lynis/CHANGELOG0000644000000000000000000020323012553734554012141 0ustar rootroot ================================================================================ Lynis - Changelog ================================================================================ Author: Michael Boelen (michael.boelen@cisofy.com) Description: Security and system auditing tool Website: https://cisofy.com/lynis/ GitHub: https://github.com/CISOfy/lynis Support policy: See section 'Support' in README file Commercial support and plugins available via CISOfy Documentation: See web site, README, FAQ and CHANGELOG file ================================================================================ = Lynis 2.1.1 (2015-07-22) = This release adds a lot of improvements, with focus on performance, and additional support for common Linux distributions and external utilities. We recommend to use this latest version. * Operating system enhancements ------------------------------- Support for systems like CentOS, openSUSE, Slackware is improved. * Performance ------------- Performance tuning has been applied, to speed up execution of the audit on systems with many files. This also includes code cleanups. * Automatic updates ------------------- Initial work on an automatic updater has been implemented. This way Lynis can be scheduled for automatic updating from a trusted source. * Internal functions -------------------- Not all systems have readlink, or the -f option of readlink. The ShowSymlinkPath function has been extended with a Python based check, which is often available. * Software support ------------------ Apache module directory /usr/lib64/apache has been added, which is used on openSUSE. Support for Chef has been added. Added tests for CSF's lfd utility for integrity monitoring on directories and files. Related tests are FINT-4334 and FINT-4336. Added support for Chrony time daemon and timesync daemon. Additionally NTP sychronization status is checked when it is enabled. Improved single user mode protection on the rescue.service file. * Other ------- Check for user permissions has been extended. Python binary is now detected, to help with symlink detection. Several new legal terms have been added, which are used for usage in banners. In several files old tests have been removed, to further clean up the code. * Bug fixes --------- Nginx test showed error when access_log had multiple parameters. Tests using locate won't be performed if not present. Fix false positive match on Squid unsafe ports [SQD-3624]. The hardening index is now also inserted into the report if it is not displayed on screen. * Functions --------- Added AddSystemGroup function * New tests --------- Several new tests have been added: [PKGS-7366] Scan for debsecan utility on Debian systems [PKGS-7410] Determine amount of installed kernel packages [TIME-3106] Check synchronization status of NTP on systemd based systems [CONT-8102] Docker daemon status and gather basic details [CONT-8104] Check docker info for any Docker warnings [CONT-8106] Check total, running and unused Docker containers * Plugins --------- [PLGN-2602] Disabled by default, as it may be too slow for some machines [PLGN-3002] Extended with /sbin/nologin * Documentation --------------- A new document has been created to help with the process of upgrading Lynis. It is available at https://cisofy.com/documentation/lynis/upgrading/ -------------------------------------------------------------- = Lynis 2.1.0 (2015-04-16) = * General --------- Screen output has been improved to provide additional information. * OS support ------------ CUPS detection on Mac OS has been improved. AIX systems will now use csum utility to create host ID. Group check have been altered on AIX, to include the -n ALL. Core dump check on Linux is extended to check for actual values as well. * Software ---------- McAfee detection has been extended by detecting a running cma binary. Improved detection of pf firewall on BSD and Mac OS. Security patch checking with zypper extended. * Session timeout ----------------- Tests to determine shell time out setting have been extended to account for AIX, HP-UX and other platforms. It will now determine also if variable is exported as a readonly variable. Related compliance section PCI DSS 8.1.8 has been extended. * Documentation --------------- - New document: Getting started with Lynis https://cisofy.com/documentation/lynis/get-started/ * Plugins (Enterprise) ---------------------- - Update to file integrity plugin Changes to PLGN-2606 (capabilities check) - New configuration plugins: PLGN-4802 (SSH settings) PLGN-4804 (login.defs) Download link: https://cisofy.com/download/lynis/ -------------------------------------------------------------- = Lynis 2.0.0 (2015-02-25) = The first release within the 2.x branch! It includes several new features, to simplify or improve auditing on Unix based systems, including BSD, Linux, Mac OS and more traditional systems like AIX, HPUX and Solaris. New features and many improvements are the reason for the bump to a major release, also a beginning of a new era. Many tools to audit or harden systems have being released, yet none have been maintained over a long period of time. * Support and Feedback This software is supported and under development by CISOfy. By providing a dual license, this software is kept up-to-date and enhanced. Both customers and the community, benefit from this licensing. This release is available thanks to your input and feedback. * Helpers New in this release is the support for helpers. Small utilities which enhance Lynis by providing a single goal. The first helper available is to audit Docker build files. * Improved OS support Many changes have been implemented to better support Linux, FreeBSD, NetBSD DragonBSD and OpenBSD in particular. Upcoming releases will include smaller "improvement rounds" for other systems as well. * New technologies More utilities and technologies are supported now. Technologies and tools like systemd, Docker, nftables. * Lynis Enterprise As this code is shared, customers have an additional option to define to what server they want to upload the audit results. Also, commercial plugins have been bundled. * New parameters Several new options have been added: --dump-options (see all options) --report-file (define a different location for the report file) * General Documentation on the website has been extended: https://cisofy.com/support/ The man page, Lynis binary and several tests have improved texts. This release is exceptional in that it includes many changes. We have done a lot of testing on different platforms. You could expect this software to be stable. Still, an assumption is no guarantee and especially no substitution for testing in your own environment. If you encounter issues, please report them via one of the links above in this changelog. Enjoy this new release! ================================================================================ * 1.6.4 (2014-11-04) New: - Boot loader detection for AIX [BOOT-5102] - Detection of getcap and lsvg binary - Added filesystem_ext to report - Detect rootsh Changes: - Hide errors when RPM database is faulty and show suggestion instead [PKGS-7308] - Allow OpenBSD to gather information on listening network ports [NETW-3012] - Don't trigger warning for Shellshock when doing segfault test [SHLL-6290] - Do not run Apache test on OpenBSD and strip control chars [HTTP-6624] - Extended AIDE test with configuration validation test [FIND-4314] - Improved Shellshock test regarding non-Linux support [SHLL-6290] - Added support for gathering volume groups on AIX [FILE-6311] - Properly parse PAM lines and add them to report [AUTH-9264] - Support for boot loader detection on OpenBSD [BOOT-5159] - Added uptime detection for OpenBSD systems [BOOT-5202] - Support for volume groups on AIX [FILE-6312] - Redirect errors when searching for readlink binary -- * 1.6.3 (2014-10-14) New: - Added tests for Shellshock bash vulnerability [SHLL-6290] - Added test to determine if Snoopy is used [ACCT-9636] - New test for qdaemon configuration file [PRNT-2416] - Test for GRUB boot loader password [BOOT-5122] - New test for qdaemon printer jobs [PRNT-2420] - Added ClamXav test for Mac OS X [MALW-3288] - Gentoo vulnerable packages test [PKGS-7393] - New test for qdaemon status [PRNT-2418] - Gentoo package listing [PKGS-7304] - Running Lynis without root permissions will start non-privileged scan - Systemd service and timer example file added - Added grub2-install to binaries Changes: - Adjustments so insecure SSL protocols are detected in nginx config [HTTP-6710] - Directories will be skipped when searching for nginx log files [HTTP-6720] - Only gather unique name servers from /etc/resolv.conf [NAME-2704] - Properly detect mod_evasive on Gentoo and others [HTTP-6640] - Improved swap partition detection in /etc/fstab [FILE-6336] - Improvements to kernel detection (e.g. Gentoo) [KRNL-5830] - Test for built-in security options in YUM [PKGS-7386] - Improved boot loader detection for GRUB2 [BOOT-5121] - Split GRUB test into two tests [BOOT-5122] - Added Mac OS uptime check [BOOT-5202] - Improved GetHostID function for systems having only ip binary - Improved testing for symlinked binary directories - Minor adjustments to log output - Renamed dev directory to extras -- * 1.6.2 (2014-09-22) New: - IsVirtualMachine function to check if system is running in VM VM types: Bochs CPU emulation, IBM z/VM, KVM, Linux Containers, libvirt LXC driver (Linux Containers), Microsoft Virtual PC, OpenVZ, Oracle VM VirtualBox, QEMU, Systemd Namespace container, User-Mode Linux (UML), VMware products, XEN - Detection for SaltStack configuration management tooling - ShowSymlinkPath function to check path behind a symlink - Check of configuration options of pacman [PKGS-7314] - Support for drill binary to check for Lynis update - FileIsEmpty function to check for empty files - Detect updates for Arch Linux [PKGS-7312] - Add detection for machine ID (systemd) - Added linux_config_file to report - Bash completion script for Lynis - Added detection of ss binary Changes: - Extended system reboot check, to enable it for most Linux versions[KRNL-5830] - Improved inetd test to avoid false positive with xinetd process [INSE-8002] - Permissions check has been adjusted to allow packaging and pentest mode - Added detection for compressed Linux config file [KRNL-5728] - Added support for compressed Linux config file [KRNL-5730] - Store PID file in home directory of the user, if needed - Added usage of ss to gather listening ports [NETW-3012] - Additional permission added to CUPS check [PRNT-2307] - Extended telnet in inetd test [INSE-8016] - Fix for reading at.deny file [SCHD-7720] - Removed individual warnings [BOOT-5184] - Several improvements for Arch Linux -- * 1.6.1 (2014-09-09) New: - Added --pentest parameter to run a non-privileged scans (e.g. for pentesting) - Show skipped tests in report if they require root and scan is non-privileged Changes: - Improved vulnerable