Hello community,
here is the log from the commit of package lynis for openSUSE:Factory checked
in at 2019-03-10 09:34:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lynis (Old)
and /work/SRC/openSUSE:Factory/.lynis.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lynis"
Sun Mar 10 09:34:37 2019 rev:33 rq:682444 version:2.7.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/lynis/lynis.changes 2019-02-02
21:50:10.239932927 +0100
+++ /work/SRC/openSUSE:Factory/.lynis.new.28833/lynis.changes 2019-03-10
09:34:45.456185117 +0100
@@ -1,0 +2,14 @@
+Thu Mar 7 11:54:18 UTC 2019 - Robert Frohl <rfr...@suse.com>
+
+- update to 2.7.2
+ * Added support for doas (OpenBSD)
+ * Added test file permissions of doas configuration
+ * Added support for systemd-boot boot loader
+ * Added simplify service filter and allow multiple dots in service names
+ * Added check OpenBSD boot daemons
+ * Added test permissions for boot files and scripts
+ * Added support for end-of-life detection of the operating system
+ * Added new 'lynis show eol' command
+ * Multiple changes and improvements
+
+-------------------------------------------------------------------
Old:
----
lynis-2.7.1.tar.gz
lynis-2.7.1.tar.gz.asc
New:
----
lynis-2.7.2.tar.gz
lynis-2.7.2.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ lynis.spec ++++++
--- /var/tmp/diff_new_pack.xSPsA0/_old 2019-03-10 09:34:46.740184810 +0100
+++ /var/tmp/diff_new_pack.xSPsA0/_new 2019-03-10 09:34:46.740184810 +0100
@@ -23,7 +23,7 @@
%define _pluginsdir %{_datadir}/lynis/plugins
%define _dbdir %{_datadir}/lynis/db
Name: lynis
-Version: 2.7.1
+Version: 2.7.2
Release: 0
Summary: Security and System auditing tool
License: GPL-3.0-only
++++++ lynis-2.7.1.tar.gz -> lynis-2.7.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md
--- old/lynis/CHANGELOG.md 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/CHANGELOG.md 2019-03-07 01:00:00.000000000 +0100
@@ -1,5 +1,31 @@
# Lynis Changelog
+## Lynis 2.7.2 (2019-03-07)
+
+### Added
+- AUTH-9409 - Support for doas (OpenBSD)
+- AUTH-9410 - Test file permissions of doas configuration
+- BOOT-5117 - Support for systemd-boot boot loader added
+- BOOT-5177 - Simplify service filter and allow multiple dots in service names
+- BOOT-5262 - Check OpenBSD boot daemons
+- BOOT-5263 - Test permissions for boot files and scripts
+- Support for end-of-life detection of the operating system
+- New 'lynis show eol' command
+- Korean translation
+
+### Changed
+- AUTH-9252 - Adds support for files in sudoers.d
+- AUTH-9252 - Test extended to check file and directory ownership
+- BOOT-5122 - Use NONE instead of WARNING if no password is set
+- FIRE-4540 - Modify test to better measure rules
+- KRNL-5788 - Resolve false positive warning on missing /vmlinuz
+- NETW-2704 - Ignore inline comments in /etc/resolv.conf
+- PKGS-7388 - Improve detection for security archive
+- RPi/Raspian path to PAM_FILE_LOCATIONS
+
+
+---------------------------------------------------------------------------------
+
## Lynis 2.7.1 (2019-01-30)
### Added
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/db/languages/ko new/lynis/db/languages/ko
--- old/lynis/db/languages/ko 1970-01-01 01:00:00.000000000 +0100
+++ new/lynis/db/languages/ko 2019-03-07 01:00:00.000000000 +0100
@@ -0,0 +1,40 @@
+ERROR_NO_LICENSE="라이선스 키가 없습니다"
+ERROR_NO_UPLOAD_SERVER="업로드 서버가 설정되지 않았습니다"
+GEN_CHECKING="확인중입니다"
+GEN_CURRENT_VERSION="현재 버전"
+GEN_DEBUG_MODE="디버그 모드"
+GEN_INITIALIZE_PROGRAM="프로그램을 초기화합니다"
+GEN_LATEST_VERSION="최신 버전"
+GEN_PHASE="phase"
+GEN_PLUGINS_ENABLED="플러그인이 활성화되었습니다"
+GEN_UPDATE_AVAILABLE="업데이트 가능"
+GEN_VERBOSE_MODE="상세 모드"
+GEN_WHAT_TO_DO="할 일"
+NOTE_EXCEPTIONS_FOUND="예외 발견"
+NOTE_EXCEPTIONS_FOUND_DETAILED="몇 가지 예외 이벤트나 정보가 발견되었습니다"
+NOTE_PLUGINS_TAKE_TIME="참고: 플러그인은 광범위한 테스트를 거치며 완료될 때까지 몇 분의 시간이 소요됩니다"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="비특권 모드로 인해 테스트를 생략했습니다"
+SECTION_CUSTOM_TESTS="사용자정의 테스트"
+SECTION_MALWARE="악성코드"
+SECTION_MEMORY_AND_PROCESSES="메모리와 프로세스"
+STATUS_DISABLED="비활성화됨"
+STATUS_DONE="완료"
+STATUS_ENABLED="활성화됨"
+STATUS_ERROR="에러"
+STATUS_FOUND="발견"
+STATUS_YES="예"
+STATUS_NO="아니오"
+STATUS_OFF="끔"
+STATUS_OK="OK"
+STATUS_ON="켬"
+STATUS_NONE="없음"
+STATUS_NOT_FOUND="발견되지않음"
