
Re: Bug#653580: ITP: yasat -- YASAT (Yet Another Stupid Audit Tool) is a simple stupid audit tool.

On Wed, 04-01-2012 at 10:56 +0100, corentin.labbe wrote:
> On 03/01/2012 21:21, Francisco Manuel Garcia Claramonte wrote:
> > Hi Corentin,
> > 
> > According to the website, YASAT doesn't appear to provide any new features
> > compared to lynis or tiger.
> > What are the advantages or differences with Lynis?
> Hello

Hi Corentin,
First of all thank you for your fast answer.

> Tiger is old and unmaintained. For example, it warns me that my sha512 shadow password for root "is not using an acceptable password hash".
> And it says the same for users without a password.
> Lynis is not really actively developed (2 years without release),

The new upstream version 3.0.0 was recently released.
Now I am working on packaging it.

> YASAT is actively developed.
It is OK.

> One of the advantages of YASAT over lynis/tiger is the number of tests done:
> - 277 for lynis (grepped register in include directory)

I count 307,
grep "Register --test-no" /usr/share/lynis/include/* | wc -l

(I'll review it).

> - 600 for YASAT (grepped display and relevant data files)

> One other advantage of YASAT is that it doesn't just say what is bad or good, it tries to say why and gives external links to information about the report.
> For example, YASAT won't just say that file_uploads must be turned off, it also gives the following link: http://phpsec.org/projects/phpsecinfo/tests/file_uploads.html.
> OK, it is not like this for all tests, but it is one of the goals.
> I also think YASAT is better architected (at least for some tests).
> Example: to add an option in php.ini to be tested, you must copy the whole test block in lynis and change some values in it.
> In YASAT you just have to add a line in php_conf.data.
> One recent advantage is the creation of a shell script for automatic correction of reported problems. (But for the moment this feature is not used by all YASAT parts.)
> But I am probably one-sided, so to conclude, just test them both and form your own opinion.

It looks like a good audit tool. I am going to try it.
Thank you.


> Regards,
> > 

Francisco M. García Claramonte 
Debian GNU/Linux Developer   <francisco@debian.org>
GPG: public key ID 556ABA51
