From 3a72d82d1eb39438eaf993dad4ca635e17f3500c066ded363e29b0c7da37e2ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Thu, 6 Mar 2025 15:29:46 +0100 Subject: [PATCH] Sync from SUSE:SLFO:Main lynis revision 3b0de71aa5352bed3bb6f9211666db8d --- .gitattributes | 23 + additional_module_blacklist_locations.patch | 32 + dbus-whitelist.db.openSUSE_12.2_x86_64 | 100 ++ fileperms.db.openSUSE_12.2_x86_64 | 156 +++ lynis-3.1.4.tar.gz | 3 + lynis-3.1.4.tar.gz.asc | 16 + lynis-rpmlintrc | 4 + lynis.changes | 1040 +++++++++++++++++++ lynis.keyring | 86 ++ lynis.spec | 140 +++ lynis_1.3.1_include_consts.diff | 12 + lynis_1.3.5_lynis.diff | 20 + lynis_1.3.6_include-osdetection.diff | 13 + prepare_for_suse.sh | 47 + tests_binary_rpath | 77 ++ tests_file_permissionsDB | 77 ++ tests_file_permissions_ww | 52 + tests_network_allowed_ports | 84 ++ tests_system_dbus | 79 ++ tests_system_proc | 59 ++ tests_tmp_symlinks | 50 + tests_users_wo_password | 58 ++ 22 files changed, 2228 insertions(+) create mode 100644 .gitattributes create mode 100644 additional_module_blacklist_locations.patch create mode 100644 dbus-whitelist.db.openSUSE_12.2_x86_64 create mode 100644 fileperms.db.openSUSE_12.2_x86_64 create mode 100644 lynis-3.1.4.tar.gz create mode 100644 lynis-3.1.4.tar.gz.asc create mode 100644 lynis-rpmlintrc create mode 100644 lynis.changes create mode 100644 lynis.keyring create mode 100644 lynis.spec create mode 100644 lynis_1.3.1_include_consts.diff create mode 100644 lynis_1.3.5_lynis.diff create mode 100644 lynis_1.3.6_include-osdetection.diff create mode 100644 prepare_for_suse.sh create mode 100644 tests_binary_rpath create mode 100644 tests_file_permissionsDB create mode 100644 tests_file_permissions_ww create mode 100644 tests_network_allowed_ports create mode 100644 tests_system_dbus create mode 100644 tests_system_proc create mode 100644 tests_tmp_symlinks create mode 100644 tests_users_wo_password 
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/additional_module_blacklist_locations.patch b/additional_module_blacklist_locations.patch
new file mode 100644
index 0000000..956bcaa
--- /dev/null
+++ b/additional_module_blacklist_locations.patch
@@ -0,0 +1,32 @@
+Index: lynis/include/tests_filesystems
+===================================================================
+--- lynis.orig/include/tests_filesystems
++++ lynis/include/tests_filesystems
+@@ -835,15 +835,18 @@
+ AddHP 3 3
+ if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
+ fi
+- FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
+- if [ -n "${FIND}" ]; then
+- FIND1=$(${GREPBINARY} -E "^blacklist[[:space:]]+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+- FIND2=$(${GREPBINARY} -E "^install[[:space:]]+${FS}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+- if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
+- Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
+- LogText "Result: module ${FS} is blacklisted"
+- fi
+- fi
++ for SUBDIR in "${ROOTDIR}etc" "/usr/lib"; do
++ FIND=$(${LSBINARY} ${SUBDIR}/modprobe.d/* 2> /dev/null)
++ if [ -n "${FIND}" ]; then
++ FIND1=$(${GREPBINARY} -E "^blacklist[[:space:]]+${FS}$" ${SUBDIR}/modprobe.d/* | ${GREPBINARY} -v "#")
++ FIND2=$(${GREPBINARY} -E "^install[[:space:]]+${FS}[[:space:]]+/bin/(true|false)$" ${SUBDIR}/modprobe.d/* | ${GREPBINARY} -v "#")
++ if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
++ Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
++ LogText "Result: module ${FS} is blacklisted"
++ break
++ fi
++ fi
++ done
+ done
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
diff --git a/dbus-whitelist.db.openSUSE_12.2_x86_64 b/dbus-whitelist.db.openSUSE_12.2_x86_64
new file mode 100644
index 0000000..1395218
--- /dev/null
+++ b/dbus-whitelist.db.openSUSE_12.2_x86_64
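Review bot: The second search location in `for SUBDIR in "${ROOTDIR}etc" "/usr/lib"; do` is an absolute host path while the first is prefixed with `${ROOTDIR}`, so when lynis audits a mounted tree via its rootdir setting the /usr/lib/modprobe.d blacklist is read from the auditing host instead of the system under test, and a module may be reported as blacklisted (with the `break` ending the search) on the basis of the wrong system. Change the loop header to `for SUBDIR in "${ROOTDIR}etc" "${ROOTDIR}usr/lib"; do` so both locations resolve inside the target tree. The enclosing loop over ${FS} and the test function start and end outside this hunk. The lynis.changes entry that introduces this patch describes the added location as /usr/lib/modules.d, which does not match the modprobe.d path the patch scans; the changelog wording should be corrected to avoid misleading a reader about what is checked.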
@@ -0,0 +1,100 @@
+avahi-dbus.conf
+bluetooth.conf
+com.redhat.NewPrinterNotification.conf
+com.redhat.PrinterDriversInstaller.conf
+com.redhat.tuned.conf
+ConsoleKit.conf
+cups.conf
+dnsmasq.conf
+fi.epitest.hostap.WPASupplicant.service
+FirewallD.conf
+fi.w1.wpa_supplicant1.service
+gdm.conf
+hal.conf
+nm-avahi-autoipd.conf
+nm-dhcp-client.conf
+nm-dispatcher.conf
+nm-openconnect-service.conf
+nm-openvpn-service.conf
+nm-pptp-service.conf
+nm-vpnc-service.conf
+org.blueman.Mechanism.conf
+org.blueman.Mechanism.service
+org.freedesktop.Accounts.conf
+org.freedesktop.Accounts.service
+org.freedesktop.AutoMount.conf
+org.freedesktop.Avahi.service
+org.freedesktop.colord-sane.conf
+org.freedesktop.colord-sane.service
+org.freedesktop.ColorManager.conf
+org.freedesktop.ColorManager.service
+org.freedesktop.ConsoleKit.service
+org.freedesktop.DisplayManager.conf
+org.freedesktop.GeoClue2.Agent.conf
+org.freedesktop.GeoClue2.conf
+org.freedesktop.GeoClue2.service
+org.freedesktop.Hal.service
+org.freedesktop.hostname1.conf
+org.freedesktop.hostname1.service
+org.freedesktop.locale1.conf
+org.freedesktop.locale1.service
+org.freedesktop.login1.conf
+org.freedesktop.login1.service
+org.freedesktop.ModemManager1.conf
+org.freedesktop.ModemManager1.service
+org.freedesktop.ModemManager.conf
+org.freedesktop.ModemManager.service
+org.freedesktop.network1.conf
+org.freedesktop.network1.service
+org.freedesktop.NetworkManager.conf
+org.freedesktop.nm_dispatcher.service
+org.freedesktop.PackageKit.conf
+org.freedesktop.PackageKit.service
+org.freedesktop.PolicyKit1.conf
+org.freedesktop.PolicyKit1.service
+org.freedesktop.PolicyKit.conf
+org.freedesktop.PolicyKit.service
+org.freedesktop.RealtimeKit1.conf
+org.freedesktop.RealtimeKit1.service
+org.freedesktop.systemd1.conf
+org.freedesktop.systemd1.service
+org.freedesktop.timedate1.conf
+org.freedesktop.timedate1.service
+org.freedesktop.UDisks2.conf
+org.freedesktop.UDisks2.service
+org.freedesktop.UDisks.conf
+org.freedesktop.UDisks.service
+org.freedesktop.UPower.conf
+org.freedesktop.UPower.service
+org.gnome.GConf.Defaults.conf
+org.gnome.GConf.Defaults.service
+org.gnome.SettingsDaemon.DateTimeMechanism.conf
+org.gnome.SettingsDaemon.DateTimeMechanism.service
+org.kde.auth.conf
+org.kde.fontinst.conf
+org.kde.fontinst.service
+org.kde.kcontrol.k3bsetup.conf
+org.kde.kcontrol.k3bsetup.service
+org.kde.kcontrol.kcmclock.conf
+org.kde.kcontrol.kcmclock.service
+org.kde.kcontrol.kcmkdm.conf
+org.kde.kcontrol.kcmkdm.service
+org.kde.kcontrol.kcmremotewidgets.conf
+org.kde.kcontrol.kcmremotewidgets.service
+org.kde.ksysguard.processlisthelper.conf
+org.kde.ksysguard.processlisthelper.service
+org.kde.polkitkde1.helper.conf
+org.kde.polkitkde1.helper.service
+org.kde.powerdevil.backlighthelper.conf
+org.kde.powerdevil.backlighthelper.service
+org.opensuse.CupsPkHelper.Mechanism.conf
+org.opensuse.CupsPkHelper.Mechanism.service
+org.opensuse.Network.AUTO4.conf
+org.opensuse.Network.conf
+org.opensuse.Network.DHCP4.conf
+org.opensuse.Network.DHCP6.conf
+org.opensuse.Network.Nanny.conf
+org.opensuse.Snapper.conf
+pulseaudio-system.conf
+skype.conf
+wpa_supplicant.conf
diff --git a/fileperms.db.openSUSE_12.2_x86_64 b/fileperms.db.openSUSE_12.2_x86_64
new file mode 100644
index 0000000..d72e703
--- /dev/null
+++ b/fileperms.db.openSUSE_12.2_x86_64
@@ -0,0 +1,156 @@
+file:/var/run/uscreens/:1777:root:root:Linux:
+file:/etc/crontab:644:root:root:Linux:
+file:/etc/exports:644:root:root:Linux:
+file:/etc/fstab:644:root:root:Linux:
+file:/etc/ftpaccess:644:root:root:Linux:
+file:/etc/ftpusers:644:root:root:Linux:
+file:/etc/rmtab:644:root:root:Linux:
+file:/var/lib/nfs/rmtab:644:root:root:Linux:
+file:/etc/syslog.conf:644:root:root:Linux:
+file:/bin/su:4755:root:root:Linux:
+file:/usr/bin/at:4755:root:trusted:Linux:
+file:/usr/bin/crontab:4755:root:trusted:Linux:
+file:/usr/bin/gpasswd:4755:root:shadow:Linux:
+file:/usr/bin/newgrp:4755:root:root:Linux:
+file:/usr/bin/passwd:4755:root:shadow:Linux:
+file:/usr/bin/chfn:4755:root:shadow:Linux:
+file:/usr/bin/chage:4755:root:shadow:Linux:
+file:/usr/bin/chsh:4755:root:shadow:Linux:
+file:/usr/bin/expiry:4755:root:shadow:Linux:
+file:/usr/bin/sudo:4755:root:root:Linux:
+file:/usr/sbin/su-wrapper:4755:root:root:Linux:
+file:/usr/bin/opiepasswd:4755:root:root:Linux:
+file:/usr/bin/ncpmount:4750:root:trusted:Linux:
+file:/usr/bin/ncpumount:4750:root:trusted:Linux:
+file:/sbin/mount.nfs:4755:root:root:Linux:
+file:/bin/mount:4755:root:root:Linux:
+file:/bin/umount:4755:root:root:Linux:
+file:/bin/eject:4755:root:audio:Linux:
+file:/usr/bin/fusermount:4755:root:trusted:Linux:
+file:/usr/lib/majordomo/wrapper:4755:root:daemon:Linux:
+file:/usr/lib/pt_chown:4755:root:root:Linux:
+file:/usr/lib64/pt_chown:4755:root:root:Linux:
+file:/sbin/unix_chkpwd:4755:root:shadow:Linux:
+file:/sbin/unix2_chkpwd:4755:root:shadow:Linux:
+file:/usr/sbin/popauth:4755:pop:trusted:Linux:
+file:/usr/sbin/pam_auth:4755:root:shadow:Linux:
+file:/usr/lib/gnome-pty-helper:2755:root:utmp:Linux:
+file:/usr/bin/v4l-conf:4755:root:video:Linux:
+file:/usr/lib/ia32el/suid_ia32x_loader:4755:root:root:Linux:
+file:/usr/bin/ntping:4750:root:trusted:Linux:
+file:/usr/bin/wall:2755:root:tty:Linux:
+file:/usr/bin/write:2755:root:tty:Linux:
+file:/usr/bin/makeweb:2755:root:www:Linux:
+file:/usr/bin/yaps:2755:root:uucp:Linux:
+file:/usr/bin/nwsfind:4750:root:trusted:Linux:
+file:/usr/bin/ncplogin:4750:root:trusted:Linux:
+file:/usr/bin/ncpmap:4750:root:trusted:Linux:
+file:/usr/lib/lpdfilter/bin/runlpr:4755:root:root:Linux:
+file:/sbin/pccardctl:4755:root:trusted:Linux:
+file:/usr/sbin/mgnokiidev:4755:root:uucp:Linux:
+file:/usr/lib/pcp/pmpost:4755:root:root:Linux:
+file:/usr/lib/mailman/cgi-bin/admin:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/admindb:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/edithtml:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/listinfo:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/options:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/private:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/roster:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/subscribe:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/confirm:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/create:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/editarch:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/rmlist:2755:root:mailman:Linux:
+file:/usr/lib/mailman/mail/mailman:2755:root:mailman:Linux:
+file:/usr/lib/libgnomesu/gnomesu-pam-backend:4755:root:root:Linux:
+file:/usr/sbin/change-passwd:4755:root:root:Linux:
+file:/usr/bin/get_printing_ticket:4750:root:lp:Linux:
+file:/bin/ping:4755:root:root:Linux:
+file:/bin/ping6:4755:root:root:Linux:
+file:/usr/sbin/mtr:4750:root:dialout:Linux:
+file:/usr/bin/rcp:4755:root:root:Linux:
+file:/usr/bin/rlogin:4755:root:root:Linux:
+file:/usr/bin/rsh:4755:root:root:Linux:
+file:/usr/bin/cl_status:2555:root:haclient:Linux:
+file:/usr/sbin/exim:4755:root:root:Linux:
+file:/usr/sbin/pppoe-wrapper:4750:root:dialout:Linux:
+file:/sbin/isdnctrl:4750:root:dialout:Linux:
+file:/usr/bin/vboxbeep:4755:root:trusted:Linux:
+file:/usr/lib/mc/cons.saver:4755:root:root:Linux:
+file:/usr/bin/jfbterm:6755:root:tty:Linux:
+file:/opt/kde3/bin/artswrapper:4755:root:root:Linux:
+file:/opt/kde3/bin/kcheckpass:4755:root:shadow:Linux:
+file:/usr/lib/kde4/libexec/kcheckpass:4755:root:shadow:Linux:
+file:/usr/lib64/kde4/libexec/kcheckpass:4755:root:shadow:Linux:
+file:/opt/kde3/bin/kdesud:2755:root:nogroup:Linux:
+file:/usr/lib/kde4/libexec/kdesud:2755:root:nogroup:Linux:
+file:/usr/lib64/kde4/libexec/kdesud:2755:root:nogroup:Linux:
+file:/opt/kde3/bin/kpac_dhcp_helper:4755:root:root:Linux:
+file:/opt/kde3/bin/start_kdeinit:4755:root:root:Linux:
+file:/usr/lib/kde4/libexec/start_kdeinit:4755:root:root:Linux:
+file:/usr/lib64/kde4/libexec/start_kdeinit:4755:root:root:Linux:
+file:/usr/bin/fileshareset:4755:root:root:Linux:
+file:/usr/sbin/amcheck:4750:root:amanda:Linux:
+file:/usr/lib/amanda/calcsize:4750:root:amanda:Linux:
+file:/usr/lib/amanda/rundump:4750:root:amanda:Linux:
+file:/usr/lib/amanda/planner:4750:root:amanda:Linux:
+file:/usr/lib/amanda/runtar:4750:root:amanda:Linux:
+file:/usr/lib/amanda/dumper:4750:root:amanda:Linux:
+file:/usr/lib/amanda/killpgrp:4750:root:amanda:Linux:
+file:/usr/lib/gnats/gen-index:4555:gnats:root:Linux:
+file:/usr/lib/gnats/pr-edit:4555:gnats:root:Linux:
+file:/usr/lib/gnats/queue-pr:4555:gnats:root:Linux:
+file:/usr/lib/news/bin/rnews:4550:news:uucp:Linux:
+file:/usr/lib/news/bin/inews:2555:news:news:Linux:
+file:/usr/lib/news/bin/innbind:4554:root:news:Linux:
+file:/usr/lib/mgetty+sendfax/faxq-helper:4755:fax:root:Linux:
+file:/var/spool/fax/outgoing/:0755:fax:root:Linux:
+file:/var/spool/fax/outgoing/locks:0755:fax:root:Linux:
+file:/var/spool/uucppublic/:1777:root:root:Linux:
+file:/usr/bin/uucp:6555:uucp:uucp:Linux:
+file:/usr/bin/uuname:6555:uucp:uucp:Linux:
+file:/usr/bin/uustat:6555:uucp:uucp:Linux:
+file:/usr/bin/uux:6555:uucp:uucp:Linux:
+file:/usr/lib/uucp/uucico:6555:uucp:uucp:Linux:
+file:/usr/lib/uucp/uuxqt:6555:uucp:uucp:Linux:
+file:/usr/lib/PolicyKit/polkit-set-default-helper:4755:polkituser:root:Linux:
+file:/usr/lib/PolicyKit/polkit-read-auth-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-revoke-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-explicit-grant-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-grant-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-grant-helper-pam:4750:root:polkituser:Linux:
+file:/usr/lib/polkit-1/polkit-agent-helper-1:4755:root:root:Linux:
+file:/usr/bin/pkexec:4755:root:root:Linux:
+file:/lib/dbus-1/dbus-daemon-launch-helper:4750:root:messagebus:Linux:
+file:/lib64/dbus-1/dbus-daemon-launch-helper:4750:root:messagebus:Linux:
+file:/usr/bin/newrole:4755:root:root:Linux:
+file:/usr/lib/virtualbox/VirtualBox:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VirtualBox3:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxBFE:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxHeadless:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxSDL:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxNetAdpCtl:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxNetDHCP:4750:root:vboxusers:Linux:
+file:/usr/bin/vmware-user-suid-wrapper:4755:root:root:Linux:
+file:/usr/sbin/lockdev:2755:root:lock:Linux:
+file:/usr/sbin/hawk_chkpwd:4750:root:haclient:Linux:
+file:/usr/sbin/hawk_invoke:4750:root:haclient:Linux:
+file:/usr/lib/chrome_sandbox:4755:root:root:Linux:
+file:/sbin/mount.ecryptfs_private:4755:root:root:Linux:
+file:/usr/bin/su:4755:root:root:Linux:
+file:/usr/sbin/mount.nfs:4755:root:root:Linux:
+file:/usr/bin/mount.nfs:4755:root:root:Linux:
+file:/usr/bin/mount:4755:root:root:Linux:
+file:/usr/bin/umount:4755:root:root:Linux:
+file:/usr/bin/eject:4755:root:audio:Linux:
+file:/usr/sbin/unix_chkpwd:4755:root:shadow:Linux:
+file:/usr/bin/unix_chkpwd:4755:root:shadow:Linux:
+file:/usr/sbin/unix2_chkpwd:4755:root:shadow:Linux:
+file:/usr/bin/unix2_chkpwd:4755:root:shadow:Linux:
+file:/usr/sbin/isdnctrl:4750:root:dialout:Linux:
+file:/usr/bin/isdnctrl:4750:root:dialout:Linux:
+file:/usr/sbin/pccardctl:4755:root:trusted:Linux:
+file:/usr/bin/pccardctl:4755:root:trusted:Linux:
+file:/usr/bin/ping:4755:root:root:Linux:
+file:/usr/bin/ping6:4755:root:root:Linux:
+file:/var/log/messages:0644:root.root:Linux:
diff --git a/lynis-3.1.4.tar.gz b/lynis-3.1.4.tar.gz
new file mode 100644
index 0000000..997f0d1
--- /dev/null
+++ b/lynis-3.1.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c4dbcddd429624d5b2319cd3b19728e18a7885b70b8eb0a9fdd3ca5f0ae28eb6
+size 350939
diff --git a/lynis-3.1.4.tar.gz.asc b/lynis-3.1.4.tar.gz.asc
new file mode 100644
index 0000000..f94db92
--- /dev/null
+++ b/lynis-3.1.4.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEATuqBxgMUKcQEJfvneki8cL95sQFAmeYyHwACgkQneki8cL9
+5sRiBg//cvWGO3lE+vtXyzUS4ZKUGMy08sqMS7Tso6DEYa+1N0BJUFd4oLprNFfr
+B0FmgVvuPEPKnS7vYLj9bYDV9yrlFY6O6Dkqhso2gF3o7P5FSrpjeVU7PUDRtmIH
+BTU+WpXv25/8prGSqgYUO91/B4+GLWCCcJz32jwXtX1cEiq2T8J59rlYt+NEhxmE
+o/4jMrZpeddVpKbHFuMOvGVxmtE/Uziac1VN1HgTq0zBdFQ1Zc6B75RiIjHewiKE
+GDgmBc1S/trEfeJFpJQCLVi/NTW5hCta4MZ4nn/t5Nlkeot7EUAzNX9r48DNWPK9
+ZUfm6tOKBufjeBD1b3gK0p2fWWKuNUfpLtY8U+Gs3uCjMoicqohL1Ki0XqmPEDse
+x31HTpwA5xWF0YvxywPmCTzC30LFNn5ORXY+dd3h4+yiNH42krg7BFm5Vv9IvQHq
+jMcFcQJy2g4XxUmTBMah3dTl/2woe4IDZ9RLAjc15zHNAoLVuiw3hcqwKJwcxDkJ
+Bm7ukHYxTpjs5moxfSr+gZ4BzChpFyzJG+ylAMWTQtQq1S8WW5ku74tPJZojDNGn
+SKbWXRo+seJVQzzz/g4sVKbUbyCb4KXh3ZEQpdAEaTnad4WdPpFJeKFVb1zp3sPW
+snzxFM9w0qjQNWhGvDcAbB5py2XresIhTpmxvzJwRNTagNeNL/8=
+=f15e
+-----END PGP SIGNATURE-----
diff --git a/lynis-rpmlintrc b/lynis-rpmlintrc
new file mode 100644
index 0000000..9dc107f
--- /dev/null
+++ b/lynis-rpmlintrc
@@ -0,0 +1,4 @@
+# lynis demands 640 on these scripts
+addFilter("non-executable-script /usr/share/lynis/include/[^ ]+ 0?640L? /bin/(ba|)sh")
+# identical translations
+addFilter("files-duplicate /usr/share/lynis/db/languages/(en|nl|pt|br)")
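Review bot: The last record of fileperms.db, `file:/var/log/messages:0644:root.root:Linux:`, breaks the colon-separated owner:group layout used by the other 155 records (`root.root` in place of `root:root`), so a consumer that splits on ':' would take `Linux` as the group and an empty OS field, and the /var/log/messages check would silently never match or would mismatch. It should read `file:/var/log/messages:0644:root:root:Linux:`. The mode column also mixes unpadded (`644`, `4755`) and zero-padded (`0644`, `0755`) forms; the parser (tests_file_permissionsDB) is not in this chunk, but if it compares the mode as a string against stat output, one of the two styles can never match, so normalizing every entry to one form would remove that ambiguity.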
diff --git a/lynis.changes b/lynis.changes
new file mode 100644
index 0000000..910cdb1
--- /dev/null
+++ b/lynis.changes
@@ -0,0 +1,1040 @@
+-------------------------------------------------------------------
+Tue Jan 28 12:22:48 UTC 2025 - Robert Frohl
+
+- Update to 3.1.4:
+ * Changed
+ - Update of translations: Portuguese
+ - Add macOS Sequoia
+ - Update of EOL database
+ - Bugfix for using slashes in parameters (SafeInput function)
+ - Simplified copyright line and meta data in files
+ - Support for powerpc64le in authentication section
+ - Don't show error "kadmin.local: unable to get default realm"
+
+-------------------------------------------------------------------
+Mon Dec 16 10:16:18 UTC 2024 - Robert Frohl
+
+- Update to 3.1.3:
+ * Added
+ - Detection of Buildroot, Fedora Linux Asahi Remix, Garden Linux, Peppermint OS
+ - Support for blog posts and articles to enhance suggestions
+ * Changed
+ - BOOT-5264 - Changed output of systemd-analyze test and added link
+ - FILE-6398 - Test temporarily disabled as on modern kernels JDB support is built-in
+ - FIRE-4508 - Several changes to expand the test, make it more generic, resolve minor issues
+ - KRNL-5622 - Test if systemctl binary is set
+ - Several improvements for busybox
+ - Update of translations: Italian, Russian, Spanish
+
+-------------------------------------------------------------------
+Thu Sep 26 15:14:10 UTC 2024 - Robert Frohl
+
+- Update to 3.1.2:
+ * Added
+ - Detection of ALT Linux
+ - Detection of Athena OS
+ - Detection of Container-Optimized OS from Google
+ - Detection of Koozali SME Server
+ - Detection of Nobara Linux
+ - Detection of Open Source Media Center (OSMC)
+ - Detection of PostmarketOS
+ - CRYP-7932 - macOS FileVault encryption test
+ - FILE-6398 - Check if JBD (Journal Block Device) driver is loaded
+ - FINT-4344 - Wazuh system running state
+ - PKGS-7305 - Query macOS Apps in /Applications and CoreServices
+ - File added: .editorconfig, which is used by editors to standardize formatting
+ * Changed
+ - Correction of software EOL database and inclusion of AIX entries
+ - Support sysctl value perf_event_paranoid -> 2|3
+ - Update of translations: German, Portuguest, Turkish
+ - Grammar and spell improvements
+ - Improved package detection on Alpine Linux
+ - Slackware support to check installed packges (functionPackageIsInstalled())
+ - Added words prosecute/report to LEGAL_BANNER_STRINGS
+ - Busybox support: Replace newer tr command syntax with older ascii specific operations
+ - Added Wazuh as a malware scanner/antivirus and rootkit detection tool
+ - Updated PHP versions and removed PHP 5 (deprecated)
+ - AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc)
+ - CONT-8104 - Checking for errors, not only warning in docker info output
+ - DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD
+ - FILE-6344 - Test kernel version (major/minor)
+ - INSE-8000 - Added inetd package and service name used in ubuntu 24.04
+ - KRNL-5622 - Use systemctl get-default instead of following link
+ - KRNL-5820 - Accept ulimit with -H parameter also
+ - LOGG-2144 - Check for wazuh-agent presence on Linux systems
+ - MACF-6234 - Test if semanage binary is available
+ - MALW-3200 - ESET Endpoint Antivirus added
+ - MALW-3280 - McAfee Antivirus for Linux deprecated
+ - MALW-3291 - Check if Microsoft Defender Antivirus is installe
+ - NETW-3200 - Added regex to allow both /bin/true as /bin/false
+ - PKGS-7303 - Added version numbers to brew packages
+ - PKGS-7370 - Cron job check for debsums improved
+ - PKGS-7392 - Improved filtering of apt-check output (Ubuntu 24.04 may give an error)
+ - PKGS-7410 - Added kernel name for Hardkernel odroid XU4
+- update additional_module_blacklist_locations.patch
+
+-------------------------------------------------------------------
+Sun Mar 17 11:15:28 UTC 2024 - Robert Frohl
+
+- Update to 3.1.1:
+ * Added
+ - Detection of ArcoLinux
+ * Changed
+ - DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf)
+ - DBS-1882 - Check /snap directory location for Redis configuration file
+
+-------------------------------------------------------------------
+Mon Mar 11 10:21:40 UTC 2024 - Robert Frohl
+
+- Update to 3.1.0:
+ * Added
+ - Translation: Indonesian
+ * Changed
+ - MALW-3280 - Correction to detect com.avast.daemon
+ - OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP
+ LSDK, OpenEmbedded "nodistro", and The Yocto Projects distro "Poky"
+ - Updated Amazon Linux EOL dates and addition of Amazon Linux 2023
+ - STATUS_NOT_ACTIVE variable added to translation files
+ - End-of-life dates updated
+ - Fixing missing or erroneous test number comments
+ - Detection of SentinelOne corrected
+ - Wazuh for file integrity and tooling
+ - Updated parsing output of arch-audit
+ - Added support for SentinelOne detection
+ - Replacing deprecated option -i for xargs
+ - Path detection for PostgreSQL improved
+- Updated additional_module_blacklist_locations.patch
+
+-------------------------------------------------------------------
+Fri Mar 1 11:34:54 UTC 2024 - pgajdos@suse.com
+
+- Use %patch -P N instead of deprecated %patchN.
+
+-------------------------------------------------------------------
+Sun Nov 12 09:54:02 UTC 2023 - Dirk Müller
+
+- add missing gawk dependency
+
+-------------------------------------------------------------------
+Thu Aug 3 12:56:11 UTC 2023 - Robert Frohl
+
+- Update to 3.0.9:
+ * Changed
+ - DBS-1820 - Added newer style format for Mongo authorization setting
+ - FILE-6410 - Locations added for plocate
+ - SSH-7408 - Only test Compression if sshd version < 7.4
+ - Improved fetching timestamp
+ - Minor changes such as typos
+
+-------------------------------------------------------------------
+Tue May 17 14:00:34 UTC 2022 - Robert Frohl
+
+- Update to 3.0.8:
+ * Added
+ - MALW-3274 - Detect McAfee VirusScan Command Line Scanner
+ - PKGS-7346 Check Alpine Package Keeper (apk)
+ - PKGS-7395 Check Alpine upgradeable packages
+ - EOL for Alpine Linux 3.14 and 3.15
+ * Changed
+ - AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
+ - FILE-7524 - Test enhanced to support symlinks
+ - HTTP-6643 - Support ModSecurity version 2 and 3
+ - KRNL-5788 - Only run relevant tests and improved logging
+ - KRNL-5820 - Additional path for security/limits.conf
+ - KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
+ - KRNL-5830 - Add a presence check for /boot/vmlinuz
+ - PRNT-2308 - Bugfix that prevented test from storing values correctly
+ - Extended location of PAM files for AARCH64
+ - Some messages in log improved
+- accepted upstream, removed additional_paths_security-limits.patch
+
+-------------------------------------------------------------------
+Fri Feb 4 10:08:03 UTC 2022 - Robert Frohl
+
+- cover /usr/etc/security/limits.conf too (boo#1194446)
+ added additional_paths_security-limits.patch
+
+-------------------------------------------------------------------
+Tue Jan 18 13:29:42 UTC 2022 - Robert Frohl
+
+- Update to 3.0.7:
+ * Added
+ - MALW-3290 - Show status of malware components
+ - OS detection for RHEL 6 and Funtoo Linux
+ - Added service manager openrc
+ * Changed
+ - DBS-1804 - Added alias for MariaDB
+ - FINT-4316 - Support for newer Ubuntu versions
+ - MALW-3280 - Added Trend Micro malware agent
+ - NETW-3200 - Allow unknown number of spaces in modprobe blacklists
+ - PKGS-7320 - Support for Garuda Linux and arch-audit
+ - Several improvements for busybox shell
+ - Russian translation of Lynis extended
+- replace 0x429A566FD5B79251 with 0x9DE922F1C2FDE6C4 in lynis.keyring
+ according to https://packages.cisofy.com/
+- update additional_module_blacklist_locations.patch
+
+-------------------------------------------------------------------
+Wed Oct 13 14:35:34 UTC 2021 - Johannes Segitz
+
+- Add additional_module_blacklist_locations.patch to check fo blacklisted
+ modules under /usr/lib/modules.d
+
+-------------------------------------------------------------------
+Mon Oct 11 06:45:59 UTC 2021 - Paolo Stivanin
+
+- Update to 3.0.6:
+ * Added
+ - OS detection: Artix Linux, macOS Monterey, NethServer, openSUSE MicroOS
+ - Check for outdated translation files
+ * Changed
+ - DBS-1826 - Check if PostgreSQL is being used
+ - DBS-1828 - Test multiple PostgreSQL configuration file(s)
+ - KRNL-5830 - Sort kernels by version instead of modification date
+ - PKGS-7410 - Don't show exception for systems using LXC
+ - GetHostID function: fallback options added for Linux systems
+ - Fix: show correct text when egrep is missing
+ - Fix: variable name for PostgreSQL
+
+-------------------------------------------------------------------
+Thu Sep 16 08:59:23 UTC 2021 - Johannes Segitz
+
+- Changed tests_binary_rpath to subtract points for files found with RPATH set,
+ not add points for files that are configured correctly. This resulted in a
+ huge number of points that skewed the overal result
+
+-------------------------------------------------------------------
+Sat Jul 3 11:54:47 UTC 2021 - Andreas Stieger
+
+- fix SLE 12 build
+
+-------------------------------------------------------------------
+Fri Jul 2 12:56:40 UTC 2021 - Robert Frohl
+
+- Update to 3.0.5
+ * Added
+ - OS detection of Arch Linux 32, BunsenLabs Linux, and Rocky Linux
+ - CRYP-8006 - Check MemoryOverwriteRequest bit to protect against cold-boot
+attacks (Linux)
+ * Changed
+ - ACCT-9622 - Corrected typo
+ - HRDN-7231 - When calling wc, use the short -l flag instead of --lines
+ (Busybox compatibility)
+ - PKGS-7320 - extended to Arch Linux 32
+ - Generation of host identifiers (hostid/hostid2) extended
+ - Linux host identifiers are now using ip as preferred input source
+ - Improved logging in several areas
+
+-------------------------------------------------------------------
+Tue May 11 12:43:28 UTC 2021 - Johannes Segitz
+
+- Update to 3.0.4
+ * Added
+ - ACCT-9670 - Detection of cmd tooling
+ - ACCT-9672 - Test cmd configuration file
+ - BOOT-5140 - Check for ELILO boot loader presence
+ - OS detection of AlmaLinux, Garuda Linux, Manjaro (ARM), and others
+ * Changed
+ - BOOT-5104 - Add service manager detection support for runit
+ - FILE-6430 - Report suggestion only when at least one kernel module is not in the blacklist
+ - FIRE-4540 - Corrected nftables empy ruleset test
+ - LOGG-2138 - Do not check for klogd when metalog is being used
+ - TIME-3185 - Improved support for Debian stretch
+ - Corrected issue when Lynis is not executed directly from lynis directory
+
+-------------------------------------------------------------------
+Thu Jan 7 16:38:00 UTC 2021 - Alexandros Toptsoglou
+
+- Update to 3.0.3
+ * Added
+ - Check for registered non-native binary formats
+ - OS detection of Parrot GNU/Linux
+ * Changed
+ - Force test to check only password authentication
+ - Support for NetBSD
+
+ * Fixed: command 'configure settings' did not work as intended
+
+-------------------------------------------------------------------
+Mon Jan 4 09:13:29 UTC 2021 - Robert Frohl
+
+- Update to 3.0.2
+ * Added
+ - Scan for locked user accounts in /etc/passwd
+ - Loghost configuration
+ - Check for active Suricata daemon
+ - OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS
+ - OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others
+ - EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11
+ - Support for Solaris svcs (service manager)
+ - Enumeration of Solaris services
+ * Changed
+ - Detect sysstat systemd unit
+ - Only fail if both SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are undefined
+ - Support for Solaris
+ - Improved reboot test by ignoring known bad values
+ - Ignore rescue kernel such as on CentOS systems
+ - Detection of Alpine Linux kernel
+ - Compatibility change for hostname check
+ - Support for Solaris
+ - Don't show exception if no kernels were found on the disk
+ - Supports now checking files at multiple locations (systemd)
+ - ParseNginx function: Support include on absolute paths
+ - ParseNginx function: Ignore empty included wildcards
+ - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
+ - HostID: Use first e1000 interface and break after match
+ - Translations extended and updated
+ - Test if pgrep exists before using it
+ - Better support for busybox shell
+ - Small code enhancements
+
+-------------------------------------------------------------------
+Fri Nov 13 09:42:44 UTC 2020 - Johannes Segitz
+
+- Add a Requires for net-tools-deprecated, as legacy binary binaries
+ are still used by some of the custom lynis tests we ship. Later on
+ I'll port them to use current binaries and remove this again
+
+-------------------------------------------------------------------
+Mon Oct 5 13:50:24 UTC 2020 - Robert Frohl
+
+- Update to 3.0.1
+ * Added
+ - Detection of Alpine Linux
+ - Detection of CloudLinux
+ - Detection of Kali Linux
+ - Detection of Linux Mint
+ - Detection of macOS Big Sur (11.0)
+ - Detection of Pop!_OS
+ - Detection of PHP 7.4
+ - Malware detection tool: Microsoft Defender ATP
+ - New flag: --slow-warning to allow tests more time before showing a warning
+ - Test TIME-3185 to check systemd-timesyncd synchronized time
+ - rsh host file permissions
+ * Changed
+ - Added option for LOCKED accounts and bugfix for older bash versions
+ - Presence check for grub.d added
+ - Added support for certificates in DER format
+ - Added data to report
+ - Redirect errors (e.g. when swap is not encrypted)
+ - Don't grep nonexistant modprobe.d files
+ - Set initial firewall state
+ - Corrected text on screen
+ - Handle zipped kernel configuration correctly
+ - Improved version detection for non-symlinked kernel
+ - Extended detection of BitDefender
+ - Find more time synchronization commands
+ - Corrected detection of time peers
+ - Fix: hostid generation routine would sometimes show too short IDs
+ - Fix: language detection
+ - Generic improvements for macOS
+ - German translation updated
+ - End-of-life database updated
+
+-------------------------------------------------------------------
+Thu Jun 18 12:17:36 UTC 2020 - Robert Frohl
+
+- Update to 3.0.0
+ * Security issues
+ - CVE-2020-13882: incorrect Access Control because of a TOCTOU race condition (boo#1173141).
+ - CVE-2019-13033: local disclosure of license key when data is uploaded (boo#1173142).
+ * Breaking change: Non-interactive by default
+ - Lynis now runs non-interactive by default, to be more in line with the Unix
+ philosophy. So the previously used '--quick' option is now default, and the tool
+ will only wait when using the '--wait' option.
+ * Breaking change: Deprecated options
+ - Option: -c
+ - Option: --check-update/--info
+ - Option: --dump-options
+ - Option: --license-key
+ * Breaking change: Profile options
+ - The format of all profile options are converted (from key:value to key=value).
+ You may have to update the changes you made in your custom.prf.
+ * Security
+ - An important focus area for this release is on security. We added several
+ measures to further tighten any possible misuse.
+ * New: DevOps, Forensics, and pentesting mode
+ - This release adds initial support to allow defining a specialized type of audit
+ Using the relevant options, the scan will change base on the intended goal.
+- Further features, bug fixes and details about the release listed in
+ https://raw.githubusercontent.com/CISOfy/lynis/3.0.0/CHANGELOG.md
+
+-------------------------------------------------------------------
+Tue Jun 25 07:32:29 UTC 2019 - Robert Frohl
+
+- Update to 2.7.5
+ Added:
+ * Danish translation
+ * Slackware end-of-life information
+ * Detect BSD-style (rc.d) init in Linux systems
+ * Detection of Bro and Suricata (IDS)
+
+ Changed:
+ * Corrected end-of-life entries for CentOS 5 and 6
+ * Change name to check in /etc/passwd file for QNAP devices
+ * AIX enhancement to use correct find statement
+ * Filter on correct field for AIX
+ * Set ss command as preferred option for Linux and changed output format
+ * List of PHP ini file locations has been extended
+ * Removed several pieces of the code as part of cleanup and code health
+ * Extended help
+
+-------------------------------------------------------------------
+Mon Jun 3 11:20:11 UTC 2019 - Tuukka Pasanen
+
+- Add more false-positive packages to Dbus database: tuned, autofs, lightdm, geoglue2, snapper and ModemManager
+
+-------------------------------------------------------------------
+Wed May 29 11:47:34 UTC 2019 - Tuukka Pasanen
+
+- Add these common false-positive packages to Dbus database whitelist: FirewallD, SystemD and Wicked
+
+-------------------------------------------------------------------
+Tue Apr 23 07:24:21 UTC 2019 - Robert Frohl
+
+- Update to 2.7.4
+ Added
+ * FILE-6324 - Discover XFS mount points
+ * INSE-8000 - Installed inetd package
+ * INSE-8100 - Installed xinetd package
+ * INSE-8102 - Status of xinet daemon
+ * INSE-8104 - xinetd configuration file
+ * INSE-8106 - xinetd configuration for inactive daemon
+ * INSE-8200 - Usage of TCP wrappers
+ * INSE-8300 - Presence of rsh client
+ * INSE-8302 - Presence of rsh server
+ * Detect equery binary detection
+ * New 'generate' command
+
+ Changed
+ * AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
+ * PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
+ * PKGS-7420 - Detect toolkit to automatically download and apply upgrades
+ * PKGS-7328 - Added global Zypper option --non-interactive
+ * PKGS-7386 - Only show warning when vulnerable packages were discovered
+ * PKGS-7392 - Skip test for Zypper-based systems
+ * Minor changes to improve text output, test descriptions, and logging
+ * Changed CentOS identifiers in end-of-life database
+ * AIX enhancement for IsRunning function
+ * Extended PackageIsInstalled function
+ * Improve text output on AIX systems
+ * Corrected lsvg binary detection
+
+-------------------------------------------------------------------
+Thu Mar 21 12:11:32 UTC 2019 - Robert Frohl
+
+- update to 2.7.3
+ Added
+ * Detection for Lynis being scheduled (e.g.
cronjob) + + Changed + * HTTP-6624 - Improved logging for test + * KRNL-5820 - Changed color for default fs.suid_dumpable value + * LOGG-2154 - Adjusted test to search in configuration file correctly + * NETW-3015 - Added support for ip binary + * SQD-3610 - Description of test changed + * SQD-3613 - Corrected description in code + * SSH-7408 - Increased values for MaxAuthRetries + * Improvements to allow tailored tool tips in future + * Corrected detection of blkid binary + * Minor textual changes and cleanups + +------------------------------------------------------------------- +Thu Mar 7 11:54:18 UTC 2019 - Robert Frohl + +- update to 2.7.2 + * Added support for doas (OpenBSD) + * Added test file permissions of doas configuration + * Added support for systemd-boot boot loader + * Added simplify service filter and allow multiple dots in service names + * Added check OpenBSD boot daemons + * Added test permissions for boot files and scripts + * Added support for end-of-life detection of the operating system + * Added new 'lynis show eol' command + * Multiple changes and improvements + +------------------------------------------------------------------- +Fri Feb 1 10:28:13 UTC 2019 - Robert Frohl + +- update to 2.7.1 + * Improve support for Red Hat and clones + * Additional support for Hands Off!, LuLu, and Radio Silence + * Added MariaDB filter for deleted files (tested on CentOS) + * Added /etc/bash.bashrc.local to umask check + * Removed shift statement that did not work on all operating systems + * Minor cleanups and enhancements + * Small improvements to logging + * Added translation for Slovak + +------------------------------------------------------------------- +Sat Oct 27 02:36:44 UTC 2018 - sean@suspend.net + +- update to 2.7.0 + * added detection of TOMOYO binary (MACF-6240) + * Status of TOMOYO framework updated (MACF-6242) + * OpenSSH server version detected (SSH-7406) + * Check active OSSEC analysis daemon (TOOL-5160) + * Changed several warning 
labels on screen + * More generic sulogin for systemd rescue (AUTH-9308) + * OS detection now ignores quotes for getting the OS ID + +------------------------------------------------------------------- +Tue Oct 9 08:20:47 UTC 2018 - Robert Frohl + +- update to 2.6.9 + * Man page has been updated + * Command 'lynis show options' provides up-to-date list + * Option '--dump-options' is deprecated + * Several options and commands have been extended with more examples + * OS detection now supports openSUSE specific distribution names + * Changed command output when using 'lynis audit system remote' + * added /usr/local/redis/etc path and QNAP support + * ignore exception when no vmlinuz file was discovered + +------------------------------------------------------------------- +Thu Sep 20 13:04:11 UTC 2018 - astieger@suse.com + +- update to 2.6.8: + * improved parsing of boot parameters to init process + * test all PHP files for expose_php and improved logging + * Docker check now tests also for CMD, ENTRYPOINT, and USER configuration + * Improved display in Docker output for showing which keys are used for signing +- includes changes from 2.6.7: + * Added busybox as a service manager + * Limit PAE and no-execute test to AMD64 hardware only + * Ignore /dev/zero and /dev/[aio] as deleted files + * Changed classification of SSH root login with keys + * Docker scan uses new format for maintainer value +- includes chagnes from 2.6.6: + * Improved log text about running kernel version + * Under some condition no hostid2 value was reported + * Solved 'extra operand' issue with tr command + +------------------------------------------------------------------- +Wed Jun 27 08:42:31 UTC 2018 - astieger@suse.com + +- update to 2.6.5: + * mail: Exim configuration test + * network: Use FQDN to test status of a nameserver instead of own IP address + * ssh: Improved test to allow configurations with a Match block +- includes changes from 2.6.4: + * auth: Made 'sulogin' more generic for 
systemd rescue shell + * dns: Initial work on DNSSEC validation testing + * network: Added support for local resolver 127.0.0.53 + * php: Suhosin test disbled + * ssh: Removed 'DELAYED' from OpenSSH Compression setting + * time: Improvements to detect step-tickers file and entries +- includes changes from 2.6.3: + * crypt: Do prevalidation for certificates before testing them + * hardening: Enhanced compiler permission test + * name: Improved test to filter out empty lines + * packages: changes to detect yum-utils package and related tooling + * plugins: cron file permissions +- includes changes from 2.6.2: + * Textual changes for several tests + * Update of tests database + +------------------------------------------------------------------- +Fri Jan 26 17:00:07 UTC 2018 - astieger@suse.com + +- update to 2.6.1: + * New group 'usb' for tests related to USB devices + * Updated and enhanced tests + * Many bug fixes + * output and UI fixes + +------------------------------------------------------------------- +Thu Jun 8 19:36:22 UTC 2017 - astieger@suse.com + +- Lynis 2.5.1: + * Improved detection of SSL certificate files + * Minor changes to improve logging and results + * Firewall tests: Determine if CSF is in testing mode +- includes changes from Lynis 2.5.0: + * CVE-2017-8108: symlink attack may have allowed arbitrary file + overwrite or privilege escalation (bsc#1043463) + * Deleted unused tests from database file + * Additional sysctls are tested + * Extended test with Symantec components + * Snort detection + * Snort configuration file + +------------------------------------------------------------------- +Tue Apr 4 09:35:48 UTC 2017 - tuukka.pasanen@ilmi.fi + +- Lynis 2.4.8 (Changelog from 2.4.1) + * More PHP paths added + * Minor changes to text + * Show atomic test in report + * Added FileInstalledByPackage function (dpkg and rpm supported) + * Mark Arch Linux version as rolling release (instead of unknown) + * Support for Manjaro Linux + * Escape files 
when testing if they are readable + * Code cleanups + * Allow host alias to be specified in profile + * Code readability enhancements + * Solaris support has been improved + * Fix for upload function to be used from profile + * Reduce screen output for mail section, unless --verbose is used + * Code cleanups and removed 'update release' command + * Colored output can now be tuned with profile (colors=yes/no) + * Allow data upload to be set as a profile option + * Properly detect SSH daemon version + * Generic code improvements + * Improved the update check and display + * Finish, Portuguese, and Turkish translation + * Extended support and tests for DragonFlyBSD + * Option to configure hostid and hostid2 in profile + * Support for Trend Micro and Cylance (macOS) + * Remove comments at end of nginx configuration + * Used machine ID to create host ID when no SSH keys are available + * Added detection of iptables-save to binaries + +Tests: + BANN-7126 - Added more words to test for + CUPS-2308 - Improve logging for CUPS configuration test, removed exception handler + HTTP-6641 - Support detection for Apache module mod_reqtimeout + PKGS-7388 - Minor change to detect security repositories + CRYP-7902 - Test more certificates names, but only if they are not part of a package + FILE-7524 - Reduce standard screen output for file permissions check + MALW-3280 - Added Avira detection as a malware scanner + NAME-4018 - Only perform name services test when resolv.conf file exists + PKGS-7387 - Check all repositories if they use GPG signing + SCHD-7704 - Permission checks + TIME-3104 - Check permissions before open files + AUTH-9328 - Add missing 0027 and 0077 umasks + BOOT-5104 - Add initsplash and minor code enhancements + DBS-1882 - Include Redis configuration file + FIRE-4502 - Improved detection for iptables modules when using OpenVZ + PKGS-7381 - Enhanced package audit for FreeBSD + AUTH-9308 - Improved test for sulogin string (Debian systems) + FILE-6372 - Properly deal 
with comment on lines in /etc/fstab + MAIL-8817 - New test to check Postfix configuration for errors + SSH-7408 - Corrected SSH check + AUTH-9308 - Improved test for sulogin string + MAIL-8818 - Test if Linux version is known before comparing in Postfix banner + TIME-3116 - Skip stratum 16 items for time pools + TIME-3148 - New test to detect TZ variable + AUTH-9208 - Removed double logging + AUTH-9222 - Improve logging for double groups + AUTH-9226 - Improve logging for double groups + BOOT-5177 - Sort systemctl unit files to make them unique + DBS-1818 - New test to detect MongoDB + DBS-1820 - New test for MongoDB authentication + FIRE-4512 - Lowered minimum number of iptables firewall rules + FIRE-4586 - Fix applied when searching for "-j LOG" + HRDN-7222 - Changed reporting key of world executable compilers + SSH-7408 - Added filtering for PermitRootLogin (prohibit-password, OpenSSH 7.0) + FIRE-4586 - Check logging for firewall components + KRNL-5788 - Remove exception and style improvements + KRNL-5830 - Improved logging + +------------------------------------------------------------------- +Fri Nov 4 13:41:25 UTC 2016 - matthias.gerstner@suse.com + +- lynis 2.4.0 + * Mainly improved support for macOS users + * Support for CoreOS + * Support for clamconf utility + * Support for chinese translation + * More sysctl values in the default profile + * New commands: "upload-only", "show hostids", "show environment", "show os" + +------------------------------------------------------------------- +Wed Sep 28 11:45:44 UTC 2016 - astieger@suse.com + +- lynis 2.3.4 with various improvements, including: + * Several tests have extended log details + * Detection of nftables improved + * Replaced cut, sed, tr and others commands with binary variable + (for forensics and future intrusion checking capabilities) + * OS detection improved + +------------------------------------------------------------------- +Thu Sep 15 14:44:27 UTC 2016 - astieger@suse.com + +- lynis 2.3.3 
with many improvements and updates + +------------------------------------------------------------------- +Thu May 12 08:32:25 UTC 2016 - astieger@suse.com + +- lynis 2.2.0: + * new features and tests, small enhancements + * optimisation, better detection + * dealing with OS quirks and unexcepted results + * adjustments for supporting more compliance in-depth + * Detection for CFEngine has been improved + * now tries to determine if failed logins are properly logged + * New plugin is introduced to analyze PAM settings + * Initial support to test UEFI settings, including Secure Boot option. + * Support added for Unbound DNS caching tool, configuration check + * Record if a name caching utility is being used like nscd or Unbound. + * Tests chains of iptables and their default policy (ACCEPT or DROP) + * Support upcoming nftables technology (status check) + * Test added to include osqueryd as a supported tool. + * Detection of firewire is enhanced (both ohci and core detected). + * Extended the test syslog-ng logging to remote systems. + * ESET and LMD (Linux Malware Detect) have been added. + * Discovered malware scanners are also logged to the report. + * Eexpanded test for multiple common mount points and define best + practice mount flags. + * Best practices for IPv6 configuration on Linux are now collected. + * Collect network interface names from most operating systems. + * Password change test has been extended to both capture minimum and password age. + * Add Proxu support + * SystemV init is now detected. + * Now information will be logged when vulnerable software packages were found. + * Support for DNF (Dandified YUM) for Fedora systems has been added. + * Multiple configuration tests of SSH merged. + * Extend detection of virtual machines (VMware tools) + * Machine state detection with Puppet, Facter, dmidecode, and lscpu + * When using pentest mode, it will continue without any delays (=quick mode). 
+ * Improvements for automatic execution of Lynis + * Upload improvements + +------------------------------------------------------------------- +Wed Jul 29 11:05:22 UTC 2015 - astieger@suse.com + +- lynis 2.1.1: + * performance improvements + * additional support for Linux distributions and external utilities + * Apache module directory /usr/lib64/apache has been added, which + is used on openSUSE. + * various other improvements and bug fixes +- update patches for contect changes: + lynis_1.3.1_include_consts.diff, lynis_1.3.5_lynis.diff + +------------------------------------------------------------------- +Tue May 12 15:19:07 UTC 2015 - astieger@suse.com + +- lynis 2.1.0: + * Screen output has been improved to provide additional information. + * Core dump check on Linux is extended to check for actual values as well. + * Software: + + McAfee detection has been extended by detecting a running cma binary. + + Security patch checking with zypper extended. + * Session timeout: + + Tests to determine shell time out setting have been extended + + determine also if variable is exported as a readonly variable. + + Related compliance section PCI DSS 8.1.8 has been extended. 
+- includes changes from Lynis 2.0.0: + * New feature: helpers + * docker build file audit helper + * Improved OS support + * support systemd, docker, nftables + * New parameters: + + --dump-options (see all options) + + --report-file (define a different location for the report file) +- use tarball supplied default.prf +- clean or silence rpmlint warnings + +------------------------------------------------------------------- +Tue Feb 17 12:32:20 UTC 2015 - astieger@suse.com + +- lynis 1.6.4: + * New: + + Boot loader detection for AIX + + Detection of getcap and lsvg binary + + Added filesystem_ext to report + + Detect rootsh + * Changes: + + Hide errors when RPM database is faulty and show suggestion instead + + Allow OpenBSD to gather information on listening network ports + + Don't trigger warning for Shellshock when doing segfault test + + Do not run Apache test on OpenBSD and strip control chars + + Extended AIDE test with configuration validation test + + Improved Shellshock test regarding non-Linux support + + Added support for gathering volume groups on AIX + + Properly parse PAM lines and add them to report + + Support for boot loader detection on OpenBSD + + Added uptime detection for OpenBSD systems + + Support for volume groups on AIX + + Redirect errors when searching for readlink binary +- includes changes from 1.6.3: + * New: + + Added tests for Shellshock bash vulnerability + + Added test to determine if Snoopy is used + + New test for qdaemon configuration file + + Test for GRUB boot loader password + + New test for qdaemon printer jobs + + Added ClamXav test for Mac OS X + + Gentoo vulnerable packages test + + New test for qdaemon status + + Gentoo package listing + + Running Lynis without root permissions will start non-privileged scan + + Systemd service and timer example file added + + Added grub2-install to binaries + * Changes: + + Adjustments so insecure SSL protocols are detected in nginx config + + Directories will be skipped when searching 
for nginx log files + + Only gather unique name servers from /etc/resolv.conf + + Properly detect mod_evasive on Gentoo and others + + Improved swap partition detection in /etc/fstab + + Improvements to kernel detection (e.g. Gentoo) + + Test for built-in security options in YUM + + Improved boot loader detection for GRUB2 + + Split GRUB test into two tests + + Added Mac OS uptime check + + Improved GetHostID function for systems having only ip binary + + Improved testing for symlinked binary directories + + Minor adjustments to log output + + Renamed dev directory to extras +- verify source signature +- adjust permissions of items in /usr/share/lynis/include/consts + to match those requested by main executable +- run spec_cleaner + + +------------------------------------------------------------------- +Sun Nov 16 00:39:00 UTC 2014 - Led + +- fix bashisms in scripts + +------------------------------------------------------------------- +Wed Sep 24 16:36:21 UTC 2014 - citypw@gmail.com + +- Upgrade to version 1.6.2 +- Remove files: + * lynis_1.3.7_include-test-filesystem.diff( already fixed) + * lynis-1.3.9.tar.gz + +------------------------------------------------------------------- +Thu Jan 9 18:45:44 UTC 2014 - saigkill@opensuse.org + +- updated to version 1.3.9 +- removed patch + * lynis_1.3.6_include-test-kernel.diff (fixed upstream) + +------------------------------------------------------------------- +Wed Dec 11 20:14:06 UTC 2013 - saigkill@opensuse.org + +- updated to version 1.3.7 +- Changelog: + * FileExists() and SearchItem() functions were added. 
The yum-security + check and iptables binary check were improved, and the report was + extended to show which tests have been executed or skipped +- updated patch + * lynis_1.3.7_include-test-filesystem.diff + +------------------------------------------------------------------- +Tue Dec 10 18:46:14 UTC 2013 - saigkill@opensuse.org + +- updated to version 1.3.6 +- Removed patches (obsolete): + * lynis_1.3.5_include_binaries.diff + +- Updated patches + * lynis_1.3.6_include_osdetection.diff + * lynis_1.3.6_include-test-kernel.diff + +------------------------------------------------------------------- +Sun Nov 24 14:29:06 UTC 2013 - saigkill@opensuse.org + +- updated to version 1.3.5 + +- Updated patches: + o lynis_1.3.1_lynis.diff + o lynis_1.3.1_include_binaries.diff + o lynis_1.3.1_include-osdetection.diff + o lynis_1.3.1_include-test-kernel.diff + +- Removed patches (obsolete) + o lynis_1.3.1_include-test-databases.diff + o lynis_1.3.1_include-test-storage.diff + o lynis_1.3.1_include-test-homedirs.diff + +------------------------------------------------------------------- +Fri Jun 21 12:22:08 UTC 2013 - thomas@suse.com + +- fixed typo in prepare_for_suse.sh + +------------------------------------------------------------------- +Fri Jan 25 09:40:52 UTC 2013 - thomas@suse.com + +- fixed log message for dbus test +- fixed bash variable incrementation that sneaked in the code + +------------------------------------------------------------------- +Mon Jan 14 14:57:15 UTC 2013 - thomas@suse.com + +- fixed tests_network_allowed_ports to increment index vars + and not loop forever + +------------------------------------------------------------------- +Thu Jan 10 16:53:32 UTC 2013 - thomas@suse.com + +- fixed test_homedirs + +------------------------------------------------------------------- +Thu Jan 10 16:46:02 UTC 2013 - thomas@suse.com + +- some bugfixing for pathnames, didn't work with sudo +- improved default.prf by adding more sysctl vars +- fixed test_storage +- 
generated fileperm.db and dbus-whitelist for 12.2 + +------------------------------------------------------------------- +Mon Dec 26 16:24:35 UTC 2011 - Sascha.Manns@open-slx.de + +- fixed conflict in spec + +------------------------------------------------------------------- +Mon Dec 26 16:18:01 UTC 2011 - Sascha.Manns@open-slx.de + +- updated to version 1.3.0 +- from Changelog: +- New: + - Profile option: ignore_home_dir + - TCP wrappers category added + - Tooling category added + - Initial extensions to support plugins in the future + - Test for unpurged Debian packages [PKGS-7346] + - Test for compiler permissions [HRDN-7222] +- Changes: + - Converted all dates to ISO format and updated copyright lines + - Correct suggestion for file integrity tool [FINT-4350] + - Added hint when RPM list is empty on DPKG based systems [PKGS-7308] + - Changed logging for /etc/security/limits.conf file [KRNL-5820] + - Fixed incorrect warning for single user mode [AUTH-9308] + - Improved output for stratum 16 time servers [TIME-3116] + - Added suggestion and screen output for kernel hardening [KRNL-6000] + - Screen layout optimalizations and log file improvements + - Improved list/layout of scan options + - Improved binary check for compilers + - Added configuration option in scan profile (show_tool_tips, default + true) + +------------------------------------------------------------------- +Thu Apr 7 15:57:31 UTC 2011 - thomas@novell.com + +- added patch for apache2 and oracle detection + +------------------------------------------------------------------- +Fri Apr 1 22:00:13 UTC 2011 - saigkill@opensuse.org + +- removed rpmlintrc and fixed non-executable-script + +------------------------------------------------------------------- +Sun Dec 26 19:55:21 UTC 2010 - saigkill@opensuse.org + +- prettyfied spec file +- NOTE: Please submit submitrequests to home:saigkill. This Package links to this Repository. 
+ +------------------------------------------------------------------- +Fri Sep 3 05:41:52 UTC 2010 - thomas@novell.com + +- fixed %files section to include /etc/lynis + +------------------------------------------------------------------- +Fri Sep 3 05:12:43 UTC 2010 - thomas@novell.com + +- fixed %files section to reflect new default.prf location + +------------------------------------------------------------------- +Fri Sep 3 05:09:47 UTC 2010 - thomas@novell.com + +- added permdir /root/.gnupg to default.prf + +------------------------------------------------------------------- +Fri Sep 3 05:04:03 UTC 2010 - thomas@novell.com + +- copy default.prf to /etc/lynis/ instead of /etc/, otherwise + lynis will not find it and hang + +------------------------------------------------------------------- +Thu Sep 2 11:32:50 UTC 2010 - thomas@novell.com + +- added %{_datadir}/%{name}/prepare_for_suse.sh + +------------------------------------------------------------------- +Thu Sep 2 10:56:55 UTC 2010 - thomas@novell.com + +- adjusted patch and spec file to make it build + +------------------------------------------------------------------- +Wed Sep 1 12:30:43 UTC 2010 - thomas@novell.com + +- put code from Matthias Weckbecker sec_check into lynis +- adjusted lynis for opensuse +- details: + + tests_tmp_symlinks + + tests_network_allowed_ports + + tests_system_proc + + tests_file_permissions_ww + + tests_binary_rpath + + tests_users_wo_password + + tests_file_permissionsDB + + tests_system_dbus + +------------------------------------------------------------------- +Wed Dec 16 05:19:37 UTC 2009 - saigkill@opensuse.org + +- updated to version 1.2.9 +- added default.prf + +------------------------------------------------------------------- +Wed Dec 9 16:21:53 UTC 2009 - saigkill@opensuse.org + +- update to 1.2.8 + +------------------------------------------------------------------- +Mon Nov 2 18:16:38 UTC 2009 - saigkill@opensuse.org + +- update to 1.2.7 +- This release adds 
AIX Support and several new tests related to SSH, logging, databases and SMTP. Many minor issues are solved or improved. + +----------------------------------------------------------------- +Mon Apr 6 09:04:05 CEST 2009 - saigkill@opensuse.org + +- update to 1.2.6 +- This release has several new tests and test improvements, like a sudoers + file permissions check, a core dumps configuration check for Linux, PHP + tests, and an /etc/issue banner test. + +----------------------------------------------------------------- +Sat Mar 28 10:27:12 CET 2009 - saigkill@opensuse.org + +- update to 1.2.5 +- This release adds 40+ new tests for services like Dovecot, + BIND, PowerDNS, SSH, Exim, and nginx + +----------------------------------------------------------------- +Tue Mar 17 2009 20:32 CET - mrdocs@opensuse.org + +- added 1.2.4 release +- This release adds more than 30 new tests, +including NTP, auditd, PAM, NFS and ClamAV. + +------------------------------------------------------------------ +Mon Mar 02 22:32 CET 2009 - mrdocs@opensuse.org + +- 1.2.3 release see CHANGELOG for changes + +------------------------------------------------------------------- +Thu Feb 26 14:16:35 CET 2009 - pgajdos@suse.cz + +- removed patches: + - passwd-args.patch + - suppress-dpkg-error.patch +- source repacked gz -> bz2 + +------------------------------------------------------------------- +Sun Feb 17 2009 - mrdocs@opensuse.org + +- 1.2.2 release - see CHANGELOG for changes + +------------------------------------------------------------------ +Mon Feb 16 03:15:44 CET 2009 - saigkill@opensuse.org + +- updated to Version 1.2.2 + +------------------------------------------------------------------ +Wed Jan 07 12:00:00 CET 2009 - saigkill@opensuse.org + +- fixed Rpmlint Errors +- branched for Contrib + +------------------------------------------------------------------ +Wed Nov 10 12:00:00 CET 2008 - saigkill@opensuse.org + +- initial version using the buildservice 
diff --git a/lynis.keyring b/lynis.keyring new file mode 100644 index 0000000..af9b25a --- /dev/null +++ b/lynis.keyring 
@@ -0,0 +1,86 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBGDRds0BEAC4XJX2CtSzyZWmVTn5waHSpu/Bfzs8qb9K4IALEtds5LKnvoGV +7gK1fC8gbN2mY9dfuhcTxuLg8G37MROWjY2KAANfjmFUT/MTOE13/uhggg3/Q23U +nHmKjV1FjOrq/Cz7bYO2ErbkxAXqT0/aCgE7b91kKDguX2N6hMyG8BqloyjeDzDu +MJfCbNPbvkJHoOQ7i/0Pq72jTIqgx86EXJdjLvC6Q1P4TfPckW2E+YWxhwnA8Z0w +oF60v1c08uGK2/h2nWcfiLtAkvyuPdtLTKYUZOllcQuV8m/1Ad93pWlKVTNBM4Bn +lp4UyoEbvXMg1yTiEhv+6cezvCJG5LbEQgPKU71VPV7sthAiWjhbn3Mj8HhxnzU0 +BBY+DRaCiWYanVoIkCoospIy4jfmflzWYpAiaezOtaLelyhssuqmxIEvlTeyFBfc +4jm+iuyCLA7Fvue7lN8u5CJJx7FLtg5OmiyNibISs25abGiwX01pNFc+Wu0N8dgw +IdzNQnUWtbIQa2byObzDd8ihQq5sEY03OINlIAFlQTXiKfcav9E5MX/L0ggwRtgB +GKo2A8FfifBzehkjRkeu828xPx2Lff56bkjtpMwPZjlzZfs159zHcfXFS3e+zmU3 +Wvs4FLutsjkVOkmwihitV2fn1VuMfKidpDBd6PmC9bNNrm1zRAS2tgRxqwARAQAB +tC1DSVNPZnkgc29mdHdhcmUgc2lnbmluZyA8c29mdHdhcmVAY2lzb2Z5LmNvbT6J +Aj4EEwECACgFAmDRds0CGwMFCRLMAwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA +AAoJEP67fRgSV2SCuFYP/A2vVOb/XUVlOgQGrfkOMSEDBxKBVcftBmmHG9osIa9t +0JxRcT4lZoHubQdcoPi0DrXBaxQ6huss2uLO8qA7GktjIRq71XPNkWE35i9obH/H +fd4zVifM0154JdTpGV1Ah4ZkJ0uS9+8q+PSehiztuZLFQvAoPwnS4QFve3i6zgdY +Gb3zVyT7QlwVSPI7JZg3Hp8FBEylkvrmPu29ISTMT8C0NmEKvzLtxqYFAi5sD4mj +ldD3tK0eIRe8ksCLTTMaUzgFubqA1Ik+JtjDR/Y+2+SbBkFQdokf5gTg2ysuSxM3 +vNFIyX3TPXlSYVAapLZpC/fvH/wFrTwfyEcHTEzvFx+2qU/BSfeeZ3eTSc0XO29c +eNYTBObR+WrPdVEPHizlAfRDj0m8NWzbBWfCdFWiZOfNQAp/cunETPv6Oj2uuoiT +h7/Z09WPrvvDmtHNyD6fvUL90dGK9/x8An2zoJz4jk/qIotDXL34ZsXPD23O2zxd +ASOmI0nXqYEElAONpB8K/GPVmNVatEqu7fTXtfFz4buiaxCZdrzY8QkBtY/tA6H/ +O7Ln2Oz5DBBeGWvd4wT0lajrQtE7Qx8dQEt185MztKNrP/2gbZzgbKNWN06lN9V8 +Of59oIBycPsFrYhmAMdNp6FaZt9+ndAhCjVmze59Vo3b0JN/eqjV/YeDoWNOefFn +uQINBGDRds0BEADNjOgAEz4azwlpR+lC5T5b3xVGclct0S1BxfZw4scj/7hIjPlJ +tX288Kj8fs8L0vIKUY7IW2Y2bePKAkjnIdOsV86DTHDOGW99um61trHGP2Y1KLYP +6/amDPSOTELn5+U88B2RpXr7xXD14fqdnM46GOM+7FORxOe3pdmeCuoyDDfXZ43Z +gmYl6R0Ioo3+LsFrn74vlVGSzjBW+F6alZpACW6ZET3iM5wDhrxBP9GybIMkpLKo +NVNu9WdHv9WtJ1cnqgyM70EAKbAKddRqGwOf80reFzP+TcdmGzXUWbWt2T+bs34L 
+nczLjJNB7sl3k8ArLZtrKxRsoAD7vvCh981mHCLGU8kS7Tf6tALJYcVgFVLjX4N1 +ASF3525AKfOE4yOGWvbKDNQP0rJe8nFrDLtikAhmPt346D4tArZGzwuuzzOAca76 +WB9w45wS5w6lIejRft961FeHvqm6r8OE+rS5w6J/NH5vFMm425cwHY1O3u7x1y0I +k3VrOZ6OJ1WU3WTqkCGKtBWBU2hkx4BbwZD6l/f523iS9tgxlUVoNud08fQQTwRY +s4T7oSZ1xbZsHHe/LzwhdQojTc2uMETcTDX9GUDePoVohELzVlMAeQm5mvWFUQ87 +rsgbo3/iEH2u/jeqaM4Q6QeNcEtw1VJ6I0LiSb39TlBpZsw9atC0DOxHXQARAQAB +iQIlBBgBAgAPBQJg0XbNAhsMBQkSzAMAAAoJEP67fRgSV2SC/EQQAKmvxewbYCtN +5kQ6BadCeE2IrtV/yyaz2r0vIMI0jtA1F5n/IYbR/5gVUWLphBL7hKw+Jn9oMqV4 +yymCvY0N4faqqIW0QElp1seTCCFzbVhYC9Hv9vWgfHZhXUDTm6WE/vAwl3BYS/p8 +KSyMIdkmParxWbHV0k6tzyVuV3hYMQD8GsHq4i4/TjJtfh2fNKh4lAaxuUoifpBF +te+3YI5GSKXSSTm2fxAIXoWPnpFTh+VTcTu5Sv7pbR6YT0vFM04V3DPVhNO1l72o +UEA6ubSf1gys03CQ4/yK1k9kBJ3RAGK0nLZbB4cSQD2Lu7KCG3jakpzUiu38Gn/X +Nz7aU78Qnj0VzSL7Ko3Eg0g3TURG+UE4JYE3qUnU/++V43HkGaoh9Cq+ytE6wPAE +GC2j660sI5+TN+hZURUqmyU8sFdviskXQnlJztnEY5tVsoh6JuKEykcBj9jgyvNg +TaA7HAC/Qh2zuEJ4OA0al+IDhMLfWwhhop2+ghy7yF4zHC/VnCaQ+O7+ZIfnIsRW +gpBHTkl70uTlG64crM7RDxGVIgO5O6HIZ+Fu3HIAM6AWtPjkv8XQ/g8x3NnSor40 +E8DeW45fjk/Onh/bs0zyGN6XuZPU2L7aogTF3gP0wxkU0r96r8z+BOqmT6lD4mOL +uSeVcIqCYWRC7bhk2ySSo/oC9QhN3CBluQINBGDRdy0BEACywPYrQsu7xn4VhI8t +F3sEmyWB6S5n2SlVMoc8/PUALboNJJ7msiga30jERUm1wNvTt2Cb5vJU+O8yLi8h +F44MeNoDX1rvqTO81sFJbadM59hqTCBN0LUhndcyJo8aKxxaRDhtVs07OwhDvWMW +Ed87qOP5LZe+onFUQMMfwzr+PhYBum1Bg3YjFd0C13UsTvpGE+Rk5dZxUCojpyON +7KfrNtKEdSLGgzxTEOi1a44OuyN0fLdat4T7tCpJAvXgp7N6XXy7QqKNMWEUXwTv +MIZ2UXVj5SB92Op/scMJLVqaB1RBmsd82okT0fQDKnWfFYGwBoYBBh7h/LpYTAR3 +Kik3fFqZygtn9tliZmt1C4h4KpD6t+QLt6/Rq64q65WgS+YKAR0S92xCPSMek81P +MPReQFMT/lNLJdwrO3bxQv6oTd5PGg6mYo7O3djpBT7EpdRQhS+iqcWMGoL24D0m +Mle3J4gaMhDIYy9vxi3oaODu270PTyW3o2gHw8x1smdPclyDT4gYTu+a97kVMhMc +yohBRC/TqjYTKXPX1YjREg1ChhJ5DkWNFuyK36YH9Dby6SlqtHyT8GHHpE1WQF2T +zxkfZvl4g4nDLZkaYBvYl8w5evaRN0wcgIYknFHAq1ew+bE8jtrkd7j3+XRuEK4P +KCjkK2502EUuqnrTuNHVM6roPQARAQABiQREBBgBAgAPBQJg0XctAhsCBQkSzAMA +AikJEP67fRgSV2SCwV0gBBkBAgAGBQJg0XctAAoJEJ3pIvHC/ebEigwP/0VR8Dkm 
+522ZbR2ipAoEz/GNFRfJQ+an4GOOVs2DEubKyUFmTzxs6TAxncATwFWoSPgd+xtK +NMJbmL9NeHAR7nfrgHrw+fn/HAaGIjBLXZAjqZidOg9+wvqNuTTz7UCYmezvZZqk +55+dIT8gTXekRlS5vZk2bH+kUxK7v2tFfWY38nvDDL7qeUuJDoIXGHZeYHDsDMcI +kFtxYmFEI1f4abP1RnkC6IwbKsIo8vqD3eIJFO2oPPrgDg+zF/0KNF4RQlUqgng4 +iZ5FakqsqSh8uGplzMjzTRjNc1dNXmsI3n7G9O973/ZmpPyhHFVpI9J39IkAWmXg +d2en/mxGKkXh6XOOWVvgSwZ/2aWFLYsKWBukCiN5KaS/HpO8zCf3LkvqzyvcW9JO +ILK45e4r8gVMefp1NmCdE0Ww9khzpimqosQHu4jt/Pc9l/2ImKDoX5hvPHkjuw71 +jhJCDSoAe5jWkjIdzS61pB3SQUmjIfWbVrmc/LsxzVncKGzMisrUNVH7t8U4wn0Q ++x0R4NvIiK/Ws5FxiYTaCf7oIoZX9nKtGz5SD/WE04QDmoXymweyr1qoxa5H/YPp +pTZSFrSEHCxIlL07/RDC8alA6EhBa+WuP/9fRlFf04mOLIYmmMfKAg9t8RGvqwFm +oMHUTikoJkEgOlaiZyLpV+beXCC4w7G/xKdWGmwP/igj3rCx0IOzfrMuyGxILBPd +ZrHTQ+FMjI9m+bQ2ci7eBH0fuxgM5FDDwu4+0XutbXkhruVPSxRPt3yC3ouQsSi8 +GDi43AxEfHoWliFs5kLlqCArJdIMugiKICEjrUKYLIEcJnkdcPr+vt/0YXLNTEWZ +dmK/dU5Qm52BjK92zuO3H2+Heh5XHbJCNUE75hd0I4GLjJR+CBCAK1OqvS8m6Lq5 +PCWfrAWyTf6AxEXdIAcwAp2igJXE3NR9vpi3mWwXkAvT3dkGkvIoyp6qUdBxglT7 +ifl0EFl8l2ehy7QwTHMF6X2Y3LYTOdn39rQIF789HMW1iolB0CNyULDnEA3cawQg +puTke/XlZpIMhVLL44UpEhMVZ9/20OgKxwP/1q2/iirZVdzqQCYRxKluPyAb0FOU +IbQUOA5QdK8EEwPwAH2HGRk4LsF7xdXPlep2OQObIAjMs9WPbveexdFGiUG/xSPr +NaDpFc+DXX94/hJO9NsUwdI8gN1H+r9fxBZ4a8UHzceMD12Wct4N2wLPZX4MCHYD +bGMmGF0SC2eFOFK7Nn2/emJjjnr15VAgDOKknzFo16lvY7LV6pywNsUsSnPB1bGH +bisG6mkdkW7nPsL0d2w4yz+lL9R7yQjvS1Z8hMeTxbzr6OZdgF4rMxpPclTOaAj9 +4qEb1toWkgrwUmMepzoG +=PBwG +-----END PGP PUBLIC KEY BLOCK----- diff --git a/lynis.spec b/lynis.spec new file mode 100644 index 0000000..2a26db0 --- /dev/null +++ b/lynis.spec 
@@ -0,0 +1,140 @@
+#
+# spec file for package lynis
+#
+# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2009-2013 Sascha Manns
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+%define _includedir %{_datadir}/lynis/include
+%define _pluginsdir %{_datadir}/lynis/plugins
+%define _dbdir %{_datadir}/lynis/db
+Name: lynis
+Version: 3.1.4
+Release: 0
+Summary: Security and System auditing tool
+License: GPL-3.0-only
+Group: System/Monitoring
+URL: https://cisofy.com/lynis/
+Source0: https://downloads.cisofy.com/%{name}/%{name}-%{version}.tar.gz
+Source2: tests_binary_rpath
+Source3: tests_file_permissionsDB
+Source4: tests_file_permissions_ww
+Source5: tests_network_allowed_ports
+Source6: tests_system_dbus
+Source7: tests_system_proc
+Source8: tests_tmp_symlinks
+Source9: tests_users_wo_password
+Source10: prepare_for_suse.sh
+Source11: dbus-whitelist.db.openSUSE_12.2_x86_64
+Source12: fileperms.db.openSUSE_12.2_x86_64
+Source13: https://downloads.cisofy.com/lynis/%{name}-%{version}.tar.gz.asc
+Source14: https://cisofy.com/files/cisofy-software.pub#/%{name}.keyring
+Source15: %{name}-rpmlintrc
+# PATCH-OPENSUSE-FIX -- thomas@novell.com - modifying for openSUSE
+Patch0: %{name}_1.3.5_lynis.diff
+# PATCH-OPENSUSE-FIX -- thomas@novell.com - modifying for openSUSE
+Patch2: %{name}_1.3.1_include_consts.diff
+Patch5: %{name}_1.3.6_include-osdetection.diff
+# https://github.com/CISOfy/lynis/pull/1215
+Patch6: additional_module_blacklist_locations.patch
+BuildRequires: gcc-c++
+BuildRequires: libxml2-devel
+Requires: bash
+Requires: cron
+Requires: findutils
+Requires: gawk
+Requires: logrotate
+Requires: net-tools-deprecated
+Requires: netcfg
+Requires: wget
+# FIXME: use proper Requires(pre/post/preun/...)
+PreReq: %fillup_prereq
+BuildArch: noarch
+
+%description
+Lynis is a security and system auditing tool. It scans a system on the
+most interesting parts useful for audits, like:
+ - Security enhancements
+ - Logging and auditing options
+ - Banner identification
+ - Software availability
+
+%prep
+%setup -q -n %{name}
+%patch -P 0
+%patch -P 2
+%patch -P 5
+%patch -P 6 -p1
+
+%build
+
+%install
+
+# Install Profile (default.prf)
+install -d %{buildroot}%{_sysconfdir}/%{name}
+install -m 644 default.prf %{buildroot}%{_sysconfdir}/%{name}/default.prf
+# install binary
+install -d %{buildroot}%{_bindir}
+install -d %{buildroot}%{_datadir}/%{name}
+install %{name} %{buildroot}%{_bindir}
+install %{SOURCE10} %{buildroot}%{_datadir}/%{name}
+# install man-page
+install -d %{buildroot}%{_mandir}/man8
+install -pm 644 %{name}.8 %{buildroot}%{_mandir}/man8
+# install functions/includes
+install -d %{buildroot}%{_includedir}
+install include/* %{buildroot}%{_includedir}
+install %{SOURCE2} %{buildroot}%{_includedir}
+install %{SOURCE3} %{buildroot}%{_includedir}
+install %{SOURCE4} %{buildroot}%{_includedir}
+install %{SOURCE5} %{buildroot}%{_includedir}
+install %{SOURCE6} %{buildroot}%{_includedir}
+install %{SOURCE7} %{buildroot}%{_includedir}
+install %{SOURCE8} %{buildroot}%{_includedir}
+install %{SOURCE9} %{buildroot}%{_includedir}
+# install plugins
+install -d %{buildroot}%{_pluginsdir}
+install -pm 644 plugins/* %{buildroot}%{_pluginsdir}
+# install database files
+install -d %{buildroot}%{_dbdir}
+install -pm 644 db/*.db %{buildroot}%{_dbdir}
+install -d %{buildroot}%{_dbdir}/languages
+install -pm 644 db/languages/* %{buildroot}%{_dbdir}/languages
+install -pm 644 %{SOURCE11} %{buildroot}%{_dbdir}/dbus-whitelist.db
+install -pm 644 %{SOURCE12} %{buildroot}%{_dbdir}/fileperms.db
+
+# pacify rpmlint
+chmod +x %{buildroot}%{_pluginsdir}/custom_plugin.template
+
+%files
+%{_bindir}/%{name}
+%config(noreplace) %{_sysconfdir}/%{name}/default.prf
+%{_dbdir}/*
+%{_includedir}/*
+%{_pluginsdir}/*
+%dir %{_sysconfdir}/%{name}
+%dir %{_datadir}/%{name}
+%dir %{_datadir}/%{name}/db
+%dir %{_datadir}/%{name}/include
+%attr(640,root,root) %{_datadir}/%{name}/include/*
+%dir %{_datadir}/%{name}/plugins
+%license LICENSE
+%doc CHANGELOG.md CONTRIBUTORS.md FAQ README
+%{_mandir}/man8/%{name}.8%{?ext_man}
+%{_datadir}/%{name}/prepare_for_suse.sh
+
+%changelog
diff --git a/lynis_1.3.1_include_consts.diff b/lynis_1.3.1_include_consts.diff
new file mode 100644
index 0000000..1ee5e46
--- /dev/null
+++ b/lynis_1.3.1_include_consts.diff
@@ -0,0 +1,12 @@
+Index: include/consts
+===================================================================
+--- include/consts.orig
++++ include/consts
+@@ -115,6 +115,7 @@ ETC_PATHS="/etc /usr/local/etc"
+ FAIL2BANBINARY=""
+ FILEBINARY=""
+ FILEVALUE=""
++ FILE_NUM_TOTAL=0
+ FIND=""
+ FIREWALL_ACTIVE=0
+ FOUNDPATH=0
diff --git a/lynis_1.3.5_lynis.diff b/lynis_1.3.5_lynis.diff
new file mode 100644
index 0000000..3486946
--- /dev/null
+++ b/lynis_1.3.5_lynis.diff
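Review bot: The files installed as the live `dbus-whitelist.db` and `fileperms.db` are the `openSUSE_12.2_x86_64` snapshots (`Source11`/`Source12`), so SYSTEM-1000 and FILE-7525 compare every other release against a 2012 baseline and will flag legitimate services and permissions as WARNING until `prepare_for_suse.sh` is re-run, and nothing in the spec says that must happen. A spec comment next to those two `install` lines such as `# 12.2 snapshots only; run %{_datadir}/lynis/prepare_for_suse.sh from %{_datadir}/lynis after install to regenerate for the running release` would make the dependency explicit. Separately, `%define _includedir …` shadows RPM's global `%{_includedir}` (normally /usr/include) for the whole spec; a private name like `%{lynis_includedir}` avoids the footgun, and `PreReq: %fillup_prereq` has no fillup template installed in `%install` to justify it.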
@@ -0,0 +1,20 @@
+Index: lynis
+===================================================================
+--- lynis.orig
++++ lynis
+@@ -1008,7 +1008,14 @@ ${NORMAL}
+ mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
+ insecure_services banners scheduling accounting time crypto virtualization containers \
+ mac_frameworks file_integrity tooling malware file_permissions homedirs \
+- kernel_hardening hardening"
++ kernel_hardening hardening \
++ system_dbus \
++ users_wo_password \
++ binary_rpath \
++ tmp_symlinks \
++ file_permissions_ww \
++ system_proc \
++ network_allowed_ports"
+ else
+ INCLUDE_TESTS="${TEST_GROUP_TO_CHECK}"
+ LogText "Info: only performing tests from groups: ${TEST_GROUP_TO_CHECK}"
diff --git a/lynis_1.3.6_include-osdetection.diff b/lynis_1.3.6_include-osdetection.diff
new file mode 100644
index 0000000..ccf9dcc
--- /dev/null
+++ b/lynis_1.3.6_include-osdetection.diff
@@ -0,0 +1,13 @@
+Index: include/osdetection
+===================================================================
+--- include/osdetection.orig
++++ include/osdetection
+@@ -601,7 +601,7 @@
+ OS_NAME="${LINUX_VERSION}"
+ fi
+ # If Linux version (full name) is unknown, use uname value
+- if [ "${OS_FULLNAME}" = "" ]; then OS_FULLNAME=$(uname -s -r); fi
++ #if [ "${OS_FULLNAME}" = "" ]; then OS_FULLNAME=$(uname -s -r); fi
+ SYSCTL_READKEY="sysctl -n"
+ ;;
+
diff --git a/prepare_for_suse.sh b/prepare_for_suse.sh
new file mode 100644
index 0000000..f657fe7
--- /dev/null
+++ b/prepare_for_suse.sh
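Review bot: Commenting out the `uname -s -r` fallback leaves `OS_FULLNAME` empty whenever the distribution-specific detection above it finds nothing, and the patch carries no header explaining why SUSE wants that; the `case` arm this sits in starts outside the hunk, so the downstream effect cannot be judged from here. A one-line description above `Index: include/osdetection` stating the reason (it cannot be inferred from the hunk) would preserve the intent for the next rebase, and the stale comment line `# If Linux version (full name) is unknown, use uname value` now contradicts the code beneath it and should be updated or commented out together with it. The spec tags Patch0 and Patch2 with `PATCH-OPENSUSE-FIX` lines but gives this patch and `lynis_1.3.5_lynis.diff` none.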
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+umask 0077
+
+OSVERS=$(grep VERSION /etc/SuSE-release | sed "s/VERSION = //")
+OS=$(head -n 1 /etc/SuSE-release | sed "s/[()]//g" | sed "s/ /_/g")
+
+fileperms()
+{
+ PERMS=$(grep -E "^PERMISSION_SECURITY=" /etc/sysconfig/security | awk -F'=' '{print $2}' | sed s/\"//g)
+ echo $PERMS
+ for p in $PERMS
+ do
+ echo $p
+ grep -E "^/\w.*" "/etc/permissions."$p | awk -F' ' '{print "file:"$1":"$3":"$2":Linux:"}' >> $TMPDIR/fileperms.lst
+ done
+
+ if ! [ -f db/fileperms.db.orig ]; then
+ cp -v db/fileperms.db db/fileperms.db.orig
+ fi
+
+ rm -f db/fileperms.db
+ cp $TMPDIR/fileperms.lst db/fileperms.db.$OS
+ ln -s fileperms.db.$OS db/fileperms.db
+}
+
+dbussystem()
+{
+ for i in $(ls -1 /usr/share/dbus-*/system-services/*.service /etc/dbus-*/system.d/*.conf 2>/dev/null)
+ do
+ basename $i >> $TMPDIR/dbus-whitelist.db.$OS
+ done
+
+ rm -f db/dbus-whitelist.db
+ cp -v $TMPDIR/dbus-whitelist.db.$OS db/
+ ln -s dbus-whitelist.db.$OS db/dbus-whitelist.db
+}
+
+TMPDIR=$(mktemp -d /tmp/lynis.XXXXXX)
+
+echo "prepare lynis config for your suse systems"
+echo "1. lookup file permission level"
+fileperms
+echo "2. lookup dbus system serices in /etc/dbus-1/system.d/"
+dbussystem
+
+rm -rf $TMPDIR
diff --git a/tests_binary_rpath b/tests_binary_rpath
new file mode 100644
index 0000000..7d0d333
--- /dev/null
+++ b/tests_binary_rpath
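Review bot: `OS` is read from `/etc/SuSE-release`, which recent SUSE releases no longer ship, so on such a host `OS` is empty, the script writes `db/fileperms.db.` and `db/dbus-whitelist.db.` (trailing dot) and points the symlinks at them, and `OSVERS` is computed but never used; fall back to `/etc/os-release`, e.g. `OS=$(. /etc/os-release; printf '%s_%s' "$NAME" "$VERSION_ID" | sed "s/ /_/g")` — TODO confirm the naming the tests expect. The script also silently depends on being run from `/usr/share/lynis` because every `db/…` path is relative; a `cd "$(dirname "$0")" || exit 1` at the top, or an explicit check that `db/` exists, would stop it scribbling `db/` into whatever directory the admin happens to be in. `for i in $(ls -1 …)`, unquoted `$PERMS`/`$p`/`$TMPDIR` and `rm -rf $TMPDIR` without a `trap … EXIT` are the usual word-splitting and cleanup hazards; `find … -exec basename {} \;` and `trap 'rm -rf -- "$TMPDIR"' EXIT` fix both.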
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+#################################################################################
+#
+# Author: Thomas Biege
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Verifies if a binary contains an insecure RPATH variable.
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+ InsertSection "Binary integrity"
+ report "[Software]"
+#
+#################################################################################
+#
+ # Test : BINARY-1000
+ # Description : Verifies if a binary contains an insecure RPATH variable.
+ Register --test-no BINARY-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable."
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Starting binary RPATH check..."
+ logtext "Test: Checking binary integrity of RPATH"
+
+ RPNOTOK=0
+ FILENUM=0
+ HPBAD=0
+ for FILE in $(find / -xdev -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null)
+ do
+ ((FILENUM++))
+ for RPATH_VAL in $(objdump -p "$FILE" 2>/dev/null | egrep -w '(RPATH|RUNPATH)' | awk '{ print $2 ":"}')
+ do
+ if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue; fi
+ while [ -n "$RPATH_VAL" ]
+ do
+ RPATH_VAL_NXT=${RPATH_VAL%%:*}
+ RPATH_VAL=${RPATH_VAL##$RPATH_VAL_NXT:}
+ test -d "$RPATH_VAL_NXT" && RPATH_VAL_NXT=$(cd ${RPATH_VAL_NXT//#\/\//\/}; pwd -P)
+
+ case ":$RPATH_VAL_NXT" in
+ :/usr/lib*)
+ ;;
+ :/lib*)
+ ;;
+ :/opt/*/lib*)
+ ;;
+ :/usr/X11R6/lib*)
+ ;;
+ :/usr/local/lib*)
+ ;;
+ *)
+ ((HPBAD--))
+ RPNOTOK=1;
+ Display --indent 4 --text "${FILE}" --text "RPATH \"$RPATH_VAL_NXT\" on $FILE is not allowed" --result WARNING --color RED
+ esac
+ done
+ done
+ done
+ if [ $RPNOTOK == 0 ]; then
+ Display --indent 4 --text "No bad RPATH usage found in $FILENUM executables" --result OK --color GREEN
+ fi
+ AddHP $HPBAD 0
+
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
diff --git a/tests_file_permissionsDB b/tests_file_permissionsDB
new file mode 100644
index 0000000..c43332f
--- /dev/null
+++ b/tests_file_permissionsDB
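Review bot: The `$ORIGIN` shortcut `if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue; fi` looks at the whole RPATH string rather than each element, so an RPATH such as `$ORIGIN:/tmp` (or `$ORIGIN:` with a trailing empty element, which the dynamic loader resolves against the current directory) is skipped entirely, while `/tmp:$ORIGIN` reports the `$ORIGIN` element itself as "not allowed". Move the test inside the `while` loop, on the split element, e.g. right after `RPATH_VAL=${RPATH_VAL##$RPATH_VAL_NXT:}` add `case "$RPATH_VAL_NXT" in \$ORIGIN*) continue;; esac`. `for FILE in $(find / …)` word-splits and glob-expands every executable's path on a full-filesystem scan, where names are partly user-controlled; `find … -print0 | while IFS= read -r -d '' FILE` avoids that, and `-xdev` means a separate `/usr` filesystem is never scanned, which is worth a comment. `AddHP $HPBAD 0` passes a negative score after `((HPBAD--))`, which looks unintended next to the `AddHP $HP $HPMAX` form the sibling tests use.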
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Author: Thomas Biege
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# File permissions from db file
+#
+#################################################################################
+#
+# TODO:
+# - owner can have ':' and '.' as delimiter, '.' will cause an error -> fix it!
+# - octal perms starting with 0 are valid but will cause an error -> fix it!
+#
+################################################################################
+#
+ InsertSection "File systems"
+#
+#################################################################################
+#
+ # Test : FILE-7525
+ # Description : Perform file permissions check
+ Register --test-no FILE-7525 --weight L --network NO --description "Perform file permissions check from DB"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ DB="${DBDIR}/fileperms.db"
+ Display --indent 2 --text "- Starting file permissions check from DB..."
+ logtext "Test: Checking file permissions from DB"
+ logtext "Using database ${DB}."
+
+ HPMAX=0
+ HPBAD=0
+ for LINE in $(cat $DB)
+ do
+ HPMAX=$(($HPMAX + 1))
+ FN=$(echo $LINE | cut -d: -f2)
+ PM=$(echo $LINE | cut -d: -f3)
+ UN=$(echo $LINE | cut -d: -f4)
+ GN=$(echo $LINE | cut -d: -f5)
+ OS=$(echo $LINE | cut -d: -f6)
+ if [ -z $OS ]; then
+ logtext "Warning: line format invalid: '$LINE'"
+ fi
+
+ logtext "Checking $FN"
+
+ STR="$PM:$UN:$GN"
+ STAT=$(stat --printf="%a:%U:%G" $FN 2>/dev/null)
+ if [ -z $STAT ]; then
+ #Display --indent 4 --text "${FN}" --result "NOT FOUND" --color WHITE
+ continue;
+ fi
+ if [ "$STR" != "$STAT" ]; then
+ HPBAD=$((HPBAD + 1))
+ Display --indent 4 --text "${FN}" --result WARNING --color RED
+ else
+ Display --indent 4 --text "${FN}" --result OK --color GREEN
+ fi
+ done
+
+ HP=$(expr $HPMAX - $HPBAD)
+# echo "AddHP $HP $HPMAX"
+ AddHP $HP $HPMAX
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
diff --git a/tests_file_permissions_ww b/tests_file_permissions_ww
new file mode 100644
index 0000000..f3ffe55
--- /dev/null
+++ b/tests_file_permissions_ww
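Review bot: `[ "$STR" != "$STAT" ]` is a string comparison, and the DB that `prepare_for_suse.sh` builds from `/etc/permissions.*` carries modes written as `0644` while `stat --printf=%a` prints `644`, so every entry with a leading zero is reported as WARNING — the TODO at the top admits this but the test ships with it. Normalise before comparing, e.g. `PM=$(printf '%o' "0${PM}")` (accepts both `0644` and `644` and yields `644`, `04755` → `4755`) — TODO confirm octal parsing in the `/bin/sh` printf on the targets — or compare the mode numerically in `$(( ))`. `for LINE in $(cat $DB)`, `[ -z $OS ]`, `[ -z $STAT ]` and the unquoted `stat … $FN` all break on paths containing whitespace; `while IFS= read -r LINE; do …; done < "$DB"` with `"$FN"` quoted is the safe shape, and a single `awk -F:` per line would replace the five `cut` forks.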
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Author: Thomas Biege
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# File permissions world-writeable file
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+ InsertSection "File systems"
+#
+#################################################################################
+#
+ # Test : FILE-7527
+ # Description : Perform file permissions check
+ Register --test-no FILE-7527 --weight L --network NO --description "Lookup world-writeable files."
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Starting file permissions check for world-writeable files..."
+ logtext "Test: Checking for world-writeable files"
+
+ TMP=$(mktemp /tmp/lynis.XXXXXX)
+ HPMAX=$FILE_NUM_TOTAL
+ HP=$HPMAX
+ find / -xdev \( -type f -o -type d -o -type s -o -type b -type p -o -type c \) -a -perm -0002 -print 2>/dev/null > $TMP
+ for i in $(cat $TMP)
+ do
+ HP=$((HP - 1))
+ Display --indent 4 --text "${i} is world-writeable" --result WARNING --color RED
+ done
+# echo "AddHP $HP $HPMAX"
+ AddHP $HP $HPMAX
+ rm -f $TMP
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
\ No newline at end of file
diff --git a/tests_network_allowed_ports b/tests_network_allowed_ports
new file mode 100644
index 0000000..da4662f
--- /dev/null
+++ b/tests_network_allowed_ports
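Review bot: In the `find` expression `-type b -type p` is missing the `-o` between the two tests, so it asks for a file that is both a block device and a FIFO — never true — and world-writable block devices and named pipes are silently never reported; it should read `\( -type f -o -type d -o -type s -o -type b -o -type p -o -type c \)`. The score is also broken: `HPMAX=$FILE_NUM_TOTAL` reads the counter that `lynis_1.3.1_include_consts.diff` initialises to 0, nothing in this change increments it (tests_binary_rpath counts into its own `FILENUM`), so `AddHP` receives `-N 0`. Sticky world-writable directories such as `/tmp` are expected and should be excluded with `! \( -type d -perm -1000 \)` so real findings are not buried, and `for i in $(cat $TMP)` word-splits and glob-expands attacker-chosen file names — `while IFS= read -r i; do …; done < "$TMP"` is the safe form.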
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+#################################################################################
+#
+# Author: Thomas Biege
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Verifies open network ports.
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+ InsertSection "Networking"
+#
+#################################################################################
+#
+ # Test : NETW-3085
+ # Description : Verifies open network ports.
+ Register --test-no NETW-3085 --weight L --network NO --description "Verifies open network ports."
+ if [ ${SKIPTEST} -eq 0 ]; then
+ ALLOWED_PORTS=( 22 25 80 111 443 )
+ TMP=$(mktemp /tmp/lynis.XXXXXX)
+
+ STR="${ALLOWED_PORTS[@]:0}"
+ Display --indent 2 --text "- Starting verifying open network ports ($STR)..."
+ logtext "Test: Checking open network ports"
+ logtext "Allowed ports: $STR"
+
+ netstat -an | grep -i listen > $TMP
+ PORTS=($(cat $TMP | awk '{ print $4 }' | sed 's/.*://;s/ACC//' | sort -un))
+
+
+ IDX_P=0
+ LEN_P=${#PORTS[@]}
+ NUM_NOTOK=0
+ while [ $IDX_P -lt $LEN_P ]
+ do
+ IDX_A=0
+ LEN_A=${#ALLOWED_PORTS[@]}
+ PORTOK=0
+ while [ $IDX_A -lt $LEN_A ]
+ do
+# echo "${PORTS[$IDX_P]} vs. ${ALLOWED_PORTS[$IDX_A]}"
+ if [ ${PORTS[$IDX_P]} == ${ALLOWED_PORTS[$IDX_A]} ]
+ then
+ PORTOK=1
+ break
+ fi
+ ((IDX_A++))
+ done
+ if [ $PORTOK -eq 0 ]
+ then
+ ((NUM_NOTOK++))
+ P=${PORTS[$IDX_P]}
+ Display --indent 4 --text "Open port ${P} not allowed" --result WARNING --color RED
+ fi
+
+ ((IDX_P++))
+ done
+
+ HPMAX=$LEN_A
+ HP=$(expr $LEN_A - $NUM_NOTOK)
+ if [ $HP -lt 0 ]; then HP=0; fi
+
+ AddHP $HP $HPMAX
+
+ rm -f $TMP
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
diff --git a/tests_system_dbus b/tests_system_dbus
new file mode 100644
index 0000000..a414cae
--- /dev/null
+++ b/tests_system_dbus
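Review bot: `netstat -an | grep -i listen` only sees TCP sockets (UDP listeners have no LISTEN state, so an open DNS/SNMP/TFTP port is never reported) and also matches the `LISTENING` rows of unix-domain sockets, whose fourth column is not an address — the `s/ACC//` in the `sed` is compensating for exactly that. `ss -H -tuln | awk '{print $5}' | sed 's/.*://' | sort -un` covers TCP and UDP, emits no unix rows, and removes the reason for `Requires: net-tools-deprecated` — TODO confirm iproute2 is present on every target. The port-only comparison also drops the bind address, so a service on `127.0.0.1:8080` is reported identically to `0.0.0.0:8080`; keeping the address in the `Display` text makes the finding actionable. `ALLOWED_PORTS=( 22 25 80 111 443 )` is hard-coded (and includes rpcbind) rather than read from the profile, and `HPMAX=$LEN_A` scores against the number of allowed ports instead of the number of listening ports, so the metric is inverted.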
@@ -0,0 +1,79 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Author: Thomas Biege
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Verifies dbus policy.
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+ InsertSection "System Tools"
+ report "[Software]"
+#
+#################################################################################
+#
+ # Test : SYSTEM-1000
+ # Description : Verifies dbus policy.
+ Register --test-no SYSTEM-1000 --weight L --network NO --description "Verifies if an unknown dbus service is installed."
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Starting dbus policy check..."
+ logtext "Test: Checking dbus policy"
+
+ DB="${DBDIR}/dbus-whitelist.db"
+
+ if ! [ -f $DB ]
+ then
+ if [ -f ./dbus-whitelist.db ]
+ then
+ DB="./dbus-whitelist.db"
+ else
+ logtext "Warning: dbus autostart/system services whitelist file is missing."
+ return
+ fi
+ fi
+ WHITELIST=$(cat $DB)
+ HPMAX=$(wc -l $DB | cut -d' ' -f1)
+ HPBAD=0
+ E=$(ls -1 /usr/share/dbus-*/system-services/*.service /etc/dbus-*/system.d/*.conf 2>/dev/null)
+ if ! [ -z "$E" ]
+ then
+ for i in $E
+ do
+ DF=$(basename $i)
+
+ FOUND=0
+ for j in $WHITELIST
+ do
+ if [ "$DF" = "$j" ]; then FOUND=1; fi
+ done
+ if [ $FOUND -eq 0 ]
+ then
+ HPBAD=$((HPBAD + 1))
+ PKG=$(rpm -qf "$i")
+ Display --indent 4 --text "Warning: Package $PKG installs an unknown D-BUS autostart/system service: $DF" --result WARNING --color RED
+ fi
+ done
+ fi
+ HP=$(expr $HPMAX - $HPBAD)
+# echo "AddHP $HP $HPMAX"
+ AddHP $HP $HPMAX
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
diff --git a/tests_system_proc b/tests_system_proc
new file mode 100644
index 0000000..af24b50
--- /dev/null
+++ b/tests_system_proc
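Review bot: The glob `/usr/share/dbus-*/system-services/*.service /etc/dbus-*/system.d/*.conf` never reads `/usr/share/dbus-1/system.d/*.conf`, which is where packaged system-bus policies are installed on current dbus releases, so the vendor policy files — the ones that actually grant or deny bus access — fall outside the check; add that directory here and to `dbussystem()` in `prepare_for_suse.sh` so generator and test agree — TODO confirm the dbus version on the targets. The whitelist matches basenames only, so a policy file edited in place or replaced under a known name passes unnoticed; recording a digest per entry, or at minimum running `rpm -V` on the owning package, would catch that. A bare `return` at the top level of a sourced include ends the whole include file rather than this one test, which is fine only as long as nothing follows it in this file, and the `DB="./dbus-whitelist.db"` fallback trusts a file in the current working directory, which an auditing tool run from an arbitrary cwd should not do.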
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Author: Thomas Biege
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Checking for processes running as 'nobody'
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+ InsertSection "Memory and processes"
+#
+#################################################################################
+#
+ # Test : PROC-3625
+ # Description : Processes running as 'nobody'
+ Register --test-no PROC-3625 --weight L --network NO --description "Processes running as 'nobody'."
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Starting look-up of 'nobody' processes..."
+ logtext "Test: Checking for processes running as 'nobody'"
+
+ TMP=$(mktemp /tmp/lynis.XXXXXX)
+ TMP2=$(mktemp /tmp/lynis.XXXXXX)
+ ps -eo uname,pid,comm | tr -s " " | sed "s/ /:/g" > $TMP
+ HPMAX=$(wc -l $TMP | cut -d' ' -f1)
+ grep '^nobody' $TMP > $TMP2
+
+ HP=$HPMAX
+ for i in $(cat $TMP2)
+ do
+ HP=$((HP - 1))
+ PID=$(echo $i | cut -d: -f2)
+ PNAME=$(echo $i | cut -d: -f3)
+ Display --indent 4 --text "${PNAME} [PID ${PID}] runs as user 'nobody'" --result WARNING --color RED
+ done
+
+# echo "AddHP $HP $HPMAX"
+ AddHP $HP $HPMAX
+
+ rm -f $TMP $TMP2
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
\ No newline at end of file
diff --git a/tests_tmp_symlinks b/tests_tmp_symlinks
new file mode 100644
index 0000000..bfd4de9
--- /dev/null
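Review bot: `grep '^nobody' $TMP` also matches any account whose name merely begins with `nobody`, and the preceding `sed "s/ /:/g"` turns a `comm` that contains spaces into extra colon-separated fields so `cut -d: -f3` shows only its first word; `grep '^nobody:'` fixes the first, and `ps -eo uname:32,pid,comm` keeps long names from being truncated — TODO confirm the `:width` syntax on the procps shipped to the targets. The finding gives no reason: running as `nobody` is itself a hardening measure, the risk is several daemons sharing one unprivileged UID and being able to signal (and, subject to `ptrace_scope`, ptrace) each other, so a comment above `Register` such as `# Several services sharing 'nobody' can interfere with each other; each should run under its own UID` would tell the admin what to change. `HPMAX` counts the `ps` header line, and the two `mktemp` files are leaked if anything between their creation and `rm -f $TMP $TMP2` aborts — a single `ps … | grep '^nobody:'` pipeline would need no temp files at all.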
+++ b/tests_tmp_symlinks
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Author: Thomas Biege
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Looks up symlinks in /tmp
+#
+#################################################################################
+#
+# TODO:
+# - also verify other tmp localtions like /var/tmp and ~/tmp
+#
+################################################################################
+#
+ InsertSection "File systems"
+#
+#################################################################################
+#
+ # Test : FILE-7526
+ # Description : Looks up symlinks in /tmp
+ Register --test-no FILE-7526 --weight L --network NO --description "Looks up symlinks in /tmp"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Starting look-up of symlinks in /tmp..."
+ logtext "Test: Checking /tmp for symlinks"
+
+ TMP_SYMLINK=$(find /tmp -type l -print 2>/dev/null)
+
+ if [ "$TMP_SYMLINK" ]
+ then
+ for sym in $TMP_SYMLINK
+ do
+ Display --indent 4 --text "${sym}" --result WARNING --color RED
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
\ No newline at end of file
diff --git a/tests_users_wo_password b/tests_users_wo_password
new file mode 100644
index 0000000..ea8880c
--- /dev/null
+++ b/tests_users_wo_password
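Review bot: `for sym in $TMP_SYMLINK` expands attacker-controlled names unquoted: any local user can create a symlink in `/tmp` whose name contains whitespace or glob characters (a link literally named `*` makes this loop report the contents of lynis's current directory instead), which is an odd trust boundary for an auditing tool running as root; stream `find` into a read loop instead, `find /tmp -type l -print 2>/dev/null | while IFS= read -r sym; do Display --indent 4 --text "${sym}" --result WARNING --color RED; done`. The report should also say who owns the link and where it points, since that is what decides whether a `/tmp` symlink is a problem — `find /tmp -type l -printf '%p -> %l (%u)\n'` provides it — and a note that `fs.protected_symlinks=1` largely defuses these attacks would stop the test being pure noise on hardened hosts. Unlike its siblings this test never calls `AddHP`, so its findings do not affect the hardening index, and the `~/tmp` mentioned in the TODO would need a per-user loop rather than a single `find`.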
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Author: Thomas Biege
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Verifies dbus policy.
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+ InsertSection "Users, Groups and Authentication"
+ report "[Software]"
+#
+#################################################################################
+#
+ # Test : AUTH-1000
+ # Description : Verifies dbus policy.
+ Register --test-no AUTH-1000 --weight M --network NO --description "Verifies if users without a password exist."
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Starting password check for users..."
+ logtext "Test: Checking existence of password"
+
+ TMPDIR=$(mktemp -d /tmp/lynis.XXXXXX)
+ HPMAX=$(wc -l /etc/passwd | cut -d' ' -f1)
+ awk -F: '$2 == "" && $1 != "" {print $1}' /etc/passwd > $TMPDIR/userwopwd
+ awk -F: '$2 == "" && $1 != "" {print $1}' /etc/shadow >> $TMPDIR/userwopwd
+ sort -u $TMPDIR/userwopwd > $TMPDIR/userwopwd2
+ HPBAD=0
+ for i in $(cat $TMPDIR/userwopwd2)
+ do
+ HPBAD=$((HPBAD + 1))
+ Display --indent 4 --text "${i} has no password set" --result WARNING --color RED
+ done
+
+ HP=$(expr $HPMAX - $HPBAD)
+# echo "AddHP $HP $HPMAX"
+ AddHP $HP $HPMAX
+
+ rm -rf $TMPDIR
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
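Review bot: The shadow scan `awk -F: '$2 == "" && $1 != "" {print $1}' /etc/shadow` produces nothing when lynis runs without root (awk cannot open the file and its exit status is never checked), so the test awards full marks precisely when it could not look; guard it with `if [ ! -r /etc/shadow ]; then logtext "Warning: /etc/shadow not readable, passwordless accounts cannot be verified"; fi` before the awk and skip the score in that case — TODO confirm whether the framework offers a dedicated skip helper. The file header and the `# Description` line still read `Verifies dbus policy.`, a copy-paste leftover from `tests_system_dbus`, and should match the `Register` text `Verifies if users without a password exist.`. `HPMAX` is the line count of `/etc/passwd`, so one passwordless account among forty system users barely dents the score although it is a direct login path; scoring the test as all-or-nothing (`HPMAX=1`, `HP=0` when any such account exists) reflects the severity, and `for i in $(cat …)` is harmless here only because usernames cannot contain whitespace.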