+STATUS_NOT_RUNNING="동작하지않음"
+STATUS_RUNNING="동작중"
+STATUS_SKIPPED="생략"
+STATUS_SUGGESTION="추천"
+STATUS_UNKNOWN="알수없음"
+STATUS_WARNING="경고"
+STATUS_WEAK="취약"
+TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다"
+TEXT_UPDATE_AVAILABLE="업데이트 가능"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/db/software-eol.db new/lynis/db/software-eol.db
--- old/lynis/db/software-eol.db 1970-01-01 01:00:00.000000000 +0100
+++ new/lynis/db/software-eol.db 2019-03-07 01:00:00.000000000 +0100
@@ -0,0 +1,46 @@
+#
+# End-of-life for operating systems and software
+#
+# This file has 4 fields:
+# 1) category
+# 2) name
+# 3) date (human-readable)
+# 4) converted date (seconds since epoch)
+#
+# Date can be converted on Linux using: date "+%s" --date=2020-01-01
+#
+# CentOS
+#
+os:CentOS 5:2017-03-31:1490911200:
+os:CentOS 6:2020-11-30:1606690800:
+os:CentOS 7:2024-06-30:1719698400:
+#
+# FreeBSD - https://www.freebsd.org/security/unsupported.html
+#
+os:FreeBSD 9.3:2014-12-31:0:
+os:FreeBSD 10.0:2015-02-28:0:
+os:FreeBSD 10.1:2016-12-31:0:
+os:FreeBSD 10.2:2016-12-31:0:
+os:FreeBSD 10.3:2018-04-30:0:
+os:FreeBSD 10.4:2018-10-31:0:
+os:FreeBSD 11.0:2017-11-30:0:
+os:FreeBSD 11.1:2018-09-30:0:
+#
+# OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history
+#
+os:OpenBSD 5.8:2016-09-01:0:
+os:OpenBSD 5.9:2017-04-11:0:
+#
+# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack
+#
+os:Ubuntu 14.04:2019-05-01:1556661600:
+os:Ubuntu 14.10:2015-07-01:0:
+os:Ubuntu 15.04:2016-01-01:0:
+os:Ubuntu 15.10:2016-07-01:0:
+os:Ubuntu 16.04:2021-05-01:1619820000:
+os:Ubuntu 16.10:2017-07-01:1498860000:
+os:Ubuntu 17.04:2018-01-01:1514761200:
+os:Ubuntu 17.10:2018-07-01:1530396000:
+os:Ubuntu 18.04:2023-05-01:1682892000:
+os:Ubuntu 18.10:2019-07-01:1561932000:
+os:Ubuntu 19.04:2020-01-01:1577833200:
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/db/tests.db new/lynis/db/tests.db
--- old/lynis/db/tests.db 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/db/tests.db 2019-03-07 01:00:00.000000000 +0100
@@ -45,6 +45,8 @@
AUTH-9402:test:security:authentication::Query LDAP authentication support:
AUTH-9406:test:security:authentication::Query LDAP servers in client
configuration:
AUTH-9408:test:security:authentication::Logging of failed login attempts via
/etc/login.defs:
+AUTH-9409:test:security:authentication:OpenBSD:Check for doas file:
+AUTH-9410:test:security:authentication:OpenBSD:Check for doas file permissions:
AUTH-9489:test:security:authentication:DragonFly:Check login shells for
passwordless accounts:
BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
BANN-7124:test:security:banners::Check issue banner file:
@@ -56,6 +58,7 @@
BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on macOS:
BOOT-5108:test:security:boot_services:Linux:Test Syslinux boot loader:
BOOT-5116:test:security:boot_services::Check if system is booted in UEFI mode:
+BOOT-5117:test:security:boot_services:Linux:Check for systemd-boot boot loader:
BOOT-5121:test:security:boot_services::Check for GRUB boot loader presence:
BOOT-5122:test:security:boot_services::Check for GRUB boot password:
BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader
presence:
@@ -71,6 +74,8 @@
BOOT-5202:test:security:boot_services::Check uptime of system:
BOOT-5260:test:security:boot_services::Check single user mode for systemd:
BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot
loader presence:
+BOOT-5262:test:security:boot_services:OpenBSD:Check for OpenBSD boot daemons:
+BOOT-5263:test:security:boot_services:OpenBSD:Check permissions for boot
files/scripts:
CONT-8004:test:security:containers:Solaris:Query running Solaris zones:
CONT-8102:test:security:containers::Checking Docker status and information:
CONT-8104:test:security:containers::Checking Docker info for any warnings:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries
--- old/lynis/include/binaries 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/binaries 2019-03-07 01:00:00.000000000 +0100
@@ -108,10 +108,13 @@
autolog) AUTOLOGBINARY="${BINARY}";
IDLE_SESSION_KILLER_INSTALLED=1; LogText " Found known binary:
autolog (idle session killer) - ${BINARY}" ;;
base64) BASE64BINARY="${BINARY}";
LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;;
