Your message dated Tue, 18 Feb 2014 21:22:06 +0000
with message-id <[email protected]>
and subject line Bug#737173: fixed in lynis 1.4.0-1
has caused the Debian Bug report #737173,
regarding lynis: Added test to tests_filesystems for Ecryptfs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
737173: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737173
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lynis
Version: 1.3.9-1
Severity: normal

Dear Maintainer,

I've put together a pair of short patches for your consideration. The patches add tests that check if Ecryptfs is installed and, if it is, then check if ecryptfs-migrate-home (or another method) has been used to configure each user's home directory (UID >= 500 && != 65534) to use it.

I believe the use of Ecryptfs could be valuable for anyone using a laptop or any system with multiple users. This could add to the hardened status of the system that Lynis is testing for many users.

The patch I've worked up is missing a test number (FILE-####) that the other tests have and may need to be submitted upstream to get one.

What do you think, would this be a worthwhile addition to Lynis?

Thanks,

Dave Vehrs

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

lynis depends on no packages.

Versions of packages lynis recommends:
ii  menu  2.1.46

Versions of packages lynis suggests:
ii  dnsutils  1:9.8.4.dfsg.P1-6+nmu3

-- no debconf information

--
Dave Vehrs                           [email protected]

--- binaries.orig	2014-01-27 17:31:06.193667725 -0700
+++ binaries	2014-01-28 20:24:33.913326347 -0700
@@ -69,6 +69,8 @@
                         dig)                    if [ -f ${BINARY} ]; then DIGFOUND=1;                          DIGBINARY=${BINARY};                   logtext "  Found known binary: dig (network/dns tool) - ${BINARY}";                                    fi ;;
                         dnsdomainname)          DNSDOMAINNAMEFOUND=1;  DNSDOMAINNAMEBINARY="${BINARY}";                                               logtext "  Found known binary: dnsdomainname (DNS domain) - ${BINARY}"                                    ;;
                         domainname)             DOMAINNAMEFOUND=1;     DOMAINNAMEBINARY="${BINARY}";                                                  logtext "  Found known binary: domainname (NIS domain) - ${BINARY}"                                       ;;
+                        ecryptfsd)              ECRYPTFSDFOUND=1;      ECRYPTFSDBINARY="${BINARY}";                                                   logtext "  Found known binary: ecryptfsd (Layered Encryption) - ${BINARY}"                     ;;
+                        ecryptfs-migrate-home)  ECRYPTFSMIGRATEFOUND=1; ECRYPTFSMIGRATEBINARY=${BINARY};                                              logtext "  Found known binary: ecryptfs-migrate-home (Layered Encryption) - ${BINARY}"                     ;;
                         exim)                   EXIMFOUND=1;           EXIMBINARY="${BINARY}";                 EXIMVERSION=`${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs`; logtext "Found ${BINARY} (version ${EXIMVERSION})"               ;;
                         find)                   FINDFOUND=1;           FINDBINARY="${BINARY}";                                                        logtext "  Found known binary: find (search tool) - ${BINARY}"                                            ;;
                         g++)                    GPLUSPLUSFOUND=1;      GPLUSPLUSBINARY="${BINARY}";            COMPILER_INSTALLED=1;                  logtext "  Found known binary: g++ (compiler) - ${BINARY}"                                                ;;
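Review bot: In the ecryptfs-migrate-home entry, ECRYPTFSMIGRATEBINARY=${BINARY} is assigned unquoted, while the ecryptfsd entry directly above it writes ECRYPTFSDBINARY="${BINARY}"; quote it so the two new entries match each other and most of their neighbours. Both entries also set ECRYPTFSDFOUND and ECRYPTFSMIGRATEFOUND, but the test added to tests_filesystems only checks the *BINARY variables for emptiness, so either use the FOUND flags there or note why they are set. The trailing ";;" on both new lines is not aligned with the column used by the surrounding entries.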
--- tests_filesystems.orig	2014-01-27 17:20:14.749679392 -0700
+++ tests_filesystems	2014-01-29 16:20:52.128727221 -0700
@@ -558,6 +558,72 @@
 #################################################################################
 #
 
+    # Test        : FILE-####
+    # Description : (LINUX) Check if user home directories are encrypted with ecryptfs
+    # Notes       : Ecryptfs is useful on multi-user systems.  Can be configured
+    #               so that files in the users home directories are only
+    #               decrypted while the user is logged in.
+    #
+    #               This function adds hardening points according to the
+    #               following criteria:
+    #                  +1 Ecryptfs Installed
+    #                  +1 for each user account that can be configured to use it.
+    if [ "${OS}" = "Linux" ]; then
+        if [ ! "${ECRYPTFSDBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+        Register --test-no "FILE-####" --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for Ecryptfs"
+        if [ ${SKIPTEST} -eq 0 -a ! "${ECRYPTFSDBINARY}" = "" ]; then
+            Display --indent 2 --text "- Ecryptfs" --result INSTALLED --color GREEN
+            logtext "Ecryptfs installed."
+            logtext "Test: If user home directories are configured to use Ecryptfs"
+            AddHP 1 1
+            USERLIST=`awk -F: '($3 > 500) && ($3 != 65534) { print $1","$6 }' /etc/passwd`
+            for U in ${USERLIST}; do
+                ECRYPTFSHOME=1
+                USER=`echo ${U} | sed -e 's/,.*//'`
+                HOMEDIR=`echo ${U} | sed -e 's/^[^,]*,//'`
+                logtext "USER: ${USER}"
+                logtext "HOME DIR: ${HOMEDIR}"
+                if [ -d /home/.ecryptfs/${USER} -a -f /home/.ecryptfs/${USER}/.ecryptfs/auto-mount -a -f /home/.ecryptfs/${USER}/.ecryptfs/Private.mnt ]; then
+                    PRIVDIR=`cat /home/.ecryptfs/${USER}/.ecryptfs/Private.mnt`
+                    logtext "PRIVATE DIR: ${PRIVDIR}"
+                    if [ "${HOMEDIR}" = ${PRIVDIR} ]; then
+                        # Ecryptfs installed and configured to encrypt users
+                        # entire ${HOME} directory.
+                        logtext "Result: Home directory for ${USER} configured to use Ecryptfs"
+                        Display --indent 4 --text "- Home for ${USER}" --result YES --color GREEN
+                        AddHP 1 1
+                        ECRYPTFSHOME=0
+                    fi
+                fi
+                if [ ${ECRYPTFSHOME} = 1 ]; then
+                    # Ecryptfs Private directory configured but not for
+                    # users ${HOME} directory -OR- Ecryptfs has not been setup
+                    # for user.
+                    logtext "Result: Ecryptfs installed but not configured for ${USER}'s home directory"
+                    Display --indent 4 --text "- Home for ${USER}" --result NO --color RED
+                    AddHP 0 1
+                    # Unsure if ecryptfs-migrate-home is part of all Ecryptfs installations
+                    # on all Linux distributions.
+                    if [ ! "${ECRYPTFSMIGRATEBINARY}" = "" ]; then
+                        ReportSuggestion ${TEST_NO} "As root run 'ecryptfs-migrate-home --user ${USER}' to configure Ecryptfs for user's home directory"
+                    else
+                        ReportSuggestion ${TEST_NO} "Configure Ecryptfs for ${USER}'s home directory"
+                    fi
+                fi
+            done
+        else
+            Display --indent 2 --text "- Ecryptfs" --result "NOT INSTALLED" --color RED
+            ReportSuggestion ${TEST_NO} "Install 'ecryptfs-utils' and configure for each user."
+            # Increasing Hardening score by 1 for each account that could use
+            # Ecryptfs + 1 for installation.
+            USERCOUNT=`awk -F: '($3 > 500) && ($3 != 65534) { print $1 }' /etc/passwd | wc -l`
+            AddHP 0 $((USERCOUNT+1))
+        fi
+    fi
+
+#
+#################################################################################
+#
 
 wait_for_keypress
 
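Review bot: The else branch near the end of the test belongs to `if [ ${SKIPTEST} -eq 0 -a ! "${ECRYPTFSDBINARY}" = "" ]`, so it runs when the test is skipped as well as when ecryptfsd is missing; a skipped test would still display "NOT INSTALLED", report a suggestion and call AddHP. Test SKIPTEST in an outer if and check ECRYPTFSDBINARY inside it, so that skipping produces no output or score change. In the home comparison `[ "${HOMEDIR}" = ${PRIVDIR} ]` the right-hand side is unquoted, so an empty or whitespace-containing Private.mnt makes the test raise an error instead of evaluating to false; quote ${PRIVDIR}. The awk filter uses `$3 > 500`, which skips UID 500 although the submission describes UID >= 500, and the same filter is duplicated in the USERCOUNT line, so the two can drift apart; the check also hard-codes /home/.ecryptfs/${USER} and reuses the name USER, which shadows the environment variable of the same name for anything that runs later in the script.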

--- End Message ---
--- Begin Message ---
Source: lynis
Source-Version: 1.4.0-1

We believe that the bug you reported is fixed in the latest version of
lynis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francisco Manuel Garcia Claramonte <[email protected]> (supplier of updated 
lynis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 09 Feb 2014 19:48:47 +0100
Source: lynis
Binary: lynis
Architecture: source all
Version: 1.4.0-1
Distribution: unstable
Urgency: low
Maintainer: Francisco Manuel Garcia Claramonte <[email protected]>
Changed-By: Francisco Manuel Garcia Claramonte <[email protected]>
Description: 
 lynis      - security auditing tool for Unix based systems
Closes: 736115 736197 737173
Changes: 
 lynis (1.4.0-1) unstable; urgency=low
 .
   * New upstream release.
     + Added test for Anacrontab jobs. (Closes: #736197)
   * Added debian patch to fix a misconfiguration in crontab test. Thanks to
     Dave Vehrs. (Closes: #736115).
   * Added debian patch to add Ecryptfs test. Thanks to Dave Vehrs.
     (Closes: #737173).


--- End Message ---
