diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 00000000..08dce83e
--- /dev/null
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,21 @@
+name: Mark stale issues and pull requests
+
+on:
+  schedule:
+  - cron: "0 0 * * *"
+
+jobs:
+  stale:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/stale@v1
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'Stale issue message'
+        stale-pr-message: 'Stale pull request message'
+        stale-issue-label: 'no-issue-activity'
+        stale-pr-label: 'no-pr-activity'
+        days-before-stale: 14
+        days-before-close: 90
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a0da6223..0728f8c9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
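Review bot: The two message strings are still the template placeholders (`stale-issue-message: 'Stale issue message'` and `stale-pr-message: 'Stale pull request message'`), so contributors will receive that literal text on their issues and pull requests; replace them with a sentence that explains the 14-day inactivity threshold and the 90-day close. The action is referenced by the mutable tag `actions/stale@v1`, which lets the code that runs with the repository token change without a commit here; pinning to a full commit SHA with the version kept in a trailing comment (`uses: actions/stale@<commit-sha> # v1`) is the usual hardening for a scheduled workflow. Since the job only needs to label, comment and close, the token grant can also be narrowed with a `permissions:` block limited to `issues: write` and `pull-requests: write`.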
@@ -1,12 +1,322 @@ # Lynis Changelog -## Lynis 2.7.2 (not released yet) +## Lynis 3.0.1 (2020-10-05) ### Added -- Support for end-of-life detection of the operating system +- Detection of Alpine Linux +- Detection of CloudLinux +- Detection of Kali Linux +- Detection of Linux Mint +- Detection of macOS Big Sur (11.0) +- Detection of Pop!_OS +- Detection of PHP 7.4 +- Malware detection tool: Microsoft Defender ATP +- New flag: --slow-warning to allow tests more time before showing a warning +- Test TIME-3185 to check systemd-timesyncd synchronized time +- rsh host file permissions + +### Changed +- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions +- BOOT-5122 - Presence check for grub.d added +- CRYP-7902 - Added support for certificates in DER format +- CRYP-7931 - Added data to report +- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) +- FILE-6430 - Don't grep nonexistant modprobe.d files +- FIRE-4535 - Set initial firewall state +- INSE-8312 - Corrected text on screen +- KRNL-5728 - Handle zipped kernel configuration correctly +- KRNL-5830 - Improved version detection for non-symlinked kernel +- MALW-3280 - Extended detection of BitDefender +- TIME-3104 - Find more time synchronization commands +- TIME-3182 - Corrected detection of time peers +- Fix: hostid generation routine would sometimes show too short IDs +- Fix: language detection +- Generic improvements for macOS +- German translation updated +- End-of-life database updated +- Several minor code enhancements --------------------------------------------------------------------------------- +## Lynis 3.0.0 (2020-06-18) + +This is a major release of Lynis and includes several big changes. +Some of these changes may break your current usage of the tool, so test before +deployment! 
+
+### Security issues
+This release resolves two security issues
+* CVE-2020-13882 - Discovered by Sander Bos, code submission by Katarina Durechova
+* CVE-2019-13033 - Discovered by Sander Bos
+
+### Breaking change: Non-interactive by default
+Lynis now runs non-interactive by default, to be more in line with the Unix
+philosophy. So the previously used '--quick' option is now default, and the tool
+will only wait when using the '--wait' option.
+
+### Breaking change: Deprecated options
+- Option: -c
+- Option: --check-update/--info
+- Option: --dump-options
+- Option: --license-key
+
+### Breaking change: Profile options
+The format of all profile options are converted (from key:value to key=value).
+You may have to update the changes you made in your custom.prf.
+
+### Security
+An important focus area for this release is on security. We added several
+measures to further tighten any possible misuse.
+
+## New: DevOps, Forensics, and pentesting mode
+This release adds initial support to allow defining a specialized type of audit.
+Using the relevant options, the scan will change base on the intended goal.
+
+### Added
+- Security: test PATH and warn or exit on discovery of dangerous location
+- Security: additional safeguard by testing if common system tools are available
+- Security: test parameters and arguments for presence of control characters
+- Security: filtering out unexpected characters from profiles
+- Security: test if setuid bit is set on Lynis binary
+- New function: DisplayException
+- New function: DisplayWarning
+- New function: Equals
+- New function: GetReportData
+- New function: HasCorrectFilePermissions
+- New function: Readonly
+- New function: SafeFile
+- New function: SafeInput
+- New option: --usecwd - run from the current working directory
+- New profile option: disable-plugin - disables a single plugin
+- New profile option: ssl-certificate-paths-to-ignore - ignore a path
+- New test: AUTH-9229 - check used password hashing methods
+- New test: AUTH-9230 - check group password hashing rounds
+- New test: BOOT-5109 - test presence rEFInd boot loader
+- New test: BOOT-5264 - run systemd-analyze security
+- New test: CRYP-7930 - test for LUKS encryption
+- New test: CRYP-7931 - determine if system uses encrypted swap
+- New test: CRYP-8004 - presence of hardware random number generator
+- New test: CRYP-8005 - presence of software random number generator
+- New test: DBS-1828 - PostgreSQL configuration files
+- New test: FILE-6394 - test virtual memory swappiness (Linux)
+- New test: FINT-4316 - presence of AIDE database and size test
+- New test: FINT-4340 - check dm-integrity status (Linux)
+- New test: FINT-4341 - verify status of dm-verity (Linux)
+- New test: INSE-8314 - test for NIS client
+- New test: INSE-8316 - test for NIS server
+- New test: NETW-2400 - test hostname for valid characters and length
+- New test: NETW-2706 - check DNSSEC (systemd)
+- New test: NETW-3200 - determine enabled network protocols
+- New test: PHP-2382 - detect listen option in PHP (FPM)
+- New test: PROC-3802 - check presence of prelink tooling
+- New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD
+- New test: TIME-3181 - check status of OpenNTPD time synchronisation
+- New test: TIME-3182 - check OpenNTPD has working peers
+- New report key: openssh_daemon_running
+- New command: lynis generate systemd-units
+- Sending USR1 signal to Lynis process will show active status
+- Measure timing of tests and report slow tests (10+ seconds)
+- Initial support for Clear Linux OS
+- Initial support for PureOS
+- Support for X Binary Package (xbps)
+- Added end-of-life data for Arch Linux and Debian
+- Detection and end-of-life data added for Amazon Linux
+- Detection of linux-lts on Arch Linux
+- Translations: Russian added
+
+### Changed
+- Function: CheckItem() now returns only exit code (ITEM_FOUND is dropped)
+- Function: IsRunning supports the --user flag to define a related user
+- Function: PackageIsInstalled extended with pacman support
+- Profiles: unused options removed
+- Profiles: message is displayed when old format "key:value" is used
+- Binaries: skip pacman when it is the game instead of package manager
+- Security: the 'nounset' (set -u) parameter is now activated by default
+- AUTH-9228 - HP-UX support
+- AUTH-9234 - NetBSD support
+- AUTH-9252 - corrected permission check
+- AUTH-9266 - skip .pam-old files in /etc/pam.d
+- AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD
+- AUTH-9282 - fix: temporary variable was overwritten
+- AUTH-9408 - added support for pam_tally2 to log failed logins
+- AUTH-9489 - test removedd as it is merged with AUTH-9218
+- BANN-7126 - additional words for login banner are accepted
+- BOOT-5122 - check for defined password in all GRUB configuration files
+- CONT-8106 - support newer 'docker info' output
+- CRYP-7902 - optionally check also certificates provided by packages
+- CRYP-8002 - gather kernel entropy on Linux systems
+- FILE-6310 - support for HP-UX
+- FILE-6330 - corrected description
+- FILE-6374 - changed log and allow root location to be changed
+- FILE-6374 - corrected condition to find 'defaults' flag in /etc/fstab
+- FILE-6430 - minor code improvements and show suggestion with more details
+- FILE-7524 - optimized file permissions testing
+- FINT-4328 - corrected text in log
+- FINT-4334 - improved process detection for lfd
+- HOME-9304 - improved selection for normal users
+- HOME-9306 - improved selection for normal users
+- INSE-8050 - added com.apple.ftp-proxy and improved text output
+- INSE-8050 - corrected function call for showing suggestion
+- INSE-8116 - added rsync service
+- INSE-8314 - changed text of suggestion
+- INSE-8318 - test for TFTP client tools
+- INSE-8320 - test for TFTP server tools
+- INSE-8342 - renamed to INSE-8304
+- KRNL-5788 - don't complain about missing /vmlinuz for Raspi
+- KRNL-5820 - extended check to include limits.d directory
+- KRNL-5830 - skip test partially when running non-privileged
+- KRNL-5830 - detect required reboots on Raspbian
+- LOGG-2154 - added support for rsyslog configurations
+- LOGG-2190 - skip mysqld related entries
+- MACF-6234 - SELinux tests extended
+- MAIL-8804 - replaced static strings with translation-aware strings
+- MALW-3280 - Kaspersky detection added
+- MALW-3280 - CrowdStrike falcon-sensor detection added
+- NAME-4402 - check if /etc/hosts exists before performing test
+- NAME-4404 - improved screen and log output
+- NAME-4408 - corrected Report function call
+- NETW-3032 - small rewrite of test and extended with addrwatch
+- PHP-2372 - don't look in the cli configuration files
+- PKGS-7388 - only perform check for Debian/Ubuntu/Mint
+- PKGS-7410 - use multiple package managers when available
+- PKGS-7410 - added support for Zypper to test number of kernels
+- PRNT-2308 - check also for Port and SSLListen statements
+- PROC-3602 - allow different root directory
+- PROC-3612 - show 'Not found' instead of 'OK'
+- PROC-3614 - show 'Not found' instead of 'OK'
+- PROC-3802 - limit to Linux only (prelink package check)
+- SCHD-7702 - removed hardening points
+- SINT-7010 - limit test to only macOS systems
+- SSH-7402 - detect other SSH daemons like dropbear
+- SSH-7406 - strip OpenSSH patch version and remove characters (carriage return)
+- SSH-7408 - changed text in suggestion and report
+- SSH-7408 - added forced-commands-only option
+- SSH-7408 - VerifyReverseMapping removed (deprecated)
+- SSH-7408 - corrected OpenSSH server version check
+- STRG-1840 - renamed to USB-1000
+- STRG-1842 - added default authorized devices and renamed to USB-2000
+- TIME-3104 - use find to discover files in cron directories
+- TOOL-5002 - differentiate between a discovered binary and running process
+- TOOL-5160 - added support for OSSEC agent daemon
+- Perform additional check to ensure pacman package manager is used
+- Use 'pre-release/release' (was: 'dev/final') with 'lynis show release'
+- Use only locations from PATH environment variable, unless it is not defined
+- Show tip to use 'lynis generate hostids' when host IDs are missing
+- The 'show changelog' command works again for newer versions
+- Several code cleanups, simplification of commands, and code standardization
+- Tests using lsof may ignore individual threads (if supported)
+- Corrected end-of-life detection for CentOS 7 and CentOS 8
+- Tests can require detected package manager (--package-manager-required)
+- Do not show tool tips when quiet option is used
+- Improved screen output in several tests
+- Extended output of 'lynis update info'
+- Improved support for NetBSD
+- Test if profiles are readable
+- systemd service file adjusted
+- bash completion script extended
+- Updated man page
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.7.5 (2019-06-24)
+
+### Added
+- Danish translation
+- Slackware end-of-life information
+- Detect BSD-style (rc.d) init in Linux systems
+- Detection of Bro and Suricata (IDS)
+
+### Changed
+- Corrected end-of-life entries for CentOS 5 and 6
+- AUTH-9204 - change name to check in /etc/passwd file for QNAP devices
+- AUTH-9268 - AIX enhancement to use correct find statement
+- FILE-6310 - Filter on correct field for AIX
+- NETW-3012 - set ss command as preferred option for Linux and changed output format
+- List of PHP ini file locations has been extended
+- Removed several pieces of the code as part of cleanup and code health
+- Extended help
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.7.4 (2019-04-21)
+
+This is a bigger release than usual, including several new tests created by
+Capashenn (GitHub). It is a coincidence that it is released exactly one month
+after the previous version and on Easter. No easter eggs, only improvements!
+
+### Added
+- FILE-6324 - Discover XFS mount points
+- INSE-8000 - Installed inetd package
+- INSE-8100 - Installed xinetd package
+- INSE-8102 - Status of xinet daemon
+- INSE-8104 - xinetd configuration file
+- INSE-8106 - xinetd configuration for inactive daemon
+- INSE-8200 - Usage of TCP wrappers
+- INSE-8300 - Presence of rsh client
+- INSE-8302 - Presence of rsh server
+- Detect equery binary detection
+- New 'generate' command
+
+### Changed
+- AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
+- PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
+- PKGS-7420 - Detect toolkit to automatically download and apply upgrades
+- PKGS-7328 - Added global Zypper option --non-interactive
+- PKGS-7330 - Added global Zypper option --non-interactive
+- PKGS-7386 - Only show warning when vulnerable packages were discovered
+- PKGS-7392 - Skip test for Zypper-based systems
+- Minor changes to improve text output, test descriptions, and logging
+- Changed CentOS identifiers in end-of-life database
+- AIX enhancement for IsRunning function
+- Extended PackageIsInstalled function
+- Improve text output on AIX systems
+- Corrected lsvg binary detection
+
+--------------------------------------------------------------------------------- + +## Lynis 2.7.3 (2019-03-21) + +### Added +- Detection for Lynis being scheduled (e.g. cronjob) + +### Changed +- HTTP-6624 - Improved logging for test +- KRNL-5820 - Changed color for default fs.suid_dumpable value +- LOGG-2154 - Adjusted test to search in configuration file correctly +- NETW-3015 - Added support for ip binary +- SQD-3610 - Description of test changed +- SQD-3613 - Corrected description in code +- SSH-7408 - Increased values for MaxAuthRetries +- Improvements to allow tailored tool tips in future +- Corrected detection of blkid binary +- Minor textual changes and cleanups + +--------------------------------------------------------------------------------- + +## Lynis 2.7.2 (2019-03-07) + +### Added +- AUTH-9409 - Support for doas (OpenBSD) +- AUTH-9410 - Test file permissions of doas configuration +- BOOT-5117 - Support for systemd-boot boot loader added +- BOOT-5177 - Simplify service filter and allow multiple dots in service names +- BOOT-5262 - Check OpenBSD boot daemons +- BOOT-5263 - Test permissions for boot files and scripts +- Support for end-of-life detection of the operating system +- New 'lynis show eol' command +- Korean translation + +### Changed +- AUTH-9252 - Adds support for files in sudoers.d +- AUTH-9252 - Test extended to check file and directory ownership +- BOOT-5122 - Use NONE instead of WARNING if no password is set +- FIRE-4540 - Modify test to better measure rules +- KRNL-5788 - Resolve false positive warning on missing /vmlinuz +- NETW-2704 - Ignore inline comments in /etc/resolv.conf +- PKGS-7388 - Improve detection for security archive +- RPi/Raspian path to PAM_FILE_LOCATIONS + +--------------------------------------------------------------------------------- ## Lynis 2.7.1 (2019-01-30) 
@@ -2708,10 +3018,10 @@ Lynis 1.1.7 (2008-06-28)
  - Added dig availability check to DNS test [NETW-2704]
  - Bugfix: Fixed iptables test if the binary is not located in /sbin [FIRE-4512]
  - Bugfix: Improved yum-utils check to display suggestions correctly [PKGS-7384]
- - Bugfix: Fixed prequisits for grpck test [AUTH-9216]
+ - Bugfix: Fixed prerequisites for grpck test [AUTH-9216]
  - Improved MySQL check [DBS-1804]
  - Changed color at chkconfig boot services test [BOOT-5177]
- - Added missing prequisits output to portaudit test [PKGS-7382]
+ - Added missing prerequisites output to portaudit test [PKGS-7382]
  - Test output for FreeBSD mounts (UFS) improved [FILE-6329]
  - Extended OpenLDAP test to avoid finding itself in ps output [LDAP-2219]
  - Several tests have their warning reporting improved
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index f31b9eb3..66a7b19b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,3 +1,4 @@
+
 # Contributions
 
 ## Helping out
@@ -6,13 +7,13 @@ Run the tool in debug mode (use lynis audit system --profile developer.prf) and
 see if it shows any error.
 
 ### Report bugs
-Create an GitHub issue on the issue tracker
+Create a GitHub issue on the issue tracker.
 
 ### Suggest changes (pull request)
 When you find something that can be improved, fork the project and create a pull request.
 
 ### Translations
-See the db/languages directory
+See the db/languages directory.
 
 ## Developer Guidelines
 
@@ -30,13 +31,13 @@ Identation should be 4 spaces (no tab character). ### Comments Comments: use # sign followed by a space. When needed, create a comment block. -Blank lines: allowed, one line maximum +Blank lines: allowed, one line maximum. ### Functions All functions use CamelCase to clearly show a difference between shell built-in commands, or external commands. ### Variables -Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) +Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1). ## Pull Requests
@@ -56,7 +57,7 @@ to this repository, you agree that you: 4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution -If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com) +If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com). ## Unlimited Rights
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index 6386c453..419c3e72 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -39,12 +39,14 @@ These people made a significant impact to the development of Lynis:
 * C.J. Adams-Collier, US
 * Charlie Heselton, US
 * Dave Vehrs
+* David Marzal Cánovas, Spain
 * Eric Light, New Zealand
 * Kamil Boratyński, Poland
 * Mike Slifcak, US
 * Mikko Lehtisalo, Finland
 * Steve Bosek, France
 * Thomas Siebel, Germany
+* Topi Miettinen, Finland
 * Zach Crownover
 
 
diff --git a/FAQ b/FAQ
index 80f8b934..f2891428 100644
--- a/FAQ
+++ b/FAQ
@@ -98,4 +98,4 @@ ================================================================================ - Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com + Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/HAPPY_USERS.md b/HAPPY_USERS.md
new file mode 100644
index 00000000..53677c52
--- /dev/null
+++ b/HAPPY_USERS.md
@@ -0,0 +1,38 @@
+# Happy users of the Lynis project
+
+## Community
+
+Since 2007, the Lynis project helped many system administrators and security
+professionals to scan their systems and perform system hardening. Happy users
+and contributors are the foundation of a healthy project.
+
+
+## Your contribution
+
+Are you also using Lynis? Contribute to the project by let others know:
+1) What you like about the tool
+2) How you use it
+
+Your addition to the guestbook below will help existing and new users learn more
+about how Lynis can help them.
+
+### How to
+
+Create a pull request and add your name above the first entry. Thanks!
+
+
+## Our guestbook
+
+
+* YOUR NAME AND STORY
+
+
+* Michael Boelen - September 2019
+The development of Lynis learned me a lot about Linux and Unix security. It is
+installed on all my systems to uncover unexpected configuration issues. The
+valuable feedback and contributions give me the energy to continue to work on
+its development, even after 12+ years!
+
+* Catalyst.net IT - January 2020
+Lynis gave us great insight in to the security state of our systems, as well as where we can improve.
+
diff --git a/INSTALL b/INSTALL
index 1f7784fa..b79a8b35 100644
--- a/INSTALL
+++ b/INSTALL
@@ -6,7 +7,7 @@ ================================================================================ Author: 2007-2013, Michael Boelen (michael.boelen@cisofy.com) - 2013-2016, CISOfy development team + 2013-now, CISOfy development team Description: Security and system auditing tool Web site: https://cisofy.com Support: See 'Support' and https://cisofy.com/support/
@@ -48,4 +48,4 @@ ================================================================================ - Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com + Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/README.md b/README.md
index c60ab786..67706f14 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@ + [![Linux Security Expert badge](https://badges.linuxsecurity.expert/tools/ranking/lynis.svg)](https://linuxsecurity.expert/tools/lynis/) [![Build Status](https://travis-ci.org/CISOfy/lynis.svg?branch=master)](https://travis-ci.org/CISOfy/lynis) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/96/badge)](https://bestpractices.coreinfrastructure.org/projects/96) 
@@ -14,7 +15,7 @@ Do you like this software? **Star the project** and become a [stargazer](https:/ > Lynis - Security auditing and hardening tool, for UNIX-based systems. -Lynis is a security auditing for system based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team", nowadays penetration testers also have Lynis in their toolkit. +Lynis is a security auditing tool for systems based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team," nowadays penetration testers also have Lynis in their toolkit. We believe software should be **simple**, **updated on a regular basis**, and **open**. You should be able to trust, understand, and have the option to change the software. Many agree with us, as the software is being used by thousands every day to protect their systems. 
@@ -55,18 +56,21 @@ Typical users of the software: If you want to run the software as `root`, we suggest changing the ownership of the files. Use `chown -R 0:0` to recursively alter the owner and group and set it to user ID `0` (`root`). -### Package +### Software Package -Stable releases of Lynis are packaged and made available as RPM or DEB package. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running : +For Linux, BSD, and macOS, there is typically a package available. The Lynis project also provides packages in RPM or DEB format. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running: `CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others. -### Enterprise version +Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions) +If they don't provide an up-to-date version, consider the CISOfy repository, tarball (website), or GitHub release. + +### Enterprise Version This software component is also part of an enterprise solution. Same quality, yet with more functionality. Focus areas include compliance (`PCI DSS`, `HIPAA`, `ISO27001`, and others). The Enterprise version comes with: -* a web interface and features a dashboard ; -* hardening snippets ; +* a web interface and features a dashboard; +* hardening snippets; * and an improvement plan. ## Documentation 
@@ -100,7 +104,7 @@ Lynis is collecting some awards and we are proud of that. > We love contributors. -Do you have something to share? Or help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com. +Do you have something to share? Want to help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com. More details can be found in the [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTING.md).
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..7f5895cd
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | ------------------ |
+| 3.x.x | :white_check_mark: |
+| 2.x.x | :white_check_mark: |
+| < 2.x | :x: |
+
+## Reporting a Vulnerability
+
+To report a vulnerability, use security@cisofy.com
+
+See our [security page](https://cisofy.com/security/) for more details.
+
+## Preferred language
+
+English
+
+## Acknowledgments
+
+https://cisofy.com/security/#thanks
+
+## Other
+
+See the latest 'security.txt' at https://cisofy.com/.well-known/security.txt
diff --git a/db/languages/da b/db/languages/da
new file mode 100644
index 00000000..d26c1220
--- /dev/null
+++ b/db/languages/da
@@ -0,0 +1,41 @@
+ERROR_NO_LICENSE="Ingen licensnøgle konfigureret"
+ERROR_NO_UPLOAD_SERVER="Ingen upload server konfigureret"
+GEN_CHECKING="Tjekker"
+GEN_CURRENT_VERSION="Nuværende version"
+GEN_DEBUG_MODE="Fejlfindingstilstand"
+GEN_INITIALIZE_PROGRAM="Initialiserer program"
+GEN_LATEST_VERSION="Seneste version"
+GEN_PHASE="Fase"
+GEN_PLUGINS_ENABLED="Plugins aktiverede"
+GEN_UPDATE_AVAILABLE="opdatering tilgængelig"
+GEN_VERBOSE_MODE="Detaljeret tilstand"
+GEN_WHAT_TO_DO="At gøre"
+NOTE_EXCEPTIONS_FOUND="Undtagelser fundet"
+NOTE_EXCEPTIONS_FOUND_DETAILED="Nogle usædvanlige hændelser eller information var fundet"
+NOTE_PLUGINS_TAKE_TIME="Bemærk: plugins har mere omfattende tests og kan tage flere minutter at fuldføre"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Sprang over tests på grund af ikke-privilegeret tilstand"
+SECTION_CUSTOM_TESTS="Brugerdefinerede Tests"
+SECTION_MALWARE="Malware"
+SECTION_MEMORY_AND_PROCESSES="Hukommelse og Processer"
+STATUS_DISABLED="DEAKTIVERET"
+STATUS_DONE="FÆRDIG"
+STATUS_ENABLED="AKTIVERET"
+STATUS_NOT_ENABLED="IKKE AKTIVERET"
+STATUS_ERROR="FEJL"
+STATUS_FOUND="FUNDET"
+STATUS_YES="JA"
+STATUS_NO="NEJ"
+STATUS_OFF="FRA"
+STATUS_OK="OK"
+STATUS_ON="TIL"
+STATUS_NONE="INGEN"
+STATUS_NOT_FOUND="IKKE FUNDET"
+STATUS_NOT_RUNNING="KØRER IKKE"
+STATUS_RUNNING="KØRER"
+STATUS_SKIPPED="SPRUNGET OVER"
+STATUS_SUGGESTION="FORSLAG"
+STATUS_UNKNOWN="UKENDT"
+STATUS_WARNING="ADVARSEL"
+STATUS_WEAK="SVAG"
+TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil"
+TEXT_UPDATE_AVAILABLE="opdatering tilgængelig"
diff --git a/db/languages/de b/db/languages/de
index 34b909e2..ef6711c8 100644
--- a/db/languages/de
+++ b/db/languages/de
@@ -1,38 +1,45 @@
-GEN_PHASE="Phase"
+ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
+ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
 GEN_CHECKING="Überprüfung"
 GEN_CURRENT_VERSION="Aktuelle Version"
 GEN_DEBUG_MODE="Debug-Modus"
-GEN_INITIALIZE_PROGRAM="Initiiere Programm"
+GEN_INITIALIZE_PROGRAM="Initialisiere Programm"
+GEN_LATEST_VERSION="Aktuellste Version"
+GEN_PHASE="Phase"
 GEN_PLUGINS_ENABLED="Plugins aktiviert"
-GEN_VERBOSE_MODE="Ausführlicher Modus"
 GEN_UPDATE_AVAILABLE="Aktualisierung verfügbar"
+GEN_VERBOSE_MODE="Ausführlicher Modus"
 GEN_WHAT_TO_DO="Was zu tun ist"
 NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden"
 NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden"
 NOTE_PLUGINS_TAKE_TIME="Beachte: Plugins beinhalten eingehendere Tests und können mehrere Minuten benötigen, bis sie abgeschlossen sind"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus"
 SECTION_CUSTOM_TESTS="Benutzerdefinierte Tests"
+SECTION_DATA_UPLOAD="Daten hochladen"
+SECTION_INITIALIZING_PROGRAM="Initialisiere Programm"
 SECTION_MALWARE="Malware"
 SECTION_MEMORY_AND_PROCESSES="Speicher und Prozesse"
+SECTION_SYSTEM_TOOLS="Systemwerkzeuge"
+STATUS_DISABLED="DEAKTIVIERT"
 STATUS_DONE="FERTIG"
+STATUS_ENABLED="AKTIVIERT"
+STATUS_ERROR="FEHLER"
+STATUS_FAILED="FEHLERHAFT"
 STATUS_FOUND="GEFUNDEN"
-STATUS_YES="JA"
 STATUS_NO="NEIN"
+STATUS_NONE="NICHTS"
+STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT"
+STATUS_NOT_FOUND="NICHT GEFUNDEN"
+STATUS_NOT_RUNNING="LÄUFT NICHT"
 STATUS_OFF="AUS"
 STATUS_OK="OK"
 STATUS_ON="AN"
-STATUS_NONE="NICHTS"
-STATUS_NOT_FOUND="NICHT GEFUNDEN"
-STATUS_NOT_RUNNING="LÄUFT NICHT"
 STATUS_RUNNING="LÄUFT"
 STATUS_SKIPPED="ÜBERSPRUNGEN"
 STATUS_SUGGESTION="VORSCHLAG"
 STATUS_UNKNOWN="UNBEKANNT"
 STATUS_WARNING="WARNUNG"
-TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
+STATUS_WEAK="SCHWACH"
+STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus"
-STATUS_DISABLED="DEAKTIVIERT"
-STATUS_ENABLED="AKTIVIERT"
-STATUS_ERROR="FEHLER"
-ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
-ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
+TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
diff --git a/db/languages/de-AT b/db/languages/de-AT
new file mode 120000
index 00000000..c42e816f
--- /dev/null
+++ b/db/languages/de-AT
@@ -0,0 +1 @@
+de
\ No newline at end of file
diff --git a/db/languages/en b/db/languages/en
index fbd62435..7b697896 100644
--- a/db/languages/en
+++ b/db/languages/en
@@ -14,27 +14,32 @@ NOTE_EXCEPTIONS_FOUND="Exceptions found"
 NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found"
 NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete"
 NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode"
-SECTION_CUSTOM_TESTS="Custom Tests"
+SECTION_CUSTOM_TESTS="Custom tests"
+SECTION_DATA_UPLOAD="Data upload"
+SECTION_INITIALIZING_PROGRAM="Initializing program"
 SECTION_MALWARE="Malware"
 SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
+SECTION_SYSTEM_TOOLS="System tools"
 STATUS_DISABLED="DISABLED"
 STATUS_DONE="DONE"
 STATUS_ENABLED="ENABLED"
 STATUS_ERROR="ERROR"
+STATUS_FAILED="FAILED"
 STATUS_FOUND="FOUND"
-STATUS_YES="YES"
 STATUS_NO="NO"
+STATUS_NONE="NONE"
+STATUS_NOT_CONFIGURED="NOT CONFIGURED"
+STATUS_NOT_FOUND="NOT FOUND"
+STATUS_NOT_RUNNING="NOT RUNNING"
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
-STATUS_NONE="NONE"
-STATUS_NOT_FOUND="NOT FOUND"
-STATUS_NOT_RUNNING="NOT RUNNING"
 STATUS_RUNNING="RUNNING"
 STATUS_SKIPPED="SKIPPED"
 STATUS_SUGGESTION="SUGGESTION"
 STATUS_UNKNOWN="UNKNOWN"
 STATUS_WARNING="WARNING"
 STATUS_WEAK="WEAK"
-TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
+STATUS_YES="YES"
 TEXT_UPDATE_AVAILABLE="update available"
+TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
diff --git a/db/languages/ko b/db/languages/ko
new file mode 100644
index 00000000..df13cf7f
--- /dev/null
+++ b/db/languages/ko
@@ -0,0 +1,40 @@
+ERROR_NO_LICENSE="라이선스 키가 없습니다"
+ERROR_NO_UPLOAD_SERVER="업로드 서버가 설정되지 않았습니다"
+GEN_CHECKING="확인중입니다"
+GEN_CURRENT_VERSION="현재 버전"
+GEN_DEBUG_MODE="디버그 모드"
+GEN_INITIALIZE_PROGRAM="프로그램을 초기화합니다"
+GEN_LATEST_VERSION="최신 버전"
+GEN_PHASE="phase"
+GEN_PLUGINS_ENABLED="플러그인이 활성화되었습니다"
+GEN_UPDATE_AVAILABLE="업데이트 가능"
+GEN_VERBOSE_MODE="상세 모드"
+GEN_WHAT_TO_DO="할 일"
+NOTE_EXCEPTIONS_FOUND="예외 발견"
+NOTE_EXCEPTIONS_FOUND_DETAILED="몇 가지 예외 이벤트나 정보가 발견되었습니다"
+NOTE_PLUGINS_TAKE_TIME="참고: 플러그인은 광범위한 테스트를 거치며 완료될 때까지 몇 분의 시간이 소요됩니다"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="비특권 모드로 인해 테스트를 생략했습니다"
+SECTION_CUSTOM_TESTS="사용자정의 테스트"
+SECTION_MALWARE="악성코드"
+SECTION_MEMORY_AND_PROCESSES="메모리와 프로세스"
+STATUS_DISABLED="비활성화됨"
+STATUS_DONE="완료"
+STATUS_ENABLED="활성화됨"
+STATUS_ERROR="에러"
+STATUS_FOUND="발견"
+STATUS_YES="예"
+STATUS_NO="아니오"
+STATUS_OFF="끔"
+STATUS_OK="OK"
+STATUS_ON="켬"
+STATUS_NONE="없음"
+STATUS_NOT_FOUND="발견되지않음"
+STATUS_NOT_RUNNING="동작하지않음"
+STATUS_RUNNING="동작중"
+STATUS_SKIPPED="생략"
+STATUS_SUGGESTION="추천"
+STATUS_UNKNOWN="알수없음"
+STATUS_WARNING="경고"
+STATUS_WEAK="취약"
+TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다"
+TEXT_UPDATE_AVAILABLE="업데이트 가능"
diff --git a/db/languages/nl b/db/languages/nl
index 21700617..31a694ee 100644
--- a/db/languages/nl
+++ b/db/languages/nl
@@ -1,38 +1,45 @@
+ERROR_NO_LICENSE="Geen licentiecode geconfigureerd"
+ERROR_NO_UPLOAD_SERVER="Geen upload server geconfigureerd"
 GEN_CHECKING="Zoeken naar"
+GEN_CURRENT_VERSION="Huidige versie"
+GEN_DEBUG_MODE="Debug modus"
+GEN_INITIALIZE_PROGRAM="Programma initialiseren"
+GEN_LATEST_VERSION="Laatste versie"
 GEN_PHASE="fase"
-GEN_INITIALIZE_PROGRAM="Initialiseren van programma"
-NOTE_PLUGINS_TAKE_TIME="Plugins hebben uitgebreidere testen en kunnen derhalve enkele minuten duren"
-NOTE_EXCEPTIONS_FOUND="Uitzonderingen gevonden"
-SECTION_CUSTOM_TESTS="Eigen Testen"
+GEN_PLUGINS_ENABLED="Plugins geactiveerd"
+GEN_VERBOSE_MODE="Verbose modus"
+GEN_UPDATE_AVAILABLE="Update beschikbaar"
+GEN_WHAT_TO_DO="Wat te doen"
+NOTE_EXCEPTIONS_FOUND="Bijzonderheden gevonden"
+NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele bijzondere gebeurtenissen of informatie gevonden"
+NOTE_PLUGINS_TAKE_TIME="Let op: plugins hebben uitgebreidere testen en kunnen daardoor enkele minuten duren"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten"
+SECTION_CUSTOM_TESTS="Eigen testen"
+SECTION_DATA_UPLOAD="Data upload"
+SECTION_INITIALIZING_PROGRAM="Programma initialiseren"
 SECTION_MALWARE="Kwaadaardige software (malware)"
 SECTION_MEMORY_AND_PROCESSES="Geheugen en Processen"
-STATUS_DONE="KLAAR"
+SECTION_SYSTEM_TOOLS="Systeem gereedschap"
 STATUS_DISABLED="UITGESCHAKELD"
+STATUS_DONE="KLAAR"
 STATUS_ENABLED="INGESCHAKELD"
+STATUS_ERROR="FOUT"
+STATUS_FAILED="MISLUKT"
 STATUS_FOUND="GEVONDEN"
-STATUS_NO="NEE"
-STATUS_NONE="GEEN"
-STATUS_NOT_FOUND="NIET GEVONDEN"
-STATUS_NOT_RUNNING="NIET ACTIEF"
+STATUS_OFF="UIT"
 STATUS_OK="OK"
 STATUS_ON="AAN"
-STATUS_OFF="UIT"
-STATUS_YES="JA"
+STATUS_NO="NEE"
+STATUS_NONE="GEEN"
+STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD"
+STATUS_NOT_FOUND="NIET GEVONDEN"
+STATUS_NOT_RUNNING="NIET ACTIEF"
 STATUS_RUNNING="ACTIEF"
 STATUS_SKIPPED="OVERGESLAGEN"
 STATUS_SUGGESTION="SUGGESTIE"
 STATUS_UNKNOWN="ONBEKEND"
 STATUS_WARNING="WAARSCHUWING"
-GEN_CURRENT_VERSION="Huidige versie"
-GEN_DEBUG_MODE="Debug mode"
-GEN_PLUGINS_ENABLED="Plugins geactiveerd"
-GEN_VERBOSE_MODE="Verbose mode"
-GEN_UPDATE_AVAILABLE="update beschikbaar"
-GEN_WHAT_TO_DO="Wat te doen"
-NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele uitzonderingen gevonden"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten"
+STATUS_WEAK="ZWAK"
+STATUS_YES="JA"
 TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
 TEXT_UPDATE_AVAILABLE="update beschikbaar"
-STATUS_ERROR="FOUT"
-ERROR_NO_LICENSE="geen licentiecode configureerd"
-ERROR_NO_UPLOAD_SERVER="geen server configureerd voor uploads"
diff --git a/db/languages/ru b/db/languages/ru
index e16f1062..5153a319 100644
--- a/db/languages/ru
+++ b/db/languages/ru
@@ -1,38 +1,38 @@
-GEN_CHECKING="Checking"
-GEN_CURRENT_VERSION="Current version"
-GEN_DEBUG_MODE="Debug mode"
-GEN_INITIALIZE_PROGRAM="Initializing program"
-GEN_PHASE="phase"
-GEN_PLUGINS_ENABLED="Plugins enabled"
-GEN_VERBOSE_MODE="Verbose mode"
-GEN_UPDATE_AVAILABLE="update available"
-GEN_WHAT_TO_DO="What to do"
-NOTE_EXCEPTIONS_FOUND="Exceptions found"
-NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found"
-NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete"
-SECTION_CUSTOM_TESTS="Custom Tests"
-SECTION_MALWARE="Malware"
-SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
-STATUS_DONE="DONE"
-STATUS_FOUND="FOUND"
-STATUS_YES="YES"
-STATUS_NO="NO"
-STATUS_OFF="OFF"
-STATUS_OK="OK"
-STATUS_ON="ON"
-STATUS_NONE="NONE"
-STATUS_NOT_FOUND="NOT FOUND"
-STATUS_NOT_RUNNING="NOT RUNNING"
-STATUS_RUNNING="RUNNING"
-STATUS_SKIPPED="SKIPPED"
-STATUS_SUGGESTION="SUGGESTION"
-STATUS_UNKNOWN="UNKNOWN"
-STATUS_WARNING="WARNING"
-TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
-TEXT_UPDATE_AVAILABLE="update available"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode"
-STATUS_DISABLED="DISABLED"
-STATUS_ENABLED="ENABLED"
-STATUS_ERROR="ERROR"
-ERROR_NO_LICENSE="No license key configured"
-ERROR_NO_UPLOAD_SERVER="No upload server configured"
+GEN_CHECKING="Проверка"
+GEN_CURRENT_VERSION="Текущая версия"
+GEN_DEBUG_MODE="Режим отладки"
+GEN_INITIALIZE_PROGRAM="Инициализация программы"
+GEN_PHASE="Стадия"
+GEN_PLUGINS_ENABLED="Плагины включены"
+GEN_VERBOSE_MODE="Подробный режим"
+GEN_UPDATE_AVAILABLE="доступно обновление"
+GEN_WHAT_TO_DO="Что сделать"
+NOTE_EXCEPTIONS_FOUND="Найдены исключения"
+NOTE_EXCEPTIONS_FOUND_DETAILED="Были найдены некоторые исключительные события или информация"
+NOTE_PLUGINS_TAKE_TIME="Примечание: плагины имеют более обширные тесты и могут занять несколько минут до завершения"
+SECTION_CUSTOM_TESTS="Пользовательские тесты"
+SECTION_MALWARE="Вредоносное ПО"
+SECTION_MEMORY_AND_PROCESSES="Память и процессы"
+STATUS_DONE="Завершено"
+STATUS_FOUND="Найдено"
+STATUS_YES="ДА"
+STATUS_NO="НЕТ"
+STATUS_OFF="Выключено"
+STATUS_OK="ОК"
+STATUS_ON="Включено"
+STATUS_NONE="Отсутствует"
+STATUS_NOT_FOUND="НЕ НАЙДЕНО"
+STATUS_NOT_RUNNING="НЕ ЗАПУЩЕНО"
+STATUS_RUNNING="ЗАПУЩЕНО"
+STATUS_SKIPPED="ПРОПУЩЕНО"
+STATUS_SUGGESTION="ПРЕДЛОЖЕНИЕ"
+STATUS_UNKNOWN="НЕИЗВЕСТНО"
+STATUS_WARNING="ПРЕДУПРЕЖДЕНИЕ"
+TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь предоставив ваш лог-файл"
+TEXT_UPDATE_AVAILABLE="доступно обновление"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Тесты пропущены из-за использования непривилегированного режима"
+STATUS_DISABLED="ОТКЛЮЧЕНО"
+STATUS_ENABLED="ВКЛЮЧЕНО"
+STATUS_ERROR="ОШИБКА"
+ERROR_NO_LICENSE="Лицензионный ключ не настроен"
+ERROR_NO_UPLOAD_SERVER="Загрузочный сервер не настроен"
diff --git a/db/software-eol.db b/db/software-eol.db
index 9bf96c12..2412a203 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
@@ -1,22 +1,176 @@
+#
 # End-of-life for operating systems and software
-# FreeBSD - https://www.freebsd.org/releases/
-os:FreeBSD 9.3:2014-07-01:
-os:FreeBSD 10.0:2014-01-01:
-os:FreeBSD 10.1:2014-11-01:
-os:FreeBSD 10.2:2015-08-01:
-os:FreeBSD 10.3:2016-04-01:
-os:FreeBSD 10.4:2017-10-01:
-os:FreeBSD 11.0:2016-10-01:
-os:FreeBSD 11.1:2017-07-01:
-# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack
-os:Ubuntu 14.04:2019-05-01:
-os:Ubuntu 14.10:2015-07-01:
-os:Ubuntu 15.04:2016-01-01:
-os:Ubuntu 15.10:2016-07-01:
-os:Ubuntu 16.04:2021-05-01:
-os:Ubuntu 16.10:2017-07-01:
-os:Ubuntu 17.04:2018-01-01:
-os:Ubuntu 17.10:2018-07-01:
-os:Ubuntu 18.04:2023-05-01:
-os:Ubuntu 18.10:2019-07-01:
-os:Ubuntu 19.04:2020-01-01:
\ No newline at end of file
+#
+# This file has 4 fields:
+# 1) category
+# 2) name
+# 3) date (human-readable) or empty
+# 4) converted date (seconds since epoch) or -1
+#
+# Date can be converted on Linux using: date "+%s" --date=2020-01-01
+# Seconds since epoch can be verified using: date -d @1467324000 +'%Y-%m-%d'
+#
+# Notes:
+# For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
+# Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching.
+#
+# Amazon Linux
+#
+# Note: shortest entry is listed at end due to regular expression matching being used
+os:Amazon Linux 2:2023-06-26:1687730400:
+os:Amazon Linux:2020-06-30:1593468000:
+#
+# Arch Linux
+#
+os:Arch Linux::-1:
+#
+# CentOS
+#
+os:CentOS release 5:2017-03-31:1490911200:
+os:CentOS release 6:2020-11-30:1606690800:
+os:CentOS Linux 7:2024-06-30:1719698400:
+os:CentOS Linux 8:2029-05-31:1874872800:
+#
+# Debian - https://wiki.debian.org/DebianReleases#Production_Releases
+#
+os:Debian 5.0:2012-02-06:1328482800:
+os:Debian 6.0:2016-02-29:1456700400:
+os:Debian 7:2018-05-31:1527717600:
+os:Debian 8:2020-06-30:1593468000:
+os:Debian 9:2022-01-01:1640991600:
+os:Debian 10:2022-01-01:1640991600:
+#
+# Fedora - https://fedoraproject.org/wiki/End_of_life
+#
+os:Fedora release 25:2017-12-12:1513033200:
+os:Fedora release 26:2018-05-29:1527544800:
+os:Fedora release 27:2018-11-30:1543532400:
+os:Fedora release 28:2019-05-28:1558994400:
+os:Fedora release 29:2019-11-26:1574722800:
+os:Fedora release 30:2020-05-26:1590444000:
+#
+# FreeBSD - https://www.freebsd.org/security/unsupported.html
+#
+os:FreeBSD 9.3:2014-12-31:1419980400:
+os:FreeBSD 10.0:2015-02-28:1425078000:
+os:FreeBSD 10.1:2016-12-31:1483138800:
+os:FreeBSD 10.2:2016-12-31:1483138800:
+os:FreeBSD 10.3:2018-04-30:1525039200:
+os:FreeBSD 10.4:2018-10-31:1540940400:
+os:FreeBSD 11.0:2017-11-30:1511996400:
+os:FreeBSD 11.1:2018-09-30:1538258400:
+os:FreeBSD 11.2:2019-10-31:1572476400:
+os:FreeBSD 12.0:2020-02-29:1582930800:
+#
+# Linux Mint
+#
+os:Linux Mint 18:2021-04-01:1617228000:
+os:Linux Mint 19:2023-04-01:1680300000:
+os:Linux Mint 20:2025-04-01:1743458400:
+#
+# NetBSD - https://www.netbsd.org/support/security/release.html and
+# https://www.netbsd.org/releases/formal.html
+#
+os:NetBSD 2.0:2008-01-19:1200697200:
+os:NetBSD 2.0.1:2008-01-19:1200697200:
+os:NetBSD 2.0.2:2008-01-19:1200697200:
+os:NetBSD 2.0.3:2008-01-19:1200697200:
+os:NetBSD 2.1:2008-01-19:1200697200:
+os:NetBSD 3.0:2009-09-29:1254175200:
+os:NetBSD 3.0.1:2009-09-29:1254175200:
+os:NetBSD 3.0.2:2009-09-29:1254175200:
+os:NetBSD 3.1:2009-09-29:1254175200:
+os:NetBSD 4.0:2012-11-17:1353106800:
+os:NetBSD 4.0.1:2012-11-17:1353106800:
+os:NetBSD 5.0:2015-11-17:1447714800:
+os:NetBSD 5.0.1:2015-10-17:1445032800:
+os:NetBSD 5.0.2:2015-10-17:1445032800:
+os:NetBSD 5.1:2015-10-17:1445032800:
+os:NetBSD 5.1.1:2015-10-17:1445032800:
+os:NetBSD 5.1.2:2015-10-17:1445032800:
+os:NetBSD 5.1.3:2015-10-17:1445032800:
+os:NetBSD 5.1.4:2015-10-17:1445032800:
+os:NetBSD 5.1.5:2015-10-17:1445032800:
+os:NetBSD 5.2.1:2015-10-17:1445032800:
+os:NetBSD 5.2.2:2015-10-17:1445032800:
+os:NetBSD 5.2.3:2015-10-17:1445032800:
+os:NetBSD 6.0:2017-09-17:1505599200:
+os:NetBSD 6.0.1:2017-09-17:1505599200:
+os:NetBSD 6.0.2:2017-09-17:1505599200:
+os:NetBSD 6.0.3:2017-09-17:1505599200:
+os:NetBSD 6.0.4:2017-09-17:1505599200:
+os:NetBSD 6.0.5:2017-09-17:1505599200:
+os:NetBSD 6.1:2017-09-17:1505599200:
+os:NetBSD 6.1.1:2017-09-17:1505599200:
+os:NetBSD 6.1.2:2017-09-17:1505599200:
+os:NetBSD 6.1.3:2017-09-17:1505599200:
+os:NetBSD 6.1.4:2017-09-17:1505599200:
+os:NetBSD 6.1.5:2017-09-17:1505599200:
+os:NetBSD 7.0:2020-03-14:1584162000:
+os:NetBSD 7.0.1:2020-03-14:1584162000:
+os:NetBSD 7.0.2:2020-03-14:1584162000:
+os:NetBSD 7.1:2020-03-14:1584162000:
+os:NetBSD 7.1.1:2020-03-14:1584162000:
+os:NetBSD 7.1.1:2020-03-14:1584162000:
+os:NetBSD 7.2:2020-03-14:1584162000:
+os:NetBSD 8.0::-1:
+os:NetBSD 8.1::-1:
+os:NetBSD 9.0::-1:
+#
+# OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history
+#
+os:OpenBSD 5.8:2016-09-01:1472680800:
+os:OpenBSD 5.9:2017-04-11:1491861600:
+os:OpenBSD 6.0:2017-09-10:1505001600:
+os:OpenBSD 6.1:2018-04-15:1523750400:
+os:OpenBSD 6.2:2018-10-18:1539820800:
+os:OpenBSD 6.3:2019-05-03:1556841600:
+os:OpenBSD 6.4:2019-10-17:1571270400:
+os:OpenBSD 6.5:2020-05-19:1589846400:
+os:OpenBSD 6.6:2020-10-01:1601510400:
+os:OpenBSD 6.7:2021-05-01:1619827200:
+#
+# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
+#
+os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800:
+os:Red Hat Enterprise Linux 7:2024-06-30:1719698400:
+os:Red Hat Enterprise Linux 8:2029-05-07:1872799200:
+#
+# Slackware - https://en.wikipedia.org/wiki/Slackware#Releases
+#
+os:Slackware Linux 8.1:2012-08-01:1343768400:
+os:Slackware Linux 9.0:2012-08-01:1343768400:
+os:Slackware Linux 9.1:2012-08-01:1343768400:
+os:Slackware Linux 10.0:2012-08-01:1343768400:
+os:Slackware Linux 10.1:2012-08-01:1343768400:
+os:Slackware Linux 10.2:2012-08-01:1343768400:
+os:Slackware Linux 11.0:2012-08-01:1343768400:
+os:Slackware Linux 12.0:2012-08-01:1343768400:
+os:Slackware Linux 12.1:2013-12-09:1386540000:
+os:Slackware Linux 12.2:2013-12-09:1386540000:
+os:Slackware Linux 13.0:2018-07-05:1530738000:
+os:Slackware Linux 13.1:2018-07-05:1530738000:
+os:Slackware Linux 13.37:2018-07-05:1530738000:
+#
+# SuSE - https://www.suse.com/lifecycle/
+#
+os:SUSE Linux Enterprise Server 12:2024-10-31:1730329200:
+os:SUSE Linux Enterprise Server 15:2028-07-31:1848607200:
+#
+# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and
+# https://wiki.ubuntu.com/Releases
+#
+os:Ubuntu 14.04:2019-05-01:1556661600:
+os:Ubuntu 14.10:2015-07-01:1435701600:
+os:Ubuntu 15.04:2016-01-01:1451602800:
+os:Ubuntu 15.10:2016-07-01:1467324000:
+os:Ubuntu 16.04:2021-05-01:1619820000:
+os:Ubuntu 16.10:2017-07-01:1498860000:
+os:Ubuntu 17.04:2018-01-01:1514761200:
+os:Ubuntu 17.10:2018-07-01:1530396000:
+os:Ubuntu 18.04:2023-05-01:1682892000:
+os:Ubuntu 18.10:2019-07-18:1563400800:
+os:Ubuntu 19.04:2020-01-01:1577833200:
+os:Ubuntu 20.04:2025-04-01:1743458400:
+#
+# EOF
diff --git a/db/tests.db b/db/tests.db
index cfc6b287..26fc8f87 100644
--- a/db/tests.db
+++ b/db/tests.db
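Review bot: `os:NetBSD 7.1.1:2020-03-14:1584162000:` is listed twice in the NetBSD block; one copy should be dropped. The Amazon Linux note says the shortest entry has to come last because of regular-expression matching, yet in the same block `os:NetBSD 5.0` (2015-11-17) precedes `os:NetBSD 5.0.1` and later 5.0.x entries (2015-10-17) — if the same prefix matching applies, those hosts would be reported with the 5.0 date, so the longer entries should come first there too. The Notes line `do not (currently have an EOL date` has an unbalanced parenthesis; `# For rolling releases or releases that do not (currently) have an EOL date, leave field three empty and set field four to -1.` reads correctly. The epoch values also appear to be local-time midnight rather than UTC (1467324000 is 2016-06-30T22:00:00Z), so the verification command in the header prints the previous day on a UTC host; saying so in the header, or regenerating with `TZ=UTC date "+%s" --date=...`, would keep the file reproducible across contributors.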
@@ -22,6 +22,8 @@ AUTH-9218:test:security:authentication:FreeBSD:Check harmful login shells:
 AUTH-9222:test:security:authentication::Check for non unique groups:
 AUTH-9226:test:security:authentication::Check non unique group names:
 AUTH-9228:test:security:authentication::Check password file consistency with pwck:
+AUTH-9229:test:security:authentication::Check password hashing methods:
+AUTH-9230:test:security:authentication::Check group password hashing rounds:
 AUTH-9234:test:security:authentication::Query user accounts:
 AUTH-9240:test:security:authentication::Query NIS+ authentication support:
 AUTH-9242:test:security:authentication::Query NIS authentication support:
@@ -45,7 +47,8 @@ AUTH-9340:test:security:authentication:Solaris:Solaris account locking:
 AUTH-9402:test:security:authentication::Query LDAP authentication support:
 AUTH-9406:test:security:authentication::Query LDAP servers in client configuration:
 AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs:
-AUTH-9489:test:security:authentication:DragonFly:Check login shells for passwordless accounts:
+AUTH-9409:test:security:authentication:OpenBSD:Check for doas file:
+AUTH-9410:test:security:authentication:OpenBSD:Check for doas file permissions:
 BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
 BANN-7124:test:security:banners::Check issue banner file:
 BANN-7126:test:security:banners::Check issue banner file contents:
@@ -55,7 +58,9 @@ BOOT-5102:test:security:boot_services:AIX:Check for AIX boot device:
 BOOT-5104:test:security:boot_services::Determine service manager:
 BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on macOS:
 BOOT-5108:test:security:boot_services:Linux:Test Syslinux boot loader:
+BOOT-5109:test:security:boot_services:Linux:Test rEFInd boot loader:
 BOOT-5116:test:security:boot_services::Check if system is booted in UEFI mode:
+BOOT-5117:test:security:boot_services:Linux:Check for systemd-boot boot loader:
 BOOT-5121:test:security:boot_services::Check for GRUB boot loader presence:
 BOOT-5122:test:security:boot_services::Check for GRUB boot password:
 BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader presence:
@@ -71,6 +76,9 @@ BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scr
 BOOT-5202:test:security:boot_services::Check uptime of system:
 BOOT-5260:test:security:boot_services::Check single user mode for systemd:
 BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence:
+BOOT-5262:test:security:boot_services:OpenBSD:Check for OpenBSD boot daemons:
+BOOT-5263:test:security:boot_services:OpenBSD:Check permissions for boot files/scripts:
+BOOT-5264:test:security:boot_services:Linux:Run systemd-analyze security:
 CONT-8004:test:security:containers:Solaris:Query running Solaris zones:
 CONT-8102:test:security:containers::Checking Docker status and information:
 CONT-8104:test:security:containers::Checking Docker info for any warnings:
@@ -79,12 +87,18 @@ CONT-8107:test:performance:containers::Check number of unused Docker containers:
 CONT-8108:test:security:containers::Check file permissions for Docker files:
 CORE-1000:test:performance:system_integrity::Check all system binaries:
 CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
+CRYP-7930:test:security:crypto:Linux:Determine if system uses LUKS encryption:
+CRYP-7931:test:security:crypto:Linux:Determine if system uses encrypted swap:
+CRYP-8002:test:security:crypto:Linux:Gather kernel entropy:
+CRYP-8004:test:security:crypto:Linux:Presence of hardware random number generators:
+CRYP-8005:test:security:crypto:Linux:Presence of software pseudo random number generators:
 DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked:
 DBS-1804:test:security:databases::Checking active MySQL process:
 DBS-1816:test:security:databases::Checking MySQL root password:
 DBS-1818:test:security:databases::MongoDB status:
 DBS-1820:test:security:databases::Check MongoDB authentication:
 DBS-1826:test:security:databases::Checking active PostgreSQL processes:
+DBS-1828:test:security:databases::PostgreSQL configuration files:
 DBS-1840:test:security:databases::Checking active Oracle processes:
 DBS-1860:test:security:databases::Checking active DB2 instances:
 DBS-1880:test:security:databases::Checking active Redis processes:
@@ -106,8 +120,9 @@ FILE-6362:test:security:filesystems::Checking /tmp sticky bit:
 FILE-6363:test:security:filesystems::Checking /var/tmp sticky bit:
 FILE-6368:test:security:filesystems:Linux:Checking ACL support on root file system:
 FILE-6372:test:security:filesystems:Linux:Checking / mount options:
-FILE-6374:test:security:filesystems:Linux:Checking /boot mount options:
+FILE-6374:test:security:filesystems:Linux:Linux mount options:
 FILE-6376:test:security:filesystems:Linux:Determine if /var/tmp is bound to /tmp:
+FILE-6394:test:performance:filesystems:Linux:Test swappiness of virtual memory:
 FILE-6410:test:security:filesystems::Checking Locate database:
 FILE-6430:test:security:filesystems::Disable mounting of some filesystems:
 FILE-6439:test:security:filesystems:DragonFly:Checking HAMMER PFS mounts:
@@ -115,6 +130,7 @@ FILE-7524:test:security:file_permissions::Perform file permissions check:
 FINT-4310:test:security:file_integrity::AFICK availability:
 FINT-4314:test:security:file_integrity::AIDE availability:
 FINT-4315:test:security:file_integrity::Check AIDE configuration file:
+FINT-4316:test:security:file_integirty::Presence of AIDE database and size check:
 FINT-4318:test:security:file_integrity::Osiris availability:
 FINT-4322:test:security:file_integrity::Samhain availability:
 FINT-4326:test:security:file_integrity::Tripwire availability:
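Review bot: The group field of the new `FINT-4316` record is misspelled `file_integirty`, while every neighbouring FINT record uses `file_integrity`; if the group column drives test selection or report grouping, this entry would be silently excluded from the file-integrity group. Suggested line: `FINT-4316:test:security:file_integrity::Presence of AIDE database and size check:`.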
@@ -123,6 +139,9 @@ FINT-4330:test:security:file_integrity::mtree availability:
 FINT-4334:test:security:file_integrity::Check lfd daemon status:
 FINT-4336:test:security:file_integrity::Check lfd configuration status:
 FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
+FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
+FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status
+FINT-4341:test:security:file_integrity:Linux:Check dm-verity status
 FINT-4350:test:security:file_integrity::File integrity software installed:
 FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
 FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
@@ -143,6 +162,8 @@ FIRE-4586:test:security:firewalls::Check firewall logging:
 FIRE-4590:test:security:firewalls::Check firewall status:
 FIRE-4594:test:security:firewalls::Check for APF presence:
 HOME-9302:test:security:homedirs::Create list with home directories:
+HOME-9304:test:security:homedirs::Test permissions of user home directories:
+HOME-9306:test:security:homedirs::Test ownership of user home directories:
 HOME-9310:test:security:homedirs::Checking for suspicious shell history files:
 HOME-9350:test:security:homedirs::Collecting information from home directories:
 HRDN-7220:test:security:hardening::Check if one or more compilers are installed:
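Review bot: The new records `FINT-4339`, `FINT-4340` and `FINT-4341` lack the trailing `:` that terminates every other record in this file, and the same applies to `TIME-3181`, `TIME-3182` and `TIME-3185` in the `@@ -379,12 +416,18 @@` hunk further down. Whether the reader tolerates a missing terminator is not visible here, but keeping the format uniform avoids relying on it; for example `FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM status:` (which also lower-cases `Status` to match the neighbouring descriptions), with the same trailing colon added to the other five lines.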
@@ -164,11 +185,23 @@ HTTP-6712:test:security:webservers::Check nginx access logging:
 HTTP-6714:test:security:webservers::Check for missing error logs in nginx:
 HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx:
 HTTP-6720:test:security:webservers::Check Nginx log files:
-INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
-INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
-INSE-8006:test:security:insecure_services::Check configuration of inetd when disabled:
+INSE-8000:test:security:insecure_services::Installed inetd package:
+INSE-8002:test:security:insecure_services::Status of inet daemon:
+INSE-8004:test:security:insecure_services::Presence of inetd configuration file:
+INSE-8006:test:security:insecure_services::Check configuration of inetd when it is disabled:
 INSE-8016:test:security:insecure_services::Check for telnet via inetd:
 INSE-8050:test:security:insecure_services:MacOS:Check for insecure services on macOS systems:
+INSE-8100:test:security:insecure_services::Installed xinetd package:
+INSE-8116:test:security:insecure_services::Insecure services enabled via xinetd:
+INSE-8200:test:security:insecure_services::Usage of TCP wrappers:
+INSE-8300:test:security:insecure_services::Presence of rsh client:
+INSE-8302:test:security:insecure_services::Presence of rsh server:
+INSE-8310:test:security:insecure_services::Presence of telnet client:
+INSE-8312:test:security:insecure_services::Presence of telnet server:
+INSE-8314:test:security:insecure_services::Presence of NIS client:
+INSE-8316:test:security:insecure_services::Presence of NIS server:
+INSE-8318:test:security:insecure_services::Presence of TFTP client:
+INSE-8320:test:security:insecure_services::Presence of TFTP server:
 KRNL-5622:test:security:kernel:Linux:Determine Linux default run level:
 KRNL-5677:test:security:kernel:Linux:Check CPU options and support:
 KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number:
@@ -255,9 +288,11 @@ NAME-4402:test:security:nameservices::Check duplicate line in /etc/hosts:
 NAME-4404:test:security:nameservices::Check /etc/hosts contains an entry for this server name:
 NAME-4406:test:security:nameservices::Check server hostname mapping:
 NAME-4408:test:security:nameservices::Check localhost to IP mapping:
+NETW-2400:test:basics:networking::Test hostname for valid characters and length:
 NETW-2600:test:security:networking:Linux:Checking IPv6 configuration:
 NETW-2704:test:security:networking::Basic nameserver configuration tests:
 NETW-2705:test:security:networking::Check availability two nameservers:
+NETW-2706:test:security:networking::Check DNSSEC status:
 NETW-3001:test:security:networking::Find default gateway (route):
 NETW-3004:test:security:networking::Search available network interfaces:
 NETW-3006:test:security:networking::Get network MAC addresses:
@@ -268,6 +303,7 @@ NETW-3015:test:security:networking:Linux:Checking promiscuous interfaces (Linux)
 NETW-3028:test:security:networking::Checking connections in WAIT state:
 NETW-3030:test:security:networking::Checking DHCP client status:
 NETW-3032:test:security:networking:Linux:Checking for ARP monitoring software:
+NETW-3200:test:security:networking::Determine available network protocols:
 PHP-2211:test:security:php::Check php.ini presence:
 PHP-2320:test:security:php::Check PHP disabled functions:
 PHP-2368:test:security:php::Check PHP register_globals option:
@@ -276,6 +312,7 @@ PHP-2374:test:security:php::Check PHP enable_dl option:
 PHP-2376:test:security:php::Check PHP allow_url_fopen option:
 PHP-2378:test:security:php::Check PHP allow_url_include option:
 PHP-2379:test:security:php::Check PHP suhosin extension status:
+PHP-2382:test:security:php::Check PHP listen option:
 PKGS-7301:test:security:ports_packages::Query NetBSD pkg:
 PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info:
 PKGS-7303:test:security:ports_packages::Query brew package manager:
@@ -314,6 +351,7 @@ PKGS-7393:test:security:ports_packages::Check for Gentoo vulnerable packages:
 PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates:
 PKGS-7398:test:security:ports_packages::Check for package audit tool:
 PKGS-7410:test:security:ports_packages::Count installed kernel packages:
+PKGS-7420:test:security:ports_packages::Detect toolkit to automatically download and apply upgrades:
 PRNT-2302:test:security:printers_spools:FreeBSD:Check for printcap consistency:
 PRNT-2304:test:security:printers_spools::Check cupsd status:
 PRNT-2306:test:security:printers_spools::Check CUPSd configuration file:
@@ -327,6 +365,7 @@ PROC-3602:test:security:memory_processes:Linux:Checking /proc/meminfo for memory
 PROC-3604:test:security:memory_processes:Solaris:Query prtconf for memory details:
 PROC-3612:test:security:memory_processes::Check dead or zombie processes:
 PROC-3614:test:security:memory_processes::Check heavy IO waiting based processes:
+PROC-3802:test:security:memory_processes::Check presence of prelink tooling:
 RBAC-6272:test:security:mac_frameworks::Check grsecurity presence:
 SCHD-7702:test:security:scheduling::Check status of cron daemon:
 SCHD-7704:test:security:scheduling::Check crontab/cronjobs:
@@ -337,7 +376,7 @@ SHLL-6202:test:security:shells:FreeBSD:Check console TTYs:
 SHLL-6211:test:security:shells::Checking available and valid shells:
 SHLL-6220:test:security:shells::Checking available and valid shells:
 SHLL-6230:test:security:shells::Perform umask check for shell configurations:
-SINT-7010:test:security:system_integrity::System Integrity Status:
+SINT-7010:test:security:system_integrity:MacOS:System Integrity Status:
 SNMP-3302:test:security:snmp::Check for running SNMP daemon:
 SNMP-3304:test:security:snmp::Check SNMP daemon file location:
 SNMP-3306:test:security:snmp::Check SNMP communities:
@@ -357,8 +396,6 @@ SSH-7404:test:security:ssh::Check SSH daemon file location:
 SSH-7406:test:security:ssh::Detection of OpenSSH server version:
 SSH-7408:test:security:ssh::Check SSH specific defined options:
 SSH-7440:test:security:ssh::AllowUsers and AllowGroups:
-STRG-1840:test:security:storage:Linux:Check if USB storage is disabled:
-STRG-1842:test:security:storage:Linux:Check USB authorizations:
 STRG-1846:test:security:storage:Linux:Check if firewire storage is disabled:
 STRG-1902:test:security:storage_nfs::Check rpcinfo registered programs:
 STRG-1904:test:security:storage_nfs::Check nfs rpc:
@@ -379,12 +416,18 @@ TIME-3136:test:security:time:Linux:Check NTP protocol version:
 TIME-3148:test:performance:time:Linux:Check TZ variable:
 TIME-3160:test:security:time:Linux:Check empty NTP step-tickers:
 TIME-3170:test:security:time::Check configuration files:
+TIME-3180:test:security:time::Report if ntpctl cannot communicate with OpenNTPD:
+TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation
+TIME-3182:test:security:time::Check OpenNTPD has working peers
+TIME-3185:test:security:time::Check systemd-timesyncd synchronized time
 TOOL-5002:test:security:tooling::Checking for automation tools:
 TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
 TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
 TOOL-5120:test:security:tooling::Presence of Snort IDS:
 TOOL-5122:test:security:tooling::Snort IDS configuration file:
-TOOL-5160:test:security:tooling::Check for active OSSEC analysis daemon:
+TOOL-5160:test:security:tooling::Check for active OSSEC daemon:
 TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
+USB-1000:test:security:storage:Linux:Check if USB storage is disabled:
+USB-2000:test:security:storage:Linux:Check USB authorizations:
 USB-3000:test:security:storage:Linux:Check for presence of USBGuard:
 # EOF
diff --git a/default.prf b/default.prf
index ef474b1f..efd8665e 100644
--- a/default.prf
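Review bot: `STRG-1840` and `STRG-1842` are re-numbered to `USB-1000` and `USB-2000` (the removals are in the `@@ -357,8 +396,6 @@` hunk, the additions here) with no trace of the old identifiers, so any profile that references them — for example `skip-test=STRG-1840`, following the `#skip-test=` examples in default.prf — silently stops matching and the USB checks run again. A changelog or release-note line naming the old and new identifiers would let administrators update their profiles deliberately rather than discover the change from a changed report.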
+++ b/default.prf
@@ -1,30 +1,33 @@
 #################################################################################
 #
 #
-# Lynis - Scan Profile (default)
-#
-# This is the default profile and contains default values.
+# Lynis - Default scan profile
 #
 #
 #################################################################################
 #
 #
-# SUGGESTION
+# This profile provides Lynis with most of its initial values to perform a
+# system audit.
+#
+#
+# WARNINGS
 # ----------
 #
-# Do NOT make changes to this file, instead copy your preferred settings to
-# custom.prf and put it in the same directory as default.prf
+# Do NOT make changes to this file. Instead, copy only your changes into
+# the file custom.prf and put it in the same directory as default.prf
 #
 # To discover where your profiles are located: lynis show profiles
 #
 #
+# Lynis performs a strict check on profiles to avoid the inclusion of
+# possibly harmful injections. See include/profiles for details.
+#
+#
 #################################################################################
 #
 # All empty lines or with the # prefix will be skipped
 #
-# More information about this plugin can be found in the documentation:
-# https://cisofy.com/documentation/lynis/
-#
 #################################################################################
 # Use colored output
@@ -33,6 +36,9 @@ colors=yes
 # Compressed uploads (set to zero when errors with uploading occur)
 compressed-uploads=yes
+# Amount of connections in WAIT state before reporting it as a suggestion
+#connections-max-wait-state=5000
+
 # Debug mode (for debugging purposes, extra data logged to screen)
 #debug=yes
@@ -42,20 +48,27 @@ error-on-warnings=no
 # Use Lynis in your own language (by default auto-detected)
 language=
-# Lynis Enterprise license key
-license-key=
+# Log tests from another guest operating system (default: yes)
+#log-tests-incorrect-os=yes
+
+# Define if available NTP daemon is configured as a server or client on the network
+# values: server or client (default: client)
+#ntpd-role=client
 # Defines the role of the system (personal, workstation or server)
 machine-role=server
+# Ignore some stratum 16 hosts (for example when running as time source itself)
+#ntp-ignore-stratum-16-peer=127.0.0.1
+
 # Profile name, will be used as title/description
 profile-name=Default Audit Template
 # Number of seconds to pause between every test (0 is no pause)
 pause-between-tests=0
-# Enable quick mode (no waiting for keypresses, same as --quick option)
-quick=no
+# Quick mode (do not wait for keypresses)
+quick=yes
 # Refresh software repositories to help detecting vulnerable packages
 refresh-repositories=yes
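Review bot: The two new NTP options are split by `machine-role=server`: `#ntpd-role=client` is inserted before it and `#ntp-ignore-stratum-16-peer=127.0.0.1` after it, while the rest of this section keeps related, roughly alphabetical groupings; placing `ntpd-role` directly next to `ntp-ignore-stratum-16-peer` keeps the time-synchronisation settings together. The comment on `#log-tests-incorrect-os=yes` is also hard to parse; if the option means what its name suggests, `# Log tests that are skipped because they target another operating system (default: yes)` would be clearer, but the wording should be confirmed against the code that reads the key.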
@@ -76,39 +89,21 @@ skip-plugins=no
 #skip-test=SSH-7408:loglevel
 #skip-test=SSH-7408:permitrootlogin
+# Skip Lynis upgrade availability test (default: no)
+#skip-upgrade-test=yes
+
+# Locations where to search for SSL certificates (separate paths with a colon)
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
+ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
+ssl-certificate-include-packages=no
+
 # Scan type - how deep the audit should be (light, normal or full)
 test-scan-mode=full
-# Upload data to central server
-upload=no
-
-# The hostname/IP address to receive the data
-upload-server=
-
-# Provide options to cURL (or other upload tool) when uploading data.
-# upload-options=--insecure --> use HTTPS, but skip certificate check (e.g. self-signed)
-upload-options=
-
 # Verbose output
 verbose=no
-#################################################################################
-#
-# Upgrade and updating
-# --------------------
-#
-# The old settings to do automatic updating are deprecated. It is suggested to
-# use a package or deploy your the tarball via a custom script.
-#
-# The latest packages can be found at: https://packages.cisofy.com
-#
-#################################################################################
-
-# Skip Lynis upgrade availability test (default: no)
-#skip-upgrade-test=yes
-
-
 #################################################################################
 #
 # Plugins
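Review bot: `ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:` and `ssl-certificate-include-packages=no` are added without the one-line comment that every other setting in this file carries, so a reader cannot tell from the profile what they control or which values are accepted. Going by the names, `# Paths to exclude from the certificate search (separate paths with a colon)` and `# Also check certificates shipped by installed packages (yes/no)` would fit, but the exact semantics should be confirmed from the code that reads these keys before the comments are committed.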
@@ -119,10 +114,11 @@ verbose=no # - Nothing happens if plugin isn't available # - There is no order in execution of plugins # - See documentation about how to use plugins and phases +# - Some are for Lynis Enterprise users only # ################################################################################# -# Lynis Plugins (some are for Lynis Enterprise users only) +# Lynis plugins to enable plugin=authentication plugin=compliance plugin=configuration @@ -149,17 +145,22 @@ plugin=system-integrity plugin=systemd plugin=users +# Disable a particular plugin (will overrule an enabled plugin) +#disable-plugin=authentication ################################################################################# # # Kernel options # --------------- -# sysctl::::: +# config-data=, followed by: # -# Sysctl key = name -# Expected value = value of sysctl key -# Hardening points = Number of hardening points. For most keys 1 HP will be suitable -# Description = Text description of key +# - Type = Set to 'sysctl' +# - Setting = value of sysctl key (e.g. kernel.sysrq) +# - Expected value = Preferred value for key (e.g. 0) +# - Hardening Points = Number of hardening points (typically 1 point per key) (1) +# - Description = Textual description about the sysctl key(Disable magic SysRQ) +# - Related file or command = For example, sysctl -a to retrieve more details +# - Solution field = Specifies more details or where to find them (url:URL, text:TEXT, or -) # ################################################################################# 
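Review bot: The rewritten `config-data` field list in the Kernel options header does not match the entries that follow it: the existing lines use `;` as the separator and end with a trailing `;`, and their seventh field is `category:security`, whereas the header describes field 7 as a "Solution field" holding `url:URL`, `text:TEXT` or `-` and names no separator at all. Suggest stating the separator explicitly, e.g. `# config-data=sysctl;setting;expected value;hardening points;description;related file or command;solution or category;`, and adding `category:NAME` to the accepted forms of the last field so a reader can write a new entry that the parser will accept. The added `#disable-plugin=authentication` line says it overrules an enabled plugin; a one-line note on whether it also applies to plugins enabled from the command line would avoid guesswork. Hunk `@@ -119,10 +114,11 @@` is a comment move and needs nothing.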
@@ -269,86 +270,66 @@ config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes ar config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security; -################################################################################# -# -# Apache options -# columns: (1)apache : (2)option : (3)value -# -################################################################################# - -apache:ServerTokens:Prod: - - -################################################################################# -# -# OpenLDAP options -# columns: (1)openldap : (2)file : (3)option : (4)expected value(s) -# -################################################################################# - -openldap:slapd.conf:permissions:640-600: -openldap:slapd.conf:owner:ldap-root: - - - - -################################################################################# -# -# NTP options -# -################################################################################# - -# Ignore some stratum 16 hosts (for example when running as time source itself) -#ntp-ignore-stratum-16-peer=127.0.0.1 - - -################################################################################# -# -# File/directories permissions (currently not used yet) -# -################################################################################# - -# Scan for exact file name match -#[scanfiles] -#scanfile:/etc/rc.conf:FreeBSD configuration: - -# Scan for exact directory name match -#[scandirs] -#scandir:/etc:/etc directory: - - ################################################################################# # # permfile # --------------- -# permfile:file name:file permissions:owner:group:action: +# permfile=file name:file permissions:owner:group:action: # Action = NOTICE or WARN # Examples: -# permfile:/etc/test1.dat:600:root:wheel:NOTICE: -# permfile:/etc/test1.dat:640:root:-:WARN: +# 
permfile=/etc/test1.dat:600:root:wheel:NOTICE: +# permfile=/etc/test1.dat:640:root:-:WARN: # ################################################################################# -#permfile:/etc/inetd.conf:rw-------:root:-:WARN: -#permfile:/etc/fstab:rw-r--r--:root:-:WARN: -permfile:/etc/lilo.conf:rw-------:root:-:WARN: +#permfile=/etc/inetd.conf:rw-------:root:-:WARN: +#permfile=/etc/fstab:rw-r--r--:root:-:WARN: +permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN: +permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN: +permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN: +permfile=/etc/at.allow:rw-------:root:-:WARN: +permfile=/etc/at.deny:rw-------:root:-:WARN: +permfile=/etc/cron.allow:rw-------:root:-:WARN: +permfile=/etc/cron.deny:rw-------:root:-:WARN: +permfile=/etc/crontab:rw-------:root:-:WARN: +permfile=/etc/group:rw-r--r--:root:-:WARN: +permfile=/etc/group-:rw-r--r--:root:-:WARN: +permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN: +permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN: +permfile=/etc/issue:rw-r--r--:root:root:WARN: +permfile=/etc/issue.net:rw-r--r--:root:root:WARN: +permfile=/etc/lilo.conf:rw-------:root:-:WARN: +permfile=/etc/motd:rw-r--r--:root:root:WARN: +permfile=/etc/passwd:rw-r--r--:root:-:WARN: +permfile=/etc/passwd-:rw-r--r--:root:-:WARN: +permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN: +permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN: +permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN: +permfile=/root/.rhosts:rw-------:root:root:WARN: +permfile=/root/.rlogin:rw-------:root:root:WARN: +permfile=/root/.shosts:rw-------:root:root:WARN: + +# These permissions differ by OS +#permfile=/etc/gshadow:---------:root:-:WARN: +#permfile=/etc/gshadow-:---------:root:-:WARN: +#permfile=/etc/shadow:---------:root:-:WARN: +#permfile=/etc/shadow-:---------:root:-:WARN: ################################################################################# # # permdir # --------------- -# permdir:directory name:file 
permissions:owner:group:action when permissions are different: +# permdir=directory name:file permissions:owner:group:action when permissions are different: # ################################################################################# -permdir:/root/.ssh:rwx------:root:-:WARN: - -# Scan for a program/binary in BINPATHs -#scanbinary:Rootkit Hunter:rkhunter: - -# Amount of connections in WAIT state before reporting it as a suggestion -#connections-max-wait-state=5000 +permdir=/root/.ssh:rwx------:root:-:WARN: +permdir=/etc/cron.d:rwx------:root:root:WARN: +permdir=/etc/cron.daily:rwx------:root:root:WARN: +permdir=/etc/cron.hourly:rwx------:root:root:WARN: +permdir=/etc/cron.weekly:rwx------:root:root:WARN: +permdir=/etc/cron.monthly:rwx------:root:root:WARN: # Ignore some specific home directories @@ -356,12 +337,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN: # checks, like file permissions, SSH and other configuration files #ignore-home-dir=/home/user -# Do not log tests with another guest operating system (default: yes) -#log-tests-incorrect-os=no - -# Define if available NTP daemon is configured as a server or client on the network -# values: server or client (default: client) -#ntpd-role=client # Allow promiscuous interfaces #
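Review bot: The permfile header examples use octal modes (`permfile=/etc/test1.dat:600:root:wheel:NOTICE:`) while every real entry added below uses symbolic modes (`rw-------`), so the documentation and the data disagree on the accepted format; either rewrite the examples in the symbolic form or state that both are accepted, e.g. `# Permissions are given in symbolic form (rw-------); octal is not accepted` if that is the case. The entries also leave the group field as `-` for some files and `root` for others (`/etc/passwd` vs `/etc/hosts.allow`) without saying what `-` means; a line such as `# Use - to skip the owner or group check` would make the list self-explaining. The commented-out `/etc/shadow` and `/etc/gshadow` lines note that permissions differ by OS but give no example of what a Debian- or RHEL-style entry would look like, which is exactly where operators will make mistakes. The permfile section starts in the earlier part of this hunk and the section is otherwise a rename from `:` to `=`.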