tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-04-08 17:15:25 +02:00
Code Issues Packages Projects Releases Wiki Activity
3,307 Commits 2 Branches 63 Tags
Commit Graph

2170 Commits

Author SHA1 Message Date
Brian Ginsbach
32d1155953 Fix uses of non-standard find not operator 
Use ! rather than the non-standard -not find(1) operator.
 2020-03-20 14:37:56 -05:00
Brian Ginsbach
52344913d3 Add a way to signify undetermined EOL 
Replace setting an artificaly high date and converted date for
operating systems with no EOL (rolling) or the EOL is still to
be determined. This makes it easier for humans and saves making
a comparison (when using an artifically high converted time)
will always be false (EOL=0).

An example entry

        os:AGreatOS 2.0:👎

The converted time (seconds since the epoch) could be specified as
zero but this typically means the OS is out of date (now), A value
of -1 is a convention indicating no EOL.
 2020-03-20 13:42:28 -05:00
Michael Boelen
1f8b5fafde
Add OS to 'show eol' and make output easier to parse 2020-03-20 14:57:56 +01:00
Michael Boelen
38310223a6
Updated date/year 2020-03-20 14:50:25 +01:00
Michael Boelen
8c0b42cdae
Merge pull request #861 from topimiettinen/enhance-selinux-check 
Enhance SELinux checks
 2020-03-20 14:00:57 +01:00
Michael Boelen
bf7bd1415b
Merge pull request #867 from topimiettinen/check-dnssec-resolvectl 
Check DNSSEC status with resolvectl when available
 2020-03-20 09:46:40 +01:00
Topi Miettinen
820d2ec607
Check DNSSEC status with resolvectl when available 
'resolvectl statistics' shows if DNSSEC is supported by
systemd-resolved and upstream DNS servers.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 23:56:24 +02:00
Topi Miettinen
fb9cdb5c43
Enhance SELinux checks 
Display and log: permissive types (rules are not enforced), unconfined
processes (not confined by rules) and processes with initrc_t
type (generic type with weak rules).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 19:45:37 +02:00
Michael Boelen
ddcf9bc713
[BOOT-5122] check for defined password in all GRUB configuration files 2020-03-19 15:52:03 +01:00
Topi Miettinen
72e8f572bf
Harden mount options for /var, check also /dev and /run 
There should not be any need for char/block devices in /var, so
propose nodev. Sockets are not affected.

Check also /dev for noexec,nosuid and /run for
nodev,nosuid. Historically there was /dev/MAKEDEV script but that's
long gone.

In case a file system is not found in /etc/fstab, check if they are
mounted otherwise (e.g. via systemd mount units).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 16:39:02 +02:00
Michael Boelen
6d9ebe4136
Merge pull request #857 from topimiettinen/handle-kernel-img.conf 
Check if /vmlinuz is missing due to /etc/kernel-img.conf
 2020-03-19 15:33:47 +01:00
Michael Boelen
51d727d611
Merge pull request #858 from topimiettinen/fix-enabled-running-processes 
Fix logging of running and enabled services
 2020-03-19 15:32:54 +01:00
Topi Miettinen
3aaeeea856
Check for rEFInd boot loader 
Detect rEFInd boot loader (https://www.rodsbooks.com/refind/).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 15:44:30 +02:00
Topi Miettinen
80a67914c3
Fix logging of running and enabled services 
Log lines for running and enabled services were mixed up, fix.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 15:25:59 +02:00
Topi Miettinen
f15fbfa6ed
Check if /vmlinuz is missing due to /etc/kernel-img.conf 
If /etc/kernel-img.conf has the line do_symlinks=No, Debian (probably
also Ubuntu) kernel packages will not update /vmlinuz
etc. symlinks. In that case, guess the kernel from uname -r.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-19 15:16:37 +02:00
Michael Boelen
671c443641
Merge pull request #845 from maczniak/master 
[SSH-7408] fix OpenSSH server version check
 2020-03-19 11:00:38 +01:00
Michael Boelen
b523352a59
Merge pull request #830 from Schmuuu/fix/vmlinuz-check 
restructered test and fixed vmlinuz detection
 2020-03-19 10:58:27 +01:00
Michael Boelen
bc4146555c
[PKGS-7388] Only perform test when all conditions are correct 2020-03-19 10:51:02 +01:00
Michael Boelen
8a42643373
Merge pull request #822 from pyllyukko/vmlinuz-raspbian 
KRNL-5788 in Raspi: don't complain about missing /vmlinuz
 2020-03-18 11:39:58 +01:00
Michael Boelen
6a5ea9471e
Merge pull request #828 from gfelkel/patch-1 
FILE-6310 for HP-UX
 2020-03-18 11:35:03 +01:00
Michael Boelen
6e3e93d585
[PKGS-7388] only perform check for Debian, Mint, Ubuntu 2020-03-17 16:05:14 +01:00
Michael Boelen
77dd0e0bbe
Merge pull request #853 from deltablot/php 
Skip the PHP cli configuration file when looking for expose_php
 2020-03-17 14:02:51 +01:00
Michael Boelen
d1db448c51
Skip pacman when it is the game instead of package manager 2020-03-17 13:02:59 +01:00
Michael Boelen
0b0b0ea905
Style improvement 2020-03-12 16:01:11 +01:00
Michael Boelen
83a9470b72
Merge pull request #829 from gfelkel/patch-2 
AUTH-9228 for HP-UX
 2020-03-12 15:59:33 +01:00
Michael Boelen
2f9f25a2bf
Merge pull request #842 from chifu1234/master 
add basic xbps/void support
 2020-03-11 15:53:57 +01:00
Michael Boelen
efc591c791
Merge pull request #846 from Skactor/patch-2 
Update tests_shells
 2020-03-11 15:52:33 +01:00
Michael Boelen
73491ec850
Merge pull request #843 from Skactor/patch-1 
Update tests_ports_packages
 2020-03-10 15:21:08 +01:00
Nicolas CARPi
600cb84310 Use a POSIX implementation to check for substring 
This works with all shells, even busybox.
 2020-03-05 21:42:54 +01:00
Nicolas CARPi
0593c69f2f Skip the PHP cli configuration file when looking for expose_php 
The expose_php configuration option is only relevant for non-cli PHP and
thus lynis should not look for it in config files that are for cli

