From 72b0f65438ded70afad2cc024e5f3d76b3ac6bd8 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 22 Dec 2015 16:56:15 +0100 Subject: [PATCH] [LOGG-2154] Check for remote syslogging, more in-depth testing --- CHANGELOG | 229 ++++++++++++++++++++++-------------------- include/consts | 1 + include/tests_logging | 19 +++- 3 files changed, 137 insertions(+), 112 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index c8617835..4db4e446 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -17,141 +17,152 @@ ================================================================================ - = Lynis 2.1.x (2.2.0 release in development) = += Lynis 2.1.6 (development version for 2.2.x) = - This is an major release, which includes both new features and enhancements to existing tests. +*** THIS CHANGELOG IS IN PREPARATION FOR THE NEW 2.2.0 RELEASE *** - * Automation tools - ------------------ - CFEngine detection has been further extended. Additional logging and reporting of automation tools. +We are proud to present this new release of Lynis. It is a major upgrade, and the +result of many months of work. This version includes new features and tests, and +many small enhancements, to improve the tool. We encourage all to test and +upgrade to this latest release. - * Authentication - ---------------- - Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes - checking for /etc/login.defs [AUTH-9408]. Merged password check on Solaris into AUTH-9228. +* Automation tools +------------------ +CFEngine detection has been further extended. Additional logging and reporting of automation tools. - New plugin is introduced to analyze PAM settings. It including items like: - - Two-factor authentication methods - - Minimum password length, password strength and protection status against brute force cracking - - Password history +* Authentication +---------------- +Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes +checking for /etc/login.defs [AUTH-9408]. Merged previous password check for Solaris into test AUTH-9228. +New plugin is introduced to analyze PAM settings. 
It including items like: - Report option: auth_failed_logins_logged +- Two-factor authentication methods +- Minimum password length, password strength and protection status against brute force cracking +- Password history - * Compliance - ------------ - Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards. +Report option: auth_failed_logins_logged - Right now these standards can be selected: - - CIS benchmarks - - HIPAA - - ISO27001/ISO27002 - - PCI DSS +* Compliance +------------ +This release prepares for upcoming extensions to assist with compliance testing. The profile has a new option, which can b +Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards. - * DNS and Name services - ----------------------- - Support added for Unbound DNS caching tool [NAME-4034] - Configuration check for Unbound [NAME-4036] - Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used +Right now these standards can be selected: +- CIS benchmarks +- HIPAA +- ISO27001/ISO27002 +- PCI DSS - * Firewalls - ----------- - Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available. - New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now. +* DNS and Name services +----------------------- +Support added for Unbound DNS caching tool [NAME-4034] +Configuration check for Unbound [NAME-4036] +Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used - * Hardware - ---------- - Detection of firewire is enhanced (both ohci and core detected). 
+* Firewalls +----------- +Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available. +New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now. - * Malware - --------- - ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report. +* Hardware +---------- +Detection of firewire is enhanced (both ohci and core detected). - * Mount points - -------------- - FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags. +* Malware +--------- +ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report. - * Networking - ------------ - NETW-3004 now collects network interface names from most common operating systems. +* Mount points +-------------- +FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags. - * Operating systems - ------------------- - Improved support for Debian 8 systems. Detection for VMware release has been added. - Boot loader exception is not longer displayed when only a subset of tests is performed. - FreeBSD systems can now use service command to gather information about enabled services. +* Networking +------------ +NETW-3004 now collects network interface names from most common operating systems. - Support for boot loader detection on Mac OS X +* Operating systems +------------------- +Improved support for Debian 8 systems. Detection for VMware release has been added. +Boot loader exception is not longer displayed when only a subset of tests is performed. +FreeBSD systems can now use service command to gather information about enabled services. - * Passwords - ----------- - AUTH-9286 change has been extended to both capture minimum and password age. 
+Support for boot loader detection on Mac OS X - * Software - ---------- - Log when vulnerable software packages were found +* Passwords +----------- +AUTH-9286 change has been extended to both capture minimum and password age. - * SSH - ----- - Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition. +* Software and Packages +----------------------- +Log when vulnerable software packages were found - Special thanks to: Kamil Boratyński +* SSH +----- +Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition. - * UEFI and Secure Boot - ---------------------- - Initial support to test UEFI settings, including Secure Boot option - Options boot_uefi_booted and boot_uefi_booted_secure added to report file +* UEFI and Secure Boot +---------------------- +Initial support to test UEFI settings, including Secure Boot option +Options boot_uefi_booted and boot_uefi_booted_secure added to report file - * Virtual machines and Containers - --------------------------------- - Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools - like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker. - Check file permissions for Docker files, like socket file [CONT-8108] +* Virtual machines and Containers +--------------------------------- +Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools +like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker. 
+Check file permissions for Docker files, like socket file [CONT-8108] - * Individual tests - ------------------ - [AUTH-9204] Exclude NIS entries to avoid false positives - [AUTH-9230] Removed test as it was merged into AUTH-9228 - [AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD. - [BOOT-5106] New test to test boot loader on Mac OS X - [BOOT-5180] Only gets executed if runlevel 2 is found - [CONT-8108] New test to test for Docker file permissions - [FILE-6410] Added /var/lib/locatedb as search path - [HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox - [PKGS-7308] Split package name and version for RPM based package manager - [MALW-3278] New test to detect LMD (Linux Malware Detect) - [SHLL-6230] Test for umask values in shell configuration files (e.g. rc files) - [TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running +* Individual tests +------------------ +[AUTH-9204] Exclude NIS entries to avoid false positives +[AUTH-9230] Removed test as it was merged into AUTH-9228 +[AUTH-9288] Test for expired passwords +[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD. +[BOOT-5106] New test to test boot loader on Mac OS X +[BOOT-5180] Only gets executed if runlevel 2 is found +[CONT-8108] New test to test for Docker file permissions +[FILE-6410] Added /var/lib/locatedb as search path +[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox +[PKGS-7308] Split package name and version for RPM based package manager +[MALW-3278] New test to detect LMD (Linux Malware Detect) +[SHLL-6230] Test for umask values in shell configuration files (e.g. 
rc files) +[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running +[TIME-3170] New test to check NTP configuration files and determine if any of them are world writable - * Functions - ----------- - [DigitsOnly] New function to extract only numbers from a text string - [DisplayManual] New function to show text on screen without any markup - [ExitCustom] New function to allow program to exit with a different exit code, depending on outcome - [GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier - [IsWordWritable] Changed return codes for easier usage of the function - [LogText] Replaces the older logtext function - [Report] Replaces the older report function - [ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution) - [ReportWarning] Like ReportSuggestion() has additional parameters - [ShowComplianceFinding] Display compliance findings - [ShowSymlinkPath] Ensure readlink is available +* Functions +----------- +[DigitsOnly] New function to extract only numbers from a text string +[DisplayManual] New function to show text on screen without any markup +[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome +[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier +[IsWordWritable] Changed return codes for easier usage of the function +[LogText] Replaces the older logtext function +[RandomString] Creates a random string of characters +[Report] Replaces the older report function +[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution) +[ReportWarning] Like ReportSuggestion() has additional parameters +[ShowComplianceFinding] Display compliance findings +[ShowSymlinkPath] Ensure readlink is available - * General improvements - ---------------------- - - When using pentest mode, it will continue without any 
delays (=quick mode). - - Data uploads: provide help when self-signed certificates are used. - - Improved output for tests which before showed results as a warning, while actually are just suggestions. - - Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply. - - Preparations to allow compressing the Lynis report file and enhance uploads. - - Tool tips are displayed, to make Lynis even easier to use. - - PID file has additional checks, including cleanups. +* General improvements +---------------------- +- When using pentest mode, it will continue without any delays (=quick mode). +- Data uploads: provide help when self-signed certificates are used. +- Improved output for tests which before showed results as a warning, while actually are just suggestions. +- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply. +- Preparations to allow compressing the Lynis report file and enhance uploads. +- Tool tips are displayed, to make Lynis even easier to use. +- PID file has additional checks, including cleanups. - * Plugins - --------- - [PAM] New plugin available in all versions of Lynis - [PLGN-2804] Limit report output of EXT file systems to 1 item per line +* Special thanks +---------------- +We like to specifically thank Kamil Boratyński for his contributions to this release. - -------------------------------------------------------------- +* Plugins +--------- +[PAM] New plugin available in all versions of Lynis +[PLGN-2804] Limit report output of EXT file systems to 1 item per line + +-------------------------------------------------------------- = Lynis 2.1.1 (2015-07-22) = diff --git a/include/consts b/include/consts index 9c647d58..4ff0a896 100644 --- a/include/consts +++ b/include/consts 
@@ -130,6 +130,7 @@ unset LANG PRIVILEGED=0 PROFILEVALUE="" PSBINARY="ps" + REMOTE_LOGGING_ENABLED=0 RKHUNTERBINARY="" RPMBINARY="" RUN_HELPERS=0 diff --git a/include/tests_logging b/include/tests_logging index a8c65e23..4099ae6a 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -346,13 +346,26 @@ FIND=`egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"` if [ ! "${FIND}" = "" ]; then LogText "Result: remote logging enabled" - AddHP 5 5 - Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN - else + REMOTE_LOGGING_ENABLED=1 + else + # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination + DESTINATIONS=`grep "^destination" ${SYSLOGD_CONF} | egrep "(udp|tcp)" | grep "port" | awk '{print $2}'` + for DESTINATION in ${DESTINATIONS}; do + FIND2=`grep "log" | grep "source" | egrep "destination\(${DESTINATION}\)"` + if [ ! "${FIND2}" = "" ]; then + LogText "Result: found destination ${DESTINATION} configured for remote logging" + REMOTE_LOGGING_ENABLED=1 + fi + done + fi + if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then LogText "Result: no remote logging found" ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection" AddHP 1 3 Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW + else + AddHP 5 5 + Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN fi else LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
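Review bot: the added Compliance paragraph in the CHANGELOG hunk is cut off mid-sentence: `+This release prepares for upcoming extensions to assist with compliance testing. The profile has a new option, which can b` stops at "can b", and the next added line `+Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.` already says what the fragment was leading up to, so either complete the sentence or drop the fragment and keep only the existing "Added new compliance_standards option" line. In the same hunk, "Boot loader exception is not longer displayed" (Operating systems section) should read "no longer", and the new header `+= Lynis 2.1.6 (development version for 2.2.x) =` together with `+*** THIS CHANGELOG IS IN PREPARATION FOR THE NEW 2.2.0 RELEASE ***` will need to be reconciled into a single version line before the release is tagged.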
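Review bot: the new destination loop in include/tests_logging is missing the file argument: `FIND2=`grep "log" | grep "source" | egrep "destination\(${DESTINATION}\)"`` never reads ${SYSLOGD_CONF}, so the first grep reads standard input and either blocks waiting for input or, when stdin is closed or redirected, matches nothing, which leaves REMOTE_LOGGING_ENABLED at 0 for every syslog-ng destination found on this path; it should be `grep "log" ${SYSLOGD_CONF} | grep "source" | egrep "destination\(${DESTINATION}\)"`. Two smaller points in the same hunk: the log-statement match has no `grep -v "^#"` (unlike the earlier FIND line), so a commented-out `# log { source(s_src); destination(d_remote); };` would still be reported as remote logging enabled, and `awk '{print $2}'` yields `d_remote{` rather than `d_remote` when the destination is written as `destination d_remote{` without a space, after which `egrep "destination\(d_remote{\)"` can never match, so strip a trailing `{` from the name (for example with `sed 's/{.*//'`). The detection also assumes the whole `log { ... };` block sits on one line; multi-line log statements, which are common in syslog-ng configurations, fall through to "no remote logging found", which is acceptable for a heuristic but deserves a comment next to the loop so the limitation is visible.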