[LOGG-2154] Check for remote syslogging, more in-depth testing

mboelen 2015-12-22 16:56:15 +01:00
parent 95832c61d1
commit 72b0f65438
3 changed files with 137 additions and 112 deletions

CHANGELOG

@ -17,141 +17,152 @@
================================================================================
= Lynis 2.1.x (2.2.0 release in development) =
= Lynis 2.1.6 (development version for 2.2.x) =
This is an major release, which includes both new features and enhancements to existing tests.
*** THIS CHANGELOG IS IN PREPARATION FOR THE NEW 2.2.0 RELEASE ***
* Automation tools
------------------
CFEngine detection has been further extended. Additional logging and reporting of automation tools.
We are proud to present this new release of Lynis. It is a major upgrade, and the
result of many months of work. This version includes new features and tests, and
many small enhancements, to improve the tool. We encourage all to test and
upgrade to this latest release.
* Authentication
----------------
Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
checking for /etc/login.defs [AUTH-9408]. Merged password check on Solaris into AUTH-9228.
* Automation tools
------------------
CFEngine detection has been further extended. Additional logging and reporting of automation tools.
New plugin is introduced to analyze PAM settings. It including items like:
- Two-factor authentication methods
- Minimum password length, password strength and protection status against brute force cracking
- Password history
* Authentication
----------------
Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
checking for /etc/login.defs [AUTH-9408]. Merged previous password check for Solaris into test AUTH-9228.
New plugin is introduced to analyze PAM settings. It including items like:
Report option: auth_failed_logins_logged
- Two-factor authentication methods
- Minimum password length, password strength and protection status against brute force cracking
- Password history
* Compliance
------------
Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.
Report option: auth_failed_logins_logged
Right now these standards can be selected:
- CIS benchmarks
- HIPAA
- ISO27001/ISO27002
- PCI DSS
* Compliance
------------
This release prepares for upcoming extensions to assist with compliance testing. The profile has a new option, which can b
Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.
* DNS and Name services
-----------------------
Support added for Unbound DNS caching tool [NAME-4034]
Configuration check for Unbound [NAME-4036]
Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
Right now these standards can be selected:
- CIS benchmarks
- HIPAA
- ISO27001/ISO27002
- PCI DSS
* Firewalls
-----------
Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available.
New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now.
* DNS and Name services
-----------------------
Support added for Unbound DNS caching tool [NAME-4034]
Configuration check for Unbound [NAME-4036]
Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
* Hardware
----------
Detection of firewire is enhanced (both ohci and core detected).
* Firewalls
-----------
Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available.
New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now.
* Malware
---------
ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report.
* Hardware
----------
Detection of firewire is enhanced (both ohci and core detected).
* Mount points
--------------
FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
* Malware
---------
ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report.
* Networking
------------
NETW-3004 now collects network interface names from most common operating systems.
* Mount points
--------------
FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
* Operating systems
-------------------
Improved support for Debian 8 systems. Detection for VMware release has been added.
Boot loader exception is not longer displayed when only a subset of tests is performed.
FreeBSD systems can now use service command to gather information about enabled services.
* Networking
------------
NETW-3004 now collects network interface names from most common operating systems.
Support for boot loader detection on Mac OS X
* Operating systems
-------------------
Improved support for Debian 8 systems. Detection for VMware release has been added.
Boot loader exception is not longer displayed when only a subset of tests is performed.
FreeBSD systems can now use service command to gather information about enabled services.
* Passwords
-----------
AUTH-9286 change has been extended to both capture minimum and password age.
Support for boot loader detection on Mac OS X
* Software
----------
Log when vulnerable software packages were found
* Passwords
-----------
AUTH-9286 change has been extended to both capture minimum and password age.
* SSH
-----
Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
* Software and Packages
-----------------------
Log when vulnerable software packages were found
Special thanks to: Kamil Boratyński
* SSH
-----
Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
* UEFI and Secure Boot
----------------------
Initial support to test UEFI settings, including Secure Boot option
Options boot_uefi_booted and boot_uefi_booted_secure added to report file
* UEFI and Secure Boot
----------------------
Initial support to test UEFI settings, including Secure Boot option
Options boot_uefi_booted and boot_uefi_booted_secure added to report file
* Virtual machines and Containers
---------------------------------
Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools
like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker.
Check file permissions for Docker files, like socket file [CONT-8108]
* Virtual machines and Containers
---------------------------------
Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools
like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker.
Check file permissions for Docker files, like socket file [CONT-8108]
* Individual tests
------------------
[AUTH-9204] Exclude NIS entries to avoid false positives
[AUTH-9230] Removed test as it was merged into AUTH-9228
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
[BOOT-5106] New test to test boot loader on Mac OS X
[BOOT-5180] Only gets executed if runlevel 2 is found
[CONT-8108] New test to test for Docker file permissions
[FILE-6410] Added /var/lib/locatedb as search path
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
[PKGS-7308] Split package name and version for RPM based package manager
[MALW-3278] New test to detect LMD (Linux Malware Detect)
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running
* Individual tests
------------------
[AUTH-9204] Exclude NIS entries to avoid false positives
[AUTH-9230] Removed test as it was merged into AUTH-9228
[AUTH-9288] Test for expired passwords
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
[BOOT-5106] New test to test boot loader on Mac OS X
[BOOT-5180] Only gets executed if runlevel 2 is found
[CONT-8108] New test to test for Docker file permissions
[FILE-6410] Added /var/lib/locatedb as search path
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
[PKGS-7308] Split package name and version for RPM based package manager
[MALW-3278] New test to detect LMD (Linux Malware Detect)
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running
[TIME-3170] New test to check NTP configuration files and determine if any of them are world writable
* Functions
-----------
[DigitsOnly] New function to extract only numbers from a text string
[DisplayManual] New function to show text on screen without any markup
[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier
[IsWordWritable] Changed return codes for easier usage of the function
[LogText] Replaces the older logtext function
[Report] Replaces the older report function
[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution)
[ReportWarning] Like ReportSuggestion() has additional parameters
[ShowComplianceFinding] Display compliance findings
[ShowSymlinkPath] Ensure readlink is available
* Functions
-----------
[DigitsOnly] New function to extract only numbers from a text string
[DisplayManual] New function to show text on screen without any markup
[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier
[IsWordWritable] Changed return codes for easier usage of the function
[LogText] Replaces the older logtext function
[RandomString] Creates a random string of characters
[Report] Replaces the older report function
[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution)
[ReportWarning] Like ReportSuggestion() has additional parameters
[ShowComplianceFinding] Display compliance findings
[ShowSymlinkPath] Ensure readlink is available
* General improvements
----------------------
- When using pentest mode, it will continue without any delays (=quick mode).
- Data uploads: provide help when self-signed certificates are used.
- Improved output for tests which before showed results as a warning, while actually are just suggestions.
- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
- Preparations to allow compressing the Lynis report file and enhance uploads.
- Tool tips are displayed, to make Lynis even easier to use.
- PID file has additional checks, including cleanups.
* General improvements
----------------------
- When using pentest mode, it will continue without any delays (=quick mode).
- Data uploads: provide help when self-signed certificates are used.
- Improved output for tests which before showed results as a warning, while actually are just suggestions.
- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
- Preparations to allow compressing the Lynis report file and enhance uploads.
- Tool tips are displayed, to make Lynis even easier to use.
- PID file has additional checks, including cleanups.
* Plugins
---------
[PAM] New plugin available in all versions of Lynis
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
* Special thanks
----------------
We like to specifically thank Kamil Boratyński for his contributions to this release.
--------------------------------------------------------------
* Plugins
---------
[PAM] New plugin available in all versions of Lynis
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
--------------------------------------------------------------
= Lynis 2.1.1 (2015-07-22) =
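Review bot: the change this commit makes (LOGG-2154, remote syslog detection) is not recorded anywhere in the rewritten CHANGELOG; the "Individual tests" list gains [AUTH-9288] and [TIME-3170] but no [LOGG-2154] entry, so add one there (e.g. "[LOGG-2154] Check whether configured syslog-ng destinations are actually used for remote logging"). Smaller points in the added text: the Compliance paragraph line "The profile has a new option, which can b" appears cut off mid-word; "It including items like:" should read "It includes items like:"; the line "Report option: auth_failed_logins_logged" is placed between the PAM plugin sentence and its bullet list, where it reads as part of that list rather than belonging to the failed-login check; and "Boot loader exception is not longer displayed" should be "no longer".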


@ -130,6 +130,7 @@ unset LANG
PRIVILEGED=0
PROFILEVALUE=""
PSBINARY="ps"
REMOTE_LOGGING_ENABLED=0
RKHUNTERBINARY=""
RPMBINARY=""
RUN_HELPERS=0


@ -346,13 +346,26 @@
FIND=`egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: remote logging enabled"
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
else
REMOTE_LOGGING_ENABLED=1
else
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
DESTINATIONS=`grep "^destination" ${SYSLOGD_CONF} | egrep "(udp|tcp)" | grep "port" | awk '{print $2}'`
for DESTINATION in ${DESTINATIONS}; do
FIND2=`grep "log" | grep "source" | egrep "destination\(${DESTINATION}\)"`
if [ ! "${FIND2}" = "" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1
fi
done
fi
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
LogText "Result: no remote logging found"
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
else
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
fi
else
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
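Review bot: the FIND2 pipeline inside the for loop never reads the configuration file: its first command is `grep "log" | grep "source" | egrep "destination\(${DESTINATION}\)"` with no file argument, so grep reads standard input instead of ${SYSLOGD_CONF}, the loop will not match any destination, and an interactive run can block waiting on stdin; it should be `grep "log" ${SYSLOGD_CONF} | grep "source" | egrep "destination\(${DESTINATION}\)"`. A second logic point: the first branch sets REMOTE_LOGGING_ENABLED=1 as soon as FIND matches a destination with udp/tcp and a port, without checking that a `log { source(...); destination(...); }` statement actually references it, while the else branch only runs when FIND is empty and is the only path that performs that reference check; since the reference check is the more in-depth test the commit title describes, it should apply to every discovered destination rather than only to those the first pattern missed, otherwise a defined-but-unused destination is still scored as ENABLED with full hardening points. Finally, the outcome is only logged and displayed; consider also writing it to the report (the CHANGELOG on this page documents report fields such as auth_failed_logins_logged for comparable checks) so automation can consume whether remote logging is configured.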