mirror of https://github.com/CISOfy/lynis.git
Merge remote-tracking branch 'origin/master' into eol
commit
80e13f2742
|
@ -36,3 +36,5 @@ its development, even after 12+ years!
|
|||
* Catalyst.net IT - January 2020
|
||||
Lynis gave us great insight in to the security state of our systems, as well as where we can improve.
|
||||
|
||||
* David Osipov - October 2021
|
||||
Lynis opened my eyes on Linux security hardening best practices. As a newbie, I learn a lot about Linux system architecture while trying to harden my system.
|
||||
|
|
140
db/languages/ru
140
db/languages/ru
|
@ -4,7 +4,7 @@ GEN_CHECKING="Проверка"
|
|||
GEN_CURRENT_VERSION="Текущая версия"
|
||||
GEN_DEBUG_MODE="Режим отладки"
|
||||
GEN_INITIALIZE_PROGRAM="Инициализация программы"
|
||||
#GEN_LATEST_VERSION="Latest version"
|
||||
GEN_LATEST_VERSION="Последняя версия"
|
||||
GEN_PHASE="Стадия"
|
||||
GEN_PLUGINS_ENABLED="Плагины включены"
|
||||
GEN_UPDATE_AVAILABLE="доступно обновление"
|
||||
|
@ -14,94 +14,94 @@ NOTE_EXCEPTIONS_FOUND_DETAILED="Были найдены некоторые ис
|
|||
NOTE_EXCEPTIONS_FOUND="Найдены исключения"
|
||||
NOTE_PLUGINS_TAKE_TIME="Примечание: плагины имеют более обширные тесты и могут занять несколько минут до завершения"
|
||||
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Тесты пропущены из-за использования непривилегированного режима"
|
||||
#SECTION_ACCOUNTING="Accounting"
|
||||
#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
|
||||
#SECTION_BASICS="Basics"
|
||||
#SECTION_BOOT_AND_SERVICES="Boot and services"
|
||||
#SECTION_CONTAINERS="Containers"
|
||||
#SECTION_CRYPTOGRAPHY="Cryptography"
|
||||
SECTION_ACCOUNTING="Учёт"
|
||||
SECTION_BANNERS_AND_IDENTIFICATION="Баннеры и идентификаторы"
|
||||
SECTION_BASICS="Основное"
|
||||
SECTION_BOOT_AND_SERVICES="Загрузка и сервисы"
|
||||
SECTION_CONTAINERS="Контейнеры"
|
||||
SECTION_CRYPTOGRAPHY="Криптография"
|
||||
SECTION_CUSTOM_TESTS="Пользовательские тесты"
|
||||
#SECTION_DATABASES="Databases"
|
||||
#SECTION_DATA_UPLOAD="Data upload"
|
||||
#SECTION_DOWNLOADS="Downloads"
|
||||
#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
|
||||
#SECTION_FILE_INTEGRITY="Software: file integrity"
|
||||
#SECTION_FILE_PERMISSIONS="File Permissions"
|
||||
#SECTION_FILE_SYSTEMS="File systems"
|
||||
#SECTION_FIREWALLS="Software: firewalls"
|
||||
#SECTION_GENERAL="General"
|
||||
#SECTION_HARDENING="Hardening"
|
||||
#SECTION_HOME_DIRECTORIES="Home directories"
|
||||
#SECTION_IMAGE="Image"
|
||||
#SECTION_INITIALIZING_PROGRAM="Initializing program"
|
||||
#SECTION_INSECURE_SERVICES="Insecure services"
|
||||
#SECTION_KERNEL_HARDENING="Kernel Hardening"
|
||||
#SECTION_KERNEL="Kernel"
|
||||
#SECTION_LDAP_SERVICES="LDAP Services"
|
||||
#SECTION_LOGGING_AND_FILES="Logging and files"
|
||||
SECTION_DATABASES="Базы данных"
|
||||
SECTION_DATA_UPLOAD="Отправка данных"
|
||||
SECTION_DOWNLOADS="Загрузки"
|
||||
SECTION_EMAIL_AND_MESSAGING="Программное обеспечение: e-mail и отправка сообщений"
|
||||
SECTION_FILE_INTEGRITY="Программное обеспечение: целостность файлов"
|
||||
SECTION_FILE_PERMISSIONS="Права доступа к файлам"
|
||||
SECTION_FILE_SYSTEMS="Файловые системы"
|
||||
SECTION_FIREWALLS="Программное обеспечение: firewall"
|
||||
SECTION_GENERAL="Общее"
|
||||
SECTION_HARDENING="Усиление"
|
||||
SECTION_HOME_DIRECTORIES="Домашние директории"
|
||||
SECTION_IMAGE="Образы"
|
||||
SECTION_INITIALIZING_PROGRAM="Инициализация программы"
|
||||
SECTION_INSECURE_SERVICES="Небезопасные сервисы"
|
||||
SECTION_KERNEL_HARDENING="УСиления ядра"
|
||||
SECTION_KERNEL="Ядро"
|
||||
SECTION_LDAP_SERVICES="Сервисы LDAP"
|
||||
SECTION_LOGGING_AND_FILES="Логирование и файлы"
|
||||
SECTION_MALWARE="Вредоносное ПО"
|
||||
SECTION_MEMORY_AND_PROCESSES="Память и процессы"
|
||||
#SECTION_NAME_SERVICES="Name services"
|
||||
#SECTION_NETWORKING="Networking"
|
||||
#SECTION_PERMISSIONS="Permissions"
|
||||
#SECTION_PORTS_AND_PACKAGES="Ports and packages"
|
||||
#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
|
||||
#SECTION_PROGRAM_DETAILS="Program Details"
|
||||
#SECTION_SCHEDULED_TASKS="Scheduled tasks"
|
||||
#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
|
||||
#SECTION_SHELLS="Shells"
|
||||
#SECTION_SNMP_SUPPORT="SNMP Support"
|
||||
#SECTION_SOFTWARE="Software"
|
||||
#SECTION_SQUID_SUPPORT="Squid Support"
|
||||
#SECTION_SSH_SUPPORT="SSH Support"
|
||||
#SECTION_STORAGE="Storage"
|
||||
#SECTION_SYSTEM_INTEGRITY="Software: System integrity"
|
||||
#SECTION_SYSTEM_TOOLING="Software: System tooling"
|
||||
#SECTION_SYSTEM_TOOLS="System tools"
|
||||
#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
|
||||
#SECTION_USB_DEVICES="USB Devices"
|
||||
#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
|
||||
#SECTION_VIRTUALIZATION="Virtualization"
|
||||
#SECTION_WEBSERVER="Software: webserver"
|
||||
#STATUS_ACTIVE="ACTIVE"
|
||||
#STATUS_CHECK_NEEDED="CHECK NEEDED"
|
||||
#STATUS_DEBUG="DEBUG"
|
||||
#STATUS_DEFAULT="DEFAULT"
|
||||
#STATUS_DIFFERENT="DIFFERENT"
|
||||
SECTION_NAME_SERVICES="Серверы имён"
|
||||
SECTION_NETWORKING="Сети"
|
||||
SECTION_PERMISSIONS="Права доступа"
|
||||
SECTION_PORTS_AND_PACKAGES="Пакеты"
|
||||
SECTION_PRINTERS_AND_SPOOLS="Принтеры и спулеры"
|
||||
SECTION_PROGRAM_DETAILS="Подробности о программе"
|
||||
SECTION_SCHEDULED_TASKS="Запланированные задачи"
|
||||
SECTION_SECURITY_FRAMEWORKS="Фреймворки"
|
||||
SECTION_SHELLS="Командные оболочки"
|
||||
SECTION_SNMP_SUPPORT="Поддержка SNMP"
|
||||
SECTION_SOFTWARE="Программное обеспечение"
|
||||
SECTION_SQUID_SUPPORT="Поддержка Squid"
|
||||
SECTION_SSH_SUPPORT="Поддержка SSH"
|
||||
SECTION_STORAGE="Хранилище"
|
||||
SECTION_SYSTEM_INTEGRITY="Программное обеспечение: целостность системы"
|
||||
SECTION_SYSTEM_TOOLING="SПрограммное обеспечение: системные инструменты"
|
||||
SECTION_SYSTEM_TOOLS="Системные утилиты"
|
||||
SECTION_TIME_AND_SYNCHRONIZATION="Время и его синхронизация"
|
||||
SECTION_USB_DEVICES="USB Устройства"
|
||||
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Пользователи, группы и Аутентификация"
|
||||
SECTION_VIRTUALIZATION="Виртуализация"
|
||||
SECTION_WEBSERVER="Программное обеспечение: веб-серверы"
|
||||
STATUS_ACTIVE="АКТИВЕН"
|
||||
STATUS_CHECK_NEEDED="ТРЕБУЕТСЯ ПРОВЕРКА"
|
||||
STATUS_DEBUG="ОТЛАДКА"
|
||||
STATUS_DEFAULT="ПО УМОЛЧАНИЮ"
|
||||
STATUS_DIFFERENT="ОТЛИЧАЕТСЯ"
|
||||
STATUS_DISABLED="ОТКЛЮЧЕНО"
|
||||
STATUS_DONE="Завершено"
|
||||
STATUS_ENABLED="ВКЛЮЧЕНО"
|
||||
STATUS_ERROR="ОШИБКА"
|
||||
#STATUS_EXPOSED="EXPOSED"
|
||||
#STATUS_FAILED="FAILED"
|
||||
#STATUS_FILES_FOUND="FILES FOUND"
|
||||
STATUS_EXPOSED="УЯЗВИМО"
|
||||
STATUS_FAILED="ПРОВАЛЕНО"
|
||||
STATUS_FILES_FOUND="ФАЙЛЫ НАЙДЕНЫ"
|
||||
STATUS_FOUND="Найдено"
|
||||
#STATUS_HARDENED="HARDENED"
|
||||
#STATUS_INSTALLED="INSTALLED"
|
||||
#STATUS_LOCAL_ONLY="LOCAL ONLY"
|
||||
#STATUS_MEDIUM="MEDIUM"
|
||||
#STATUS_NON_DEFAULT="NON DEFAULT"
|
||||
STATUS_HARDENED="УСИЛЕНО"
|
||||
STATUS_INSTALLED="УСТАНОВЛЕНО"
|
||||
STATUS_LOCAL_ONLY="ТОЛЬКО ЛОКАЛЬНО"
|
||||
STATUS_MEDIUM="СРЕДНИЙ"
|
||||
STATUS_NON_DEFAULT="НЕ ПО УМОЛЧАНИЮ"
|
||||
STATUS_NONE="Отсутствует"
|
||||
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
|
||||
#STATUS_NOT_DISABLED="NOT DISABLED"
|
||||
#STATUS_NOT_ENABLED="NOT ENABLED"
|
||||
STATUS_NOT_CONFIGURED="НЕ СКОНФИГУРИРОВАНО"
|
||||
STATUS_NOT_DISABLED="НЕ ОТКЛЮЧЕНО"
|
||||
STATUS_NOT_ENABLED="НЕ ВКЛЮЧЕНО"
|
||||
STATUS_NOT_FOUND="НЕ НАЙДЕНО"
|
||||
STATUS_NOT_RUNNING="НЕ ЗАПУЩЕНО"
|
||||
#STATUS_NO_UPDATE="NO UPDATE"
|
||||
STATUS_NO_UPDATE="ОБНОВЛЕНИЙ НЕТ"
|
||||
STATUS_NO="НЕТ"
|
||||
STATUS_OFF="Выключено"
|
||||
STATUS_OK="ОК"
|
||||
STATUS_ON="Включено"
|
||||
#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
|
||||
#STATUS_PROTECTED="PROTECTED"
|
||||
STATUS_PARTIALLY_HARDENED="ЧАСТИЧНО УСИЛЕНО"
|
||||
STATUS_PROTECTED="ЗАЩИЩЕНО"
|
||||
STATUS_RUNNING="ЗАПУЩЕНО"
|
||||
STATUS_SKIPPED="ПРОПУЩЕНО"
|
||||
STATUS_SUGGESTION="ПРЕДЛОЖЕНИЕ"
|
||||
STATUS_UNKNOWN="НЕИЗВЕСТНО"
|
||||
#STATUS_UNSAFE="UNSAFE"
|
||||
#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
|
||||
STATUS_UNSAFE="НЕБЕЗОПАСНО"
|
||||
STATUS_UPDATE_AVAILABLE="ДОСТУПНЫ ОБНОВЛЕНИЯ"
|
||||
STATUS_WARNING="ПРЕДУПРЕЖДЕНИЕ"
|
||||
#STATUS_WEAK="WEAK"
|
||||
STATUS_WEAK="СЛАБЫЙ"
|
||||
STATUS_YES="ДА"
|
||||
TEXT_UPDATE_AVAILABLE="доступно обновление"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь предоставив ваш лог-файл"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь, предоставив ваш лог-файл"
|
||||
|
|
|
@ -244,6 +244,11 @@
|
|||
OS_NAME="Flatcar Linux"
|
||||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
;;
|
||||
"funtoo")
|
||||
LINUX_VERSION="Funtoo"
|
||||
OS_FULLNAME="Funtoo Linux"
|
||||
OS_VERSION="Rolling release"
|
||||
;;
|
||||
"garuda")
|
||||
LINUX_VERSION="Garuda"
|
||||
OS_FULLNAME="Garuda Linux"
|
||||
|
|
|
@ -112,6 +112,9 @@
|
|||
runit)
|
||||
SERVICE_MANAGER="runit"
|
||||
;;
|
||||
openrc-init)
|
||||
SERVICE_MANAGER="openrc"
|
||||
;;
|
||||
*)
|
||||
CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd")
|
||||
if [ -n "${CONTAINS_SYSTEMD}" ]; then
|
||||
|
|
|
@ -619,7 +619,6 @@
|
|||
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_PARTIALLY_HARDENED}" --color YELLOW
|
||||
AddHP 4 5
|
||||
else
|
||||
# if
|
||||
if ContainsString "defaults" "${FOUND_FLAGS}"; then
|
||||
LogText "Result: marked ${FILESYSTEM} options as default (not hardened)"
|
||||
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_DEFAULT}" --color YELLOW
|
||||
|
@ -838,13 +837,13 @@
|
|||
fi
|
||||
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
|
||||
if [ -n "${FIND}" ]; then
|
||||
FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
|
||||
Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
|
||||
LogText "Result: module ${FS} is blacklisted"
|
||||
fi
|
||||
fi
|
||||
FIND1=$(${EGREPBINARY} "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
|
||||
Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
|
||||
LogText "Result: module ${FS} is blacklisted"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
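Review bot: The new patterns in the second hunk, `^blacklist \+${FS}$` and `^install \+${FS} \+/bin/true$`, are handed to `${EGREPBINARY}`, and if that resolves to egrep or `grep -E`, as the name suggests, `\+` in an extended regular expression is a literal plus sign rather than a repetition operator. In that case neither pattern can match an ordinary `blacklist <module>` or `install <module> /bin/true` line, so a correctly blacklisted filesystem module would no longer be reported as blacklisted. A POSIX character class works in the extended dialect and also accepts tabs: `FIND1=$(${EGREPBINARY} "^blacklist[[:space:]]+${FS}[[:space:]]*$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")`, with the same separator change for FIND2. The enclosing loop starts outside the hunk, so the definition of `${EGREPBINARY}` should be confirmed there.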
|
||||
|
|
|
@ -750,7 +750,7 @@
|
|||
UNCOMMON_PROTOCOL_DISABLED=0
|
||||
# First check modprobe.conf
|
||||
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
|
||||
DATA=$(${GREPBINARY} "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.conf)
|
||||
DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf)
|
||||
if [ -n "${DATA}" ]; then
|
||||
LogText "Result: found ${P} module disabled via modprobe.conf"
|
||||
UNCOMMON_PROTOCOL_DISABLED=1
|
||||
|
@ -759,7 +759,7 @@
|
|||
# Then additional modprobe configuration files
|
||||
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
|
||||
# Return file names (-l) and suppress errors (-s)
|
||||
DATA=$(${GREPBINARY} -l -s "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.d/*)
|
||||
DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*)
|
||||
if [ -n "${DATA}" ]; then
|
||||
UNCOMMON_PROTOCOL_DISABLED=1
|
||||
for F in ${DATA}; do
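Review bot: The anchored pattern `^install \+${P} \+/bin/true$` in both hunks of this file accepts only space characters between the fields and nothing after `/bin/true`, so a modprobe entry written with tabs or trailing whitespace is treated as not disabling the protocol. `\+` is also a GNU extension to basic regular expressions, so the outcome depends on which grep `${GREPBINARY}` resolves to. A form that avoids both problems is `"^install[[:space:]][[:space:]]*${P}[[:space:]][[:space:]]*/bin/true[[:space:]]*$"`, applied to the modprobe.conf and the modprobe.d lookups alike. The surrounding test starts and ends outside these hunks.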
|
||||
|
|
|
@ -296,7 +296,7 @@
|
|||
#
|
||||
# Test : PKGS-7320
|
||||
# Description : Check available of arch-audit
|
||||
if [ "${OS_FULLNAME}" = "Arch Linux" ] || [ "${OS_FULLNAME}" = "Arch Linux 32" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Test only applies to Arch Linux"; fi
|
||||
if [ "${OS_FULLNAME}" = "Arch Linux" ] || [ "${OS_FULLNAME}" = "Arch Linux 32" ] || [ "${OS_FULLNAME}" = "Garuda Linux" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Test only applies to Arch Linux and Garuda Linux"; fi
|
||||
Register --test-no PKGS-7320 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking for arch-audit tooling"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -z "${ARCH_AUDIT_BINARY}" ]; then
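Review bot: The prerequisite line for PKGS-7320 now chains three `[ ... ] ||` comparisons and both branches on one physical line, which is hard to scan and will grow with every further Arch derivative. A `case "${OS_FULLNAME}" in "Arch Linux"|"Arch Linux 32"|"Garuda Linux") PREQS_MET="YES"; SKIPREASON="" ;; *) PREQS_MET="NO"; SKIPREASON="Test only applies to Arch Linux and Garuda Linux" ;; esac` keeps the accepted names in one list and leaves the behaviour unchanged. The test body continues outside the hunk.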
|
||||
|
|