Commit graph

97 commits

Author SHA1 Message Date
Yaisel Hurtado
4368013b43 Fixed detection of security repositories (#370) 2017-03-17 17:59:21 +00:00
Michael Boelen
352ea8c21c Added missing pipe 2017-03-13 19:55:00 +01:00
Michael Boelen
b67d9233eb Added more logging 2017-03-13 19:53:56 +01:00
Michael Boelen
e4474320ee [PKGS-7387] check all repositories for usage of gpg signing 2017-03-13 19:47:06 +01:00
Michael Boelen
de84454d3f Cleanup 2017-03-12 19:27:16 +01:00
Michael Boelen
a70cfd0a70 Improve message 2017-03-09 12:32:32 +01:00
Michael Boelen
336dcb4811 [PKGS-7381] Enhanced FreeBSD pkg audit testing 2017-03-09 12:27:38 +01:00
hlein
62d9a18861 A bunch of Solaris compatibility tweaks (#367)
* Work around Solaris' /bin/sh not being POSIX.

If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be.  Exec it right away.

* Work around Solaris 'which' command oddity.

Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.

This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.

Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.

* Improved alternate-sh exec to avoid looping.

* Solaris' /usr/ucb/echo supports -n.

* Check for the best hash type that openssl supports.

When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.

* Solaris does not support sed -i; use a tempfile.

* Use the full path for modinfo.

When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.

* Solaris find does not support -maxdepth.

This mirrors the logic already in tests_homedirs.

* Use PSBINARY instead of ps.

* Work around Solaris' date not supporting +%s.

Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds.  A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.

* Revert to using sha1 for HOSTID.

* Whitespace cleanup for openssl hash tests.
2017-03-08 16:24:24 +00:00
hlein
e054e9757c Lots of cleanups (#366)
* Description fix: SafePerms works on files not dirs.

All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).

* Lots of whitespace cleanups.

Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces.  But sometimes
it's 1, sometimes 3, sometimes 8.

These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).

This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.

FWIW I identified instances to check by using:

  perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces="";  } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)

Which produced output like:

  ./extras/build-lynis.sh:217:            if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
  ./extras/build-lynis.sh:218:               echo "[X] Version in specfile is outdated"

  ./plugins/plugin_pam_phase1:69:        if [ -d ${PAM_DIRECTORY} ]; then
  ./plugins/plugin_pam_phase1:70:                LogText "Result: /etc/pam.d exists"

...There's probably formal shellscript-beautification tools that
I'm oblivious about.

* More whitespace standardization.

* Fix a syntax error.

This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.

* Add whitespace before closing ].

Without it, the shell thinks the ] is part of the last string, and
emits warnings like:

  .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 19:23:08 +00:00
hlein
b595cc0fb5 Various cleanups (#363)
* Typo fix.

* Style change: always use $(), never ``.

The Lynis code already mostly used $(), but backticks were sprinkled
around.  Converted all of them.

* Lots of minor spelling/typo fixes.

FWIW these were found with:

