Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:12.1:Update
lynis
lynis-1.2.9_suse.diff
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File lynis-1.2.9_suse.diff of Package lynis
diff -EruN lynis-1.2.9/db/dbus-whitelist.db lynis-1.2.9_suse/db/dbus-whitelist.db --- lynis-1.2.9/db/dbus-whitelist.db 1970-01-01 01:00:00.000000000 +0100 +++ lynis-1.2.9_suse/db/dbus-whitelist.db 2010-08-31 13:54:17.111659655 +0200 @@ -0,0 +1,51 @@ +avahi-dbus.conf +backup-manager.conf +bluetooth.conf +cnetworkmanager.conf +com.google.code.BackupManager.service +com.novell.Pkcs11Monitor.conf +ConsoleKit.conf +cups.conf +fi.epitest.hostap.WPASupplicant.service +galago-daemon.conf +gdm.conf +hal.conf +kerneloops.dbus +knetworkmanager.conf +NetworkManager.conf +newprinternotification.conf +nm-applet.conf +nm-avahi-autoipd.conf +nm-dhcp-client.conf +nm-dispatcher.conf +nm-novellvpn-service.conf +nm-openvpn-service.conf +nm-pptp-service.conf +nm-system-settings.conf +nm-vpnc-service.conf +org.bluez.service +org.freedesktop.ConsoleKit.service +org.freedesktop.ModemManager.conf +org.freedesktop.ModemManager.service +org.freedesktop.NetworkManagerSystemSettings.service +org.freedesktop.nm_dispatcher.service +org.freedesktop.PackageKit.conf +org.freedesktop.PackageKit.service +org.freedesktop.PolicyKit.conf +org.freedesktop.PolicyKit.service +org.gnome.ClockApplet.Mechanism.conf +org.gnome.ClockApplet.Mechanism.service +org.gnome.GConf.Defaults.conf +org.gnome.GConf.Defaults.service +org.opensuse.BackupManager.service +org.opensuse.CupsPkHelper.Mechanism.conf +org.opensuse.CupsPkHelper.Mechanism.service +org.opensuse.yast.SCR.conf +org.opensuse.yast.SCR.service +pommed.conf +powersave.conf +system.d +upsd.conf +wpa_supplicant.conf +xorg-server.conf +yum-updatesd.conf diff -EruN lynis-1.2.9/db/fileperms.db lynis-1.2.9_suse/db/fileperms.db --- lynis-1.2.9/db/fileperms.db 2008-05-31 13:23:24.000000000 +0200 +++ lynis-1.2.9_suse/db/fileperms.db 2010-08-30 18:23:26.048115772 +0200 @@ -1,19 +1,214 @@ -#version=2008053000 -# -# Field definitions -# =============================== -# 1) file | dir -# 2) file name -# 3) file permissions -# 4) file owner -# 5) file group owner -# 6) operating system, or systems -# 7) operating system special -# 8) -# -#================================================== -file:/etc/group:644:root:root:Linux: -file:/etc/gshadow:400:root:root:Linux: -file:/etc/passwd:644:root:root:Linux: -file:/etc/shadow:400:root:root:Linux: - +file:/var/lib/xemacs/lock/:1777:root:root:Linux: +file:/var/run/uscreens/:1777:root:root:Linux: +file:/etc/crontab:44:root:root:Linux: +file:/etc/exports:644:root:root:Linux: +file:/etc/fstab:644:root:root:Linux: +file:/etc/ftpaccess:644:root:root:Linux: +file:/etc/ftpusers:644:root:root:Linux: +file:/etc/inetd.conf:644:root:root:Linux: +file:/etc/inittab:644:root:root:Linux: +file:/etc/mtab:644:root:root:Linux: +file:/etc/rmtab:644:root:root:Linux: +file:/var/lib/nfs/rmtab:644:root:root:Linux: +file:/etc/syslog.conf:644:root:root:Linux: +file:/bin/su:4755:root:root:Linux: +file:/usr/bin/at:4755:root:trusted:Linux: +file:/usr/bin/crontab:4755:root:trusted:Linux: +file:/usr/bin/gpasswd:4755:root:shadow:Linux: +file:/usr/bin/newgrp:4755:root:root:Linux: +file:/usr/bin/passwd:4755:root:shadow:Linux: +file:/usr/bin/chfn:4755:root:shadow:Linux: +file:/usr/bin/chage:4755:root:shadow:Linux: +file:/usr/bin/chsh:4755:root:shadow:Linux: +file:/usr/bin/expiry:4755:root:shadow:Linux: +file:/usr/bin/sudo:4755:root:root:Linux: +file:/usr/sbin/su-wrapper:4755:root:root:Linux: +file:/usr/bin/opiepasswd:4755:root:root:Linux: +file:/usr/bin/opiesu:4755:root:root:Linux: +file:/usr/bin/ncpmount:4750:root:trusted:Linux: +file:/usr/bin/ncpumount:4750:root:trusted:Linux: +file:/sbin/mount.nfs:4755:root:root:Linux: +file:/bin/mount:4755:root:root:Linux: +file:/bin/umount:4755:root:root:Linux: +file:/bin/eject:4755:root:audio:Linux: +file:/usr/bin/fusermount:4755:root:trusted:Linux: +file:/usr/lib/majordomo/wrapper:4755:root:daemon:Linux: +file:/usr/lib/pt_chown:4755:root:root:Linux: +file:/usr/lib64/pt_chown:4755:root:root:Linux: +file:/sbin/unix_chkpwd:4755:root:shadow:Linux: +file:/sbin/unix2_chkpwd:4755:root:shadow:Linux: +file:/usr/sbin/popauth:4755:pop:trusted:Linux: +file:/usr/sbin/pam_auth:4755:root:shadow:Linux: +file:/usr/lib/vte/gnome-pty-helper:2755:root:tty:Linux: +file:/usr/src/packages/SOURCES/:1777:root:root:Linux: +file:/usr/src/packages/BUILD/:1777:root:root:Linux: +file:/usr/src/packages/BUILDROOT/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/alpha/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/alphaev56/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/alphaev67/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/alphaev6/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/arm4l/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/athlon/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/i386/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/i486/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/i586/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/i686/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/ia64/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/mips/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/ppc/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/ppc64/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/powerpc/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/powerpc64/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/s390/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/s390x/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/sparc/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/sparcv9/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/sparc64/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/x86_64/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/armv4l/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/armv5tel/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/armv5tevl/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/armv5tejl/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/armv5tejvl/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/armv6l/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/armv6vl/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/armv7l/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/hppa/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/hppa2.0/:1777:root:root:Linux: +file:/usr/src/packages/RPMS/noarch/:1777:root:root:Linux: +file:/usr/src/packages/SPECS/:1777:root:root:Linux: +file:/usr/src/packages/SRPMS/:1777:root:root:Linux: +file:/usr/bin/v4l-conf:4755:root:video:Linux: +file:/usr/lib/ia32el/suid_ia32x_loader:4755:root:root:Linux: +file:/usr/bin/ntping:4750:root:trusted:Linux: +file:/usr/bin/vlock:2755:root:shadow:Linux: +file:/usr/bin/Xorg:4711:root:root:Linux: +file:/usr/bin/wall:2755:root:tty:Linux: +file:/usr/bin/write:2755:root:tty:Linux: +file:/usr/bin/makeweb:2755:root:www:Linux: +file:/usr/bin/yaps:2755:root:uucp:Linux: +file:/usr/bin/nwsfind:4750:root:trusted:Linux: +file:/usr/bin/ncplogin:4750:root:trusted:Linux: +file:/usr/bin/ncpmap:4750:root:trusted:Linux: +file:/usr/lib/lpdfilter/bin/runlpr:4755:root:root:Linux: +file:/sbin/pccardctl:4755:root:trusted:Linux: +file:/usr/sbin/mgnokiidev:4755:root:uucp:Linux: +file:/usr/lib/pcp/pmpost:4755:root:root:Linux: +file:/usr/lib/mailman/cgi-bin/admin:2755:root:mailman:Linux: +file:/usr/lib/mailman/cgi-bin/admindb:2755:root:mailman:Linux: +file:/usr/lib/mailman/cgi-bin/edithtml:2755:root:mailman:Linux: +file:/usr/lib/mailman/cgi-bin/listinfo:2755:root:mailman:Linux: +file:/usr/lib/mailman/cgi-bin/options:2755:root:mailman:Linux: +file:/usr/lib/mailman/cgi-bin/private:2755:root:mailman:Linux: +file:/usr/lib/mailman/cgi-bin/roster:2755:root:mailman:Linux: +file:/usr/lib/mailman/cgi-bin/subscribe:2755:root:mailman:Linux: +file:/usr/lib/mailman/cgi-bin/confirm:2755:root:mailman:Linux: +file:/usr/lib/mailman/cgi-bin/create:2755:root:mailman:Linux: +file:/usr/lib/mailman/cgi-bin/editarch:2755:root:mailman:Linux: +file:/usr/lib/mailman/cgi-bin/rmlist:2755:root:mailman:Linux: +file:/usr/lib/mailman/mail/mailman:2755:root:mailman:Linux: +file:/usr/lib/libgnomesu/gnomesu-pam-backend:4755:root:root:Linux: +file:/usr/sbin/change-passwd:4755:root:root:Linux: +file:/usr/bin/lppasswd:2755:lp:lp:Linux: +file:/usr/bin/get_printing_ticket:4750:root:lp:Linux: +file:/bin/ping:4755:root:root:Linux: +file:/bin/ping6:4755:root:root:Linux: +file:/usr/sbin/mtr:4750:root:dialout:Linux: +file:/usr/bin/rcp:4755:root:root:Linux: +file:/usr/bin/rlogin:4755:root:root:Linux: +file:/usr/bin/rsh:4755:root:root:Linux: +file:/usr/bin/cl_status:2555:root:haclient:Linux: +file:/usr/sbin/exim:4755:root:root:Linux: +file:/usr/sbin/pppoe-wrapper:4750:root:dialout:Linux: +file:/sbin/isdnctrl:4750:root:dialout:Linux: +file:/usr/bin/vboxbeep:4755:root:trusted:Linux: +file:/usr/lib/mc/cons.saver:4755:root:root:Linux: +file:/usr/bin/jfbterm:6755:root:tty:Linux: +file:/opt/kde3/bin/artswrapper:4755:root:root:Linux: +file:/opt/kde3/bin/kcheckpass:4755:root:shadow:Linux: +file:/usr/lib/kde4/libexec/kcheckpass:4755:root:shadow:Linux: +file:/usr/lib64/kde4/libexec/kcheckpass:4755:root:shadow:Linux: +file:/opt/kde3/bin/kdesud:2755:root:nogroup:Linux: +file:/usr/lib/kde4/libexec/kdesud:2755:root:nogroup:Linux: +file:/usr/lib64/kde4/libexec/kdesud:2755:root:nogroup:Linux: +file:/opt/kde3/bin/kpac_dhcp_helper:4755:root:root:Linux: +file:/opt/kde3/bin/start_kdeinit:4755:root:root:Linux: +file:/usr/lib/kde4/libexec/start_kdeinit:4755:root:root:Linux: +file:/usr/lib64/kde4/libexec/start_kdeinit:4755:root:root:Linux: +file:/usr/bin/fileshareset:4755:root:root:Linux: +file:/usr/sbin/amcheck:4750:root:amanda:Linux: +file:/usr/lib/amanda/calcsize:4750:root:amanda:Linux: +file:/usr/lib/amanda/rundump:4750:root:amanda:Linux: +file:/usr/lib/amanda/planner:4750:root:amanda:Linux: +file:/usr/lib/amanda/runtar:4750:root:amanda:Linux: +file:/usr/lib/amanda/dumper:4750:root:amanda:Linux: +file:/usr/lib/amanda/killpgrp:4750:root:amanda:Linux: +file:/usr/lib/gnats/gen-index:4555:gnats:root:Linux: +file:/usr/lib/gnats/pr-edit:4555:gnats:root:Linux: +file:/usr/lib/gnats/queue-pr:4555:gnats:root:Linux: +file:/usr/lib/news/bin/rnews:4550:news:uucp:Linux: +file:/usr/lib/news/bin/startinnfeed:4554:root:news:Linux: +file:/usr/lib/news/bin/inndstart:4554:root:news:Linux: +file:/usr/lib/news/bin/inews:2555:news:news:Linux: +file:/usr/lib/mgetty+sendfax/faxq-helper:4755:fax:root:Linux: +file:/var/spool/fax/outgoing/:0755:fax:root:Linux: +file:/var/spool/fax/outgoing/locks:0755:fax:root:Linux: +file:/var/spool/uucppublic/:1777:root:root:Linux: +file:/usr/bin/uucp:6555:uucp:uucp:Linux: +file:/usr/bin/uuname:6555:uucp:uucp:Linux: +file:/usr/bin/uustat:6555:uucp:uucp:Linux: +file:/usr/bin/uux:6555:uucp:uucp:Linux: +file:/usr/lib/uucp/uucico:6555:uucp:uucp:Linux: +file:/usr/lib/uucp/uuxqt:6555:uucp:uucp:Linux: +file:/usr/games/atc:2755:games:games:Linux: +file:/usr/games/battlestar:2755:games:games:Linux: +file:/usr/games/canfield:2755:games:games:Linux: +file:/usr/games/cribbage:2755:games:games:Linux: +file:/usr/games/phantasia:2755:games:games:Linux: +file:/usr/games/robots:2755:games:games:Linux: +file:/usr/games/sail:2755:games:games:Linux: +file:/usr/games/snake:2755:games:games:Linux: +file:/usr/games/tetris-bsd:2755:games:games:Linux: +file:/usr/games/Maelstrom:2755:games:games:Linux: +file:/usr/games/pachi:2755:games:games:Linux: +file:/usr/games/martian:2755:games:games:Linux: +file:/usr/lib/nethack/nethack.tty:2755:games:games:Linux: +file:/usr/games/chromium:2755:games:games:Linux: +file:/usr/games/xscrab:2755:games:games:Linux: +file:/usr/games/trackballs:2755:games:games:Linux: +file:/usr/games/ltris:2755:games:games:Linux: +file:/usr/games/xlogical:2755:games:games:Linux: +file:/usr/games/lbreakout2:2755:games:games:Linux: +file:/usr/bin/xgalaga:2755:games:games:Linux: +file:/usr/games/rocksndiamonds:2755:games:games:Linux: +file:/usr/bin/glines:2755:games:games:Linux: +file:/usr/bin/gnibbles:2755:games:games:Linux: +file:/usr/bin/gnobots2:2755:games:games:Linux: +file:/usr/bin/gnometris:2755:games:games:Linux: +file:/usr/bin/gnomine:2755:games:games:Linux: +file:/usr/bin/gnotravex:2755:games:games:Linux: +file:/usr/bin/gnotski:2755:games:games:Linux: +file:/usr/bin/gtali:2755:games:games:Linux: +file:/usr/bin/mahjongg:2755:games:games:Linux: +file:/usr/bin/same-gnome:2755:games:games:Linux: +file:/usr/sbin/zypp-refresh-wrapper:4755:root:root:Linux: +file:/usr/lib/PolicyKit/polkit-set-default-helper:4755:polkituser:root:Linux: +file:/usr/lib/PolicyKit/polkit-read-auth-helper:2755:root:polkituser:Linux: +file:/usr/lib/PolicyKit/polkit-revoke-helper:2755:root:polkituser:Linux: +file:/usr/lib/PolicyKit/polkit-explicit-grant-helper:2755:root:polkituser:Linux: +file:/usr/lib/PolicyKit/polkit-grant-helper:2755:root:polkituser:Linux: +file:/usr/lib/PolicyKit/polkit-grant-helper-pam:4750:root:polkituser:Linux: +file:/usr/lib/polkit-1/polkit-agent-helper-1:4755:root:root:Linux: +file:/usr/bin/pkexec:4755:root:root:Linux: +file:/lib/dbus-1/dbus-daemon-launch-helper:4750:root:messagebus:Linux: +file:/lib64/dbus-1/dbus-daemon-launch-helper:4750:root:messagebus:Linux: +file:/usr/bin/newrole:4755:root:root:Linux: +file:/usr/lib/virtualbox/VirtualBox:4750:root:vboxusers:Linux: +file:/usr/lib/virtualbox/VirtualBox3:4750:root:vboxusers:Linux: +file:/usr/lib/virtualbox/VBoxBFE:4750:root:vboxusers:Linux: +file:/usr/lib/virtualbox/VBoxHeadless:4750:root:vboxusers:Linux: +file:/usr/lib/virtualbox/VBoxSDL:4750:root:vboxusers:Linux: +file:/usr/lib/virtualbox/VBoxNetAdpCtl:4750:root:vboxusers:Linux: +file:/usr/bin/vmware-user-suid-wrapper:4755:root:root:Linux: +file:/var/log/messages:0644:root.root:Linux: diff -EruN lynis-1.2.9/default.prf lynis-1.2.9_suse/default.prf --- lynis-1.2.9/default.prf 2009-12-13 21:25:19.000000000 +0100 +++ lynis-1.2.9_suse/default.prf 2010-08-30 18:23:43.524052641 +0200 @@ -29,6 +29,7 @@ # ** Scan type (how deep test has to be, light, normal or full) ** # config:test_scan_mode:light|normal|full: +config:test_scan_mode:full # ** Skip one or more specific tests ** # (always ignores scan