mirror of https://github.com/CISOfy/lynis.git

================================================================================

  Lynis - To Do

================================================================================

  Author:         Michael Boelen (michael@rootkit.nl)
  Description:    Security and system auditing tool
  Website:        http://www.rootkit.nl/projects/lynis.html
  Support policy: See section 'Support' (README file)
  Documentation:  See web site, README, FAQ and CHANGELOG file

================================================================================


[+] Open issues
-------------------------------


[+] Project
-------------------------------


[+] General
-------------------------------
- Activate warning when default profile is being used
- Add list of manual audit items, depending on performed tests
- Replace awk instances with ${AWKBINARY}


[+] Forensics
-------------------------------
- Add MD5/SHA1 database


[+] Generic Tests
-------------------------------
- NFS: Check if there is no localhost line in the /etc/export file
- Check /etc/crontab entries (permissions, locations)
- Search for all setuid/setgid files and compare against baseline
- Skel: Red Hat files are hidden, check with ls -al?
- Add MacOS X test for /tmp dir (or redirect location of symlink)
- Samba: make sure it listens only on one interface (not on the WAN)
- Clean up some tests by combining options (like NETW-3006)
- Check for latest versions of programs
- Check if multiple users have group '0'
- When using --quiet, use long warnings instead of default lines
- Don't show section headers when using --tests
- Show last logon dates for user accounts
- Show passwords 30 days or older / trivial passwords / password shadowing
- Show duplicate usernames, UIDs and GIDs
- System wide policies including: default file creation mask, login timeout intervals, lockout durations...
- Permissions on selected sensitive files / directories
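Two of the items above (duplicate usernames/UIDs/GIDs, and more than one account with primary group 0) implemented as an added example in the shell Lynis itself is written in; this is not Lynis's own code, the function names are hypothetical, and it reads a constructed passwd-format sample rather than the real /etc/passwd.

```sh
#!/bin/sh
# Added example, not Lynis code: audit a passwd-format file for duplicate
# usernames, duplicate UIDs/GIDs and extra accounts whose primary group is 0.
# ${AWKBINARY} mirrors the to-do item above; it falls back to plain awk here.

# Constructed sample in /etc/passwd format (not read from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
alice:x:1002:1002:Alice again:/home/alice2:/bin/sh
backup:x:1000:0:Backup operator:/var/backups:/bin/sh
svc:x:1003:0:Service account:/var/svc:/bin/sh'

# Print every value of passwd field $1 (1=name, 3=UID, 4=GID) seen more than once.
dup_field() {
    printf '%s\n' "$SAMPLE_PASSWD" | ${AWKBINARY:-awk} -F: -v f="$1" \
        '{ seen[$f]++ } END { for (k in seen) if (seen[k] > 1) print k }' | sort
}

duplicate_usernames() { dup_field 1; }
duplicate_uids()      { dup_field 3; }
duplicate_gids()      { dup_field 4; }

# Accounts other than root whose primary GID is 0 (members of the root group).
extra_gid0_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | ${AWKBINARY:-awk} -F: \
        '$4 == 0 && $1 != "root" { print $1 }' | sort
}

# Report findings Lynis-style; exit status 0 means clean, 1 means findings.
audit_passwd() {
    rc=0
    for u in $(duplicate_usernames); do echo "WARNING: duplicate username: $u";    rc=1; done
    for i in $(duplicate_uids);      do echo "WARNING: duplicate UID: $i";         rc=1; done
    for g in $(duplicate_gids);      do echo "WARNING: duplicate primary GID: $g"; rc=1; done
    for a in $(extra_gid0_users);    do echo "WARNING: $a has primary group 0";   rc=1; done
    return $rc
}

if audit_passwd; then
    echo "OK: no account anomalies found"
fi
```

On the sample this flags the duplicate username alice, the shared UID 1000, the shared GID 0, and the non-root accounts backup and svc in group 0.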


[+] Applications
-------------------------------
- Debian/Ubuntu: check if apt-listbugs is installed


[+] Databases
-------------------------------
- Warn if MySQL is running on a network interface
- Check for empty root login
- Check Oracle things (tm)


[+] Programming languages/interfaces
-------------------------------
- Paranoid option: set binaries to 750 for perl, python, ruby, cc, gcc, *cc* etc.


[+] DNS
-------------------------------
- Bind: check if version is disabled


[+] Firewalls
-------------------------------
- iptables: show chain numbers when rules are unused


[+] Shell/interface/X
-------------------------------
- Check for autolog or timeoutd package


[+] MTA
-------------------------------
- Sendmail: check banner, check file permissions of configuration files
- Exim: check banner
- SMTP (if running): check if a version shows up in banner


[+] Printers/spools
-------------------------------
- Printcap consistency check for Linux/Solaris/MacOS


[+] Tomcat
-------------------------------
- Check if iptables has rules for ports 8080, 8009, 8443
- Check if /WEB-INF/ and /META-INF/ are denied in httpd.conf


[+] Reporting
-------------------------------
- Add possibility to mail directly (instead of log to file)
- Find audit templates for reporting (direct post to webserver?)
- Allow bonus points, but cap the index score at a maximum of 100

================================================================================
  Lynis - Copyright 2007-2013, Michael Boelen - The Netherlands
  http://www.rootkit.nl