mirror of
https://github.com/CISOfy/lynis.git
synced 2025-07-31 01:34:23 +02:00
Merge branch 'master' into master
This commit is contained in:
Michael Boelen
GitHub
commit
e75a7b9547
7
.editorconfig
Normal file
7
.editorconfig
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
# See: https://editorconfig.org/
|
||||||
|
|
||||||
|
root = true
|
||||||
|
|
||||||
|
[*]
|
||||||
|
indent_style = space
|
||||||
|
indent_size = 4
|
||||||
33
CHANGELOG.md
33
CHANGELOG.md
@ -3,11 +3,42 @@
|
|||||||
## Lynis 3.1.2 (not released yet)
|
## Lynis 3.1.2 (not released yet)
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
- Detection of ALT Linux
|
||||||
- Detection of Athena OS
|
- Detection of Athena OS
|
||||||
|
- Detection of Container-Optimized OS from Google
|
||||||
|
- Detection of Koozali SME Server
|
||||||
|
- Detection of Nobara Linux
|
||||||
- Detection of Open Source Media Center (OSMC)
|
- Detection of Open Source Media Center (OSMC)
|
||||||
|
- Detection of PostmarketOS
|
||||||
|
- CRYP-7932 - macOS FileVault encryption test
|
||||||
|
- FILE-6398 - Check if JBD (Journal Block Device) driver is loaded
|
||||||
|
- FINT-4344 - Wazuh system running state
|
||||||
|
- PKGS-7305 - Query macOS Apps in /Applications and CoreServices
|
||||||
|
- File added: .editorconfig, which is used by editors to standardize formatting
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
- Correction of software EOL database and inclusion of AIX entries
|
- Correction of software EOL database and inclusion of AIX entries
|
||||||
|
- Support sysctl value perf_event_paranoid -> 2|3
|
||||||
|
- Update of Turkish translation
|
||||||
|
- Grammar and spell improvements
|
||||||
|
- Improved package detection on Alpine Linux
|
||||||
|
- Slackware support to check installed packges (functionPackageIsInstalled())
|
||||||
|
- Added words prosecute/report to LEGAL_BANNER_STRINGS
|
||||||
|
- Busybox support: Replace newer tr command syntax with older ascii specific operations
|
||||||
|
- Added Wazuh as a malware scanner/antivirus and rootkit detection tool
|
||||||
|
- AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc)
|
||||||
|
- CONT-8104 - Checking for errors, not only warning in docker info output
|
||||||
|
- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD
|
||||||
|
- FILE-6344 - Test kernel version (major/minor)
|
||||||
|
- KRNL-5622 - Use systemctl get-default instead of following link
|
||||||
|
- LOGG-2144 - Check for wazuh-agent presence on Linux systems
|
||||||
|
- MACF-6234 - Test if semanage binary is available
|
||||||
|
- MALW-3200 - ESET Endpoint Antivirus added
|
||||||
|
- MALW-3280 - McAfee Antivirus for Linux deprecated
|
||||||
|
- MALW-3291 - Check if Microsoft Defender Antivirus is installe
|
||||||
|
- NETW-3200 - Added regex to allow both /bin/true as /bin/false
|
||||||
|
- PKGS-7303 - Added version numbers to brew packages
|
||||||
|
- PKGS-7370 - Cron job check for debsums improved
|
||||||
|
|
||||||
---------------------------------------------------------------------------------
|
---------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WARNING="Xəbərdarlıq"
|
|||||||
STATUS_YES="Bəli"
|
STATUS_YES="Bəli"
|
||||||
TEXT_UPDATE_AVAILABLE="yeniləmə mövcud"
|
TEXT_UPDATE_AVAILABLE="yeniləmə mövcud"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="qeydləri gönderib kömek eyleyin"
|
TEXT_YOU_CAN_HELP_LOGFILE="qeydləri gönderib kömek eyleyin"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -107,3 +107,4 @@ STATUS_WARNING="警告"
|
|||||||
STATUS_YES="是"
|
STATUS_YES="是"
|
||||||
TEXT_UPDATE_AVAILABLE="有可以更新的版本"
|
TEXT_UPDATE_AVAILABLE="有可以更新的版本"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="你可以通过记录日志来帮忙"
|
TEXT_YOU_CAN_HELP_LOGFILE="你可以通过记录日志来帮忙"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WEAK="SVAG"
|
|||||||
STATUS_YES="JA"
|
STATUS_YES="JA"
|
||||||
TEXT_UPDATE_AVAILABLE="opdatering tilgængelig"
|
TEXT_UPDATE_AVAILABLE="opdatering tilgængelig"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil"
|
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WEAK="SCHWACH"
|
|||||||
STATUS_YES="JA"
|
STATUS_YES="JA"
|
||||||
TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
|
TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
|
TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -63,6 +63,7 @@ SECTION_USB_DEVICES="USB Devices"
|
|||||||
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
|
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
|
||||||
SECTION_VIRTUALIZATION="Virtualization"
|
SECTION_VIRTUALIZATION="Virtualization"
|
||||||
SECTION_WEBSERVER="Software: webserver"
|
SECTION_WEBSERVER="Software: webserver"
|
||||||
|
SECTION_KERBEROS="Kerberos"
|
||||||
STATUS_ACTIVE="ACTIVE"
|
STATUS_ACTIVE="ACTIVE"
|
||||||
STATUS_CHECK_NEEDED="CHECK NEEDED"
|
STATUS_CHECK_NEEDED="CHECK NEEDED"
|
||||||
STATUS_DEBUG="DEBUG"
|
STATUS_DEBUG="DEBUG"
|
||||||
|
|||||||
@ -107,3 +107,4 @@ STATUS_WEAK="DÉBIL"
|
|||||||
STATUS_YES="SÍ"
|
STATUS_YES="SÍ"
|
||||||
TEXT_UPDATE_AVAILABLE="Actualización disponible"
|
TEXT_UPDATE_AVAILABLE="Actualización disponible"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Puedes ayudar compartiendo tu archivo de registro"
|
TEXT_YOU_CAN_HELP_LOGFILE="Puedes ayudar compartiendo tu archivo de registro"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WARNING="VAROITUS"
|
|||||||
STATUS_YES="KYLLÄ"
|
STATUS_YES="KYLLÄ"
|
||||||
TEXT_UPDATE_AVAILABLE="päivitys saatavilla"
|
TEXT_UPDATE_AVAILABLE="päivitys saatavilla"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Voit auttaa toimittamalla lokitiedoston"
|
TEXT_YOU_CAN_HELP_LOGFILE="Voit auttaa toimittamalla lokitiedoston"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WEAK="FAIBLE"
|
|||||||
STATUS_YES="OUI"
|
STATUS_YES="OUI"
|
||||||
TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
|
TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
|
TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WARNING="ΠΡΟΣΟΧΗ"
|
|||||||
STATUS_YES="ΝΑΙ"
|
STATUS_YES="ΝΑΙ"
|
||||||
TEXT_UPDATE_AVAILABLE="διαθέσιμη ενημέρωση"
|
TEXT_UPDATE_AVAILABLE="διαθέσιμη ενημέρωση"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Μπορείτε να βοηθήσετε παρέχοντας το αρχείο καταγραφής"
|
TEXT_YOU_CAN_HELP_LOGFILE="Μπορείτε να βοηθήσετε παρέχοντας το αρχείο καταγραφής"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WARNING="אזהרה"
|
|||||||
STATUS_YES="כן"
|
STATUS_YES="כן"
|
||||||
TEXT_UPDATE_AVAILABLE="עדכון זמין"
|
TEXT_UPDATE_AVAILABLE="עדכון זמין"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="ניתן לעזור על ידי שליחת קובץ הלוג"
|
TEXT_YOU_CAN_HELP_LOGFILE="ניתן לעזור על ידי שליחת קובץ הלוג"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WARNING="FIGYELMEZTETÉS"
|
|||||||
STATUS_YES="IGEN"
|
STATUS_YES="IGEN"
|
||||||
TEXT_UPDATE_AVAILABLE="frissítés elérhető"
|
TEXT_UPDATE_AVAILABLE="frissítés elérhető"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
|
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -105,3 +105,5 @@ STATUS_WEAK="WEAK"
|
|||||||
STATUS_YES="YES"
|
STATUS_YES="YES"
|
||||||
TEXT_UPDATE_AVAILABLE="update tersedia"
|
TEXT_UPDATE_AVAILABLE="update tersedia"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Anda dapat membantu dengan memberikan file log Anda"
|
TEXT_YOU_CAN_HELP_LOGFILE="Anda dapat membantu dengan memberikan file log Anda"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
#STATUS_NOT_ACTIVE="NOT ACTIVE"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WEAK="DEBOLE"
|
|||||||
STATUS_YES="SI"
|
STATUS_YES="SI"
|
||||||
TEXT_UPDATE_AVAILABLE="aggiornamento disponibile"
|
TEXT_UPDATE_AVAILABLE="aggiornamento disponibile"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
|
TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WARNING="警告"
|
|||||||
STATUS_YES="はい"
|
STATUS_YES="はい"
|
||||||
TEXT_UPDATE_AVAILABLE="アップデートが利用可能"
|
TEXT_UPDATE_AVAILABLE="アップデートが利用可能"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
|
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WEAK="취약"
|
|||||||
STATUS_YES="예"
|
STATUS_YES="예"
|
||||||
TEXT_UPDATE_AVAILABLE="업데이트 가능"
|
TEXT_UPDATE_AVAILABLE="업데이트 가능"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다"
|
TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WARNING="ADVARSEL"
|
|||||||
STATUS_YES="JA"
|
STATUS_YES="JA"
|
||||||
TEXT_UPDATE_AVAILABLE="oppdatering tilgjengelig"
|
TEXT_UPDATE_AVAILABLE="oppdatering tilgjengelig"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Du kan bidra ved å laste opp din loggfil"
|
TEXT_YOU_CAN_HELP_LOGFILE="Du kan bidra ved å laste opp din loggfil"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WEAK="ZWAK"
|
|||||||
STATUS_YES="JA"
|
STATUS_YES="JA"
|
||||||
TEXT_UPDATE_AVAILABLE="update beschikbaar"
|
TEXT_UPDATE_AVAILABLE="update beschikbaar"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
|
TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_NOT_ACTIVE="NOT ACTIVE"
|
|||||||
#STATUS_YES="YES"
|
#STATUS_YES="YES"
|
||||||
#TEXT_UPDATE_AVAILABLE="update available"
|
#TEXT_UPDATE_AVAILABLE="update available"
|
||||||
#TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
|
#TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WARNING="ATENÇÃO"
|
|||||||
STATUS_YES="SIM"
|
STATUS_YES="SIM"
|
||||||
TEXT_UPDATE_AVAILABLE="Atualização disponível"
|
TEXT_UPDATE_AVAILABLE="Atualização disponível"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Você pode ajudar fornecendo seu arquivo de log"
|
TEXT_YOU_CAN_HELP_LOGFILE="Você pode ajudar fornecendo seu arquivo de log"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WEAK="СЛАБЫЙ"
|
|||||||
STATUS_YES="ДА"
|
STATUS_YES="ДА"
|
||||||
TEXT_UPDATE_AVAILABLE="доступно обновление"
|
TEXT_UPDATE_AVAILABLE="доступно обновление"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь, предоставив ваш лог-файл"
|
TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь, предоставив ваш лог-файл"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WARNING="VARNING"
|
|||||||
STATUS_YES="JA"
|
STATUS_YES="JA"
|
||||||
TEXT_UPDATE_AVAILABLE="uppdatering tillgänglig"
|
TEXT_UPDATE_AVAILABLE="uppdatering tillgänglig"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjälpa till genom att bidra med din loggfil"
|
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjälpa till genom att bidra med din loggfil"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -106,3 +106,4 @@ STATUS_WARNING="VAROVANIE"
|
|||||||
STATUS_YES="ÁNO"
|
STATUS_YES="ÁNO"
|
||||||
TEXT_UPDATE_AVAILABLE="aktualizácia k dispozícii"
|
TEXT_UPDATE_AVAILABLE="aktualizácia k dispozícii"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Môžete pomôcť poskytnutím log súboru"
|
TEXT_YOU_CAN_HELP_LOGFILE="Môžete pomôcť poskytnutím log súboru"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
173
db/languages/tr
173
db/languages/tr
@ -1,108 +1,109 @@
|
|||||||
ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmamış"
|
ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmadı"
|
||||||
ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmamış"
|
ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmadı"
|
||||||
GEN_CHECKING="Kontrol ediyor"
|
GEN_CHECKING=" Denetleniyor"
|
||||||
GEN_CURRENT_VERSION="Mevcut Sürüm"
|
GEN_CURRENT_VERSION="Geçerli sürüm"
|
||||||
GEN_DEBUG_MODE="Hata ayıklama modu"
|
GEN_DEBUG_MODE="Hata ayıklama modu"
|
||||||
GEN_INITIALIZE_PROGRAM="Program başlatılıyor"
|
GEN_INITIALIZE_PROGRAM="Program başlatılıyor"
|
||||||
GEN_LATEST_VERSION="Son sürüm"
|
GEN_LATEST_VERSION="En son sürüm"
|
||||||
GEN_PHASE="faz"
|
GEN_PHASE="evre"
|
||||||
GEN_PLUGINS_ENABLED="Yapılandırılmış eklentiler"
|
GEN_PLUGINS_ENABLED="Etkinleştirilen eklentiler"
|
||||||
GEN_UPDATE_AVAILABLE="güncelleme mevcut"
|
GEN_UPDATE_AVAILABLE="güncelleme var"
|
||||||
GEN_VERBOSE_MODE="Detay modu"
|
GEN_VERBOSE_MODE="Ayrıntılı mod"
|
||||||
GEN_WHAT_TO_DO="Yapılması gerekenler"
|
GEN_WHAT_TO_DO="Yapılması gerekenler"
|
||||||
NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai durumlar ve bilgiler bulundu"
|
|
||||||
NOTE_EXCEPTIONS_FOUND="İstisnalar bulundu"
|
NOTE_EXCEPTIONS_FOUND="İstisnalar bulundu"
|
||||||
NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha detaylı testler içermektedir ve tamamlanmaları uzun sürebilir"
|
NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai olaylar veya bilgiler bulundu"
|
||||||
|
NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha kapsamlı testlere sahiptir ve tamamlanması birkaç dakika sürebilir"
|
||||||
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Yetkisiz çalışma nedeniyle atlanan testler"
|
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Yetkisiz çalışma nedeniyle atlanan testler"
|
||||||
#SECTION_ACCOUNTING="Accounting"
|
SECTION_ACCOUNTING="Hesaplama"
|
||||||
#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
|
SECTION_BANNERS_AND_IDENTIFICATION="Afişler ve tanımlama"
|
||||||
#SECTION_BASICS="Basics"
|
SECTION_BASICS="Temel Bilgiler"
|
||||||
#SECTION_BOOT_AND_SERVICES="Boot and services"
|
SECTION_BOOT_AND_SERVICES="Önyükleme ve hizmetler"
|
||||||
#SECTION_CONTAINERS="Containers"
|
SECTION_CONTAINERS="Konteynerler"
|
||||||
#SECTION_CRYPTOGRAPHY="Cryptography"
|
SECTION_CRYPTOGRAPHY="Kriptografi"
|
||||||
SECTION_CUSTOM_TESTS="Özel testler"
|
SECTION_CUSTOM_TESTS="Özel testler"
|
||||||
#SECTION_DATABASES="Databases"
|
SECTION_DATA_UPLOAD="Veri yükleme"
|
||||||
#SECTION_DATA_UPLOAD="Data upload"
|
SECTION_DATABASES="Veri tabanları"
|
||||||
#SECTION_DOWNLOADS="Downloads"
|
SECTION_DOWNLOADS="İndirilenler"
|
||||||
#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
|
SECTION_EMAIL_AND_MESSAGING="Yazılım: e-posta ve mesajlaşma"
|
||||||
#SECTION_FILE_INTEGRITY="Software: file integrity"
|
SECTION_FILE_INTEGRITY="Yazılım: dosya bütünlüğü"
|
||||||
#SECTION_FILE_PERMISSIONS="File Permissions"
|
SECTION_FILE_PERMISSIONS="Dosya izinleri"
|
||||||
#SECTION_FILE_SYSTEMS="File systems"
|
SECTION_FILE_SYSTEMS="Dosya sistemleri"
|
||||||
#SECTION_FIREWALLS="Software: firewalls"
|
SECTION_FIREWALLS="Yazılım: güvenlik duvarları"
|
||||||
#SECTION_GENERAL="General"
|
SECTION_GENERAL="Genel"
|
||||||
#SECTION_HARDENING="Hardening"
|
SECTION_HARDENING="Sıkılaştırma"
|
||||||
#SECTION_HOME_DIRECTORIES="Home directories"
|
SECTION_HOME_DIRECTORIES="Ev dizinleri"
|
||||||
#SECTION_IMAGE="Image"
|
SECTION_IMAGE="Kalıp"
|
||||||
#SECTION_INITIALIZING_PROGRAM="Initializing program"
|
SECTION_INITIALIZING_PROGRAM="Program başlatılıyor"
|
||||||
#SECTION_INSECURE_SERVICES="Insecure services"
|
SECTION_INSECURE_SERVICES="Güvensiz hizmetler"
|
||||||
#SECTION_KERNEL_HARDENING="Kernel Hardening"
|
SECTION_KERNEL="Çekirdek"
|
||||||
#SECTION_KERNEL="Kernel"
|
SECTION_KERNEL_HARDENING="Çekirdek Sıkılaştırma"
|
||||||
#SECTION_LDAP_SERVICES="LDAP Services"
|
SECTION_LDAP_SERVICES="LDAP Hizmetleri"
|
||||||
#SECTION_LOGGING_AND_FILES="Logging and files"
|
SECTION_LOGGING_AND_FILES="Günlük kaydı ve dosyalar"
|
||||||
SECTION_MALWARE="Kötücül yazılım"
|
SECTION_MALWARE="Yazılım: Kötü Amaçlı Yazılım"
|
||||||
SECTION_MEMORY_AND_PROCESSES="Bellek ve Prosesler"
|
SECTION_MEMORY_AND_PROCESSES="Bellek ve Süreçler"
|
||||||
#SECTION_NAME_SERVICES="Name services"
|
SECTION_NAME_SERVICES="Ad hizmetleri"
|
||||||
#SECTION_NETWORKING="Networking"
|
SECTION_NETWORKING="Ağ İletişimi"
|
||||||
#SECTION_PERMISSIONS="Permissions"
|
SECTION_PERMISSIONS="İzinler"
|
||||||
#SECTION_PORTS_AND_PACKAGES="Ports and packages"
|
SECTION_PORTS_AND_PACKAGES="Bağlantı noktaları ve paketler"
|
||||||
#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
|
SECTION_PRINTERS_AND_SPOOLS="Yazıcılar ve Biriktiriciler"
|
||||||
#SECTION_PROGRAM_DETAILS="Program Details"
|
SECTION_PROGRAM_DETAILS="Program Ayrıntıları"
|
||||||
#SECTION_SCHEDULED_TASKS="Scheduled tasks"
|
SECTION_SCHEDULED_TASKS="Zamanlanan görevler"
|
||||||
#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
|
SECTION_SECURITY_FRAMEWORKS="Güvenlik çerçeveleri"
|
||||||
#SECTION_SHELLS="Shells"
|
SECTION_SHELLS="Kabuklar"
|
||||||
#SECTION_SNMP_SUPPORT="SNMP Support"
|
SECTION_SNMP_SUPPORT="SNMP Desteği"
|
||||||
#SECTION_SOFTWARE="Software"
|
SECTION_SOFTWARE="Yazılım"
|
||||||
#SECTION_SQUID_SUPPORT="Squid Support"
|
SECTION_SQUID_SUPPORT="Squid Desteği"
|
||||||
#SECTION_SSH_SUPPORT="SSH Support"
|
SECTION_SSH_SUPPORT="SSH Desteği"
|
||||||
#SECTION_STORAGE="Storage"
|
SECTION_STORAGE="Depolama"
|
||||||
#SECTION_SYSTEM_INTEGRITY="Software: System integrity"
|
SECTION_SYSTEM_INTEGRITY="Yazılım: Sistem bütünlüğü"
|
||||||
#SECTION_SYSTEM_TOOLING="Software: System tooling"
|
SECTION_SYSTEM_TOOLING="Yazılım: Sistem araçları"
|
||||||
#SECTION_SYSTEM_TOOLS="System tools"
|
SECTION_SYSTEM_TOOLS="Sistem araçları"
|
||||||
#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
|
SECTION_TIME_AND_SYNCHRONIZATION="Zaman ve Eşzamanlama"
|
||||||
#SECTION_USB_DEVICES="USB Devices"
|
SECTION_USB_DEVICES="USB Aygıtları"
|
||||||
#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
|
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Kullanıcılar, Gruplar ve Kimlik Doğrulama"
|
||||||
#SECTION_VIRTUALIZATION="Virtualization"
|
SECTION_VIRTUALIZATION="Sanallaştırma"
|
||||||
#SECTION_WEBSERVER="Software: webserver"
|
SECTION_WEBSERVER="Yazılım: web sunucusu"
|
||||||
#STATUS_ACTIVE="ACTIVE"
|
STATUS_ACTIVE=" ETKİN"
|
||||||
#STATUS_CHECK_NEEDED="CHECK NEEDED"
|
STATUS_CHECK_NEEDED=" DENETİM GEREKLI"
|
||||||
#STATUS_DEBUG="DEBUG"
|
STATUS_DEBUG="HATA AYIKLAMA"
|
||||||
#STATUS_DEFAULT="DEFAULT"
|
STATUS_DEFAULT="ÖNTANIMLI"
|
||||||
#STATUS_DIFFERENT="DIFFERENT"
|
STATUS_DIFFERENT="FARKLI"
|
||||||
STATUS_DISABLED="ETKİSİZLEŞTİRİLMİŞ"
|
STATUS_DISABLED="DEVRE DIŞI BIRAKILDI"
|
||||||
STATUS_DONE="TAMAMLANDI"
|
STATUS_DONE="TAMAMLANDI"
|
||||||
STATUS_ENABLED="ETKİNLEŞTİRİLMİŞ"
|
STATUS_ENABLED="ETKİNLEŞTİRİLDİ"
|
||||||
STATUS_ERROR="HATA"
|
STATUS_ERROR="HATA"
|
||||||
#STATUS_EXPOSED="EXPOSED"
|
STATUS_EXPOSED="AÇIKTA BIRAKILDI"
|
||||||
#STATUS_FAILED="FAILED"
|
STATUS_FAILED="BAŞARISIZ"
|
||||||
#STATUS_FILES_FOUND="FILES FOUND"
|
STATUS_FILES_FOUND="DOSYALAR BULUNDU"
|
||||||
STATUS_FOUND="BULUNDU"
|
STATUS_FOUND="BULUNDU"
|
||||||
#STATUS_HARDENED="HARDENED"