packages test on Debian based systems (apt-check) [PKGS-7392] - Don't show warnings for 'swap' in 4th column fstab file [FILE-6336] - Remove warning for old files in /tmp [FILE-6354] - CheckUpdates function will have better output when no connection is available - Changes to parameters and functions, to allow penetration tests with Lynis - Test for actual files in /etc/modprobe.d before grepping in it - Improved chown command when file permissions are incorrect - Changed output of update test, show when status is unknown - No scanning of symlinked directories (binaries test) - Extended SafePerms function to also check for UID - Several tests will have root-only bit set now - Improved netstat tests on Arch Linux -- * 1.6.0 (2014-08-27) New: - Added several new plugins to default profile - HostID detection for AIX Changes: - Improvements for log file - GetHostID function improved - Improved detection of security repository for Debian based systems [PKGS-7388] - Set default values for update check, to avoid error message on screen - Cleanup for mail section, adding IMAP and POP3 protocols -- * 1.5.9 (2014-07-31) New: - New NetBSD test for vulnerable software packages [PKGS-7380] - Test if Debian based systems need a reboot [KRNL-5830] - Test for running Sendmail daemon [MAIL-8880] - Test for availability of mtree [FINT-4330] - Check for lp daemon (printing) [PRNT-2314] - Added Qmail status detection [MAIL-8860] - New NetBSD boot loader test [BOOT-5126] - Added test for automation tools like Cfengine and Puppet [TOOL-5002] - Added KRNL-5830 control to website - Added detection for Puppet - Added tooling category Changes: - Security repository test extended with /etc/apt/sources.list.d [PKGS-7388] - Added exception case for CUPS configuration (listen statement) [PRNT-2308] - Improved detection of TMOUT setting in shell profile file [SHLL-6220] - Perform promiscuous interfaces test for NetBSD as well [NETW-3014] - Perform swap partition parameters test on all systems [FILE-6336] - Also check password file on DragonFlyBSD and NetBSD [AUTH-9208] - Show message regarding toor user for all systems [AUTH-9204] - Check for available interfaces on NetBSD as well [NETW-3004] - Extended UFS file system test with FFS support [FILE-6329] - Improvements for step-tickers file test [TIME-3160] - Perform sockstat test for NetBSD [NETW-3012] - Gather IP addresses for NetBSD [NETW-3008] - Test MAC addresses on NetBSD [NETW-3006] - Added /usr/X11R7/bin directory to search for binaries - Improved full qualified domain name (FQDN) check for Linux - Don't show follow-up hints when there are no warnings or suggestions - Improved IsRunning function to better target processes - Several smaller adjustments in text and descriptions - Extended ReportException function with logging text - Improved GetHostID function for NetBSD and Solaris - Added printing_daemon and mail_daemon to report - Binaries extended with tools like kstat, puppet -- * 1.5.8 (2014-07-24) New: - Testing for commercial anti-virus solutions like McAfee and Sophos [MALW-3280] - New control text for MALW-3280 - http://cisofy.com/controls/MALW-3280/ Changes: - Extended GRUB test with encrypted password (SHA1) [BOOT-5121] - Check /etc/profile for multiple umask values [AUTH-9328] - Extended PHP disabled functions test [PHP-2320] - Add gpgcheck parameter to YUM test [PKGS-7387] - Squid configuration file permissions test adjusted and control added to website [SQD-3613] - Logging has been extended and exceptional event text adjusted -- * 1.5.7 (2014-07-09) New: - Implementation of SafePerms function - Added notification when exceptions are found Changes: - Fix for error_log handling in nginx -- * 1.5.6 (2014-06-12) New: - Test for PHP binary and PHP version - Don't perform register_global test for systems running PHP 5.4.0 and later [PHP-2368] - Debug function (can be activated via --debug or profile) Changes: - Extended IsRunning function - Removed suggestion from secure shell test [SHLL-6202] - Check for idle session handlers [SHLL-6220] - Also check for apache2 binary (file instead of directory) - New report values: session_timeout_enabled and session_timeout_method - New report value for plugins: plugins_enabled - Fixed test to determine active TCP sessions on Linux [NETW-3012] -- * 1.5.5 (2014-06-08) New: - Check for nginx access logging [HTTP-6712] - Check for missing error logs in nginx [HTTP-6714] - Check for debug mode in nginx [HTTP-6716] Changes: - Extended SSL test for nginx when using listen statements - Allow debugging via profile (config:debug:yes) - Check if discovered httpd file is actually a file - Improved temporary file creation related to security notice - Adjustments to screen output Security Note: This releases solves two issues regarding the usage of temporary files (predictability of the file names). You are advised to upgrade to this version as soon as possible. For more information see the our blog post: http://linux-audit.com/lynis-security-notice-154-and-older/ -- * 1.5.4 (2014-06-04) New: - Check additional configuration files for nginx [HTTP-6706] - Analysis of nginx settings [HTTP-6708] - New test for SSL configuration of nginx [HTTP-6710] Changes: - Altered SMBD version check for Mac OS - Small adjustments to report for readability -- * 1.5.3 (2014-05-19) New: - Support for zypper package manager - Gather installed packages with Zypper on SuSE systems [PKGS-728] - Check for vulnerable packages with Zypper package manager [PKGS-7330] Changes: - Check for aide.conf also in /etc [FINT-4315] - Adjusted screen output for unreliable NTP peers [TIME-3120] - Adjusted check kernel test for non-Linux systems [KRNL-5730] - Improved screen output on AIX systems with echo command -- * 1.5.2 (2014-05-05) New: - Support for runlevel in binaries test Changes: - Added suggestion for kernel availability check [KRNL-5788] - Added suggestion for services at startup and proper binary call [BOOT-5180] - Added suggestion to configure accounting on FreeBSD [ACCT-2754] - Added suggestion to configure Linux process accounting [ACCT-9622] - Several new controls listed on website - Adjusted hardening index if total score was zero - Added suggestion for auditd.conf file [ACCT-9632] - Removed suggestion for audit log file [ACCT-9634] - Removed warning from NTP falsetickers test, added data to report [TIME-3132] - Removed warning from NTP selected time source test [TIME-3124] -- * 1.5.1 (2014-04-22) Changes: - Extended reporting with running databases and frameworks - Adjusted Oracle status in test [DBS-1840] - Extended grsecurity test [RBAC-6272] - Redirect rpcinfo errors to /dev/null - Adjusted color scheme -- * 1.5.0 (2014-04-10) New: - Support for Amazon Linux - NTP check for step-tickers file (Red Hat and clones) [TIME-3160] Changes: - Minor textual changes in description of several controls - Removed several warnings (usage of suggestions instead) - Website has now more information for several controls - Extended detection for Oracle Linux - Updated the FAQ and README files -- * 1.4.9 (2014-04-03) New: - Added links in report to related control documentation on website - Detect Linux I/O kernel scheduler [KRNL-5730] Changes: - Check for non-unique accounts on several platforms [AUTH-9208] - Set initial discover value for PAM modules to zero [AUTH-9268] -- * 1.4.8 (2014-03-27) Changes: - Adjusted resolv.conf domain setting in report [NAME-4016] - Extend account test with /var/log/pacct [ACCT-9620] - Added suggestion to DNS domain name test [NAME-4028] - Changed text strings of ZFS test [FILE-6330] - Extend LILO password test [BOOT-5139] - Set default value for pf firewall -- * 1.4.7 (2014-03-21) New: - New configuration item to set group name - Search for AIDE configuration file (aide.conf) [FINT-4315] - Check for usage of SHA256/SHA512 in AIDE configuration [FINT-4316] - Added grep to list of binaries Changes: - Added suggestion when using NIS or NIS+ [NAME-4302] - Clean-up of unneeded plugin section - Small typo fix -- * 1.4.6 (2014-03-14) New: - Check for GPG signing in yum.conf [PKGS-7387] - Check CUPS configuration file permissions [PRNT-2307] Changes: - Screen cleanup -- * 1.4.5 (2014-03-08) New: - Support for Chakra Linux - Support for pacman binary (package manager) - Query installed packages on systems with pacman [PKGS-7310] Changes: - Avoid logging to screen when falsetickets are found [TIME-3132] - Skipping FIFO file on Solaris systems when checking for cron jobs [TIME-3104] - Extended uptime test for Solaris systems [BOOT-5202] - Added /usr/lib/security to PAM locations to scan - Report cronjobs to report [SCHD-7704] - HostID support for Solaris - Improved color scheme - Extended logging -- * 1.4.4 (2014-03-03) New: - Detect tune2fs binary - Added ExitFatal() function - Added egrep binary to binaries - Initial plugin support (phase 1) - Added InsertPluginSection() function Changes: - Adjusted disabled functions tests to properly find functions [PHP-2320] - Extended time test with egrep binary replace for Solaris [TIME-3104] - Adjusted color for SNMP test when warning is found [SNMP-3306] - Adjusted text for PHP risky functions [PHP-2320] - Refer to discovered binaries for ifconfig, lsmod, tune2fs - Test plugin directory when provided by --plugin-dir - Scan report extended with plugin information - Extended help for Enterprise options - Improved IsRunning() function - Extended color scheme -- * 1.4.3 (2014-02-23) New: - Support for ClearOS - Data upload for Lynis Enterprise users (--upload) - Added debug variable for troubleshooting purposes - Scan profile option license_key Changes: - Skip password check for Red Hat or clones [AUTH-9282] - Extended single user login protection [AUTH-9308] - Adjusted repolist check for yum based systems [PKGS-7383] - Inserted sleep time when update is found - Extended report output -- * 1.4.2 (2014-02-19) Changes: - Ignore interfaces aliases for HostID - Extended umask tests with pam_umask entries [AUTH-9328] - Check for supressed version on Squid [SQD-3680] -- * 1.4.1 (2014-02-15) New: --plugin-dir parameter Changes: - Added 64 bits locations for Apache modules - Add start of new category to logfile - Extended sysstat test with /etc/cron.d/sysstat [ACCT-9626] - Extended cron job tests with entries start with asterix (*) [SCHD-7704] - Additional check for multiple umask entries (like RHEL 6.x) [AUTH-9328] - Adjusted PHP test for register_globals (explicit test) [PHP-2368] - Small adjustments for upcoming plugin support - Extended man page -- * 1.4.0 (2014-01-29) Changes: - Removed some warnings, to prevent double messages - Extended accounting check for Linux [ACCT-9622] - Added consistency check to time test [TIME-3124] - Added support for anacron jobs [SCHD-7704] - Rewrite of YUM repository test [PKGS-7383] - Use binary variables for hostid creation - AIX version detection changed - Added rpcinfo to binaries check - Ignore LANG global setting - Improved logging -- * 1.3.9 (2014-01-09) Changes: - Additional support for Mac OS - Support for shasum binary - Performance