github.com/CISOfy/lynis.git
Diffstat (limited to 'dev/TODO')
-rw-r--r-- dev/TODO 114
1 files changed, 114 insertions, 0 deletions
diff --git a/dev/TODO b/dev/TODO
new file mode 100644
index 00000000..c9229e1c
--- /dev/null
+++ b/dev/TODO
@@ -0,0 +1,114 @@
+
+================================================================================
+
+ Lynis - To Do
+
+================================================================================
+
+ Author: Michael Boelen (michael@rootkit.nl)
+ Description: Security and system auditing tool
+ Website: http://www.rootkit.nl/projects/lynis.html
+ Support policy: See section 'Support' (README file)
+ Documentation: See web site, README, FAQ and CHANGELOG file
+
+================================================================================
+
+
+[+] Open issues
+-------------------------------
+
+
+[+] Project
+-------------------------------
+
+
+[+] General
+-------------------------------
+ - Activate warning when default profile is being used
+ - Add list of manual audit items, depending on performed tests
+ - Replace awk instances with ${AWKBINARY}
+
+
+[+] Forensics
+-------------------------------
+ - Add MD5/SHA1 database
+
+
+[+] Generic Tests
+-------------------------------
+ - NFS: Check if there is no localhost line in the /etc/export file
+ - Check /etc/crontab entries (permissions, locations)
+ - Search for all setuid/setgid files and compare against baseline
+ - Skel: Red Hat files are hidden, check with ls -al?
+ - Add MacOS X test for /tmp dir (or redirect location of symlink)
+ - Samba: make sure it does listen only at one interface (not at WAN)
+ - Cleanup some tests by combining options (like NETW-3006)
+ - Check for latest versions of programs
+ - Check if multiple users have group '0'
+ - When using --quiet, use long warnings instead of default lines
+ - Don't show section headers when using --tests
+ - Show Last logon dates for user accounts
+ - Show passwords 30 days or older / trivial passwords / password shadowing
+ - Show duplicate usernames, UIDs and GIDs
+ - System wide policies including: default files creation mask, login timeout intervals, lockout durations...
+ - Permissions on selected sensitive files / directories
+
+
+[+] Applications
+-------------------------------
+ - Debian/Ubuntu: check if apt-listbugs is installed
+
+[+] Databases
+-------------------------------
+ - Warn if MySQL is running on a network interface
+ - Check for empty root login
+ - Check Oracle things (tm)
+
+
+[+] Programming languages/interfaces
+-------------------------------
+ - Paranoid option: set binaries to 750 for perl, python, ruby, cc, gcc, *cc* etc
+
+
+[+] DNS
+-------------------------------
+ - Bind: check if version is disabled
+
+
+[+] Firewalls
+-------------------------------
+ - iptables: show chain numbers when rules are unused
+
+
+[+] Shell/interface/X
+-------------------------------
+ - Check for autolog or timeoutd package
+
+
+[+] MTA
+-------------------------------
+ - Sendmail: check banner, check file permissions of configuration files
+ - Exim: check banner
+ - SMTP (if running): check if a version shows up in banner
+
+
+[+] Printers/spools
+-------------------------------
+ - Printcap consistency check for Linux/Solaris/MacOS
+
+
+[+] Tomcat
+-------------------------------
+ - Check if iptables has rules for port 8080, 8009, 8443
+ - Check if /WEB-INF/ and /META-INF/ are denied in httpd.conf
+
+[+] Reporting
+-------------------------------
+ - Add possibility to mail directly (instead of log to file)
+ - Find audit templates for reporting (direct post to webserver?)
+ - Allow bonus points, however check a maximum index score of 100
+
+
+================================================================================
+ Lynis - Copyright 2007-2013, Michael Boelen - The Netherlands
+ http://www.rootkit.nl
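Review bot: In the Generic Tests list, the NFS item points at "/etc/export", but the NFS export table is "/etc/exports"; fix the path so that whoever implements the test targets the right file. Under Forensics, "Add MD5/SHA1 database" should name SHA-256 as well, because MD5 and SHA-1 are both broken for collision resistance and are a weak basis for a file baseline. Under Databases, "Check for empty root login" does not say which product it means and "Check Oracle things (tm)" is not actionable as written; state the concrete check for each. The "Open issues" and "Project" sections are added with no entries, so either fill them or leave them out until there is something to track.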