Age | Commit message (Collapse) | Author |
|
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
|
+ add EN and FR up to date languages files
|
[SSH-7408] fix OpenSSH server version check
|
This option is deprecated since 2003. Having it in a config file raises
a warning and UseDNS (that is on by default) includes the
VerifyReverseMapping check.
See
https://github.com/openssh/openssh-portable/commit/3a961dc0d36c1f87788b707130f6d07709822d38
See #528
|
OpenSSH daemon
|
authentication may need it
|
Seems like in the patch there was an extra 'ssh' added in the command line, which is breaking the ssh tests. Removing the ssh keyword... -T -C ... fixes the problem.
|
configuration
|
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
|
see also https://www.openssh.com/txt/release-7.5
|
* Description fix: SafePerms works on files not dirs.
All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).
* Lots of whitespace cleanups.
Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces. But sometimes
it's 1, sometimes 3, sometimes 8.
These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).
This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.
FWIW I identified instances to check by using:
perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)
Which produced output like:
./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated"
./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then
./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists"
...
There's probably formal shellscript-beautification tools that
I'm oblivious about.
* More whitespace standardization.
* Fix a syntax error.
This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.
* Add whitespace before closing ].
Without it, the shell thinks the ] is part of the last string, and
emits warnings like:
.../lynis/include/tests_authentication: line 1028: [: missing `]'
|
* Typo fix.
* Style change: always use $(), never ``.
The Lynis code already mostly used $(), but backticks were sprinkled
around. Converted all of them.
* Lots of minor spelling/typo fixes.
FWIW these were found with:
find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less
And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
|
with public key authentication
|
PermitRootLogin
|
for reasons, see links below:
https://wiki.mozilla.org/Security/Guidelines/OpenSSH#SSH_agent_forwarding
https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/
|
See Issue #197.
References:
- https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/424371/comments/11
- https://unix.stackexchange.com/questions/56941/what-is-the-point-of-sshd-usedns-option
- https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
|
lowercase settings for other tests
|
Added section to log & display skipped atomic tests.
|
details to report
|