#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Ports and packages
#
#################################################################################
#
    InsertSection "Ports and packages"
    PACKAGE_MGR_PKG=0
    PKG_AUDIT_TOOL_FOUND=0
#
#################################################################################
#
    Display --indent 2 --text "- Searching package managers..."

    # Test        : PKGS-7301
    # Description : Query FreeBSD pkg
    if [ -x /usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD pkg"
    if [ ${SKIPTEST} -eq 0 ]; then
        FIND=`pkg -N 2>&1; echo $?`
        if [ "${FIND}" = "0" ]; then
            Display --indent 4 --text "- Searching pkg..." --result FOUND --color GREEN
            report "package_manager[]=pkg"
            PACKAGE_MGR_PKG=1
            #logtext "Result: Found pkg"
            #logtext "Test: Querying pkg to get package list..."
            #Display --indent 6 --text "- Querying pkg for installed packages..."
            #logtext "Output:"; logtext "-----"
            #SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
            #for J in ${SPACKAGES}; do
            #    sPKG_NAME=`echo ${J} | cut -d ',' -f1`
            #    sPKG_VERSION=`echo ${J} | cut -d ',' -f2`
            #    logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
            #    report "installed_package[]=${sPKG_NAME}|${sPKG_VERSION}|"
            #done
          else
            Display --indent 4 --text "- Searching pkg..." --result "NOT INSTALLED" --color YELLOW
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7302
    # Description : Query FreeBSD pkg_info
    if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD pkg_info"
    if [ ${SKIPTEST} -eq 0 ]; then
        N=0
        Display --indent 4 --text "- Searching pkg_info..." --result FOUND --color GREEN
        logtext "Result: Found pkg_info"
        report "package_manager[]=pkg_info"
        logtext "Test: Querying pkg_info to get package list..."
        Display --indent 6 --text "- Querying pkg_info for installed packages..."
        logtext "Output:"; logtext "-----"
        SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
        for J in ${SPACKAGES}; do
            N=`expr ${N} + 1`
            sPKG_NAME=`echo ${J} | cut -d ',' -f1`
            sPKG_VERSION=`echo ${J} | cut -d ',' -f2`
            logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
            report "installed_package[]=${sPKG_NAME}|${sPKG_VERSION}|"
        done
        report "installed_packages=${N}"
    fi
#
#################################################################################
#
# Temporary disabled due false positives
# Packages like docbook, gcc, automake report multiple installed versions
#    # Test        : PKGS-7303
#    # Description : Query FreeBSD pkg_info
#    if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#    Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD for double installed packages"
#    if [ ${SKIPTEST} -eq 0 ]; then    
#	SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
#	if [ "${SDOUBLEINSTALLED}" = "" ]; then
#	    Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result OK --color GREEN	
#	    logtext "Ok, no packages show up twice or more in the package listing."
#	  else
#	    Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result WARNING --color RED
#	    for J in ${SDOUBLEINSTALLED}; do
#	        ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
#		logtext "This package ${J} is visible twice or more in the pkg_info listing."
#		ReportSuggestion ${TEST_NO} "(FreeBSD) run pkgdb -F and check this manually."
#	        ReportSuggestion ${TEST_NO} "(OpenBSD) check dependencies to see if one of the double "
#		logtext "installed packages is unneeded."
#		report "double_installed_package[]=${J}"
#	    done
#	fi
#      else
#        Display --indent 4 --text "- Searching pkg_info..." --result "NOT FOUND" --color WHITE
#	logtext "Result: pkg_info can NOT be found on this system"
#    fi    
#
#################################################################################
#
    # Test        : PKGS-7306
    # Description : Solaris packages
    if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages"
    if [ ${SKIPTEST} -eq 0 ]; then
	Display --indent 4 --text "- Searching pkginfo..." --result FOUND --color GREEN
	    logtext "Result: Found Solaris pkginfo"
	    report "package_manager[]=pkginfo"
	    logtext "Test: Querying pkginfo to get package list"
	    Display --indent 4 --text "- Querying pkginfo for installed packages..."
	    logtext "Output:"; logtext "-----"
	    # Strip SUNW from strings
	    SPACKAGES=`/usr/bin/pkginfo -i | tr -s ' ' | cut -d ' ' -f2 | sed "s#^SUNW##"`
	    for J in ${SPACKAGES}; do
	        logtext "Found package ${J}"
		report "installed_package[]=${J}||"
	    done
      else
	logtext "Result: pkginfo can NOT be found on this system"
    fi
#
#
#################################################################################
#
    # Test        : PKGS-7308
    # Description : RPM package based systems
    if [ ! "${RPMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM"
    if [ ${SKIPTEST} -eq 0 ]; then
        N=0
        Display --indent 4 --text "- Searching RPM package manager..." --result FOUND --color GREEN
        logtext "Result: Found rpm binary (${RPMBINARY})"
        report "package_manager[]=rpm"
        logtext "Test: Querying 'rpm -qa' to get package list"
        Display --indent 6 --text "- Querying RPM package manager..."
        logtext "Output:"; logtext "--------"
        SPACKAGES=`${RPMBINARY} -qa | sort`
        if [ "${SPACKAGES}" = "" ]; then
            logtext "Result: RPM binary available, but package list seems to be empty"
            logtext "Info: looks like the rpm binary is installed, but not used for package installation"
          else
            for J in ${SPACKAGES}; do
                N=`expr ${N} + 1`
                logtext "Found package: ${J}"
                report "installed_package[]=${J}||"
            done
            report "installed_packages=${N}"

