue.service +- OS detection now ignores quotes for getting the OS ID. + +--------------------------------------------------------------------------------- + ## Lynis 2.6.9 (2018-09-19) ### Changed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/tests.db new/lynis/db/tests.db --- old/lynis/db/tests.db 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/db/tests.db 2018-10-26 02:00:00.000000000 +0200 @@ -210,6 +210,8 @@ MACF-6208:test:security:mac_frameworks::Check if AppArmor is enabled: MACF-6232:test:security:mac_frameworks::Check SELINUX presence: MACF-6234:test:security:mac_frameworks::Check SELINUX status: +MACF-6240:test:security:mac_frameworks::Detection of TOMOYO binary: +MACF-6242:test:security:mac_frameworks::Status of TOMOYO MAC framework: MACF-6290:test:security:mac_frameworks::Check for implemented MAC framework: MAIL-8802:test:security:mail_messaging::Check Exim status: MAIL-8804:test:security:mail_messaging::Exim configuration: @@ -352,6 +354,7 @@ SQD-3680:test:security:squid::Check Squid version suppression: SSH-7402:test:security:ssh::Check for running SSH daemon: SSH-7404:test:security:ssh::Check SSH daemon file location: +SSH-7406:test:security:ssh::Detection of OpenSSH server version: SSH-7408:test:security:ssh::Check SSH specific defined options: SSH-7440:test:security:ssh::AllowUsers and AllowGroups: STRG-1840:test:security:storage:Linux:Check if USB storage is disabled: 
@@ -381,6 +384,7 @@ TOOL-5104:test:security:tooling::Enabled tests for Fail2ban: TOOL-5120:test:security:tooling::Presence of Snort IDS: TOOL-5122:test:security:tooling::Snort IDS configuration file: +TOOL-5160:test:security:tooling::Check for active OSSEC analysis daemon: TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling: USB-3000:test:security:storage:Linux:Check for presence of USBGuard: # EOF diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries --- old/lynis/include/binaries 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/include/binaries 2018-10-26 02:00:00.000000000 +0200 @@ -225,6 +225,7 @@ syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;; systemctl) SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;; timedatectl) TIMEDATECTL="${BINARY}"; LogText " Found known binary: timedatectl (timedate client) - ${BINARY}" ;; + tomoyo-init) TOMOYOINITBINARY=${BINARY}; LogText " Found known binary: tomoyo-init (tomoyo component) - ${BINARY}" ;; tr) TRBINARY="${BINARY}"; LogText " Found known binary: tr (text transformation) - ${BINARY}" ;; tripwire) TRIPWIREBINARY="${BINARY}"; LogText " Found known binary: tripwire (file integrity) - ${BINARY}" ;; tune2fs) TUNE2FSBINARY="${BINARY}"; LogText " Found known binary: tune2fs (file system tool) - ${BINARY}" ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/consts new/lynis/include/consts --- old/lynis/include/consts 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/include/consts 2018-10-26 02:00:00.000000000 +0200 @@ -129,6 +129,7 @@ KLDSTATBINARY="" LAUNCHCTL_BINARY="" LDAP_CLIENT_CONFIG_FILE="" + LICENSE_SERVER="" LINUX_VERSION="" LINUXCONFIGFILE="" LMDBINARY="" 
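Review bot: The new `tomoyo-init)` case in include/binaries assigns `TOMOYOINITBINARY=${BINARY}` without the double quotes every neighbouring case in the hunk uses (`SYSTEMCTLBINARY="${BINARY}"`, `TRBINARY="${BINARY}"`, and so on), making it the only unquoted assignment in the visible block. A plain assignment is not word-split, so this is a consistency point rather than a bug, but the block reads more uniformly as `tomoyo-init) TOMOYOINITBINARY="${BINARY}"; LogText " Found known binary: tomoyo-init (tomoyo component) - ${BINARY}" ;;`. The enclosing case statement starts and ends outside the hunk.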
@@ -283,6 +284,7 @@ UPLOAD_PROXY_PORT="" UPLOAD_PROXY_PROTOCOL="" UPLOAD_PROXY_SERVER="" + UPLOAD_SERVER="" UPLOAD_TOOL="" UPLOAD_TOOL_ARGS="" USBGUARDBINARY="" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/helper_audit_dockerfile new/lynis/include/helper_audit_dockerfile --- old/lynis/include/helper_audit_dockerfile 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/include/helper_audit_dockerfile 2018-10-26 02:00:00.000000000 +0200 @@ -136,7 +136,7 @@ FIND=$(grep "^USER" ${AUDIT_FILE} | cut -d' ' -f2 ) if [ "${FIND}" = "" ]; then - ReportWarning "dockerfile" "No user declared in Dockerlfile. Container will execute command as root" + ReportWarning "dockerfile" "No user declared in Dockerfile. Container will execute command as root" else USER=$(echo ${FIND}) Display --indent 2 --text "User" --result "${USER}" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/osdetection new/lynis/include/osdetection --- old/lynis/include/osdetection 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/include/osdetection 2018-10-26 02:00:00.000000000 +0200 @@ -137,7 +137,7 @@ # Generic if [ -e /etc/os-release ]; then - OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}') + OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') if [ ! -z "${OS_ID}" ]; then case ${OS_ID} in "arch") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_accounting new/lynis/include/tests_accounting --- old/lynis/include/tests_accounting 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/include/tests_accounting 2018-10-26 02:00:00.000000000 +0200 
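Review bot: The added `tr -d '"'` in include/osdetection strips only double quotes, yet os-release allows a value to be enclosed in either double or single quotes, so a single-quoted ID value (constructed example: `ID='opensuse-leap'`) would still carry its quotes into `OS_ID` and fall through the `case` branches that follow. Removing both quote characters is a small change: `OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d "\"'")`. The case statement that consumes `OS_ID` continues beyond the hunk.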
@@ -206,7 +206,7 @@ Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN else LogText "Result: could not find auditd configuration file" - Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_WARNING}" --color RED + Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_FOUND}" --color RED ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file" fi fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_boot_services new/lynis/include/tests_boot_services --- old/lynis/include/tests_boot_services 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/include/tests_boot_services 2018-10-26 02:00:00.000000000 +0200 @@ -806,7 +806,7 @@ if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then LogText "Result: file /usr/lib/systemd/system/rescue.service" LogText "Test: checking presence sulogin for single user mode" - FIND=$(${EGREPBINARY} "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service) + FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service) if [ ! -z "${FIND}" ]; then FOUND=1 LogText "Result: found sulogin, so single user is protected" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_mac_frameworks new/lynis/include/tests_mac_frameworks --- old/lynis/include/tests_mac_frameworks 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/include/tests_mac_frameworks 2018-10-26 02:00:00.000000000 +0200 @@ -22,6 +22,7 @@ MAC_FRAMEWORK_ACTIVE=0 # Default no MAC framework active RBAC_FRAMEWORK_ACTIVE=0 # Default no RBAC framework active SELINUXFOUND=0 + TOMOYOFOUND=0 InsertSection "Security frameworks" # 
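Review bot: The relabelled Display in the else branch of include/tests_accounting now prints `${STATUS_FOUND}` for the situation the LogText directly above records as `could not find auditd configuration file`, so the screen label contradicts both the log line and the ReportSuggestion that follows. The other relabels in this release (dead/zombie and IO-waiting processes) really do find something, but this branch is the not-found case; `${STATUS_NOT_FOUND}`, which the new TOMOYO presence test on this page uses for the same situation, is the label that matches: `Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_NOT_FOUND}" --color RED`. The if/else belongs to a test whose start lies outside the hunk.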
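Review bot: The relaxed pattern `^ExecStart=.*sulogin` in include/tests_boot_services accepts any ExecStart line that mentions sulogin anywhere, including an invocation carrying sulogin's `--force` option, which opens a root shell without a password when the root account is locked; such a rescue.service would still be logged as `found sulogin, so single user is protected`. Since the match is now deliberately broad, record what was actually matched so an auditor can judge it, e.g. `LogText "Output: ${FIND}"` right after the `FOUND=1` line, and consider a follow-up that downgrades the result when the matched line contains `--force`. The enclosing test continues beyond the hunk.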
@@ -157,6 +158,46 @@ fi fi # +################################################################################# +# + # Test : MACF-6240 + # Description : Check if the tomoyo-init binary is available on the system + Register --test-no MACF-6240 --weight L --network NO --category security --description "Check TOMOYO Linux presence" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking if we have tomoyo-init binary" + if [ -z "${TOMOYOINITBINARY}" ]; then + TOMOYOFOUND=0 + LogText "Result: tomoyo-init binary not found" + Display --indent 2 --text "- Checking presence TOMOYO Linux" --result "${STATUS_NOT_FOUND}" --color WHITE + else + TOMOYOFOUND=1 + LogText "Result: tomoyo-init binary found" + Display --indent 2 --text "- Checking presence TOMOYO Linux" --result "${STATUS_FOUND}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : MACF-6242 + # Description : Check TOMOYO Linux status + if [ ${TOMOYOFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no MACF-6242 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check TOMOYO Linux status" + if [ ${SKIPTEST} -eq 0 ]; then + FILE="/sys/kernel/security/tomoyo/stat" + if [ -f ${FILE} ]; then + MAC_FRAMEWORK_ACTIVE=1 + LogText "Result: TOMOYO Linux is enabled" + Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN + Report "tomoyo_enabled=1" + AddHP 3 3 + else + LogText "Result: TOMOYO Linux is disabled" + Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_DISABLED}" --color YELLOW + Report "tomoyo_enabled=0" + AddHP 0 3 + fi + fi +# ################################################################################# # # Test : RBAC-6272 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_memory_processes new/lynis/include/tests_memory_processes --- 
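Review bot: MACF-6242 reports `TOMOYO Linux is enabled`, sets `MAC_FRAMEWORK_ACTIVE=1` and awards `AddHP 3 3` purely from the existence of `/sys/kernel/security/tomoyo/stat`; that establishes the securityfs interface is present, which I read as the TOMOYO LSM being active in the kernel, not that any policy is loaded or in enforcing mode — TODO confirm against the TOMOYO interface before treating it as a full pass. A comment on the `FILE=` line stating what the check does and does not establish would help the next reader, e.g. `# presence of the securityfs node shows the TOMOYO LSM is active, not that a policy is loaded or enforcing`. Separately, the Register description for MACF-6240 (`Check TOMOYO Linux presence`) differs from the tests.db wording for the same test ID (`Detection of TOMOYO binary`); minor, but worth aligning.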
old/lynis/include/tests_memory_processes 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/include/tests_memory_processes 2018-10-26 02:00:00.000000000 +0200 @@ -84,7 +84,7 @@ else LogText "Result: found one or more dead or zombie processes" LogText "Output: PIDs ${FIND}" - Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_WARNING}" --color RED + Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_FOUND}" --color RED ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes" fi fi @@ -109,7 +109,7 @@ LogText "Result: found one or more processes which were waiting to get IO requests handled first" LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured." LogText "Output: PIDs ${FIND}" - Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_WARNING}" --color RED + Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_FOUND}" --color RED ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests" fi fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_ports_packages new/lynis/include/tests_ports_packages --- old/lynis/include/tests_ports_packages 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/include/tests_ports_packages 2018-10-26 02:00:00.000000000 +0200 
@@ -808,7 +808,7 @@ Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: YUM package update management" - FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/ //g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$") + FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$") if [ -z "${FIND}" -o "${FIND}" = "0" ]; then LogText "Result: YUM package update management failed" Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_ssh new/lynis/include/tests_ssh --- old/lynis/include/tests_ssh 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/include/tests_ssh 2018-10-26 02:00:00.000000000 +0200 @@ -27,6 +27,9 @@ SSH_DAEMON_PORT="" SSH_DAEMON_RUNNING=0 SSH_DAEMON_OPTIONS_FILE="" + OPENSSHD_VERSION=0 + OPENSSHD_VERSION_MAJOR=0 + OPENSSHD_VERSION_MINOR=0 # ################################################################################# # 
@@ -90,6 +93,23 @@ # ################################################################################# # + # Test : SSH-7406 + # Description : Check OpenSSH version + if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determine OpenSSH version" + if [ ${SKIPTEST} -eq 0 ]; then + OPENSSHD_VERSION=$(sshd -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d ',') + LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}" + if [ ! -z ${OPENSSHD_VERSION} ]; then + OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $1}') + LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}" + OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $2}') + LogText "Result: OpenSSH minor version: ${OPENSSHD_VERSION_MINOR}" + fi + fi +# +################################################################################# +# # Test : SSH-7408 # Description : Check SSH specific defined options # Notes : Instead of parsing the configuration file, we query the SSH daemon itself 
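Review bot: In the SSH-7406 pipeline the awk filter `$4~OpenSSH_` compares against an uninitialised awk variable, and an empty regex matches every record, so the filter does nothing; the intended test is `$4 ~ /^OpenSSH_/`. The minor-version extraction also keeps the portable-release suffix, so a version string of the form OpenSSH_7.4p1 yields `OPENSSHD_VERSION_MINOR=4p1`, which will make the `-lt` comparisons added to SSH-7408 fail with an integer-expression error; strip it with `OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $2}' | ${SEDBINARY} 's/[^0-9].*$//')`. The call also runs a bare `sshd` rather than the daemon path SSH-7404 locates, so it presumably depends on the daemon directory being on PATH, and `[ ! -z ${OPENSSHD_VERSION} ]` should quote its expansion so a multi-word value cannot break the test.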
@@ -124,20 +144,30 @@ PermitTunnel:NO,,YES:=\ Port:,,22:!\ PrintLastLog:YES,,NO:=\ - Protocol:2,,1:=\ StrictModes:YES,,NO:=\ TCPKeepAlive:NO,,YES:=\ UseDNS:NO,,YES:=\ - UsePrivilegeSeparation:SANDBOX,YES,NO:=\ VerifyReverseMapping:YES,,NO:=\ X11Forwarding:NO,,YES:=\ AllowAgentForwarding:NO,,YES:=" - # Notes - # ========================================================= - # UsePrivilegeSeparation - removed since OpenSSH 7.5 - # - # Disabled MaxStartups:4,8,16:<\ (needs fixing) + + # OpenSSH had some options removed over time. Based on the version we add some additional options to check + if [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then + LogText "Result: added additional options for OpenSSH 6.x and lower" + SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:= Protocol:2,,1:=" + elif [ ${OPENSSHD_VERSION_MAJOR} -eq 7 ]; then + # Protocol 1 support removed (OpenSSH 7.4 and later) + if [ ${OPENSSHD_VERSION_MINOR} -lt 4 ]; then + LogText "Result: added additional options for OpenSSH < 7.4" + SSHOPS="${SSHOPS} Protocol:2,,1:=" + fi + # UsePrivilegedSeparation removed (OpenSSH 7.5 and later) + if [ ${OPENSSHD_VERSION_MINOR} -lt 5 ]; then + LogText "Result: added additional options for OpenSSH < 7.5" + SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:=" + fi + fi # Go through our list of options for I in ${SSHOPS}; do diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_tooling new/lynis/include/tests_tooling --- old/lynis/include/tests_tooling 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/include/tests_tooling 2018-10-26 02:00:00.000000000 +0200 @@ -27,7 +27,7 @@ PUPPET_MASTER_RUNNING=0 SALT_MASTER_RUNNING=0 SALT_MINION_RUNNING=0 - IPS_TOOL_FOUND=0 + IDS_IPS_TOOL_FOUND=0 FAIL2BAN_FOUND=0 FAIL2BAN_EMAIL=0 FAIL2BAN_SILENT=0 
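Review bot: When SSH-7406 yields no version (skipped test, prerequisites not met, or an empty pipeline result) OPENSSHD_VERSION_MAJOR keeps its initial 0, and `[ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]` then silently treats the server as pre-7 and appends the Protocol and UsePrivilegeSeparation checks, producing spurious suggestions on a current OpenSSH where those options no longer exist. Treat 0 as unknown by adding a leading branch and turning the existing test into an elif: `if [ ${OPENSSHD_VERSION_MAJOR} -eq 0 ]; then LogText "Result: OpenSSH version unknown, skipping version-specific options"` followed by `elif [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then`. The comment `# UsePrivilegedSeparation removed (OpenSSH 7.5 and later)` misspells the option name used on the next lines (`UsePrivilegeSeparation`). SSH-7408 starts before the hunk and its `for I in ${SSHOPS}` loop continues after it.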
@@ -361,6 +361,23 @@ fi fi # +################################################################################# +# + # Test : TOOL-5160 + # Description : Check for OSSEC + Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC analysis daemon" + if [ ${SKIPTEST} -eq 0 ]; then + + if IsRunning "ossec-analysisd"; then + IDS_IPS_TOOL_FOUND=1 + LogText "Result: OSSEC analysis daemon is active" + Report "ids_ips_tooling[]=ossec" + Display --indent 2 --text "- Checking presence of OSSEC" --result "${STATUS_FOUND}" --color GREEN + else + LogText "Result: OSSEC analysis daemon not active" + fi + fi +# ################################################################################# # # Test : TOOL-5190 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/lynis new/lynis/lynis --- old/lynis/lynis 2018-09-19 02:00:00.000000000 +0200 +++ new/lynis/lynis 2018-10-26 02:00:00.000000000 +0200 @@ -35,10 +35,10 @@ PROGRAM_AUTHOR_CONTACT="lynis-...@cisofy.com" # Version details - PROGRAM_RELEASE_DATE="2018-09-19" - PROGRAM_RELEASE_TIMESTAMP=1537349608 + PROGRAM_RELEASE_DATE="2018-10-26" + PROGRAM_RELEASE_TIMESTAMP=1540556675 PROGRAM_RELEASE_TYPE="final" # dev or final - PROGRAM_VERSION="2.6.9" + PROGRAM_VERSION="2.7.0" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
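Review bot: The new OSSEC test is commented as TOOL-5160 and listed under that ID in tests.db and the changelog, but the Register call uses `--test-no TOOL-5126`, so the engine presumably registers, skips and reports it under an ID that exists nowhere else in the release. The line should read `Register --test-no TOOL-5160 --weight L --network NO --category security --description "Check for active OSSEC analysis daemon"`. Minor: the not-active branch only logs, whereas the TOMOYO presence test added in the same release prints a NOT FOUND result on screen; if that asymmetry is deliberate, a one-line comment such as `# no screen output when OSSEC is absent; only the IDS/IPS summary in TOOL-5190 reports it` would save the next reader the question, though I am inferring TOOL-5190's role from its tests.db description.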