
github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
-rw-r--r--include/helper_audit_dockerfile8
-rw-r--r--include/tests_accounting2
-rw-r--r--include/tests_authentication4
-rw-r--r--include/tests_banners2
-rw-r--r--include/tests_boot_services2
-rw-r--r--include/tests_databases2
-rw-r--r--include/tests_filesystems4
-rw-r--r--include/tests_firewalls6
-rw-r--r--include/tests_kernel2
-rw-r--r--include/tests_logging8
-rw-r--r--include/tests_nameservices6
-rw-r--r--include/tests_networking8
-rw-r--r--include/tests_ports_packages10
-rw-r--r--include/tests_shells2
-rw-r--r--include/tests_squid2
-rw-r--r--include/tests_time2
-rwxr-xr-xlynis4
17 files changed, 37 insertions, 37 deletions
diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile
index cabb9e92..faf1ab98 100644
--- a/include/helper_audit_dockerfile
+++ b/include/helper_audit_dockerfile
@@ -97,7 +97,7 @@ InsertSection "Basics"
FIND=`egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g'`
if [ "${FIND}" = "" ]; then
- ReportWarning "dockerfile" "L" "No maintainer found. Unclear who created this file."
+ ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
else
MAINTAINER=`echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}'`
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
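Review bot: The definition of ReportWarning is not touched by this commit (none of the 17 files in the diffstat appears to be the functions library), so the two-argument call on the added `ReportWarning "dockerfile" "No maintainer found. ..."` line is only correct if the function already treats its second argument as the message. If it still reads the text from the third positional parameter, every warning changed here would be reported with the message in the severity slot and an empty text. The same applies to every other ReportWarning hunk in this commit, including the two in `lynis`, so confirm the function accepts the new form or change it in the same commit. A one-line comment above the function, e.g. `# Usage: ReportWarning <test-id> <message>`, would document the new signature.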
@@ -125,7 +125,7 @@ InsertSection "Basics"
FIND=`egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#"`
if [ ! "${FIND}" = "" ]; then
- ReportWarning "dockerfile" "L" "Possible development utilities found, which is not advised for production environment"
+ ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment"
LogText "Details: ${FIND}"
fi
@@ -160,7 +160,7 @@ InsertSection "Basics"
FIND=`grep "^ADD http" ${AUDIT_FILE}`
if [ ! "${FIND}" = "" ]; then
FILE_DOWNLOAD=1
- ReportWarning "dockerfile" "L" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
+ ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
LogText "Details: ${FIND}"
fi
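Review bot: The `grep "^ADD http" ${AUDIT_FILE}` match that feeds this warning is case-sensitive and anchored at column 0, so a lowercase or indented `add http://...` instruction, which Docker accepts, is not reported. The fourth hunk already uses `grep -i`; something like `grep -iE "^[[:space:]]*ADD[[:space:]]+https?://" "${AUDIT_FILE}"` would be consistent with it and also quotes the file name. The same anchoring applies to the `^MAINTAINER` check in the first hunk.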
@@ -193,7 +193,7 @@ InsertSection "Basics"
FIND=`grep -i "chmod 777" ${AUDIT_FILE}`
if [ ! "${FIND}" = "" ]; then
- ReportWarning "dockerfile" "L" "Warning: chmod 777 found"
+ ReportWarning "dockerfile" "Warning: chmod 777 found"
fi
#
##################################################################################################
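Review bot: `grep -i "chmod 777"` only matches that exact spelling, so `chmod 0777`, `chmod -R 777` and symbolic forms such as `a+rwx` pass without a warning, while a commented-out line triggers one. A broader pattern such as `grep -iE "chmod[[:space:]]+(-[a-z]+[[:space:]]+)*0?777" "${AUDIT_FILE}" | grep -v "^[[:space:]]*#"` covers the numeric variants. The message could also drop the redundant "Warning:" prefix, and the match could be logged with `LogText "Details: ${FIND}"` as the earlier hunks do.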
diff --git a/include/tests_accounting b/include/tests_accounting
index 70b43450..c7ee1316 100644
--- a/include/tests_accounting
+++ b/include/tests_accounting
@@ -235,7 +235,7 @@
else
LogText "Result: no log file found"
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk"
+ ReportWarning ${TEST_NO} "Auditd log file is defined but can not be found on disk"
fi
fi
#
diff --git a/include/tests_authentication b/include/tests_authentication
index 1b873f30..321c1283 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -782,7 +782,7 @@
else
LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
+ ReportWarning ${TEST_NO} "No password needed for single user mode login"
AddHP 0 1
fi
else
@@ -891,7 +891,7 @@
if [ ${FOUND} -eq 0 ]; then
LogText "Result: option not set, no password needed at single user mode boot"
Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "L" "No password set for single mode"
+ ReportWarning ${TEST_NO} "No password set for single mode"
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
AddHP 0 2
else
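Review bot: The warning text on the added line reads "single mode", while the LogText, Display and ReportSuggestion lines around it all say "single user mode"; `ReportWarning ${TEST_NO} "No password set for single user mode"` would match them. The report text is what an operator searches for, so the consistent term is worth having. The enclosing if/else continues outside this hunk.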
diff --git a/include/tests_banners b/include/tests_banners
index d25fc4d4..398fe28a 100644
--- a/include/tests_banners
+++ b/include/tests_banners
@@ -75,7 +75,7 @@
# if IsWorldWritable /etc/motd; then
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_WARNING}" --color RED
# LogText "Result: /etc/motd is world writable. Users can change this file!"
- # ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
+ # ReportWarning ${TEST_NO} "/etc/motd is world writable"
# else
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_OK}" --color GREEN
# LogText "Result: /etc/motd is not world writable."
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 7cc6615d..cd431cab 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -658,7 +658,7 @@
LogText "Test: Checking ${CHECKFILE} file for writable bit"
if IsWorldWritable ${CHECKFILE}; then
FOUND=1
- ReportWarning ${TEST_NO} "H" "Found writable startup script ${CHECKFILE}"
+ ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
LogText "Result: warning, file ${CHECKFILE} is world writable"
else
LogText "Result: good, file ${CHECKFILE} not world writable"
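Review bot: The added warning says "writable" although the condition is `IsWorldWritable` and the log line below says "world writable"; `ReportWarning ${TEST_NO} "Found world-writable startup script ${CHECKFILE}"` tells the operator which permission bit to remove. `${CHECKFILE}` is also passed unquoted to `IsWorldWritable`, so a path containing whitespace would be split; `if IsWorldWritable "${CHECKFILE}"; then` avoids that.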
diff --git a/include/tests_databases b/include/tests_databases
index 33315d13..cc459aeb 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -76,7 +76,7 @@
FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
LogText "Result: Login succeeded, no MySQL root password set!"
- ReportWarning ${TEST_NO} "H" "No MySQL root password set"
+ ReportWarning ${TEST_NO} "No MySQL root password set"
Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
AddHP 0 5
else
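Review bot: The login result is taken from `echo $?` inside the command substitution, so FIND also contains anything the client writes to stdout; in that case the comparison with "0" fails and an empty root password goes unreported. Testing the exit status directly is more robust: `if ${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" > /dev/null 2>&1; then`. The attempt presumably reaches only the client's default host and socket, which is worth a comment above the test. The else branch continues outside this hunk.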
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 56bf5152..eb2f56ea 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -283,7 +283,7 @@
else
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
- #ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
+ #ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap parition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
fi
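Review bot: The edited line is commented out, so this hunk only rewrites dead code, and it keeps the typo "parition". Either delete the line, since the ReportSuggestion below already covers the finding, or correct it to `#ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap partition (${FIND})"` with a short comment saying why the warning is disabled. The commented-out call in the second tests_firewalls hunk is in the same state.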
@@ -367,7 +367,7 @@
AddHP 3 3
else
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!"
+ ReportWarning ${TEST_NO} "No sticky bit found on /tmp directory, which can be dangerous!"
ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory."
AddHP 0 3
fi
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 59cdcd84..a7420852 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -156,7 +156,7 @@
FIREWALL_EMPTY_RULESET=1
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
+ ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
else
LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
@@ -181,7 +181,7 @@
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
LogText "Output: iptables rule numbers: ${FIND}"
- #ReportWarning ${TEST_NO} "L" "Found possible unused iptables rules ($FIND)"
+ #ReportWarning ${TEST_NO} "Found possible unused iptables rules ($FIND)"
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
LogText "Tip: iptables --list --numeric --line-numbers --verbose"
fi
@@ -272,7 +272,7 @@
else
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: found one or more warnings in the pf filter rules"
- ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file"
+ ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file"
ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi
else
diff --git a/include/tests_kernel b/include/tests_kernel
index dd289e85..4a5482d4 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -587,7 +587,7 @@
AddHP 5 5
elif [ ${REBOOT_NEEDED} -eq 1 ]; then
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED
- ReportWarning ${TEST_NO} "H" "Reboot of system is most likely needed"
+ ReportWarning ${TEST_NO} "Reboot of system is most likely needed"
AddHP 0 5
else
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW
diff --git a/include/tests_logging b/include/tests_logging
index f941d082..a5f74a74 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -92,7 +92,7 @@
else
LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
+ ReportWarning ${TEST_NO} "Found one or more problems in Syslog-NG configuration file"
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
fi
fi
@@ -191,7 +191,7 @@
else
LogText "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
- ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
+ ReportWarning ${TEST_NO} "klogd is not running, which could lead to missing kernel messages in log files"
fi
else
LogText "Result: test skipped, because other facility is being used to log kernel messages"
@@ -214,7 +214,7 @@
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
LogText "Result: minilogd found in process list"
# minilogd daemon seems to be running
- ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
+ ReportWarning ${TEST_NO} "minilogd is running, which should normally not be running"
fi
fi
#
@@ -327,7 +327,7 @@
else
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
LogText "Result: No loghost entry found"
- ReportWarning ${TEST_NO} "L" "No loghost entry found"
+ ReportWarning ${TEST_NO} "No loghost entry found"
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
fi
fi
diff --git a/include/tests_nameservices b/include/tests_nameservices
index 0b798fb0..edeefc6a 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -84,7 +84,7 @@
if [ ${N} -gt 6 ]; then
LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
- ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
+ ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
@@ -100,7 +100,7 @@
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
- ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
+ ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
fi
@@ -280,7 +280,7 @@
else
LogText "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
- ReportWarning "${TEST_NO}" "L" "Found Unbound configuration file issues (run unbound-checkconf)"
+ ReportWarning "${TEST_NO}" "Found Unbound configuration file issues (run unbound-checkconf)"
fi
else
LogText "Result: skipped, can't find unbound-checkconf utility"
diff --git a/include/tests_networking b/include/tests_networking
index 084dcc0f..eddf945a 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -147,7 +147,7 @@
LogText "Result: nameserver ${I} does NOT respond"
LogText "Exit-code from dig: ${DNSRESPONSE}"
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
- ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
+ ReportWarning ${TEST_NO} "Nameserver ${I} does not respond"
fi
else
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
@@ -169,7 +169,7 @@
if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
LogText "Result: less than 2 responsive nameservers found"
- ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
+ ReportWarning ${TEST_NO} "Couldn't find 2 responsive nameservers"
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2
@@ -487,7 +487,7 @@
# Check if this interface was whitelisted
if [ ${WHITELISTED} -eq 0 ]; then
FOUNDPROMISC=1
- ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
+ ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
@@ -522,7 +522,7 @@
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
- ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
+ ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
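Review bot: The whitelist lookup `grep "^if_promisc:${I}:" ${PROFILE}` uses the interface name as a regular expression, so a name containing `.` (a VLAN sub-interface, for example) can match a different profile entry and suppress the promiscuous-mode warning. Comparing the fields literally, e.g. `awk -F: -v i="${I}" '$1=="if_promisc" && $2==i' "${PROFILE}"`, keeps the match exact and quotes the profile path. How `${I}` is produced is outside this hunk, so the practical impact depends on which names can reach this point.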
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 7509968e..e4234367 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -313,7 +313,7 @@
else
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: Zypper found one or more installed packages which are vulnerable."
- ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed"
+ ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | sed 's/:$//' | grep -v "^$" | sort -u`
LogText "List of vulnerable packages/version:"
@@ -447,7 +447,7 @@
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
- ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages. Run: dnf upgrade"
+ ReportWarning ${TEST_NO} "Found one or more vulnerable packages. Run: dnf upgrade"
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
else
@@ -711,7 +711,7 @@
else
LogText "Result: One or more duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed"
+ ReportWarning ${TEST_NO} "Found one or more duplicate packages installed"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
fi
@@ -724,7 +724,7 @@
else
LogText "Result: One or more problems found in package database"
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database"
+ ReportWarning ${TEST_NO} "Found one or more problems in the package database"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
fi
else
@@ -1012,7 +1012,7 @@
VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_FOUND}" --color RED
LogText "Result: found ${FIND} security updates with glsa-check"
- ReportWarning "${TEST_NO}" "H" "Found ${FIND} security update(s) with glsa-check."
+ ReportWarning "${TEST_NO}" "Found ${FIND} security update(s) with glsa-check."
LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified."
AddHP 0 25
fi
diff --git a/include/tests_shells b/include/tests_shells
index 936ed77b..4b8c3050 100644
--- a/include/tests_shells
+++ b/include/tests_shells
@@ -392,7 +392,7 @@
fi
if [ ${FOUND} -eq 1 ]; then
- ReportWarning ${TEST_NO} "H" "System vulnerable to Shellshock (bash)"
+ ReportWarning ${TEST_NO} "System vulnerable to Shellshock (bash)"
AddHP 0 25
else
AddHP 5 5
diff --git a/include/tests_squid b/include/tests_squid
index c9d12bd2..20a29c02 100644
--- a/include/tests_squid
+++ b/include/tests_squid
@@ -257,7 +257,7 @@
AddHP 1 1
else
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED
- ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
+ ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
AddHP 0 1
fi
done
diff --git a/include/tests_time b/include/tests_time
index caed09c3..3ba5e56e 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -259,7 +259,7 @@
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found one or more high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output"
- ReportWarning ${TEST_NO} "L" "Found one or more stratum 16 peers"
+ ReportWarning ${TEST_NO} "Found one or more stratum 16 peers"
fi
fi
fi
diff --git a/lynis b/lynis
index de147465..98389d0c 100755
--- a/lynis
+++ b/lynis
@@ -906,7 +906,7 @@ ${NORMAL}
. ${INCLUDE_FILE}
else
LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
- ReportWarning "NONE" "H" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
+ ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
# Insert a section and warn user also on screen
InsertSection "General"
Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
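Review bot: The file is sourced with `. ${INCLUDE_FILE}` once the permission test passes, and the log text mentions only the modes 640, 600 and 400; if the check outside this hunk does not also verify the owner, a file with mode 600 owned by another user would be executed with the scanner's privileges. Confirm that ownership is checked next to the mode, and quote the path: `. "${INCLUDE_FILE}"`. The same applies to `. ${INCLUDEDIR}/tests_custom` in the next hunk, where the Display result is "WARNING" although the tests are skipped, unlike "SKIPPED" here.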
@@ -933,7 +933,7 @@ ${NORMAL}
. ${INCLUDEDIR}/tests_custom
else
LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
- ReportWarning "NONE" "H" "Invalid permissions on custom tests file"
+ ReportWarning "NONE" "Invalid permissions on custom tests file"
Display --indent 2 --text "- Running custom tests... " --result "WARNING" --color RED
fi
else