"Fossies" - the Fresh Open Source Software Archive

Member "lynis/include/tests_kernel" (22 Jul 2021, 60784 Bytes) of package /linux/misc/lynis-3.0.6.tar.gz:



    1 #!/bin/sh
    2 
    3 #################################################################################
    4 #
    5 #   Lynis
    6 # ------------------
    7 #
    8 # Copyright 2007-2013, Michael Boelen
    9 # Copyright 2007-2021, CISOfy
   10 #
   11 # Website  : https://cisofy.com
   12 # Blog     : http://linux-audit.com
   13 # GitHub   : https://github.com/CISOfy/lynis
   14 #
   15 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
   16 # welcome to redistribute it under the terms of the GNU General Public License.
   17 # See LICENSE file for usage of this software.
   18 #
   19 #################################################################################
   20 #
   21 # Kernel
   22 #
   23 #################################################################################
   24 #
   25     InsertSection "${SECTION_KERNEL}"
   26 #
   27 #################################################################################
   28 #
   29     CPU_PAE=0
   30     CPU_NX=0
   31     LINUXCONFIGFILE=""
   32     LINUXCONFIGFILE_ZIPPED=0
   33     LIMITS_DIRECTORY="${ROOTDIR}etc/security/limits.d"
   34     APT_ARCHIVE_DIRECTORY="${ROOTDIR}var/cache/apt/archives"
   35 #
   36 #################################################################################
   37 #
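    # Test        : KRNL-5622
    # Description : Check default run level on Linux machines
    # Notes       : Lookup order: the systemd default.target symlink, then SysV ${ROOTDIR}etc/inittab,
    #               and as a last resort 'who -r' (Debian/Ubuntu derivatives only; that one reads the
    #               running system, not ${ROOTDIR}). With systemd only "5" (graphical) or "3" is derived.
    #               The outcome is informational: it is reported, but nothing is scored.
    Register --test-no KRNL-5622 --os Linux --weight L --network NO --category security --description "Determine Linux default run level"
    if [ ${SKIPTEST} -eq 0 ]; then
        SYSTEMD_DEFAULT_TARGET="${ROOTDIR}etc/systemd/system/default.target"
        LogText "Test: Checking for systemd default.target"
        if [ -L "${SYSTEMD_DEFAULT_TARGET}" ]; then
            LogText "Result: symlink found"
            if HasData "${READLINKBINARY}"; then
                # A single level of readlink is enough: the target name (e.g. graphical.target) is what we classify
                FIND=$(${READLINKBINARY} "${SYSTEMD_DEFAULT_TARGET}")
                if ! HasData "${FIND}"; then
                    LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
                    ReportException "${TEST_NO}:01"
                    # Still give the user a visible outcome instead of silently skipping the line
                    Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
                else
                    case "${FIND}" in
                        *runlevel5*|*graphical*)
                            LogText "Result: Found match on runlevel5/graphical"
                            Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
                            Report "linux_default_runlevel=5"
                        ;;
                        *)
                            # Every other target (multi-user, rescue, ...) is mapped to the classic level 3
                            LogText "Result: No match found on runlevel, defaulting to runlevel 3"
                            Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
                            Report "linux_default_runlevel=3"
                        ;;
                    esac
                fi
            else
                LogText "Result: No readlink binary, can't determine where symlink is pointing to"
                Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
            fi
        else
            LogText "Result: no systemd found, so trying inittab"
            LogText "Test: Checking ${ROOTDIR}etc/inittab"
            if [ -f "${ROOTDIR}etc/inittab" ]; then
                LogText "Result: file ${ROOTDIR}etc/inittab found"
                LogText "Test: Checking default Linux run level"
                # SysV: the 'id:N:initdefault:' entry holds the level in field 2; only the first match counts
                FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' "${ROOTDIR}etc/inittab" | head -n 1)
                if IsEmpty "${FIND}"; then
                    Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW
                    LogText "Result: Can't determine default run level from ${ROOTDIR}etc/inittab"
                else
                    Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN
                    LogText "Found default run level '${FIND}'"
                    Report "linux_default_runlevel=${FIND}"
                fi
            else
                LogText "Result: file ${ROOTDIR}etc/inittab not found"
                if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
                    LogText "Test: Checking run level with who -r, for Debian based systems"
                    # 'who -r' reports the current run level of the live system, not a configured default
                    FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }')
                    if HasData "${FIND}"; then
                        LogText "Result: Found default run level '${FIND}'"
                        Report "linux_default_runlevel=${FIND}"
                        Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN
                    else
                        LogText "Result: Can't determine default run level from who -r"
                        Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
                    fi
                fi
            fi
        fi
    fi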
   99 #
  100 #################################################################################
  101 #
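    # Test        : KRNL-5677
    # Description : Check CPU options and support (PAE, No eXecute, eXecute Disable)
    # More info   : pae and nx bit are both visible on AMD and Intel CPU's if supported.
    #               Reads the live /proc/cpuinfo (not ${ROOTDIR}), so this describes the host running Lynis.
    #               Sets CPU_PAE / CPU_NX for later tests and reports cpu_pae / cpu_nx; a suggestion is
    #               raised only when neither flag is present.

    Register --test-no KRNL-5677 --platform "x86_64 amd64" --os "Linux NetBSD" --weight L --network NO --category security --description "Check CPU options and support"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 2 --text "- Checking CPU support (NX/PAE)"
        LogText "Test: Checking /proc/cpuinfo"
        if [ -f /proc/cpuinfo ]; then
            LogText "Result: found /proc/cpuinfo"
            LogText "Test: Checking CPU options (XD/NX/PAE)"
            # Match the flags as whole words. The kernel prints each flag with a leading space and no
            # trailing space, so a pattern like " pae " would miss a flag that ends the line.
            FIND_PAE=$(${EGREPBINARY} "(^|[[:space:]])pae([[:space:]]|$)" /proc/cpuinfo)
            FIND_NX=$(${EGREPBINARY} "(^|[[:space:]])nx([[:space:]]|$)" /proc/cpuinfo)
            FOUND=0
            if HasData "${FIND_PAE}" && HasData "${FIND_NX}"; then
                LogText "PAE: Yes"
                LogText "NX: Yes"
                CPU_PAE=1
                CPU_NX=1
                LogText "Result: PAE or No eXecute option(s) both found"
                Report "cpu_pae=1"
                Report "cpu_nx=1"
                FOUND=1
            elif HasData "${FIND_PAE}"; then
                Report "cpu_pae=1"
                LogText "Result: found PAE"
                CPU_PAE=1
                FOUND=1
            elif HasData "${FIND_NX}"; then
                Report "cpu_nx=1"
                LogText "Result: found No eXecute"
                CPU_NX=1
                FOUND=1
            else
                LogText "Result: found no CPU options enabled (PAE or NX bit)"
            fi
            if [ ${FOUND} -eq 1 ]; then
                Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN
            else
                Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW
                ReportSuggestion "${TEST_NO}" "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
            fi
        else
            Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW
            LogText "Result: /proc/cpuinfo not found"
        fi
    fi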
  154 #
  155 #################################################################################
  156 #
  157     # Test        : KRNL-5680
  158     # Description : Check if installed kernel has PAE support
  159     # Dependency  : KRNL-5677
  160     # More info   : RedHat/CentOS/Fedora uses the package name 'kernel-PAE'
  161 #
  162 #################################################################################
  163 #
    # Test        : KRNL-5695
    # Description : Determining Linux kernel version and release number
    # Notes       : Both values come from uname(1) of the running kernel, so they describe the host
    #               even when ${ROOTDIR} points somewhere else. They are logged and reported; nothing is scored.
    Register --test-no KRNL-5695 --os Linux --weight L --network NO --category security --description "Determine Linux kernel version and release number"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Collect first: release (number plus any distribution suffix) and version (type and build date)
        LINUX_KERNEL_RELEASE=$(uname -r)
        LINUX_KERNEL_VERSION=$(uname -v)
        # Then report and log in the same order: release before version
        Report "linux_kernel_release=${LINUX_KERNEL_RELEASE}"
        LogText "Result: found kernel release ${LINUX_KERNEL_RELEASE}"
        Report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
        LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}"
        Display --indent 2 --text "- Checking kernel version and release" --result "${STATUS_DONE}" --color GREEN
    fi
  178 #
  179 #################################################################################
  180 #
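    # Test        : KRNL-5723
    # Description : Check if Linux is build as a monolithic kernel or not
    # Notes       : Heuristic: "lsmod lists no modules" is taken to mean monolithic. MONOLITHIC_KERNEL
    #               is left untouched when lsmod or /proc/modules is unavailable, so later consumers
    #               should not assume it is always set.
    Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -n "${LSMODBINARY}" ] && [ -f /proc/modules ]; then
            LogText "Test: checking if kernel is monolithic or modular"
            # Count the module rows only (the header line is excluded); grep -c prints "0" when nothing is left
            FIND=$(${LSMODBINARY} | ${GREPBINARY} -v -c "^Module")
            Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN
            if [ "${FIND}" = "0" ]; then
                LogText "Result: Found monolithic kernel"
                Report "linux_kernel_type=monolithic"
                MONOLITHIC_KERNEL=1
            else
                LogText "Result: Found modular kernel"
                Report "linux_kernel_type=modular"
                MONOLITHIC_KERNEL=0
            fi
        else
            LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened"
        fi
    fi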
  203 #
  204 #################################################################################
  205 #
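    # Test        : KRNL-5726
    # Description : Checking Linux loaded kernel modules
    # Notes       : Reports every module name from lsmod (first column, header dropped, sorted) as
    #               loaded_kernel_module[] and shows the count. An empty list is only logged, since it
    #               can mean either a monolithic kernel or a broken lsmod.
    Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -n "${LSMODBINARY}" ] && [ -f /proc/modules ]; then
            FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort)
            Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
            if HasData "${FIND}"; then
                LogText "Loaded modules according lsmod:"
                COUNT=0
                # Word splitting on ${FIND} is intended: one module name per word
                for ITEM in ${FIND}; do
                    LogText "Loaded module: ${ITEM}"
                    Report "loaded_kernel_module[]=${ITEM}"
                    COUNT=$((COUNT + 1))
                done
                Display --indent 6 --text "Found ${COUNT} active modules"
            else
                LogText "Result: no loaded modules found"
                LogText "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
            fi
        else
            LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened"
        fi
    fi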
  230 #
  231 #################################################################################
  232 #
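    # Test        : KRNL-5728
    # Description : Checking for available Linux kernel configuration file in /boot
    # Notes       : Prefers ${ROOTDIR}boot/config-<release>, falls back to ${ROOTDIR}proc/config.gz.
    #               <release> is taken from uname -r of the running kernel; when ${ROOTDIR} is not the
    #               live root this may not match the kernel installed there (NOTE(review): confirm
    #               whether that case matters for your deployment).
    #               Fills LINUXCONFIGFILE / LINUXCONFIGFILE_ZIPPED for later tests such as KRNL-5730.
    Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config"
    if [ ${SKIPTEST} -eq 0 ]; then
        CHECKFILE="${ROOTDIR}boot/config-$(uname -r)"
        CHECKFILE_ZIPPED="${ROOTDIR}proc/config.gz"
        if [ -f "${CHECKFILE}" ]; then
            LINUXCONFIGFILE="${CHECKFILE}"
            LogText "Result: found config (${LINUXCONFIGFILE})"
            Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
        elif [ -f "${CHECKFILE_ZIPPED}" ]; then
            LINUXCONFIGFILE="${CHECKFILE_ZIPPED}"
            LINUXCONFIGFILE_ZIPPED=1
            LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)"
            Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
        else
            LogText "Result: no Linux kernel configuration file found in ${ROOTDIR}boot"
            Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
        if HasData "${LINUXCONFIGFILE}"; then
            Report "linux_config_file=${LINUXCONFIGFILE}"
        fi
    fi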
  256 #
  257 #################################################################################
  258 #
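    # Test        : KRNL-5730
    # Description : Checking default I/O kernel scheduler
    # Notes       : Reads CONFIG_DEFAULT_IOSCHED from the kernel config located by KRNL-5728 (plain
    #               file via grep, /proc/config.gz via zgrep). The value is only reported, not scored.
    #               NOTE(review): the option may simply be absent from some kernel configs, in which
    #               case "not found" is the expected result — confirm before treating it as a problem.
    #               This test could be extended with testing some of the specific devices like disks:
    #               cat /sys/block/sda/queue/scheduler
    PREQS_MET="NO"
    if HasData "${LINUXCONFIGFILE}" && [ -f "${LINUXCONFIGFILE}" ]; then
        PREQS_MET="YES"
    fi
    Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Compressed config needs zgrep; ZGREPBINARY may be empty, which is handled below
        if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
        if [ -n "${GREPTOOL}" ]; then
            LogText "Test: Checking the default I/O kernel scheduler"
            # Anchor on the assignment form so a '# CONFIG_DEFAULT_IOSCHED is not set' line does not
            # contribute an empty extra line; then keep the value after '=' and strip its double quotes
            LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "^CONFIG_DEFAULT_IOSCHED=" "${LINUXCONFIGFILE}" | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g')
            if [ -n "${LINUX_KERNEL_IOSCHED}" ]; then
                LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
                Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
                Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
            else
                LogText "Result: no default I/O kernel scheduler found"
                Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE
            fi
        else
            ReportException "${TEST_NO}" "No valid ${GREPBINARY} tool found to search kernel settings"
        fi
    fi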
  285 #
  286 #################################################################################
  287 #
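    # Test        : KRNL-5745
    # Description : Checking FreeBSD loaded kernel modules
    # Notes       : Calls /sbin/kldstat by absolute path (the audit usually runs as root, so no PATH
    #               lookup is done) and reports column 6 of its output as the module name.
    Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --category security --description "Checking FreeBSD loaded kernel modules"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 2 --text "- Checking active kernel modules"
        LogText "Test: Active kernel modules (KLDs)"
        LogText "Description: View all active kernel modules (including kernel)"
        LogText "Test: Checking modules"
        if [ -x /sbin/kldstat ]; then
            # Capture the raw output first: inside a pipeline $? would only reflect the last stage (cut),
            # so a failing kldstat could never reach the "Test failed" branch
            KLDSTAT_OUTPUT=$(/sbin/kldstat)
            if [ $? -eq 0 ]; then
                FIND=$(printf '%s\n' "${KLDSTAT_OUTPUT}" | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
                LogText "Loaded modules according kldstat:"
                COUNT=0
                for ITEM in ${FIND}; do
                    LogText "Loaded module: ${ITEM}"
                    Report "loaded_kernel_module[]=${ITEM}"
                    COUNT=$((COUNT + 1))
                done
                Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
            else
                Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
                LogText "Result: Problem with executing kldstat"
            fi
        else
            LogText "Result: no results, can't find /sbin/kldstat"
        fi
    fi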
  315 #
  316 #################################################################################
  317 #
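    # Test        : KRNL-5831
    # Description : Checking DragonFly loaded kernel modules
    # Notes       : Same approach as the FreeBSD test: /sbin/kldstat by absolute path, column 6 of
    #               its output reported as the module name.
    Register --test-no KRNL-5831 --os DragonFly --weight L --network NO --category security --description "Checking DragonFly loaded kernel modules"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 2 --text "- Checking active kernel modules"
        LogText "Test: Active kernel modules (KLDs)"
        LogText "Description: View all active kernel modules (including kernel)"
        LogText "Test: Checking modules"
        if [ -x /sbin/kldstat ]; then
            # Capture the raw output first: inside a pipeline $? would only reflect the last stage (cut),
            # so a failing kldstat could never reach the "Test failed" branch
            KLDSTAT_OUTPUT=$(/sbin/kldstat)
            if [ $? -eq 0 ]; then
                FIND=$(printf '%s\n' "${KLDSTAT_OUTPUT}" | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
                LogText "Loaded modules according kldstat:"
                COUNT=0
                for ITEM in ${FIND}; do
                    LogText "Loaded module: ${ITEM}"
                    Report "loaded_kernel_module[]=${ITEM}"
                    COUNT=$((COUNT + 1))
                done
                Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
            else
                Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
                LogText "Result: Problem with executing kldstat"
            fi
        else
            # Completes the header line printed by Display above (which carries no --result)
            echo "[ ${WHITE}SKIPPED${NORMAL} ]"
            LogText "Result: no results, can NOT find /sbin/kldstat"
        fi
    fi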
  346 #
  347 #################################################################################
  348 #
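    # Test        : KRNL-5770
    # Description : Checking Solaris load modules
    # Notes       : From 'modinfo -c -w' only rows marked LOADED (and not UNLOADED) are kept and
    #               column 3 is reported as the module name. An absent modinfo is logged and yields
    #               UNKNOWN instead of a stray "not found" error on stderr.
    Register --test-no KRNL-5770 --os Solaris --weight L --network NO --category security --description "Checking active kernel modules"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: searching loaded kernel modules"
        FIND=""
        if [ -x /usr/sbin/modinfo ]; then
            FIND=$(/usr/sbin/modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} "LOADED" | ${AWKBINARY} '{ print $3 }' | sort)
        else
            LogText "Result: /usr/sbin/modinfo not found or not executable"
        fi
        if HasData "${FIND}"; then
            for ITEM in ${FIND}; do
                LogText "Found module: ${ITEM}"
                Report "loaded_kernel_module[]=${ITEM}"
            done
            Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN
        else
            LogText "Result: no output"
            Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_UNKNOWN}" --color YELLOW
        fi
    fi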
  366 #
  367 #################################################################################
  368 #
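    # Test        : KRNL-5788
    # Description : Checking availability new kernel
    # Notes       : Debian/Ubuntu derivatives only. The installed kernel package is identified via the
    #               ${ROOTDIR}vmlinuz (or ${ROOTDIR}boot/vmlinuz) symlink and 'dpkg -S', with fallbacks
    #               for grsecurity, Raspbian and do_symlinks=No setups. 'apt-cache policy' then
    #               compares Installed against Candidate. Note that readlink, dpkg and apt-cache are
    #               executed from the live system, so the comparison describes the host, not ${ROOTDIR}.
    if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
           [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
        PREQS_MET="YES"
    else
        PREQS_MET="NO"
    fi
    Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
    if [ ${SKIPTEST} -eq 0 ]; then
        HAS_VMLINUZ=0
        FINDKERNEL=""
        LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
        if [ -x "${ROOTDIR}usr/bin/apt-cache" ]; then
            LogText "Result: found ${ROOTDIR}usr/bin/apt-cache"
            LogText "Test: checking presence of ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz"
            if [ -f "${ROOTDIR}vmlinuz" ] || [ -f "${ROOTDIR}boot/vmlinuz" ]; then
                HAS_VMLINUZ=1
                if [ -f "${ROOTDIR}vmlinuz" ]; then
                    FINDVMLINUZ="${ROOTDIR}vmlinuz"
                else
                    FINDVMLINUZ="${ROOTDIR}boot/vmlinuz"
                fi
                LogText "Result: found ${FINDVMLINUZ}"
                LogText "Test: checking readlink location of ${FINDVMLINUZ}"
                # Resolve the symlink fully so dpkg -S sees the real kernel image path
                FINDKERNFILE=$(readlink -f "${FINDVMLINUZ}")
                LogText "Output: readlink reported file ${FINDKERNFILE}"
                LogText "Test: checking package from dpkg -S"
                # dpkg -S prints "package: path"; keep the package name only
                FINDKERNEL=$(dpkg -S "${FINDKERNFILE}" 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
                LogText "Output: dpkg -S reported package ${FINDKERNEL}"
            elif [ -e "${ROOTDIR}dev/grsec" ]; then
                FINDKERNEL="linux-image-$(uname -r)"
                LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
            elif [ -e "${ROOTDIR}etc/rpi-issue" ]; then
                FINDKERNEL="raspberrypi-kernel"
                LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
            elif ${EGREPBINARY} -q 'do_symlinks.*=.*No' "${ROOTDIR}etc/kernel-img.conf" 2> /dev/null; then
                # kernel-img.conf may not exist at all; stderr is silenced for that case
                FINDKERNEL="linux-image-$(uname -r)"
                LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
            else
                LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz.  Unable to check whether kernel is up-to-date."
                ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
            fi
            LogText "Test: Using apt-cache policy to determine if there is an update available"
            # Query apt once and parse both fields from the same output. Field 2- (not 2) keeps versions
            # that carry an epoch ("1:5.10.0-8") intact; cutting at the second ':' would reduce both
            # Installed and Candidate to the epoch alone and hide a pending update.
            POLICY_OUTPUT=""
            if HasData "${FINDKERNEL}"; then
                POLICY_OUTPUT=$(apt-cache policy "${FINDKERNEL}" 2> /dev/null)
            fi
            FINDINST=$(printf '%s\n' "${POLICY_OUTPUT}" | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2- | ${TRBINARY} -d ' ')
            FINDCAND=$(printf '%s\n' "${POLICY_OUTPUT}" | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2- | ${TRBINARY} -d ' ')
            LogText "Kernel installed: ${FINDINST}"
            LogText "Kernel candidate: ${FINDCAND}"
            if IsEmpty "${FINDINST}"; then
                Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
                LogText "Result: Exception occurred, no output from apt-cache policy"
                # Only an exception when we actually had a kernel image to look up
                if [ ${HAS_VMLINUZ} -eq 1 ]; then
                    ReportException "${TEST_NO}:01"
                    ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
                fi
                LogText "Result: apt-cache policy did not return an installed kernel version"
            else
                if [ "${FINDINST}" = "${FINDCAND}" ]; then
                    if [ -e "${ROOTDIR}dev/grsec" ]; then
                        Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
                        LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
                        ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
                    else
                        Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
                        LogText "Result: no kernel update available"
                    fi
                else
                    Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
                    LogText "Result: kernel update available according 'apt-cache policy'."
                    ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
                fi
            fi
        else
            LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
        fi
    fi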
  444 #
  445 #################################################################################
  446 #
  447     # Test        : KRNL-5820
  448     # Description : Checking core dumps configuration (Linux)
  449     Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
  450     if [ ${SKIPTEST} -eq 0 ]; then
  451         Display --indent 2 --text "- Checking core dumps configuration"
  452         LogText "Test: Checking presence of systemd"
  453         # systemd option
  454         if [ $HAS_SYSTEMD -eq 1 ]; then
  455             LogText "Result: systemd is present on this system"
  456             LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/systemd/coredump.conf and ${ROOTDIR}etc/systemd/coredump.conf.d/*.conf"
  457             # check likely main config file for systemd: ${ROOTDIR}etc/systemd/coredump.conf for ProcessSizeMax=0 and Storage=none
  458             SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
  459             SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
  460             SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
  461             SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
  462             SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
  463             # check conf files in possibly existing coredump.conf.d folders 
  464             # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
  465             # while there could be multiple files overwriting each other, we are checking the number of occurrences
  466             SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
  467             SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
  468             SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
  469             SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
  470             SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
  471             if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
  472                ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
  473                ( [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
  474                ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ); then
  475                 LogText "Result: core dumps are disabled by 'ProcessSizeMax=0' and 'Storage=none' in systemd configuration files"
  476                 AddHP 1 1
  477                 TMP_COLOR="GREEN"
  478                 if [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -gt 1 ]; then
  479                     LogText "Result: 'ProcessSizeMax=0' and 'Storage=none' are set multiple times in systemd configuration files. Check config!"
  480                     ReportSuggestion "${TEST_NO}" "Check systemd configuration for duplicate entries of core dump settings"
  481                     TMP_COLOR="YELLOW"
  482                 fi
  483                 Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_DISABLED}" --color "${TMP_COLOR}"
  484             elif [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] || [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
  485                 LogText "Result: 'ProcessSizeMax=0' and 'Storage=none' are set in ${ROOTDIR}etc/systemd/coredump.conf but overwritten in subdir config files"
  486                 ReportSuggestion "${TEST_NO}" "Check systemd configuration for overwriting core dump settings"
  487                 Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color YELLOW
  488                 AddHP 0 1
  489             elif ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] ) || \
  490                  ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ) || \
  491                  ( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \
  492                  ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
  493                 LogText "Result: core dumps are explicitly enabled in systemd configuration files"
  494                 ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')"
  495                 Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED
  496                 AddHP 0 1
  497             else
  498                 LogText "Result: core dumps are not disabled in systemd configuration. Didn't find settings 'ProcessSizeMax=0' and 'Storage=none'"
  499                 Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_DEFAULT}" --color WHITE
  500                 AddHP 0 1
  501             fi
  502         fi
  503         # Profile option
  504         LogText "Test: Checking presence ${ROOTDIR}etc/profile"
  505         if [ -f "${ROOTDIR}etc/profile" ]; then
  506             LogText "Test: Checking if 'ulimit -c 0' exists in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
  507             # use tail -1 in the following commands to get the last entry, which is the one that takes effect (for profile.d/ the last entry probably counts as well)
  508             ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
  509             ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
  510             if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then
  511                 LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
  512                 Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN
  513                 AddHP 1 1
  514             elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then
  515                 LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'"
  516                 Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DEFAULT}" --color WHITE
  517                 AddHP 0 1
  518             elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then
  519                 LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'"
  520                 Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ENABLED}" --color RED
  521                 AddHP 0 1
  522             else
  523                 LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!"
  524                 Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ERROR}" --color YELLOW
  525             fi
  526         fi
  527         # Limits option
  528         LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf"
  529         if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then
  530             LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists"
  531             LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
  532             # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
  533             FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
  534             FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
  535             FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1)
  536 
  537             # When "* - core [value]" is used, this sets both the soft and the hard limit. In that case we set both values ourselves, as the types 'hard' and 'soft' will not be present in the configuration file.
  538             if [ "${FIND3}" = "core dumps disabled" ]; then
  539                 FIND1="soft core disabled"
  540                 FIND2="hard core disabled"
  541             elif [ "${FIND3}" = "core dumps enabled" ]; then
  542                 FIND1="soft core enabled"
  543                 FIND2="hard core enabled"
  544             fi
  545 
  546             IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
  547             IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
  548 
  549             if [ "${FIND2}" = "hard core disabled" ]; then
  550                 LogText "Result: core dumps are hard disabled"
  551                 Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN"
  552                 if [ "${FIND1}" = "soft core disabled" ]; then
  553                     Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
  554                 else
  555                     Display --indent 4 --text "- 'soft' config in security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN"
  556                 fi
  557                 AddHP 3 3
  558             elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then
  559                 LogText "Result: core dumps (soft and hard) are enabled"
  560                 Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
  561                 Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
  562                 ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file"
  563                 AddHP 0 3
  564             elif [ "${FIND1}" = "soft core disabled" ]; then
  565                 LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})"
  566                 Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
  567                 Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
  568                 AddHP 2 3
  569             elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then
  570                 LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})"
  571                 Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
  572                 Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
  573                 AddHP 0 3
  574             else
  575                 LogText "Result: core dumps are not explicitly disabled"
  576                 Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
  577                 Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
  578                 ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file"
  579                 AddHP 1 3
  580             fi
  581         else
  582             LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test"
  583         fi
  584 
  585         # Sysctl option
  586         LogText "Test: Checking sysctl value of fs.suid_dumpable"
  587         FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }')
  588         if [ -z "${FIND}" ]; then
  589             LogText "Result: sysctl key fs.suid_dumpable not found"
  590         else
  591             LogText "Result: value ${FIND} found"
  592         fi
  593         if [ "${FIND}" = "2" ]; then
  594             LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
  595             Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_PROTECTED}" --color WHITE
  596             AddHP 1 1
  597         elif [ "${FIND}" = "1" ]; then
  598             LogText "Result: all programs can perform core dumps (value 1, for debugging)"
  599             Display --indent 2 --text "- Checking setuid core dumps configuration" --result "${STATUS_DEBUG}" --color YELLOW
  600             ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump"
  601             AddHP 0 1
  602         else
  603             # 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped
  604             # https://www.kernel.org/doc/Documentation/sysctl/fs.txt
  605             LogText "Result: found default option (0), no execute only program or program with changed privilege levels can dump"
  606             Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
  607             AddHP 1 1
  608         fi
  609     fi
  610 #
  611 #################################################################################
  612 #
  613     # Test        : KRNL-5830
  614     # Description : Check if system needs a reboot (Linux only)
          #               Evidence used by this test: ${ROOTDIR}var/run/reboot-required.pkgs, the kernel image(s)
          #               under ${ROOTDIR}boot compared against 'uname -r', and (Raspbian) the package date of
          #               raspberrypi-kernel in ${APT_ARCHIVE_DIRECTORY} compared against the build date in 'uname -v'.
          #               REBOOT_NEEDED: 2 = undetermined, 1 = reboot needed, 0 = running kernel is the latest on disk.
          #               Security relevance: a newer kernel on disk than the one running means installed kernel
          #               fixes are not active until the system is rebooted.
  615     Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel"
  616     if [ ${SKIPTEST} -eq 0 ]; then
  617         REBOOT_NEEDED=2
  618         FILE="${ROOTDIR}var/run/reboot-required.pkgs"
  619         LogText "Test: Checking presence ${FILE}"
  620         if [ -f ${FILE} ]; then
  621             LogText "Result: file ${FILE} exists"
  622             FIND=$(${WCBINARY} -l < ${FILE})
  623             if [ "${FIND}" = "0" ]; then
  624                 LogText "Result: No reboot needed (file empty)"
  625                 REBOOT_NEEDED=0
  626             else
  627                 PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
  628                 LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
  629                 for I in ${FIND}; do
  630                     LogText "Package: ${I}"
  631                 done
  632                 REBOOT_NEEDED=1
  633             fi
  634         else
  635             LogText "Result: file ${FILE} not found"
  636         fi
  637 
  638         # Check if /boot exists
  639         if [ -d "${ROOTDIR}boot" ]; then
  640             LogText "Result: /boot exists, performing more tests from here"
  641             FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null)
  642             if [ -n "${FIND}" ]; then
  643                 if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then
  644                     LogText "Result: found /boot/vmlinuz (not symlinked)"
  645                     NEXTLINE=0
  646                     FINDVERSION=""
  647                     for I in $(file ${ROOTDIR}boot/vmlinuz-linux); do
  648                         if [ ${NEXTLINE} -eq 1 ]; then
  649                             FINDVERSION="${I}"
  650                             break
  651                         else
  652                             # Searching for the Linux kernel after the keyword 'version'
  653                             if [ "${I}" = "version" ]; then NEXTLINE=1; fi
  654                         fi
  655                     done
  656                     if [ -n "${FINDVERSION}" ]; then
  657                         CURRENT_KERNEL=$(uname -r)
  658                         if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
  659                             LogText "Result: reboot needed, as current kernel is different than the one loaded"
  660                             REBOOT_NEEDED=1
  661                         fi
  662                     else
  663                         ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
  664                     fi
  665                 elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then
  666                     if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
  667                         LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux"
  668                         FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux
  669                     elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
  670                         LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts"
  671                         FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts
  672                     elif [ -f ${ROOTDIR}boot/vmlinuz-lts ]; then
  673                         LogText "Result: found ${ROOTDIR}boot/vmlinuz-lts"
  674                         FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-lts
  675                     else
  676                         # Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Sort based on versions (-v) and then find the last item
  677                         # Note: ignore a rescue kernel (e.g. CentOS)
  678                         FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${TAILBINARY} -1)
  679                         LogText "Result: found ${FOUND_VMLINUZ}"
  680                     fi
  681 
  682                     VERSION_ON_DISK=""
  683                     if [ -L "${FOUND_VMLINUZ}" ]; then
  684                         LogText "Result: found a symlink, retrieving destination"
  685                         FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}")
  686                         LogText "Result: destination file is ${FOUND_VMLINUZ}"
  687                         VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
  688                         LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
  689                     elif [ -f "${FOUND_VMLINUZ}" ]; then
  690                         VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//' | ${SEDBINARY} '$s/-\?\(linux\)\?-\?\(lts\)\?//')
  691                         LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
  692 
  693                     fi
  694 
  695                     # Data check: perform reset if we found a version but looks incomplete
  696                     # Example: Arch Linux will return only 'linux' as its version after it discovered /boot/vmlinuz-linux
  697                     case ${VERSION_ON_DISK} in
  698                         "linux" | "linux-lts")
  699                             LogText "Result: reset of version (${VERSION_ON_DISK}) as it looks incomplete"
  700                             VERSION_ON_DISK=""
  701                         ;;
  702                     esac
  703 
  704                     # If we did not find the version yet, see if we can extract it from the magic data that 'file' returns
  705                     if [ -z "${VERSION_ON_DISK}" ]; then
  706                         LogText "Test: checking kernel version on disk"
  707                         NEXTLINE=0
  708                         VERSION_ON_DISK=""
  709                         for I in $(file ${FOUND_VMLINUZ}); do
  710                             if [ ${NEXTLINE} -eq 1 ]; then
  711                                 VERSION_ON_DISK="${I}"
  712                                 break
  713                             else
  714                                 # Searching for the Linux kernel after the keyword 'version'
  715                                 if [ "${I}" = "version" ]; then NEXTLINE=1; fi
  716                             fi
  717                         done
  718                     fi
  719 
  720                     # Last check if we finally got a version or not
  721                     if [ -z "${VERSION_ON_DISK}" ]; then
  722                         LogText "Result: could not find the version on disk"
  723                         ReportException "${TEST_NO}:4" "Could not find the kernel version"
  724                     else
  725                         LogText "Result: found version ${VERSION_ON_DISK}"
  726                         ACTIVE_KERNEL=$(uname -r)
  727                         LogText "Result: active kernel version ${ACTIVE_KERNEL}"
  728                         if [ "${VERSION_ON_DISK}" = "${ACTIVE_KERNEL}" ]; then
  729                             REBOOT_NEEDED=0
  730                             LogText "Result: no reboot needed, active kernel is the same version as the one on disk"
  731                         else
  732                             REBOOT_NEEDED=1
  733                             LogText "Result: reboot needed, as there is a difference between active kernel and the one on disk"
  734                         fi
  735                     fi
  736                 else
  737                     if [ -L ${ROOTDIR}boot/vmlinuz ]; then
  738                         LogText "Result: found symlink of ${ROOTDIR}boot/vmlinuz, skipping file"
  739                     else
  740                         LogText "Result: ${ROOTDIR}boot/vmlinuz not on disk, trying to find ${ROOTDIR}boot/vmlinuz*"
  741                     fi
  742                     # Extract the current kernel version and replace dashes to allow numeric ${SORTBINARY} later on
  743                     MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g')
  744                     LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
  745                     FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)
  746                     if [ -n "${FIND}" ]; then
  747                         for ITEM in ${FIND}; do
  748                             LogText "Result: found ${ITEM}"
  749                         done
  750                         # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
  751                         # Ignore rescue images. Remove generic. and huge. for Slackware machines
  752                         # TODO: see if this can be simplified using ls -v sorting
  753                         LogText "Action: checking relevant kernels"
  754                         KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
  755                         KERNELS_ONE_LINE=$(${ECHOCMD} ${KERNELS} | ${TRBINARY} '\n' ' ')
  756                         LogText "Output: ${KERNELS_ONE_LINE}"
  757                     elif [ ! "$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]; then
  758                         LogText "Output: Found a kernel file in ${ROOTDIR}boot"
  759                         # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
  760                         # Examples:
  761                         # /boot/kernel-genkernel-x86_64-3.14.14-gentoo
  762                         KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
  763                         if [ -n "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
  764                     else
  765                         ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"
  766                     fi
  767                     if [ -n "${KERNELS}" ]; then
  768                         FOUND_KERNEL=0
  769                         for I in ${KERNELS}; do
  770                             # Check if we already found the active kernel and this entry differs from it (e.g. duplicate versions may exist); as the list is sorted, a later differing entry is a newer kernel
  771                             if [ ${FOUND_KERNEL} -eq 1 -a ! "${MYKERNEL}" = "${I}" ]; then
  772                                 LogText "Result: found a kernel (${I}) later than active kernel (${MYKERNEL})"
  773                                 REBOOT_NEEDED=1
  774                             fi
  775                             if [ "${MYKERNEL}" = "${I}" ]; then
  776                                 FOUND_KERNEL=1
  777                                 LogText "Result: found ${I} (= active kernel)"
  778                             else
  779                                 LogText "Result: found ${I}"
  780                             fi
  781                         done
  782                         # Check if we at least found the kernel on disk
  783                         if [ ${FOUND_KERNEL} -eq 0 ]; then
  784                             ReportException "${TEST_NO}:3" "Could not find our running kernel on disk, which is unexpected"
  785                         else
  786                             # If we are not sure yet whether a reboot is needed, but the running kernel is the last one found on disk, we are running the latest kernel
  787                             if [ ${REBOOT_NEEDED} -eq 2 ]; then
  788                                 LogText "Result: found the running kernel on disk being the last entry, so it looks up-to-date"
  789                                 REBOOT_NEEDED=0
  790                             fi
  791                         fi
  792                     fi
  793                 fi
  794             # No files in /boot
  795             else
  796                 LogText "Result: Skipping this test, as there are no files in /boot"
  797             fi
  798         else
  799             LogText "Result: /boot does not exist or not privileged to read files"
  800         fi
  801 
  802         # Attempt to check for Raspbian if reboot is needed
  803         # This check searches for the apt package "raspberrypi-kernel-[package-date]", tries to extract the packaging date from the file name
  804         # and compares that date with the currently running kernel's build date (uname -v).
  805         # Of course there can be a time difference between kernel build and kernel packaging, therefore a time difference of
  806         # 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version.
  807         if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then
  808             LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution"
  809             LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name"
  810 
  811             FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \
  812             | ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
  813 
  814             if [ -n "${FOUND_KERNEL_DATE}" ]; then
  815                 FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null)
  816             else
  817                 LogText "Result: Skipping this test, as there was no package date to extract"
  818             fi
  819 
  820             if [ -n "${FOUND_KERNEL_IN_SECONDS}" ] && [ ${FOUND_KERNEL_IN_SECONDS} -gt 1 ]; then
  821                 LogText "Result: Got package date: ${FOUND_KERNEL_DATE} (= ${FOUND_KERNEL_IN_SECONDS} seconds)"
  822                 UNAME_OUTPUT="$(${UNAMEBINARY} -v 2> /dev/null)"
  823             else
  824                 LogText "Result: Skipping this test, as extracting the seconds of package date failed"
  825             fi
  826             
  827             if [ -n "${UNAME_OUTPUT}" ]; then
  828                 LogText "Result: Got an output from 'uname -v'"
  829                 LogText "Check: Trying to extract kernel build date from 'uname -v' output"
  830                 next=""
  831                 for part in ${UNAME_OUTPUT}; do
  832                     if [ -z "$next" ]; then
  833                         if [ "${part}" = "Mon" ] || [ "${part}" = "Tue" ] || [ "${part}" = "Wed" ] || [ "${part}" = "Thu" ] || [ "${part}" = "Fri" ] || [ "${part}" = "Sat" ] || [ "${part}" = "Sun" ]; then
  834                             next="month"
  835                         fi
  836                     elif [ "$next" = "month" ]; then
  837                         if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then
  838                             UNAME_DATE_MONTH="${part}"
  839                             next="day"
  840                         fi
  841                     elif [ "${next}" = "day" ]; then
  842                         if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
  843                             UNAME_DATE_DAY="${part}"
  844                             next="time"
  845                         fi
  846                     elif [ "${next}" = "time" ]; then
  847                         if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then
  848                             next="year"
  849                         fi
  850                     elif [ "${next}" = "year" ]; then
  851                         if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
  852                             UNAME_DATE_YEAR="${part}"
  853                             break
  854                         fi
  855                     fi
  856                 done
  857                 if [ -n "${UNAME_DATE_MONTH}" ] && [ -n "${UNAME_DATE_DAY}" ] && [ -n "${UNAME_DATE_YEAR}" ]; then
  858                     LogText "Result: Extracted kernel build date is: ${UNAME_DATE_DAY} ${UNAME_DATE_MONTH} ${UNAME_DATE_YEAR}"
  859                     UNAME_DATE_IN_SECONDS=$(date -d "${UNAME_DATE_DAY} ${UNAME_DATE_MONTH} ${UNAME_DATE_YEAR}" "+%s" 2> /dev/null)
  860                     LogText "Check: Comparing kernel build date in seconds (${UNAME_DATE_IN_SECONDS}s) with package date in seconds (${FOUND_KERNEL_IN_SECONDS}s)"
  861                     if [ -n "${UNAME_DATE_IN_SECONDS}" ] && [ ${FOUND_KERNEL_IN_SECONDS} -ge ${UNAME_DATE_IN_SECONDS} ]; then
  862                         LogText "Result: package creation date is older than running kernel. Hence, this check should be valid."
  863                         LogText "Check if package create date and kernel build date are not more than 3 days apart."
  864 
  865                         SECONDS_APART=$(( ${FOUND_KERNEL_IN_SECONDS} - ${UNAME_DATE_IN_SECONDS} ))
  866                         if [ ${SECONDS_APART} -ge 60 ]; then
  867                             MINUTES_APART=$(( ${SECONDS_APART} / 60 ))
  868                             if [ ${MINUTES_APART} -ge 60 ]; then
  869                                 DAYS_APART=$(( ${MINUTES_APART} / 60 ))
  870                                 if [ ${DAYS_APART} -ge 24 ]; then DAYS_APART=$(( ${DAYS_APART} / 24 )); else DAYS_APART=0; fi
  871                             else
  872                                 DAYS_APART=0
  873                             fi
  874                         else
  875                             DAYS_APART=0
  876                         fi
  877                         # assuming kernels are packaged definitely within 3 days. ACCEPTED_TIME_DIFF needs a value in seconds
  878                         ACCEPTED_TIME_DIFF=$((3 * 24 * 60 * 60))
  879                         if [ ${FOUND_KERNEL_IN_SECONDS} -le $((${UNAME_DATE_IN_SECONDS} + ${ACCEPTED_TIME_DIFF})) ]; then
  880                             LogText "Result: package create date and kernel build date are only ${DAYS_APART} day(s) apart."
  881                             LogText "Result: Assuming no reboot needed."
  882                             REBOOT_NEEDED=0
  883                         else
  884                             LogText "Result: package create date and kernel build date are ${DAYS_APART} day(s) apart."
  885                             LogText "Result: Assuming reboot is needed."
  886                             REBOOT_NEEDED=1
  887                         fi
  888                     else
  889                         LogText "Result: Package's create date is older than running kernel, which is unexpected. Might not be a valid test. Skipping..."
  890                     fi
  891                 else
  892                     LogText "Result: Could not extract Day, Month and Year from 'uname -v' output"
  893                 fi
  894             else
  895                 LogText "Result: Did not get output from 'uname -v'. Skipping test."
  896             fi
  897                 
  898             
  899         else
  900             LogText "Result: /var/cache/apt/archives/ does not exist"
  901         fi
  902 
  903         # Display discovered status
  904         if [ ${REBOOT_NEEDED} -eq 0 ]; then
  905             Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_NO}" --color GREEN
  906             AddHP 5 5
  907         elif [ ${REBOOT_NEEDED} -eq 1 ]; then
  908             Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED
  909             ReportWarning "${TEST_NO}" "Reboot of system is most likely needed" "" "text:reboot"
  910             AddHP 0 5
  911         else
  912             Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW
  913         fi
  914     fi
  915 #
  916 #################################################################################
  917 #
  918 
  919 WaitForKeyPress
  920 
  921 #
  922 #================================================================================
  923 # Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com