tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1070 from jsoref/spelling 

Spelling improvements
This commit is contained in:
Michael Boelen 2020-11-09 10:35:49 +01:00 committed by GitHub
parent 499cf1cdb9 358fc02402
commit 7bfbbb5184
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 41 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
CHANGELOG.md
View File

@ -46,7 +46,7 @@
- CRYP-7902 - Added support for certificates in DER format - CRYP-7902 - Added support for certificates in DER format
- CRYP-7931 - Added data to report - CRYP-7931 - Added data to report
- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
- FILE-6430 - Don't grep nonexistant modprobe.d files - FILE-6430 - Don't grep nonexistent modprobe.d files
- FIRE-4535 - Set initial firewall state - FIRE-4535 - Set initial firewall state
- INSE-8312 - Corrected text on screen - INSE-8312 - Corrected text on screen
- KRNL-5728 - Handle zipped kernel configuration correctly - KRNL-5728 - Handle zipped kernel configuration correctly
@ -164,7 +164,7 @@ Using the relevant options, the scan will change base on the intended goal.
- AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD - AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD
- AUTH-9282 - fix: temporary variable was overwritten - AUTH-9282 - fix: temporary variable was overwritten
- AUTH-9408 - added support for pam_tally2 to log failed logins - AUTH-9408 - added support for pam_tally2 to log failed logins
- AUTH-9489 - test removedd as it is merged with AUTH-9218 - AUTH-9489 - test removed as it is merged with AUTH-9218
- BANN-7126 - additional words for login banner are accepted - BANN-7126 - additional words for login banner are accepted
- BOOT-5122 - check for defined password in all GRUB configuration files - BOOT-5122 - check for defined password in all GRUB configuration files
- CONT-8106 - support newer 'docker info' output - CONT-8106 - support newer 'docker info' output
@ -450,7 +450,7 @@ Tests:
* [AUTH-9308] - Made 'sulogin' more generic for systemd rescue shell * [AUTH-9308] - Made 'sulogin' more generic for systemd rescue shell
* [DNS-1600] - Initial work on DNSSEC validation testing * [DNS-1600] - Initial work on DNSSEC validation testing
* [NETW-2704] - Added support for local resolver 127.0.0.53 * [NETW-2704] - Added support for local resolver 127.0.0.53
* [PHP-2379] - Suhosin test disbled * [PHP-2379] - Suhosin test disabled
* [SSH-7408] - Removed 'DELAYED' from OpenSSH Compression setting * [SSH-7408] - Removed 'DELAYED' from OpenSSH Compression setting
* [TIME-3160] - Improvements to detect step-tickers file and entries * [TIME-3160] - Improvements to detect step-tickers file and entries
@ -697,7 +697,7 @@ Changes:
* Renamed some variables to better indicate their purpose (counting, data type) * Renamed some variables to better indicate their purpose (counting, data type)
* Removal of unused code and comments * Removal of unused code and comments
* Deleted unused tests from database file * Deleted unused tests from database file
* Correct levels of identation * Correct levels of indentation
* Support for older mac OS X versions (Lion and Mountain Lion) * Support for older mac OS X versions (Lion and Mountain Lion)
* Initialized variables for more binaries * Initialized variables for more binaries
* Additional sysctls are tested * Additional sysctls are tested
@ -1358,7 +1358,7 @@ Functions
* AddSetting - New function to store settings (lynis show settings) * AddSetting - New function to store settings (lynis show settings)
* ContainsString - New function to search for a string in another one * ContainsString - New function to search for a string in another one
* Display - Added --debug, showing details on screen in debug mode * Display - Added --debug, showing details on screen in debug mode
- Reset identation for lines which are too long - Reset indentation for lines which are too long
* DisplayToolTip - New function to display tooltips * DisplayToolTip - New function to display tooltips
* IsDebug - Check for usage of --debug * IsDebug - Check for usage of --debug
* IsDeveloperMode - Status for development and debugging (--developer) * IsDeveloperMode - Status for development and debugging (--developer)
@ -1431,7 +1431,7 @@ release.
------------ ------------
The biggest change in this release is the optimization of several functions. It The biggest change in this release is the optimization of several functions. It
allows for better detection, and dealing with the quirks, of every single allows for better detection, and dealing with the quirks, of every single
operating system. Some functions were fortified to handle unexcepted results operating system. Some functions were fortified to handle unexpected results
better, like missing a particular binary, or not returning the hostname. better, like missing a particular binary, or not returning the hostname.
