File lynis-1.2.9_suse.diff of Package lynis

diff -EruN lynis-1.2.9/db/dbus-whitelist.db lynis-1.2.9_suse/db/dbus-whitelist.db
--- lynis-1.2.9/db/dbus-whitelist.db	1970-01-01 01:00:00.000000000 +0100
+++ lynis-1.2.9_suse/db/dbus-whitelist.db	2010-08-31 13:54:17.111659655 +0200
@@ -0,0 +1,51 @@
+avahi-dbus.conf
+backup-manager.conf
+bluetooth.conf
+cnetworkmanager.conf
+com.google.code.BackupManager.service
+com.novell.Pkcs11Monitor.conf
+ConsoleKit.conf
+cups.conf
+fi.epitest.hostap.WPASupplicant.service
+galago-daemon.conf
+gdm.conf
+hal.conf
+kerneloops.dbus
+knetworkmanager.conf
+NetworkManager.conf
+newprinternotification.conf
+nm-applet.conf
+nm-avahi-autoipd.conf
+nm-dhcp-client.conf
+nm-dispatcher.conf
+nm-novellvpn-service.conf
+nm-openvpn-service.conf
+nm-pptp-service.conf
+nm-system-settings.conf
+nm-vpnc-service.conf
+org.bluez.service
+org.freedesktop.ConsoleKit.service
+org.freedesktop.ModemManager.conf
+org.freedesktop.ModemManager.service
+org.freedesktop.NetworkManagerSystemSettings.service
+org.freedesktop.nm_dispatcher.service
+org.freedesktop.PackageKit.conf
+org.freedesktop.PackageKit.service
+org.freedesktop.PolicyKit.conf
+org.freedesktop.PolicyKit.service
+org.gnome.ClockApplet.Mechanism.conf
+org.gnome.ClockApplet.Mechanism.service
+org.gnome.GConf.Defaults.conf
+org.gnome.GConf.Defaults.service
+org.opensuse.BackupManager.service
+org.opensuse.CupsPkHelper.Mechanism.conf
+org.opensuse.CupsPkHelper.Mechanism.service
+org.opensuse.yast.SCR.conf
+org.opensuse.yast.SCR.service
+pommed.conf
+powersave.conf
+system.d
+upsd.conf
+wpa_supplicant.conf
+xorg-server.conf
+yum-updatesd.conf
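Review bot: The entries `kerneloops.dbus` and `system.d` can never match a basename that the SYSTEM-1000 test compares, because that test only globs `*.service` and `*.conf`. They still count towards `HPMAX`, which the test derives from `wc -l` on this file, so the hardening score is skewed by entries that cannot be hit. Drop the two lines, or widen the glob in the test if `.dbus` files and the `system.d` directory are meant to be covered. A comment header saying which distribution release this list was generated from would help whoever has to audit the allow-list later.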
diff -EruN lynis-1.2.9/db/fileperms.db lynis-1.2.9_suse/db/fileperms.db
--- lynis-1.2.9/db/fileperms.db	2008-05-31 13:23:24.000000000 +0200
+++ lynis-1.2.9_suse/db/fileperms.db	2010-08-30 18:23:26.048115772 +0200
@@ -1,19 +1,214 @@
-#version=2008053000
-#
-# Field definitions
-# ===============================
-#  1)  file | dir
-#  2)  file name
-#  3)  file permissions
-#  4)  file owner
-#  5)  file group owner
-#  6)  operating system, or systems
-#  7)  operating system special
-#  8)  
-#
-#==================================================
-file:/etc/group:644:root:root:Linux:
-file:/etc/gshadow:400:root:root:Linux:
-file:/etc/passwd:644:root:root:Linux:
-file:/etc/shadow:400:root:root:Linux:
-
+file:/var/lib/xemacs/lock/:1777:root:root:Linux:
+file:/var/run/uscreens/:1777:root:root:Linux:
+file:/etc/crontab:44:root:root:Linux:
+file:/etc/exports:644:root:root:Linux:
+file:/etc/fstab:644:root:root:Linux:
+file:/etc/ftpaccess:644:root:root:Linux:
+file:/etc/ftpusers:644:root:root:Linux:
+file:/etc/inetd.conf:644:root:root:Linux:
+file:/etc/inittab:644:root:root:Linux:
+file:/etc/mtab:644:root:root:Linux:
+file:/etc/rmtab:644:root:root:Linux:
+file:/var/lib/nfs/rmtab:644:root:root:Linux:
+file:/etc/syslog.conf:644:root:root:Linux:
+file:/bin/su:4755:root:root:Linux:
+file:/usr/bin/at:4755:root:trusted:Linux:
+file:/usr/bin/crontab:4755:root:trusted:Linux:
+file:/usr/bin/gpasswd:4755:root:shadow:Linux:
+file:/usr/bin/newgrp:4755:root:root:Linux:
+file:/usr/bin/passwd:4755:root:shadow:Linux:
+file:/usr/bin/chfn:4755:root:shadow:Linux:
+file:/usr/bin/chage:4755:root:shadow:Linux:
+file:/usr/bin/chsh:4755:root:shadow:Linux:
+file:/usr/bin/expiry:4755:root:shadow:Linux:
+file:/usr/bin/sudo:4755:root:root:Linux:
+file:/usr/sbin/su-wrapper:4755:root:root:Linux:
+file:/usr/bin/opiepasswd:4755:root:root:Linux:
+file:/usr/bin/opiesu:4755:root:root:Linux:
+file:/usr/bin/ncpmount:4750:root:trusted:Linux:
+file:/usr/bin/ncpumount:4750:root:trusted:Linux:
+file:/sbin/mount.nfs:4755:root:root:Linux:
+file:/bin/mount:4755:root:root:Linux:
+file:/bin/umount:4755:root:root:Linux:
+file:/bin/eject:4755:root:audio:Linux:
+file:/usr/bin/fusermount:4755:root:trusted:Linux:
+file:/usr/lib/majordomo/wrapper:4755:root:daemon:Linux:
+file:/usr/lib/pt_chown:4755:root:root:Linux:
+file:/usr/lib64/pt_chown:4755:root:root:Linux:
+file:/sbin/unix_chkpwd:4755:root:shadow:Linux:
+file:/sbin/unix2_chkpwd:4755:root:shadow:Linux:
+file:/usr/sbin/popauth:4755:pop:trusted:Linux:
+file:/usr/sbin/pam_auth:4755:root:shadow:Linux:
+file:/usr/lib/vte/gnome-pty-helper:2755:root:tty:Linux:
+file:/usr/src/packages/SOURCES/:1777:root:root:Linux:
+file:/usr/src/packages/BUILD/:1777:root:root:Linux:
+file:/usr/src/packages/BUILDROOT/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alpha/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alphaev56/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alphaev67/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alphaev6/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/arm4l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/athlon/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i386/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i486/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i586/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i686/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/ia64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/mips/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/ppc/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/ppc64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/powerpc/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/powerpc64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/s390/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/s390x/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/sparc/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/sparcv9/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/sparc64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/x86_64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv4l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tel/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tevl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tejl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tejvl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv6l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv6vl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv7l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/hppa/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/hppa2.0/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/noarch/:1777:root:root:Linux:
+file:/usr/src/packages/SPECS/:1777:root:root:Linux:
+file:/usr/src/packages/SRPMS/:1777:root:root:Linux:
+file:/usr/bin/v4l-conf:4755:root:video:Linux:
+file:/usr/lib/ia32el/suid_ia32x_loader:4755:root:root:Linux:
+file:/usr/bin/ntping:4750:root:trusted:Linux:
+file:/usr/bin/vlock:2755:root:shadow:Linux:
+file:/usr/bin/Xorg:4711:root:root:Linux:
+file:/usr/bin/wall:2755:root:tty:Linux:
+file:/usr/bin/write:2755:root:tty:Linux:
+file:/usr/bin/makeweb:2755:root:www:Linux:
+file:/usr/bin/yaps:2755:root:uucp:Linux:
+file:/usr/bin/nwsfind:4750:root:trusted:Linux:
+file:/usr/bin/ncplogin:4750:root:trusted:Linux:
+file:/usr/bin/ncpmap:4750:root:trusted:Linux:
+file:/usr/lib/lpdfilter/bin/runlpr:4755:root:root:Linux:
+file:/sbin/pccardctl:4755:root:trusted:Linux:
+file:/usr/sbin/mgnokiidev:4755:root:uucp:Linux:
+file:/usr/lib/pcp/pmpost:4755:root:root:Linux:
+file:/usr/lib/mailman/cgi-bin/admin:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/admindb:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/edithtml:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/listinfo:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/options:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/private:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/roster:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/subscribe:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/confirm:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/create:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/editarch:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/rmlist:2755:root:mailman:Linux:
+file:/usr/lib/mailman/mail/mailman:2755:root:mailman:Linux:
+file:/usr/lib/libgnomesu/gnomesu-pam-backend:4755:root:root:Linux:
+file:/usr/sbin/change-passwd:4755:root:root:Linux:
+file:/usr/bin/lppasswd:2755:lp:lp:Linux:
+file:/usr/bin/get_printing_ticket:4750:root:lp:Linux:
+file:/bin/ping:4755:root:root:Linux:
+file:/bin/ping6:4755:root:root:Linux:
+file:/usr/sbin/mtr:4750:root:dialout:Linux:
+file:/usr/bin/rcp:4755:root:root:Linux:
+file:/usr/bin/rlogin:4755:root:root:Linux:
+file:/usr/bin/rsh:4755:root:root:Linux:
+file:/usr/bin/cl_status:2555:root:haclient:Linux:
+file:/usr/sbin/exim:4755:root:root:Linux:
+file:/usr/sbin/pppoe-wrapper:4750:root:dialout:Linux:
+file:/sbin/isdnctrl:4750:root:dialout:Linux:
+file:/usr/bin/vboxbeep:4755:root:trusted:Linux:
+file:/usr/lib/mc/cons.saver:4755:root:root:Linux:
+file:/usr/bin/jfbterm:6755:root:tty:Linux:
+file:/opt/kde3/bin/artswrapper:4755:root:root:Linux:
+file:/opt/kde3/bin/kcheckpass:4755:root:shadow:Linux:
+file:/usr/lib/kde4/libexec/kcheckpass:4755:root:shadow:Linux:
+file:/usr/lib64/kde4/libexec/kcheckpass:4755:root:shadow:Linux:
+file:/opt/kde3/bin/kdesud:2755:root:nogroup:Linux:
+file:/usr/lib/kde4/libexec/kdesud:2755:root:nogroup:Linux:
+file:/usr/lib64/kde4/libexec/kdesud:2755:root:nogroup:Linux:
+file:/opt/kde3/bin/kpac_dhcp_helper:4755:root:root:Linux:
+file:/opt/kde3/bin/start_kdeinit:4755:root:root:Linux:
+file:/usr/lib/kde4/libexec/start_kdeinit:4755:root:root:Linux:
+file:/usr/lib64/kde4/libexec/start_kdeinit:4755:root:root:Linux:
+file:/usr/bin/fileshareset:4755:root:root:Linux:
+file:/usr/sbin/amcheck:4750:root:amanda:Linux:
+file:/usr/lib/amanda/calcsize:4750:root:amanda:Linux:
+file:/usr/lib/amanda/rundump:4750:root:amanda:Linux:
+file:/usr/lib/amanda/planner:4750:root:amanda:Linux:
+file:/usr/lib/amanda/runtar:4750:root:amanda:Linux:
+file:/usr/lib/amanda/dumper:4750:root:amanda:Linux:
+file:/usr/lib/amanda/killpgrp:4750:root:amanda:Linux:
+file:/usr/lib/gnats/gen-index:4555:gnats:root:Linux:
+file:/usr/lib/gnats/pr-edit:4555:gnats:root:Linux:
+file:/usr/lib/gnats/queue-pr:4555:gnats:root:Linux:
+file:/usr/lib/news/bin/rnews:4550:news:uucp:Linux:
+file:/usr/lib/news/bin/startinnfeed:4554:root:news:Linux:
+file:/usr/lib/news/bin/inndstart:4554:root:news:Linux:
+file:/usr/lib/news/bin/inews:2555:news:news:Linux:
+file:/usr/lib/mgetty+sendfax/faxq-helper:4755:fax:root:Linux:
+file:/var/spool/fax/outgoing/:0755:fax:root:Linux:
+file:/var/spool/fax/outgoing/locks:0755:fax:root:Linux:
+file:/var/spool/uucppublic/:1777:root:root:Linux:
+file:/usr/bin/uucp:6555:uucp:uucp:Linux:
+file:/usr/bin/uuname:6555:uucp:uucp:Linux:
+file:/usr/bin/uustat:6555:uucp:uucp:Linux:
+file:/usr/bin/uux:6555:uucp:uucp:Linux:
+file:/usr/lib/uucp/uucico:6555:uucp:uucp:Linux:
+file:/usr/lib/uucp/uuxqt:6555:uucp:uucp:Linux:
+file:/usr/games/atc:2755:games:games:Linux:
+file:/usr/games/battlestar:2755:games:games:Linux:
+file:/usr/games/canfield:2755:games:games:Linux:
+file:/usr/games/cribbage:2755:games:games:Linux:
+file:/usr/games/phantasia:2755:games:games:Linux:
+file:/usr/games/robots:2755:games:games:Linux:
+file:/usr/games/sail:2755:games:games:Linux:
+file:/usr/games/snake:2755:games:games:Linux:
+file:/usr/games/tetris-bsd:2755:games:games:Linux:
+file:/usr/games/Maelstrom:2755:games:games:Linux:
+file:/usr/games/pachi:2755:games:games:Linux:
+file:/usr/games/martian:2755:games:games:Linux:
+file:/usr/lib/nethack/nethack.tty:2755:games:games:Linux:
+file:/usr/games/chromium:2755:games:games:Linux:
+file:/usr/games/xscrab:2755:games:games:Linux:
+file:/usr/games/trackballs:2755:games:games:Linux:
+file:/usr/games/ltris:2755:games:games:Linux:
+file:/usr/games/xlogical:2755:games:games:Linux:
+file:/usr/games/lbreakout2:2755:games:games:Linux:
+file:/usr/bin/xgalaga:2755:games:games:Linux:
+file:/usr/games/rocksndiamonds:2755:games:games:Linux:
+file:/usr/bin/glines:2755:games:games:Linux:
+file:/usr/bin/gnibbles:2755:games:games:Linux:
+file:/usr/bin/gnobots2:2755:games:games:Linux:
+file:/usr/bin/gnometris:2755:games:games:Linux:
+file:/usr/bin/gnomine:2755:games:games:Linux:
+file:/usr/bin/gnotravex:2755:games:games:Linux:
+file:/usr/bin/gnotski:2755:games:games:Linux:
+file:/usr/bin/gtali:2755:games:games:Linux:
+file:/usr/bin/mahjongg:2755:games:games:Linux:
+file:/usr/bin/same-gnome:2755:games:games:Linux:
+file:/usr/sbin/zypp-refresh-wrapper:4755:root:root:Linux:
+file:/usr/lib/PolicyKit/polkit-set-default-helper:4755:polkituser:root:Linux:
+file:/usr/lib/PolicyKit/polkit-read-auth-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-revoke-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-explicit-grant-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-grant-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-grant-helper-pam:4750:root:polkituser:Linux:
+file:/usr/lib/polkit-1/polkit-agent-helper-1:4755:root:root:Linux:
+file:/usr/bin/pkexec:4755:root:root:Linux:
+file:/lib/dbus-1/dbus-daemon-launch-helper:4750:root:messagebus:Linux:
+file:/lib64/dbus-1/dbus-daemon-launch-helper:4750:root:messagebus:Linux:
+file:/usr/bin/newrole:4755:root:root:Linux:
+file:/usr/lib/virtualbox/VirtualBox:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VirtualBox3:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxBFE:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxHeadless:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxSDL:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxNetAdpCtl:4750:root:vboxusers:Linux:
+file:/usr/bin/vmware-user-suid-wrapper:4755:root:root:Linux:
+file:/var/log/messages:0644:root.root:Linux:
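Review bot: Several added entries cannot match the `%a:%U:%G` string that FILE-7525 builds with `stat`, so they always warn. `file:/var/log/messages:0644:root.root:Linux:` separates owner and group with `.`, which shifts every later field, and the `0755`/`0644` modes carry a leading zero that `%a` does not print; `file:/etc/crontab:44:` looks like a typo for `644`. Suggested forms are `file:/var/log/messages:644:root:root:Linux:` and `file:/etc/crontab:644:root:root:Linux:`, with `755` in place of `0755` for the two `/var/spool/fax/outgoing` lines. The hunk also removes the `/etc/shadow` and `/etc/gshadow` (`400`) and `/etc/passwd` and `/etc/group` (`644`) baselines without replacement, so the account databases are no longer checked. Re-adding those four lines and the field-definition header keeps that coverage and documents the format.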
diff -EruN lynis-1.2.9/default.prf lynis-1.2.9_suse/default.prf
--- lynis-1.2.9/default.prf	2009-12-13 21:25:19.000000000 +0100
+++ lynis-1.2.9_suse/default.prf	2010-08-30 18:23:43.524052641 +0200
@@ -29,6 +29,7 @@
 
 # ** Scan type (how deep test has to be, light, normal or full) **
 # config:test_scan_mode:light|normal|full:
+config:test_scan_mode:full
 
 # ** Skip one or more specific tests **
 # (always ignores scan mode and will make sure the test is skipped)
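Review bot: `config:test_scan_mode:full` omits the trailing `:` that the documented form on the line above it (`config:test_scan_mode:light|normal|full:`) uses. The profile parser is not visible here, so it is unclear whether the value is read correctly without the terminator. The same applies to `config:machine_role:desktop` and `scanbinary:ChkRootKit:chkrootkit` in later hunks of this file. For consistency with the other entries, write `config:test_scan_mode:full:`, `config:machine_role:desktop:` and `scanbinary:ChkRootKit:chkrootkit:`.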
@@ -37,7 +38,7 @@
 # ** Define the role(s) of a machine **
 # Values: desktop|server (default: server)
 #config:machine_role:server:
-
+config:machine_role:desktop
 
 
 #################################################################################
@@ -47,91 +48,32 @@
 # Define which plugins are enabled
 #
 #################################################################################
-# plugin=security_malware
-# plugin=security_rootkit
-# plugin=files_permissions
+plugin_enable=security_malware
+plugin_enable=security_rootkit
+plugin_enable=plugin_fileperms
 
 #################################################################################
 #
 # Sysctl options
 # ---------------
-# sysctl:<Sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
-#
-# Sysctl key       = name
-# Expected value   = value of sysctl key
-# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
-# Description      = Text description of key
+# sysctl:<sysctl key>:<expected value>:
+# The 'expected value' is used to compare with the active value. If they
+# differ, the program will mark it with a warning.
 #
 #################################################################################
 
 [processes]
-#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value:
-sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups:
-sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users:
+sysctl:kern.randompid:1:
 
 [kernel]
-sysctl:kern.sugid_coredump:0:1:XXX:
-sysctl:kernel.core_setuid_ok:0:1:XXX:
-sysctl:kernel.core_uses_pid:1:1:XXX:
-sysctl:kernel.ctrl-alt-del:0:1:XXX:
-sysctl:kernel.exec-shield-randomize:1:1:XXX:
-sysctl:kernel.exec-shield:1:1:XXX:
-sysctl:kernel.sysrq:0:1:Disable magic SysRQ:
-sysctl:kernel.use-nx:0:1:XXX:
+sysctl:kern.sugid_coredump:0:
 
 [network]
-sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
-sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
-sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: 
-sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
-sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic:
-sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic:
-sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
-sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects:
-sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets:
-sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
-sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets:
-sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets:
-sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing:
-sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
-sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address:
-sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore
-#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic:
-sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:
-sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
-sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
-sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: 
-sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: 
+sysctl:net.inet.tcp.blackhole:2:
+sysctl:net.inet.udp.blackhole:1:
 
 [security]
-#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:
-#security.jail.jailed: 0
-#security.jail.jail_max_af_ips: 255
-#security.jail.mount_allowed: 0
-#security.jail.chflags_allowed: 0
-#security.jail.allow_raw_sockets: 0
-#security.jail.enforce_statfs: 2
-#security.jail.sysvipc_allowed: 0
-#security.jail.socket_unixiproute_only: 1
-#security.jail.set_hostname_allowed: 1
-#security.bsd.suser_enabled: 1
-#security.bsd.unprivileged_proc_debug: 1
-#security.bsd.conservative_signals: 1
-#security.bsd.unprivileged_read_msgbuf: 1
-#security.bsd.hardlink_check_gid: 0
-#security.bsd.hardlink_check_uid: 0
-#security.bsd.unprivileged_get_quota: 0
-
+sysctl:kern.securelevel:3:
 
 
 #################################################################################
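Review bot: After this hunk the `[processes]`, `[kernel]`, `[network]` and `[security]` sections hold only BSD-style keys (`kern.randompid`, `kern.sugid_coredump`, `net.inet.tcp.blackhole`, `net.inet.udp.blackhole`, `kern.securelevel`). Every Linux key the old profile checked is removed, including `net.ipv4.tcp_syncookies`, `net.ipv4.conf.all.rp_filter`, `kernel.sysrq` and the `accept_redirects`/`accept_source_route` family, so on the SUSE target this profile appears to audit no sysctl hardening at all. The entries also change from the five-field form to `sysctl:<key>:<value>:`, and whether the 1.2.9 parser accepts that is not visible from the patch. Keeping the upstream Linux entries in their original form, e.g. `sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:`, preserves the coverage. Separately, `plugin_enable=plugin_fileperms` does not match the `files_permissions` name in the removed line and should be confirmed against the plugin that is actually shipped.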
@@ -167,17 +109,6 @@
 
 #################################################################################
 #
-# NTP options
-#
-#################################################################################
-
-# Ignore some stratum 16 hosts (for example when running as time source itself)
-#ntp:ignore_stratum_16_peer:127.0.0.1:
-#ntp:ignore_stratum_16_peer:1.2.3.4:
-
-
-#################################################################################
-#
 # File/directories permissions (currently not used yet)
 #
 #################################################################################
@@ -187,8 +118,8 @@
 #scanfile:/etc/rc.conf:FreeBSD configuration:
 
 # Scan for exact directory name match
-#[scandirs]
-#scandir:/etc:/etc directory:
+[scandirs]
+scandir:/etc:/etc directory:
 
 
 #################################################################################
@@ -205,7 +136,7 @@
 
 #permfile:/etc/inetd.conf:rw-------:root:-:WARN:
 #permfile:/etc/fstab:rw-r--r--:root:-:WARN:
-permfile:/etc/lilo.conf:rw-------:root:-:WARN:
+#permfile:/etc/lilo.conf:rw-------:root:-:WARN:
 
 
 #################################################################################
@@ -217,10 +148,11 @@
 #################################################################################
 
 permdir:/root/.ssh:rwx------:root:-:WARN:
+permdir:/root/.gnupg:rwx------:root:-:WARN:
 
 # Scan for a program/binary in BINPATHs
 #scanbinary:Rootkit Hunter:rkhunter:
-
+scanbinary:ChkRootKit:chkrootkit
 
 #################################################################################
 #
@@ -253,4 +185,3 @@
 # Define if available NTP daemon is configured as a server or client on the network
 # values: server or client (default: client)
 #config:ntpd_role:client:
-
diff -EruN lynis-1.2.9/include/consts lynis-1.2.9_suse/include/consts
--- lynis-1.2.9/include/consts	2009-03-15 14:10:37.000000000 +0100
+++ lynis-1.2.9_suse/include/consts	2010-09-01 13:30:22.584145341 +0200
@@ -68,6 +68,7 @@
     CHKROOTKITBINARY=""
     CHKCONFIGBINARY=""
     FILEVALUE=""
+    FILE_NUM_TOTAL=0
     FIND=""
     GRPCKBINARY=""
     IPTABLESBINARY=""
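Review bot: `FILE_NUM_TOTAL=0` is initialised here, but nothing in the visible part of the patch ever assigns it a real file count, while FILE-7527 uses it as `HPMAX=$FILE_NUM_TOTAL`. If it stays 0, that test calls `AddHP` with a maximum of 0 and an `HP` that goes negative for every world-writable path. Either populate it before the file-permission tests run or have FILE-7527 compute its own total. A comment such as `# total files scanned; set by <test>, read by FILE-7527` would document the contract. The surrounding initialisation block starts and ends outside this hunk.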
diff -EruN lynis-1.2.9/include/tests_binary_rpath lynis-1.2.9_suse/include/tests_binary_rpath
--- lynis-1.2.9/include/tests_binary_rpath	1970-01-01 01:00:00.000000000 +0100
+++ lynis-1.2.9_suse/include/tests_binary_rpath	2010-09-01 22:53:15.037731414 +0200
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+#################################################################################
+#
+# Author: Thomas Biege <thomas@suse.de>
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Verifies if a binary contains an insecure RPATH variable.
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+    InsertSection "Binary integrity"
+    report "[Software]"
+#
+#################################################################################
+#
+    # Test        : BINARY-1000
+    # Description : Verifies if a binary contains an insecure RPATH variable.
+    Register --test-no BINARY-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable."
+    if [ ${SKIPTEST} -eq 0 ]; then
+        Display --indent 2 --text "- Starting binary RPATH check..."
+        logtext "Test: Checking binary integrity of RPATH"
+
+	RPNOTOK=0
+	FILENUM=0
+	HPMAX=0
+	HPBAD=0
+	for FILE in $(find / -xdev -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null)
+	do
+		((FILENUM++))
+		for RPATH_VAL in $(objdump -p "$FILE" 2>/dev/null | egrep -w '(RPATH|RUNPATH)' | awk '{ print $2 ":"}')
+		do
+			((HPMAX++))
+			if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue; fi
+			while [ -n "$RPATH_VAL" ]
+			do
+				RPATH_VAL_NXT=${RPATH_VAL%%:*}
+				RPATH_VAL=${RPATH_VAL##$RPATH_VAL_NXT:}
+				test -d "$RPATH_VAL_NXT" && RPATH_VAL_NXT=$(cd ${RPATH_VAL_NXT//#\/\//\/}; pwd -P)
+
+				case ":$RPATH_VAL_NXT" in
+					:/usr/lib*)
+						;;
+					:/lib*)
+						;;
+					:/opt/*/lib*)
+						;;
+					:/usr/X11R6/lib*)
+						;;
+					:/usr/local/lib*)
+						;;
+					*)
+						((HPBAD++))
+						RPNOTOK=1;
+						Display --indent 4 --text "${FILE}" --text "RPATH \"$RPATH_VAL_NXT\" on $FILE is not allowed" --result WARNING --color RED
+				esac
+			done
+		done
+	done
+	if [ $RPNOTOK == 0 ]; then
+		Display --indent 4 --text "No bad RPATH usage found in $FILENUM executables" --result OK --color GREEN
+	fi
+	HP=$(expr $HPMAX - $HPBAD)
+# 	echo "AddHP $HP $HPMAX"
+	AddHP $HP $HPMAX
+
+    fi    
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
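Review bot: The outer loop `for FILE in $(find / -xdev -type f ...)` word-splits and glob-expands the find output, so an executable whose path contains whitespace or glob characters is broken into bogus names and never inspected. File names on the audited system are not under the auditor's control, so this is a real coverage gap. Since the file is `#!/bin/bash`, read NUL-delimited paths instead: `while IFS= read -r -d '' FILE; do` ... `done < <(find / -xdev -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print0 2>/dev/null)`. Separately, `if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue; fi` skips the whole colon-separated value, so any component after a leading `$ORIGIN` entry is never compared with the allowed prefixes; that test belongs inside the inner `while`, on `RPATH_VAL_NXT`. The `cd ${RPATH_VAL_NXT//...}` argument should also be quoted, and the final `*)` arm would read better with a closing `;;`.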
diff -EruN lynis-1.2.9/include/tests_file_permissionsDB lynis-1.2.9_suse/include/tests_file_permissionsDB
--- lynis-1.2.9/include/tests_file_permissionsDB	1970-01-01 01:00:00.000000000 +0100
+++ lynis-1.2.9_suse/include/tests_file_permissionsDB	2010-09-01 14:12:03.432001883 +0200
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Author: Thomas Biege <thomas@suse.de>
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+#  File permissions from db file
+#
+#################################################################################
+#
+# TODO:
+# - owner can have ':' and '.' as delimiter, '.' will cause an error -> fix it!
+# - octal perms starting with 0 are valid but will cause an error -> fix it!
+#
+################################################################################
+#
+    InsertSection "File systems"
+#
+#################################################################################
+#
+    # Test        : FILE-7525
+    # Description : Perform file permissions check
+    Register --test-no FILE-7525 --weight L --network NO --description "Perform file permissions check from DB"
+    if [ ${SKIPTEST} -eq 0 ]; then
+	DB="${DBDIR}/fileperms.db"
+        Display --indent 2 --text "- Starting file permissions check from DB..."
+        logtext "Test: Checking file permissions from DB"
+        logtext "Using database ${DB}."
+
+	HPMAX=0
+	HPBAD=0
+	for LINE in $(cat $DB)
+	do
+		((HPMAX++))
+		FN=$(echo $LINE | cut -d: -f2)
+		PM=$(echo $LINE | cut -d: -f3)
+		UN=$(echo $LINE | cut -d: -f4)
+		GN=$(echo $LINE | cut -d: -f5)
+		OS=$(echo $LINE | cut -d: -f6)
+		if [ -z $OS ]; then
+			logtext "Warning: line format invalid: '$LINE'"
+		fi
+
+		logtext "Checking $FN"
+
+		STR="$PM:$UN:$GN"
+		STAT=$(stat --printf="%a:%U:%G" $FN 2>/dev/null)
+		if [ -z $STAT ]; then
+			#Display --indent 4 --text "${FN}" --result "NOT FOUND" --color WHITE
+			continue;
+		fi
+		if ! [ "$STR" == "$STAT" ]; then
+			((HPBAD++))
+			Display --indent 4 --text "${FN}" --result WARNING --color RED
+		else
+			Display --indent 4 --text "${FN}" --result OK --color GREEN
+		fi
+	done
+
+	HP=$(expr $HPMAX - $HPBAD)
+# 	echo "AddHP $HP $HPMAX"
+	AddHP $HP $HPMAX
+    fi    
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
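Review bot: Database entries whose file does not exist still earn a hardening point, which inflates the index on systems where most listed paths are absent. `((HPMAX++))` runs at the top of the loop, but the `continue` on an empty `STAT` bypasses only the `HPBAD` accounting, so `HP=$(expr $HPMAX - $HPBAD)` counts each missing path as a pass. Move the increment below the existence check. A malformed line is only logged (`Warning: line format invalid`) and then still compared; add `continue` after that `logtext` so it is skipped. The expansions should also be quoted, `stat --printf="%a:%U:%G" "$FN"` and `[ -z "$STAT" ]`, so a path with spaces is not split. The header TODO already admits that `.` owner delimiters and leading-zero modes fail, and the shipped fileperms.db contains both.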
diff -EruN lynis-1.2.9/include/tests_file_permissions_ww lynis-1.2.9_suse/include/tests_file_permissions_ww
--- lynis-1.2.9/include/tests_file_permissions_ww	1970-01-01 01:00:00.000000000 +0100
+++ lynis-1.2.9_suse/include/tests_file_permissions_ww	2010-09-01 22:52:58.827762122 +0200
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Author: Thomas Biege <thomas@suse.de>
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+#  File permissions world-writeable file
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+    InsertSection "File systems"
+#
+#################################################################################
+#
+    # Test        : FILE-7527
+    # Description : Perform file permissions check
+    Register --test-no FILE-7527 --weight L --network NO --description "Lookup world-writeable files."
+    if [ ${SKIPTEST} -eq 0 ]; then
+        Display --indent 2 --text "- Starting file permissions check for world-writeable files..."
+        logtext "Test: Checking for world-writeable files"
+
+	TMP=$(mktemp /tmp/lynis.XXXXXX)
+	HPMAX=$FILE_NUM_TOTAL
+	HP=$HPMAX
+        find / -xdev \( -type f -o -type d -o -type s -o -type b -type p -o -type c \) -a -perm -0002 -print 2>/dev/null > $TMP
+	for i in $(cat $TMP)
+	do
+		((HP--))
+		Display --indent 4 --text "${i} is world-writeable" --result WARNING --color RED
+	done
+# 	echo  "AddHP $HP $HPMAX"
+	AddHP $HP $HPMAX
+	rm -f $TMP
+    fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
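Review bot: The find expression contains `-o -type b -type p -o -type c`, and the missing `-o` between `-type b` and `-type p` turns that term into an AND that can never be true. World-writable block devices and FIFOs are therefore silently left out of the report; the group should read `\( -type f -o -type d -o -type s -o -type b -o -type p -o -type c \)`. `for i in $(cat $TMP)` splits paths on whitespace; `while IFS= read -r i; do ... done < "$TMP"` with `"$TMP"` quoted everywhere avoids that. The `-type d` term also reports sticky directories such as the `1777` ones that fileperms.db lists as expected, so consider excluding directories that have the sticky bit set to reduce noise. A `trap 'rm -f "$TMP"' EXIT` would keep the temp file from being left behind if the run is interrupted.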
diff -EruN lynis-1.2.9/include/tests_network_allowed_ports lynis-1.2.9_suse/include/tests_network_allowed_ports
--- lynis-1.2.9/include/tests_network_allowed_ports	1970-01-01 01:00:00.000000000 +0100
+++ lynis-1.2.9_suse/include/tests_network_allowed_ports	2010-09-01 13:16:25.036189511 +0200
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+#################################################################################
+#
+# Author: Thomas Biege <thomas@suse.de>
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Verifies open network ports.
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+    InsertSection "Networking"
+#
+#################################################################################
+#
+    # Test        : NETW-3085
+    # Description : Verifies dbus policy.
+    Register --test-no NETW-3085 --weight L --network NO --description "Verifies open network ports."
+    if [ ${SKIPTEST} -eq 0 ]; then
+	ALLOWED_PORTS=( 22 25 68 80 111 443 )
+	TMP=$(mktemp /tmp/lynis.XXXXXX)
+
+	STR="${ALLOWED_PORTS[@]:0}"
+	Display --indent 2 --text "- Starting verifying open network ports ($STR)..."
+	logtext "Test: Checking open network ports"
+  	logtext "Allowed ports: $STR"
+
+	netstat -an | grep -i listen > $TMP
+	PORTS=($(cat $TMP | awk '{ print $4 }' | sed 's/.*://;s/ACC//' | sort -un))
+
+
+	IDX_P=0
+	LEN_P=${#PORTS[@]}
+	NUM_NOTOK=0
+	while [ $IDX_P -lt $LEN_P ]
+	do
+		IDX_A=0
+		LEN_A=${#ALLOWED_PORTS[@]}
+		PORTOK=0
+		while [ $IDX_A -lt $LEN_A ]
+		do
+#  			echo "${PORTS[$IDX_P]} vs. ${ALLOWED_PORTS[$IDX_A]}"
+			if [ ${PORTS[$IDX_P]} == ${ALLOWED_PORTS[$IDX_A]} ]
+			then
+				PORTOK=1
+				break
+			fi
+			((IDX_A++))
+		done
+		if [ $PORTOK -eq 0 ]
+		then
+			((NUM_NOTOK++))
+			P=${PORTS[$IDX_P]}
+			Display --indent 4 --text "Open port ${P} not allowed" --result WARNING --color RED
+		fi
+
+		((IDX_P++))
+	done
+
+	HPMAX=$LEN_A
+	HP=$(expr $LEN_A - $NUM_NOTOK)
+	if [ $HP -lt 0 ]; then HP=0; fi
+
+	AddHP $HP $HPMAX
+
+	rm -f $TMP
+    fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
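Review bot: `LEN_A` is assigned only inside the outer `while`, so on a host with no matching listeners the later `HPMAX=$LEN_A` and `expr $LEN_A - $NUM_NOTOK` run with an empty value and `AddHP` receives broken arguments. Set `LEN_A=${#ALLOWED_PORTS[@]}` once before the loop. The `grep -i listen` filter probably also misses UDP sockets, since Linux `netstat` shows no LISTEN state for them, which would leave UDP services uncompared even though the allow-list names 68 and 111. That should be confirmed, and a separate `netstat -anu` pass added if so. The header comment `# Description : Verifies dbus policy.` is copied from another test and should read `# Description : Verifies open network ports.`. `"$TMP"` should be quoted, or the temp file dropped altogether by piping `netstat` straight into `awk`.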
diff -EruN lynis-1.2.9/include/tests_system_dbus lynis-1.2.9_suse/include/tests_system_dbus
--- lynis-1.2.9/include/tests_system_dbus	1970-01-01 01:00:00.000000000 +0100
+++ lynis-1.2.9_suse/include/tests_system_dbus	2010-09-01 14:22:45.700133034 +0200
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+#################################################################################
+#
+# Author: Thomas Biege <thomas@suse.de>
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Verifies dbus policy.
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+    InsertSection "System Tools"
+    report "[Software]"
+#
+#################################################################################
+#
+    # Test        : SYSTEM-1000
+    # Description : Verifies dbus policy.
+    Register --test-no SYSTEM-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable."
+    if [ ${SKIPTEST} -eq 0 ]; then
+        Display --indent 2 --text "- Starting dbus policy check..."
+        logtext "Test: Checking dbus policy"
+
+	DB="${DBDIR}/dbus-whitelist.db"
+
+	if ! [ -f $DB ]
+	then
+		if [ -f ./dbus-whitelist.db ]
+		then
+			DB="./dbus-whitelist.db"
+		else
+			logtext "Warning: dbus autostart/system services whitelist file is missing."
+			return
+		fi
+	fi
+	WHITELIST=$(cat $DB)
+	HPMAX=$(wc -l $DB | cut -d' ' -f1)
+	HPBAD=0
+	E=$(ls -1  /usr/share/dbus-*/system-services/*.service /etc/dbus-*/system.d/*.conf 2>/dev/null)
+	if ! [ -z "$E" ]
+	then
+		for i in $E
+		do
+			DF=$(basename $i)
+
+			FOUND=0
+			for j in $WHITELIST
+			do
+				if [ "$DF" == "$j" ]; then FOUND=1; fi
+			done
+			if [ $FOUND -eq 0 ]
+			then
+				((HPBAD++))
+				PKG=$(rpm -qf "$i")
+				Display --indent 4 --text "Warning: Package $PKG installs an unknown D-BUS autostart/system service: $DF" --result WARNING --color RED
+			fi
+		done
+	fi
+	HP=$(expr $HPMAX - $HPBAD)
+# 	echo "AddHP $HP $HPMAX"
+	AddHP $HP $HPMAX
+    fi    
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
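Review bot: The fallback to `./dbus-whitelist.db` loads the allowlist from whatever directory the audit is started in, so when `${DBDIR}/dbus-whitelist.db` is missing the result depends on a file that may not be under the administrator's control. I would drop the inner `if [ -f ./dbus-whitelist.db ]` branch, keep only the logged warning and `return`, and quote the path as `[ -f "$DB" ]`. The `Register` line carries a description copied from another test; `--description "Verifies D-Bus system services against a whitelist."` matches what the check does. `HP=$(expr $HPMAX - $HPBAD)` goes negative when more unknown services are found than the whitelist has lines; the open-ports test clamps with `if [ $HP -lt 0 ]; then HP=0; fi` and the same line fits here.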
diff -EruN lynis-1.2.9/include/tests_system_proc lynis-1.2.9_suse/include/tests_system_proc
--- lynis-1.2.9/include/tests_system_proc	1970-01-01 01:00:00.000000000 +0100
+++ lynis-1.2.9_suse/include/tests_system_proc	2010-09-01 13:25:41.784037408 +0200
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#################################################################################
+#
+# Author: Thomas Biege <thomas@suse.de>
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Checking for processes running as 'nobody'
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+    InsertSection "Memory and processes"
+#
+#################################################################################
+#
+    # Test        : PROC-3625
+    # Description : Processes running as 'nobody'
+    Register --test-no PROC-3625 --weight L --network NO --description "Processes running as 'nobody'."
+    if [ ${SKIPTEST} -eq 0 ]; then
+	Display --indent 2 --text "- Starting look-up of 'nobody' processes..."
+	logtext "Test: Checking for processes running as 'nobody'"
+
+	TMP=$(mktemp /tmp/lynis.XXXXXX)
+	TMP2=$(mktemp /tmp/lynis.XXXXXX)
+	ps -eo uname,pid,comm | tr -s " " | sed "s/ /:/g" > $TMP
+	HPMAX=$(wc -l $TMP | cut -d' ' -f1)
+	grep '^nobody' $TMP > $TMP2
+
+	HP=$HPMAX
+	for i in $(cat $TMP2)
+	do
+		((HP--))
+		PID=$(echo $i | cut -d: -f2)
+		PNAME=$(echo $i | cut -d: -f3)
+		Display --indent 4 --text "${PNAME} [PID ${PID}] runs as user 'nobody'" --result WARNING --color RED
+	done
+
+# 	echo "AddHP $HP $HPMAX"
+	AddHP $HP $HPMAX
+
+	rm -f $TMP $TMP2
+    fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
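Review bot: `grep '^nobody' $TMP` matches any account whose name merely starts with "nobody", so processes of a different user would be reported as running as 'nobody'; the fields are already colon-joined, so `grep '^nobody:' "$TMP" > "$TMP2"` pins the match to the exact name. `HPMAX` comes from `wc -l $TMP`, which also counts the header line that `ps -eo uname,pid,comm` prints, so the maximum is one higher than the number of processes. The `sed "s/ /:/g"` step turns spaces inside a command name into colons, so `cut -d: -f3` shows only the first word of such names. Neither `mktemp` call is checked, so a failure leaves `$TMP` empty and the unquoted redirections break; `TMP=$(mktemp /tmp/lynis.XXXXXX) || return` would stop the test cleanly.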
diff -EruN lynis-1.2.9/include/tests_tmp_symlinks lynis-1.2.9_suse/include/tests_tmp_symlinks
--- lynis-1.2.9/include/tests_tmp_symlinks	1970-01-01 01:00:00.000000000 +0100
+++ lynis-1.2.9_suse/include/tests_tmp_symlinks	2010-08-31 11:34:46.696758595 +0200
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Author: Thomas Biege <thomas@suse.de>
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Looks up symlinks in /tmp 
+#
+#################################################################################
+#
+# TODO:
+# - also verify other tmp localtions like /var/tmp and ~/tmp
+#
+################################################################################
+#
+    InsertSection "File systems"
+#
+#################################################################################
+#
+    # Test        : FILE-7526
+    # Description : Looks up symlinks in /tmp
+    Register --test-no FILE-7526 --weight L --network NO --description "Looks up symlinks in /tmp"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        Display --indent 2 --text "- Starting look-up of symlinks in /tmp..."
+        logtext "Test: Checking /tmp for symlinks"
+
+	TMP_SYMLINK=$(find /tmp -type l -print 2>/dev/null)
+
+	if [ "$TMP_SYMLINK" ]
+	then
+		for sym in $TMP_SYMLINK
+		do
+			Display --indent 4 --text "${sym}" --result WARNING --color RED
+		done
+	fi
+    fi    
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
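Review bot: `for sym in $TMP_SYMLINK` splits the `find` output on whitespace and applies pathname expansion, and names under /tmp can be chosen by any local user, so a link whose name contains a space or a glob character is reported as several wrong paths. Reading the list line by line avoids both: `find /tmp -type l -print 2>/dev/null | while IFS= read -r sym; do`, followed by the existing `Display` call and `done` (a name containing a newline would still be split). The names are passed to `Display` unchanged, so control characters in a name reach the terminal unless `Display` filters them, which is not visible here. Unlike the other new tests, this one never calls `AddHP`, so its findings do not affect the score.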
diff -EruN lynis-1.2.9/include/tests_users_wo_password lynis-1.2.9_suse/include/tests_users_wo_password
--- lynis-1.2.9/include/tests_users_wo_password	1970-01-01 01:00:00.000000000 +0100
+++ lynis-1.2.9_suse/include/tests_users_wo_password	2010-09-01 14:07:43.820127326 +0200
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#################################################################################
+#
+# Author: Thomas Biege <thomas@suse.de>
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Verifies dbus policy.
+#
+#################################################################################
+#
+# TODO:
+#
+################################################################################
+#
+    InsertSection "Users, Groups and Authentication"
+    report "[Software]"
+#
+#################################################################################
+#
+    # Test        : AUTH-1000
+    # Description : Verifies dbus policy.
+    Register --test-no AUTH-1000 --weight M --network NO --description "Verifies if users without a password exist."
+    if [ ${SKIPTEST} -eq 0 ]; then
+	Display --indent 2 --text "- Starting password check for users..."
+	logtext "Test: Checking existence of password"
+
+	TMPDIR=$(mktemp -d /tmp/lynis.XXXXXX)
+	HPMAX=$(wc -l /etc/passwd | cut -d' ' -f1)
+	awk -F: '$2 == "" && $1 != "+" {print $1}' /etc/passwd >  $TMPDIR/userwopwd
+	awk -F: '$2 == "" && $1 != "+" {print $1}' /etc/shadow >> $TMPDIR/userwopwd
+	sort -u $TMPDIR/userwopwd > $TMPDIR/userwopwd2
+	HPBAD=0
+	for i in $(cat $TMPDIR/userwopwd2)
+	do
+		((HPBAD++))
+		Display --indent 4 --text "${i} has no password set" --result WARNING --color RED
+	done
+
+	HP=$(expr $HPMAX - $HPBAD)
+# 	echo "AddHP $HP $HPMAX"
+	AddHP $HP $HPMAX
+
+	rm -rf $TMPDIR
+    fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
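Review bot: The result of `mktemp -d` is not checked, and the directory is stored in `TMPDIR`. On failure both `awk` redirections write to `/userwopwd` in the root directory. On success, if this include is sourced the way `binaries` is in the lynis hunk, the assignment overrides the standard `TMPDIR` variable for the rest of the run, and `rm -rf $TMPDIR` then deletes the directory it names. A private variable with a guard avoids both: `PWTMP=$(mktemp -d /tmp/lynis.XXXXXX) || return` and `rm -rf -- "${PWTMP:?}"` (`PWTMP` is only a suggested name). The header comment and the `# Description` line still say "Verifies dbus policy."; the latter should read `# Description : Verifies if users without a password exist.`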
diff -EruN lynis-1.2.9/lynis lynis-1.2.9_suse/lynis
--- lynis-1.2.9/lynis	2009-12-15 12:09:09.000000000 +0100
+++ lynis-1.2.9_suse/lynis	2010-09-02 07:58:04.795766140 +0200
@@ -455,6 +455,14 @@
     if [ -f ${INCLUDEDIR}/binaries ]; then
         . ${INCLUDEDIR}/binaries
     fi
+
+#
+#################################################################################
+#
+	# init totl number of files
+	FILE_NUM_TOTAL=$(find / -xdev \( -type f -o -type d -o -type s -o -type b -type p -o -type c \) | wc -l | cut -d' ' -f1)
+
+
 #
 #################################################################################
 #
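Review bot: The `find` expression is missing an `-o` between `-type b` and `-type p`, so the two tests are ANDed and can never both be true, which leaves block devices and FIFOs out of `FILE_NUM_TOTAL`; it should read `\( -type f -o -type d -o -type s -o -type b -o -type p -o -type c \)`. The walk of the whole root filesystem runs on every start, ahead of the test selection in the next hunk, so it is paid even when no selected test uses the total; computing it inside the test that needs it would avoid that. `wc -l` reading from a pipe prints only the number, so `| cut -d' ' -f1` can go. The comment has a typo and should read `# init total number of files`.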
@@ -466,9 +474,17 @@
 		       nameservices ports_packages networking printers_spools \
 		       mail_messaging firewalls \
 		       webservers ssh snmp databases ldap php squid logging \
-		       insecure_services banners scheduling accounting \
+		       insecure_services banners scheduling accounting  \
 		       time crypto virtualization mac_frameworks file_integrity hardening_tools \
-		       malware file_permissions homedirs kernel_hardening hardening"
+		       malware file_permissions homedirs kernel_hardening hardening \
+		       file_permissionsDB \
+		       system_dbus \
+		       users_wo_password \
+		       binary_rpath \
+		       tmp_symlinks \
+		       file_permissions_ww \
+		       system_proc \
+		       network_allowed_ports"
       else
         INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
     fi
diff -EruN lynis-1.2.9/prepare_for_suse.sh lynis-1.2.9_suse/prepare_for_suse.sh
--- lynis-1.2.9/prepare_for_suse.sh	1970-01-01 01:00:00.000000000 +0100
+++ lynis-1.2.9_suse/prepare_for_suse.sh	2010-08-30 15:22:08.176094421 +0200
@@ -0,0 +1,31 @@
+#!/bin/bash 
+
+umask 0077
+
+function fileperms()
+{
+	PERMS=$(grep -E "^PERMISSION_SECURITY=" /etc/sysconfig/security | awk -F'=' '{print $2}' | sed s/\"//g)
+	echo $PERMS
+	for p in $PERMS
+	do
+		echo $p
+		cat "/etc/permissions."$p | grep -E "^/\w.*" | awk -F' ' '{print "file:"$1":"$3":"$2":Linux:"}' >> $TMPDIR/fileperms.lst
+	done
+
+	if ! [ -f db/fileperms.db.orig ]; then
+		cp -v db/fileperms.db db/fileperms.db.orig
+	fi
+
+	cp $TMPDIR/fileperms.lst db/fileperms.db
+}
+
+
+
+TMPDIR=$(mktemp -d /tmp/lynis.XXXXXX)
+
+echo "prepare lynis config for your suse systems"
+echo "1. lookup file permission level"
+fileperms
+
+
+#rm -rf $TMPDIR
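Review bot: `cp $TMPDIR/fileperms.lst db/fileperms.db` replaces the permissions database without checking that anything was collected. If a `/etc/permissions.$p` file is missing or has no matching lines, the `>>` redirection still creates an empty list, and the file-permission test would then run against an empty database and report nothing. A guard before the copy, `[ -s "$TMPDIR/fileperms.lst" ] || { echo "no permission entries found" >&2; exit 1; }`, keeps the original database in that case. Every entry is written with the `file:` prefix, although the removed header of db/fileperms.db defines the first field as `file | dir`, so directory entries are presumably mislabelled. The cleanup is commented out, which leaves the temporary directory behind; `trap 'rm -rf -- "$TMPDIR"' EXIT` right after the `mktemp -d` line removes it on every exit path.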