diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-aarch64-gnome b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-aarch64-gnome
new file mode 100644
index 000000000000..e8d092ee72d3
--- /dev/null
+++ b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-aarch64-gnome
@@ -0,0 +1,645 @@
+
+[ Lynis 2.6.1 ]
+
+################################################################################
+ Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+ welcome to redistribute it under the terms of the GNU General Public License.
+ See the LICENSE file for details about using this software.
+
+ 2007-2018, CISOfy - https://cisofy.com/lynis/
+ Enterprise support available (compliance, plugins, interface and tools)
+################################################################################
+
+
+[+] Initializing program
+------------------------------------
+- Detecting OS...  [ DONE ]
+- Checking profiles... [ DONE ]
+
+ ---------------------------------------------------
+ Program version: 2.6.1
+ Operating system: Linux
+ Operating system name: Linux
+ Operating system version: 5.3.18-47-default
+ Kernel version: 5.3.18
+ Hardware platform: aarch64
+ Hostname: susetest
+ ---------------------------------------------------
+ Profiles: /etc/lynis/default.prf
+ Log file: /var/log/lynis.log
+ Report file: /var/log/lynis-report.dat
+ Report version: 1.0
+ Plugin directory: /usr/share/lynis/plugins
+ ---------------------------------------------------
+ Auditor: [Not Specified]
+ Language: en
+ Test category: all
+ Test group: all
+ ---------------------------------------------------
+- Program update status...  [ WARNING ]
+
+ ===============================================================================
+ Lynis update available
+ ===============================================================================
+
+ Current version is more than 4 months old
+
+ Current version : 261 Latest version : 303
+
+ Please update to the latest version.
+ New releases include additional features, bug fixes, tests, and baselines.
+
+ Download the latest version:
+
+ Packages (DEB/RPM) - https://packages.cisofy.com
+ Website (TAR) - https://cisofy.com/downloads/
+ GitHub (source) - https://github.com/CISOfy/lynis
+
+ ===============================================================================
+
+
+[+] System Tools
+------------------------------------
+- Scanning available tools...
+- Checking system binaries...
+
+[+] Plugins (phase 1)
+------------------------------------
+Note: plugins have more extensive tests and may take several minutes to complete
+ 
+- Plugins enabled [ NONE ]
+
+[+] Boot and services
+------------------------------------
+- Service Manager [ systemd ]
+- Checking UEFI boot [ ENABLED ]
+- Checking Secure Boot [ DISABLED ]
+- Checking presence GRUB2 [ FOUND ]
+- Checking for password protection [ WARNING ]
+- Check running services (systemctl) [ DONE ]
+Result: found 32 running services
+- Check enabled services at boot (systemctl) [ DONE ]
+Result: found 29 enabled services
+- Check startup files (permissions) [ OK ]
+- Checking sulogin in rescue.service [ NOT FOUND ]
+
+[+] Kernel
+------------------------------------
+- Checking default runlevel [ runlevel 5 ]
+- Checking CPU support (NX/PAE)
+CPU support: No PAE or NoeXecute supported [ NONE ]
+- Checking kernel version and release [ DONE ]
+- Checking kernel type [ DONE ]
+- Checking loaded kernel modules [ DONE ]
+Found 96 active modules
+- Checking Linux kernel configuration file [ FOUND ]
+- Checking default I/O kernel scheduler [ NOT FOUND ]
+- Checking core dumps configuration [ DISABLED ]
+- Checking setuid core dumps configuration [ PROTECTED ]
+- Check if reboot is needed [ UNKNOWN ]
+
+[+] Memory and Processes
+------------------------------------
+- Checking /proc/meminfo [ FOUND ]
+- Searching for dead/zombie processes [ OK ]
+- Searching for IO waiting processes [ OK ]
+
+[+] Users, Groups and Authentication
+------------------------------------
+- Administrator accounts [ OK ]
+- Unique UIDs [ OK ]
+- Consistency of group files (grpck) [ OK ]
+- Unique group IDs [ OK ]
+- Unique group names [ OK ]
+- Password file consistency [ OK ]
+- Query system users (non daemons) [ DONE ]
+- NIS+ authentication support [ NOT ENABLED ]
+- NIS authentication support [ NOT ENABLED ]
+- sudoers file [ FOUND ]
+- Check sudoers file permissions [ OK ]
+- PAM password strength tools [ OK ]
+- PAM configuration file (pam.conf) [ NOT FOUND ]
+- PAM configuration files (pam.d) [ FOUND ]
+- PAM modules [ FOUND ]
+- LDAP module in PAM [ NOT FOUND ]
+- Accounts without expire date [ OK ]
+- Accounts without password [ OK ]
+- Checking user password aging (minimum) [ DISABLED ]
+- User password aging (maximum) [ DISABLED ]
+- Checking expired passwords [ OK ]
+- Determining default umask
+- umask (/etc/profile) [ NOT FOUND ]
+- umask (/etc/login.defs) [ SUGGESTION ]
+- LDAP authentication support [ NOT ENABLED ]
+- Logging failed login attempts [ DISABLED ]
+
+[+] Shells
+------------------------------------
+- Checking shells from /etc/shells
+Result: found 24 shells (valid shells: 16).
