diego-treitos / linux-smart-enumeration

Linux enumeration tool for pentesting and CTFs with verbosity levels
GNU General Public License v3.0

Check for existing tmux sessions #50

Closed Reelix closed 3 years ago

Reelix commented 3 years ago

If you log onto an active user and tmux is installed, they might have tmux sessions available that you are initially unable to see which might be useful if they had sensitive information available in one of them (Such as having switched users).

A tmux list-sessions would display any existing sessions and the number of windows in each session.

rjsu26 commented 3 years ago

On it!

exploide commented 3 years ago

If this gets added, checking screen would be equally reasonable.

rjsu26 commented 3 years ago

All tmux and screen (and other similar tools) sessions will have to be displayed to the user, or those with some special property?

Reelix commented 3 years ago

It would probably be ideal, although it's really up to the person doing the implementation. A simple ps -aux | grep tmux check would probably be fine for a start, and anything beyond that would be ideal, and up to the developer.

diego-treitos commented 3 years ago

In my opinion, the tmux session will only be useful if you can attach to it so a tmux ls should be enough. Note that if there was a writable tmux socket owned by other users (which would be highly unusual) the socket file would also appear in the writable files outside $HOME (/tmp/tmux-$UID/default).

I am not very familiar with screen (I used it many years ago) but I think screen -ls has similar behavior to tmux ls.

I think I can add 2 new level 0 tests:

and 2 level 1 tests:

rjsu26 commented 3 years ago

Created a work in progress PR #52

rjsu26 commented 3 years ago

@diego-treitos @exploide @Reelix Let me know what else can be added here. Can we have a level 2 testing where the CVE IDs are also indicated based on installed version of a given software? I think it's currently not under scope of LSE, but if incorporated, can be helpful to a user...

diego-treitos commented 3 years ago

@rjsu26 I replied to your PR.

Regarding CVEs, I am working on a way of implementing those tests. For me the problem with CVE tests is that they are usually very inaccurate and I wanted this tool to be as accurate as possible so you are not led into rabbit holes. On the other hand, testing for CVEs in an accurate way is a huge task, as CVEs are patched in different versions of the software depending on the distribution and on the version of the distribution.

rjsu26 commented 3 years ago

@diego-treitos I made the changes and posted a doubt on the PR thread. Can you please check?

Also, let me know if I can help on the CVE testing tasks (as you said you are working on them). Thanks

diego-treitos commented 3 years ago

Alright, thank you! I will review them later and merge them if ready.
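The socket-permission point raised in the thread (a tmux socket under /tmp/tmux-$UID/ that other users can reach), written as a permissions audit. This is an added example, not code from the thread or from linux-smart-enumeration; it assumes tmux's default layout of `<base>/tmux-<UID>/<socket>` with the base taken from `$TMUX_TMPDIR` or `/tmp`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag tmux socket directories and sockets whose permissions
# would let another local user reach someone else's session.
# Assumption: default tmux layout <base>/tmux-<UID>/<socket>.

# perms_of PATH -> the 10-character mode string from ls (e.g. drwx------)
perms_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# report_entry PATH -> prints "<OK|LOOSE> <mode> <path>"
# LOOSE means group or other holds at least one r/w/x bit.
report_entry() {
    mode=$(perms_of "$1")
    case $(printf '%s' "$mode" | cut -c5-10) in
        # all group/other bits clear; S (setgid) and T (sticky) grant no access
        --[-S]--[-T]) status=OK ;;
        *)            status=LOOSE ;;
    esac
    printf '%s %s %s\n' "$status" "$mode" "$1"
}

# audit_tmux_dirs [BASE]
# Reports every tmux-* directory under BASE and every socket inside it.
audit_tmux_dirs() {
    base=${1:-${TMUX_TMPDIR:-/tmp}}
    for dir in "$base"/tmux-*; do
        [ -d "$dir" ] || continue          # glob did not match anything
        report_entry "$dir"
        for sock in "$dir"/*; do
            [ -S "$sock" ] || continue     # only socket files are of interest
            report_entry "$sock"
        done
    done
    return 0
}

# Audit the default location, or the base directory given as first argument.
audit_tmux_dirs "$@"
```

Any `LOOSE` line is worth fixing with `chmod 700` on the directory, since access to a tmux session is controlled by who can reach its socket.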