tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
2,463 Commits 2 Branches 62 Tags 17 MiB
Commit Graph

1631 Commits

Author SHA1 Message Date
Michael Boelen 054ca21ee3
Fix: split directories 2019-07-08 21:19:28 +02:00
Michael Boelen 2c17c14c3b
New profile option to ignore specified certificate directories 2019-07-08 15:08:56 +02:00
Michael Boelen 1854e51e7e
New function: Equals 2019-07-08 15:05:28 +02:00
Michael Boelen 16146aabc0
Added option: ssl-certificate-paths-to-ignore 2019-07-08 14:27:40 +02:00
Michael Boelen 5217db95b1
Add deprecation message for old format and added check for unexpected/invalid characters in profile (additional security measure) 2019-07-07 18:49:01 +02:00
Michael Boelen 7a816ece8a
Added DisplayWarning function 2019-07-07 18:47:55 +02:00
Michael Boelen 05012f60fd
Added new colors and regrouping 2019-07-07 18:46:55 +02:00
Michael Boelen 007faf47c3
Cleanup of default profile and migration of permdir/permfile 2019-07-07 18:46:23 +02:00
Michael Boelen c639cb4f6e
Only check empty binaries when we did a full scan, as for some commands the binary scanning is not performed 2019-07-05 18:37:10 +02:00
Michael Boelen 8d4fd1a7aa
Add Readonly() function 2019-07-05 18:35:45 +02:00
Michael Boelen 0443d643da
Show tip to use 'lynis generate hostids' when they are missing 2019-07-05 18:35:10 +02:00
Michael Boelen ade3117307
New option to disable plugins via profile 2019-07-03 15:39:26 +02:00
Michael Boelen 2e1ec2c32f
Change variable name to better indicate what it does 2019-07-03 15:07:46 +02:00
Michael Boelen bc88775d0e
When PATH is defined, only locations from variable 2019-07-01 07:39:32 +02:00
Michael Boelen 76c3ea0edb
Fall back to echo if ECHOCMD is empty early during execution of program 2019-06-30 20:38:05 +02:00
Michael Boelen cb77d5a3f7
Show text when stopping execution 2019-06-30 20:37:33 +02:00
Michael Boelen cfaea21430
Security: test all parameters and arguments for the presence of control characters 2019-06-30 19:29:48 +02:00
Michael Boelen fdacc00b45
Security: test PATH and warn or exit on discovery of dangerous location 2019-06-30 19:21:07 +02:00
Michael Boelen 5e4e44bdf3
Added check to ensure that common system tools are defined as extra safety measure 2019-06-30 18:27:31 +02:00
Michael Boelen 08e8e59197
New function: SafeInput 2019-06-29 19:34:12 +02:00
Michael Boelen dde57ce870
Merge branch 'master' of https://github.com/CISOfy/lynis 2019-06-24 15:47:39 +02:00
Michael Boelen ec519dc976
Minor cleanups 2019-06-24 15:40:38 +02:00
Michael Boelen d0377c563d
Added TLSv1 as weak protocol (nginx) 2019-06-24 15:40:18 +02:00
Michael Boelen 94e0a4e40d
Added Suricata (IDS) 2019-06-24 15:38:34 +02:00
Michael Boelen 8d16a62bbd
Added Bro (IDS) 2019-06-24 15:37:40 +02:00
Michael Boelen b0f966ae48
Check number of arguments for 'audit dockerfile' 2019-06-24 15:33:42 +02:00
Michael Boelen 6f3c268c57
Non-functional code removed as it does not work as intended and lacks required validation controls - Thanks to Sander Bos for reporting 2019-06-24 15:23:30 +02:00
Michael Boelen a312968dd6
Merge pull request #714 from deltablot/issue628 
Add PHP ini file locations for Ubuntu 18.04. Fix #628
