tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-26 23:34:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #676 from Capashenn/patch_8

Browse Source 
fix issue #659
This commit is contained in:
Michael Boelen 2019-07-14 13:30:16 +02:00 committed by GitHub
commit 1df9630bcf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 37 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
include/tests_kernel
View File

@ -31,6 +31,7 @@
CPU_NX=0 CPU_NX=0
LINUXCONFIGFILE="" LINUXCONFIGFILE=""
LINUXCONFIGFILE_ZIPPED=0 LINUXCONFIGFILE_ZIPPED=0
LIMITS_DIRECTORY="${ROOTDIR}etc/security/limits.d"
# #
################################################################################# #################################################################################
# #
@ -436,23 +437,33 @@
# Description : Checking core dumps configuration (Linux) # Description : Checking core dumps configuration (Linux)
Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration" Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Limits option
LogText "Test: Checking presence /etc/security/limits.conf" LogText "Test: Checking presence /etc/security/limits.conf"
if [ -f /etc/security/limits.conf ]; then if [ -f /etc/security/limits.conf ]; then
LogText "Result: file /etc/security/limits.conf exists" LogText "Result: file /etc/security/limits.conf exists"
LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf" LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf and /etc/security/limits.d/*"
FIND1=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }') FIND1=$(${GREPBINARY} -r -v "^#" /etc/security/limits.conf ${LIMITS_DIRECTORY} | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }')
FIND2=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }') FIND2=$(${GREPBINARY} -r -v "^#" /etc/security/limits.conf ${LIMITS_DIRECTORY} | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }')
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then if [ "${FIND2}" = "hard core disabled" ]; then
LogText "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
AddHP 1 2
else
LogText "Result: core dumps (soft and hard) are both disabled" LogText "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
CORE_DUMPS_DISABLED=1 CORE_DUMPS_DISABLED=1
AddHP 3 3 AddHP 3 3
elif [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
AddHP 1 3
else
LogText "Result: core dumps are not explicitly disabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_NOT_FOUND}" --color WHITE
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file"
AddHP 2 3
fi fi
else
LogText "Result: file /etc/security/limits.conf does not exist, skipping test"
fi
# TODO: Check ulimit settings in /etc/profile and /etc/profile.d
# Sysctl option # Sysctl option
LogText "Test: Checking sysctl value of fs.suid_dumpable" LogText "Test: Checking sysctl value of fs.suid_dumpable"
@ -476,11 +487,6 @@
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE
AddHP 1 1 AddHP 1 1
fi fi
else
LogText "Result: file /etc/security/limits.conf does not exist, skipping test"
fi
# TODO: Check ulimit settings in /etc/profile and /etc/profile.d
fi fi
# #
################################################################################# #################################################################################