tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-28 08:14:10 +02:00
Code Issues Packages Projects Releases Wiki Activity

[FILE-6374] corrected defaults flag, added root directory, and changed logging

Browse Source
This commit is contained in:
Michael Boelen 2019-09-12 16:34:45 +02:00
parent b7445e8d64
commit ca0239b4d9
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
include/tests_filesystems
View File

@ -566,7 +566,7 @@
FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid" FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid"
Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking partitions mount options" Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking partitions mount options"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then if [ -f ${ROOTDIR}etc/fstab ]; then
for I in ${FILESYSTEMS_TO_CHECK}; do for I in ${FILESYSTEMS_TO_CHECK}; do
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d: -f1) FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d: -f1)
EXPECTED_FLAGS=$(echo ${I} | ${CUTBINARY} -d: -f2 | ${SEDBINARY} 's/,/ /g') EXPECTED_FLAGS=$(echo ${I} | ${CUTBINARY} -d: -f2 | ${SEDBINARY} 's/,/ /g')
@ -578,7 +578,8 @@
fi fi
fi fi
if [ -n "${FS_FSTAB}" ]; then if [ -n "${FS_FSTAB}" ]; then
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') # In awk using caret/circumflex as first character between brackets, means 'not' (instead of beginning of line)
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
LogText "File system: ${FILESYSTEM}" LogText "File system: ${FILESYSTEM}"
LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Expected flags: ${EXPECTED_FLAGS}"
LogText "Found flags: ${FOUND_FLAGS}" LogText "Found flags: ${FOUND_FLAGS}"
@ -595,26 +596,27 @@
fi fi
done done
if [ ${FULLY_HARDENED} -eq 1 ]; then if [ ${FULLY_HARDENED} -eq 1 ]; then
LogText "Result: marked ${FILESYSTEM} as fully hardenened" LogText "Result: marked ${FILESYSTEM} as fully hardened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
AddHP 5 5 AddHP 5 5
elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
LogText "Result: marked ${FILESYSTEM} as fully hardenened" LogText "Result: marked ${FILESYSTEM} as partially hardened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
AddHP 4 5 AddHP 4 5
else else
if [ "${FOUND_FLAGS}" = "defaults" ]; then # if
LogText "Result: marked ${FILESYSTEM} options as default (non hardened)" if ContainsString "defaults" "${FOUND_FLAGS}"; then
LogText "Result: marked ${FILESYSTEM} options as default (not hardened)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW
AddHP 3 5 AddHP 3 5
else else
LogText "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)" LogText "Result: marked ${FILESYSTEM} options as non-default (unclear about hardening)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW
AddHP 4 5 AddHP 4 5
fi fi
fi fi
else else
LogText "Result: file system ${FILESYSTEM} not found in /etc/fstab" LogText "Result: file system ${FILESYSTEM} not found in ${ROOTDIR}etc/fstab"
fi fi
done done
fi fi