Commit graph

1912 commits

Author SHA1 Message Date
Michael Boelen
b8cdb04772
Corrected requirements to run tests 2020-03-25 19:33:55 +01:00
Michael Boelen
1e52ed0c0d
Added notes to NETW-3200 for future extending this test 2020-03-25 15:19:21 +01:00
Michael Boelen
04c969752a
[NETW-3200] corrected test 2020-03-25 15:15:42 +01:00
Michael Boelen
9b978a3581
Add specific control ID for warnings regarding usage of deprecated options 2020-03-25 15:03:21 +01:00
Michael Boelen
db117ae644
Merge branch 'master' of https://github.com/CISOfy/lynis 2020-03-25 10:11:34 +01:00
Michael Boelen
f644927a42
Improved warning message with 'how to resolve' 2020-03-25 10:11:25 +01:00
Topi Miettinen
339e0c3207
[FILE-6374]: Summarize unhardened file system
Report total numbers of unhardened filesystems.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-25 09:18:16 +02:00
Michael Boelen
3c8e3b0adb
Merge pull request #862 from topimiettinen/blacklist-fs
FS module tests: check if modules are blacklisted
2020-03-24 13:34:05 +01:00
Michael Boelen
3c3feecbfb
Merge pull request #824 from Varbin/master
Add detection of OpenNTPD
2020-03-24 13:29:02 +01:00
Michael Boelen
f83025a283
Merge pull request #860 from topimiettinen/harden-mount-options
Harden mount options for /var, check also /dev and /run
2020-03-24 13:27:50 +01:00
Michael Boelen
dbfadc5446
Merge pull request #879 from topimiettinen/enhance-tomoyo-check
Enhance TOMOYO Linux check
2020-03-24 13:26:33 +01:00
Michael Boelen
18a570c0b8
Merge pull request #880 from konstruktoid/grphashrounds
Add test for group password hash rounds
2020-03-24 13:24:12 +01:00
Thomas Sjögren
bc09f921f0 fix indentation
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2020-03-24 11:53:50 +01:00
Thomas Sjögren
0b9e2d85d6 fix tabs
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2020-03-24 11:45:05 +01:00
Thomas Sjögren
5341fa7b29 AUTH-9229 isnt related to login.defs, add AUTH-9230
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2020-03-24 11:44:14 +01:00
Topi Miettinen
e09fe98b89 Enhance TOMOYO Linux check
Count and log unconfined processes, which are not using policy
profile 3.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-23 18:44:21 +02:00
Topi Miettinen
0da82a18cb
FS module tests: check if modules are blacklisted
Check if FS modules are blacklisted.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-23 17:43:53 +02:00
Topi Miettinen
8913374092 Run 'systemd-analyze security'
'systemd-analyze security' (available since systemd v240) makes a nice
overall evaluation of hardening levels of services in a system. More
details can be found with 'systemd-analyze security SERVICE' for each
service.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-23 17:31:32 +02:00
Michael Boelen
7bba7bd4af
Removed incorrect process name from list, enable --full as it is required for matching jitterentropy-rngd 2020-03-23 16:13:39 +01:00
Michael Boelen
dcddfdb6cc
Merge branch 'master' of https://github.com/CISOfy/lynis 2020-03-23 15:56:03 +01:00
Michael Boelen
1e74f9be9a
Fixed 'lynis show details' output 2020-03-23 15:55:40 +01:00
Michael Boelen
8f77116ce7
Merge pull request #876 from topimiettinen/enhance-apparmor-check
Enhance AppArmor check
2020-03-23 15:24:52 +01:00
Michael Boelen
7d1fe1231a
[CRYP-8005] added haveged, match against process name instead of full command line, code cleanup 2020-03-23 14:29:47 +01:00
Michael Boelen
1eb9218986
Merge branch 'master' of https://github.com/CISOfy/lynis 2020-03-23 13:19:29 +01:00
Michael Boelen
17bbaa8f7a
[AUTH-9229] make test only available for root 2020-03-23 13:19:10 +01:00
Michael Boelen
32cefdea0a
Merge pull request #878 from topimiettinen/check-ima-evm
Check IMA/EVM, dm-integrity and dm-verity statuses
2020-03-23 13:18:16 +01:00
Michael Boelen
122619d01f
Merge pull request #874 from topimiettinen/check-password-hashing-methods
Check password hashing methods
2020-03-23 12:49:20 +01:00
Michael Boelen
17ac4d2c1c
[AUTH-9252] corrected permission check 2020-03-23 10:44:45 +01:00
Topi Miettinen
8ea39314f2
Check for dm-integrity and dm-verity
Detect tools for dm-integrity and dm-verity, check if some devices
in /dev/mapper/* use them and especially the system root device.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-23 10:35:38 +02:00
Michael Boelen
058b071ea2
Merge pull request #877 from bginsbach/auth-9268-add-bsd
Add FreeBSD and NetBSD to AUTH-9268
2020-03-22 15:16:09 +01:00
Topi Miettinen
203a4d3480
Check IMA/EVM status
Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement
Architecture) status.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-22 11:21:52 +02:00
Brian Ginsbach
33ba896b41 Add FreeBSD and NetBSD to AUTH-9268
Add FreeBSD and NetBSD as both support PAM. Simplify the PREQS_MET
test by using a case rather than a long if or.
2020-03-21 20:03:37 -05:00
Brian Ginsbach
f56c3b5f94 Combine NetBSD and OpenBSD AUTH-9234 check
Both NetBSD and OpenBSD have `useradd(8)`, so they can share logic
checking `/etc/usermgmt.conf` for the default user UID range.
2020-03-21 16:16:34 -05:00
Brian Ginsbach
044c78452b Add AUTH-9234 for NetBSD 2020-03-21 16:10:05 -05:00
Topi Miettinen
e0e2096a25
Enhance AppArmor check
Count and log unconfined processes which have no AppArmor profile
applied.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-21 17:14:55 +02:00
Topi Miettinen
26a54991ba
Check for software pseudo random number generators
Check for running audio-entropyd, havegd or jitterentropy-rngd.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-21 16:26:30 +02:00
Michael Boelen
148e5b5c14
Merge pull request #870 from bginsbach/boot-5260-linux
Make BOOT-5260 Linux only
2020-03-21 13:54:21 +01:00
Michael Boelen
1bb35b86b8
Merge pull request #873 from topimiettinen/fix-developer-profile
Fix developer profile
2020-03-21 13:50:03 +01:00
Michael Boelen
357b059c12
Merge pull request #871 from bginsbach/fix-find-not
Fix uses of non-standard find not operator
2020-03-21 13:43:28 +01:00
Topi Miettinen
4a51ad031b
Check password hashing methods
Manual page crypt(5) gives recommendations for choosing password
hashing methods, so let's check if there are weakly encrypted
passwords in the system.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-21 12:50:38 +02:00
Topi Miettinen
e98fcb9b73
Fix developer profile
Initialialize a few variables to let --profile developer.prf pass.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-20 22:26:51 +02:00
Brian Ginsbach
9c5451d29d Make BOOT-5260 Linux only
Linux is the only OS with systemd so no need to check for systemd
single user mode on other operatings systems.
2020-03-20 14:40:20 -05:00
Brian Ginsbach
32d1155953 Fix uses of non-standard find not operator
Use ! rather than the non-standard -not find(1) operator.
2020-03-20 14:37:56 -05:00
Brian Ginsbach
52344913d3 Add a way to signify undetermined EOL
Replace setting an artificaly high date and converted date for
operating systems with no EOL (rolling) or the EOL is still to
be determined. This makes it easier for humans and saves making
a comparison (when using an artifically high converted time)
will always be false (EOL=0).