adjustment for lsof tests - Extended interface check for hostid creation - Improved NSCD detection [NAME-4032] - Bug fix for passwdqc [AUTH-9262] - Extended vulnerable packages test [PKGS-7392] - Hide possible sysctl errors [KRNL-5820] -- * 1.3.8 (2013-12-25) New: - New parameter --view-categories to display available test categories - Added /etc/hosts check (duplicates) [NAME-4402] - Added /etc/hosts check (hostname) [NAME-4404] - Added /etc/hosts check (localhost mapping) [NAME-4406] - Portmaster test for possible port upgrades [PKGS-7378] - Check for SPARC improve boot loader (SILO) [BOOT-5142] - NFS client access test [STRG-1930] - Check system uptime [BOOT-5202] - YUM repolist check [PKGS-7383] - Contributors file added Changes: - Improved locate database check and reporting [FILE-6410] - Improved PAE/No eXecute test for Linux kernel [KRNL-5677] - Disabled NIS domain name from test [NAME-4028] - Extended NIS domain test to check BSD sysctl value [NAME-4306] - Extended PAM tools check with PAM paths [AUTH-9262] - Adjusted Apache check to avoid skipping it [HTTP-6622] - Extended USB state testing [STRG-1840] - Extended Firewire state testing [STRG-1846] - Extended core dump test [KRNL-5820] - Added /lib/i386-linux-gnu/security to PAM directories - Added /usr/X11R6/bin directory to binary paths - Improved readability of screen output - Improved logging for several tests - Improved Debian version detection - Added warning to BIND test [NAME-4206] - Extended binaries with showmount and yum - Updated man page -- * 1.3.7 (2013-12-10) New: - Function FileExists() and SearchItem() Changes: - Adjusted yum-security check [PKGS-7386] - Improved check for iptables binary check - Extended report with the tests executed and skipped -- * 1.3.6 (2013-12-03) New: - Support for the dntpd time daemon - New Apache test for modules [HTTP-6632] - Apache test for mod_evasive [HTTP-6640] - Apache test for mod_qos [HTTP-6641] - Apache test for mod_spamhaus [HTTP-6642] - Apache test for ModSecurity [HTTP-6643] - Check for installed package audit tool [PKGS-7398] - Added initial support for new pkgng and related tools [PKGS-7381] - Check for ssh-keyscan binary - ZFS support for FreeBSD [FILE-6330] - Test for passwordless accounts [AUTH-9283] - Initial OS support for DragonFly BSD - Initial OS support for TrueOS (FreeBSD based) - Initial OS support for elementary OS (Luna) - GetHostID for DragonFly, FreeBSD, NetBSD and OpenBSD - Check for DHCP client [NETW-3030] - Initial support for OSSEC (system integrity) [FINT-4328] - New parameter --log-file to adjust log file location - New function IsRunning() to check status of processes - New function RealFilename() to determine file name - New function CheckItem() for parsing files - New function ReportManual() and ReportException() to simplify code - New function DirectoryExists() to check existence of a directory - Support for dntpd [TIME-3104] Changes: - Extended pf checks for FreeBSD/OpenBSD and others [FIRE-4518] - Extended test to gather listening network ports for Linux [NETW-3012] - Adjusted lsof statement to ignore warnings (e.g. fuse) [LOGG-2180] [LOGG-2190] - Added suggestion for discovered shells on FreeBSD [AUTH-9218] - Extended core dump test with additional details [KRNL-5820] - Properly display suggestion if portaudit is not installed [PKGS-7382] - Ignore message if no packages are installed (pkg_info) [PKGS-7320] - Also try using apt-check on Debian systems [PKGS-7392] - Adjusted logging for RPM binary on systems not using it [PKGS-7308] - Extended search in cron directories for rdate/ntpdate [TIME-3104] - Adjusted PHP check to find ini files [PHP-2211] - Skip Apache test for NetBSD [HTTP-6622] - Skip test http version check for NetBSD [HTTP-6624] - Additional check to supress sort error [HTTP-6626] - Improved the way binaries are checked (less disk reads) - Adjusted ReportWarning() function to skip impact rating - Improved report on screen by leaving out date/time and type - Redirect errors while checking for OpenSSL version - Extended reporting with firewall status and software - Adjusted naming of some operating systems to make them more consistent - Extended update check by using host binary if dig is not installed - Count number of installed binaries/packages and report them - Report about log rotation tool and status - Updated man page -- * 1.3.5 (2013-11-19) New: - OS detection for Mageia Linux, PCLinuxOS, Sabayon Linux and Scientific Linux - Added some initial systemd support (e.g. boot services) - Test to display if any known MAC framework is implemented [MACF-6290] Changes: - Improved support for Slackware Linux (OS and version detection) - Added systemd support (boot and running services) for Linux systems [BOOT-5177] - Added systemd support (default runlevel) for Linux systems [KRNL-5622] - Extended USB storage check in modprobe.d directory [STRG-1840] - Improved output, reporting and check for kernel update [KRNL-5788] - Optimized code and output of test to check writable scripts [BOOT-5184] - Fixed detection for writable scripts [BOOT-5184] - Improved detection IPv6 addresses for Slackware and others [NETW-3008] - Minor addition to SSH PermitRootLogin check [SSH-7412] - Extended cronjob tests, reporting and logging [SCHD-7704] - Extended umask check in /etc/profile [AUTH-9328] - Added suggestion about BIND version [NAME-4210] - Merged test NTP daemon test TIME-3108 into TIME-3104 - Improved support for Arch Linux (output, detection) - Extended common list of directories with SSL certifcates in profile - New function GetHostID() to determine an unique identifier of the machine - Added a tests_custom file template - Perform file permissions test on tests_custom file - Improved OS detection and extended logging on several tests - Several layout improvements - Extended update check functions and output - Cleaned up reporting and extended it with exceptions -- * 1.3.4 (2013-11-08) New: - OS detection support for Arch Linux - Support for systemd journal Changes: - Test for files in /etc/modprobe.d directory [STRG-1840] - Extended log daemon detection with systemd journal [LOGG-2130] - Adjusted hardening value for compiler GCC [HRDN-7222] - Extended IsWorldWritable and IsWorldExecutable functions to support symlinks - Adjusted PHP test for disabled functions [PHP-2320] - Extended testing for PHP files in other directories [PHP-2211] - Improved screen output for several tests and extended logging -- * 1.3.3 (2013-10-24) New: - Added NTP configuration type to report [TIME-3104] Changes: - Do not warn on empty shells for FreeBSD systems [AUTH-9218] - Extended checks for presence NTP client or daemon [TIME-3104] - Extended logging -- * 1.3.2 (2013-10-09) New: - Test for PowerDNS authoritive servers (master/slave status) [NAME-4238] Changes: - CUPS test extended with hardening rules [PRNT-2308] - Added hardening points to sticky bit on /tmp [FILE-6362] - Extended Ubuntu security packages check [PKGS-7392] - Improved update check, show when no check is performed - Added additional check for binaries, so checks on CentOS work correctly - Added word 'restricted' to banner strings - Adjusted wording for Debian packages purge [PKGS-7346] - Corrected listing of purgable packages [PKGS-7346] - Adjusted yum-plugin-security check due to package changes [PKGS-7386] -- * 1.3.1 (2013-10-02) Changes: - Updated generic references in files - Fixed detection of several binaries (AFICK/awk) - Performance tweaks when checking for binaries - Fixed core dump check and dumpable sysctl [KRNL-5820] - Force test to always to check for binaries [FILE-7502] - Changed detection to egrep [DBS-1840] - Adjusted variable checking for Solaris [HOME-9310] - Adjusted search in modprobe directory [STRG-1840] [STRG-1846] -- * 1.3.0 (2011-12-25) New: - Profile option: ignore_home_dir - TCP wrappers category added - Tooling category added - Initial extensions to support plugins in the future - Test for unpurged Debian packages [PKGS-7346] - Test for compiler permissions [HRDN-7222] Changes: - Converted all dates to ISO format and updated copyright lines - Correct suggestion for file integrity tool [FINT-4350] - Added hint when RPM list is empty on DPKG based systems [PKGS-7308] - Changed logging for /etc/security/limits.conf file [KRNL-5820] - Fixed incorrect warning for single user mode [AUTH-9308] - Improved output for stratum 16 time servers [TIME-3116] - Added suggestion and screen output for kernel hardening [KRNL-6000] - Screen layout optimalizations and log file improvements - Improved list/layout of scan options - Improved binary check for compilers - Added configuration option in scan profile (show_tool_tips, default true) -- * 1.2.9 (2009-12-15) New: - Support for Squid3 - Added Squid unsafe ports check [SQD-3624] - Added Squid configuration file permission check [SQD-3613] - Added Squid test: reply_body_max_size option [SQD-3630] - Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328] - Check PHP option allow_url_include [PHP-2378] Changes: - Extended possible Squid configuration file locations - Added additional sysctl keys to default profile - Fixed typo in squid.conf checks - Improved descriptions, logging and reporting for several tests - Corrected /etc/security/limits.conf path in test [KRNL-5820] - Updated man page, limited lines to 80 chars -- * 1.2.8 (2009-12-08) New: - Squid support added - Squid daemon detection [SQD-3602] - Squid configuration file search [SQD-3604] - Squid version detection [SQD-3606] - Check /etc/motd banner [BANN-7122] - Check /etc/issue.net file [BANN-7128] - Check contents in /etc/issue.net [BANN-7130] - Solaris single user mode login check (/etc/default/sulogin) [AUTH-9304] - HP-UX boot authentication check [AUTH-9306] - Linux single user mode authentication check [AUTH-9308] - Solaris account locking policy check [AUTH-9340] Changes: - Added prerequisite to SSH test, so the test is skipped properly [SSH-7440] - Check for /etc/issue symlink [BANN-7124] - Added file check for possible harmful shells found [AUTH-9218] - Add user home directories to report [HOME-9302] - Extended Linux run level test with support for Debian/Ubuntu [KRNL-5622] - Added /lib64/security to PAM test [AUTH-9262] - Extended security repository check [PKGS-7388] - Iptables check should not check for a module in a Linux config [FIRE-4511] - Ignore APC ups daemon when scanning for CUPS [PRNT-2304] - Improved kernel logger daemon check [LOGG-2138] - Added auditctl to binary check [ACCT-9630] - Log used auditd ruleset [ACCT-9630] - Corrected logging of Solaris c2audit module [ACCT-9656] - Fixed warning function for Solaris passwordless accounts [AUTH-9254] - Commented kern.randompid in default profile - For sysctl the parameter -n will be used on Linux systems - Changed syslog daemon detection and state - Extended report file -- * 1.2.7 (2009-11-01) New: - Added Kernel Hardening section - Sysctl audit support in scan profile and related test [KRNL-6000] - SSH option StrictModes test [SSH-7416] - Password aging limit check [AUTH-9286] - Ubuntu packages check (apt-show-versions) [PKGS-7394] - Check for metalog daemon [LOGG-2210] - USB storage driver state check [STRG-1840] - Firewire storage driver state check [STRG-1846] - PostgreSQL process check [DBS-1826] - Oracle process check [DBS-1840] - Default umask check [AUTH-9328] - Check for rsyslog daemon [LOGG-2230] - RFC 3195 compliant daemon check [LOGG-2240] - Qmail SMTP daemon check [MAIL-8940] - Test for separation of /tmp and /home from root file system [FILE-6310] - SSH AllowUsers and AllowGroups usage check [SSH-7440] - AIX support, thanks to Michael Smerdka Changes: - Fixed crontabs path [SCHD-7704] - Extended locate database paths for Linux and FreeBSD [FILE-6410] - pflog detection fix [FIRE-4518] - Skip /proc/meminfo for non Linux systems [PROC-3602] - Extended text with rsyslogd [LOGG-2130] - Ignore comment and empty lines for group tests [AUTH-9222/9226] - Show firewall as active when iptables is available in config file [FIRE-4511] - Variable fix for SNMP daemon configuration file [SNMP-3304] - Freshclam check fix [MALW-3286] - Fixed waiting search for NIS domain [NAME-4306] - Check for a maximum of 1 search statement in /etc/resolv.conf [NAME-4018] - Apache test improved [HTTP-6622] - Skip klogd test if rsyslogd is available [LOGG-2138] - Added additional CUPS location to search paths - Only execute PAM test for systems with PAM [AUTH-9268] - Fixed logging of sudoers file location [AUTH-9250] - Improved FreeBSD support for NTP client check [TIME-3104] - Redirect warning "Unknown host" when DNS domain name is empty [NAME-4028] - Redirect warning when host name is empty - Fixed warning color [AUTH-9226] - Fixed FreeBSD COPYRIGHT file test [BANN-7113] - Changed text for sudoers text [AUTH-9250] - Improved text for DNS search domain [NAME-4016] - Skip nginx configuration test if nginx is not available [HTTP-6704] - Removed portsclean suggestion [PKGS-7348] - Fixed non unique IDs - Fixed cosmetic issue when using Debian with default dash shell - Improved hostname detection for HP-UX - Added additional php.ini file locations - Moved Linux default shell check to OS detection functions - Fixed CUPS daemon test [PRNT-2304] - Also check for uppercase chars in issue file [BANN-7126] -- * 1.2.6 (2009-04-05) New: - Sudoers file permissions check [AUTH-9252] - Core dumps configuration check for Linux [KRNL-5820] - PHP disabled functions check [PHP-2320] - PHP enable_dl function check [PHP-2374] - PHP allow_url_fopen function check [PHP-2376] - OpenBSD smtpd status check [MAIL-8920] - /etc/issue check [BANN-7124] - /etc/issue legal keywords check [BANN-7126] - Show suggestions in report Changes: - Extended support for Red Hat, CentOS and Fedora - Extended ACL test to test for default mount options as well [FILE-6368] - Exim status test fixed [MAIL-8812] - Corrected yum security check [PKGS-7386] - Replaced LDAP test AUTH-9238 with [AUTH-9402] - Removed backquotes when locate database is not available [FILE-6410] - Added /etc/openldap to search path for OpenLDAP - Fixed typo in crontab path [SCHD-7704] - Don't show message "No volume groups found" if LVM isn't used [FILE-6310] - Corrected Syslog-NG status [LOGG-2132] - Moved TODO to dev directory -- * 1.2.5 (2009-03-27) New: - slapd.conf check [LDAP-2224] - atd status test [SCHD-7718] - Check LDAP module in PAM [AUTH-9278] - Check Dovecot status check [MAIL-8838] - Check log directories from newsyslog.conf [LOGG-2162] - Check log directories from static list [LOGG-2170] - Check log directories from logrotate configuration [LOGG-2150] - syslog check for remote logging [LOGG-2154] - Open log files check [LOGG-2180] - Deleted file check [LOGG-2190] - Solaris active kernel modules check [KRNL-5770] - Solaris audit daemon status check [ACCT-9650] - Solaris audit daemon service status [ACCT-9652] - Solaris audit daemon BSM check [ACCT-9654] - Solaris audit logging location check [ACCT-9662] - Solaris audit statistics check [ACCT-9672] - Check for installed compiler [HRDN-7202] - BIND process check [NAME-4202] - BIND configuration file check [NAME-4204] - BIND configuration consistency check [NAME-4206] - BIND version check via DNS [NAME-4210] - Default domain check (/etc/resolv.conf) [NAME-4016] - Search domains in /etc/resolv.conf check [NAME-4018] - Parse /etc/resolv.conf options [NAME-4020] - Solaris /etc/nodename check [NAME-4026] - DNS domain checks [NAME-4028] - NSCD status check [NAME-4032] - PowerDNS presence check [NAME-4230] - PowerDNS configuration file check [NAME-4232] - PowerDNS backend check [NAME-4236] - ypbind status check [NAME-4302] - Log specific defined SSH daemon options [SSH-7408] - SSH protocol version check [SSH-7414] - NIS domain checks [NAME-4304] - Check pending at jobs [SCHD-7724] - LVM volume group scan [FILE-6310] - LVM volumes check [FILE-6312] - Locate database check [FILE-6410] - nginx configuration file check [HTTP-6704] - Exim status check [MAIL-8802] - Postfix status check [MAIL-8814] Changes: - atd needs to run before testing at files [SCHD-7720] - Removed Solaris OS requirement from logrotate test [LOGG-2148] - Sanitized output from logrotate test [LOGG-2148] - Skip comment fields in loghost check [LOGG-2152] - Changed auditd tests to Linux only - Binary scan optimized and partially combined with other check - Only perform iptables tests if kernel module is active - Don't show message when /etc/shells can't be found [SHLL-6211] - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704] - Renumbered FreeBSD test SHLL-7225 [SHLL-6202] - Renumbered malware test MALW-3292 [HRDN-7230] - Improved grep on process status [PRNT-2304] - Ignore comment lines for nginx log file check [HTTP-6720] - Added file check for nginx log files [HTTP-6720] - Display IP addresses only of NTP tests [TIME-3124] - Fixed Postfix configuration directory path [MAIL-8816] - Redirected output of yum package duplicate check [PKGS-7384] - Ignore comment lines for lilo test [BOOT-5139] - Fixed incorrect iptables status and correct logging [FIRE-4511] - Check SNMP configuration only if SNMP daemon runs [SNMP-3304] - Don't scan PAM directories which are symlinks [AUTH-9268] - Changed hardening category to hardening_tools - Adjusted hardening points of several tests - Log and display improvements for several tests -- * 1.2.4 (2009-03-17) New: - NTP daemon process test [TIME-3108] - NTP association ID's check from peer list [TIME-3112] - NTP time source candidates test [TIME-3128] - NTP falseticker check [TIME-3132] - NTP protocol version check [TIME-3136] - Stratum 16 ntp peers check [TIME-3116] - Unreliable ntp peers check [TIME-3120] - Preferred NTP time source test [TIME-3124] - auditd presence check [ACCT-9628] - auditd rules check [ACCT-9630] - auditd configuration file check [ACCT-9632] - auditd log file location check [ACCT-9634] - cupsd status check [PRNT-2304] - cupsd configuration file check [PRNT-2306] - cupsd address configuration test [PRNT-2308] - pam.conf configuration check [AUTH-9264] - pam.d configuration file scan [AUTH-9266] - PAM modules check [AUTH-9268] - rpcinfo query [STRG-1902] - NFS version number check [STRG-1904] - NFS protocol and port number check [STRG-1906] - NFS status check [STRG-1920] - NFS exports check [STRG-1926] - NFS empty /etc/exports [STRG-1928] - SSH PermitRootLogin option check [SSH-7412] - at.allow and at.deny check [SCHD-7720] - File integrity tool check [FINT-4350] - nginx process check [HTTP-6702] - nginx log file test [HTTP-6720] - ClamAV clamscan presence test [MALW-3282] - ClamAV daemon check [MALW-3284] - ClamAV freshclam check [MALW-3286] - Check for presence malware scanner [MALW-3292] - clamscan, ntpq binary check - NTP daemon role and profile option - Parameter --tests-category, to scan one or more categories - Category added (Storage: NFS) - Added hardening points to tests - Display hardening index to report Changes: - Extended logrotate test [LOGG-2148] - Added check for inetd.conf before performing test [INSE-8016] - Added /var/spool/crontabs to search path [TIME-3104] - Added log line to sysstat test [ACCT-9626] - Improved screen output on Solaris - Checking for both rdate and ntpdate in cron files [TIME-3104] - Changed yum-security package check [PKGS-7386] - Change output if dig isn't available [NETW-2705] - Added IPv6 support and output adjustment [NETW-2704] - Cosmetic change for host based firewall check [FIRE-4590] - Corrected output in log file [PKGS-7388] - Corrected passwd options for Red Hat [AUTH-9282] - Changed text if everything is ok (no warnings) - Log improvements -- * 1.2.3 (2009-03-02) New: - Added syslog-NG daemon check [LOGG-2132] - Added klogd status test [LOGG-2138] - Added check to determine minilogd presence [LOGG-2142] - Added logrotate configuration test [LOGG-2146] - Added check for loghost entry on Solaris machines [LOGG-2152] - Added ipf test for Solaris [FIRE-4526] - Added uname -n test (Solaris) [NAME-4024] - Added ssh daemon configuration file check [SSH-7404] - Added BSD newsyslog.conf file check [LOGG-2160] - Added inetd status check [INSE-8002] - Added inetd.conf configuration check [INSE-8004] - Added check for inetd.conf when inetd is not active [INSE-8006] - Added telnet check via inetd [INSE-8016] - Added ACL check on root file system [FILE-6368] - Added check for firewall/packet filter on system [FIRE-4590] - Added lograte file check [LOGG-2148] - Added snmp daemon status test [SNMP-3302] - Added snmp configuration file test [SNMP-3304] - Added default snmp community strings test [SNMP-3306] - Added categories: Insecure services and SNMP - Added binary searches for awk, ipf Changes: - Changed profile name in default profile - Added path /usr/ucb to binary paths - Changed color to white if slapd is not running [LDAP-2219] - Changed test PKG-7345 into PKGS-7345 - Changed logging for several tests [PKGS-7302] [NETW-3004] - Extended FAQ - Changed default profile header Fixes: - Hostname detection under Solaris - Disabled tests PROC-3612 PROC3614 for Solaris machines - Disabled NTP check in cron.d directory on Solaris [TIME-3104] - Added result at line when querying system users [AUTH-9234] - Counters (N+1) fixed for some shells, like Solaris - Removed unneeded line for Solaris test [PROC-3604] - Disabled grsecurity test for Solaris [RBAC-6272] - Correct display of files with spaces [FILE-6354] - Changed several tests so they work correctly with Solaris -- * 1.2.2 (2009-02-15) New: - Support for MySQL client - New test: Test for empty MySQL root password [DBS-1816] - New test: SSH daemon status test [SSH-7402] - New test: sysstat account information [ACCT-9626] - New test: connections in WAIT state [NETW-3028] - Lynis displays a warning now, if current version is really outdated - New parameter option (log_tests_incorrect_os) to minimize logging Changes: - Several adjustments to default profile - Fixed option 'skip_test_always' to let it function properly - Fixed passwd check for SuSE systems [AUTH-9282] - Added error redirect for dpkg test [PKG-7345] - Improved NTP test and messages, excluded