tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
3,283 Commits 2 Branches 62 Tags 17 MiB
Commit Graph

2157 Commits

Author SHA1 Message Date
0ri0n f988e573db
Add missing PHP 7.4 check for BSD 2020-07-27 13:59:46 -04:00
0ri0n 9b388518de
Add PHP 7.4 Detection Paths 2020-07-26 23:33:34 -04:00
Thomas Sjögren baf5f7ad4d add Microsoft Defender ATP, malware scanner 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2020-07-21 23:56:47 +02:00
Simon Biewald e27208a342
use STATBINARY, put filename in variable 2020-07-10 00:48:12 +02:00
Simon Biewald 7ba220811f
use = instead of == 2020-07-10 00:41:45 +02:00
Simon Biewald 092fe08c40
shellcheck: check exit code directly 2020-07-10 00:40:36 +02:00
Simon Biewald d4639b3c6a
find more cron ntp clients, iterate over cron files with glob 2020-07-10 00:29:35 +02:00
Simon Biewald 9107867fa1
use correct regex and comparison to match peers 2020-07-09 18:57:01 +02:00
Simon Biewald df7c6257a5
compare correct stuff in openntpd tests 
I accidentially compared rubbish in the openntpd tests,
thus they were not executed at all.
Additionally, == was used instead of =.
 2020-07-09 18:41:09 +02:00
Simon Biewald 38b6105c60
add new test to test database 2020-07-09 18:27:02 +02:00
Simon Biewald b2be7c160e
detect and test for timesyncd w/o working timedatectl 
On systems without dbus timedatectl does not work.

Thus it is checked if timesyncd currently runs and when
/run/systemd/timesyncd/synchronized was last modified.
Timesyncd touches this file on any sucessfull synchronization.
This is documented in systemd-timesyncd(8).

The new test for successfull documentation has the id TIME-3185.
 2020-07-09 18:19:35 +02:00
Kepi a2e752a8db [functions] ParseNginx: Ignore empty included wildcards 
Its ok to have empty directories included. We should not output errors with
lsbinary unable to find anything there.
 2020-07-07 15:38:19 +02:00
Kepi de18ddc2c0 [functions] ParseNginx: Support include on absolute paths 
Includes can be absolute paths too. This is quick fix counting on fact that
absolute paths have slash at start.
 2020-07-07 15:37:56 +02:00
Michael Boelen 9165cb76fa
Merge pull request #972 from igloonet/fix/FILE-6425-no-modprobe-d 
[FILE-6430] Don't grep nonexistant modprobe.d files
 2020-07-07 12:29:11 +02:00
Michael Boelen 6eae35e564
Fix for too short IDs due to hexdump output missing leading or trailing zeroes 2020-07-06 09:26:27 +02:00
Kepi f94817f66f Command line option for slow test threshold 
IMHO it should be OK to run long tests if we count with it.

Example:

