Age | Commit message | Author

Apple doesn’t disclose when it stops providing security updates for
macOS versions. There’s no consensus on when the exact EOL date is.
Lacking that information, I applied the following ruleset, which is
driven by what people have observed, and seems pragmatic enough:
- From Mac OS X 10.0 through 10.4, a version 10.N would be considered
EOL on the day the first patch-level update 10.(N+2).1 for its
N+2 successor was released.
- Starting with 10.5, Apple began to support three versions at the same
time. For 10.5 itself, the EOL date is difficult to pin down so I
went with 2011-06-23, the date given by the English-language
Wikipedia.
- From 10.6 through 10.11, a version 10.N would be considered EOL on
the day the first patch-level update 10.(N+3).1 for its N+3 successor
was released.
- Starting with macOS Sierra (10.12), Lynis counts the patch level.
Any version 10.N.P can be considered EOL on the day 10.N.(P+1)
is released. If that hasn’t happened, the EOL date is the day
10.(N+3).1 is released. If neither has been released, 10.N.P has
no EOL date.
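The ruleset described in the commit message above, carried through in code as an added example (this is not Lynis's own implementation). The release table is constructed with made-up dates purely to exercise the four rules; the 10.5 date is the one the message gives.

```python
"""Worked example of the macOS EOL ruleset (added, not Lynis code)."""
from datetime import date
from typing import Dict, Optional, Tuple

# Constructed sample table "10.N.P" -> release date. Dates are invented
# for illustration and are not real Apple release dates.
SAMPLE_RELEASES: Dict[str, date] = {
    "10.2.1": date(2002, 9, 1),
    "10.3.1": date(2003, 11, 1),
    "10.4.1": date(2005, 5, 1),
    "10.9.1": date(2013, 12, 1),
    "10.12.1": date(2016, 10, 1),
    "10.12.2": date(2016, 12, 1),
    "10.15.1": date(2019, 10, 1),
}

# The one fixed date from the ruleset: 10.5 (Leopard) per English Wikipedia.
LEOPARD_EOL = date(2011, 6, 23)


def _parse(version: str) -> Tuple[int, int]:
    """Return (N, P) for a '10.N' or '10.N.P' version string."""
    parts = [int(x) for x in version.split(".")]
    if len(parts) < 2 or parts[0] != 10:
        raise ValueError(f"not a 10.x version: {version}")
    patch = parts[2] if len(parts) > 2 else 0
    return parts[1], patch


def eol_date(version: str, releases: Dict[str, date]) -> Optional[date]:
    """Apply the ruleset; None means 'no EOL date can be derived yet'."""
    n, p = _parse(version)
    if n <= 4:
        # 10.0 .. 10.4: EOL when 10.(N+2).1 ships.
        return releases.get(f"10.{n + 2}.1")
    if n == 5:
        # 10.5: three-version support window starts; use the fixed date.
        return LEOPARD_EOL
    if n <= 11:
        # 10.6 .. 10.11: EOL when 10.(N+3).1 ships.
        return releases.get(f"10.{n + 3}.1")
    # 10.12+: the patch level counts. Next patch release wins, then the
    # 10.(N+3).1 rule, otherwise no EOL date.
    next_patch = releases.get(f"10.{n}.{p + 1}")
    if next_patch is not None:
        return next_patch
    return releases.get(f"10.{n + 3}.1")


def is_eol(version: str, releases: Dict[str, date], today: date) -> bool:
    """True only when a derived EOL date exists and has already passed."""
    d = eol_date(version, releases)
    return d is not None and d <= today


if __name__ == "__main__":
    for v in ("10.0", "10.5", "10.6", "10.12.1", "10.12.2", "10.15.1"):
        print(v, "->", eol_date(v, SAMPLE_RELEASES))
```

Note the asymmetry a hardening check has to live with: an absent successor release yields `None`, which the caller must treat as "unknown, not yet EOL" rather than as "supported forever".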
Switched entries and added a note. Due to matching by regular expression, the shortest match would otherwise always win.
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Update language files (de, de-AT, en)
Sorting
Sorting
(cherry picked from commit 6ce0aa41c64f8146716de25d613e66cf53f08b0e)
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Jaimie <59117167+Jaimie85@users.noreply.github.com>
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Check if system uses encrypted swap devices
Examine /proc/sys/fs/binfmt_misc (Linux) for additional registered
binary formats. Those are probably emulated and their emulation could
be less tested, more buggy and more vulnerable than native binary
formats, so they should be disabled when not needed.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Added Russian localization
AUTH-9218 Improvements
These two tests are essentially identical. There is no need to separate
the DragonFly and FreeBSD tests. This will make it easier to add
support for other BSD systems.
Add test CRYP-7931 to check if the system uses any encrypted swap
devices.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Add test for group password hash rounds
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
'systemd-analyze security' (available since systemd v240) makes a nice
overall evaluation of hardening levels of services in a system. More
details can be found with 'systemd-analyze security SERVICE' for each
service.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Check IMA/EVM, dm-integrity and dm-verity statuses
Check password hashing methods
Detect tools for dm-integrity and dm-verity, check if some devices
in /dev/mapper/* use them and especially the system root device.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement
Architecture) status.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Check for running audio-entropyd, haveged or jitterentropy-rngd.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Manual page crypt(5) gives recommendations for choosing password
hashing methods, so let's check if there are weakly encrypted
passwords in the system.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Replace setting an artificially high date and converted date for
operating systems with no EOL (rolling) or where the EOL is still to
be determined. This makes it easier for humans and saves making
a comparison (when using an artificially high converted time) that
will always be false (EOL=0).
An example entry:
os:AGreatOS 2.0::-1:
The converted time (seconds since the epoch) could be specified as
zero, but this typically means the OS is out of date (now). A value
of -1 is a convention indicating no EOL.
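How a checker can honour the -1 convention described in the message above, as an added example rather than Lynis's own database parser. The entry layout is assumed from the one sample line (`os:<name>:<eol date>:<converted epoch>:`, date field optional) and every sample entry and epoch value below is constructed for the illustration.

```python
"""Added example: classifying OS database entries with the -1 'no EOL' marker."""
from typing import Dict, List

NO_EOL = -1  # convention from the commit message: rolling / undetermined EOL

# Constructed sample database. Epoch values are for 2015-01-01 and
# 2035-01-01 UTC; the OS names are invented.
SAMPLE_ENTRIES = """\
os:AGreatOS 2.0::-1:
os:OldOS 1.0:2015-01-01:1420070400:
os:FutureOS 9:2035-01-01:2051222400:
os:ZeroOS 3::0:
"""


def parse_entry(line: str) -> Dict[str, object]:
    """Split one 'os:name:date:converted:' line into its fields."""
    fields = line.rstrip(":").split(":")
    if len(fields) != 4 or fields[0] != "os":
        raise ValueError(f"malformed entry: {line!r}")
    return {
        "name": fields[1],
        "eol_date": fields[2] or None,   # empty date field -> None
        "converted": int(fields[3]),     # seconds since the epoch, or -1
    }


def eol_status(converted: int, now_epoch: int) -> str:
    """Return 'no-eol', 'eol' or 'supported' for a converted EOL time.

    The -1 marker is tested first so it is never fed into the numeric
    comparison; a value of 0 (or any past time) counts as already EOL.
    """
    if converted == NO_EOL:
        return "no-eol"
    if converted <= now_epoch:
        return "eol"
    return "supported"


def classify_all(text: str, now_epoch: int) -> Dict[str, str]:
    """Map OS name -> status for every non-blank entry line in `text`."""
    entries: List[Dict[str, object]] = [
        parse_entry(line) for line in text.splitlines() if line.strip()
    ]
    return {str(e["name"]): eol_status(int(e["converted"]), now_epoch) for e in entries}


if __name__ == "__main__":
    NOW_2020 = 1577836800  # 2020-01-01 UTC, constructed reference point
    for name, status in classify_all(SAMPLE_ENTRIES, NOW_2020).items():
        print(f"{name}: {status}")
```

Checking the sentinel before the numeric comparison is the whole point: with -1 in the database, a plain `converted <= now` test would mark every rolling release as out of date, which is the opposite failure to the artificially-high-date approach the message replaces.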
Corrected test ID
'resolvectl statistics' shows if DNSSEC is supported by
systemd-resolved and upstream DNS servers.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Detect rEFInd boot loader (https://www.rodsbooks.com/refind/).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>