
github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
-rw-r--r--db/languages/en8
-rw-r--r--db/languages/fr19
-rw-r--r--include/tests_kernel16
-rw-r--r--include/tests_kernel_hardening2
-rw-r--r--include/tests_logging4
-rw-r--r--include/tests_networking2
-rw-r--r--include/tests_storage2
-rw-r--r--include/tests_usb2
-rwxr-xr-xlynis30
9 files changed, 52 insertions, 33 deletions
diff --git a/db/languages/en b/db/languages/en
index b5cbef6a..409b92d5 100644
--- a/db/languages/en
+++ b/db/languages/en
@@ -64,26 +64,34 @@ SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
SECTION_VIRTUALIZATION="Virtualization"
SECTION_WEBSERVER="Software: webserver"
STATUS_ACTIVE="ACTIVE"
+STATUS_DEBUG="DEBUG"
+STATUS_DEFAULT="DEFAULT"
+STATUS_DIFFERENT="DIFFERENT"
STATUS_DISABLED="DISABLED"
STATUS_DONE="DONE"
STATUS_ENABLED="ENABLED"
STATUS_ERROR="ERROR"
STATUS_FAILED="FAILED"
+STATUS_FILES_FOUND="FILES FOUND"
STATUS_FOUND="FOUND"
STATUS_INSTALLED="INSTALLED"
STATUS_NO="NO"
+STATUS_NO_UPDATE="NO UPDATE"
STATUS_NONE="NONE"
STATUS_NOT_CONFIGURED="NOT CONFIGURED"
+STATUS_NOT_DISABLED="NOT DISABLED"
STATUS_NOT_ENABLED="NOT ENABLED"
STATUS_NOT_FOUND="NOT FOUND"
STATUS_NOT_RUNNING="NOT RUNNING"
STATUS_OFF="OFF"
STATUS_OK="OK"
STATUS_ON="ON"
+STATUS_PROTECTED="PROTECTED"
STATUS_RUNNING="RUNNING"
STATUS_SKIPPED="SKIPPED"
STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="UNKNOWN"
+STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
STATUS_WARNING="WARNING"
STATUS_WEAK="WEAK"
STATUS_YES="YES"
diff --git a/db/languages/fr b/db/languages/fr
index 0a867eee..8b99e548 100644
--- a/db/languages/fr
+++ b/db/languages/fr
@@ -28,10 +28,10 @@ SECTION_EMAIL_AND_MESSAGING="Logiciel : Email et messagerie"
SECTION_FILE_INTEGRITY="Logiciel : Intégrité de fichier"
SECTION_FILE_PERMISSIONS="Permissions de fichier"
SECTION_FILE_SYSTEMS="Systèmes de fichier"
-SECTION_FIREWALLS="Logiciel : Pare-feux"
+SECTION_FIREWALLS="Logiciel : Pare-feu"
SECTION_GENERAL="Général"
SECTION_HARDENING="Hardening"
-SECTION_HOME_DIRECTORIES="Home directories"
+SECTION_HOME_DIRECTORIES="Dossiers personnels"
SECTION_IMAGE="Image"
SECTION_INITIALIZING_PROGRAM="Initialisation du programme"
SECTION_INSECURE_SERVICES="Services non sécurisés"
@@ -39,7 +39,7 @@ SECTION_KERNEL="Noyau"
SECTION_KERNEL_HARDENING="Kernel Hardening"
SECTION_LDAP_SERVICES="Services LDAP"
SECTION_LOGGING_AND_FILES="Journalisation et fichiers"
-SECTION_MALWARE="Logiciel : Malware"
+SECTION_MALWARE="Logiciel : Malveillant"
SECTION_MEMORY_AND_PROCESSES="Mémoire et processus"
SECTION_NAME_SERVICES="Services de noms"
SECTION_NETWORKING="Mise en réseau"
@@ -48,7 +48,7 @@ SECTION_PORTS_AND_PACKAGES="Ports et packages"
SECTION_PRINTERS_AND_SPOOLS="Imprimantes et serveurs d'impression"
SECTION_PROGRAM_DETAILS="Détails du programme"
SECTION_SCHEDULED_TASKS="Tâches planifiées"
-SECTION_SECURITY_FRAMEWORKS="Security frameworks"
+SECTION_SECURITY_FRAMEWORKS="Frameworks de sécurité"
SECTION_SHELLS="Shells"
SECTION_SNMP_SUPPORT="Prise en charge SNMP"
SECTION_SOFTWARE="Logiciel"
@@ -63,24 +63,35 @@ SECTION_USB_DEVICES="Périphériques USB"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utilisateurs, groupes et authentification"
SECTION_VIRTUALIZATION="Virtualisation"
SECTION_WEBSERVER="Logiciel : Serveur web"
+STATUS_ACTIVE="ACTIF"
+STATUS_DEBUG="DÉBUG"
+STATUS_DEFAULT="PAR DÉFAUT"
+STATUS_DIFFERENT="DIFFÉRENT"
STATUS_DISABLED="DÉSACTIVÉ"
STATUS_DONE="FAIT"
STATUS_ENABLED="ACTIVÉ"
STATUS_ERROR="ERREUR"
STATUS_FAILED="ÉCHOUÉ"
+STATUS_FILES_FOUND="FICHIERS TROUVÉS"
STATUS_FOUND="TROUVÉ"
+STATUS_INSTALLED="INSTALLÉ"
STATUS_NO="NON"
+STATUS_NO_UPDATE="PAS DE MISE A JOUR"
STATUS_NONE="AUCUN"
STATUS_NOT_CONFIGURED="NON CONFIGURÉ"
+STATUS_NOT_DISABLED="NON DESACTIVÉ"
+STATUS_NOT_ENABLED="NON ACTIVÉ"
STATUS_NOT_FOUND="NON TROUVÉ"
STATUS_NOT_RUNNING="NON LANCÉ"
STATUS_OFF="OFF"
STATUS_OK="OK"
STATUS_ON="ON"
+STATUS_PROTECTED="PROTÉGÉ"
STATUS_RUNNING="EN COURS"
STATUS_SKIPPED="IGNORÉ"
STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="INCONNU"
+STATUS_UPDATE_AVAILABLE="MISE A JOUR DISPONIBLE"
STATUS_WARNING="AVERTISSEMENT"
STATUS_WEAK="FAIBLE"
STATUS_YES="OUI"
diff --git a/include/tests_kernel b/include/tests_kernel
index 3d3ac339..119b276e 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -491,7 +491,7 @@
AddHP 0 1
else
LogText "Result: core dumps are not disabled in systemd configuration. Didn't find settings 'ProcessSizeMax=0' and 'Storage=none'"
- Display --indent 4 --text "- configuration in systemd conf files" --result "DEFAULT" --color WHITE
+ Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_DEFAULT}" --color WHITE
AddHP 0 1
fi
fi
@@ -508,7 +508,7 @@
AddHP 1 1
elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then
LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'"
- Display --indent 4 --text "- configuration in etc/profile" --result "DEFAULT" --color WHITE
+ Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DEFAULT}" --color WHITE
AddHP 0 1
elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then
LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'"
@@ -516,7 +516,7 @@
AddHP 0 1
else
LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!"
- Display --indent 4 --text "- configuration in etc/profile" --result "ERROR" --color YELLOW
+ Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ERROR}" --color YELLOW
fi
fi
# Limits option
@@ -538,8 +538,8 @@
FIND2="hard core enabled"
fi
- IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
- IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
+ IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
+ IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
if [ "${FIND2}" = "hard core disabled" ]; then
LogText "Result: core dumps are hard disabled"
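Review bot: The `IS_SOFTCORE_DISABLED` and `IS_HARDCORE_DISABLED` assignments now mix fixed tokens with a translated one: the first two branches still echo the literals `DISABLED` and `ENABLED`, while the fallback echoes `${STATUS_DEFAULT}`, unquoted. If these variables are only shown to the user, the other branches should be translated too, e.g. `${ECHOCMD} "${STATUS_DISABLED}"` and `${ECHOCMD} "${STATUS_ENABLED}"`, with the fallback quoted the same way. If anything later compares them with the literal `DEFAULT` (their use is outside this hunk), that comparison would stop matching under a non-English language file, and the fallback should remain a fixed token. The enclosing test continues beyond the hunk.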
@@ -587,18 +587,18 @@
fi
if [ "${FIND}" = "2" ]; then
LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
- Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color WHITE
+ Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_PROTECTED}" --color WHITE
AddHP 1 1
elif [ "${FIND}" = "1" ]; then
LogText "Result: all programs can perform core dumps (value 1, for debugging)"
- Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
+ Display --indent 2 --text "- Checking setuid core dumps configuration" --result "${STATUS_DEBUG}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump"
AddHP 0 1
else
# 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped
# https://www.kernel.org/doc/Documentation/sysctl/fs.txt
LogText "Result: found default option (0), no execute only program or program with changed privilege levels can dump"
- Display --indent 4 --text "- Checking setuid core dumps configuration" --result DISABLED --color GREEN
+ Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
AddHP 1 1
fi
fi
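Review bot: The `DEBUG` branch calls `Display --indent 2` while the `PROTECTED` and `DISABLED` branches of the same check use `--indent 4`, so the value-1 result is printed at a different nesting level than its siblings. Since the line is being edited anyway, `Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_DEBUG}" --color YELLOW` would align it. The surrounding `if` starts outside the hunk.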
diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening
index e117a704..c0887078 100644
--- a/include/tests_kernel_hardening
+++ b/include/tests_kernel_hardening
@@ -89,7 +89,7 @@
AddHP ${tFINDhp} ${tFINDhp}
else
LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
- Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
+ Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_DIFFERENT}" --color RED
AddHP 0 ${tFINDhp}
FOUND=1
N=$((N + 1))
diff --git a/include/tests_logging b/include/tests_logging
index 1638cb62..4a15591d 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -452,7 +452,7 @@
LogText "Result: no remote logging found"
ReportSuggestion "${TEST_NO}" "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
- Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
+ Display --indent 2 --text "- Checking remote logging" --result "${STATUS_NOT_ENABLED}" --color YELLOW
else
Report "remote_syslog_configured=1"
AddHP 5 5
@@ -579,7 +579,7 @@
LogText "Found deleted file: ${I}"
Report "deleted_file[]=${I}"
done
- Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
+ Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_FILES_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check what deleted files are still in use and why."
else
LogText "Result: no deleted files found"
diff --git a/include/tests_networking b/include/tests_networking
index 867429ec..7a04305f 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -140,7 +140,7 @@
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
STATUS=$(echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]')
Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
- if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
+ if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="${STATUS_YES}"; else STATUS="${STATUS_NO}"; fi
LogText "Result: IPv6 only configuration: ${STATUS}"
Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE
else
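Review bot: `STATUS` now holds a translated string, and the following `LogText "Result: IPv6 only configuration: ${STATUS}"` writes it to the log, so that entry changes with the selected language (for example `OUI` instead of `YES`). The other `LogText` lines visible in this commit stay in English, and anything that parses the log is better served by a stable value; logging the raw flag, `LogText "Result: IPv6 only configuration: ${IPV6_ONLY}"`, or keeping a separate untranslated variable for the log would avoid the drift. `[ ${IPV6_ONLY} -eq 1 ]` is also unquoted and raises a test error when the variable is empty.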
diff --git a/include/tests_storage b/include/tests_storage
index 89431aa0..6ee1a78a 100644
--- a/include/tests_storage
+++ b/include/tests_storage
@@ -59,7 +59,7 @@
if [ ${FOUND} -eq 0 ]; then
LogText "Result: firewire ohci driver is not explicitly disabled"
- Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
+ Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "${STATUS_NOT_DISABLED}" --color WHITE
ReportSuggestion "${TEST_NO}" "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
# after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
AddHP 2 3
diff --git a/include/tests_usb b/include/tests_usb
index 92c81a32..d99d5a66 100644
--- a/include/tests_usb
+++ b/include/tests_usb
@@ -73,7 +73,7 @@
fi
if [ ${FOUND} -eq 0 ]; then
LogText "Result: usb-storage driver is not explicitly disabled"
- Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
+ Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_NOT_DISABLED}" --color WHITE
if [ "${USBGUARD_FOUND}" -eq "0" ]; then
ReportSuggestion "${TEST_NO}" "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
fi
diff --git a/lynis b/lynis
index 7ea78b0c..1cd6f9c0 100755
--- a/lynis
+++ b/lynis
@@ -511,7 +511,7 @@ ${NORMAL}
#
SafePerms ${INCLUDEDIR}/osdetection
. ${INCLUDEDIR}/osdetection
- Display --indent 2 --text "- Detecting OS... " --result DONE --color GREEN
+ Display --indent 2 --text "- Detecting OS... " --result "${STATUS_DONE}" --color GREEN
# Check hostname
case ${OS} in
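Review bot: The return status of `SafePerms ${INCLUDEDIR}/osdetection` is not checked before the file is sourced on the next line, unlike the test-category path later in this file, where the visible context logs "Invalid permissions on tests file" and skips the include. If `SafePerms` reports unsafe permissions through its return code rather than by exiting (its definition is not on this page), an `osdetection` file with loose permissions would still be sourced with the privileges of the scan. `if SafePerms "${INCLUDEDIR}/osdetection"; then . "${INCLUDEDIR}/osdetection"; else exit 1; fi` would make the dependency explicit, and the quotes also cover an include directory containing spaces.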
@@ -542,7 +542,7 @@ ${NORMAL}
CDATE=$(date "+%Y-%m-%d %H:%M:%S")
if [ ${LOGTEXT} -eq 1 ]; then echo "${CDATE} Starting ${PROGRAM_NAME} ${PROGRAM_VERSION} with PID ${OURPID}, build date ${PROGRAM_RELEASE_DATE}" > ${LOGFILE}; fi
if [ $? -gt 0 ]; then
- Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result WARNING --color RED
+ Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result "${STATUS_WARNING}" --color RED
echo "${WARNING}Fatal error${NORMAL}: problem while writing to log file. Check location and permissions."
RemovePIDFile
exit 1
@@ -728,7 +728,7 @@ ${NORMAL}
fi
if [ -z "${PROGRAM_AC}" -o -z "${PROGRAM_LV}" ]; then
- Display --indent 2 --text "- Program update status... " --result UNKNOWN --color YELLOW
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Update check failed. No network connection?"
LogText "Info: to perform an automatic update check, outbound DNS connections should be allowed (TXT record)."
# Set both to safe values
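Review bot: `PROGRAM_LV` and `PROGRAM_AC` are only tested for emptiness here, yet the next hunk feeds `PROGRAM_LV` into `$((PROGRAM_LV - 10))` and an unquoted `-gt` test, and the log text in this hunk indicates the value comes from a DNS TXT lookup. Whether it is checked to be digits-only earlier is not visible on this page; if it is not, a line such as `case "${PROGRAM_LV}" in *[!0-9]*) PROGRAM_LV="" ;; esac` ahead of the `-z` test would route a malformed or spoofed record into this UNKNOWN branch instead of into shell arithmetic. The `-o` inside `[ ]` is also better written as `[ -z "${PROGRAM_AC}" ] || [ -z "${PROGRAM_LV}" ]`. The enclosing block starts outside the hunk.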
@@ -741,13 +741,13 @@ ${NORMAL}
PROGRAM_MINVERSION=$((PROGRAM_LV - 10))
LogText "Minimum required version : ${PROGRAM_MINVERSION}"
if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then
- Display --indent 2 --text "- Program update status... " --result "WARNING" --color RED
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_WARNING}" --color RED
LogText "Result: This version is VERY outdated. Newer ${PROGRAM_NAME} release available!"
ReportWarning "LYNIS" "Version of Lynis is very old and should be updated"
Report "lynis_update_available=1"
UPDATE_AVAILABLE=1
else
- Display --indent 2 --text "- Program update status... " --result "UPDATE AVAILABLE" --color YELLOW
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_UPDATE_AVAILABLE}" --color YELLOW
LogText "Result: newer ${PROGRAM_NAME} release available!"
ReportSuggestion "LYNIS" "Version of Lynis outdated, consider upgrading to the latest version"
Report "lynis_update_available=1"
@@ -755,11 +755,11 @@ ${NORMAL}
fi
else
if [ ${UPDATE_CHECK_SKIPPED} -eq 0 ]; then
- Display --indent 2 --text "- Program update status... " --result "NO UPDATE" --color GREEN
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_NO_UPDATE}" --color GREEN
LogText "No ${PROGRAM_NAME} update available."
Report "lynis_update_available=0"
else
- Display --indent 2 --text "- Program update status... " --result "SKIPPED" --color YELLOW
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_SKIPPED}" --color YELLOW
LogText "Update check skipped due to constraints (e.g. missing dig binary)"
Report "lynis_update_available=-1"
fi
@@ -863,11 +863,11 @@ ${NORMAL}
#
if IsVerbose; then
InsertSection "${SECTION_PROGRAM_DETAILS}"
- Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN
+ Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "${STATUS_YES}" --color GREEN
if IsDebug; then
- Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN
+ Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "${STATUS_YES}" --color GREEN
else
- Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "NO" --color RED
+ Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "${STATUS_NO}" --color RED
fi
fi
#
@@ -957,7 +957,7 @@ ${NORMAL}
RunPlugins 1
if [ ${N_PLUGIN_ENABLED} -eq 0 ]; then
- Display --indent 2 --text "- ${GEN_PLUGINS_ENABLED}" --result "NONE" --color WHITE
+ Display --indent 2 --text "- ${GEN_PLUGINS_ENABLED}" --result "${STATUS_NONE}" --color WHITE
Report "plugins_enabled=0"
else
Report "plugins_enabled=1"
@@ -1018,7 +1018,7 @@ ${NORMAL}
ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
# Insert a section and warn user also on screen
InsertSection "${SECTION_GENERAL}"
- Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
+ Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "${STATUS_SKIPPED}" --color RED
fi
else
echo "Error: Can't find file (category: ${INCLUDE_TEST})"
@@ -1043,10 +1043,10 @@ ${NORMAL}
else
LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
ReportWarning "NONE" "Invalid permissions on custom tests file"
- Display --indent 2 --text "- Running custom tests... " --result "WARNING" --color RED
+ Display --indent 2 --text "- Running custom tests... " --result "${STATUS_WARNING}" --color RED
fi
else
- Display --indent 2 --text "- Running custom tests... " --result "NONE" --color WHITE
+ Display --indent 2 --text "- Running custom tests... " --result "${STATUS_NONE}" --color WHITE
fi
fi
#
@@ -1079,7 +1079,7 @@ ${NORMAL}
if [ ${SKIP_PLUGINS} -eq 0 ]; then
RunPlugins 2
if [ ${N_PLUGIN_ENABLED} -gt 1 ]; then
- Display --indent 2 --text "- Plugins (phase 2)" --result "DONE" --color GREEN
+ Display --indent 2 --text "- Plugins (phase 2)" --result "${STATUS_DONE}" --color GREEN
fi
fi
#