Commit graph

141 commits

Author SHA1 Message Date
Thomas Sjögren
bc09f921f0 fix indentation
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2020-03-24 11:53:50 +01:00
Thomas Sjögren
0b9e2d85d6 fix tabs
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2020-03-24 11:45:05 +01:00
Thomas Sjögren
5341fa7b29 AUTH-9229 isnt related to login.defs, add AUTH-9230
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2020-03-24 11:44:14 +01:00
Michael Boelen
17bbaa8f7a
[AUTH-9229] make test only available for root 2020-03-23 13:19:10 +01:00
Michael Boelen
122619d01f
Merge pull request #874 from topimiettinen/check-password-hashing-methods
Check password hashing methods
2020-03-23 12:49:20 +01:00
Michael Boelen
17ac4d2c1c
[AUTH-9252] corrected permission check 2020-03-23 10:44:45 +01:00
Michael Boelen
058b071ea2
Merge pull request #877 from bginsbach/auth-9268-add-bsd
Add FreeBSD and NetBSD to AUTH-9268
2020-03-22 15:16:09 +01:00
Brian Ginsbach
33ba896b41 Add FreeBSD and NetBSD to AUTH-9268
Add FreeBSD and NetBSD as both support PAM. Simplify the PREQS_MET
test by using a case rather than a long if or.
2020-03-21 20:03:37 -05:00
Brian Ginsbach
f56c3b5f94 Combine NetBSD and OpenBSD AUTH-9234 check
Both NetBSD and OpenBSD have `useradd(8)`, so they can share logic
checking `/etc/usermgmt.conf` for the default user UID range.
2020-03-21 16:16:34 -05:00
Brian Ginsbach
044c78452b Add AUTH-9234 for NetBSD 2020-03-21 16:10:05 -05:00
Topi Miettinen
4a51ad031b
Check password hashing methods
Manual page crypt(5) gives recommendations for choosing password
hashing methods, so let's check if there are weakly encrypted
passwords in the system.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-21 12:50:38 +02:00
Brian Ginsbach
32d1155953 Fix uses of non-standard find not operator
Use ! rather than the non-standard -not find(1) operator.
2020-03-20 14:37:56 -05:00
Michael Boelen
38310223a6
Updated date/year 2020-03-20 14:50:25 +01:00
Michael Boelen
0b0b0ea905
Style improvement 2020-03-12 16:01:11 +01:00
gfelkel
5bce9d598c
AUTH-9228 for HP-UX
HP-UX also has /usr/sbin/pwck. For trusted systems, two additional options -s (check inconsistencies with the protected password database) and -l (check encrypted password lengths that are greater than 8 characters) are available.
2020-01-23 13:30:46 +01:00
Michael Boelen
09f29a5e64
Code style improvement: quote argument 2019-12-18 12:17:46 +01:00
Dave Vehrs
e6bf111f41 Updated tests for file permissions to case statements 2019-10-23 14:47:03 -06:00
Kristian Schuster
364b770c64
kernel-test: determine reboot requirement for more distros. Plus a few fixes 2019-09-28 00:39:12 +02:00
Michael Boelen
2c32e8e04d
Merge pull request #765 from Marzal/Marzal-AUTH-9282
Fix auth-9282
2019-09-21 15:49:58 +02:00
Marzal
0e1e80bacf Double quote to prevent globbing and word splitting.SC2086 2019-09-19 23:36:36 +02:00
Marzal
42ac40aad6 Change variable name from FIND to FIND_P so is not reset by Register 2019-09-19 23:33:19 +02:00
Michael Boelen
36627a4eb7
Style improvements 2019-09-19 14:05:15 +02:00
Michael Boelen
22a7f4fd6d
Combine multiple unsets into a single command 2019-08-26 08:01:43 +02:00
Michael Boelen
3006b8dd26
[AUTH-9408] both backslash and brackets needs to be individually escaped 2019-08-08 15:05:23 +02:00
Michael Boelen
fdc2977575
[AUTH-9408] corrected description 2019-08-08 13:28:17 +02:00
Michael Boelen
8321b98689
[AUTH-9408] double escape to prevent error message (awk: warning: escape sequence '\[' treated as plain '[') 2019-07-26 11:11:03 +02:00
Michael Boelen
b7fb98a47f
[AUTH-9266] skip .pam-old files in /etc/pam.d (used by Ubuntu) 2019-07-26 10:57:44 +02:00
Michael Boelen
63043b536d
[AUTH-9408] added support for pam_tally2 to log failed logins 2019-07-18 11:33:28 +02:00
Michael Boelen
2bd1b1b590
Format change 2019-07-16 19:05:28 +02:00
Michael Boelen
fa8bad20db
Use -n instead of ! -z 2019-07-16 13:20:30 +02:00
Michael Boelen
f6f7a69857
Merge pull request #713 from bcs016/patch-1
Update tests_authentication - AUTH-9402
2019-06-24 13:43:19 +02:00
Michael Boelen
59b102989f
[AUTH-9268] AIX find does not support maxdepth 2019-06-06 14:13:05 +02:00
bcs016
10b8da1c6a
Update tests_authentication
Update AUTH-9402, change name to check in etc/passwd file when device is a QNAP
2019-04-29 11:47:11 +02:00
Michael Boelen
8a9edeb40b
[AUTH-9278] style change, description, allow different root directory 2019-03-29 12:30:12 +01:00
Capashenn
f9bcf26f25 fix issue #612 (#677)
LDAP support for Red Hat and others (fix issue #612)
2019-03-29 12:26:12 +01:00
jirib
0dafe4a02b better OpenBSD support (#641) 2019-03-05 19:03:44 +01:00
Michael Boelen
19921ab001
Style improvements, typo, variable usage 2019-02-28 10:19:09 +01:00
chr0mag
353cf84413 [AUTH-9252] Sudo configuration file/folder check improvements (#637)
* [AUTH-9252] Adds support for files in sudoers.d