mode and will make sure the test is skipped) @@ -37,7 +38,7 @@ # ** Define the role(s) of a machine ** # Values: desktop|server (default: server) #config:machine_role:server: - +config:machine_role:desktop ################################################################################# @@ -47,91 +48,32 @@ # Define which plugins are enabled # ################################################################################# -# plugin=security_malware -# plugin=security_rootkit -# plugin=files_permissions +plugin_enable=security_malware +plugin_enable=security_rootkit +plugin_enable=plugin_fileperms ################################################################################# # # Sysctl options # --------------- -# sysctl:<Sysctl Key>:<Expected Value>:<Hardening Points>:<Description>: -# -# Sysctl key = name -# Expected value = value of sysctl key -# Hardening points = Number of hardening points. For most keys 1 HP will be suitable -# Description = Text description of key +# sysctl:<sysctl key>:<expected value>: +# The 'expected value' is used to compare with the active value. If they +# differ, the program will mark it with a warning. # ################################################################################# [processes] -#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value: -sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups: -sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users: +sysctl:kern.randompid:1: [kernel] -sysctl:kern.sugid_coredump:0:1:XXX: -sysctl:kernel.core_setuid_ok:0:1:XXX: -sysctl:kernel.core_uses_pid:1:1:XXX: -sysctl:kernel.ctrl-alt-del:0:1:XXX: -sysctl:kernel.exec-shield-randomize:1:1:XXX: -sysctl:kernel.exec-shield:1:1:XXX: -sysctl:kernel.sysrq:0:1:Disable magic SysRQ: -sysctl:kernel.use-nx:0:1:XXX: +sysctl:kern.sugid_coredump:0: [network] -sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address: -sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: -sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: -sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing: -sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic: -sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic: -sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: -sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects: -sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing: -sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets: -sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing: -sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source: -sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing: -sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets: -sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets: -sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing: -sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source: -sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address: -sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore -#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic: -sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack: -sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps: -sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects: -sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: -sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: +sysctl:net.inet.tcp.blackhole:2: +sysctl:net.inet.udp.blackhole:1: [security] -#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level: -#security.jail.jailed: 0 -#security.jail.jail_max_af_ips: 255 -#security.jail.mount_allowed: 0 -#security.jail.chflags_allowed: 0 -#security.jail.allow_raw_sockets: 0 -#security.jail.enforce_statfs: 2 -#security.jail.sysvipc_allowed: 0 -#security.jail.socket_unixiproute_only: 1 -#security.jail.set_hostname_allowed: 1 -#security.bsd.suser_enabled: 1 -#security.bsd.unprivileged_proc_debug: 1 -#security.bsd.conservative_signals: 1 -#security.bsd.unprivileged_read_msgbuf: 1 -#security.bsd.hardlink_check_gid: 0 -#security.bsd.hardlink_check_uid: 0 -#security.bsd.unprivileged_get_quota: 0 - +sysctl:kern.securelevel:3: ################################################################################# @@ -167,17 +109,6 @@ ################################################################################# # -# NTP options -# -################################################################################# - -# Ignore some stratum 16 hosts (for example when running as time source itself) -#ntp:ignore_stratum_16_peer:127.0.0.1: -#ntp:ignore_stratum_16_peer:1.2.3.4: - - -################################################################################# -# # File/directories permissions (currently not used yet) # ################################################################################# @@ -187,8 +118,8 @@ #scanfile:/etc/rc.conf:FreeBSD configuration: # Scan for exact directory name match -#[scandirs] -#scandir:/etc:/etc directory: +[scandirs] +scandir:/etc:/etc directory: ################################################################################# @@ -205,7 +136,7 @@ #permfile:/etc/inetd.conf:rw-------:root:-:WARN: #permfile:/etc/fstab:rw-r--r--:root:-:WARN: -permfile:/etc/lilo.conf:rw-------:root:-:WARN: +#permfile:/etc/lilo.conf:rw-------:root:-:WARN: ################################################################################# @@ -217,10 +148,11 @@ ################################################################################# permdir:/root/.ssh:rwx------:root:-:WARN: +permdir:/root/.gnupg:rwx------:root:-:WARN: # Scan for a program/binary in BINPATHs #scanbinary:Rootkit Hunter:rkhunter: - +scanbinary:ChkRootKit:chkrootkit ################################################################################# # @@ -253,4 +185,3 @@ # Define if available NTP daemon is configured as a server or client on the network # values: server or client (default: client) #config:ntpd_role:client: - diff -EruN lynis-1.2.9/include/consts lynis-1.2.9_suse/include/consts --- lynis-1.2.9/include/consts 2009-03-15 14:10:37.000000000 +0100 +++ lynis-1.2.9_suse/include/consts 2010-09-01 13:30:22.584145341 +0200 @@ -68,6 +68,7 @@ CHKROOTKITBINARY="" CHKCONFIGBINARY="" FILEVALUE="" + FILE_NUM_TOTAL=0 FIND="" GRPCKBINARY="" IPTABLESBINARY="" diff -EruN lynis-1.2.9/include/tests_binary_rpath lynis-1.2.9_suse/include/tests_binary_rpath --- lynis-1.2.9/include/tests_binary_rpath 1970-01-01 01:00:00.000000000 +0100 +++ lynis-1.2.9_suse/include/tests_binary_rpath 2010-09-01 22:53:15.037731414 +0200 @@ -0,0 +1,84 @@ +#!/bin/bash + +################################################################################# +# +# Author: Thomas Biege <thomas@suse.de> +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Verifies if a binary contains an insecure RPATH variable. +# +################################################################################# +# +# TODO: +# +################################################################################ +# + InsertSection "Binary integrity" + report "[Software]" +# +################################################################################# +# + # Test : BINARY-1000 + # Description : Verifies if a binary contains an insecure RPATH variable. + Register --test-no BINARY-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable." + if [ ${SKIPTEST} -eq 0 ]; then + Display --indent 2 --text "- Starting binary RPATH check..." + logtext "Test: Checking binary integrity of RPATH" + + RPNOTOK=0 + FILENUM=0 + HPMAX=0 + HPBAD=0 + for FILE in $(find / -xdev -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null) + do + ((FILENUM++)) + for RPATH_VAL in $(objdump -p "$FILE" 2>/dev/null | egrep -w '(RPATH|RUNPATH)' | awk '{ print $2 ":"}') + do + ((HPMAX++)) + if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue; fi + while [ -n "$RPATH_VAL" ] + do + RPATH_VAL_NXT=${RPATH_VAL%%:*} + RPATH_VAL=${RPATH_VAL##$RPATH_VAL_NXT:} + test -d "$RPATH_VAL_NXT" && RPATH_VAL_NXT=$(cd ${RPATH_VAL_NXT//#\/\//\/}; pwd -P) + + case ":$RPATH_VAL_NXT" in + :/usr/lib*) + ;; + :/lib*) + ;; + :/opt/*/lib*) + ;; + :/usr/X11R6/lib*) + ;; + :/usr/local/lib*) + ;; + *) + ((HPBAD++)) + RPNOTOK=1; + Display --indent 4 --text "${FILE}" --text "RPATH \"$RPATH_VAL_NXT\" on $FILE is not allowed" --result WARNING --color RED + esac + done + done + done + if [ $RPNOTOK == 0 ]; then + Display --indent 4 --text "No bad RPATH usage found in $FILENUM executables" --result OK --color GREEN + fi + HP=$(expr $HPMAX - $HPBAD) +# echo "AddHP $HP $HPMAX" + AddHP $HP $HPMAX + + fi +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ diff -EruN lynis-1.2.9/include/tests_file_permissionsDB lynis-1.2.9_suse/include/tests_file_permissionsDB --- lynis-1.2.9/include/tests_file_permissionsDB 1970-01-01 01:00:00.000000000 +0100 +++ lynis-1.2.9_suse/include/tests_file_permissionsDB 2010-09-01 14:12:03.432001883 +0200 @@ -0,0 +1,77 @@ +#!