+- Session timeout settings/tools [ NONE ]
+- Checking default umask values
+- Checking default umask in /etc/bash.bashrc [ NONE ]
+- Checking default umask in /etc/csh.cshrc [ NONE ]
+- Checking default umask in /etc/profile [ NONE ]
+
+[+] File systems
+------------------------------------
+- Checking mount points
+- Checking /home mount point [ OK ]
+- Checking /tmp mount point [ OK ]
+- Checking /var mount point [ OK ]
+- Query swap partitions (fstab) [ OK ]
+- Testing swap partitions [ OK ]
+- Testing /proc mount (hidepid) [ SUGGESTION ]
+- Checking for old files in /tmp [ OK ]
+- Checking /tmp sticky bit [ OK ]
+- Checking /var/tmp sticky bit [ OK ]
+- ACL support root file system [ ENABLED ]
+- Mount options of / [ OK ]
+- Mount options of /home [ NON DEFAULT ]
+- Mount options of /tmp [ NON DEFAULT ]
+- Mount options of /var [ NON DEFAULT ]
+- Disable kernel support of some filesystems
+- Discovered kernel modules: cramfs hfsplus squashfs udf 
+
+[+] USB Devices
+------------------------------------
+- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
+- Checking USB devices authorization [ ENABLED ]
+- Checking USBGuard [ NOT FOUND ]
+
+[+] Storage
+------------------------------------
+- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ]
+
+[+] NFS
+------------------------------------
+- Query rpc registered programs [ DONE ]
+- Query NFS versions [ DONE ]
+- Query NFS protocols [ DONE ]
+- Check running NFS daemon [ NOT FOUND ]
+
+[+] Name services
+------------------------------------
+- Searching DNS domain name [ UNKNOWN ]
+- Checking nscd status [ RUNNING ]
+- Checking /etc/hosts
+- Checking /etc/hosts (duplicates) [ OK ]
+- Checking /etc/hosts (hostname) [ SUGGESTION ]
+- Checking /etc/hosts (localhost) [ OK ]
+- Checking /etc/hosts (localhost to IP) [ OK ]
+
+[+] Ports and packages
+------------------------------------
+- Searching package managers
+- Searching RPM package manager [ FOUND ]
+- Querying RPM package manager
+- Using Zypper to find vulnerable packages [ NONE ]
+- Checking package audit tool [ INSTALLED ]
+Found: zypper
+
+[+] Networking
+------------------------------------
+- Checking IPv6 configuration [ ENABLED ]
+Configuration method [ AUTO ]
+IPv6 only [ NO ]
+- Checking configured nameservers
+- Testing nameservers
+Nameserver: 10.0.2.3 [ OK ]
+- Minimal of 2 responsive nameservers [ WARNING ]
+- Getting listening ports (TCP/UDP) [ DONE ]
+* Found 5 ports
+- Checking status DHCP client [ NOT ACTIVE ]
+- Checking for ARP monitoring software [ NOT FOUND ]
+
+[+] Printers and Spools
+------------------------------------
+- Checking cups daemon [ NOT FOUND ]
+- Checking lp daemon [ NOT RUNNING ]
+
+[+] Software: e-mail and messaging
+------------------------------------
+- Postfix status [ RUNNING ]
+- Postfix configuration [ FOUND ]
+
+[+] Software: firewalls
+------------------------------------
+- Checking iptables kernel module [ FOUND ]
+- Checking iptables policies of chains [ FOUND ]
+- Checking for empty ruleset [ OK ]
+- Checking for unused rules [ FOUND ]
+- Checking host based firewall [ ACTIVE ]
+
+[+] Software: webserver
+------------------------------------
+- Checking Apache (binary /usr/sbin/httpd2-prefork) [ FOUND ]
+Info: Configuration file found (/etc/apache2/httpd.conf)