  find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less

And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
2017-03-06 07:41:21 +00:00
Michael Boelen
34ba1ba184 Changed date and preparing for release 2017-02-09 13:35:40 +01:00
Michael Boelen
22d27434c9 Enhance pkg support on FreeBSD 2016-10-15 16:38:33 +02:00
Michael Boelen
f1c3c23cae Corrected error redirection 2016-10-15 16:22:18 +02:00
Michael Boelen
8777a5e616 Use rootdir and proper error redirection 2016-10-15 16:20:04 +02:00
Michael Boelen
f0b9a64c47 [PKGS-7381] bugfix at detection of pkg tool 2016-10-15 16:16:26 +02:00
Michael Boelen
d88f755f40 [PKGS-7381] check pkg audit and report when the vulnerability database is missing 2016-10-15 16:12:49 +02:00
Michael Boelen
d0d76c44cb Improved logging 2016-10-15 15:38:06 +02:00
Michael Boelen
9caf3005b5 Style improvements and hardening points 2016-09-26 12:05:30 +02:00
Michael Boelen
a3f57e6d01 Mark tests PKGS-7320 and PKGS-7322 as Linux-only 2016-09-24 16:17:11 +02:00
Michael Boelen
98d9096739 Mark arch-audit as a package audit tool 2016-09-24 15:36:45 +02:00
Michael Boelen
1418e0404b Extended message for arch-audit 2016-09-24 15:34:31 +02:00
Michael Boelen
263c0b558b Changes to show more details for warnings 2016-09-24 15:27:42 +02:00
Michael Boelen
1bc29ebb2e Added solution to arch-audit test 2016-09-24 15:20:24 +02:00
Michael Boelen
1063c8f3e8 Replace calls to binaries and changes in output within report 2016-09-24 15:07:20 +02:00
Michael Boelen
780e66ea81 Use OS full name to detect distribution 2016-09-24 14:58:30 +02:00
Michael Boelen
db419495bf Added support for arch-audit tooling 2016-09-24 14:49:14 +02:00
Michael Boelen
9d91f7dac7 [PKGS-7381] Improved output of log and warning 2016-09-22 14:54:55 +02:00
Michael Boelen
6a7ec8795a [PKGS-7381] Collect FreeBSD details for vulnerable packages 2016-09-22 14:47:06 +02:00
Michael Boelen
82ededed31 Style improvements and command replacements 2016-09-08 21:04:17 +02:00
Michael Boelen
679e8c628e Use detected binaries 2016-08-25 15:31:33 +02:00
Michael Boelen
e176011912 Allow repository update to be disabled 2016-08-11 10:01:29 +02:00
Michael Boelen
f9b2993f35 Removed unneeded field 2016-08-10 07:24:10 +02:00
Michael Boelen
fc2d9b935c Removed unneeded field for warnings and suggestions 2016-08-10 07:13:38 +02:00
Michael Boelen
2fe1819c35 [PKGS-7383] Simplified test 2016-07-31 15:51:34 +02:00
beelsr
4143cd69b5 fix yum gpgenabled check to allow spaces around = (#247)
Issue 245

yum.conf allows an arbitrary number of spaces to surround the equals assignment.
2016-07-30 17:14:51 +02:00
Michael Boelen
cfdc8228fd [PKGS-7388] Readability improvements and initialization 2016-07-30 16:40:44 +02:00
Michael Boelen
2f4c854ba7 Rename of categories, introduction of groups 2016-07-24 17:22:00 +02:00
Michael Boelen
983e293eb1 Replaced text strings to allow translations 2016-06-18 11:14:01 +02:00
Michael Boelen
02fdaf4c1e [PKGS-7328] Set non-interactive as first option like other calls to Zypper 2016-05-30 19:43:10 +02:00
Andreas Stieger
ece464b1da improve non-interactive use of zypper (#208)
* PKGS-7328: only list installed items of type package

Otherwise the package list may contain duplicate items of type application or patch

Signed-off-by: Andreas Stieger <astieger@suse.com>

* PKGS-7328, PKGS-7330: run zypper with non-interactive flag

Otherwise the test will hang if zypper issues an interactive query or warning,
such as for new/changed keys, network issues or other errors.

Signed-off-by: Andreas Stieger <astieger@suse.com>
2016-05-30 19:20:37 +02:00
Michael Boelen
90f196f067 [PKGS-7381] Check for vuln.xml file 2016-05-04 21:59:52 +02:00
Michael Boelen
eded02cfde Rewritten counters and dealing with values 2016-05-03 14:57:53 +02:00
Michael Boelen
99236b13f4 Mark apt-get related tests to be root-only 2016-05-02 17:13:31 +02:00
mboelen
42607ceaf5 Replaced old function names with new ones 2016-04-28 12:31:57 +02:00
mboelen
60a7abf877 [PKGS-7354] Test for DNF repoquery plugin before using it 2016-04-21 11:44:42 +02:00
mboelen
95df056ca8 Don't use type -p, as it won't work on all systems 2016-03-24 14:35:12 +01:00
Kamil Boratyński
85236bb996 Added brew as package manager. 2016-03-22 23:06:10 +01:00
Michael Boelen
2fe5fa2cc6 Merge pull request #135 from rhyven/patch-5
Accept apt-get as a package audit tool
2016-03-16 11:02:35 +01:00
Eric Light
a97bcb2142 Accept apt-get as a package audit tool 2016-03-14 12:02:18 +13:00
mboelen
8cc47819b4 Removed copyright line, added description 2016-03-13 16:03:46 +01:00