Hello community,

here is the log from the commit of package lynis for openSUSE:Factory checked 
in at 2020-10-07 14:18:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lynis (Old)
 and      /work/SRC/openSUSE:Factory/.lynis.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lynis"

Wed Oct  7 14:18:03 2020 rev:39 rq:839830 version:3.0.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/lynis/lynis.changes      2020-06-19 
17:26:24.144420149 +0200
+++ /work/SRC/openSUSE:Factory/.lynis.new.4249/lynis.changes    2020-10-07 
14:18:11.781471844 +0200
@@ -1,0 +2,36 @@
+Mon Oct  5 13:50:24 UTC 2020 - Robert Frohl <rfr...@suse.com>
+
+- Update to 3.0.1
+  * Added
+    -  Detection of Alpine Linux
+    -  Detection of CloudLinux
+    -  Detection of Kali Linux
+    -  Detection of Linux Mint
+    -  Detection of macOS Big Sur (11.0)
+    -  Detection of Pop!_OS
+    -  Detection of PHP 7.4
+    -  Malware detection tool: Microsoft Defender ATP
+    -  New flag: --slow-warning to allow tests more time before showing a 
warning
+    -  Test TIME-3185 to check systemd-timesyncd synchronized time
+    -  rsh host file permissions
+  * Changed
+    - Added option for LOCKED accounts and bugfix for older bash versions
+    - Presence check for grub.d added
+    - Added support for certificates in DER format
+    - Added data to report
+    - Redirect errors (e.g. when swap is not encrypted)
+    - Don't grep nonexistant modprobe.d files
+    - Set initial firewall state
+    - Corrected text on screen
+    - Handle zipped kernel configuration correctly
+    - Improved version detection for non-symlinked kernel
+    - Extended detection of BitDefender
+    - Find more time synchronization commands
+    - Corrected detection of time peers
+    - Fix: hostid generation routine would sometimes show too short IDs
+    - Fix: language detection
+    - Generic improvements for macOS
+    - German translation updated
+    - End-of-life database updated
+
+-------------------------------------------------------------------

Old:
----
  lynis-3.0.0.tar.gz
  lynis-3.0.0.tar.gz.asc

New:
----
  lynis-3.0.1.tar.gz
  lynis-3.0.1.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lynis.spec ++++++
--- /var/tmp/diff_new_pack.uSa3kl/_old  2020-10-07 14:18:12.941472766 +0200
+++ /var/tmp/diff_new_pack.uSa3kl/_new  2020-10-07 14:18:12.945472769 +0200
@@ -23,7 +23,7 @@
 %define _pluginsdir       %{_datadir}/lynis/plugins
 %define _dbdir            %{_datadir}/lynis/db
 Name:           lynis
-Version:        3.0.0
+Version:        3.0.1
 Release:        0
 Summary:        Security and System auditing tool
 License:        GPL-3.0-only

++++++ lynis-3.0.0.tar.gz -> lynis-3.0.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md
--- old/lynis/CHANGELOG.md      2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/CHANGELOG.md      2020-10-05 02:00:00.000000000 +0200
@@ -1,5 +1,43 @@
 # Lynis Changelog
 
+## Lynis 3.0.1 (2020-10-05)
+
+### Added
+- Detection of Alpine Linux
+- Detection of CloudLinux
+- Detection of Kali Linux
+- Detection of Linux Mint
+- Detection of macOS Big Sur (11.0)
+- Detection of Pop!_OS
+- Detection of PHP 7.4
+- Malware detection tool: Microsoft Defender ATP
+- New flag: --slow-warning to allow tests more time before showing a warning
+- Test TIME-3185 to check systemd-timesyncd synchronized time
+- rsh host file permissions
+
+### Changed
+- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash 
versions
+- BOOT-5122 - Presence check for grub.d added
+- CRYP-7902 - Added support for certificates in DER format
+- CRYP-7931 - Added data to report
+- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
+- FILE-6430 - Don't grep nonexistant modprobe.d files
+- FIRE-4535 - Set initial firewall state
+- INSE-8312 - Corrected text on screen
+- KRNL-5728 - Handle zipped kernel configuration correctly
+- KRNL-5830 - Improved version detection for non-symlinked kernel
+- MALW-3280 - Extended detection of BitDefender
+- TIME-3104 - Find more time synchronization commands
+- TIME-3182 - Corrected detection of time peers
+- Fix: hostid generation routine would sometimes show too short IDs
+- Fix: language detection
+- Generic improvements for macOS
+- German translation updated
+- End-of-life database updated
+- Several minor code enhancements
+
+---------------------------------------------------------------------------------
+
 ## Lynis 3.0.0 (2020-06-18)
 
 This is a major release of Lynis and includes several big changes.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/HAPPY_USERS.md new/lynis/HAPPY_USERS.md
--- old/lynis/HAPPY_USERS.md    2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/HAPPY_USERS.md    2020-10-05 02:00:00.000000000 +0200
@@ -33,3 +33,6 @@
 valuable feedback and contributions give me the energy to continue to work on
 its development, even after 12+ years!
 
+* Catalyst.net IT - January 2020
+Lynis gave us great insight in to the security state of our systems, as well 
as where we can improve.
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/languages/de new/lynis/db/languages/de
--- old/lynis/db/languages/de   2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/db/languages/de   2020-10-05 02:00:00.000000000 +0200
@@ -1,38 +1,45 @@
-GEN_PHASE="Phase"
+ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
+ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
 GEN_CHECKING="Überprüfung"
 GEN_CURRENT_VERSION="Aktuelle Version"
 GEN_DEBUG_MODE="Debug-Modus"
-GEN_INITIALIZE_PROGRAM="Initiiere Programm"
+GEN_INITIALIZE_PROGRAM="Initialisiere Programm"
+GEN_LATEST_VERSION="Aktuellste Version"
+GEN_PHASE="Phase"
 GEN_PLUGINS_ENABLED="Plugins aktiviert"
-GEN_VERBOSE_MODE="Ausführlicher Modus"
 GEN_UPDATE_AVAILABLE="Aktualisierung verfügbar"
+GEN_VERBOSE_MODE="Ausführlicher Modus"
 GEN_WHAT_TO_DO="Was zu tun ist"
 NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden"
 NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder 
Informationen wurden gefunden"
 NOTE_PLUGINS_TAKE_TIME="Beachte: Plugins beinhalten eingehendere Tests und 
können mehrere Minuten benötigen, bis sie abgeschlossen sind"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht 
privilegiertem Modus"
 SECTION_CUSTOM_TESTS="Benutzerdefinierte Tests"
+SECTION_DATA_UPLOAD="Daten hochladen"
+SECTION_INITIALIZING_PROGRAM="Initialisiere Programm"
 SECTION_MALWARE="Malware"
 SECTION_MEMORY_AND_PROCESSES="Speicher und Prozesse"
+SECTION_SYSTEM_TOOLS="Systemwerkzeuge"
+STATUS_DISABLED="DEAKTIVIERT"
 STATUS_DONE="FERTIG"
+STATUS_ENABLED="AKTIVIERT"
+STATUS_ERROR="FEHLER"
+STATUS_FAILED="FEHLERHAFT"
 STATUS_FOUND="GEFUNDEN"
-STATUS_YES="JA"
 STATUS_NO="NEIN"
-STATUS_OFF="AUS"
-STATUS_OK="OK"
-STATUS_ON="AN"
 STATUS_NONE="NICHTS"
+STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT"
 STATUS_NOT_FOUND="NICHT GEFUNDEN"
 STATUS_NOT_RUNNING="LÄUFT NICHT"
+STATUS_OFF="AUS"
+STATUS_OK="OK"
+STATUS_ON="AN"
 STATUS_RUNNING="LÄUFT"
 STATUS_SKIPPED="ÜBERSPRUNGEN"
 STATUS_SUGGESTION="VORSCHLAG"
 STATUS_UNKNOWN="UNBEKANNT"
 STATUS_WARNING="WARNUNG"
-TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
+STATUS_WEAK="SCHWACH"
+STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht 
privilegiertem Modus"
-STATUS_DISABLED="DEAKTIVIERT"
-STATUS_ENABLED="AKTIVIERT"
-STATUS_ERROR="FEHLER"
-ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
-ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
+TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/languages/de-AT new/lynis/db/languages/de-AT
--- old/lynis/db/languages/de-AT        1970-01-01 01:00:00.000000000 +0100
+++ new/lynis/db/languages/de-AT        2020-10-07 14:18:13.137472922 +0200
@@ -0,0 +1 @@
+symbolic link to de
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/languages/en new/lynis/db/languages/en
--- old/lynis/db/languages/en   2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/db/languages/en   2020-10-05 02:00:00.000000000 +0200
@@ -26,14 +26,14 @@
 STATUS_ERROR="ERROR"
 STATUS_FAILED="FAILED"
 STATUS_FOUND="FOUND"
-STATUS_OFF="OFF"
-STATUS_OK="OK"
-STATUS_ON="ON"
 STATUS_NO="NO"
 STATUS_NONE="NONE"
 STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 STATUS_NOT_FOUND="NOT FOUND"
 STATUS_NOT_RUNNING="NOT RUNNING"
+STATUS_OFF="OFF"
+STATUS_OK="OK"
+STATUS_ON="ON"
 STATUS_RUNNING="RUNNING"
 STATUS_SKIPPED="SKIPPED"
 STATUS_SUGGESTION="SUGGESTION"
@@ -41,5 +41,5 @@
 STATUS_WARNING="WARNING"
 STATUS_WEAK="WEAK"
 STATUS_YES="YES"
-TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
 TEXT_UPDATE_AVAILABLE="update available"
+TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/software-eol.db new/lynis/db/software-eol.db
--- old/lynis/db/software-eol.db        2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/db/software-eol.db        2020-10-05 02:00:00.000000000 +0200
@@ -16,8 +16,9 @@
 #
 # Amazon Linux
 #
-os:Amazon Linux:2020-06-30:1593468000:
+# Note: shortest entry is listed at end due to regular expression matching 
being used
 os:Amazon Linux 2:2023-06-26:1687730400:
+os:Amazon Linux:2020-06-30:1593468000:
 #
 # Arch Linux
 #
@@ -39,6 +40,15 @@
 os:Debian 9:2022-01-01:1640991600:
 os:Debian 10:2022-01-01:1640991600:
 #
+# Fedora - https://fedoraproject.org/wiki/End_of_life
+#
+os:Fedora release 25:2017-12-12:1513033200:
+os:Fedora release 26:2018-05-29:1527544800:
+os:Fedora release 27:2018-11-30:1543532400:
+os:Fedora release 28:2019-05-28:1558994400:
+os:Fedora release 29:2019-11-26:1574722800:
+os:Fedora release 30:2020-05-26:1590444000:
+#
 # FreeBSD - https://www.freebsd.org/security/unsupported.html
 #
 os:FreeBSD 9.3:2014-12-31:1419980400:
@@ -52,6 +62,12 @@
 os:FreeBSD 11.2:2019-10-31:1572476400:
 os:FreeBSD 12.0:2020-02-29:1582930800:
 #
+# Linux Mint
+#
+os:Linux Mint 18:2021-04-01:1617228000:
+os:Linux Mint 19:2023-04-01:1680300000:
+os:Linux Mint 20:2025-04-01:1743458400:
+#
 # NetBSD - https://www.netbsd.org/support/security/release.html and
 #          https://www.netbsd.org/releases/formal.html
 #
@@ -120,22 +136,6 @@
 os:Red Hat Enterprise Linux 7:2024-06-30:1719698400:
 os:Red Hat Enterprise Linux 8:2029-05-07:1872799200:
 #
-# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and
-#          https://wiki.ubuntu.com/Releases
-#
-os:Ubuntu 14.04:2019-05-01:1556661600:
-os:Ubuntu 14.10:2015-07-01:1435701600:
-os:Ubuntu 15.04:2016-01-01:1451602800:
-os:Ubuntu 15.10:2016-07-01:1467324000:
-os:Ubuntu 16.04:2021-05-01:1619820000:
-os:Ubuntu 16.10:2017-07-01:1498860000:
-os:Ubuntu 17.04:2018-01-01:1514761200:
-os:Ubuntu 17.10:2018-07-01:1530396000:
-os:Ubuntu 18.04:2023-05-01:1682892000:
-os:Ubuntu 18.10:2019-07-18:1563400800:
-os:Ubuntu 19.04:2020-01-01:1577833200:
-os:Ubuntu 20.04:2025-04-01:1743458400
-#
 # Slackware - https://en.wikipedia.org/wiki/Slackware#Releases
 #
 os:Slackware Linux 8.1:2012-08-01:1343768400:
@@ -152,11 +152,25 @@
 os:Slackware Linux 13.1:2018-07-05:1530738000:
 os:Slackware Linux 13.37:2018-07-05:1530738000:
 #
-# Fedora - https://fedoraproject.org/wiki/End_of_life
+# SuSE - https://www.suse.com/lifecycle/
+#
+os:SUSE Linux Enterprise Server 12:2024-10-31:1730329200:
+os:SUSE Linux Enterprise Server 15:2028-07-31:1848607200:
+#
+# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and
+#          https://wiki.ubuntu.com/Releases
+#
+os:Ubuntu 14.04:2019-05-01:1556661600:
+os:Ubuntu 14.10:2015-07-01:1435701600:
+os:Ubuntu 15.04:2016-01-01:1451602800:
+os:Ubuntu 15.10:2016-07-01:1467324000:
+os:Ubuntu 16.04:2021-05-01:1619820000:
+os:Ubuntu 16.10:2017-07-01:1498860000:
+os:Ubuntu 17.04:2018-01-01:1514761200:
+os:Ubuntu 17.10:2018-07-01:1530396000:
+os:Ubuntu 18.04:2023-05-01:1682892000:
+os:Ubuntu 18.10:2019-07-18:1563400800:
+os:Ubuntu 19.04:2020-01-01:1577833200:
+os:Ubuntu 20.04:2025-04-01:1743458400:
 #
-os:Fedora release 25:2017-12-12:1513033200
-os:Fedora release 26:2018-05-29:1527544800
-os:Fedora release 27:2018-11-30:1543532400
-os:Fedora release 28:2019-05-28:1558994400
-os:Fedora release 29:2019-11-26:1574722800
-os:Fedora release 30:2020-05-26:1590444000
+# EOF
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/tests.db new/lynis/db/tests.db
--- old/lynis/db/tests.db       2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/db/tests.db       2020-10-05 02:00:00.000000000 +0200
@@ -419,6 +419,7 @@
 TIME-3180:test:security:time::Report if ntpctl cannot communicate with 
OpenNTPD:
 TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation
 TIME-3182:test:security:time::Check OpenNTPD has working peers
+TIME-3185:test:security:time::Check systemd-timesyncd synchronized time
 TOOL-5002:test:security:tooling::Checking for automation tools:
 TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
 TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/default.prf new/lynis/default.prf
--- old/lynis/default.prf       2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/default.prf       2020-10-05 02:00:00.000000000 +0200
@@ -93,7 +93,7 @@
 #skip-upgrade-test=yes
 
 # Locations where to search for SSL certificates (separate paths with a colon)
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
 ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
 ssl-certificate-include-packages=no
 
@@ -152,7 +152,7 @@
 #
 # Kernel options
 # ---------------
-# configdate=, followed by:
+# config-data=, followed by:
 #
 # - Type                     = Set to 'sysctl'
 # - Setting                  = value of sysctl key (e.g. kernel.sysrq)
@@ -303,6 +303,11 @@
 permfile=/etc/passwd:rw-r--r--:root:-:WARN:
 permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
 permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
+permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/root/.rhosts:rw-------:root:root:WARN:
+permfile=/root/.rlogin:rw-------:root:root:WARN:
+permfile=/root/.shosts:rw-------:root:root:WARN:
 
 # These permissions differ by OS
 #permfile=/etc/gshadow:---------:root:-:WARN:
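Review bot: The five new `permfile=` entries put `root` in the group column, while the existing entries directly above them use `-` there (`permfile=/etc/passwd:rw-r--r--:root:-:WARN:`). The code that consumes this column is not visible in this diff, but if it compares the value against the file's group name, systems where root-owned files carry the group `wheel` would warn on a correctly restricted file. Following the neighbouring entries, e.g. `permfile=/root/.rhosts:rw-------:root:-:WARN:`, would limit the check to mode and owner.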
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/extras/bash_completion.d/lynis 
new/lynis/extras/bash_completion.d/lynis
--- old/lynis/extras/bash_completion.d/lynis    2020-06-18 02:00:00.000000000 
+0200
+++ new/lynis/extras/bash_completion.d/lynis    2020-10-05 02:00:00.000000000 
+0200
@@ -179,7 +179,7 @@
         *)
             COMPREPLY=( $( compgen -W ' \
                 --auditor --cronjob --debug --quick --quiet --logfile 
--no-colors --no-log --pentest --reverse-colors \
-                --tests --tests-from-category --tests-from-group --upload 
--verbose' -- "$cur" ) )
+                --tests --tests-from-category --tests-from-group --upload 
--verbose --slow-warning' -- "$cur" ) )
             ;;
     esac
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries
--- old/lynis/include/binaries  2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/binaries  2020-10-05 02:00:00.000000000 +0200
@@ -219,6 +219,7 @@
                             maldet)                 LMDBINARY="${BINARY}";     
        MALWARE_SCANNER_INSTALLED=1;           LogText "  Found known binary: 
maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;;
                             md5)                    MD5BINARY="${BINARY}";     
        LogText "  Found known binary: md5 (hash tool) - ${BINARY}" ;;
                             md5sum)                 MD5BINARY="${BINARY}";     
        LogText "  Found known binary: md5sum (hash tool) - ${BINARY}" ;;
+                            mdatp)                  MDATPBINARY="${BINARY}";   
        MALWARE_SCANNER_INSTALLED=1;           LogText "  Found known binary: 
mdatp (Microsoft Defender ATP, malware scanner) - ${BINARY}" ;;
                             modprobe)               
MODPROBEBINARY="${BINARY}";        LogText "  Found known binary: modprobe 
(kernel modules) - ${BINARY}" ;;
                             mount)                  MOUNTBINARY="${BINARY}";   
        LogText "  Found known binary: mount (disk utility) - ${BINARY}" ;;
                             mtree)                  MTREEBINARY="${BINARY}";   
        LogText "  Found known binary: mtree (mapping directory tree) - 
${BINARY}" ;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/consts new/lynis/include/consts
--- old/lynis/include/consts    2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/consts    2020-10-05 02:00:00.000000000 +0200
@@ -33,10 +33,6 @@
 
 ETC_PATHS="/etc /usr/local/etc"
 
-# Do not use specific language, fall back to default
-# Some tools with translated strings are very hard to parse
-unset LANG
-
 #
 
#################################################################################
 #
@@ -277,6 +273,7 @@
     SKIP_VM_DETECTION=0
     SKIPREASON=""
     SKIPPED_TESTS_ROOTONLY=""
+    SLOW_TEST_THRESHOLD=10
     SMTPCTLBINARY=""
     SNORTBINARY=""
     SSHKEYSCANBINARY=""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/functions new/lynis/include/functions
--- old/lynis/include/functions 2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/functions 2020-10-05 02:00:00.000000000 +0200
@@ -1290,7 +1290,8 @@
                 if [ -n "${STATBINARY}" ]; then
 
                     case ${OS} in
-                        *BSD)
+                        *BSD | "macOS")
+                            # BSD and macOS have no --format, only short 
notation
                             DATA=$(${STATBINARY} -f "%OLp" ${CHECKFILE})
                         ;;
                         *)
@@ -2585,7 +2586,7 @@
         CURRENT_TS=$(GetTimestamp)
         if [ ${PREVIOUS_TS} -gt 0 ]; then
             SLOW_TEST=0
-            TIME_THRESHOLD=10  # seconds
+            TIME_THRESHOLD=$SLOW_TEST_THRESHOLD  # seconds
 
             # Calculate timing and determine if we use seconds or nanoseconds 
(more precise)
             TIME_DIFF=$((CURRENT_TS - PREVIOUS_TS))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/helper_generate 
new/lynis/include/helper_generate
--- old/lynis/include/helper_generate   2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/helper_generate   2020-10-05 02:00:00.000000000 +0200
@@ -51,8 +51,10 @@
                 ;;
                 *)
                     # xxd does not exist on FreeBSD
-                    HOSTID=$(head -c20 < /dev/urandom | hexdump -ve '"%.2x"')
-                    HOSTID2=$(head -c32 < /dev/urandom | hexdump -ve '"%.2x"')
+                    # Note: hexdump may omit leading or trailing zeroes.
+                    # Take 100 characters as input, turn to hex, then take 
first 40/64.
+                    HOSTID=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' 
| head -c40)
+                    HOSTID2=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' 
| head -c64)
                 ;;
             esac
 
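Review bot: The new HOSTID and HOSTID2 lines work around the short output by over-reading 100 bytes and truncating, which leaves the cause in place. Without a byte count, hexdump's `%x` conversion consumes four bytes per iteration by default, so `"%.2x"` prints each 32-bit word with its leading zeroes stripped. An explicit one-byte unit, `hexdump -ve '1/1 "%.2x"'`, emits exactly two hex digits per input byte, so `head -c20` and `head -c32` would again give 40 and 64 characters without the trailing `head`. As written, the IDs are also slightly biased because zero nibbles at the start of each word are dropped. The surrounding case statement starts outside the hunk.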
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/osdetection 
new/lynis/include/osdetection
--- old/lynis/include/osdetection       2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/osdetection       2020-10-05 02:00:00.000000000 +0200
@@ -62,6 +62,7 @@
                     10.13 | 10.13.[0-9]*) OS_FULLNAME="macOS High Sierra 
(${OS_VERSION})" ;;
                     10.14 | 10.14.[0-9]*) OS_FULLNAME="macOS Mojave 
(${OS_VERSION})" ;;
                     10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina 
(${OS_VERSION})" ;;
+                    11.0 | 11.0[0-9]*) OS_FULLNAME="macOS Big Sur 
(${OS_VERSION})" ;;
                     *) echo "Unknown macOS version. Do you know what version 
it is? Create an issue at ${PROGRAM_SOURCE}" ;;
                 esac
             else
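Review bot: The new Big Sur arm `11.0 | 11.0[0-9]*)` drops the dot that the 10.13–10.15 arms above it use, so a version string such as 11.0.1 matches neither alternative and falls through to the "Unknown macOS version" message. Writing it as `11.0 | 11.0.[0-9]*)` would keep it parallel with the existing arms. The enclosing case statement starts outside the hunk, so how OS_VERSION is derived is not visible here.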
@@ -143,6 +144,12 @@
                 OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | 
tr -d '"')
                 if [ -n "${OS_ID}" ]; then
                     case ${OS_ID} in
+                        "alpine")
+                            LINUX_VERSION="Alpine Linux"
+                            OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release 
| awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "amzn")
                             LINUX_VERSION="Amazon Linux"
                             OS_NAME="Amazon Linux"
@@ -166,6 +173,12 @@
                             OS_REDHAT_OR_CLONE=1
                             OS_VERSION="Rolling release"
                         ;;
+                        "cloudlinux")
+                            LINUX_VERSION="CloudLinux"
+                            OS_NAME="CloudLinux"
+                            OS_REDHAT_OR_CLONE=1
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "coreos")
                             LINUX_VERSION="CoreOS"
                             OS_NAME="CoreOS Linux"
@@ -188,11 +201,16 @@
                             OS_NAME="Gentoo Linux"
                             OS_VERSION="Rolling release"
                         ;;
-                        "pureos")
-                            LINUX_VERSION="PureOS"
+                        "kali")
+                            LINUX_VERSION="Kali"
+                            OS_NAME="Kali Linux"
+                            OS_VERSION="Rolling release"
+                        ;;
+                        "linuxmint")
+                            LINUX_VERSION="Linux Mint"
+                            OS_NAME="Linux Mint"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release 
| awk -F= '{print $2}' | tr -d '"')
-                            OS_NAME="PureOS"
                         ;;
                         "manjaro")
                             LINUX_VERSION="Manjaro"
@@ -217,11 +235,17 @@
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="openSUSE"
                         ;;
-                        "ubuntu")
-                            LINUX_VERSION="Ubuntu"
+                        "pop")
+                            LINUX_VERSION="Pop!_OS"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release 
| awk -F= '{print $2}' | tr -d '"')
-                            OS_NAME="Ubuntu"
+                            OS_NAME="Pop!_OS"
+                        ;;
+                        "pureos")
+                            LINUX_VERSION="PureOS"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release 
| awk -F= '{print $2}' | tr -d '"')
+                            OS_NAME="PureOS"
                         ;;
                         "raspbian")
                             LINUX_VERSION="Raspbian"
@@ -243,13 +267,22 @@
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release 
| awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "ubuntu")
+                            LINUX_VERSION="Ubuntu"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release 
| awk -F= '{print $2}' | tr -d '"')
+                            OS_NAME="Ubuntu"
+                        ;;
                         *)
-                            ReportException "OS Detection" "Unknown OS found 
in /etc/os-release"
+                            ReportException "OS Detection" "Unknown OS found 
in /etc/os-release - Please create issue on GitHub project page: 
${PROGRAM_SOURCE}"
                         ;;
                     esac
                 fi
             fi
 
+            # Alpine
+            if [ -e "/etc/alpine-release" ]; then LINUX_VERSION="Alpine 
Linux"; OS_VERSION=$(cat /etc/alpine-release); fi
+
             # Amazon
             if [ -z "${LINUX_VERSION}" -a -e "/etc/system-release" ]; then
                 FIND=$(grep "^Amazon" /etc/system-release)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/parameters new/lynis/include/parameters
--- old/lynis/include/parameters        2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/parameters        2020-10-05 02:00:00.000000000 +0200
@@ -423,6 +423,23 @@
                 QUIET=1
             ;;
 
+            # Warning when test is slow
+            --slow-warning)
+                if [ $# -gt 1 ]; then
+                    shift
+
+                    if [ "$1" -gt 0 ] 2>/dev/null; then
+                        SLOW_TEST_THRESHOLD="$1"
+                    else
+                        echo "Argument has to be number."
+                        exit 1
+                    fi
+                else
+                    echo "Specify threshold as number of seconds above which 
should Lynis warn about long test."
+                    exit 1
+                fi
+            ;;
+
             --tests-category | --tests-categories | --view-categories | 
--list-categories | --show-categories)
                 echo "Error: Deprecated option ($1)"
                 exit 1
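Review bot: In the new `--slow-warning` arm the message `Argument has to be number.` is inaccurate for `0` or a negative value, which `[ "$1" -gt 0 ]` rejects although they are numbers, and neither message names the option. Something like `echo "Error: --slow-warning requires a positive number of seconds"` would match the `Error:` prefix used by the deprecated-option arm below it. The enclosing option loop starts and ends outside the hunk.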
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/profiles new/lynis/include/profiles
--- old/lynis/include/profiles  2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/profiles  2020-10-05 02:00:00.000000000 +0200
@@ -50,6 +50,7 @@
             Display --text " "
             Display --text 
"=================================================================================================="
             Display --text " "
+            LogText "Insight: Profile '${PROFILE}' contians one or more 
old-style configuration entries"
             ReportWarning "GEN-0020" "Your profile contains one or more 
old-style configuration entries"
             sleep 10
         fi
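Review bot: The added LogText string misspells "contains" as `contians`, so anyone searching the log for this insight message will not find it. The corrected text would read `Profile '${PROFILE}' contains one or more old-style configuration entries`, which also matches the wording of the ReportWarning on the next line. The surrounding if block starts outside the hunk.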
@@ -556,7 +557,6 @@
 
     Display --indent 2 --text "- Checking profiles..." --result "DONE" --color 
GREEN
 
-LogTextBreak
 
 
#================================================================================
 # Lynis - Security Auditing and System Hardening for Linux and UNIX - 
https://cisofy.com
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_authentication 
new/lynis/include/tests_authentication
--- old/lynis/include/tests_authentication      2020-06-18 02:00:00.000000000 
+0200
+++ new/lynis/include/tests_authentication      2020-10-05 02:00:00.000000000 
+0200
@@ -286,50 +286,56 @@
     # Description : Check password hashing methods vs. recommendations in 
crypt(5)
     # Notes       : Applicable to all Unix-like OS
     #               Requires read access to /etc/shadow (if it exists)
+
+    ParsePasswordEntry() {
+        METHOD=$1
+        case ${METHOD} in
+            1:\* | 1:x | 0: | *:!* | *LOCK*)
+                # disabled | shadowed | no password | locked account (can be 
literal *LOCK* or something like LOCKED)
+                ;;
+            *:\$5\$*| *:\$6\$*)
+                # sha256crypt | sha512crypt: check number of rounds, should be 
>5000
+                ROUNDS=$(echo "${METHOD}" | sed -n 
's/.*rounds=\([0-9]*\)\$.*/\1/gp')
+                if [ -z "${ROUNDS}" ]; then
+                    echo 'sha256crypt/sha512crypt(default<=5000rounds)'
+                elif [ "${ROUNDS}" -le 5000 ]; then
+                    echo 'sha256crypt/sha512crypt(<=5000rounds)'
+                fi
+                ;;
+            *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
+                # yescrypt | gost-yescrypt | bcrypt | scrypt
+                ;;
+            *:_*)
+                echo bsdicrypt
+                ;;
+            *:\$1\$*)
+                echo md5crypt
+                ;;
+            *:\$3\$*)
+                echo NT
+                ;;
+            *:\$md5*)
+                echo SunMD5
+                ;;
+            *:\$sha1*)
+                echo sha1crypt
+                ;;
+            13:* | 178:*)
+                echo bigcrypt/descrypt
+                ;;
+            *)
+                echo "Unknown password hashing method ${METHOD}. Please report 
to lynis-...@cisofy.com"
+                ;;
+        esac
+    }
+
     Register --test-no AUTH-9229 --root-only YES --weight L --network NO 
--category security --description "Check password hashing methods"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking password hashing methods"
         SHADOW="";
         if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi
         FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F 
: '{print length($2) ":" $2 }' | while read METHOD; do
-            case ${METHOD} in
-                1:\* | 1:x | 0: | *:!*)
-                    # disabled | shadowed | no password | locked account
-                    ;;
-                *:\$5\$*| *:\$6\$*)
-                    # sha256crypt | sha512crypt: check number of rounds, 
should be >5000
-                    ROUNDS=$(echo "${METHOD}" | sed -n 
's/.*rounds=\([0-9]*\)\$.*/\1/gp')
-                    if [ -z "${ROUNDS}" ]; then
-                        echo 'sha256crypt/sha512crypt(default<=5000rounds)'
-                    elif [ "${ROUNDS}" -le 5000 ]; then
-                        echo 'sha256crypt/sha512crypt(<=5000rounds)'
-                    fi
-                    ;;
-                *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
-                    # yescrypt | gost-yescrypt | bcrypt | scrypt
-                    ;;
-                *:_*)
-                    echo bsdicrypt
-                    ;;
-                *:\$1\$*)
-                    echo md5crypt
-                    ;;
-                *:\$3\$*)
-                    echo NT
-                    ;;
-                *:\$md5*)
-                    echo SunMD5
-                    ;;
-                *:\$sha1*)
-                    echo sha1crypt
-                    ;;
-                13:* | 178:*)
-                    echo bigcrypt/descrypt
-                    ;;
-                *)
-                    echo "Unknown password hashing method ${METHOD}. Please 
report to lynis-...@cisofy.com"
-                    ;;
-            esac
+            ParsePasswordEntry ${METHOD}
         done | ${SORTBINARY} -u | ${TRBINARY} '\n' ' ')
         if [ -z "${FIND}" ]; then
             Display --indent 2 --text "- Password hashing methods" --result 
"${STATUS_OK}" --color GREEN
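Review bot: The call `ParsePasswordEntry ${METHOD}` passes the `length:hash` field unquoted, so a password field containing whitespace or glob characters is word-split or expanded before the function reads `$1`, and only the first word is classified. `ParsePasswordEntry "${METHOD}"` avoids that. The added `*LOCK*` alternative in the first case arm is also unanchored, so any entry whose hash text happens to contain LOCK is treated as locked and produces no hashing-method finding. Anchoring it to the start of the password field would narrow that, if the lock markers on the supported platforms allow it. The AUTH-9229 test block continues outside the hunk.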
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_boot_services 
new/lynis/include/tests_boot_services
--- old/lynis/include/tests_boot_services       2020-06-18 02:00:00.000000000 
+0200
+++ new/lynis/include/tests_boot_services       2020-10-05 02:00:00.000000000 
+0200
@@ -332,8 +332,12 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
 
-        CONF_FILES=$(${FINDBINARY} /etc/grub.d -type f -name "[0-9][0-9]*" 
-print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
-        CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg 
${CONF_FILES}"
+        if [ "${ROOTDIR}etc/grub.d" ]; then
+            CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name 
"[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
+            CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg 
${CONF_FILES}"
+        else
+            CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg"
+        fi
 
         for FILE in ${CONF_FILES}; do
             if [ -f "${FILE}" ]; then
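Review bot: The new guard `if [ "${ROOTDIR}etc/grub.d" ]; then` only tests that the string is non-empty, which is always true, so the `else` branch is unreachable and `find` still runs when the directory is missing. A directory test is presumably what was intended: `if [ -d "${ROOTDIR}etc/grub.d" ]; then`. The `for FILE in ${CONF_FILES}` loop continues outside the hunk.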
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_crypto 
new/lynis/include/tests_crypto
--- old/lynis/include/tests_crypto      2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/tests_crypto      2020-10-05 02:00:00.000000000 +0200
@@ -22,6 +22,10 @@
 #
 
#################################################################################
 #
+    RNG_FOUND=0
+#
+#################################################################################
+#
     InsertSection "Cryptography"
 #
 
#################################################################################
@@ -50,7 +54,7 @@
                     LASTSUBDIR=""
                     LogText "Result: found directory ${DIR}"
                     # Search for certificate files
-                    FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | 
${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ 
/__space__/g')
+                    FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | 
${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 
's/ /__space__/g')
                     for FILE in ${FILES}; do
                         FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
                         # See if we need to skip this path
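Review bot: The dots in `".cer$|.crt$|.der$|.pem$|^cert"` are unescaped, so `.der$` and `.cer$` match any path that merely ends in those letters (a file named `reminder` or `soccer` passes the filter). This matters more with this update, because the later hunk at `CER_DER=$?` reuses `".cer$|.der$"` to treat a file as a certificate on its name alone. Escaping the dots limits the match to real extensions: `"\.cer$|\.crt$|\.der$|\.pem$|^cert"` here and `"\.cer$|\.der$"` in the later hunk. The `for FILE` loop continues outside the hunk.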
@@ -76,16 +80,23 @@
                             if [ ${CANREAD} -eq 1 ]; then
                                 # Only check the files that are not installed 
by a package, unless enabled by profile
                                 if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 
] || ! FileInstalledByPackage "${FILE}"; then
+                                    echo ${FILE} | ${EGREPBINARY} --quiet 
".cer$|.der$"
+                                    CER_DER=$?
                                     OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' 
"${FILE}")
-                                    if [ $? -eq 0 ]; then
+                                    if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
                                         LogText "Result: file is a certificate 
file"
-                                        FIND=$(${OPENSSLBINARY} x509 -noout 
-in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
+                                        if [ ${CER_DER} -eq 0 ]; then
+                                            SSL_DER_OPT="-inform der"
+                                        else
+                                            SSL_DER_OPT=
+                                        fi
+                                        FIND=$(${OPENSSLBINARY} x509 -noout 
${SSL_DER_OPT} -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
                                         if [ $? -eq 0 ]; then
                                             # Check certificate where 'end 
date' has been expired
-                                            FIND=$(${OPENSSLBINARY} x509 
-noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
+                                            FIND=$(${OPENSSLBINARY} x509 
-noout ${SSL_DER_OPT} -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
                                             EXIT_CODE=$?
-                                            CERT_CN=$(${OPENSSLBINARY} x509 
-noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 
's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
-                                            CERT_NOTAFTER=$(${OPENSSLBINARY} 
x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if 
($1=="notAfter") { print $2 }}')
+                                            CERT_CN=$(${OPENSSLBINARY} x509 
-noout ${SSL_DER_OPT} -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 
's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
+                                            CERT_NOTAFTER=$(${OPENSSLBINARY} 
x509 -noout ${SSL_DER_OPT} -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} 
-F= '{if ($1=="notAfter") { print $2 }}')
                                             Report 
"certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
                                             if [ ${EXIT_CODE} -eq 0 ]; then 
                                                 LogText "Result: certificate 
${FILE} seems to be correct and still valid"
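Review bot: `SSL_DER_OPT="-inform der"` is chosen from the file name only, so a PEM-encoded certificate stored as `.cer` (a common combination) is handed to openssl as DER. The `notAfter` lookup is then likely to fail, and the expiry check would be skipped for that file. Let the `BEGIN CERT` grep decide first and fall back to DER only when it finds nothing: keep its status (`IS_PEM=$?`) and use `if [ ${IS_PEM} -ne 0 ] && [ ${CER_DER} -eq 0 ]; then SSL_DER_OPT="-inform der"`. That also avoids `-o` inside `[ ... ]`, which POSIX marks as obsolescent. The enclosing loop starts and ends outside the hunk.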
@@ -181,20 +192,28 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         ENCRYPTED_SWAPS=0
         UNENCRYPTED_SWAPS=0
-        SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings)
-        for BLOCK_DEV in ${SWAPS}; do
-            if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
-                LogText "Result: Found LUKS encrypted swap device: 
${BLOCK_DEV}"
-                ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1))
-            elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" | ${GREPBINARY} 
--quiet "cipher:"; then
-                LogText "Result: Found non-LUKS encrypted swap device: 
${BLOCK_DEV}"
-                ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1))
-            else
-                LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}"
-                UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1))
-            fi
-        done
-        Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and 
${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE
+        # Redirect errors, as RHEL 5/6 and others don't have the --show option
+        SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings 2> /dev/null)
+        if [ $? -eq 0 ]; then
+            for BLOCK_DEV in ${SWAPS}; do
+                if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
+                    LogText "Result: Found LUKS encrypted swap device: 
${BLOCK_DEV}"
+                    ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
+                    Report "encrypted_swap[]=${BLOCK_DEV},LUKS"
+                elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | 
${GREPBINARY} --quiet "cipher:"; then
+                    LogText "Result: Found non-LUKS encrypted swap device: 
${BLOCK_DEV}"
+                    ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
+                    Report "encrypted_swap[]=${BLOCK_DEV},other"
+                else
+                    LogText "Result: Found unencrypted swap device: 
${BLOCK_DEV}"
+                    UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1))
+                    Report "non_encrypted_swap[]=${BLOCK_DEV}"
+                fi
+            done
+            Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted 
and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color 
WHITE
+        else
+            LogText "Result: skipping testing as swapon returned an error."
+        fi
     fi
 #
 
#################################################################################
@@ -232,6 +251,7 @@
                 if IsRunning "rngd"; then
                     Display --indent 2 --text "- HW RNG & rngd" --result 
"${STATUS_YES}" --color GREEN
                     LogText "Result: rngd is running"
+                    RNG_FOUND=1
                 else
                     Display --indent 2 --text "- HW RNG & rngd" --result 
"${STATUS_NO}" --color YELLOW
                     # TODO - enable suggestion when website has listing for 
this control
@@ -263,8 +283,9 @@
         done
         if [ -z "${FOUND}" ]; then
             Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" 
--color YELLOW
-            ReportSuggestion "${TEST_NO}" "Utilize software pseudo random 
number generators"
+            # ReportSuggestion "${TEST_NO}" "Utilize software pseudo random 
number generators"
         else
+            RNG_FOUND=1
             Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" 
--color GREEN
             LogText "Result: found ${FOUND} running"
         fi
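Review bot: The `ReportSuggestion` call in the `[ -z "${FOUND}" ]` branch is disabled by commenting it out with no reason recorded, so a later reader cannot tell whether this is temporary or permanent. Either delete the line or put a why-comment above it in the style the file already uses in the rngd branch (`# TODO - enable suggestion when ...`), stating the actual condition for re-enabling it. As written, the screen still shows `SW prng` with `${STATUS_NO}` in yellow but the report carries no matching suggestion.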
@@ -272,6 +293,10 @@
 #
 
#################################################################################
 #
+    Report "rng_found=${RNG_FOUND}"
+#
+#################################################################################
+#
 
 WaitForKeyPress
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_filesystems 
new/lynis/include/tests_filesystems
--- old/lynis/include/tests_filesystems 2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/tests_filesystems 2020-10-05 02:00:00.000000000 +0200
@@ -830,12 +830,15 @@
                     AddHP 3 3
                     if IsDebug; then Display --indent 6 --text "- Module ${FS} 
not present in the kernel" --result OK --color GREEN; fi
                 fi
-                FIND1=$(${EGREPBINARY} "blacklist ${FS}" 
${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
-                FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" 
${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
-                if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
-                    Display --indent 4 --text "- Module $FS is blacklisted" 
--result "OK" --color GREEN
-                    LogText "Result: module ${FS} is blacklisted"
-                fi
+                FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
+                if [ -n "${FIND}" ]; then
+                               FIND1=$(${EGREPBINARY} "blacklist ${FS}" 
${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+                               FIND2=$(${EGREPBINARY} "install ${FS} 
/bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+                    if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
+                        Display --indent 4 --text "- Module $FS is 
blacklisted" --result "OK" --color GREEN
+                        LogText "Result: module ${FS} is blacklisted"
+                    fi
+                           fi
             done
             if [ ${FOUND} -eq 1 ]; then
                 Display --indent 4 --text "- Discovered kernel modules: 
${AVAILABLE_MODPROBE_FS}"
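Review bot: The guard `FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)` parses `ls` output just to learn whether the glob matched anything. The `FIND1`, `FIND2` and closing `fi` lines are also indented differently from the rest of the block, which hides the nesting. A simpler form is `if [ -d "${ROOTDIR}etc/modprobe.d" ]; then` combined with `2> /dev/null` on the two `${EGREPBINARY}` calls, re-indented to the surrounding 16/20-column levels. The enclosing `for` loop starts outside the hunk.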
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_firewalls 
new/lynis/include/tests_firewalls
--- old/lynis/include/tests_firewalls   2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/tests_firewalls   2020-10-05 02:00:00.000000000 +0200
@@ -407,6 +407,8 @@
     Register --test-no FIRE-4534 --weight L --os "macOS" --network NO 
--category security --description "Check for presence of outbound firewalls on 
macOS"
     if [ ${SKIPTEST} -eq 0 ]; then
 
+        FOUND=0
+
         # Little Snitch Daemon (macOS)
         LogText "Test: checking process Little Snitch Daemon"
         if IsRunning --full "Little Snitch Daemon"; then
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_insecure_services 
new/lynis/include/tests_insecure_services
--- old/lynis/include/tests_insecure_services   2020-06-18 02:00:00.000000000 
+0200
+++ new/lynis/include/tests_insecure_services   2020-10-05 02:00:00.000000000 
+0200
@@ -385,7 +385,7 @@
         if [ ${FOUND} -eq 1 ]; then
             LogText "Result: telnet server is installed"
             Display --indent 2 --text "- Installed telnet server package" 
--result "${STATUS_FOUND}" --color YELLOW
-            ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package and 
replace with SSH when possible"
+            ReportSuggestion "${TEST_NO}" "Removing the telnet server package 
and replace with SSH when possible"
             Report "insecure_service[]=telnet-server"
         else
             LogText "Result: telnet server is NOT installed"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_kernel 
new/lynis/include/tests_kernel
--- old/lynis/include/tests_kernel      2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/tests_kernel      2020-10-05 02:00:00.000000000 +0200
@@ -235,12 +235,13 @@
     Register --test-no KRNL-5728 --os Linux --weight L --network NO --category 
security --description "Checking Linux kernel config"
     if [ ${SKIPTEST} -eq 0 ]; then
         CHECKFILE="${ROOTDIR}boot/config-$(uname -r)"
+        CHECKFILE_ZIPPED="${ROOTDIR}proc/config.gz"
         if [ -f ${CHECKFILE} ]; then
             LINUXCONFIGFILE="${CHECKFILE}"
             LogText "Result: found config (${LINUXCONFIGFILE})"
             Display --indent 2 --text "- Checking Linux kernel configuration 
file" --result "${STATUS_FOUND}" --color GREEN
-        elif [ -f ${ROOTDIR}proc/config.gz ]; then
-            LINUXCONFIGFILE="${CHECKFILE}"
+        elif [ -f ${CHECKFILE_ZIPPED} ]; then
+            LINUXCONFIGFILE="${CHECKFILE_ZIPPED}"
             LINUXCONFIGFILE_ZIPPED=1
             LogText "Result: found config: ${ROOTDIR}proc/config.gz 
(compressed)"
             Display --indent 2 --text "- Checking Linux kernel configuration 
file" --result "${STATUS_FOUND}" --color GREEN
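Review bot: The compressed-config branch still logs the literal path in `LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)"`, although the hunk introduces `CHECKFILE_ZIPPED` for exactly that path. Using `${LINUXCONFIGFILE}` there keeps the message and the variable in step. `[ -f ${CHECKFILE} ]` and the new `[ -f ${CHECKFILE_ZIPPED} ]` are unquoted, so a `ROOTDIR` containing whitespace would break the test; `[ -f "${CHECKFILE_ZIPPED}" ]` avoids that. The `if` chain continues outside the hunk.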
@@ -674,7 +675,10 @@
                         LogText "Result: found a symlink, retrieving 
destination"
                         FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}")
                         LogText "Result: destination file is ${FOUND_VMLINUZ}"
-                        VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 
's/^vmlinuz-//')
+                        VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 
's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
+                        LogText "Result: version derived from file name is 
'${VERSION_ON_DISK}'"
+                    elif [ -f "${FOUND_VMLINUZ}" ]; then
+                        VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 
's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
                         LogText "Result: version derived from file name is 
'${VERSION_ON_DISK}'"
                     fi
 
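Review bot: The pipeline `echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//'` is now duplicated in both branches and strips only a literal `/boot/` prefix. A path under any other directory (for instance when `ROOTDIR` is not `/`) would leave `VERSION_ON_DISK` holding a path rather than a version. Stripping the directory generically, once after the `if`/`elif`, covers both cases: `VERSION_ON_DISK=$(echo "${FOUND_VMLINUZ##*/}" | ${SEDBINARY} 's/^vmlinuz-//')`. How `FOUND_VMLINUZ` is populated is outside the hunk, so the affected paths are an assumption to confirm.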
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_malware 
new/lynis/include/tests_malware
--- old/lynis/include/tests_malware     2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/tests_malware     2020-10-05 02:00:00.000000000 +0200
@@ -102,28 +102,6 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
 
-        # ESET security products
-        LogText "Test: checking process esets_daemon"
-        if IsRunning "esets_daemon"; then
-            FOUND=1
-            ESET_DAEMON_RUNNING=1
-            MALWARE_SCANNER_INSTALLED=1
-            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} 
ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
-            LogText "Result: found ESET security product"
-            Report "malware_scanner[]=eset"
-        fi
-
-        # Bitdefender (macOS)
-        LogText "Test: checking process epagd"
-        if IsRunning "epagd"; then
-            FOUND=1
-            BITDEFENDER_DAEMON_RUNNING=1
-            MALWARE_SCANNER_INSTALLED=1
-            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} 
Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
-            LogText "Result: found Bitdefender security product"
-            Report "malware_scanner[]=bitdefender"
-        fi
-
         # Avast (macOS)
         LogText "Test: checking process com.avast.daemon"
         if IsRunning "com.avast.daemon"; then
@@ -146,6 +124,17 @@
             Report "malware_scanner[]=avira"
         fi
 
+        # Bitdefender (macOS)
+        LogText "Test: checking process epagd"
+        if IsRunning "bdagentd" || IsRunning "epagd"; then
+            FOUND=1
+            BITDEFENDER_DAEMON_RUNNING=1
+            MALWARE_SCANNER_INSTALLED=1
+            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} 
Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
+            LogText "Result: found Bitdefender security product"
+            Report "malware_scanner[]=bitdefender"
+        fi
+
         # CrowdStrike falcon-sensor
         LogText "Test: checking process falcon-sensor (CrowdStrike)"
         if IsRunning "falcon-sensor"; then
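Review bot: The log line `LogText "Test: checking process epagd"` no longer matches the condition, which now also accepts `bdagentd`, so the audit log does not show that both process names were tested. Suggested wording, following the CrowdStrike entry just below: `LogText "Test: checking process bdagentd or epagd (Bitdefender)"`. The comment `# Bitdefender (macOS)` may also be too narrow if `bdagentd` is the name used on other platforms; that is worth confirming.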
@@ -168,6 +157,17 @@
             Report "malware_scanner[]=cylance-protect"
         fi
 
+        # ESET security products
+        LogText "Test: checking process esets_daemon"
+        if IsRunning "esets_daemon"; then
+            FOUND=1
+            ESET_DAEMON_RUNNING=1
+            MALWARE_SCANNER_INSTALLED=1
+            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} 
ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
+            LogText "Result: found ESET security product"
+            Report "malware_scanner[]=eset"
+        fi
+
         # Kaspersky products
         LogText "Test: checking process wdserver or klnagent (Kaspersky)"
         # wdserver is too generic to match on, so we want to ensure that it is 
related to Kaspersky first
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_php new/lynis/include/tests_php
--- old/lynis/include/tests_php 2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/tests_php 2020-10-05 02:00:00.000000000 +0200
@@ -36,6 +36,7 @@
                 ${ROOTDIR}etc/php7.1/php.ini \
                 ${ROOTDIR}etc/php7.2/php.ini \
                 ${ROOTDIR}etc/php7.3/php.ini \
+                ${ROOTDIR}etc/php7.4/php.ini \
                 ${ROOTDIR}etc/php/cgi-php5/php.ini \
                 ${ROOTDIR}etc/php/cli-php5/php.ini \
                 ${ROOTDIR}etc/php/apache2-php5/php.ini \
@@ -45,24 +46,29 @@
                 ${ROOTDIR}etc/php/apache2-php7.1/php.ini \
                 ${ROOTDIR}etc/php/apache2-php7.2/php.ini \
                 ${ROOTDIR}etc/php/apache2-php7.3/php.ini \
+                ${ROOTDIR}etc/php/apache2-php7.4/php.ini \
                 ${ROOTDIR}etc/php/cgi-php5.5/php.ini \
                 ${ROOTDIR}etc/php/cgi-php5.6/php.ini \
                 ${ROOTDIR}etc/php/cgi-php7.0/php.ini \
                 ${ROOTDIR}etc/php/cgi-php7.1/php.ini \
                 ${ROOTDIR}etc/php/cgi-php7.2/php.ini \
                 ${ROOTDIR}etc/php/cgi-php7.3/php.ini \
+                ${ROOTDIR}etc/php/cgi-php7.4/php.ini \
                 ${ROOTDIR}etc/php/cli-php5.5/php.ini \
                 ${ROOTDIR}etc/php/cli-php5.6/php.ini \
                 ${ROOTDIR}etc/php/cli-php7.0/php.ini \
                 ${ROOTDIR}etc/php/cli-php7.1/php.ini \
                 ${ROOTDIR}etc/php/cli-php7.2/php.ini \
                 ${ROOTDIR}etc/php/cli-php7.3/php.ini \
+                ${ROOTDIR}etc/php/cli-php7.4/php.ini \
                 ${ROOTDIR}etc/php/embed-php5.5/php.ini \
                 ${ROOTDIR}etc/php/embed-php5.6/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.0/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.1/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.2/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.3/php.ini \
+                ${ROOTDIR}etc/php/embed-php7.4/php.ini \
+                ${ROOTDIR}etc/php/fpm-php7.4/php.ini \
                 ${ROOTDIR}etc/php/fpm-php7.3/php.ini \
                 ${ROOTDIR}etc/php/fpm-php7.2/php.ini \
                 ${ROOTDIR}etc/php/fpm-php7.1/php.ini \
@@ -71,7 +77,9 @@
                 ${ROOTDIR}etc/php/fpm-php5.6/php.ini \
                 ${ROOTDIR}etc/php5/cgi/php.ini \
                 ${ROOTDIR}etc/php5/cli/php.ini \
-                ${ROOTDIR}etc/php5/cli-php5.4/php.ini 
${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
+                ${ROOTDIR}etc/php5/cli-php5.4/php.ini \
+                ${ROOTDIR}etc/php5/cli-php5.5/php.ini \
+                ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
                 ${ROOTDIR}etc/php5/apache2/php.ini \
                 ${ROOTDIR}etc/php5/fpm/php.ini \
                 ${ROOTDIR}private/etc/php.ini \
@@ -79,12 +87,20 @@
                 ${ROOTDIR}etc/php/7.1/apache2/php.ini \
                 ${ROOTDIR}etc/php/7.2/apache2/php.ini \
                 ${ROOTDIR}etc/php/7.3/apache2/php.ini \
-                ${ROOTDIR}etc/php/7.0/cli/php.ini 
${ROOTDIR}etc/php/7.0/fpm/php.ini \
-                ${ROOTDIR}etc/php/7.1/cli/php.ini 
${ROOTDIR}etc/php/7.1/fpm/php.ini \
-                ${ROOTDIR}etc/php/7.2/cli/php.ini 
${ROOTDIR}etc/php/7.2/fpm/php.ini \
-                ${ROOTDIR}etc/php/7.3/cli/php.ini 
${ROOTDIR}etc/php/7.3/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.4/apache2/php.ini \
+                ${ROOTDIR}etc/php/7.0/cli/php.ini \
+                ${ROOTDIR}etc/php/7.0/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.1/cli/php.ini \
+                ${ROOTDIR}etc/php/7.1/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.2/cli/php.ini \
+                ${ROOTDIR}etc/php/7.2/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.3/cli/php.ini \
+                ${ROOTDIR}etc/php/7.3/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.4/cli/php.ini \
+                ${ROOTDIR}etc/php/7.4/fpm/php.ini \
                 ${ROOTDIR}var/www/conf/php.ini \
-                ${ROOTDIR}usr/local/etc/php.ini 
${ROOTDIR}usr/local/lib/php.ini \
+                ${ROOTDIR}usr/local/etc/php.ini \
+                ${ROOTDIR}usr/local/lib/php.ini \
                 ${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
                 ${ROOTDIR}usr/local/php54/lib/php.ini \
                 ${ROOTDIR}usr/local/php56/lib/php.ini \
@@ -92,6 +108,7 @@
                 ${ROOTDIR}usr/local/php71/lib/php.ini \
                 ${ROOTDIR}usr/local/php72/lib/php.ini \
                 ${ROOTDIR}usr/local/php73/lib/php.ini \
+                ${ROOTDIR}usr/local/php74/lib/php.ini \
                 ${ROOTDIR}usr/local/zend/etc/php.ini \
                 ${ROOTDIR}usr/pkg/etc/php.ini \
                 ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
@@ -101,6 +118,7 @@
                 ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
                 ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
                 ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
                 ${ROOTDIR}opt/alt/php44/etc/php.ini \
                 ${ROOTDIR}opt/alt/php51/etc/php.ini \
                 ${ROOTDIR}opt/alt/php52/etc/php.ini \
@@ -112,27 +130,42 @@
                 ${ROOTDIR}opt/alt/php71/etc/php.ini \
                 ${ROOTDIR}opt/alt/php72/etc/php.ini \
                 ${ROOTDIR}opt/alt/php73/etc/php.ini \
+                ${ROOTDIR}opt/alt/php74/etc/php.ini \
                 ${ROOTDIR}etc/opt/remi/php56/php.ini \
                 ${ROOTDIR}etc/opt/remi/php70/php.ini \
                 ${ROOTDIR}etc/opt/remi/php71/php.ini \
                 ${ROOTDIR}etc/opt/remi/php72/php.ini \
-                ${ROOTDIR}etc/opt/remi/php73/php.ini"
+                ${ROOTDIR}etc/opt/remi/php73/php.ini \
+                ${ROOTDIR}etc/opt/remi/php74/php.ini"
     # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of 
-current
     PHPINILOCS="${PHPINILOCS} \
-                ${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini 
${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini ${ROOTDIR}etc/php-7.3.ini"
+                ${ROOTDIR}etc/php-5.6.ini \
+                ${ROOTDIR}etc/php-7.0.ini \
+                ${ROOTDIR}etc/php-7.1.ini \
+                ${ROOTDIR}etc/php-7.2.ini \
+                ${ROOTDIR}etc/php-7.3.ini \
+                ${ROOTDIR}etc/php-7.4.ini"
 
     PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
                 ${ROOTDIR}etc/php/7.0/cli/conf.d \
                 ${ROOTDIR}etc/php/7.1/cli/conf.d \
                 ${ROOTDIR}etc/php/7.2/cli/conf.d \
                 ${ROOTDIR}etc/php/7.3/cli/conf.d \
+                ${ROOTDIR}etc/php/7.4/cli/conf.d \
                 ${ROOTDIR}etc/php/7.0/fpm/conf.d \
                 ${ROOTDIR}etc/php/7.1/fpm/conf.d \
                 ${ROOTDIR}etc/php/7.2/fpm/conf.d \
                 ${ROOTDIR}etc/php/7.3/fpm/conf.d \
+                ${ROOTDIR}etc/php/7.4/fpm/conf.d \
                 ${ROOTDIR}etc/php.d \
-                ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d 
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d 
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d 
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
-                ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d 
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d 
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \
                 ${ROOTDIR}opt/alt/php44/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php51/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php52/etc/php.d.all \
@@ -144,14 +177,21 @@
                 ${ROOTDIR}opt/alt/php71/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php72/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php73/etc/php.d.all \
+                ${ROOTDIR}opt/alt/php74/etc/php.d.all \
                 ${ROOTDIR}usr/local/lib/php.conf.d \
                 ${ROOTDIR}usr/local/php70/lib/php.conf.d \
                 ${ROOTDIR}usr/local/php71/lib/php.conf.d \
                 ${ROOTDIR}usr/local/php72/lib/php.conf.d \
-                ${ROOTDIR}usr/local/php73/lib/php.conf.d"
+                ${ROOTDIR}usr/local/php73/lib/php.conf.d \
+                ${ROOTDIR}usr/local/php74/lib/php.conf.d"
     # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of 
-current
     PHPINIDIRS="${PHPINIDIRS} \
-                ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 
${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2 ${ROOTDIR}etc/php-7.3"
+                ${ROOTDIR}etc/php-5.6 \
+                ${ROOTDIR}etc/php-7.0 \
+                ${ROOTDIR}etc/php-7.1 \
+                ${ROOTDIR}etc/php-7.2 \
+                ${ROOTDIR}etc/php-7.3 \
+                ${ROOTDIR}etc/php-7.4"
 #
 
#################################################################################
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_time new/lynis/include/tests_time
--- old/lynis/include/tests_time        2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/include/tests_time        2020-10-05 02:00:00.000000000 +0200
@@ -86,9 +86,8 @@
             # Reason: openntpd syncs only if large time corrections are not 
required or -s is passed.
             #         This might be not intended by the administrator (-s is 
NOT the default!)
             FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | 
${GREPBINARY} -v "grep")
-            ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null
             # Status code 0 is when communication over the socket is 
successfull
-            if [ "$?" -eq 0 ]; then
+            if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then
                 FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; 
NTP_DAEMON="openntpd"
                 LogText "result: found openntpd (method: ntpctl)"
                 OPENNTPD_COMMUNICATION=1
@@ -101,7 +100,7 @@
                 LogText "result: running openntpd not found, but ntpctl is 
instaalled"
             fi
 
-            if [ "${NTP_DAEMON}" == "openntpd" ]; then
+            if [ "${NTP_DAEMON}" = "openntpd" ]; then
                 Display --indent 2 --text "- NTP daemon found: OpenNTPD" 
--result "${STATUS_FOUND}" --color GREEN
             fi
         fi
@@ -124,39 +123,30 @@
         fi
 
         # Check timedate daemon (systemd)
-        if [ -n "${TIMEDATECTL}" ]; then
-            FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) 
synchronized: yes")
-            if [ -n "${FIND}" ]; then
-                # Check for systemd-timesyncd
-                if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then
-                    LogText "Result: found 
${ROOTDIR}etc/systemd/timesyncd.conf"
-                    FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; 
NTP_DAEMON="systemd-timesyncd"
-                    Display --indent 2 --text "- NTP daemon found: systemd 
(timesyncd)" --result "${STATUS_FOUND}" --color GREEN
-                    SYSTEMD_NTP_ENABLED=1
-                else
-                    LogText "Result: ${ROOTDIR}etc/systemd/timesyncd.conf does 
not exist"
-                fi
-            else
-                LogText "Result: time synchronization not performed according 
timedatectl command"
-            fi
-        else
-            LogText "Result: timedatectl command not available on this system"
+        FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | 
${GREPBINARY} -v "grep")
+        if [  -n "${FIND}" ]; then
+            FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; 
NTP_DAEMON="systemd-timesyncd"
+            Display --indent 2 --text "- NTP daemon found: systemd 
(timesyncd)" --result "${STATUS_FOUND}" --color GREEN
+            LogText "Result: Found running systemd-timesyncd in process list"
         fi
 
         # Check crontab for OpenBSD/FreeBSD
         # Check anacrontab for Linux
         CRONTAB_FILES="/etc/anacrontab /etc/crontab"
+        # Regex for matching multiple time synchronisation binaries
+        # Partial sanity check for sntp and ntpdig, but this does not consider 
all corner cases
+        CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'
         for I in ${CRONTAB_FILES}; do
             if [ -f ${I} ]; then
-                LogText "Test: checking for ntpdate or rdate in crontab file 
${I}"
-                FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v 
'^#')
+                LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in 
crontab file ${I}"
+                FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} 
-v '^#')
                 if [ -n "${FIND}" ]; then
                     FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
                     Display --indent 2 --text "- Checking NTP client in 
crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
-                    LogText "Result: found ntpdate or rdate reference in 
crontab file ${I}"
+                    LogText "Result: found ntpdate, rdate, sntp or ntpdig 
reference in crontab file ${I}"
                 else
                     #Display --indent 2 --text "- Checking NTP client in 
crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE
-                    LogText "Result: no ntpdate or rdate reference found in 
crontab file ${I}"
+                    LogText "Result: no ntpdate, rdate, sntp or ntpdig 
reference found in crontab file ${I}"
                 fi
             else
                 LogText "Result: crontab file ${I} not found"
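Review bot: In `CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'` the hyphen sits outside the group, so the `--adj` alternative only matches text with three hyphens and a plain `--adj` long option is never recognised. The same construction lets `-s` match inside any hyphenated word after `sntp` (a host name such as `time-server`), which reports a scheduled time sync that may not exist. Presumably the intent was to match whole options, e.g. `sntp.*[[:space:]](-s|-j|--adj)` and `ntpdig.*[[:space:]]-(S|s)`. The existing comment already says corner cases are not covered, but these two affect the common case.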
@@ -169,31 +159,18 @@
 
         # Check cron jobs
         for I in ${CRON_DIRS}; do
-            if [ -d ${I} ]; then
-                if FileIsReadable ${I}; then
-                    FIND=$(${FINDBINARY} ${I} -type f -a ! -name 
".placeholder" -print 2> /dev/null | ${SEDBINARY} 's/ /__space__/g' | 
${TRBINARY} '\n' '\0' | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} '\0' ' ')
+            for J in "${I}"/*; do  # iterate over folders in a safe way
+                # Check: regular file, readable and not called .placeholder
+                FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
+                if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
+                    LogText "Test: checking for ntpdate, rdate, sntp or ntpdig 
in ${J}"
+                    FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | 
"${GREPBINARY}" -v "^#")
                     if [ -n "${FIND}" ]; then
-                        for J in ${FIND}; do
-                            # Place back spaces if needed
-                            J=$(echo ${J} | ${SEDBINARY} 's/__space__/ /g')
-                            LogText "Test: checking for ntpdate or rdate in 
${J}"
-                            if FileIsReadable ${J}; then
-                                FIND2=$(${EGREPBINARY} "rdate|ntpdate" "${J}" 
| ${GREPBINARY} -v "^#")
-                                if [ -n "${FIND2}" ]; then
-                                    LogText "Positive match found: ${FIND2}"
-                                    FOUND=1; FOUND_IN_CRON=1; 
NTP_CONFIG_TYPE_SCHEDULED=1
-                                fi
-                            else
-                                LogText "Result: could not test in file '${J}' 
as it is not readable"
-                            fi
-                        done
-                    else
-                        LogText "Result: ${I} is empty, skipping search in 
directory"
+                        FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
+                        LogText "Result: found ntpdate, rdate, sntp or ntpdig 
in ${J}"
                     fi
-                else
-                    LogText "Result: could not search in directory due to 
permissions"
                 fi
-            fi
+            done
         done
 
         if [ ${FOUND_IN_CRON} -eq 1 ]; then
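Review bot: In the rewritten cron-directory loop, a file that exists but is not readable is now skipped without any log entry, because the combined `[ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]` test has no else branch and the old "could not test in file ... as it is not readable" message was removed. On an audit run without sufficient privileges a scheduled time-sync job can then be missed with no trace in the log; I would add `elif [ -f "${J}" ] && [ ! -r "${J}" ]; then LogText "Result: could not test in file '${J}' as it is not readable"`. The `"${I}"/*` glob also inspects only direct children, whereas the removed `find ... -type f` descended into subdirectories, so that narrowing deserves a comment if it is intended. The comment `# iterate over folders in a safe way` would read more accurately as `# iterate over the entries of each cron directory`. The enclosing test block starts and ends outside the hunk.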
@@ -532,7 +509,7 @@
 #
     # Test        : TIME-3180
     # Description : Report if ntpctl cannot communicate with OpenNTPD
-    if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ 
"${NTP_DAEMON}" == "openntpd" ]; then
+    if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ 
"${NTP_DAEMON}" = "openntpd" ]; then
         PREQS_MET="YES"
     else
         PREQS_MET="NO"
@@ -548,7 +525,7 @@
 #
     # Test        : TIME-3181
     # Description : Check status of OpenNTPD time synchronisation
-    if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ 
"${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+    if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ 
"${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
         PREQS_MET="YES"
     else
         PREQS_MET="NO"
@@ -567,7 +544,7 @@
     # Test        : TIME-3182
     # Description : Check OpenNTPD has working peers
 
-    if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ 
"${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+    if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ 
"${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
         PREQS_MET="YES"
     else
         PREQS_MET="NO"
@@ -576,11 +553,47 @@
     Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L 
--network NO --category security --description "Check OpenNTPD has working 
peers"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Format is "xx/yy peers valid, ..."
-        FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o "[0-9]{1,4}/" | 
${EGREPBINARY} -o "[0-9]{1,4}" )
-        if [ -n "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
+        FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | 
${CUTBINARY} -d '/' -f 1)
+        if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
             ReportWarning "${TEST_NO}" "OpenNTPD has no peers" 
"${NTPCTLBINARY} -s status"
         fi
     fi
+
+#
+#################################################################################
+#
+
+    # Test        : TIME-3185
+    # Description : Check systemd-timesyncd synchronized time
+
+    if [ "${NTP_DAEMON}" = "systemd-timesyncd" ]; then
+        PREQS_MET="YES"
+    else
+        PREQS_MET="NO"
+    fi
+
+
+    Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L 
--network NO --category "security" --description "Check systemd-timesyncd 
synchronized time"
+    SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        if [ -e "${SYNCHRONIZED_FILE}" ]; then
+           FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y 
"${SYNCHRONIZED_FILE}") ))
+           # Check if last sync was more than 2048 seconds (= the default of 
systemd) ago
+           if [ "${FIND}" -ge 2048 ]; then
+               COLOR=RED
+               ReportWarning "${TEST_NO}" "systemd-timesyncd did not 
synchronized the time recently."
+           else
+               COLOR=GREEN
+           fi
+           Display --indent 2 --text "- Last time synchronization" --result 
"${FIND}s" --color "${COLOR}"
+           LogText "Result: systemd-timesyncd synchronized time ${FIND} 
seconds ago."
+        else
+           Display --indent 2 --text "- Last time synchronization" --result 
"${STATUS_NOT_FOUND}" --color RED
+           ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully 
synchronized time"
+        fi
+    fi
+    unset SYNCHRONIZED_FILE
+
 #
 
#################################################################################
 #
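Review bot: The new TIME-3185 block evaluates `$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))` without checking that `${STATBINARY}` is set or that the stat call produced a number; if the inner command prints nothing, the arithmetic expansion is malformed and the test errors out instead of reporting a result. The prerequisite could carry the check: `if [ "${NTP_DAEMON}" = "systemd-timesyncd" ] && [ -n "${STATBINARY}" ]; then`. The 2048-second threshold is tied to the systemd default, so a host configured with a longer poll interval would presumably be warned about while healthy, which the comment should say. The warning text "did not synchronized the time recently" should read "did not synchronize". In the TIME-3182 part of this hunk, `[ "${FIND}" -eq 0 ]` assumes the ntpctl output yields exactly one `xx/yy` match.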
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/lynis new/lynis/lynis
--- old/lynis/lynis     2020-06-18 02:00:00.000000000 +0200
+++ new/lynis/lynis     2020-10-05 02:00:00.000000000 +0200
@@ -43,10 +43,10 @@
     PROGRAM_WEBSITE="https://cisofy.com/lynis/";
 
     # Version details
-    PROGRAM_RELEASE_DATE="2020-06-18"
-    PROGRAM_RELEASE_TIMESTAMP=1592477492
+    PROGRAM_RELEASE_DATE="2020-10-05"
+    PROGRAM_RELEASE_TIMESTAMP=1601896929
     PROGRAM_RELEASE_TYPE="release" # pre-release or release
-    PROGRAM_VERSION="3.0.0"
+    PROGRAM_VERSION="3.0.1"
 
     # Source, documentation and license
     PROGRAM_SOURCE="https://github.com/CISOfy/lynis";
@@ -216,7 +216,7 @@
 
     # Extract the short notation of the language (first two characters).
     if [ -x "$(command -v locale 2> /dev/null)" ]; then
-        LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | egrep 
"^[a-z]{2}$")
+        LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d 
'"' | egrep "^[a-z]{2}$")
         # Try locale command if shell variable had no value
         if [ -z "${DISPLAY_LANG}" ]; then
             DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
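Review bot: The added `tr -d '"'` strips quotes only from `LANGUAGE`; the `DISPLAY_LANG` fallback two lines below still takes the raw `cut -d= -f2` output, so a quoted `LANG="..."` line from `locale` leaves the quotes in that value. Unlike `LANGUAGE`, which is constrained by `^[a-z]{2}$`, `DISPLAY_LANG` gets no validation in this hunk, and its content comes from the caller's environment. If the value is only shown on screen the effect is cosmetic, but applying the same filter keeps the two consistent: `DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2 | tr -d '"')`. The enclosing block continues outside the hunk.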
@@ -241,6 +241,11 @@
         echo "Could not find languages directory (file: ${DBDIR}/languages/en)"
         exit 1
     fi
+
+    # Now that we have determined the language, we unset it from shell
+    # Some tools with translated strings are very hard to parse
+    unset LANG
+
 #
 
#################################################################################
 #
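Review bot: `unset LANG` alone does not guarantee untranslated tool output, because `LC_ALL` and `LC_MESSAGES` take precedence over `LANG` and are left untouched by this hunk. On a system that sets either of them, the parsing problem described in the added comment would remain. Consider extending the line to `unset LANG LC_ALL LC_MESSAGES`, or state in the comment why only `LANG` is cleared.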
@@ -448,6 +453,7 @@
     ${GRAY}--verbose${NORMAL}                         : Show more details on 
screen
     ${GRAY}--version (-V)${NORMAL}                    : Display version number 
and quit
     ${GRAY}--wait${NORMAL}                            : Wait between a set of 
tests
+    ${GRAY}--slow-warning ${BROWN}<seconds>${NORMAL}  : Threshold for slow 
test warning in seconds (default 10)
 
     ${WHITE}Enterprise options${NORMAL}
     ${GRAY}--plugindir ${BROWN}<path>${NORMAL}                : Define path of 
available plugins
@@ -773,7 +779,7 @@
     if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
         # Show if release is old, only if we didn't show it with normal update 
check
         if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
-            ReportSuggestion "LYNIS" "This release is more than 4 months old. 
Consider upgrading"
+            ReportSuggestion "LYNIS" "This release is more than 4 months old. 
Check the website or GitHub to see if there is an update available."
         fi
         OLD_RELEASE=1
     fi