|
STATUS_HARDENED="SIKILAŞTIRILDI"
|
||||||
#STATUS_INSTALLED="INSTALLED"
|
STATUS_INSTALLED="KURULU"
|
||||||
#STATUS_LOCAL_ONLY="LOCAL ONLY"
|
STATUS_LOCAL_ONLY="YALNIZCA YEREL"
|
||||||
#STATUS_MEDIUM="MEDIUM"
|
STATUS_MEDIUM="ORTA"
|
||||||
STATUS_NO="HAYIR"
|
STATUS_NO="HAYIR"
|
||||||
#STATUS_NON_DEFAULT="NON DEFAULT"
|
STATUS_NO_UPDATE="GÜNCELLEME YOK"
|
||||||
|
STATUS_NON_DEFAULT="ÖNTANIMLI OLMAYAN"
|
||||||
STATUS_NONE="YOK"
|
STATUS_NONE="YOK"
|
||||||
STATUS_NOT_ACTIVE="NOT ACTIVE"
|
STATUS_NOT_ACTIVE="ETKİN DEĞİL"
|
||||||
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
|
STATUS_NOT_CONFIGURED="YAPILANDIRILMADI"
|
||||||
#STATUS_NOT_DISABLED="NOT DISABLED"
|
STATUS_NOT_DISABLED="DEVRE DIŞI BIRAKILMADI"
|
||||||
#STATUS_NOT_ENABLED="NOT ENABLED"
|
STATUS_NOT_ENABLED="ETKİNLEŞTİRİLMEDİ"
|
||||||
STATUS_NOT_FOUND="BULUNAMADI"
|
STATUS_NOT_FOUND="BULUNAMADI"
|
||||||
STATUS_NOT_RUNNING="ÇALIŞMIYOR"
|
STATUS_NOT_RUNNING="ÇALIŞMIYOR"
|
||||||
#STATUS_NO_UPDATE="NO UPDATE"
|
|
||||||
STATUS_OFF="KAPALI"
|
STATUS_OFF="KAPALI"
|
||||||
STATUS_OK="TAMAM"
|
STATUS_OK="TAMAM"
|
||||||
STATUS_ON="AÇIK"
|
STATUS_ON="AÇIK"
|
||||||
#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
|
STATUS_PARTIALLY_HARDENED="KISMEN SIKILAŞTIRILDI"
|
||||||
#STATUS_PROTECTED="PROTECTED"
|
STATUS_PROTECTED="KORUMALI"
|
||||||
STATUS_RUNNING="ÇALIŞIYOR"
|
STATUS_RUNNING="ÇALIŞIYOR"
|
||||||
STATUS_SKIPPED="ATLANDI"
|
STATUS_SKIPPED="ATLANDI"
|
||||||
STATUS_SUGGESTION="ÖNERİ"
|
STATUS_SUGGESTION="ÖNERİ"
|
||||||
STATUS_UNKNOWN="BİLİNMİYOR"
|
STATUS_UNKNOWN="BİLİNMİYOR"
|
||||||
#STATUS_UNSAFE="UNSAFE"
|
STATUS_UNSAFE="GÜVENLİ DEĞİL"
|
||||||
#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
|
STATUS_UPDATE_AVAILABLE="GÜNCELLEME VAR"
|
||||||
STATUS_WARNING="UYARI"
|
STATUS_WARNING="UYARI"
|
||||||
#STATUS_WEAK="WEAK"
|
STATUS_WEAK="ZAYIF"
|
||||||
STATUS_YES="EVET"
|
STATUS_YES="EVET"
|
||||||
TEXT_UPDATE_AVAILABLE="güncelleme mevcut"
|
TEXT_UPDATE_AVAILABLE="güncelleme var"
|
||||||
TEXT_YOU_CAN_HELP_LOGFILE="Log dosyanızı göndererek yardımcı olabilirsiniz"
|
TEXT_YOU_CAN_HELP_LOGFILE="Günlük dosyanızı göndererek yardımcı olabilirsiniz"
|
||||||
|
#SECTION_KERBEROS="Kerberos"
|
||||||
|
|||||||
@ -276,6 +276,7 @@ MALW-3284:test:security:malware::Check for clamd:
|
|||||||
MALW-3286:test:security:malware::Check for freshclam:
|
MALW-3286:test:security:malware::Check for freshclam:
|
||||||
MALW-3288:test:security:malware::Check for ClamXav:
|
MALW-3288:test:security:malware::Check for ClamXav:
|
||||||
MALW-3290:test:security:malware::Presence of malware scanner:
|
MALW-3290:test:security:malware::Presence of malware scanner:
|
||||||
|
MALW-3291:test:security:malware::Check for Microsoft Defender Antivirus:
|
||||||
NAME-4016:test:security:nameservices::Check /etc/resolv.conf default domain:
|
NAME-4016:test:security:nameservices::Check /etc/resolv.conf default domain:
|
||||||
NAME-4018:test:security:nameservices::Check /etc/resolv.conf search domains:
|
NAME-4018:test:security:nameservices::Check /etc/resolv.conf search domains:
|
||||||
NAME-4020:test:security:nameservices::Check non default options:
|
NAME-4020:test:security:nameservices::Check non default options:
|
||||||
|
|||||||
@ -144,6 +144,7 @@ plugin=software
|
|||||||
plugin=system-integrity
|
plugin=system-integrity
|
||||||
plugin=systemd
|
plugin=systemd
|
||||||
plugin=users
|
plugin=users
|
||||||
|
plugin=krb5
|
||||||
|
|
||||||
# Disable a particular plugin (will overrule an enabled plugin)
|
# Disable a particular plugin (will overrule an enabled plugin)
|
||||||
#disable-plugin=authentication
|
#disable-plugin=authentication
|
||||||
@ -197,7 +198,7 @@ config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//k
|
|||||||
config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
|
|||||||
@ -196,6 +196,8 @@
|
|||||||
iptables-save) IPTABLESSAVEBINARY="${BINARY}"; LogText " Found known binary: iptables-save (firewall) - ${BINARY}" ;;
|
iptables-save) IPTABLESSAVEBINARY="${BINARY}"; LogText " Found known binary: iptables-save (firewall) - ${BINARY}" ;;
|
||||||
istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;;
|
istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;;
|
||||||
journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
|
journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
|
||||||
|
kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
|
||||||
|
kdb5_util) KDB5UTILBINARY="${BINARY}"; LogText " Found known binary: kdb5_util (krb5) - ${BINARY}" ;;
|
||||||
kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
|
kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
|
||||||
kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
|
kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
|
||||||
launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;
|
launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;
|
||||||
@ -338,7 +340,7 @@
|
|||||||
|
|
||||||
# If grep is capable of extended regexp, use that instead of egrep to avoid annoying warning
|
# If grep is capable of extended regexp, use that instead of egrep to avoid annoying warning
|
||||||
if [ "${GREPBINARY:-}" ] ; then
|
if [ "${GREPBINARY:-}" ] ; then
|
||||||
${GREPBINARY} --help | ${GREPBINARY} -e "extended-regexp" > /dev/null
|
${GREPBINARY} --help 2> /dev/null | ${GREPBINARY} -e "extended-regexp" > /dev/null
|
||||||
if [ $? -eq 0 ] ; then
|
if [ $? -eq 0 ] ; then
|
||||||
EGREPBINARY="${GREPBINARY} -E"
|
EGREPBINARY="${GREPBINARY} -E"
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -169,6 +169,7 @@ ETC_PATHS="/etc /usr/local/etc"
|
|||||||
MACHINEID=""
|
MACHINEID=""
|
||||||
MACHINE_ROLE=""
|
MACHINE_ROLE=""
|
||||||
MALWARE_SCANNER_INSTALLED=0
|
MALWARE_SCANNER_INSTALLED=0
|
||||||
|
MDATPBINARY=""
|
||||||
MIN_PASSWORD_LENGTH=-1
|
MIN_PASSWORD_LENGTH=-1
|
||||||
MONGODB_RUNNING=0
|
MONGODB_RUNNING=0
|
||||||
MOUNTBINARY=""
|
MOUNTBINARY=""
|
||||||
@ -298,7 +299,9 @@ ETC_PATHS="/etc /usr/local/etc"
|
|||||||
SSL_CERTIFICATE_INCLUDE_PACKAGES=0
|
SSL_CERTIFICATE_INCLUDE_PACKAGES=0
|
||||||
SSL_CERTIFICATE_PATHS=""
|
SSL_CERTIFICATE_PATHS=""
|
||||||
SSL_CERTIFICATE_PATHS_TO_IGNORE=""
|
SSL_CERTIFICATE_PATHS_TO_IGNORE=""
|
||||||
|
STATUS_NOT_ACTIVE=""
|
||||||
STUNNELBINARY=""
|
STUNNELBINARY=""
|
||||||
|
SURICATABINARY=""
|
||||||
SWUPDBINARY=""
|
SWUPDBINARY=""
|
||||||
SYSLOGNGBINARY=""
|
SYSLOGNGBINARY=""
|
||||||
SYSTEMCTLBINARY=""
|
SYSTEMCTLBINARY=""
|
||||||
|
|||||||
@ -2086,6 +2086,10 @@
|
|||||||
elif [ -n "${PKGINFOBINARY}" ]; then
|
elif [ -n "${PKGINFOBINARY}" ]; then
|
||||||
output=$(${PKGINFOBINARY} -q -e ${package} >/dev/null 2>&1)
|
output=$(${PKGINFOBINARY} -q -e ${package} >/dev/null 2>&1)
|
||||||
exit_code=$? # 0=package installed, 1=package not installed
|
exit_code=$? # 0=package installed, 1=package not installed
|
||||||
|
# Slackware also has RPM for some reason and that's why this test precedes the RPMBINARY test
|
||||||
|
elif [ "${OS_NAME}" = "Slackware Linux" -a -d "${ROOTDIR}/var/lib/pkgtools/packages" ]; then
|
||||||
|
output=$( ls ${ROOTDIR}/var/lib/pkgtools/packages/ 2> /dev/null | ${GREPBINARY} "^${package}-[^-]\+-[^-]\+-[^-]\+$" )
|
||||||
|
exit_code=$?
|
||||||
elif [ -n "${RPMBINARY}" ]; then
|
elif [ -n "${RPMBINARY}" ]; then
|
||||||
output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
|
output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
|
||||||
exit_code=$?
|
exit_code=$?
|
||||||
@ -2099,7 +2103,7 @@
|
|||||||
output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
|
output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
|
||||||
exit_code=$?
|
exit_code=$?
|
||||||
elif [ -n "${APKBINARY}" ]; then
|
elif [ -n "${APKBINARY}" ]; then
|
||||||
output=$(${APKBINARY} search ${package} 2> /dev/null | ${GREPBINARY} ${package})
|
output=$(${APKBINARY} list --installed ${package} 2> /dev/null | ${GREPBINARY} ${package})
|
||||||
exit_code=$?
|
exit_code=$?
|
||||||
else
|
else
|
||||||
if [ "${package}" != "__dummy__" ]; then
|
if [ "${package}" != "__dummy__" ]; then
|
||||||
@ -2758,7 +2762,6 @@
|
|||||||
if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi
|
if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi
|
||||||
TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
|
TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
|
||||||
fi
|
fi
|
||||||
unset SKIPREASON
|
|
||||||
|
|
||||||
# Save timestamp for next time the Register function is called
|
# Save timestamp for next time the Register function is called
|
||||||
PREVIOUS_TEST="${TEST_NO}"
|
PREVIOUS_TEST="${TEST_NO}"
|
||||||
@ -3171,7 +3174,7 @@
|
|||||||
|
|
||||||
if [ ${PENTESTINGMODE} -eq 0 -a ${IS_PARAMETERS} -eq 0 ]; then
|
if [ ${PENTESTINGMODE} -eq 0 -a ${IS_PARAMETERS} -eq 0 ]; then
|
||||||
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
|
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
|
||||||
echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})."
|
echo "Fatal error: group owner of directory $1 should be owned by root group, wheel or similar (found: ${GROUP})."