This release also enables tests to be shorter, by adding new functions. Some This release also enables tests to be shorter, by adding new functions. Some
@ -1709,7 +1709,7 @@ Added tests for CSF's lfd utility for integrity monitoring on directories and
files. Related tests are FINT-4334 and FINT-4336. files. Related tests are FINT-4334 and FINT-4336.
Added support for Chrony time daemon and timesync daemon. Additionally NTP Added support for Chrony time daemon and timesync daemon. Additionally NTP
sychronization status is checked when it is enabled. synchronization status is checked when it is enabled.
Improved single user mode protection on the rescue.service file. Improved single user mode protection on the rescue.service file.
@ -2291,7 +2291,7 @@ Lynis 1.4.2 (2014-02-19)
Changes: Changes:
- Ignore interfaces aliases for HostID - Ignore interfaces aliases for HostID
- Extended umask tests with pam_umask entries [AUTH-9328] - Extended umask tests with pam_umask entries [AUTH-9328]
- Check for supressed version on Squid [SQD-3680] - Check for suppressed version on Squid [SQD-3680]
--------------------------------------------------------------------------------- ---------------------------------------------------------------------------------
@ -2304,7 +2304,7 @@ Lynis 1.4.1 (2014-02-15)
- Added 64 bits locations for Apache modules - Added 64 bits locations for Apache modules
- Add start of new category to logfile - Add start of new category to logfile
- Extended sysstat test with /etc/cron.d/sysstat [ACCT-9626] - Extended sysstat test with /etc/cron.d/sysstat [ACCT-9626]
- Extended cron job tests with entries start with asterix (*) [SCHD-7704] - Extended cron job tests with entries start with asterisk (*) [SCHD-7704]
- Additional check for multiple umask entries (like RHEL 6.x) [AUTH-9328] - Additional check for multiple umask entries (like RHEL 6.x) [AUTH-9328]
- Adjusted PHP test for register_globals (explicit test) [PHP-2368] - Adjusted PHP test for register_globals (explicit test) [PHP-2368]
- Small adjustments for upcoming plugin support - Small adjustments for upcoming plugin support
@ -2431,7 +2431,7 @@ Lynis 1.3.6 (2013-12-03)
- Adjusted PHP check to find ini files [PHP-2211] - Adjusted PHP check to find ini files [PHP-2211]
- Skip Apache test for NetBSD [HTTP-6622] - Skip Apache test for NetBSD [HTTP-6622]
- Skip test http version check for NetBSD [HTTP-6624] - Skip test http version check for NetBSD [HTTP-6624]
- Additional check to supress sort error [HTTP-6626] - Additional check to suppress sort error [HTTP-6626]
- Improved the way binaries are checked (less disk reads) - Improved the way binaries are checked (less disk reads)
- Adjusted ReportWarning() function to skip impact rating - Adjusted ReportWarning() function to skip impact rating
- Improved report on screen by leaving out date/time and type - Improved report on screen by leaving out date/time and type
@ -2467,7 +2467,7 @@ Lynis 1.3.5 (2013-11-19)
- Added suggestion about BIND version [NAME-4210] - Added suggestion about BIND version [NAME-4210]
- Merged test NTP daemon test TIME-3108 into TIME-3104 - Merged test NTP daemon test TIME-3108 into TIME-3104
- Improved support for Arch Linux (output, detection) - Improved support for Arch Linux (output, detection)
- Extended common list of directories with SSL certifcates in profile - Extended common list of directories with SSL certificates in profile
- New function GetHostID() to determine an unique identifier of the machine - New function GetHostID() to determine an unique identifier of the machine
- Added a tests_custom file template - Added a tests_custom file template
- Perform file permissions test on tests_custom file - Perform file permissions test on tests_custom file
@ -2510,7 +2510,7 @@ Lynis 1.3.3 (2013-10-24)
Lynis 1.3.2 (2013-10-09) Lynis 1.3.2 (2013-10-09)
New: New:
- Test for PowerDNS authoritive servers (master/slave status) [NAME-4238] - Test for PowerDNS authoritative servers (master/slave status) [NAME-4238]
Changes: Changes:
- CUPS test extended with hardening rules [PRNT-2308] - CUPS test extended with hardening rules [PRNT-2308]
@ -2557,7 +2557,7 @@ Lynis 1.3.0 (2011-12-25)
- Fixed incorrect warning for single user mode [AUTH-9308] - Fixed incorrect warning for single user mode [AUTH-9308]
- Improved output for stratum 16 time servers [TIME-3116] - Improved output for stratum 16 time servers [TIME-3116]
- Added suggestion and screen output for kernel hardening [KRNL-6000] - Added suggestion and screen output for kernel hardening [KRNL-6000]
- Screen layout optimalizations and log file improvements - Screen layout optimizations and log file improvements
- Improved list/layout of scan options - Improved list/layout of scan options
- Improved binary check for compilers - Improved binary check for compilers
- Added configuration option in scan profile (show_tool_tips, default true) - Added configuration option in scan profile (show_tool_tips, default true)