blkid) BLKDBINARY="${BINARY}";
LogText " Found known binary: blkid (information about block devices)
- ${BINARY}" ;;
+ bootctl) BOOTCTLBINARY="${BINARY}";
LogText " Found known binary: bootctl (systemd-boot manager utility) -
${BINARY}" ;;
cat) CAT_BINARY="${BINARY}";
LogText " Found known binary: cat (generic file handling) - ${BINARY}"
;;
+ cc) CCBINARY="${BINARY}";
COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) -
${BINARY}" ;;
chkconfig) CHKCONFIGBINARY=${BINARY};
LogText " Found known binary: chkconfig (administration tool) -
${BINARY}" ;;
clamconf) CLAMCONF_BINARY=${BINARY};
LogText " Found known binary: clamconf (information about ClamAV) -
${BINARY}" ;;
clamscan) CLAMSCANBINARY=${BINARY};
LogText " Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
+ clang) CLANGBINARY=${BINARY};
COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler)
- ${BINARY}" ;;
cfagent) CFAGENTBINARY="${BINARY}";
FILE_INT_TOOL_FOUND=1; LogText " Found known binary:
cfengine agent (configuration tool) - ${BINARY}" ;;
chkrootkit)
CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1;
LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
comm) COMMBINARY="${BINARY}";
LogText " Found known binary: comm (file compare) - ${BINARY}" ;;
@@ -194,6 +197,7 @@
python) PYTHONBINARY="${BINARY}";
PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //');
LogText "Found known binary: ${FILENAME} (programming language interpreter) -
${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2BINARY="${BINARY}";
PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //');
LogText "Found known binary: ${FILENAME} (programming language interpreter) -
${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3BINARY="${BINARY}";
PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //');
LogText "Found known binary: ${FILENAME} (programming language interpreter) -
${BINARY} (version ${PYTHON3VERSION})" ;;
+ rcctl) RCCTLBINARY="${BINARY}";
LogText " Found known binary: rcctl (services and daemons
configuration and control) - ${BINARY}" ;;
readlink)
READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink
(follows symlinks) - ${BINARY}" ;;
rkhunter)
RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1;
LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHBINARY="${BINARY}";
LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}"
;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/helper_show
new/lynis/include/helper_show
--- old/lynis/include/helper_show 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/helper_show 2019-03-07 01:00:00.000000000 +0100
@@ -32,13 +32,14 @@
HELPERS="audit configure show update"
OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--help
(-h)\n--license-key\n--log-file\n--manpage
(--man)\n--no-colors\n--no-log\n--pentest\n--profile\n--plugin-dir\n--quick
(-Q)\n--quiet
(-q)\n--report-file\n--reverse-colors\n--skip-plugins\n--tests\n--tests-from-category\n--tests-from-group\n--upload\n--verbose\n--version
(-V)\n--wait\n--warnings-only"
-SHOW_ARGS="categories changelog commands dbdir details environment groups help
hostids includedir language license logfile man options os pidfile plugindir
profiles release releasedate report settings tests version workdir"
+SHOW_ARGS="categories changelog commands dbdir details environment eol groups
help hostids includedir language license logfile man options os pidfile
plugindir profiles release releasedate report settings tests version workdir"
SHOW_HELP="lynis show ${BROWN}categories${NORMAL} (display test
categories)
lynis show ${BROWN}changelog${NORMAL} ${GRAY}[version]${NORMAL} (release
details)
lynis show ${BROWN}commands${NORMAL} (all available commands)
lynis show ${BROWN}dbdir${NORMAL} (database directory)
lynis show ${BROWN}details${NORMAL} (display test details from
log file)
lynis show ${BROWN}environment${NORMAL} (hardware, virtual
machine, or container type)
+lynis show ${BROWN}eol${NORMAL} (OS end-of-life status)
lynis show ${BROWN}groups${NORMAL} (test groups)
lynis show ${BROWN}help${NORMAL} (detailed information
about arguments)
lynis show ${BROWN}hostids${NORMAL} (unique IDs for this
system)
@@ -242,6 +243,17 @@
${ECHOCMD} "virtual-machine=0"
fi
;;
+ "eol")
