tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-27 07:44:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Remove incomplete tests, code enhancements

Browse Source
This commit is contained in:
mboelen 2015-07-22 17:37:11 +02:00
parent ba11e87b3c
commit afd01ece5d
14 changed files with 50 additions and 221 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
include/tests_filesystems
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -623,4 +623,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

8
include/tests_firewalls
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -30,10 +30,6 @@
#
#################################################################################
#
# YYY Improvement needed for iptables to check if kernel modules are used or not.
# If they are not used and iptables is not found in configuration, no checks should be performed.
#
# Test : FIRE-4511
# Description : Check iptables kernel module
Register --test-no FIRE-4511 --os Linux --weight L --network NO --description "Check iptables kernel module"

20
include/tests_homedirs
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -28,7 +28,6 @@
#
#################################################################################
#
# Test : HOME-9302
# Description : Create list with home directories
Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
@ -100,19 +99,6 @@
logtext "Output: ${IGNORE_HOME_DIRS}"
fi
fi
#YYY
#echo -n " - Checking PATH variable vulnerabilities"
#
#FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'`
#if [ "${FIND}" = "" ]
# then
# logtext "Result: Ok, no special things found in the PATH variable"
# else
# echo "[ ${WARNING}WARNING${NORMAL} ]"
# logtext "Warning: Probably found \".\" in the PATH. Details: ${FIND}"
#fi
#
#
#################################################################################
#
@ -121,4 +107,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

2
include/tests_printers_spools
View File

@ -293,4 +293,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

26
include/tests_scheduling
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -139,16 +139,16 @@
# Description : Check atd status
Register --test-no SCHD-7718 --weight L --network NO --description "Check at users"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking atd status"
FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
ATD_RUNNING=1
else
logtext "Result: at daemon not active"
Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
fi
logtext "Test: Checking atd status"
FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
ATD_RUNNING=1
else
logtext "Result: at daemon not active"
Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
fi
fi
#
#################################################################################
@ -247,4 +247,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

6
include/tests_solaris
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
# Web site: http://cisofy.com
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -66,4 +66,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

59
include/tests_squid
View File

@ -103,15 +103,6 @@
fi
#
#################################################################################
#
# # Test : SQD-3608
# # Description : Check Squid build options
# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SQD-3608 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
# if [ ${SKIPTEST} -eq 0 ]; then
# fi
#
#################################################################################
#
# Test : SQD-3610
# Description : Check Squid configuration options
@ -129,15 +120,6 @@
fi
#
#################################################################################
#
# # Test : SQD-3612
# # Description : Check Squid additional configuration files
# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SQD-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check additional Squid configuration files"
# if [ ${SKIPTEST} -eq 0 ]; then
# fi
#
#################################################################################
#
# Test : SQD-3613
# Description : Check Squid configuration options
@ -315,7 +297,6 @@
#
#################################################################################
#
# Test : SQD-3680
# Description : Check httpd_suppress_version_string
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@ -338,46 +319,6 @@
#################################################################################
#
# Squid
#Hardening:
# $1 $3
# acl snmp_community
# acl maxconn
# acl max_user_ip
#
# follow_x_forwarded_for
#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well)
#Read cache_peer_domain
#Read cache_peer_access
#Read icp_access
#Read icp_port
#Read htcp_access
#Read htcp_port
#Read http_port
#Read https_port
#Read cache_dir
#Read access_log
#Read coredump_dir
#Read quick_abort_min / max /pct
#
# Memory tuning
#Read cache_mem
#Read maximum_object_size_in_memory
#Read maximum_object_size
#Read cache_swap_low
#Read cache_swap_high
# Security
#cache_effective_user
# off
#forwarded_for
#wccp
#
#################################################################################
#
wait_for_keypress
#