@ -3120,7 +3120,7 @@ Lynis 1.1.5 (2008-06-10)
- Improved FreeBSD pkg_info output, logging output and report data [PKG-7302] - Improved FreeBSD pkg_info output, logging output and report data [PKG-7302]
- Changed shell history file test, searching files with maxdepth 1 [HOME-9310] - Changed shell history file test, searching files with maxdepth 1 [HOME-9310]
- Extended iptables test, to check Linux kernel configuration file [FIRE-4511] - Extended iptables test, to check Linux kernel configuration file [FIRE-4511]
- Added report warning to promicuous test [NETW-3014] - Added report warning to promiscuous test [NETW-3014]
- Fixed yellow color when being used at text display - Fixed yellow color when being used at text display
- Several logging improvements and cleanups - Several logging improvements and cleanups
@ -3189,11 +3189,11 @@ Lynis 1.1.2 (2008-05-11)
- Improved LILO test and removed double message - Improved LILO test and removed double message
- Fixed incorrect message when using --help parameter - Fixed incorrect message when using --help parameter
- Improved portaudit test (FreeBSD) to show unique packages only - Improved portaudit test (FreeBSD) to show unique packages only
- Updated man page, FAQ, extended documention with plugin information - Updated man page, FAQ, extended documentation with plugin information
- Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE) - Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE)
** Special release notes [package/ports]: ** ** Special release notes [package/ports]: **
- Added several default paths to check for usuable an INCLUDE directory. This - Added several default paths to check for usable INCLUDE directory. This
should make packaging Lynis easier for downstream package providers. should make packaging Lynis easier for downstream package providers.
- When no profile is set, Lynis will check first /etc/lynis/default.prf, - When no profile is set, Lynis will check first /etc/lynis/default.prf,
before setting default.prf (in current work directory) as profile to use. before setting default.prf (in current work directory) as profile to use.
@ -3252,7 +3252,7 @@ Lynis 1.0.9 (2008-03-24)
- Added available shells from /etc/shells to report file - Added available shells from /etc/shells to report file
- Updated man page - Updated man page
- Fixed option in main help window for --man option - Fixed option in main help window for --man option
- Code improvement, splitting up sections to seperated files - Code improvement, splitting up sections to separated files
--------------------------------------------------------------------------------- ---------------------------------------------------------------------------------
@ -3268,7 +3268,7 @@ Lynis 1.0.8 (2008-02-10)
- Changed old temporary files check - Changed old temporary files check
- Changed test to include ubuntu security repository - Changed test to include ubuntu security repository
- Moved UID check to avoid PID creation as non root user - Moved UID check to avoid PID creation as non root user
- Moved most functions to seperated files and several code cleanups - Moved most functions to separated files and several code cleanups
- Improved logging output - Improved logging output
- Extended FreeBSD (Copyright file) test - Extended FreeBSD (Copyright file) test
- Changed indentation for many tests - Changed indentation for many tests
@ -3312,7 +3312,7 @@ Lynis 1.0.7 (2008-01-28)
- Updated year number in program and support files - Updated year number in program and support files
- Added new function Display, to use indentation within lines - Added new function Display, to use indentation within lines
- Added function RemovePIDFile before some exit routines, to clean up PID file - Added function RemovePIDFile before some exit routines, to clean up PID file
- Extracted profile support, parameter support to seperated files - Extracted profile support, parameter support to separated files
- Created file tests_ports_packages for Ports and Packages - Created file tests_ports_packages for Ports and Packages
- Deleted lynis.spec file, since it was not working and will be rewritten later - Deleted lynis.spec file, since it was not working and will be rewritten later
@ -3465,7 +3465,7 @@ Lynis 1.0.0 (2007-11-08)
- Test: query nameservers and test connectivity - Test: query nameservers and test connectivity
- Test: check promiscuous interfaces (FreeBSD) - Test: check promiscuous interfaces (FreeBSD)
- Test: check sticky bit on /tmp directory - Test: check sticky bit on /tmp directory
- Test: check debian.org security brance in /etc/apt/sources.list - Test: check debian.org security branch in /etc/apt/sources.list
- Test: check kernel update on Debian - Test: check kernel update on Debian
- Test: query default Linux run level - Test: query default Linux run level
- Test: query chkconfig to see which services start at boot - Test: query chkconfig to see which services start at boot

