Commit Graph

124 Commits

Author SHA1 Message Date
Michael Boelen 38310223a6
Updated date/year 2020-03-20 14:50:25 +01:00
Michael Boelen 8c0b42cdae
Merge pull request #861 from topimiettinen/enhance-selinux-check
Enhance SELinux checks
2020-03-20 14:00:57 +01:00
Topi Miettinen 820d2ec607
Check DNSSEC status with resolvectl when available
'resolvectl statistics' shows if DNSSEC is supported by
systemd-resolved and upstream DNS servers.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-19 23:56:24 +02:00
Topi Miettinen fb9cdb5c43
Enhance SELinux checks
Display and log: permissive types (rules are not enforced), unconfined
processes (not confined by rules) and processes with initrc_t
type (generic type with weak rules).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-19 19:45:37 +02:00
Michael Boelen d1db448c51
Skip pacman when it is the game instead of package manager 2020-03-17 13:02:59 +01:00
Kevin 42b2831f75 add basic xbps/void support 2020-02-21 08:06:24 +01:00
Michael Boelen f00447fd1b
Style change, add curly brackets 2019-12-06 15:55:59 +01:00
Kristian Schuster 4898e48e16
don't fail relative paths check with spaces in PATH 2019-10-22 21:43:37 +02:00
Kristian Schuster 7b52ff52c7
add check for disabled coredumps in etc/profile and systemd 2019-10-13 22:06:50 +02:00
Michael Boelen a1b6d463b2
Fixed a typo 2019-09-21 16:31:06 +02:00
Michael Boelen 36627a4eb7
Style improvements 2019-09-19 14:05:15 +02:00
Michael Boelen 5c38a0bdb4
Tests using lsof may ignore threads (if supported) 2019-09-13 11:47:39 +02:00
Michael Boelen a714568842
Merge pull request #731 from chr0mag/cryp-7930
[CRYP-7930] Modify to use 'lsblk' and 'cryptsetup'
2019-08-21 12:31:36 +02:00
Michael Boelen 48ba463376
Added support for swupd (Clear Linux OS) 2019-08-04 19:37:55 +02:00
Julian Phillips 84dd024887 [CRYP-7930] Modify to use 'lsblk' and 'cryptsetup'
There are several challenges with the existing method of using
/etc/crypttab:

1) encrypted rootfs partitions are not typically listed in this
file (users are prompted for password in early boot instead)

2) the 'luks' option is the default option so it is possible for
/etc/crypttab entries to never have this set explicitly and any
block device configured as such will be missed currently

3) any device mounted manually, or using any other mechanism aside
from /etc/crypttab will be missed

This commit executes 'cryptsetup isLuks' on every block device in
the system to determine whether it is a LUKS device. This handles
all 3 cases mentioned above.

Test case wording was also updated to reflect the fact that it
only checks for LUKS encrypted block devices. So, plain dm-crypt
and TrueCrypt/VeraCrypt block device encryption is not detected.
Nor is any file system level encryption such as eCryptfs, EncFs,
gocryptfs.
2019-07-17 16:18:12 -07:00
Michael Boelen fa8bad20db
Use -n instead of ! -z 2019-07-16 13:20:30 +02:00
Michael Boelen 96434508d4
Disable testing for other tools, as xxd is not present on all systems by default 2019-07-14 12:18:22 +02:00
Michael Boelen c639cb4f6e
Only check empty binaries when we did a full scan, as for some commands the binary scanning is not performed 2019-07-05 18:37:10 +02:00
Michael Boelen bc88775d0e
When PATH is defined, only locations from variable 2019-07-01 07:39:32 +02:00
Michael Boelen fdacc00b45
Security: test PATH and warn or exit on discovery of dangerous location 2019-06-30 19:21:07 +02:00
Michael Boelen 5e4e44bdf3
Added check to ensure that common system tools are defined as extra safety measure 2019-06-30 18:27:31 +02:00
Michael Boelen 94e0a4e40d
Added Suricata (IDS) 2019-06-24 15:38:34 +02:00
Michael Boelen 8d16a62bbd
Added Bro (IDS) 2019-06-24 15:37:40 +02:00
Michael Boelen e195e7c8e0
Corrected lsvg binary detection 2019-04-09 08:26:16 +02:00
Michael Boelen 2750e9b7b8
Detect equery binary 2019-04-07 15:50:46 +02:00
Michael Boelen de2ef2c3e7
Add apt and dpkg binaries 2019-03-29 12:23:45 +01:00
Michael Boelen 703a856e82
Corrected blkid detection 2019-03-14 13:15:07 +01:00
chr0mag 341612418f BOOT-5117 adds systemd-boot bootloader detection (#634)
Adds a test to detect systemd-boot. The 'bootctl' binary is also
added as this is the utility used to inspect the systemd-boot
configuration.

