Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/default.prf
AgeCommit message (Collapse)Author
2020-12-22Merge pull request #933 from topimiettinen/check-clip-os-sysctlsMichael Boelen
[KRNL-6000] Check more sysctls
2020-08-07Merge pull request #913 from topimiettinen/check-der-certsMichael Boelen
[CRYP-7902] Check also certificates in DER format
2020-08-07Merge pull request #957 from Varbin/rsh-permissionsMichael Boelen
rsh host file permissions
2020-06-20add (Open)SSH equivalents to rhost filesSimon Biewald
SSH also supports host based authentication. In contrast to the totally insecure rsh, the hostnames are checked cryptographically. The authorization checks are still done with the same syntax as with rsh. In addition to the old rhosts/rlogin (and eqviv) file, SSH adds the slogin file. This must not be writable as well, as attackers could elevate their privileges.
2020-06-20check permissions of files used by rshSimon Biewald
The old rsh (remote shell) grants access to users and hosts in the files /etc/hosts.equiv and ~/r(login|hosts). If attackers can write to those files, he can logon as a different user or even root (in case of roots .r(login|hosts) only) to the system. While the rsh daemon usually checks for non-root owners or write permissions, this may not be the case on any system. Those files might affect other services as well (rlogin, rcp, ...). As hostnames and usernames are not verified securely, the use of rsh and similar commands discouraged. It may still be in use on legacy systems even today, so it should be secured as much as possible if not possible to remove/replace.
2020-06-11Fix typo in kernel options descriptionSteve8291
2020-05-23[KRNL-6000] Check more sysctlsTopi Miettinen
Add checks for sysctls recommended by CLIP OS (vanilla kernel sysctls only): https://docs.clip-os.org/clipos/kernel.html#sysctl-security-tuning Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-25[CRYP-7902] Check also certificates in DER formatTopi Miettinen
Check also certificates in DER (*.cer, *.der) format. Add /etc/refind.d/keys to list of certificate paths. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-02[CRYP-7902] Optionally check also certificates provided by packagesTopi Miettinen
The package maintainers are not immune to mistakes or they might not always provide timely updates, so let's check (optionally) more certificates even if they are delivered by packages. I found three expired certificates in my Debian/unstable system, thanks to changed Lynis. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2019-09-14Disabled shadow files in default profile as each Linux distribution has its ↵Michael Boelen
own default
2019-07-26Altered order of entriesMichael Boelen
2019-07-12Run non-interactive by default, use --wait to enforce waiting after ↵Michael Boelen
finishing a group of tests
2019-07-08New profile option to ignore specified certificate directoriesMichael Boelen
2019-07-07Cleanup of default profile and migration of permdir/permfileMichael Boelen
2019-07-07Changed description and added note about strict checkingMichael Boelen
2019-07-03Merge branch 'master' of https://github.com/CISOfy/lynisMichael Boelen
2019-07-03New option to disable plugins via profileMichael Boelen
2019-03-25Add some default permfile/permdirCapashenn
2018-03-03Changed action from flush to clearMichael Boelen
2018-03-03Extended helpMichael Boelen
2018-02-16Add host identifier options and use manual configured setting in functionMichael Boelen
2018-01-23Added kernel.yama.ptrace_scopeMichael Boelen
2018-01-23Overhaul of default profile settings and parsingMichael Boelen
2018-01-11Added solution, extended timestamps key values, allow multiple valuesMichael Boelen
2017-12-08Changes for new plugin class 'hardware'Michael Boelen
2017-11-25Support for allow-auto-purge option in profilesMichael Boelen
2017-06-22Allow tags and system-customer-name to be specifiedMichael Boelen
2017-06-14Added kernel.dmesg_restrict to sysctl checks. (#404)Dave Vehrs
2017-05-03Adds Protected Links Checks (#389)0ri0n
Fixes #386
2017-03-14Added another certificate path for PleskMichael Boelen
2017-03-14Support for Plesk certificates pathMichael Boelen
2017-02-21Allow data uploads to be configured in profileMichael Boelen
2017-02-16Allow colored output to be configured from profileMichael Boelen
2017-02-14Added authentication pluginMichael Boelen
2016-11-29Added paths for SSL certificatesMichael Boelen
2016-11-08Add remark for automatic updates and packagesMichael Boelen
2016-10-26Updated profiles (#300)marcus-cr
* Updated profiles Added “personal” machine-role, changed “desktop” to “workstation”. * Changed Default Profile Amended roles of system: changed “desktop” to “workstation”, and added “personal”.
2016-10-15Added missing separatorMichael Boelen
2016-10-05Added new sysctl valuesMichael Boelen
2016-09-24Show possible solution with findingsMichael Boelen
2016-09-13Changed suggested value for kernel.randomize_va_spaceMichael Boelen
2016-08-18Added more sysctl keysMichael Boelen
2016-08-18Support sysctl checks with multiple profilesMichael Boelen
2016-08-11Allow repository update to be disabledMichael Boelen
2016-07-12Set initial value for language and improve auto detectionMichael Boelen
2016-07-11expect value of sysctl:kernel.kptr_restrict to be 2 (#224)Lukas Pirl
from https://lwn.net/Articles/420403/: """ The %pK format specifier is designed to hide exposed kernel pointers, specifically via /proc interfaces. Exposing these pointers provides an easy target for kernel write vulnerabilities, since they reveal the locations of writable structures containing easily triggerable function pointers. The behavior of %pK depends on the kptr_restrict sysctl. […] If kptr_restrict is set to 2, kernel pointers using %pK are printed as 0's regardless of privileges. """
2016-07-05More reorganizing as options will be deprecatedMichael Boelen
2016-07-05Migrate to new options, including skip-pluginsMichael Boelen
2016-07-05Migration of several settings to new formatMichael Boelen
2016-06-21Textual change related to languagesMichael Boelen
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-27 12:11:39 +0300