Process output from journalctl (v245) like: "Archived and active
journals take up xxx.xM in the file system."
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
PAM rules may have a leading '-' character to indicate that if the
module is missing, the error will be ignored, so let's ignore it in
the check.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
* fix testname in one Register and four comments
* remove db dup MAIL-8816; add db AUTH-9489 BOOT-5261 CORE-1000 FILE-6363 FILE-6439 KRNL-5831 MAIL-8817 SINT-7010 USB-3000
* fix description PLGN-3856
* Use PAM_DIRECTORY variable where appropriate
* Skip checking FreeBSD/NetBSD pam.d/README as a PAM file
FreeBSD and NetBSD install a README file in /etc/pam.d. Attempting
to check this file as a PAM file just generates a lot of garbage
exceptions in the log.
* Handle 'include' as a PAM control-flag
OpenPAM and some versions of Linux PAM can have a configuration
where the control-flag is 'include'. Skip further processing as
these files will be processed separately.
* Add missing commonly seen specific PAMs
Add some missing commonly seen specific PAMs from FreeBSD, NetBSD,
and OS X/macOS. The OS X/macOS PAMs were taken from a 10.5 (Leopard)
and 10.10 (Yosemite) system respectively.
Both FreeBSD and NetBSD come with a pam_ssh PAM. Add a warning
when found confitured as it presents a potential security risk (see
pam_ssh(8) on FreeBSD/NetBSD).
* Description fix: SafePerms works on files not dirs.
All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).
* Lots of whitespace cleanups.
Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces. But sometimes
it's 1, sometimes 3, sometimes 8.
These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).
This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.
FWIW I identified instances to check by using:
perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)
Which produced output like:
./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated"
./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then
./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists"
...There's probably formal shellscript-beautification tools that
I'm oblivious about.
* More whitespace standardization.
* Fix a syntax error.
This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.
* Add whitespace before closing ].
Without it, the shell thinks the ] is part of the last string, and
emits warnings like:
.../lynis/include/tests_authentication: line 1028: [: missing `]'
* Typo fix.
* Style change: always use $(), never ``.
The Lynis code already mostly used $(), but backticks were sprinkled
around. Converted all of them.
* Lots of minor spelling/typo fixes.
FWIW these were found with:
find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less
And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.