Commit Graph

83 Commits

Author SHA1 Message Date
Michael Boelen 240c2b1db4
Merge branch 'master' into issue1376 2024-05-14 11:50:07 +02:00
Thomas Sjögren fe0b40c98d
support perf_event_paranoid=4
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2023-03-10 10:46:04 +01:00
pyllyukko 2e6415a3b3 perf_event_paranoid -> 2|3
The value of 3 was introduced in c76a4ca and the source was this[1].
The documentation in the source notes that the value of 3 requires a
patch for the Linux kernel. The vanilla kernel has the "maximum" value of
2[2].

[1] https://docs.clip-os.org/clipos/kernel.html#sysctl-security-tuning
[2] https://www.kernel.org/doc/html/v5.7/admin-guide/sysctl/kernel.html#perf-event-paranoid
2022-01-23 10:41:20 +02:00
Michael Boelen c48674beb2
Merge pull request #933 from topimiettinen/check-clip-os-sysctls
[KRNL-6000] Check more sysctls
2020-12-22 14:31:08 +01:00
Michael Boelen 792a202934
Merge pull request #913 from topimiettinen/check-der-certs
[CRYP-7902] Check also certificates in DER format
2020-08-07 11:54:39 +02:00
Michael Boelen 9715c21c71
Merge pull request #957 from Varbin/rsh-permissions
rsh host file permissions
2020-08-07 11:48:13 +02:00
Simon Biewald 5cd33746a0
add (Open)SSH equivalents to rhost files
SSH also supports host based authentication. In contrast to the totally
insecure rsh, the hostnames are checked cryptographically. The
authorization checks are still done with the same syntax as with rsh.
In addition to the old rhosts/rlogin (and equiv) file, SSH adds the
slogin file. This must not be writable either, as attackers could
elevate their privileges.
2020-06-20 17:45:34 +02:00
Simon Biewald b7b132721e
check permissions of files used by rsh
The old rsh (remote shell) grants access to users and hosts in the files
/etc/hosts.equiv and ~/.r(login|hosts). If attackers can write to those
files, they can log on as a different user or even root (in the case of
root's .r(login|hosts) only) to the system. While the rsh daemon usually
checks for non-root owners or write permissions, this may not be the case
on every system.

Those files might affect other services as well (rlogin, rcp, ...).

As hostnames and usernames are not verified securely, the use of rsh and
similar commands is discouraged. It may still be in use on legacy systems
even today, so it should be secured as much as possible if it is not
possible to remove or replace it.
2020-06-20 17:08:56 +02:00
Steve8291 10402538fa
Fix typo in kernel options description 2020-06-11 10:46:55 -04:00
Topi Miettinen c76a4ca1a6
[KRNL-6000] Check more sysctls
Add checks for sysctls recommended by CLIP OS (vanilla kernel sysctls
only):
https://docs.clip-os.org/clipos/kernel.html#sysctl-security-tuning

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-05-23 19:55:12 +03:00
Topi Miettinen fcdc07f8d9
[CRYP-7902] Check also certificates in DER format
Check also certificates in DER (*.cer, *.der) format. Add
/etc/refind.d/keys to list of certificate paths.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-25 00:06:58 +03:00
Topi Miettinen 9642bcffc8
[CRYP-7902] Optionally check also certificates provided by packages
The package maintainers are not immune to mistakes or they might not
always provide timely updates, so let's check (optionally) more
certificates even if they are delivered by packages.

