Copyright line changes and cleanups

mboelen 2015-07-22 16:28:11 +02:00
parent 1775590ba7
commit 66fb369593
18 changed files with 60 additions and 378 deletions


@ -389,7 +389,6 @@
if [ ${FOUND} -eq 1 ]; then
logtext "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
# YYY add more tests to audit sudoers file
else
logtext "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
@ -590,7 +589,6 @@
else
logtext "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
# YYY display message when ldap is enabled in /etc/passwd, but not found in PAM
fi
else
logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
@ -673,7 +671,6 @@
logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
# YYY check if LDAP is used with password policies
logtext "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
@ -690,7 +687,7 @@
#
# Test : AUTH-9304
# Description : Check if single user mode login is properly configured in Solaris
# Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY)
# Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists (Solaris 10 does not have this file by default)
@ -791,7 +788,6 @@
AddHP 2 2
fi
else
# YYY
logtext "Result: No inittab or init file found, unsure if system is protected"
fi
fi
@ -1070,7 +1066,6 @@
Display --indent 6 --text "LDAP server: ${I}"
logtext "Result: found LDAP server ${I}"
report "ldap_server[]=${I}"
# YYY check if host(s) are reachable/respond to queries
done
else
logtext "Result: ${I} does NOT exist"
@ -1079,38 +1074,6 @@
fi
#
#################################################################################
#
# Test : AUTH-92xx
# Description : login.access checks
#Register --test-no AUTH-92xx --weight L --network NO --description "login.access checks"
#
#################################################################################
#
# pam_unix.so
# pam_cracklib.so
# pam_pwcheck.so
# pam_env.so
# pam_xauth.so
# pam_tally.so
# pam_wheel.so
# pam_limits.so
# pam_nologin.so
# pam_deny.so
# pam_securetty.so
# pam_time.so
# pam_access.so
# pam_listfile.so
# pam_lastlog.so
# pam_warn.so
# pam_console.so
# pam_resmgr.so
# pam_devperm.so
#
#################################################################################
#
# sudoers: Check for potential harmful commands like vi, echo, cat
#
#################################################################################
#
report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
@ -1123,4 +1086,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -221,29 +221,9 @@
#
#################################################################################
#
# /etc/dt/config/*/Xresources
# /etc/default/telnetd (telnet without TCP wrappers)
# /etc/default/ftpd (ftp without TCP wrappers)
# /etc/ftpd/banner.msg (ftp without TCP wrappers on Solaris)
# /etc/ftpaccess (HP-UX)
# /etc/ftpmotd (AIX)
# /etc/ftpaccess.ctl (AIX)
# /etc/security/login.cfg (AIX)
# /etc/X11/xdm/Xresources
# /etc/X11/xdm/kdmrc
# /etc/X11/gdm/gdm
# /etc/vsftpd.conf
#
#################################################################################
#
wait_for_keypress
#
#################################################################################
#
# Notes:
# HPUX: /etc/copyright
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -144,9 +144,6 @@
GRUBCONFFILE="/boot/grub2/grub.cfg"
fi
logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
# YYY password check, when documentation of GRUB2 project is improved
# YYY Add check permission check (600)
fi
# Some OSes like Gentoo do not have /boot mounted by default
@ -263,7 +260,6 @@
logtext "Result: LILO password option set"
AddHP 4 4
fi
#YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
else
logtext "Result: can not read ${LILOCONFFILE} (no permission)"
fi
@ -318,7 +314,6 @@
if [ -f /etc/yaboot.conf ]; then
logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
#YYY add permission check
BOOT_LOADER="YABOOT"
BOOT_LOADER_FOUND=1
else
@ -397,11 +392,6 @@
fi
#
#################################################################################
#
# Test : BOOT-5166
# Description : Check for /etc/rc.local file (and contents)
#
#################################################################################
#
# Test : BOOT-5177
# Description : Check for Linux boot services (systemd and chkconfig)
@ -467,48 +457,13 @@
fi
#
#################################################################################
#
# Test : BOOT-5178
# Description : Check for Linux boot services (Red Hat style)
# if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no BOOT-5178 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for unneeded Linux boot services (Red Hat style)"
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# N=`expr ${N} + 1`
#* mctrans (if selinux is NOT enabled)
#* restorecond (if selinux is NOT enabled) --> and is it really needed?
#
# if profile is server, warn if found:
#* pcscd (if profile=server)
#* avahi-daemon
# Redhat: /etc/sysconfig/network
# check if NOZEROCONF=yes is available
#
#* xfs (if /usr/bin/startx is not found)
#
#if [ ! -f /etc/mdadm.conf -a ! -f /etc/mdadm/mdadm.conf ]; then
#* mdmonitor
#
#
#* firstboot
# Display warning if [ ! -f /etc/reconfigSys ]
# AND "RUN_FIRSTBOOT=YES" is NOT in /etc/sysconfig/firstboot
#
#* acpid
# Display warning if no modules are loaded (lsmod | grep -i acpi)
#
#
# fi
#
#################################################################################
#
# Test : BOOT-5180
# Description : Check for Linux boot services (Debian style)
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
if [ ${SKIPTEST} -eq 0 ]; then
# YYY runlevel check
# Runlevel check
sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"`
if [ ! "${sRUNLEVEL}" = "" ]; then
FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
@ -609,16 +564,6 @@
fi
#
#################################################################################
#
# Add autostart services, like from KDE/Gnome
# Test : BOOT-5102
# Description : Check for tasks which are autostarted via /etc/inittab
#Register --test-no BOOT-5102 --weight L --network NO --description "Check inittab for services"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#YYY check against static list?
#
#################################################################################
#
# Test : BOOT-5202
# Description : Check uptime of system
@ -721,7 +666,6 @@
#################################################################################
#
report "boot_loader=${BOOT_LOADER}"
report "service_manager=${SERVICE_MANAGER}"


@ -159,7 +159,6 @@
#################################################################################
#
wait_for_keypress
#


@ -50,7 +50,6 @@
FOUNDPROBLEM=1
logtext "Result: certificate ${J} has been expired"
report "expired_certificate[]=${J}|unknown entity|"
#YYY Dump more information to log file
fi
else
logtext "Result: can not read file ${J} (no permission)"


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -37,7 +37,6 @@
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
#YYY perform manual check
INETD_ACTIVE=1
else
logtext "Result: inetd is NOT running"
@ -61,8 +60,6 @@
logtext "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
fi
# YYY immutable bit could be set
# YYY permission check (already set in profile)
fi
#
#################################################################################
@ -106,15 +103,9 @@
#
#################################################################################
#
# Check telnet in /etc/xinetd.conf
# Check telnet in /etc/xinetd/*
# Check running telnet daemon (telnetd)
# rshd rlogin rexec
# /etc/hosts.equiv
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -276,10 +276,6 @@
fi
#
#################################################################################
#
# YYY Check for kernel options
#
#################################################################################
#
# Test : KRNL-5745
# Description : Checking FreeBSD loaded kernel modules


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -66,4 +66,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -101,4 +101,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -36,7 +36,6 @@
# Test : LOGG-2130
# Description : Check for a running syslog daemon
# Notes : Log which syslog daemon is found YYY
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a logging daemon"
@ -476,12 +475,6 @@
#
#################################################################################
#
#
# Rsyslogd checks
#
#
#################################################################################
#
report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
report "log_rotation_tool=${LOGROTATE_TOOL}"


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -48,11 +48,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${AASTATUSBINARY}" = "" ]; then
# Checking AppArmor status
#0 if apparmor is enabled and policy is loaded.
#1 if apparmor is not enabled/loaded.
#2 if apparmor is enabled but no policy is loaded.
#3 if control files are not available
#4 if apparmor status can't be read
# 0 if apparmor is enabled and policy is loaded.
# 1 if apparmor is not enabled/loaded.
# 2 if apparmor is enabled but no policy is loaded.
# 3 if control files are not available
# 4 if apparmor status can't be read
FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1
@ -187,14 +187,6 @@ report "framework_selinux=${SELINUXFOUND}"
wait_for_keypress
# To implement:
# FMAC (OpenSolaris, MAC)
# LSM (Linux Security Modules)
# TrustedBSD (MAC)
# RSBAC (RBAC)
# Apple sandbox technology
# PAX
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -50,29 +50,6 @@
fi
#
#################################################################################
#
# Test : MAIL-8804
# Description : Check Exim configuration
#if [ ${EXIM_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ ! "${EXIMBINARY}" = "" ]; then
# logtext "Test: Searching Exim configuration file"
# FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'`
# if [ ! "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking Exim configuration" --result FOUND --color GREEN
# Display --indent 4 --text "Result: configuration file is ${FIND}"
# logtext "Result: found Exim"
# logtext "Result: configuration file is ${FIND}"
# else
# Display --indent 2 --text "- Checking Exim configuration" --result WARNING --color RED
# logtext "Couldn't find the Exim configuration file, however Exim seems to be installed."
# fi
# else
# logtext "Exim binary not found, no tests performed"
# fi
#
#################################################################################
#
# Test : MAIL-8814
# Description : Check Postfix process
@ -161,26 +138,6 @@
fi
#
#################################################################################
#
# Test : MAIL-8842
# Description : Check Dovecot logging locations
#Register --test-no MAIL-8842 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot logging locations"
#if [ ${SKIPTEST} -eq 0 ]; then
# ParseDovecot
# CONF="/etc/dovecot/dovecot.conf"
# FIND=`cat ${CONF} | grep "^log_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
# if [ ! "${FIND}" = "" ]; then
# logtext "Result: output for error messages = ${FIND}"
# fi
#
# FIND=`cat ${CONF} | grep "^log_info_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
# if [ ! "${FIND}" = "" ]; then
# logtext "Result: output for informational messages = ${FIND}"
# fi
#
# fi
#
#################################################################################
#
# Test : MAIL-8860
# Description : Check Qmail process status
@ -239,23 +196,6 @@
fi
#
#################################################################################
#
# Test : MAIL-xxxx
# Description : Check if outgoing mail is obscured (increased privacy)
#Register --test-no MAIL-xxxx --weight L --network NO --description "Check XXX"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
#YYY Add support for mail, procmail
#YYY Add support for MUAs: Thunderbird, Kmail, Evolution
# Other software : Cyrus-IMAP, Amavisd-new, SpamAssassin, Fetchmail, Procmail, maildrop
#- Dovecot : \'/usr/local/etc/dovecot.conf\'
#- For Sendmail : \'/var/mail/sendmail.cf\'
#- Fetchmail : \'~/.fetchmailrc\' (not only root)
#- Cyrus-IMAP : \'/usr/local/etc/imapd.conf\' for parameters and \'/usr/local/etc/cyrus.conf\' for the services launched
#
#################################################################################
#
report "imap_daemon=${IMAP_DAEMON}"
@ -267,4 +207,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
# Web site: http://cisofy.com
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -166,26 +166,20 @@
#
#################################################################################
#
# Test : MALW-3288
# Description : Check for ClamXav (Mac OS X)
#
#################################################################################
#
Register --test-no MALW-3288 --weight L --network NO --description "Check for ClamXav"
# Test : MALW-3288
# Description : Check for ClamXav (Mac OS X)
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
if [ ! "${CLAMSCANBINARY}" = "" ]; then
logtext "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
MALWARE_SCANNER_INSTALLED=1
AddHP 3 3
else
logtext "Result: ClamXav malware scanner not found"
AddHP 0 3
fi
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
if [ ! "${CLAMSCANBINARY}" = "" ]; then
logtext "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
MALWARE_SCANNER_INSTALLED=1
AddHP 3 3
else
logtext "Result: could not find ClamXav location"
logtext "Result: ClamXav malware scanner not found"
AddHP 0 3
fi
fi
#
@ -196,12 +190,6 @@
#
#################################################################################
#
#################################################################################
#
# Other projects: maldetect (rfxn)
#
#################################################################################
#
report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
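Review bot: In the MALW-3288 block of the first hunk, `MALWARE_SCANNER_INSTALLED=1` and `AddHP 3 3` are granted on a substring match in `ls` output, so any entry in the ScanningEngine/bin directory whose name contains `clamscan` (a backup copy, a non-executable file, a sub-directory) is counted as an installed scanner. Testing the binary itself is tighter and avoids parsing `ls`: `if [ -x /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan ]; then`, assuming the scanner file is named exactly `clamscan`. `CLAMSCANBINARY` may be read outside the hunk, so it should still be assigned if other tests rely on it. The directory path is now written out in both the prerequisite test and the `ls` call; holding it in one variable would keep the two in step.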


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -110,23 +110,10 @@
fi
#
#################################################################################
#
# Ubuntu test: dead processes
# who -d
#
#################################################################################
#
# Test : PROC-3624
# Description : Check shared memory (ipcs -m)
# Notes : if it's empty, check /dev/shm and warn if any files are left behind
#Register --test-no PROC-3614 --os Linux --weight L --network NO --description "Check shared memory"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -233,7 +233,6 @@
else
logtext "Result: nscd is not running"
Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
#YYY show performance suggestion if LDAP is used
fi
fi
#
@ -263,7 +262,6 @@
Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search BIND configuration file"
#YYY add chrooted environments
for I in ${BIND_CONFIG_LOCS}; do
if [ -f ${I}/named.conf ]; then
BIND_CONFIG_LOCATION="${I}/named.conf"
@ -377,7 +375,6 @@
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search PowerDNS configuration file"
#YYY add chrooted environments
for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
@ -609,4 +606,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -29,7 +29,7 @@
#
#################################################################################
#
# Test : NETW-2704 (YYY move to nameservices section)
# Test : NETW-2704
# Description : Basic nameserver configuration tests (connectivity)
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then
@ -44,7 +44,7 @@
for I in ${FIND}; do
logtext "Found nameserver: ${I}"
report "nameserver[]=${I}"
# Check if a local resolver is available (like DNSMasq)
# Check if a local resolver is available (like DNSMasq)
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
fi
@ -200,7 +200,7 @@
case ${OS} in
AIX)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
# IPv6 support in AIX? (YYY)
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
DragonFly|FreeBSD|NetBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
@ -473,8 +473,6 @@
IsRunning dhclient
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
#YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
#report "manual[]=System is running DHCP client"
DHCP_CLIENT_RUNNING=1
else
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
@ -482,20 +480,6 @@
fi
#
#################################################################################
#
# Test : NETW-3060
# Description : Check if IPv6 is configured AND used
# /etc/modprobe.d (add 'install ipv6 /bin/true' if IPv6 isn't used)
# or
# aliased (/etc/modprobe.d/aliases?): alias net-pf-10 off ipv6 (to disable)
#Register --test-no NETW-3060 --weight L --network NO --description "Checking IPv6 connectivity"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Linux: net.ipv4.ip_always_defrag
#
#################################################################################
#
report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
@ -503,4 +487,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
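Review bot: The AIX branch in the `@ -200,7 +200,7 @@` hunk now fills `FIND2` from the `inet6` lines of `ifconfig -a`, a behaviour change that the commit title (copyright lines and cleanups) does not mention. It appears to replace the comment `# IPv6 support in AIX? (YYY)`, which marked this as an open question. If AIX prints a zone or prefix-length suffix in that field, `$2` is passed on with it; how `FIND2` is consumed is outside the hunk, so this is worth confirming on an AIX host. I would keep a note above the assignment, for example `# inet6 parsing on AIX is unverified; $2 may carry a %zone or /prefixlen suffix`, and mention the new detection in the commit message. The `case` statement starts and ends outside the hunk.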


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -252,37 +252,13 @@
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
fi
#
#################################################################################
#
# Disable/use functions:
# safe_mode (only for PHP5?)
# open_basedir (limits access to defined directory, comparable with chrooting)
# disable_classes
# session.save_path
# session.referer_check
# upload_tmp_dir
# file_uploads Off, if possible
# Set display_errors to Off
# Set log_errors to On and define error_log (with value Syslog or a filename)
#
#################################################################################
#
# mod_suexec
# suPHP (/etc/suphp.conf)
#
#################################################################################
#
# Test : PHP-2388
# Description : Check php version number
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -78,35 +78,6 @@
fi
#
#################################################################################
#
# Temporary disabled due false positives
# Packages like docbook, gcc, automake report multiple installed versions
# # Test : PKGS-7303
# # Description : Query FreeBSD pkg_info
# if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD for double installed packages"
# if [ ${SKIPTEST} -eq 0 ]; then
# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
# if [ "${SDOUBLEINSTALLED}" = "" ]; then
# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result OK --color GREEN
# logtext "Ok, no packages show up twice or more in the package listing."
# else
# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result WARNING --color RED
# for J in ${SDOUBLEINSTALLED}; do
# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
# logtext "This package ${J} is visible twice or more in the pkg_info listing."
# ReportSuggestion ${TEST_NO} "(FreeBSD) run pkgdb -F and check this manually."
# ReportSuggestion ${TEST_NO} "(OpenBSD) check dependencies to see if one of the double "
# logtext "installed packages is unneeded."
# report "double_installed_package[]=${J}"
# done
# fi
# else
# Display --indent 4 --text "- Searching pkg_info" --result "NOT FOUND" --color WHITE
# logtext "Result: pkg_info can NOT be found on this system"
# fi
#
#################################################################################
#
# Test : PKGS-7304
# Description : Gentoo packages
@ -152,7 +123,6 @@
logtext "Result: pkginfo can NOT be found on this system"
fi
#
#
#################################################################################
#
# Test : PKGS-7308
@ -202,7 +172,6 @@
if [ "${SPACKAGES}" = "" ]; then
logtext "Result: pacman binary available, but package list seems to be empty"
logtext "Info: looks like the pacman binary is installed, but not used for package installation"
#YYY ReportException?
else
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
@ -380,7 +349,7 @@
fi
#
#################################################################################
#
# Test : PKGS-7348
# Description : Show unneeded distfiles if present
# Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
@ -540,7 +509,6 @@
if [ "${FIND}" = "" ]; then
logtext "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
# Don't check yet, output of found vulnerable packages unclear (YYY)
else
logtext "Result: ${FIND}"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
@ -1014,21 +982,6 @@
fi
#
#################################################################################
#
# Test : PKGS-7414
# Description : Check installonly_limit in yum.conf
#
#################################################################################
#
# Test : PKGS-7416
# Description : Check for popularity-contest (Debian/Ubuntu)
#
#################################################################################
#
# Test : PKGS-7418
# Description : Check for yum-changelog
#
#################################################################################
#
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
@ -1043,4 +996,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com