From f7ec431a659acae07bcca0feff73888721fa8055 Mon Sep 17 00:00:00 2001
From: Alexander Lobodzinski
Date: Mon, 7 Sep 2015 17:31:18 +0200
Subject: [PATCH 1/3] /usr/sbin/httpd on OpenBSD is builtin non-Apache webserver, do not run with -v If Apache is installed it is detected in /usr/local/sbin/httpd nevertheless
---
 include/tests_webservers | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/include/tests_webservers b/include/tests_webservers
index bb5db39d..35194eea 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -50,9 +50,13 @@
 # Test : HTTP-6622
 # Description : Test for Apache installation
 # Notes : Do not run on NetBSD, -v is unknown option for httpd binary
+ # On OpenBSD do not run /usr/sbin/httpd with -v: builtin non-Apache
 if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Apache presence"
 if [ ${SKIPTEST} -eq 0 ]; then
+ if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then
+ HTTPDBINARY=""
+ fi
 if [ "${HTTPDBINARY}" = "" ]; then
 Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
 else
From 3cdd9ea949379a8ad06daa06e739d1e65e4a52bc Mon Sep 17 00:00:00 2001
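Review bot: Clearing `HTTPDBINARY` in the added OpenBSD branch makes the test display `NOT FOUND` for Apache without any log entry saying that the base-system httpd was deliberately skipped, so a reader of lynis.log cannot tell a skipped binary from an absent web server. Add a log line inside the new `if`, for example `logtext "Result: /usr/sbin/httpd on OpenBSD is the base httpd, not Apache, skipping Apache tests"`. The assignment also changes the variable for everything that runs after this test, and whether an Apache installed as /usr/local/sbin/httpd is still picked up depends on how `HTTPDBINARY` is set outside this hunk, so that claim in the commit message is worth confirming. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block continues past the end of the hunk.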
From: Laurent Quillerou Date: Mon, 7 Sep 2015 18:35:07 +0300 Subject: [PATCH 2/3] Delete trailing whitespace --- CHANGELOG | 32 ++++++++++++++++---------------- CONTRIBUTIONS.md | 2 +- FAQ | 2 +- db/fileperms.db | 2 +- db/hints.db | 2 +- db/malware-susp.db | 2 +- db/malware.db | 2 +- db/sbl.db | 2 +- debian/README.Debian | 8 ++++---- debian/rules | 4 ++-- default.prf | 6 +++--- extras/README | 2 +- extras/build-lynis.sh | 4 ++-- include/functions | 8 ++++---- include/tests_crypto | 2 +- include/tests_databases | 2 +- include/tests_file_integrity | 2 +- include/tests_filesystems | 2 +- include/tests_kernel | 6 +++--- include/tests_mac_frameworks | 4 ++-- include/tests_malware | 2 +- include/tests_memory_processes | 2 +- include/tests_nameservices | 4 ++-- include/tests_ports_packages | 2 +- include/tests_storage_nfs | 6 +++--- include/tests_webservers | 10 +++++----- lynis | 2 +- 27 files changed, 62 insertions(+), 62 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index db90546e..147c35b7 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -921,7 +921,7 @@ - Added Squid test: reply_body_max_size option [SQD-3630] - Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328] - Check PHP option allow_url_include [PHP-2378] - + Changes: - Extended possible Squid configuration file locations - Added additional sysctl keys to default profile @@ -1098,7 +1098,7 @@ - nginx configuration file check [HTTP-6704] - Exim status check [MAIL-8802] - Postfix status check [MAIL-8814] - + Changes: - atd needs to run before testing at files [SCHD-7720] - Removed Solaris OS requirement from logrotate test [LOGG-2148] 
@@ -1108,7 +1108,7 @@ - Binary scan optimized and partially combined with other check - Only perform iptables tests if kernel module is active - Don't show message when /etc/shells can't be found [SHLL-6211] - - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704] + - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704] - Renumbered FreeBSD test SHLL-7225 [SHLL-6202] - Renumbered malware test MALW-3292 [HRDN-7230] - Improved grep on process status [PRNT-2304] @@ -1298,10 +1298,10 @@ New: - New test: Passwordless Solaris accounts test [AUTH-9254] - New test: AFICK file integrity [FINT-4310] - - New test: AIDE file integrity [FINT-4314] - - New test: Osiris file integrity [FINT-4318] - - New test: Samhain file integrity [FINT-4322] - - New test: Tripwire file integrity [FINT-4326] + - New test: AIDE file integrity [FINT-4314] + - New test: Osiris file integrity [FINT-4318] + - New test: Samhain file integrity [FINT-4322] + - New test: Tripwire file integrity [FINT-4326] - New tests: NIS and NIS+ authentication test [AUTH-9240/42] - Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire @@ -1327,12 +1327,12 @@ - New test: Promiscuous network interfaces (Linux) [NETW-3015] - Report option 'bootloader' added to several tests - Added readlink binary check - + Changes: - Extended file check (IsWorldWritable) for symlinks - Show result if no default gateway is found [NETW-3001] - Added /usr/local/etc to sudoers test [AUTH-9250] - - Improved FreeBSD banner output [BANN-7113] + - Improved FreeBSD banner output [BANN-7113] - Removed incorrect line at promiscuous interface test [NETW-3014] - Fix: Show only once the GRUB test output [BOOT-5121] - Fix: Typo in NTP test [TIME-3104] 
@@ -1380,7 +1380,7 @@ - New test: checking for heavy IO waiting processes [PROC-3614] - Initial HP-UX support (untested) - Initial AIX support (untested) - - Added iptables binary check + - Added iptables binary check - Added dig check, for DNS related tests - Added option --no-colors to remove all colors from screen output - Added option --reverse-colors for optimizing output at light backgrounds @@ -1400,7 +1400,7 @@ - Several tests have their warning reporting improved - Improved SuSE Linux detection - Improved syslog-ng detection - - Adjusted README with link to online (extended) documentation + - Adjusted README with link to online (extended) documentation -- @@ -1410,7 +1410,7 @@ - New test: Check writable startup scripts [BOOT-5184] - New test: Syslog-NG consistency check [LOGG-2134] - New test: Check yum-utils package and scanning package database [PKGS-7384] - - New test: Test for empty ruleset when iptables is loaded [FIRE-4512] + - New test: Test for empty ruleset when iptables is loaded [FIRE-4512] - New test: Check for expired SSL certificates [CRYP-7902] - New test: Check for LDAP authentication support [AUTH-9238] - New test: Read available crontab/cron files [SCHD-7704] @@ -1449,7 +1449,7 @@ * 1.1.5 (2008-06-10) New: - - Assigned ID to Apache configuration file test [HTTP-6624] + - Assigned ID to Apache configuration file test [HTTP-6624] - Added pause_between_tests to profile file, to regulate the speed of a scan - Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345] - Assigned ID to Solaris package test [PKG-7306] @@ -1732,12 +1732,12 @@ -- * 1.0.3 (2007-11-19) - + New: - Added check for sockstat - Test: added test for GRUB and password option - Test: query listening ports (sockstat) - + Changes: - Fixed NTPd check (bug) - Extended help for 'double installed package' check (BSD systems, pkg_info) 
@@ -1789,7 +1789,7 @@ Changes: - [bug] Changed skel directory check - Fixed display Apache configuration file - + -- * 1.0.0 (2007-11-08) diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md index ba03583b..dd032453 100644 --- a/CONTRIBUTIONS.md +++ b/CONTRIBUTIONS.md @@ -36,4 +36,4 @@ To ensure all pull requests can be easily checked and merged, here are some tips * Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH. * Properly document your code where needed. Besides the 'what', focus on explaining the 'why'. * Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others. -* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) \ No newline at end of file +* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) diff --git a/FAQ b/FAQ index 858bddfd..e0bd9736 100644 --- a/FAQ +++ b/FAQ @@ -58,7 +58,7 @@ have a dark background, so it gives extra attention to the message. However if you have a white background (for example Mac OS X), you can run Lynis with --no-colors to strip colors or --reverse-colors to reverse the color - scheme. Another option is to change your terminal colors within Mac OS. + scheme. Another option is to change your terminal colors within Mac OS. Q: Some tests take very long to finish, what to do? A: Use a second console (or connection) and check the output of ps/lsof etc, diff --git a/db/fileperms.db b/db/fileperms.db index a4bbcf18..327db5ea 100644 --- a/db/fileperms.db +++ b/db/fileperms.db @@ -9,7 +9,7 @@ # 5) file group owner # 6) operating system, or systems # 7) operating system special -# 8) +# 8) # #================================================== file:/etc/group:644:root:root:Linux: diff --git a/db/hints.db b/db/hints.db index 1504cb30..18a7c680 100644 --- a/db/hints.db +++ b/db/hints.db 
@@ -1,2 +1,2 @@ #version=20091015 -100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: \ No newline at end of file +100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: diff --git a/db/malware-susp.db b/db/malware-susp.db index 5c6ace24..6c0c982f 100644 --- a/db/malware-susp.db +++ b/db/malware-susp.db @@ -1,4 +1,4 @@ #version=2009101500 vuln.txt::: crack*::: -exploit*::: \ No newline at end of file +exploit*::: diff --git a/db/malware.db b/db/malware.db index 7844f1f3..28ffcb28 100644 --- a/db/malware.db +++ b/db/malware.db @@ -41,4 +41,4 @@ /tmp/.b:::Slapper::: /usr/man/.sman/sk:::Superkit::: /usr/lib/.tbd:::TBD::: -/sbin/.login:::Login backdoor::: \ No newline at end of file +/sbin/.login:::Login backdoor::: diff --git a/db/sbl.db b/db/sbl.db index 323303b4..d493e510 100644 --- a/db/sbl.db +++ b/db/sbl.db @@ -1,2 +1,2 @@ #version=2008052800 -php:5.2.5 \ No newline at end of file +php:5.2.5 diff --git a/debian/README.Debian b/debian/README.Debian index 60820ff7..8a6f45c5 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -1,20 +1,20 @@ lynis for Debian ---------------- -When execute Lynis from Debian menu, the program runs with the following +When execute Lynis from Debian menu, the program runs with the following parameter: lynis --no-colors -It makes a full system check, with the default profile file +It makes a full system check, with the default profile file (/etc/lynis/default.prf). Please adjust this config file with your needs. For better perform, launch Lynis from a terminal, as root user, with your best configuration. Lynis can be executed directly: -# lynis -c -or +# lynis -c +or # lynis After Lynis runs the system check, it creates the following two files with the diff --git a/debian/rules b/debian/rules index 468f07a6..5ea1eafc 100755 --- a/debian/rules +++ b/debian/rules 
@@ -12,13 +12,13 @@ clean: dh_testdir dh_testroot rm -f build-stamp - dh_clean + dh_clean install: build dh_testdir dh_testroot - dh_prep + dh_prep # Add here commands to install the package into debian/lynis. install -D -m 0755 $(CURDIR)/lynis $(CURDIR)/debian/lynis/usr/sbin/lynis diff --git a/default.prf b/default.prf index 8f79daa5..3a51832a 100644 --- a/default.prf +++ b/default.prf @@ -122,7 +122,7 @@ sysctl:kernel.use-nx:0:1:XXX: [network] sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address: sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: -sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: +sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects: @@ -149,9 +149,9 @@ sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack: sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps: sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects: sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: +sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: +sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: [security] #sysctl:kern.securelevel:1^2^3:1:FreeBSD security level: diff --git a/extras/README b/extras/README index c51df06f..57f42d94 100644 --- a/extras/README +++ b/extras/README 
@@ -6,4 +6,4 @@ - Integrity checks and tools - Development tools -================================================================================ \ No newline at end of file +================================================================================ diff --git a/extras/build-lynis.sh b/extras/build-lynis.sh index 9d82bcc6..f0f6cc72 100755 --- a/extras/build-lynis.sh +++ b/extras/build-lynis.sh @@ -364,7 +364,7 @@ Exit #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - echo -n "- Cleaning up OpenBSD package build... " + echo -n "- Cleaning up OpenBSD package build... " if [ -f openbsd/+CONTENTS ]; then rm openbsd/+CONTENTS; fi echo "DONE" OPENBSD_CONTENTS="openbsd/+CONTENTS" @@ -377,7 +377,7 @@ Exit for I in ${PACKAGE_LIST_FILES}; do echo -n "${I} " - #FULLNAME=`cat files.dat | grep ":file:include: + #FULLNAME=`cat files.dat | grep ":file:include: #echo "${FULLNAME}" >> ${OPENBSD_CONTENTS} echo "${I}" >> ${OPENBSD_CONTENTS} FILE="../${I}" diff --git a/include/functions b/include/functions index 89e9c662..2e610fe2 100644 --- a/include/functions +++ b/include/functions @@ -89,10 +89,10 @@ # If 'file' is an directory, use -d if [ -d ${CHECKFILE} ]; then FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10` - PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3` + PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3` else FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10` - PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3` + PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3` fi if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi fi 
@@ -1060,7 +1060,7 @@ if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi fi - # Skip if test is not in the list + # Skip if test is not in the list if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"` if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi @@ -1146,7 +1146,7 @@ { if [ $1 = "" ]; then TESTID="UNKNOWN"; fi # Status: OK, WARNING, NEUTRAL, SUGGESTION - # Impact: HIGH, SEVERE, LOW, + # Impact: HIGH, SEVERE, LOW, #report "result[]=TESTID-${TESTID},STATUS-$2,IMPACT-$3,MESSAGE-$4-" # Reset ID before next test TESTID="" diff --git a/include/tests_crypto b/include/tests_crypto index d883e8b8..7a08962b 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -29,7 +29,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUNDPROBLEM=0 # Check profile for paths to check - sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3` + sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3` for I in ${sSSL_PATHS}; do if [ -d ${I} ]; then FileIsReadable ${I} diff --git a/include/tests_databases b/include/tests_databases index ca2fb24c..80e7405b 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -79,7 +79,7 @@ Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED AddHP 0 5 else - logtext "Result: Login did not succeed, so a MySQL root password is set" + logtext "Result: Login did not succeed, so a MySQL root password is set" Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN AddHP 2 2 fi diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 7bdc2072..03fa0908 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity 
@@ -94,7 +94,7 @@ Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --description "AIDE configuration: Checksums (SHA256 or SHA512)" if [ ${SKIPTEST} -eq 0 ]; then FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}` - FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"` + FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"` if [ "${FIND}" = "" ]; then logtext "Result: Unclear how AIDE is dealing with checksums" Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW diff --git a/include/tests_filesystems b/include/tests_filesystems index ded21fc1..50c7308c 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -322,7 +322,7 @@ #SKELDIRS="/etc/skel /usr/share/skel" #for I in ${SKELDIRS}; do - # + # # logtext "Searching skel directory ${I}" # # if [ -d ${I} ]; then diff --git a/include/tests_kernel b/include/tests_kernel index 15c84206..66241526 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -49,7 +49,7 @@ logtext "Result: Found match on runlevel5/graphical" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN report "linux_default_runlevel=5" - else + else logtext "Result: No match found on runlevel, defaulting to runlevel 3" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN report "linux_default_runlevel=3" 
@@ -376,7 +376,7 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking presence /etc/security/limits.conf" if [ -f /etc/security/limits.conf ]; then - logtext "Result: file /etc/security/limits.conf exists" + logtext "Result: file /etc/security/limits.conf exists" logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf" FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'` FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'` @@ -438,7 +438,7 @@ FILE="/var/run/reboot-required.pkgs" logtext "Test: Checking presence ${FILE}" if [ -f ${FILE} ]; then - logtext "Result: file ${FILE} exists" + logtext "Result: file ${FILE} exists" FIND=`cat ${FILE}` if [ "${FIND}" = "" ]; then logtext "Result: No reboot needed (file empty)" diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 4a0bc6dc..9b7fa2c2 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -71,7 +71,7 @@ elif [ ${FIND} -eq 1 ]; then logtext "Result: AppArmor is disabled" Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW - else + else Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected" fi 
@@ -119,7 +119,7 @@ Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN else logtext "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})." - ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" + ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED fi Display --indent 8 --text "Current SELinux mode: ${FIND}" diff --git a/include/tests_malware b/include/tests_malware index 1462646c..75517156 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -47,7 +47,7 @@ ################################################################################# # # Test : MALW-3276 - # Description : Check for installed tool (Rootkit Hunter) + # Description : Check for installed tool (Rootkit Hunter) Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: checking presence Rootkit Hunter" diff --git a/include/tests_memory_processes b/include/tests_memory_processes index fda6a32e..b78429db 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -64,7 +64,7 @@ # # Test : PROC-3612 # Description : Searching for dead and zombie processes - # Notes : Don't perform test on Solaris + # Notes : Don't perform test on Solaris if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dead or zombie processes" if [ ${SKIPTEST} -eq 0 ]; then diff --git a/include/tests_nameservices b/include/tests_nameservices index 5e59f53f..5131364b 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices 
@@ -94,7 +94,7 @@ # Check amount of search domains (max 1) FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '` if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then - logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" + logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration" else @@ -566,7 +566,7 @@ fi fi # Check if we found any NIS domain - if [ ! "${NISDOMAIN}" = "" ]; then + if [ ! "${NISDOMAIN}" = "" ]; then logtext "Found NIS domain: ${NISDOMAIN}" report "nisdomain=${NISDOMAIN}" Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 8143113a..c21db924 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -860,7 +860,7 @@ SCAN_PERFORMED=0 # Update portage. # Multiple ways to do this. Some require extra packages to be installed, - # others require potential firewall ports to be open, outbound. This is the + # others require potential firewall ports to be open, outbound. This is the # "most friendly" way. logtext "Action: updating portage with emerge-webrsync" /usr/bin/emerge-webrsync --quiet 2> /dev/null diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index 2b3d7d6b..1795aeb6 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs 
@@ -59,7 +59,7 @@ # # Test : STRG-1906 # Description : Check nfs protocols (TCP/UDP) and port in rpcinfo - if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking NFS registered protocols" @@ -114,7 +114,7 @@ # Description : Check NFS exports if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports" - if [ ${SKIPTEST} -eq 0 ]; then + if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check /etc/exports" if [ -f /etc/exports ]; then logtext "Result: /etc/exports exists" @@ -139,7 +139,7 @@ # # Test : STRG-1928 # Description : Check for empty exports file while NFS is running - if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports" if [ ${SKIPTEST} -eq 0 ]; then if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then diff --git a/include/tests_webservers b/include/tests_webservers index 51a8d528..b630c7a3 100644 --- a/include/tests_webservers +++ b/include/tests_webservers 
@@ -194,9 +194,9 @@ # # Configuration specific tests # SERVERTOKENSFOUND=0 # APACHE_CONFIGFILES="${APACHE_CONFIGFILE} /usr/local/etc/apache22/extra/httpd-default.conf /etc/apache2/sysconfig.d/global.conf" -# +# # for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do -# if [ -f ${APACHE_CONFIGFILE} ]; then +# if [ -f ${APACHE_CONFIGFILE} ]; then # # Check if option ServerTokens is configured # SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'` # if [ ! "${SERVERTOKENSTEST}" = "" ]; then @@ -215,17 +215,17 @@ # else # Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE # fi -# +# # else # # File does not exist, skipping # logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file" # fi # done -# +# # # Display results from checks # if [ ${SERVERTOKENSFOUND} -eq 1 ]; then # Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN -# else +# else # Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED # ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template" # fi diff --git a/lynis b/lynis index d49c4bf9..575e2e06 100755 --- a/lynis +++ b/lynis @@ -488,7 +488,7 @@ echo " Program version: ${PROGRAM_version}" echo " Operating system: ${OS}" echo " Operating system name: ${OS_NAME}" - echo " Operating system version: ${OS_VERSION}" + echo " Operating system version: ${OS_VERSION}" if [ ! "${OS_MODE}" = "" ]; then echo " Operating system mode: ${OS_MODE}"; fi echo " Kernel version: ${OS_KERNELVERSION}" echo " Hardware platform: ${HARDWARE}" From b83c3fbb10600964963b96c4099867822b56fcb0 Mon Sep 17 00:00:00 2001 From: Laurent Quillerou Date: Mon, 7 Sep 2015 18:52:19 +0300 Subject: [PATCH 3/3] Include main nginx.conf so that it generate nginx_config_option --- include/tests_webservers | 1 + 1 file changed, 1 insertion(+) 
diff --git a/include/tests_webservers b/include/tests_webservers
index b630c7a3..2a0cc79c 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -418,6 +418,7 @@
 # Remove temp file
 if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
 N=0
+ cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}
 # Search for included configuration files (may include directories and wild cards)
 FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'`
 for I in ${FIND}; do
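Review bot: The added `cat ${NGINX_CONF_LOCATION} | ... >> ${TMPFILE}` line writes to `${TMPFILE}` unconditionally and unquoted, while the `rm -f` one line above it is guarded by a non-empty check; with an empty `TMPFILE` the redirect fails, and with a set one the file that was just removed is recreated by the shell redirect. Because Lynis is normally run as root, a `>>` onto a just-deleted path follows whatever exists at that path at that moment, so this is only safe if `TMPFILE` holds a securely created, unpredictable name; its creation is outside this hunk and should be confirmed. I would put the line under the same guard and quote both expansions, `if [ ! "${TMPFILE}" = "" ]; then ... >> "${TMPFILE}"; fi`, and drop the leading `cat` by passing `"${NGINX_CONF_LOCATION}"` to the first `sed`. The `for I in ${FIND}; do` loop continues past the end of the hunk.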