[tool] Unix auditing, Lynis 1.2.5

A new version of Lynis is available, which includes currently over 200 tests to assist auditors and security administrators to audit their Unix machines. The tool can be executed without a required installation and displays the outcome of the tests on the screen. Extended information can be found in the log file, including all the results of tests.

After many releases I want to ask to try this new version and give me input about what you like to see when checking Unix systems for their security strengths and weaknesses.

More information and a download link can be found on the project page:
http://www.rootkit.nl/projects/lynis.html

Regards,

Michael Boelen
--
Original author of Rootkit Hunter and Lynis - http://www.rootkit.nl
|
|
Re: [tool] Unix auditing, Lynis 1.2.5

M. Boelen wrote:
> A new version of Lynis is available, which includes currently over 200 > Great work. :) But i found it doesn't include the openldap configuration directory (/etc/openldap) for RHEL/CentOS. Patch attached: --- include/tests_ldap.orig 2009-03-28 17:40:45.000000000 +0800 +++ include/tests_ldap 2009-03-28 17:41:00.000000000 +0800 @@ -22,7 +22,7 @@ # ################################################################################# # - SLAPD_CONF_LOCS="/usr/local/etc/openldap /etc/ldap" + SLAPD_CONF_LOCS="/usr/local/etc/openldap /etc/ldap /etc/openldap" SLAPD_CONF_LOCATION="" SLAPD_RUNNING=0 # -- Best regards. Zhang Huangbin - Open Source Mail Server Solution for RHEL/CentOS 5.x: http://code.google.com/p/iredmail/ |
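Review bot: The SLAPD_CONF_LOCS line in include/tests_ldap now carries three directories with nothing recording which platform each one is for; a short comment above it, noting that /etc/openldap is the RHEL/CentOS location as stated in this mail, would keep the list maintainable as more paths are added. The new directory is also appended last, and the code that walks the list is not part of this hunk, so it is worth confirming whether the first existing directory wins: if it does, a host that still has a leftover /usr/local/etc/openldap would be audited against that directory rather than the packaged configuration in /etc/openldap.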
|
|
Re: [tool] Unix auditing, Lynis 1.2.5

M. Boelen wrote:
> A new version of Lynis is available

filesystem ACL support detect is incorrect on CentOS/RHEL 5.x.

It doesn't include 'acl' option in /etc/fstab, but you can check it like below:

----
# mount | grep '/ '
/dev/hda1 on / type ext3 (rw)

# tune2fs -l /dev/hda1 | grep -i acl
Default mount options: user_xattr acl
----

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL/CentOS 5.x:
http://code.google.com/p/iredmail/
|
|
Re: [tool] Unix auditing, Lynis 1.2.5

M. Boelen wrote:
> A new version of Lynis is available, which includes currently over 200

Another error on RHEL/CentOS 5.x platform:

----
- Checking PAM modules [ FOUND ]
passwd: bad argument --all: unknown option
----

In passwd(1), doesn't mention '--all'.

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL/CentOS 5.x:
http://code.google.com/p/iredmail/
|
|
Re: [tool] Unix auditing, Lynis 1.2.5

quoted from man mount

Mount options for ext2
The 'ext2' file system is the standard Linux file system. Since Linux 2.5.46, for most mount options the default is determined by the filesystem superblock. Set them with tune2fs(8).

acl / noacl
Support POSIX Access Control Lists (or not).

are you sure there has no "acl" option ?

Best Regards,
Quentin
BBA, CISSP #322276, MHKIM, PMHKLA, RHCE, BCCPP, BCWAA, LPIC-1
candidate of PMP, C|EH, C|HFI, ECSA, CIA

----- Original Message -----
From: "Zhang Huangbin" <zhbmaillistonly@...>
To: "M. Boelen" <michael@...>
Cc: <focus-linux@...>
Sent: Saturday, March 28, 2009 5:49 PM
Subject: Re: [tool] Unix auditing, Lynis 1.2.5

> M. Boelen wrote:
>> A new version of Lynis is available
>
> filesystem ACL support detect is incorrect on CentOS/RHEL 5.x.
>
> It doesn't include 'acl' option in /etc/fstab, but you can check it like
> below:
>
> ----
> # mount | grep '/ '
> /dev/hda1 on / type ext3 (rw)
>
> # tune2fs -l /dev/hda1 | grep -i acl
> Default mount options: user_xattr acl
> ----
>
> --
> Best regards.
>
> Zhang Huangbin
>
> - Open Source Mail Server Solution for RHEL/CentOS 5.x:
> http://code.google.com/p/iredmail/
|
|
Re: [tool] Unix auditing, Lynis 1.2.5

Quentin Chung@Programmer wrote:
> are you sure there has no "acl" option ?

Absolutely.

On my laptop (RHEL 5.3, x86_64):

----
# cat /etc/fstab |grep '/ '
LABEL=/ / ext3 defaults 1 1

# e2label /dev/sda3
/

# tune2fs -l /dev/sda3 |grep acl
Default mount options: user_xattr acl
----

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL/CentOS 5.x:
http://code.google.com/p/iredmail/
|
|
Re: [tool] Unix auditing, Lynis 1.2.5

from tune2fs man page:

-o [^]mount-option[,...]
Set or clear the indicated default mount options in the filesystem. Default mount options can be overridden by mount options specified either in /etc/fstab(5) or on the command line arguments to mount(8). Older kernels may not support this feature; in particular, kernels which predate 2.4.20 will almost certainly ignore the default mount options field in the superblock.

More than one mount option can be cleared or set by separating features with commas. Mount options prefixed with a caret character ('^') will be cleared in the filesystem's superblock; mount options without a prefix character or prefixed with a plus character ('+') will be added to the filesystem.

The following mount options can be set or cleared using tune2fs:

see also
http://magazine.redhat.com/2007/06/07/tips-from-an-rhce-new-default-mount-options-in-red-hat-enterprise-linux-5/
Tips from an RHCE: New default mount options in Red Hat Enterprise Linux 5

Best Regards,
Quentin
BBA, CISSP #322276, MHKIM, PMHKLA, RHCE, BCCPP, BCWAA, LPIC-1
candidate of PMP, C|EH, C|HFI, ECSA, CIA

----- Original Message -----
From: "Zhang Huangbin" <zhbmaillistonly@...>
To: "Quentin Chung@Programmer" <quentin.chung@...>
Cc: "M. Boelen" <michael@...>; <focus-linux@...>
Sent: Monday, March 30, 2009 4:13 PM
Subject: Re: [tool] Unix auditing, Lynis 1.2.5

> Quentin Chung@Programmer wrote:
>> are you sure there has no "acl" option ?
>
> Absolutely.
>
> On my laptop (RHEL 5.3, x86_64):
> ----
> # cat /etc/fstab |grep '/ '
> LABEL=/ / ext3 defaults 1 1
>
> # e2label /dev/sda3
> /
>
> # tune2fs -l /dev/sda3 |grep acl
> Default mount options: user_xattr acl
> ----
>
> --
> Best regards.
>
> Zhang Huangbin
>
> - Open Source Mail Server Solution for RHEL/CentOS 5.x:
> http://code.google.com/p/iredmail/
|
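The precedence discussed in the messages above (options in /etc/fstab override the default mount options stored in the superblock and reported by tune2fs), as an added example that is not part of the thread or of Lynis. The function names and the sample tune2fs text are constructed for illustration, and options given only on the mount(8) command line are not considered.

```shell
# Added example: decide whether POSIX ACLs are in effect for an ext2/ext3 mount.
# Inputs are passed as text so the logic can be exercised offline; on a live
# host they would come from /etc/fstab (4th field) and `tune2fs -l <device>`.

# has_opt <comma-separated-options> <option>: exact-match lookup, so that
# "noacl" never satisfies a search for "acl".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# superblock_defaults <tune2fs -l output>: print the "Default mount options"
# value as a comma-separated list ("(none)" becomes an empty list).
superblock_defaults() {
    printf '%s\n' "$1" | awk -F: '
        /^Default mount options:/ {
            v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (v == "(none)") v = ""
            gsub(/[ \t]+/, ",", v)
            print v
            exit
        }'
}

# acl_state <fstab options> <tune2fs -l output>
# Prints: enabled-fstab | disabled-fstab | enabled-superblock | disabled
acl_state() {
    fstab_opts=$1
    sb_opts=$(superblock_defaults "$2")
    if has_opt "$fstab_opts" noacl; then
        echo disabled-fstab          # explicit override wins over superblock
    elif has_opt "$fstab_opts" acl; then
        echo enabled-fstab
    elif has_opt "$sb_opts" acl; then
        echo enabled-superblock      # the RHEL/CentOS 5.x case in this thread
    else
        echo disabled
    fi
}

# Constructed sample mirroring the tune2fs line quoted in the thread.
SAMPLE_TUNE2FS='Filesystem volume name:   /
Default mount options:    user_xattr acl
Filesystem state:         clean'
acl_state defaults "$SAMPLE_TUNE2FS"
```
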
|
Re: [tool] Unix auditing, Lynis 1.2.5

hi,

very fine!! here are some errors on debian (5.0) lenny:

- Locate database... [ NOT FOUND ]
Aufruf: locate [-d path | --database=path] [-e | -E | --[non-]existing] [-i | --ignore-case] [-w | --wholename] [-b | --basename] [--limit=N | -l N] [-S | --statistics] [-0 | --null] [-c | --count] [-P | -H | --nofollow] [-L | --follow] [-m | --mmap ] [ -s | --stdio ] [-A | --all] [-p | --print] [-r | --regex ] [--regextype=TYPE] [--max-database-age D] [--version] [--help] Muster...

locate-database was present!

########################################

- Checking Exim status... [ NOT FOUND ]

but running exim4 debian source-package self-compiled but std. installation path not changed:
/usr/sbin/exim4
/etc/exim4

########################################

[+] Scheduled tasks
------------------------------------
find: "/var/spool/crontabls": Datei oder Verzeichnis nicht gefunden

########################################

that's it!!

cheers,
chris

---------- Original Message ----------
From: "M. Boelen" <"M. Boelen" <michael@...>>
To: "focus-linux@..." <focus-linux@...>
Subject: [tool] Unix auditing, Lynis 1.2.5

On Friday, 27 March 2009, M. Boelen wrote:
> A new version of Lynis is available, which includes currently over 200
> tests to assist auditors and security administrators to audit their Unix
> machines. The tool can be executed without a required installation and
> displays the outcome of the tests on the screen. Extended information
> can be found in the log file, including all the results of tests.
>
> After many releases I want to ask to try this new version and give me
> input about what you like to see when checking Unix systems for their
> security strengths and weaknesses.
>
> More information and a download link can be found on the project page:
> http://www.rootkit.nl/projects/lynis.html
>
> Regards,
>
> Michael Boelen
> --
> Original author of Rootkit Hunter and Lynis - http://www.rootkit.nl

-------------------------------------------------------
|
|
RE: [tool] Unix auditing, Lynis 1.2.5

Michael,

Lynis looks like it has a good future and potential. I've noticed that several bugs have been reported against your recently published edition.

I'm curious if you've a production 'schedule' of any sort? Are you doing all the work on this, or do you have some assistance? Will you be releasing a new version with bug-corrections anytime soon? Would you have something like Bugzilla where bugs can be submitted and tracked (or considered it)?

I look forward to trying it out and would be willing to give feedback on what I find. Other than the public mailing list where other bugs have been reported recently, do you have another method you prefer for bug reports?

Good luck with your Linux security audit tool!

R,
-Joe Wulf, CISSP, VCP, USN(RET)
Senior IA Engineer
ProSync Technology Group, LLC
www.prosync.com

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of M. Boelen
Sent: Friday, March 27, 2009 13:55
To: focus-linux@...
Subject: [tool] Unix auditing, Lynis 1.2.5

A new version of Lynis is available, which includes currently over 200 tests to assist auditors and security administrators to audit their Unix machines. The tool can be executed without a required installation and displays the outcome of the tests on the screen. Extended information can be found in the log file, including all the results of tests.

After many releases I want to ask to try this new version and give me input about what you like to see when checking Unix systems for their security strengths and weaknesses.

More information and a download link can be found on the project page:
http://www.rootkit.nl/projects/lynis.html

Regards,

Michael Boelen
--
Original author of Rootkit Hunter and Lynis - http://www.rootkit.nl