tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
2,857 Commits 2 Branches 62 Tags 17 MiB
Commit Graph

1908 Commits

Author SHA1 Message Date
Michael Boelen db117ae644
Merge branch 'master' of https://github.com/CISOfy/lynis 2020-03-25 10:11:34 +01:00
Michael Boelen f644927a42
Improved warning message with 'how to resolve' 2020-03-25 10:11:25 +01:00
Topi Miettinen 339e0c3207
[FILE-6374]: Summarize unhardened file system 
Report total numbers of unhardened filesystems.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-25 09:18:16 +02:00
Michael Boelen 3c8e3b0adb
Merge pull request #862 from topimiettinen/blacklist-fs 
FS module tests: check if modules are blacklisted
 2020-03-24 13:34:05 +01:00
Michael Boelen 3c3feecbfb
Merge pull request #824 from Varbin/master 
Add detection of OpenNTPD
 2020-03-24 13:29:02 +01:00
Michael Boelen f83025a283
Merge pull request #860 from topimiettinen/harden-mount-options 
Harden mount options for /var, check also /dev and /run
 2020-03-24 13:27:50 +01:00
Michael Boelen dbfadc5446
Merge pull request #879 from topimiettinen/enhance-tomoyo-check 
Enhance TOMOYO Linux check
 2020-03-24 13:26:33 +01:00
Michael Boelen 18a570c0b8
Merge pull request #880 from konstruktoid/grphashrounds 
Add test for group password hash rounds
 2020-03-24 13:24:12 +01:00
Thomas Sjögren bc09f921f0 fix indentation 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2020-03-24 11:53:50 +01:00
Thomas Sjögren 0b9e2d85d6 fix tabs 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2020-03-24 11:45:05 +01:00
Thomas Sjögren 5341fa7b29 AUTH-9229 isnt related to login.defs, add AUTH-9230 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2020-03-24 11:44:14 +01:00
Topi Miettinen e09fe98b89 Enhance TOMOYO Linux check 
Count and log unconfined processes, which are not using policy
profile 3.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-23 18:44:21 +02:00
Topi Miettinen 0da82a18cb
FS module tests: check if modules are blacklisted 
Check if FS modules are blacklisted.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-23 17:43:53 +02:00
Topi Miettinen 8913374092 Run 'systemd-analyze security' 
'systemd-analyze security' (available since systemd v240) makes a nice
overall evaluation of hardening levels of services in a system. More
details can be found with 'systemd-analyze security SERVICE' for each
service.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-23 17:31:32 +02:00
Michael Boelen 7bba7bd4af
Removed incorrect process name from list, enable --full as it is required for matching jitterentropy-rngd 2020-03-23 16:13:39 +01:00
Michael Boelen dcddfdb6cc
Merge branch 'master' of https://github.com/CISOfy/lynis 2020-03-23 15:56:03 +01:00
Michael Boelen 1e74f9be9a
Fixed 'lynis show details' output 2020-03-23 15:55:40 +01:00
Michael Boelen 8f77116ce7
Merge pull request #876 from topimiettinen/enhance-apparmor-check 
Enhance AppArmor check
 2020-03-23 15:24:52 +01:00
Michael Boelen 7d1fe1231a
[CRYP-8005] added haveged, match against process name instead of full command line, code cleanup 2020-03-23 14:29:47 +01:00
Michael Boelen 1eb9218986
Merge branch 'master' of https://github.com/CISOfy/lynis 2020-03-23 13:19:29 +01:00
Michael Boelen 17bbaa8f7a
[AUTH-9229] make test only available for root 2020-03-23 13:19:10 +01:00
Michael Boelen 32cefdea0a
Merge pull request #878 from topimiettinen/check-ima-evm 
Check IMA/EVM, dm-integrity and dm-verity statuses
 2020-03-23 13:18:16 +01:00
Michael Boelen 122619d01f
Merge pull request #874 from topimiettinen/check-password-hashing-methods 
Check password hashing methods
 2020-03-23 12:49:20 +01:00
Michael Boelen 17ac4d2c1c
[AUTH-9252] corrected permission check 2020-03-23 10:44:45 +01:00
Topi Miettinen 8ea39314f2
Check for dm-integrity and dm-verity 
Detect tools for dm-integrity and dm-verity, check if some devices
in /dev/mapper/* use them and especially the system root device.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-23 10:35:38 +02:00
Michael Boelen 058b071ea2
Merge pull request #877 from bginsbach/auth-9268-add-bsd 
Add FreeBSD and NetBSD to AUTH-9268
 2020-03-22 15:16:09 +01:00
Topi Miettinen 203a4d3480
Check IMA/EVM status 
Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement
Architecture) status.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-22 11:21:52 +02:00
Brian Ginsbach 33ba896b41 Add FreeBSD and NetBSD to AUTH-9268 
Add FreeBSD and NetBSD as both support PAM. Simplify the PREQS_MET
test by using a case rather than a long if or.
 2020-03-21 20:03:37 -05:00
Brian Ginsbach f56c3b5f94 Combine NetBSD and OpenBSD AUTH-9234 check 
Both NetBSD and OpenBSD have `useradd(8)`, so they can share logic
checking `/etc/usermgmt.conf` for the default user UID range.
 2020-03-21 16:16:34 -05:00
Brian Ginsbach 044c78452b Add AUTH-9234 for NetBSD 2020-03-21 16:10:05 -05:00
Topi Miettinen e0e2096a25
Enhance AppArmor check 
Count and log unconfined processes which have no AppArmor profile
applied.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-21 17:14:55 +02:00
Topi Miettinen 26a54991ba
Check for software pseudo random number generators 
Check for running audio-entropyd, havegd or jitterentropy-rngd.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-21 16:26:30 +02:00
Michael Boelen 148e5b5c14
Merge pull request #870 from bginsbach/boot-5260-linux 
Make BOOT-5260 Linux only
 2020-03-21 13:54:21 +01:00
Michael Boelen 1bb35b86b8
Merge pull request #873 from topimiettinen/fix-developer-profile 
Fix developer profile
 2020-03-21 13:50:03 +01:00
Michael Boelen 357b059c12
Merge pull request #871 from bginsbach/fix-find-not 
Fix uses of non-standard find not operator
 2020-03-21 13:43:28 +01:00
Topi Miettinen 4a51ad031b
Check password hashing methods 
Manual page crypt(5) gives recommendations for choosing password
hashing methods, so let's check if there are weakly encrypted
passwords in the system.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-21 12:50:38 +02:00
Topi Miettinen e98fcb9b73
Fix developer profile 
Initialialize a few variables to let --profile developer.prf pass.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-20 22:26:51 +02:00
Brian Ginsbach 9c5451d29d Make BOOT-5260 Linux only 
Linux is the only OS with systemd so no need to check for systemd
single user mode on other operatings systems.
 2020-03-20 14:40:20 -05:00
Brian Ginsbach 32d1155953 Fix uses of non-standard find not operator 
Use ! rather than the non-standard -not find(1) operator.
 2020-03-20 14:37:56 -05:00
Brian Ginsbach 52344913d3 Add a way to signify undetermined EOL 
Replace setting an artificaly high date and converted date for
operating systems with no EOL (rolling) or the EOL is still to
be determined. This makes it easier for humans and saves making
a comparison (when using an artifically high converted time)
will always be false (EOL=0).