 2019-06-24 13:46:30 +02:00
Michael Boelen f6f7a69857
Merge pull request #713 from bcs016/patch-1 
Update tests_authentication - AUTH-9402
 2019-06-24 13:43:19 +02:00
Michael Boelen 6cd903e079
Merge pull request #722 from pyllyukko/linux-bsdrc.d 
Detect BSD-style (rc.d) init in Linux systems
 2019-06-24 13:42:17 +02:00
Michael Boelen ef89ee3fc9
[NETW-3012] make ss command output preferred for Linux system and changed output format 2019-06-24 13:39:30 +02:00
Michael Boelen 6d55767c18
Include 'generate' command 2019-06-17 12:16:29 +02:00
pyllyukko 9b02934339
Detect BSD-style (rc.d) init in Linux systems 2019-06-06 15:41:29 +03:00
Michael Boelen 61d8c91eeb
[FILE-6310] filter on correct field for AIX 2019-06-06 14:20:12 +02:00
Michael Boelen 59b102989f
[AUTH-9268] AIX find does not support maxdepth 2019-06-06 14:13:05 +02:00
Michael Boelen 8e61275ff4
Move state recording to report section 2019-05-16 15:23:23 +02:00
Nicolas CARPi 6ca24aae8b Add PHP ini file locations for Ubuntu 18.04. Fix #628 2019-05-08 01:01:43 +02:00
bcs016 10b8da1c6a
Update tests_authentication 
Update AUTH-9402, change name to check in etc/passwd file when device is a QNAP
 2019-04-29 11:47:11 +02:00
Michael Boelen 96c1ea8b0e
[PKGS-7386] Removed suggestion as a warning is already displayed when vulnerable packages were discovered 2019-04-20 14:31:11 +02:00
Michael Boelen 017103e20c
[PKGS-7392] - Skip test for Zypper-based systems 2019-04-17 15:26:43 +02:00
Michael Boelen 121c861446
Non-interactive mode for zypper 2019-04-17 15:07:07 +02:00
Michael Boelen bf5219d9b9
[PKGS-7328/PKGS-7330] added non-interactive global option 2019-04-15 19:30:21 +02:00
Michael Boelen dba2dcb918
Added missing variables 2019-04-15 19:20:31 +02:00
Michael Boelen 2d0c684931
Added new 'generate' command 2019-04-13 13:26:56 +02:00
Michael Boelen e195e7c8e0
Corrected lsvg binary detection 2019-04-09 08:26:16 +02:00
Michael Boelen d90c43d06c
Updated descriptions 2019-04-09 06:52:00 +02:00
Capashenn fe09e4ebaa fix SHLL-6220 description (#673) 2019-04-09 06:49:33 +02:00
Michael Boelen fd8b1e790d
Improved PackageIsInstalled function and its usage 2019-04-08 15:09:18 +02:00
Michael Boelen 256bc1da0f
Undoed submitted pull request as it breaks testing at least on Ubuntu system 2019-04-08 11:07:41 +02:00
Capashenn 137dc6f0cc fix FILE-6374 (#672) 2019-04-08 10:36:17 +02:00
Michael Boelen 71a0c79053
Corrected stdout/stderr redirection for FreeBSD pkg tool 2019-04-08 07:53:04 +02:00
Michael Boelen 08ecd91180
Use ps instead of pgrep on AIX 2019-04-07 19:03:21 +02:00
Michael Boelen 1e134bc1b3
Extended function with more package managers 2019-04-07 15:52:52 +02:00
Michael Boelen f8b390617b
Changed screen output 2019-04-07 15:51:25 +02:00
Michael Boelen 2750e9b7b8
Detect equery binary 2019-04-07 15:50:46 +02:00
Michael Boelen 72ba872a2f
Improve text output for AIX systems 2019-04-04 19:04:42 +02:00
Michael Boelen 9936224278
Merge of several tests, cleanup, minor code enhancements and restructure 2019-04-04 14:42:39 +02:00
Michael Boelen 247eb7d9a6
Corrected if-statement 2019-04-03 12:46:03 +02:00
Capashenn e0ca517aaa Add tests INSE-8310 INSE-8312 (telnet) (#693) 
* Add test INSE-8000