+ if [ ${EOL} -eq 0 ]; then
+ ${ECHOCMD} "OS end-of-life: No"
+ elif [ ${EOL} -eq 1 ]; then
+ ${ECHOCMD} "OS end-of-life: Yes"
+ elif [ ${EOL} -eq 255 ]; then
+ ${ECHOCMD} "OS end-of-life: Not tested"
+ else
+ ${ECHOCMD} "OS end-of-life: Unknown"
+ fi
+ ;;
"groups")
ViewGroups
;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/osdetection
new/lynis/include/osdetection
--- old/lynis/include/osdetection 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/osdetection 2019-03-07 01:00:00.000000000 +0100
@@ -509,6 +509,28 @@
QNAP_DEVICE=1
fi
+ # Check if this OS is end-of-life
+ EOL=255
+ EOL_DATE=""
+ EOL_TIMESTAMP=0
+ if [ ! -z "${OS_VERSION}" ]; then
+ if [ -f "${DBDIR}/software-eol.db" ]; then
+ FIND="${OS_FULLNAME}"
+ EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value
~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
+ if [ ! -z "${EOL_TIMESTAMP}" ]; then
+ EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value
~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
+ NOW=$(date "+%s")
+ if [ ! -z "${NOW}" ]; then
+ if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
+ EOL=1
+ else
+ EOL=0
+ fi
+ fi
+ fi
+ fi
+ fi
+
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX -
https://cisofy.com
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_authentication
new/lynis/include/tests_authentication
--- old/lynis/include/tests_authentication 2019-01-31 01:00:00.000000000
+0100
+++ new/lynis/include/tests_authentication 2019-03-07 01:00:00.000000000
+0100
@@ -483,20 +483,39 @@
#################################################################################
#
# Test : AUTH-9252
- # Description : Check for sudoers file permissions
+ # Description : Check ownership and permissions for sudo configuration
files
if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO";
fi
- Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network
NO --category security --description "Check sudoers file"
+ Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network
NO --root-only YES --category security --description "Check ownership and
permissions for sudo configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
- FIND=$(ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10)
- LogText "Result: Found file permissions: ${FIND}"
- if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" =
"r--r-----" ]; then
- LogText "Result: file ${SUDOERS_FILE} has correct permissions"
- Display --indent 4 --text "- Check sudoers file permissions"
--result "${STATUS_OK}" --color GREEN
- else
- LogText "Result: file has possibly unsafe file permissions"
- Display --indent 4 --text "- Check sudoers file permissions"
--result "${STATUS_WARNING}" --color RED
- fi
+ SUDO_CONFIG_FILES="${SUDOERS_FILE}"
+ SUDOERS_D="${SUDOERS_FILE}.d"
+ if [ -d "${SUDOERS_D}" ]; then
+ LogText "Test: checking drop-in directory (${SUDOERS_D})"
+ FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
+ FIND2=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
+ LogText "Result: Found directory permissions: ${FIND} and owner
UID GID: ${FIND2}"
+ if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o
"${FIND}" = "rwx------" ] && [ "${FIND2}" = "00" ]; then
+ LogText "Result: directory ${SUDOERS_D} permissions/ownership
OK"
+ Display --indent 4 --text "- Permissions for directory:
${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: directory has possibly unsafe
permissions/ownership"
+ Display --indent 4 --text "- Permissions for directory:
${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
+ fi
+ SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY}
${SUDOERS_D} -type f -print)"
+ fi
+ for f in ${SUDO_CONFIG_FILES}; do
+ LogText "Test: checking file (${f})"
+ FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
+ FIND2=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
+ LogText "Result: Found file permissions: ${FIND} and owner UID
GID: ${FIND2}"
+ if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o
"${FIND}" = "r--r-----" ] && [ "${FIND2}" = "00" ]; then
+ LogText "Result: file ${f} permissions/ownership OK"
+ Display --indent 4 --text "- Permissions for: ${f}" --result
"${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: file has possibly unsafe
