"Fossies" - the Fresh Open Source Software Archive

Member "lynis/include/tests_ports_packages" (22 Jul 2021, 77401 Bytes) of package /linux/misc/lynis-3.0.6.tar.gz:



    1 #!/bin/sh
    2 
    3 #################################################################################
    4 #
    5 #   Lynis
    6 # ------------------
    7 #
    8 # Copyright 2007-2013, Michael Boelen
    9 # Copyright 2007-2021, CISOfy
   10 #
   11 # Website  : https://cisofy.com
   12 # Blog     : http://linux-audit.com
   13 # GitHub   : https://github.com/CISOfy/lynis
   14 #
   15 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
   16 # welcome to redistribute it under the terms of the GNU General Public License.
   17 # See LICENSE file for usage of this software.
   18 #
   19 #################################################################################
   20 #
   21 # Ports and packages
   22 #
   23 #################################################################################
   24 #
   25     InsertSection "${SECTION_PORTS_AND_PACKAGES}"
   26     PACKAGE_MGR_PKG=0
   27     PACKAGE_AUDIT_TOOL=""
   28     PACKAGE_AUDIT_TOOL_FOUND=0
   29     PACMANCONF="${ROOTDIR}etc/pacman.conf"
   30     INSTALLED_PACKAGES=""
   31 #
   32 #################################################################################
   33 #
   34     Display --indent 2 --text "- Searching package managers"
   35 #
   36 #################################################################################
   37 #
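    # Test        : PKGS-7301
    # Description : Query FreeBSD pkg
    # Notes       : The prerequisite is the pkg binary below ROOTDIR. Every call in
    #               this test uses that same path, so the result does not depend on
    #               what 'pkg' resolves to through the caller's PATH.
    if [ -x "${ROOTDIR}usr/sbin/pkg" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD pkg"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Store only the exit status of 'pkg -N' in FIND. Capturing the command's
        # output together with "echo $?" equals "0" only when the command prints
        # nothing at all, so any status message would make the comparison fail.
        "${ROOTDIR}usr/sbin/pkg" -N > /dev/null 2>&1
        FIND=$?
        if [ "${FIND}" = "0" ]; then
            Display --indent 4 --text "- Searching packages with pkg" --result "${STATUS_FOUND}" --color GREEN
            Report "package_manager[]=pkg"
            PACKAGE_MGR_PKG=1
            LogText "Result: Found pkg"
            LogText "Test: Querying pkg to get package list"
            Display --indent 6 --text "- Querying pkg for installed packages"
            LogText "Output:"; LogText "-----"
            # One "name,version" word per package; the loop relies on word splitting
            SPACKAGES=$("${ROOTDIR}usr/sbin/pkg" query '%n,%v')
            for ITEM in ${SPACKAGES}; do
                sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
                sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
                LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
                INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
            done
        fi
    fi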
   61 #
   62 #################################################################################
   63 #
    # Test        : PKGS-7302
    # Description : Query FreeBSD/NetBSD pkg_info
    # Notes       : Each pkg_info line is cut down to its first column and rewritten
    #               from "name-version" to "name,version" before it is logged.
    PREQS_MET="NO"
    if [ -x ${ROOTDIR}usr/sbin/pkg_info ]; then PREQS_MET="YES"; fi
    Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD/NetBSD pkg_info"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Found pkg_info"
        Report "package_manager[]=pkg_info"
        LogText "Test: Querying pkg_info to get package list"
        Display --indent 6 --text "- Querying pkg_info for installed packages"
        LogText "Output:"
        LogText "-----"
        SPACKAGES=$(${ROOTDIR}usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1 | ${SEDBINARY} -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g')
        # Number of packages seen, written to the report after the loop
        COUNT=0
        for ITEM in ${SPACKAGES}; do
            sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
            sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
            LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
            COUNT=$((COUNT + 1))
        done
        Report "installed_packages=${COUNT}"
    fi
   86 #
   87 #################################################################################
   88 #
    # Test        : PKGS-7303
    # Description : Query brew package manager
    # NOTE(review): brew is located with 'which' and later started by its bare name,
    # so both steps follow the caller's PATH - confirm that PATH is trusted when
    # the audit runs with elevated privileges.
    FIND=$(which brew 2> /dev/null | grep -v "no [^ ]* in ")
    PREQS_MET="NO"
    if [ -n "${FIND}" ]; then PREQS_MET="YES"; fi
    Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Found brew"
        PACKAGE_MGR_PKG=1
        Report "package_manager[]=brew"
        LogText "Test: Querying brew to get package list"
        Display --indent 4 --text "- Querying brew for installed packages"
        LogText "Output:"
        LogText "-----"
        # Every word printed by 'brew list' is logged and recorded as one package
        GPACKAGES=$(brew list)
        for J in ${GPACKAGES}; do
            LogText "Found package ${J}"
            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
        done
    else
        LogText "Result: brew can NOT be found on this system"
    fi
  110 #
  111 #################################################################################
  112 #
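    # Test        : PKGS-7304
    # Description : Gentoo packages
    # Notes       : equery is started from the path that the prerequisite check
    #               verified, not from whatever 'equery' resolves to through PATH.
    #               The two -x checks are joined with && instead of the obsolescent
    #               'test ... -a ...' form.
    if [ -x "${ROOTDIR}usr/bin/emerge" ] && [ -x "${ROOTDIR}usr/bin/equery" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Gentoo packages"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 4 --text "- Searching emerge" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Found Gentoo emerge"
        Report "package_manager[]=emerge"
        LogText "Test: Querying portage to get package list"
        Display --indent 4 --text "- Querying portage for installed packages"
        LogText "Output:"; LogText "-----"
        # NOTE(review): the bracket expression [.*] deletes every literal '.' and '*'
        # from the listing, which also strips the dots out of version numbers -
        # confirm whether \[.*\] (a bracketed status field) was intended.
        GPACKAGES=$("${ROOTDIR}usr/bin/equery" l '*' | ${SEDBINARY} -e 's/[.*]//g')
        for PKG in ${GPACKAGES}; do
            LogText "Found package ${PKG}"
            # No separate version is known at this point, so "0" is stored for it
            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
        done
    else
        LogText "Result: emerge can NOT be found on this system"
    fi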
  132 #
  133 #
  134 #################################################################################
  135 #
    # Test        : PKGS-7306
    # Description : Solaris packages
    # Notes       : Takes the second column of 'pkginfo -i' as the package name and
    #               removes a leading "SUNW" from it.
    PREQS_MET="NO"
    if [ -x ${ROOTDIR}usr/bin/pkginfo ]; then PREQS_MET="YES"; fi
    Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Solaris packages"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Found Solaris pkginfo"
        Report "package_manager[]=pkginfo"
        PACKAGE_MGR_PKG=1
        LogText "Test: Querying pkginfo to get package list"
        Display --indent 4 --text "- Querying pkginfo for installed packages"
        LogText "Output:"
        LogText "-----"
        # Strip SUNW from strings
        SPACKAGES=$(${ROOTDIR}usr/bin/pkginfo -i | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2 | ${SEDBINARY} "s#^SUNW##")
        for J in ${SPACKAGES}; do
            LogText "Found package ${J}"
            # The version is not collected here; "0" is stored in its place
            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
        done
    else
        LogText "Result: pkginfo can NOT be found on this system"
    fi
  157 #
  158 #################################################################################
  159 #
    # Test        : PKGS-7308
    # Description : RPM package based systems
    # Notes       : Runs only when an rpm binary is known and no DNF binary is set.
    #               An empty 'rpm -qa' result is reported as a suggestion, because
    #               the binary exists but shows no packages.
    PREQS_MET="NO"
    if [ -n "${RPMBINARY}" ] && [ -z "${DNFBINARY}" ]; then PREQS_MET="YES"; fi
    Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
    if [ ${SKIPTEST} -eq 0 ]; then
        COUNT=0
        Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Found rpm binary (${RPMBINARY})"
        Report "package_manager[]=rpm"
        LogText "Test: Querying 'rpm -qa' to get package list"
        Display --indent 6 --text "- Querying RPM package manager"
        LogText "Output:"
        LogText "--------"
        # One "name,version-release.arch" word per package
        SPACKAGES=$(${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort)
        if [ -n "${SPACKAGES}" ]; then
            for PKG in ${SPACKAGES}; do
                COUNT=$((COUNT + 1))
                PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{print $1}')
                PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{print $2}')
                LogText "Found package: ${PKG}"
                INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
            done
            Report "installed_packages=${COUNT}"
        else
            LogText "Result: RPM binary available, but package list seems to be empty"
            LogText "Info: looks like the rpm binary is installed, but not used for package installation"
            ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
        fi
    else
        LogText "Result: RPM binary NOT found on this system, test skipped"
    fi
  190 #
  191 #################################################################################
  192 #
    # Test        : PKGS-7310
    # Description : pacman package based systems
    # Notes       : Needs both a pacman binary and the pacman.conf file. The spaces
    #               in 'pacman -Q' output are turned into commas so that every
    #               package stays a single word in the loop.
    PREQS_MET="NO"
    if [ -n "${PACMANBINARY}" ] && [ -f "${PACMANCONF}" ]; then PREQS_MET="YES"; fi
    Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
    if [ ${SKIPTEST} -eq 0 ]; then
        COUNT=0
        Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Found pacman binary (${PACMANBINARY})"
        Report "package_manager[]=pacman"
        PACKAGE_MGR_PKG=1
        LogText "Test: Querying 'pacman -Q' to get package list"
        Display --indent 6 --text "- Querying pacman package manager"
        LogText "Output:"
        LogText "--------"
        SPACKAGES=$(${PACMANBINARY} -Q | ${SORTBINARY} | ${SEDBINARY} 's/ /,/g')
        if [ -n "${SPACKAGES}" ]; then
            for PKG in ${SPACKAGES}; do
                COUNT=$((COUNT + 1))
                PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $1 }')
                PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $2 }')
                LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
                INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG}"
            done
            Report "installed_packages=${COUNT}"
        else
            LogText "Result: pacman binary available, but package list seems to be empty"
            LogText "Info: looks like the pacman binary is installed, but not used for package installation"
        fi
    fi
  221 #
  222 #################################################################################
  223 #
    # Test        : PKGS-7312
    # Description : Check for available package updates when pacman package is used
    # NOTE(review): every whitespace-separated word printed by checkupdates is
    # reported as its own update entry. If a line holds more than the package name
    # (for example old and new version), each part is reported separately -
    # confirm against the tool's output format.
    # NOTE(review): checkupdates is found and started through PATH - confirm that
    # PATH is trusted when the audit runs with elevated privileges.
    PREQS_MET="NO"
    if [ -n "${PACMANBINARY}" ] && [ -f "${PACMANCONF}" ]; then PREQS_MET="YES"; fi
    Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        FIND=$(which checkupdates 2> /dev/null | grep -v "no [^ ]* in ")
        if [ -z "${FIND}" ]; then
            LogText "Result: skipping this test, can't find checkupdates binary"
        else
            FIND=$(checkupdates)
            for I in ${FIND}; do
                LogText "Result: update available for ${I}"
                Report "available_update[]=${I}"
                FOUND=1
            done
            if [ ${FOUND} -eq 1 ]; then
                Display --indent 4 --text "- Searching update status (checkupdates)" --result "OUTDATED" --color YELLOW
                ReportSuggestion "${TEST_NO}" "Perform update of system updates as this system uses rolling updates"
            else
                Display --indent 4 --text "- Searching update status (checkupdates)" --result "UP-TO-DATE" --color GREEN
            fi
        fi
    else
        LogText "Result: pacman binary NOT found on this system, test skipped"
    fi
  250 #
  251 #################################################################################
  252 #
    # Test        : PKGS-7314
    # Description : Check pacman.conf options
    # Notes       : Reports every configured option (lines starting with a capital
    #               letter) and every repository (lines of the form "[name]") found
    #               in pacman.conf. Nothing is rated here, the values are only
    #               logged and written to the report.
    PREQS_MET="NO"
    if [ -n "${PACMANBINARY}" ] && [ -f "${PACMANCONF}" ]; then PREQS_MET="YES"; fi
    Register --test-no PKGS-7314 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking pacman configuration options"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Check configuration options (options start with a capital)
        LogText "Test: searching configured options in ${PACMANCONF}"
        # Spaces are masked as ":space:" so that each line survives word splitting
        # in the loop; they are restored before the line is split at '='
        FIND=$(${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | ${SEDBINARY} 's/ /:space:/g')
        for I in ${FIND}; do
            PMOPTION=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }')
            PMVALUE=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }')
            LogText "Result: found option ${PMOPTION} configured with value ${PMVALUE}"
            Report "pacman_option[]=${PMOPTION}:${PMVALUE}:"
        done

        # Check software repositories
        LogText "Test: checking available repositories"
        FIND=$(${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | ${TRBINARY} -d '[]')
        # Number of section headers found in the file
        COUNT=0
        for I in ${FIND}; do
            Report "package_repository[]=${I}"
            COUNT=$((COUNT + 1))
        done
        LogText "Result: found ${COUNT} repositories"
    fi
  278 #
  279 #################################################################################
  280 #
  281     # TODO
  282 
  283     ## Test        : PKGS-7318
  284     ## Description : APT configuration
  285     #if [ -x ${ROOTDIR}usr/bin/apt-config ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
  286     #Register --test-no PKGS-7318 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "APT configuration"
  287     #if [ ${SKIPTEST} -eq 0 ]; then
  288     #    LogText "Test: check APT configuration"
  289     #    if ! SkipAtomicTest ${TEST_NO}:atomicname; then
  290     #    # Acquire::AllowInsecureRepositories should be 0 (could be 1)
  291     #    # Acquire::AllowDowngradeToInsecureRepositories should be 0
  292     #    # Binary::apt::Acquire::AllowInsecureRepositories should be 0
  293     #fi
  294 #
  295 #################################################################################
  296 #
    # Test        : PKGS-7320
    # Description : Check availability of arch-audit
    # Notes       : Applies to "Arch Linux" and "Arch Linux 32" only. When the
    #               binary is known, it is recorded as the package audit tool.
    PREQS_MET="NO"
    SKIPREASON="Test only applies to Arch Linux"
    if [ "${OS_FULLNAME}" = "Arch Linux" ] || [ "${OS_FULLNAME}" = "Arch Linux 32" ]; then
        PREQS_MET="YES"
        SKIPREASON=""
    fi
    Register --test-no PKGS-7320 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking for arch-audit tooling"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -n "${ARCH_AUDIT_BINARY}" ]; then
            PACKAGE_AUDIT_TOOL_FOUND=1
            PACKAGE_AUDIT_TOOL="arch-audit"
            LogText "Result: arch-audit binary found (${ARCH_AUDIT_BINARY})"
            AddHP 3 3
        else
            LogText "Result: no arch-audit binary found"
            AddHP 1 2
            ReportSuggestion "${TEST_NO}" "Consider installing arch-audit to determine vulnerable packages" "arch-audit" "text:Install arch-audit"
        fi
    fi
  313 #
  314 #################################################################################
  315 #
    # Test        : PKGS-7322
    # Description : Discover vulnerable packages with arch-audit
    # Notes       : The pipeline condenses the arch-audit output into one sorted
    #               line per package, with a "|cve=" marker in front of the
    #               collected identifiers. Each resulting line is reported as a
    #               vulnerable package.
    # NOTE(review): the parsing depends on the exact wording and column layout of
    # arch-audit output, which is not visible here - verify it against the
    # arch-audit version in use, since unmatched output leaves FIND empty and is
    # logged as "no vulnerable packages".
    PREQS_MET="NO"
    SKIPREASON="arch-audit not found"
    if [ -n "${ARCH_AUDIT_BINARY}" ]; then
        PREQS_MET="YES"
        SKIPREASON=""
    fi
    Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking arch-audit output for vulnerable packages"
        FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, //g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{ if($1=="Package") { print $2"|"$6"|"}}' | ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,/|cve=/' | ${SORTBINARY})
        if [ -n "${FIND}" ]; then
            LogText "Result: found one or more vulnerable packages"
            for ITEM in ${FIND}; do
                LogText "Found line: ${ITEM}"
                Report "vulnerable_package[]=${ITEM}"
                AddHP 1 2
            done
            ReportWarning "${TEST_NO}" "Vulnerable packages found" "arch-audit has output" "text:Run arch-audit to see the output, and when needed update the packages with pacman -Suy"
        else
            LogText "Result: no vulnerable packages found with arch-audit"
            AddHP 10 10
        fi
    fi
  336 #
  337 #################################################################################
  338 #
    # Test        : PKGS-7328
    # Description : Check installed packages with Zypper
    # Notes       : Records zypper as the package audit tool and takes the third
    #               column of every search result line whose first column is "i".
    PREQS_MET="NO"
    if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; fi
    Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
    if [ ${SKIPTEST} -eq 0 ]; then
        COUNT=0
        PACKAGE_AUDIT_TOOL_FOUND=1
        PACKAGE_AUDIT_TOOL="zypper"
        FIND=$(${ZYPPERBINARY} --non-interactive -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
        if [ -z "${FIND}" ]; then
            # Could not find any installed packages
            ReportException "${TEST_NO}" "No installed packages found with Zypper"
        else
            for PKG in ${FIND}; do
                COUNT=$((COUNT + 1))
                LogText "Installed package: ${PKG}"
                # The version is not collected here; "0" is stored in its place
                INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
            done
            Report "installed_packages=${COUNT}"
        fi
    fi
  360 #
  361 #################################################################################
  362 #
    # Test        : PKGS-7330
    # Description : Check vulnerable packages with Zypper
    # NOTE(review): the system counts as clean only when 'zypper pchk' prints the
    # literal text "(0 security patches)". Any other outcome, including a zypper
    # run that fails before it can report, takes the warning branch - confirm
    # that this is intended, and that the text is not localized on the target.
    PREQS_MET="NO"
    if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; fi
    Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
    if [ ${SKIPTEST} -eq 0 ]; then
        FIND=$(${ZYPPERBINARY} --non-interactive pchk | ${GREPBINARY} "(0 security patches)")
        if [ -z "${FIND}" ]; then
            Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
            LogText "Result: Zypper found one or more installed packages which are vulnerable."
            ReportWarning "${TEST_NO}" "Found one or more vulnerable packages installed"
            # Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
            FIND=$(${ZYPPERBINARY} --non-interactive lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
            LogText "List of vulnerable packages/version:"
            for PKG in ${FIND}; do
                VULNERABLE_PACKAGES_FOUND=1
                Report "vulnerable_package[]=${PKG}"
                LogText "Vulnerable package: ${PKG}"
                # Adjust the hardening points once for every vulnerable package found
                AddHP 1 2
            done
        else
            LogText "Result: No security updates found with Zypper"
            Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
        fi
    fi
  388 #
  389 #################################################################################
  390 #
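    # Test        : PKGS-7332
    # Description : Query macOS ports
    # Notes       : Fixes compared with the previous version of this test:
    #               - FIND holds only the exit status of 'port installed'. Before,
    #                 it also held the command output, so it equalled "0" only
    #                 when no active port was listed.
    #               - The result column uses ${STATUS_FOUND}; the '$' was missing.
    #               - Packages are appended to INSTALLED_PACKAGES. Before, the list
    #                 was overwritten from INSTALLED_PORTS, a name that appears
    #                 nowhere else in this part of the file.
    #               - Name and version are joined into one word per port, so word
    #                 splitting in the loop no longer separates them.
    # NOTE(review): unlike the other Register calls in this file, this one passes
    # no --category - confirm whether that is intended.
    if [ -x "${ROOTDIR}opt/local/bin/port" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7332 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --description "Query macOS ports"
    if [ ${SKIPTEST} -eq 0 ]; then
        "${ROOTDIR}opt/local/bin/port" installed > /dev/null 2>&1
        FIND=$?
        if [ "${FIND}" = "0" ]; then
            Display --indent 4 --text "- Searching packages with port" --result "${STATUS_FOUND}" --color GREEN
            Report "package_manager[]=port"
            PACKAGE_MGR_PKG=1
            LogText "Result: Found port utility"
            LogText "Test: Querying port to get package list"
            Display --indent 6 --text "- Querying port for installed packages"
            LogText "Output:"; LogText "-----"
            # Assumes lines of the form "name @version (active)", which is what the
            # '@' and ' ' cuts of the earlier parsing imply - TODO confirm against
            # the output of the port version in use. Result: "name@version".
            SPACKAGES=$("${ROOTDIR}opt/local/bin/port" installed | ${GREPBINARY} active | ${AWKBINARY} '{ print $1 $2 }')
            for ITEM in ${SPACKAGES}; do
                SPORT_NAME=$(echo ${ITEM} | ${CUTBINARY} -d@ -f1)
                SPORT_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d@ -f2)
                LogText "Installed package: ${SPORT_NAME} (version: ${SPORT_VERSION})"
                # Same "name,version" layout that the dpkg and DNF tests store
                INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${SPORT_NAME},${SPORT_VERSION}"
            done
        fi
    fi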
  414 #
  415 #################################################################################
  416 #
    # Test        : PKGS-7334
    # Description : Query macOS ports for available port upgrades
    # NOTE(review): the first word of every line printed by 'port outdated' is
    # counted as an upgradable port. If the command prints a heading or a
    # "nothing outdated" sentence on standard output, its first word is counted
    # too - confirm against the output of the port version in use.
    PREQS_MET="NO"
    if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; fi
    Register --test-no PKGS-7334 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query port for port upgrades"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Querying ports for possible port upgrades"
        UPACKAGES=$(${ROOTDIR}opt/local/bin/port outdated 2> /dev/null | ${CUTBINARY} -d' ' -f1)
        # Number of upgradable ports, written to the report after the loop
        COUNT=0
        for J in ${UPACKAGES}; do
            LogText "Upgrade available (new version): ${J}"
            Report "upgrade_available[]=${J}"
            COUNT=$((COUNT + 1))
        done
        Report "upgrade_available_count=${COUNT}"
        if [ ${COUNT} -eq 0 ]; then
            LogText "Result: no upgrades found"
            Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_NONE}" --color GREEN
            AddHP 2 2
        else
            Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_FOUND}" --color YELLOW
        fi
    fi
  439 #
  440 #################################################################################
  441 #
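    # Test        : PKGS-7345
    # Description : Debian package based systems (dpkg)
    # Notes       : dpkg is started from the path that the prerequisite check
    #               verified, as test PKGS-7346 already does. Before, the listing
    #               came from whatever 'dpkg' resolved to through PATH, which may
    #               be a different binary than the one that was checked.
    if [ -x "${ROOTDIR}usr/bin/dpkg" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying dpkg"
    if [ ${SKIPTEST} -eq 0 ]; then
        COUNT=0
        Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Found dpkg binary"
        Report "package_manager[]=dpkg"
        PACKAGE_MGR_PKG=1
        LogText "Test: Querying dpkg -l to get package list"
        Display --indent 6 --text "- Querying package manager"
        LogText "Output:"
        # Keep installed ("ii") entries only and join the columns with commas, so
        # that each package stays one word: field 2 is the name, field 3 the version
        SPACKAGES=$("${ROOTDIR}usr/bin/dpkg" -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort)
        for J in ${SPACKAGES}; do
            COUNT=$((COUNT + 1))
            PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
            PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f3)
            LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
        done
        Report "installed_packages=${COUNT}"
    else
        LogText "Result: dpkg can NOT be found on this system, test skipped"
    fi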
  467 #
  468 #################################################################################
  469 #
    # Test        : PKGS-7346
    # Description : Check packages which are removed, but still own configuration files, cron jobs etc
    # Notes       : Looks for dpkg entries in state "rc" and suggests purging them.
    #               Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done
    PREQS_MET="NO"
    if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; fi
    Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
    if [ ${SKIPTEST} -eq 0 ]; then
        COUNT=0
        LogText "Test: Querying dpkg -l to get unpurged packages"
        SPACKAGES=$(${ROOTDIR}usr/bin/dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
        if [ -n "${SPACKAGES}" ]; then
            Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_FOUND}" --color YELLOW
            LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
            LogText "Output:"
            for J in ${SPACKAGES}; do
                COUNT=$((COUNT + 1))
                LogText "Found unpurged package: ${J}"
            done
            ReportSuggestion "${TEST_NO}" "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
        else
            Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
            LogText "Result: no packages found with left overs"
        fi
    else
        LogText "Result: dpkg can NOT be found on this system, test skipped"
    fi
  495 #
  496 #################################################################################
  497 #
    # Test        : PKGS-7348
    # Description : Show unneeded distfiles if present
    # Notes       : Portsclean seems to be gone from the ports, so no suggestion or
    #               warning is issued when it's missing.
    #               Add portmaster --clean-distfiles-all
    #               portsclean is run with -n here and its 'Delete' lines are only
    #               counted.
    Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -x ${ROOTDIR}usr/local/sbin/portsclean ]; then
            # Number of output lines that contain 'Delete'
            FIND=$(${ROOTDIR}usr/local/sbin/portsclean -n -DD | ${GREPBINARY} -c 'Delete')
            if [ ${FIND} -eq 0 ]; then
                Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
                LogText "Result: no unused distfiles found"
            else
                Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_WARNING}" --color YELLOW
                LogText "Result: found ${FIND} unused distfiles"
                ReportSuggestion "${TEST_NO}" "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
            fi
        fi
    fi
  517 #
  518 #################################################################################
  519 #
    # Test        : PKGS-7350
    # Description : Use Dandified YUM to gather installed packages
    # Notes       : Possible replacement for YUM in the long term
    #               Records dnf as the package audit tool. Lines of the listing
    #               whose first column is "Installed" or "Last" are left out.
    PREQS_MET="NO"
    if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; fi
    Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})"
        Report "package_manager[]=dnf"
        Display --indent 6 --text "- Querying DNF package manager"

        PACKAGE_AUDIT_TOOL_FOUND=1
        PACKAGE_AUDIT_TOOL="dnf"
        # First two columns of each remaining line, joined as "name,version"
        SPACKAGES=$(${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}')
        # Number of packages seen, written to the report after the loop
        COUNT=0
        for PKG in ${SPACKAGES}; do
            PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ',' -f1)
            PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ',' -f2)
            LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
            COUNT=$((COUNT + 1))
        done
        Report "installed_packages=${COUNT}"
    fi
  544 #
  545 #################################################################################
  546 #
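  # Test        : PKGS-7352
  # Description : Use Dandified YUM to detect security updates
  # Notes       : A failed dnf query is reported separately, so that missing
  #               data is not counted as "no security updates"
  if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
  Register --test-no "PKGS-7352" --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Checking for security updates with DNF utility"
  if [ "${SKIPTEST}" -eq 0 ]; then
      # Check for security updates
      LogText "Action: checking updateinfo for security updates"
      # Run dnf on its own: in a pipeline only the exit status of the last
      # command (awk) is visible, which hides a failing dnf.
      DNF_OUTPUT=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null)
      DNF_EXITCODE=$?
      FIND=$(printf '%s\n' "${DNF_OUTPUT}" | ${AWKBINARY} '{ if ($2=="security") { print $3 }}')
      if [ -n "${FIND}" ]; then
          VULNERABLE_PACKAGES_FOUND=1
          LogText "Result: found vulnerable packages, upgrade of system needed."
          for PKG in ${FIND}; do
              Report "vulnerable_package[]=${PKG}"
              LogText "Vulnerable package: ${PKG}"
              # Decrease hardening points for every found vulnerable package
              AddHP 1 2
          done
          ReportWarning "${TEST_NO}" "Found one or more vulnerable packages. Run: dnf upgrade"
          Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
      elif [ "${DNF_EXITCODE}" -ne 0 ]; then
          # No usable data: do not award hardening points for an unverified state
          LogText "Result: dnf updateinfo exited with code ${DNF_EXITCODE}, could not determine security updates"
          Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_SKIPPED}" --color YELLOW
      else
          LogText "Result: no security updates found"
          Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
          AddHP 5 5
      fi
      unset DNF_OUTPUT DNF_EXITCODE
  fi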
  572 #
  573 #################################################################################
  574 #
  # Test        : PKGS-7354
  # Description : Perform integrity tests for package database
  # Notes       : Uses "dnf repoquery --duplicated" and "--unsatisfied";
  #               any output of either query results in a suggestion
  PREQS_MET="NO"
  if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; fi
  Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
  if [ ${SKIPTEST} -eq 0 ]; then
      # Look for a line starting with "repoquery" in what dnf prints when it
      # is called without arguments (stdout and stderr combined)
      FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery")
      if [ -z "${FIND}" ]; then
          LogText "Result: repoquery plugin not installed."
      else
          LogText "Action: checking integrity of package database"

          # Duplicated packages
          FIND=$(${DNFBINARY} -q repoquery --duplicated)
          if [ -n "${FIND}" ]; then
              LogText "Result: found unexpected result on repoquery --duplicated"
              ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated"
          fi

          # Unsatisfied dependencies
          FIND=$(${DNFBINARY} -q repoquery --unsatisfied)
          if [ -n "${FIND}" ]; then
              LogText "Result: found unexpected result on repoquery --unsatisfied"
              ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied"
          fi
      fi
  fi
  598 #
  599 #################################################################################
  600 #
  # Test        : PKGS-7366
  # Description : Checking if debsecan is installed and enabled on Debian systems
  # NOTE(review): the prerequisite already requires DEBSECANBINARY to be set,
  # so the "not installed" branch below looks unreachable unless Register can
  # run a test whose prerequisites are not met - confirm.
  PREQS_MET="NO"
  if [ -n "${DEBSECANBINARY}" ]; then
      if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ]; then
          PREQS_MET="YES"
      fi
  fi
  Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Checking for debsecan utility"
  if [ ${SKIPTEST} -eq 0 ]; then
      if [ -z "${DEBSECANBINARY}" ]; then
          LogText "Result: debsecan is not installed."
          Display --indent 4 --text "- debsecan utility" --result "${STATUS_NOT_FOUND}" --color YELLOW
          AddHP 0 2
          ReportSuggestion "${TEST_NO}" "Install debsecan to check for vulnerabilities on installed packages."
      else
          LogText "Result: debsecan utility is installed"
          Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN
          AddHP 3 3
          PACKAGE_AUDIT_TOOL_FOUND=1
          PACKAGE_AUDIT_TOOL="debsecan"
          # Any file named debsecan below etc/cron* counts as a configured job
          FIND=$(${FINDBINARY} ${ROOTDIR}etc/cron* -name debsecan)
          if [ -z "${FIND}" ]; then
              LogText "Result: no cron job is configured for debsecan"
              Display --indent 4 --text "- debsecan cron job" --result "${STATUS_NOT_FOUND}" --color YELLOW
              AddHP 1 3
              ReportSuggestion "${TEST_NO}" "Check debsecan cron job and ensure it is enabled"
          else
              LogText "Result: cron job is configured for debsecan"
              Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN
              AddHP 3 3
          fi
      fi
  fi
  630 #
  631 #################################################################################
  632 #
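  # Test        : PKGS-7370
  # Description : Checking debsums installation status and presence in cron job
  # Note        : Run this only when it is a DPKG based system
  if [ -n "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
  Register --test-no "PKGS-7370" --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Checking for debsums utility"
  if [ "${SKIPTEST}" -eq 0 ]; then
      if [ -n "${DEBSUMSBINARY}" ]; then
          LogText "Result: debsums utility is installed"
          Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
          AddHP 1 1
          # Check in /etc/cron.hourly, daily, weekly, monthly etc
          # Uses the detected find binary and ROOTDIR, like the debsecan test,
          # instead of a PATH lookup and a hard-coded /etc.
          # NOTE(review): only the presence of a file named debsums is tested;
          # whether the job is actually enabled is not verified here.
          COUNT=$(${FINDBINARY} "${ROOTDIR}"etc/cron* -name debsums | wc -l | ${TRBINARY} -d ' ')
          if [ "${COUNT}" -gt 0 ]; then
              LogText "Result: Cron job is configured for debsums utility."
              Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
              AddHP 3 3
          else
              LogText "Result: Cron job is not configured for debsums utility."
              Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
              AddHP 1 3
              ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regularly via a cron job."
          fi
      else
          LogText "Result: debsums utility is not installed."
          AddHP 0 2
          ReportSuggestion "${TEST_NO}" "Install debsums utility for the verification of packages with known good database."
      fi
  fi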
  661 #
  662 #################################################################################
  663 #
  # Test        : PKGS-7378
  # Description : Query FreeBSD portmaster for available port upgrades
  # Notes       : Reports every available upgrade plus the total count
  PREQS_MET="NO"
  if [ -x ${ROOTDIR}usr/local/sbin/portmaster ]; then PREQS_MET="YES"; fi
  Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query portmaster for port upgrades"
  if [ ${SKIPTEST} -eq 0 ]; then
      LogText "Test: Querying portmaster for possible port upgrades"
      COUNT=0
      # Fifth column of every "version available" line of portmaster -L
      UPACKAGES=$(${ROOTDIR}usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
      for PKG in ${UPACKAGES}; do
          LogText "Upgrade available (new version): ${PKG}"
          Report "upgrade_available[]=${PKG}"
          COUNT=$((COUNT + 1))
      done
      Report "upgrade_available_count=${COUNT}"
      if [ ${COUNT} -gt 0 ]; then
          LogText "Result: found ${COUNT} updates"
          Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW
      else
          LogText "Result: no updates found"
          Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN
      fi
  fi
  686 #
  687 #################################################################################
  688 #
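  # Test        : PKGS-7380
  # Description : Check for vulnerable NetBSD packages (with pkg_admin)
  # Notes       : Needs the vulnerability list in var/db/pkg/pkg-vulnerabilities;
  #               only its presence is tested here, not its age
  Register --test-no PKGS-7380 --os NetBSD --weight L --network NO --category security --description "Check for vulnerable NetBSD packages"
  if [ "${SKIPTEST}" -eq 0 ]; then
      if [ -x "${ROOTDIR}usr/sbin/pkg_admin" ]; then
          PACKAGE_AUDIT_TOOL_FOUND=1
          PACKAGE_AUDIT_TOOL="pkg_admin audit"
          if [ -f "${ROOTDIR}var/db/pkg/pkg-vulnerabilities" ]; then
              # NOTE(review): the exit status is not checked, so empty output
              # is counted as a clean result even if the audit itself failed.
              FIND=$("${ROOTDIR}usr/sbin/pkg_admin" audit)
              if [ -z "${FIND}" ]; then
                  LogText "Result: pkg_admin audit results are clean"
                  Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
                  AddHP 10 10
              else
                  Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED
                  LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
                  ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
                  LogText "List of vulnerable packages/version:"
                  # Reuse the captured output instead of running the audit a
                  # second time, so the list always matches the verdict above
                  for I in $(printf '%s\n' "${FIND}" | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
                      VULNERABLE_PACKAGES_FOUND=1
                      Report "vulnerable_package[]=${I}"
                      LogText "Vulnerable package: ${I}"
                      # Decrease hardening points for every found vulnerable package
                      AddHP 1 2
                  done
              fi
          else
              ReportSuggestion "${TEST_NO}" "Fetch the package database with pkg_admin fetch-pkg-vulnerabilities"
              AddHP 0 2
          fi
      else
          Display --indent 2 --text "- pkg_admin audit not installed" --result "${STATUS_NOT_FOUND}" --color WHITE
          LogText "Result: pkg_admin audit not installed, skipping this vulnerability test."
      fi
  fi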
  724 #
  725 #################################################################################
  726 #
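  # Test        : PKGS-7381
  # Description : Check for vulnerable FreeBSD packages (with pkg)
  # Notes       : Related vulnerability file is /var/db/pkg/vuln.xml
  #             : Exit code 0 is treated as clean, 1 as "vulnerable packages
  #               found", anything else is reported as an exception
  # TODO        : Run this in any jail
  if [ -n "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi
  Register --test-no PKGS-7381 --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg"
  if [ "${SKIPTEST}" -eq 0 ]; then
      COUNT=0
      PACKAGE_AUDIT_TOOL_FOUND=1
      PACKAGE_AUDIT_TOOL="pkg audit"
      if [ -f "${ROOTDIR}var/db/pkg/vuln.xml" ]; then
          # Query pkg audit, with optional refresh of vulnerability data (-F)
          # The exit code is stored right away: every later test command
          # overwrites $?, so checking $? a second time would only see the
          # result of the first check and the unknown-exit-code branch could
          # never be reached.
          if [ "${REFRESH_REPOSITORIES}" -eq 1 ]; then
              FIND=$(${PKG_BINARY} audit -F -q 2> /dev/null)
              PKG_AUDIT_EXITCODE=$?
          else
              FIND=$(${PKG_BINARY} audit -q 2> /dev/null)
              PKG_AUDIT_EXITCODE=$?
          fi
          if [ "${PKG_AUDIT_EXITCODE}" -eq 0 ]; then
              LogText "Result: pkg audit results are clean"
              Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
              AddHP 10 10
          elif [ "${PKG_AUDIT_EXITCODE}" -eq 1 ]; then
              if [ -n "${FIND}" ]; then
                  VULNERABLE_PACKAGES_FOUND=1
                  Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW
                  for ITEM in ${FIND}; do
                      COUNT=$((COUNT + 1))
                      Report "vulnerable_package[]=${ITEM}"
                      LogText "Vulnerable package: ${ITEM}"
                      AddHP 1 2
                  done
                  ReportWarning "${TEST_NO}" "Found vulnerable packages" "${COUNT} vulnerable packages" "text:Run pkg audit"
              else
                  LogText "Result: found an exit code greater than zero, yet no output"
              fi
          else
              LogText "Result: exited with code ${PKG_AUDIT_EXITCODE}"
              ReportException "${TEST_NO}" "Found an unknown exit code for pkg audit. Please create an issue at ${PROJECT_SOURCE}"
          fi
          unset PKG_AUDIT_EXITCODE
      else
          LogText "Result: could not find vulnerability database"
          ReportWarning "${TEST_NO}" "No vulnerability database available" "pkg audit" "text:Run pkg audit -F"
      fi
  fi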
  771 #
  772 #################################################################################
  773 #
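  # Test        : PKGS-7382
  # Description : Check for vulnerable FreeBSD packages
  # Notes       : Newer machines should use pkg audit instead of portaudit
  # NOTE(review): unlike the other audit tests, PACKAGE_AUDIT_TOOL is not set
  # here - confirm whether that is intended.
  if [ -x "${ROOTDIR}usr/local/sbin/portaudit" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
  Register --test-no PKGS-7382 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
  if [ "${SKIPTEST}" -eq 0 ]; then
      PACKAGE_AUDIT_TOOL_FOUND=1
      # Run portaudit once and use the same output for verdict and package list
      PORTAUDIT_OUTPUT=$("${ROOTDIR}usr/local/sbin/portaudit")
      # Drop the summary line only when the count is exactly 0. Filtering on
      # the plain text "0 problem(s) ..." would also drop 10, 20, ... problems
      # and report such a system as clean.
      FIND=$(printf '%s\n' "${PORTAUDIT_OUTPUT}" | ${GREPBINARY} 'problem(s) in your installed packages found' | ${EGREPBINARY} -v '(^|[^0-9])0 problem\(s\) in your installed packages found')
      if [ -z "${FIND}" ]; then
          LogText "Result: Portaudit results are clean"
          Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
          AddHP 10 10
      else
          Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED
          LogText "Result: Portaudit found one or more installed packages which are vulnerable."
          ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
          ReportSuggestion "${TEST_NO}" "Update your system with portupgrade or other tools"
          LogText "List of vulnerable packages/version:"
          for PKG in $(printf '%s\n' "${PORTAUDIT_OUTPUT}" | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
              VULNERABLE_PACKAGES_FOUND=1
              Report "vulnerable_package[]=${PKG}"
              LogText "Vulnerable package: ${PKG}"
              # Decrease hardening points for every found vulnerable package
              AddHP 1 2
          done
      fi
      unset PORTAUDIT_OUTPUT
  fi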
  801 #
  802 #################################################################################
  803 #
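  # Test        : PKGS-7383
  # Description : Check for YUM package Update management
  # Notes       : Skip if DNF is used as package manager
  #             : An empty or zero repolist count gives a warning, so a
  #               failing "yum repolist" is not reported as OK
  # Separate tests joined with && and || replace the obsolescent -a and -o
  # operators of [, which parse ambiguously for some operand values.
  if [ -n "${YUMBINARY}" ] && [ -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
  Register --test-no PKGS-7383 --preqs-met "${PREQS_MET}" --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
  if [ "${SKIPTEST}" -eq 0 ]; then
      LogText "Test: YUM package update management"
      # Take the number after "repolist:", with blanks, commas and dots removed
      FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$")
      if [ -z "${FIND}" ] || [ "${FIND}" = "0" ]; then
          LogText "Result: YUM package update management failed"
          Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED
          ReportWarning "${TEST_NO}" "YUM is not properly configured or registered for this platform (no repolist found)"
      else
          LogText "Result: YUM repository available (${FIND})"
          Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_OK}" --color GREEN
      fi
  fi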
  821 #
  822 #################################################################################
  823 #
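  # Test        : PKGS-7384
  # Description : Search for YUM utils package
  # Notes       : package-cleanup is executed from the path that was checked
  #               with -x, not looked up via PATH
  if [ -n "${YUMBINARY}" ] && [ -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
  Register --test-no PKGS-7384 --preqs-met "${PREQS_MET}" --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
  if [ "${SKIPTEST}" -eq 0 ]; then
      # package-cleanup tool can be found in different locations
      PACKAGE_CLEANUP=""
      if [ -x "${ROOTDIR}bin/package-cleanup" ]; then
          PACKAGE_CLEANUP="${ROOTDIR}bin/package-cleanup"
      elif [ -x "${ROOTDIR}usr/bin/package-cleanup" ]; then
          PACKAGE_CLEANUP="${ROOTDIR}usr/bin/package-cleanup"
      fi
      if [ -n "${PACKAGE_CLEANUP}" ]; then
          LogText "Result: found YUM utils package (package-cleanup)"
          # NOTE(review): both verdicts below depend on the exit status only;
          # confirm package-cleanup exits non-zero when it reports findings.
          # Check for duplicates
          LogText "Test: Checking for duplicate packages"
          FIND=$("${PACKAGE_CLEANUP}" -q --dupes > /dev/null; echo $?)
          if [ "${FIND}" = "0" ]; then
              LogText "Result: No duplicate packages found"
              Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
          else
              LogText "Result: One or more duplicate packages found"
              Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED
              ReportWarning "${TEST_NO}" "Found one or more duplicate packages installed"
              ReportSuggestion "${TEST_NO}" "Run package-cleanup to solve duplicate package problems"
          fi

          # Check for package database problems
          LogText "Test: Checking for database problems"
          FIND=$("${PACKAGE_CLEANUP}" --problems > /dev/null; echo $?)
          if [ "${FIND}" = "0" ]; then
              LogText "Result: No package database problems found"
              Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
          else
              LogText "Result: One or more problems found in package database"
              Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED
              ReportWarning "${TEST_NO}" "Found one or more problems in the package database"
              ReportSuggestion "${TEST_NO}" "Run package-cleanup to solve package problems"
          fi
      else
          Display --indent 2 --text "- yum-utils package not installed" --result "${STATUS_SUGGESTION}" --color YELLOW
          LogText "Result: YUM utils package not found"
          ReportSuggestion "${TEST_NO}" "Install package 'yum-utils' for better consistency checking of the package database"
      fi
      unset PACKAGE_CLEANUP
  fi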
  863 #
  864 #################################################################################
  865 #
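  # Test        : PKGS-7386
  # Description : Search for YUM security package
  # Notes       : This test does not apply to CentOS and clones, as --security is not available
  #             : RHEL 7: plugin default installed
  #             : RHEL 6: yum-security-plugin (plugin)
  #             : RHEL 5: yum-security (plugin)
  #             : DO_TEST becomes 1 as soon as one of three detection methods
  #               succeeds: built-in option, enabled plugin config, or package
  if [ -x "${ROOTDIR}usr/bin/yum" ] && [ -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
  Register --test-no PKGS-7386 --preqs-met "${PREQS_MET}" --os Linux --weight L --network NO --category security --description "Check for YUM security package"
  if [ "${SKIPTEST}" -eq 0 ]; then
      DO_TEST=0
      LogText "Test: Determining if yum-security package installed"

      # Check for built-in --security option
      if [ "${DO_TEST}" -eq 0 ]; then
          FileExists "${ROOTDIR}usr/share/yum-cli/cli.py"
          if [ "${FILE_FOUND}" -eq 1 ]; then
              if SearchItem "\-\-security" "${ROOTDIR}usr/share/yum-cli/cli.py"; then
                  DO_TEST=1
                  LogText "Result: found built-in security in yum"
              else
                  LogText "Result: did not find --security in ${ROOTDIR}usr/share/yum-cli/cli.py"
              fi
          fi
      fi

      # Check for an enabled security plugin configuration
      if [ "${DO_TEST}" -eq 0 ]; then
          FileExists "${ROOTDIR}etc/yum/pluginconf.d/security.conf"
          if [ "${FILE_FOUND}" -eq 1 ]; then
              if SearchItem "^enabled=1$" "${ROOTDIR}etc/yum/pluginconf.d/security.conf"; then
                  DO_TEST=1
                  LogText "Result: found enabled plugin"
              else
                  LogText "Result: plugin NOT enabled in ${ROOTDIR}etc/yum/pluginconf.d/security.conf"
              fi
          fi
      fi

      # Check if it's installed as package (this is old style)
      if [ "${DO_TEST}" -eq 0 ]; then
          # NOTE(review): rpm is resolved via PATH here, while other tools in
          # this file are called through detected binaries or absolute paths.
          FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed")
          if [ -n "${FIND}" ]; then
              LogText "Result: found yum-plugin-security package"
              DO_TEST=1
          fi
      fi

      # If we have the module of yum active, continue testing
      if [ "${DO_TEST}" -eq 1 ]; then
          PACKAGE_AUDIT_TOOL_FOUND=1
          PACKAGE_AUDIT_TOOL="yum-security"
          LogText "Test: Checking for vulnerable packages"
          # NOTE(review): the exit status of yum is not checked, so a failing
          # query gives empty output and is reported as "no vulnerable packages".
          FIND2=$("${ROOTDIR}usr/bin/yum" list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }')
          if [ -z "${FIND2}" ]; then
              LogText "Result: no vulnerable packages found"
              Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN
          else
              LogText "Result: found vulnerable package(s)"
              Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_WARNING}" --color RED
              for I in ${FIND2}; do
                  VULNERABLE_PACKAGES_FOUND=1
                  Report "vulnerable_package[]=${I}"
                  LogText "Vulnerable package: ${I}"
                  AddHP 1 2
              done
              ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
          fi
      else
          LogText "Result: yum-security package not found"
          Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_SKIPPED}" --color YELLOW
          ReportSuggestion "${TEST_NO}" "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
      fi
  fi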
  938 #
  939 #################################################################################
  940 #
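  # Test        : PKGS-7387
  # Description : Search for YUM GPG check
  # Notes       : Part 1 asks the yum Python module for the gpgcheck value of
  #               every enabled repository, part 2 searches etc/yum.conf
  if [ -x "${ROOTDIR}usr/bin/yum" ] && [ -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
  Register --test-no PKGS-7387 --preqs-met "${PREQS_MET}" --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
  if [ "${SKIPTEST}" -eq 0 ]; then
      if [ -n "${PYTHONBINARY}" ]; then
          LogText "Test: checking enabled repositories"
          # NOTE(review): the print statement is Python 2 syntax. With a
          # Python 3 interpreter, or without the yum module, the command fails,
          # REPOS stays empty and no repository is evaluated.
          REPOS=$(${PYTHONBINARY} -c 'import yum ; yb = yum.YumBase() ; yb.conf ; print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]' | ${GREPBINARY} "^\[" | ${TRBINARY} -d '[] ' | ${TRBINARY} -d "'" | ${SEDBINARY} 's/,/ /g')
          if [ -z "${REPOS}" ]; then LogText "Result: found no repositories"; fi
          # Each item has the form "repoid=True" or "repoid=False"
          for I in ${REPOS}; do
              REPO=$(printf '%s\n' "${I}" | ${AWKBINARY} -F= '{print $1}')
              GPGSIGNED=$(printf '%s\n' "${I}" | ${AWKBINARY} -F= '{print $2}')
              if [ "${GPGSIGNED}" = "False" ]; then
                  LogText "Result: software repository '${REPO}' is NOT signed"
                  Report "software_repository_unsigned[]=${REPO}"
                  AddHP 3 4
              elif [ "${GPGSIGNED}" = "True" ]; then
                  LogText "Result: software repository '${REPO}' is signed"
                  AddHP 4 4
              else
                  LogText "Result: unknown status for repository (data: ${I})"
              fi
          done
      fi
      FOUND=0
      FileExists "${ROOTDIR}etc/yum.conf"
      if [ "${FILE_FOUND}" -eq 1 ]; then
          # NOTE(review): only the value 1 is matched and the match is not tied
          # to a section of yum.conf; other spellings of "enabled" would be
          # reported as disabled - confirm against the values yum accepts.
          if SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; then FOUND=1; fi
          if SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; then FOUND=1; fi
          if [ "${FOUND}" -eq 1 ]; then
              LogText "Result: GPG check is enabled"
              Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
              AddHP 3 3
          else
              Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
              ReportWarning "${TEST_NO}" "No GPG signing option found in yum.conf"
              AddHP 2 3
          fi
      fi
  fi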
  981 #
  982 #################################################################################
  983 #
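  # Test        : PKGS-7388
  # Description : Check security repository in Debian/Ubuntu apt sources.list file
  # Notes       : Both etc/apt/sources.list and etc/apt/sources.list.d are
  #               searched below ROOTDIR; one match in either is sufficient
  PREQS_MET="NO"
  if [ -f "${ROOTDIR}etc/apt/sources.list" ] && [ -d "${ROOTDIR}etc/apt/sources.list.d" ]; then
      case "${LINUX_VERSION}" in
          "Debian" | "Linux Mint" | "Ubuntu" | "Pop!_OS")
              # Todo: PureOS (not rolling) has security repositories
              # Todo: Debian sid does not have a security repository.
              PREQS_MET="YES"
          ;;
          *)
              LogText "Skipping test, although sources.list or sources.list.d exists. This specific OS version most likely has no security repository"
          ;;
      esac
  fi
  Register --test-no PKGS-7388 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check security repository in apt sources.list file"
  if [ "${SKIPTEST}" -eq 0 ]; then
      FOUND=0
      if [ "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" -eq 0 ]; then
          # Dots in the host names are escaped so that they match literally.
          # Lines containing '#' anywhere are dropped, which also removes
          # active entries that carry a trailing comment.
          # Spaces are replaced by a marker to keep one repository line per
          # word in the for loops.
          if [ -f "${ROOTDIR}etc/apt/sources.list" ]; then
              LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
              FIND=$(${EGREPBINARY} 'security\.debian\.org|security\.ubuntu\.com|security/? ' "${ROOTDIR}etc/apt/sources.list" | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
              if [ -n "${FIND}" ]; then
                  FOUND=1
                  Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
                  LogText "Result: Found security repository in ${ROOTDIR}etc/apt/sources.list"
                  for REPO in ${FIND}; do
                      REPO=$(printf '%s\n' "${REPO}" | ${SEDBINARY} 's/!space!/ /g')
                      LogText "Output: ${REPO}"
                  done
              fi
          fi
          # Same search for the drop-in directory, now relative to ROOTDIR
          # like the sources.list check and the prerequisite test above
          if [ -d "${ROOTDIR}etc/apt/sources.list.d" ]; then
              LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
              FIND=$(${EGREPBINARY} -r 'security\.debian\.org|security\.ubuntu\.com|security/? ' "${ROOTDIR}etc/apt/sources.list.d" | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
              if [ -n "${FIND}" ]; then
                  FOUND=1
                  Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
                  LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
                  for REPO in ${FIND}; do
                      REPO=$(printf '%s\n' "${REPO}" | ${SEDBINARY} 's/!space!/ /g')
                      LogText "Output: ${REPO}"
                  done
              fi
          fi
          if [ "${FOUND}" -eq 1 ]; then
              LogText "Result: security repository was found"
              AddHP 3 3
          else
              Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result "${STATUS_WARNING}" --color RED
              ReportWarning "${TEST_NO}" "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
              AddHP 0 3
          fi
      else
          LogText "Skipped as option is set to ignore security repository"
      fi
      unset FIND FOUND REPO
  fi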
 1042 #
 1043 #################################################################################
 1044 #
 # Test        : PKGS-7390
 # Description : Check Ubuntu database consistency
 # Notes       : Applies to Debian, Ubuntu and systems marked as like them,
 #               when usr/bin/apt-get below ROOTDIR is executable
 PREQS_MET="NO"
 if [ -x "${ROOTDIR}usr/bin/apt-get" ]; then
     if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
        [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
         PREQS_MET="YES"
     fi
 fi

 Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
 if [ ${SKIPTEST} -eq 0 ]; then
     LogText "Test: Package database consistency by running apt-get check"
     # FIND receives whatever apt-get prints on stdout followed by its exit
     # code; only a plain "0" counts as consistent
     FIND=$(${ROOTDIR}usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
     if [ "${FIND}" != "0" ]; then
         LogText "Result: package database is most likely NOT consistent"
         Display --indent 2 --text "- Checking APT package database" --result "${STATUS_WARNING}" --color RED
         ReportWarning "${TEST_NO}" "apt-get check returned a non successful exit code."
         ReportSuggestion "${TEST_NO}" "Run apt-get to perform a manual package database consistency check."
     else
         Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
         LogText "Result: package database seems to be consistent."
     fi
 fi
 1068 #
 1069 #################################################################################
 1070 #
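    # Test        : PKGS-7392
    # Description : Check Debian/Ubuntu vulnerable packages
    # Note        : Skip for zypper-based systems
    #
    # Flow: optionally refresh the package lists, ask apt-check (when present) for the
    # number of pending security updates, then list the upgradable packages that come
    # from a '-security' channel via an apt-get dry run. The outcome is kept in
    # VULNERABLE_PACKAGES_FOUND and SCAN_PERFORMED; PACKAGE_AUDIT_TOOL and
    # PACKAGE_AUDIT_TOOL_FOUND are read again by test PKGS-7398.
    if [ -x "${ROOTDIR}usr/bin/apt-get" ] && [ -z "${ZYPPERBINARY}" ]; then
        PREQS_MET="YES"
    else
        PREQS_MET="NO"
    fi
    Register --test-no PKGS-7392 --os Linux --preqs-met "${PREQS_MET}" --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
    if [ ${SKIPTEST} -eq 0 ]; then
        VULNERABLE_PACKAGES_FOUND=0
        SCAN_PERFORMED=0
        # If apt-get is installed, then it's a reasonable option for a Package Audit tool
        # If apt-check exists, it will be preferred and will overwrite the PACKAGE_AUDIT_TOOL setting
        PACKAGE_AUDIT_TOOL="apt-get"
        PACKAGE_AUDIT_TOOL_FOUND=1
        # Update the repository, outdated repositories don't give much information
        if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
            LogText "Action: updating package repository with apt-get"
            # Record a failed refresh: with stale package lists the checks below can
            # report "nothing found" while security updates are in fact pending.
            if "${ROOTDIR}usr/bin/apt-get" -q=2 update; then
                LogText "Result: apt-get finished"
            else
                LogText "Result: apt-get update returned a non-zero exit code, package lists may be outdated"
            fi
        else
            LogText "Result: using a possibly outdated repository, as updating is disabled via configuration"
        fi
        LogText "Test: Checking if ${ROOTDIR}usr/lib/update-notifier/apt-check exists"
        if [ -x "${ROOTDIR}usr/lib/update-notifier/apt-check" ]; then
            PACKAGE_AUDIT_TOOL="apt-check"
            LogText "Result: found ${ROOTDIR}usr/lib/update-notifier/apt-check"
            LogText "Test: checking if any of the updates contain security updates"
            # apt-check is a translated script, so its text output differs per locale.
            # Only the numeric output is used: the second ';'-separated field is
            # treated as the number of security updates.
            # NOTE(review): the value is not checked for being numeric; any other
            # non-empty text in that field would be counted as a finding - confirm
            # whether stricter validation is wanted.
            FIND=$("${ROOTDIR}usr/lib/update-notifier/apt-check" 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
            # Check if we get the proper line back and amount of security patches available
            if [ -z "${FIND}" ]; then
                LogText "Result: did not find security updates line"
                ReportSuggestion "${TEST_NO}" "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
                ReportException "${TEST_NO}:1" "Apt-check did not provide any result"
            elif [ "${FIND}" = "0" ]; then
                LogText "Result: no vulnerable packages found via apt-check"
                SCAN_PERFORMED=1
            else
                VULNERABLE_PACKAGES_FOUND=1
                SCAN_PERFORMED=1
                LogText "Result: found ${FIND} security updates via apt-check"
                AddHP 0 25
            fi
        else
            LogText "Result: apt-check (update-notifier-common) not found"
        fi

        # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
        # Show packages which would be upgraded and match '-security' in repository name.
        # The pattern is passed with -e: a bare '-security' argument is parsed by grep
        # as a bundle of short options, which leaves a looser pattern than intended and
        # can match package lines that do not come from a security channel.
        FIND=$("${ROOTDIR}usr/bin/apt-get" --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} -e '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u)
        if [ -n "${FIND}" ]; then
            VULNERABLE_PACKAGES_FOUND=1
            SCAN_PERFORMED=1
            LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
            PACKAGE_AUDIT_TOOL="apt-get"
            PACKAGE_AUDIT_TOOL_FOUND=1
            # Word splitting is intended here: FIND holds one package name per line.
            for PKG in ${FIND}; do
                LogText "Found vulnerable package: ${PKG}"
                Report "vulnerable_package[]=${PKG}"
            done
        fi
        if [ ${SCAN_PERFORMED} -eq 1 ]; then
            if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
                ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
                ReportSuggestion "${TEST_NO}" "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
                Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_WARNING}" --color RED
            else
                Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_OK}" --color GREEN
                LogText "Result: no vulnerable packages found"
            fi
        else
            # Neither apt-check nor the dry run produced a usable result, so the
            # outcome is shown as "done" rather than as a clean bill of health.
            Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result "${STATUS_DONE}" --color GREEN
            LogText "Result: test not fully executed (missing apt-check output)"
        fi
    fi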
 1146 #
 1147 #################################################################################
 1148 #
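    # Test        : PKGS-7393
    # Description : Check Gentoo vulnerable packages
    #
    # Uses glsa-check to count the advisory lines that apply to this system. The
    # presence of emerge-webrsync is what enables the test.
    if [ -x "${ROOTDIR}usr/bin/emerge-webrsync" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7393 --preqs-met "${PREQS_MET}" --weight L --network YES --category security --description "Check for Gentoo vulnerable packages"
    if [ ${SKIPTEST} -eq 0 ]; then
        VULNERABLE_PACKAGES_FOUND=0
        SCAN_PERFORMED=0
        # Update portage.
        # Multiple ways to do this.  Some require extra packages to be installed,
        # others require potential firewall ports to be open, outbound.  This is the
        # "most friendly" way.
        if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
            LogText "Action: updating portage with emerge-webrsync"
            "${ROOTDIR}usr/bin/emerge-webrsync" --quiet 2> /dev/null
            LogText "Result: emerge-webrsync finished"
        else
            LogText "Result: using a possibly outdated repository, as updating is disabled"
        fi
        LogText "Test: checking if ${ROOTDIR}usr/bin/glsa-check exists"
        if [ -x "${ROOTDIR}usr/bin/glsa-check" ]; then
            PACKAGE_AUDIT_TOOL_FOUND=1
            PACKAGE_AUDIT_TOOL="glsa-check"
            LogText "Result: found ${ROOTDIR}usr/bin/glsa-check"
            LogText "Test: checking if there are any vulnerable packages"
            # glsa-check reports the GLSA date/ID string, not the vulnerable package.
            # Every output line other than the two known header lines is counted.
            # NOTE(review): stderr is merged in (2>&1), so error or warning lines from
            # glsa-check would also be counted as findings - confirm this is intended.
            FIND=$("${ROOTDIR}usr/bin/glsa-check" -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
            if [ -z "${FIND}" ]; then
                LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
                LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives an unexpected result"
                ReportException "${TEST_NO}:1" "glsa-check did not provide any result, which is unexpected"
            elif [ "${FIND}" = "0" ]; then
                # Uses the same "Result:" prefix as the other log lines, so that log
                # searches on that prefix also find this entry.
                LogText "Result: no vulnerable packages found via glsa-check"
                Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_OK}" --color GREEN
            else
                VULNERABLE_PACKAGES_FOUND=1
                Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_FOUND}" --color RED
                LogText "Result: found ${FIND} security updates with glsa-check"
                ReportWarning "${TEST_NO}" "Found ${FIND} security update(s) with glsa-check."
                LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified."
                AddHP 0 25
            fi
        else
            LogText "Result: glsa-check tool not found"
            ReportSuggestion "${TEST_NO}" "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
        fi
    fi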
 1197 #
 1198 #################################################################################
 1199 #
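    # Test        : PKGS-7394
    # Description : Check Debian/Ubuntu upgradeable packages (apt-show-versions)
    # Prerequisite: a Debian or Ubuntu (or derived) system with an executable apt-get.
    if { [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
         [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; } &&
       [ -x "${ROOTDIR}usr/bin/apt-get" ]; then
        PREQS_MET="YES"
    else
        PREQS_MET="NO"
    fi

    Register --test-no PKGS-7394 --os Linux --preqs-met "${PREQS_MET}" --weight L --network YES --category security --description "Check for Ubuntu updates"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions"
        if [ -x "${ROOTDIR}usr/bin/apt-show-versions" ]; then
            LogText "Result: found ${ROOTDIR}usr/bin/apt-show-versions"
            LogText "Test: Checking packages which can be upgraded via apt-show-versions"
            # Spaces are swapped for a marker so that the for loop below, which splits
            # on whitespace, yields one item per output line.
            FIND=$("${ROOTDIR}usr/bin/apt-show-versions" -u | ${SEDBINARY} 's/ /!space!/g')
            if [ -z "${FIND}" ]; then
                LogText "Result: no packages found which can be upgraded"
                Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
                AddHP 3 3
            else
                LogText "Result: found one or more packages which can be upgraded"
                Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_FOUND}" --color YELLOW
                # output: program/repository upgradeable from version X to Y
                for ITEM in ${FIND}; do
                    # printf with a quoted argument restores the line as-is; an unquoted
                    # echo would expand glob characters and treat a leading dash as an option.
                    ITEM=$(printf '%s\n' "${ITEM}" | ${SEDBINARY} 's/!space!/ /g')
                    LogText "${ITEM}"
                done
            fi
        else
            LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
            Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
            ReportSuggestion "${TEST_NO}" "Install package apt-show-versions for patch management purposes"
        fi
    fi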
 1235 
 1236 #
 1237 #################################################################################
 1238 #
    # Test        : PKGS-7398
    # Description : Check package audit tool
    #
    # Reports whether one of the earlier package tests in this file registered a
    # package audit tool by setting PACKAGE_AUDIT_TOOL_FOUND / PACKAGE_AUDIT_TOOL.
    Register --test-no PKGS-7398 --weight L --network YES --category security --description "Check for package audit tool"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking for package audit tool"
        if ! [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then
            # A tool was registered: show and log which one.
            Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_INSTALLED}" --color GREEN
            Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}"
            LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
        else
            # Nothing registered: suggest installing one.
            Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
            ReportSuggestion "${TEST_NO}" "Install a package audit tool to determine vulnerable packages"
            LogText "Result: no package audit tool found"
        fi
    fi
 1254 #
 1255 #################################################################################
 1256 #
 1257     # Description : HP-UX packages
 1258     # Notes       : swlist -l fileset (|${GREPBINARY} patch) / print_manifest
 1259 #
 1260 #################################################################################
 1261 #
 1262     # Description : AIX patches
 1263     # Notes       : ${ROOTDIR}usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
 1264 #
 1265 #################################################################################
 1266 #
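    # Test        : PKGS-7410
    # Description : Count number of installed kernel packages
    #
    # Each available package manager (dpkg, rpm, zypper) is asked in turn. KERNELS is
    # overwritten by every branch that runs, so the value reported at the end comes
    # from the last package manager that was queried.
    Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages"
    if [ ${SKIPTEST} -eq 0 ]; then
        KERNELS=0
        TESTED=0
        LogText "Test: Checking how many kernel packages are installed"

        if [ "${DPKGBINARY}" ]; then
            TESTED=1
            KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
            # NOTE(review): every matching line of 'dpkg -l' is counted, whatever its
            # package state column says - confirm whether removed-but-not-purged
            # kernel packages should be part of the count.
            KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
            if [ ${KERNELS} -eq 0 ]; then
                LogText "Result: found no kernels from dpkg -l output, which is unexpected"
            elif [ ${KERNELS} -gt 5 ]; then
                LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
                ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages" "${KERNELS} kernels" "text:validate dpkg -l output and perform cleanup with apt autoremove"
            else
                LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
            fi
        fi
        if [ "${RPMBINARY}" ]; then
            TESTED=1
            KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l)
            if [ ${KERNELS} -eq 0 ]; then
                LogText "Result: found no kernels from rpm -q kernel output, which is unexpected"
            elif [ ${KERNELS} -gt 5 ]; then
                LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
                ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
            else
                LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
            fi
        fi

        if [ "${ZYPPERBINARY}" ]; then
            TESTED=1
            KERNELS=$(${ZYPPERBINARY} --non-interactive -n se --type package --match-exact --installed-only "kernel-default" 2> /dev/null | ${GREPBINARY} "kernel-default" | ${WCBINARY} -l)
            if [ ${KERNELS} -eq 0 ]; then
                LogText "Result: found no kernels from zypper output, which is unexpected."
                ReportException "${TEST_NO}" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
            elif [ ${KERNELS} -gt 3 ]; then
                # The log text states the limit that is actually tested in this branch (3).
                LogText "Result: found more than 3 kernel packages on the system, which might indicate lack of regular cleanups"
                ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages"
            else
                LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
            fi
        fi

        # KERNELS stays unquoted in the numeric tests so that any padding around the
        # wc output is dropped by word splitting.
        if [ ${KERNELS} -eq 0 ] && [ ${TESTED} -eq 1 ]; then
            # Only report exception if there are kernels actually there. For example, LXC use the kernel of host system
            case "${OS}" in
                "Linux")
                    case "${CONTAINER_TYPE}" in
                        "LXC")
                            LogText "Info: LXC shares the kernel with host, so skipping further testing"
                        ;;
                        *)
                            if [ -d "${ROOTDIR}boot" ]; then
                                # Search the same directory that was just tested, so a
                                # non-default ROOTDIR is honoured here as well.
                                if [ -z "$(${FINDBINARY} "${ROOTDIR}boot" -maxdepth 1 -type f -name 'vmlinuz*' -print -quit)" ]; then
                                    ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
                                fi
                            fi
                        ;;
                    esac
                ;;
                *)
                    ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
                ;;
            esac
        fi

        Report "installed_kernel_packages=${KERNELS}"
    fi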
 1340 #
 1341 #################################################################################
 1342 #
    # Test        : PKGS-7420
    # Description : Detect toolkit to automatically download and apply upgrades
    #
    # Only the presence of a known tool's file is tested (-f). Whether the tool is
    # enabled, scheduled or configured to apply security updates is not verified here.
    Register --test-no PKGS-7420 --weight L --network NO --category security --description "Detect toolkit to automatically download and apply upgrades"
    if [ ${SKIPTEST} -eq 0 ]; then
        UNATTENDED_UPGRADES_TOOLKIT=0
        UNATTENDED_UPGRADES_TOOL=""
        UNATTENDED_UPGRADES_OPTION_AVAILABLE=0

        if [ "${OS}" = "Linux" ]; then
            # The option counts as available on these distributions and their derivatives.
            for DIST in CentOS Debian Fedora RHEL Ubuntu; do
                if [ "${LINUX_VERSION}" = "${DIST}" ] || [ "${LINUX_VERSION_LIKE}" = "${DIST}" ]; then
                    UNATTENDED_UPGRADES_OPTION_AVAILABLE=1
                fi
            done

            if [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ]; then
                # Test available tools for Linux. Paths are relative to ROOTDIR and the
                # tool name is the last path component. When several tools are present,
                # each one is reported and the last one found stays in
                # UNATTENDED_UPGRADES_TOOL.
                for UPGRADE_TOOL_PATH in bin/auter sbin/yum-cron usr/bin/dnf-automatic usr/bin/unattended-upgrade; do
                    if [ -f "${ROOTDIR}${UPGRADE_TOOL_PATH}" ]; then
                        UNATTENDED_UPGRADES_TOOL="${UPGRADE_TOOL_PATH##*/}"
                        UNATTENDED_UPGRADES_TOOLKIT=1
                        LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
                        Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
                    fi
                done
                unset UPGRADE_TOOL_PATH
            fi
        fi

        # Score and display only where automatic upgrades are an option at all.
        if [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ] && [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then
            AddHP 5 5
            Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN
        elif [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ]; then
            AddHP 1 5
            Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOT_FOUND}" --color YELLOW
            LogText "Result: no toolkit for automatic updates discovered"
            ReportSuggestion "${TEST_NO}" "Consider using a tool to automatically apply upgrades"
        fi

        Report "unattended_upgrade_option_available=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}"
    fi
 1403 #
 1404 #################################################################################
 1405 #
 1406 
 1407 WaitForKeyPress
 1408 
 1409 #
 1410 #================================================================================
 1411 # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com