mirror of
https://github.com/CISOfy/lynis.git
synced 2025-07-22 21:34:38 +02:00
[LOGG-2154] Check for remote syslogging, more in-depth testing
This commit is contained in:
parent
95832c61d1
commit
72b0f65438
229
CHANGELOG
@ -17,141 +17,152 @@
|
|||||||
|
|
||||||
================================================================================
|
================================================================================
|
||||||
|
|
||||||
= Lynis 2.1.x (2.2.0 release in development) =
|
= Lynis 2.1.6 (development version for 2.2.x) =
|
||||||
|
|
||||||
This is an major release, which includes both new features and enhancements to existing tests.
|
*** THIS CHANGELOG IS IN PREPARATION FOR THE NEW 2.2.0 RELEASE ***
|
||||||
|
|
||||||
* Automation tools
|
We are proud to present this new release of Lynis. It is a major upgrade, and the
|
||||||
------------------
|
result of many months of work. This version includes new features and tests, and
|
||||||
CFEngine detection has been further extended. Additional logging and reporting of automation tools.
|
many small enhancements, to improve the tool. We encourage all to test and
|
||||||
|
upgrade to this latest release.
|
||||||
|
|
||||||
* Authentication
|
* Automation tools
|
||||||
----------------
|
------------------
|
||||||
Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
|
CFEngine detection has been further extended. Additional logging and reporting of automation tools.
|
||||||
checking for /etc/login.defs [AUTH-9408]. Merged password check on Solaris into AUTH-9228.
|
|
||||||
|
|
||||||
New plugin is introduced to analyze PAM settings. It including items like:
|
* Authentication
|
||||||
- Two-factor authentication methods
|
----------------
|
||||||
- Minimum password length, password strength and protection status against brute force cracking
|
Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
|
||||||
- Password history
|
checking for /etc/login.defs [AUTH-9408]. Merged previous password check for Solaris into test AUTH-9228.
|
||||||
|
New plugin is introduced to analyze PAM settings. It including items like:
|
||||||
|
|
||||||
Report option: auth_failed_logins_logged
|
- Two-factor authentication methods
|
||||||
|
- Minimum password length, password strength and protection status against brute force cracking
|
||||||
|
- Password history
|
||||||
|
|
||||||
* Compliance
|
Report option: auth_failed_logins_logged
|
||||||
------------
|
|
||||||
Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.
|
|
||||||
|
|
||||||
Right now these standards can be selected:
|
* Compliance
|
||||||
- CIS benchmarks
|
------------
|
||||||
- HIPAA
|
This release prepares for upcoming extensions to assist with compliance testing. The profile has a new option, which can b
|
||||||
- ISO27001/ISO27002
|
Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.
|
||||||
- PCI DSS
|
|
||||||
|
|
||||||
* DNS and Name services
|
Right now these standards can be selected:
|
||||||
-----------------------
|
- CIS benchmarks
|
||||||
Support added for Unbound DNS caching tool [NAME-4034]
|
- HIPAA
|
||||||
Configuration check for Unbound [NAME-4036]
|
- ISO27001/ISO27002
|
||||||
Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
|
- PCI DSS
|
||||||
|
|
||||||
* Firewalls
|
* DNS and Name services
|
||||||
-----------
|
-----------------------
|
||||||
Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available.
|
Support added for Unbound DNS caching tool [NAME-4034]
|
||||||
New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now.
|
Configuration check for Unbound [NAME-4036]
|
||||||
|
Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
|
||||||
|
|
||||||
* Hardware
|
* Firewalls
|
||||||
----------
|
-----------
|
||||||
Detection of firewire is enhanced (both ohci and core detected).
|
Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available.
|
||||||
|
New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now.
|
||||||
|
|
||||||
* Malware
|
* Hardware
|
||||||
---------
|
----------
|
||||||
ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report.
|
Detection of firewire is enhanced (both ohci and core detected).
|
||||||
|
|
||||||
* Mount points
|
* Malware
|
||||||
--------------
|
---------
|
||||||
FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
|
ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report.
|
||||||
|
|
||||||
* Networking
|
* Mount points
|
||||||
------------
|
--------------
|
||||||
NETW-3004 now collects network interface names from most common operating systems.
|
FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
|
||||||
|
|
||||||
* Operating systems
|
* Networking
|
||||||
-------------------
|
------------
|
||||||
Improved support for Debian 8 systems. Detection for VMware release has been added.
|
NETW-3004 now collects network interface names from most common operating systems.
|
||||||
Boot loader exception is not longer displayed when only a subset of tests is performed.
|
|
||||||
FreeBSD systems can now use service command to gather information about enabled services.
|
|
||||||
|
|
||||||
Support for boot loader detection on Mac OS X
|
* Operating systems
|
||||||
|
-------------------
|
||||||
|
Improved support for Debian 8 systems. Detection for VMware release has been added.
|
||||||
|
Boot loader exception is not longer displayed when only a subset of tests is performed.
|
||||||
|
FreeBSD systems can now use service command to gather information about enabled services.
|
||||||
|
|
||||||
* Passwords
|
Support for boot loader detection on Mac OS X
|
||||||
-----------
|
|
||||||
AUTH-9286 change has been extended to both capture minimum and password age.
|
|
||||||
|
|
||||||
* Software
|
* Passwords
|
||||||
----------
|
-----------
|
||||||
Log when vulnerable software packages were found
|
AUTH-9286 change has been extended to both capture minimum and password age.
|
||||||
|
|
||||||
* SSH
|
* Software and Packages
|
||||||
-----
|
-----------------------
|
||||||
Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
|
Log when vulnerable software packages were found
|
||||||
|
|
||||||
Special thanks to: Kamil Boratyński
|
* SSH
|
||||||
|
-----
|
||||||
|
Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
|
||||||
|
|
||||||
* UEFI and Secure Boot
|
* UEFI and Secure Boot
|
||||||
----------------------
|
----------------------
|
||||||
Initial support to test UEFI settings, including Secure Boot option
|
Initial support to test UEFI settings, including Secure Boot option
|
||||||
Options boot_uefi_booted and boot_uefi_booted_secure added to report file
|
Options boot_uefi_booted and boot_uefi_booted_secure added to report file
|
||||||
|
|
||||||
* Virtual machines and Containers
|
* Virtual machines and Containers
|
||||||
---------------------------------
|
---------------------------------
|
||||||
Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools
|
Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools
|
||||||
like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker.
|
like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker.
|
||||||
Check file permissions for Docker files, like socket file [CONT-8108]
|
Check file permissions for Docker files, like socket file [CONT-8108]
|
||||||
|
|
||||||
* Individual tests
|
* Individual tests
|
||||||
------------------
|
------------------
|
||||||
[AUTH-9204] Exclude NIS entries to avoid false positives
|
[AUTH-9204] Exclude NIS entries to avoid false positives
|
||||||
[AUTH-9230] Removed test as it was merged into AUTH-9228
|
[AUTH-9230] Removed test as it was merged into AUTH-9228
|
||||||
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
|
[AUTH-9288] Test for expired passwords
|
||||||
[BOOT-5106] New test to test boot loader on Mac OS X
|
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
|
||||||
[BOOT-5180] Only gets executed if runlevel 2 is found
|
[BOOT-5106] New test to test boot loader on Mac OS X
|
||||||
[CONT-8108] New test to test for Docker file permissions
|
[BOOT-5180] Only gets executed if runlevel 2 is found
|
||||||
[FILE-6410] Added /var/lib/locatedb as search path
|
[CONT-8108] New test to test for Docker file permissions
|
||||||
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
|
[FILE-6410] Added /var/lib/locatedb as search path
|
||||||
[PKGS-7308] Split package name and version for RPM based package manager
|
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
|
||||||
[MALW-3278] New test to detect LMD (Linux Malware Detect)
|
[PKGS-7308] Split package name and version for RPM based package manager
|
||||||
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
|
[MALW-3278] New test to detect LMD (Linux Malware Detect)
|
||||||
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running
|
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
|
||||||
|
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running
|
||||||
|
[TIME-3170] New test to check NTP configuration files and determine if any of them are world writable
|
||||||
|
|
||||||
* Functions
|
* Functions
|
||||||
-----------
|
-----------
|
||||||
[DigitsOnly] New function to extract only numbers from a text string
|
[DigitsOnly] New function to extract only numbers from a text string
|
||||||
[DisplayManual] New function to show text on screen without any markup
|
[DisplayManual] New function to show text on screen without any markup
|
||||||
[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
|
[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
|
||||||
[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier
|
[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier
|
||||||
[IsWordWritable] Changed return codes for easier usage of the function
|
[IsWordWritable] Changed return codes for easier usage of the function
|
||||||
[LogText] Replaces the older logtext function
|
[LogText] Replaces the older logtext function
|
||||||
[Report] Replaces the older report function
|
[RandomString] Creates a random string of characters
|
||||||
[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution)
|
[Report] Replaces the older report function
|
||||||
[ReportWarning] Like ReportSuggestion() has additional parameters
|
[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution)
|
||||||
[ShowComplianceFinding] Display compliance findings
|
[ReportWarning] Like ReportSuggestion() has additional parameters
|
||||||
[ShowSymlinkPath] Ensure readlink is available
|
[ShowComplianceFinding] Display compliance findings
|
||||||
|
[ShowSymlinkPath] Ensure readlink is available
|
||||||
|
|
||||||
* General improvements
|
* General improvements
|
||||||
----------------------
|
----------------------
|
||||||
- When using pentest mode, it will continue without any delays (=quick mode).
|
- When using pentest mode, it will continue without any delays (=quick mode).
|
||||||
- Data uploads: provide help when self-signed certificates are used.
|
- Data uploads: provide help when self-signed certificates are used.
|
||||||
- Improved output for tests which before showed results as a warning, while actually are just suggestions.
|
- Improved output for tests which before showed results as a warning, while actually are just suggestions.
|
||||||
- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
|
- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
|
||||||
- Preparations to allow compressing the Lynis report file and enhance uploads.
|
- Preparations to allow compressing the Lynis report file and enhance uploads.
|
||||||
- Tool tips are displayed, to make Lynis even easier to use.
|
- Tool tips are displayed, to make Lynis even easier to use.
|
||||||
- PID file has additional checks, including cleanups.
|
- PID file has additional checks, including cleanups.
|
||||||
|
|
||||||
* Plugins
|
* Special thanks
|
||||||
---------
|
----------------
|
||||||
[PAM] New plugin available in all versions of Lynis
|
We like to specifically thank Kamil Boratyński for his contributions to this release.
|
||||||
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
|
|
||||||
|
|
||||||
--------------------------------------------------------------
|
* Plugins
|
||||||
|
---------
|
||||||
|
[PAM] New plugin available in all versions of Lynis
|
||||||
|
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
|
||||||
|
|
||||||
|
--------------------------------------------------------------
|
||||||
|
|
||||||
= Lynis 2.1.1 (2015-07-22) =
|
= Lynis 2.1.1 (2015-07-22) =
|
||||||
|
|
||||||
|
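Review bot: the Individual tests list on the new side gains [AUTH-9288] and [TIME-3170] but carries no [LOGG-2154] entry, even though this commit is titled as the LOGG-2154 change that checks remote syslogging in more depth; add a line next to the other test ids, for example "[LOGG-2154] Improved detection of remote logging, now also checks syslog-ng destinations", so the CHANGELOG documents the behaviour change. Two wording nits on the new side while editing this hunk: "It including items like:" should read "It includes items like:", and "is not longer displayed" should read "is no longer displayed". Also [PKGS-7308] sits between [HOME-9310] and [MALW-3278], breaking the alphabetical order the rest of that list follows.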
@ -130,6 +130,7 @@ unset LANG
|
|||||||
PRIVILEGED=0
|
PRIVILEGED=0
|
||||||
PROFILEVALUE=""
|
PROFILEVALUE=""
|
||||||
PSBINARY="ps"
|
PSBINARY="ps"
|
||||||
|
REMOTE_LOGGING_ENABLED=0
|
||||||
RKHUNTERBINARY=""
|
RKHUNTERBINARY=""
|
||||||
RPMBINARY=""
|
RPMBINARY=""
|
||||||
RUN_HELPERS=0
|
RUN_HELPERS=0
|
||||||
|
@ -346,13 +346,26 @@
|
|||||||
FIND=`egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
|
FIND=`egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
|
||||||
if [ ! "${FIND}" = "" ]; then
|
if [ ! "${FIND}" = "" ]; then
|
||||||
LogText "Result: remote logging enabled"
|
LogText "Result: remote logging enabled"
|
||||||
AddHP 5 5
|
REMOTE_LOGGING_ENABLED=1
|
||||||
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
|
else
|
||||||
else
|
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
|
||||||
|
DESTINATIONS=`grep "^destination" ${SYSLOGD_CONF} | egrep "(udp|tcp)" | grep "port" | awk '{print $2}'`
|
||||||
|
for DESTINATION in ${DESTINATIONS}; do
|
||||||
|
FIND2=`grep "log" | grep "source" | egrep "destination\(${DESTINATION}\)"`
|
||||||
|
if [ ! "${FIND2}" = "" ]; then
|
||||||
|
LogText "Result: found destination ${DESTINATION} configured for remote logging"
|
||||||
|
REMOTE_LOGGING_ENABLED=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
|
||||||
LogText "Result: no remote logging found"
|
LogText "Result: no remote logging found"
|
||||||
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
|
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
|
||||||
AddHP 1 3
|
AddHP 1 3
|
||||||
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
|
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
|
||||||
|
else
|
||||||
|
AddHP 5 5
|
||||||
|
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
|
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
|
||||||
|
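Review bot: the FIND2 command substitution inside the `for DESTINATION in ${DESTINATIONS}` loop has no file argument, so `grep "log"` reads standard input instead of `${SYSLOGD_CONF}`; the loop can never match a `log { source(...); destination(...); }` statement, and when Lynis is run from a terminal it can block waiting for input. Change the start of that line from `grep "log" |` to `grep "log" ${SYSLOGD_CONF} |` (and, like the FIND line above it, drop commented lines with `grep -v "^#"` so a commented-out destination does not count as enabled). Two smaller points: `grep "^destination" ... | egrep "(udp|tcp)" | grep "port"` only catches syslog-ng destinations written on one line, so a block whose `udp(`/`tcp(` and `port(` lines follow the `destination d_name {` line is missed and the test falls through to NOT ENABLED; and when the first FIND branch matches, only "Result: remote logging enabled" is logged, whereas the new loop logs the destination name, so logging what matched in both branches would make the result easier to audit.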