Removed unneeded field

Michael Boelen 2016-08-10 07:24:10 +02:00
parent fc2d9b935c
commit f9b2993f35
17 changed files with 37 additions and 37 deletions


@ -97,7 +97,7 @@ InsertSection "Basics"
FIND=`egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g'`
if [ "${FIND}" = "" ]; then
ReportWarning "dockerfile" "L" "No maintainer found. Unclear who created this file."
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
else
MAINTAINER=`echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}'`
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
@ -125,7 +125,7 @@ InsertSection "Basics"
FIND=`egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#"`
if [ ! "${FIND}" = "" ]; then
ReportWarning "dockerfile" "L" "Possible development utilities found, which is not advised for production environment"
ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment"
LogText "Details: ${FIND}"
fi
@ -160,7 +160,7 @@ InsertSection "Basics"
FIND=`grep "^ADD http" ${AUDIT_FILE}`
if [ ! "${FIND}" = "" ]; then
FILE_DOWNLOAD=1
ReportWarning "dockerfile" "L" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
LogText "Details: ${FIND}"
fi
@ -193,7 +193,7 @@ InsertSection "Basics"
FIND=`grep -i "chmod 777" ${AUDIT_FILE}`
if [ ! "${FIND}" = "" ]; then
ReportWarning "dockerfile" "L" "Warning: chmod 777 found"
ReportWarning "dockerfile" "Warning: chmod 777 found"
fi
#
##################################################################################################
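Review bot: Every call in this commit drops the second argument of ReportWarning (in this file the four `ReportWarning "dockerfile" "..."` lines), but the function's own definition is not among the 17 files shown, so it is not visible whether it now reads the message from `$2`. If it still expects the old test/severity/text order, the message would be taken as the severity and the text would be empty; please confirm the definition was updated before or together with this change. Custom tests and plugins that still pass "L", "M" or "H" would hit the reverse problem, so the function should detect a legacy second argument and log it rather than record the letter as the warning text. A short comment above the function documenting the two-argument form would help out-of-tree callers.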


@ -235,7 +235,7 @@
else
LogText "Result: no log file found"
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk"
ReportWarning ${TEST_NO} "Auditd log file is defined but can not be found on disk"
fi
fi
#


@ -782,7 +782,7 @@
else
LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
ReportWarning ${TEST_NO} "No password needed for single user mode login"
AddHP 0 1
fi
else
@ -891,7 +891,7 @@
if [ ${FOUND} -eq 0 ]; then
LogText "Result: option not set, no password needed at single user mode boot"
Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "No password set for single mode"
ReportWarning ${TEST_NO} "No password set for single mode"
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
AddHP 0 2
else


@ -75,7 +75,7 @@
# if IsWorldWritable /etc/motd; then
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_WARNING}" --color RED
# LogText "Result: /etc/motd is world writable. Users can change this file!"
# ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
# ReportWarning ${TEST_NO} "/etc/motd is world writable"
# else
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_OK}" --color GREEN
# LogText "Result: /etc/motd is not world writable."


@ -658,7 +658,7 @@
LogText "Test: Checking ${CHECKFILE} file for writable bit"
if IsWorldWritable ${CHECKFILE}; then
FOUND=1
ReportWarning ${TEST_NO} "H" "Found writable startup script ${CHECKFILE}"
ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
LogText "Result: warning, file ${CHECKFILE} is world writable"
else
LogText "Result: good, file ${CHECKFILE} not world writable"
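Review bot: The report text `"Found writable startup script ${CHECKFILE}"` says less than the check establishes: the condition is `IsWorldWritable` and the log line right after it says "world writable". I would make the report say the same, `ReportWarning ${TEST_NO} "Found world writable startup script ${CHECKFILE}"`, so that someone reading only the report understands that any local user can modify a script that runs at startup. The surrounding loop over startup files begins and ends outside the hunk.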


@ -76,7 +76,7 @@
FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
LogText "Result: Login succeeded, no MySQL root password set!"
ReportWarning ${TEST_NO} "H" "No MySQL root password set"
ReportWarning ${TEST_NO} "No MySQL root password set"
Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
AddHP 0 5
else
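Review bot: The report entry for an empty MySQL root password, `ReportWarning ${TEST_NO} "No MySQL root password set"`, no longer carries the "H" marker, so it ranks the same as low-impact findings unless priority is derived elsewhere from the test ID, which is not visible here. The same applies to the other former "H" calls in this commit (Shellshock, promiscuous interface, vulnerable packages, missing sticky bit on /tmp). If severity is now looked up centrally, a comment near these calls or a sentence in the commit description saying where would help report consumers; `AddHP 0 5` is the only local hint of weight left. The enclosing test block starts and ends outside the hunk.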


@ -283,7 +283,7 @@
else
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
#ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap parition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
fi
@ -367,7 +367,7 @@
AddHP 3 3
else
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!"
ReportWarning ${TEST_NO} "No sticky bit found on /tmp directory, which can be dangerous!"
ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory."
AddHP 0 3
fi
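Review bot: The commented-out call `#ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap parition (${FIND})"` is being edited even though it never runs, and it keeps the typo "parition". Either delete the dead line, since the `ReportSuggestion` below it already covers the finding, or correct it to `swap partition` so the text is right if the call is ever re-enabled. The firewalls section has the same pattern with `#ReportWarning ${TEST_NO} "Found possible unused iptables rules ($FIND)"`.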


@ -156,7 +156,7 @@
FIREWALL_EMPTY_RULESET=1
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
else
LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
@ -181,7 +181,7 @@
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
LogText "Output: iptables rule numbers: ${FIND}"
#ReportWarning ${TEST_NO} "L" "Found possible unused iptables rules ($FIND)"
#ReportWarning ${TEST_NO} "Found possible unused iptables rules ($FIND)"
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
LogText "Tip: iptables --list --numeric --line-numbers --verbose"
fi
@ -272,7 +272,7 @@
else
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file"
ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file"
ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi
else


@ -587,7 +587,7 @@
AddHP 5 5
elif [ ${REBOOT_NEEDED} -eq 1 ]; then
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED
ReportWarning ${TEST_NO} "H" "Reboot of system is most likely needed"
ReportWarning ${TEST_NO} "Reboot of system is most likely needed"
AddHP 0 5
else
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW


@ -92,7 +92,7 @@
else
LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
ReportWarning ${TEST_NO} "Found one or more problems in Syslog-NG configuration file"
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
fi
fi
@ -191,7 +191,7 @@
else
LogText "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
ReportWarning ${TEST_NO} "klogd is not running, which could lead to missing kernel messages in log files"
fi
else
LogText "Result: test skipped, because other facility is being used to log kernel messages"
@ -214,7 +214,7 @@
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
LogText "Result: minilogd found in process list"
# minilogd daemon seems to be running
ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
ReportWarning ${TEST_NO} "minilogd is running, which should normally not be running"
fi
fi
#
@ -327,7 +327,7 @@
else
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
LogText "Result: No loghost entry found"
ReportWarning ${TEST_NO} "L" "No loghost entry found"
ReportWarning ${TEST_NO} "No loghost entry found"
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
fi
fi


@ -84,7 +84,7 @@
if [ ${N} -gt 6 ]; then
LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
@ -100,7 +100,7 @@
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
fi
@ -280,7 +280,7 @@
else
LogText "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
ReportWarning "${TEST_NO}" "L" "Found Unbound configuration file issues (run unbound-checkconf)"
ReportWarning "${TEST_NO}" "Found Unbound configuration file issues (run unbound-checkconf)"
fi
else
LogText "Result: skipped, can't find unbound-checkconf utility"
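Review bot: Quoting of the test ID is inconsistent within this file: the Unbound call uses `ReportWarning "${TEST_NO}" "..."` while the two search-domain calls pass `${TEST_NO}` unquoted. With only two positional arguments left, an empty or unset `TEST_NO` in the unquoted form would disappear and the message would slide into the first position, so the warning would be filed under the wrong key. I would quote it everywhere, e.g. `ReportWarning "${TEST_NO}" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"`; the same applies to the unquoted calls in the other files of this commit.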


@ -147,7 +147,7 @@
LogText "Result: nameserver ${I} does NOT respond"
LogText "Exit-code from dig: ${DNSRESPONSE}"
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
ReportWarning ${TEST_NO} "Nameserver ${I} does not respond"
fi
else
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
@ -169,7 +169,7 @@
if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
LogText "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
ReportWarning ${TEST_NO} "Couldn't find 2 responsive nameservers"
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2
@ -487,7 +487,7 @@
# Check if this interface was whitelisted
if [ ${WHITELISTED} -eq 0 ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
@ -522,7 +522,7 @@
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"


@ -313,7 +313,7 @@
else
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed"
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | sed 's/:$//' | grep -v "^$" | sort -u`
LogText "List of vulnerable packages/version:"
@ -447,7 +447,7 @@
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages. Run: dnf upgrade"
ReportWarning ${TEST_NO} "Found one or more vulnerable packages. Run: dnf upgrade"
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
else
@ -711,7 +711,7 @@
else
LogText "Result: One or more duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed"
ReportWarning ${TEST_NO} "Found one or more duplicate packages installed"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
fi
@ -724,7 +724,7 @@
else
LogText "Result: One or more problems found in package database"
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database"
ReportWarning ${TEST_NO} "Found one or more problems in the package database"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
fi
else
@ -1012,7 +1012,7 @@
VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_FOUND}" --color RED
LogText "Result: found ${FIND} security updates with glsa-check"
ReportWarning "${TEST_NO}" "H" "Found ${FIND} security update(s) with glsa-check."
ReportWarning "${TEST_NO}" "Found ${FIND} security update(s) with glsa-check."
LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified."
AddHP 0 25
fi


@ -392,7 +392,7 @@
fi
if [ ${FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "H" "System vulnerable to Shellshock (bash)"
ReportWarning ${TEST_NO} "System vulnerable to Shellshock (bash)"
AddHP 0 25
else
AddHP 5 5


@ -257,7 +257,7 @@
AddHP 1 1
else
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED
ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
AddHP 0 1
fi
done


@ -259,7 +259,7 @@
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found one or more high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output"
ReportWarning ${TEST_NO} "L" "Found one or more stratum 16 peers"
ReportWarning ${TEST_NO} "Found one or more stratum 16 peers"
fi
fi
fi

4
lynis

@ -906,7 +906,7 @@ ${NORMAL}
. ${INCLUDE_FILE}
else
LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
ReportWarning "NONE" "H" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
# Insert a section and warn user also on screen
InsertSection "General"
Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
@ -933,7 +933,7 @@ ${NORMAL}
. ${INCLUDEDIR}/tests_custom
else
LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
ReportWarning "NONE" "H" "Invalid permissions on custom tests file"
ReportWarning "NONE" "Invalid permissions on custom tests file"
Display --indent 2 --text "- Running custom tests... " --result "WARNING" --color RED
fi
else
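Review bot: The warning for a skipped custom tests file, `ReportWarning "NONE" "Invalid permissions on custom tests file"`, does not name the file, and with the test ID "NONE" the report entry cannot be traced back to a path. Since this branch sources `${INCLUDEDIR}/tests_custom`, I would include that path: `ReportWarning "NONE" "Invalid permissions on custom tests file ${INCLUDEDIR}/tests_custom"`. A skipped tests file reduces audit coverage, and loose permissions on a file that gets sourced deserve prompt follow-up, so the report line should be actionable on its own. The first hunk in this file already does this by naming `tests_${INCLUDE_TEST}`.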