Delete trailing whitespace

Laurent Quillerou 2015-09-07 18:35:07 +03:00
parent a90d225bf4
commit 3cdd9ea949
27 changed files with 62 additions and 62 deletions


@ -921,7 +921,7 @@
- Added Squid test: reply_body_max_size option [SQD-3630] - Added Squid test: reply_body_max_size option [SQD-3630]
- Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328] - Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328]
- Check PHP option allow_url_include [PHP-2378] - Check PHP option allow_url_include [PHP-2378]
Changes: Changes:
- Extended possible Squid configuration file locations - Extended possible Squid configuration file locations
- Added additional sysctl keys to default profile - Added additional sysctl keys to default profile
@ -1098,7 +1098,7 @@
- nginx configuration file check [HTTP-6704] - nginx configuration file check [HTTP-6704]
- Exim status check [MAIL-8802] - Exim status check [MAIL-8802]
- Postfix status check [MAIL-8814] - Postfix status check [MAIL-8814]
Changes: Changes:
- atd needs to run before testing at files [SCHD-7720] - atd needs to run before testing at files [SCHD-7720]
- Removed Solaris OS requirement from logrotate test [LOGG-2148] - Removed Solaris OS requirement from logrotate test [LOGG-2148]
@ -1108,7 +1108,7 @@
- Binary scan optimized and partially combined with other check - Binary scan optimized and partially combined with other check
- Only perform iptables tests if kernel module is active - Only perform iptables tests if kernel module is active
- Don't show message when /etc/shells can't be found [SHLL-6211] - Don't show message when /etc/shells can't be found [SHLL-6211]
- Check /var/spool/cron/crontabs first, if it exists [SCHD-7704] - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704]
- Renumbered FreeBSD test SHLL-7225 [SHLL-6202] - Renumbered FreeBSD test SHLL-7225 [SHLL-6202]
- Renumbered malware test MALW-3292 [HRDN-7230] - Renumbered malware test MALW-3292 [HRDN-7230]
- Improved grep on process status [PRNT-2304] - Improved grep on process status [PRNT-2304]
@ -1298,10 +1298,10 @@
New: New:
- New test: Passwordless Solaris accounts test [AUTH-9254] - New test: Passwordless Solaris accounts test [AUTH-9254]
- New test: AFICK file integrity [FINT-4310] - New test: AFICK file integrity [FINT-4310]
- New test: AIDE file integrity [FINT-4314] - New test: AIDE file integrity [FINT-4314]
- New test: Osiris file integrity [FINT-4318] - New test: Osiris file integrity [FINT-4318]
- New test: Samhain file integrity [FINT-4322] - New test: Samhain file integrity [FINT-4322]
- New test: Tripwire file integrity [FINT-4326] - New test: Tripwire file integrity [FINT-4326]
- New tests: NIS and NIS+ authentication test [AUTH-9240/42] - New tests: NIS and NIS+ authentication test [AUTH-9240/42]
- Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire - Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire
@ -1327,12 +1327,12 @@
- New test: Promiscuous network interfaces (Linux) [NETW-3015] - New test: Promiscuous network interfaces (Linux) [NETW-3015]
- Report option 'bootloader' added to several tests - Report option 'bootloader' added to several tests
- Added readlink binary check - Added readlink binary check
Changes: Changes:
- Extended file check (IsWorldWritable) for symlinks - Extended file check (IsWorldWritable) for symlinks
- Show result if no default gateway is found [NETW-3001] - Show result if no default gateway is found [NETW-3001]
- Added /usr/local/etc to sudoers test [AUTH-9250] - Added /usr/local/etc to sudoers test [AUTH-9250]
- Improved FreeBSD banner output [BANN-7113] - Improved FreeBSD banner output [BANN-7113]
- Removed incorrect line at promiscuous interface test [NETW-3014] - Removed incorrect line at promiscuous interface test [NETW-3014]
- Fix: Show only once the GRUB test output [BOOT-5121] - Fix: Show only once the GRUB test output [BOOT-5121]
- Fix: Typo in NTP test [TIME-3104] - Fix: Typo in NTP test [TIME-3104]
@ -1380,7 +1380,7 @@
- New test: checking for heavy IO waiting processes [PROC-3614] - New test: checking for heavy IO waiting processes [PROC-3614]
- Initial HP-UX support (untested) - Initial HP-UX support (untested)
- Initial AIX support (untested) - Initial AIX support (untested)
- Added iptables binary check - Added iptables binary check
- Added dig check, for DNS related tests - Added dig check, for DNS related tests
- Added option --no-colors to remove all colors from screen output - Added option --no-colors to remove all colors from screen output
- Added option --reverse-colors for optimizing output at light backgrounds - Added option --reverse-colors for optimizing output at light backgrounds
@ -1400,7 +1400,7 @@
- Several tests have their warning reporting improved - Several tests have their warning reporting improved
- Improved SuSE Linux detection - Improved SuSE Linux detection
- Improved syslog-ng detection - Improved syslog-ng detection
- Adjusted README with link to online (extended) documentation - Adjusted README with link to online (extended) documentation
-- --
@ -1410,7 +1410,7 @@
- New test: Check writable startup scripts [BOOT-5184] - New test: Check writable startup scripts [BOOT-5184]
- New test: Syslog-NG consistency check [LOGG-2134] - New test: Syslog-NG consistency check [LOGG-2134]
- New test: Check yum-utils package and scanning package database [PKGS-7384] - New test: Check yum-utils package and scanning package database [PKGS-7384]
- New test: Test for empty ruleset when iptables is loaded [FIRE-4512] - New test: Test for empty ruleset when iptables is loaded [FIRE-4512]
- New test: Check for expired SSL certificates [CRYP-7902] - New test: Check for expired SSL certificates [CRYP-7902]
- New test: Check for LDAP authentication support [AUTH-9238] - New test: Check for LDAP authentication support [AUTH-9238]
- New test: Read available crontab/cron files [SCHD-7704] - New test: Read available crontab/cron files [SCHD-7704]
@ -1449,7 +1449,7 @@
* 1.1.5 (2008-06-10) * 1.1.5 (2008-06-10)
New: New:
- Assigned ID to Apache configuration file test [HTTP-6624] - Assigned ID to Apache configuration file test [HTTP-6624]
- Added pause_between_tests to profile file, to regulate the speed of a scan - Added pause_between_tests to profile file, to regulate the speed of a scan
- Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345] - Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345]
- Assigned ID to Solaris package test [PKG-7306] - Assigned ID to Solaris package test [PKG-7306]
@ -1732,12 +1732,12 @@
-- --
* 1.0.3 (2007-11-19) * 1.0.3 (2007-11-19)
New: New:
- Added check for sockstat - Added check for sockstat
- Test: added test for GRUB and password option - Test: added test for GRUB and password option
- Test: query listening ports (sockstat) - Test: query listening ports (sockstat)
Changes: Changes:
- Fixed NTPd check (bug) - Fixed NTPd check (bug)
- Extended help for 'double installed package' check (BSD systems, pkg_info) - Extended help for 'double installed package' check (BSD systems, pkg_info)
@ -1789,7 +1789,7 @@
Changes: Changes:
- [bug] Changed skel directory check - [bug] Changed skel directory check
- Fixed display Apache configuration file - Fixed display Apache configuration file
-- --
* 1.0.0 (2007-11-08) * 1.0.0 (2007-11-08)


@ -36,4 +36,4 @@ To ensure all pull requests can be easily checked and merged, here are some tips
* Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH. * Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH.
* Properly document your code where needed. Besides the 'what', focus on explaining the 'why'. * Properly document your code where needed. Besides the 'what', focus on explaining the 'why'.
* Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others. * Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others.
* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) * Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1)

2
FAQ

@ -58,7 +58,7 @@
have a dark background, so it gives extra attention to the message. However have a dark background, so it gives extra attention to the message. However
if you have a white background (for example Mac OS X), you can run Lynis if you have a white background (for example Mac OS X), you can run Lynis
with --no-colors to strip colors or --reverse-colors to reverse the color with --no-colors to strip colors or --reverse-colors to reverse the color
scheme. Another option is to change your terminal colors within Mac OS. scheme. Another option is to change your terminal colors within Mac OS.
Q: Some tests take very long to finish, what to do? Q: Some tests take very long to finish, what to do?
A: Use a second console (or connection) and check the output of ps/lsof etc, A: Use a second console (or connection) and check the output of ps/lsof etc,


@ -9,7 +9,7 @@
# 5) file group owner # 5) file group owner
# 6) operating system, or systems # 6) operating system, or systems
# 7) operating system special # 7) operating system special
# 8) # 8)
# #
#================================================== #==================================================
file:/etc/group:644:root:root:Linux: file:/etc/group:644:root:root:Linux:
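
Review bot: Field 8 in the header comment ("# 8)") is listed without any description, so a reader of this database cannot tell what, if anything, belongs there. Either document the field or drop the numbered line so the format comment matches the records below it.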


@ -1,2 +1,2 @@
#version=20091015 #version=20091015
100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: 100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.:


@ -1,4 +1,4 @@
#version=2009101500 #version=2009101500
vuln.txt::: vuln.txt:::
crack*::: crack*:::
exploit*::: exploit*:::


@ -41,4 +41,4 @@
/tmp/.b:::Slapper::: /tmp/.b:::Slapper:::
/usr/man/.sman/sk:::Superkit::: /usr/man/.sman/sk:::Superkit:::
/usr/lib/.tbd:::TBD::: /usr/lib/.tbd:::TBD:::
/sbin/.login:::Login backdoor::: /sbin/.login:::Login backdoor:::


@ -1,2 +1,2 @@
#version=2008052800 #version=2008052800
php:5.2.5 php:5.2.5


@ -1,20 +1,20 @@
lynis for Debian lynis for Debian
---------------- ----------------
When execute Lynis from Debian menu, the program runs with the following When execute Lynis from Debian menu, the program runs with the following
parameter: parameter:
lynis --no-colors lynis --no-colors
It makes a full system check, with the default profile file It makes a full system check, with the default profile file
(/etc/lynis/default.prf). Please adjust this config file with your needs. (/etc/lynis/default.prf). Please adjust this config file with your needs.
For better perform, launch Lynis from a terminal, as root user, with your best For better perform, launch Lynis from a terminal, as root user, with your best
configuration. configuration.
Lynis can be executed directly: Lynis can be executed directly:
# lynis -c # lynis -c
or or
# lynis # lynis
After Lynis runs the system check, it creates the following two files with the After Lynis runs the system check, it creates the following two files with the
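
Review bot: Two sentences in this README still read as broken English after the whitespace cleanup: "When execute Lynis from Debian menu" and "For better perform, launch Lynis from a terminal". Since the file is being touched anyway, reword them, for example "When Lynis is executed from the Debian menu" and "For better performance".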

4
debian/rules vendored

@ -12,13 +12,13 @@ clean:
dh_testdir dh_testdir
dh_testroot dh_testroot
rm -f build-stamp rm -f build-stamp
dh_clean dh_clean
install: build install: build
dh_testdir dh_testdir
dh_testroot dh_testroot
dh_prep dh_prep
# Add here commands to install the package into debian/lynis. # Add here commands to install the package into debian/lynis.
install -D -m 0755 $(CURDIR)/lynis $(CURDIR)/debian/lynis/usr/sbin/lynis install -D -m 0755 $(CURDIR)/lynis $(CURDIR)/debian/lynis/usr/sbin/lynis
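
Review bot: The recipe lines under clean: and install: (dh_testdir, dh_testroot, rm -f build-stamp, the install -D line) depend on their leading tab, and make treats a line holding only a tab as an empty recipe line rather than a blank line. Whitespace stripping in debian/rules therefore deserves a package build before merge, to confirm that only trailing whitespace was removed and no recipe indentation changed.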


@ -122,7 +122,7 @@ sysctl:kernel.use-nx:0:1:XXX:
[network] [network]
sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address: sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
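
Review bot: The description on the net.inet.icmp.rediraccept line reads "Disable incoming ICMP redirect routing redirects", with "redirect" doubled. Align it with the neighbouring entries, which use "Disable/Ignore ICMP routing redirects".
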
@ -149,9 +149,9 @@ sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:
sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps: sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects: sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:
[security] [security]
#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level: #sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:


@ -6,4 +6,4 @@
- Integrity checks and tools - Integrity checks and tools
- Development tools - Development tools
================================================================================ ================================================================================


@ -364,7 +364,7 @@ Exit
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
echo -n "- Cleaning up OpenBSD package build... " echo -n "- Cleaning up OpenBSD package build... "
if [ -f openbsd/+CONTENTS ]; then rm openbsd/+CONTENTS; fi if [ -f openbsd/+CONTENTS ]; then rm openbsd/+CONTENTS; fi
echo "DONE" echo "DONE"
OPENBSD_CONTENTS="openbsd/+CONTENTS" OPENBSD_CONTENTS="openbsd/+CONTENTS"
@ -377,7 +377,7 @@ Exit
for I in ${PACKAGE_LIST_FILES}; do for I in ${PACKAGE_LIST_FILES}; do
echo -n "${I} " echo -n "${I} "
#FULLNAME=`cat files.dat | grep ":file:include: #FULLNAME=`cat files.dat | grep ":file:include:
#echo "${FULLNAME}" >> ${OPENBSD_CONTENTS} #echo "${FULLNAME}" >> ${OPENBSD_CONTENTS}
echo "${I}" >> ${OPENBSD_CONTENTS} echo "${I}" >> ${OPENBSD_CONTENTS}
FILE="../${I}" FILE="../${I}"
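
Review bot: The commented-out FULLNAME assignment in this loop stops mid-command, with an open backtick and an open double quote, and the commented echo "${FULLNAME}" line after it depends on it. The loop already writes ${I} to ${OPENBSD_CONTENTS} directly, so delete both commented lines instead of carrying whitespace fixes through dead code.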


@ -89,10 +89,10 @@
# If 'file' is an directory, use -d # If 'file' is an directory, use -d
if [ -d ${CHECKFILE} ]; then if [ -d ${CHECKFILE} ]; then
FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10` FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10`
PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3` PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3`
else else
FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10` FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10`
PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3` PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3`
fi fi
if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi
fi fi
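
Review bot: ${CHECKFILE} is unquoted in the [ -d ${CHECKFILE} ] test and in both ls calls, and it is interpolated into grep ":${CHECKFILE}:" as a regular expression. A path containing whitespace splits into several words, and a dot in the path matches any character in the profile lookup, so the wrong permfile or permdir entry can be compared. Quote the variable and use grep -F for the path match.
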
@ -1060,7 +1060,7 @@
if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi
fi fi
# Skip if test is not in the list # Skip if test is not in the list
if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then
FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"` FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"`
if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi
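
Review bot: The lookup echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}" is a substring and regular-expression match, so a test counts as listed whenever its ID occurs inside any longer token of the list. Compare against the list items individually instead. The -a operator inside [ ] on the line above is also marked obsolescent by POSIX; two tests joined with && fit the /bin/sh portability requirement stated in the contributing notes.
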
@ -1146,7 +1146,7 @@
{ {
if [ $1 = "" ]; then TESTID="UNKNOWN"; fi if [ $1 = "" ]; then TESTID="UNKNOWN"; fi
# Status: OK, WARNING, NEUTRAL, SUGGESTION # Status: OK, WARNING, NEUTRAL, SUGGESTION
# Impact: HIGH, SEVERE, LOW, # Impact: HIGH, SEVERE, LOW,
#report "result[]=TESTID-${TESTID},STATUS-$2,IMPACT-$3,MESSAGE-$4-" #report "result[]=TESTID-${TESTID},STATUS-$2,IMPACT-$3,MESSAGE-$4-"
# Reset ID before next test # Reset ID before next test
TESTID="" TESTID=""
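
Review bot: The first line of the function body tests [ $1 = "" ] with $1 unquoted, so when the argument is empty or missing the test expands to [ = "" ] and fails with an error instead of setting TESTID to UNKNOWN, which is the one case the line exists for. Quote it as [ "$1" = "" ].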


@ -29,7 +29,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUNDPROBLEM=0 FOUNDPROBLEM=0
# Check profile for paths to check # Check profile for paths to check
sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3` sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
for I in ${sSSL_PATHS}; do for I in ${sSSL_PATHS}; do
if [ -d ${I} ]; then if [ -d ${I} ]; then
FileIsReadable ${I} FileIsReadable ${I}
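
Review bot: The variable sSSL_PATHS begins with a stray lowercase s, which does not follow the contributing guideline that variables be capitalized with underscores (e.g. PROCESS_EXISTS=1). Rename it to SSL_PATHS in both the assignment and the for loop, and quote ${I} in [ -d ${I} ] so certificate paths with spaces are handled.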


@ -79,7 +79,7 @@
Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED
AddHP 0 5 AddHP 0 5
else else
logtext "Result: Login did not succeed, so a MySQL root password is set" logtext "Result: Login did not succeed, so a MySQL root password is set"
Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN
AddHP 2 2 AddHP 2 2
fi fi


@ -94,7 +94,7 @@
Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --description "AIDE configuration: Checksums (SHA256 or SHA512)" Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}` FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}`
FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"` FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: Unclear how AIDE is dealing with checksums" logtext "Result: Unclear how AIDE is dealing with checksums"
Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW


@ -322,7 +322,7 @@
#SKELDIRS="/etc/skel /usr/share/skel" #SKELDIRS="/etc/skel /usr/share/skel"
#for I in ${SKELDIRS}; do #for I in ${SKELDIRS}; do
# #
# logtext "Searching skel directory ${I}" # logtext "Searching skel directory ${I}"
# #
# if [ -d ${I} ]; then # if [ -d ${I} ]; then


@ -49,7 +49,7 @@
logtext "Result: Found match on runlevel5/graphical" logtext "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
report "linux_default_runlevel=5" report "linux_default_runlevel=5"
else else
logtext "Result: No match found on runlevel, defaulting to runlevel 3" logtext "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
report "linux_default_runlevel=3" report "linux_default_runlevel=3"
@ -376,7 +376,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking presence /etc/security/limits.conf" logtext "Test: Checking presence /etc/security/limits.conf"
if [ -f /etc/security/limits.conf ]; then if [ -f /etc/security/limits.conf ]; then
logtext "Result: file /etc/security/limits.conf exists" logtext "Result: file /etc/security/limits.conf exists"
logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf" logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'` FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'`
FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'` FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'`
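
Review bot: Both awk filters (FIND1 and FIND2) report core dumps as enabled only when the fourth field of the limits.conf entry is exactly "1", yet any non-zero core limit, unlimited included, allows core files to be written. A line such as "* soft core unlimited" produces no output here. Test for a value other than 0 instead of equality with 1, and drop the cat in front of the grep chain while there.
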
@ -438,7 +438,7 @@
FILE="/var/run/reboot-required.pkgs" FILE="/var/run/reboot-required.pkgs"
logtext "Test: Checking presence ${FILE}" logtext "Test: Checking presence ${FILE}"
if [ -f ${FILE} ]; then if [ -f ${FILE} ]; then
logtext "Result: file ${FILE} exists" logtext "Result: file ${FILE} exists"
FIND=`cat ${FILE}` FIND=`cat ${FILE}`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: No reboot needed (file empty)" logtext "Result: No reboot needed (file empty)"


@ -71,7 +71,7 @@
elif [ ${FIND} -eq 1 ]; then elif [ ${FIND} -eq 1 ]; then
logtext "Result: AppArmor is disabled" logtext "Result: AppArmor is disabled"
Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW
else else
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected" ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected"
fi fi
@ -119,7 +119,7 @@
Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN
else else
logtext "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})." logtext "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED
fi fi
Display --indent 8 --text "Current SELinux mode: ${FIND}" Display --indent 8 --text "Current SELinux mode: ${FIND}"


@ -47,7 +47,7 @@
################################################################################# #################################################################################
# #
# Test : MALW-3276 # Test : MALW-3276
# Description : Check for installed tool (Rootkit Hunter) # Description : Check for installed tool (Rootkit Hunter)
Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter" Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence Rootkit Hunter" logtext "Test: checking presence Rootkit Hunter"


@ -64,7 +64,7 @@
# #
# Test : PROC-3612 # Test : PROC-3612
# Description : Searching for dead and zombie processes # Description : Searching for dead and zombie processes
# Notes : Don't perform test on Solaris # Notes : Don't perform test on Solaris
if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dead or zombie processes" Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dead or zombie processes"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then


@ -94,7 +94,7 @@
# Check amount of search domains (max 1) # Check amount of search domains (max 1)
FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '` FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '`
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration" ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else else
@ -566,7 +566,7 @@
fi fi
fi fi
# Check if we found any NIS domain # Check if we found any NIS domain
if [ ! "${NISDOMAIN}" = "" ]; then if [ ! "${NISDOMAIN}" = "" ]; then
logtext "Found NIS domain: ${NISDOMAIN}" logtext "Found NIS domain: ${NISDOMAIN}"
report "nisdomain=${NISDOMAIN}" report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN


@ -860,7 +860,7 @@
SCAN_PERFORMED=0 SCAN_PERFORMED=0
# Update portage. # Update portage.
# Multiple ways to do this. Some require extra packages to be installed, # Multiple ways to do this. Some require extra packages to be installed,
# others require potential firewall ports to be open, outbound. This is the # others require potential firewall ports to be open, outbound. This is the
# "most friendly" way. # "most friendly" way.
logtext "Action: updating portage with emerge-webrsync" logtext "Action: updating portage with emerge-webrsync"
/usr/bin/emerge-webrsync --quiet 2> /dev/null /usr/bin/emerge-webrsync --quiet 2> /dev/null
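
Review bot: The /usr/bin/emerge-webrsync call sends stderr to /dev/null and nothing in the visible lines checks its exit status, so a failed sync (for instance the blocked outbound port the comment above it anticipates) is silent while the log still records "Action: updating portage". Capture the exit code and write a logtext entry on failure, so that a scan against a stale portage tree is visible in lynis.log.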


@ -59,7 +59,7 @@
# #
# Test : STRG-1906 # Test : STRG-1906
# Description : Check nfs protocols (TCP/UDP) and port in rpcinfo # Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc" Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking NFS registered protocols" logtext "Test: Checking NFS registered protocols"
@ -114,7 +114,7 @@
# Description : Check NFS exports # Description : Check NFS exports
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports" Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/exports" logtext "Test: check /etc/exports"
if [ -f /etc/exports ]; then if [ -f /etc/exports ]; then
logtext "Result: /etc/exports exists" logtext "Result: /etc/exports exists"
@ -139,7 +139,7 @@
# #
# Test : STRG-1928 # Test : STRG-1928
# Description : Check for empty exports file while NFS is running # Description : Check for empty exports file while NFS is running
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports" Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then


@ -194,9 +194,9 @@
# # Configuration specific tests # # Configuration specific tests
# SERVERTOKENSFOUND=0 # SERVERTOKENSFOUND=0
# APACHE_CONFIGFILES="${APACHE_CONFIGFILE} /usr/local/etc/apache22/extra/httpd-default.conf /etc/apache2/sysconfig.d/global.conf" # APACHE_CONFIGFILES="${APACHE_CONFIGFILE} /usr/local/etc/apache22/extra/httpd-default.conf /etc/apache2/sysconfig.d/global.conf"
# #
# for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do # for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do
# if [ -f ${APACHE_CONFIGFILE} ]; then # if [ -f ${APACHE_CONFIGFILE} ]; then
# # Check if option ServerTokens is configured # # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'` # SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'`
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then # if [ ! "${SERVERTOKENSTEST}" = "" ]; then
@ -215,17 +215,17 @@
# else # else
# Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE # Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE
# fi # fi
# #
# else # else
# # File does not exist, skipping # # File does not exist, skipping
# logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file" # logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file"
# fi # fi
# done # done
# #
# # Display results from checks # # Display results from checks
# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then # if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
# Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN # Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN
# else # else
# Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED # Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template" # ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template"
# fi # fi
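
Review bot: Every line in this hunk and in the one before it is commented-out code (the ServerTokens check against APACHE_CONFIGFILES), so the whitespace cleanup is being spent on a disabled test. Either delete the block and rely on version control to recover it, or re-enable it under a registered test ID; leaving it commented means the ReportWarning for a deviating ServerTokens value never fires.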

2
lynis

@ -488,7 +488,7 @@
echo " Program version: ${PROGRAM_version}" echo " Program version: ${PROGRAM_version}"
echo " Operating system: ${OS}" echo " Operating system: ${OS}"
echo " Operating system name: ${OS_NAME}" echo " Operating system name: ${OS_NAME}"
echo " Operating system version: ${OS_VERSION}" echo " Operating system version: ${OS_VERSION}"
if [ ! "${OS_MODE}" = "" ]; then echo " Operating system mode: ${OS_MODE}"; fi if [ ! "${OS_MODE}" = "" ]; then echo " Operating system mode: ${OS_MODE}"; fi
echo " Kernel version: ${OS_KERNELVERSION}" echo " Kernel version: ${OS_KERNELVERSION}"
echo " Hardware platform: ${HARDWARE}" echo " Hardware platform: ${HARDWARE}"