        fi
      else
        logtext "Result: RPM binary NOT found on this system, test skipped"
    fi
#
#################################################################################
#
    # Test        : PKGS-7310
    # Description : pacman package based systems
    if [ ! "${PACMANBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman"
    if [ ${SKIPTEST} -eq 0 ]; then
        N=0
        Display --indent 4 --text "- Searching pacman package manager..." --result FOUND --color GREEN
        logtext "Result: Found pacman binary (${PACMANBINARY})"
        report "package_manager[]=pacman"
        logtext "Test: Querying 'pacman -Q' to get package list"
        Display --indent 6 --text "- Querying pacman package manager..."
        logtext "Output:"; logtext "--------"
        SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'`
        if [ "${SPACKAGES}" = "" ]; then
            logtext "Result: pacman binary available, but package list seems to be empty"
            logtext "Info: looks like the pacman binary is installed, but not used for package installation"
            #YYY ReportException?
          else
            for J in ${SPACKAGES}; do
                N=`expr ${N} + 1`
                PACKAGE_NAME=`echo ${J} | awk -F, '{ print $1 }'`
                PACKAGE_VERSION=`echo ${J} | awk -F, '{ print $2 }'`
                logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
                report "installed_package[]=${PACKAGE_NAME}|${PACKAGE_VERSION}|"
            done
            report "installed_packages=${N}"