I found three expired certificates in my Debian/unstable system,
thanks to the changed Lynis.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-02 12:52:13 +03:00
Michael Boelen d6324ee29a
Disabled shadow files in default profile as each Linux distribution has its own default 2019-09-14 13:20:26 +02:00
Michael Boelen f49f0a2029
Altered order of entries 2019-07-26 11:59:19 +02:00
Michael Boelen 76e84f4b56
Run non-interactive by default, use --wait to enforce waiting after finishing a group of tests 2019-07-12 14:38:52 +02:00
Michael Boelen 2c17c14c3b
New profile option to ignore specified certificate directories 2019-07-08 15:08:56 +02:00
Michael Boelen 007faf47c3
Cleanup of default profile and migration of permdir/permfile 2019-07-07 18:46:23 +02:00
Michael Boelen 3c7576f36b
Changed description and added note about strict checking 2019-07-07 16:19:10 +02:00
Michael Boelen 34ecd072b1
Merge branch 'master' of https://github.com/CISOfy/lynis 2019-07-03 15:40:37 +02:00
Michael Boelen ade3117307
New option to disable plugins via profile 2019-07-03 15:39:26 +02:00
Capashenn 5dbe4f20fc Add some default permfile/permdir 2019-03-25 10:58:19 +01:00
Michael Boelen 2c9116dc0c
Changed action from flush to clear 2018-03-03 14:42:54 +01:00
Michael Boelen 5711868d9e
Extended help 2018-03-03 14:39:25 +01:00
Michael Boelen 5e9253e8f4
Add host identifier options and use manual configured setting in function 2018-02-16 19:29:08 +01:00
Michael Boelen 35e8c0ab3a
Added kernel.yama.ptrace_scope 2018-01-23 15:09:59 +01:00
Michael Boelen 2bf6a5e038
Overhaul of default profile settings and parsing 2018-01-23 15:01:02 +01:00
Michael Boelen 1504370e41
Added solution, extended timestamps key values, allow multiple values 2018-01-11 10:19:16 +01:00
Michael Boelen 4042c45954
Changes for new plugin class 'hardware' 2017-12-08 09:37:55 +01:00
Michael Boelen e4cb190237
Support for allow-auto-purge option in profiles 2017-11-25 16:11:04 +01:00
Michael Boelen f903b6f079
Allow tags and system-customer-name to be specified 2017-06-22 10:15:39 +02:00
Dave Vehrs 933b01ea1f Added kernel.dmesg_restrict to sysctl checks. (#404) 2017-06-14 14:06:04 +02:00
0ri0n 9e10fdfbc8 Adds Protected Links Checks (#389)
Fixes #386
2017-05-03 09:20:35 +02:00
Michael Boelen 4d2e0e5aab Added another certificate path for Plesk 2017-03-14 16:47:01 +01:00
Michael Boelen 35440d437c Support for Plesk certificates path 2017-03-14 16:42:51 +01:00
Michael Boelen a19a34cbf3 Allow data uploads to be configured in profile 2017-02-21 15:40:06 +01:00
Michael Boelen 8d6bc1ad21 Allow colored output to be configured from profile 2017-02-16 10:27:54 +01:00
Michael Boelen a7838f4d08 Added authentication plugin 2017-02-14 20:06:02 +01:00
Michael Boelen 304a5c20a9 Added paths for SSL certificates 2016-11-29 14:28:16 +01:00
Michael Boelen 13d4d3d6b7 Add remark for automatic updates and packages 2016-11-08 09:03:17 +01:00
marcus-cr 56ce017b4f Updated profiles (#300)
* Updated profiles

Added “personal” machine-role, changed “desktop” to “workstation”.

* Changed Default Profile

Amended roles of system: changed “desktop” to “workstation”, and added
“personal”.
2016-10-26 12:35:47 +02:00
Michael Boelen b6a9d294d8 Added missing separator 2016-10-15 15:15:40 +02:00
Michael Boelen 2cc3adf7ac Added new sysctl values 2016-10-05 09:50:34 +02:00
Michael Boelen 870ac295c6 Show possible solution with findings 2016-09-24 15:51:05 +02:00
Michael Boelen ad678eca74 Changed suggested value for kernel.randomize_va_space 2016-09-13 17:26:44 +02:00
Michael Boelen af00c1e8d1 Added more sysctl keys 2016-08-18 14:52:15 +02:00
Michael Boelen d95ab3d253 Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00
Michael Boelen e176011912 Allow repository update to be disabled 2016-08-11 10:01:29 +02:00
Michael Boelen 07a113e46e Set initial value for language and improve auto detection 2016-07-12 20:32:15 +02:00
Lukas Pirl 77634d578c expect value of sysctl:kernel.kptr_restrict to be 2 (#224)
from https://lwn.net/Articles/420403/:
  """
  The %pK format specifier is designed to hide exposed kernel
  pointers, specifically via /proc interfaces.  Exposing these
  pointers provides an easy target for kernel write vulnerabilities,
  since they reveal the locations of writable structures containing
  easily triggerable function pointers.  The behavior of %pK depends
  on the kptr_restrict sysctl. […] If kptr_restrict is set to 2,
  kernel pointers using %pK are printed as 0's regardless of
  privileges.
  """
2016-07-11 10:11:18 +02:00
Michael Boelen e22322920f More reorganizing as options will be deprecated 2016-07-05 19:57:43 +02:00