An example entry

        os:AGreatOS 2.0:👎

The converted time (seconds since the epoch) could be specified as
zero but this typically means the OS is out of date (now), A value
of -1 is a convention indicating no EOL.
2020-03-20 13:42:28 -05:00
Michael Boelen
1f8b5fafde
Add OS to 'show eol' and make output easier to parse 2020-03-20 14:57:56 +01:00
Michael Boelen
38310223a6
Updated date/year 2020-03-20 14:50:25 +01:00
Michael Boelen
8c0b42cdae
Merge pull request #861 from topimiettinen/enhance-selinux-check
Enhance SELinux checks
2020-03-20 14:00:57 +01:00
Michael Boelen
bf7bd1415b
Merge pull request #867 from topimiettinen/check-dnssec-resolvectl
Check DNSSEC status with resolvectl when available
2020-03-20 09:46:40 +01:00
Topi Miettinen
820d2ec607
Check DNSSEC status with resolvectl when available
'resolvectl statistics' shows if DNSSEC is supported by
systemd-resolved and upstream DNS servers.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-19 23:56:24 +02:00
Topi Miettinen
fb9cdb5c43
Enhance SELinux checks
Display and log: permissive types (rules are not enforced), unconfined
processes (not confined by rules) and processes with initrc_t
type (generic type with weak rules).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-19 19:45:37 +02:00