        fi
      else
        logtext "Result: pacman binary NOT found on this system, test skipped"
    fi
#
#################################################################################
#
    # Test        : PKGS-7312
    # Description : HP-UX packages
    # Notes       : swlist -l fileset (|grep patch) / print_manifest
#
#################################################################################
#
    # Test        : PKGS-7316
    # Description : AIX patches
    # Notes       : /usr/sbin/instfix -c -i | cut -d":" -f1
#
#################################################################################
#
    # Test        : PKGS-7328
    # Description : Check installed packages with Zypper
    if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Zypper for installed packages"
    if [ ${SKIPTEST} -eq 0 ]; then
        N=0
        FIND=`${ZYPPERBINARY} se -i | awk '{ if ($1=="i") { print $3 } }'`
        if [ ! "${FIND}" = "" ]; then
            for I in ${FIND}; do
                N=`expr ${N} + 1`
                logtext "Installed package: ${I}"
                report "installed_package[]=${I}|-|"
            done
            report "installed_packages=${N}"
          else
            # Could not find any installed packages
            ReportException ${TEST_NO} "No installed packages found with Zypper"
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7330
    # Description : Check vulnerable packages with Zypper
    if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Zypper for vulnerable packages"
    if [ ${SKIPTEST} -eq 0 ]; then
        FIND=`${ZYPPERBINARY} lp | ${AWKBINARY} '{ if ($7=="security") { if ($11=="update") { print $13 } else { print $11 } } }' | sed 's/:$//' | grep -v "^$" | sort | uniq`
            if [ "${FIND}" = "" ]; then
                logtext "Result: No security updates found with Zypper"
                Display --indent 2 --text "- Using Zypper to obtain vulnerabile packages" --result NONE --color GREEN
              else
                Display --indent 2 --text "- Using Zypper to obtain vulnerabilities" --result WARNING --color RED
                logtext "Result: Zypper found one or more installed packages which are vulnerable."
                ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed"
                logtext "List of vulnerable packages/version:"
                for I in ${FIND}; do
                    report "vulnerable_package[]=${I}"
                    logtext "Vulnerable package: ${I}"
                    # Decrease hardening points for every found vulnerable package
                    AddHP 1 2
                done
            fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7345
    # Description : Debian package based systems (dpkg)
    if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying dpkg"
    if [ ${SKIPTEST} -eq 0 ]; then
        N=0
        Display --indent 4 --text "- Searching dpkg package manager..." --result FOUND --color GREEN
        logtext "Result: Found dpkg binary"
        report "package_manager[]=dpkg"
        logtext "Test: Querying dpkg -l to get package list"
        Display --indent 6 --text "- Querying package manager..."
        logtext "Output:"
        SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' '#' | sort`
        for J in ${SPACKAGES}; do
            N=`expr ${N} + 1`
            PACKAGE_NAME=`echo ${J} | cut -d '#' -f2`
            PACKAGE_VERSION=`echo ${J} | cut -d '#' -f3`
            logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
            report "installed_package[]=${PACKAGE_NAME}|${PACKAGE_VERSION}|"
        done
        report "installed_packages=${N}"
      else
        logtext "Result: dpkg can NOT be found on this system, test skipped"
    fi
#
#################################################################################
#
    # Test        : PKGS-7346
    # Description : Check packages which are removed, but still own configuration files, cron jobs etc
    # Notes       : Cleanup: for pkg in `dpkg -l | grep "^rc" | cut -d' ' -f3`; do aptitude purge ${pkg}; done
    if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search unpurged packages on system"
    if [ ${SKIPTEST} -eq 0 ]; then
        N=0
        logtext "Test: Querying dpkg -l to get unpurged packages"
        SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort`
        if [ "${SPACKAGES}" = "" ]; then
            Display --indent 4 --text "- Query unpurged packages..." --result NONE --color GREEN
            logtext "Result: no packages found with left overs"
          else
            Display --indent 4 --text "- Query unpurged packages..." --result FOUND --color YELLOW
            logtext "Result: found one or more packages with left over configuration files, cron jobs etc"
            logtext "Output:"
            for J in ${SPACKAGES}; do
                N=`expr ${N} + 1`
                logtext "Found unpurged package: ${J}"
            done
            ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
        fi
      else
        logtext "Result: dpkg can NOT be found on this system, test skipped"
    fi
#
#################################################################################