|
||||||
ExitFatal
|
ExitFatal
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -160,6 +160,11 @@
|
|||||||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
;;
|
;;
|
||||||
|
"altlinux")
|
||||||
|
LINUX_VERSION="ALT Linux"
|
||||||
|
OS_NAME="altlinux"
|
||||||
|
OS_VERSION=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
|
;;
|
||||||
"amzn")
|
"amzn")
|
||||||
LINUX_VERSION="Amazon Linux"
|
LINUX_VERSION="Amazon Linux"
|
||||||
OS_NAME="Amazon Linux"
|
OS_NAME="Amazon Linux"
|
||||||
@ -221,6 +226,11 @@
|
|||||||
OS_NAME="CoreOS Linux"
|
OS_NAME="CoreOS Linux"
|
||||||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
;;
|
;;
|
||||||
|
"cos")
|
||||||
|
LINUX_VERSION="Container-Optimized OS"
|
||||||
|
OS_NAME="Container-Optimized OS from Google"
|
||||||
|
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
|
;;
|
||||||
"debian")
|
"debian")
|
||||||
LINUX_VERSION="Debian"
|
LINUX_VERSION="Debian"
|
||||||
OS_NAME="Debian"
|
OS_NAME="Debian"
|
||||||
@ -290,6 +300,12 @@
|
|||||||
OS_NAME="Kali Linux"
|
OS_NAME="Kali Linux"
|
||||||
OS_VERSION="Rolling release"
|
OS_VERSION="Rolling release"
|
||||||
;;
|
;;
|
||||||
|
"koozali")
|
||||||
|
LINUX_VERSION="Koozali"
|
||||||
|
OS_NAME="Koozali SME Server"
|
||||||
|
OS_REDHAT_OR_CLONE=1
|
||||||
|
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
|
;;
|
||||||
"linuxmint")
|
"linuxmint")
|
||||||
LINUX_VERSION="Linux Mint"
|
LINUX_VERSION="Linux Mint"
|
||||||
LINUX_VERSION_LIKE="Ubuntu"
|
LINUX_VERSION_LIKE="Ubuntu"
|
||||||
@ -314,6 +330,13 @@
|
|||||||
OS_NAME="Manjaro"
|
OS_NAME="Manjaro"
|
||||||
OS_VERSION="Rolling release"
|
OS_VERSION="Rolling release"
|
||||||
;;
|
;;
|
||||||
|
"neon")
|
||||||
|
LINUX_VERSION="KDE Neon"
|
||||||
|
LINUX_VERSION_LIKE="Ubuntu"
|
||||||
|
OS_NAME="KDE Neon"
|
||||||
|
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
|
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
|
;;
|
||||||
"nethserver")
|
"nethserver")
|
||||||
LINUX_VERSION="NethServer"
|
LINUX_VERSION="NethServer"
|
||||||
OS_NAME="NethServer"
|
OS_NAME="NethServer"
|
||||||
@ -332,6 +355,12 @@
|
|||||||
OS_REDHAT_OR_CLONE=1
|
OS_REDHAT_OR_CLONE=1
|
||||||
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
;;
|
;;
|
||||||
|
"nobara")
|
||||||
|
LINUX_VERSION="Nobara"
|
||||||
|
OS_NAME="Nobara Linux"
|
||||||
|
OS_REDHAT_OR_CLONE=1
|
||||||
|
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
|
;;
|
||||||
"nodistro")
|
"nodistro")
|
||||||
LINUX_VERSION="openembedded"
|
LINUX_VERSION="openembedded"
|
||||||
OS_NAME="OpenEmbedded"
|
OS_NAME="OpenEmbedded"
|
||||||
@ -381,6 +410,13 @@
|
|||||||
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
OS_NAME="Pop!_OS"
|
OS_NAME="Pop!_OS"
|
||||||
;;
|
;;
|
||||||
|
"postmarketos")
|
||||||
|
LINUX_VERSION="PostmarketOS"
|
||||||
|
LINUX_VERSION_LIKE="Alpine"
|
||||||
|
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
|
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
|
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
|
;;
|
||||||
"pureos")
|
"pureos")
|
||||||
LINUX_VERSION="PureOS"
|
LINUX_VERSION="PureOS"
|
||||||
LINUX_VERSION_LIKE="Debian"
|
LINUX_VERSION_LIKE="Debian"
|
||||||
@ -445,7 +481,7 @@
|
|||||||
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
|
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -56,7 +56,7 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
|
# Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
|
||||||
DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-')
|
DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-')
|
||||||
if ! IsEmpty "${DATA}"; then
|
if ! IsEmpty "${DATA}"; then
|
||||||
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
|
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
|
||||||
LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
|
LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
|
||||||
@ -68,7 +68,7 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Now parse the profile and filter out unwanted characters
|
# Now parse the profile and filter out unwanted characters
|
||||||
DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
|
DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
|
||||||
for CONFIGOPTION in ${DATA}; do
|
for CONFIGOPTION in ${DATA}; do
|
||||||
if ContainsString "^config:" "${CONFIGOPTION}"; then
|
if ContainsString "^config:" "${CONFIGOPTION}"; then
|
||||||
# Old style configuration
|
# Old style configuration
|
||||||
@ -352,7 +352,7 @@
|
|||||||
|
|
||||||
# Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest)
|
# Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest)
|
||||||
skip-test)
|
skip-test)
|
||||||
STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
|
STRING=$(echo ${VALUE} | awk '{print toupper($0)}')
|
||||||
SKIP_TESTS="${SKIP_TESTS} ${STRING}"
|
SKIP_TESTS="${SKIP_TESTS} ${STRING}"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
@ -371,7 +371,7 @@
|
|||||||
|
|
||||||
ssl-certificate-paths-to-ignore)
|
ssl-certificate-paths-to-ignore)
|
||||||
# Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces
|
# Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces
|
||||||
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g' | tr ':' ' ')
|
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[\001-\037]' | sed 's/ /__space__/g' | tr ':' ' ')
|
||||||
Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}"
|
Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}"
|
||||||
AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
|
AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
|
||||||
;;
|
;;
|
||||||
@ -479,7 +479,7 @@
|
|||||||
|
|
||||||
# Deprecated: skip tests
|
# Deprecated: skip tests
|
||||||
test_skip_always)
|
test_skip_always)
|
||||||
STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
|
STRING=$(echo ${VALUE} | awk '{print toupper($0)}')
|
||||||
SKIP_TESTS="${SKIP_TESTS} ${STRING}"
|
SKIP_TESTS="${SKIP_TESTS} ${STRING}"
|
||||||
LogText "[deprecated option] Tests to be skipped: ${VALUE}"
|
LogText "[deprecated option] Tests to be skipped: ${VALUE}"
|
||||||
DisplayToolTip "Replace deprecated option 'test_skip_always' and replace with 'skip-test' (add to custom.prf)"
|
DisplayToolTip "Replace deprecated option 'test_skip_always' and replace with 'skip-test' (add to custom.prf)"
|
||||||
|
|||||||
@ -717,7 +717,7 @@
|
|||||||
if [ ${FOUND} -eq 0 ]; then
|
if [ ${FOUND} -eq 0 ]; then
|
||||||
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
|
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||||
LogText "Result: no PAM modules for password strength testing found"
|
LogText "Result: no PAM modules for password strength testing found"
|
||||||
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
|
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc"
|
||||||
AddHP 0 3
|
AddHP 0 3
|
||||||
else
|
else
|
||||||
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
|
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
|
||||||
|
|||||||
@ -27,7 +27,7 @@
|
|||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
|
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
|
||||||
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
|
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited prosecute record report restricted secure subject system terms warning"
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
|
|||||||
@ -107,7 +107,7 @@
|
|||||||
LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)"
|
LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)"
|
||||||
RUN_DOCKER_TESTS=0
|
RUN_DOCKER_TESTS=0
|
||||||
fi
|
fi
|
||||||
FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
|
FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} -E "^WARNING:|^ERROR:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
|
||||||
if [ ! "${FIND}" = "" ]; then
|
if [ ! "${FIND}" = "" ]; then
|
||||||
LogText "Result: found warning(s) in output"
|
LogText "Result: found warning(s) in output"
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
|
|||||||
@ -217,6 +217,33 @@
|
|||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
#
|
||||||
|
# Test : CRYP-7932
|
||||||
|
# Description : Determine if system has enabled macOS FileVault encryption
|
||||||
|
Register --test-no CRYP-7932 --os macOS --weight L --network NO --category crypto --description "Determine if system has enabled macOS FileVault encryption"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
if command -v fdesetup &> /dev/null; then
|
||||||
|
case $(fdesetup status) in
|
||||||
|
*"FileVault is On."*)
|
||||||
|
LogText "Result: FileVault is enabled."
|
||||||
|
Display --indent 2 --text "- FileVault is enabled." --result "${STATUS_OK}" --color GREEN
|
||||||
|
Report "encryption[]=filevault"
|
||||||
|
AddHP 3 3
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
LogText "Result: FileVault is not enabled."
|
||||||
|
Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED
|
||||||
|
AddHP 0 3
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
else
|
||||||
|
LogText "Result: fdesetup command not found. Unable to determine FileVault status."
|
||||||
|
Display --indent 2 --text "- Unable to determine FileVault status (fdesetup command not found)." --result "${STATUS_WARNING}" --color YELLOW
|
||||||
|
AddHP 0 3
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Test : CRYP-8002
|
# Test : CRYP-8002
|
||||||
# Description : Gather available kernel entropy
|
# Description : Gather available kernel entropy
|
||||||
|
|||||||
@ -186,8 +186,10 @@
|
|||||||
# Test : DBS-1826
|
# Test : DBS-1826
|
||||||
# Description : Check if PostgreSQL is being used
|
# Description : Check if PostgreSQL is being used
|
||||||
Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes"
|
Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes"
|
||||||
|
for PROCES in postgres postmaster
|
||||||
|
do
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if IsRunning "postgres"; then
|
if IsRunning "${PROCES}"; then
|
||||||
Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
|
||||||
LogText "Result: PostgreSQL is active"
|
LogText "Result: PostgreSQL is active"
|
||||||
POSTGRESQL_RUNNING=1
|
POSTGRESQL_RUNNING=1
|
||||||
@ -195,9 +197,10 @@
|
|||||||
Report "postgresql_running=${POSTGRESQL_RUNNING}"
|
Report "postgresql_running=${POSTGRESQL_RUNNING}"
|
||||||
else
|
else
|
||||||
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
|
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
|
||||||
LogText "Result: PostgreSQL process not active"
|
LogText "Result: PostgreSQL process ${PROCES} not active"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
@ -211,14 +214,15 @@
|
|||||||
# Arch /var/lib/postgres/data/postgresql.conf
|
# Arch /var/lib/postgres/data/postgresql.conf
|
||||||
# CentOS/Fedora /var/lib/pgsql/data/postgresql.conf
|
# CentOS/Fedora /var/lib/pgsql/data/postgresql.conf
|
||||||
# Ubuntu /etc/postgresql/x.y/main/postgresql.conf
|
# Ubuntu /etc/postgresql/x.y/main/postgresql.conf
|
||||||
|
# FreeBSD /var/db/postgres/data[0-9][0-9]/postgresql.conf
|
||||||
|
|
||||||
if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi
|
if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi
|
||||||
|
|
||||||
Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
|
Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null)
|
FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null)
|
||||||
FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
|
FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data ${ROOTDIR}var/lib/pgsql/data ${ROOTDIR}var/db/postgres/data[0-9][0-9]"
|
||||||
CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
|
CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -I'{}' sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
|
||||||
for CF in ${CONFIG_FILES}; do
|
for CF in ${CONFIG_FILES}; do
|
||||||
Report "postgresql_config_file[]=${CF}"
|
Report "postgresql_config_file[]=${CF}"
|
||||||
LogText "Found configuration file (${CF})"
|
LogText "Found configuration file (${CF})"
|
||||||
|
|||||||
@ -346,7 +346,13 @@
|
|||||||
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
|
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
|
||||||
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
|
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
|
||||||
if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
|
if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
|
||||||
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then
|
||||||
|
PREQS_MET="YES";
|
||||||
|
elif [ ${LINUX_KERNEL_MAJOR} -ge 4 ]; then
|
||||||
|
PREQS_MET="YES";
|
||||||
|
else
|
||||||
|
PREQS_MET="NO";
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
PREQS_MET="NO";
|
PREQS_MET="NO";
|
||||||
fi
|
fi
|
||||||
@ -726,11 +732,45 @@
|
|||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Test : FILE-6398 TODO
|
# Test : FILE-6398
|
||||||
# Description : Check if JBD (Journal Block Device) driver is loaded
|
# Description : Check if JBD (Journal Block Device) driver is loaded
|
||||||
|
Register --test-no FILE-6398 --os Linux --weight L --network NO --category security --description "Checking if JBD (Journal Block Device) driver is loaded"
|
||||||
# Want to contribute to Lynis? Create this test
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
LogText "Test: Checking if JBD (Journal Block Device) driver is loaded"
|
||||||
|
NOTINUSE=0
|
||||||
|
# Cannot check if driver is loaded/present if kernel is monolithic
|
||||||
|
if [ ${MONOLITHIC_KERNEL} -eq 0 ]; then
|
||||||
|
JBD=$(${LSMODBINARY} | ${GREPBINARY} ^jbd)
|
||||||
|
if [ -n "${JBD}" ]; then
|
||||||
|
LogText "Result: JBD driver is loaded"
|
||||||
|
INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}')
|
||||||
|
if [ -n "${INUSE}" ]; then
|
||||||
|
LogText "Result: JBD driver is in use by drivers: ${INUSE}"
|
||||||
|
Report "JBD driver is in use by drivers: ${INUSE}"
|
||||||
|
Display --indent 2 --text "- JBD driver loaded and in use" --result "${STATUS_OK}" --color GREEN
|
||||||
|
else
|
||||||
|
NOTINUSE=1
|
||||||
|
LogText "Result: JBD driver loaded, but not in use"
|
||||||
|
Report "JBD driver is loaded, but not in use."