    lynis audit system --slow-warning 300

Will warn when test takes longer than 300 seconds, instead of default 10.
 2020-07-02 23:42:28 +02:00
Kepi 9d52395952 [FILE-6430] Don't grep nonexistant modprobe.d files 
We don't want to grep files in modprobe.d when dir is empty. Uses same approach
as in USB-1000.
 2020-07-02 18:22:03 +02:00
Michael Boelen ea38da3439
Add /etc/os-release detection of Linux Mint 2020-06-28 14:58:23 +02:00
Chris Lynch 5b11c468eb Fix for Issues #964 - Pop!_OS added to osdetection 2020-06-27 10:44:31 +01:00
Michael Boelen 96e7ba5aaa
Activate test for all operating systems, remove function keyword 2020-06-27 10:21:24 +02:00
Wes Price dcf9bd0938 [AUTH-9229] resolving syntax error on MacOS Catalina 2020-06-26 12:29:40 -10:00
Michael Boelen e6c6fdc9a8
[AUTH-9229] Undo escaping exclamation mark and disabling test for AIX and macOS 2020-06-26 10:24:37 +02:00
Michael Boelen 871f95cbf3
Use BSD style format when calling stat 2020-06-26 09:53:23 +02:00
Michael Boelen 9f0bbf52ea
[FIRE-4534] set initial state 2020-06-26 09:44:39 +02:00
Michael Boelen 68c6bdff16
[AUTH-9229] escaped exclamation mark 2020-06-26 09:34:40 +02:00
Michael Boelen 8a5b2a4099
Merge pull request #920 from jsrc27/Fix-KRNL-5730 
Fix KRNL-5730 to properly check /proc/config.gz
 2020-06-24 09:21:32 +02:00
Michael Boelen c707b7d100
[MALW-3280] added additional BitDefender process 2020-06-24 08:09:12 +02:00
Michael Boelen 36f86d76c4
[AUTH-9229] added option to look for LOCKED accounts 2020-06-23 13:57:14 +02:00
Michael Boelen 610f70d5aa
[INSE-8312] corrected text 2020-06-23 13:56:13 +02:00
Alexander Lackner d7870e3f5c Added macOS Big Sur (11.0) 2020-06-22 20:44:58 +02:00
Michael Boelen b980223d42
Merge pull request #958 from Steve8291/patch-2 
fix stderr output from cryptsetup status
 2020-06-22 14:26:47 +02:00
Michael Boelen 75738ceeab
Fix for language detection, unset LANG as right place 2020-06-22 10:25:02 +02:00
Michael Boelen a2f8bdc5f8
[BOOT-5122] presence check for grub.d added 2020-06-22 10:18:01 +02:00
Steve8291 c02ce49ce3
fix stderr output from cryptsetup status 
Redirected stderr to /dev/null to silence output of `cryptsetup status /swap.img`
This was causing error output from my cron script.
Otherwise, if the swap file is not encrypted then the following error will be printed:
`Device swap.img not found`
 2020-06-21 10:47:28 -04:00
Michael Boelen 6d9b530bf4
[KRNL-5830] improved detection for non-symlinked kernel on disk 2020-06-21 13:14:08 +02:00
Michael Boelen aebd5ed9b3
Remove unneeded line in log to prevent double entry 2020-06-21 12:57:05 +02:00
Michael Boelen b2350f2f6c
Add log entry to help troubleshooting users that still use old-style configuration entries in profile 2020-06-21 12:52:50 +02:00
Michael Boelen 6a9e94befb
Reordered items, added Kali Linux, improved exception message 2020-06-19 11:10:22 +02:00
Michael Boelen 3b9eda53cc
CVE-2019-13033 - Discovered by Sander Bos 2020-06-18 12:36:04 +02:00
Michael Boelen 2398c74783
Merge pull request #941 from iain-cuthbertson-siftware/bugfix/allow-mixed-case-hostnames 
Adds uppercase option to the hostname validation regex
 2020-06-02 18:50:35 +02:00
Michael Boelen 05ea9f873d
[FILE-6330] corrected description 2020-06-02 16:34:35 +02:00
Iain Cuthbertson 0b8c775a01 Adds uppercase option to the hostname validation regex 2020-06-02 15:33:32 +01:00
Michael Boelen b285623ac2
Remove double space 2020-06-02 16:30:43 +02:00
Michael Boelen 9fdfc062dd
Add Gentoo 2020-06-02 14:09:49 +02:00
Aditya Shastri 2b0a0ba2e1 Addedd OS detection for Oracle Linux 2020-05-14 20:51:11 -07:00
Jeremias Cordoba f081a9ed7e Fix KRNL-5730 to properly check /proc/config.gz 
When KRNL-5728 locates the kernel config it does not properly set LINUXCONFIGFILE
if config is found as /proc/config.gz. This causes KRNL-5730 to fail due to missing prereqs,
despite a kernel config existing.