    # Test        : PKGS-7348
    # Description : Show unneeded distfiles if present
    # Notes       : Portsclean seems to be gone from the ports, so no suggestion or warning is
    #               issued when it's missing.
    #               Add portmaster --clean-distfiles-all
    Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --description "Check for old distfiles"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -x /usr/local/sbin/portsclean ]; then
            FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '`
            if [ ${FIND} -eq 0 ]; then
                Display --indent 2 --text "- Checking presence old distfiles..." --result OK --color GREEN
                logtext "Result: no unused distfiles found"
              else
                Display --indent 2 --text "- Checking presence old distfiles..." --result WARNING --color YELLOW
                logtext "Result: found ${FIND} unused distfiles"
                ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
            fi
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7378
    # Description : Query FreeBSD portmaster for available port upgrades
    if [ -x /usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query portmaster for port upgrades"
    if [ ${SKIPTEST} -eq 0 ]; then
        N=0
        logtext "Test: Querying portmaster for possible port upgrades"
        UPACKAGES=`/usr/local/sbin/portmaster -L | grep "version available" | awk '{ print $5 }'`
        for J in ${UPACKAGES}; do
            N=`expr ${N} + 1`
            logtext "Upgrade available (new version): ${J}"
            report "upgrade_available[]=${J}"
        done
        report "upgrade_available_count=${N}"
        if [ ${N} -eq 0 ]; then
            logtext "Result: no upgrades found"
            Display --indent 2 --text "- Checking portmaster for updates" --result NONE --color GREEN
          else
            Display --indent 2 --text "- Checking portmaster for updates" --result FOUND --color YELLOW
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7381
    # Description : Check for vulnerable FreeBSD packages (with png)
    Register --test-no PKGS-7381 --os FreeBSD --weight L --network NO --description "Check for vulnerable FreeBSD packages"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -x /usr/sbin/pkg ]; then
            FIND=`/usr/sbin/pkg audit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
            PKG_AUDIT_TOOL_FOUND=1
            PKG_AUDIT_TOOL="pkg audit"
            if [ "${FIND}" = "" ]; then
                logtext "Result: pkg audit results are clean"
                Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages..." --result NONE --color GREEN
              # Don't check yet, output of found vulnerable packages unclear
              #else
                #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages..." --result WARNING --color RED
                #logtext "Result: pkg audit found one or more installed packages which are vulnerable."
                #ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
                #ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
                #logtext "List of vulnerable packages/version:"
                #for I in `/usr/sbin/pkg audit -F | grep "Affected package" | cut -d ' ' -f3 | sort | uniq`; do
                #    report "vulnerable_package[]=${I}"
                #    logtext "Vulnerable package: ${I}"
                #    # Decrease hardening points for every found vulnerable package
                #    AddHP 1 2
                #done
            fi
          else
            Display --indent 2 --text "- pkg audit not installed" --result "NOT FOUND" --color WHITE
            logtext "Result: pkg audit not installed, can't perform vulnerability test."
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7382
    # Description : Check for vulnerable FreeBSD packages
    Register --test-no PKGS-7382 --os FreeBSD --weight L --network NO --description "Check for vulnerable FreeBSD packages"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -x /usr/local/sbin/portaudit ]; then
            PKG_AUDIT_TOOL_FOUND=1
            FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
            if [ "${FIND}" = "" ]; then
                logtext "Result: Portaudit results are clean"
                Display --indent 2 --text "- Checking portaudit to obtain vulnerabile packages..." --result NONE --color GREEN
              else
                Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities..." --result WARNING --color RED
                logtext "Result: Portaudit found one or more installed packages which are vulnerable."
                ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
                ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
                logtext "List of vulnerable packages/version:"
                for I in `/usr/local/sbin/portaudit | grep "Affected package" | cut -d ' ' -f3 | sort | uniq`; do
                    report "vulnerable_package[]=${I}"
                    logtext "Vulnerable package: ${I}"
                    # Decrease hardening points for every found vulnerable package
                    AddHP 1 2
                done
            fi
          else
            # Don't advice portaudit anymore, as pkg audit is the replacement (pkgng)
            logtext "Result: Portaudit not installed, can't perform vulnerability test."
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7383
    # Description : Check for YUM package Update management
    if [ ! "${YUMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --description "Check for YUM package Update management"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: YUM package update management"
        sFIND=`${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}'`
        if [ "$(echo ${sFIND} | egrep "^[0-9]+$")" -a "${sFIND}" = "0" ]; then
          logtext "Result: YUM package update management failed"
          Display --indent 2 --text "- Checking YUM package management consistency" --result WARNING --color RED
          ReportWarning ${TEST_NO} "M" "YUM is not properly configured or registered for this platform (no repolist found)"
          #ReportSuggestion ${TEST_NO} "Check YUM registration for repository configuration (repolist)"
        else
          logtext "Result: YUM repository available (${sFIND})"
          Display --indent 2 --text "- Checking YUM package management consistency" --result OK --color GREEN
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7384
    # Description : Search for YUM utils package
    if [ ! "${YUMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM utils package"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -x /usr/bin/package-cleanup ]; then
            logtext "Result: found YUM utils package (/usr/bin/package-cleanup)"
            # Check for duplicates
            logtext "Test: Checking for duplicate packages"
            FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?`
            if [ "${FIND}" = "0" ]; then
                logtext "Result: No duplicate packages found"
                Display --indent 2 --text "- Checking package database duplicates..." --result OK --color GREEN
              else
                logtext "Result: One or more duplicate packages found"
                Display --indent 2 --text "- Checking package database duplicates..." --result WARNING --color RED
                ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed"
                ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
            fi

            # Check for package database problems
            logtext "Test: Checking for database problems"
            FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?`
            if [ "${FIND}" = "0" ]; then
                logtext "Result: No package database problems found"
                Display --indent 2 --text "- Checking package database for problems..." --result OK --color GREEN
              else
                logtext "Result: One or more problems found in package database"
                Display --indent 2 --text "- Checking package database for problems..." --result WARNING --color RED
                ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database"
                ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
            fi
          else
            Display --indent 2 --text "- yum-utils package not installed" --result SUGGESTION --color YELLOW
            logtext "Result: YUM utils package not found"
            ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database"
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7386
    # Description : Search for YUM security package
    # Notes       : This test does not apply to CentOS and clones, as --security is not available
    if [ -x /usr/bin/yum ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7386 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM security package"
    if [ ${SKIPTEST} -eq 0 ]; then
        DO_TEST=0
        logtext "Test: Determining if yum-security package installed"