permissions/ownership"
+ Display --indent 4 --text "- Permissions for: ${f}" --result
"${STATUS_WARNING}" --color RED
+ fi
+ done
fi
#
#################################################################################
@@ -1369,6 +1388,50 @@
fi
fi
#
+#################################################################################
+#
+ # Test : AUTH-9409
+ # Description : Check for doas file
+ DOAS_FILE=""
+ Register --test-no AUTH-9409 --os OpenBSD --weight L --network NO
--category security --description "Checking /etc/doas.conf file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ LogText "Test: checking presence /etc/doas.conf"
+ if [ -f /etc/doas.conf ]; then
+ DOAS_FILE=/etc/doas.conf
+ FOUND=1
+ LogText "Result: file /etc/doas.conf found"
+ else
+ LogText "Result: file /etc/doas.conf not found"
+ fi
+ if [ ${FOUND} -eq 1 ]; then
+ LogText "Result: /etc/doas.conf file found"
+ Display --indent 2 --text "- doas file" --result "${STATUS_FOUND}"
--color GREEN
+ else
+ LogText "Result: doas file NOT found"
+ Display --indent 2 --text "- doas file" --result
"${STATUS_NOT_FOUND}" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9410
+ # Description : Check for doas file permissions
+ if [ ! -z "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9410 --os OpenBSD --preqs-met ${PREQS_MET}
--weight L --network NO --category security --description "Check /etc/doas.conf
file permissions"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: checking /etc/doas.conf permissions"
+ FIND=$(ls -l ${DOAS_FILE} | ${CUTBINARY} -c 2-10)
+ LogText "Result: Found /etc/doas.conf file permissions: ${FIND}"
+ if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" =
"r--r-----" ]; then
+ LogText "Result: file /etc/doas.conf has correct permissions"
+ Display --indent 4 --text "- Check doas file permissions" --result
"${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: file has possibly unsafe file permissions"
+ Display --indent 4 --text "- Check doas file permissions" --result
"${STATUS_WARNING}" --color RED
+ fi
+ fi
+#
#################################################################################
#
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_boot_services
new/lynis/include/tests_boot_services
--- old/lynis/include/tests_boot_services 2019-01-31 01:00:00.000000000
+0100
+++ new/lynis/include/tests_boot_services 2019-03-07 01:00:00.000000000
+0100
@@ -125,7 +125,7 @@
if [ -f /usr/bin/init-openrc ]; then
SERVICE_MANAGER="openrc"; fi
fi
;;
- "DragonFly" | "NetBSD" | "FreeBSD")
+ "DragonFly" | "NetBSD" | "FreeBSD" | "OpenBSD")
if [ -x /sbin/init -a -d ${ROOTDIR}etc/rc.d -a -f
${ROOTDIR}etc/rc ]; then
SERVICE_MANAGER="bsdrc"
fi
@@ -240,6 +240,23 @@
#
#################################################################################
#
+ # Test : BOOT-5117
+ # Description : Check for systemd-boot boot loader
+ if [ ! "${BOOTCTLBINARY}" = "" -a ${HAS_SYSTEMD} -eq 1 -a ${UEFI_BOOTED}
-eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no BOOT-5117 --preqs-met ${PREQS_MET} --os "Linux"
--weight L --network NO --category security --description "Check for
systemd-boot bootloader presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
+ CURRENT_BOOT_LOADER=$(${BOOTCTLBINARY} status --no-pager 2>/dev/null |
${AWKBINARY} '/Current Boot Loader/{ getline; print $2 }')
+ if [ "${CURRENT_BOOT_LOADER}" = "systemd-boot" ]; then
+ Display --indent 2 --text "- Checking systemd-boot presence"
--result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: found systemd-boot"
+ BOOT_LOADER="systemd-boot"
+ BOOT_LOADER_FOUND=1
+ fi
+ fi
+#
+#################################################################################
+#
# Test : BOOT-5121
# Description : Check for GRUB boot loader
Register --test-no BOOT-5121 --weight L --network NO --category security
--description "Check for GRUB boot loader presence"
@@ -315,7 +332,7 @@
LogText "Result: GRUB has password protection."
AddHP 4 4
else
- Display --indent 4 --text "- Checking for password protection"
--result "${STATUS_WARNING}" --color RED
+ Display --indent 4 --text "- Checking for password protection"
--result "${STATUS_NONE}" --color RED
LogText "Result: Didn't find hashed password line in GRUB boot
file!"
ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader
to prevent altering boot configuration (e.g. boot in single user mode without
password)"
AddHP 0 2
@@ -547,7 +564,7 @@
LogText "Result: systemctl binary found, trying that to discover
information"
# Running services
LogText "Searching for running services (systemctl services only)"
- FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{
if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
+ FIND=$(${SYSTEMCTLBINARY} --no-legend --full --type=service
--state=running | ${AWKBINARY} -F.service '{ print $1 }')
COUNT=0
Report "running_service_tool=systemctl"
for ITEM in ${FIND}; do
@@ -562,7 +579,7 @@
# Services at boot
LogText "Searching for enabled services (systemctl services only)"
- FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service |
${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' |
${AWKBINARY} -F. '{ print $1 }')
+ FIND=$(${SYSTEMCTLBINARY} list-unit-files --no-legend
--type=service --state=enabled | ${SORTBINARY} -u | ${AWKBINARY} -F.service '{
print $1 }')
COUNT=0
Report "boot_service_tool=systemctl"
for ITEM in ${FIND}; do
@@ -822,6 +839,120 @@
fi
fi
#
+#################################################################################
+#
+ # Test : BOOT-5262
+ # Description : Check for OpenBSD boot daemons
+ Register --test-no BOOT-5262 --os OpenBSD --weight L --network NO
--category security --description "Check for OpenBSD boot daemons"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if HasData "${RCCTLBINARY}"; then
+ LogText "Result: rcctl binary found, trying that to discover
information"
+ # OpenBSD (Ask rcctl(8) for running daemons)
+ LogText "Searching for running daemons (rcctl)"
+ FIND=$(${RCCTLBINARY} ls started)
+ COUNT=0
+ Report "running_service_tool=rcctl"
+ for ITEM in ${FIND}; do
+ LogText "Found running daemon: ${ITEM}"
+ Report "running_service[]=${ITEM}"
+ COUNT=$((COUNT + 1 ))
+ done
+ LogText "Note: Run rcctl ls all | egrep
'^(pf|check_quotas|library_aslr)$' to see all daemons"
+ Display --indent 2 --text "- Check running daemons (rcctl)"
--result "${STATUS_DONE}" --color GREEN
+ Display --indent 8 --text "Result: found ${COUNT} running daemons"
+ LogText "Result: Found ${COUNT} running daemons"
+
+ # OpenBSD (Ask rcctl(8) for enabled daemons)
+ LogText "Searching for enabled daemons (rcctl)"
+ FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v
'^(pf|check_quotas|library_aslr)$')
+ COUNT=0
+ Report "boot_service_tool=rcctl"
+ for ITEM in ${FIND}; do
+ LogText "Found enabled daemon at boot: ${ITEM}"
+ Report "boot_service[]=${ITEM}"
+ COUNT=$((COUNT + 1 ))
+ done
+ LogText "Note: Run rcctl ls all | egrep
'^(pf|check_quotas|library_aslr)$' to see all daemons"
+ Display --indent 2 --text "- Check enabled daemons at boot
(rcctl)" --result "${STATUS_DONE}" --color GREEN
+ Display --indent 8 --text "Result: found ${COUNT} enabled daemons
at boot"
+ LogText "Result: Found ${COUNT} enabled daemons at boot"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5263
+ # Description : Check OpenBSD world writable startup scripts
+ Register --test-no BOOT-5263 --os OpenBSD --weight L --network NO
--category security --description "Check permissions for boot files/scripts"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ CHECKDIR="${ROOTDIR}etc/rc.d"
+ LogText "Result: checking ${ROOTDIR}etc/rc.d scripts for writable bit"
+ LogText "Test: checking if directory ${DIR} exists"
+ if [ -d ${CHECKDIR} ]; then
+ LogText "Result: directory ${DIR} found"
+ LogText "Test: checking for available files in directory"
+ # OpenBSD uses symlinks to create another instance of daemons
+ FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print |
${SORTBINARY})
+ if [ ! -z "${FIND}" ]; then
+ LogText "Result: found files in directory, checking
permissions now"
+ for FILE in ${FIND}; do
+ LogText "Test: checking permissions of file ${FILE}"
+ ShowSymlinkPath "${FILE}"
+ if [ ${FOUNDPATH} -eq 1 ]; then
+ CHECKFILE="${SYMLINK}"
+ LogText "Result: found the path behind this symlink
(${CHECKFILE} --> ${FILE})"
+ else
+ CHECKFILE="${FILE}"
+ fi
+ if IsWorldWritable ${CHECKFILE}; then
+ FOUND=1
+ LogText "Result: warning, file ${CHECKFILE} is world
writable"
+ else
+ LogText "Result: good, file ${CHECKFILE} not world
writable"
+ fi
+ done
+ else
+ LogText "Result: found no files in directory."
+ fi
+ else
+ LogText "Result: directory ${CHECKDIR} not found. Skipping.."