/bin/sh + +################################################################################# +# +# Author: Thomas Biege <thomas@suse.de> +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# File permissions from db file +# +################################################################################# +# +# TODO: +# - owner can have ':' and '.' as delimiter, '.' will cause an error -> fix it! +# - octal perms starting with 0 are valid but will cause an error -> fix it! +# +################################################################################ +# + InsertSection "File systems" +# +################################################################################# +# + # Test : FILE-7525 + # Description : Perform file permissions check + Register --test-no FILE-7525 --weight L --network NO --description "Perform file permissions check from DB" + if [ ${SKIPTEST} -eq 0 ]; then + DB="${DBDIR}/fileperms.db" + Display --indent 2 --text "- Starting file permissions check from DB..." + logtext "Test: Checking file permissions from DB" + logtext "Using database ${DB}." + + HPMAX=0 + HPBAD=0 + for LINE in $(cat $DB) + do + ((HPMAX++)) + FN=$(echo $LINE | cut -d: -f2) + PM=$(echo $LINE | cut -d: -f3) + UN=$(echo $LINE | cut -d: -f4) + GN=$(echo $LINE | cut -d: -f5) + OS=$(echo $LINE | cut -d: -f6) + if [ -z $OS ]; then + logtext "Warning: line format invalid: '$LINE'" + fi + + logtext "Checking $FN" + + STR="$PM:$UN:$GN" + STAT=$(stat --printf="%a:%U:%G" $FN 2>/dev/null) + if [ -z $STAT ]; then + #Display --indent 4 --text "${FN}" --result "NOT FOUND" --color WHITE + continue; + fi + if ! [ "$STR" == "$STAT" ]; then + ((HPBAD++)) + Display --indent 4 --text "${FN}" --result WARNING --color RED + else + Display --indent 4 --text "${FN}" --result OK --color GREEN + fi + done + + HP=$(expr $HPMAX - $HPBAD) +# echo "AddHP $HP $HPMAX" + AddHP $HP $HPMAX + fi +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ diff -EruN lynis-1.2.9/include/tests_file_permissions_ww lynis-1.2.9_suse/include/tests_file_permissions_ww --- lynis-1.2.9/include/tests_file_permissions_ww 1970-01-01 01:00:00.000000000 +0100 +++ lynis-1.2.9_suse/include/tests_file_permissions_ww 2010-09-01 22:52:58.827762122 +0200 @@ -0,0 +1,52 @@ +#!/bin/sh + +################################################################################# +# +# Author: Thomas Biege <thomas@suse.de> +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# File permissions world-writeable file +# +################################################################################# +# +# TODO: +# +################################################################################ +# + InsertSection "File systems" +# +################################################################################# +# + # Test : FILE-7527 + # Description : Perform file permissions check + Register --test-no FILE-7527 --weight L --network NO --description "Lookup world-writeable files." + if [ ${SKIPTEST} -eq 0 ]; then + Display --indent 2 --text "- Starting file permissions check for world-writeable files..." + logtext "Test: Checking for world-writeable files" + + TMP=$(mktemp /tmp/lynis.XXXXXX) + HPMAX=$FILE_NUM_TOTAL + HP=$HPMAX + find / -xdev \( -type f -o -type d -o -type s -o -type b -type p -o -type c \) -a -perm -0002 -print 2>/dev/null > $TMP + for i in $(cat $TMP) + do + ((HP--)) + Display --indent 4 --text "${i} is world-writeable" --result WARNING --color RED + done +# echo "AddHP $HP $HPMAX" + AddHP $HP $HPMAX + rm -f $TMP + fi +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ diff -EruN lynis-1.2.9/include/tests_network_allowed_ports lynis-1.2.9_suse/include/tests_network_allowed_ports --- lynis-1.2.9/include/tests_network_allowed_ports 1970-01-01 01:00:00.000000000 +0100 +++ lynis-1.2.9_suse/include/tests_network_allowed_ports 2010-09-01 13:16:25.036189511 +0200 @@ -0,0 +1,84 @@ +#!/bin/bash + +################################################################################# +# +# Author: Thomas Biege <thomas@suse.de> +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Verifies open network ports. +# +################################################################################# +# +# TODO: +# +################################################################################ +# + InsertSection "Networking" +# +################################################################################# +# + # Test : NETW-3085 + # Description : Verifies dbus policy. + Register --test-no NETW-3085 --weight L --network NO --description "Verifies open network ports." + if [ ${SKIPTEST} -eq 0 ]; then + ALLOWED_PORTS=( 22 25 68 80 111 443 ) + TMP=$(mktemp /tmp/lynis.XXXXXX) + + STR="${ALLOWED_PORTS[@]:0}" + Display --indent 2 --text "- Starting verifying open network ports ($STR)..." + logtext "Test: Checking open network ports" + logtext "Allowed ports: $STR" + + netstat -an | grep -i listen > $TMP + PORTS=($(cat $TMP | awk '{ print $4 }' | sed 's/.