This commit adds permission checks for files found in 'sudoers.d'.
Previously only the main 'sudoers' file is checked. Fixes #600.

* [AUTH-9252] Check drop-in directory permissions

The test case currently only checks file permissions. This adds
logic to check the drop-in directory permissions as well.

* [AUTH-9252] Check file/folder ownership

This test currently only checks file/directory permissions. This
commit adds checks to ensure sudo configuration files/folders are
owned with UID=0 and GID=0.
2019-02-28 10:15:57 +01:00
Michael Boelen
66066ae226
Changed year and preparing for new release 2019-01-31 14:47:35 +01:00
Michael Boelen
bca2d00ad7
Added STATUS_WEAK 2019-01-14 18:49:49 +01:00
Michael Boelen
e014e12310
Remove FIND1 variable, as we prefer FIND to limit number of variables 2018-12-17 09:58:57 +01:00
Capashenn
47e37bf058 [AUTH-9282][AUTH-9283] Add support for RedHad and clones (#609)
[AUTH-9282][AUTH-9283] Add support for Red Hat and clones
2018-12-17 09:55:41 +01:00
Michael Boelen
105befb2e9
[AUTH-9308] Made 'sulogin' more generic for systemd rescue shell 2018-04-23 11:01:18 +02:00
Michael Boelen
eb8b467915
Add TODO for PAM checks on AUTH-9286 2018-01-24 19:41:15 +01:00
Michael Boelen
66f8cb2441
Changed year 2018-01-11 09:50:26 +01:00
dataking
099c3b4468 fix for issue #453; simply add RPi/Raspian path to PAM_FILE_LOCATIONS (#475) 2017-10-19 11:33:09 +02:00
Michael Boelen
70ea29483a
Code enhancements 2017-04-23 20:06:54 +02:00
pyllyukko
88f39b9540 Fix regex to disregard locked accounts (#371)
This way, accounts that have ":!!:" in shadow and have an entry in
"Password expires" field don't get flagged with "Result: password of
user XYZ has been expired" by AUTH-9288.

Fixes #362
2017-03-27 09:19:55 +02:00
hlein
62d9a18861 A bunch of Solaris compatibility tweaks (#367)
* Work around Solaris' /bin/sh not being POSIX.

If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be.  Exec it right away.

* Work around Solaris 'which' command oddity.

Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.

This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.

Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.

* Improved alternate-sh exec to avoid looping.

* Solaris' /usr/ucb/echo supports -n.

* Check for the best hash type that openssl supports.

When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.

* Solaris does not support sed -i; use a tempfile.

* Use the full path for modinfo.

When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.

* Solaris find does not support -maxdepth.

This mirrors the logic already in tests_homedirs.

* Use PSBINARY instead of ps.

* Work around Solaris' date not supporting +%s.

Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds.  A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.

* Revert to using sha1 for HOSTID.

* Whitespace cleanup for openssl hash tests.
2017-03-08 16:24:24 +00:00
hlein
e054e9757c Lots of cleanups (#366)
* Description fix: SafePerms works on files not dirs.

All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).

* Lots of whitespace cleanups.

Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces.  But sometimes
it's 1, sometimes 3, sometimes 8.

These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).

This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.

FWIW I identified instances to check by using:

  perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces="";  } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)

Which produced output like:

  ./extras/build-lynis.sh:217:            if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
  ./extras/build-lynis.sh:218:               echo "[X] Version in specfile is outdated"

  ./plugins/plugin_pam_phase1:69:        if [ -d ${PAM_DIRECTORY} ]; then
  ./plugins/plugin_pam_phase1:70:                LogText "Result: /etc/pam.d exists"

...There's probably formal shellscript-beautification tools that
I'm oblivious about.

* More whitespace standardization.

* Fix a syntax error.

This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.

* Add whitespace before closing ].

Without it, the shell thinks the ] is part of the last string, and
emits warnings like:

  .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 19:23:08 +00:00