| Age | Commit message (Collapse) | Author |
|---|
|
|
|
'systemd-analyze security' (available since systemd v240) makes a nice
overall evaluation of hardening levels of services in a system. More
details can be found with 'systemd-analyze security SERVICE' for each
service.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
Linux is the only OS with systemd so no need to check for systemd
single user mode on other operatings systems.
|
|
|
|
|
|
Fix logging of running and enabled services
|
|
Detect rEFInd boot loader (https://www.rodsbooks.com/refind/).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
Log lines for running and enabled services were mixed up, fix.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
* Handle service names with multiple periods
The current awk filter produces truncated output if the service
name contains multiple periods.
eg. dbus-org.freedesktop.resolve1.service and
dbus-org.freedesktop.network1.service both appear as 'dbus-org' in
the resulting service list.
This change addresses this by filtering on '.service' instead.
* Simplify systemd service filtering
Added systemctl switches to filter the output based on enabled
or running services. This removes the need for one of the awk
statements.
|
|
Adds a test to detect systemd-boot. The 'bootctl' binary is also
added as this is the utility used to inspect the systemd-boot
configuration.
This test is only executed if systemd is installed, the bootctl
utility exists and the system is booted in UEFI mode.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* systemctl does not mean systemd is used
* Check for systemd active
* determine service manager if not already set
|
|
|
|
* fix missing ROOTDIR prefix
* sort list of services before processing
* sort list of certificates before processing
* sort list of startup scripts before processing
* spell check
* remove possessive pronoun
|
|
|
|
and new tests
|
|
|
|
* Description fix: SafePerms works on files not dirs.
All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).
* Lots of whitespace cleanups.
Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces. But sometimes
it's 1, sometimes 3, sometimes 8.
These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).
This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.
FWIW I identified instances to check by using:
perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)
Which produced output like:
./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated"
./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then
./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists"
...There's probably formal shellscript-beautification tools that
I'm oblivious about.
* More whitespace standardization.
* Fix a syntax error.
This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.
* Add whitespace before closing ].
Without it, the shell thinks the ] is part of the last string, and
emits warnings like:
.../lynis/include/tests_authentication: line 1028: [: missing `]'
|
|
* Typo fix.
* Style change: always use $(), never ``.
The Lynis code already mostly used $(), but backticks were sprinkled
around. Converted all of them.
* Lots of minor spelling/typo fixes.
FWIW these were found with:
find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less
And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
|
|
|
|
|
|
|
|
* Update facter location for BSDs
BSDs tend to place third party binaries in /usr/local rather than /usr
* Add support for DragonFly boot loader detection
DragonFly BSD has the same file paths for the bootloader as FreeBSD
* Add kernel module checking for DragonFly
DragonFly BSD checks kernel modules the same way as FreeBSD
* Add DragonFly check for login shells
DragonFly's login files are the same as FreeBSD's
* Add HAMMER PFS Detection
All PFS mounts in HAMMER systems for DragonFly will be detected now
|
|
* Default all macOS `OS` names as macOS. Added comments to specify `uname` outputs for better understanding.
* Refactored all `Mac` instances referring to macOS over to `macOS` formatting.
Tested on my own machine, unable to find any errors outside of normal parameters.
|
|
|
|
|
|
Test will display result in red if no boot loader password set and if
server or workstation role was set. Cosmetic change for log text, one
instead of two log texts.
Test displays result in yellow if using personal machine role as
suggestion for typical users.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