Signed-off-by: Jeremias Cordoba <js.cordoba8321@gmail.com>
 2020-05-04 15:51:03 -07:00
Topi Miettinen fcdc07f8d9
[CRYP-7902] Check also certificates in DER format 
Check also certificates in DER (*.cer, *.der) format. Add
/etc/refind.d/keys to list of certificate paths.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-04-25 00:06:58 +03:00
Thomas Sjögren 51dfc34663 accept more restrictive file permissions 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2020-04-22 10:34:58 +02:00
Michael Boelen ce3c80b44f
Merge pull request #883 from topimiettinen/check-encrypted-swap-devices 
Check if system uses encrypted swap devices
 2020-04-12 16:22:22 +02:00
Topi Miettinen de848cb76a
Check for registered non-native binary formats 
Examine /proc/sys/fs/binfmt_misc (Linux) for additional registered
binary formats. Those are probably emulated and their emulation could
be less tested, more buggy and more vulnerable than native binary
formats, so they should be disabled when not needed.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-04-10 12:54:48 +03:00
Michael Boelen a166691199
Merge pull request #882 from topimiettinen/check-package-certificates 
[CRYP-7902] Check also certificates provided by packages
 2020-04-09 11:01:39 +02:00
Michael Boelen 1163648d89
Merge pull request #896 from Schmuuu/feature/raspi-detect-required-reboot 
extended test KRNL-5830 to detect required reboots on Raspbian
 2020-04-09 09:58:48 +02:00
Michael Boelen 0019cf3297
Merge pull request #904 from bginsbach/krnl-5677 
KRNL-5677 use platform instead of preqs-met
 2020-04-09 09:55:28 +02:00
Brian Ginsbach 95b1ae044b KRNL-5677 use platform instead of preqs-met 2020-04-08 15:55:45 -05:00
Martin Churchill e4d491d574
[CRYP-7902] Fixes issue #902 
[CRYP-7902] Checks for SSL_CERTIFICATE_PATHS_TO_IGNORE fails to ignore sub-directories #902
 2020-04-08 10:02:18 +01:00
Michael Boelen be75a089a7
[PROC-3802] added package manager routine as dependency 2020-04-07 10:53:39 +02:00
Michael Boelen c368846a08
Added support to require a detected and known package manager 2020-04-06 20:47:45 +02:00
Michael Boelen 9da0665929
[NETW-2400] Improved logging 2020-04-04 15:56:00 +02:00
Michael Boelen 032bb6988e
Added new test NETW-2400 2020-04-04 15:28:04 +02:00
Michael Boelen 4680f94d11
[NETW-2706] allow usage of systemd-resolve and resolvectl, improved screen output and logging 2020-04-03 14:02:52 +02:00
Michael Boelen 5288479296
Merge pull request #899 from bginsbach/auth-9218 
AUTH-9218 Improvements
 2020-04-03 09:48:39 +02:00
Michael Boelen f92fe4e03f
Merge pull request #898 from bginsbach/auth-9268 
AUTH-9268 Add DragonFly
 2020-04-03 09:45:21 +02:00
Michael Boelen f25ffdbb1f
[NETW-2706] redirect errors to stderr 2020-04-03 09:40:30 +02:00
Brian Ginsbach ac7ad92f22 AUTH-9218 add NetBSD and OpenBSD 
All of the BSDs have `/etc/master.passwd`.
 2020-04-02 20:09:34 -05:00
Brian Ginsbach 50a60fed87 AUTH-9218 add requires root 
The `/etc/master.passwd` file on BSD systems is (or should be) read/write
root only. Skip the test if not being run as root.
 2020-04-02 20:09:15 -05:00
Brian Ginsbach 6308682cae Combine AUTH-9218 and AUTH-9489 
These two tests are essentially identical. There is no need separate
the DragonFly and FreeBSD tests. This will make it easier to add
support for other BSD systems.
 2020-04-02 20:09:01 -05:00
Brian Ginsbach 4bcd695428 AUTH-9268 Add DragonFly 
DragonFly also supports PAM. Rework to use the `--os` option of `Register`
rather than `--preqs-met` as the former can support a list.
 2020-04-02 15:59:11 -05:00
Kristian S 52b72e7b0f extended test KRNL-5830 to detect required reboots on Raspbian 2020-04-02 21:45:40 +02:00
Michael Boelen 38a5c2cb79
Added new test PHP-2382 2020-04-02 19:46:58 +02:00
Michael Boelen 6eb204a85d
[PRNT-2308] check for Port statement and minor adjustments to test 2020-04-02 14:45:44 +02:00
Michael Boelen ca6fc134dd
Renamed spools to spoolers 2020-04-02 13:20:06 +02:00
Michael Boelen 4fe1cb92a5
[PRNT-2308] check also SSLListen statements 2020-04-02 13:15:03 +02:00
Topi Miettinen 9642bcffc8
[CRYP-7902] Optionally check also certificates provided by packages 
The package maintainers are not immune to mistakes or they might not
always provide timely updates, so let's check (optionally) more
certificates even if they are delivered by packages.