|
||||||
|
Display --indent 2 --text "- JBD driver loaded, but not in use" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
NOTINUSE=2
|
||||||
|
LogText "Result: JBD driver not loaded"
|
||||||
|
Report "JBD driver not loaded."
|
||||||
|
Display --indent 2 --text "- JBD driver is not loaded" --result "${STATUS_CHECK_NEEDED}" --color YELLOW
|
||||||
|
fi
|
||||||
|
if [ ${NOTINUSE} -eq 1 ]; then
|
||||||
|
ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is loaded but not in use." "You are currently not using any filesystems with journaling, i.e. you have greater risk of data corruption in case of system crash."
|
||||||
|
elif [ ${NOTINUSE} -eq 2 ]; then
|
||||||
|
ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is not loaded." "Since boot-time, you have not been using any filesystems with journaling. Alternatively, reason could be driver is blacklisted."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
LogText "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel."
|
||||||
|
Report "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel."
|
||||||
|
Display --indent 2 --text "- JBD driver: unable to check" --result "${STATUS_UNKNOWN}" --color RED
|
||||||
|
fi
|
||||||
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
|
|||||||
188
include/tests_kerberos
Normal file
188
include/tests_kerberos
Normal file
@ -0,0 +1,188 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
InsertSection "${SECTION_KERBEROS}"
|
||||||
|
|
||||||
|
#
|
||||||
|
#########################################################################
|
||||||
|
#
|
||||||
|
|
||||||
|
# Test : KRB-1000
|
||||||
|
# Description : Check that Kerberos principals have passwords that expire
|
||||||
|
Register --test-no KRB-1000 --weight L --network NO --description "Check for Kerberos KDC tools"
|
||||||
|
if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
|
||||||
|
then
|
||||||
|
PREQS_MET="YES"
|
||||||
|
# Make sure krb5 debugging doesn't mess up the output
|
||||||
|
unset KRB5_TRACE
|
||||||
|
PRINCS="$(${KADMINLOCALBINARY} listprincs | ${TRBINARY:-tr} '\n' ' ')"
|
||||||
|
if [ -z "${PRINCS}" ]
|
||||||
|
then
|
||||||
|
PREQS_MET="NO"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
PREQS_MET="NO"
|
||||||
|
fi
|
||||||
|
if [ "${PREQS_MET}" = "YES" ]; then
|
||||||
|
Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_FOUND}" --color GREEN
|
||||||
|
else
|
||||||
|
Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Test : KRB-1010
|
||||||
|
# Description : Check that Kerberos principals have passwords that expire
|
||||||
|
Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
FOUND=0
|
||||||
|
for I in ${PRINCS}
|
||||||
|
do
|
||||||
|
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
|
||||||
|
if [ "${FIND}" = "Password expiration date: [never]" ]
|
||||||
|
then
|
||||||
|
LogText "Result: Kerberos principal ${I} has a password/key that never expires"
|
||||||
|
FOUND=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ${FOUND} -eq 1 ]; then
|
||||||
|
Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
|
||||||
|
ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
|
||||||
|
else
|
||||||
|
Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
|
#
|
||||||
|
|
||||||
|
# Test : KRB-1020
|
||||||
|
# Description : Check last password change for Kerberos principals
|
||||||
|
Register --test-no KRB-1020 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
FOUND=0
|
||||||
|
for I in ${PRINCS}
|
||||||
|
do
|
||||||
|
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
|
||||||
|
if [ "${FIND}" = "[never]" ]
|
||||||
|
then
|
||||||
|
LogText "Result: Kerberos principal ${I} has a password/key that has never been changed"
|
||||||
|
FOUND=1
|
||||||
|
else
|
||||||
|
J="$(date -d "${FIND}" +%s)"
|
||||||
|
if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ]
|
||||||
|
then
|
||||||
|
LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
|
||||||
|
FOUND=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ${FOUND} -eq 1 ]; then
|
||||||
|
Display --indent 4 --text "- Principals with late password change" --result "${STATUS_WARNING}" --color RED
|
||||||
|
ReportSuggestion "${TEST_NO}" "Enforce frequent password/key change for your Kerberos principals"
|
||||||
|
else
|
||||||
|
Display --indent 4 --text "- Principals with late password change" --result "${STATUS_OK}" --color GREEN
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
|
#
|
||||||
|
|
||||||
|
# Test : KRB-1030
|
||||||
|
# Description : Check that Kerberos principals have a policy associated to them
|
||||||
|
Register --test-no KRB5-1030 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
FOUND=0
|
||||||
|
for I in ${PRINCS}
|
||||||
|
do
|
||||||
|
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
|
||||||
|
if [ "${FIND}" = "Policy: [none]" ]
|
||||||
|
then
|
||||||
|
LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
|
||||||
|
FOUND=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ${FOUND} -eq 1 ]; then
|
||||||
|
Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_WARNING}" --color RED
|
||||||
|
ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have a policy associated to them"
|
||||||
|
else
|
||||||
|
Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_OK}" --color GREEN
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
|
#
|
||||||
|
|
||||||
|
# Test : KRB-1040
|
||||||
|
# Description : Check various attributes for Kerberos principals
|
||||||
|
Register --test-no KRB5-1040 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
FOUND=0
|
||||||
|
for I in ${PRINCS}
|
||||||
|
do
|
||||||
|
J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
|
||||||
|
if ContainsString "^K/M@" "${I}" || \
|
||||||
|
ContainsString "^kadmin/admin@" "${I}" || \
|
||||||
|
ContainsString "^kadmin/changepw@" "${I}" || \
|
||||||
|
ContainsString "^krbtgt/" "${I}"
|
||||||
|
then
|
||||||
|
if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
|
||||||
|
then
|
||||||
|
LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
|
||||||
|
FOUND=1
|
||||||
|
fi
|
||||||
|
elif ContainsString "/admin@" "${I}"
|
||||||
|
then
|
||||||
|
if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
|
||||||
|
then
|
||||||
|
LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
|
||||||
|
FOUND=1
|
||||||
|
fi
|
||||||
|
elif ContainsString "^[^/$]+@" "${I}"
|
||||||
|
then
|
||||||
|
if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
|
||||||
|
then
|
||||||
|
LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
|
||||||
|
FOUND=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ${FOUND} -eq 1 ]; then
|
||||||
|
Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_WARNING}" --color RED
|
||||||
|
ReportSuggestion "${TEST_NO}" "Harden your Kerberos principals with appropriate attributes"
|
||||||
|
else
|
||||||
|
Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_OK}" --color GREEN
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
|
#
|
||||||
|
|
||||||
|
# Test : KRB-1050
|
||||||
|
# Description : Check for weak crypto
|
||||||
|
Register --test-no KRB-1050 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
|
||||||
|
if [ -n "${FIND}" ]; then
|
||||||
|
while read I J
|
||||||
|
do
|
||||||
|
LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
|
||||||
|
done << EOF
|
||||||
|
${FIND}
|
||||||
|
EOF
|
||||||
|
Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_WARNING}" --color RED
|
||||||
|
ReportSuggestion "${TEST_NO}" "Remove weak (des|arcfour|cbc|sha1) cryptographic keys from principals"
|
||||||
|
else
|
||||||
|
Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_OK}" --color GREEN
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
|
#
|
||||||
|
|
||||||
|
unset PRINCS
|
||||||
|
unset I
|
||||||
|
unset J
|
||||||
|
|
||||||
|
#EOF
|
||||||
@ -41,28 +41,17 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
# Checking if we can find the systemd default target
|
# Checking if we can find the systemd default target
|
||||||
LogText "Test: Checking for systemd default.target"
|
LogText "Test: Checking for systemd default.target"
|
||||||
if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
|
if [ $(${SYSTEMCTLBINARY} get-default) ]; then
|
||||||
LogText "Result: symlink found"
|
FIND=$(${SYSTEMCTLBINARY} get-default)
|
||||||
if HasData "${READLINKBINARY}"; then
|
FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
|
||||||
FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
|
if HasData "${FIND2}"; then
|
||||||
if ! HasData "${FIND}"; then
|
LogText "Result: Found match on runlevel5/graphical"
|
||||||
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
|
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
|
||||||
ReportException "${TEST_NO}:01"
|
Report "linux_default_runlevel=5"
|
||||||
else
|
|
||||||
FIND2=$(${ECHOCMD} ${FIND} | ${GREPBINARY} -E "runlevel5|graphical")
|
|
||||||
if HasData "${FIND2}"; then
|
|
||||||
LogText "Result: Found match on runlevel5/graphical"
|
|
||||||
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
|
|
||||||
Report "linux_default_runlevel=5"
|
|
||||||
else
|
|
||||||
LogText "Result: No match found on runlevel, defaulting to runlevel 3"
|
|
||||||
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
|
|
||||||
Report "linux_default_runlevel=3"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
LogText "Result: No readlink binary, can't determine where symlink is pointing to"
|
LogText "Result: No match found on runlevel, defaulting to runlevel 3"
|
||||||
Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
|
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
|
||||||
|
Report "linux_default_runlevel=3"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
LogText "Result: no systemd found, so trying inittab"
|
LogText "Result: no systemd found, so trying inittab"
|
||||||
@ -467,7 +456,7 @@
|
|||||||
SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
|
SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
|
||||||
SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
|
SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
|
||||||
SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
|
SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
|
||||||
# check conf files in possibly existing coredump.conf.d folders
|
# check conf files in possibly existing coredump.conf.d folders
|
||||||
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
|
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
|
||||||
# while there could be multiple files overwriting each other, we are checking the number of occurrences
|
# while there could be multiple files overwriting each other, we are checking the number of occurrences
|
||||||
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
|
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
|
||||||
@ -531,7 +520,7 @@
|
|||||||
Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW
|
Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Limits options
|
# Limits options
|
||||||
for DIR in "/" "/usr/"; do
|
for DIR in "/" "/usr/"; do
|
||||||
LogText "Test: Checking presence ${DIR}etc/security/limits.conf"
|
LogText "Test: Checking presence ${DIR}etc/security/limits.conf"
|
||||||
@ -692,7 +681,7 @@
|
|||||||
else
|
else
|
||||||
# Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Sort based on versions (-v) and then find the last item
|
# Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Sort based on versions (-v) and then find the last item
|
||||||
# Note: ignore a rescue kernel (e.g. CentOS)
|
# Note: ignore a rescue kernel (e.g. CentOS)
|
||||||
FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${TAILBINARY} -1)
|
FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue-' | ${TAILBINARY} -1)
|
||||||
LogText "Result: found ${FOUND_VMLINUZ}"
|
LogText "Result: found ${FOUND_VMLINUZ}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -840,7 +829,7 @@
|
|||||||
else
|
else
|
||||||
LogText "Result: Skipping this test, as extracting the seconds of package date failed"
|
LogText "Result: Skipping this test, as extracting the seconds of package date failed"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "${UNAME_OUTPUT}" ]; then
|
if [ -n "${UNAME_OUTPUT}" ]; then
|
||||||
LogText "Result: Got an output from 'uname -v'"
|
LogText "Result: Got an output from 'uname -v'"
|
||||||
LogText "Check: Trying to extract kernel build date from 'uname -v' output"
|
LogText "Check: Trying to extract kernel build date from 'uname -v' output"
|
||||||
@ -911,8 +900,7 @@
|
|||||||
else
|
else
|
||||||
LogText "Result: Did not get output from 'uname -v'. Skipping test."