* Add xinetd support in insecure_services

* fix issue #662

* Check for talk via xinetd

* Check for chargen via xinetd

* Check for daytime via xinetd

* Check discard via xinetd

* Check echo via xinatd

* Check time via xinetd

* Check tftp via xinetd

* Check rsync via xinetd

* Add test INSE-8200

* Add test INSE-8300 INSE-8302 INSE-8304 (rsh)

* Add tests INSE-8310 INSE-8312 (telnet)
 2019-04-02 11:15:31 +02:00
Michael Boelen 2c83037cba
Minor cleanup 2019-04-02 07:58:10 +02:00
Capashenn 7b7086566d Add test FILE-6324 check XFS file systems (#699) 2019-04-02 07:46:04 +02:00
Michael Boelen d0df518426
[PKGS-7420] corrected typo 2019-03-30 13:58:23 +01:00
Michael Boelen 3660043308
[PKGS-7420] limit test to specific OS, add dnf-automatic support, extend logging 2019-03-30 13:31:03 +01:00
Capashenn 295a2699d3 bugfix HOME-9304 HOME-9306 2019-03-29 16:37:30 +01:00
Michael Boelen 3702ae67b5
[PKGS-7420] Detect toolkit to automatically download and apply upgrades 2019-03-29 12:53:13 +01:00
Michael Boelen 8a9edeb40b
[AUTH-9278] style change, description, allow different root directory 2019-03-29 12:30:12 +01:00
Capashenn f9bcf26f25 fix issue #612 (#677) 
LDAP support for Red Hat and others (fix issue #612)
 2019-03-29 12:26:12 +01:00
Michael Boelen de2ef2c3e7
Add apt and dpkg binaries 2019-03-29 12:23:45 +01:00
Michael Boelen 605c381eb6
[PKGS-7410] add support for DPKG-based systems to gather installed kernel packages 2019-03-29 12:22:20 +01:00
Capashenn 3ba94b9700 fix issue #610 STRG-1842 2019-03-25 18:37:06 +01:00
Capashenn 06cdf6c50f fix issue #659 2019-03-25 14:48:43 +01:00
Capashenn c8af37c069 fix issues #666 #667 2019-03-25 14:10:20 +01:00
Capashenn 52dd096e0f fix issue #621 2019-03-25 10:53:46 +01:00
Michael Boelen ea8c032ea9
[NETW-3015] added support for ip binary 2019-03-21 09:34:26 +01:00
Michael Boelen 943e09db01
[LOGG-2180] minor cleanup 2019-03-21 09:07:05 +01:00
Michael Boelen 928023ec6a
[HTTP-6624] improved logging for test 2019-03-19 13:07:12 +01:00
Michael Boelen 303050dda3
[LOGG-2154] Adjusted test to search in configuration file correctly 2019-03-15 14:25:00 +01:00
Michael Boelen 048815abc0
[SSH-7408] Increased values for MaxAuthRetries as sometimes SSH key-based authentication may need it 2019-03-15 14:00:47 +01:00
Michael Boelen 4a47bde240
Adjusted descriptions 2019-03-15 13:52:55 +01:00
Michael Boelen 89782f1e98
Add logging status of tool tips 2019-03-14 14:15:59 +01:00
Michael Boelen 703a856e82
Corrected blkid detection 2019-03-14 13:15:07 +01:00
Michael Boelen 48195ce221
Initial work to detect Lynis in cronjobs 2019-03-14 12:32:19 +01:00
Michael Boelen 3e7b319ec7
Readability changes and show when plugin execution is skipped 2019-03-14 12:31:39 +01:00
Michael Boelen 3cf64ff5a6
Preparations for user tips to improve usage of tool 2019-03-14 12:30:37 +01:00
Michael Boelen 95c11f8270
[KRNL-5820] Changed color for default value - fixes GitHub #655 2019-03-11 14:06:17 +01:00
Michael Boelen ec4d89b978
[BOOT-5122] don't use WARNING, but show NONE if no protection is implemented 2019-03-07 10:15:16 +01:00
chr0mag e33ca1ec58 [BOOT 5177] Simplify service filter & support multiple periods in names (#633) 
* Handle service names with multiple periods

The current awk filter produces truncated output if the service
name contains multiple periods.

eg. dbus-org.freedesktop.resolve1.service and
dbus-org.freedesktop.network1.service both appear as 'dbus-org' in
the resulting service list.

