mirror of https://github.com/CISOfy/lynis.git
Removed unneeded field
parent
fc2d9b935c
commit
f9b2993f35
|
@ -97,7 +97,7 @@ InsertSection "Basics"
|
|||
|
||||
FIND=`egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g'`
|
||||
if [ "${FIND}" = "" ]; then
|
||||
ReportWarning "dockerfile" "L" "No maintainer found. Unclear who created this file."
|
||||
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
|
||||
else
|
||||
MAINTAINER=`echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}'`
|
||||
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
|
||||
|
@ -125,7 +125,7 @@ InsertSection "Basics"
|
|||
|
||||
FIND=`egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#"`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
ReportWarning "dockerfile" "L" "Possible development utilities found, which is not advised for production environment"
|
||||
ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment"
|
||||
LogText "Details: ${FIND}"
|
||||
fi
|
||||
|
||||
|
@ -160,7 +160,7 @@ InsertSection "Basics"
|
|||
FIND=`grep "^ADD http" ${AUDIT_FILE}`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
FILE_DOWNLOAD=1
|
||||
ReportWarning "dockerfile" "L" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
|
||||
ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
|
||||
LogText "Details: ${FIND}"
|
||||
fi
|
||||
|
||||
|
@ -193,7 +193,7 @@ InsertSection "Basics"
|
|||
|
||||
FIND=`grep -i "chmod 777" ${AUDIT_FILE}`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
ReportWarning "dockerfile" "L" "Warning: chmod 777 found"
|
||||
ReportWarning "dockerfile" "Warning: chmod 777 found"
|
||||
fi
|
||||
#
|
||||
##################################################################################################
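Review bot: The `chmod 777` test in the last hunk of this section matches only that literal text, so `chmod 0777`, `chmod -R 777` and symbolic forms such as `chmod a+rwx` are not reported. A pattern like `grep -iE "chmod[[:space:]]+(-[A-Za-z]+[[:space:]]+)*0?777"` would cover the numeric variants. The first and third hunks are narrow in the same way: `^MAINTAINER` and `^ADD http` are case-sensitive and anchored at column 0, while Dockerfile instructions may be lower-case or indented. `${AUDIT_FILE}` is unquoted in all four commands, so a path containing spaces breaks each check. The enclosing test blocks start and end outside these hunks.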
|
||||
|
|
|
@ -235,7 +235,7 @@
|
|||
else
|
||||
LogText "Result: no log file found"
|
||||
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk"
|
||||
ReportWarning ${TEST_NO} "Auditd log file is defined but can not be found on disk"
|
||||
fi
|
||||
fi
|
||||
#
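Review bot: `ReportWarning` is called with two arguments on the new line here and in every other hunk on this page, but the function's definition is not among the visible changes. If it still takes the text from `$3`, each warning would be written with the message in the old priority position and an empty text. Confirm the definition changed in the same commit and give it a usage comment such as `# ReportWarning <test id> <text>`. Anything that parses the report and expects the old field layout needs the same check. The `if`/`else` this hunk belongs to starts outside it.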
|
||||
|
|
|
@ -782,7 +782,7 @@
|
|||
else
|
||||
LogText "Result: option present, no password needed at single user mode login"
|
||||
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
|
||||
ReportWarning ${TEST_NO} "No password needed for single user mode login"
|
||||
AddHP 0 1
|
||||
fi
|
||||
else
|
||||
|
@ -891,7 +891,7 @@
|
|||
if [ ${FOUND} -eq 0 ]; then
|
||||
LogText "Result: option not set, no password needed at single user mode boot"
|
||||
Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "L" "No password set for single mode"
|
||||
ReportWarning ${TEST_NO} "No password set for single mode"
|
||||
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
|
||||
AddHP 0 2
|
||||
else
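Review bot: The Linux warning text in the second hunk, "No password set for single mode", drops the word "user", while the log line two lines above it and the Solaris hunk both say "single user mode". Using `ReportWarning ${TEST_NO} "No password set for single user mode"` lets one search term find both findings in the report. Both branches continue outside the hunks.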
|
||||
|
|
|
@ -75,7 +75,7 @@
|
|||
# if IsWorldWritable /etc/motd; then
|
||||
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_WARNING}" --color RED
|
||||
# LogText "Result: /etc/motd is world writable. Users can change this file!"
|
||||
# ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
|
||||
# ReportWarning ${TEST_NO} "/etc/motd is world writable"
|
||||
# else
|
||||
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_OK}" --color GREEN
|
||||
# LogText "Result: /etc/motd is not world writable."
|
||||
|
|
|
@ -658,7 +658,7 @@
|
|||
LogText "Test: Checking ${CHECKFILE} file for writable bit"
|
||||
if IsWorldWritable ${CHECKFILE}; then
|
||||
FOUND=1
|
||||
ReportWarning ${TEST_NO} "H" "Found writable startup script ${CHECKFILE}"
|
||||
ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
|
||||
LogText "Result: warning, file ${CHECKFILE} is world writable"
|
||||
else
|
||||
LogText "Result: good, file ${CHECKFILE} not world writable"
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
|
||||
if [ "${FIND}" = "0" ]; then
|
||||
LogText "Result: Login succeeded, no MySQL root password set!"
|
||||
ReportWarning ${TEST_NO} "H" "No MySQL root password set"
|
||||
ReportWarning ${TEST_NO} "No MySQL root password set"
|
||||
Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
|
||||
AddHP 0 5
|
||||
else
|
||||
|
|
|
@ -283,7 +283,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
|
||||
LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
|
||||
#ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
|
||||
#ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap parition (${FIND})"
|
||||
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
|
||||
LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
|
||||
fi
|
||||
|
@ -367,7 +367,7 @@
|
|||
AddHP 3 3
|
||||
else
|
||||
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!"
|
||||
ReportWarning ${TEST_NO} "No sticky bit found on /tmp directory, which can be dangerous!"
|
||||
ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory."
|
||||
AddHP 0 3
|
||||
fi
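Review bot: The `#ReportWarning` line edited in the first hunk is commented out and never runs, so the change only keeps dead code in step with the new call form. The same applies to the commented-out `Found possible unused iptables rules` call in the hunk that logs `iptables rule numbers`. Either delete both lines or put a comment above them saying why the warning is disabled, for example `# Warning disabled: reported as a suggestion only`. If the line stays, the message also misspells "partition" as "parition".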
|
||||
|
|
|
@ -156,7 +156,7 @@
|
|||
FIREWALL_EMPTY_RULESET=1
|
||||
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
|
||||
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
|
||||
ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
|
||||
else
|
||||
LogText "Result: one or more rules are available (${FIND} rules)"
|
||||
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -181,7 +181,7 @@
|
|||
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
|
||||
LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
|
||||
LogText "Output: iptables rule numbers: ${FIND}"
|
||||
#ReportWarning ${TEST_NO} "L" "Found possible unused iptables rules ($FIND)"
|
||||
#ReportWarning ${TEST_NO} "Found possible unused iptables rules ($FIND)"
|
||||
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
|
||||
LogText "Tip: iptables --list --numeric --line-numbers --verbose"
|
||||
fi
|
||||
|
@ -272,7 +272,7 @@
|
|||
else
|
||||
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: found one or more warnings in the pf filter rules"
|
||||
ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file"
|
||||
ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file"
|
||||
ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
|
||||
fi
|
||||
else
|
||||
|
|
|
@ -587,7 +587,7 @@
|
|||
AddHP 5 5
|
||||
elif [ ${REBOOT_NEEDED} -eq 1 ]; then
|
||||
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED
|
||||
ReportWarning ${TEST_NO} "H" "Reboot of system is most likely needed"
|
||||
ReportWarning ${TEST_NO} "Reboot of system is most likely needed"
|
||||
AddHP 0 5
|
||||
else
|
||||
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
|
|
|
@ -92,7 +92,7 @@
|
|||
else
|
||||
LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
|
||||
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
|
||||
ReportWarning ${TEST_NO} "Found one or more problems in Syslog-NG configuration file"
|
||||
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
|
||||
fi
|
||||
fi
|
||||
|
@ -191,7 +191,7 @@
|
|||
else
|
||||
LogText "Result: No klogd found"
|
||||
Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
|
||||
ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
|
||||
ReportWarning ${TEST_NO} "klogd is not running, which could lead to missing kernel messages in log files"
|
||||
fi
|
||||
else
|
||||
LogText "Result: test skipped, because other facility is being used to log kernel messages"
|
||||
|
@ -214,7 +214,7 @@
|
|||
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: minilogd found in process list"
|
||||
# minilogd daemon seems to be running
|
||||
ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
|
||||
ReportWarning ${TEST_NO} "minilogd is running, which should normally not be running"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -327,7 +327,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: No loghost entry found"
|
||||
ReportWarning ${TEST_NO} "L" "No loghost entry found"
|
||||
ReportWarning ${TEST_NO} "No loghost entry found"
|
||||
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -84,7 +84,7 @@
|
|||
if [ ${N} -gt 6 ]; then
|
||||
LogText "Result: Found ${N} search domains"
|
||||
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
|
||||
ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
|
||||
ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
|
||||
else
|
||||
LogText "Result: Found ${N} search domains"
|
||||
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
@ -100,7 +100,7 @@
|
|||
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
|
||||
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
|
||||
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
|
||||
ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
|
||||
ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
|
||||
else
|
||||
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
|
||||
fi
|
||||
|
@ -280,7 +280,7 @@
|
|||
else
|
||||
LogText "Result: Unbound daemon is not running"
|
||||
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
|
||||
ReportWarning "${TEST_NO}" "L" "Found Unbound configuration file issues (run unbound-checkconf)"
|
||||
ReportWarning "${TEST_NO}" "Found Unbound configuration file issues (run unbound-checkconf)"
|
||||
fi
|
||||
else
|
||||
LogText "Result: skipped, can't find unbound-checkconf utility"
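Review bot: In the third hunk the `else` branch logs `Result: Unbound daemon is not running`, yet the display line and the warning both report configuration file problems, so the log points an investigator at the wrong cause. If this branch is reached when `unbound-checkconf` fails (the condition is outside the hunk), the log line should say so, e.g. `LogText "Result: unbound-checkconf reported problems in the configuration file"`. In the second hunk, `[ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]` uses the obsolescent `-a` operator; `[ ! "${FIND}" = "0" ] && [ ! "${FIND}" = "1" ]` is the portable form.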
|
||||
|
|
|
@ -147,7 +147,7 @@
|
|||
LogText "Result: nameserver ${I} does NOT respond"
|
||||
LogText "Exit-code from dig: ${DNSRESPONSE}"
|
||||
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
|
||||
ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
|
||||
ReportWarning ${TEST_NO} "Nameserver ${I} does not respond"
|
||||
fi
|
||||
else
|
||||
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
|
||||
|
@ -169,7 +169,7 @@
|
|||
if [ ${NUMBERACTIVENS} -lt 2 ]; then
|
||||
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: less than 2 responsive nameservers found"
|
||||
ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
|
||||
ReportWarning ${TEST_NO} "Couldn't find 2 responsive nameservers"
|
||||
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
|
||||
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
|
||||
AddHP 1 2
|
||||
|
@ -487,7 +487,7 @@
|
|||
# Check if this interface was whitelisted
|
||||
if [ ${WHITELISTED} -eq 0 ]; then
|
||||
FOUNDPROMISC=1
|
||||
ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
|
||||
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
|
||||
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
|
||||
else
|
||||
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
|
||||
|
@ -522,7 +522,7 @@
|
|||
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
|
||||
if [ "${ISWHITELISTED}" = "" ]; then
|
||||
FOUNDPROMISC=1
|
||||
ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
|
||||
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
|
||||
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
|
||||
else
|
||||
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
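Review bot: The whitelist lookup in the last hunk, `grep "^if_promisc:${I}:" ${PROFILE}`, uses the interface name as a regular expression. A name containing `.` (a VLAN interface, for instance) can therefore match a profile entry written for a different interface, and the promiscuous-mode warning is then suppressed. An exact field comparison avoids that and also quotes the profile path: `awk -F: -v i="${I}" '$1=="if_promisc" && $2==i' "${PROFILE}"`. The impact is probably small, but a suppressed finding is hard to notice afterwards. The loop over interfaces starts outside the hunk.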
|
||||
|
|
|
@ -313,7 +313,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Zypper found one or more installed packages which are vulnerable."
|
||||
ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed"
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
|
||||
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
|
||||
FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | sed 's/:$//' | grep -v "^$" | sort -u`
|
||||
LogText "List of vulnerable packages/version:"
|
||||
|
@ -447,7 +447,7 @@
|
|||
# Decrease hardening points for every found vulnerable package
|
||||
AddHP 1 2
|
||||
done
|
||||
ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages. Run: dnf upgrade"
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages. Run: dnf upgrade"
|
||||
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
|
||||
|
||||
else
|
||||
|
@ -711,7 +711,7 @@
|
|||
else
|
||||
LogText "Result: One or more duplicate packages found"
|
||||
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed"
|
||||
ReportWarning ${TEST_NO} "Found one or more duplicate packages installed"
|
||||
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
|
||||
fi
|
||||
|
||||
|
@ -724,7 +724,7 @@
|
|||
else
|
||||
LogText "Result: One or more problems found in package database"
|
||||
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database"
|
||||
ReportWarning ${TEST_NO} "Found one or more problems in the package database"
|
||||
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
|
||||
fi
|
||||
else
|
||||
|
@ -1012,7 +1012,7 @@
|
|||
VULNERABLE_PACKAGES_FOUND=1
|
||||
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_FOUND}" --color RED
|
||||
LogText "Result: found ${FIND} security updates with glsa-check"
|
||||
ReportWarning "${TEST_NO}" "H" "Found ${FIND} security update(s) with glsa-check."
|
||||
ReportWarning "${TEST_NO}" "Found ${FIND} security update(s) with glsa-check."
|
||||
LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified."
|
||||
AddHP 0 25
|
||||
fi
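Review bot: The DNF warning in the second hunk carries its remediation inside the warning text (`Run: dnf upgrade`), while the duplicate-package and package-database hunks of this section put the remediation in a separate `ReportSuggestion`. Splitting it the same way keeps warning texts stable for anyone matching on them: `ReportWarning ${TEST_NO} "Found one or more vulnerable packages"` followed by `ReportSuggestion ${TEST_NO} "Run dnf upgrade to install available security updates"`. `${TEST_NO}` is also quoted in the glsa-check hunk but unquoted in the others; using one form throughout would be more consistent.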
|
||||
|
|
|
@ -392,7 +392,7 @@
|
|||
fi
|
||||
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
ReportWarning ${TEST_NO} "H" "System vulnerable to Shellshock (bash)"
|
||||
ReportWarning ${TEST_NO} "System vulnerable to Shellshock (bash)"
|
||||
AddHP 0 25
|
||||
else
|
||||
AddHP 5 5
|
||||
|
|
|
@ -257,7 +257,7 @@
|
|||
AddHP 1 1
|
||||
else
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED
|
||||
ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
|
||||
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
|
||||
AddHP 0 1
|
||||
fi
|
||||
done
|
||||
|
|
|
@ -259,7 +259,7 @@
|
|||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Found one or more high stratum (16) peers)"
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq peers output"
|
||||
ReportWarning ${TEST_NO} "L" "Found one or more stratum 16 peers"
|
||||
ReportWarning ${TEST_NO} "Found one or more stratum 16 peers"
|
||||
fi
|
||||
fi
|
||||
fi
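Review bot: The log line above the changed call has an unbalanced closing parenthesis, `"Result: Found one or more high stratum (16) peers)"`. It should read `LogText "Result: Found one or more high stratum (16) peers"`. The enclosing `if` blocks start outside the hunk.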
|
||||
|
|
4
lynis
4
lynis
|
@ -906,7 +906,7 @@ ${NORMAL}
|
|||
. ${INCLUDE_FILE}
|
||||
else
|
||||
LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
|
||||
ReportWarning "NONE" "H" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
|
||||
ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
|
||||
# Insert a section and warn user also on screen
|
||||
InsertSection "General"
|
||||
Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
|
||||
|
@ -933,7 +933,7 @@ ${NORMAL}
|
|||
. ${INCLUDEDIR}/tests_custom
|
||||
else
|
||||
LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
|
||||
ReportWarning "NONE" "H" "Invalid permissions on custom tests file"
|
||||
ReportWarning "NONE" "Invalid permissions on custom tests file"
|
||||
Display --indent 2 --text "- Running custom tests... " --result "WARNING" --color RED
|
||||
fi
|
||||
else
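Review bot: Both new warnings say only that permissions are invalid and do not name the full path of the rejected file, so the report alone does not show which file to fix. Since these files are sourced into the running scan, the report should name the file, e.g. `ReportWarning "NONE" "Invalid permissions on tests file ${INCLUDE_FILE}"` and `ReportWarning "NONE" "Invalid permissions on custom tests file ${INCLUDEDIR}/tests_custom"`. The permission test itself is outside both hunks; it is worth confirming that it checks the file's owner as well as its mode. `. ${INCLUDE_FILE}` and `. ${INCLUDEDIR}/tests_custom` are unquoted, so an include path with spaces would break the source.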
|
||||
|
|