[LOGG-2154] Check for remote syslogging, more in-depth testing

mboelen 2015-12-22 16:56:15 +01:00
parent 95832c61d1
commit 72b0f65438
3 changed files with 137 additions and 112 deletions

CHANGELOG

@ -17,141 +17,152 @@
================================================================================ ================================================================================
= Lynis 2.1.x (2.2.0 release in development) = = Lynis 2.1.6 (development version for 2.2.x) =
This is an major release, which includes both new features and enhancements to existing tests. *** THIS CHANGELOG IS IN PREPARATION FOR THE NEW 2.2.0 RELEASE ***
* Automation tools We are proud to present this new release of Lynis. It is a major upgrade, and the
------------------ result of many months of work. This version includes new features and tests, and
CFEngine detection has been further extended. Additional logging and reporting of automation tools. many small enhancements, to improve the tool. We encourage all to test and
upgrade to this latest release.
* Authentication * Automation tools
---------------- ------------------
Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes CFEngine detection has been further extended. Additional logging and reporting of automation tools.
checking for /etc/login.defs [AUTH-9408]. Merged password check on Solaris into AUTH-9228.
New plugin is introduced to analyze PAM settings. It including items like: * Authentication
- Two-factor authentication methods ----------------
- Minimum password length, password strength and protection status against brute force cracking Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
- Password history checking for /etc/login.defs [AUTH-9408]. Merged previous password check for Solaris into test AUTH-9228.
New plugin is introduced to analyze PAM settings. It including items like:
Report option: auth_failed_logins_logged - Two-factor authentication methods
- Minimum password length, password strength and protection status against brute force cracking
- Password history
* Compliance Report option: auth_failed_logins_logged
------------
Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.
Right now these standards can be selected: * Compliance
- CIS benchmarks ------------
- HIPAA This release prepares for upcoming extensions to assist with compliance testing. The profile has a new option, which can b
- ISO27001/ISO27002 Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.
- PCI DSS
* DNS and Name services Right now these standards can be selected:
----------------------- - CIS benchmarks
Support added for Unbound DNS caching tool [NAME-4034] - HIPAA
Configuration check for Unbound [NAME-4036] - ISO27001/ISO27002
Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used - PCI DSS
* Firewalls * DNS and Name services
----------- -----------------------
Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available. Support added for Unbound DNS caching tool [NAME-4034]
New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now. Configuration check for Unbound [NAME-4036]
Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
* Hardware * Firewalls
---------- -----------
Detection of firewire is enhanced (both ohci and core detected). Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available.
New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now.
* Malware * Hardware
--------- ----------
ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report. Detection of firewire is enhanced (both ohci and core detected).
* Mount points * Malware
-------------- ---------
FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags. ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report.
* Networking * Mount points
------------ --------------
NETW-3004 now collects network interface names from most common operating systems. FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
* Operating systems * Networking
------------------- ------------
Improved support for Debian 8 systems. Detection for VMware release has been added. NETW-3004 now collects network interface names from most common operating systems.
Boot loader exception is not longer displayed when only a subset of tests is performed.
FreeBSD systems can now use service command to gather information about enabled services.
Support for boot loader detection on Mac OS X * Operating systems
-------------------
Improved support for Debian 8 systems. Detection for VMware release has been added.
Boot loader exception is not longer displayed when only a subset of tests is performed.
FreeBSD systems can now use service command to gather information about enabled services.
* Passwords Support for boot loader detection on Mac OS X
-----------
AUTH-9286 change has been extended to both capture minimum and password age.
* Software * Passwords
---------- -----------
Log when vulnerable software packages were found AUTH-9286 change has been extended to both capture minimum and password age.
* SSH * Software and Packages
----- -----------------------
Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition. Log when vulnerable software packages were found
Special thanks to: Kamil Boratyński * SSH
-----
Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
* UEFI and Secure Boot * UEFI and Secure Boot
---------------------- ----------------------
Initial support to test UEFI settings, including Secure Boot option Initial support to test UEFI settings, including Secure Boot option
Options boot_uefi_booted and boot_uefi_booted_secure added to report file Options boot_uefi_booted and boot_uefi_booted_secure added to report file
* Virtual machines and Containers * Virtual machines and Containers
--------------------------------- ---------------------------------
Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools
like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker. like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker.
Check file permissions for Docker files, like socket file [CONT-8108] Check file permissions for Docker files, like socket file [CONT-8108]
* Individual tests * Individual tests
------------------ ------------------
[AUTH-9204] Exclude NIS entries to avoid false positives [AUTH-9204] Exclude NIS entries to avoid false positives
[AUTH-9230] Removed test as it was merged into AUTH-9228 [AUTH-9230] Removed test as it was merged into AUTH-9228
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD. [AUTH-9288] Test for expired passwords
[BOOT-5106] New test to test boot loader on Mac OS X [AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
[BOOT-5180] Only gets executed if runlevel 2 is found [BOOT-5106] New test to test boot loader on Mac OS X
[CONT-8108] New test to test for Docker file permissions [BOOT-5180] Only gets executed if runlevel 2 is found
[FILE-6410] Added /var/lib/locatedb as search path [CONT-8108] New test to test for Docker file permissions
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox [FILE-6410] Added /var/lib/locatedb as search path
[PKGS-7308] Split package name and version for RPM based package manager [HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
[MALW-3278] New test to detect LMD (Linux Malware Detect) [PKGS-7308] Split package name and version for RPM based package manager
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files) [MALW-3278] New test to detect LMD (Linux Malware Detect)
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running [SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running
[TIME-3170] New test to check NTP configuration files and determine if any of them are world writable
* Functions * Functions
----------- -----------
[DigitsOnly] New function to extract only numbers from a text string [DigitsOnly] New function to extract only numbers from a text string
[DisplayManual] New function to show text on screen without any markup [DisplayManual] New function to show text on screen without any markup
[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome [ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier [GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier
[IsWordWritable] Changed return codes for easier usage of the function [IsWordWritable] Changed return codes for easier usage of the function
[LogText] Replaces the older logtext function [LogText] Replaces the older logtext function
[Report] Replaces the older report function [RandomString] Creates a random string of characters
[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution) [Report] Replaces the older report function
[ReportWarning] Like ReportSuggestion() has additional parameters [ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution)
[ShowComplianceFinding] Display compliance findings [ReportWarning] Like ReportSuggestion() has additional parameters
[ShowSymlinkPath] Ensure readlink is available [ShowComplianceFinding] Display compliance findings
[ShowSymlinkPath] Ensure readlink is available
* General improvements * General improvements
---------------------- ----------------------
- When using pentest mode, it will continue without any delays (=quick mode). - When using pentest mode, it will continue without any delays (=quick mode).
- Data uploads: provide help when self-signed certificates are used. - Data uploads: provide help when self-signed certificates are used.
- Improved output for tests which before showed results as a warning, while actually are just suggestions. - Improved output for tests which before showed results as a warning, while actually are just suggestions.
- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply. - Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
- Preparations to allow compressing the Lynis report file and enhance uploads. - Preparations to allow compressing the Lynis report file and enhance uploads.
- Tool tips are displayed, to make Lynis even easier to use. - Tool tips are displayed, to make Lynis even easier to use.
- PID file has additional checks, including cleanups. - PID file has additional checks, including cleanups.
* Plugins * Special thanks
--------- ----------------
[PAM] New plugin available in all versions of Lynis We like to specifically thank Kamil Boratyński for his contributions to this release.
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
-------------------------------------------------------------- * Plugins
---------
[PAM] New plugin available in all versions of Lynis
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
--------------------------------------------------------------
= Lynis 2.1.1 (2015-07-22) = = Lynis 2.1.1 (2015-07-22) =
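Review bot: the rewritten Compliance paragraph on the new side is cut off mid-word ("The profile has a new option, which can b") and is immediately followed by the older sentence "Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.", so the section now reads as a broken sentence plus a second description of the same option; finish the sentence (it should name the compliance_standards option in default.prf and what it selects) and drop or merge the old line. Grammar nits carried over unchanged from the old side: "It including items like" under Authentication should be "It includes items like", "is not longer displayed" under Operating systems should be "is no longer displayed", and the Malware entry "are recognized as a malware scanner" should read "as malware scanners".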

@ -130,6 +130,7 @@ unset LANG
PRIVILEGED=0 PRIVILEGED=0
PROFILEVALUE="" PROFILEVALUE=""
PSBINARY="ps" PSBINARY="ps"
REMOTE_LOGGING_ENABLED=0
RKHUNTERBINARY="" RKHUNTERBINARY=""
RPMBINARY="" RPMBINARY=""
RUN_HELPERS=0 RUN_HELPERS=0
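Review bot: initialising REMOTE_LOGGING_ENABLED=0 among the other defaults is what the logging test's `if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]` relies on, since an unset variable would turn that into an invalid integer comparison, so this line is required and correctly placed. Because the CHANGELOG in this same commit documents report fields such as auth_failed_logins_logged and name_cache_used, consider also writing the final value to the report from the test (for example `Report "remote_logging_enabled=${REMOTE_LOGGING_ENABLED}"`) so automation can consume the outcome instead of only the on-screen ENABLED / NOT ENABLED status.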

@ -346,13 +346,26 @@
FIND=`egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"` FIND=`egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: remote logging enabled" LogText "Result: remote logging enabled"
AddHP 5 5 REMOTE_LOGGING_ENABLED=1
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN else
else # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
DESTINATIONS=`grep "^destination" ${SYSLOGD_CONF} | egrep "(udp|tcp)" | grep "port" | awk '{print $2}'`
for DESTINATION in ${DESTINATIONS}; do
FIND2=`grep "log" | grep "source" | egrep "destination\(${DESTINATION}\)"`
if [ ! "${FIND2}" = "" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1
fi
done
fi
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
LogText "Result: no remote logging found" LogText "Result: no remote logging found"
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection" ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3 AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
else
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
fi fi
else else
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found" LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
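Review bot: the loop in the new else branch has a missing file operand: `FIND2=\`grep "log" | grep "source" | egrep "destination\(${DESTINATION}\)"\`` never reads ${SYSLOGD_CONF}, so the first grep reads standard input; run interactively it blocks waiting for terminal input, and with stdin closed or empty FIND2 is always empty, meaning a syslog-ng log statement that routes a source to a udp/tcp destination is never found and REMOTE_LOGGING_ENABLED stays 0. It should be `grep "log" ${SYSLOGD_CONF} | grep "source" | egrep "destination\(${DESTINATION}\)"`. Two smaller points: `DESTINATIONS=\`grep "^destination" ${SYSLOGD_CONF} | egrep "(udp|tcp)" | grep "port" | awk '{print $2}'\`` only catches destinations written on a single line, so a multi-line destination block is skipped silently and a LogText when no destinations are found would make that visible in the log; and `\s` in the first egrep pattern is a GNU extension, so on the BSD and BusyBox grep implementations this test also runs on it may not match, [[:space:]] is the portable spelling.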