+ fi
+
+ # Other files
+ CHECKFILES="${ROOTDIR}etc/rc ${ROOT}etc/rc.conf
${ROOT}etc/rc.conf.local ${ROOTDIR}etc/rc.local"
+ for I in ${CHECKFILES}; do
+ if [ -f ${I} ]; then
+ ShowSymlinkPath "${I}"
+ if [ ${FOUNDPATH} -eq 1 ]; then
+ CHECKFILE="${SYMLINK}"
+ LogText "Result: found the path behind this symlink
(${CHECKFILE} --> ${I})"
+ else
+ CHECKFILE="${I}"
+ fi
+ LogText "Test: Checking ${CHECKFILE} file for writable bit"
+ if IsWorldWritable ${CHECKFILE}; then
+ FOUND=1
+ ReportWarning ${TEST_NO} "Found writable startup script
${CHECKFILE}"
+ LogText "Result: warning, file ${CHECKFILE} is world
writable"
+ else
+ LogText "Result: good, file ${CHECKFILE} not world
writable"
+ fi
+ fi
+ done
+
+ # Check results
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 2 --text "- Check startup files (permissions)"
--result "${STATUS_WARNING}" --color RED
+ ReportWarning ${TEST_NO} "Found world writable startup scripts"
"-" "-"
+ LogText "Result: found one or more scripts which are possibly
writable by other users"
+ AddHP 0 3
+ else
+ Display --indent 2 --text "- Check startup files (permissions)"
--result "${STATUS_OK}" --color GREEN
+ AddHP 3 3
+ fi
+ fi
+#
#################################################################################
#
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_firewalls
new/lynis/include/tests_firewalls
--- old/lynis/include/tests_firewalls 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_firewalls 2019-03-07 01:00:00.000000000 +0100
@@ -506,13 +506,13 @@
# Test : FIRE-4540
# Description : Check nftables configuration
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight
L --network NO --category security --description "Check for empty nftables
configuration"
+ Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight
L --network NO --root-only YES --category security --description "Check for
empty nftables configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for empty ruleset
- NFT_RULES_LENGTH=$(${NFTBINARY} export json 2> /dev/null | wc -c)
- if [ ${NFT_RULES_LENGTH} -le 16 ]; then
+ NFT_RULES_LENGTH=$(${NFTBINARY} list ruleset --stateless 2> /dev/null
| ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
+ if [ ${NFT_RULES_LENGTH} -le 3 ]; then
FIREWALL_EMPTY_RULESET=1
- LogText "Result: this firewall set has 16 rules or less and is
considered to be empty"
+ LogText "Result: this firewall set has 3 rules or less and is
considered to be empty"
else
LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables
configuration"
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_hardening
new/lynis/include/tests_hardening
--- old/lynis/include/tests_hardening 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_hardening 2019-03-07 01:00:00.000000000 +0100
@@ -54,7 +54,7 @@
LogText "Result: no compilers found"
else
# TODO - c89 c99 cpp ld
- TEST_BINARIES="${ASBINARY} ${GCCBINARY}"
+ TEST_BINARIES="${ASBINARY} ${CCBINARY} ${CLANGBINARY} ${GCCBINARY}"
for ITEM in ${TEST_BINARIES}; do
FILE="${ITEM}"
LogText "Test: Check file permissions for ${ITEM}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_kernel
new/lynis/include/tests_kernel
--- old/lynis/include/tests_kernel 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_kernel 2019-03-07 01:00:00.000000000 +0100
@@ -374,10 +374,17 @@
LogText "Test: Searching apt-cache, to determine if a newer kernel is
available"
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
LogText "Result: found ${ROOTDIR}usr/bin/apt-cache"
- LogText "Test: checking readlink location of ${ROOTDIR}vmlinuz"
- if [ -f ${ROOTDIR}vmlinuz ]; then
+ LogText "Test: checking presence of ${ROOTDIR}vmlinuz or
${ROOTDIR}boot/vmlinuz"
+ if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then
HAS_VMLINUZ=1
- FINDKERNFILE=$(readlink -f ${ROOTDIR}vmlinuz)
+ if [ -f ${ROOTDIR}vmlinuz ]; then
+ FINDVMLINUZ=${ROOTDIR}vmlinuz
+ else
+ FINDVMLINUZ=${ROOTDIR}boot/vmlinuz
+ fi
+ LogText "Result: found ${FINDVMLINUZ}"
+ LogText "Test: checking readlink location of ${FINDVMLINUZ}"
+ FINDKERNFILE=$(readlink -f ${FINDVMLINUZ})
LogText "Output: readlink reported file ${FINDKERNFILE}"
LogText "Test: checking package from dpkg -S"
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null |
${AWKBINARY} -F : '{print $1}')
@@ -386,8 +393,8 @@
FINDKERNEL=linux-image-$(uname -r)
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity;
assuming ${FINDKERNEL}"
else
- LogText "This system is missing ${ROOTDIR}vmlinuz. Unable to
check whether kernel is up-to-date."
- ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz
is missing on this Debian/Ubuntu system." "/vmlinuz"
+ LogText "This system is missing ${ROOTDIR}vmlinuz or
${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
+ ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz
or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz
or /boot/vmlinuz"
fi
LogText "Test: Using apt-cache policy to determine if there is an
update available"
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY}
'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_networking
new/lynis/include/tests_networking
--- old/lynis/include/tests_networking 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_networking 2019-03-07 01:00:00.000000000 +0100
@@ -123,7 +123,7 @@
LogText "Test: Checking /etc/resolv.conf file"
if [ -f /etc/resolv.conf ]; then
LogText "Result: Found /etc/resolv.conf file"
- FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY}
-d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq)
+ FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY}
-d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq | ${CUTBINARY} -d# -f1)
if [ ! -z "${FIND}" ]; then
Display --indent 4 --text "- Testing nameservers"
LogText "Test: Querying nameservers"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_php new/lynis/include/tests_php
--- old/lynis/include/tests_php 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/include/tests_php 2019-03-07 01:00:00.000000000 +0100
@@ -72,6 +72,9 @@
${ROOTDIR}etc/opt/remi/php70/php.ini \
${ROOTDIR}etc/opt/remi/php71/php.ini \
${ROOTDIR}etc/opt/remi/php72/php.ini"
+ # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of
-current
+ PHPINILOCS="${PHPINILOCS} \
+ ${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini
${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini"
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
${ROOTDIR}etc/php/7.0/cli/conf.d \
@@ -92,6 +95,9 @@
${ROOTDIR}opt/alt/php56/etc/php.d.all \
${ROOTDIR}opt/alt/php70/etc/php.d.all \
${ROOTDIR}opt/alt/php71/etc/php.d.all"
+ # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of
-current
+ PHPINIDIRS="${PHPINIDIRS} \
+ ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0
${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2"
#
#################################################################################
#
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/include/tests_ports_packages
new/lynis/include/tests_ports_packages
--- old/lynis/include/tests_ports_packages 2019-01-31 01:00:00.000000000
+0100
+++ new/lynis/include/tests_ports_packages 2019-03-07 01:00:00.000000000
+0100
@@ -993,7 +993,7 @@
if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
LogText "Searching for security.debian.org/security.ubuntu.com
or security repositories in /etc/apt/sources.list file"
- FIND=$(${EGREPBINARY}
"security.debian.org|security.ubuntu.com|security "
${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/
/!space!/g')
+ FIND=$(${EGREPBINARY}
"security.debian.org|security.ubuntu.com|security/? "
${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/
/!space!/g')
if [ ! -z "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository
in sources.list file" --result "${STATUS_OK}" --color GREEN
@@ -1006,7 +1006,7 @@
fi
if [ -d /etc/apt/sources.list.d ]; then
LogText "Searching for security.debian.org/security.ubuntu.com
or security repositories in /etc/apt/sources.list.d directory"
- FIND=$(${EGREPBINARY} -r
"security.debian.org|security.ubuntu.com|security " /etc/apt/sources.list.d |
${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
+ FIND=$(${EGREPBINARY} -r
"security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d |
${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository
in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lynis/lynis new/lynis/lynis
--- old/lynis/lynis 2019-01-31 01:00:00.000000000 +0100
+++ new/lynis/lynis 2019-03-07 01:00:00.000000000 +0100
@@ -35,10 +35,10 @@
PROGRAM_AUTHOR_CONTACT="lynis-...@cisofy.com"
# Version details
- PROGRAM_RELEASE_DATE="2019-01-31"
- PROGRAM_RELEASE_TIMESTAMP=1548942179
+ PROGRAM_RELEASE_DATE="2019-03-07"
+ PROGRAM_RELEASE_TIMESTAMP=1551949337
PROGRAM_RELEASE_TYPE="final" # dev or final
- PROGRAM_VERSION="2.7.1"
+ PROGRAM_VERSION="2.7.2"
# Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis";
@@ -609,6 +609,12 @@
echo " Operating system: ${OS}"
echo " Operating system name: ${OS_NAME}"
echo " Operating system version: ${OS_VERSION}"
+ LogText "EOL check: ${EOL}"
+ if [ ${EOL} -eq 1 ]; then
+ echo " End-of-life: ${WARNING}YES${NORMAL}"
+ ReportWarning "GEN-0010" "This version ${OS_VERSION} is marked
end-of-life as of ${EOL_DATE}"
+ fi
+
if [ ! -z "${OS_MODE}" ]; then echo " Operating system mode:
${OS_MODE}"; fi
echo " Kernel version: ${OS_KERNELVERSION}"
echo " Hardware platform: ${HARDWARE}"
