mirror of https://github.com/CISOfy/lynis.git
Merge branch 'master' into master
e75a7b9547
@ -0,0 +1,7 @@
|
|||
# See: https://editorconfig.org/
|
||||
|
||||
root = true
|
||||
|
||||
[*]
|
||||
indent_style = space
|
||||
indent_size = 4
|
33
CHANGELOG.md
33
CHANGELOG.md
|
@ -3,11 +3,42 @@
|
|||
## Lynis 3.1.2 (not released yet)
|
||||
|
||||
### Added
|
||||
- Detection of ALT Linux
|
||||
- Detection of Athena OS
|
||||
- Detection of Container-Optimized OS from Google
|
||||
- Detection of Koozali SME Server
|
||||
- Detection of Nobara Linux
|
||||
- Detection of Open Source Media Center (OSMC)
|
||||
- Detection of PostmarketOS
|
||||
- CRYP-7932 - macOS FileVault encryption test
|
||||
- FILE-6398 - Check if JBD (Journal Block Device) driver is loaded
|
||||
- FINT-4344 - Wazuh system running state
|
||||
- PKGS-7305 - Query macOS Apps in /Applications and CoreServices
|
||||
- File added: .editorconfig, which is used by editors to standardize formatting
|
||||
|
||||
### Changed
|
||||
- Correction of software EOL database and inclusion of AIX entries
|
||||
- Correction of software EOL database and inclusion of AIX entries
|
||||
- Support sysctl value perf_event_paranoid -> 2|3
|
||||
- Update of Turkish translation
|
||||
- Grammar and spell improvements
|
||||
- Improved package detection on Alpine Linux
|
||||
- Slackware support to check installed packges (functionPackageIsInstalled())
|
||||
- Added words prosecute/report to LEGAL_BANNER_STRINGS
|
||||
- Busybox support: Replace newer tr command syntax with older ascii specific operations
|
||||
- Added Wazuh as a malware scanner/antivirus and rootkit detection tool
|
||||
- AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc)
|
||||
- CONT-8104 - Checking for errors, not only warning in docker info output
|
||||
- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD
|
||||
- FILE-6344 - Test kernel version (major/minor)
|
||||
- KRNL-5622 - Use systemctl get-default instead of following link
|
||||
- LOGG-2144 - Check for wazuh-agent presence on Linux systems
|
||||
- MACF-6234 - Test if semanage binary is available
|
||||
- MALW-3200 - ESET Endpoint Antivirus added
|
||||
- MALW-3280 - McAfee Antivirus for Linux deprecated
|
||||
- MALW-3291 - Check if Microsoft Defender Antivirus is installe
|
||||
- NETW-3200 - Added regex to allow both /bin/true as /bin/false
|
||||
- PKGS-7303 - Added version numbers to brew packages
|
||||
- PKGS-7370 - Cron job check for debsums improved
|
||||
|
||||
---------------------------------------------------------------------------------
|
||||
|
||||
@ -106,3 +106,4 @@ STATUS_WARNING="Xəbərdarlıq"
|
|||
STATUS_YES="Bəli"
|
||||
TEXT_UPDATE_AVAILABLE="yeniləmə mövcud"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="qeydləri gönderib kömek eyleyin"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -107,3 +107,4 @@ STATUS_WARNING="警告"
|
|||
STATUS_YES="是"
|
||||
TEXT_UPDATE_AVAILABLE="有可以更新的版本"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="你可以通过记录日志来帮忙"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WEAK="SVAG"
|
|||
STATUS_YES="JA"
|
||||
TEXT_UPDATE_AVAILABLE="opdatering tilgængelig"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WEAK="SCHWACH"
|
|||
STATUS_YES="JA"
|
||||
TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -63,6 +63,7 @@ SECTION_USB_DEVICES="USB Devices"
|
|||
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
|
||||
SECTION_VIRTUALIZATION="Virtualization"
|
||||
SECTION_WEBSERVER="Software: webserver"
|
||||
SECTION_KERBEROS="Kerberos"
|
||||
STATUS_ACTIVE="ACTIVE"
|
||||
STATUS_CHECK_NEEDED="CHECK NEEDED"
|
||||
STATUS_DEBUG="DEBUG"
|
||||
@ -107,3 +107,4 @@ STATUS_WEAK="DÉBIL"
|
|||
STATUS_YES="SÍ"
|
||||
TEXT_UPDATE_AVAILABLE="Actualización disponible"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Puedes ayudar compartiendo tu archivo de registro"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WARNING="VAROITUS"
|
|||
STATUS_YES="KYLLÄ"
|
||||
TEXT_UPDATE_AVAILABLE="päivitys saatavilla"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Voit auttaa toimittamalla lokitiedoston"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WEAK="FAIBLE"
|
|||
STATUS_YES="OUI"
|
||||
TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WARNING="ΠΡΟΣΟΧΗ"
|
|||
STATUS_YES="ΝΑΙ"
|
||||
TEXT_UPDATE_AVAILABLE="διαθέσιμη ενημέρωση"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Μπορείτε να βοηθήσετε παρέχοντας το αρχείο καταγραφής"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WARNING="אזהרה"
|
|||
STATUS_YES="כן"
|
||||
TEXT_UPDATE_AVAILABLE="עדכון זמין"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="ניתן לעזור על ידי שליחת קובץ הלוג"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WARNING="FIGYELMEZTETÉS"
|
|||
STATUS_YES="IGEN"
|
||||
TEXT_UPDATE_AVAILABLE="frissítés elérhető"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -105,3 +105,5 @@ STATUS_WEAK="WEAK"
|
|||
STATUS_YES="YES"
|
||||
TEXT_UPDATE_AVAILABLE="update tersedia"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Anda dapat membantu dengan memberikan file log Anda"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
#STATUS_NOT_ACTIVE="NOT ACTIVE"
|
||||
@ -106,3 +106,4 @@ STATUS_WEAK="DEBOLE"
|
|||
STATUS_YES="SI"
|
||||
TEXT_UPDATE_AVAILABLE="aggiornamento disponibile"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WARNING="警告"
|
|||
STATUS_YES="はい"
|
||||
TEXT_UPDATE_AVAILABLE="アップデートが利用可能"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WEAK="취약"
|
|||
STATUS_YES="예"
|
||||
TEXT_UPDATE_AVAILABLE="업데이트 가능"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WARNING="ADVARSEL"
|
|||
STATUS_YES="JA"
|
||||
TEXT_UPDATE_AVAILABLE="oppdatering tilgjengelig"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Du kan bidra ved å laste opp din loggfil"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WEAK="ZWAK"
|
|||
STATUS_YES="JA"
|
||||
TEXT_UPDATE_AVAILABLE="update beschikbaar"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_NOT_ACTIVE="NOT ACTIVE"
|
|||
#STATUS_YES="YES"
|
||||
#TEXT_UPDATE_AVAILABLE="update available"
|
||||
#TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WARNING="ATENÇÃO"
|
|||
STATUS_YES="SIM"
|
||||
TEXT_UPDATE_AVAILABLE="Atualização disponível"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Você pode ajudar fornecendo seu arquivo de log"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WEAK="СЛАБЫЙ"
|
|||
STATUS_YES="ДА"
|
||||
TEXT_UPDATE_AVAILABLE="доступно обновление"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь, предоставив ваш лог-файл"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WARNING="VARNING"
|
|||
STATUS_YES="JA"
|
||||
TEXT_UPDATE_AVAILABLE="uppdatering tillgänglig"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjälpa till genom att bidra med din loggfil"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -106,3 +106,4 @@ STATUS_WARNING="VAROVANIE"
|
|||
STATUS_YES="ÁNO"
|
||||
TEXT_UPDATE_AVAILABLE="aktualizácia k dispozícii"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Môžete pomôcť poskytnutím log súboru"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
173
db/languages/tr
173
db/languages/tr
|
@ -1,108 +1,109 @@
|
|||
ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmamış"
|
||||
ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmamış"
|
||||
GEN_CHECKING="Kontrol ediyor"
|
||||
GEN_CURRENT_VERSION="Mevcut Sürüm"
|
||||
ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmadı"
|
||||
ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmadı"
|
||||
GEN_CHECKING=" Denetleniyor"
|
||||
GEN_CURRENT_VERSION="Geçerli sürüm"
|
||||
GEN_DEBUG_MODE="Hata ayıklama modu"
|
||||
GEN_INITIALIZE_PROGRAM="Program başlatılıyor"
|
||||
GEN_LATEST_VERSION="Son sürüm"
|
||||
GEN_PHASE="faz"
|
||||
GEN_PLUGINS_ENABLED="Yapılandırılmış eklentiler"
|
||||
GEN_UPDATE_AVAILABLE="güncelleme mevcut"
|
||||
GEN_VERBOSE_MODE="Detay modu"
|
||||
GEN_LATEST_VERSION="En son sürüm"
|
||||
GEN_PHASE="evre"
|
||||
GEN_PLUGINS_ENABLED="Etkinleştirilen eklentiler"
|
||||
GEN_UPDATE_AVAILABLE="güncelleme var"
|
||||
GEN_VERBOSE_MODE="Ayrıntılı mod"
|
||||
GEN_WHAT_TO_DO="Yapılması gerekenler"
|
||||
NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai durumlar ve bilgiler bulundu"
|
||||
NOTE_EXCEPTIONS_FOUND="İstisnalar bulundu"
|
||||
NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha detaylı testler içermektedir ve tamamlanmaları uzun sürebilir"
|
||||
NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai olaylar veya bilgiler bulundu"
|
||||
NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha kapsamlı testlere sahiptir ve tamamlanması birkaç dakika sürebilir"
|
||||
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Yetkisiz çalışma nedeniyle atlanan testler"
|
||||
#SECTION_ACCOUNTING="Accounting"
|
||||
#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
|
||||
#SECTION_BASICS="Basics"
|
||||
#SECTION_BOOT_AND_SERVICES="Boot and services"
|
||||
#SECTION_CONTAINERS="Containers"
|
||||
#SECTION_CRYPTOGRAPHY="Cryptography"
|
||||
SECTION_ACCOUNTING="Hesaplama"
|
||||
SECTION_BANNERS_AND_IDENTIFICATION="Afişler ve tanımlama"
|
||||
SECTION_BASICS="Temel Bilgiler"
|
||||
SECTION_BOOT_AND_SERVICES="Önyükleme ve hizmetler"
|
||||
SECTION_CONTAINERS="Konteynerler"
|
||||
SECTION_CRYPTOGRAPHY="Kriptografi"
|
||||
SECTION_CUSTOM_TESTS="Özel testler"
|
||||
#SECTION_DATABASES="Databases"
|
||||
#SECTION_DATA_UPLOAD="Data upload"
|
||||
#SECTION_DOWNLOADS="Downloads"
|
||||
#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
|
||||
#SECTION_FILE_INTEGRITY="Software: file integrity"
|
||||
#SECTION_FILE_PERMISSIONS="File Permissions"
|
||||
#SECTION_FILE_SYSTEMS="File systems"
|
||||
#SECTION_FIREWALLS="Software: firewalls"
|
||||
#SECTION_GENERAL="General"
|
||||
#SECTION_HARDENING="Hardening"
|
||||
#SECTION_HOME_DIRECTORIES="Home directories"
|
||||
#SECTION_IMAGE="Image"
|
||||
#SECTION_INITIALIZING_PROGRAM="Initializing program"
|
||||
#SECTION_INSECURE_SERVICES="Insecure services"
|
||||
#SECTION_KERNEL_HARDENING="Kernel Hardening"
|
||||
#SECTION_KERNEL="Kernel"
|
||||
#SECTION_LDAP_SERVICES="LDAP Services"
|
||||
#SECTION_LOGGING_AND_FILES="Logging and files"
|
||||
SECTION_MALWARE="Kötücül yazılım"
|
||||
SECTION_MEMORY_AND_PROCESSES="Bellek ve Prosesler"
|
||||
#SECTION_NAME_SERVICES="Name services"
|
||||
#SECTION_NETWORKING="Networking"
|
||||
#SECTION_PERMISSIONS="Permissions"
|
||||
#SECTION_PORTS_AND_PACKAGES="Ports and packages"
|
||||
#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
|
||||
#SECTION_PROGRAM_DETAILS="Program Details"
|
||||
#SECTION_SCHEDULED_TASKS="Scheduled tasks"
|
||||
#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
|
||||
#SECTION_SHELLS="Shells"
|
||||
#SECTION_SNMP_SUPPORT="SNMP Support"
|
||||
#SECTION_SOFTWARE="Software"
|
||||
#SECTION_SQUID_SUPPORT="Squid Support"
|
||||
#SECTION_SSH_SUPPORT="SSH Support"
|
||||
#SECTION_STORAGE="Storage"
|
||||
#SECTION_SYSTEM_INTEGRITY="Software: System integrity"
|
||||
#SECTION_SYSTEM_TOOLING="Software: System tooling"
|
||||
#SECTION_SYSTEM_TOOLS="System tools"
|
||||
#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
|
||||
#SECTION_USB_DEVICES="USB Devices"
|
||||
#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
|
||||
#SECTION_VIRTUALIZATION="Virtualization"
|
||||
#SECTION_WEBSERVER="Software: webserver"
|
||||
#STATUS_ACTIVE="ACTIVE"
|
||||
#STATUS_CHECK_NEEDED="CHECK NEEDED"
|
||||
#STATUS_DEBUG="DEBUG"
|
||||
#STATUS_DEFAULT="DEFAULT"
|
||||
#STATUS_DIFFERENT="DIFFERENT"
|
||||
STATUS_DISABLED="ETKİSİZLEŞTİRİLMİŞ"
|
||||
SECTION_DATA_UPLOAD="Veri yükleme"
|
||||
SECTION_DATABASES="Veri tabanları"
|
||||
SECTION_DOWNLOADS="İndirilenler"
|
||||
SECTION_EMAIL_AND_MESSAGING="Yazılım: e-posta ve mesajlaşma"
|
||||
SECTION_FILE_INTEGRITY="Yazılım: dosya bütünlüğü"
|
||||
SECTION_FILE_PERMISSIONS="Dosya izinleri"
|
||||
SECTION_FILE_SYSTEMS="Dosya sistemleri"
|
||||
SECTION_FIREWALLS="Yazılım: güvenlik duvarları"
|
||||
SECTION_GENERAL="Genel"
|
||||
SECTION_HARDENING="Sıkılaştırma"
|
||||
SECTION_HOME_DIRECTORIES="Ev dizinleri"
|
||||
SECTION_IMAGE="Kalıp"
|
||||
SECTION_INITIALIZING_PROGRAM="Program başlatılıyor"
|
||||
SECTION_INSECURE_SERVICES="Güvensiz hizmetler"
|
||||
SECTION_KERNEL="Çekirdek"
|
||||
SECTION_KERNEL_HARDENING="Çekirdek Sıkılaştırma"
|
||||
SECTION_LDAP_SERVICES="LDAP Hizmetleri"
|
||||
SECTION_LOGGING_AND_FILES="Günlük kaydı ve dosyalar"
|
||||
SECTION_MALWARE="Yazılım: Kötü Amaçlı Yazılım"
|
||||
SECTION_MEMORY_AND_PROCESSES="Bellek ve Süreçler"
|
||||
SECTION_NAME_SERVICES="Ad hizmetleri"
|
||||
SECTION_NETWORKING="Ağ İletişimi"
|
||||
SECTION_PERMISSIONS="İzinler"
|
||||
SECTION_PORTS_AND_PACKAGES="Bağlantı noktaları ve paketler"
|
||||
SECTION_PRINTERS_AND_SPOOLS="Yazıcılar ve Biriktiriciler"
|
||||
SECTION_PROGRAM_DETAILS="Program Ayrıntıları"
|
||||
SECTION_SCHEDULED_TASKS="Zamanlanan görevler"
|
||||
SECTION_SECURITY_FRAMEWORKS="Güvenlik çerçeveleri"
|
||||
SECTION_SHELLS="Kabuklar"
|
||||
SECTION_SNMP_SUPPORT="SNMP Desteği"
|
||||
SECTION_SOFTWARE="Yazılım"
|
||||
SECTION_SQUID_SUPPORT="Squid Desteği"
|
||||
SECTION_SSH_SUPPORT="SSH Desteği"
|
||||
SECTION_STORAGE="Depolama"
|
||||
SECTION_SYSTEM_INTEGRITY="Yazılım: Sistem bütünlüğü"
|
||||
SECTION_SYSTEM_TOOLING="Yazılım: Sistem araçları"
|
||||
SECTION_SYSTEM_TOOLS="Sistem araçları"
|
||||
SECTION_TIME_AND_SYNCHRONIZATION="Zaman ve Eşzamanlama"
|
||||
SECTION_USB_DEVICES="USB Aygıtları"
|
||||
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Kullanıcılar, Gruplar ve Kimlik Doğrulama"
|
||||
SECTION_VIRTUALIZATION="Sanallaştırma"
|
||||
SECTION_WEBSERVER="Yazılım: web sunucusu"
|
||||
STATUS_ACTIVE=" ETKİN"
|
||||
STATUS_CHECK_NEEDED=" DENETİM GEREKLI"
|
||||
STATUS_DEBUG="HATA AYIKLAMA"
|
||||
STATUS_DEFAULT="ÖNTANIMLI"
|
||||
STATUS_DIFFERENT="FARKLI"
|
||||
STATUS_DISABLED="DEVRE DIŞI BIRAKILDI"
|
||||
STATUS_DONE="TAMAMLANDI"
|
||||
STATUS_ENABLED="ETKİNLEŞTİRİLMİŞ"
|
||||
STATUS_ENABLED="ETKİNLEŞTİRİLDİ"
|
||||
STATUS_ERROR="HATA"
|
||||
#STATUS_EXPOSED="EXPOSED"
|
||||
#STATUS_FAILED="FAILED"
|
||||
#STATUS_FILES_FOUND="FILES FOUND"
|
||||
STATUS_EXPOSED="AÇIKTA BIRAKILDI"
|
||||
STATUS_FAILED="BAŞARISIZ"
|
||||
STATUS_FILES_FOUND="DOSYALAR BULUNDU"
|
||||
STATUS_FOUND="BULUNDU"
|
||||
#STATUS_HARDENED="HARDENED"
|
||||
#STATUS_INSTALLED="INSTALLED"
|
||||
#STATUS_LOCAL_ONLY="LOCAL ONLY"
|
||||
#STATUS_MEDIUM="MEDIUM"
|
||||
STATUS_HARDENED="SIKILAŞTIRILDI"
|
||||
STATUS_INSTALLED="KURULU"
|
||||
STATUS_LOCAL_ONLY="YALNIZCA YEREL"
|
||||
STATUS_MEDIUM="ORTA"
|
||||
STATUS_NO="HAYIR"
|
||||
#STATUS_NON_DEFAULT="NON DEFAULT"
|
||||
STATUS_NO_UPDATE="GÜNCELLEME YOK"
|
||||
STATUS_NON_DEFAULT="ÖNTANIMLI OLMAYAN"
|
||||
STATUS_NONE="YOK"
|
||||
STATUS_NOT_ACTIVE="NOT ACTIVE"
|
||||
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
|
||||
#STATUS_NOT_DISABLED="NOT DISABLED"
|
||||
#STATUS_NOT_ENABLED="NOT ENABLED"
|
||||
STATUS_NOT_ACTIVE="ETKİN DEĞİL"
|
||||
STATUS_NOT_CONFIGURED="YAPILANDIRILMADI"
|
||||
STATUS_NOT_DISABLED="DEVRE DIŞI BIRAKILMADI"
|
||||
STATUS_NOT_ENABLED="ETKİNLEŞTİRİLMEDİ"
|
||||
STATUS_NOT_FOUND="BULUNAMADI"
|
||||
STATUS_NOT_RUNNING="ÇALIŞMIYOR"
|
||||
#STATUS_NO_UPDATE="NO UPDATE"
|
||||
STATUS_OFF="KAPALI"
|
||||
STATUS_OK="TAMAM"
|
||||
STATUS_ON="AÇIK"
|
||||
#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
|
||||
#STATUS_PROTECTED="PROTECTED"
|
||||
STATUS_PARTIALLY_HARDENED="KISMEN SIKILAŞTIRILDI"
|
||||
STATUS_PROTECTED="KORUMALI"
|
||||
STATUS_RUNNING="ÇALIŞIYOR"
|
||||
STATUS_SKIPPED="ATLANDI"
|
||||
STATUS_SUGGESTION="ÖNERİ"
|
||||
STATUS_UNKNOWN="BİLİNMİYOR"
|
||||
#STATUS_UNSAFE="UNSAFE"
|
||||
#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
|
||||
STATUS_UNSAFE="GÜVENLİ DEĞİL"
|
||||
STATUS_UPDATE_AVAILABLE="GÜNCELLEME VAR"
|
||||
STATUS_WARNING="UYARI"
|
||||
#STATUS_WEAK="WEAK"
|
||||
STATUS_WEAK="ZAYIF"
|
||||
STATUS_YES="EVET"
|
||||
TEXT_UPDATE_AVAILABLE="güncelleme mevcut"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Log dosyanızı göndererek yardımcı olabilirsiniz"
|
||||
TEXT_UPDATE_AVAILABLE="güncelleme var"
|
||||
TEXT_YOU_CAN_HELP_LOGFILE="Günlük dosyanızı göndererek yardımcı olabilirsiniz"
|
||||
#SECTION_KERBEROS="Kerberos"
|
||||
@ -276,6 +276,7 @@ MALW-3284:test:security:malware::Check for clamd:
|
|||
MALW-3286:test:security:malware::Check for freshclam:
|
||||
MALW-3288:test:security:malware::Check for ClamXav:
|
||||
MALW-3290:test:security:malware::Presence of malware scanner:
|
||||
MALW-3291:test:security:malware::Check for Microsoft Defender Antivirus:
|
||||
NAME-4016:test:security:nameservices::Check /etc/resolv.conf default domain:
|
||||
NAME-4018:test:security:nameservices::Check /etc/resolv.conf search domains:
|
||||
NAME-4020:test:security:nameservices::Check non default options:
|
||||
@ -144,6 +144,7 @@ plugin=software
|
|||
plugin=system-integrity
|
||||
plugin=systemd
|
||||
plugin=users
|
||||
plugin=krb5
|
||||
|
||||
# Disable a particular plugin (will overrule an enabled plugin)
|
||||
#disable-plugin=authentication
|
||||
|
@ -197,7 +198,7 @@ config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//k
|
|||
config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||
config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||
config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||
config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||
config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||
config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||
config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||
config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
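Review bot: The accepted value list on the new kernel.perf_event_paranoid line is `2|3|4`, while the CHANGELOG entry in this same commit says the profile now supports `2|3`; one of the two should be brought in line so the documented behaviour matches what the profile enforces. Upstream kernel documentation describes 2 as the level that already blocks unprivileged use of perf_event_open(); 3 is a distribution/hardening patch value and I am not aware of a kernel that emits 4, so please confirm 4 is really observed before accepting it. Whichever list stays, a comment on the line would help the next reader, e.g. `# 2 is the strictest upstream level; 3 (and 4) only exist on patched distribution kernels`. This assumes the sysctl comparison code handles `|`-separated alternatives, which this page does not show.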
|
||||
@ -196,6 +196,8 @@
|
|||
iptables-save) IPTABLESSAVEBINARY="${BINARY}"; LogText " Found known binary: iptables-save (firewall) - ${BINARY}" ;;
|
||||
istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;;
|
||||
journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
|
||||
kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
|
||||
kdb5_util) KDB5UTILBINARY="${BINARY}"; LogText " Found known binary: kdb5_util (krb5) - ${BINARY}" ;;
|
||||
kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
|
||||
kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
|
||||
launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;
|
||||
|
@ -338,7 +340,7 @@
|
|||
|
||||
# If grep is capable of extended regexp, use that instead of egrep to avoid annoying warning
|
||||
if [ "${GREPBINARY:-}" ] ; then
|
||||
${GREPBINARY} --help | ${GREPBINARY} -e "extended-regexp" > /dev/null
|
||||
${GREPBINARY} --help 2> /dev/null | ${GREPBINARY} -e "extended-regexp" > /dev/null
|
||||
if [ $? -eq 0 ] ; then
|
||||
EGREPBINARY="${GREPBINARY} -E"
|
||||
fi
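Review bot: The probe on the changed line still routes through `> /dev/null` followed by a separate `if [ $? -eq 0 ]`, which can be one test: `if ${GREPBINARY} --help 2> /dev/null | ${GREPBINARY} -q -e "extended-regexp"; then EGREPBINARY="${GREPBINARY} -E"; fi`. `$?` after a pipeline reflects only the second grep, which is the stage that matters here, so the shorter form does not change behaviour. As far as I recall BusyBox grep writes its usage text to stderr and does not spell out `--extended-regexp`, so on such systems the probe silently fails and EGREPBINARY keeps whatever it held before; that was already true before the redirect was added, but since this commit adds BusyBox workarounds elsewhere, a comment on the line stating that the fallback is intentional would help.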
|
||||
@ -169,6 +169,7 @@ ETC_PATHS="/etc /usr/local/etc"
|
|||
MACHINEID=""
|
||||
MACHINE_ROLE=""
|
||||
MALWARE_SCANNER_INSTALLED=0
|
||||
MDATPBINARY=""
|
||||
MIN_PASSWORD_LENGTH=-1
|
||||
MONGODB_RUNNING=0
|
||||
MOUNTBINARY=""
|
||||
|
@ -298,7 +299,9 @@ ETC_PATHS="/etc /usr/local/etc"
|
|||
SSL_CERTIFICATE_INCLUDE_PACKAGES=0
|
||||
SSL_CERTIFICATE_PATHS=""
|
||||
SSL_CERTIFICATE_PATHS_TO_IGNORE=""
|
||||
STATUS_NOT_ACTIVE=""
|
||||
STUNNELBINARY=""
|
||||
SURICATABINARY=""
|
||||
SWUPDBINARY=""
|
||||
SYSLOGNGBINARY=""
|
||||
SYSTEMCTLBINARY=""
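Review bot: MDATPBINARY gets an empty default in this hunk, but the two krb5 binaries that include/binaries assigns in this same commit, KADMINLOCALBINARY and KDB5UTILBINARY, have no matching default in the consts hunks on this page; unless it is in a part of the file not shown, add `KADMINLOCALBINARY=""` and `KDB5UTILBINARY=""` in their alphabetical place so tests can check them for emptiness like every other *BINARY variable. `STATUS_NOT_ACTIVE=""` is a display string that the language files on this page define, yet it sits among the binary paths here; a short comment such as `# Display string; overridden by db/languages/* when the file defines it` would explain why a default is needed in consts at all, or it could move next to the other STATUS_* defaults if this file has them.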
|
||||
@ -2086,6 +2086,10 @@
|
|||
elif [ -n "${PKGINFOBINARY}" ]; then
|
||||
output=$(${PKGINFOBINARY} -q -e ${package} >/dev/null 2>&1)
|
||||
exit_code=$? # 0=package installed, 1=package not installed
|
||||
# Slackware also has RPM for some reason and that's why this test precedes the RPMBINARY test
|
||||
elif [ "${OS_NAME}" = "Slackware Linux" -a -d "${ROOTDIR}/var/lib/pkgtools/packages" ]; then
|
||||
output=$( ls ${ROOTDIR}/var/lib/pkgtools/packages/ 2> /dev/null | ${GREPBINARY} "^${package}-[^-]\+-[^-]\+-[^-]\+$" )
|
||||
exit_code=$?
|
||||
elif [ -n "${RPMBINARY}" ]; then
|
||||
output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
|
||||
exit_code=$?
|
||||
|
@ -2099,7 +2103,7 @@
|
|||
output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
|
||||
exit_code=$?
|
||||
elif [ -n "${APKBINARY}" ]; then
|
||||
output=$(${APKBINARY} search ${package} 2> /dev/null | ${GREPBINARY} ${package})
|
||||
output=$(${APKBINARY} list --installed ${package} 2> /dev/null | ${GREPBINARY} ${package})
|
||||
exit_code=$?
|
||||
else
|
||||
if [ "${package}" != "__dummy__" ]; then
|
||||
|
@ -2758,7 +2762,6 @@
|
|||
if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi
|
||||
TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
|
||||
fi
|
||||
unset SKIPREASON
|
||||
|
||||
# Save timestamp for next time the Register function is called
|
||||
PREVIOUS_TEST="${TEST_NO}"
|
||||
|
@ -3171,7 +3174,7 @@
|
|||
|
||||
if [ ${PENTESTINGMODE} -eq 0 -a ${IS_PARAMETERS} -eq 0 ]; then
|
||||
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
|
||||
echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})."
|
||||
echo "Fatal error: group owner of directory $1 should be owned by root group, wheel or similar (found: ${GROUP})."
|
||||
ExitFatal
|
||||
fi
|
||||
fi
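Review bot: On the new Slackware branch `${package}` is interpolated unescaped into a grep basic regex and the pattern relies on `\+`, a GNU extension: a package whose name contains `+` or `.` is not matched literally, and a non-GNU grep does not accept `\+`. Using ERE keeps the pattern portable, `${GREPBINARY} -E "^${package}-[^-]+-[^-]+-[^-]+$"`, and a comment on the line should state that the caller is expected to pass a plain package name because regex metacharacters are not escaped. The enclosing function starts and ends outside this hunk. In the Register hunk further down one line left the old side; if that line was `unset SKIPREASON`, a later test that is skipped without setting its own reason would log the previous test's reason, so please confirm SKIPREASON is still cleared somewhere.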
|
||||
@ -160,6 +160,11 @@
|
|||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
;;
|
||||
"altlinux")
|
||||
LINUX_VERSION="ALT Linux"
|
||||
OS_NAME="altlinux"
|
||||
OS_VERSION=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
;;
|
||||
"amzn")
|
||||
LINUX_VERSION="Amazon Linux"
|
||||
OS_NAME="Amazon Linux"
|
||||
|
@ -221,6 +226,11 @@
|
|||
OS_NAME="CoreOS Linux"
|
||||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
;;
|
||||
"cos")
|
||||
LINUX_VERSION="Container-Optimized OS"
|
||||
OS_NAME="Container-Optimized OS from Google"
|
||||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
;;
|
||||
"debian")
|
||||
LINUX_VERSION="Debian"
|
||||
OS_NAME="Debian"
|
||||
|
@ -290,6 +300,12 @@
|
|||
OS_NAME="Kali Linux"
|
||||
OS_VERSION="Rolling release"
|
||||
;;
|
||||
"koozali")
|
||||
LINUX_VERSION="Koozali"
|
||||
OS_NAME="Koozali SME Server"
|
||||
OS_REDHAT_OR_CLONE=1
|
||||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
;;
|
||||
"linuxmint")
|
||||
LINUX_VERSION="Linux Mint"
|
||||
LINUX_VERSION_LIKE="Ubuntu"
|
||||
|
@ -314,6 +330,13 @@
|
|||
OS_NAME="Manjaro"
|
||||
OS_VERSION="Rolling release"
|
||||
;;
|
||||
"neon")
|
||||
LINUX_VERSION="KDE Neon"
|
||||
LINUX_VERSION_LIKE="Ubuntu"
|
||||
OS_NAME="KDE Neon"
|
||||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
;;
|
||||
"nethserver")
|
||||
LINUX_VERSION="NethServer"
|
||||
OS_NAME="NethServer"
|
||||
|
@ -332,6 +355,12 @@
|
|||
OS_REDHAT_OR_CLONE=1
|
||||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
;;
|
||||
"nobara")
|
||||
LINUX_VERSION="Nobara"
|
||||
OS_NAME="Nobara Linux"
|
||||
OS_REDHAT_OR_CLONE=1
|
||||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
;;
|
||||
"nodistro")
|
||||
LINUX_VERSION="openembedded"
|
||||
OS_NAME="OpenEmbedded"
|
||||
|
@ -381,6 +410,13 @@
|
|||
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
OS_NAME="Pop!_OS"
|
||||
;;
|
||||
"postmarketos")
|
||||
LINUX_VERSION="PostmarketOS"
|
||||
LINUX_VERSION_LIKE="Alpine"
|
||||
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
;;
|
||||
"pureos")
|
||||
LINUX_VERSION="PureOS"
|
||||
LINUX_VERSION_LIKE="Debian"
|
||||
|
@ -445,7 +481,7 @@
|
|||
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||
;;
|
||||
*)
|
||||
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
|
||||
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
|
||||
;;
|
||||
esac
|
||||
fi
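Review bot: In the new `altlinux` case OS_VERSION is filled from `grep "^ID="`, which returns the distribution identifier rather than a version number; every other entry added in this commit reads `^VERSION_ID=`, so the line should be `OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')`. If ALT Linux releases really lack VERSION_ID, a comment saying so and what value is intended would stop the next reader from changing it back. The `case` statement these entries belong to starts before the first hunk and ends at the `esac` shown here.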
|
||||
@ -56,7 +56,7 @@
|
|||
fi
|
||||
|
||||
# Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
|
||||
DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-')
|
||||
DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-')
|
||||
if ! IsEmpty "${DATA}"; then
|
||||
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
|
||||
LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
|
||||
|
@ -68,7 +68,7 @@
|
|||
fi
|
||||
|
||||
# Now parse the profile and filter out unwanted characters
|
||||
DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
|
||||
DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
|
||||
for CONFIGOPTION in ${DATA}; do
|
||||
if ContainsString "^config:" "${CONFIGOPTION}"; then
|
||||
# Old style configuration
|
||||
|
@ -352,7 +352,7 @@
|
|||
|
||||
# Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest)
|
||||
skip-test)
|
||||
STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
|
||||
STRING=$(echo ${VALUE} | awk '{print toupper($0)}')
|
||||
SKIP_TESTS="${SKIP_TESTS} ${STRING}"
|
||||
;;
|
||||
|
||||
|
@ -371,7 +371,7 @@
|
|||
|
||||
ssl-certificate-paths-to-ignore)
|
||||
# Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces
|
||||
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g' | tr ':' ' ')
|
||||
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[\001-\037]' | sed 's/ /__space__/g' | tr ':' ' ')
|
||||
Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}"
|
||||
AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
|
||||
;;
|
||||
|
@ -479,7 +479,7 @@
|
|||
|
||||
# Deprecated: skip tests
|
||||
test_skip_always)
|
||||
STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
|
||||
STRING=$(echo ${VALUE} | awk '{print toupper($0)}')
|
||||
SKIP_TESTS="${SKIP_TESTS} ${STRING}"
|
||||
LogText "[deprecated option] Tests to be skipped: ${VALUE}"
|
||||
DisplayToolTip "Replace deprecated option 'test_skip_always' and replace with 'skip-test' (add to custom.prf)"
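Review bot: `tr -d '[\001-\037]'` on the ssl-certificate-paths-to-ignore line is not equivalent to the `[:cntrl:]` it replaces: GNU tr treats the square brackets as literal members of the set, so `[` and `]` are now stripped from configured paths, and DEL (\177), which `[:cntrl:]` covered, is no longer removed. Dropping the brackets and adding DEL explicitly gives the same result on GNU and, as far as I know, BusyBox tr: `SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '\001-\037\177' | sed 's/ /__space__/g' | tr ':' ' ')`. The two earlier `tr` sets in this file already list `\[\]` explicitly, so the `[:alnum:]` to `[a-zA-Z0-9]` rewrite is harmless there. A one-line comment at the first occurrence saying the explicit ranges exist for BusyBox compatibility would explain the unusual spelling.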
|
||||
@ -717,7 +717,7 @@
|
|||
if [ ${FOUND} -eq 0 ]; then
|
||||
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
LogText "Result: no PAM modules for password strength testing found"
|
||||
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
|
||||
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc"
|
||||
AddHP 0 3
|
||||
else
|
||||
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
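Review bot: The new suggestion text lists `pam_passwdqc or libpam-passwdqc` as if they were two alternatives, but libpam-passwdqc is the Debian/Ubuntu package that ships the pam_passwdqc module, so the message now reads as redundant. Consider `"Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc (Debian package: libpam-passwdqc)"` so the reader sees it is a packaging name rather than a different module.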
|
||||
@ -27,7 +27,7 @@
|
|||
#################################################################################
|
||||
#
|
||||
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
|
||||
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
|
||||
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited prosecute record report restricted secure subject system terms warning"
|
||||
#
|
||||
#################################################################################
|
||||
#
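Review bot: Adding `report` to LEGAL_BANNER_STRINGS lets the legal-banner check match ordinary operational text, since /etc/issue and /etc/motd often carry phrases such as "report problems to" that have no legal meaning; if the test body (outside this hunk) counts matches to decide whether a banner is acceptable, this widens the false-positive path, whereas `prosecute` is specific enough. Either keep the list to words that rarely appear outside legal wording, or add a comment on the line noting that generic terms are accepted deliberately.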
|
||||
@ -107,7 +107,7 @@
|
|||
LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)"
|
||||
RUN_DOCKER_TESTS=0
|
||||
fi
|
||||
FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
|
||||
FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} -E "^WARNING:|^ERROR:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found warning(s) in output"
|
||||
for I in ${FIND}; do
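Review bot: The changed line now also captures `^ERROR:` lines from `docker info`, but the log message two lines below still says `found warning(s) in output` and, as far as the hunk shows, the loop that follows treats every entry as a warning; change it to `LogText "Result: found warning(s) or error(s) in output"` and check the reporting inside the loop (outside the hunk) so an error is not labelled as a warning. A short comment above the changed line stating why errors are included would also help, since the CHANGELOG entry for CONT-8104 in this commit is the only place that explains it.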
|
||||
@ -217,6 +217,33 @@
|
|||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : CRYP-7932
|
||||
# Description : Determine if system has enabled macOS FileVault encryption
|
||||
Register --test-no CRYP-7932 --os macOS --weight L --network NO --category crypto --description "Determine if system has enabled macOS FileVault encryption"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if command -v fdesetup &> /dev/null; then
|
||||
case $(fdesetup status) in
|
||||
*"FileVault is On."*)
|
||||
LogText "Result: FileVault is enabled."
|
||||
Display --indent 2 --text "- FileVault is enabled." --result "${STATUS_OK}" --color GREEN
|
||||
Report "encryption[]=filevault"
|
||||
AddHP 3 3
|
||||
;;
|
||||
*)
|
||||
LogText "Result: FileVault is not enabled."
|
||||
Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED
|
||||
AddHP 0 3
|
||||
;;
|
||||
esac
|
||||
else
|
||||
LogText "Result: fdesetup command not found. Unable to determine FileVault status."
|
||||
Display --indent 2 --text "- Unable to determine FileVault status (fdesetup command not found)." --result "${STATUS_WARNING}" --color YELLOW
|
||||
AddHP 0 3
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : CRYP-8002
|
||||
# Description : Gather available kernel entropy
|
||||
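Review bot: `if command -v fdesetup &> /dev/null; then` uses the bash-only `&>` redirection in a `#!/bin/sh` test file (the new Kerberos file in this commit shows the shebang these tests use); a POSIX sh such as dash parses it as `command -v fdesetup &` followed by an empty `> /dev/null` redirection whose status is 0, so the condition is always true and the `else` branch for a missing fdesetup can never run. Write it as `if command -v fdesetup > /dev/null 2>&1; then`. The not-enabled and unable-to-determine paths only Display a warning and adjust the score; if the report file is what downstream consumers read, a `ReportSuggestion "${TEST_NO}" "Enable FileVault disk encryption"` on the not-enabled branch would make the finding persistent, as other tests on this page do for their warnings. The `*)` arm also swallows any error text from `fdesetup status` and reports it as "FileVault is not enabled"; matching `*"FileVault is Off."*` explicitly and treating anything else as unknown would be more accurate.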
|
|
|
@ -186,8 +186,10 @@
|
|||
# Test : DBS-1826
|
||||
# Description : Check if PostgreSQL is being used
|
||||
Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes"
|
||||
for PROCES in postgres postmaster
|
||||
do
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if IsRunning "postgres"; then
|
||||
if IsRunning "${PROCES}"; then
|
||||
Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: PostgreSQL is active"
|
||||
POSTGRESQL_RUNNING=1
|
||||
|
@ -195,9 +197,10 @@
|
|||
Report "postgresql_running=${POSTGRESQL_RUNNING}"
|
||||
else
|
||||
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
|
||||
LogText "Result: PostgreSQL process not active"
|
||||
LogText "Result: PostgreSQL process ${PROCES} not active"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -211,14 +214,15 @@
|
|||
# Arch /var/lib/postgres/data/postgresql.conf
|
||||
# CentOS/Fedora /var/lib/pgsql/data/postgresql.conf
|
||||
# Ubuntu /etc/postgresql/x.y/main/postgresql.conf
|
||||
# FreeBSD /var/db/postgres/data[0-9][0-9]/postgresql.conf
|
||||
|
||||
if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi
|
||||
|
||||
Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null)
|
||||
FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
|
||||
CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
|
||||
FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data ${ROOTDIR}var/lib/pgsql/data ${ROOTDIR}var/db/postgres/data[0-9][0-9]"
|
||||
CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -I'{}' sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
|
||||
for CF in ${CONFIG_FILES}; do
|
||||
Report "postgresql_config_file[]=${CF}"
|
||||
LogText "Found configuration file (${CF})"
|
||||
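Review bot: The readability filter on the new CONFIG_FILES line in the DBS-1828 hunk still substitutes each path into a shell command string, `sh -c 'test -r "{}" && echo "{}"'`, so a file name containing a double quote or `$(` under one of the searched directories is interpreted by sh; the commit only changes `-i` to `-I'{}'` and keeps that pattern. Passing the name as a positional parameter avoids it: `xargs -I'{}' sh -c 'test -r "$1" && echo "$1"' _ '{}'`. The exposure is limited because the data and /etc directories are normally root- or postgres-owned, but the unquoted `${ROOTDIR}usr/local/pgsql/data*` and `data[0-9][0-9]` globs widen the set of directories walked. Separately, the new `for PROCES in postgres postmaster` loop in the DBS-1826 hunk wraps the whole test body, so a host where both names match gets the FOUND display and the `postgresql_running` report line twice, and a host running only `postmaster` first logs "postgres not active"; breaking out after the first match, or collecting the flag and displaying once after `done`, avoids the duplicate output.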
|
|
|
@ -346,7 +346,13 @@
|
|||
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
|
||||
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
|
||||
if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
|
||||
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then
|
||||
PREQS_MET="YES";
|
||||
elif [ ${LINUX_KERNEL_MAJOR} -ge 4 ]; then
|
||||
PREQS_MET="YES";
|
||||
else
|
||||
PREQS_MET="NO";
|
||||
fi
|
||||
else
|
||||
PREQS_MET="NO";
|
||||
fi
|
||||
|
@ -726,11 +732,45 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6398 TODO
|
||||
# Test : FILE-6398
|
||||
# Description : Check if JBD (Journal Block Device) driver is loaded
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
||||
Register --test-no FILE-6398 --os Linux --weight L --network NO --category security --description "Checking if JBD (Journal Block Device) driver is loaded"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking if JBD (Journal Block Device) driver is loaded"
|
||||
NOTINUSE=0
|
||||
# Cannot check if driver is loaded/present if kernel is monolithic
|
||||
if [ ${MONOLITHIC_KERNEL} -eq 0 ]; then
|
||||
JBD=$(${LSMODBINARY} | ${GREPBINARY} ^jbd)
|
||||
if [ -n "${JBD}" ]; then
|
||||
LogText "Result: JBD driver is loaded"
|
||||
INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}')
|
||||
if [ -n "${INUSE}" ]; then
|
||||
LogText "Result: JBD driver is in use by drivers: ${INUSE}"
|
||||
Report "JBD driver is in use by drivers: ${INUSE}"
|
||||
Display --indent 2 --text "- JBD driver loaded and in use" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
NOTINUSE=1
|
||||
LogText "Result: JBD driver loaded, but not in use"
|
||||
Report "JBD driver is loaded, but not in use."
|
||||
Display --indent 2 --text "- JBD driver loaded, but not in use" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
fi
|
||||
else
|
||||
NOTINUSE=2
|
||||
LogText "Result: JBD driver not loaded"
|
||||
Report "JBD driver not loaded."
|
||||
Display --indent 2 --text "- JBD driver is not loaded" --result "${STATUS_CHECK_NEEDED}" --color YELLOW
|
||||
fi
|
||||
if [ ${NOTINUSE} -eq 1 ]; then
|
||||
ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is loaded but not in use." "You are currently not using any filesystems with journaling, i.e. you have greater risk of data corruption in case of system crash."
|
||||
elif [ ${NOTINUSE} -eq 2 ]; then
|
||||
ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is not loaded." "Since boot-time, you have not been using any filesystems with journaling. Alternatively, reason could be driver is blacklisted."
|
||||
fi
|
||||
else
|
||||
LogText "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel."
|
||||
Report "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel."
|
||||
Display --indent 2 --text "- JBD driver: unable to check" --result "${STATUS_UNKNOWN}" --color RED
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
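Review bot: In the FILE-6398 hunk the awk program on the INUSE line, `'{if ($3 -ne 0) {print $4}}'`, uses the shell test operator `-ne`; awk reads it as arithmetic on an unset variable `ne` concatenated with `0`, which yields a non-empty string and is therefore always true, so the branch only behaves because `$4` happens to be empty when the use count is 0. Write it as `'$3 != 0 {print $4}'`. Since `echo ${JBD}` joins all lines matching `^jbd` (which includes `jbd2`) into one, only the first module's fields are examined; iterating over the lsmod lines, or matching `^jbd2` when that is the driver of interest, would be more precise. The three `Report` calls in this test pass free text (`Report "JBD driver is in use by drivers: ${INUSE}"`), whereas every other Report call on this page is a `key=value` pair such as `Report "encryption[]=filevault"`; confirm the report format and use something like `Report "jbd_driver_loaded=1"`. The FILE-6344 hunk above now correctly accepts a 4.x or newer kernel whose minor version is below 3.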
|
|
|
@ -0,0 +1,188 @@
|
|||
#!/bin/sh
|
||||
|
||||
InsertSection "${SECTION_KERBEROS}"
|
||||
|
||||
#
|
||||
#########################################################################
|
||||
#
|
||||
|
||||
# Test : KRB-1000
|
||||
# Description : Check that Kerberos principals have passwords that expire
|
||||
Register --test-no KRB-1000 --weight L --network NO --description "Check for Kerberos KDC tools"
|
||||
if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
|
||||
then
|
||||
PREQS_MET="YES"
|
||||
# Make sure krb5 debugging doesn't mess up the output
|
||||
unset KRB5_TRACE
|
||||
PRINCS="$(${KADMINLOCALBINARY} listprincs | ${TRBINARY:-tr} '\n' ' ')"
|
||||
if [ -z "${PRINCS}" ]
|
||||
then
|
||||
PREQS_MET="NO"
|
||||
fi
|
||||
else
|
||||
PREQS_MET="NO"
|
||||
fi
|
||||
if [ "${PREQS_MET}" = "YES" ]; then
|
||||
Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
|
||||
# Test : KRB-1010
|
||||
# Description : Check that Kerberos principals have passwords that expire
|
||||
Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
for I in ${PRINCS}
|
||||
do
|
||||
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
|
||||
if [ "${FIND}" = "Password expiration date: [never]" ]
|
||||
then
|
||||
LogText "Result: Kerberos principal ${I} has a password/key that never expires"
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
|
||||
else
|
||||
Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
# Test : KRB-1020
|
||||
# Description : Check last password change for Kerberos principals
|
||||
Register --test-no KRB-1020 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
for I in ${PRINCS}
|
||||
do
|
||||
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
|
||||
if [ "${FIND}" = "[never]" ]
|
||||
then
|
||||
LogText "Result: Kerberos principal ${I} has a password/key that has never been changed"
|
||||
FOUND=1
|
||||
else
|
||||
J="$(date -d "${FIND}" +%s)"
|
||||
if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ]
|
||||
then
|
||||
LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
|
||||
FOUND=1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 4 --text "- Principals with late password change" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion "${TEST_NO}" "Enforce frequent password/key change for your Kerberos principals"
|
||||
else
|
||||
Display --indent 4 --text "- Principals with late password change" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
# Test : KRB-1030
|
||||
# Description : Check that Kerberos principals have a policy associated to them
|
||||
Register --test-no KRB5-1030 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
for I in ${PRINCS}
|
||||
do
|
||||
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
|
||||
if [ "${FIND}" = "Policy: [none]" ]
|
||||
then
|
||||
LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
|
||||
FOUND=1
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have a policy associated to them"
|
||||
else
|
||||
Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
# Test : KRB-1040
|
||||
# Description : Check various attributes for Kerberos principals
|
||||
Register --test-no KRB5-1040 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
for I in ${PRINCS}
|
||||
do
|
||||
J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
|
||||
if ContainsString "^K/M@" "${I}" || \
|
||||
ContainsString "^kadmin/admin@" "${I}" || \
|
||||
ContainsString "^kadmin/changepw@" "${I}" || \
|
||||
ContainsString "^krbtgt/" "${I}"
|
||||
then
|
||||
if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
|
||||
then
|
||||
LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
|
||||
FOUND=1
|
||||
fi
|
||||
elif ContainsString "/admin@" "${I}"
|
||||
then
|
||||
if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
|
||||
then
|
||||
LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
|
||||
FOUND=1
|
||||
fi
|
||||
elif ContainsString "^[^/$]+@" "${I}"
|
||||
then
|
||||
if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
|
||||
then
|
||||
LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
|
||||
FOUND=1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion "${TEST_NO}" "Harden your Kerberos principals with appropriate attributes"
|
||||
else
|
||||
Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
# Test : KRB-1050
|
||||
# Description : Check for weak crypto
|
||||
Register --test-no KRB-1050 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
|
||||
if [ -n "${FIND}" ]; then
|
||||
while read I J
|
||||
do
|
||||
LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
|
||||
done << EOF
|
||||
${FIND}
|
||||
EOF
|
||||
Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion "${TEST_NO}" "Remove weak (des|arcfour|cbc|sha1) cryptographic keys from principals"
|
||||
else
|
||||
Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
unset PRINCS
|
||||
unset I
|
||||
unset J
|
||||
|
||||
#EOF
|
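Review bot: The Register calls for the third and fourth tests pass `--test-no KRB5-1030` and `--test-no KRB5-1040`, while their header comments and every other test in this file use the `KRB-` prefix, so the reported IDs (and presumably any profile skip entries keyed on them) will not match the documented names; change them to `KRB-1030` and `KRB-1040`. In KRB-1050 the awk filter `$4 ~ /(des|arcfour|cbc|sha1)/` also matches the `aes128-cts-hmac-sha1-96` and `aes256-cts-hmac-sha1-96` enctypes, which are the AES types most realms run and are not among those RFC 8429 deprecates, so the test will flag nearly every principal as weak; anchoring on the cipher family, e.g. `$4 ~ /^(des|des3|arcfour|rc4)/`, avoids that. KRB-1020 relies on `date -d "${FIND}" +%s`, which is GNU syntax (BSD and macOS `date` give `-d` a different meaning), and on a `NOW` variable this file never sets, so on a non-GNU host `J` is empty and the `[ ${J} -lt ... ]` test errors instead of producing a result. KRB-1000 also runs `kadmin.local listprincs` before consulting `${SKIPTEST}`, unlike the other four tests, so the command executes even when the test is skipped by profile. The `while read I J` loop in KRB-1050 should use `read -r I J` so backslashes in enctype or principal names are not interpreted.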
|
@ -41,28 +41,17 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Checking if we can find the systemd default target
|
||||
LogText "Test: Checking for systemd default.target"
|
||||
if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
|
||||
LogText "Result: symlink found"
|
||||
if HasData "${READLINKBINARY}"; then
|
||||
FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
|
||||
if ! HasData "${FIND}"; then
|
||||
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
|
||||
ReportException "${TEST_NO}:01"
|
||||
else
|
||||
FIND2=$(${ECHOCMD} ${FIND} | ${GREPBINARY} -E "runlevel5|graphical")
|
||||
if HasData "${FIND2}"; then
|
||||
LogText "Result: Found match on runlevel5/graphical"
|
||||
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
|
||||
Report "linux_default_runlevel=5"
|
||||
else
|
||||
LogText "Result: No match found on runlevel, defaulting to runlevel 3"
|
||||
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
|
||||
Report "linux_default_runlevel=3"
|
||||
fi
|
||||
fi
|
||||
if [ $(${SYSTEMCTLBINARY} get-default) ]; then
|
||||
FIND=$(${SYSTEMCTLBINARY} get-default)
|
||||
FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
|
||||
if HasData "${FIND2}"; then
|
||||
LogText "Result: Found match on runlevel5/graphical"
|
||||
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
|
||||
Report "linux_default_runlevel=5"
|
||||
else
|
||||
LogText "Result: No readlink binary, can't determine where symlink is pointing to"
|
||||
Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
LogText "Result: No match found on runlevel, defaulting to runlevel 3"
|
||||
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
|
||||
Report "linux_default_runlevel=3"
|
||||
fi
|
||||
else
|
||||
LogText "Result: no systemd found, so trying inittab"
|
||||
|
@ -467,7 +456,7 @@
|
|||
SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
|
||||
SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
|
||||
SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
|
||||
# check conf files in possibly existing coredump.conf.d folders
|
||||
# check conf files in possibly existing coredump.conf.d folders
|
||||
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
|
||||
# while there could be multiple files overwriting each other, we are checking the number of occurrences
|
||||
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
|
||||
|
@ -531,7 +520,7 @@
|
|||
Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
# Limits options
|
||||
for DIR in "/" "/usr/"; do
|
||||
LogText "Test: Checking presence ${DIR}etc/security/limits.conf"
|
||||
|
@ -692,7 +681,7 @@
|
|||
else
|
||||
# Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Sort based on versions (-v) and then find the last item
|
||||
# Note: ignore a rescue kernel (e.g. CentOS)
|
||||
FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${TAILBINARY} -1)
|
||||
FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue-' | ${TAILBINARY} -1)
|
||||
LogText "Result: found ${FOUND_VMLINUZ}"
|
||||
fi
|
||||
|
||||
|
@ -840,7 +829,7 @@
|
|||
else
|
||||
LogText "Result: Skipping this test, as extracting the seconds of package date failed"
|
||||
fi
|
||||
|
||||
|
||||
if [ -n "${UNAME_OUTPUT}" ]; then
|
||||
LogText "Result: Got an output from 'uname -v'"
|
||||
LogText "Check: Trying to extract kernel build date from 'uname -v' output"
|
||||
|
@ -911,8 +900,7 @@
|
|||
else
|
||||
LogText "Result: Did not get output from 'uname -v'. Skipping test."
|
||||
fi
|
||||
|
||||
|
||||
|
||||
else
|
||||
LogText "Result: /var/cache/apt/archives/ does not exist"
|
||||
fi
|
||||
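Review bot: The new condition `if [ $(${SYSTEMCTLBINARY} get-default) ]; then` in the default.target hunk leaves the substitution unquoted inside `[ ]`, so multi-word output becomes a malformed test, and when SYSTEMCTLBINARY is empty on a non-systemd host it tries to execute `get-default` as a command and prints that error to the terminal before falling through to the inittab branch. It also runs `systemctl get-default` a second time on the next line to fill FIND. A single guarded assignment covers both: `if [ -n "${SYSTEMCTLBINARY}" ] && FIND=$(${SYSTEMCTLBINARY} get-default 2> /dev/null) && [ -n "${FIND}" ]; then`, with the following `FIND=` line removed. The new FIND2 line switches from `${GREPBINARY} -E` to `${EGREPBINARY}`; if that variable is not populated on every supported platform, keep the `-E` form. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block ends outside the hunk.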
|
|
|
@ -28,6 +28,7 @@
|
|||
METALOG_RUNNING=0
|
||||
RFC3195D_RUNNING=0
|
||||
RSYSLOG_RUNNING=0
|
||||
WAZUH_AGENT_RUNNING=0
|
||||
SOLARIS_LOGHOST=""
|
||||
SOLARIS_LOGHOST_FOUND=0
|
||||
SOLARIS_LOGHOST_LOCALHOST=0
|
||||
|
@ -220,6 +221,23 @@
|
|||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : LOGG-2144
|
||||
# Description : Check for wazuh-agent presence on Linux systems
|
||||
Register --test-no LOGG-2144 --os Linux --weight L --network NO --category security --description "Checking wazuh-agent"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Result: Searching for wazuh-agent instances in the process list"
|
||||
if IsRunning "wazuh-agent"; then
|
||||
LogText "Result: Found wazuh-agent in process list"
|
||||
Display --indent 4 --text "- Checking wazuh-agent status" --result "${STATUS_FOUND}" --color GREEN
|
||||
WAZUH_AGENT_RUNNING=1
|
||||
else
|
||||
LogText "Result: wazuh-agent NOT found in process list"
|
||||
Display --indent 4 --text "- Checking wazuh-agent daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : LOGG-2146
|
||||
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
|
||||
|
@ -446,6 +464,21 @@
|
|||
fi
|
||||
fi
|
||||
|
||||
# Test wazuh-agent configuration for syslog configuration
|
||||
if [ ${WAZUH_AGENT_RUNNING} ]; then
|
||||
WAZUH_AGENT_CONF="/var/ossec/etc/ossec.conf"
|
||||
fi
|
||||
|
||||
if [ -f ${WAZUH_AGENT_CONF} ]; then
|
||||
LogText "Test: Checking Wazuh agent configuration for remote syslog forwarding"
|
||||
FIND=$(${EGREPBINARY} '<location>/var/log/syslog</location>' ${WAZUH_AGENT_CONF})
|
||||
if [ "${FIND}" ]; then
|
||||
DESTINATION=$(${EGREPBINARY} -o '<address>([A-Za-z0-9\.\-\_]*)</address>' ${WAZUH_AGENT_CONF} | sed 's/<address>//' | sed 's/<\/address>//')
|
||||
LogText "Result: found destination ${DESTINATION} configured for remote logging with wazuh"
|
||||
REMOTE_LOGGING_ENABLED=1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Show result
|
||||
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
|
||||
Report "remote_syslog_configured=0"
|
||||
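Review bot: The new guard `if [ ${WAZUH_AGENT_RUNNING} ]; then` in the `-446,6 +464,21` hunk is always true, because `[ 0 ]` is a non-empty-string test, so WAZUH_AGENT_CONF is set even when no agent runs; and once that is fixed the following `if [ -f ${WAZUH_AGENT_CONF} ]` would still pass with the variable unset, since `[ -f ]` is again a one-argument string test. Change them to `if [ ${WAZUH_AGENT_RUNNING} -eq 1 ]; then` and `if [ -f "${WAZUH_AGENT_CONF}" ]; then`. The DESTINATION line calls bare `sed` twice where other files in this commit use `${SEDBINARY}`, and it accepts any `<address>` value, so an agent pointed at `127.0.0.1` or `localhost` is counted as remote logging; a check for loopback names before setting REMOTE_LOGGING_ENABLED would keep the result meaningful. The two Display labels in LOGG-2144 also differ (`wazuh-agent status` versus `wazuh-agent daemon status`); use one label for both outcomes.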
|
|
|
@ -158,10 +158,14 @@
|
|||
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
|
||||
fi
|
||||
Display --indent 8 --text "Current SELinux mode: ${FIND}"
|
||||
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
|
||||
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
|
||||
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
|
||||
LogText "Permissive SELinux object types: ${PERMISSIVE}"
|
||||
if [ -n "${SEMANAGEBINARY}" ]; then
|
||||
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
|
||||
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
|
||||
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
|
||||
LogText "Permissive SELinux object types: ${PERMISSIVE}"
|
||||
else
|
||||
LogText "Result: semanage binary NOT found, can't analyse permissive domains"
|
||||
fi
|
||||
UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
|
||||
INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
|
||||
NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)
|
||||
|
|
|
@ -44,6 +44,7 @@
|
|||
SYMANTEC_SCANNER_RUNNING=0
|
||||
SYNOLOGY_DAEMON_RUNNING=0
|
||||
TRENDMICRO_DSA_DAEMON_RUNNING=0
|
||||
WAZUH_DAEMON_RUNNING=0
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -53,16 +54,12 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: checking presence McAfee VirusScan for Command Line"
|
||||
if [ -x /usr/local/uvscan/uvscan ]; then
|
||||
Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN
|
||||
Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line (deprecated)" --result "${STATUS_FOUND}" --color RED
|
||||
LogText "Result: Found ${MCAFEECLBINARY}"
|
||||
MALWARE_SCANNER_INSTALLED=1
|
||||
AddHP 2 2
|
||||
Report "malware_scanner[]=mcafeecl"
|
||||
else
|
||||
LogText "Result: McAfee VirusScan for Command Line not found"
|
||||
fi
|
||||
AddHP 0 2
|
||||
LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead."
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : MALW-3275
|
||||
|
@ -187,8 +184,8 @@
|
|||
fi
|
||||
|
||||
# ESET security products
|
||||
LogText "Test: checking process esets_daemon"
|
||||
if IsRunning "esets_daemon"; then
|
||||
LogText "Test: checking process esets_daemon or oaeventd (ESET)"
|
||||
if IsRunning "esets_daemon" || IsRunning "oaeventd"; then
|
||||
FOUND=1
|
||||
ESET_DAEMON_RUNNING=1
|
||||
MALWARE_DAEMON_RUNNING=1
|
||||
|
@ -323,6 +320,19 @@
|
|||
Report "malware_scanner[]=trend-micro-av"
|
||||
fi
|
||||
|
||||
# Wazuh agent
|
||||
LogText "Test: checking process wazuh-agent to test for Wazuh agent"
|
||||
if IsRunning "wazuh-agent"; then
|
||||
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi
|
||||
LogText "Result: found Wazuh component"
|
||||
FOUND=1
|
||||
WAZUH_DAEMON_RUNNING=1
|
||||
MALWARE_DAEMON_RUNNING=1
|
||||
MALWARE_SCANNER_INSTALLED=1
|
||||
ROOTKIT_SCANNER_FOUND=1
|
||||
Report "malware_scanner[]=wazuh"
|
||||
fi
|
||||
|
||||
if [ ${FOUND} -eq 0 ]; then
|
||||
LogText "Result: no commercial anti-virus tools found"
|
||||
AddHP 0 3
|
||||
|
@ -369,6 +379,24 @@
|
|||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : MALW-3291
|
||||
# Description : Check if Microsoft Defender Antivirus is installed
|
||||
Register --test-no MALW-3291 --weight L --network NO --category security --description "Check for mdatp"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: checking presence mdatp"
|
||||
if [ ! "${MDATPBINARY}" = "" ]; then
|
||||
Display --indent 2 --text "- Checking Microsoft Defender Antivirus" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found ${MDATPBINARY}"
|
||||
MALWARE_SCANNER_INSTALLED=1
|
||||
AddHP 2 2
|
||||
Report "malware_scanner[]=mdatp"
|
||||
else
|
||||
LogText "Result: mdatp couldn't be found"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : MALW-3286
|
||||
# Description : Check running freshclam if clamd process is running
|
||||
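Review bot: The Wazuh block in the `-323,6 +320,19` hunk sets `MALWARE_SCANNER_INSTALLED=1` and `ROOTKIT_SCANNER_FOUND=1` from the mere presence of a `wazuh-agent` process, but whether the agent performs rootcheck, syscheck or any malware detection depends on what is enabled in its configuration, so an agent deployed only for log forwarding would satisfy both checks and suppress the corresponding suggestions; consider setting only `WAZUH_DAEMON_RUNNING` and `MALWARE_DAEMON_RUNNING` here, or gating the two scanner flags on the relevant sections of the agent configuration. The process-name match also deserves confirmation: the Wazuh agent's daemons are named `wazuh-agentd`, `wazuh-modulesd`, `wazuh-syscheckd` and so on, so `IsRunning "wazuh-agent"` only succeeds if IsRunning does a prefix or substring match rather than an exact comparison, and the new LOGG-2144 test in this commit makes the same call.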
|
|
|
@ -485,7 +485,7 @@
|
|||
LogText "Result: ypldap is running"
|
||||
Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
|
||||
ReportSuggestion "${TEST_NO}" "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
|
||||
fi
|
||||
else
|
||||
LogText "Result: ypbind is not active"
|
||||
|
|
|
@ -750,7 +750,7 @@
|
|||
UNCOMMON_PROTOCOL_DISABLED=0
|
||||
# First check modprobe.conf
|
||||
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
|
||||
DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf)
|
||||
DATA=$(${GREPBINARY} "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf)
|
||||
if [ -n "${DATA}" ]; then
|
||||
LogText "Result: found ${P} module disabled via modprobe.conf"
|
||||
UNCOMMON_PROTOCOL_DISABLED=1
|
||||
|
@ -759,7 +759,7 @@
|
|||
# Then additional modprobe configuration files
|
||||
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
|
||||
# Return file names (-l) and suppress errors (-s)
|
||||
DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*)
|
||||
DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*)
|
||||
if [ -n "${DATA}" ]; then
|
||||
UNCOMMON_PROTOCOL_DISABLED=1
|
||||
for F in ${DATA}; do
|
||||
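Review bot: The new pattern on the DATA line, `"^install \+${P} \+/bin/(true|false)$"`, is passed to `${GREPBINARY}` without `-E`, and in a basic regular expression `(`, `|` and `)` are literal characters, so unless GREPBINARY already carries `-E` it no longer matches `install <module> /bin/true` either — the hunk turns a working check into one that never detects a disabled module, and the `${ROOTDIR}etc/modprobe.d/*` hunk below has the same pattern. Use an extended expression in both places: `${GREPBINARY} -E "^install +${P} +/bin/(true|false)$"`. `\+` was already a GNU-only BRE extension, so `-E` also improves portability to BSD and busybox greps, and `(/usr)?/bin/` would additionally accept the merged-/usr spelling. The `for P in` loop these lines sit in starts outside the hunk.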
|
|
|
@ -30,8 +30,6 @@
|
|||
# Possible locations of php.ini
|
||||
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
|
||||
${ROOTDIR}etc/php/php.ini \
|
||||
${ROOTDIR}etc/php5.5/php.ini \
|
||||
${ROOTDIR}etc/php5.6/php.ini \
|
||||
${ROOTDIR}etc/php7.0/php.ini \
|
||||
${ROOTDIR}etc/php7.1/php.ini \
|
||||
${ROOTDIR}etc/php7.2/php.ini \
|
||||
|
@ -42,11 +40,6 @@
|
|||
${ROOTDIR}etc/php8.2/php.ini \
|
||||
${ROOTDIR}etc/php8.3/php.ini \
|
||||
${ROOTDIR}etc/php8.4/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php5/php.ini \
|
||||
${ROOTDIR}etc/php/cli-php5/php.ini \
|
||||
${ROOTDIR}etc/php/apache2-php5/php.ini \
|
||||
${ROOTDIR}etc/php/apache2-php5.5/php.ini \
|
||||
${ROOTDIR}etc/php/apache2-php5.6/php.ini \
|
||||
${ROOTDIR}etc/php/apache2-php7.0/php.ini \
|
||||
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
|
||||
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
|
||||
|
@ -57,16 +50,11 @@
|
|||
${ROOTDIR}etc/php/apache2-php8.2/php.ini \
|
||||
${ROOTDIR}etc/php/apache2-php8.3/php.ini \
|
||||
${ROOTDIR}etc/php/apache2-php8.4/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php5.5/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php5.6/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php7.4/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php8.0/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php8.1/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php8.2/php.ini \
|
||||
${ROOTDIR}etc/php/cli-php5.5/php.ini \
|
||||
${ROOTDIR}etc/php/cli-php5.6/php.ini \
|
||||
${ROOTDIR}etc/php/cli-php7.0/php.ini \
|
||||
|
@ -79,8 +67,6 @@
|
|||
${ROOTDIR}etc/php/cli-php8.2/php.ini \
|
||||
${ROOTDIR}etc/php/cli-php8.3/php.ini \
|
||||
${ROOTDIR}etc/php/cli-php8.4/php.ini \
|
||||
${ROOTDIR}etc/php/embed-php5.5/php.ini \
|
||||
${ROOTDIR}etc/php/embed-php5.6/php.ini \
|
||||
${ROOTDIR}etc/php/embed-php7.0/php.ini \
|
||||
${ROOTDIR}etc/php/embed-php7.1/php.ini \
|
||||
${ROOTDIR}etc/php/embed-php7.2/php.ini \
|
||||
|
@ -91,24 +77,14 @@
|
|||
${ROOTDIR}etc/php/embed-php8.2/php.ini \
|
||||
${ROOTDIR}etc/php/embed-php8.3/php.ini \
|
||||
${ROOTDIR}etc/php/embed-php8.4/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php8.2/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php8.1/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php8.0/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php7.0/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php5.5/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php5.6/php.ini \
|
||||
${ROOTDIR}etc/php5/cgi/php.ini \
|
||||
${ROOTDIR}etc/php5/cli/php.ini \
|
||||
${ROOTDIR}etc/php5/cli-php5.4/php.ini \
|
||||
${ROOTDIR}etc/php5/cli-php5.5/php.ini \
|
||||
${ROOTDIR}etc/php5/cli-php5.6/php.ini \
|
||||
${ROOTDIR}etc/php5/apache2/php.ini \
|
||||
${ROOTDIR}etc/php5/fpm/php.ini \
|
||||
${ROOTDIR}private/etc/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php8.0/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php8.1/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php8.2/php.ini \
|
||||
${ROOTDIR}etc/php/7.0/apache2/php.ini \
|
||||
${ROOTDIR}etc/php/7.1/apache2/php.ini \
|
||||
${ROOTDIR}etc/php/7.2/apache2/php.ini \
|
||||
|
@ -139,12 +115,30 @@
|
|||
${ROOTDIR}etc/php/8.3/fpm/php.ini \
|
||||
${ROOTDIR}etc/php/8.4/cli/php.ini \
|
||||
${ROOTDIR}etc/php/8.4/fpm/php.ini \
|
||||
${ROOTDIR}opt/alt/php70/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php71/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php72/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php73/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php74/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php80/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php81/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php82/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php83/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php84/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.ini \
|
||||
${ROOTDIR}private/etc/php.ini \
|
||||
${ROOTDIR}var/www/conf/php.ini \
|
||||
${ROOTDIR}usr/local/etc/php.ini \
|
||||
${ROOTDIR}usr/local/lib/php.ini \
|
||||
${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
|
||||
${ROOTDIR}usr/local/php54/lib/php.ini \
|
||||
${ROOTDIR}usr/local/php56/lib/php.ini \
|
||||
${ROOTDIR}usr/local/php70/lib/php.ini \
|
||||
${ROOTDIR}usr/local/php71/lib/php.ini \
|
||||
${ROOTDIR}usr/local/php72/lib/php.ini \
|
||||
|
@ -157,36 +151,6 @@
|
|||
${ROOTDIR}usr/local/php84/lib/php.ini \
|
||||
${ROOTDIR}usr/local/zend/etc/php.ini \
|
||||
${ROOTDIR}usr/pkg/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php44/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php51/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php52/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php53/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php54/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php55/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php56/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php70/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php71/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php72/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php73/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php74/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php80/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php81/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php82/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php83/etc/php.ini \
|
||||
${ROOTDIR}opt/alt/php84/etc/php.ini \
|
||||
${ROOTDIR}etc/opt/remi/php56/php.ini \
|
||||
${ROOTDIR}etc/opt/remi/php70/php.ini \
|
||||
${ROOTDIR}etc/opt/remi/php71/php.ini \
|
||||
|
@ -198,28 +162,12 @@
|
|||
${ROOTDIR}etc/opt/remi/php82/php.ini\
|
||||
${ROOTDIR}etc/opt/remi/php83/php.ini \
|
||||
${ROOTDIR}etc/opt/remi/php84/php.ini"
|
||||
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
|
||||
PHPINILOCS="${PHPINILOCS} \
|
||||
${ROOTDIR}etc/php-5.6.ini \
|
||||
${ROOTDIR}etc/php-7.0.ini \
|
||||
${ROOTDIR}etc/php-7.1.ini \
|
||||
${ROOTDIR}etc/php-7.2.ini \
|
||||
${ROOTDIR}etc/php-7.3.ini \
|
||||
${ROOTDIR}etc/php-7.4.ini \
|
||||
${ROOTDIR}etc/php-8.0.ini \
|
||||
${ROOTDIR}etc/php-8.1.ini \
|
||||
${ROOTDIR}etc/php-8.2.ini\
|
||||
${ROOTDIR}etc/php-8.3.ini\
|
||||
${ROOTDIR}etc/php-8.4.ini"
|
||||
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
|
||||
${ROOTDIR}etc/php/7.0/cli/conf.d \
|
||||
|
||||
PHPINIDIRS="${ROOTDIR}etc/php/7.0/cli/conf.d \
|
||||
${ROOTDIR}etc/php/7.1/cli/conf.d \
|
||||
${ROOTDIR}etc/php/7.2/cli/conf.d \
|
||||
${ROOTDIR}etc/php/7.3/cli/conf.d \
|
||||
${ROOTDIR}etc/php/7.4/cli/conf.d \
|
||||
${ROOTDIR}etc/php/8.0/cli/conf.d \
|
||||
${ROOTDIR}etc/php/8.1/cli/conf.d \
|
||||
${ROOTDIR}etc/php/8.2/cli/conf.d \
|
||||
${ROOTDIR}etc/php/7.0/fpm/conf.d \
|
||||
${ROOTDIR}etc/php/7.1/fpm/conf.d \
|
||||
${ROOTDIR}etc/php/7.2/fpm/conf.d \
|
||||
|
@ -231,9 +179,6 @@
|
|||
${ROOTDIR}etc/php/8.3/fpm/conf.d \
|
||||
${ROOTDIR}etc/php/8.4/fpm/conf.d \
|
||||
${ROOTDIR}etc/php.d \
|
||||
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
|
||||
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
|
||||
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
|
||||
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
|
||||
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
|
||||
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
|
||||
|
@ -244,13 +189,6 @@
|
|||
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.d \
|
||||
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.d \
|
||||
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.d \
|
||||
${ROOTDIR}opt/alt/php44/etc/php.d.all \
|
||||
${ROOTDIR}opt/alt/php51/etc/php.d.all \
|
||||
${ROOTDIR}opt/alt/php52/etc/php.d.all \
|
||||
${ROOTDIR}opt/alt/php53/etc/php.d.all \
|
||||
${ROOTDIR}opt/alt/php54/etc/php.d.all \
|
||||
${ROOTDIR}opt/alt/php55/etc/php.d.all \
|
||||
${ROOTDIR}opt/alt/php56/etc/php.d.all \
|
||||
${ROOTDIR}opt/alt/php70/etc/php.d.all \
|
||||
${ROOTDIR}opt/alt/php71/etc/php.d.all \
|
||||
${ROOTDIR}opt/alt/php72/etc/php.d.all \
|
||||
|
@ -272,9 +210,8 @@
|
|||
${ROOTDIR}usr/local/php82/lib/php.conf.d \
|
||||
${ROOTDIR}usr/local/php83/lib/php.conf.d \
|
||||
${ROOTDIR}usr/local/php84/lib/php.conf.d"
|
||||
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
|
||||
|
||||
PHPINIDIRS="${PHPINIDIRS} \
|
||||
${ROOTDIR}etc/php-5.6 \
|
||||
${ROOTDIR}etc/php-7.0 \
|
||||
${ROOTDIR}etc/php-7.1 \
|
||||
${ROOTDIR}etc/php-7.2 \
|
||||
|
|
|
@ -127,11 +127,15 @@
|
|||
LogText "Test: Querying brew to get package list"
|
||||
Display --indent 4 --text "- Querying brew for installed packages"
|
||||
LogText "Output:"; LogText "-----"
|
||||
GPACKAGES=$(brew list)
|
||||
for J in ${GPACKAGES}; do
|
||||
LogText "Found package ${J}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
|
||||
done
|
||||
GPACKAGES=$(brew list --versions)
|
||||
while IFS= read -r PKG; do
|
||||
PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f1)
|
||||
PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f2)
|
||||
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
|
||||
done << EOF
|
||||
$GPACKAGES
|
||||
EOF
|
||||
else
|
||||
LogText "Result: brew can NOT be found on this system"
|
||||
fi
|
||||
|
@ -158,6 +162,29 @@
|
|||
LogText "Result: emerge can NOT be found on this system"
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : PKGS-7305
|
||||
# Description : Query macOS Apps in /Applications and CoreServices
|
||||
Register --test-no PKGS-7305 --os macOS --weight L --network NO --category security --description "Query macOS Apps in /Applications and CoreServices"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Querying Apps in /Applications"
|
||||
Display --indent 4 --text "- Querying macOS Apps in /Applications"
|
||||
LogText "Output:"; LogText "-----"
|
||||
for APP in /Applications/*.app; do
|
||||
PACKAGE_NAME=$(basename "$APP" .app)
|
||||
PACKAGE_VERSION=$(defaults read "$APP/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
|
||||
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
|
||||
done
|
||||
Display --indent 4 --text "- Querying Apple CoreServices"
|
||||
for CS in /Library/Apple/System/Library/CoreServices/*.app; do
|
||||
PACKAGE_NAME=$(basename "$CS" .app)
|
||||
PACKAGE_VERSION=$(defaults read "$CS/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
|
||||
LogText "Found CoreServices: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
|
||||
done
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -672,9 +699,20 @@
|
|||
# Check in /etc/cron.hourly, daily, weekly, monthly etc
|
||||
COUNT=$(find /etc/cron* -name debsums | wc -l)
|
||||
if [ ${COUNT} -gt 0 ]; then
|
||||
LogText "Result: Cron job is configured for debsums utility."
|
||||
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 3 3
|
||||
CRON_CHECK=""
|
||||
if [ -f ${ROOTDIR}etc/default/debsums ]; then
|
||||
CRON_CHECK=$(${GREPBINARY} CRON_CHECK /etc/default/debsums|${AWKBINARY} -F "=" '{print $2}')
|
||||
fi
|
||||
if [ "${CRON_CHECK}" = "daily" ] || [ "${CRON_CHECK}" = "weekly" ] || [ "${CRON_CHECK}" = "monthly" ]; then
|
||||
LogText "Result: Cron job is configured for debsums utility."
|
||||
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 3 3
|
||||
else
|
||||
LogText "Result: Cron job is not configured for debsums utility."
|
||||
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
AddHP 1 3
|
||||
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regularly via a cron job (CRON_CHECK in default file)."
|
||||
fi
|
||||
else
|
||||
LogText "Result: Cron job is not configured for debsums utility."
|
||||
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
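Review bot: In the debsums hunk the existence check reads `if [ -f ${ROOTDIR}etc/default/debsums ]` but the grep on the next line opens `/etc/default/debsums`, so with a non-default ROOTDIR the test inspects a different file from the one it just verified. The `CRON_CHECK` pattern is also unanchored, so any comment or explanatory line mentioning CRON_CHECK is matched too and the awk output becomes several values, none of which equals daily/weekly/monthly; suggest `CRON_CHECK=$(${GREPBINARY} "^CRON_CHECK=" ${ROOTDIR}etc/default/debsums | ${AWKBINARY} -F "=" '{print $2}')`. Old and new lines are not marked on this rendering, so I am reading the `CRON_CHECK` block as the new side. In the PKGS-7305 hunk, `for APP in /Applications/*.app` yields the literal pattern when nothing matches and then records a bogus package `*` with version N/A; `[ -d "${APP}" ] || continue` as the first loop statement avoids that, and the same applies to the CoreServices loop. In the brew hunk, `${CUTBINARY} -d ' ' -f2` keeps only the first of possibly several versions that `brew list --versions` prints per formula, which may be intended but deserves a one-line comment.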
|
|
|
@ -312,7 +312,7 @@
|
|||
# AllowGroups
|
||||
FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
||||
if [ -n "${FIND}" ]; then
|
||||
LogText "Result: AllowUsers set ${FIND}"
|
||||
LogText "Result: AllowGroups set ${FIND}"
|
||||
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
|
||||
FOUND=1
|
||||
else
|
||||
|
|
|
@ -48,6 +48,8 @@
|
|||
TMPFILE="${TEMP_FILE}"
|
||||
CreateTempFile || ExitFatal
|
||||
TMPFILE2="${TEMP_FILE}"
|
||||
CreateTempFile || ExitFatal
|
||||
TMPFILE3="${TEMP_FILE}"
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -300,8 +302,42 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : HTTP-6660 TODO
|
||||
# Test : HTTP-6660
|
||||
# Description : Search for "TraceEnable off" in configuration files
|
||||
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no HTTP-6660 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache security setting: TraceEnable"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
for DIR in ${sTEST_APACHE_TARGETS}; do
|
||||
if [ -d ${DIR} ]; then
|
||||
find ${DIR} -name "*.conf" -print >> ${TMPFILE3}
|
||||
fi
|
||||
done
|
||||
|
||||
# Check all Apache conf-files for TraceEnable
|
||||
if [ -f ${TMPFILE3} ]; then
|
||||
Display --indent 2 --text '- Checking TraceEnable setting in:'
|
||||
for APACHE_CONFFILE in $(cat ${TMPFILE3}); do
|
||||
TRACEENABLE=$( ${GREPBINARY} -i -E '^TraceEnable' ${APACHE_CONFFILE} | ${AWKBINARY} '{print $2}' )
|
||||
if [ ! ${TRACEENABLE} ]; then
|
||||
LogText "Result: no TraceEnable setting found in ${APACHE_CONFFILE}"
|
||||
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
else
|
||||
TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' )
|
||||
if [ x${TRACEENABLED_SETTING} == x'off' ]; then
|
||||
LogText "Result: found TraceEnable setting set to 'off' in ${APACHE_CONFFILE}"
|
||||
Report "Apache setting: 'TraceEnable Off' in ${APACHE_CONFFILE}"
|
||||
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
LogText "Result: found TraceEnable setting set to '"${TRACEENABLE}"' in ${APACHE_CONFFILE}"
|
||||
Report "Apache setting: 'TraceEnable "${TRACEENABLE}"' in ${APACHE_CONFFILE}"
|
||||
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion "${TEST_NO}" "Consider setting 'TraceEnable Off' in ${APACHE_CONFFILE}" "Set TraceEnable to 'On' or 'extended' for testing and diagnostic purposes only."
|
||||
fi
|
||||
fi
|
||||
done
|
||||
rm -f ${TMPFILE3}
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -608,6 +644,7 @@
|
|||
# Remove temp file (double check)
|
||||
if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
|
||||
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
|
||||
if [ -n "${TMPFILE3}" ]; then if [ -f ${TMPFILE3} ]; then rm -f ${TMPFILE3}; fi; fi
|
||||
|
||||
WaitForKeyPress
|
||||
|
||||
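Review bot: `if [ x${TRACEENABLED_SETTING} == x'off' ]` in the HTTP-6660 hunk uses `==`, which POSIX test(1) does not define; on dash, for example, it reports an unexpected operator and evaluates false, so every file lands in the suggestion branch, and `=` is the portable form. Two lines up, `if [ ! ${TRACEENABLE} ]` and the `for APACHE_CONFFILE in $(cat ${TMPFILE3})` loop both rely on unquoted word-splitting: a conf file with two TraceEnable directives, or a path containing a space, turns the check into a "too many arguments" error instead of a result. The anchor `^TraceEnable` also misses the directive when it is indented inside a container block, which I believe is a common layout; `^[[:space:]]*TraceEnable` covers both. Old and new lines are not marked on this rendering, so I am treating the whole test body as new code; the rewrite below reads the file line by line and quotes the comparisons, with the rest of the hunk unchanged.
```shell
# … unchanged: collection of *.conf paths into TMPFILE3 …
if [ -f ${TMPFILE3} ]; then
    Display --indent 2 --text '- Checking TraceEnable setting in:'
    # one path per line: no word-splitting or globbing of $(cat ...)
    while IFS= read -r APACHE_CONFFILE; do
        # first match only, and accept a directive indented inside a block
        TRACEENABLE=$( ${GREPBINARY} -i -E '^[[:space:]]*TraceEnable' "${APACHE_CONFFILE}" | ${AWKBINARY} 'NR==1 {print $2}' )
        if [ -z "${TRACEENABLE}" ]; then
            # … unchanged: "not found" logging …
        else
            TRACEENABLED_SETTING=$( echo "${TRACEENABLE}" | tr 'A-Z' 'a-z' )
            # POSIX test(1) defines '=' only; '==' is a bash extension
            if [ "${TRACEENABLED_SETTING}" = "off" ]; then
                # … unchanged: found branch and else branch with suggestion …
            fi
        fi
    done < "${TMPFILE3}"
    rm -f ${TMPFILE3}
fi
```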
|
|
4
lynis
4
lynis
|
@ -52,7 +52,7 @@
|
|||
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
|
||||
PROGRAM_PACKAGE="https://packages.cisofy.com/"
|
||||
PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
|
||||
PROGRAM_COPYRIGHT="2007-2021, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
|
||||
PROGRAM_COPYRIGHT="2007-2024, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
|
||||
PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||
welcome to redistribute it under the terms of the GNU General Public License.
|
||||
See the LICENSE file for details about using this software."
|
||||
|
@ -1018,7 +1018,7 @@ ${NORMAL}
|
|||
if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then
|
||||
LogText "Info: perform tests from all categories"
|
||||
|
||||
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
|
||||
INCLUDE_TESTS="boot_services kernel memory_processes authentication kerberos shells \
|
||||
filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
|
||||
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
|
||||
insecure_services banners scheduling accounting time crypto virtualization containers \
|
||||
|
|