*://;s/ACC//' | sort -un)) + + + IDX_P=0 + LEN_P=${#PORTS[@]} + NUM_NOTOK=0 + while [ $IDX_P -lt $LEN_P ] + do + IDX_A=0 + LEN_A=${#ALLOWED_PORTS[@]} + PORTOK=0 + while [ $IDX_A -lt $LEN_A ] + do +# echo "${PORTS[$IDX_P]} vs. ${ALLOWED_PORTS[$IDX_A]}" + if [ ${PORTS[$IDX_P]} == ${ALLOWED_PORTS[$IDX_A]} ] + then + PORTOK=1 + break + fi + ((IDX_A++)) + done + if [ $PORTOK -eq 0 ] + then + ((NUM_NOTOK++)) + P=${PORTS[$IDX_P]} + Display --indent 4 --text "Open port ${P} not allowed" --result WARNING --color RED + fi + + ((IDX_P++)) + done + + HPMAX=$LEN_A + HP=$(expr $LEN_A - $NUM_NOTOK) + if [ $HP -lt 0 ]; then HP=0; fi + + AddHP $HP $HPMAX + + rm -f $TMP + fi +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ diff -EruN lynis-1.2.9/include/tests_system_dbus lynis-1.2.9_suse/include/tests_system_dbus --- lynis-1.2.9/include/tests_system_dbus 1970-01-01 01:00:00.000000000 +0100 +++ lynis-1.2.9_suse/include/tests_system_dbus 2010-09-01 14:22:45.700133034 +0200 @@ -0,0 +1,79 @@ +#!/bin/bash + +################################################################################# +# +# Author: Thomas Biege <thomas@suse.de> +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Verifies dbus policy. +# +################################################################################# +# +# TODO: +# +################################################################################ +# + InsertSection "System Tools" + report "[Software]" +# +################################################################################# +# + # Test : SYSTEM-1000 + # Description : Verifies dbus policy. + Register --test-no SYSTEM-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable." + if [ ${SKIPTEST} -eq 0 ]; then + Display --indent 2 --text "- Starting dbus policy check..." + logtext "Test: Checking dbus policy" + + DB="${DBDIR}/dbus-whitelist.db" + + if ! [ -f $DB ] + then + if [ -f ./dbus-whitelist.db ] + then + DB="./dbus-whitelist.db" + else + logtext "Warning: dbus autostart/system services whitelist file is missing." + return + fi + fi + WHITELIST=$(cat $DB) + HPMAX=$(wc -l $DB | cut -d' ' -f1) + HPBAD=0 + E=$(ls -1 /usr/share/dbus-*/system-services/*.service /etc/dbus-*/system.d/*.conf 2>/dev/null) + if ! [ -z "$E" ] + then + for i in $E + do + DF=$(basename $i) + + FOUND=0 + for j in $WHITELIST + do + if [ "$DF" == "$j" ]; then FOUND=1; fi + done + if [ $FOUND -eq 0 ] + then + ((HPBAD++)) + PKG=$(rpm -qf "$i") + Display --indent 4 --text "Warning: Package $PKG installs an unknown D-BUS autostart/system service: $DF" --result WARNING --color RED + fi + done + fi + HP=$(expr $HPMAX - $HPBAD) +# echo "AddHP $HP $HPMAX" + AddHP $HP $HPMAX + fi +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ diff -EruN lynis-1.2.9/include/tests_system_proc lynis-1.2.9_suse/include/tests_system_proc --- lynis-1.2.9/include/tests_system_proc 1970-01-01 01:00:00.000000000 +0100 +++ lynis-1.2.9_suse/include/tests_system_proc 2010-09-01 13:25:41.784037408 +0200 @@ -0,0 +1,59 @@ +#!/bin/bash + +################################################################################# +# +# Author: Thomas Biege <thomas@suse.de> +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Checking for processes running as 'nobody' +# +################################################################################# +# +# TODO: +# +################################################################################ +# + InsertSection "Memory and processes" +# +################################################################################# +# + # Test : PROC-3625 + # Description : Processes running as 'nobody' + Register --test-no PROC-3625 --weight L --network NO --description "Processes running as 'nobody'." + if [ ${SKIPTEST} -eq 0 ]; then + Display --indent 2 --text "- Starting look-up of 'nobody' processes..." + logtext "Test: Checking for processes running as 'nobody'" + + TMP=$(mktemp /tmp/lynis.XXXXXX) + TMP2=$(mktemp /tmp/lynis.XXXXXX) + ps -eo uname,pid,comm | tr -s " " | sed "s/ /:/g" > $TMP + HPMAX=$(wc -l $TMP | cut -d' ' -f1) + grep '^nobody' $TMP > $TMP2 + + HP=$HPMAX + for i in $(cat $TMP2) + do + ((HP--)) + PID=$(echo $i | cut -d: -f2) + PNAME=$(echo $i | cut -d: -f3) + Display --indent 4 --text "${PNAME} [PID ${PID}] runs as user 'nobody'" --result WARNING --color RED + done + +# echo "AddHP $HP $HPMAX" + AddHP $HP $HPMAX + + rm -f $TMP $TMP2 + fi +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ diff -EruN lynis-1.2.9/include/tests_tmp_symlinks lynis-1.2.9_suse/include/tests_tmp_symlinks --- lynis-1.2.9/include/tests_tmp_symlinks 1970-01-01 01:00:00.000000000 +0100 +++ lynis-1.2.9_suse/include/tests_tmp_symlinks 2010-08-31 11:34:46.696758595 +0200 @@ -0,0 +1,50 @@ +#!