4
CONTRIBUTING.md
View File

@ -27,7 +27,7 @@ To ensure all pull requests can be easily checked and merged, here are some tips
## Code Guidelines ## Code Guidelines
### General ### General
Identation should be 4 spaces (no tab character). Indentation should be 4 spaces (no tab character).
### Comments ### Comments
Comments: use # sign followed by a space. When needed, create a comment block. Comments: use # sign followed by a space. When needed, create a comment block.
@ -68,6 +68,6 @@ software or computer software documentation in whole or in part, in any manner
and for any purpose whatsoever, and to have or authorize others to do so. and for any purpose whatsoever, and to have or authorize others to do so.
If you want to be named in as a contributor in the CONTRIBUTOR file, then include If you want to be named in as a contributor in the CONTRIBUTOR file, then include
this notition in your pull request. Preferred format: Full Name, and your e-mail this notation in your pull request. Preferred format: Full Name, and your e-mail
address). address).

2
db/tests.db
View File

@ -282,7 +282,7 @@ NAME-4210:test:security:nameservices::Check DNS banner:
NAME-4230:test:security:nameservices::Check PowerDNS status: NAME-4230:test:security:nameservices::Check PowerDNS status:
NAME-4232:test:security:nameservices::Search PowerDNS configuration file: NAME-4232:test:security:nameservices::Search PowerDNS configuration file:
NAME-4236:test:security:nameservices::Check PowerDNS backends: NAME-4236:test:security:nameservices::Check PowerDNS backends:
NAME-4238:test:security:nameservices::Check PowerDNS authoritive status: NAME-4238:test:security:nameservices::Check PowerDNS authoritative status:
NAME-4304:test:security:nameservices::Check NIS ypbind status: NAME-4304:test:security:nameservices::Check NIS ypbind status:
NAME-4306:test:security:nameservices::Check NIS domain: NAME-4306:test:security:nameservices::Check NIS domain:
NAME-4402:test:security:nameservices::Check duplicate line in /etc/hosts: NAME-4402:test:security:nameservices::Check duplicate line in /etc/hosts:

2
extras/bash_completion.d/lynis
View File

@ -126,7 +126,7 @@ _lynis()
report) report)
return 0 return 0
;; ;;
settiings) settings)
return 0 return 0
;; ;;
tests) tests)

