Commit Graph

21 Commits

Author SHA1 Message Date
Michael Niewöhner 7ae81514b4 Fix 2FA report (#497) 2017-12-14 08:54:28 +01:00
Brian Ginsbach 8e97fc5625 Various PAM cleanups for FreeBSD, NetBSD, and macOS. (#454)
* Use PAM_DIRECTORY variable where appropriate

* Skip checking FreeBSD/NetBSD pam.d/README as a PAM file

FreeBSD and NetBSD install a README file in /etc/pam.d.  Attempting
to check this file as a PAM file just generates a lot of garbage
exceptions in the log.

* Handle 'include' as a PAM control-flag

OpenPAM and some versions of Linux PAM can have a configuration
where the control-flag is 'include'.  Skip further processing as
these files will be processed separately.

* Add missing commonly seen specific PAMs

Add some missing commonly seen specific PAMs from FreeBSD, NetBSD,
and OS X/macOS. The OS X/macOS PAMs were taken from a 10.5 (Leopard)
and 10.10 (Yosemite) system respectively.

Both FreeBSD and NetBSD come with a pam_ssh PAM.  Add a warning
when found confitured as it presents a potential security risk (see
pam_ssh(8) on FreeBSD/NetBSD).
2017-09-04 15:32:57 +02:00
Michael Boelen 4ecb9d4d05
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests 2017-04-30 17:59:35 +02:00
hlein e054e9757c Lots of cleanups (#366)
* Description fix: SafePerms works on files not dirs.

All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).

* Lots of whitespace cleanups.

Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces.  But sometimes
it's 1, sometimes 3, sometimes 8.

These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).

This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.

FWIW I identified instances to check by using:

  perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces="";  } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)

Which produced output like:

  ./extras/build-lynis.sh:217:            if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
  ./extras/build-lynis.sh:218:               echo "[X] Version in specfile is outdated"

  ./plugins/plugin_pam_phase1:69:        if [ -d ${PAM_DIRECTORY} ]; then
  ./plugins/plugin_pam_phase1:70:                LogText "Result: /etc/pam.d exists"

...There's probably formal shellscript-beautification tools that
I'm oblivious about.

* More whitespace standardization.

* Fix a syntax error.

This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.

* Add whitespace before closing ].

Without it, the shell thinks the ] is part of the last string, and
emits warnings like:

  .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 19:23:08 +00:00
hlein b595cc0fb5 Various cleanups (#363)
* Typo fix.

* Style change: always use $(), never ``.

The Lynis code already mostly used $(), but backticks were sprinkled
around.  Converted all of them.

* Lots of minor spelling/typo fixes.

FWIW these were found with:

  find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less

And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
2017-03-06 07:41:21 +00:00
Michael Boelen 2c56651698 Added PLGN-0008 to parse /etc/security/pwquality.conf 2017-03-01 16:28:05 +01:00
Michael Boelen d080f8f6b7 Initialize variable 2017-03-01 16:07:45 +01:00
Michael Boelen dfce1a770a Removed local variable assignment to prevent portability issues 2016-05-09 14:20:16 +02:00
mboelen 4913caadbc Replaced old functions and do less logging to increase speed 2016-04-28 12:59:13 +02:00
mboelen 021fd8a98c Reduce debugging for PAM plugin 2016-04-25 15:49:21 +02:00
mboelen 2b7e9a9dc2 Log unknown line types 2016-03-03 12:20:02 +01:00
mboelen 7afc82a8aa Set enable status of pwhistory module at beginning of test 2015-10-23 15:53:22 +02:00
mboelen e2b8b9b18a Enabled status of pwhistory module if remember option is used 2015-10-23 14:37:48 +02:00
mboelen d058ba8bfc Added password history tests to PAM plugin 2015-10-22 15:55:14 +02:00
mboelen 2f9b793b78 Added logging of maximum password retries 2015-10-21 23:26:41 +02:00
mboelen 8cddc58c85 Added logging of maximum password retries 2015-10-21 23:11:03 +02:00
mboelen 4cbeb31078 Changes to improve password strength testing 2015-10-21 22:58:52 +02:00
mboelen 7d76efbb78 Improved parsing of PAM files, related logging, password settings 2015-10-21 21:44:58 +02:00
mboelen 8c5f67f624 Added debugging and several fixes 2015-10-15 20:10:21 +02:00
mboelen 361e70fa13 Changed path and added debugging to log file 2015-10-15 19:54:58 +02:00
mboelen 0e3dac5758 Adding new plugin for parsing PAM configurations 2015-10-08 22:36:20 +02:00