mirror of https://github.com/CISOfy/lynis.git
Copyright line changes and cleanups
parent
1775590ba7
commit
66fb369593
|
@ -389,7 +389,6 @@
|
||||||
if [ ${FOUND} -eq 1 ]; then
|
if [ ${FOUND} -eq 1 ]; then
|
||||||
logtext "Result: sudoers file found (${SUDOERS_FILE})"
|
logtext "Result: sudoers file found (${SUDOERS_FILE})"
|
||||||
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
|
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
|
||||||
# YYY add more tests to audit sudoers file
|
|
||||||
else
|
else
|
||||||
logtext "Result: sudoers file NOT found"
|
logtext "Result: sudoers file NOT found"
|
||||||
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
|
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
|
||||||
|
@ -590,7 +589,6 @@
|
||||||
else
|
else
|
||||||
logtext "Result: LDAP module not found"
|
logtext "Result: LDAP module not found"
|
||||||
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
|
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
|
||||||
# YYY display message when ldap is enabled in /etc/passwd, but not found in PAM
|
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
|
logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
|
||||||
|
@ -673,7 +671,6 @@
|
||||||
logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
|
logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
|
||||||
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
|
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
|
||||||
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
|
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
|
||||||
# YYY check if LDAP is used with password policies
|
|
||||||
logtext "Result: password aging limits are not configured"
|
logtext "Result: password aging limits are not configured"
|
||||||
Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
|
Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
|
||||||
ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
|
ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
|
||||||
|
@ -690,7 +687,7 @@
|
||||||
#
|
#
|
||||||
# Test : AUTH-9304
|
# Test : AUTH-9304
|
||||||
# Description : Check if single user mode login is properly configured in Solaris
|
# Description : Check if single user mode login is properly configured in Solaris
|
||||||
# Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY)
|
# Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d
|
||||||
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration"
|
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
# Check if file exists (Solaris 10 does not have this file by default)
|
# Check if file exists (Solaris 10 does not have this file by default)
|
||||||
|
@ -791,7 +788,6 @@
|
||||||
AddHP 2 2
|
AddHP 2 2
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
# YYY
|
|
||||||
logtext "Result: No inittab or init file found, unsure if system is protected"
|
logtext "Result: No inittab or init file found, unsure if system is protected"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -1070,7 +1066,6 @@
|
||||||
Display --indent 6 --text "LDAP server: ${I}"
|
Display --indent 6 --text "LDAP server: ${I}"
|
||||||
logtext "Result: found LDAP server ${I}"
|
logtext "Result: found LDAP server ${I}"
|
||||||
report "ldap_server[]=${I}"
|
report "ldap_server[]=${I}"
|
||||||
# YYY check if host(s) are reachable/respond to queries
|
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
logtext "Result: ${I} does NOT exist"
|
logtext "Result: ${I} does NOT exist"
|
||||||
|
@ -1079,38 +1074,6 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# Test : AUTH-92xx
|
|
||||||
# Description : login.access checks
|
|
||||||
#Register --test-no AUTH-92xx --weight L --network NO --description "login.access checks"
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# pam_unix.so
|
|
||||||
# pam_cracklib.so
|
|
||||||
# pam_pwcheck.so
|
|
||||||
# pam_env.so
|
|
||||||
# pam_xauth.so
|
|
||||||
# pam_tally.so
|
|
||||||
# pam_wheel.so
|
|
||||||
# pam_limits.so
|
|
||||||
# pam_nologin.so
|
|
||||||
# pam_deny.so
|
|
||||||
# pam_securetty.so
|
|
||||||
# pam_time.so
|
|
||||||
# pam_access.so
|
|
||||||
# pam_listfile.so
|
|
||||||
# pam_lastlog.so
|
|
||||||
# pam_warn.so
|
|
||||||
# pam_console.so
|
|
||||||
# pam_resmgr.so
|
|
||||||
# pam_devperm.so
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# sudoers: Check for potential harmful commands like vi, echo, cat
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
|
|
||||||
report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
|
report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
|
||||||
|
@ -1123,4 +1086,4 @@ wait_for_keypress
|
||||||
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
||||||
|
|
|
@ -221,29 +221,9 @@
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# /etc/dt/config/*/Xresources
|
|
||||||
# /etc/default/telnetd (telnet without TCP wrappers)
|
|
||||||
# /etc/default/ftpd (ftp without TCP wrappers)
|
|
||||||
# /etc/ftpd/banner.msg (ftp without TCP wrappers on Solaris)
|
|
||||||
# /etc/ftpaccess (HP-UX)
|
|
||||||
# /etc/ftpmotd (AIX)
|
|
||||||
# /etc/ftpaccess.ctl (AIX)
|
|
||||||
# /etc/security/login.cfg (AIX)
|
|
||||||
# /etc/X11/xdm/Xresources
|
|
||||||
# /etc/X11/xdm/kdmrc
|
|
||||||
# /etc/X11/gdm/gdm
|
|
||||||
# /etc/vsftpd.conf
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
|
|
||||||
wait_for_keypress
|
wait_for_keypress
|
||||||
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# Notes:
|
|
||||||
# HPUX: /etc/copyright
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
||||||
|
|
|
@ -144,9 +144,6 @@
|
||||||
GRUBCONFFILE="/boot/grub2/grub.cfg"
|
GRUBCONFFILE="/boot/grub2/grub.cfg"
|
||||||
fi
|
fi
|
||||||
logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
|
logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
|
||||||
# YYY password check, when documentation of GRUB2 project is improved
|
|
||||||
# YYY Add check permission check (600)
|
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Some OSes like Gentoo do not have /boot mounted by default
|
# Some OSes like Gentoo do not have /boot mounted by default
|
||||||
|
@ -263,7 +260,6 @@
|
||||||
logtext "Result: LILO password option set"
|
logtext "Result: LILO password option set"
|
||||||
AddHP 4 4
|
AddHP 4 4
|
||||||
fi
|
fi
|
||||||
#YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
|
|
||||||
else
|
else
|
||||||
logtext "Result: can not read ${LILOCONFFILE} (no permission)"
|
logtext "Result: can not read ${LILOCONFFILE} (no permission)"
|
||||||
fi
|
fi
|
||||||
|
@ -318,7 +314,6 @@
|
||||||
if [ -f /etc/yaboot.conf ]; then
|
if [ -f /etc/yaboot.conf ]; then
|
||||||
logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
|
logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
|
||||||
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
|
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
|
||||||
#YYY add permission check
|
|
||||||
BOOT_LOADER="YABOOT"
|
BOOT_LOADER="YABOOT"
|
||||||
BOOT_LOADER_FOUND=1
|
BOOT_LOADER_FOUND=1
|
||||||
else
|
else
|
||||||
|
@ -397,11 +392,6 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# Test : BOOT-5166
|
|
||||||
# Description : Check for /etc/rc.local file (and contents)
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
# Test : BOOT-5177
|
# Test : BOOT-5177
|
||||||
# Description : Check for Linux boot services (systemd and chkconfig)
|
# Description : Check for Linux boot services (systemd and chkconfig)
|
||||||
|
@ -467,48 +457,13 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# Test : BOOT-5178
|
|
||||||
# Description : Check for Linux boot services (Red Hat style)
|
|
||||||
# if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
||||||
# Register --test-no BOOT-5178 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for unneeded Linux boot services (Red Hat style)"
|
|
||||||
# if [ ${SKIPTEST} -eq 0 ]; then
|
|
||||||
# N=0
|
|
||||||
# N=`expr ${N} + 1`
|
|
||||||
|
|
||||||
#* mctrans (if selinux is NOT enabled)
|
|
||||||
#* restorecond (if selinux is NOT enabled) --> and is it really needed?
|
|
||||||
#
|
|
||||||
# if profile is server, warn if found:
|
|
||||||
#* pcscd (if profile=server)
|
|
||||||
#* avahi-daemon
|
|
||||||
# Redhat: /etc/sysconfig/network
|
|
||||||
# check if NOZEROCONF=yes is available
|
|
||||||
#
|
|
||||||
#* xfs (if /usr/bin/startx is not found)
|
|
||||||
#
|
|
||||||
#if [ ! -f /etc/mdadm.conf -a ! -f /etc/mdadm/mdadm.conf ]; then
|
|
||||||
#* mdmonitor
|
|
||||||
#
|
|
||||||
#
|
|
||||||
#* firstboot
|
|
||||||
# Display warning if [ ! -f /etc/reconfigSys ]
|
|
||||||
# AND "RUN_FIRSTBOOT=YES" is NOT in /etc/sysconfig/firstboot
|
|
||||||
#
|
|
||||||
#* acpid
|
|
||||||
# Display warning if no modules are loaded (lsmod | grep -i acpi)
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# fi
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
# Test : BOOT-5180
|
# Test : BOOT-5180
|
||||||
# Description : Check for Linux boot services (Debian style)
|
# Description : Check for Linux boot services (Debian style)
|
||||||
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
|
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
# YYY runlevel check
|
# Runlevel check
|
||||||
sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"`
|
sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"`
|
||||||
if [ ! "${sRUNLEVEL}" = "" ]; then
|
if [ ! "${sRUNLEVEL}" = "" ]; then
|
||||||
FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
|
FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
|
||||||
|
@ -609,16 +564,6 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# Add autostart services, like from KDE/Gnome
|
|
||||||
# Test : BOOT-5102
|
|
||||||
# Description : Check for tasks which are autostarted via /etc/inittab
|
|
||||||
#Register --test-no BOOT-5102 --weight L --network NO --description "Check inittab for services"
|
|
||||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
|
||||||
#fi
|
|
||||||
#YYY check against static list?
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
# Test : BOOT-5202
|
# Test : BOOT-5202
|
||||||
# Description : Check uptime of system
|
# Description : Check uptime of system
|
||||||
|
@ -721,7 +666,6 @@
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
report "boot_loader=${BOOT_LOADER}"
|
report "boot_loader=${BOOT_LOADER}"
|
||||||
report "service_manager=${SERVICE_MANAGER}"
|
report "service_manager=${SERVICE_MANAGER}"
|
||||||
|
|
||||||
|
|
|
@ -159,7 +159,6 @@
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
wait_for_keypress
|
wait_for_keypress
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
|
@ -50,7 +50,6 @@
|
||||||
FOUNDPROBLEM=1
|
FOUNDPROBLEM=1
|
||||||
logtext "Result: certificate ${J} has been expired"
|
logtext "Result: certificate ${J} has been expired"
|
||||||
report "expired_certificate[]=${J}|unknown entity|"
|
report "expired_certificate[]=${J}|unknown entity|"
|
||||||
#YYY Dump more information to log file
|
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
logtext "Result: can not read file ${J} (no permission)"
|
logtext "Result: can not read file ${J} (no permission)"
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -37,7 +37,6 @@
|
||||||
if [ ${RUNNING} -eq 1 ]; then
|
if [ ${RUNNING} -eq 1 ]; then
|
||||||
logtext "Result: inetd is running"
|
logtext "Result: inetd is running"
|
||||||
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
|
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
|
||||||
#YYY perform manual check
|
|
||||||
INETD_ACTIVE=1
|
INETD_ACTIVE=1
|
||||||
else
|
else
|
||||||
logtext "Result: inetd is NOT running"
|
logtext "Result: inetd is NOT running"
|
||||||
|
@ -61,8 +60,6 @@
|
||||||
logtext "Result: ${INETD_CONFIG_FILE} does not exist"
|
logtext "Result: ${INETD_CONFIG_FILE} does not exist"
|
||||||
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
|
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
|
||||||
fi
|
fi
|
||||||
# YYY immutable bit could be set
|
|
||||||
# YYY permission check (already set in profile)
|
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
@ -106,15 +103,9 @@
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Check telnet in /etc/xinetd.conf
|
|
||||||
# Check telnet in /etc/xinetd/*
|
|
||||||
# Check running telnet daemon (telnetd)
|
|
||||||
# rshd rlogin rexec
|
|
||||||
# /etc/hosts.equiv
|
|
||||||
|
|
||||||
|
|
||||||
wait_for_keypress
|
wait_for_keypress
|
||||||
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -276,10 +276,6 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# YYY Check for kernel options
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
# Test : KRNL-5745
|
# Test : KRNL-5745
|
||||||
# Description : Checking FreeBSD loaded kernel modules
|
# Description : Checking FreeBSD loaded kernel modules
|
||||||
|
|
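Review bot: The new header line in this file reads `# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)`, without the `CISOfy` holder that most other headers changed in this commit carry. Two later file sections have the same shorter form: the one whose footer hunk is `@ -66,4 +66,4 @@` and the one that contains MAIL-8814. If the intent of this cleanup is a single copyright line across the tree, use `# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)` in all three.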
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -66,4 +66,4 @@ wait_for_keypress
|
||||||
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -101,4 +101,4 @@ wait_for_keypress
|
||||||
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -36,7 +36,6 @@
|
||||||
|
|
||||||
# Test : LOGG-2130
|
# Test : LOGG-2130
|
||||||
# Description : Check for a running syslog daemon
|
# Description : Check for a running syslog daemon
|
||||||
# Notes : Log which syslog daemon is found YYY
|
|
||||||
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
|
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
logtext "Test: Searching for a logging daemon"
|
logtext "Test: Searching for a logging daemon"
|
||||||
|
@ -476,12 +475,6 @@
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
#
|
|
||||||
# Rsyslogd checks
|
|
||||||
#
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
|
|
||||||
report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
|
report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
|
||||||
report "log_rotation_tool=${LOGROTATE_TOOL}"
|
report "log_rotation_tool=${LOGROTATE_TOOL}"
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -187,14 +187,6 @@ report "framework_selinux=${SELINUXFOUND}"
|
||||||
|
|
||||||
wait_for_keypress
|
wait_for_keypress
|
||||||
|
|
||||||
# To implement:
|
|
||||||
# FMAC (OpenSolaris, MAC)
|
|
||||||
# LSM (Linux Security Modules)
|
|
||||||
# TrustedBSD (MAC)
|
|
||||||
# RSBAC (RBAC)
|
|
||||||
# Apple sandbox technology
|
|
||||||
# PAX
|
|
||||||
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -50,29 +50,6 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# Test : MAIL-8804
|
|
||||||
# Description : Check Exim configuration
|
|
||||||
#if [ ${EXIM_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
||||||
#Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration"
|
|
||||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
|
||||||
# if [ ! "${EXIMBINARY}" = "" ]; then
|
|
||||||
# logtext "Test: Searching Exim configuration file"
|
|
||||||
# FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'`
|
|
||||||
# if [ ! "${FIND}" = "" ]; then
|
|
||||||
# Display --indent 2 --text "- Checking Exim configuration" --result FOUND --color GREEN
|
|
||||||
# Display --indent 4 --text "Result: configuration file is ${FIND}"
|
|
||||||
# logtext "Result: found Exim"
|
|
||||||
# logtext "Result: configuration file is ${FIND}"
|
|
||||||
# else
|
|
||||||
# Display --indent 2 --text "- Checking Exim configuration" --result WARNING --color RED
|
|
||||||
# logtext "Couldn't find the Exim configuration file, however Exim seems to be installed."
|
|
||||||
# fi
|
|
||||||
# else
|
|
||||||
# logtext "Exim binary not found, no tests performed"
|
|
||||||
# fi
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
# Test : MAIL-8814
|
# Test : MAIL-8814
|
||||||
# Description : Check Postfix process
|
# Description : Check Postfix process
|
||||||
|
@ -161,26 +138,6 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# Test : MAIL-8842
|
|
||||||
# Description : Check Dovecot logging locations
|
|
||||||
#Register --test-no MAIL-8842 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot logging locations"
|
|
||||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
|
||||||
# ParseDovecot
|
|
||||||
# CONF="/etc/dovecot/dovecot.conf"
|
|
||||||
# FIND=`cat ${CONF} | grep "^log_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
|
|
||||||
# if [ ! "${FIND}" = "" ]; then
|
|
||||||
# logtext "Result: output for error messages = ${FIND}"
|
|
||||||
# fi
|
|
||||||
#
|
|
||||||
# FIND=`cat ${CONF} | grep "^log_info_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
|
|
||||||
# if [ ! "${FIND}" = "" ]; then
|
|
||||||
# logtext "Result: output for informational messages = ${FIND}"
|
|
||||||
# fi
|
|
||||||
#
|
|
||||||
# fi
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
# Test : MAIL-8860
|
# Test : MAIL-8860
|
||||||
# Description : Check Qmail process status
|
# Description : Check Qmail process status
|
||||||
|
@ -239,23 +196,6 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# Test : MAIL-xxxx
|
|
||||||
# Description : Check if outgoing mail is obscured (increased privacy)
|
|
||||||
#Register --test-no MAIL-xxxx --weight L --network NO --description "Check XXX"
|
|
||||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
#YYY Add support for mail, procmail
|
|
||||||
#YYY Add support for MUAs: Thunderbird, Kmail, Evolution
|
|
||||||
# Other software : Cyrus-IMAP, Amavisd-new, SpamAssassin, Fetchmail, Procmail, maildrop
|
|
||||||
#- Dovecot : \'/usr/local/etc/dovecot.conf\'
|
|
||||||
#- For Sendmail : \'/var/mail/sendmail.cf\'
|
|
||||||
#- Fetchmail : \'~/.fetchmailrc\' (not only root)
|
|
||||||
#- Cyrus-IMAP : \'/usr/local/etc/imapd.conf\' for parameters and \'/usr/local/etc/cyrus.conf\' for the services launched
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
|
|
||||||
report "imap_daemon=${IMAP_DAEMON}"
|
report "imap_daemon=${IMAP_DAEMON}"
|
||||||
|
@ -267,4 +207,4 @@ wait_for_keypress
|
||||||
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
|
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
|
||||||
# Web site: http://cisofy.com
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -168,12 +168,9 @@
|
||||||
#
|
#
|
||||||
# Test : MALW-3288
|
# Test : MALW-3288
|
||||||
# Description : Check for ClamXav (Mac OS X)
|
# Description : Check for ClamXav (Mac OS X)
|
||||||
#
|
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
#################################################################################
|
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for ClamXav"
|
||||||
#
|
|
||||||
Register --test-no MALW-3288 --weight L --network NO --description "Check for ClamXav"
|
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then
|
|
||||||
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
|
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
|
||||||
if [ ! "${CLAMSCANBINARY}" = "" ]; then
|
if [ ! "${CLAMSCANBINARY}" = "" ]; then
|
||||||
logtext "Result: Found ClamXav clamscan installed"
|
logtext "Result: Found ClamXav clamscan installed"
|
||||||
|
@ -184,9 +181,6 @@
|
||||||
logtext "Result: ClamXav malware scanner not found"
|
logtext "Result: ClamXav malware scanner not found"
|
||||||
AddHP 0 3
|
AddHP 0 3
|
||||||
fi
|
fi
|
||||||
else
|
|
||||||
logtext "Result: could not find ClamXav location"
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
@ -196,12 +190,6 @@
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# Other projects: maldetect (rfxn)
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
|
|
||||||
report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
|
report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
|
||||||
|
|
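Review bot: The prerequisite added in the MALW-3288 hunk only tests that the `ScanningEngine/bin/` directory exists, and the body still decides by `ls ... | grep 'clamscan'`, so any leftover file whose name contains that string is logged as an installed scanner. Assuming the binary is named `clamscan`, testing it directly would be tighter: `if [ -x /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. The same section also drops the `could not find ClamXav location` log line. Whether `Register` records an unmet prerequisite is not visible here, so it is worth confirming that the log still says why the test did not run. The body of the test continues outside the hunk.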
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -110,23 +110,10 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# Ubuntu test: dead processes
|
|
||||||
# who -d
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# Test : PROC-3624
|
|
||||||
# Description : Check shared memory (ipcs -m)
|
|
||||||
# Notes : if it's empty, check /dev/shm and warn if any files are left behind
|
|
||||||
#Register --test-no PROC-3614 --os Linux --weight L --network NO --description "Check shared memory"
|
|
||||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
|
|
||||||
wait_for_keypress
|
wait_for_keypress
|
||||||
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -233,7 +233,6 @@
|
||||||
else
|
else
|
||||||
logtext "Result: nscd is not running"
|
logtext "Result: nscd is not running"
|
||||||
Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
|
Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
|
||||||
#YYY show performance suggestion if LDAP is used
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
|
@ -263,7 +262,6 @@
|
||||||
Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
|
Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
logtext "Test: Search BIND configuration file"
|
logtext "Test: Search BIND configuration file"
|
||||||
#YYY add chrooted environments
|
|
||||||
for I in ${BIND_CONFIG_LOCS}; do
|
for I in ${BIND_CONFIG_LOCS}; do
|
||||||
if [ -f ${I}/named.conf ]; then
|
if [ -f ${I}/named.conf ]; then
|
||||||
BIND_CONFIG_LOCATION="${I}/named.conf"
|
BIND_CONFIG_LOCATION="${I}/named.conf"
|
||||||
|
@ -377,7 +375,6 @@
|
||||||
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
|
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
logtext "Test: Search PowerDNS configuration file"
|
logtext "Test: Search PowerDNS configuration file"
|
||||||
#YYY add chrooted environments
|
|
||||||
for I in ${POWERDNS_CONFIG_LOCS}; do
|
for I in ${POWERDNS_CONFIG_LOCS}; do
|
||||||
if [ -f ${I}/pdns.conf ]; then
|
if [ -f ${I}/pdns.conf ]; then
|
||||||
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
|
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
|
||||||
|
@ -609,4 +606,4 @@ wait_for_keypress
|
||||||
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -29,7 +29,7 @@
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Test : NETW-2704 (YYY move to nameservices section)
|
# Test : NETW-2704
|
||||||
# Description : Basic nameserver configuration tests (connectivity)
|
# Description : Basic nameserver configuration tests (connectivity)
|
||||||
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
|
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
@ -200,7 +200,7 @@
|
||||||
case ${OS} in
|
case ${OS} in
|
||||||
AIX)
|
AIX)
|
||||||
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
|
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
|
||||||
# IPv6 support in AIX? (YYY)
|
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
|
||||||
;;
|
;;
|
||||||
DragonFly|FreeBSD|NetBSD)
|
DragonFly|FreeBSD|NetBSD)
|
||||||
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
|
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
|
||||||
|
@ -473,8 +473,6 @@
|
||||||
IsRunning dhclient
|
IsRunning dhclient
|
||||||
if [ ${RUNNING} -eq 1 ]; then
|
if [ ${RUNNING} -eq 1 ]; then
|
||||||
Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
|
Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
|
||||||
#YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
|
|
||||||
#report "manual[]=System is running DHCP client"
|
|
||||||
DHCP_CLIENT_RUNNING=1
|
DHCP_CLIENT_RUNNING=1
|
||||||
else
|
else
|
||||||
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
|
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
|
||||||
|
@ -482,20 +480,6 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# Test : NETW-3060
|
|
||||||
# Description : Check if IPv6 is configured AND used
|
|
||||||
# /etc/modprobe.d (add 'install ipv6 /bin/true' if IPv6 isn't used)
|
|
||||||
# or
|
|
||||||
# aliased (/etc/modprobe.d/aliases?): alias net-pf-10 off ipv6 (to disable)
|
|
||||||
#Register --test-no NETW-3060 --weight L --network NO --description "Checking IPv6 connectivity"
|
|
||||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# Linux: net.ipv4.ip_always_defrag
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
|
|
||||||
report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
|
report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
|
||||||
|
@ -503,4 +487,4 @@ wait_for_keypress
|
||||||
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
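Review bot: The AIX branch in the `@ -200,7 +200,7 @` hunk now fills `FIND2` with the second field of every `inet6` line, and nothing visible normalises that value. If AIX `ifconfig -a` appends a `%zone` or `/prefixlen` suffix to the address, the suffix would end up in whatever is reported from `FIND2`. A short comment on the new line would help, e.g. `# inet6 field may carry a %zone or /prefix suffix; strip before reporting`. The `case` statement continues outside the hunk, so how `FIND2` is consumed cannot be checked from here. This is a functional change inside a commit described as copyright changes and cleanups, and it deserves its own line in the description.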
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -252,37 +252,13 @@
|
||||||
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
|
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
|
||||||
AddHP 2 2
|
AddHP 2 2
|
||||||
fi
|
fi
|
||||||
#YYY Check through all files
|
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Disable/use functions:
|
|
||||||
# safe_mode (only for PHP5?)
|
|
||||||
# open_basedir (limits access to defined directory, comparable with chrooting)
|
|
||||||
# disable_classes
|
|
||||||
# session.save_path
|
|
||||||
# session.referer_check
|
|
||||||
# upload_tmp_dir
|
|
||||||
# file_uploads Off, if possible
|
|
||||||
# Set display_errors to Off
|
|
||||||
# Set log_errors to On and define error_log (with value Syslog or a filename)
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# mod_suexec
|
|
||||||
# suPHP (/etc/suphp.conf)
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# Test : PHP-2388
|
|
||||||
# Description : Check php version number
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
|
|
||||||
wait_for_keypress
|
wait_for_keypress
|
||||||
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
||||||
|
|
|
@ -5,8 +5,8 @@
|
||||||
# Lynis
|
# Lynis
|
||||||
# ------------------
|
# ------------------
|
||||||
#
|
#
|
||||||
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
|
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
|
||||||
# Web site: http://www.rootkit.nl
|
# Web site: https://cisofy.com
|
||||||
#
|
#
|
||||||
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
# welcome to redistribute it under the terms of the GNU General Public License.
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
|
@ -78,35 +78,6 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# Temporary disabled due false positives
|
|
||||||
# Packages like docbook, gcc, automake report multiple installed versions
|
|
||||||
# # Test : PKGS-7303
|
|
||||||
# # Description : Query FreeBSD pkg_info
|
|
||||||
# if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
||||||
# Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD for double installed packages"
|
|
||||||
# if [ ${SKIPTEST} -eq 0 ]; then
|
|
||||||
# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
|
|
||||||
# if [ "${SDOUBLEINSTALLED}" = "" ]; then
|
|
||||||
# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result OK --color GREEN
|
|
||||||
# logtext "Ok, no packages show up twice or more in the package listing."
|
|
||||||
# else
|
|
||||||
# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result WARNING --color RED
|
|
||||||
# for J in ${SDOUBLEINSTALLED}; do
|
|
||||||
# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
|
|
||||||
# logtext "This package ${J} is visible twice or more in the pkg_info listing."
|
|
||||||
# ReportSuggestion ${TEST_NO} "(FreeBSD) run pkgdb -F and check this manually."
|
|
||||||
# ReportSuggestion ${TEST_NO} "(OpenBSD) check dependencies to see if one of the double "
|
|
||||||
# logtext "installed packages is unneeded."
|
|
||||||
# report "double_installed_package[]=${J}"
|
|
||||||
# done
|
|
||||||
# fi
|
|
||||||
# else
|
|
||||||
# Display --indent 4 --text "- Searching pkg_info" --result "NOT FOUND" --color WHITE
|
|
||||||
# logtext "Result: pkg_info can NOT be found on this system"
|
|
||||||
# fi
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
# Test : PKGS-7304
|
# Test : PKGS-7304
|
||||||
# Description : Gentoo packages
|
# Description : Gentoo packages
|
||||||
|
@ -152,7 +123,6 @@
|
||||||
logtext "Result: pkginfo can NOT be found on this system"
|
logtext "Result: pkginfo can NOT be found on this system"
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#
|
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Test : PKGS-7308
|
# Test : PKGS-7308
|
||||||
|
@ -202,7 +172,6 @@
|
||||||
if [ "${SPACKAGES}" = "" ]; then
|
if [ "${SPACKAGES}" = "" ]; then
|
||||||
logtext "Result: pacman binary available, but package list seems to be empty"
|
logtext "Result: pacman binary available, but package list seems to be empty"
|
||||||
logtext "Info: looks like the pacman binary is installed, but not used for package installation"
|
logtext "Info: looks like the pacman binary is installed, but not used for package installation"
|
||||||
#YYY ReportException?
|
|
||||||
else
|
else
|
||||||
for J in ${SPACKAGES}; do
|
for J in ${SPACKAGES}; do
|
||||||
N=`expr ${N} + 1`
|
N=`expr ${N} + 1`
|
||||||
|
@ -380,7 +349,7 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
#
|
||||||
# Test : PKGS-7348
|
# Test : PKGS-7348
|
||||||
# Description : Show unneeded distfiles if present
|
# Description : Show unneeded distfiles if present
|
||||||
# Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
|
# Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
|
||||||
|
@ -540,7 +509,6 @@
|
||||||
if [ "${FIND}" = "" ]; then
|
if [ "${FIND}" = "" ]; then
|
||||||
logtext "Result: pkg audit results are clean"
|
logtext "Result: pkg audit results are clean"
|
||||||
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
|
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
|
||||||
# Don't check yet, output of found vulnerable packages unclear (YYY)
|
|
||||||
else
|
else
|
||||||
logtext "Result: ${FIND}"
|
logtext "Result: ${FIND}"
|
||||||
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
|
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
|
||||||
|
@ -1014,21 +982,6 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
|
||||||
# Test : PKGS-7414
|
|
||||||
# Description : Check installonly_limit in yum.conf
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# Test : PKGS-7416
|
|
||||||
# Description : Check for popularity-contest (Debian/Ubuntu)
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# Test : PKGS-7418
|
|
||||||
# Description : Check for yum-changelog
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
#
|
||||||
|
|
||||||
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
|
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
|
||||||
|
@ -1043,4 +996,4 @@ wait_for_keypress
|
||||||
|
|
||||||
#
|
#
|
||||||
#================================================================================
|
#================================================================================
|
||||||
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
|
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
|
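Review bot: Removing `# Don't check yet, output of found vulnerable packages unclear (YYY)` in the `@ -540,7 +509,6 @` hunk leaves the commented-out `#Display ... --result WARNING --color RED` line in the else branch with no explanation of why it is disabled. As far as this hunk shows, a non-empty `pkg audit` result is only written with `logtext`, which is easy to miss in an audit run. I would keep a rationale next to the disabled line, e.g. `# WARNING display disabled: pkg audit output format not yet parsed reliably`, or re-enable the display. The else branch continues outside the hunk, so a later `Display` call cannot be ruled out.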
||||||
|
|