check when using xen [TIME-3104] - Extended DNS nameserver check with local resolver [NETW-2704] - Skip double nameserver check when a local resolver is found [NETW-2705] - Renamed tests_nameserver to tests_nameservices - Improved log output [AUTH-9218] Notes: - Custom profiles should be compared to the default profile, due small changes in the structure. -- * 1.2.1 (2008-09-05) New: - Added support for Samba - Added support for SELinux framework - New test: SELinux presence test [MACF-6232] - New test: SELinux status checks [MACF-6234] - New test: password PAM availability check [AUTH-9262] - New test: expire date check for accounts [AUTH-9282] - Added new option --tests, to run a small set of tests only Changes: - Report and logging messages improved - Output reduced when using --tests - Added suggestion to PHP expose_php option [PHP-2372] - Improved log message for PHP register_globals option [PHP-2368] - Added virtual host count to log file [HTTP-6626] - Improved Red Hat and clones detection and display - Fix: Improved promiscuous detection for Linux [NETW-3015] - Fix: AUTH-9204 test triggered on group ids as well - Fix: Only display unique MAC addresses [NETW-3006] - Extended Postfix test [MAIL-8818] - Don't show /proc/meminfo if not present [PROC-3602] - Don't show YABOOT information if not present [BOOT-5155] - Improved portaudit test (FreeBSD) [PKGS-7382] - Improved portsclean test (FreeBSD) [PKGS-7348] - Added --quiet and --tests options to help and man page -- * 1.2.0 (2008-08-26) New: - New test: Passwordless Solaris accounts test [AUTH-9254] - New test: AFICK file integrity [FINT-4310] - New test: AIDE file integrity [FINT-4314] - New test: Osiris file integrity [FINT-4318] - New test: Samhain file integrity [FINT-4322] - New test: Tripwire file integrity [FINT-4326] - New tests: NIS and NIS+ authentication test [AUTH-9240/42] - Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire Changes: - Changed text of grsecurity test [RBAC-6272] - Optimized FreeBSD boot services test [BOOT-5165] - Optimized UID 0 test [AUTH-9204] - Extended login shells test [AUTH-9218] - PID file message extended and small output improvement - A log entry will be written when PID files are removed - Added operating system name to log file when a test is skipped - Added file available check when using --view-manpage - Most program variables are initialized now for future additions -- * 1.1.9 (2008-08-09) New: - New test: AppArmor framework check [MACF-6204] - New test: FreeBSD boot loader test [BOOT-5124] - New test: PHP option register_globals [PHP-2368] - New test: Promiscuous network interfaces (Linux) [NETW-3015] - Report option 'bootloader' added to several tests - Added readlink binary check Changes: - Extended file check (IsWorldWritable) for symlinks - Show result if no default gateway is found [NETW-3001] - Added /usr/local/etc to sudoers test [AUTH-9250] - Improved FreeBSD banner output [BANN-7113] - Removed incorrect line at promiscuous interface test [NETW-3014] - Fix: Show only once the GRUB test output [BOOT-5121] - Fix: Typo in NTP test [TIME-3104] - Fix: Skip NTP test in /etc/cron.d if empty [TIME-3104] - Fix: Initialize values when performing an update check without connection - Fix: Solaris id function has been fixed - Disabled FreeBSD double packages tests, due minor issues [PKGS-7303] - Changed LDAP/MySQL running states [LDAP-2219] [DBS-1804] - Replaced ifconfig calls with IFCONFIGBINARY - Renamed tests_auditing to tests_mac_frameworks - Several tests improved with extended logging -- * 1.1.8 (2008-07-16) New: - Mac OS X support extended and new options added Changes: - Extended default profile - Improved several screen output lines - User ID check improved, so it works better with older Solaris versions - Hostname in output and reports will contain only host now, not FQDN - Added extra php.ini locations to tests_php - Replaced 'ps' in tests with PSBINARY value for better support - Added output to zones test [VIRT-1902] - Updated description [AUTH-9218] - Extended ntp daemon/ntpdate check [TIME-3104] - Added suggestion to bootable scripts check [BOOT_5184] - Bugfix and improvement for FreeBSD portsclean test [PKGS-7348] - Added Mac OS support to MAC address gathering test [NETW-3006] - Added MAC OS support to inet and inet6 addresses test [NETW-3008] - Extended PHP expose_php test to support additional options [PHP-2372] - Improved LDAP test so it skips correctly on Mac OS AUTH-9238] - Bugfix: MySQL status check gave incorrect output [DBS-1804] -- * 1.1.7 (2008-06-28) New: - New test: check for unused iptables rules [FIRE-4513] - New test: checking for dead and zombie processes [PROC-3612] - New test: checking for heavy IO waiting processes [PROC-3614] - Initial HP-UX support (untested) - Initial AIX support (untested) - Added iptables binary check - Added dig check, for DNS related tests - Added option --no-colors to remove all colors from screen output - Added option --reverse-colors for optimizing output at light backgrounds (Konsole, MacOS terminal etc) Changes: - Improved grpck test for SuSE [AUTH-9216] - Added dig availability check to DNS test [NETW-2704] - Bugfix: Fixed iptables test if the binary is not located in /sbin [FIRE-4512] - Bugfix: Improved yum-utils check to display suggestions correctly [PKGS-7384] - Bugfix: Fixed prequisits for grpck test [AUTH-9216] - Improved MySQL check [DBS-1804] - Changed color at chkconfig boot services test [BOOT-5177] - Added missing prequisits output to portaudit test [PKGS-7382] - Test output for FreeBSD mounts (UFS) improved [FILE-6329] - Extended OpenLDAP test to avoid finding itself in ps output [LDAP-2219] - Several tests have their warning reporting improved - Improved SuSE Linux detection - Improved syslog-ng detection - Adjusted README with link to online (extended) documentation -- * 1.1.6 (2008-06-19) New: - New test: Check writable startup scripts [BOOT-5184] - New test: Syslog-NG consistency check [LOGG-2134] - New test: Check yum-utils package and scanning package database [PKGS-7384] - New test: Test for empty ruleset when iptables is loaded [FIRE-4512] - New test: Check for expired SSL certificates [CRYP-7902] - New test: Check for LDAP authentication support [AUTH-9238] - New test: Read available crontab/cron files [SCHD-7704] - New test: Query Solaris running zones [VIRT-1902] - New test: Check availability sudoers file for future tests [AUTH-9250] - New test: Query all home directories from passwd file [HOME-9302] - Syslog-NG support added (binary and version check) - Added new sections: Scheduling, Time and Synchronization, Virtualization Changes: - Extended several tests with suggestions and warnings - Extended GRUB test with GRUB2 check [BOOT-5121] - Extended iptables firewall test [FIRE-4511] - Fixed incorrect variable at Linux kernel config display [KRNL-5728] - Fixed display for file system test [FILE-6023] - Reassigned some ID's to match others in category - Improvement of several logging sections and profile options - Assigned ID to Ubuntu security update check - Assigned ID to pwck test for Solaris [AUTH-9230] - Assigned ID to FreeBSD unused distfiles check [PKGS-7348] - Assigned ID to RPM package query test [PKGS-7308] - Assigned ID to /tmp sticky bit test [FILE-6362] - Assigned ID to old temporary files check [FILE-6354] - Assigned ID to passwd ID 0 test [AUTH-9204] - Assigned ID to FreeBSD swap partitions [FILE-6332] - Assigned ID to FreeBSD swap mount options [FILE-6336] - Assigned ID to nameserver tests [NETW-2704 and NETW-2705] - Assigned ID to pf consistency check [FIRE-4520] - Assigned ID to Postfix configuration check [MAIL-8816] - Assigned ID to Postfix banner check [MAIL-8818] - Assigned ID to FreeBSD promiscuous port test [NETW-3014] - Assigned ID to file permissions check [FILE-7524] -- * 1.1.5 (2008-06-10) New: - Assigned ID to Apache configuration file test [HTTP-6624] - Added pause_between_tests to profile file, to regulate the speed of a scan - Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345] - Assigned ID to Solaris package test [PKG-7306] - New test: which gathers virtual hosts from Apache configuration files [HTTP-6626] - New test: read all loaded kernel modules (Linux) [KRNL-5726] - New test: query available FreeBSD network interfaces [NETW-3004] - New test: query available IPv4 and IPv6 network addresses [NETW-3008] - New test: for MAC addresses [NETW-3006] - New test: check if a Linux kernel configuration file is available [KRNL-5728] - New test: check boot services for Debian/Ubuntu [BOOT-5180] - Added Lynx, Nmap, Wget version to log file - Added support for Oracle enterprise Linux (Unbreakable Linux) - Added new function ReportWarning for better logging to report file Changes: - Improved FreeBSD pkg_info output, logging output and report data [PKG-7302] - Changed shell history file test, searching files with maxdepth 1 [HOME-9310] - Extended iptables test, to check Linux kernel configuration file [FIRE-4511] - Added report warning to promicuous test [NETW-3014] - Fixed yellow color when being used at text display - Several logging improvements and cleanups -- * 1.1.4 (2008-05-31) New: - Added option to disable Lynis upgrade availability test (profile option) - Added new option --check-update, to display (update) information - Added stub for malware and file permissions database - New section 'LDAP Services' - Support for OpenLDAP added - Place holders for new tests are added - Default profile extended - [FILE-6023] Added test for Linux ext2, ext3, ext4 file systems - [BOOT-5155] Added check for YABOOT boot loader Changes: - [BANN-7119] Improved MOTD banner check - Improved Apache tests for SuSE and Debian systems - Debian/Ubuntu file tests improved - Extended man page -- * 1.1.3 (2008-05-21) New: - Added security updates check for Fedora, RHEL 5.x, CentOS 5.x - Added Linux kernel version check - Most stable tests have an unique ID now - Skipped tests have their reason to skip logged - Added /etc/lynis/plugins to searchable plugin directory targets - Added Register() function, to handle tests, prerequisites and counter - Added new crypto tests - Added profile option "test_skip_always" to blacklist a specific test Changes: - Extended default profile location for FreeBSD - Extended accounting test to include pacct as well - Improved tests from categories: shells - Disabled skel tests - Several tests log their warnings into the report file now - Changed Linux default runlevel test - Extended man page Fixes: - Auditor name didn't get logged properly to report file. - Changed Debian/Ubuntu kernel update test, so it won't be tested on others - Exim test failed, due to using an incorrect variable name -- * 1.1.2 (2008-05-11) New: - Added memory test for Solaris (tested on OpenSolaris) - Password file consistency check for Solaris - 32/64 bits OS mode check for Solaris - Added Slackware detection - Plugin support (see documentation) - Added monolithic/modular test for Linux kernels Changes: - Improved LILO test and removed double message - Fixed incorrect message when using --help parameter - Improved portaudit test (FreeBSD) to show unique packages only - Updated man page, FAQ, extended documention with plugin information - Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE) ** Special release notes [package/ports]: ** - Added several default paths to check for usuable an INCLUDE directory. This should make packaging Lynis easier for downstream package providers. - When no profile is set, Lynis will check first /etc/lynis/default.prf, before setting default.prf (in current work directory) as profile to use. - New directory added to be installed for future versions: plugins -- * 1.1.1 (2008-04-13) New: - Added Solaris package manager (pkginfo) to obtain installed packages - Added new option to profile to whitelist promiscuous interfaces (if_promisc) - Added vulnerable packages check for Debian/Ubuntu - Added package database consistency check for Debian/Ubuntu Changes: - Only perform boot.conf check for OpenBSD when running on i386 - Changed RemovePIDFile to prevent incorrect file presence check (ie on OpenBSD) - Better OS detection and display output for Ubuntu systems - Improved text alignment (display) and logging - Commented out some of the default profile options - Updated FAQ, readme, man page Bug fixes: - Added missing space at OS detection function - Fixed /etc/group tests to ignore commented lines - Fixed sticky bit checking on /tmp, so it won't give incorrect results on SuSE/Debian systems -- * 1.1.0 (2008-04-09) New: - Added test: default gateway (Linux/BSD) - Added boot tasks to report file (boottask) - Added vulnerable packages to report file (vulnerable_package) Changes: - Fixed some typos - Several improvements in log output - Changed display of operating system version (Linux) - Fixed PHP check -- * 1.0.9 (2008-03-24) New: - Added --quiet option (currently not 100% quiet yet) - Added a spec file to the project page (see web site) - Added small INSTALL document Changes: - Changed check for PHP (php.ini location) - Added available shells from /etc/shells to report file - Updated man page - Fixed option in main help window for --man option - Code improvement, splitting up sections to seperated files -- * 1.0.8 (2008-02-10) New: - Added pf filter rule test - Added our PID to PID file - Added warnings, real users, mount points, total tests to report file Changes: - Changed Apache configuration file test - Changed old temporary files check - Changed test to include ubuntu security repository - Moved UID check to avoid PID creation as non root user - Moved most functions to seperated files and several code cleanups - Improved logging output - Extended FreeBSD (Copyright file) test - Changed indentation for many tests - Changed some typos in notice/warning messages -- * 1.0.7 (2008-01-28) New: - Test: UFS mount point check (FreeBSD) - Test: Check swap partitions (FreeBSD) - Test: find old files in /tmp - Test: check presence iptables - Test: check CPU PAE/NX support (Linux) - Added profile options check - Added option to skip Debian security repository check (profile option) - Support for Red Hat and CentOS Changes: - Changed report log location to /var/log instead of current work directory - Changed --help (and -h) to display general help, instead of man page - Renamed -man option to --man - Extended profile file (see default.prf) - Cleaned up code (rewritten several parts of static code to dynamic functions) - Added more comments to the program, for curious auditors, developers and users. Also regrouped parts of text and cleaned useless white spaces. - General program output improved (spaces, indentation) - Logging extended - Updated lynis.spec file (contrib) - FAQ and README files extended and updated Bugfixes: - Changed postfix banner check (thanks to Henk Bokhoven for reporting) - Extended skel directory test, with -A (ls) option to check hidden files (used with most Linux variants) Development: - Added new mirror - Updated year number in program and support files - Added new function Display, to use indentation within lines - Added function RemovePIDFile before some exit routines, to clean up PID file - Extracted profile support, parameter support to seperated files - Created file tests_ports_packages for Ports and Packages - Deleted lynis.spec file, since it was not working and will be rewritten later -- * 1.0.6 (2007-12-26) New: - Added Solaris real users test - Added hostname check Changes: - Added chkconfig binary test and changed related services test - Added 'xargs' to version checks, to replace unwanted chars - Added more breaks to log file. - Added sorting to rpm/dpkg listings - FAQ extended -- * 1.0.5 (2007-12-02) New: - Test: unique group names - Test: unique group IDs - Added check for rpm, chkrootkit and rkhunter binary - Added function to cleanup at manual interrupt (INT) - Support added to run Lynis as cronjob (--cronjob) - Fedora support added - Added umask 027, to tighten up file permissions Changes: - Changed FreeBSD ttys test - Changed grpck test, to operate in read-only mode - Changed Postfix test, to check for mail_name value as well - Changed GPL line in script which said GPL v2 - Extended README - Show latest update version, if available, at the end of the screen output - Lots of code cleanup (see Development) - Some log improvements - Changed date notation in changelog to preferred European format (with dots instead of slashes) Development: - New function (ShowResult) to avoid repeating the same result line within the script for standard status values - Moved program consts to file (include/consts) - Moved functions to file (include/functions) - Moved OS detection to file (include/osdetection) - Added NEVERBREAK to avoid user input (cronjob support) -- * 1.0.4 (2007-11-27) New: - Test: query real system users (FreeBSD/Linux) - Added PID file usage, to warn for unclean program states. - Added SSHd version test Changes: - Updated documentation - Changed sticky bit test (/tmp), to skip symlinks - Changed /etc/motd test, to skip symlinks - More code cleanup - Logging extended and improved - Screen output slightly changed -- * 1.0.3 (2007-11-19) New: - Added check for sockstat - Test: added test for GRUB and password option - Test: query listening ports (sockstat) Changes: - Fixed NTPd check (bug) - Extended help for 'double installed package' check (BSD systems, pkg_info) - Extended Debian kernel update check - Improved OpenBSD support - Improved Linux specific detection support (Cobalt, CPU Builders, Debian, E-Smith, Slackware, SuSE/OpenSuSE, Turbo Linux, Yellowdog and others) - Improved screen output - Extended logging, with status/impact flags - [Bugfix] chkconfig test improved - [Bugfix] Fixed sticky bit test at Debian - Extended documentation and changelog file -- * 1.0.2 (2007-11-15) New: - Test: Added check for NTP daemon or client - Test: file permissions (profile option) - Added -Q (--quick) parameter, to run the program without needing user input after every few sections. Changes: - Extended documentation (README file) and performed spell check - Improved screen output (colors, parameter handling and display) - Cleaned up source code and fixed some bad typos - Added much more delimiter lines to logfile - Added version numbers to logfile for used binaries/tools - Updated list of parameters within Lynis help -- * 1.0.1 (2007-11-12) New: - Test: check Exim configuration file location - Test: added memory check (/proc/meminfo) - Test: run grpck to check group files (if available) - Test: boot option check for OpenBSD boot loader - Test: check if pf (Software: firewall) is active - Test: check LILO password - Test: check presence of old distfiles (FreeBSD) - Added check for binaries: httpd, kldstat, openssl, (s)locate - Added version check for: exim, openssl - Added -V (--version) parameter, to show version number - Added breaks between tests Changes: - [bug] Changed skel directory check - Fixed display Apache configuration file -- * 1.0.0 (2007-11-08) New: - Support for CentOS (Tested: 5 Final) - Support for Debian (Tested: 4.0) - Support for FreeBSD (Tested: 6.2) - Support for Mac OS X (Tested: 10.4) - Test: Apache (ServerTokens option) - Test: PHP (expose_php option) - Test: Postfix (smtpd_banner option) - Test: check valid shells - Test: query pkg_info/RPM based systems - Test: query pkg_info for double installed packages - Test: query chkprintcap (FreeBSD) - Test: scan binary directories - Test: check administrator accounts - Test: check permissions /etc/motd - Test: read nameservers from /etc/resolv.conf - Test: query nameservers and test connectivity - Test: check promiscuous interfaces (FreeBSD) - Test: check sticky bit on /tmp directory - Test: check debian.org security brance in /etc/apt/sources.list - Test: check kernel update on Debian - Test: query default Linux run level - Test: query chkconfig to see which services start at boot - Test /etc/COPYRIGHT banner check for FreeBSD - Support for program parameters - Builtin integrity checks - Color enhanced output for readability - Support for profiles/templates - Report file creation (for reporting/monitoring) - Extended logfile creation (with system suggestions) - Added lynis.spec file for RPM creation - Created project page at website - Added documentation (README), ToDo list (TODO) - Man page lynis(8) Changes: - No changes Bugfixes: - No bugfixes ================================================================================ Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com lynis/CONTRIBUTIONS.md0000640000000000000000000000244512551517721013305 0ustar rootroot# Contributions ## Pull Requests Contributions to the Lynis project should be submitted as a pull request. The upstream project can be found in our [GitHub repository](https://github.com/CISOfy/lynis). By submitting a [Pull Request](https://help.github.com/articles/using-pull-requests/) to this repository, you agree that you: 1. Own the contribution that you are providing or have obtained permission from the contribution owner 2. Allow your contribution to be licensed under the license of the target project (GPLv3) 3. Allow your contribution to be freely distributed to the Lynis community 4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution ## Unlimited Rights Our project is licensed under GPLv3. By providing a contribution to the project, it will be used for the purpose of the project. Unlimited rights includes the rights to use, modify, reproduce, release, perform, display, or disclose computer software or computer software documentation in whole or in part, in any manner and for any purpose whatsoever, and to have or authorize others to do so. If you want to be named in as a contributor in the CONTRIBUTOR file, then include this notition in your pull request. Preferred format: Full Name, with optional the company name and/or your e-mail address). lynis/CONTRIBUTORS0000644000000000000000000000167112553722136012605 0ustar rootroot ================================================================================ Lynis - CONTRIBUTORS ================================================================================ The Lynis project is very thankful for the following individuals who contributed to the project. ================================================================================ Want to contribute as well? Here are some suggestions: - New tests for your favorite daemons - Report (unexpected) screen errors - Missing results - Check for grammar issues [+] Patches, bug fixes and suggestions ------------------------------------------ Brian Ginsbach C.J. Adams-Collier, US Charlie Heselton, US Dave Vehrs Mikko Lehtisalo, Finland Steve Bosek, France Thomas Siebel, Germany ================================================================================ Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com lynis/FAQ0000644000000000000000000001027712553722471011263 0ustar rootroot ================================================================================ Lynis - Frequently Asked Questions ================================================================================ Author: Michael Boelen (michael.boelen@cisofy.com) Description: Security and system auditing tool Web site: https://cisofy.com/lynis/ GitHub: https://github.com/CISOfy/lynis Support address: lynis-dev@cisofy.com Development: May 2007 - Now Support: See README file and https://cisofy.com/support/ Documentation: See web site, README, FAQ and CHANGELOG file ================================================================================ [+] General ------------------------------- Q: I don't understand the program (output), what to do? A: Keep reading this FAQ. Also useful are the README file and the log file (default: /var/log/lynis.log). Or check out the documentation on the website: https://cisofy.com/support/ Q: I can't find any configuration file for Lynis, where is it? A: There isn't one (currently), since all options are available as command parameters. Specific options to control the audit/security scan can be set or adjusted by changing the 'profile' file you are using (don't use default.prf for your own custom options, but make a copy of it). Q: Why is there no port/package for my operating system? A: Because there is no maintainer for it yet. If you have the time to keep the port/package current for your preferred operating system, let us know. Q: What to do with the report files? A: The output could be used for monitoring (baseline checks). For users of the Lynis Enterprise Suite, they will be used to upload data. [+] Bugs or issues ------------------------------- Q: Where can I report an issue or bug? A: GitHub, or use the developer e-mail address lynis-dev@cisofy.com [+] Usage problems ------------------------------- Q: Lynis hangs while testing the group files (grpck) A: Run the grpck command manually. It will most likely need user input, to repair incorrect groups. Q: Lynis doesn't display all messages on a white background A: White text is used for general (and important) messages. Most terminals have a dark background, so it gives extra attention to the message. However if you have a white background (for example Mac OS X), you can run Lynis with --no-colors to strip colors or --reverse-colors to reverse the color scheme. Another option is to change your terminal colors within Mac OS. Q: Some tests take very long to finish, what to do? A: Use a second console (or connection) and check the output of ps/lsof etc, to see the status of the active subroutine. If a specific test hangs for a very long time, try to kill that specific process (ie grpck) and see if Lynis continues. Afterwards, run the command manually to see the cause. Check the log file for additional information, when possible. Q: When running Lynis, it shows me the usage help even while using correct parameters, why? A: This can happen with alternative shells. Try using a different shell to invoke Lynis (example: bash lynis -c). Q: One or more tests are giving incorrect output. How to solve that? A: Check the log file. If that also has incorrect data, let us know via GitHub or the developer e-mail address. Q: The program takes long to complete and also uses too much resources. Can it be tuned? A: The time it takes to complete depends on the amount of tests to run. However the resources it take can be slighty lowered by increasing the pause_between_tests profile option. Keep in mind this increases the total length of the scan to complete. [+] Network related issues ------------------------------- Q: Lynis reports promiscuous interfaces, but they are needed for normal operation, how can I hide this warning? A: Whitelist the interface in the profile file (if_promisc). ================================================================================ Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com lynis/INSTALL0000644000000000000000000000256412451752727011766 0ustar rootroot ================================================================================ Lynis - Installation instructions ================================================================================ Author: Michael Boelen (michael.boelen@cisofy.com) Description: Security and system auditing tool Web site: https://cisofy.com Support: See 'Support' and https://cisofy.com/support/ Documentation: See web site, README, FAQ and CHANGELOG file ================================================================================ [+] Run directly ------------------------------- Lynis can be executed directly (unpack tarball, enter lynis directory). # sh lynis or # ./lynis Root privileges are preferred for full audit. [+] Installation ------------------------------- If you want to install Lynis, see the README file (section: Installation) for more tips about how to install or create a custom package. [+] Documentation ------------------------------- Documentation about Lynis can be found in the man page (man lynis, or lynis --man-page), README file and website. Also the FAQ file covers some often asked questions. ================================================================================ Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com lynis/LICENSE0000644000000000000000000010451212414502061011715 0ustar rootroot GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: Copyright (C) This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see . The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read . lynis/README0000644000000000000000000001060312553722606011602 0ustar rootroot ================================================================================ Lynis - README ================================================================================ Author: Michael Boelen (michael.boelen@cisofy.com), CISOfy Description: Security and system auditing tool Web site: https://cisofy.com/lynis/ Development: May 2007 - Now Support policy: See section 'Support' Documentation: See web site, README, FAQ and CHANGELOG file ================================================================================ *** NOTE *** The website contains the latest documentation See https://cisofy.com/documentation/lynis/ [+] Introduction ------------------------------- Lynis is an auditing tool which tests and gathers (security) information from Unix based systems. The audience for this tool are security and system auditors, network specialists and system maintainers. Some of the (future) features and usage options: - System and security audit checks - Compliance testing - File integrity monitoring - System and file forensics - Usage of templates/baselines (reporting and monitoring) - Extended debugging features Everyone is free to use Lynis under the conditions of the GPL v3 license (see LICENSE file). ======================== Quick facts ======================== - Name: Lynis - Type: audit, security, hardening, forensics tool - License: GPL v3 - Language: Shell script - Author: Michael Boelen, CISOfy - Web site: https://cisofy.com - Required permissions: root preferred, not needed - Other requirements: write access to /tmp [+] Installation ------------------------------- Lynis doesn't have to be installed, so it can be used directly from a (removable) disk. If you want the program to be installed, use one of the following methods: - Create a custom directory (ie. /usr/local/lynis) and unpack the tarball (tar xfvz lynis-version.tar.gz) into this directory. - Create a RPM package by using the lynis.spec file (see web site) run 'rpmbuild -ta lynis-version.tar.gz' (= build RPM package) run 'rpm -ivh ' (= install RPM package) See online documentation for detailed instructions. [+] Supported systems ------------------------------- Since the complexity of auditing different systems and platforms, Lynis is developed on BSD and Linux. This tool is tested or confirmed to work with at least: AIX, Linux, FreeBSD, OpenBSD, Mac OS X, Solaris. See website for the full list of tested operating systems. [+] Usage ------------------------------- See online documentation for more information about using Lynis. [+] Development and Bugs ------------------------------- If you have input to improve Lynis, let us know via: * GitHub - https://github.com/CISOfy/lynis * E-mail - lynis-dev@cisofy.com Contributions are appreciated and can be done via GitHub. See CONTRIBUTIONS.md for more information about how to submit them. [+] Support ------------------------------- Lynis is tested on the most common operating systems. The documentation (README, FAQ) and the debugging information in the log file should cover most questions and problems. Bugs can be reported via GitHub, or sending an e-mail to the lynis-dev address above. Commercial support is available and provided by CISOfy. For more information use the contact address on https://cisofy.com/contact/. [+] Upgrade to Lynis Enterprise ------------------------------- Individuals and companies which use this software for more than 10 systems, should think about the value of this tool in their job. To support ongoing development on this tool we have a commercial version available. Lynis Enterprise Suite uses Lynis to audit systems, but also provides malware scanning, intrusion detection and has additional guidance. For all features, please see our website: https://cisofy.com/lynis-enterprise/ [+] Thanks ------------------------------- Thanks to the community for using and supporting open source software. Many comments, bugs/patches and questions are the key to success and ongoing motivation in developing tools like this. ================================================================================ Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com lynis/db/0000755000000000000000000000000012364412554011305 5ustar rootrootlynis/db/integrity.db0000644000000000000000000000007412364412554013633 0ustar rootroot#version=2008062800 #binary:string:|NOT: ifconfig:PROMISC:: lynis/db/sbl.db0000644000000000000000000000003512364412554012372 0ustar rootroot#version=2008052800 php:5.2.5lynis/db/fileperms.db0000644000000000000000000000071412364412554013604 0ustar rootroot#version=2008053000 # # Field definitions # =============================== # 1) file | dir # 2) file name # 3) file permissions # 4) file owner # 5) file group owner # 6) operating system, or systems # 7) operating system special # 8) # #================================================== file:/etc/group:644:root:root:Linux: file:/etc/gshadow:400:root:root:Linux: file:/etc/passwd:644:root:root:Linux: file:/etc/shadow:400:root:root:Linux: lynis/db/malware-susp.db0000644000000000000000000000006512364412554014235 0ustar rootroot#version=2009101500 vuln.txt::: crack*::: exploit*:::lynis/db/malware.db0000644000000000000000000000262112364412554013245 0ustar rootroot#version=2008062700 /bin/.log:::Apache worm::: /bin/.login:::Login backdoor::: /tmp/.../r:::W55808A::: /tmp/.../a:::W55808A::: /usr/share/.aPa:::APAKIT /usr/lib/.ark?:::ARK::: /dev/ptyxx/.log:::ARK::: /dev/ptyxx/.file:::ARK::: /usr/sbin/arobia:::Beastkit::: /usr/sbin/idrun:::Beastkit::: /usr/lib/elm/arobia/elm:::Beastkit::: /usr/lib/elm/arobia/elm/hk:::Beastkit::: /usr/lib/elm/arobia/elm/hk.pub:::Beastkit::: /usr/lib/elm/arobia/elm/sc:::Beastkit::: /usr/lib/elm/arobia/elm/sd.pp:::Beastkit::: /usr/lib/elm/arobia/elm/sdco:::Beastkit::: /usr/lib/elm/arobia/elm/srsd:::Beastkit::: /tmp/.cinik:::Cinik::: /dev/mdev:::Dannyboy::: /usr/lib/libX.a:::Dannyboy::: /usr/bin/duarawkz/loginpass:::Duarawkz::: /dev/dev/gaskit/sshd/sshdd:::Gaskit::: /proc/knark/pids:::Knark::: /var/lock/subsys/...datafile.../...datafile.../in.smbd.log:::Ohhara::: /dev/.oz/.nap/rkit/terror:::Oz::: /usr/man/man5/..