I found three expired certificates in my Debian/unstable system,
thanks to changed Lynis.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-04-02 12:52:13 +03:00
Michael Boelen b5a2d11738
Added fallback for awk/tr, small code enhancement, added note 2020-04-02 09:28:41 +02:00
Michael Boelen 156f740ff2
The IsRunning function may have not everything defined early on, so added a fallback 2020-04-01 19:02:11 +02:00
Michael Boelen 4432f93044
[LOGG-2190] skip mysqld related entries 2020-04-01 16:32:52 +02:00
Michael Boelen f232b4f9bb
Added quotes 2020-04-01 16:18:03 +02:00
Michael Boelen 7e3c9448df
[TIME-3104] search for files using find and strip potential characters that may be unexpected 2020-04-01 16:16:31 +02:00
Michael Boelen 8c501c7aa8
Merge pull request #885 from sanderu/master 
Adding test FILE-6394
 2020-04-01 13:43:58 +02:00
Michael Boelen c5914c4e0f
Split count values so they are reported as individual items 2020-04-01 11:48:39 +02:00
Topi Miettinen 179f7d3442
Enhance binaries report 
Report also number of set-uid and set-gid binaries found.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-31 19:09:57 +03:00
Michael Boelen 288bca9334
Merge pull request #887 from bginsbach/fix-auth-9229 
AUTH-9229 Do not use long options for sort
 2020-03-31 16:35:48 +02:00
Michael Boelen a38e2b535e
Corrected case where binaries were not checked while we do want to use dmidecode if it available 2020-03-31 16:31:41 +02:00
Michael Boelen 53ad72e791
Removed unneeded complexity regarding dmidecode, as binary checks are already done at this point 2020-03-31 16:25:27 +02:00
Michael Boelen 4ff61a6f46
Merge pull request #890 from bginsbach/add-pkg_info 
Add pkg_info
 2020-03-31 15:49:54 +02:00
Michael Boelen e481d5a173
Merge pull request #888 from bginsbach/fix-auth-9230 
Fix AUTH-9230 for systems without /etc/login.defs
 2020-03-31 11:22:31 +02:00
Brian Ginsbach 94915ac2fe Fix PKGS-7301 message nit 
The comment is correct. It is FreeBSD pkg not NetBSD pkg.
 2020-03-30 14:23:58 -05:00
Brian Ginsbach eb7dbab1ee Add pkg_info to PackageIsInstalled 
The `pkg_info` command is used on a system using NetBSD pkgsrc to
determine which packages are installed.
 2020-03-30 14:12:36 -05:00
Brian Ginsbach 2b1d5fa46f Add NetBSD pkgsrc pkg_info to known binaries 
The NetBSD pkgsrc package management system uses pkg_info for
determining information about packages. This is also the command
used in PKGS-7302.
 2020-03-30 14:09:28 -05:00
Brian Ginsbach f13d919dfa PROC-3802 Only check for prelink package on Linux 
The prelink package is Linux specific no need to check for it on
non-Linux systems.
 2020-03-29 16:19:25 -05:00
Brian Ginsbach 90b17121ba Fix AUTH-9230 for systems without /etc/login.defs 
This fixes a bug where it was determined that /etc/login.defs didn't
exist as a prerequisite but then wasn't used to skip the test. Prevents
warnings from `grep(1)` for "no such file or directory".
 2020-03-29 15:31:41 -05:00
Brian Ginsbach 18daa9f495 AUTH-9229 Do not use long options for sort 
Use the standard `sort(1)` short option `-u` rather than `--unique`,
since not all versions support long options.
 2020-03-29 15:06:36 -05:00
Sander 4732b640ae Adding test FILE-6394 2020-03-28 19:23:00 +00:00
Topi Miettinen 5c5cc43c6f
Check if system uses encrypted swap devices 
Add test CRYP-7931 to check if the system uses any encrypted swap
devices.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-27 13:05:56 +02:00
Michael Boelen 603d5b16a2
[FINT-4339] define what file to check for 2020-03-25 19:40:05 +01:00
Michael Boelen b8cdb04772
Corrected requirements to run tests 2020-03-25 19:33:55 +01:00
Michael Boelen 1e52ed0c0d
Added notes to NETW-3200 for future extending this test 2020-03-25 15:19:21 +01:00
Michael Boelen 04c969752a
[NETW-3200] corrected test 2020-03-25 15:15:42 +01:00
Michael Boelen 9b978a3581
Add specific control ID for warnings regarding usage of deprecated options 2020-03-25 15:03:21 +01:00
Michael Boelen db117ae644
Merge branch 'master' of https://github.com/CISOfy/lynis 2020-03-25 10:11:34 +01:00
Michael Boelen f644927a42
Improved warning message with 'how to resolve' 2020-03-25 10:11:25 +01:00
Topi Miettinen 339e0c3207
[FILE-6374]: Summarize unhardened file system 
Report total numbers of unhardened filesystems.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-25 09:18:16 +02:00
Michael Boelen 3c8e3b0adb
Merge pull request #862 from topimiettinen/blacklist-fs 
FS module tests: check if modules are blacklisted
 2020-03-24 13:34:05 +01:00
Michael Boelen 3c3feecbfb
Merge pull request #824 from Varbin/master 
Add detection of OpenNTPD
 2020-03-24 13:29:02 +01:00
Michael Boelen f83025a283
Merge pull request #860 from topimiettinen/harden-mount-options 
Harden mount options for /var, check also /dev and /run
 2020-03-24 13:27:50 +01:00
Michael Boelen dbfadc5446
Merge pull request #879 from topimiettinen/enhance-tomoyo-check 
Enhance TOMOYO Linux check
 2020-03-24 13:26:33 +01:00
Michael Boelen 18a570c0b8
Merge pull request #880 from konstruktoid/grphashrounds 
Add test for group password hash rounds
 2020-03-24 13:24:12 +01:00
Thomas Sjögren bc09f921f0 fix indentation 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2020-03-24 11:53:50 +01:00
Thomas Sjögren 0b9e2d85d6 fix tabs 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2020-03-24 11:45:05 +01:00
