-rw-r--r-- | dev/TODO | 114 | ||||
-rw-r--r-- | extras/README (renamed from dev/README) | 0 | ||||
-rw-r--r-- | extras/bash_completion.d/lynis (renamed from dev/bash_completion.d/lynis) | 0 | ||||
-rwxr-xr-x | extras/build-lynis.sh (renamed from dev/build-lynis.sh) | 0 | ||||
-rwxr-xr-x | extras/check-lynis.sh (renamed from dev/check-lynis.sh) | 0 | ||||
-rw-r--r-- | extras/files.dat (renamed from dev/files.dat) | 0 | ||||
-rw-r--r-- | extras/lynis.spec (renamed from dev/lynis.spec) | 0 | ||||
-rw-r--r-- | extras/openbsd/+CONTENTS (renamed from dev/openbsd/+CONTENTS) | 0 | ||||
-rw-r--r-- | extras/systemd/lynis.service | 23 | ||||
-rw-r--r-- | extras/systemd/lynis.timer | 23 |
10 files changed, 46 insertions, 114 deletions
diff --git a/dev/TODO b/dev/TODO
deleted file mode 100644
index c9229e1c..00000000
--- a/dev/TODO
+++ /dev/null
@@ -1,114 +0,0 @@ - -================================================================================ - - Lynis - To Do - -================================================================================ - - Author: Michael Boelen (michael@rootkit.nl) - Description: Security and system auditing tool - Website: http://www.rootkit.nl/projects/lynis.html - Support policy: See section 'Support' (README file) - Documentation: See web site, README, FAQ and CHANGELOG file - -================================================================================ - - -[+] Open issues -------------------------------- - - -[+] Project -------------------------------- - - -[+] General -------------------------------- - - Activate warning when default profile is being used - - Add list of manual audit items, depending on performed tests - - Replace awk instances with ${AWKBINARY} - - -[+] Forensics -------------------------------- - - Add MD5/SHA1 database - - -[+] Generic Tests -------------------------------- - - NFS: Check if there is no localhost line in the /etc/export file - - Check /etc/crontab entries (permissions, locations) - - Search for all setuid/setgid files and compare against baseline - - Skel: Red Hat files are hidden, check with ls -al? - - Add MacOS X test for /tmp dir (or redirect location of symlink) - - Samba: make sure it does listen only at one interface (not at WAN) - - Cleanup some tests by combining options (like NETW-3006) - - Check for latest versions of programs - - Check if multiple users have group '0' - - When using --quiet, use long warnings instead of default lines - - Don't show section headers when using --tests - - Show Last logon dates for user accounts - - Show passwords 30 days or older / trivial passwords / password shadowing - - Show duplicate usernames, UIDs and GIDs - - System wide policies including: default files creation mask, login timeout intervals, lockout durations... 
- - Permissions on selected sensitive files / directories - - -[+] Applications -------------------------------- - - Debian/Ubuntu: check if apt-listbugs is installed - -[+] Databases -------------------------------- - - Warn if MySQL is running on a network interface - - Check for empty root login - - Check Oracle things (tm) - - -[+] Programming languages/interfaces -------------------------------- - - Paranoid option: set binaries to 750 for perl, python, ruby, cc, gcc, *cc* etc - - -[+] DNS -------------------------------- - - Bind: check if version is disabled - - -[+] Firewalls -------------------------------- - - iptables: show chain numbers when rules are unused - - -[+] Shell/interface/X -------------------------------- - - Check for autolog or timeoutd package - - -[+] MTA -------------------------------- - - Sendmail: check banner, check file permissions of configuration files - - Exim: check banner - - SMTP (if running): check if a version shows up in banner - - -[+] Printers/spools -------------------------------- - - Printcap consistency check for Linux/Solaris/MacOS - - -[+] Tomcat -------------------------------- - - Check if iptables has rules for port 8080, 8009, 8443 - - Check if /WEB-INF/ and /META-INF/ are denied in httpd.conf - -[+] Reporting -------------------------------- - - Add possibility to mail directly (instead of log to file) - - Find audit templates for reporting (direct post to webserver?) - - Allow bonus points, however check a maximum index score of 100 - - -================================================================================ - Lynis - Copyright 2007-2013, Michael Boelen - The Netherlands - http://www.rootkit.nl diff --git a/dev/README b/extras/README index c51df06f..c51df06f 100644 --- a/dev/README +++ b/extras/README diff --git a/dev/bash_completion.d/lynis b/extras/bash_completion.d/lynis index 1492b032..1492b032 100644 --- a/dev/bash_completion.d/lynis +++ b/extras/bash_completion.d/lynis 
diff --git a/dev/build-lynis.sh b/extras/build-lynis.sh
index 7d2dd826..7d2dd826 100755
--- a/dev/build-lynis.sh
+++ b/extras/build-lynis.sh
diff --git a/dev/check-lynis.sh b/extras/check-lynis.sh
index 855f3577..855f3577 100755
--- a/dev/check-lynis.sh
+++ b/extras/check-lynis.sh
diff --git a/dev/files.dat b/extras/files.dat
index 1e46d3a7..1e46d3a7 100644
--- a/dev/files.dat
+++ b/extras/files.dat
diff --git a/dev/lynis.spec b/extras/lynis.spec
index 997a386f..997a386f 100644
--- a/dev/lynis.spec
+++ b/extras/lynis.spec
diff --git a/dev/openbsd/+CONTENTS b/extras/openbsd/+CONTENTS
index d8da54ed..d8da54ed 100644
--- a/dev/openbsd/+CONTENTS
+++ b/extras/openbsd/+CONTENTS
diff --git a/extras/systemd/lynis.service b/extras/systemd/lynis.service
new file mode 100644
index 00000000..e7acdabc
--- /dev/null
+++ b/extras/systemd/lynis.service
@@ -0,0 +1,23 @@
+#################################################################################
+#
+# Lynis service file for systemd
+#
+#################################################################################
+#
+# - Adjust path to link to location where Lynis binary is installed
+# - Place this file together with the timer file in systemd directory
+# - Run: systemctl enable lynis.service
+#
+#################################################################################
+
+[Unit]
+Description=Lynis security audit and vulnerability scan
+
+[Service]
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+Type=simple
+ExecStart=/path/to/lynis -c --cronjob
+
+#EOF
\ No newline at end of file
diff --git a/extras/systemd/lynis.timer b/extras/systemd/lynis.timer
new file mode 100644
index 00000000..e0490834
--- /dev/null
+++ b/extras/systemd/lynis.timer
@@ -0,0 +1,23 @@
+#################################################################################
+#
+# Lynis timer file for systemd
+#
+#################################################################################
+#
+# - Place this file together with the service file in systemd directory
+# - Run: systemctl enable lynis.timer
+# systemctl start lynis.service
+#
+#################################################################################
+
+[Unit]
+Description=Daily run for Lynis security audit and vulnerability scan
+
+[Timer]
+OnCalendar=daily
+Persistent=false
+
+[Install]
+WantedBy=timers.target
+
+#EOF
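Review bot: In extras/systemd/lynis.service the header comment tells the admin to run `systemctl enable lynis.service`, but the unit has no `[Install]` section, so enabling it has nothing to install. The unit appears meant to be activated by lynis.timer, so the comment should read `# - Run: systemctl enable lynis.timer`. `Type=simple` suits a long-running daemon; for an audit that runs to completion `Type=oneshot` lets systemd record the run as finished or failed. No `User=` is set, so when installed as a system unit the scan runs as root; the comment about adjusting `/path/to/lynis` should add that the install location must be root-owned and not group- or world-writable.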
\ No newline at end of file |
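Review bot: In extras/systemd/lynis.timer the install steps in the header end with `systemctl start lynis.service`, which runs one audit immediately but leaves the timer inactive until the next boot. That line should name the timer instead: `systemctl start lynis.timer`. `Persistent=false` means a run missed while the host was powered off is skipped rather than caught up at the next start, which leaves silent gaps in audit coverage on machines that are not always on. `Persistent=true` is the safer default for a scheduled security scan.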