        FileExists /etc/yum/pluginconf.d/security.conf
        if [ ${FILE_FOUND} -eq 1 ]; then
           SearchItem "^enabled=1$" "/etc/yum/pluginconf.d/security.conf"
           if [ ${ITEM_FOUND} -eq 1 ]; then
               DO_TEST=1
           fi
         else
           # Check if it's installed as package (this is old style)
           FIND=`rpm -q yum-security yum-plugin-security | grep -v "not installed"`
           if [ ! "${FIND}" = "" ]; then
               logtext "Result: found yum-plugin-security package"
               DO_TEST=1
           fi
        fi

        # If we have the module of yum active, continue.
        if [ ${DO_TEST} -eq 1 ]; then
            PKG_AUDIT_TOOL_FOUND=1
            PKG_AUDIT_TOOL="yum-security"
            logtext "Test: Checking for vulnerable packages"
            FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security") print $3","$5 }'`
            if [ "${FIND2}" = "" ]; then
                logtext "Result: no vulnerable packages found"
                Display --indent 2 --text "- Checking missing security packages..." --result OK --color GREEN
              else
                logtext "Result: found vulnerable package(s)"
                Display --indent 2 --text "- Checking missing security packages..." --result WARNING --color RED
                for I in ${FIND2}; do
                    report "vulnerable_package[]=${I}"
                    logtext "Vulnerable package: ${I}"
                    AddHP 1 2
                done
                ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
                ReportSuggestion ${TEST_NO} "Use 'yum --security update' to update your system"
            fi
          else
            logtext "Result: yum-security package not found"
            Display --indent 2 --text "- Checking missing security packages" --result SKIPPED --color YELLOW
            ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7387
    # Description : Search for YUM GPG check
    if [ -x /usr/bin/yum ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for GPG signing in YUM security package"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        FileExists /etc/yum.conf
        if [ ${FILE_FOUND} -eq 1 ]; then
           SearchItem "^gpgenabled=1$" "/etc/yum.conf"
           if [ ${ITEM_FOUND} -eq 1 ]; then
               FOUND=1
               logtext "Result: GPG check is enabled"
               Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result OK --color GREEN
             else
               Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result DISABLED --color RED
               ReportWarning ${TEST_NO} "M" "No GPG signing option found in yum.conf"
           fi
        fi
     fi
#
#################################################################################
#
    # Test        : PKGS-7388
    # Description : Check security repository in Debian/ubuntu apt sources.list file
    if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7388 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check security repository in Debian/ubuntu apt sources.list file"
    if [ $SKIPTEST -eq 0 ]; then
        if [ -f /etc/apt/sources.list -a ! "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" = "yes" ]; then
            logtext "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
            FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g'`
            if [ ! "${FIND}" = "" ]; then
                Display --indent 2 --text "- Checking security repository in sources.list file... " --result OK --color GREEN
                logtext "Result: Found security repository in /etc/apt/sources.list"
                for I in ${FIND}; do
                    I=`echo ${I} | sed 's/!space!/ /g'`
                    logtext "Output: ${I}"
                done
                AddHP 3 3
              else
                Display --indent 2 --text "- Checking security repository in sources.list file... " --result WARNING --color RED
                ReportWarning ${TEST_NO} "M" "Can't find any security repository in /etc/apt/sources.list."
                ReportSuggestion ${TEST_NO} "Check /etc/apt/sources.list if a security repository is configured correctly"
                AddHP 0 3
            fi
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7390
    # Description : Check Ubuntu database consistency
    if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Ubuntu database consistency"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: Package database consistency by running apt-get check"
        FIND=`/usr/bin/apt-get -q=2 check; echo $?`
        if [ "${FIND}" = "0" ]; then
            Display --indent 2 --text "- Checking APT package database..." --result OK --color GREEN
            logtext "Result: package database seems to be consistent."
          else
            logtext "Result: package database is most likely NOT consistent"
            Display --indent 2 --text "- Checking APT package database..." --result WARNING --color RED
            ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code."
            ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7392
    # Description : Check Debian/Ubuntu vulnerable packages
    if [ -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --description "Check for Debian/Ubuntu security updates"
    if [ ${SKIPTEST} -eq 0 ]; then
        VULNERABLE_PACKAGES_FOUND=0
        SCAN_PERFORMED=0
        # Update the repository, outdated repositories don't give much information
        logtext "Action: updating repository with apt-get"
        /usr/bin/apt-get -q=2 update
        logtext "Result: apt-get finished"
        logtext "Action: Checking if /usr/lib/update-notifier/apt-check exists"
        if [ -x /usr/lib/update-notifier/apt-check ]; then
          PKG_AUDIT_TOOL_FOUND=1
          PKG_AUDIT_TOOL="apt-check"
          logtext "Result: found /usr/lib/update-notifier/apt-check"
          logtext "Action: checking if any of the updates contain security updates"
          FIND=`/usr/lib/update-notifier/apt-check --human-readable | grep "are security updates" | awk -F" " '{ print $1 }'`
          # Check if we get the proper line back and amount of security patches available
          if [ "${FIND}" = "" ]; then
              logtext "Result: did not find security updates line"
              ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test gives an unexpected result"
            else
              if [ "${FIND}" = "0" ]; then
                  logtext "Result: no vulnerable packages found via apt-check"
                  SCAN_PERFORMED=1
                else
                  VULNERABLE_PACKAGES_FOUND=1
                  SCAN_PERFORMED=1
                  logtext "Result: found ${FIND} security updates via apt-check"
                  AddHP 0 25
              fi
          fi
          else
            logtext "Result: apt-check (update-notifier-common) not found"
        fi

        # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
        # Show packages which would be upgraded and match 'security' in repository name
        FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
        if [ ! "${FIND}" = "" ]; then
            #Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
            VULNERABLE_PACKAGES_FOUND=1
            SCAN_PERFORMED=1
            logtext "Result: found vulnerable package(s) via apt-get (-security channel)"
            PKG_AUDIT_TOOL="apt-get"
            PKG_AUDIT_TOOL_FOUND=1
            for I in ${FIND}; do
                logtext "Found vulnerable package: ${I}"
                report "vulnerable_package[]=${I}"
            done
        fi
        if [ ${SCAN_PERFORMED} -eq 1 ]; then
            if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
                ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
                ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
                Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
              else
                Display --indent 2 --text "- Checking vulnerable packages..." --result OK --color GREEN
                logtext "Result: no vulnerable packages found"
            fi
          else
            Display --indent 2 --text "- Checking vulnerable packages (apt-get only)..." --result DONE --color GREEN
            logtext "Result: test not fully executed (missing apt-check)"
        fi
    fi
#
#################################################################################
#
    # Test        : PKGS-7394
    # Description : Check Ubuntu upgradeable packages
    if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --description "Check for Ubuntu updates"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: checking /usr/bin/apt-show-versions"
        if [ -x /usr/bin/apt-show-versions ]; then
            logtext "Result: found /usr/bin/apt-show-versions"
            logtext "Test: Checking packages which can be upgraded via apt-show-versions"
            FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'`
            if [ "${FIND}" = "" ]; then
                logtext "Result: no packages found which can be upgraded"
                Display --indent 2 --text "- Checking upgradeable packages..." --result NONE --color GREEN
                AddHP 3 3
              else
                logtext "Result: found one or more packages which can be upgraded"
                Display --indent 2 --text "- Checking upgradeable packages..." --result FOUND --color YELLOW
                # output: program/repository upgradeable from version X to Y
                for I in ${FIND}; do
                    I=`echo ${I} | sed 's/!space!/ /g'`
                    logtext "${I}"
                done
            fi
          else
            logtext "Result: /usr/bin/apt-show-versions not found"
            Display --indent 2 --text "- Checking upgradeable packages..." --result SKIPPED --color WHITE
            ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
        fi
    fi

#
#################################################################################
#
    # Test        : PKGS-7398
    # Description : Check package audit tool
    Register --test-no PKGS-7398 --weight L --network YES --description "Check for package audit tool"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: checking for package audit tool"
        if [ ${PKG_AUDIT_TOOL_FOUND} -eq 0 ]; then
            Display --indent 2 --text "- Checking package audit tool..." --result NONE --color RED
            ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
            logtext "Result: no package audit tool found"
          else
            Display --indent 2 --text "- Checking package audit tool..." --result INSTALLED --color GREEN
            Display --indent 4 --text "Found: ${PKG_AUDIT_TOOL}"
            logtext "Result: found package audit tool: ${PKG_AUDIT_TOOL}"
        fi
    fi
#
#################################################################################
#

# check for popularity-contest (Debian/Ubuntu)
# check for yum-changelog


report "pkg_audit_tool=${PKG_AUDIT_TOOL}"
report "pkg_audit_tool_found=${PKG_AUDIT_TOOL_FOUND}"

wait_for_keypress


#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