This test is only executed if systemd is installed, the bootctl
utility exists and the system is booted in UEFI mode.
2019-03-07 10:07:52 +01:00
jirib 0dafe4a02b better OpenBSD support (#641) 2019-03-05 19:03:44 +01:00
Michael Boelen 66066ae226
Changed year and preparing for new release 2019-01-31 14:47:35 +01:00
theycallhimpat 0f32d2725c Fix printed error when wget comes from busybox (#602)
Busybox's wget doesn't provide the -V parameter to get the version, so
redirect stderr to /dev/null to hide the printed error message
2018-12-17 09:53:27 +01:00
Deon Spengler 72796f5757 Added support for TOMOYO Linux Mandatory Access Control (#589)
* Added binary for TOMOYO Linux

* Added support for TOMOYO Linux Mandatory Access Control
2018-10-17 14:20:52 +02:00
Michael Boelen c53072e31e
Ensure a parent directory with binaries is scanned - issue #517 on GitHub 2018-02-06 10:45:41 +01:00
Michael Boelen 7b664a7560
Reverse PATH search 2018-01-25 19:43:51 +01:00
Michael Boelen 3a4bc4db9c
Use binary paths from both PATH and predefined list to improve detection on all platforms 2018-01-25 19:14:58 +01:00
Dave Vehrs 8f689d4723 Adding USBGuard to checks for USB Devices. (#499)
* Added kernel.dmesg_restrict to sysctl checks.

* Initial addition of tests_usb_devices

* More updates for tests_usb_devices

* More updates

* Updated logging and other output.
2018-01-24 19:29:50 +01:00
Michael Boelen 3957ca32cd
Minor code enhancements 2018-01-18 16:23:23 +01:00
Michael Boelen 173068b402
Added getcap and grpck back 2018-01-18 11:10:11 +01:00
Michael Boelen 4f751c9037
Remove service manager reference from systemctl, minor cleanup 2018-01-18 10:23:39 +01:00
Michael Boelen 182ce09bc1
Additional code enhancements 2018-01-18 09:19:06 +01:00
mslifcak 173843bdfd Pin svc mgr (#506)
* systemctl does not mean systemd is used

* Check for systemd active

* determine service manager if not already set
2018-01-17 15:56:19 +01:00
Michael Boelen 9ba5d200ad
Enhancements to reduce file access and removing unneeded variables 2018-01-17 14:46:29 +01:00
mslifcak 2c774b8795 sort BIN_PATHS before process (#510) 2018-01-17 13:49:07 +01:00
Michael Boelen b4758e0b23
Use PATH variable as first method to scan directories 2018-01-11 12:05:21 +01:00
Michael Boelen 66f8cb2441
Changed year 2018-01-11 09:50:26 +01:00
Michael Boelen 4042c45954
Changes for new plugin class 'hardware' 2017-12-08 09:37:55 +01:00
Michael Boelen 499f7d5015
Improve process detection 2017-09-16 14:08:26 +02:00
Brian Ginsbach 30c58dd1ed Don't assume sshd version is in first line (#452)
There are some versions of OpenSSH where the version information
isn't in the first line (like NetBSD's with the HPN patches).
2017-09-04 15:33:28 +02:00
Michael Boelen 00648a636c
Improve systemd detection 2017-08-17 20:28:32 +02:00
Michael Boelen 4ecb9d4d05
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests 2017-04-30 17:59:35 +02:00