Commit Graph

104 Commits

Author SHA1 Message Date
Roeland Jansen 2d03e1821d tumbleweed: added /usr/etc/ssh to SSH_DAEMON_CONFIG_LOCS var 2024-05-20 12:36:00 +02:00
katleese 8d7c30fd9a changed AllowUsers to AllowGroups in test SSH-7440 2024-04-29 10:21:59 +02:00
xnoguer 6f1797fb59 Using grep -E 2023-04-23 17:38:21 -04:00
Thomas Sjögren e124499e27 Only test Compression if sshd version < 7.4
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2022-05-04 10:51:35 +02:00
Michael Boelen e5f5750bfa
Improved log message 2022-01-31 13:55:55 +01:00
Michael Boelen da1c1eca10
Preparation for release 3.0.3 2021-01-07 15:22:19 +01:00
Stéphane 67d04f2536
Add translate function for all sections
+ add EN and FR up to date languages files
2020-10-22 00:13:42 +02:00
Michael Boelen 38310223a6
Updated date/year 2020-03-20 14:50:25 +01:00
Michael Boelen 671c443641
Merge pull request #845 from maczniak/master
[SSH-7408] fix OpenSSH server version check
2020-03-19 11:00:38 +01:00
maczniak d8a3bc8afa fix CISOfy/lynis#844 2020-02-24 23:17:09 +09:00
Nicolas CARPi 91ad10d464 Remove the test for ssh config VerifyReverseMapping
This option is deprecated since 2003. Having it in a config file raises
a warning and UseDNS (that is on by default) includes the
VerifyReverseMapping check.

See
3a961dc0d3

See #528
2020-02-18 22:19:45 +01:00
Michael Boelen 09f29a5e64
Code style improvement: quote argument 2019-12-18 12:17:46 +01:00
Michael Boelen 98017c78ca
Implemented several code style improvements 2019-09-17 14:04:30 +02:00
Michael Boelen 79e5b52419
[SSH-7408] added forced-commands-only 2019-09-12 11:17:18 +02:00
Michael Boelen fa8bad20db
Use -n instead of ! -z 2019-07-16 13:20:30 +02:00
Michael Boelen 591bc05f4d
[SSH-7408] changed text in suggestion and report 2019-07-14 14:43:35 +02:00
Michael Boelen 1a512984c1
[SSH-7406] instead of just carriage return, strip all control characters 2019-07-14 08:43:06 +02:00
Michael Boelen 0bdcb57763
Merge branch 'master' into patch_3 2019-07-14 08:36:47 +02:00
Michael Boelen ae474c72c6
[SSH-7402] detect other SSH daemons like dropbear and split SSH daemon from OpenSSH daemon 2019-07-09 11:16:59 +02:00
Capashenn 52dd096e0f fix issue #621 2019-03-25 10:53:46 +01:00
Michael Boelen 048815abc0
[SSH-7408] Increased values for MaxAuthRetries as sometimes SSH key-based authentication may need it 2019-03-15 14:00:47 +01:00
Michael Boelen 66066ae226
Changed year and preparing for new release 2019-01-31 14:47:35 +01:00
Michael Boelen 5028aa2f70
Added SSH-7406 to detect OpenSSH version + condition based checking in SSH-7408 2018-10-23 17:14:47 +02:00
Michael Boelen 3f9d1308bb
[SSH-7408] adjusted classification of root login with keys 2018-07-25 13:35:00 +02:00
aram535 1caf9ad12d Updated tests_ssh, removed extra ssh in the test (#557)
Seems like in the patch there was an extra 'ssh' added in the command line, which is breaking the ssh tests.  Removing the ssh keyword... -T -C ... fixes the problem.
2018-06-22 12:29:25 +02:00
Michael Boelen 84faf57b30
[SSH-7402] when SSH configuration has Match block, allow evaluation of full configuration 2018-05-14 08:29:30 +02:00
Thomas Sjögren c25910cb31 delayed is a legacy synonym (#531)
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2018-04-23 10:57:27 +02:00
Michael Boelen 4ba9882335
Added notes 2018-01-23 17:37:27 +01:00
mslifcak 84ea9530d7 restore UsePrivilegeSeparation to list of ssh daemon checks (#509) 2018-01-23 17:35:34 +01:00
Michael Boelen 66f8cb2441
Changed year 2018-01-11 09:50:26 +01:00
Michael Boelen 76b4afb14d
[SSH-7408] set default 'delayed' compression as a sane value 2017-09-18 19:18:11 +02:00
Lukas Pirl b3dffbf750 remove test for deprecated sshd option UsePrivilegeSeparation (#432)
see also https://www.openssh.com/txt/release-7.5
2017-08-16 20:33:33 +02:00
Michael Boelen 70ea29483a
Code enhancements 2017-04-23 20:06:54 +02:00
hlein e054e9757c Lots of cleanups (#366)
* Description fix: SafePerms works on files not dirs.

All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).

* Lots of whitespace cleanups.

Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces.  But sometimes
it's 1, sometimes 3, sometimes 8.

These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).

This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.

FWIW I identified instances to check by using:

  perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces="";  } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)

Which produced output like:

  ./extras/build-lynis.sh:217:            if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
  ./extras/build-lynis.sh:218:               echo "[X] Version in specfile is outdated"

  ./plugins/plugin_pam_phase1:69:        if [ -d ${PAM_DIRECTORY} ]; then
  ./plugins/plugin_pam_phase1:70:                LogText "Result: /etc/pam.d exists"

...There's probably formal shellscript-beautification tools that
I'm oblivious about.

* More whitespace standardization.

* Fix a syntax error.

This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.

* Add whitespace before closing ].

Without it, the shell thinks the ] is part of the last string, and
emits warnings like:

  .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 19:23:08 +00:00
hlein b595cc0fb5 Various cleanups (#363)
* Typo fix.

* Style change: always use $(), never ``.

The Lynis code already mostly used $(), but backticks were sprinkled
around.  Converted all of them.

* Lots of minor spelling/typo fixes.

FWIW these were found with:

  find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less

And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
2017-03-06 07:41:21 +00:00
Michael Boelen d15ba9607f [SSH-7408] Corrected variable and allow a few more retries to prevent issues with public key authentication 2017-03-01 16:07:32 +01:00
Michael Boelen a817bf2f1b [SSH-7408] allow filtering for multiple options and new SSH value for PermitRootLogin 2017-02-15 13:14:54 +01:00
Michael Boelen 34ba1ba184 Changed date and preparing for release 2017-02-09 13:35:40 +01:00
Michael Boelen 82ededed31 Style improvements and command replacements 2016-09-08 21:04:17 +02:00
Michael Boelen 679e8c628e Use detected binaries 2016-08-25 15:31:33 +02:00
Michael Boelen 2f4c854ba7 Rename of categories, introduction of groups 2016-07-24 17:22:00 +02:00
Lukas Pirl f19f5927a5 added test for AllowAgentForwarding being turned off (#222)
for reasons, see links below:
  https://wiki.mozilla.org/Security/Guidelines/OpenSSH#SSH_agent_forwarding
  https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/
2016-07-11 11:25:51 +02:00
Michael Boelen 983e293eb1 Replaced text strings to allow translations 2016-06-18 11:14:01 +02:00
Michael Boelen 52ad74c5ce [SSH-7408] Show SSH items as a suggestion on screen, like in the report 2016-06-11 14:45:17 +02:00
Eric Light 47748c8fd8 UseDNS = No is a safer configuration (#204)
See Issue #197.  

References:
 - https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/424371/comments/11
 - https://unix.stackexchange.com/questions/56941/what-is-the-point-of-sshd-usedns-option
 - https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
2016-05-19 19:58:52 +02:00
mboelen 6e2640c4d5 Retrieve SSH settings from active configuration and store earlier, test with lowercase settings for other tests 2016-05-02 15:04:40 +02:00
mboelen 42607ceaf5 Replaced old function names with new ones 2016-04-28 12:31:57 +02:00
mboelen 5757837e28 Show skipped items when running in verbose mode 2016-04-20 12:08:10 +02:00
Eric Light a6393bd8a0 Display skipped atomic tests (#169)
Added section to log & display skipped atomic tests.
2016-04-20 10:46:40 +02:00
mboelen a2594fc370 [SSH-7408] Allow skipping some of the SSH tests 2016-04-19 12:37:40 +02:00