Thomas Sjögren 5341fa7b29 AUTH-9229 isnt related to login.defs, add AUTH-9230 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2020-03-24 11:44:14 +01:00
Topi Miettinen e09fe98b89 Enhance TOMOYO Linux check 
Count and log unconfined processes, which are not using policy
profile 3.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-23 18:44:21 +02:00
Topi Miettinen 0da82a18cb
FS module tests: check if modules are blacklisted 
Check if FS modules are blacklisted.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-23 17:43:53 +02:00
Topi Miettinen 8913374092 Run 'systemd-analyze security' 
'systemd-analyze security' (available since systemd v240) makes a nice
overall evaluation of hardening levels of services in a system. More
details can be found with 'systemd-analyze security SERVICE' for each
service.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-23 17:31:32 +02:00
Michael Boelen 7bba7bd4af
Removed incorrect process name from list, enable --full as it is required for matching jitterentropy-rngd 2020-03-23 16:13:39 +01:00
Michael Boelen dcddfdb6cc
Merge branch 'master' of https://github.com/CISOfy/lynis 2020-03-23 15:56:03 +01:00
Michael Boelen 1e74f9be9a
Fixed 'lynis show details' output 2020-03-23 15:55:40 +01:00
Michael Boelen 8f77116ce7
Merge pull request #876 from topimiettinen/enhance-apparmor-check 
Enhance AppArmor check
 2020-03-23 15:24:52 +01:00
Michael Boelen 7d1fe1231a
[CRYP-8005] added haveged, match against process name instead of full command line, code cleanup 2020-03-23 14:29:47 +01:00
Michael Boelen 1eb9218986
Merge branch 'master' of https://github.com/CISOfy/lynis 2020-03-23 13:19:29 +01:00
Michael Boelen 17bbaa8f7a
[AUTH-9229] make test only available for root 2020-03-23 13:19:10 +01:00
Michael Boelen 32cefdea0a
Merge pull request #878 from topimiettinen/check-ima-evm 
Check IMA/EVM, dm-integrity and dm-verity statuses
 2020-03-23 13:18:16 +01:00
Michael Boelen 122619d01f
Merge pull request #874 from topimiettinen/check-password-hashing-methods 
Check password hashing methods
 2020-03-23 12:49:20 +01:00
Michael Boelen 17ac4d2c1c
[AUTH-9252] corrected permission check 2020-03-23 10:44:45 +01:00
Topi Miettinen 8ea39314f2
Check for dm-integrity and dm-verity 
Detect tools for dm-integrity and dm-verity, check if some devices
in /dev/mapper/* use them and especially the system root device.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-23 10:35:38 +02:00
Michael Boelen 058b071ea2
Merge pull request #877 from bginsbach/auth-9268-add-bsd 
Add FreeBSD and NetBSD to AUTH-9268
 2020-03-22 15:16:09 +01:00
Topi Miettinen 203a4d3480
Check IMA/EVM status 
Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement
Architecture) status.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-22 11:21:52 +02:00
Brian Ginsbach 33ba896b41 Add FreeBSD and NetBSD to AUTH-9268 
Add FreeBSD and NetBSD as both support PAM. Simplify the PREQS_MET
test by using a case rather than a long if or.
 2020-03-21 20:03:37 -05:00
Brian Ginsbach f56c3b5f94 Combine NetBSD and OpenBSD AUTH-9234 check 
Both NetBSD and OpenBSD have `useradd(8)`, so they can share logic
checking `/etc/usermgmt.conf` for the default user UID range.
 2020-03-21 16:16:34 -05:00
Brian Ginsbach 044c78452b Add AUTH-9234 for NetBSD 2020-03-21 16:10:05 -05:00
Topi Miettinen e0e2096a25
Enhance AppArmor check 
Count and log unconfined processes which have no AppArmor profile
applied.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-21 17:14:55 +02:00
Topi Miettinen 26a54991ba
Check for software pseudo random number generators 
Check for running audio-entropyd, havegd or jitterentropy-rngd.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-21 16:26:30 +02:00
Michael Boelen 148e5b5c14
Merge pull request #870 from bginsbach/boot-5260-linux 
Make BOOT-5260 Linux only
 2020-03-21 13:54:21 +01:00
Michael Boelen 1bb35b86b8
Merge pull request #873 from topimiettinen/fix-developer-profile 
Fix developer profile
 2020-03-21 13:50:03 +01:00
Michael Boelen 357b059c12
Merge pull request #871 from bginsbach/fix-find-not 
Fix uses of non-standard find not operator
 2020-03-21 13:43:28 +01:00
Topi Miettinen 4a51ad031b
Check password hashing methods 
Manual page crypt(5) gives recommendations for choosing password
hashing methods, so let's check if there are weakly encrypted
passwords in the system.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-21 12:50:38 +02:00
Topi Miettinen e98fcb9b73
Fix developer profile 
Initialialize a few variables to let --profile developer.prf pass.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-20 22:26:51 +02:00
Brian Ginsbach 9c5451d29d Make BOOT-5260 Linux only 
Linux is the only OS with systemd so no need to check for systemd
single user mode on other operatings systems.
 2020-03-20 14:40:20 -05:00
Brian Ginsbach 32d1155953 Fix uses of non-standard find not operator 
Use ! rather than the non-standard -not find(1) operator.
 2020-03-20 14:37:56 -05:00
Brian Ginsbach 52344913d3 Add a way to signify undetermined EOL 
Replace setting an artificaly high date and converted date for
operating systems with no EOL (rolling) or the EOL is still to
be determined. This makes it easier for humans and saves making
a comparison (when using an artifically high converted time)
will always be false (EOL=0).