82
include/tests_ssh
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -79,28 +79,6 @@
fi
#
#################################################################################
#
# # Test : SSH-7406
# # Description : Check for a running SSH daemon
# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon"
# CheckOption "^Port " ${SSH_DAEMON_CONFIG}
# if [ ${FOUND} -eq 1 ]; then
# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'`
# # Check if this output is numeric and usuable for later (e.g. in netstat output)
# Display --indent 2 --text "- Checking SSH listening port" --result FOUND --color GREEN
# logtext "Result: setting port number to ${FIND}"
# SSH_DAEMON_PORT="${FIND}"
# else
# Display --indent 2 --text "- Checking SSH listening port" --result "NOT FOUND" --color WHITE
# logtext "Result: setting port to default number, as no other port has been configured"
# SSH_DAEMON_PORT="22"
# fi
# fi
#
#################################################################################
#
# Test : SSH-7408
# Description : Check SSH specific defined options
@ -202,32 +180,6 @@
fi
#
#################################################################################
#
# Test : SSH-7418
# Description : Check SSH Port option
# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SSH-7418 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Port"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: check allowed SSH protocol versions"
# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'`
# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
# logtext "Result: Protocol option is set to allow SSH protocol version 1"
# Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
# AddHP 0 3
# else
# if [ "${FIND}" = "2" ]; then
# logtext "Result: only protocol 2 is allowed"
# Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN
# AddHP 3 3
# else
# logtext "Result: value of Protocol is unknown (not defined)"
# Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE
# fi
# fi
# fi
#
#################################################################################
#
# Test : SSH-7440
# Description : AllowUsers / AllowGroups
@ -269,33 +221,7 @@
#
#################################################################################
#
# Test : SSH-7464
# Description : HashKnownHosts
#if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no SSH-7464 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: HashKnownHosts"
#if [ ${SKIPTEST} -eq 0 ]; then
# /etc/ssh/ssh_config
# ReportSuggestion ${TEST_NO} "HashKnownHosts option can migitate worm attacks"
#AddHP 2 2
#fi
#
#################################################################################
#
# Test : SSH-7480
# Description : AllowUsers / AllowGroups
# Goal : Scan SSH daemon
#if [ ! ${SSHKEYSCANBINARY} = "" -a ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no SSH-7480 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
#if [ ${SKIPTEST} -eq 0 ]; then
# First determine what port the local instance of SSH daemon is running on. If unknown, use port 22
# FIND=`${SSHKEYSCANBINARY} localhost 2>&1 | grep OpenSSH | egrep -i "bsd|debian|ubuntu|redhat"`
#
#################################################################################
#
# sshd -T can provide additional insights
#
#################################################################################
#
report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
#report "ssh_daemon_port=${SSH_DAEMON_PORT}"
@ -303,4 +229,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

12
include/tests_storage
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -108,14 +108,6 @@
#
#################################################################################
#
# Use modprobe --showconfig to test for options
# NetBSD: amd (auto mount daemon)
#
#################################################################################
#
wait_for_keypress

6
include/tests_storage_nfs
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -177,4 +177,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

16
include/tests_time
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -22,6 +22,7 @@
#
#################################################################################
#
CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
NTP_DAEMON=""
NTP_DAEMON_RUNNING=0
NTP_CONFIG_FOUND=0
@ -29,9 +30,7 @@
NTP_CONFIG_TYPE_SCHEDULED=0
NTP_CONFIG_TYPE_EVENTBASED=0
NTP_CONFIG_TYPE_STARTUP=0
# Specific for ntpd
NTPD_RUNNING=0
CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
NTPD_RUNNING=0 # Specific for ntpd
SYSTEMD_NTP_ENABLED=0
#
#################################################################################
@ -117,10 +116,6 @@
fi
done
##########################
# To do: test on Solaris #
##########################
# Don't run check in cron job directory on Solaris
# /etc/cron.d/FIFO is a special file and test get stuck at this file
FOUND_IN_CRON=0
@ -360,7 +355,6 @@
#
# Test : TIME-3136
# Description : Check ntpq reported ntp version (Linux)
# Notes : Test could be improved by checking every host (YYY)
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version"
if [ ${SKIPTEST} -eq 0 ]; then
@ -460,4 +454,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

6
include/tests_tooling
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -125,4 +125,4 @@
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

11
include/tests_virtualization
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -29,9 +29,9 @@
# # Initialise
# VMWARE_GUEST=0
# Display --indent 2 --text "- Checking VMware guest status"
# #YYY check memory driver file
# #YYY check LKM list
# #YYY check vmware tools
# # check memory driver file
# # check LKM list
# # check vmware tools
# logtext "Test: checking VMware tools daemon presence"
# if [ ! "${VMWARETOOLSBINARY}" = "" ]; then
# logtext "Result: VMware tools binary found"
@ -46,9 +46,8 @@
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

11
include/tests_webservers
View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -693,11 +693,6 @@
# Description : Nginx: Check for server_tokens off in configuration files
#
#################################################################################
#
# Scan for websites
#/etc/apache2/sites-available
#
#################################################################################
#
# Remove temp file (double check)
@ -709,4 +704,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com