tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
2,112 Commits 2 Branches 62 Tags 17 MiB
Commit Graph

79 Commits

Author SHA1 Message Date
Michael Boelen 84faf57b30
[SSH-7402] when SSH configuration has Match block, allow evaluation of full configuration 2018-05-14 08:29:30 +02:00
Thomas Sjögren c25910cb31 delayed is a legacy synonym (#531) 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2018-04-23 10:57:27 +02:00
Michael Boelen 4ba9882335
Added notes 2018-01-23 17:37:27 +01:00
mslifcak 84ea9530d7 restore UsePrivilegeSeparation to list of ssh daemon checks (#509) 2018-01-23 17:35:34 +01:00
Michael Boelen 66f8cb2441
Changed year 2018-01-11 09:50:26 +01:00
Michael Boelen 76b4afb14d
[SSH-7408] set default 'delayed' compression as a sane value 2017-09-18 19:18:11 +02:00
Lukas Pirl b3dffbf750 remove test for deprecated sshd option UsePrivilegeSeparation (#432) 
see also https://www.openssh.com/txt/release-7.5
 2017-08-16 20:33:33 +02:00
Michael Boelen 70ea29483a
Code enhancements 2017-04-23 20:06:54 +02:00
hlein e054e9757c Lots of cleanups (#366) 
* Description fix: SafePerms works on files not dirs.

All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).

* Lots of whitespace cleanups.

Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces.  But sometimes
it's 1, sometimes 3, sometimes 8.

These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).

This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.

FWIW I identified instances to check by using:

  perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces="";  } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)

Which produced output like:

  ./extras/build-lynis.sh:217:            if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
  ./extras/build-lynis.sh:218:               echo "[X] Version in specfile is outdated"

  ./plugins/plugin_pam_phase1:69:        if [ -d ${PAM_DIRECTORY} ]; then
  ./plugins/plugin_pam_phase1:70:                LogText "Result: /etc/pam.d exists"

...There's probably formal shellscript-beautification tools that
I'm oblivious about.

* More whitespace standardization.

* Fix a syntax error.

This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.

* Add whitespace before closing ].

Without it, the shell thinks the ] is part of the last string, and
emits warnings like:

  .../lynis/include/tests_authentication: line 1028: [: missing `]'
 2017-03-07 19:23:08 +00:00
hlein b595cc0fb5 Various cleanups (#363) 
* Typo fix.

* Style change: always use $(), never ``.

The Lynis code already mostly used $(), but backticks were sprinkled
around.  Converted all of them.

* Lots of minor spelling/typo fixes.

FWIW these were found with:

  find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less

And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
 2017-03-06 07:41:21 +00:00
Michael Boelen d15ba9607f [SSH-7408] Corrected variable and allow a few more retries to prevent issues with public key authentication 2017-03-01 16:07:32 +01:00
Michael Boelen a817bf2f1b [SSH-7408] allow filtering for multiple options and new SSH value for PermitRootLogin 2017-02-15 13:14:54 +01:00
Michael Boelen 34ba1ba184 Changed date and preparing for release 2017-02-09 13:35:40 +01:00
Michael Boelen 82ededed31 Style improvements and command replacements 2016-09-08 21:04:17 +02:00
Michael Boelen 679e8c628e Use detected binaries 2016-08-25 15:31:33 +02:00
Michael Boelen 2f4c854ba7 Rename of categories, introduction of groups 2016-07-24 17:22:00 +02:00
Lukas Pirl f19f5927a5 added test for AllowAgentForwarding being turned off (#222) 
for reasons, see links below:
  https://wiki.mozilla.org/Security/Guidelines/OpenSSH#SSH_agent_forwarding
  https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/
 2016-07-11 11:25:51 +02:00
Michael Boelen 983e293eb1 Replaced text strings to allow translations 2016-06-18 11:14:01 +02:00
Michael Boelen 52ad74c5ce [SSH-7408] Show SSH items as a suggestion on screen, like in the report 2016-06-11 14:45:17 +02:00
Eric Light 47748c8fd8 UseDNS = No is a safer configuration (#204) 
See Issue #197.  

