github.com/CISOfy/lynis.git
path: root/dev
author    mboelen <michael@cisofy.com>  2014-08-26 19:33:55 +0400
committer mboelen <michael@cisofy.com>  2014-08-26 19:33:55 +0400
commit    c0ae2e217b7f1fb0171017ce5afb8eb8898470db (patch)
tree      545aa150c35c5fb74d7bb4c2d3b0ae41cfa7b4e5 /dev
Initial import
Diffstat (limited to 'dev')
-rw-r--r--  dev/README              9
-rw-r--r--  dev/TODO              114
-rwxr-xr-x  dev/build-lynis.sh    138
-rwxr-xr-x  dev/check-lynis.sh      4
-rw-r--r--  dev/files.dat          33
-rw-r--r--  dev/openbsd/+CONTENTS  90
6 files changed, 388 insertions, 0 deletions
diff --git a/dev/README b/dev/README
new file mode 100644
index 00000000..c51df06f
--- /dev/null
+++ b/dev/README
@@ -0,0 +1,9 @@
+
+================================================================================
+
+ This directory contains tools for:
+ - Easy building customized packages
+ - Integrity checks and tools
+ - Development tools
+
+================================================================================ \ No newline at end of file
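Review bot: the file ends without a trailing newline (the `\ No newline at end of file` marker on the last `====` line); add one so `cat`/`diff` output stays clean, and while touching it reword ` - Easy building customized packages` to ` - Easy building of customized packages`.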
diff --git a/dev/TODO b/dev/TODO
new file mode 100644
index 00000000..c9229e1c
--- /dev/null
+++ b/dev/TODO
@@ -0,0 +1,114 @@
+
+================================================================================
+
+ Lynis - To Do
+
+================================================================================
+
+ Author: Michael Boelen (michael@rootkit.nl)
+ Description: Security and system auditing tool
+ Website: http://www.rootkit.nl/projects/lynis.html
+ Support policy: See section 'Support' (README file)
+ Documentation: See web site, README, FAQ and CHANGELOG file
+
+================================================================================
+
+
+[+] Open issues
+-------------------------------
+
+
+[+] Project
+-------------------------------
+
+
+[+] General
+-------------------------------
+ - Activate warning when default profile is being used
+ - Add list of manual audit items, depending on performed tests
+ - Replace awk instances with ${AWKBINARY}
+
+
+[+] Forensics
+-------------------------------
+ - Add MD5/SHA1 database
+
+
+[+] Generic Tests
+-------------------------------
+ - NFS: Check if there is no localhost line in the /etc/export file
+ - Check /etc/crontab entries (permissions, locations)
+ - Search for all setuid/setgid files and compare against baseline
+ - Skel: Red Hat files are hidden, check with ls -al?
+ - Add MacOS X test for /tmp dir (or redirect location of symlink)
+ - Samba: make sure it does listen only at one interface (not at WAN)
+ - Cleanup some tests by combining options (like NETW-3006)
+ - Check for latest versions of programs
+ - Check if multiple users have group '0'
+ - When using --quiet, use long warnings instead of default lines
+ - Don't show section headers when using --tests
+ - Show Last logon dates for user accounts
+ - Show passwords 30 days or older / trivial passwords / password shadowing
+ - Show duplicate usernames, UIDs and GIDs
+ - System wide policies including: default files creation mask, login timeout intervals, lockout durations...
+ - Permissions on selected sensitive files / directories
+
+
+[+] Applications
+-------------------------------
+ - Debian/Ubuntu: check if apt-listbugs is installed
+
+[+] Databases
+-------------------------------
+ - Warn if MySQL is running on a network interface
+ - Check for empty root login
+ - Check Oracle things (tm)
+
+
+[+] Programming languages/interfaces
+-------------------------------
+ - Paranoid option: set binaries to 750 for perl, python, ruby, cc, gcc, *cc* etc
+
+
+[+] DNS
+-------------------------------
+ - Bind: check if version is disabled
+
+
+[+] Firewalls
+-------------------------------
+ - iptables: show chain numbers when rules are unused
+
+
+[+] Shell/interface/X
+-------------------------------
+ - Check for autolog or timeoutd package
+
+
+[+] MTA
+-------------------------------
+ - Sendmail: check banner, check file permissions of configuration files
+ - Exim: check banner
+ - SMTP (if running): check if a version shows up in banner
+
+
+[+] Printers/spools
+-------------------------------
+ - Printcap consistency check for Linux/Solaris/MacOS
+
+
+[+] Tomcat
+-------------------------------
+ - Check if iptables has rules for port 8080, 8009, 8443
+ - Check if /WEB-INF/ and /META-INF/ are denied in httpd.conf
+
+[+] Reporting
+-------------------------------
+ - Add possibility to mail directly (instead of log to file)
+ - Find audit templates for reporting (direct post to webserver?)
+ - Allow bonus points, however check a maximum index score of 100
+
+
+================================================================================
+ Lynis - Copyright 2007-2013, Michael Boelen - The Netherlands
+ http://www.rootkit.nl
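Review bot: the contact block is stale for this import: `Author: Michael Boelen (michael@rootkit.nl)` and `Website: http://www.rootkit.nl/projects/lynis.html` still point at rootkit.nl while the commit itself is signed michael@cisofy.com, and the footer `Copyright 2007-2013` ends a year before this 2014 commit; update these lines or drop the duplicated header/footer from TODO and keep it in README only. In the Forensics section, ` - Add MD5/SHA1 database` should specify a collision-resistant digest (SHA-256 or stronger) if the database is meant as an integrity baseline, since MD5 and SHA-1 collisions are practical and an attacker can craft a replacement file with a matching digest.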
diff --git a/dev/build-lynis.sh b/dev/build-lynis.sh
new file mode 100755
index 00000000..6ecd8988
--- /dev/null
+++ b/dev/build-lynis.sh
@@ -0,0 +1,138 @@
+#!/bin/sh
+
+#########################################################################
+#
+# Builds Lynis distribution
+#
+# Usage: this script creates Lynis builds
+#
+# *** NOTE ***
+# This script is not fully functional yet, several options like digital
+# signing, RPM/DEB package creation are missing.
+#
+#########################################################################
+#
+# Options:
+
+ # Umask used when creating files/directories
+ OPTION_UMASK="027"
+
+ # Directory name used to create package related directories (like /usr/local/include/lynis)
+ OPTION_PACKAGE_DIRNAME="lynis"
+
+ # Binary to test
+ OPTION_BINARY_FILE="../lynis"
+
+#
+#########################################################################
+#
+# Functions:
+
+ # Clean temporary files up
+ CleanUp()
+ {
+ if [ ! ${TMPDIR} = "" -a -d ${TMPDIR} ]; then
+ rm -rf ${TMPDIR}
+ fi
+ }
+
+#
+#########################################################################
+#
+
+ # Clean files up if we get interrupted
+ trap CleanUp INT
+
+#
+#########################################################################
+#
+
+# Set umask
+ echo -n "- Setting umask to ${OPTION_UMASK} "
+ umask ${OPTION_UMASK}
+ if [ $? -eq 0 ]; then
+ echo "OK"
+ else
+ echo "BAD"
+ exit 1
+ fi
+
+#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ # Build root
+ echo -n "- Creating BUILDROOT "
+ TMPDIR=`mktemp -d /tmp/lynis-BUILDROOT.XXXX`
+ if [ $? -eq 0 ]; then
+ echo "OK"
+ echo " BUILDROOT: ${TMPDIR}"
+ else
+ echo "BAD"
+ exit 1
+ fi
+
+#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ # Test script for errors
+ echo -n "- Test Lynis script "
+
+ # Is file there?
+ if [ ! -f ${OPTION_BINARY_FILE} ]; then echo "BAD (can't find ${OPTION_BINARY_FILE})"; exit 1; fi
+
+ # Check script
+ FIND=`sh -n ${OPTION_BINARY_FILE} ; echo $?`
+ if [ $FIND -eq 0 ]; then
+ echo "OK"
+ else
+ echo "BAD"
+ fi
+
+#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ # Create SHA1 hashes
+ echo -n "- Create SHA1 hashes "
+ SHA1HASH_LYNIS=`grep -v '^#' ${OPTION_BINARY_FILE} | sha1`
+ echo "DONE"
+ echo " Lynis (SHA1): ${SHA1HASH_LYNIS}"
+
+ # Add hashes to script
+ echo -n "- Injecting SHA1 hash into Lynis script "
+ echo "-NOT DONE-"
+
+#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ echo -n "- Cleaning up OpenBSD package build... "
+ if [ -f openbsd/+CONTENTS ]; then rm openbsd/+CONTENTS; fi
+ echo "DONE"
+ OPENBSD_CONTENTS="openbsd/+CONTENTS"
+
+#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ echo -n "- Creating MD5 hashes..."
+ PACKAGE_LIST_FILES=`cat files.dat | grep "^file:" | cut -d ':' -f3`
+
+ for I in ${PACKAGE_LIST_FILES}; do
+
+ echo -n "${I} "
+ #FULLNAME=`cat files.dat | grep ":file:include:
+ #echo "${FULLNAME}" >> ${OPENBSD_CONTENTS}
+ echo "${I}" >> ${OPENBSD_CONTENTS}
+ FILE="../${I}"
+ MD5HASH=`md5 -q ${FILE}`
+ echo "@md5 ${MD5HASH}" >> ${OPENBSD_CONTENTS}
+ echo "@size 0000" >> ${OPENBSD_CONTENTS}
+ done
+ echo ""
+
+#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ echo -n "- Cleaning up... "
+
+ # Clean up our mess
+ CleanUp
+
+ echo "DONE"
+
+#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+# The End!
+
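Review bot: `trap CleanUp INT` is installed before `TMPDIR` is assigned by `mktemp`, and `TMPDIR` is also a standard environment variable honoured by many tools, so an interrupt before the build root exists runs `rm -rf ${TMPDIR}` on whatever temporary directory the caller's environment names; with `TMPDIR` unset, the unquoted test `[ ! ${TMPDIR} = "" -a -d ${TMPDIR} ]` is a syntax error instead. Use a script-specific variable such as `BUILDROOT`, initialise it to empty before the trap, quote it (`[ -n "${BUILDROOT}" ] && [ -d "${BUILDROOT}" ]`) and trap `EXIT` as well as `INT` so the build root is removed on normal exit too. Smaller points in the same hunk: the `sh -n` check prints `BAD` but never exits, so a syntax error in `../lynis` still yields a package (add `exit 1` after `echo "BAD"`); `sha1` and `md5 -q` are BSD/macOS commands and do not exist on Linux (`sha1sum`/`md5sum`); `echo -n` is not portable in POSIX `sh`; and `echo "@size 0000"` writes placeholder sizes into `+CONTENTS` rather than the real file size.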
diff --git a/dev/check-lynis.sh b/dev/check-lynis.sh
new file mode 100755
index 00000000..855f3577
--- /dev/null
+++ b/dev/check-lynis.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# Check for double ID numbers
+grep -r Register .. | awk '{ if($2=="Register") { print $4 } }' | sort | uniq -c | awk '{ if ($1!=1) { print $2 } }'
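Review bot: `grep -r Register ..` walks the whole checkout (including `dev/`, `.git/` and the documentation), so any line whose second whitespace-separated field happens to be `Register` is counted, and the script exits 0 whether or not duplicate IDs are found. Narrow the search to the test definitions (`grep -r 'Register --test-no' ../include`, which keeps the `file:` prefix so the `awk` field numbers still hold) and exit non-zero when the final `awk` prints anything, so the check can gate a build instead of only informing a reader.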
diff --git a/dev/files.dat b/dev/files.dat
new file mode 100644
index 00000000..1e46d3a7
--- /dev/null
+++ b/dev/files.dat
@@ -0,0 +1,33 @@
+file/dir:type:filename:prefix:filename
+file:doc:CHANGELOG:CHANGELOG
+file:doc:FAQ:FAQ
+file:doc:INSTALL:INSTALL
+file:doc:LICENSE:LICENSE
+file:doc:README:README
+file:doc:TODO:TODO
+file:example:default.prf:default.prf
+file:bin:lynis:/usr/bin:lynis
+file:man:lynis.8:lynis.8
+dir:extra:contrib:contrib
+dir:include:include::/usr/local:include
+file:include:include/functions:/usr/local:include/lynis/functions
+file:include:include/osdetection:/usr/local:include/lynis/osdetection
+file:include:include/consts:/usr/local:include/lynis/consts
+file:include:include/parameters:/usr/local:include/lynis/parameters
+file:include:include/profiles:/usr/local:include/lynis/profiles
+file:include:include/tests_ports_packages:/usr/local:include/lynis/tests_ports_packages
+file:include:include/tests_boot_services:/usr/local:include/lynis/tests_boot_services
+file:include:include/tests_filesystems:/usr/local:include/lynis/tests_filesystems
+file:include:include/tests_networking:/usr/local:include/lynis/tests_networking
+file:include:include/tests_memory_processes:/usr/local:include/lynis/tests_memory_processes
+file:include:include/tests_kernel:/usr/local:include/lynis/tests_kernel
+file:include:include/tests_logging:/usr/local:include/lynis/tests_logging
+file:include:include/tests_authentication:/usr/local:include/lynis/tests_authentication
+file:include:include/tests_firewalls:/usr/local:include/lynis/tests_firewalls
+file:include:include/tests_homedirs:/usr/local:include/lynis/tests_homedirs
+file:include:include/tests_shells:/usr/local:include/lynis/tests_shells
+file:include:include/tests_printers_spools:/usr/local:include/lynis/tests_printers_spools
+file:include:include/tests_file_integrity:/usr/local:include/lynis/tests_file_integrity
+file:include:include/tests_accounting:/usr/local:include/lynis/tests_accounting
+file:include:include/tests_banners:/usr/local:include/lynis/tests_banners
+file:include:include/tests_mail_messaging:/usr/local:include/lynis/tests_mail_messaging
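Review bot: the header `file/dir:type:filename:prefix:filename` promises five colon-separated fields, but most rows have four (no prefix), `file:bin:lynis:/usr/bin:lynis` and the `include` rows have five, and `dir:include:include::/usr/local:include` has six with an empty field; `build-lynis.sh` only gets away with this because it reads field 3 alone. Give every row the same shape (an empty prefix field where there is none, e.g. `file:doc:CHANGELOG::CHANGELOG`) or document which fields are optional, so a later `cut -f4`/`-f5` does not silently pick the wrong column.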
diff --git a/dev/openbsd/+CONTENTS b/dev/openbsd/+CONTENTS
new file mode 100644
index 00000000..d8da54ed
--- /dev/null
+++ b/dev/openbsd/+CONTENTS
@@ -0,0 +1,90 @@
+CHANGELOG
+@md5 7e0ad05581d32d6051a3e22ef297e81d
+@size 0000
+FAQ
+@md5 b1e44a42bad55941868a743b24d01d8b
+@size 0000
+INSTALL
+@md5 a1574195ee66d7cf8b9947de2cce6ab4
+@size 0000
+LICENSE
+@md5 d32239bcb673463ab874e80d47fae504
+@size 0000
+README
+@md5 d46ffad53300d044ba02a037a7255ee8
+@size 0000
+TODO
+@md5 3486e35f6c705d8ea1e34c4a66ec7046
+@size 0000
+default.prf
+@md5 63e7765073d12b3b177a3587e3a4d6e4
+@size 0000
+lynis
+@md5 aab4c29e3f3dbcbf71b320b476b91c94
+@size 0000
+lynis.8
+@md5 604d717b4671972f7d53350f6efd1f10
+@size 0000
+include/functions
+@md5 cc8fd64fc868251453e54305ebd71b58
+@size 0000
+include/osdetection
+@md5 92fa7e249e65271a450bbb523cd36ce9
+@size 0000
+include/consts
+@md5 a39c3101c95bde6556374e4d8d4992d7
+@size 0000
+include/parameters
+@md5 4d983d717a62276b4e7df8b04b423ca2
+@size 0000
+include/profiles
+@md5 1781be3989c4f42aeb77656a7885bedd
+@size 0000
+include/tests_ports_packages
+@md5 d1754a6365ff04acbfacbb0208e2bb57
+@size 0000
+include/tests_boot_services
+@md5 746100f95e83097ab3f52f2a0287980b
+@size 0000
+include/tests_filesystems
+@md5 b5257d89440fa06f170dfb9bd35cb5fe
+@size 0000
+include/tests_networking
+@md5 0b4d329f118a1845abce2af6b7b19b25
+@size 0000
+include/tests_memory_processes
+@md5 b0e1df62f87bfc08bea1c21f4762c0ff
+@size 0000
+include/tests_kernel
+@md5 2ca3f7ec1924854e1076bebbdc654928
+@size 0000
+include/tests_logging
+@md5 9993368b9616248195ef350b470a7768
+@size 0000
+include/tests_authentication
+@md5 18b810aa4a87fde400b2da127edd2d04
+@size 0000
+include/tests_firewalls
+@md5 c12c6014b844595f866a76545c8c9893
+@size 0000
+include/tests_homedirs
+@md5 44760dd3a0ca3a8c665356b2c2028fc9
+@size 0000
+include/tests_shells
+@md5 489667c1fb7c12c3fa3dcef19ce45ebb
+@size 0000
+include/tests_printers_spools
+@md5 3c151550ff48df8e913b0b74a4fd1f2b
+@size 0000
+include/tests_file_integrity
+@md5 794ad1c924b23d0a808035961f47023c
+@size 0000
+include/tests_accounting
+@md5 1808a389d1b5ba8c6e708978839eb3d1
+@size 0000
+include/tests_banners
+@md5 6449b7069a4a08b83daa685e100b316e
+@size 0000
+include/tests_mail_messaging
+@md5 8424dab66b29ea5270bccbfc9dbd4cb2
+@size 0000
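Review bot: this file is a build artefact that `build-lynis.sh` deletes and regenerates on every run, so committing it guarantees the checked-in hashes drift from the sources; keep it out of the repository and produce it in the build only. If it stays, the `@size 0000` lines are placeholders rather than real sizes, and current OpenBSD package tools record `@sha` (SHA-256) entries rather than `@md5`, so the generator should emit the stronger digest with actual sizes.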