%%/.dir/scannah/asus:::Shutdown::: /usr/man/man5/..%%/.dir/see:::Shutdown::: /usr/man/man5/..%%/.dir/nscd:::Shutdown::: /usr/man/man5/..%%/.dir/alpd:::Shutdown::: /etc/rc.d/rc.local%%:::Shutdown::: /tmp/.a:::Scalper::: /tmp/.uua:::Scalper::: /tmp/.bugtraq:::Slapper::: /tmp/.uubugtraq:::Slapper::: /tmp/.bugtraq.c:::Slapper::: /tmp/httpd:::Slapper::: /tmp/.unlock:::Slapper::: /tmp/update:::Slapper::: /tmp/.cinik:::Slapper::: /tmp/.b:::Slapper::: /usr/man/.sman/sk:::Superkit::: /usr/lib/.tbd:::TBD::: /sbin/.login:::Login backdoor:::lynis/db/hints.db0000644000000000000000000000017012364412554012737 0ustar rootroot#version=20091015 100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.:lynis/default.prf0000644000000000000000000003104212542752726013063 0ustar rootroot################################################################################# # # Lynis - Scan Profile (default) # # This is the default profile and contains default values. You are encouraged to # copy this file and use it's base for custom audit profiles. # # All empty lines or with the # prefix will be skipped # # More information about this plugin can be found in the documentation: # https://cisofy.com/documentation/lynis/ # ################################################################################# [configuration] # Profile name, will be used as title/description config:profile_name:Default Audit Template: # Number of seconds to pause between every test (0 is no pause) config:pause_between_tests:0: # Show inline tips about the tool config:show_tool_tips:1: ################################################################################# # # Testing options # --------------- # ################################################################################# # ** Scan type ** # # Description: How deep the audit should be # Values: light, normal or full (default) # # config:test_scan_mode:full: # ** Skip one or more specific tests ** # (always ignores scan mode and will make sure the test is skipped) # # config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012: # ** Define machine role ** # # Description: defines the role of the system # Values: desktop, server (default) # #config:machine_role:server: ################################################################################# # # Plugins # --------------- # Define which plugins are enabled # # Notes: # - Nothing happens if plugin isn't available # - There is no order in execution of plugins # - See documentation about how to use plugins and phases # ################################################################################# # Lynis Plugins (some are for Lynis Enterprise users only) plugin=compliance plugin=configuration plugin=control-panels plugin=crypto plugin=dns plugin=docker plugin=file-integrity plugin=file-systems plugin=firewalls plugin=forensics plugin=intrusion-detection plugin=intrusion-prevention plugin=kernel plugin=malware plugin=memory plugin=nginx plugin=processes plugin=security-modules plugin=software plugin=system-integrity plugin=systemd plugin=users ################################################################################# # # Kernel options # --------------- # sysctl::::: # # Sysctl key = name # Expected value = value of sysctl key # Hardening points = Number of hardening points. For most keys 1 HP will be suitable # Description = Text description of key # ################################################################################# [processes] #sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value: sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups: sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users: [kernel] sysctl:kern.sugid_coredump:0:1:XXX: sysctl:kernel.core_setuid_ok:0:1:XXX: sysctl:kernel.core_uses_pid:1:1:XXX: sysctl:kernel.ctrl-alt-del:0:1:XXX: sysctl:kernel.exec-shield-randomize:1:1:XXX: sysctl:kernel.exec-shield:1:1:XXX: sysctl:kernel.kptr_restrict:1:1:Restrict access to kernel symbols: sysctl:kernel.sysrq:0:1:Disable magic SysRQ: sysctl:kernel.use-nx:0:1:XXX: [network] sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address: sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic: sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic: sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects: sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets: sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing: sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source: sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing: sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets: sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets: sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source: sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address: sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore #sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic: sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack: sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps: sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects: sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: [security] #sysctl:kern.securelevel:1^2^3:1:FreeBSD security level: #security.jail.jailed: 0 #security.jail.jail_max_af_ips: 255 #security.jail.mount_allowed: 0 #security.jail.chflags_allowed: 0 #security.jail.allow_raw_sockets: 0 #security.jail.enforce_statfs: 2 #security.jail.sysvipc_allowed: 0 #security.jail.socket_unixiproute_only: 1 #security.jail.set_hostname_allowed: 1 #security.bsd.suser_enabled: 1 #security.bsd.unprivileged_proc_debug: 1 #security.bsd.conservative_signals: 1 #security.bsd.unprivileged_read_msgbuf: 1 #security.bsd.hardlink_check_gid: 0 #security.bsd.hardlink_check_uid: 0 #security.bsd.unprivileged_get_quota: 0 ################################################################################# # # Apache options # columns: (1)apache : (2)option : (3)value # ################################################################################# apache:ServerTokens:Prod: ################################################################################# # # OpenLDAP options # columns: (1)openldap : (2)file : (3)option : (4)expected value(s) # ################################################################################# openldap:slapd.conf:permissions:640-600: openldap:slapd.conf:owner:ldap-root: ################################################################################# # # SSL certificates # ################################################################################# # Locations where to search for SSL certificates ssl:certificates:/etc/pki /etc/ssl /usr/local/share/ca-certificates /var/www /srv/www: ################################################################################# # # NTP options # ################################################################################# # Ignore some stratum 16 hosts (for example when running as time source itself) #ntp:ignore_stratum_16_peer:127.0.0.1: #ntp:ignore_stratum_16_peer:1.2.3.4: ################################################################################# # # File/directories permissions (currently not used yet) # ################################################################################# # Scan for exact file name match #[scanfiles] #scanfile:/etc/rc.conf:FreeBSD configuration: # Scan for exact directory name match #[scandirs] #scandir:/etc:/etc directory: ################################################################################# # # permfile # --------------- # permfile:file name:file permissions:owner:group:action: # Action = NOTICE or WARN # Examples: # permfile:/etc/test1.dat:600:root:wheel:NOTICE: # permfile:/etc/test1.dat:640:root:-:WARN: # ################################################################################# #permfile:/etc/inetd.conf:rw-------:root:-:WARN: #permfile:/etc/fstab:rw-r--r--:root:-:WARN: permfile:/etc/lilo.conf:rw-------:root:-:WARN: ################################################################################# # # permdir # --------------- # permdir:directory name:file permissions:owner:group:action when permissions are different: # ################################################################################# permdir:/root/.ssh:rwx------:root:-:WARN: # Scan for a program/binary in BINPATHs #scanbinary:Rootkit Hunter:rkhunter: ################################################################################# # # Audit customizing # ----------------- # # Most options can contain 'yes' or 'no'. # ################################################################################# # Amount of connections in WAIT state before reporting it as a suggestion #config:connections_max_wait_state:5000: # Skip security repository check for Debian based systems #config:debian_skip_security_repository:yes: # Debug mode (for debugging purposes, extra data logged to screen) #config:debug:yes: # Skip the FreeBSD portaudit test #config:freebsd_skip_portaudit:yes: # Ignore some specific home directories # One directory per line; directories will be skipped for home directory specific # checks, like file permissions, SSH and other configuration files #config:ignore_home_dir:/home/user: # Do not log tests with another guest operating system (default: yes) #config:log_tests_incorrect_os:no: # Define if available NTP daemon is configured as a server or client on the network # values: server or client (default: client) #config:ntpd_role:client: # Allow promiscuous interfaces #