Fix #849
 2020-03-05 00:53:27 +01:00
Michael Boelen
3f883106c9
Merge pull request #840 from deltablot/ssh 
Remove the test for ssh config VerifyReverseMapping
 2020-03-04 19:36:56 +01:00
Michael Boelen
28bd36d9c6
Added Fedora 2020-03-04 15:09:10 +01:00
Michael Boelen
c0158da38e
Corrected test ID 2020-03-04 15:04:54 +01:00
Michael Boelen
5faf69af16
Code enhancement to avoid repetition 2020-03-04 15:02:39 +01:00
Michael Boelen
6e5f638640
Merge pull request #852 from craigcomstock/pureos 
Added detection of PureOS in /etc/os-release
 2020-03-04 14:58:59 +01:00
Michael Boelen
e008907ff1
Remove 's' from word 'colours' 2020-03-04 14:51:13 +01:00
Michael Boelen
b011b7a8d5
Merge pull request #850 from gcsgithub/soerelease 
Soerelease
 2020-03-04 14:48:19 +01:00
Craig Comstock
22ceeaa926
Added detection of PureOS in /etc/os-release 2020-03-03 13:56:33 -06:00
Mark Garrett
0cd256372c fix whitespace 2020-03-01 10:31:52 +11:00
Mark Garrett
b2f676da7b allow for correct spelling for colour should drop the s from colours but didnt 2020-03-01 10:19:33 +11:00
Mark Garrett
30b1e4170b macosx add Catalina 10.15 2020-03-01 10:18:33 +11:00
Skactor
fc7c5fb723
Update tests_shells 
Write function as variable due to careless error
 2020-02-25 15:48:55 +08:00
maczniak
d8a3bc8afa fix CISOfy/lynis#844 2020-02-24 23:17:09 +09:00
Skactor
35e568e695
Update tests_ports_packages 
Incorrect constant name spelling
 2020-02-24 20:44:05 +08:00
Kevin
42b2831f75 add basic xbps/void support 2020-02-21 08:06:24 +01:00
Nicolas CARPi
91ad10d464 Remove the test for ssh config VerifyReverseMapping 
This option is deprecated since 2003. Having it in a config file raises
a warning and UseDNS (that is on by default) includes the
VerifyReverseMapping check.

See
3a961dc0d3

See #528
 2020-02-18 22:19:45 +01:00
Michael Boelen
3bbe34ea73
[CRYP-8004] enhanced after pulling in initital test 2020-02-15 14:09:56 +01:00
Michael Boelen
5ca8baf7a8
[USB-2000] improved testing for USB devices and filtering out possible incorrect state 2020-02-15 14:09:23 +01:00
Michael Boelen
af70303aeb
Set preferred option to skip plugin executiont o --no-plugins, as that is more in line with the other 'no' options 2020-02-14 11:49:32 +01:00
Michael Boelen
3f834e6ad5
Merge pull request #821 from pyllyukko/CRYP-8004 
Added CRYP-8004
 2020-02-13 13:40:10 +01:00