An example entry

        os:AGreatOS 2.0:👎

The converted time (seconds since the epoch) could be specified as
zero but this typically means the OS is out of date (now), A value
of -1 is a convention indicating no EOL.
 2020-03-20 13:42:28 -05:00
Michael Boelen 1f8b5fafde
Add OS to 'show eol' and make output easier to parse 2020-03-20 14:57:56 +01:00
Michael Boelen 38310223a6
Updated date/year 2020-03-20 14:50:25 +01:00
Michael Boelen 8c0b42cdae
Merge pull request #861 from topimiettinen/enhance-selinux-check 
Enhance SELinux checks
 2020-03-20 14:00:57 +01:00
Michael Boelen bf7bd1415b
Merge pull request #867 from topimiettinen/check-dnssec-resolvectl 
Check DNSSEC status with resolvectl when available
 2020-03-20 09:46:40 +01:00
Topi Miettinen 820d2ec607
Check DNSSEC status with resolvectl when available 
'resolvectl statistics' shows if DNSSEC is supported by
systemd-resolved and upstream DNS servers.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 23:56:24 +02:00
Topi Miettinen fb9cdb5c43
Enhance SELinux checks 
Display and log: permissive types (rules are not enforced), unconfined
processes (not confined by rules) and processes with initrc_t
type (generic type with weak rules).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 19:45:37 +02:00
Michael Boelen ddcf9bc713
[BOOT-5122] check for defined password in all GRUB configuration files 2020-03-19 15:52:03 +01:00
Topi Miettinen 72e8f572bf
Harden mount options for /var, check also /dev and /run 
There should not be any need for char/block devices in /var, so
propose nodev. Sockets are not affected.

Check also /dev for noexec,nosuid and /run for
nodev,nosuid. Historically there was /dev/MAKEDEV script but that's
long gone.

In case a file system is not found in /etc/fstab, check if they are
mounted otherwise (e.g. via systemd mount units).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 16:39:02 +02:00
Michael Boelen 6d9ebe4136
Merge pull request #857 from topimiettinen/handle-kernel-img.conf 
Check if /vmlinuz is missing due to /etc/kernel-img.conf
 2020-03-19 15:33:47 +01:00
Michael Boelen 51d727d611
Merge pull request #858 from topimiettinen/fix-enabled-running-processes 
Fix logging of running and enabled services
 2020-03-19 15:32:54 +01:00