/bin/sh + +################################################################################# +# +# Author: Thomas Biege <thomas@suse.de> +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Looks up symlinks in /tmp +# +################################################################################# +# +# TODO: +# - also verify other tmp localtions like /var/tmp and ~/tmp +# +################################################################################ +# + InsertSection "File systems" +# +################################################################################# +# + # Test : FILE-7526 + # Description : Looks up symlinks in /tmp + Register --test-no FILE-7526 --weight L --network NO --description "Looks up symlinks in /tmp" + if [ ${SKIPTEST} -eq 0 ]; then + Display --indent 2 --text "- Starting look-up of symlinks in /tmp..." + logtext "Test: Checking /tmp for symlinks" + + TMP_SYMLINK=$(find /tmp -type l -print 2>/dev/null) + + if [ "$TMP_SYMLINK" ] + then + for sym in $TMP_SYMLINK + do + Display --indent 4 --text "${sym}" --result WARNING --color RED + done + fi + fi +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ diff -EruN lynis-1.2.9/include/tests_users_wo_password lynis-1.2.9_suse/include/tests_users_wo_password --- lynis-1.2.9/include/tests_users_wo_password 1970-01-01 01:00:00.000000000 +0100 +++ lynis-1.2.9_suse/include/tests_users_wo_password 2010-09-01 14:07:43.820127326 +0200 @@ -0,0 +1,58 @@ +#!/bin/bash + +################################################################################# +# +# Author: Thomas Biege <thomas@suse.de> +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Verifies dbus policy. +# +################################################################################# +# +# TODO: +# +################################################################################ +# + InsertSection "Users, Groups and Authentication" + report "[Software]" +# +################################################################################# +# + # Test : AUTH-1000 + # Description : Verifies dbus policy. + Register --test-no AUTH-1000 --weight M --network NO --description "Verifies if users without a password exist." + if [ ${SKIPTEST} -eq 0 ]; then + Display --indent 2 --text "- Starting password check for users..." + logtext "Test: Checking existence of password" + + TMPDIR=$(mktemp -d /tmp/lynis.XXXXXX) + HPMAX=$(wc -l /etc/passwd | cut -d' ' -f1) + awk -F: '$2 == "" && $1 != "+" {print $1}' /etc/passwd > $TMPDIR/userwopwd + awk -F: '$2 == "" && $1 != "+" {print $1}' /etc/shadow >> $TMPDIR/userwopwd + sort -u $TMPDIR/userwopwd > $TMPDIR/userwopwd2 + HPBAD=0 + for i in $(cat $TMPDIR/userwopwd2) + do + ((HPBAD++)) + Display --indent 4 --text "${i} has no password set" --result WARNING --color RED + done + + HP=$(expr $HPMAX - $HPBAD) +# echo "AddHP $HP $HPMAX" + AddHP $HP $HPMAX + + rm -rf $TMPDIR + fi +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ diff -EruN lynis-1.2.9/lynis lynis-1.2.9_suse/lynis --- lynis-1.2.9/lynis 2009-12-15 12:09:09.000000000 +0100 +++ lynis-1.2.9_suse/lynis 2010-09-02 07:58:04.795766140 +0200 @@ -455,6 +455,14 @@ if [ -f ${INCLUDEDIR}/binaries ]; then . ${INCLUDEDIR}/binaries fi + +# +################################################################################# +# + # init totl number of files + FILE_NUM_TOTAL=$(find / -xdev \( -type f -o -type d -o -type s -o -type b -type p -o -type c \) | wc -l | cut -d' ' -f1) + + # ################################################################################# # @@ -466,9 +474,17 @@ nameservices ports_packages networking printers_spools \ mail_messaging firewalls \ webservers ssh snmp databases ldap php squid logging \ - insecure_services banners scheduling accounting \ + insecure_services banners scheduling accounting \ time crypto virtualization mac_frameworks file_integrity hardening_tools \ - malware file_permissions homedirs kernel_hardening hardening" + malware file_permissions homedirs kernel_hardening hardening \ + file_permissionsDB \ + system_dbus \ + users_wo_password \ + binary_rpath \ + tmp_symlinks \ + file_permissions_ww \ + system_proc \ + network_allowed_ports" else INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}" fi diff -EruN lynis-1.2.9/prepare_for_suse.sh lynis-1.2.9_suse/prepare_for_suse.sh --- lynis-1.2.9/prepare_for_suse.sh 1970-01-01 01:00:00.000000000 +0100 +++ lynis-1.2.9_suse/prepare_for_suse.sh 2010-08-30 15:22:08.176094421 +0200 @@ -0,0 +1,31 @@ +#!/bin/bash + +umask 0077 + +function fileperms() +{ + PERMS=$(grep -E "^PERMISSION_SECURITY=" /etc/sysconfig/security | awk -F'=' '{print $2}' | sed s/\"//g) + echo $PERMS + for p in $PERMS + do + echo $p + cat "/etc/permissions."$p | grep -E "^/\w.*" | awk -F' ' '{print "file:"$1":"$3":"$2":Linux:"}' >> $TMPDIR/fileperms.lst + done + + if ! [ -f db/fileperms.db.orig ]; then + cp -v db/fileperms.db db/fileperms.db.orig + fi + + cp $TMPDIR/fileperms.lst db/fileperms.db +} + + + +TMPDIR=$(mktemp -d /tmp/lynis.XXXXXX) + +echo "prepare lynis config for your suse systems" +echo "1. lookup file permission level" +fileperms + + +#rm -rf $TMPDIR
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor