authormboelen <michael@cisofy.com>2015-07-22 17:28:11 +0300
committermboelen <michael@cisofy.com>2015-07-22 17:28:11 +0300
commit66fb36959339c2b6b4594ca11ffdb0e279164e50 (patch)
tree11c7135141b4933dd7b8a0a7f1558d4ca757a76d
parent1775590ba70ce52d6362141e395ecc1e80ddc4fa (diff)
Copyright line changes and cleanups
-rw-r--r--include/tests_authentication41
-rw-r--r--include/tests_banners20
-rw-r--r--include/tests_boot_services58
-rw-r--r--include/tests_containers1
-rw-r--r--include/tests_crypto1
-rw-r--r--include/tests_insecure_services15
-rw-r--r--include/tests_kernel8
-rw-r--r--include/tests_kernel_hardening6
-rw-r--r--include/tests_ldap6
-rw-r--r--include/tests_logging11
-rw-r--r--include/tests_mac_frameworks24
-rw-r--r--include/tests_mail_messaging66
-rw-r--r--include/tests_malware40
-rw-r--r--include/tests_memory_processes19
-rw-r--r--include/tests_nameservices9
-rw-r--r--include/tests_networking28
-rw-r--r--include/tests_php30
-rw-r--r--include/tests_ports_packages55
18 files changed, 60 insertions, 378 deletions
diff --git a/include/tests_authentication b/include/tests_authentication
index 442e20ab..b00ef5ad 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -389,7 +389,6 @@
if [ ${FOUND} -eq 1 ]; then
logtext "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
- # YYY add more tests to audit sudoers file
else
logtext "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
@@ -590,7 +589,6 @@
else
logtext "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
- # YYY display message when ldap is enabled in /etc/passwd, but not found in PAM
fi
else
logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
@@ -673,7 +671,6 @@
logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
- # YYY check if LDAP is used with password policies
logtext "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
@@ -690,7 +687,7 @@
#
# Test : AUTH-9304
# Description : Check if single user mode login is properly configured in Solaris
- # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY)
+ # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists (Solaris 10 does not have this file by default)
@@ -791,7 +788,6 @@
AddHP 2 2
fi
else
- # YYY
logtext "Result: No inittab or init file found, unsure if system is protected"
fi
fi
@@ -1070,7 +1066,6 @@
Display --indent 6 --text "LDAP server: ${I}"
logtext "Result: found LDAP server ${I}"
report "ldap_server[]=${I}"
- # YYY check if host(s) are reachable/respond to queries
done
else
logtext "Result: ${I} does NOT exist"
@@ -1080,38 +1075,6 @@
#
#################################################################################
#
- # Test : AUTH-92xx
- # Description : login.access checks
- #Register --test-no AUTH-92xx --weight L --network NO --description "login.access checks"
-#
-#################################################################################
-#
-# pam_unix.so
-# pam_cracklib.so
-# pam_pwcheck.so
-# pam_env.so
-# pam_xauth.so
-# pam_tally.so
-# pam_wheel.so
-# pam_limits.so
-# pam_nologin.so
-# pam_deny.so
-# pam_securetty.so
-# pam_time.so
-# pam_access.so
-# pam_listfile.so
-# pam_lastlog.so
-# pam_warn.so
-# pam_console.so
-# pam_resmgr.so
-# pam_devperm.so
-#
-#################################################################################
-#
-# sudoers: Check for potential harmful commands like vi, echo, cat
-#
-#################################################################################
-#
report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
@@ -1123,4 +1086,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_banners b/include/tests_banners
index 610f7cae..96e3998e 100644
--- a/include/tests_banners
+++ b/include/tests_banners
@@ -221,29 +221,9 @@
#
#################################################################################
#
-# /etc/dt/config/*/Xresources
-# /etc/default/telnetd (telnet without TCP wrappers)
-# /etc/default/ftpd (ftp without TCP wrappers)
-# /etc/ftpd/banner.msg (ftp without TCP wrappers on Solaris)
-# /etc/ftpaccess (HP-UX)
-# /etc/ftpmotd (AIX)
-# /etc/ftpaccess.ctl (AIX)
-# /etc/security/login.cfg (AIX)
-# /etc/X11/xdm/Xresources
-# /etc/X11/xdm/kdmrc
-# /etc/X11/gdm/gdm
-# /etc/vsftpd.conf
-#
-#################################################################################
-#
wait_for_keypress
#
-#################################################################################
-#
-# Notes:
-# HPUX: /etc/copyright
-#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 972855e8..5ce609f8 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -144,9 +144,6 @@
GRUBCONFFILE="/boot/grub2/grub.cfg"
fi
logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
- # YYY password check, when documentation of GRUB2 project is improved
- # YYY Add check permission check (600)
-
fi
# Some OSes like Gentoo do not have /boot mounted by default
@@ -263,7 +260,6 @@
logtext "Result: LILO password option set"
AddHP 4 4
fi
- #YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
else
logtext "Result: can not read ${LILOCONFFILE} (no permission)"
fi
@@ -318,7 +314,6 @@
if [ -f /etc/yaboot.conf ]; then
logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
- #YYY add permission check
BOOT_LOADER="YABOOT"
BOOT_LOADER_FOUND=1
else
@@ -398,11 +393,6 @@
#
#################################################################################
#
- # Test : BOOT-5166
- # Description : Check for /etc/rc.local file (and contents)
-#
-#################################################################################
-#
# Test : BOOT-5177
# Description : Check for Linux boot services (systemd and chkconfig)
# Notes : We skip using chkconfig if systemd is being used.
@@ -468,47 +458,12 @@
#
#################################################################################
#
- # Test : BOOT-5178
- # Description : Check for Linux boot services (Red Hat style)
- # if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- # Register --test-no BOOT-5178 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for unneeded Linux boot services (Red Hat style)"
- # if [ ${SKIPTEST} -eq 0 ]; then
- # N=0
- # N=`expr ${N} + 1`
-
- #* mctrans (if selinux is NOT enabled)
- #* restorecond (if selinux is NOT enabled) --> and is it really needed?
- #
- # if profile is server, warn if found:
- #* pcscd (if profile=server)
- #* avahi-daemon
- # Redhat: /etc/sysconfig/network
- # check if NOZEROCONF=yes is available
- #
- #* xfs (if /usr/bin/startx is not found)
- #
- #if [ ! -f /etc/mdadm.conf -a ! -f /etc/mdadm/mdadm.conf ]; then
- #* mdmonitor
- #
- #
- #* firstboot
- # Display warning if [ ! -f /etc/reconfigSys ]
- # AND "RUN_FIRSTBOOT=YES" is NOT in /etc/sysconfig/firstboot
- #
- #* acpid
- # Display warning if no modules are loaded (lsmod | grep -i acpi)
- #
- #
- # fi
-#
-#################################################################################
-#
# Test : BOOT-5180
# Description : Check for Linux boot services (Debian style)
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
if [ ${SKIPTEST} -eq 0 ]; then
- # YYY runlevel check
+ # Runlevel check
sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"`
if [ ! "${sRUNLEVEL}" = "" ]; then
FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
@@ -610,16 +565,6 @@
#
#################################################################################
#
- # Add autostart services, like from KDE/Gnome
- # Test : BOOT-5102
- # Description : Check for tasks which are autostarted via /etc/inittab
- #Register --test-no BOOT-5102 --weight L --network NO --description "Check inittab for services"
- #if [ ${SKIPTEST} -eq 0 ]; then
- #fi
- #YYY check against static list?
-#
-#################################################################################
-#
# Test : BOOT-5202
# Description : Check uptime of system
Register --test-no BOOT-5202 --weight L --network NO --description "Check uptime of system"
@@ -721,7 +666,6 @@
#################################################################################
#
-
report "boot_loader=${BOOT_LOADER}"
report "service_manager=${SERVICE_MANAGER}"
diff --git a/include/tests_containers b/include/tests_containers
index d6450c95..dcd4d238 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -159,7 +159,6 @@
#################################################################################
#
-
wait_for_keypress
#
diff --git a/include/tests_crypto b/include/tests_crypto
index ea69bf3c..8db5eb69 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -50,7 +50,6 @@
FOUNDPROBLEM=1
logtext "Result: certificate ${J} has been expired"
report "expired_certificate[]=${J}|unknown entity|"
- #YYY Dump more information to log file
fi
else
logtext "Result: can not read file ${J} (no permission)"
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 534132ee..f6b5e15d 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -37,7 +37,6 @@
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
- #YYY perform manual check
INETD_ACTIVE=1
else
logtext "Result: inetd is NOT running"
@@ -61,8 +60,6 @@
logtext "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
fi
- # YYY immutable bit could be set
- # YYY permission check (already set in profile)
fi
#
#################################################################################
@@ -106,15 +103,9 @@
#
#################################################################################
#
-# Check telnet in /etc/xinetd.conf
-# Check telnet in /etc/xinetd/*
-# Check running telnet daemon (telnetd)
-# rshd rlogin rexec
-# /etc/hosts.equiv
-
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_kernel b/include/tests_kernel
index a7cb4a91..15c84206 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -277,10 +277,6 @@
#
#################################################################################
#
-# YYY Check for kernel options
-#
-#################################################################################
-#
# Test : KRNL-5745
# Description : Checking FreeBSD loaded kernel modules
Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening
index 7797fa1a..cc82eb47 100644
--- a/include/tests_kernel_hardening
+++ b/include/tests_kernel_hardening
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -66,4 +66,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_ldap b/include/tests_ldap
index 551fae3a..26c35c0b 100644
--- a/include/tests_ldap
+++ b/include/tests_ldap
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -101,4 +101,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_logging b/include/tests_logging
index 7346365a..707b6948 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -36,7 +36,6 @@
# Test : LOGG-2130
# Description : Check for a running syslog daemon
- # Notes : Log which syslog daemon is found YYY
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a logging daemon"
@@ -476,12 +475,6 @@
#
#################################################################################
#
-#
-# Rsyslogd checks
-#
-#
-#################################################################################
-#
report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
report "log_rotation_tool=${LOGROTATE_TOOL}"
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index 23e75e5e..4a0bc6dc 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -48,11 +48,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${AASTATUSBINARY}" = "" ]; then
# Checking AppArmor status
- #0 if apparmor is enabled and policy is loaded.
- #1 if apparmor is not enabled/loaded.
- #2 if apparmor is enabled but no policy is loaded.
- #3 if control files are not available
- #4 if apparmor status can't be read
+ # 0 if apparmor is enabled and policy is loaded.
+ # 1 if apparmor is not enabled/loaded.
+ # 2 if apparmor is enabled but no policy is loaded.
+ # 3 if control files are not available
+ # 4 if apparmor status can't be read
FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1
@@ -187,14 +187,6 @@ report "framework_selinux=${SELINUXFOUND}"
wait_for_keypress
-# To implement:
-# FMAC (OpenSolaris, MAC)
-# LSM (Linux Security Modules)
-# TrustedBSD (MAC)
-# RSBAC (RBAC)
-# Apple sandbox technology
-# PAX
-
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging
index dc568283..b936dbb8 100644
--- a/include/tests_mail_messaging
+++ b/include/tests_mail_messaging
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -51,29 +51,6 @@
#
#################################################################################
#
- # Test : MAIL-8804
- # Description : Check Exim configuration
- #if [ ${EXIM_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration"
- #if [ ${SKIPTEST} -eq 0 ]; then
- # if [ ! "${EXIMBINARY}" = "" ]; then
- # logtext "Test: Searching Exim configuration file"
- # FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'`
- # if [ ! "${FIND}" = "" ]; then
- # Display --indent 2 --text "- Checking Exim configuration" --result FOUND --color GREEN
- # Display --indent 4 --text "Result: configuration file is ${FIND}"
- # logtext "Result: found Exim"
- # logtext "Result: configuration file is ${FIND}"
- # else
- # Display --indent 2 --text "- Checking Exim configuration" --result WARNING --color RED
- # logtext "Couldn't find the Exim configuration file, however Exim seems to be installed."
- # fi
- # else
- # logtext "Exim binary not found, no tests performed"
- # fi
-#
-#################################################################################
-#
# Test : MAIL-8814
# Description : Check Postfix process
# Notes : qmgr and pickup run under postfix uid, without full path to binary
@@ -162,26 +139,6 @@
#
#################################################################################
#
- # Test : MAIL-8842
- # Description : Check Dovecot logging locations
- #Register --test-no MAIL-8842 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot logging locations"
- #if [ ${SKIPTEST} -eq 0 ]; then
-# ParseDovecot
-# CONF="/etc/dovecot/dovecot.conf"
-# FIND=`cat ${CONF} | grep "^log_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
-# if [ ! "${FIND}" = "" ]; then
-# logtext "Result: output for error messages = ${FIND}"
-# fi
-#
-# FIND=`cat ${CONF} | grep "^log_info_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
-# if [ ! "${FIND}" = "" ]; then
-# logtext "Result: output for informational messages = ${FIND}"
-# fi
-#
-# fi
-#
-#################################################################################
-#
# Test : MAIL-8860
# Description : Check Qmail process status
Register --test-no MAIL-8860 --weight L --network NO --description "Check Qmail status"
@@ -240,23 +197,6 @@
#
#################################################################################
#
- # Test : MAIL-xxxx
- # Description : Check if outgoing mail is obscured (increased privacy)
- #Register --test-no MAIL-xxxx --weight L --network NO --description "Check XXX"
- #if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
-#
- #YYY Add support for mail, procmail
- #YYY Add support for MUAs: Thunderbird, Kmail, Evolution
- # Other software : Cyrus-IMAP, Amavisd-new, SpamAssassin, Fetchmail, Procmail, maildrop
- #- Dovecot : \'/usr/local/etc/dovecot.conf\'
- #- For Sendmail : \'/var/mail/sendmail.cf\'
- #- Fetchmail : \'~/.fetchmailrc\' (not only root)
- #- Cyrus-IMAP : \'/usr/local/etc/imapd.conf\' for parameters and \'/usr/local/etc/cyrus.conf\' for the services launched
-#
-#################################################################################
-#
report "imap_daemon=${IMAP_DAEMON}"
report "pop3_daemon=${POP3_DAEMON}"
@@ -267,4 +207,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_malware b/include/tests_malware
index 2fe22ba1..1462646c 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
-# Web site: http://cisofy.com
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -166,26 +166,20 @@
#
#################################################################################
#
-# Test : MALW-3288
-# Description : Check for ClamXav (Mac OS X)
-#
-#################################################################################
-#
- Register --test-no MALW-3288 --weight L --network NO --description "Check for ClamXav"
+ # Test : MALW-3288
+ # Description : Check for ClamXav (Mac OS X)
+ if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then
- CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
- if [ ! "${CLAMSCANBINARY}" = "" ]; then
- logtext "Result: Found ClamXav clamscan installed"
- Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
- MALWARE_SCANNER_INSTALLED=1
- AddHP 3 3
- else
- logtext "Result: ClamXav malware scanner not found"
- AddHP 0 3
- fi
+ CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
+ if [ ! "${CLAMSCANBINARY}" = "" ]; then
+ logtext "Result: Found ClamXav clamscan installed"
+ Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 3 3
else
- logtext "Result: could not find ClamXav location"
+ logtext "Result: ClamXav malware scanner not found"
+ AddHP 0 3
fi
fi
#
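Review bot: The new-side detection at `CLAMSCANBINARY=\`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'\`` parses `ls` output and accepts any directory entry whose name merely contains `clamscan`, without checking that it is an executable file, so a stray non-binary entry would still score `AddHP 3 3`. It also leaves CLAMSCANBINARY holding a bare filename rather than a path; if the variable is later used to invoke the scanner (not visible in this hunk), that would not resolve. A direct file test is both cheaper and stricter: `CLAMSCANBINARY="/Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan"` followed by `if [ -x "${CLAMSCANBINARY}" ]; then`, which keeps the existing found/not-found branches unchanged.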
@@ -196,12 +190,6 @@
#
#################################################################################
#
-#################################################################################
-#
-# Other projects: maldetect (rfxn)
-#
-#################################################################################
-#
report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
diff --git a/include/tests_memory_processes b/include/tests_memory_processes
index 4fa64c1c..fda6a32e 100644
--- a/include/tests_memory_processes
+++ b/include/tests_memory_processes
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -111,22 +111,9 @@
#
#################################################################################
#
- # Ubuntu test: dead processes
- # who -d
-#
-#################################################################################
-#
- # Test : PROC-3624
- # Description : Check shared memory (ipcs -m)
- # Notes : if it's empty, check /dev/shm and warn if any files are left behind
- #Register --test-no PROC-3614 --os Linux --weight L --network NO --description "Check shared memory"
- #if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
-#
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_nameservices b/include/tests_nameservices
index 38782a8b..6aedd833 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -233,7 +233,6 @@
else
logtext "Result: nscd is not running"
Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
- #YYY show performance suggestion if LDAP is used
fi
fi
#
@@ -263,7 +262,6 @@
Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search BIND configuration file"
- #YYY add chrooted environments
for I in ${BIND_CONFIG_LOCS}; do
if [ -f ${I}/named.conf ]; then
BIND_CONFIG_LOCATION="${I}/named.conf"
@@ -377,7 +375,6 @@
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search PowerDNS configuration file"
- #YYY add chrooted environments
for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
@@ -609,4 +606,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_networking b/include/tests_networking
index 4188c440..469a22f4 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -29,7 +29,7 @@
#
#################################################################################
#
- # Test : NETW-2704 (YYY move to nameservices section)
+ # Test : NETW-2704
# Description : Basic nameserver configuration tests (connectivity)
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then
@@ -44,7 +44,7 @@
for I in ${FIND}; do
logtext "Found nameserver: ${I}"
report "nameserver[]=${I}"
- # Check if a local resolver is available (like DNSMasq)
+ # Check if a local resolver is available (like DNSMasq)
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
fi
@@ -200,7 +200,7 @@
case ${OS} in
AIX)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
- # IPv6 support in AIX? (YYY)
+ FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
DragonFly|FreeBSD|NetBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
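Review bot: The added AIX line `FIND2=\`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'\`` copies the inet pattern, but I believe AIX `ifconfig -a` prints IPv6 addresses with scope and prefix suffixes (something like `::1%1/64`), in which case FIND2 would carry the suffix into whatever consumes it; please verify against real AIX output and, if so, strip with `sed 's/%.*//; s/\/.*//'` as the other arms presumably do for their own formats. The enclosing `case ${OS}` and the consumers of FIND2 lie outside this hunk, so whether the suffix matters downstream cannot be confirmed here.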
@@ -473,8 +473,6 @@
IsRunning dhclient
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
- #YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
- #report "manual[]=System is running DHCP client"
DHCP_CLIENT_RUNNING=1
else
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
@@ -483,24 +481,10 @@
#
#################################################################################
#
- # Test : NETW-3060
- # Description : Check if IPv6 is configured AND used
- # /etc/modprobe.d (add 'install ipv6 /bin/true' if IPv6 isn't used)
- # or
- # aliased (/etc/modprobe.d/aliases?): alias net-pf-10 off ipv6 (to disable)
- #Register --test-no NETW-3060 --weight L --network NO --description "Checking IPv6 connectivity"
- #if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
-#
-# Linux: net.ipv4.ip_always_defrag
-#
-#################################################################################
-#
report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_php b/include/tests_php
index 8a7db951..d4e842c8 100644
--- a/include/tests_php
+++ b/include/tests_php
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -252,37 +252,13 @@
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2
fi
- #YYY Check through all files
fi
#
#################################################################################
#
-# Disable/use functions:
-# safe_mode (only for PHP5?)
-# open_basedir (limits access to defined directory, comparable with chrooting)
-# disable_classes
-# session.save_path
-# session.referer_check
-# upload_tmp_dir
-# file_uploads Off, if possible
-# Set display_errors to Off
-# Set log_errors to On and define error_log (with value Syslog or a filename)
-#
-#################################################################################
-#
- # mod_suexec
- # suPHP (/etc/suphp.conf)
-#
-#################################################################################
-#
- # Test : PHP-2388
- # Description : Check php version number
-#
-#################################################################################
-#
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 23a66584..8143113a 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -79,35 +79,6 @@
#
#################################################################################
#
-# Temporary disabled due false positives
-# Packages like docbook, gcc, automake report multiple installed versions
-# # Test : PKGS-7303
-# # Description : Query FreeBSD pkg_info
-# if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD for double installed packages"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
-# if [ "${SDOUBLEINSTALLED}" = "" ]; then
-# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result OK --color GREEN
-# logtext "Ok, no packages show up twice or more in the package listing."
-# else
-# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result WARNING --color RED
-# for J in ${SDOUBLEINSTALLED}; do
-# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
-# logtext "This package ${J} is visible twice or more in the pkg_info listing."
-# ReportSuggestion ${TEST_NO} "(FreeBSD) run pkgdb -F and check this manually."
-# ReportSuggestion ${TEST_NO} "(OpenBSD) check dependencies to see if one of the double "
-# logtext "installed packages is unneeded."
-# report "double_installed_package[]=${J}"
-# done
-# fi
-# else
-# Display --indent 4 --text "- Searching pkg_info" --result "NOT FOUND" --color WHITE
-# logtext "Result: pkg_info can NOT be found on this system"
-# fi
-#
-#################################################################################
-#
# Test : PKGS-7304
# Description : Gentoo packages
if [ -x /usr/bin/emerge -a -x /usr/bin/equery ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -152,7 +123,6 @@
logtext "Result: pkginfo can NOT be found on this system"
fi
#
-#
#################################################################################
#
# Test : PKGS-7308
@@ -202,7 +172,6 @@
if [ "${SPACKAGES}" = "" ]; then
logtext "Result: pacman binary available, but package list seems to be empty"
logtext "Info: looks like the pacman binary is installed, but not used for package installation"
- #YYY ReportException?
else
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
@@ -380,7 +349,7 @@
fi
#
#################################################################################
-
+#
# Test : PKGS-7348
# Description : Show unneeded distfiles if present
# Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
@@ -540,7 +509,6 @@
if [ "${FIND}" = "" ]; then
logtext "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
- # Don't check yet, output of found vulnerable packages unclear (YYY)
else
logtext "Result: ${FIND}"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
@@ -1015,21 +983,6 @@
#
#################################################################################
#
- # Test : PKGS-7414
- # Description : Check installonly_limit in yum.conf
-#
-#################################################################################
-#
- # Test : PKGS-7416
- # Description : Check for popularity-contest (Debian/Ubuntu)
-#
-#################################################################################
-#
- # Test : PKGS-7418
- # Description : Check for yum-changelog
-#
-#################################################################################
-#
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
report "installed_packages_array=${INSTALLED_PACKAGES}"
@@ -1043,4 +996,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com