|
LogText "Result: Did not get output from 'uname -v'. Skipping test."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
else
|
else
|
||||||
LogText "Result: /var/cache/apt/archives/ does not exist"
|
LogText "Result: /var/cache/apt/archives/ does not exist"
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -28,6 +28,7 @@
|
|||||||
METALOG_RUNNING=0
|
METALOG_RUNNING=0
|
||||||
RFC3195D_RUNNING=0
|
RFC3195D_RUNNING=0
|
||||||
RSYSLOG_RUNNING=0
|
RSYSLOG_RUNNING=0
|
||||||
|
WAZUH_AGENT_RUNNING=0
|
||||||
SOLARIS_LOGHOST=""
|
SOLARIS_LOGHOST=""
|
||||||
SOLARIS_LOGHOST_FOUND=0
|
SOLARIS_LOGHOST_FOUND=0
|
||||||
SOLARIS_LOGHOST_LOCALHOST=0
|
SOLARIS_LOGHOST_LOCALHOST=0
|
||||||
@ -220,6 +221,23 @@
|
|||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
#
|
||||||
|
# Test : LOGG-2144
|
||||||
|
# Description : Check for wazuh-agent presence on Linux systems
|
||||||
|
Register --test-no LOGG-2144 --os Linux --weight L --network NO --category security --description "Checking wazuh-agent"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
LogText "Result: Searching for wazuh-agent instances in the process list"
|
||||||
|
if IsRunning "wazuh-agent"; then
|
||||||
|
LogText "Result: Found wazuh-agent in process list"
|
||||||
|
Display --indent 4 --text "- Checking wazuh-agent status" --result "${STATUS_FOUND}" --color GREEN
|
||||||
|
WAZUH_AGENT_RUNNING=1
|
||||||
|
else
|
||||||
|
LogText "Result: wazuh-agent NOT found in process list"
|
||||||
|
Display --indent 4 --text "- Checking wazuh-agent daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Test : LOGG-2146
|
# Test : LOGG-2146
|
||||||
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
|
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
|
||||||
@ -446,6 +464,21 @@
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Test wazuh-agent configuration for syslog configuration
|
||||||
|
if [ ${WAZUH_AGENT_RUNNING} ]; then
|
||||||
|
WAZUH_AGENT_CONF="/var/ossec/etc/ossec.conf"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f ${WAZUH_AGENT_CONF} ]; then
|
||||||
|
LogText "Test: Checking Wazuh agent configuration for remote syslog forwarding"
|
||||||
|
FIND=$(${EGREPBINARY} '<location>/var/log/syslog</location>' ${WAZUH_AGENT_CONF})
|
||||||
|
if [ "${FIND}" ]; then
|
||||||
|
DESTINATION=$(${EGREPBINARY} -o '<address>([A-Za-z0-9\.\-\_]*)</address>' ${WAZUH_AGENT_CONF} | sed 's/<address>//' | sed 's/<\/address>//')
|
||||||
|
LogText "Result: found destination ${DESTINATION} configured for remote logging with wazuh"
|
||||||
|
REMOTE_LOGGING_ENABLED=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# Show result
|
# Show result
|
||||||
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
|
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
|
||||||
Report "remote_syslog_configured=0"
|
Report "remote_syslog_configured=0"
|
||||||
|
|||||||
@ -158,10 +158,14 @@
|
|||||||
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
|
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
|
||||||
fi
|
fi
|
||||||
Display --indent 8 --text "Current SELinux mode: ${FIND}"
|
Display --indent 8 --text "Current SELinux mode: ${FIND}"
|
||||||
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
|
if [ -n "${SEMANAGEBINARY}" ]; then
|
||||||
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
|
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
|
||||||
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
|
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
|
||||||
LogText "Permissive SELinux object types: ${PERMISSIVE}"
|
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
|
||||||
|
LogText "Permissive SELinux object types: ${PERMISSIVE}"
|
||||||
|
else
|
||||||
|
LogText "Result: semanage binary NOT found, can't analyse permissive domains"
|
||||||
|
fi
|
||||||
UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
|
UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
|
||||||
INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
|
INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
|
||||||
NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)
|
NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)
|
||||||
|
|||||||
@ -44,6 +44,7 @@
|
|||||||
SYMANTEC_SCANNER_RUNNING=0
|
SYMANTEC_SCANNER_RUNNING=0
|
||||||
SYNOLOGY_DAEMON_RUNNING=0
|
SYNOLOGY_DAEMON_RUNNING=0
|
||||||
TRENDMICRO_DSA_DAEMON_RUNNING=0
|
TRENDMICRO_DSA_DAEMON_RUNNING=0
|
||||||
|
WAZUH_DAEMON_RUNNING=0
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
@ -53,16 +54,12 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: checking presence McAfee VirusScan for Command Line"
|
LogText "Test: checking presence McAfee VirusScan for Command Line"
|
||||||
if [ -x /usr/local/uvscan/uvscan ]; then
|
if [ -x /usr/local/uvscan/uvscan ]; then
|
||||||
Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line (deprecated)" --result "${STATUS_FOUND}" --color RED
|
||||||
LogText "Result: Found ${MCAFEECLBINARY}"
|
LogText "Result: Found ${MCAFEECLBINARY}"
|
||||||
MALWARE_SCANNER_INSTALLED=1
|
AddHP 0 2
|
||||||
AddHP 2 2
|
LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead."
|
||||||
Report "malware_scanner[]=mcafeecl"
|
fi
|
||||||
else
|
|
||||||
LogText "Result: McAfee VirusScan for Command Line not found"
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
#
|
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Test : MALW-3275
|
# Test : MALW-3275
|
||||||
@ -187,8 +184,8 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# ESET security products
|
# ESET security products
|
||||||
LogText "Test: checking process esets_daemon"
|
LogText "Test: checking process esets_daemon or oaeventd (ESET)"
|
||||||
if IsRunning "esets_daemon"; then
|
if IsRunning "esets_daemon" || IsRunning "oaeventd"; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
ESET_DAEMON_RUNNING=1
|
ESET_DAEMON_RUNNING=1
|
||||||
MALWARE_DAEMON_RUNNING=1
|
MALWARE_DAEMON_RUNNING=1
|
||||||
@ -323,6 +320,19 @@
|
|||||||
Report "malware_scanner[]=trend-micro-av"
|
Report "malware_scanner[]=trend-micro-av"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Wazuh agent
|
||||||
|
LogText "Test: checking process wazuh-agent to test for Wazuh agent"
|
||||||
|
if IsRunning "wazuh-agent"; then
|
||||||
|
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi
|
||||||
|
LogText "Result: found Wazuh component"
|
||||||
|
FOUND=1
|
||||||
|
WAZUH_DAEMON_RUNNING=1
|
||||||
|
MALWARE_DAEMON_RUNNING=1
|
||||||
|
MALWARE_SCANNER_INSTALLED=1
|
||||||
|
ROOTKIT_SCANNER_FOUND=1
|
||||||
|
Report "malware_scanner[]=wazuh"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ ${FOUND} -eq 0 ]; then
|
if [ ${FOUND} -eq 0 ]; then
|
||||||
LogText "Result: no commercial anti-virus tools found"
|
LogText "Result: no commercial anti-virus tools found"
|
||||||
AddHP 0 3
|
AddHP 0 3
|
||||||
@ -369,6 +379,24 @@
|
|||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
#
|
||||||
|
# Test : MALW-3291
|
||||||
|
# Description : Check if Microsoft Defender Antivirus is installed
|
||||||
|
Register --test-no MALW-3291 --weight L --network NO --category security --description "Check for mdatp"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
LogText "Test: checking presence mdatp"
|
||||||
|
if [ ! "${MDATPBINARY}" = "" ]; then
|
||||||
|
Display --indent 2 --text "- Checking Microsoft Defender Antivirus" --result "${STATUS_FOUND}" --color GREEN
|
||||||
|
LogText "Result: Found ${MDATPBINARY}"
|
||||||
|
MALWARE_SCANNER_INSTALLED=1
|
||||||
|
AddHP 2 2
|
||||||
|
Report "malware_scanner[]=mdatp"
|
||||||
|
else
|
||||||
|
LogText "Result: mdatp couldn't be found"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Test : MALW-3286
|
# Test : MALW-3286
|
||||||
# Description : Check running freshclam if clamd process is running
|
# Description : Check running freshclam if clamd process is running
|
||||||
|
|||||||
@ -485,7 +485,7 @@
|
|||||||
LogText "Result: ypldap is running"
|
LogText "Result: ypldap is running"
|
||||||
Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
|
||||||
else
|
else
|
||||||
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
|
ReportSuggestion "${TEST_NO}" "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
LogText "Result: ypbind is not active"
|
LogText "Result: ypbind is not active"
|
||||||
|
|||||||
@ -750,7 +750,7 @@
|
|||||||
UNCOMMON_PROTOCOL_DISABLED=0
|
UNCOMMON_PROTOCOL_DISABLED=0
|
||||||
# First check modprobe.conf
|
# First check modprobe.conf
|
||||||
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
|
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
|
||||||
DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf)
|
DATA=$(${GREPBINARY} "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf)
|
||||||
if [ -n "${DATA}" ]; then
|
if [ -n "${DATA}" ]; then
|
||||||
LogText "Result: found ${P} module disabled via modprobe.conf"
|
LogText "Result: found ${P} module disabled via modprobe.conf"
|
||||||
UNCOMMON_PROTOCOL_DISABLED=1
|
UNCOMMON_PROTOCOL_DISABLED=1
|
||||||
@ -759,7 +759,7 @@
|
|||||||
# Then additional modprobe configuration files
|
# Then additional modprobe configuration files
|
||||||
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
|
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
|
||||||
# Return file names (-l) and suppress errors (-s)
|
# Return file names (-l) and suppress errors (-s)
|
||||||
DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*)
|
DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*)
|
||||||
if [ -n "${DATA}" ]; then
|
if [ -n "${DATA}" ]; then
|
||||||
UNCOMMON_PROTOCOL_DISABLED=1
|
UNCOMMON_PROTOCOL_DISABLED=1
|
||||||
for F in ${DATA}; do
|
for F in ${DATA}; do
|
||||||
|
|||||||
@ -30,8 +30,6 @@
|
|||||||
# Possible locations of php.ini
|
# Possible locations of php.ini
|
||||||
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
|
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
|
||||||
${ROOTDIR}etc/php/php.ini \
|
${ROOTDIR}etc/php/php.ini \
|
||||||
${ROOTDIR}etc/php5.5/php.ini \
|
|
||||||
${ROOTDIR}etc/php5.6/php.ini \
|
|
||||||
${ROOTDIR}etc/php7.0/php.ini \
|
${ROOTDIR}etc/php7.0/php.ini \
|
||||||
${ROOTDIR}etc/php7.1/php.ini \
|
${ROOTDIR}etc/php7.1/php.ini \
|
||||||
${ROOTDIR}etc/php7.2/php.ini \
|
${ROOTDIR}etc/php7.2/php.ini \
|
||||||
@ -42,11 +40,6 @@
|
|||||||
${ROOTDIR}etc/php8.2/php.ini \
|
${ROOTDIR}etc/php8.2/php.ini \
|
||||||
${ROOTDIR}etc/php8.3/php.ini \
|
${ROOTDIR}etc/php8.3/php.ini \
|
||||||
${ROOTDIR}etc/php8.4/php.ini \
|
${ROOTDIR}etc/php8.4/php.ini \
|
||||||
${ROOTDIR}etc/php/cgi-php5/php.ini \
|
|
||||||
${ROOTDIR}etc/php/cli-php5/php.ini \
|
|
||||||
${ROOTDIR}etc/php/apache2-php5/php.ini \