This change addresses this by filtering on '.service' instead.

* Simplify systemd service filtering

Added systemctl switches to filter the output based on enabled
or running services. This removes the need for one of the awk
statements.
 2019-03-07 10:10:21 +01:00
chr0mag 341612418f BOOT-5117 adds systemd-boot bootloader detection (#634) 
Adds a test to detect systemd-boot. The 'bootctl' binary is also
added as this is the utility used to inspect the systemd-boot
configuration.

This test is only executed if systemd is installed, the bootctl
utility exists and the system is booted in UEFI mode.
 2019-03-07 10:07:52 +01:00
silentcreek fb567465c9 [KRNL-5788] Fix false positive warning on missing /vmlinuz (#650) 
Not all architectures use a /vmlinuz symlink in Debian. For instance,
armhf systems may only provide a symlink in /boot/vmlinuz. Fall back to
testing /boot/vmlinuz if /vmlinuz is not found.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
 2019-03-07 10:05:12 +01:00
silentcreek 17f2e34660 [PKGS-7388] Fix false positive warning on missing security archive (#651) 
Currently the check for the security archive in Debian/Ubuntu fails, if
the archive is not hosted on security.{debian,ubuntu}.org and the URL
does have trailing slash, such as this:
  deb http://deb.debian.org/debian-security/ stretch/updates main

Change the regular expression to allow for a trailing slash in the URL
when filtering the package sources lists.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
 2019-03-07 10:03:11 +01:00
Michael Boelen 8888b01dcd
Store date and timestamp for EOL 2019-03-05 19:31:36 +01:00
jirib 0dafe4a02b better OpenBSD support (#641) 2019-03-05 19:03:44 +01:00
chr0mag 06bf77cb30 [FIRE-4540] Modify test to better measure rules (#636) 
This test was previously measuring the number of bytes (wc -c)
in the exported JSON which is likely not what was intended and
will lead to false positives anytime the number of bytes exceeds
16.

The export feature is poorly documented and requires the jansson
package on the target system to export as JSON - which may not
always be the case.

Lastly, 16 is an arbitrary and uncessarily high number. A simple
workstation firewall can have only 3 rules and be effective.

This commit makes use of 'nft list ruleset' instead of the export
command, strips out blank lines as well as table & chain headers
before measuring the number of lines in the output. Any result
with more than 3 rules is now considered non-empty. This is more
consistent with the equivalent iptables test case.
 2019-03-05 18:57:58 +01:00
Michael Boelen ff6446a5bc
Added 'show eol' command 2019-03-04 12:33:25 +01:00
Michael Boelen f7a291a62f
Use datestamps instead of date, due to compatibility with other platforms 2019-03-04 12:33:03 +01:00
Michael Boelen 9d8b12e0f8
Initial lookup with awk corrected 2019-03-04 12:13:47 +01:00
Michael Boelen e0b93ed0cc
Replace awk statement with grep to simplify search 2019-03-04 12:08:47 +01:00
Michael Boelen 19921ab001
Style improvements, typo, variable usage 2019-02-28 10:19:09 +01:00
chr0mag 353cf84413 [AUTH-9252] Sudo configuration file/folder check improvements (#637) 
* [AUTH-9252] Adds support for files in sudoers.d

This commit adds permission checks for files found in 'sudoers.d'.
Previously only the main 'sudoers' file is checked. Fixes #600.

* [AUTH-9252] Check drop-in directory permissions

The test case currently only checks file permissions. This adds
logic to check the drop-in directory permissions as well.

* [AUTH-9252] Check file/folder ownership

This test currently only checks file/directory permissions. This
commit adds checks to ensure sudo configuration files/folders are
owned with UID=0 and GID=0.
 2019-02-28 10:15:57 +01:00
dataking 76ec39176a Fix #638. (#640) 
* fix for issue #453; simply add RPi/Raspian path to PAM_FILE_LOCATIONS

* Only use data before # to handle inline comments in /etc/resolv.conf.
 2019-02-28 09:51:57 +01:00