Age | Commit message (Collapse) | Author |
|
installed packages and packages that can be upgraded
|
|
|
|
|
|
|
|
|
|
Add support for Solaris services, run BOOT-5184 there
|
|
Fixes cisofy/lynis#1078.
Signed-off-by: Simon Biewald <sbiewald@fam-biewald.de>
|
|
The Solaris IPS service manager (svcs) is now detected, and services
managed with it are enumerated.
Test BOOT-5184 now runs on Solaris, too, as SysV init scripts are
supported as well, even with IPS. SysV Init has been the traditional
init system on Solaris.
|
|
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
|
|
+ add EN and FR up to date languages files
|
|
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
|
|
Check if system uses encrypted swap devices
|
|
|
|
Report also number of set-uid and set-gid binaries found.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
The NetBSD pkgsrc package management system uses pkg_info for
determining information about packages. This is also the command
used in PKGS-7302.
|
|
Add test CRYP-7931 to check if the system uses any encrypted swap
devices.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
Add detection of OpenNTPD
|
|
Enhance TOMOYO Linux check
|
|
Count and log unconfined processes, which are not using policy
profile 3.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
'systemd-analyze security' (available since systemd v240) makes a nice
overall evaluation of hardening levels of services in a system. More
details can be found with 'systemd-analyze security SERVICE' for each
service.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
Check IMA/EVM, dm-integrity and dm-verity statuses
|
|
Detect tools for dm-integrity and dm-verity, check if some devices
in /dev/mapper/* use them and especially the system root device.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement
Architecture) status.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
Manual page crypt(5) gives recommendations for choosing password
hashing methods, so let's check if there are weakly encrypted
passwords in the system.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
|
|
Enhance SELinux checks
|
|
'resolvectl statistics' shows if DNSSEC is supported by
systemd-resolved and upstream DNS servers.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
Display and log: permissive types (rules are not enforced), unconfined
processes (not confined by rules) and processes with initrc_t
type (generic type with weak rules).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[CRYP-7930] Modify to use 'lsblk' and 'cryptsetup'
|
|
|
|
There are several challenges with the existing method of using
/etc/crypttab:
1)encrypted rootfs partitions are not typically listed in this
file (users are prompted for password in early boot instead)
2)the 'luks' option is the default option so it is possible for
/etc/crypttab entries to never have this set explicitly and any
block device configured as such will be missed currently
3)any device mounted manually, or using any other mechanism aside
from /etc/crypttab will be missed
This commit executes 'cryptsetup isLuks' on every block device in
the system to determine whether it is a LUKS device. This handles
all 3 cases mentioned above.
Test case wording was also updated to reflect the fact that it
only checks for LUKS entrypted block devices. So, plain dm-crypt
and TrueCrypt/VeraCrypt block device encryption is not detected.
Nor is any file system level encryption such as eCryptfs, EncFs,
gocryptfs.
|
|
|
|
|
|
binary scanning is not performed
|
|
|
|
|
|
measure
|
|
|
|
|
|
|
|
|