|
|
||||||
${ROOTDIR}etc/php/apache2-php5.5/php.ini \
|
|
||||||
${ROOTDIR}etc/php/apache2-php5.6/php.ini \
|
|
||||||
${ROOTDIR}etc/php/apache2-php7.0/php.ini \
|
${ROOTDIR}etc/php/apache2-php7.0/php.ini \
|
||||||
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
|
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
|
||||||
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
|
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
|
||||||
@ -57,16 +50,11 @@
|
|||||||
${ROOTDIR}etc/php/apache2-php8.2/php.ini \
|
${ROOTDIR}etc/php/apache2-php8.2/php.ini \
|
||||||
${ROOTDIR}etc/php/apache2-php8.3/php.ini \
|
${ROOTDIR}etc/php/apache2-php8.3/php.ini \
|
||||||
${ROOTDIR}etc/php/apache2-php8.4/php.ini \
|
${ROOTDIR}etc/php/apache2-php8.4/php.ini \
|
||||||
${ROOTDIR}etc/php/cgi-php5.5/php.ini \
|
|
||||||
${ROOTDIR}etc/php/cgi-php5.6/php.ini \
|
|
||||||
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
|
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
|
||||||
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
|
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
|
||||||
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
|
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
|
||||||
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
|
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
|
||||||
${ROOTDIR}etc/php/cgi-php7.4/php.ini \
|
${ROOTDIR}etc/php/cgi-php7.4/php.ini \
|
||||||
${ROOTDIR}etc/php/cgi-php8.0/php.ini \
|
|
||||||
${ROOTDIR}etc/php/cgi-php8.1/php.ini \
|
|
||||||
${ROOTDIR}etc/php/cgi-php8.2/php.ini \
|
|
||||||
${ROOTDIR}etc/php/cli-php5.5/php.ini \
|
${ROOTDIR}etc/php/cli-php5.5/php.ini \
|
||||||
${ROOTDIR}etc/php/cli-php5.6/php.ini \
|
${ROOTDIR}etc/php/cli-php5.6/php.ini \
|
||||||
${ROOTDIR}etc/php/cli-php7.0/php.ini \
|
${ROOTDIR}etc/php/cli-php7.0/php.ini \
|
||||||
@ -79,8 +67,6 @@
|
|||||||
${ROOTDIR}etc/php/cli-php8.2/php.ini \
|
${ROOTDIR}etc/php/cli-php8.2/php.ini \
|
||||||
${ROOTDIR}etc/php/cli-php8.3/php.ini \
|
${ROOTDIR}etc/php/cli-php8.3/php.ini \
|
||||||
${ROOTDIR}etc/php/cli-php8.4/php.ini \
|
${ROOTDIR}etc/php/cli-php8.4/php.ini \
|
||||||
${ROOTDIR}etc/php/embed-php5.5/php.ini \
|
|
||||||
${ROOTDIR}etc/php/embed-php5.6/php.ini \
|
|
||||||
${ROOTDIR}etc/php/embed-php7.0/php.ini \
|
${ROOTDIR}etc/php/embed-php7.0/php.ini \
|
||||||
${ROOTDIR}etc/php/embed-php7.1/php.ini \
|
${ROOTDIR}etc/php/embed-php7.1/php.ini \
|
||||||
${ROOTDIR}etc/php/embed-php7.2/php.ini \
|
${ROOTDIR}etc/php/embed-php7.2/php.ini \
|
||||||
@ -91,24 +77,14 @@
|
|||||||
${ROOTDIR}etc/php/embed-php8.2/php.ini \
|
${ROOTDIR}etc/php/embed-php8.2/php.ini \
|
||||||
${ROOTDIR}etc/php/embed-php8.3/php.ini \
|
${ROOTDIR}etc/php/embed-php8.3/php.ini \
|
||||||
${ROOTDIR}etc/php/embed-php8.4/php.ini \
|
${ROOTDIR}etc/php/embed-php8.4/php.ini \
|
||||||
${ROOTDIR}etc/php/fpm-php8.2/php.ini \
|
|
||||||
${ROOTDIR}etc/php/fpm-php8.1/php.ini \
|
|
||||||
${ROOTDIR}etc/php/fpm-php8.0/php.ini \
|
|
||||||
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
|
|
||||||
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
|
|
||||||
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
|
|
||||||
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
|
|
||||||
${ROOTDIR}etc/php/fpm-php7.0/php.ini \
|
${ROOTDIR}etc/php/fpm-php7.0/php.ini \
|
||||||
${ROOTDIR}etc/php/fpm-php5.5/php.ini \
|
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
|
||||||
${ROOTDIR}etc/php/fpm-php5.6/php.ini \
|
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
|
||||||
${ROOTDIR}etc/php5/cgi/php.ini \
|
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
|
||||||
${ROOTDIR}etc/php5/cli/php.ini \
|
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
|
||||||
${ROOTDIR}etc/php5/cli-php5.4/php.ini \
|
${ROOTDIR}etc/php/fpm-php8.0/php.ini \
|
||||||
${ROOTDIR}etc/php5/cli-php5.5/php.ini \
|
${ROOTDIR}etc/php/fpm-php8.1/php.ini \
|
||||||
${ROOTDIR}etc/php5/cli-php5.6/php.ini \
|
${ROOTDIR}etc/php/fpm-php8.2/php.ini \
|
||||||
${ROOTDIR}etc/php5/apache2/php.ini \
|
|
||||||
${ROOTDIR}etc/php5/fpm/php.ini \
|
|
||||||
${ROOTDIR}private/etc/php.ini \
|
|
||||||
${ROOTDIR}etc/php/7.0/apache2/php.ini \
|
${ROOTDIR}etc/php/7.0/apache2/php.ini \
|
||||||
${ROOTDIR}etc/php/7.1/apache2/php.ini \
|
${ROOTDIR}etc/php/7.1/apache2/php.ini \
|
||||||
${ROOTDIR}etc/php/7.2/apache2/php.ini \
|
${ROOTDIR}etc/php/7.2/apache2/php.ini \
|
||||||
@ -139,12 +115,30 @@
|
|||||||
${ROOTDIR}etc/php/8.3/fpm/php.ini \
|
${ROOTDIR}etc/php/8.3/fpm/php.ini \
|
||||||
${ROOTDIR}etc/php/8.4/cli/php.ini \
|
${ROOTDIR}etc/php/8.4/cli/php.ini \
|
||||||
${ROOTDIR}etc/php/8.4/fpm/php.ini \
|
${ROOTDIR}etc/php/8.4/fpm/php.ini \
|
||||||
|
${ROOTDIR}opt/alt/php70/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/alt/php71/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/alt/php72/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/alt/php73/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/alt/php74/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/alt/php80/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/alt/php81/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/alt/php82/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/alt/php83/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/alt/php84/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.ini \
|
||||||
|
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.ini \
|
||||||
|
${ROOTDIR}private/etc/php.ini \
|
||||||
${ROOTDIR}var/www/conf/php.ini \
|
${ROOTDIR}var/www/conf/php.ini \
|
||||||
${ROOTDIR}usr/local/etc/php.ini \
|
${ROOTDIR}usr/local/etc/php.ini \
|
||||||
${ROOTDIR}usr/local/lib/php.ini \
|
${ROOTDIR}usr/local/lib/php.ini \
|
||||||
${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
|
|
||||||
${ROOTDIR}usr/local/php54/lib/php.ini \
|
|
||||||
${ROOTDIR}usr/local/php56/lib/php.ini \
|
|
||||||
${ROOTDIR}usr/local/php70/lib/php.ini \
|
${ROOTDIR}usr/local/php70/lib/php.ini \
|
||||||
${ROOTDIR}usr/local/php71/lib/php.ini \
|
${ROOTDIR}usr/local/php71/lib/php.ini \
|
||||||
${ROOTDIR}usr/local/php72/lib/php.ini \
|
${ROOTDIR}usr/local/php72/lib/php.ini \
|
||||||
@ -157,36 +151,6 @@
|
|||||||
${ROOTDIR}usr/local/php84/lib/php.ini \
|
${ROOTDIR}usr/local/php84/lib/php.ini \
|
||||||
${ROOTDIR}usr/local/zend/etc/php.ini \
|
${ROOTDIR}usr/local/zend/etc/php.ini \
|
||||||
${ROOTDIR}usr/pkg/etc/php.ini \
|
${ROOTDIR}usr/pkg/etc/php.ini \
|
||||||
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php44/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php51/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php52/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php53/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php54/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php55/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php56/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php70/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php71/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php72/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php73/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php74/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php80/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php81/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php82/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php83/etc/php.ini \
|
|
||||||
${ROOTDIR}opt/alt/php84/etc/php.ini \
|
|
||||||
${ROOTDIR}etc/opt/remi/php56/php.ini \
|
${ROOTDIR}etc/opt/remi/php56/php.ini \
|
||||||
${ROOTDIR}etc/opt/remi/php70/php.ini \
|
${ROOTDIR}etc/opt/remi/php70/php.ini \
|
||||||
${ROOTDIR}etc/opt/remi/php71/php.ini \
|
${ROOTDIR}etc/opt/remi/php71/php.ini \
|
||||||
@ -198,28 +162,12 @@
|
|||||||
${ROOTDIR}etc/opt/remi/php82/php.ini\
|
${ROOTDIR}etc/opt/remi/php82/php.ini\
|
||||||
${ROOTDIR}etc/opt/remi/php83/php.ini \
|
${ROOTDIR}etc/opt/remi/php83/php.ini \
|
||||||
${ROOTDIR}etc/opt/remi/php84/php.ini"
|
${ROOTDIR}etc/opt/remi/php84/php.ini"
|
||||||
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
|
|
||||||
PHPINILOCS="${PHPINILOCS} \
|
PHPINIDIRS="${ROOTDIR}etc/php/7.0/cli/conf.d \
|
||||||
${ROOTDIR}etc/php-5.6.ini \
|
|
||||||
${ROOTDIR}etc/php-7.0.ini \
|
|
||||||
${ROOTDIR}etc/php-7.1.ini \
|
|
||||||
${ROOTDIR}etc/php-7.2.ini \
|
|
||||||
${ROOTDIR}etc/php-7.3.ini \
|
|
||||||
${ROOTDIR}etc/php-7.4.ini \
|
|
||||||
${ROOTDIR}etc/php-8.0.ini \
|
|
||||||
${ROOTDIR}etc/php-8.1.ini \
|
|
||||||
${ROOTDIR}etc/php-8.2.ini\
|
|
||||||
${ROOTDIR}etc/php-8.3.ini\
|
|
||||||
${ROOTDIR}etc/php-8.4.ini"
|
|
||||||
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
|
|
||||||
${ROOTDIR}etc/php/7.0/cli/conf.d \
|
|
||||||
${ROOTDIR}etc/php/7.1/cli/conf.d \
|
${ROOTDIR}etc/php/7.1/cli/conf.d \
|
||||||
${ROOTDIR}etc/php/7.2/cli/conf.d \
|
${ROOTDIR}etc/php/7.2/cli/conf.d \
|
||||||
${ROOTDIR}etc/php/7.3/cli/conf.d \
|
${ROOTDIR}etc/php/7.3/cli/conf.d \
|
||||||
${ROOTDIR}etc/php/7.4/cli/conf.d \
|
${ROOTDIR}etc/php/7.4/cli/conf.d \
|
||||||
${ROOTDIR}etc/php/8.0/cli/conf.d \
|
|
||||||
${ROOTDIR}etc/php/8.1/cli/conf.d \
|
|
||||||
${ROOTDIR}etc/php/8.2/cli/conf.d \
|
|
||||||
${ROOTDIR}etc/php/7.0/fpm/conf.d \
|
${ROOTDIR}etc/php/7.0/fpm/conf.d \
|
||||||
${ROOTDIR}etc/php/7.1/fpm/conf.d \
|
${ROOTDIR}etc/php/7.1/fpm/conf.d \
|
||||||
${ROOTDIR}etc/php/7.2/fpm/conf.d \
|
${ROOTDIR}etc/php/7.2/fpm/conf.d \
|
||||||
@ -231,9 +179,6 @@
|
|||||||
${ROOTDIR}etc/php/8.3/fpm/conf.d \
|
${ROOTDIR}etc/php/8.3/fpm/conf.d \
|
||||||
${ROOTDIR}etc/php/8.4/fpm/conf.d \
|
${ROOTDIR}etc/php/8.4/fpm/conf.d \
|
||||||
${ROOTDIR}etc/php.d \
|
${ROOTDIR}etc/php.d \
|
||||||
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
|
|
||||||
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
|
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
|
||||||
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
|
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
|
||||||
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
|
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
|
||||||
@ -244,13 +189,6 @@
|
|||||||
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.d \
|
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.d \
|
||||||
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.d \
|
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.d \
|
||||||
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.d \
|
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.d \
|
||||||
${ROOTDIR}opt/alt/php44/etc/php.d.all \
|
|
||||||
${ROOTDIR}opt/alt/php51/etc/php.d.all \
|
|
||||||
${ROOTDIR}opt/alt/php52/etc/php.d.all \