References:
 - https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/424371/comments/11
 - https://unix.stackexchange.com/questions/56941/what-is-the-point-of-sshd-usedns-option
 - https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
 2016-05-19 19:58:52 +02:00
mboelen 6e2640c4d5 Retrieve SSH settings from active configuration and store earlier, test with lowercase settings for other tests 2016-05-02 15:04:40 +02:00
mboelen 42607ceaf5 Replaced old function names with new ones 2016-04-28 12:31:57 +02:00
mboelen 5757837e28 Show skipped items when running in verbose mode 2016-04-20 12:08:10 +02:00
Eric Light a6393bd8a0 Display skipped atomic tests (#169) 
Added section to log & display skipped atomic tests.
 2016-04-20 10:46:40 +02:00
mboelen a2594fc370 [SSH-7408] Allow skipping some of the SSH tests 2016-04-19 12:37:40 +02:00
mboelen 0783b2fd4b Use SSH configuration from sshd instead of configuration file, add more details to report 2016-04-19 12:04:51 +02:00
mboelen 2c815129e4 Added details and changed suggestion text 2016-04-19 09:54:18 +02:00
mboelen 4d52e64b2a Match sshd process running and/or port 22 listening 2016-03-30 13:48:18 +02:00
Kamil Boratyński 232419df8c Modified SSH service checking. 2016-03-22 23:54:38 +01:00
mboelen 8cc47819b4 Removed copyright line, added description 2016-03-13 16:03:46 +01:00
mboelen 6197ac08e7 Added link to website, blog, github 2016-03-13 16:00:39 +01:00
mboelen 62f31a8b82 SSH-7408: use only the last occurrence of a configured option 2016-03-08 08:47:25 +01:00
Eric Light 4f38eb4739 Removed ServerAliveInterval 
Belongs in ssh_config instead.  Ref issue #120
 2016-02-10 09:24:19 +13:00
mboelen c4888fbb8e Added value for ServerAliveInterval setting 2016-02-09 15:53:11 +01:00
mboelen a3b4705508 Reordered SSH options, added ServerAliveInterval, changed TCPKeepAlive suggestion 2016-02-09 12:54:47 +01:00
asiebelt a095ba64a0 Fix scoring logic for "<" 2016-01-02 18:13:07 +01:00
asiebelt 7f462d0a41 Fix typo 2016-01-02 18:07:02 +01:00
asiebelt 81bac124ee Fix Scoring for "<" 2016-01-02 18:03:11 +01:00
asiebelt 99fd20aae0 Fix Test Definition 2016-01-02 17:49:01 +01:00
asiebelt 4234a646ed Update tests_ssh 2016-01-02 17:39:25 +01:00
mboelen d16b38eff8 Rename of logtext and report functions, upcoming year change 2015-12-21 21:17:15 +01:00
Kamil Boratyński 8c544846ab Improved [SSH-7408] with 'AllowTcpForwarding'. 2015-12-07 07:15:48 +01:00
Kamil Boratyński 785119824e Improved [SSH-7408] with 'PermitTunnel'. 2015-12-07 07:15:03 +01:00
Kamil Boratyński 490fd6d5ec Improved [SSH-7408] with 'GatewayPorts'. 2015-12-07 07:14:19 +01:00
Kamil Boratyński 3817ffd299 Improved [SSH-7408] with 'PermitUserEnvironment'. 2015-12-06 01:46:47 +01:00
Kamil Boratyński 5487401aba Improved [SSH-7408] with 'MaxSessions'. 2015-12-06 01:46:47 +01:00
Kamil Boratyński 47576a1bd0 Improved [SSH-7408] with 'MaxStartups'. 2015-12-06 01:46:35 +01:00
Kamil Boratyński 35b663cff9 Improved [SSH-7408] with 'LoginGraceTime'. 2015-12-06 01:45:31 +01:00
Kamil Boratyński 96dfb5cf15 Improved [SSH-7408] with 'Port'. 2015-12-06 01:41:23 +01:00
Kamil Boratyński c394024769 [SSH-7408]: Implemented '!' test type. 2015-12-05 21:46:03 +01:00