2
include/functions
View File

@ -38,7 +38,7 @@
# DigitsOnly Return only the digits from a string # DigitsOnly Return only the digits from a string
# DirectoryExists Check if a directory exists on the disk # DirectoryExists Check if a directory exists on the disk
# DiscoverProfiles Determine available profiles on system # DiscoverProfiles Determine available profiles on system
# Display Output text to screen with colors and identation # Display Output text to screen with colors and indentation
# DisplayError Show an error on screen # DisplayError Show an error on screen
# DisplayException Show an exception on screen # DisplayException Show an exception on screen
# DisplayManual Output text to screen without any layout # DisplayManual Output text to screen without any layout

2
include/helper_configure
View File

@ -72,7 +72,7 @@
ExitFatal ExitFatal
fi fi
FIND=$(echo ${HELPER_PARAMERS} | grep " ") FIND=$(echo ${HELPER_PARAMS} | grep " ")
if [ ! "${FIND}" = "" ]; then ${ECHOCMD} "Found invalid character (space) in configuration string"; ExitFatal; fi if [ ! "${FIND}" = "" ]; then ${ECHOCMD} "Found invalid character (space) in configuration string"; ExitFatal; fi
CONFIGURE_SETTINGS=$(echo $2 | sed 's/:/ /g') CONFIGURE_SETTINGS=$(echo $2 | sed 's/:/ /g')

2
include/profiles
View File

@ -50,7 +50,7 @@
Display --text " " Display --text " "
Display --text "==================================================================================================" Display --text "=================================================================================================="
Display --text " " Display --text " "
LogText "Insight: Profile '${PROFILE}' contians one or more old-style configuration entries" LogText "Insight: Profile '${PROFILE}' contains one or more old-style configuration entries"
ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries" ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries"
sleep 10 sleep 10
fi fi

8
include/report
View File

@ -151,14 +151,14 @@
fi fi
# Show suggestions from logfile # Show suggestions from logfile
SSUGGESTIONS=$(${GREPBINARY} 'Suggestion: ' ${LOGFILE} | sed 's/ /!space!/g') SUGGESTIONS=$(${GREPBINARY} 'Suggestion: ' ${LOGFILE} | sed 's/ /!space!/g')
if [ -z "${SSUGGESTIONS}" ]; then if [ -z "${SUGGESTIONS}" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo "" echo " ${OK}No suggestions${NORMAL}"; echo ""
else else
echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):" echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
echo " ${WHITE}----------------------------${NORMAL}" echo " ${WHITE}----------------------------${NORMAL}"
for SUGGESTION in ${SSUGGESTIONS}; do for SUGGESTION in ${SUGGESTIONS}; do
SOLUTION="" SOLUTION=""
SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://') SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}') ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}')
@ -183,7 +183,7 @@
done done
fi fi
# Show tip on how to continue (next steps) # Show tip on how to continue (next steps)
if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then if [ ! "${SWARNINGS}" = "" -o ! "${SUGGESTIONS}" = "" ]; then
echo " ${CYAN}Follow-up${NORMAL}:" echo " ${CYAN}Follow-up${NORMAL}:"
echo " ${WHITE}----------------------------${NORMAL}" echo " ${WHITE}----------------------------${NORMAL}"
echo " ${WHITE}-${NORMAL} Show details of a test (lynis show details TEST-ID)" echo " ${WHITE}-${NORMAL} Show details of a test (lynis show details TEST-ID)"

2
include/tests_authentication
View File

@ -1068,7 +1068,7 @@
# Test : AUTH-9306 # Test : AUTH-9306
# Description : Check if authentication is needed to boot the system # Description : Check if authentication is needed to boot the system
# Notes : :d_boot_authenticate: is a good option for production machines to # Notes : :d_boot_authenticate: is a good option for production machines to
# avoid unauthorized booting of systems. Option :d_boot_autentication@: # avoid unauthorized booting of systems. Option :d_boot_authentication@:
# disabled a required login. # disabled a required login.
Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --category security --description "Check single boot authentication" Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --category security --description "Check single boot authentication"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then