An example entry

        os:AGreatOS 2.0:👎

The converted time (seconds since the epoch) could be specified as
zero but this typically means the OS is out of date (now), A value
of -1 is a convention indicating no EOL.
 2020-03-20 13:42:28 -05:00
Michael Boelen 1f8b5fafde
Add OS to 'show eol' and make output easier to parse 2020-03-20 14:57:56 +01:00
Michael Boelen 38310223a6
Updated date/year 2020-03-20 14:50:25 +01:00
Michael Boelen 8c0b42cdae
Merge pull request #861 from topimiettinen/enhance-selinux-check 
Enhance SELinux checks
 2020-03-20 14:00:57 +01:00
Michael Boelen bf7bd1415b
Merge pull request #867 from topimiettinen/check-dnssec-resolvectl 
Check DNSSEC status with resolvectl when available
 2020-03-20 09:46:40 +01:00
Topi Miettinen 820d2ec607
Check DNSSEC status with resolvectl when available 
'resolvectl statistics' shows if DNSSEC is supported by
systemd-resolved and upstream DNS servers.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 23:56:24 +02:00
Topi Miettinen fb9cdb5c43
Enhance SELinux checks 
Display and log: permissive types (rules are not enforced), unconfined
processes (not confined by rules) and processes with initrc_t
type (generic type with weak rules).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 19:45:37 +02:00
Michael Boelen ddcf9bc713
[BOOT-5122] check for defined password in all GRUB configuration files 2020-03-19 15:52:03 +01:00
Topi Miettinen 72e8f572bf
Harden mount options for /var, check also /dev and /run 
There should not be any need for char/block devices in /var, so
propose nodev. Sockets are not affected.

Check also /dev for noexec,nosuid and /run for
nodev,nosuid. Historically there was /dev/MAKEDEV script but that's
long gone.