|
|
||||||
${ROOTDIR}opt/alt/php53/etc/php.d.all \
|
|
||||||
${ROOTDIR}opt/alt/php54/etc/php.d.all \
|
|
||||||
${ROOTDIR}opt/alt/php55/etc/php.d.all \
|
|
||||||
${ROOTDIR}opt/alt/php56/etc/php.d.all \
|
|
||||||
${ROOTDIR}opt/alt/php70/etc/php.d.all \
|
${ROOTDIR}opt/alt/php70/etc/php.d.all \
|
||||||
${ROOTDIR}opt/alt/php71/etc/php.d.all \
|
${ROOTDIR}opt/alt/php71/etc/php.d.all \
|
||||||
${ROOTDIR}opt/alt/php72/etc/php.d.all \
|
${ROOTDIR}opt/alt/php72/etc/php.d.all \
|
||||||
@ -272,9 +210,8 @@
|
|||||||
${ROOTDIR}usr/local/php82/lib/php.conf.d \
|
${ROOTDIR}usr/local/php82/lib/php.conf.d \
|
||||||
${ROOTDIR}usr/local/php83/lib/php.conf.d \
|
${ROOTDIR}usr/local/php83/lib/php.conf.d \
|
||||||
${ROOTDIR}usr/local/php84/lib/php.conf.d"
|
${ROOTDIR}usr/local/php84/lib/php.conf.d"
|
||||||
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
|
|
||||||
PHPINIDIRS="${PHPINIDIRS} \
|
PHPINIDIRS="${PHPINIDIRS} \
|
||||||
${ROOTDIR}etc/php-5.6 \
|
|
||||||
${ROOTDIR}etc/php-7.0 \
|
${ROOTDIR}etc/php-7.0 \
|
||||||
${ROOTDIR}etc/php-7.1 \
|
${ROOTDIR}etc/php-7.1 \
|
||||||
${ROOTDIR}etc/php-7.2 \
|
${ROOTDIR}etc/php-7.2 \
|
||||||
|
|||||||
@ -127,11 +127,15 @@
|
|||||||
LogText "Test: Querying brew to get package list"
|
LogText "Test: Querying brew to get package list"
|
||||||
Display --indent 4 --text "- Querying brew for installed packages"
|
Display --indent 4 --text "- Querying brew for installed packages"
|
||||||
LogText "Output:"; LogText "-----"
|
LogText "Output:"; LogText "-----"
|
||||||
GPACKAGES=$(brew list)
|
GPACKAGES=$(brew list --versions)
|
||||||
for J in ${GPACKAGES}; do
|
while IFS= read -r PKG; do
|
||||||
LogText "Found package ${J}"
|
PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f1)
|
||||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
|
PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f2)
|
||||||
done
|
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
|
||||||
|
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
|
||||||
|
done << EOF
|
||||||
|
$GPACKAGES
|
||||||
|
EOF
|
||||||
else
|
else
|
||||||
LogText "Result: brew can NOT be found on this system"
|
LogText "Result: brew can NOT be found on this system"
|
||||||
fi
|
fi
|
||||||
@ -158,6 +162,29 @@
|
|||||||
LogText "Result: emerge can NOT be found on this system"
|
LogText "Result: emerge can NOT be found on this system"
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
|
#################################################################################
|
||||||
|
#
|
||||||
|
# Test : PKGS-7305
|
||||||
|
# Description : Query macOS Apps in /Applications and CoreServices
|
||||||
|
Register --test-no PKGS-7305 --os macOS --weight L --network NO --category security --description "Query macOS Apps in /Applications and CoreServices"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
LogText "Test: Querying Apps in /Applications"
|
||||||
|
Display --indent 4 --text "- Querying macOS Apps in /Applications"
|
||||||
|
LogText "Output:"; LogText "-----"
|
||||||
|
for APP in /Applications/*.app; do
|
||||||
|
PACKAGE_NAME=$(basename "$APP" .app)
|
||||||
|
PACKAGE_VERSION=$(defaults read "$APP/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
|
||||||
|
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
|
||||||
|
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
|
||||||
|
done
|
||||||
|
Display --indent 4 --text "- Querying Apple CoreServices"
|
||||||
|
for CS in /Library/Apple/System/Library/CoreServices/*.app; do
|
||||||
|
PACKAGE_NAME=$(basename "$CS" .app)
|
||||||
|
PACKAGE_VERSION=$(defaults read "$CS/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
|
||||||
|
LogText "Found CoreServices: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
|
||||||
|
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
|
||||||
|
done
|
||||||
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
@ -672,9 +699,20 @@
|
|||||||
# Check in /etc/cron.hourly, daily, weekly, monthly etc
|
# Check in /etc/cron.hourly, daily, weekly, monthly etc
|
||||||
COUNT=$(find /etc/cron* -name debsums | wc -l)
|
COUNT=$(find /etc/cron* -name debsums | wc -l)
|
||||||
if [ ${COUNT} -gt 0 ]; then
|
if [ ${COUNT} -gt 0 ]; then
|
||||||
LogText "Result: Cron job is configured for debsums utility."
|
CRON_CHECK=""
|
||||||
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
|
if [ -f ${ROOTDIR}etc/default/debsums ]; then
|
||||||
AddHP 3 3
|
CRON_CHECK=$(${GREPBINARY} CRON_CHECK /etc/default/debsums|${AWKBINARY} -F "=" '{print $2}')
|
||||||
|
fi
|
||||||
|
if [ "${CRON_CHECK}" = "daily" ] || [ "${CRON_CHECK}" = "weekly" ] || [ "${CRON_CHECK}" = "monthly" ]; then
|
||||||
|
LogText "Result: Cron job is configured for debsums utility."
|
||||||
|
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
|
||||||
|
AddHP 3 3
|
||||||
|
else
|
||||||
|
LogText "Result: Cron job is not configured for debsums utility."
|
||||||
|
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||||
|
AddHP 1 3
|
||||||
|
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regularly via a cron job (CRON_CHECK in default file)."
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
LogText "Result: Cron job is not configured for debsums utility."
|
LogText "Result: Cron job is not configured for debsums utility."
|
||||||
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||||
|
|||||||
@ -312,7 +312,7 @@
|
|||||||
# AllowGroups
|
# AllowGroups
|
||||||
FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
||||||
if [ -n "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: AllowUsers set ${FIND}"
|
LogText "Result: AllowGroups set ${FIND}"
|
||||||
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
|
||||||
FOUND=1
|
FOUND=1
|
||||||
else
|
else
|
||||||
|
|||||||
@ -48,6 +48,8 @@
|
|||||||
TMPFILE="${TEMP_FILE}"
|
TMPFILE="${TEMP_FILE}"
|
||||||
CreateTempFile || ExitFatal
|
CreateTempFile || ExitFatal
|
||||||
TMPFILE2="${TEMP_FILE}"
|
TMPFILE2="${TEMP_FILE}"
|
||||||
|
CreateTempFile || ExitFatal
|
||||||
|
TMPFILE3="${TEMP_FILE}"
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
@ -300,8 +302,42 @@
|
|||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Test : HTTP-6660 TODO
|
# Test : HTTP-6660
|
||||||
# Description : Search for "TraceEnable off" in configuration files
|
# Description : Search for "TraceEnable off" in configuration files
|
||||||
|
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
|
Register --test-no HTTP-6660 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache security setting: TraceEnable"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
for DIR in ${sTEST_APACHE_TARGETS}; do
|
||||||
|
if [ -d ${DIR} ]; then
|
||||||
|
find ${DIR} -name "*.conf" -print >> ${TMPFILE3}
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# Check all Apache conf-files for TraceEnable
|
||||||
|
if [ -f ${TMPFILE3} ]; then
|
||||||
|
Display --indent 2 --text '- Checking TraceEnable setting in:'
|
||||||
|
for APACHE_CONFFILE in $(cat ${TMPFILE3}); do
|
||||||
|
TRACEENABLE=$( ${GREPBINARY} -i -E '^TraceEnable' ${APACHE_CONFFILE} | ${AWKBINARY} '{print $2}' )
|
||||||
|
if [ ! ${TRACEENABLE} ]; then
|
||||||
|
LogText "Result: no TraceEnable setting found in ${APACHE_CONFFILE}"
|
||||||
|
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||||
|
else
|
||||||
|
TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' )
|
||||||
|
if [ x${TRACEENABLED_SETTING} == x'off' ]; then
|
||||||
|
LogText "Result: found TraceEnable setting set to 'off' in ${APACHE_CONFFILE}"
|
||||||
|
Report "Apache setting: 'TraceEnable Off' in ${APACHE_CONFFILE}"
|
||||||
|
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_FOUND}" --color GREEN
|
||||||
|
else
|
||||||
|
LogText "Result: found TraceEnable setting set to '"${TRACEENABLE}"' in ${APACHE_CONFFILE}"
|
||||||
|
Report "Apache setting: 'TraceEnable "${TRACEENABLE}"' in ${APACHE_CONFFILE}"
|
||||||
|
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||||
|
ReportSuggestion "${TEST_NO}" "Consider setting 'TraceEnable Off' in ${APACHE_CONFFILE}" "Set TraceEnable to 'On' or 'extended' for testing and diagnostic purposes only."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
rm -f ${TMPFILE3}
|
||||||
|
fi
|
||||||
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
@ -608,6 +644,7 @@
|
|||||||
# Remove temp file (double check)
|
# Remove temp file (double check)
|
||||||
if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
|
if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
|
||||||
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
|
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
|
||||||
|
if [ -n "${TMPFILE3}" ]; then if [ -f ${TMPFILE3} ]; then rm -f ${TMPFILE3}; fi; fi
|
||||||
|
|
||||||
WaitForKeyPress
|
WaitForKeyPress
|
||||||
|
|
||||||
|
|||||||
4
lynis
4
lynis
@ -52,7 +52,7 @@
|
|||||||
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
|
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
|
||||||
PROGRAM_PACKAGE="https://packages.cisofy.com/"
|
PROGRAM_PACKAGE="https://packages.cisofy.com/"
|
||||||
PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
|
PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
|
||||||
PROGRAM_COPYRIGHT="2007-2021, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
|
PROGRAM_COPYRIGHT="2007-2024, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
|
||||||
PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
||||||
welcome to redistribute it under the terms of the GNU General Public License.
|
welcome to redistribute it under the terms of the GNU General Public License.
|
||||||
See the LICENSE file for details about using this software."
|
See the LICENSE file for details about using this software."
|
||||||
@ -1018,7 +1018,7 @@ ${NORMAL}
|
|||||||
if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then
|
if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then
|
||||||
LogText "Info: perform tests from all categories"
|
LogText "Info: perform tests from all categories"
|
||||||
|
|
||||||
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
|
INCLUDE_TESTS="boot_services kernel memory_processes authentication kerberos shells \
|
||||||
filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
|
filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
|
||||||
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
|
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
|
||||||
insecure_services banners scheduling accounting time crypto virtualization containers \
|
insecure_services banners scheduling accounting time crypto virtualization containers \
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user