4
include/tests_dns
View File

@ -45,11 +45,11 @@
# #
# if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then # if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then
# LogText "Result: received timeout, can't determine DNSSEC validation" # LogText "Result: received timeout, can't determine DNSSEC validation"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout" # #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
# elif [ -z "${GOOD}" -a -n "${BAD}" ]; then # elif [ -z "${GOOD}" -a -n "${BAD}" ]; then
# LogText "Result: good signature failed, yet bad signature was accepted" # LogText "Result: good signature failed, yet bad signature was accepted"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted" # #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
# elif [ -n "${GOOD}" -a -n "${BAD}" ]; then # elif [ -n "${GOOD}" -a -n "${BAD}" ]; then
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW

4
include/tests_kernel
View File

@ -485,7 +485,7 @@
( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ) || \ ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \ ( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
LogText "Result: core dumps are explicitely enabled in systemd configuration files" LogText "Result: core dumps are explicitly enabled in systemd configuration files"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')" ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')"
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED
AddHP 0 1 AddHP 0 1
@ -796,7 +796,7 @@
# Attempt to check for Raspbian if reboot is needed # Attempt to check for Raspbian if reboot is needed
# This check searches for apt package "raspberrypi-kernel-[package-date]", trys to extract the date of packaging from the filename # This check searches for apt package "raspberrypi-kernel-[package-date]", trys to extract the date of packaging from the filename
# and compares that date with the currently running kernel's build date (uname -v). # and compares that date with the currently running kernel's build date (uname -v).
# Of course there can be a time difference between kernel build and kernel packaging, therefor a time difference of # Of course there can be a time difference between kernel build and kernel packaging, therefore a time difference of
# 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version. # 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version.
if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then
LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution" LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution"

2
include/tests_kernel_hardening
View File

@ -28,7 +28,7 @@
# #
# Test : KRNL-6000 # Test : KRNL-6000
# Description : Check sysctl parameters # Description : Check sysctl parameters
# Sysctl : net.ipv4.icmp_ingore_bogus_error_responses (=1) # Sysctl : net.ipv4.icmp_ignore_bogus_error_responses (=1)
if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile" Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then

6
include/tests_time
View File

@ -86,7 +86,7 @@
# Reason: openntpd syncs only if large time corrections are not required or -s is passed. # Reason: openntpd syncs only if large time corrections are not required or -s is passed.
# This might be not intended by the administrator (-s is NOT the default!) # This might be not intended by the administrator (-s is NOT the default!)
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep") FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep")
# Status code 0 is when communication over the socket is successfull # Status code 0 is when communication over the socket is successful
if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd" FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ntpctl)" LogText "result: found openntpd (method: ntpctl)"
@ -97,7 +97,7 @@
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd" FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ps)" LogText "result: found openntpd (method: ps)"
else else
LogText "result: running openntpd not found, but ntpctl is instaalled" LogText "result: running openntpd not found, but ntpctl is installed"
fi fi
if [ "${NTP_DAEMON}" = "openntpd" ]; then if [ "${NTP_DAEMON}" = "openntpd" ]; then
@ -106,7 +106,7 @@
fi fi
# Check running processes (ntpd from ntp.org) # Check running processes (ntpd from ntp.org)
# As checking by process name is ambigiouse (openntpd has the same process name), # As checking by process name is ambiguous (openntpd has the same process name),
# this check will be skipped if openntpd has been found. # this check will be skipped if openntpd has been found.
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "ntpd: " | ${GREPBINARY} -v "grep") FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "ntpd: " | ${GREPBINARY} -v "grep")
if [ "${NTP_DAEMON}" != "openntpd" ] && [ -n "${FIND}" ]; then if [ "${NTP_DAEMON}" != "openntpd" ] && [ -n "${FIND}" ]; then

2
lynis
View File

@ -589,7 +589,7 @@ ${NORMAL}
if [ ${SET_STRICT} -eq 0 ]; then if [ ${SET_STRICT} -eq 0 ]; then
set +u # Allow uninitialized variables set +u # Allow uninitialized variables
else else
set -u # Do not allow unitialized variables set -u # Do not allow uninitialized variables
fi fi
# Import a different language when configured # Import a different language when configured