In case a file system is not found in /etc/fstab, check if they are
mounted otherwise (e.g. via systemd mount units).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 16:39:02 +02:00
Michael Boelen 6d9ebe4136
Merge pull request #857 from topimiettinen/handle-kernel-img.conf 
Check if /vmlinuz is missing due to /etc/kernel-img.conf
 2020-03-19 15:33:47 +01:00
Michael Boelen 51d727d611
Merge pull request #858 from topimiettinen/fix-enabled-running-processes 
Fix logging of running and enabled services
 2020-03-19 15:32:54 +01:00
Topi Miettinen 3aaeeea856
Check for rEFInd boot loader 
Detect rEFInd boot loader (https://www.rodsbooks.com/refind/).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 15:44:30 +02:00
Topi Miettinen 80a67914c3
Fix logging of running and enabled services 
Log lines for running and enabled services were mixed up, fix.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 15:25:59 +02:00
Topi Miettinen f15fbfa6ed
Check if /vmlinuz is missing due to /etc/kernel-img.conf 
If /etc/kernel-img.conf has the line do_symlinks=No, Debian (probably
also Ubuntu) kernel packages will not update /vmlinuz
etc. symlinks. In that case, guess the kernel from uname -r.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 15:16:37 +02:00
Michael Boelen 671c443641
Merge pull request #845 from maczniak/master 
[SSH-7408] fix OpenSSH server version check
 2020-03-19 11:00:38 +01:00
Michael Boelen b523352a59
Merge pull request #830 from Schmuuu/fix/vmlinuz-check 
restructered test and fixed vmlinuz detection
 2020-03-19 10:58:27 +01:00
Michael Boelen bc4146555c
[PKGS-7388] Only perform test when all conditions are correct 2020-03-19 10:51:02 +01:00
Michael Boelen 8a42643373
Merge pull request #822 from pyllyukko/vmlinuz-raspbian 
KRNL-5788 in Raspi: don't complain about missing /vmlinuz
 2020-03-18 11:39:58 +01:00
Michael Boelen 6a5ea9471e
Merge pull request #828 from gfelkel/patch-1 
FILE-6310 for HP-UX
 2020-03-18 11:35:03 +01:00
Michael Boelen 6e3e93d585
[PKGS-7388] only perform check for Debian, Mint, Ubuntu 2020-03-17 16:05:14 +01:00
Michael Boelen 77dd0e0bbe
Merge pull request #853 from deltablot/php 
Skip the PHP cli configuration file when looking for expose_php
 2020-03-17 14:02:51 +01:00
Michael Boelen d1db448c51
Skip pacman when it is the game instead of package manager 2020-03-17 13:02:59 +01:00
Michael Boelen 0b0b0ea905
Style improvement 2020-03-12 16:01:11 +01:00
Michael Boelen 83a9470b72
Merge pull request #829 from gfelkel/patch-2 
AUTH-9228 for HP-UX
 2020-03-12 15:59:33 +01:00
Michael Boelen 2f9f25a2bf
Merge pull request #842 from chifu1234/master 
add basic xbps/void support
 2020-03-11 15:53:57 +01:00
Michael Boelen efc591c791
Merge pull request #846 from Skactor/patch-2 
Update tests_shells
 2020-03-11 15:52:33 +01:00
Michael Boelen 73491ec850
Merge pull request #843 from Skactor/patch-1 
Update tests_ports_packages
 2020-03-10 15:21:08 +01:00
Nicolas CARPi 600cb84310 Use a POSIX implementation to check for substring 
This works with all shells, even busybox.
 2020-03-05 21:42:54 +01:00
Nicolas CARPi 0593c69f2f Skip the PHP cli configuration file when looking for expose_php 
The expose_php configuration option is only relevant for non-cli PHP and
thus lynis should not look for it in config files that are for cli

