Hello community, here is the log from the commit of package lynis for openSUSE:Factory checked in at 2019-03-10 09:34:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lynis (Old) and /work/SRC/openSUSE:Factory/.lynis.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lynis" Sun Mar 10 09:34:37 2019 rev:33 rq:682444 version:2.7.2 Changes: -------- --- /work/SRC/openSUSE:Factory/lynis/lynis.changes 2019-02-02 21:50:10.239932927 +0100 +++ /work/SRC/openSUSE:Factory/.lynis.new.28833/lynis.changes 2019-03-10 09:34:45.456185117 +0100 @@ -1,0 +2,14 @@ +Thu Mar 7 11:54:18 UTC 2019 - Robert Frohl <rfr...@suse.com> + +- update to 2.7.2 + * Added support for doas (OpenBSD) + * Added test file permissions of doas configuration + * Added support for systemd-boot boot loader + * Added simplify service filter and allow multiple dots in service names + * Added check OpenBSD boot daemons + * Added test permissions for boot files and scripts + * Added support for end-of-life detection of the operating system + * Added new 'lynis show eol' command + * Multiple changes and improvements + +------------------------------------------------------------------- Old: ---- lynis-2.7.1.tar.gz lynis-2.7.1.tar.gz.asc New: ---- lynis-2.7.2.tar.gz lynis-2.7.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lynis.spec ++++++ --- /var/tmp/diff_new_pack.xSPsA0/_old 2019-03-10 09:34:46.740184810 +0100 +++ /var/tmp/diff_new_pack.xSPsA0/_new 2019-03-10 09:34:46.740184810 +0100 @@ -23,7 +23,7 @@ %define _pluginsdir %{_datadir}/lynis/plugins %define _dbdir %{_datadir}/lynis/db Name: lynis -Version: 2.7.1 +Version: 2.7.2 Release: 0 Summary: Security and System auditing tool License: GPL-3.0-only ++++++ lynis-2.7.1.tar.gz -> lynis-2.7.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md --- old/lynis/CHANGELOG.md 2019-01-31 01:00:00.000000000 +0100 +++ new/lynis/CHANGELOG.md 2019-03-07 01:00:00.000000000 +0100 
@@ -1,5 +1,31 @@ # Lynis Changelog +## Lynis 2.7.2 (2019-03-07) + +### Added +- AUTH-9409 - Support for doas (OpenBSD) +- AUTH-9410 - Test file permissions of doas configuration +- BOOT-5117 - Support for systemd-boot boot loader added +- BOOT-5177 - Simplify service filter and allow multiple dots in service names +- BOOT-5262 - Check OpenBSD boot daemons +- BOOT-5263 - Test permissions for boot files and scripts +- Support for end-of-life detection of the operating system +- New 'lynis show eol' command +- Korean translation + +### Changed +- AUTH-9252 - Adds support for files in sudoers.d +- AUTH-9252 - Test extended to check file and directory ownership +- BOOT-5122 - Use NONE instead of WARNING if no password is set +- FIRE-4540 - Modify test to better measure rules +- KRNL-5788 - Resolve false positive warning on missing /vmlinuz +- NETW-2704 - Ignore inline comments in /etc/resolv.conf +- PKGS-7388 - Improve detection for security archive +- RPi/Raspian path to PAM_FILE_LOCATIONS + + +--------------------------------------------------------------------------------- + ## Lynis 2.7.1 (2019-01-30) ### Added diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/languages/ko new/lynis/db/languages/ko --- old/lynis/db/languages/ko 1970-01-01 01:00:00.000000000 +0100 +++ new/lynis/db/languages/ko 2019-03-07 01:00:00.000000000 +0100 
@@ -0,0 +1,40 @@ +ERROR_NO_LICENSE="라이선스 키가 없습니다" +ERROR_NO_UPLOAD_SERVER="업로드 서버가 설정되지 않았습니다" +GEN_CHECKING="확인중입니다" +GEN_CURRENT_VERSION="현재 버전" +GEN_DEBUG_MODE="디버그 모드" +GEN_INITIALIZE_PROGRAM="프로그램을 초기화합니다" +GEN_LATEST_VERSION="최신 버전" +GEN_PHASE="phase" +GEN_PLUGINS_ENABLED="플러그인이 활성화되었습니다" +GEN_UPDATE_AVAILABLE="업데이트 가능" +GEN_VERBOSE_MODE="상세 모드" +GEN_WHAT_TO_DO="할 일" +NOTE_EXCEPTIONS_FOUND="예외 발견" +NOTE_EXCEPTIONS_FOUND_DETAILED="몇 가지 예외 이벤트나 정보가 발견되었습니다" +NOTE_PLUGINS_TAKE_TIME="참고: 플러그인은 광범위한 테스트를 거치며 완료될 때까지 몇 분의 시간이 소요됩니다" +NOTE_SKIPPED_TESTS_NON_PRIVILEGED="비특권 모드로 인해 테스트를 생략했습니다" +SECTION_CUSTOM_TESTS="사용자정의 테스트" +SECTION_MALWARE="악성코드" +SECTION_MEMORY_AND_PROCESSES="메모리와 프로세스" +STATUS_DISABLED="비활성화됨" +STATUS_DONE="완료" +STATUS_ENABLED="활성화됨" +STATUS_ERROR="에러" +STATUS_FOUND="발견" +STATUS_YES="예" +STATUS_NO="아니오" +STATUS_OFF="끔" +STATUS_OK="OK" +STATUS_ON="켬" +STATUS_NONE="없음" +STATUS_NOT_FOUND="발견되지않음" +STATUS_NOT_RUNNING="동작하지않음" +STATUS_RUNNING="동작중" +STATUS_SKIPPED="생략" +STATUS_SUGGESTION="추천" +STATUS_UNKNOWN="알수없음" +STATUS_WARNING="경고" +STATUS_WEAK="취약" +TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다" +TEXT_UPDATE_AVAILABLE="업데이트 가능" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/software-eol.db new/lynis/db/software-eol.db --- old/lynis/db/software-eol.db 1970-01-01 01:00:00.000000000 +0100 +++ new/lynis/db/software-eol.db 2019-03-07 01:00:00.000000000 +0100 
@@ -0,0 +1,46 @@ +# +# End-of-life for operating systems and software +# +# This file has 4 fields: +# 1) category +# 2) name +# 3) date (human-readable) +# 4) converted date (seconds since epoch) +# +# Date can be converted on Linux using: date "+%s" --date=2020-01-01 +# +# CentOS +# +os:CentOS 5:2017-03-31:1490911200: +os:CentOS 6:2020-11-30:1606690800: +os:CentOS 7:2024-06-30:1719698400: +# +# FreeBSD - https://www.freebsd.org/security/unsupported.html +# +os:FreeBSD 9.3:2014-12-31:0: +os:FreeBSD 10.0:2015-02-28:0: +os:FreeBSD 10.1:2016-12-31:0: +os:FreeBSD 10.2:2016-12-31:0: +os:FreeBSD 10.3:2018-04-30:0: +os:FreeBSD 10.4:2018-10-31:0: +os:FreeBSD 11.0:2017-11-30:0: +os:FreeBSD 11.1:2018-09-30:0: +# +# OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history +# +os:OpenBSD 5.8:2016-09-01:0: +os:OpenBSD 5.9:2017-04-11:0: +# +# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack +# +os:Ubuntu 14.04:2019-05-01:1556661600: +os:Ubuntu 14.10:2015-07-01:0: +os:Ubuntu 15.04:2016-01-01:0: +os:Ubuntu 15.10:2016-07-01:0: +os:Ubuntu 16.04:2021-05-01:1619820000: +os:Ubuntu 16.10:2017-07-01:1498860000: +os:Ubuntu 17.04:2018-01-01:1514761200: +os:Ubuntu 17.10:2018-07-01:1530396000: +os:Ubuntu 18.04:2023-05-01:1682892000: +os:Ubuntu 18.10:2019-07-01:1561932000: +os:Ubuntu 19.04:2020-01-01:1577833200: \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/tests.db new/lynis/db/tests.db --- old/lynis/db/tests.db 2019-01-31 01:00:00.000000000 +0100 +++ new/lynis/db/tests.db 2019-03-07 01:00:00.000000000 +0100 
@@ -45,6 +45,8 @@ AUTH-9402:test:security:authentication::Query LDAP authentication support: AUTH-9406:test:security:authentication::Query LDAP servers in client configuration: AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs: +AUTH-9409:test:security:authentication:OpenBSD:Check for doas file: +AUTH-9410:test:security:authentication:OpenBSD:Check for doas file permissions: AUTH-9489:test:security:authentication:DragonFly:Check login shells for passwordless accounts: BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file: BANN-7124:test:security:banners::Check issue banner file: @@ -56,6 +58,7 @@ BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on macOS: BOOT-5108:test:security:boot_services:Linux:Test Syslinux boot loader: BOOT-5116:test:security:boot_services::Check if system is booted in UEFI mode: +BOOT-5117:test:security:boot_services:Linux:Check for systemd-boot boot loader: BOOT-5121:test:security:boot_services::Check for GRUB boot loader presence: BOOT-5122:test:security:boot_services::Check for GRUB boot password: BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader presence: 
@@ -71,6 +74,8 @@ BOOT-5202:test:security:boot_services::Check uptime of system: BOOT-5260:test:security:boot_services::Check single user mode for systemd: BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence: +BOOT-5262:test:security:boot_services:OpenBSD:Check for OpenBSD boot daemons: +BOOT-5263:test:security:boot_services:OpenBSD:Check permissions for boot files/scripts: CONT-8004:test:security:containers:Solaris:Query running Solaris zones: CONT-8102:test:security:containers::Checking Docker status and information: CONT-8104:test:security:containers::Checking Docker info for any warnings: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries --- old/lynis/include/binaries 2019-01-31 01:00:00.000000000 +0100 +++ new/lynis/include/binaries 2019-03-07 01:00:00.000000000 +0100 
@@ -108,10 +108,13 @@
 autolog) AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; LogText " Found known binary: autolog (idle session killer) - ${BINARY}" ;;
 base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;;
 blkid) BLKDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;;
+ bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;;
 cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;;
+ cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;;
 chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
 clamconf) CLAMCONF_BINARY=${BINARY}; LogText " Found known binary: clamconf (information about ClamAV) - ${BINARY}" ;;
 clamscan) CLAMSCANBINARY=${BINARY}; LogText " Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
+ clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;;
 cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
 chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
 comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;;
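Review bot: The new `clang)` arm assigns `CLANGBINARY=${BINARY}` unquoted while the `bootctl)` and `cc)` arms added in the same hunk quote the value (`BOOTCTLBINARY="${BINARY}"`); the neighbouring `chkconfig`/`clamconf`/`clamscan` arms are unquoted history, but lines added now should follow one convention. Suggest `clang) CLANGBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;;`. Both `cc` and `clang` now feed `TEST_BINARIES` in tests_hardening alongside `gcc`; if `cc` resolves to the same compiler as one of the others on a given host, the same file is permission-checked twice, which a short comment on the `cc)` arm could acknowledge.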
@@ -194,6 +197,7 @@
 python) PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
 python2) PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
 python3) PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
+ rcctl) RCCTLBINARY="${BINARY}"; LogText " Found known binary: rcctl (services and daemons configuration and control) - ${BINARY}" ;;
 readlink) READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
 rkhunter) RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
 rootsh) ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/helper_show new/lynis/include/helper_show
--- old/lynis/include/helper_show 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/helper_show 2019-03-07 01:00:00.000000000 +0100
@@ -32,13 +32,14 @@
 HELPERS="audit configure show update"
 OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--help (-h)\n--license-key\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--skip-plugins\n--tests\n--tests-from-category\n--tests-from-group\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only"
-SHOW_ARGS="categories changelog commands dbdir details environment groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir"
+SHOW_ARGS="categories changelog commands dbdir details environment eol groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir"
 SHOW_HELP="lynis show ${BROWN}categories${NORMAL} (display test categories)
 lynis show ${BROWN}changelog${NORMAL} ${GRAY}[version]${NORMAL} (release details)
 lynis show ${BROWN}commands${NORMAL} (all available commands)
 lynis show ${BROWN}dbdir${NORMAL} (database directory)
 lynis show ${BROWN}details${NORMAL} (display test details from log file)
 lynis show ${BROWN}environment${NORMAL} (hardware, virtual machine, or container type)
+lynis show ${BROWN}eol${NORMAL} (OS end-of-life status)
 lynis show ${BROWN}groups${NORMAL} (test groups)
 lynis show ${BROWN}help${NORMAL} (detailed information about arguments)
 lynis show ${BROWN}hostids${NORMAL} (unique IDs for this system)
@@ -242,6 +243,17 @@
 ${ECHOCMD} "virtual-machine=0"
 fi
 ;;
+ "eol")
+ if [ ${EOL} -eq 0 ]; then
+ ${ECHOCMD} "OS end-of-life: No"
+ elif [ ${EOL} -eq 1 ]; then
+ ${ECHOCMD} "OS end-of-life: Yes"
+ elif [ ${EOL} -eq 255 ]; then
+ ${ECHOCMD} "OS end-of-life: Not tested"
+ else
+ ${ECHOCMD} "OS end-of-life: Unknown"
+ fi
+ ;;
 "groups")
 ViewGroups
 ;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/osdetection new/lynis/include/osdetection
--- old/lynis/include/osdetection 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/osdetection 2019-03-07 01:00:00.000000000 +0100
@@ -509,6 +509,28 @@
 QNAP_DEVICE=1
 fi
+ # Check if this OS is end-of-life
+ EOL=255
+ EOL_DATE=""
+ EOL_TIMESTAMP=0
+ if [ ! -z "${OS_VERSION}" ]; then
+ if [ -f "${DBDIR}/software-eol.db" ]; then
+ FIND="${OS_FULLNAME}"
+ EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
+ if [ ! -z "${EOL_TIMESTAMP}" ]; then
+ EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
+ NOW=$(date "+%s")
+ if [ ! -z "${NOW}" ]; then
+ if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
+ EOL=1
+ else
+ EOL=0
+ fi
+ fi
+ fi
+ fi
+ fi
+
 #================================================================================
 # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_authentication new/lynis/include/tests_authentication
--- old/lynis/include/tests_authentication 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_authentication 2019-03-07 01:00:00.000000000 +0100
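Review bot: `if [ ${EOL} -eq 0 ]` in the new `"eol")` arm expands `EOL` unquoted, so if the variable is empty or unset when `lynis show eol` runs, `[` sees a bare `-eq 0`, prints a syntax error and every branch, including the `Unknown` fallback, is skipped. The osdetection hunk in this same commit initialises `EOL=255`, but whether `show` is reached after that block executes is not visible here, so guard the arm: `if [ "${EOL:-255}" -eq 0 ]; then` and likewise on the two `elif` tests. The `@@ -609` hunk in `lynis` has the same unquoted `[ ${EOL} -eq 1 ]`.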
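Review bot: Both awk calls pass `${DBDIR}/software-eol.db` unquoted and use the database's name field as an unanchored ERE (`value ~ $2`), so the `.` in a name such as `FreeBSD 10.1` matches any character and a name containing other regex metacharacters would misfire; quote the path (`"${DBDIR}/software-eol.db"`) and, if prefix matching is the intent, compare with `index(value, $2) == 1` instead of `~`. Several rows in the new `software-eol.db` hunk carry `0` in the epoch field, so `[ ${NOW} -gt ${EOL_TIMESTAMP} ]` marks them end-of-life regardless of the human-readable date, which is right only while every such row lies in the past; a line in the db header stating that `0` means "already past" would make that contract explicit. Quoting both operands (`[ "${NOW}" -gt "${EOL_TIMESTAMP}" ]`) also avoids a `[` syntax error should a row have an empty fourth field. The two scans could be a single awk printing `$3 ":" $4` and split in shell afterwards; the enclosing block starts before the hunk.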
@@ -483,20 +483,39 @@
 #################################################################################
 #
 # Test : AUTH-9252
- # Description : Check for sudoers file permissions
+ # Description : Check ownership and permissions for sudo configuration files
 if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file"
+ Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files"
 if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
- FIND=$(ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10)
- LogText "Result: Found file permissions: ${FIND}"
- if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
- LogText "Result: file ${SUDOERS_FILE} has correct permissions"
- Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_OK}" --color GREEN
- else
- LogText "Result: file has possibly unsafe file permissions"
- Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_WARNING}" --color RED
- fi
+ SUDO_CONFIG_FILES="${SUDOERS_FILE}"
+ SUDOERS_D="${SUDOERS_FILE}.d"
+ if [ -d "${SUDOERS_D}" ]; then
+ LogText "Test: checking drop-in directory (${SUDOERS_D})"
+ FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
+ FIND2=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
+ LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND2}"
+ if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND2}" = "00" ]; then
+ LogText "Result: directory ${SUDOERS_D} permissions/ownership OK"
+ Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: directory has possibly unsafe permissions/ownership"
+ Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
+ fi
+ SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
+ fi
+ for f in ${SUDO_CONFIG_FILES}; do
+ LogText "Test: checking file (${f})"
+ FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
+ FIND2=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
+ LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND2}"
+ if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND2}" = "00" ]; then
+ LogText "Result: file ${f} permissions/ownership OK"
+ Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: file has possibly unsafe permissions/ownership"
+ Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
+ fi
+ done
 fi
 #
 #################################################################################
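Review bot: `for f in ${SUDO_CONFIG_FILES}` relies on word-splitting the `${FINDBINARY} ${SUDOERS_D} -type f -print` output, so a drop-in path containing whitespace is split into fragments that `${LSBINARY} -l ${f}` is then called on (also unquoted), and the resulting empty `FIND`/`FIND2` are reported as an unsafe file; the same unquoted expansion occurs in `${LSBINARY} -ld ${SUDOERS_D}`. Quote the arguments (`${LSBINARY} -l "${f}"`, `${LSBINARY} -ld "${SUDOERS_D}"`) and consider feeding the find output through `while IFS= read -r f` rather than a word-split list. The ownership test `"${FIND2}" = "00"` concatenates UID and GID with no separator; `'{print $3":"$4}'` compared against `"0:0"` keeps the log line `owner UID GID: ...` unambiguous. The test section's surrounding logic starts before this hunk.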
@@ -1369,6 +1388,50 @@
 fi
 fi
 #
+#################################################################################
+#
+ # Test : AUTH-9409
+ # Description : Check for doas file
+ DOAS_FILE=""
+ Register --test-no AUTH-9409 --os OpenBSD --weight L --network NO --category security --description "Checking /etc/doas.conf file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ LogText "Test: checking presence /etc/doas.conf"
+ if [ -f /etc/doas.conf ]; then
+ DOAS_FILE=/etc/doas.conf
+ FOUND=1
+ LogText "Result: file /etc/doas.conf found"
+ else
+ LogText "Result: file /etc/doas.conf not found"
+ fi
+ if [ ${FOUND} -eq 1 ]; then
+ LogText "Result: /etc/doas.conf file found"
+ Display --indent 2 --text "- doas file" --result "${STATUS_FOUND}" --color GREEN
+ else
+ LogText "Result: doas file NOT found"
+ Display --indent 2 --text "- doas file" --result "${STATUS_NOT_FOUND}" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9410
+ # Description : Check for doas file permissions
+ if [ ! -z "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9410 --os OpenBSD --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/doas.conf file permissions"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: checking /etc/doas.conf permissions"
+ FIND=$(ls -l ${DOAS_FILE} | ${CUTBINARY} -c 2-10)
+ LogText "Result: Found /etc/doas.conf file permissions: ${FIND}"
+ if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
+ LogText "Result: file /etc/doas.conf has correct permissions"
+ Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: file has possibly unsafe file permissions"
+ Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_WARNING}" --color RED
+ fi
+ fi
+#
 #################################################################################
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_boot_services new/lynis/include/tests_boot_services
--- old/lynis/include/tests_boot_services 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_boot_services 2019-03-07 01:00:00.000000000 +0100
@@ -125,7 +125,7 @@
 if [ -f /usr/bin/init-openrc ]; then SERVICE_MANAGER="openrc"; fi
 fi
 ;;
- "DragonFly" | "NetBSD" | "FreeBSD")
+ "DragonFly" | "NetBSD" | "FreeBSD" | "OpenBSD")
 if [ -x /sbin/init -a -d ${ROOTDIR}etc/rc.d -a -f ${ROOTDIR}etc/rc ]; then
 SERVICE_MANAGER="bsdrc"
 fi
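Review bot: AUTH-9410 checks only the mode string of `${DOAS_FILE}` and never its owner, whereas AUTH-9252 in this same commit requires UID/GID `00` for sudo configuration; a `/etc/doas.conf` that is mode `0600` but owned by an unprivileged account passes here with `STATUS_OK`. Add `FIND2=$(${LSBINARY} -n ${DOAS_FILE} | ${AWKBINARY} '{print $3$4}')` after the `FIND=` line and extend the condition with `&& [ "${FIND2}" = "00" ]`, mirroring AUTH-9252. The test also calls bare `ls -l` where the rest of the new code uses `${LSBINARY}`. AUTH-9409 logs the same outcome twice (`LogText "Result: file /etc/doas.conf found"` inside the `-f` branch and `LogText "Result: /etc/doas.conf file found"` in the `FOUND` branch); one of the two can be dropped.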
@@ -240,6 +240,23 @@
 #
 #################################################################################
 #
+ # Test : BOOT-5117
+ # Description : Check for systemd-boot boot loader
+ if [ ! "${BOOTCTLBINARY}" = "" -a ${HAS_SYSTEMD} -eq 1 -a ${UEFI_BOOTED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no BOOT-5117 --preqs-met ${PREQS_MET} --os "Linux" --weight L --network NO --category security --description "Check for systemd-boot bootloader presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
+ CURRENT_BOOT_LOADER=$(${BOOTCTLBINARY} status --no-pager 2>/dev/null | ${AWKBINARY} '/Current Boot Loader/{ getline; print $2 }')
+ if [ "${CURRENT_BOOT_LOADER}" = "systemd-boot" ]; then
+ Display --indent 2 --text "- Checking systemd-boot presence" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: found systemd-boot"
+ BOOT_LOADER="systemd-boot"
+ BOOT_LOADER_FOUND=1
+ fi
+ fi
+#
+#################################################################################
+#
 # Test : BOOT-5121
 # Description : Check for GRUB boot loader
 Register --test-no BOOT-5121 --weight L --network NO --category security --description "Check for GRUB boot loader presence"
@@ -315,7 +332,7 @@
 LogText "Result: GRUB has password protection."
 AddHP 4 4
 else
- Display --indent 4 --text "- Checking for password protection" --result "${STATUS_WARNING}" --color RED
+ Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED
 LogText "Result: Didn't find hashed password line in GRUB boot file!"
 ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
 AddHP 0 2
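Review bot: The BOOT-5117 prerequisite `[ ! "${BOOTCTLBINARY}" = "" -a ${HAS_SYSTEMD} -eq 1 -a ${UEFI_BOOTED} -eq 1 ]` expands `HAS_SYSTEMD` and `UEFI_BOOTED` unquoted inside a deprecated `-a` chain; if either is empty on a host where it was never assigned, `[` reports a syntax error and `PREQS_MET` becomes `NO` by accident rather than by decision. Prefer `if [ -n "${BOOTCTLBINARY}" ] && [ "${HAS_SYSTEMD:-0}" -eq 1 ] && [ "${UEFI_BOOTED:-0}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. The awk `'/Current Boot Loader/{ getline; print $2 }'` assumes `bootctl status` prints the loader name as the second word of the line following that heading, which I cannot confirm from here; a comment giving the expected output shape would let a reader verify it. When bootctl runs but reports another loader nothing is logged, unlike the GRUB test that follows, so a `LogText` in an `else` branch would help diagnose a missed detection.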
@@ -547,7 +564,7 @@
 LogText "Result: systemctl binary found, trying that to discover information"
 # Running services
 LogText "Searching for running services (systemctl services only)"
- FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
+ FIND=$(${SYSTEMCTLBINARY} --no-legend --full --type=service --state=running | ${AWKBINARY} -F.service '{ print $1 }')
 COUNT=0
 Report "running_service_tool=systemctl"
 for ITEM in ${FIND}; do
@@ -562,7 +579,7 @@
 # Services at boot
 LogText "Searching for enabled services (systemctl services only)"
- FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
+ FIND=$(${SYSTEMCTLBINARY} list-unit-files --no-legend --type=service --state=enabled | ${SORTBINARY} -u | ${AWKBINARY} -F.service '{ print $1 }')
 COUNT=0
 Report "boot_service_tool=systemctl"
 for ITEM in ${FIND}; do
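Review bot: `${AWKBINARY} -F.service` makes the field separator a multi-character value, which awk treats as an extended regex, so the `.` matches any character; a unit whose name contains `service` preceded by any character (e.g. `xservice.service`) has its first field cut to the empty string and is reported as a blank service. A bracket expression keeps the dot literal portably: `${AWKBINARY} -F'[.]service' '{ print $1 }'`. The `@@ -562` hunk below uses the same separator and needs the same change. The new `--no-legend`/`--state=` switches also assume a systemd release that accepts them; if a host's `systemctl` rejects them, stderr gets the usage error and `FIND` is empty, which the surrounding loop reports as zero services, so a comment on the minimum version expected would be worthwhile.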
@@ -822,6 +839,120 @@
 fi
 fi
 #
+#################################################################################
+#
+ # Test : BOOT-5262
+ # Description : Check for OpenBSD boot daemons
+ Register --test-no BOOT-5262 --os OpenBSD --weight L --network NO --category security --description "Check for OpenBSD boot daemons"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if HasData "${RCCTLBINARY}"; then
+ LogText "Result: rcctl binary found, trying that to discover information"
+ # OpenBSD (Ask rcctl(8) for running daemons)
+ LogText "Searching for running daemons (rcctl)"
+ FIND=$(${RCCTLBINARY} ls started)
+ COUNT=0
+ Report "running_service_tool=rcctl"
+ for ITEM in ${FIND}; do
+ LogText "Found running daemon: ${ITEM}"
+ Report "running_service[]=${ITEM}"
+ COUNT=$((COUNT + 1 ))
+ done
+ LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
+ Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN
+ Display --indent 8 --text "Result: found ${COUNT} running daemons"
+ LogText "Result: Found ${COUNT} running daemons"
+
+ # OpenBSD (Ask rcctl(8) for enabled daemons)
+ LogText "Searching for enabled daemons (rcctl)"
+ FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$')
+ COUNT=0
+ Report "boot_service_tool=rcctl"
+ for ITEM in ${FIND}; do
+ LogText "Found enabled daemon at boot: ${ITEM}"
+ Report "boot_service[]=${ITEM}"
+ COUNT=$((COUNT + 1 ))
+ done
+ LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
+ Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN
+ Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
+ LogText "Result: Found ${COUNT} enabled daemons at boot"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5263
+ # Description : Check OpenBSD world writable startup scripts
+ Register --test-no BOOT-5263 --os OpenBSD --weight L --network NO --category security --description "Check permissions for boot files/scripts"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ CHECKDIR="${ROOTDIR}etc/rc.d"
+ LogText "Result: checking ${ROOTDIR}etc/rc.d scripts for writable bit"
+ LogText "Test: checking if directory ${DIR} exists"
+ if [ -d ${CHECKDIR} ]; then
+ LogText "Result: directory ${DIR} found"
+ LogText "Test: checking for available files in directory"
+ # OpenBSD uses symlinks to create another instance of daemons
+ FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY})
+ if [ ! -z "${FIND}" ]; then
+ LogText "Result: found files in directory, checking permissions now"
+ for FILE in ${FIND}; do
+ LogText "Test: checking permissions of file ${FILE}"
+ ShowSymlinkPath "${FILE}"
+ if [ ${FOUNDPATH} -eq 1 ]; then
+ CHECKFILE="${SYMLINK}"
+ LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${FILE})"
+ else
+ CHECKFILE="${FILE}"
+ fi
+ if IsWorldWritable ${CHECKFILE}; then
+ FOUND=1
+ LogText "Result: warning, file ${CHECKFILE} is world writable"
+ else
+ LogText "Result: good, file ${CHECKFILE} not world writable"
+ fi
+ done
+ else
+ LogText "Result: found no files in directory."
+ fi
+ else
+ LogText "Result: directory ${CHECKDIR} not found. Skipping.."
+ fi
+
+ # Other files
+ CHECKFILES="${ROOTDIR}etc/rc ${ROOT}etc/rc.conf ${ROOT}etc/rc.conf.local ${ROOTDIR}etc/rc.local"
+ for I in ${CHECKFILES}; do
+ if [ -f ${I} ]; then
+ ShowSymlinkPath "${I}"
+ if [ ${FOUNDPATH} -eq 1 ]; then
+ CHECKFILE="${SYMLINK}"
+ LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${I})"
+ else
+ CHECKFILE="${I}"
+ fi
+ LogText "Test: Checking ${CHECKFILE} file for writable bit"
+ if IsWorldWritable ${CHECKFILE}; then
+ FOUND=1
+ ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
+ LogText "Result: warning, file ${CHECKFILE} is world writable"
+ else
+ LogText "Result: good, file ${CHECKFILE} not world writable"
+ fi
+ fi
+ done
+
+ # Check results
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
+ ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
+ LogText "Result: found one or more scripts which are possibly writable by other users"
+ AddHP 0 3
+ else
+ Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN
+ AddHP 3 3
+ fi
+ fi
+#
 #################################################################################
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_firewalls new/lynis/include/tests_firewalls
--- old/lynis/include/tests_firewalls 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_firewalls 2019-03-07 01:00:00.000000000 +0100
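Review bot: In BOOT-5263 the `CHECKFILES` list builds `${ROOT}etc/rc.conf` and `${ROOT}etc/rc.conf.local` from `ROOT` while every other path in the hunk uses `${ROOTDIR}`; unless `ROOT` is assigned elsewhere (not visible here) those two entries become relative paths that fail the `-f` test, so a world-writable rc.conf is silently never examined. Change the line to `CHECKFILES="${ROOTDIR}etc/rc ${ROOTDIR}etc/rc.conf ${ROOTDIR}etc/rc.conf.local ${ROOTDIR}etc/rc.local"`. The two `LogText` lines that mention `${DIR}` should reference `${CHECKDIR}`, the variable that is actually tested. In the rc.d loop a world-writable file only sets `FOUND=1` with no per-file `ReportWarning`, unlike the 'Other files' loop, so the offending name reaches only the log while the summary warning names no file. In BOOT-5262 the `Note: Run rcctl ls all ...` line is logged after the running-daemon loop as well, although only the enabled-daemon query applies that filter.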
@@ -506,13 +506,13 @@
 # Test : FIRE-4540
 # Description : Check nftables configuration
 if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration"
+ Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check for empty ruleset
- NFT_RULES_LENGTH=$(${NFTBINARY} export json 2> /dev/null | wc -c)
- if [ ${NFT_RULES_LENGTH} -le 16 ]; then
+ NFT_RULES_LENGTH=$(${NFTBINARY} list ruleset --stateless 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
+ if [ ${NFT_RULES_LENGTH} -le 3 ]; then
 FIREWALL_EMPTY_RULESET=1
- LogText "Result: this firewall set has 16 rules or less and is considered to be empty"
+ LogText "Result: this firewall set has 3 rules or less and is considered to be empty"
 else
 LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
 fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_hardening new/lynis/include/tests_hardening
--- old/lynis/include/tests_hardening 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_hardening 2019-03-07 01:00:00.000000000 +0100
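Review bot: The new rule count pipes `nft list ruleset` through `${EGREPBINARY} -v "table|chain|;$|}$|^$"`, which discards any line containing the substring `table` or `chain` anywhere, not only the `table`/`chain` header lines; a rule whose verdict target or comment contains one of those words would be dropped too, so a small but real ruleset can fall under the threshold and raise a false 'empty ruleset' finding. Anchoring the keywords limits the filter to headers: `${EGREPBINARY} -v "^[[:space:]]*(table|chain) |;$|}$|^$"`. The `-le 3` threshold and the matching `has 3 rules or less` log text are a magic number; a comment stating which three surviving lines a ruleset with no rules still produces would let the next reader verify it.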
@@ -54,7 +54,7 @@
 LogText "Result: no compilers found"
 else
 # TODO - c89 c99 cpp ld
- TEST_BINARIES="${ASBINARY} ${GCCBINARY}"
+ TEST_BINARIES="${ASBINARY} ${CCBINARY} ${CLANGBINARY} ${GCCBINARY}"
 for ITEM in ${TEST_BINARIES}; do
 FILE="${ITEM}"
 LogText "Test: Check file permissions for ${ITEM}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_kernel new/lynis/include/tests_kernel
--- old/lynis/include/tests_kernel 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_kernel 2019-03-07 01:00:00.000000000 +0100
@@ -374,10 +374,17 @@
 LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
 if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
 LogText "Result: found ${ROOTDIR}usr/bin/apt-cache"
- LogText "Test: checking readlink location of ${ROOTDIR}vmlinuz"
- if [ -f ${ROOTDIR}vmlinuz ]; then
+ LogText "Test: checking presence of ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz"
+ if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then
 HAS_VMLINUZ=1
- FINDKERNFILE=$(readlink -f ${ROOTDIR}vmlinuz)
+ if [ -f ${ROOTDIR}vmlinuz ]; then
+ FINDVMLINUZ=${ROOTDIR}vmlinuz
+ else
+ FINDVMLINUZ=${ROOTDIR}boot/vmlinuz
+ fi
+ LogText "Result: found ${FINDVMLINUZ}"
+ LogText "Test: checking readlink location of ${FINDVMLINUZ}"
+ FINDKERNFILE=$(readlink -f ${FINDVMLINUZ})
 LogText "Output: readlink reported file ${FINDKERNFILE}"
 LogText "Test: checking package from dpkg -S"
 FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
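Review bot: `FINDKERNFILE=$(readlink -f ${FINDVMLINUZ})` keeps calling bare `readlink` although include/binaries resolves `READLINKBINARY` (visible as context in its hunk earlier in this commit); `${READLINKBINARY} -f ${FINDVMLINUZ}` would follow the file's convention of using the discovered binaries. The new `[ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]` relies on the obsolescent `-o` operator and leaves the paths unquoted; `[ -f "${ROOTDIR}vmlinuz" ] || [ -f "${ROOTDIR}boot/vmlinuz" ]` is equival and safer. The enclosing `if` started before this hunk and continues after it.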
@@ -386,8 +393,8 @@
 FINDKERNEL=linux-image-$(uname -r)
 LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
 else
- LogText "This system is missing ${ROOTDIR}vmlinuz. Unable to check whether kernel is up-to-date."
- ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
+ LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
+ ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
 fi
 LogText "Test: Using apt-cache policy to determine if there is an update available"
 FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_networking new/lynis/include/tests_networking
--- old/lynis/include/tests_networking 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_networking 2019-03-07 01:00:00.000000000 +0100
@@ -123,7 +123,7 @@
 LogText "Test: Checking /etc/resolv.conf file"
 if [ -f /etc/resolv.conf ]; then
 LogText "Result: Found /etc/resolv.conf file"
- FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq)
+ FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq | ${CUTBINARY} -d# -f1)
 if [ ! -z "${FIND}" ]; then
 Display --indent 4 --text "- Testing nameservers"
 LogText "Test: Querying nameservers"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_php new/lynis/include/tests_php
--- old/lynis/include/tests_php 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_php 2019-03-07 01:00:00.000000000 +0100
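Review bot: The added `${CUTBINARY} -d# -f1` runs after `uniq`, so two `nameserver` lines that differ only in their trailing comment are still both kept, and any whitespace before the `#` survives into `${FIND}` and is later passed to the nameserver query. Moving the cut ahead of the dedup and trimming trailing blanks fixes both: `... | ${SEDBINARY} 's/nameserver*//g' | ${CUTBINARY} -d# -f1 | ${SEDBINARY} 's/[[:space:]]*$//' | uniq)`. `uniq` collapses only adjacent duplicates, which was already the case before this change. The enclosing `if` continues past the hunk.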
@@ -72,6 +72,9 @@
${ROOTDIR}etc/opt/remi/php70/php.ini \
${ROOTDIR}etc/opt/remi/php71/php.ini \
${ROOTDIR}etc/opt/remi/php72/php.ini"
+ # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
+ PHPINILOCS="${PHPINILOCS} \
+ ${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini"
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
${ROOTDIR}etc/php/7.0/cli/conf.d \
@@ -92,6 +95,9 @@
${ROOTDIR}opt/alt/php56/etc/php.d.all \
${ROOTDIR}opt/alt/php70/etc/php.d.all \
${ROOTDIR}opt/alt/php71/etc/php.d.all"
+ # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
+ PHPINIDIRS="${PHPINIDIRS} \
+ ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2"
#
#################################################################################
#
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_ports_packages new/lynis/include/tests_ports_packages
--- old/lynis/include/tests_ports_packages 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_ports_packages 2019-03-07 01:00:00.000000000 +0100
@@ -993,7 +993,7 @@
if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
- FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
+ FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
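Review bot: The added `# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current` comment says only two releases matter, yet the string below it hard-codes four PHP versions (5.6 through 7.2) with no indication of which release each belongs to, so the list will silently go stale as OpenBSD rotates versions. A maintenance hint next to each assignment, e.g. `# Adjust this list when OpenBSD's php ports add or retire a version`, would make the expectation explicit; the same applies to the `PHPINIDIRS` hunk at @@ -92,6 +95,9 @@ below. Both additions continue the file's backslash-continued double-quoted style, so the `\` inside the quotes behaves as before.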
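Review bot: In the `tests_ports_packages` hunk the pattern `"security.debian.org|security.ubuntu.com|security/? "` is now written out twice, here and in the `sources.list.d` hunk at @@ -1006,7 +1006,7 @@, and this change had to be applied to both by hand; defining it once above the first `if`, e.g. `SECURITY_REPO_PATTERN="security\.debian\.org|security\.ubuntu\.com|security/? "` and passing `"${SECURITY_REPO_PATTERN}"` to both `${EGREPBINARY}` calls, would keep them from drifting. Escaping the dots while doing so stops `.` from matching any character, so a host such as `security-debian.org` would no longer count as a security mirror. The pre-existing `${GREPBINARY} -v '#'` stage still discards any line that carries a trailing comment, which means a valid entry with a comment after it is not detected; that may be acceptable but is worth a one-line comment. The enclosing `if` chain starts before this hunk.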
@@ -1006,7 +1006,7 @@
fi
if [ -d /etc/apt/sources.list.d ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
- FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
+ FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/lynis new/lynis/lynis
--- old/lynis/lynis 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/lynis 2019-03-07 01:00:00.000000000 +0100
@@ -35,10 +35,10 @@
PROGRAM_AUTHOR_CONTACT="lynis-...@cisofy.com"
# Version details
- PROGRAM_RELEASE_DATE="2019-01-31"
- PROGRAM_RELEASE_TIMESTAMP=1548942179
+ PROGRAM_RELEASE_DATE="2019-03-07"
+ PROGRAM_RELEASE_TIMESTAMP=1551949337
PROGRAM_RELEASE_TYPE="final" # dev or final
- PROGRAM_VERSION="2.7.1"
+ PROGRAM_VERSION="2.7.2"
# Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
@@ -609,6 +609,12 @@
echo " Operating system: ${OS}"
echo " Operating system name: ${OS_NAME}"
echo " Operating system version: ${OS_VERSION}"
+ LogText "EOL check: ${EOL}"
+ if [ ${EOL} -eq 1 ]; then
+ echo " End-of-life: ${WARNING}YES${NORMAL}"
+ ReportWarning "GEN-0010" "This version ${OS_VERSION} is marked end-of-life as of ${EOL_DATE}"
+ fi
+
if [ ! -z "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi
echo " Kernel version: ${OS_KERNELVERSION}"
echo " Hardware platform: ${HARDWARE}"
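Review bot: In the `lynis` hunk at @@ -609,6 +609,12 @@, `if [ ${EOL} -eq 1 ]; then` misbehaves when `EOL` is unset or empty: `test` then sees `[ -eq 1 ]`, prints a "unary operator expected" error to stderr and the branch is skipped with nothing recorded, while `LogText "EOL check: ${EOL}"` just above logs an empty value. Whether `EOL` is always initialised before this point is not visible in the hunk, so guarding with `if [ "${EOL:-0}" -eq 1 ]; then` makes the check safe either way. Since `ReportWarning "GEN-0010"` introduces a new warning identifier, a short comment above the block stating where `EOL` and `EOL_DATE` are populated would help the next reader. The enclosing block starts before this hunk.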
