Age | Commit message | Author | |
---|---|---|---|
2020-12-22 | Merge pull request #933 from topimiettinen/check-clip-os-sysctls | Michael Boelen | |
[KRNL-6000] Check more sysctls | |||
2020-08-07 | Merge pull request #913 from topimiettinen/check-der-certs | Michael Boelen | |
[CRYP-7902] Check also certificates in DER format | |||
2020-08-07 | Merge pull request #957 from Varbin/rsh-permissions | Michael Boelen | |
rsh host file permissions | |||
2020-06-20 | add (Open)SSH equivalents to rhost files | Simon Biewald | |
SSH also supports host based authentication. In contrast to the totally insecure rsh, the hostnames are checked cryptographically. The authorization checks are still done with the same syntax as with rsh. In addition to the old rhosts/rlogin (and equiv) file, SSH adds the slogin file. This must not be writable as well, as attackers could elevate their privileges. | |||
2020-06-20 | check permissions of files used by rsh | Simon Biewald | |
The old rsh (remote shell) grants access to users and hosts in the files /etc/hosts.equiv and ~/r(login|hosts). If attackers can write to those files, they can log on as a different user or even root (in case of root's .r(login|hosts) only) to the system. While the rsh daemon usually checks for non-root owners or write permissions, this may not be the case on any system. Those files might affect other services as well (rlogin, rcp, ...). As hostnames and usernames are not verified securely, the use of rsh and similar commands is discouraged. It may still be in use on legacy systems even today, so it should be secured as much as possible if not possible to remove/replace. | |||
2020-06-11 | Fix typo in kernel options description | Steve8291 | |
2020-05-23 | [KRNL-6000] Check more sysctls | Topi Miettinen | |
Add checks for sysctls recommended by CLIP OS (vanilla kernel sysctls only): https://docs.clip-os.org/clipos/kernel.html#sysctl-security-tuning Signed-off-by: Topi Miettinen <toiwoton@gmail.com> | |||
2020-04-25 | [CRYP-7902] Check also certificates in DER format | Topi Miettinen | |
Check also certificates in DER (*.cer, *.der) format. Add /etc/refind.d/keys to list of certificate paths. Signed-off-by: Topi Miettinen <toiwoton@gmail.com> | |||
2020-04-02 | [CRYP-7902] Optionally check also certificates provided by packages | Topi Miettinen | |
The package maintainers are not immune to mistakes or they might not always provide timely updates, so let's check (optionally) more certificates even if they are delivered by packages. I found three expired certificates in my Debian/unstable system, thanks to changed Lynis. Signed-off-by: Topi Miettinen <toiwoton@gmail.com> | |||
2019-09-14 | Disabled shadow files in default profile as each Linux distribution has its own default | Michael Boelen | |
2019-07-26 | Altered order of entries | Michael Boelen | |
2019-07-12 | Run non-interactive by default, use --wait to enforce waiting after finishing a group of tests | Michael Boelen | |
2019-07-08 | New profile option to ignore specified certificate directories | Michael Boelen | |
2019-07-07 | Cleanup of default profile and migration of permdir/permfile | Michael Boelen | |
2019-07-07 | Changed description and added note about strict checking | Michael Boelen | |
2019-07-03 | Merge branch 'master' of https://github.com/CISOfy/lynis | Michael Boelen | |
2019-07-03 | New option to disable plugins via profile | Michael Boelen | |
2019-03-25 | Add some default permfile/permdir | Capashenn | |
2018-03-03 | Changed action from flush to clear | Michael Boelen | |
2018-03-03 | Extended help | Michael Boelen | |
2018-02-16 | Add host identifier options and use manual configured setting in function | Michael Boelen | |
2018-01-23 | Added kernel.yama.ptrace_scope | Michael Boelen | |
2018-01-23 | Overhaul of default profile settings and parsing | Michael Boelen | |
2018-01-11 | Added solution, extended timestamps key values, allow multiple values | Michael Boelen | |
2017-12-08 | Changes for new plugin class 'hardware' | Michael Boelen | |
2017-11-25 | Support for allow-auto-purge option in profiles | Michael Boelen | |
2017-06-22 | Allow tags and system-customer-name to be specified | Michael Boelen | |
2017-06-14 | Added kernel.dmesg_restrict to sysctl checks. (#404) | Dave Vehrs | |
2017-05-03 | Adds Protected Links Checks (#389) | 0ri0n | |
Fixes #386 | |||
2017-03-14 | Added another certificate path for Plesk | Michael Boelen | |
2017-03-14 | Support for Plesk certificates path | Michael Boelen | |
2017-02-21 | Allow data uploads to be configured in profile | Michael Boelen | |
2017-02-16 | Allow colored output to be configured from profile | Michael Boelen | |
2017-02-14 | Added authentication plugin | Michael Boelen | |
2016-11-29 | Added paths for SSL certificates | Michael Boelen | |
2016-11-08 | Add remark for automatic updates and packages | Michael Boelen | |
2016-10-26 | Updated profiles (#300) | marcus-cr | |
* Updated profiles Added “personal” machine-role, changed “desktop” to “workstation”. * Changed Default Profile Amended roles of system: changed “desktop” to “workstation”, and added “personal”. | |||
2016-10-15 | Added missing separator | Michael Boelen | |
2016-10-05 | Added new sysctl values | Michael Boelen | |
2016-09-24 | Show possible solution with findings | Michael Boelen | |
2016-09-13 | Changed suggested value for kernel.randomize_va_space | Michael Boelen | |
2016-08-18 | Added more sysctl keys | Michael Boelen | |
2016-08-18 | Support sysctl checks with multiple profiles | Michael Boelen | |
2016-08-11 | Allow repository update to be disabled | Michael Boelen | |
2016-07-12 | Set initial value for language and improve auto detection | Michael Boelen | |
2016-07-11 | expect value of sysctl:kernel.kptr_restrict to be 2 (#224) | Lukas Pirl | |
from https://lwn.net/Articles/420403/: """ The %pK format specifier is designed to hide exposed kernel pointers, specifically via /proc interfaces. Exposing these pointers provides an easy target for kernel write vulnerabilities, since they reveal the locations of writable structures containing easily triggerable function pointers. The behavior of %pK depends on the kptr_restrict sysctl. […] If kptr_restrict is set to 2, kernel pointers using %pK are printed as 0's regardless of privileges. """ | |||
2016-07-05 | More reorganizing as options will be deprecated | Michael Boelen | |
2016-07-05 | Migrate to new options, including skip-plugins | Michael Boelen | |
2016-07-05 | Migration of several settings to new format | Michael Boelen | |
2016-06-21 | Textual change related to languages | Michael Boelen | |