mirror of https://github.com/CISOfy/lynis.git
commit 7bfbbb5184
CHANGELOG.md
@ -46,7 +46,7 @@
- CRYP-7902 - Added support for certificates in DER format
- CRYP-7931 - Added data to report
- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
- FILE-6430 - Don't grep nonexistant modprobe.d files
- FILE-6430 - Don't grep nonexistent modprobe.d files
- FIRE-4535 - Set initial firewall state
- INSE-8312 - Corrected text on screen
- KRNL-5728 - Handle zipped kernel configuration correctly

@ -164,7 +164,7 @@ Using the relevant options, the scan will change base on the intended goal.
- AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD
- AUTH-9282 - fix: temporary variable was overwritten
- AUTH-9408 - added support for pam_tally2 to log failed logins
- AUTH-9489 - test removedd as it is merged with AUTH-9218
- AUTH-9489 - test removed as it is merged with AUTH-9218
- BANN-7126 - additional words for login banner are accepted
- BOOT-5122 - check for defined password in all GRUB configuration files
- CONT-8106 - support newer 'docker info' output

@ -450,7 +450,7 @@ Tests:
* [AUTH-9308] - Made 'sulogin' more generic for systemd rescue shell
* [DNS-1600] - Initial work on DNSSEC validation testing
* [NETW-2704] - Added support for local resolver 127.0.0.53
* [PHP-2379] - Suhosin test disbled
* [PHP-2379] - Suhosin test disabled
* [SSH-7408] - Removed 'DELAYED' from OpenSSH Compression setting
* [TIME-3160] - Improvements to detect step-tickers file and entries

@ -697,7 +697,7 @@ Changes:
* Renamed some variables to better indicate their purpose (counting, data type)
* Removal of unused code and comments
* Deleted unused tests from database file
* Correct levels of identation
* Correct levels of indentation
* Support for older mac OS X versions (Lion and Mountain Lion)
* Initialized variables for more binaries
* Additional sysctls are tested

@ -1358,7 +1358,7 @@ Functions
* AddSetting - New function to store settings (lynis show settings)
* ContainsString - New function to search for a string in another one
* Display - Added --debug, showing details on screen in debug mode
- Reset identation for lines which are too long
- Reset indentation for lines which are too long
* DisplayToolTip - New function to display tooltips
* IsDebug - Check for usage of --debug
* IsDeveloperMode - Status for development and debugging (--developer)

@ -1431,7 +1431,7 @@ release.
------------
The biggest change in this release is the optimization of several functions. It
allows for better detection, and dealing with the quirks, of every single
operating system. Some functions were fortified to handle unexcepted results
operating system. Some functions were fortified to handle unexpected results
better, like missing a particular binary, or not returning the hostname.

This release also enables tests to be shorter, by adding new functions. Some

@ -1709,7 +1709,7 @@ Added tests for CSF's lfd utility for integrity monitoring on directories and
files. Related tests are FINT-4334 and FINT-4336.

Added support for Chrony time daemon and timesync daemon. Additionally NTP
sychronization status is checked when it is enabled.
synchronization status is checked when it is enabled.

Improved single user mode protection on the rescue.service file.

@ -2291,7 +2291,7 @@ Lynis 1.4.2 (2014-02-19)
Changes:
- Ignore interfaces aliases for HostID
- Extended umask tests with pam_umask entries [AUTH-9328]
- Check for supressed version on Squid [SQD-3680]
- Check for suppressed version on Squid [SQD-3680]

---------------------------------------------------------------------------------

@ -2304,7 +2304,7 @@ Lynis 1.4.1 (2014-02-15)
- Added 64 bits locations for Apache modules
- Add start of new category to logfile
- Extended sysstat test with /etc/cron.d/sysstat [ACCT-9626]
- Extended cron job tests with entries start with asterix (*) [SCHD-7704]
- Extended cron job tests with entries start with asterisk (*) [SCHD-7704]
- Additional check for multiple umask entries (like RHEL 6.x) [AUTH-9328]
- Adjusted PHP test for register_globals (explicit test) [PHP-2368]
- Small adjustments for upcoming plugin support

@ -2431,7 +2431,7 @@ Lynis 1.3.6 (2013-12-03)
- Adjusted PHP check to find ini files [PHP-2211]
- Skip Apache test for NetBSD [HTTP-6622]
- Skip test http version check for NetBSD [HTTP-6624]
- Additional check to supress sort error [HTTP-6626]
- Additional check to suppress sort error [HTTP-6626]
- Improved the way binaries are checked (less disk reads)
- Adjusted ReportWarning() function to skip impact rating
- Improved report on screen by leaving out date/time and type

@ -2467,7 +2467,7 @@ Lynis 1.3.5 (2013-11-19)
- Added suggestion about BIND version [NAME-4210]
- Merged test NTP daemon test TIME-3108 into TIME-3104
- Improved support for Arch Linux (output, detection)
- Extended common list of directories with SSL certifcates in profile
- Extended common list of directories with SSL certificates in profile
- New function GetHostID() to determine an unique identifier of the machine
- Added a tests_custom file template
- Perform file permissions test on tests_custom file

@ -2510,7 +2510,7 @@ Lynis 1.3.3 (2013-10-24)
Lynis 1.3.2 (2013-10-09)

New:
- Test for PowerDNS authoritive servers (master/slave status) [NAME-4238]
- Test for PowerDNS authoritative servers (master/slave status) [NAME-4238]

Changes:
- CUPS test extended with hardening rules [PRNT-2308]

@ -2557,7 +2557,7 @@ Lynis 1.3.0 (2011-12-25)
- Fixed incorrect warning for single user mode [AUTH-9308]
- Improved output for stratum 16 time servers [TIME-3116]
- Added suggestion and screen output for kernel hardening [KRNL-6000]
- Screen layout optimalizations and log file improvements
- Screen layout optimizations and log file improvements
- Improved list/layout of scan options
- Improved binary check for compilers
- Added configuration option in scan profile (show_tool_tips, default true)

@ -3120,7 +3120,7 @@ Lynis 1.1.5 (2008-06-10)
- Improved FreeBSD pkg_info output, logging output and report data [PKG-7302]
- Changed shell history file test, searching files with maxdepth 1 [HOME-9310]
- Extended iptables test, to check Linux kernel configuration file [FIRE-4511]
- Added report warning to promicuous test [NETW-3014]
- Added report warning to promiscuous test [NETW-3014]
- Fixed yellow color when being used at text display
- Several logging improvements and cleanups

@ -3189,11 +3189,11 @@ Lynis 1.1.2 (2008-05-11)
- Improved LILO test and removed double message
- Fixed incorrect message when using --help parameter
- Improved portaudit test (FreeBSD) to show unique packages only
- Updated man page, FAQ, extended documention with plugin information
- Updated man page, FAQ, extended documentation with plugin information
- Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE)

** Special release notes [package/ports]: **
- Added several default paths to check for usuable an INCLUDE directory. This
- Added several default paths to check for usable INCLUDE directory. This
should make packaging Lynis easier for downstream package providers.
- When no profile is set, Lynis will check first /etc/lynis/default.prf,
before setting default.prf (in current work directory) as profile to use.

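Review bot: the corrected line `- Added several default paths to check for usable INCLUDE directory. This` removes the stray `an` but is now left with no article at all; `a usable INCLUDE directory` is the natural form, so finish the wording fix while this line is being touched.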
@ -3252,7 +3252,7 @@ Lynis 1.0.9 (2008-03-24)
- Added available shells from /etc/shells to report file
- Updated man page
- Fixed option in main help window for --man option
- Code improvement, splitting up sections to seperated files
- Code improvement, splitting up sections to separated files

---------------------------------------------------------------------------------

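Review bot: `separated files` is still the wrong word here; the entry means sections that were split into files of their own, which is `separate files`. The same spelling-only correction is repeated in the next two hunks (`Moved most functions to separated files` and `Extracted profile support, parameter support to separated files`), so all three should use `separate` for consistency.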
@ -3268,7 +3268,7 @@ Lynis 1.0.8 (2008-02-10)
- Changed old temporary files check
- Changed test to include ubuntu security repository
- Moved UID check to avoid PID creation as non root user
- Moved most functions to seperated files and several code cleanups
- Moved most functions to separated files and several code cleanups
- Improved logging output
- Extended FreeBSD (Copyright file) test
- Changed indentation for many tests

@ -3312,7 +3312,7 @@ Lynis 1.0.7 (2008-01-28)
- Updated year number in program and support files
- Added new function Display, to use indentation within lines
- Added function RemovePIDFile before some exit routines, to clean up PID file
- Extracted profile support, parameter support to seperated files
- Extracted profile support, parameter support to separated files
- Created file tests_ports_packages for Ports and Packages
- Deleted lynis.spec file, since it was not working and will be rewritten later

@ -3465,7 +3465,7 @@ Lynis 1.0.0 (2007-11-08)
- Test: query nameservers and test connectivity
- Test: check promiscuous interfaces (FreeBSD)
- Test: check sticky bit on /tmp directory
- Test: check debian.org security brance in /etc/apt/sources.list
- Test: check debian.org security branch in /etc/apt/sources.list
- Test: check kernel update on Debian
- Test: query default Linux run level
- Test: query chkconfig to see which services start at boot

@ -27,7 +27,7 @@ To ensure all pull requests can be easily checked and merged, here are some tips
## Code Guidelines

### General
Identation should be 4 spaces (no tab character).
Indentation should be 4 spaces (no tab character).

### Comments
Comments: use # sign followed by a space. When needed, create a comment block.

@ -68,6 +68,6 @@ software or computer software documentation in whole or in part, in any manner
and for any purpose whatsoever, and to have or authorize others to do so.

If you want to be named in as a contributor in the CONTRIBUTOR file, then include
this notition in your pull request. Preferred format: Full Name, and your e-mail
this notation in your pull request. Preferred format: Full Name, and your e-mail
address).

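Review bot: `notation` is probably not the word this sentence wants; the paragraph asks contributors to include a statement in their pull request, so `note` (or `notice`) fits, whereas `notation` suggests a symbol system. Two more slips in the same paragraph are visible in the context lines and would be cheap to fix in this commit: `named in as a contributor` has a stray `in`, and `address).` closes a parenthesis that was never opened.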
@ -282,7 +282,7 @@ NAME-4210:test:security:nameservices::Check DNS banner:
NAME-4230:test:security:nameservices::Check PowerDNS status:
NAME-4232:test:security:nameservices::Search PowerDNS configuration file:
NAME-4236:test:security:nameservices::Check PowerDNS backends:
NAME-4238:test:security:nameservices::Check PowerDNS authoritive status:
NAME-4238:test:security:nameservices::Check PowerDNS authoritative status:
NAME-4304:test:security:nameservices::Check NIS ypbind status:
NAME-4306:test:security:nameservices::Check NIS domain:
NAME-4402:test:security:nameservices::Check duplicate line in /etc/hosts:

@ -126,7 +126,7 @@ _lynis()
report)
return 0
;;
settiings)
settings)
return 0
;;
tests)

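Review bot: this hunk is a behaviour fix rather than a comment or documentation typo, and deserves its own mention in the commit message: the case label `settiings)` could never match the `settings` argument (as in `lynis show settings`, referenced in the CHANGELOG hunk earlier in this commit), so that branch of the completion function was unreachable until now. A quick manual check that `settings` is now completed and handled like `report` and `tests` is worth doing before merging.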
@ -38,7 +38,7 @@
# DigitsOnly Return only the digits from a string
# DirectoryExists Check if a directory exists on the disk
# DiscoverProfiles Determine available profiles on system
# Display Output text to screen with colors and identation
# Display Output text to screen with colors and indentation
# DisplayError Show an error on screen
# DisplayException Show an exception on screen
# DisplayManual Output text to screen without any layout

@ -72,7 +72,7 @@
ExitFatal
fi

FIND=$(echo ${HELPER_PARAMERS} | grep " ")
FIND=$(echo ${HELPER_PARAMS} | grep " ")
if [ ! "${FIND}" = "" ]; then ${ECHOCMD} "Found invalid character (space) in configuration string"; ExitFatal; fi

CONFIGURE_SETTINGS=$(echo $2 | sed 's/:/ /g')

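Review bot: renaming `HELPER_PARAMERS` to `HELPER_PARAMS` is a functional change, not a spelling fix: the misspelled variable expanded to an empty string, so `grep " "` could never match and the `Found invalid character (space) in configuration string` ExitFatal path was dead code. After this change any configuration string containing a space is rejected, which should be stated in the commit message and exercised with a spaced value to confirm the intended behaviour. A small robustness point while here: `echo ${HELPER_PARAMS}` is unquoted, so a value beginning with `-n` or `-e` is swallowed by echo as an option; `case "${HELPER_PARAMS}" in *" "*) ... ;; esac` tests for the space without a subshell or echo at all.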
@ -50,7 +50,7 @@
Display --text " "
Display --text "=================================================================================================="
Display --text " "
LogText "Insight: Profile '${PROFILE}' contians one or more old-style configuration entries"
LogText "Insight: Profile '${PROFILE}' contains one or more old-style configuration entries"
ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries"
sleep 10
fi

@ -151,14 +151,14 @@
fi

# Show suggestions from logfile
SSUGGESTIONS=$(${GREPBINARY} 'Suggestion: ' ${LOGFILE} | sed 's/ /!space!/g')
SUGGESTIONS=$(${GREPBINARY} 'Suggestion: ' ${LOGFILE} | sed 's/ /!space!/g')

if [ -z "${SSUGGESTIONS}" ]; then
if [ -z "${SUGGESTIONS}" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo ""
else
echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
echo " ${WHITE}----------------------------${NORMAL}"
for SUGGESTION in ${SSUGGESTIONS}; do
for SUGGESTION in ${SUGGESTIONS}; do
SOLUTION=""
SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}')

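Review bot: a variable rename like `SSUGGESTIONS` to `SUGGESTIONS` has to reach every reference, not just the assignment; this hunk updates the `-z` test and the `for` loop, and the hunk that follows updates the follow-up condition, so grep the rest of the file for any remaining `SSUGGESTIONS` before merging, because a leftover reference would silently expand to empty, the same class of bug that the `HELPER_PARAMERS` fix in this commit repairs.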
@ -183,7 +183,7 @@
done
fi
# Show tip on how to continue (next steps)
if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then
if [ ! "${SWARNINGS}" = "" -o ! "${SUGGESTIONS}" = "" ]; then
echo " ${CYAN}Follow-up${NORMAL}:"
echo " ${WHITE}----------------------------${NORMAL}"
echo " ${WHITE}-${NORMAL} Show details of a test (lynis show details TEST-ID)"

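Review bot: after this rename the condition mixes two naming conventions, `SWARNINGS` beside `SUGGESTIONS`; if the leading `S` was a deliberate prefix for the string form of the list (as opposed to the `TOTAL_SUGGESTIONS` counter used a few lines earlier), then either `SSUGGESTIONS` should stay or `SWARNINGS` should be renamed in the same commit so the pair remains symmetrical. Separately, `[ ! "${SWARNINGS}" = "" -o ! "${SUGGESTIONS}" = "" ]` relies on the obsolescent `-o` operator inside `test`; `[ -n "${SWARNINGS}" ] || [ -n "${SUGGESTIONS}" ]` is the portable equivalent and reads more directly.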
@ -1068,7 +1068,7 @@
# Test : AUTH-9306
# Description : Check if authentication is needed to boot the system
# Notes : :d_boot_authenticate: is a good option for production machines to
# avoid unauthorized booting of systems. Option :d_boot_autentication@:
# avoid unauthorized booting of systems. Option :d_boot_authentication@:
# disabled a required login.
Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --category security --description "Check single boot authentication"
if [ ${SKIPTEST} -eq 0 ]; then

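Review bot: the Notes block still names the option two different ways after this correction, `:d_boot_authenticate:` on the first line and `:d_boot_authentication@:` on the next. The text describes the `@` variant as the form that disables the login, so it is the same field in its negated form and should carry the same name as the first line, `d_boot_authenticate`, rather than `authentication`; the change as written corrects one typo into a different mismatch. The last line, `disabled a required login.`, should also read `disables` to match the present tense of the rest of the notes.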
@ -45,11 +45,11 @@
#
# if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then
# LogText "Result: received timeout, can't determine DNSSEC validation"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
# elif [ -z "${GOOD}" -a -n "${BAD}" ]; then
# LogText "Result: good signature failed, yet bad signature was accepted"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
# elif [ -n "${GOOD}" -a -n "${BAD}" ]; then
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW

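Review bot: every line touched in this hunk is commented out, so correcting `STATUS_UNKOWN` to `STATUS_UNKNOWN` changes nothing at runtime; that is fine as tidy-up, but a disabled block this size (note the doubly commented `# #ReportException` lines, which were already switched off before the whole block was) is better removed and recovered from version history if the DNSSEC validation test is ever revived, rather than maintained in place.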
@ -485,7 +485,7 @@
( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
LogText "Result: core dumps are explicitely enabled in systemd configuration files"
LogText "Result: core dumps are explicitly enabled in systemd configuration files"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')"
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED
AddHP 0 1

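Review bot: the `_NR_ENABLED` counters in the condition above the changed line are expanded unquoted in `[ ... -ge 1 ]`; if any of them is unset, `test` reports `unary operator expected` on stderr and the clause evaluates false, so the `STATUS_ENABLED` branch can be skipped silently. Using `${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED:-0}` (and the same for the other five) makes the comparison well defined regardless of whether the earlier counting loop ran.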
@ -796,7 +796,7 @@
# Attempt to check for Raspbian if reboot is needed
# This check searches for apt package "raspberrypi-kernel-[package-date]", trys to extract the date of packaging from the filename
# and compares that date with the currently running kernel's build date (uname -v).
# Of course there can be a time difference between kernel build and kernel packaging, therefor a time difference of
# Of course there can be a time difference between kernel build and kernel packaging, therefore a time difference of
# 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version.
if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then
LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution"

@ -28,7 +28,7 @@
#
# Test : KRNL-6000
# Description : Check sysctl parameters
# Sysctl : net.ipv4.icmp_ingore_bogus_error_responses (=1)
# Sysctl : net.ipv4.icmp_ignore_bogus_error_responses (=1)
if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"
if [ ${SKIPTEST} -eq 0 ]; then

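Review bot: this corrects the sysctl name only in the header comment; the test itself reads its key/value pairs from the scan profile (`Check sysctl key pairs in scan profile`), and a key misspelled there would never match a real kernel parameter and would be skipped without any warning to the user. Grep the default profile for `icmp_ingore` as part of this fix so the comment and the data the test actually consumes agree.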
@ -86,7 +86,7 @@
# Reason: openntpd syncs only if large time corrections are not required or -s is passed.
# This might be not intended by the administrator (-s is NOT the default!)
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep")
# Status code 0 is when communication over the socket is successfull
# Status code 0 is when communication over the socket is successful
if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ntpctl)"

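Review bot: style point on the line just below the corrected comment: `> /dev/null 2> /dev/null` opens the device twice where `>/dev/null 2>&1` is the idiomatic form for discarding both streams; since the comment explains that only the exit status of `ntpctl -s status` matters here, the shorter redirection also makes that intent clearer.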
@ -97,7 +97,7 @@
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ps)"
else
LogText "result: running openntpd not found, but ntpctl is instaalled"
LogText "result: running openntpd not found, but ntpctl is installed"
fi

if [ "${NTP_DAEMON}" = "openntpd" ]; then

@ -106,7 +106,7 @@
fi

# Check running processes (ntpd from ntp.org)
# As checking by process name is ambigiouse (openntpd has the same process name),
# As checking by process name is ambiguous (openntpd has the same process name),
# this check will be skipped if openntpd has been found.
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "ntpd: " | ${GREPBINARY} -v "grep")
if [ "${NTP_DAEMON}" != "openntpd" ] && [ -n "${FIND}" ]; then