Fix #849
 2020-03-05 00:53:27 +01:00
Michael Boelen 3f883106c9
Merge pull request #840 from deltablot/ssh 
Remove the test for ssh config VerifyReverseMapping
 2020-03-04 19:36:56 +01:00
Michael Boelen 28bd36d9c6
Added Fedora 2020-03-04 15:09:10 +01:00
Michael Boelen c0158da38e
Corrected test ID 2020-03-04 15:04:54 +01:00
Michael Boelen 5faf69af16
Code enhancement to avoid repetition 2020-03-04 15:02:39 +01:00
Michael Boelen 6e5f638640
Merge pull request #852 from craigcomstock/pureos 
Added detection of PureOS in /etc/os-release
 2020-03-04 14:58:59 +01:00
Michael Boelen e008907ff1
Remove 's' from word 'colours' 2020-03-04 14:51:13 +01:00
Michael Boelen b011b7a8d5
Merge pull request #850 from gcsgithub/soerelease 
Soerelease
 2020-03-04 14:48:19 +01:00
Craig Comstock 22ceeaa926
Added detection of PureOS in /etc/os-release 2020-03-03 13:56:33 -06:00
Mark Garrett 0cd256372c fix whitespace 2020-03-01 10:31:52 +11:00
Mark Garrett b2f676da7b allow for correct spelling for colour should drop the s from colours but didnt 2020-03-01 10:19:33 +11:00
Mark Garrett 30b1e4170b macosx add Catalina 10.15 2020-03-01 10:18:33 +11:00
Skactor fc7c5fb723
Update tests_shells 
Write function as variable due to careless error
 2020-02-25 15:48:55 +08:00
maczniak d8a3bc8afa fix CISOfy/lynis#844 2020-02-24 23:17:09 +09:00
Skactor 35e568e695
Update tests_ports_packages 
Incorrect constant name spelling
 2020-02-24 20:44:05 +08:00
Kevin 42b2831f75 add basic xbps/void support 2020-02-21 08:06:24 +01:00
Nicolas CARPi 91ad10d464 Remove the test for ssh config VerifyReverseMapping 
This option is deprecated since 2003. Having it in a config file raises
a warning and UseDNS (that is on by default) includes the
VerifyReverseMapping check.

See
3a961dc0d3

See #528
 2020-02-18 22:19:45 +01:00
Michael Boelen 3bbe34ea73
[CRYP-8004] enhanced after pulling in initital test 2020-02-15 14:09:56 +01:00
Michael Boelen 5ca8baf7a8
[USB-2000] improved testing for USB devices and filtering out possible incorrect state 2020-02-15 14:09:23 +01:00
Michael Boelen af70303aeb
Set preferred option to skip plugin executiont o --no-plugins, as that is more in line with the other 'no' options 2020-02-14 11:49:32 +01:00
Michael Boelen 3f834e6ad5
Merge pull request #821 from pyllyukko/CRYP-8004 
Added CRYP-8004
 2020-02-13 13:40:10 +01:00
Sascha Holzleiter 530ad1ef75 NETW-3014: Report correct promisc interface 2020-01-28 21:29:34 +01:00
Kristian Schuster 79a29381a4
restructered test and fixed vmlinuz detection 2020-01-26 19:13:26 +01:00
gfelkel 5bce9d598c
AUTH-9228 for HP-UX 
HP-UX also has /usr/sbin/pwck. For trusted systems, two additional options -s (check inconsistencies with the protected password database) and -l (check encrypted password lengths that are greater than 8 characters) are available.
 2020-01-23 13:30:46 +01:00
gfelkel d3287bd7ef
FILE-6310 for HP-UX 
HP-UX: /usr/sbin/mount reports "/home on /dev/…", so $1 has to be used
 2020-01-22 16:31:49 +01:00
Michael Boelen a7b48e40b0
[NETW-3015] check for promiscuity value that is higher than 0 instead of just 1 2020-01-11 11:31:40 +01:00
Michael Boelen 232b1cdc3f
[KRNL-5820] allow dash to define hard/soft value 2020-01-11 11:27:37 +01:00
Simon Biewald c58e296bd3
add openntpd detection and a few tests for it 2020-01-08 18:53:15 +01:00
pyllyukko 618a843017
KRNL-5788 in Raspi: don't complain about missing /vmlinuz 
The Raspberry Pi kernels reside within raspberrypi-kernel package[1].

[1] https://www.raspberrypi.org/documentation/linux/kernel/updating.md
 2020-01-07 22:27:27 +02:00
pyllyukko 40acdc111d
Added CRYP-8004 2020-01-06 21:22:00 +02:00
Michael Boelen b7da40c6ae
[KRNL-5830] derive kernel version from filename after obtaining symlink target 2019-12-23 15:41:26 +01:00
Michael Boelen ab4291242d
[KRNL-5830] check for symlink 2019-12-23 15:36:26 +01:00
Michael Boelen e5091772c5
Removed -o which had no purpose 2019-12-23 13:59:06 +01:00
Michael Boelen 35d248b74c
[FILE-6430] minor code improvements and show suggestion with more details 2019-12-18 19:20:48 +01:00