commit c0ae2e217b7f1fb0171017ce5afb8eb8898470db Author: mboelen Date: Tue Aug 26 17:33:55 2014 +0200 Initial import diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 00000000..42ed4aed --- /dev/null +++ b/CHANGELOG 
@@ -0,0 +1,1529 @@ + +================================================================================ + + Lynis - Changelog + +================================================================================ + + Author: Michael Boelen (michael@rootkit.nl) + Description: Security and system auditing tool + Website: http://cisofy.com/lynis/ + http://www.rootkit.nl/projects/lynis.html + + Support policy: See section 'Support' (README file); + Commercial support and plugins available via CISOfy + http://cisofy.com + + Documentation: See web site, README, FAQ and CHANGELOG file + +================================================================================ + + * 1.6.0 (2014-08-xx) + + New: + - Added files plugin to default profile + - HostID detection for AIX + + Changes: + - Improvements for log file + - Improved detection of security repository for Debian based systems [PKGS-7388] + - Set default values for update check, to avoid error message on screen + - Cleanup for mail section, adding IMAP and POP3 protocols + + -- + + * 1.5.9 (2014-07-31) + + New: + - New NetBSD test for vulnerable software packages [PKGS-7380] + - Test if Debian based systems need a reboot [KRNL-5830] + - Test for running Sendmail daemon [MAIL-8880] + - Test for availability of mtree [FINT-4330] + - Check for lp daemon (printing) [PRNT-2314] + - Added Qmail status detection [MAIL-8860] + - New NetBSD boot loader test [BOOT-5126] + - Added test for automation tools like Cfengine and Puppet [TOOL-5002] + - Added KRNL-5830 control to website + - Added detection for Puppet + - Added tooling category + + Changes: + - Security repository test extended with /etc/apt/sources.list.d [PKGS-7388] + - Added exception case for CUPS configuration (listen statement) [PRNT-2308] + - Improved detection of TMOUT setting in shell profile file [SHLL-6220] + - Perform promiscuous interfaces test for NetBSD as well [NETW-3014] + - Perform swap partition parameters test on all systems [FILE-6336] + - Also check 
password file on DragonFlyBSD and NetBSD [AUTH-9208] + - Show message regarding toor user for all systems [AUTH-9204] + - Check for available interfaces on NetBSD as well [NETW-3004] + - Extended UFS file system test with FFS support [FILE-6329] + - Improvements for step-tickers file test [TIME-3160] + - Perform sockstat test for NetBSD [NETW-3012] + - Gather IP addresses for NetBSD [NETW-3008] + - Test MAC addresses on NetBSD [NETW-3006] + - Added /usr/X11R7/bin directory to search for binaries + - Improved full qualified domain name (FQDN) check for Linux + - Don't show follow-up hints when there are no warnings or suggestions + - Improved IsRunning function to better target processes + - Several smaller adjustments in text and descriptions + - Extended ReportException function with logging text + - Improved GetHostID function for NetBSD and Solaris + - Added printing_daemon and mail_daemon to report + - Binaries extended with tools like kstat, puppet + + -- + + * 1.5.8 (2014-07-24) + + New: + - Testing for commercial anti-virus solutions like McAfee and Sophos [MALW-3280] + - New control text for MALW-3280 - http://cisofy.com/controls/malw-3280/ + + Changes: + - Extended GRUB test with encrypted password (SHA1) [BOOT-5121] + - Check /etc/profile for multiple umask values [AUTH-9328] + - Extended PHP disabled functions test [PHP-2320] + - Add gpgcheck parameter to YUM test [PKGS-7387] + - Squid configuration file permissions test adjusted and control added to website [SQD-3613] + - Logging has been extended and exceptional event text adjusted + + -- + + * 1.5.7 (2014-07-09) + + New: + - Implementation of SafePerms function + - Added notification when exceptions are found + + Changes: + - Fix for error_log handling in nginx + + -- + + * 1.5.6 (2014-06-12) + + New: + - Test for PHP binary and PHP version + - Don't perform register_global test for systems running PHP 5.4.0 and later [PHP-2368] + - Debug function (can be activated via --debug or profile) + + Changes: 
+ - Extended IsRunning function + - Removed suggestion from secure shell test [SHLL-6202] + - Check for idle session handlers [SHLL-6220] + - Also check for apache2 binary (file instead of directory) + - New report values: session_timeout_enabled and session_timeout_method + - New report value for plugins: plugins_enabled + - Fixed test to determine active TCP sessions on Linux [NETW-3012] + + -- + + * 1.5.5 (2014-06-08) + + New: + - Check for nginx access logging [HTTP-6712] + - Check for missing error logs in nginx [HTTP-6714] + - Check for debug mode in nginx [HTTP-6716] + + Changes: + - Extended SSL test for nginx when using listen statements + - Allow debugging via profile (config:debug:yes) + - Check if discovered httpd file is actually a file + - Improved temporary file creation related to security notice + - Adjustments to screen output + + Security Note: + This releases solves two issues regarding the usage of temporary + files (predictability of the file names). You are advised to upgrade + to this version as soon as possible. 
For more information see the + our blog post: http://linux-audit.com/lynis-security-notice-154-and-older/ + + -- + + * 1.5.4 (2014-06-04) + + New: + - Check additional configuration files for nginx [HTTP-6706] + - Analysis of nginx settings [HTTP-6708] + - New test for SSL configuration of nginx [HTTP-6710] + + Changes: + - Altered SMBD version check for Mac OS + - Small adjustments to report for readability + + -- + + * 1.5.3 (2014-05-19) + + New: + - Support for zypper package manager + - Gather installed packages with Zypper on SuSE systems [PKGS-728] + - Check for vulnerable packages with Zypper package manager [PKGS-7330] + + Changes: + - Check for aide.conf also in /etc [FINT-4315] + - Adjusted screen output for unreliable NTP peers [TIME-3120] + - Adjusted check kernel test for non-Linux systems [KRNL-5730] + - Improved screen output on AIX systems with echo command + + -- + + * 1.5.2 (2014-05-05) + + New: + - Support for runlevel in binaries test + + Changes: + - Added suggestion for kernel availability check [KRNL-5788] + - Added suggestion for services at startup and proper binary call [BOOT-5180] + - Added suggestion to configure accounting on FreeBSD [ACCT-2754] + - Added suggestion to configure Linux process accounting [ACCT-9622] + - Several new controls listed on website + - Adjusted hardening index if total score was zero + - Added suggestion for auditd.conf file [ACCT-9632] + - Removed suggestion for audit log file [ACCT-9634] + - Removed warning from NTP falsetickers test, added data to report [TIME-3132] + - Removed warning from NTP selected time source test [TIME-3124] + + -- + + * 1.5.1 (2014-04-22) + + Changes: + - Extended reporting with running databases and frameworks + - Adjusted Oracle status in test [DBS-1840] + - Extended grsecurity test [RBAC-6272] + - Redirect rpcinfo errors to /dev/null + - Adjusted color scheme + + -- + + * 1.5.0 (2014-04-10) + + New: + - Support for Amazon Linux + - NTP check for step-tickers file (Red Hat and 
clones) [TIME-3160] + + Changes: + - Minor textual changes in description of several controls + - Removed several warnings (usage of suggestions instead) + - Website has now more information for several controls + - Extended detection for Oracle Linux + - Updated the FAQ and README files + + -- + + * 1.4.9 (2014-04-03) + + New: + - Added links in report to related control documentation on website + - Detect Linux I/O kernel scheduler [KRNL-5730] + + Changes: + - Check for non-unique accounts on several platforms [AUTH-9208] + - Set initial discover value for PAM modules to zero [AUTH-9268] + + -- + + * 1.4.8 (2014-03-27) + + Changes: + - Adjusted resolv.conf domain setting in report [NAME-4016] + - Extend account test with /var/log/pacct [ACCT-9620] + - Added suggestion to DNS domain name test [NAME-4028] + - Changed text strings of ZFS test [FILE-6330] + - Extend LILO password test [BOOT-5139] + - Set default value for pf firewall + + -- + + * 1.4.7 (2014-03-21) + + New: + - New configuration item to set group name + - Search for AIDE configuration file (aide.conf) [FINT-4315] + - Check for usage of SHA256/SHA512 in AIDE configuration [FINT-4316] + - Added grep to list of binaries + + Changes: + - Added suggestion when using NIS or NIS+ [NAME-4302] + - Clean-up of unneeded plugin section + - Small typo fix + + -- + + * 1.4.6 (2014-03-14) + + New: + - Check for GPG signing in yum.conf [PKGS-7387] + - Check CUPS configuration file permissions [PRNT-2307] + + Changes: + - Screen cleanup + + -- + + * 1.4.5 (2014-03-08) + + New: + - Support for Chakra Linux + - Support for pacman binary (package manager) + - Query installed packages on systems with pacman [PKGS-7310] + + Changes: + - Avoid logging to screen when falsetickets are found [TIME-3132] + - Skipping FIFO file on Solaris systems when checking for cron jobs [TIME-3104] + - Extended uptime test for Solaris systems [BOOT-5202] + - Added /usr/lib/security to PAM locations to scan + - Report cronjobs to report 
[SCHD-7704] + - HostID support for Solaris + - Improved color scheme + - Extended logging + + -- + + * 1.4.4 (2014-03-03) + + New: + - Detect tune2fs binary + - Added ExitFatal() function + - Added egrep binary to binaries + - Initial plugin support (phase 1) + - Added InsertPluginSection() function + + Changes: + - Adjusted disabled functions tests to properly find functions [PHP-2320] + - Extended time test with egrep binary replace for Solaris [TIME-3104] + - Adjusted color for SNMP test when warning is found [SNMP-3306] + - Adjusted text for PHP risky functions [PHP-2320] + - Refer to discovered binaries for ifconfig, lsmod, tune2fs + - Test plugin directory when provided by --plugin-dir + - Scan report extended with plugin information + - Extended help for Enterprise options + - Improved IsRunning() function + - Extended color scheme + + -- + + * 1.4.3 (2014-02-23) + + New: + - Support for ClearOS + - Data upload for Lynis Enterprise users (--upload) + - Added debug variable for troubleshooting purposes + - Scan profile option license_key + + Changes: + - Skip password check for Red Hat or clones [AUTH-9282] + - Extended single user login protection [AUTH-9308] + - Adjusted repolist check for yum based systems [PKGS-7383] + - Inserted sleep time when update is found + - Extended report output + + -- + + * 1.4.2 (2014-02-19) + + Changes: + - Ignore interfaces aliases for HostID + - Extended umask tests with pam_umask entries [AUTH-9328] + - Check for supressed version on Squid [SQD-3680] + + -- + + * 1.4.1 (2014-02-15) + + New: + --plugin-dir parameter + + Changes: + - Added 64 bits locations for Apache modules + - Add start of new category to logfile + - Extended sysstat test with /etc/cron.d/sysstat [ACCT-9626] + - Extended cron job tests with entries start with asterix (*) [SCHD-7704] + - Additional check for multiple umask entries (like RHEL 6.x) [AUTH-9328] + - Adjusted PHP test for register_globals (explicit test) [PHP-2368] + - Small adjustments for 
upcoming plugin support + - Extended man page + + -- + + * 1.4.0 (2014-01-29) + + Changes: + - Removed some warnings, to prevent double messages + - Extended accounting check for Linux [ACCT-9622] + - Added consistency check to time test [TIME-3124] + - Added support for anacron jobs [SCHD-7704] + - Rewrite of YUM repository test [PKGS-7383] + - Use binary variables for hostid creation + - AIX version detection changed + - Added rpcinfo to binaries check + - Ignore LANG global setting + - Improved logging + + -- + + * 1.3.9 (2014-01-09) + + Changes: + - Additional support for Mac OS + - Support for shasum binary + - Performance adjustment for lsof tests + - Extended interface check for hostid creation + - Improved NSCD detection [NAME-4032] + - Bug fix for passwdqc [AUTH-9262] + - Extended vulnerable packages test [PKGS-7392] + - Hide possible sysctl errors [KRNL-5820] + + -- + + * 1.3.8 (2013-12-25) + + New: + - New parameter --view-categories to display available test categories + - Added /etc/hosts check (duplicates) [NAME-4402] + - Added /etc/hosts check (hostname) [NAME-4404] + - Added /etc/hosts check (localhost mapping) [NAME-4406] + - Portmaster test for possible port upgrades [PKGS-7378] + - Check for SPARC improve boot loader (SILO) [BOOT-5142] + - NFS client access test [STRG-1930] + - Check system uptime [BOOT-5202] + - YUM repolist check [PKGS-7383] + - Contributors file added + + Changes: + - Improved locate database check and reporting [FILE-6410] + - Improved PAE/No eXecute test for Linux kernel [KRNL-5677] + - Disabled NIS domain name from test [NAME-4028] + - Extended NIS domain test to check BSD sysctl value [NAME-4306] + - Extended PAM tools check with PAM paths [AUTH-9262] + - Adjusted Apache check to avoid skipping it [HTTP-6622] + - Extended USB state testing [STRG-1840] + - Extended Firewire state testing [STRG-1846] + - Extended core dump test [KRNL-5820] + - Added /lib/i386-linux-gnu/security to PAM directories + - Added /usr/X11R6/bin 
directory to binary paths + - Improved readability of screen output + - Improved logging for several tests + - Improved Debian version detection + - Added warning to BIND test [NAME-4206] + - Extended binaries with showmount and yum + - Updated man page + + -- + + * 1.3.7 (2013-12-10) + + New: + - Function FileExists() and SearchItem() + + Changes: + - Adjusted yum-security check [PKGS-7386] + - Improved check for iptables binary check + - Extended report with the tests executed and skipped + + -- + + * 1.3.6 (2013-12-03) + + New: + - Support for the dntpd time daemon + - New Apache test for modules [HTTP-6632] + - Apache test for mod_evasive [HTTP-6640] + - Apache test for mod_qos [HTTP-6641] + - Apache test for mod_spamhaus [HTTP-6642] + - Apache test for ModSecurity [HTTP-6643] + - Check for installed package audit tool [PKGS-7398] + - Added initial support for new pkgng and related tools [PKGS-7381] + - Check for ssh-keyscan binary + - ZFS support for FreeBSD [FILE-6330] + - Test for passwordless accounts [AUTH-9283] + - Initial OS support for DragonFly BSD + - Initial OS support for TrueOS (FreeBSD based) + - Initial OS support for elementary OS (Luna) + - GetHostID for DragonFly, FreeBSD, NetBSD and OpenBSD + - Check for DHCP client [NETW-3030] + - Initial support for OSSEC (system integrity) [FINT-4328] + - New parameter --log-file to adjust log file location + - New function IsRunning() to check status of processes + - New function RealFilename() to determine file name + - New function CheckItem() for parsing files + - New function ReportManual() and ReportException() to simplify code + - New function DirectoryExists() to check existence of a directory + - Support for dntpd [TIME-3104] + + Changes: + - Extended pf checks for FreeBSD/OpenBSD and others [FIRE-4518] + - Extended test to gather listening network ports for Linux [NETW-3012] + - Adjusted lsof statement to ignore warnings (e.g. 
fuse) [LOGG-2180] [LOGG-2190] + - Added suggestion for discovered shells on FreeBSD [AUTH-9218] + - Extended core dump test with additional details [KRNL-5820] + - Properly display suggestion if portaudit is not installed [PKGS-7382] + - Ignore message if no packages are installed (pkg_info) [PKGS-7320] + - Also try using apt-check on Debian systems [PKGS-7392] + - Adjusted logging for RPM binary on systems not using it [PKGS-7308] + - Extended search in cron directories for rdate/ntpdate [TIME-3104] + - Adjusted PHP check to find ini files [PHP-2211] + - Skip Apache test for NetBSD [HTTP-6622] + - Skip test http version check for NetBSD [HTTP-6624] + - Additional check to supress sort error [HTTP-6626] + - Improved the way binaries are checked (less disk reads) + - Adjusted ReportWarning() function to skip impact rating + - Improved report on screen by leaving out date/time and type + - Redirect errors while checking for OpenSSL version + - Extended reporting with firewall status and software + - Adjusted naming of some operating systems to make them more consistent + - Extended update check by using host binary if dig is not installed + - Count number of installed binaries/packages and report them + - Report about log rotation tool and status + - Updated man page + + -- + + * 1.3.5 (2013-11-19) + + New: + - OS detection for Mageia Linux, PCLinuxOS, Sabayon Linux and Scientific Linux + - Added some initial systemd support (e.g. 
boot services) + - Test to display if any known MAC framework is implemented [MACF-6290] + + Changes: + - Improved support for Slackware Linux (OS and version detection) + - Added systemd support (boot and running services) for Linux systems [BOOT-5177] + - Added systemd support (default runlevel) for Linux systems [KRNL-5622] + - Extended USB storage check in modprobe.d directory [STRG-1840] + - Improved output, reporting and check for kernel update [KRNL-5788] + - Optimized code and output of test to check writable scripts [BOOT-5184] + - Fixed detection for writable scripts [BOOT-5184] + - Improved detection IPv6 addresses for Slackware and others [NETW-3008] + - Minor addition to SSH PermitRootLogin check [SSH-7412] + - Extended cronjob tests, reporting and logging [SCHD-7704] + - Extended umask check in /etc/profile [AUTH-9328] + - Added suggestion about BIND version [NAME-4210] + - Merged test NTP daemon test TIME-3108 into TIME-3104 + - Improved support for Arch Linux (output, detection) + - Extended common list of directories with SSL certifcates in profile + - New function GetHostID() to determine an unique identifier of the machine + - Added a tests_custom file template + - Perform file permissions test on tests_custom file + - Improved OS detection and extended logging on several tests + - Several layout improvements + - Extended update check functions and output + - Cleaned up reporting and extended it with exceptions + + -- + + * 1.3.4 (2013-11-08) + + New: + - OS detection support for Arch Linux + - Support for systemd journal + + Changes: + - Test for files in /etc/modprobe.d directory [STRG-1840] + - Extended log daemon detection with systemd journal [LOGG-2130] + - Adjusted hardening value for compiler GCC [HRDN-7222] + - Extended IsWorldWritable and IsWorldExecutable functions to support symlinks + - Adjusted PHP test for disabled functions [PHP-2320] + - Extended testing for PHP files in other directories [PHP-2211] + - Improved screen output for 
several tests and extended logging + + -- + + * 1.3.3 (2013-10-24) + + New: + - Added NTP configuration type to report [TIME-3104] + + Changes: + - Do not warn on empty shells for FreeBSD systems [AUTH-9218] + - Extended checks for presence NTP client or daemon [TIME-3104] + - Extended logging + + -- + + * 1.3.2 (2013-10-09) + + New: + - Test for PowerDNS authoritive servers (master/slave status) [NAME-4238] + + Changes: + - CUPS test extended with hardening rules [PRNT-2308] + - Added hardening points to sticky bit on /tmp [FILE-6362] + - Extended Ubuntu security packages check [PKGS-7392] + - Improved update check, show when no check is performed + - Added additional check for binaries, so checks on CentOS work correctly + - Added word 'restricted' to banner strings + - Adjusted wording for Debian packages purge [PKGS-7346] + - Corrected listing of purgable packages [PKGS-7346] + - Adjusted yum-plugin-security check due to package changes [PKGS-7386] + + -- + + * 1.3.1 (2013-10-02) + + Changes: + - Updated generic references in files + - Fixed detection of several binaries (AFICK/awk) + - Performance tweaks when checking for binaries + - Fixed core dump check and dumpable sysctl [KRNL-5820] + - Force test to always to check for binaries [FILE-7502] + - Changed detection to egrep [DBS-1840] + - Adjusted variable checking for Solaris [HOME-9310] + - Adjusted search in modprobe directory [STRG-1840] [STRG-1846] + + -- + + * 1.3.0 (2011-12-25) + + New: + - Profile option: ignore_home_dir + - TCP wrappers category added + - Tooling category added + - Initial extensions to support plugins in the future + - Test for unpurged Debian packages [PKGS-7346] + - Test for compiler permissions [HRDN-7222] + + Changes: + - Converted all dates to ISO format and updated copyright lines + - Correct suggestion for file integrity tool [FINT-4350] + - Added hint when RPM list is empty on DPKG based systems [PKGS-7308] + - Changed logging for /etc/security/limits.conf file [KRNL-5820] 
+ - Fixed incorrect warning for single user mode [AUTH-9308] + - Improved output for stratum 16 time servers [TIME-3116] + - Added suggestion and screen output for kernel hardening [KRNL-6000] + - Screen layout optimalizations and log file improvements + - Improved list/layout of scan options + - Improved binary check for compilers + - Added configuration option in scan profile (show_tool_tips, default true) + + -- + + * 1.2.9 (2009-12-15) + + New: + - Support for Squid3 + - Added Squid unsafe ports check [SQD-3624] + - Added Squid configuration file permission check [SQD-3613] + - Added Squid test: reply_body_max_size option [SQD-3630] + - Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328] + - Check PHP option allow_url_include [PHP-2378] + + Changes: + - Extended possible Squid configuration file locations + - Added additional sysctl keys to default profile + - Fixed typo in squid.conf checks + - Improved descriptions, logging and reporting for several tests + - Corrected /etc/security/limits.conf path in test [KRNL-5820] + - Updated man page, limited lines to 80 chars + + -- + + * 1.2.8 (2009-12-08) + + New: + - Squid support added + - Squid daemon detection [SQD-3602] + - Squid configuration file search [SQD-3604] + - Squid version detection [SQD-3606] + - Check /etc/motd banner [BANN-7122] + - Check /etc/issue.net file [BANN-7128] + - Check contents in /etc/issue.net [BANN-7130] + - Solaris single user mode login check (/etc/default/sulogin) [AUTH-9304] + - HP-UX boot authentication check [AUTH-9306] + - Linux single user mode authentication check [AUTH-9308] + - Solaris account locking policy check [AUTH-9340] + + Changes: + - Added prerequisite to SSH test, so the test is skipped properly [SSH-7440] + - Check for /etc/issue symlink [BANN-7124] + - Added file check for possible harmful shells found [AUTH-9218] + - Add user home directories to report [HOME-9302] + - Extended Linux run level test with support for Debian/Ubuntu [KRNL-5622] + - 
Added /lib64/security to PAM test [AUTH-9262] + - Extended security repository check [PKGS-7388] + - Iptables check should not check for a module in a Linux config [FIRE-4511] + - Ignore APC ups daemon when scanning for CUPS [PRNT-2304] + - Improved kernel logger daemon check [LOGG-2138] + - Added auditctl to binary check [ACCT-9630] + - Log used auditd ruleset [ACCT-9630] + - Corrected logging of Solaris c2audit module [ACCT-9656] + - Fixed warning function for Solaris passwordless accounts [AUTH-9254] + - Commented kern.randompid in default profile + - For sysctl the parameter -n will be used on Linux systems + - Changed syslog daemon detection and state + - Extended report file + + -- + + * 1.2.7 (2009-11-01) + + New: + - Added Kernel Hardening section + - Sysctl audit support in scan profile and related test [KRNL-6000] + - SSH option StrictModes test [SSH-7416] + - Password aging limit check [AUTH-9286] + - Ubuntu packages check (apt-show-versions) [PKGS-7394] + - Check for metalog daemon [LOGG-2210] + - USB storage driver state check [STRG-1840] + - Firewire storage driver state check [STRG-1846] + - PostgreSQL process check [DBS-1826] + - Oracle process check [DBS-1840] + - Default umask check [AUTH-9328] + - Check for rsyslog daemon [LOGG-2230] + - RFC 3195 compliant daemon check [LOGG-2240] + - Qmail SMTP daemon check [MAIL-8940] + - Test for separation of /tmp and /home from root file system [FILE-6310] + - SSH AllowUsers and AllowGroups usage check [SSH-7440] + - AIX support, thanks to Michael Smerdka + + Changes: + - Fixed crontabs path [SCHD-7704] + - Extended locate database paths for Linux and FreeBSD [FILE-6410] + - pflog detection fix [FIRE-4518] + - Skip /proc/meminfo for non Linux systems [PROC-3602] + - Extended text with rsyslogd [LOGG-2130] + - Ignore comment and empty lines for group tests [AUTH-9222/9226] + - Show firewall as active when iptables is available in config file [FIRE-4511] + - Variable fix for SNMP daemon configuration file 
[SNMP-3304] + - Freshclam check fix [MALW-3286] + - Fixed waiting search for NIS domain [NAME-4306] + - Check for a maximum of 1 search statement in /etc/resolv.conf [NAME-4018] + - Apache test improved [HTTP-6622] + - Skip klogd test if rsyslogd is available [LOGG-2138] + - Added additional CUPS location to search paths + - Only execute PAM test for systems with PAM [AUTH-9268] + - Fixed logging of sudoers file location [AUTH-9250] + - Improved FreeBSD support for NTP client check [TIME-3104] + - Redirect warning "Unknown host" when DNS domain name is empty [NAME-4028] + - Redirect warning when host name is empty + - Fixed warning color [AUTH-9226] + - Fixed FreeBSD COPYRIGHT file test [BANN-7113] + - Changed text for sudoers text [AUTH-9250] + - Improved text for DNS search domain [NAME-4016] + - Skip nginx configuration test if nginx is not available [HTTP-6704] + - Removed portsclean suggestion [PKGS-7348] + - Fixed non unique IDs + - Fixed cosmetic issue when using Debian with default dash shell + - Improved hostname detection for HP-UX + - Added additional php.ini file locations + - Moved Linux default shell check to OS detection functions + - Fixed CUPS daemon test [PRNT-2304] + - Also check for uppercase chars in issue file [BANN-7126] + + -- + + * 1.2.6 (2009-04-05) + + New: + - Sudoers file permissions check [AUTH-9252] + - Core dumps configuration check for Linux [KRNL-5820] + - PHP disabled functions check [PHP-2320] + - PHP enable_dl function check [PHP-2374] + - PHP allow_url_fopen function check [PHP-2376] + - OpenBSD smtpd status check [MAIL-8920] + - /etc/issue check [BANN-7124] + - /etc/issue legal keywords check [BANN-7126] + - Show suggestions in report + + Changes: + - Extended support for Red Hat, CentOS and Fedora + - Extended ACL test to test for default mount options as well [FILE-6368] + - Exim status test fixed [MAIL-8812] + - Corrected yum security check [PKGS-7386] + - Replaced LDAP test AUTH-9238 with [AUTH-9402] + - Removed backquotes 
when locate database is not available [FILE-6410] + - Added /etc/openldap to search path for OpenLDAP + - Fixed typo in crontab path [SCHD-7704] + - Don't show message "No volume groups found" if LVM isn't used [FILE-6310] + - Corrected Syslog-NG status [LOGG-2132] + - Moved TODO to dev directory + + -- + + * 1.2.5 (2009-03-27) + + New: + - slapd.conf check [LDAP-2224] + - atd status test [SCHD-7718] + - Check LDAP module in PAM [AUTH-9278] + - Check Dovecot status check [MAIL-8838] + - Check log directories from newsyslog.conf [LOGG-2162] + - Check log directories from static list [LOGG-2170] + - Check log directories from logrotate configuration [LOGG-2150] + - syslog check for remote logging [LOGG-2154] + - Open log files check [LOGG-2180] + - Deleted file check [LOGG-2190] + - Solaris active kernel modules check [KRNL-5770] + - Solaris audit daemon status check [ACCT-9650] + - Solaris audit daemon service status [ACCT-9652] + - Solaris audit daemon BSM check [ACCT-9654] + - Solaris audit logging location check [ACCT-9662] + - Solaris audit statistics check [ACCT-9672] + - Check for installed compiler [HRDN-7202] + - BIND process check [NAME-4202] + - BIND configuration file check [NAME-4204] + - BIND configuration consistency check [NAME-4206] + - BIND version check via DNS [NAME-4210] + - Default domain check (/etc/resolv.conf) [NAME-4016] + - Search domains in /etc/resolv.conf check [NAME-4018] + - Parse /etc/resolv.conf options [NAME-4020] + - Solaris /etc/nodename check [NAME-4026] + - DNS domain checks [NAME-4028] + - NSCD status check [NAME-4032] + - PowerDNS presence check [NAME-4230] + - PowerDNS configuration file check [NAME-4232] + - PowerDNS backend check [NAME-4236] + - ypbind status check [NAME-4302] + - Log specific defined SSH daemon options [SSH-7408] + - SSH protocol version check [SSH-7414] + - NIS domain checks [NAME-4304] + - Check pending at jobs [SCHD-7724] + - LVM volume group scan [FILE-6310] + - LVM volumes check [FILE-6312] + - Locate 
database check [FILE-6410] + - nginx configuration file check [HTTP-6704] + - Exim status check [MAIL-8802] + - Postfix status check [MAIL-8814] + + Changes: + - atd needs to run before testing at files [SCHD-7720] + - Removed Solaris OS requirement from logrotate test [LOGG-2148] + - Sanitized output from logrotate test [LOGG-2148] + - Skip comment fields in loghost check [LOGG-2152] + - Changed auditd tests to Linux only + - Binary scan optimized and partially combined with other check + - Only perform iptables tests if kernel module is active + - Don't show message when /etc/shells can't be found [SHLL-6211] + - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704] + - Renumbered FreeBSD test SHLL-7225 [SHLL-6202] + - Renumbered malware test MALW-3292 [HRDN-7230] + - Improved grep on process status [PRNT-2304] + - Ignore comment lines for nginx log file check [HTTP-6720] + - Added file check for nginx log files [HTTP-6720] + - Display IP addresses only of NTP tests [TIME-3124] + - Fixed Postfix configuration directory path [MAIL-8816] + - Redirected output of yum package duplicate check [PKGS-7384] + - Ignore comment lines for lilo test [BOOT-5139] + - Fixed incorrect iptables status and correct logging [FIRE-4511] + - Check SNMP configuration only if SNMP daemon runs [SNMP-3304] + - Don't scan PAM directories which are symlinks [AUTH-9268] + - Changed hardening category to hardening_tools + - Adjusted hardening points of several tests + - Log and display improvements for several tests + + -- + + * 1.2.4 (2009-03-17) + + New: + - NTP daemon process test [TIME-3108] + - NTP association ID's check from peer list [TIME-3112] + - NTP time source candidates test [TIME-3128] + - NTP falseticker check [TIME-3132] + - NTP protocol version check [TIME-3136] + - Stratum 16 ntp peers check [TIME-3116] + - Unreliable ntp peers check [TIME-3120] + - Preferred NTP time source test [TIME-3124] + - auditd presence check [ACCT-9628] + - auditd rules check [ACCT-9630] + 
- auditd configuration file check [ACCT-9632] + - auditd log file location check [ACCT-9634] + - cupsd status check [PRNT-2304] + - cupsd configuration file check [PRNT-2306] + - cupsd address configuration test [PRNT-2308] + - pam.conf configuration check [AUTH-9264] + - pam.d configuration file scan [AUTH-9266] + - PAM modules check [AUTH-9268] + - rpcinfo query [STRG-1902] + - NFS version number check [STRG-1904] + - NFS protocol and port number check [STRG-1906] + - NFS status check [STRG-1920] + - NFS exports check [STRG-1926] + - NFS empty /etc/exports [STRG-1928] + - SSH PermitRootLogin option check [SSH-7412] + - at.allow and at.deny check [SCHD-7720] + - File integrity tool check [FINT-4350] + - nginx process check [HTTP-6702] + - nginx log file test [HTTP-6720] + - ClamAV clamscan presence test [MALW-3282] + - ClamAV daemon check [MALW-3284] + - ClamAV freshclam check [MALW-3286] + - Check for presence malware scanner [MALW-3292] + - clamscan, ntpq binary check + - NTP daemon role and profile option + - Parameter --tests-category, to scan one or more categories + - Category added (Storage: NFS) + - Added hardening points to tests + - Display hardening index to report + + Changes: + - Extended logrotate test [LOGG-2148] + - Added check for inetd.conf before performing test [INSE-8016] + - Added /var/spool/crontabs to search path [TIME-3104] + - Added log line to sysstat test [ACCT-9626] + - Improved screen output on Solaris + - Checking for both rdate and ntpdate in cron files [TIME-3104] + - Changed yum-security package check [PKGS-7386] + - Change output if dig isn't available [NETW-2705] + - Added IPv6 support and output adjustment [NETW-2704] + - Cosmetic change for host based firewall check [FIRE-4590] + - Corrected output in log file [PKGS-7388] + - Corrected passwd options for Red Hat [AUTH-9282] + - Changed text if everything is ok (no warnings) + - Log improvements + + -- + + * 1.2.3 (2009-03-02) + + New: + - Added syslog-NG daemon check 
[LOGG-2132] + - Added klogd status test [LOGG-2138] + - Added check to determine minilogd presence [LOGG-2142] + - Added logrotate configuration test [LOGG-2146] + - Added check for loghost entry on Solaris machines [LOGG-2152] + - Added ipf test for Solaris [FIRE-4526] + - Added uname -n test (Solaris) [NAME-4024] + - Added ssh daemon configuration file check [SSH-7404] + - Added BSD newsyslog.conf file check [LOGG-2160] + - Added inetd status check [INSE-8002] + - Added inetd.conf configuration check [INSE-8004] + - Added check for inetd.conf when inetd is not active [INSE-8006] + - Added telnet check via inetd [INSE-8016] + - Added ACL check on root file system [FILE-6368] + - Added check for firewall/packet filter on system [FIRE-4590] + - Added lograte file check [LOGG-2148] + - Added snmp daemon status test [SNMP-3302] + - Added snmp configuration file test [SNMP-3304] + - Added default snmp community strings test [SNMP-3306] + - Added categories: Insecure services and SNMP + - Added binary searches for awk, ipf + + Changes: + - Changed profile name in default profile + - Added path /usr/ucb to binary paths + - Changed color to white if slapd is not running [LDAP-2219] + - Changed test PKG-7345 into PKGS-7345 + - Changed logging for several tests [PKGS-7302] [NETW-3004] + - Extended FAQ + - Changed default profile header + + Fixes: + - Hostname detection under Solaris + - Disabled tests PROC-3612 PROC3614 for Solaris machines + - Disabled NTP check in cron.d directory on Solaris [TIME-3104] + - Added result at line when querying system users [AUTH-9234] + - Counters (N+1) fixed for some shells, like Solaris + - Removed unneeded line for Solaris test [PROC-3604] + - Disabled grsecurity test for Solaris [RBAC-6272] + - Correct display of files with spaces [FILE-6354] + - Changed several tests so they work correctly with Solaris + + -- + + * 1.2.2 (2009-02-15) + + New: + - Support for MySQL client + - New test: Test for empty MySQL root password [DBS-1816] + - 
New test: SSH daemon status test [SSH-7402] + - New test: sysstat account information [ACCT-9626] + - New test: connections in WAIT state [NETW-3028] + - Lynis displays a warning now, if current version is really outdated + - New parameter option (log_tests_incorrect_os) to minimize logging + + Changes: + - Several adjustments to default profile + - Fixed option 'skip_test_always' to let it function properly + - Fixed passwd check for SuSE systems [AUTH-9282] + - Added error redirect for dpkg test [PKG-7345] + - Improved NTP test and messages, excluded check when using xen [TIME-3104] + - Extended DNS nameserver check with local resolver [NETW-2704] + - Skip double nameserver check when a local resolver is found [NETW-2705] + - Renamed tests_nameserver to tests_nameservices + - Improved log output [AUTH-9218] + + Notes: + - Custom profiles should be compared to the default profile, due small changes + in the structure. + + -- + + * 1.2.1 (2008-09-05) + + New: + - Added support for Samba + - Added support for SELinux framework + - New test: SELinux presence test [MACF-6232] + - New test: SELinux status checks [MACF-6234] + - New test: password PAM availability check [AUTH-9262] + - New test: expire date check for accounts [AUTH-9282] + - Added new option --tests, to run a small set of tests only + + Changes: + - Report and logging messages improved + - Output reduced when using --tests + - Added suggestion to PHP expose_php option [PHP-2372] + - Improved log message for PHP register_globals option [PHP-2368] + - Added virtual host count to log file [HTTP-6626] + - Improved Red Hat and clones detection and display + - Fix: Improved promiscuous detection for Linux [NETW-3015] + - Fix: AUTH-9204 test triggered on group ids as well + - Fix: Only display unique MAC addresses [NETW-3006] + - Extended Postfix test [MAIL-8818] + - Don't show /proc/meminfo if not present [PROC-3602] + - Don't show YABOOT information if not present [BOOT-5155] + - Improved portaudit test 
(FreeBSD) [PKGS-7382] + - Improved portsclean test (FreeBSD) [PKGS-7348] + - Added --quiet and --tests options to help and man page + + -- + + * 1.2.0 (2008-08-26) + + New: + - New test: Passwordless Solaris accounts test [AUTH-9254] + - New test: AFICK file integrity [FINT-4310] + - New test: AIDE file integrity [FINT-4314] + - New test: Osiris file integrity [FINT-4318] + - New test: Samhain file integrity [FINT-4322] + - New test: Tripwire file integrity [FINT-4326] + - New tests: NIS and NIS+ authentication test [AUTH-9240/42] + - Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire + + Changes: + - Changed text of grsecurity test [RBAC-6272] + - Optimized FreeBSD boot services test [BOOT-5165] + - Optimized UID 0 test [AUTH-9204] + - Extended login shells test [AUTH-9218] + - PID file message extended and small output improvement + - A log entry will be written when PID files are removed + - Added operating system name to log file when a test is skipped + - Added file available check when using --view-manpage + - Most program variables are initialized now for future additions + + -- + + * 1.1.9 (2008-08-09) + + New: + - New test: AppArmor framework check [MACF-6204] + - New test: FreeBSD boot loader test [BOOT-5124] + - New test: PHP option register_globals [PHP-2368] + - New test: Promiscuous network interfaces (Linux) [NETW-3015] + - Report option 'bootloader' added to several tests + - Added readlink binary check + + Changes: + - Extended file check (IsWorldWritable) for symlinks + - Show result if no default gateway is found [NETW-3001] + - Added /usr/local/etc to sudoers test [AUTH-9250] + - Improved FreeBSD banner output [BANN-7113] + - Removed incorrect line at promiscuous interface test [NETW-3014] + - Fix: Show only once the GRUB test output [BOOT-5121] + - Fix: Typo in NTP test [TIME-3104] + - Fix: Skip NTP test in /etc/cron.d if empty [TIME-3104] + - Fix: Initialize values when performing an update check without connection + - Fix: 
Solaris id function has been fixed + - Disabled FreeBSD double packages tests, due minor issues [PKGS-7303] + - Changed LDAP/MySQL running states [LDAP-2219] [DBS-1804] + - Replaced ifconfig calls with IFCONFIGBINARY + - Renamed tests_auditing to tests_mac_frameworks + - Several tests improved with extended logging + + -- + + * 1.1.8 (2008-07-16) + + New: + - Mac OS X support extended and new options added + + Changes: + - Extended default profile + - Improved several screen output lines + - User ID check improved, so it works better with older Solaris versions + - Hostname in output and reports will contain only host now, not FQDN + - Added extra php.ini locations to tests_php + - Replaced 'ps' in tests with PSBINARY value for better support + - Added output to zones test [VIRT-1902] + - Updated description [AUTH-9218] + - Extended ntp daemon/ntpdate check [TIME-3104] + - Added suggestion to bootable scripts check [BOOT_5184] + - Bugfix and improvement for FreeBSD portsclean test [PKGS-7348] + - Added Mac OS support to MAC address gathering test [NETW-3006] + - Added MAC OS support to inet and inet6 addresses test [NETW-3008] + - Extended PHP expose_php test to support additional options [PHP-2372] + - Improved LDAP test so it skips correctly on Mac OS AUTH-9238] + - Bugfix: MySQL status check gave incorrect output [DBS-1804] + + -- + + * 1.1.7 (2008-06-28) + + New: + - New test: check for unused iptables rules [FIRE-4513] + - New test: checking for dead and zombie processes [PROC-3612] + - New test: checking for heavy IO waiting processes [PROC-3614] + - Initial HP-UX support (untested) + - Initial AIX support (untested) + - Added iptables binary check + - Added dig check, for DNS related tests + - Added option --no-colors to remove all colors from screen output + - Added option --reverse-colors for optimizing output at light backgrounds + (Konsole, MacOS terminal etc) + + Changes: + - Improved grpck test for SuSE [AUTH-9216] + - Added dig availability check to 
DNS test [NETW-2704] + - Bugfix: Fixed iptables test if the binary is not located in /sbin [FIRE-4512] + - Bugfix: Improved yum-utils check to display suggestions correctly [PKGS-7384] + - Bugfix: Fixed prequisits for grpck test [AUTH-9216] + - Improved MySQL check [DBS-1804] + - Changed color at chkconfig boot services test [BOOT-5177] + - Added missing prequisits output to portaudit test [PKGS-7382] + - Test output for FreeBSD mounts (UFS) improved [FILE-6329] + - Extended OpenLDAP test to avoid finding itself in ps output [LDAP-2219] + - Several tests have their warning reporting improved + - Improved SuSE Linux detection + - Improved syslog-ng detection + - Adjusted README with link to online (extended) documentation + + -- + + * 1.1.6 (2008-06-19) + + New: + - New test: Check writable startup scripts [BOOT-5184] + - New test: Syslog-NG consistency check [LOGG-2134] + - New test: Check yum-utils package and scanning package database [PKGS-7384] + - New test: Test for empty ruleset when iptables is loaded [FIRE-4512] + - New test: Check for expired SSL certificates [CRYP-7902] + - New test: Check for LDAP authentication support [AUTH-9238] + - New test: Read available crontab/cron files [SCHD-7704] + - New test: Query Solaris running zones [VIRT-1902] + - New test: Check availability sudoers file for future tests [AUTH-9250] + - New test: Query all home directories from passwd file [HOME-9302] + - Syslog-NG support added (binary and version check) + - Added new sections: Scheduling, Time and Synchronization, Virtualization + + Changes: + - Extended several tests with suggestions and warnings + - Extended GRUB test with GRUB2 check [BOOT-5121] + - Extended iptables firewall test [FIRE-4511] + - Fixed incorrect variable at Linux kernel config display [KRNL-5728] + - Fixed display for file system test [FILE-6023] + - Reassigned some ID's to match others in category + - Improvement of several logging sections and profile options + - Assigned ID to Ubuntu security 
update check + - Assigned ID to pwck test for Solaris [AUTH-9230] + - Assigned ID to FreeBSD unused distfiles check [PKGS-7348] + - Assigned ID to RPM package query test [PKGS-7308] + - Assigned ID to /tmp sticky bit test [FILE-6362] + - Assigned ID to old temporary files check [FILE-6354] + - Assigned ID to passwd ID 0 test [AUTH-9204] + - Assigned ID to FreeBSD swap partitions [FILE-6332] + - Assigned ID to FreeBSD swap mount options [FILE-6336] + - Assigned ID to nameserver tests [NETW-2704 and NETW-2705] + - Assigned ID to pf consistency check [FIRE-4520] + - Assigned ID to Postfix configuration check [MAIL-8816] + - Assigned ID to Postfix banner check [MAIL-8818] + - Assigned ID to FreeBSD promiscuous port test [NETW-3014] + - Assigned ID to file permissions check [FILE-7524] + + -- + + * 1.1.5 (2008-06-10) + + New: + - Assigned ID to Apache configuration file test [HTTP-6624] + - Added pause_between_tests to profile file, to regulate the speed of a scan + - Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345] + - Assigned ID to Solaris package test [PKG-7306] + - New test: which gathers virtual hosts from Apache configuration files [HTTP-6626] + - New test: read all loaded kernel modules (Linux) [KRNL-5726] + - New test: query available FreeBSD network interfaces [NETW-3004] + - New test: query available IPv4 and IPv6 network addresses [NETW-3008] + - New test: for MAC addresses [NETW-3006] + - New test: check if a Linux kernel configuration file is available [KRNL-5728] + - New test: check boot services for Debian/Ubuntu [BOOT-5180] + - Added Lynx, Nmap, Wget version to log file + - Added support for Oracle enterprise Linux (Unbreakable Linux) + - Added new function ReportWarning for better logging to report file + + Changes: + - Improved FreeBSD pkg_info output, logging output and report data [PKG-7302] + - Changed shell history file test, searching files with maxdepth 1 [HOME-9310] + - Extended iptables test, to check Linux 
kernel configuration file [FIRE-4511] + - Added report warning to promicuous test [NETW-3014] + - Fixed yellow color when being used at text display + - Several logging improvements and cleanups + + -- + + * 1.1.4 (2008-05-31) + + New: + - Added option to disable Lynis upgrade availability test (profile option) + - Added new option --check-update, to display (update) information + - Added stub for malware and file permissions database + - New section 'LDAP Services' + - Support for OpenLDAP added + - Place holders for new tests are added + - Default profile extended + - [FILE-6023] Added test for Linux ext2, ext3, ext4 file systems + - [BOOT-5155] Added check for YABOOT boot loader + + Changes: + - [BANN-7119] Improved MOTD banner check + - Improved Apache tests for SuSE and Debian systems + - Debian/Ubuntu file tests improved + - Extended man page + + -- + + * 1.1.3 (2008-05-21) + + New: + - Added security updates check for Fedora, RHEL 5.x, CentOS 5.x + - Added Linux kernel version check + - Most stable tests have an unique ID now + - Skipped tests have their reason to skip logged + - Added /etc/lynis/plugins to searchable plugin directory targets + - Added Register() function, to handle tests, prerequisites and counter + - Added new crypto tests + - Added profile option "test_skip_always" to blacklist a specific test + + Changes: + - Extended default profile location for FreeBSD + - Extended accounting test to include pacct as well + - Improved tests from categories: shells + - Disabled skel tests + - Several tests log their warnings into the report file now + - Changed Linux default runlevel test + - Extended man page + + Fixes: + - Auditor name didn't get logged properly to report file. 
+ - Changed Debian/Ubuntu kernel update test, so it won't be tested on others + - Exim test failed, due to using an incorrect variable name + + -- + + * 1.1.2 (2008-05-11) + + New: + - Added memory test for Solaris (tested on OpenSolaris) + - Password file consistency check for Solaris + - 32/64 bits OS mode check for Solaris + - Added Slackware detection + - Plugin support (see documentation) + - Added monolithic/modular test for Linux kernels + + Changes: + - Improved LILO test and removed double message + - Fixed incorrect message when using --help parameter + - Improved portaudit test (FreeBSD) to show unique packages only + - Updated man page, FAQ, extended documention with plugin information + - Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE) + + ** Special release notes [package/ports]: ** + - Added several default paths to check for usuable an INCLUDE directory. This + should make packaging Lynis easier for downstream package providers. + - When no profile is set, Lynis will check first /etc/lynis/default.prf, + before setting default.prf (in current work directory) as profile to use. 
+ - New directory added to be installed for future versions: plugins + + -- + + * 1.1.1 (2008-04-13) + + New: + - Added Solaris package manager (pkginfo) to obtain installed packages + - Added new option to profile to whitelist promiscuous interfaces (if_promisc) + - Added vulnerable packages check for Debian/Ubuntu + - Added package database consistency check for Debian/Ubuntu + + Changes: + - Only perform boot.conf check for OpenBSD when running on i386 + - Changed RemovePIDFile to prevent incorrect file presence check (ie on OpenBSD) + - Better OS detection and display output for Ubuntu systems + - Improved text alignment (display) and logging + - Commented out some of the default profile options + - Updated FAQ, readme, man page + + Bug fixes: + - Added missing space at OS detection function + - Fixed /etc/group tests to ignore commented lines + - Fixed sticky bit checking on /tmp, so it won't give incorrect results on + SuSE/Debian systems + + -- + + * 1.1.0 (2008-04-09) + + New: + - Added test: default gateway (Linux/BSD) + - Added boot tasks to report file (boottask) + - Added vulnerable packages to report file (vulnerable_package) + + Changes: + - Fixed some typos + - Several improvements in log output + - Changed display of operating system version (Linux) + - Fixed PHP check + + -- + + * 1.0.9 (2008-03-24) + + New: + - Added --quiet option (currently not 100% quiet yet) + - Added a spec file to the project page (see web site) + - Added small INSTALL document + + Changes: + - Changed check for PHP (php.ini location) + - Added available shells from /etc/shells to report file + - Updated man page + - Fixed option in main help window for --man option + - Code improvement, splitting up sections to seperated files + + -- + + * 1.0.8 (2008-02-10) + + New: + - Added pf filter rule test + - Added our PID to PID file + - Added warnings, real users, mount points, total tests to report file + + Changes: + - Changed Apache configuration file test + - Changed old 
temporary files check + - Changed test to include ubuntu security repository + - Moved UID check to avoid PID creation as non root user + - Moved most functions to seperated files and several code cleanups + - Improved logging output + - Extended FreeBSD (Copyright file) test + - Changed indentation for many tests + - Changed some typos in notice/warning messages + + -- + + * 1.0.7 (2008-01-28) + + New: + - Test: UFS mount point check (FreeBSD) + - Test: Check swap partitions (FreeBSD) + - Test: find old files in /tmp + - Test: check presence iptables + - Test: check CPU PAE/NX support (Linux) + - Added profile options check + - Added option to skip Debian security repository check (profile option) + - Support for Red Hat and CentOS + + Changes: + - Changed report log location to /var/log instead of current work directory + - Changed --help (and -h) to display general help, instead of man page + - Renamed -man option to --man + - Extended profile file (see default.prf) + - Cleaned up code (rewritten several parts of static code to dynamic + functions) + - Added more comments to the program, for curious auditors, developers and + users. Also regrouped parts of text and cleaned useless white spaces. 
+ - General program output improved (spaces, indentation) + - Logging extended + - Updated lynis.spec file (contrib) + - FAQ and README files extended and updated + + Bugfixes: + - Changed postfix banner check (thanks to Henk Bokhoven for reporting) + - Extended skel directory test, with -A (ls) option to check hidden files + (used with most Linux variants) + + Development: + - Added new mirror + - Updated year number in program and support files + - Added new function Display, to use indentation within lines + - Added function RemovePIDFile before some exit routines, to clean up PID file + - Extracted profile support, parameter support to seperated files + - Created file tests_ports_packages for Ports and Packages + - Deleted lynis.spec file, since it was not working and will be rewritten later + + -- + + * 1.0.6 (2007-12-26) + + New: + - Added Solaris real users test + - Added hostname check + + Changes: + - Added chkconfig binary test and changed related services test + - Added 'xargs' to version checks, to replace unwanted chars + - Added more breaks to log file. 
+ - Added sorting to rpm/dpkg listings + - FAQ extended + + -- + + * 1.0.5 (2007-12-02) + + New: + - Test: unique group names + - Test: unique group IDs + - Added check for rpm, chkrootkit and rkhunter binary + - Added function to cleanup at manual interrupt (INT) + - Support added to run Lynis as cronjob (--cronjob) + - Fedora support added + - Added umask 027, to tighten up file permissions + + Changes: + - Changed FreeBSD ttys test + - Changed grpck test, to operate in read-only mode + - Changed Postfix test, to check for mail_name value as well + - Changed GPL line in script which said GPL v2 + - Extended README + - Show latest update version, if available, at the end of the screen output + - Lots of code cleanup (see Development) + - Some log improvements + - Changed date notation in changelog to preferred European format (with dots + instead of slashes) + + Development: + - New function (ShowResult) to avoid repeating the same result line + within the script for standard status values + - Moved program consts to file (include/consts) + - Moved functions to file (include/functions) + - Moved OS detection to file (include/osdetection) + - Added NEVERBREAK to avoid user input (cronjob support) + + -- + + * 1.0.4 (2007-11-27) + + New: + - Test: query real system users (FreeBSD/Linux) + - Added PID file usage, to warn for unclean program states. 
+ - Added SSHd version test + + Changes: + - Updated documentation + - Changed sticky bit test (/tmp), to skip symlinks + - Changed /etc/motd test, to skip symlinks + - More code cleanup + - Logging extended and improved + - Screen output slightly changed + + -- + + * 1.0.3 (2007-11-19) + + New: + - Added check for sockstat + - Test: added test for GRUB and password option + - Test: query listening ports (sockstat) + + Changes: + - Fixed NTPd check (bug) + - Extended help for 'double installed package' check (BSD systems, pkg_info) + - Extended Debian kernel update check + - Improved OpenBSD support + - Improved Linux specific detection support (Cobalt, CPU Builders, Debian, + E-Smith, Slackware, SuSE/OpenSuSE, Turbo Linux, Yellowdog and others) + - Improved screen output + - Extended logging, with status/impact flags + - [Bugfix] chkconfig test improved + - [Bugfix] Fixed sticky bit test at Debian + - Extended documentation and changelog file + + -- + + * 1.0.2 (2007-11-15) + + New: + - Test: Added check for NTP daemon or client + - Test: file permissions (profile option) + - Added -Q (--quick) parameter, to run the program without needing user + input after every few sections. 
+ + Changes: + - Extended documentation (README file) and performed spell check + - Improved screen output (colors, parameter handling and display) + - Cleaned up source code and fixed some bad typos + - Added much more delimiter lines to logfile + - Added version numbers to logfile for used binaries/tools + - Updated list of parameters within Lynis help + + -- + + * 1.0.1 (2007-11-12) + + New: + - Test: check Exim configuration file location + - Test: added memory check (/proc/meminfo) + - Test: run grpck to check group files (if available) + - Test: boot option check for OpenBSD boot loader + - Test: check if pf (Software: firewall) is active + - Test: check LILO password + - Test: check presence of old distfiles (FreeBSD) + - Added check for binaries: httpd, kldstat, openssl, (s)locate + - Added version check for: exim, openssl + - Added -V (--version) parameter, to show version number + - Added breaks between tests + + Changes: + - [bug] Changed skel directory check + - Fixed display Apache configuration file + + -- + + * 1.0.0 (2007-11-08) + + New: + - Support for CentOS (Tested: 5 Final) + - Support for Debian (Tested: 4.0) + - Support for FreeBSD (Tested: 6.2) + - Support for Mac OS X (Tested: 10.4) + - Test: Apache (ServerTokens option) + - Test: PHP (expose_php option) + - Test: Postfix (smtpd_banner option) + - Test: check valid shells + - Test: query pkg_info/RPM based systems + - Test: query pkg_info for double installed packages + - Test: query chkprintcap (FreeBSD) + - Test: scan binary directories + - Test: check administrator accounts + - Test: check permissions /etc/motd + - Test: read nameservers from /etc/resolv.conf + - Test: query nameservers and test connectivity + - Test: check promiscuous interfaces (FreeBSD) + - Test: check sticky bit on /tmp directory + - Test: check debian.org security brance in /etc/apt/sources.list + - Test: check kernel update on Debian + - Test: query default Linux run level + - Test: query chkconfig to see which 
services start at boot + - Test /etc/COPYRIGHT banner check for FreeBSD + - Support for program parameters + - Builtin integrity checks + - Color enhanced output for readability + - Support for profiles/templates + - Report file creation (for reporting/monitoring) + - Extended logfile creation (with system suggestions) + - Added lynis.spec file for RPM creation + - Created project page at website + - Added documentation (README), ToDo list (TODO) + - Man page lynis(8) + + Changes: + - No changes + + Bugfixes: + - No bugfixes + + +================================================================================ + Lynis - Copyright 2007-2013, Michael Boelen - The Netherlands + http://www.rootkit.nl diff --git a/CONTRIBUTORS b/CONTRIBUTORS new file mode 100644 index 00000000..e4123e1e --- /dev/null +++ b/CONTRIBUTORS @@ -0,0 +1,27 @@ + +================================================================================ + + Lynis - CONTRIBUTIONS + +================================================================================ + + The Lynis project is very thankful for the following individuals who + contributed to the project by reporting issues or sending in patches. + +================================================================================ + + +[+] Patches, bug fixes and suggestions +------------------------------------------ + + Brian Ginsbach + C.J. Adams-Collier, US + Dave Vehrs + Steve Bosek, France + Thomas Siebel, Germany + + + +================================================================================ + Lynis - Copyright 2007-2014, Michael Boelen - The Netherlands + http://cisofy.com diff --git a/FAQ b/FAQ new file mode 100644 index 00000000..e8dcb244 --- /dev/null +++ b/FAQ 
@@ -0,0 +1,92 @@ + +================================================================================ + + Lynis - Frequently Asked Questions + +================================================================================ + + Author: Michael Boelen (michael@rootkit.nl) + Description: Security and system auditing tool + Website: http://cisofy.com/lynis/ + http://www.rootkit.nl/projects/lynis.html + Development start: May 2007 + Support policy: See section 'Support' (README file) + Documentation: See web site, README, FAQ and CHANGELOG file + +================================================================================ + +[+] General +------------------------------- + + Q: I don't understand the program (output), what to do? + A: Keep reading this FAQ, then continue with reading the README file, followed + by the log file (default: /var/log/lynis.log). After those sources, check + the documentation on the website. + + Q: I can't find any configuration file for Lynis, where is it? + A: There isn't one (currently), since all options are available as command + parameters. Specific options to control the audit/security scan can be set + or adjusted by changing the 'profile' file you are using (don't use + default.prf for your own custom options, but make a copy of it). + + Q: Why is there no port/package for my operating system? + A: Because there is no maintainer for it yet. If you have the time to keep + the port/package current for your preferred operating system, fill in the + contact form to notify me and confirm no one else is working on it. + + Q: What to do with the report files? + A: The output could be used for monitoring (baseline checks). For user of the + Lynis Enterprise Suite, they will be used to upload data. + + + +[+] Usage problems +------------------------------- + Q: Lynis hangs while testing the group files (grpck) + A: Run the grpck command manually. It will most likely need user input, to + repair incorrect groups. 
+ + Q: Lynis doesn't display all messages on a white background + A: White text is used for general (and important) messages. Most terminals + have a dark background, so it gives extra attention to the message. However + if you have a white background (for example Mac OS X), you can run Lynis + with --no-colors to strip colors or --reverse-colors to reverse the color + scheme. Another option is to change your terminal colors within Mac OS. + + Q: Some tests take very long to finish, what to do? + A: Use a second console (or connection) and check the output of ps/lsof etc, + to see the status of the active subroutine. If a specific test hangs for a + very long time, try to kill that specific process (ie grpck) and see if + Lynis continues. Afterwards, run the command manually to see the cause. + Check the log file for additional information, when possible. + + Q: When running Lynis, it shows me the usage help even while using correct + parameters, why? + A: This can happen with alternative shells. Try using a different shell to + invoke Lynis (example: bash lynis -c). + + Q: One or more tests are giving incorrect output. How to solve that? + A: Check the log file. If that also has incorrect data, fill in the contact + form and describe the issue. + + Q: The program takes long to complete and also uses too much resources. Can it + be tuned? + A: The time it takes to complete is depends on the amount of tests to run. + However the resources it take can be slighty lowered by increasing the + pause_between_tests profile option. Keep in mind this increases the total + length of the scan to complete. + + + +[+] Network related issues +------------------------------- + + Q: Lynis reports promiscuous interfaces, but they are needed for normal operation, + how can I hide this warning? + A: Whitelist the interface in the profile file (if_promisc). 
+ + + +================================================================================ + Lynis - Copyright 2007-2014, Michael Boelen - The Netherlands + http://cisofy.com diff --git a/INSTALL b/INSTALL new file mode 100644 index 00000000..5d22e73a --- /dev/null +++ b/INSTALL @@ -0,0 +1,49 @@ + +================================================================================ + + Lynis - Installation instructions + +================================================================================ + + Author: Michael Boelen (michael@rootkit.nl) + Description: Security and system auditing tool + Web site: http://www.rootkit.nl/projects/lynis.html + Support policy: See section 'Support' + Documentation: See web site, README, FAQ and CHANGELOG file + +================================================================================ + + +[+] Run directly +------------------------------- + + Lynis can be executed directly (unpack tarball, enter lynis directory). + + # sh lynis + or + # ./lynis + + Make sure you have root privileges. + + + +[+] Installation +------------------------------- + + If you want to install Lynis, see the README file (section: Installation) for + more tips about how to install or create a custom package. + + + +[+] Documentation +------------------------------- + + Documentation about Lynis can be found in the man page (man lynis, or + lynis --man-page), README file and website. Also the FAQ file covers some + often asked questions. + + + +================================================================================ + Lynis - Copyright 2007-2014, Michael Boelen - The Netherlands + http://cisofy.com diff --git a/LICENSE b/LICENSE new file mode 100644 index 00000000..94a9ed02 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/README b/README new file mode 100644 index 00000000..d1b0ea14 --- /dev/null +++ b/README 
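Review bot: in the "How to Apply These Terms to Your New Programs" tail, the rendered hunk shows `Copyright (C)` and `If not, see .` with nothing after them, and the closing "please read ." likewise ends in nothing; confirm the committed LICENSE still carries the upstream placeholders (`<year> <name of author>`, `<http://www.gnu.org/licenses/>`, `<http://www.gnu.org/philosophy/why-not-lgpl.html>`) and that the angle-bracketed text was only dropped by the rendering, otherwise the header template shipped with the project is unusable as written. The rest of the hunk is the verbatim GPLv3 text, which is what the README's "GPL v3" statement requires.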
@@ -0,0 +1,136 @@ + +================================================================================ + + Lynis - README + +================================================================================ + + Author: Michael Boelen (michael@rootkit.nl) + Description: Security and system auditing tool + Web site: http://cisofy.com/lynis/ + http://www.rootkit.nl/projects/lynis.html + Development start: May 2007 + Support policy: See section 'Support' + Documentation: See web site, README, FAQ and CHANGELOG file + +================================================================================ + + + == Web site contains up-to-date documentation == + + See http://www.rootkit.nl/files/lynis-documentation.html + + +[+] Introduction +------------------------------- + + Lynis is an auditing tool which tests and gathers (security) information from + Unix based systems. The audience for this tool are security and system + auditors, network specialists and system maintainers. + + Some of the (future) features and usage options: + - System and security audit checks + - File Integrity Assessment + - System and file forensics + - Usage of templates/baselines (reporting and monitoring) + - Extended debugging features + + Everyone is free to use Lynis under the conditions of the GPL v3 license (see + LICENSE file). + + ======================== + Quick facts + ======================== + - Name: Lynis + - Type: audit, security, forensics tool + - License: GPL v3 + - Language: Shell script + - Author: Michael Boelen + - Web site: http://www.rootkit.nl + - Required permissions: root or equivalent + - Other requirements: write access to /var/log and /tmp + + + +[+] Installation +------------------------------- + + Lynis doesn't have to be installed, so it can be used directly from a + (removable) disk. If you want the program to be installed, use one of the + following methods: + + - Create a custom directory (ie. 
/usr/local/lynis) and unpack the tarball + (tar xfvz lynis-version.tar.gz) into this directory. + - Create a RPM package by using the lynis.spec file (see web site) + run 'rpmbuild -ta lynis-version.tar.gz' (= build RPM package) + run 'rpm -ivh ' (= install RPM package) + + See online documentation for detailed instructions. + + +[+] Supported systems +------------------------------- + + Since the complexity of auditing different systems and platforms, Lynis is + developed on BSD and Linux. + + This tool is tested or confirmed to work with at least: + AIX, Linux, FreeBSD, OpenBSD, Mac OS X, Solaris. See website for the full + list of tested operating systems. + + + +[+] Usage +------------------------------- + + See online documentation for more information about using Lynis. + + + +[+] Development +------------------------------- + + If you have input to improve Lynis, let me know via the contact details (e-mail). + + +[+] Support +------------------------------- + + Lynis is tested on the most common operating systems. The documentation (README, + FAQ) and the debugging information in the log file should cover most questions and + problems. Bugs can be reported by filling in the contact form at rootkit.nl, or by + sending an e-mail. + + NOTE: User related questions should not be asked via the contact form. Read the + documentation, the website resources and the log file for answers to common problems. + + Commercial support is available under strict conditions and depends on the request. + For more information fill in the contact form and describe what kind of service is + requested. + + + +[+] Upgrade to Lynis Enterprise +------------------------------- + + Individuals and companies which use this software for more than 10 systems, should + consider the value of this tool. Get the Lynis Enterprise Suite, to support the + development of open source software. 
+ + + +[+] Thanks +------------------------------- + + Thanks to the community for using and supporting open source software and my tools + in particular. Many comments, bugs/patches and questions are the key to success + and motivation in developing tools like this. + + A special thanks to anyone who donated a book or valuable suggestions in the past! + + + + +================================================================================ + Lynis - Copyright 2007-2014, Michael Boelen - The Netherlands + http://cisofy.com diff --git a/db/fileperms.db b/db/fileperms.db new file mode 100644 index 00000000..a4bbcf18 --- /dev/null +++ b/db/fileperms.db @@ -0,0 +1,19 @@ +#version=2008053000 +# +# Field definitions +# =============================== +# 1) file | dir +# 2) file name +# 3) file permissions +# 4) file owner +# 5) file group owner +# 6) operating system, or systems +# 7) operating system special +# 8) +# +#================================================== +file:/etc/group:644:root:root:Linux: +file:/etc/gshadow:400:root:root:Linux: +file:/etc/passwd:644:root:root:Linux: +file:/etc/shadow:400:root:root:Linux: + diff --git a/db/hints.db b/db/hints.db new file mode 100644 index 00000000..1504cb30 --- /dev/null +++ b/db/hints.db @@ -0,0 +1,2 @@ +#version=20091015 +100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: \ No newline at end of file diff --git a/db/integrity.db b/db/integrity.db new file mode 100644 index 00000000..421d8196 --- /dev/null +++ b/db/integrity.db @@ -0,0 +1,3 @@ +#version=2008062800 +#binary:string:|NOT: +ifconfig:PROMISC:: diff --git a/db/malware-susp.db b/db/malware-susp.db new file mode 100644 index 00000000..5c6ace24 --- /dev/null +++ b/db/malware-susp.db @@ -0,0 +1,4 @@ +#version=2009101500 +vuln.txt::: +crack*::: +exploit*::: \ No newline at end of file diff --git a/db/malware.db b/db/malware.db new file mode 100644 index 00000000..7844f1f3 --- /dev/null +++ b/db/malware.db 
@@ -0,0 +1,44 @@ +#version=2008062700 +/bin/.log:::Apache worm::: +/bin/.login:::Login backdoor::: +/tmp/.../r:::W55808A::: +/tmp/.../a:::W55808A::: +/usr/share/.aPa:::APAKIT +/usr/lib/.ark?:::ARK::: +/dev/ptyxx/.log:::ARK::: +/dev/ptyxx/.file:::ARK::: +/usr/sbin/arobia:::Beastkit::: +/usr/sbin/idrun:::Beastkit::: +/usr/lib/elm/arobia/elm:::Beastkit::: +/usr/lib/elm/arobia/elm/hk:::Beastkit::: +/usr/lib/elm/arobia/elm/hk.pub:::Beastkit::: +/usr/lib/elm/arobia/elm/sc:::Beastkit::: +/usr/lib/elm/arobia/elm/sd.pp:::Beastkit::: +/usr/lib/elm/arobia/elm/sdco:::Beastkit::: +/usr/lib/elm/arobia/elm/srsd:::Beastkit::: +/tmp/.cinik:::Cinik::: +/dev/mdev:::Dannyboy::: +/usr/lib/libX.a:::Dannyboy::: +/usr/bin/duarawkz/loginpass:::Duarawkz::: +/dev/dev/gaskit/sshd/sshdd:::Gaskit::: +/proc/knark/pids:::Knark::: +/var/lock/subsys/...datafile.../...datafile.../in.smbd.log:::Ohhara::: +/dev/.oz/.nap/rkit/terror:::Oz::: +/usr/man/man5/..%%/.dir/scannah/asus:::Shutdown::: +/usr/man/man5/..%%/.dir/see:::Shutdown::: +/usr/man/man5/..%%/.dir/nscd:::Shutdown::: +/usr/man/man5/..%%/.dir/alpd:::Shutdown::: +/etc/rc.d/rc.local%%:::Shutdown::: +/tmp/.a:::Scalper::: +/tmp/.uua:::Scalper::: +/tmp/.bugtraq:::Slapper::: +/tmp/.uubugtraq:::Slapper::: +/tmp/.bugtraq.c:::Slapper::: +/tmp/httpd:::Slapper::: +/tmp/.unlock:::Slapper::: +/tmp/update:::Slapper::: +/tmp/.cinik:::Slapper::: +/tmp/.b:::Slapper::: +/usr/man/.sman/sk:::Superkit::: +/usr/lib/.tbd:::TBD::: +/sbin/.login:::Login backdoor::: \ No newline at end of file diff --git a/db/sbl.db b/db/sbl.db new file mode 100644 index 00000000..323303b4 --- /dev/null +++ b/db/sbl.db @@ -0,0 +1,2 @@ +#version=2008052800 +php:5.2.5 \ No newline at end of file diff --git a/default.prf b/default.prf new file mode 100644 index 00000000..dd93b3f7 --- /dev/null +++ b/default.prf 
@@ -0,0 +1,293 @@ +################################################################################# +# +# Lynis scan profile +# +# This is the default profile and is used as a baseline when testing systems and +# applications. Since there are generally no "best" options, Lynis will assume +# some default values. +# +# All empty lines or with the # prefix will be skipped +# +# This is the default profile and contains default values. You are encouraged to +# copy this file and use it's base for custom audit profiles. +# +################################################################################# + +[configuration] +# Profile name, will be used as title/description +config:profile_name:Default Audit Template: + +# Number of seconds to pause between every test (0 is no pause) +config:pause_between_tests:0: + +# Show inline tips about the tool +config:show_tool_tips:1: + + +################################################################################# +# +# Testing options +# --------------- +# +################################################################################# + +# ** Scan type (how deep test has to be, light, normal or full) ** +# +# config:test_scan_mode:light|normal|full: + + +# ** Skip one or more specific tests ** +# (always ignores scan mode and will make sure the test is skipped) +# +# config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012: + + +# ** Define the role(s) of a machine ** +# Values: desktop|server (default: server) +# +#config:machine_role:server: + + +################################################################################# +# +# Plugins +# --------------- +# Define which plugins are enabled (nothing happens if plugin isn't available) +# +################################################################################# +# plugin=security_malware +# plugin=security_rootkit +# plugin=fileperms +plugin=docker +plugin=file-integrity +plugin=files +plugin=filesystems +plugin=firewalls +plugin=processes +plugin=software 
+plugin=system-integrity + +################################################################################# +# +# Sysctl options +# --------------- +# sysctl::::: +# +# Sysctl key = name +# Expected value = value of sysctl key +# Hardening points = Number of hardening points. For most keys 1 HP will be suitable +# Description = Text description of key +# +################################################################################# + +[processes] +#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value: +sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups: +sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users: + +[kernel] +sysctl:kern.sugid_coredump:0:1:XXX: +sysctl:kernel.core_setuid_ok:0:1:XXX: +sysctl:kernel.core_uses_pid:1:1:XXX: +sysctl:kernel.ctrl-alt-del:0:1:XXX: +sysctl:kernel.exec-shield-randomize:1:1:XXX: +sysctl:kernel.exec-shield:1:1:XXX: +sysctl:kernel.sysrq:0:1:Disable magic SysRQ: +sysctl:kernel.use-nx:0:1:XXX: + +[network] +sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address: +sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: +sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: +sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing: +sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic: +sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic: +sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: +sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects: +sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing: 
+sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets: +sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing: +sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source: +sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing: +sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets: +sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets: +sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing: +sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source: +sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address: +sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore +#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic: +sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack: +sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps: +sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects: +sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: +sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: + +[security] +#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level: +#security.jail.jailed: 0 +#security.jail.jail_max_af_ips: 255 +#security.jail.mount_allowed: 0 +#security.jail.chflags_allowed: 0 +#security.jail.allow_raw_sockets: 0 +#security.jail.enforce_statfs: 2 +#security.jail.sysvipc_allowed: 0 +#security.jail.socket_unixiproute_only: 1 
+#security.jail.set_hostname_allowed: 1 +#security.bsd.suser_enabled: 1 +#security.bsd.unprivileged_proc_debug: 1 +#security.bsd.conservative_signals: 1 +#security.bsd.unprivileged_read_msgbuf: 1 +#security.bsd.hardlink_check_gid: 0 +#security.bsd.hardlink_check_uid: 0 +#security.bsd.unprivileged_get_quota: 0 + + + +################################################################################# +# +# Apache options +# columns: (1)apache : (2)option : (3)value +# +################################################################################# + +apache:ServerTokens:Prod: + + +################################################################################# +# +# OpenLDAP options +# columns: (1)openldap : (2)file : (3)option : (4)expected value(s) +# +################################################################################# + +openldap:slapd.conf:permissions:640-600: +openldap:slapd.conf:owner:ldap-root: + + +################################################################################# +# +# SSL certificates +# +################################################################################# + +# Locations where to search for SSL certificates +ssl:certificates:/etc/pki /etc/ssl /usr/local/share/ca-certificates /var/www: + + +################################################################################# +# +# NTP options +# +################################################################################# + +# Ignore some stratum 16 hosts (for example when running as time source itself) +#ntp:ignore_stratum_16_peer:127.0.0.1: +#ntp:ignore_stratum_16_peer:1.2.3.4: + + +################################################################################# +# +# File/directories permissions (currently not used yet) +# +################################################################################# + +# Scan for exact file name match +#[scanfiles] +#scanfile:/etc/rc.conf:FreeBSD configuration: + +# Scan for exact directory name match +#[scandirs] 
+#scandir:/etc:/etc directory: + + +################################################################################# +# +# permfile +# --------------- +# permfile:file name:file permissions:owner:group:action: +# Action = NOTICE or WARN +# Examples: +# permfile:/etc/test1.dat:600:root:wheel:NOTICE: +# permfile:/etc/test1.dat:640:root:-:WARN: +# +################################################################################# + +#permfile:/etc/inetd.conf:rw-------:root:-:WARN: +#permfile:/etc/fstab:rw-r--r--:root:-:WARN: +permfile:/etc/lilo.conf:rw-------:root:-:WARN: + + +################################################################################# +# +# permdir +# --------------- +# permdir:directory name:file permissions:owner:group:action when permissions are different: +# +################################################################################# + +permdir:/root/.ssh:rwx------:root:-:WARN: + +# Scan for a program/binary in BINPATHs +#scanbinary:Rootkit Hunter:rkhunter: + + +################################################################################# +# +# Audit customizing +# ----------------- +# +# Most options can contain 'yes' or 'no'. 
+# +################################################################################# + +# Amount of connections in WAIT state before reporting it as a warning +#config:connections_max_wait_state:50: + +# Skip security repository check for Debian based systems +#config:debian_skip_security_repository:yes: + +# Debug mode (for debugging purposes, extra data logged to screen) +#config:debug:yes: + +# Skip the FreeBSD portaudit test +#config:freebsd_skip_portaudit:yes: + +# Ignore some specific home directories +# One directory per line; directories will be skipped for home directory specific +# checks, like file permissions, SSH and other configuration files +#config:ignore_home_dir:/home/user: + +# Do not log tests with another guest operating system (default: yes) +#config:log_tests_incorrect_os:no: + +# Define if available NTP daemon is configured as a server or client on the network +# values: server or client (default: client) +#config:ntpd_role:client: + +# Allow promiscuous interfaces +#
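Review bot: The Quick facts list in the README hunk requires "root or equivalent" plus "write access to /var/log and /tmp" but says nothing about how files in /tmp are created. A root process writing predictable names into a world-writable directory is exposed to symlink and pre-creation races, so the README should state that temporary files are created with unique names and restrictive permissions (or that the temp directory can be pointed elsewhere), ideally next to the requirements line. Minor wording in the same hunk: "Since the complexity of auditing different systems" reads better as "Because of the complexity of auditing different systems".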
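Review bot: The four records in the fileperms.db hunk fix /etc/shadow and /etc/gshadow at 400:root:root with "Linux" as the operating system, yet Debian-family systems ship /etc/shadow as 0640 root:shadow and recent RHEL-family systems as 0000 root:root, so an exact match will flag correctly configured hosts of both families. Either carry per-distribution expectations in column 7 ("operating system special") or treat the listed mode as a ceiling (no permission bits beyond the listed ones) rather than an exact value. The header comment also numbers a field 8 without naming it; document it or remove the column.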
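Review bot: The record "/usr/share/.aPa:::APAKIT" in the malware.db hunk lacks the trailing ":::" that every other record carries, so a reader that splits on ":" and indexes fixed positions will see a different field count for this one line; add the separators. "/tmp/.cinik" is listed twice (as Cinik and as Slapper), which yields two findings for one file; keep a single record and name both families in its description if needed. Unlike fileperms.db, this file only has a version header; add a field-definition comment so later additions keep the same layout.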
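Review bot: In the [network] section of the default.prf hunk, net.ipv4.conf.all.forwarding and net.ipv4.conf.all.mc_forwarding carry the description "Disable IP source routing", copied from the accept_source_route entries; these keys govern unicast and multicast forwarding, so the description should say that, and since the commented-out net.ipv4.ip_forward line checks the same behaviour, decide which of the two to keep. The net.ipv4.icmp_ignore_bogus_error_responses record ends at "Ignore" with no closing colon, so its description is truncated and the record is one field short. The net.inet.udp.blackhole description "Do not sent RST but drop traffic" is wrong for UDP, where a closed port is answered with ICMP port unreachable rather than RST; "sent" should also be "send" in both blackhole lines, and "packages" should be "packets" in the two log_martians lines. In [kernel], seven entries still have the placeholder description "XXX"; fill these in before release, and while doing so confirm that kernel.use-nx:0 is really the hardened expectation, since the exec-shield keys beside it expect 1. In the file header, "use it's base" should read "use it as the base".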