+Info: No virtual hosts found
+* Loadable modules [ FOUND (117) ]
+- Found 117 loadable modules
+mod_evasive: anti-DoS/brute force [ NOT FOUND ]
+mod_reqtimeout/mod_qos [ FOUND ]
+ModSecurity: web application firewall [ NOT FOUND ]
+- Checking nginx [ NOT FOUND ]
+
+[+] SSH Support
+------------------------------------
+- Checking running SSH daemon [ FOUND ]
+- Searching SSH configuration [ FOUND ]
+- SSH option: AllowTcpForwarding [ SUGGESTION ]
+- SSH option: ClientAliveCountMax [ SUGGESTION ]
+- SSH option: ClientAliveInterval [ OK ]
+- SSH option: Compression [ SUGGESTION ]
+- SSH option: FingerprintHash [ OK ]
+- SSH option: GatewayPorts [ OK ]
+- SSH option: IgnoreRhosts [ OK ]
+- SSH option: LoginGraceTime [ OK ]
+- SSH option: LogLevel [ SUGGESTION ]
+- SSH option: MaxAuthTries [ SUGGESTION ]
+- SSH option: MaxSessions [ SUGGESTION ]
+- SSH option: PermitRootLogin [ SUGGESTION ]
+- SSH option: PermitUserEnvironment [ OK ]
+- SSH option: PermitTunnel [ OK ]
+- SSH option: Port [ SUGGESTION ]
+- SSH option: PrintLastLog [ OK ]
+- SSH option: Protocol [ NOT FOUND ]
+- SSH option: StrictModes [ OK ]
+- SSH option: TCPKeepAlive [ SUGGESTION ]
+- SSH option: UseDNS [ OK ]
+- SSH option: UsePrivilegeSeparation [ NOT FOUND ]
+- SSH option: VerifyReverseMapping [ NOT FOUND ]
+- SSH option: X11Forwarding [ SUGGESTION ]
+- SSH option: AllowAgentForwarding [ SUGGESTION ]
+- SSH option: AllowUsers [ NOT FOUND ]
+- SSH option: AllowGroups [ NOT FOUND ]
+
+[+] SNMP Support
+------------------------------------
+- Checking running SNMP daemon [ NOT FOUND ]
+
+[+] Databases
+------------------------------------
+No database engines found
+
+[+] LDAP Services
+------------------------------------
+- Checking OpenLDAP instance [ NOT FOUND ]
+
+[+] PHP
+------------------------------------
+- Checking PHP [ NOT FOUND ]
+
+[+] Squid Support
+------------------------------------
+- Checking running Squid daemon [ NOT FOUND ]
+
+[+] Logging and files
+------------------------------------
+- Checking for a running log daemon [ OK ]
+- Checking Syslog-NG status [ NOT FOUND ]
+- Checking systemd journal status [ FOUND ]
+- Checking Metalog status [ NOT FOUND ]
+- Checking RSyslog status [ FOUND ]
+- Checking RFC 3195 daemon status [ NOT FOUND ]
+- Checking minilogd instances [ NOT FOUND ]
+- Checking logrotate presence [ OK ]
+- Checking log directories (static list) [ DONE ]
+- Checking open log files [ DONE ]
+- Checking deleted files in use [ FILES FOUND ]
+
+[+] Insecure services
+------------------------------------
+- Checking inetd status [ NOT ACTIVE ]
+
+[+] Banners and identification
+------------------------------------
+- /etc/issue [ SYMLINK ]
+- /etc/issue contents [ WEAK ]
+- /etc/issue.net [ NOT FOUND ]
+
+[+] Scheduled tasks
+------------------------------------
+- Checking crontab/cronjob [ DONE ]
+
+[+] Accounting
+------------------------------------
+- Checking accounting information [ NOT FOUND ]
+- Checking sysstat accounting data [ NOT FOUND ]
+- Checking auditd [ ENABLED ]
+- Checking audit rules [ OK ]
+- Checking audit configuration file [ OK ]
+- Checking auditd log file [ FOUND ]
+
+[+] Time and Synchronization
+------------------------------------
+
+[+] Cryptography
+------------------------------------
+- Checking for expired SSL certificates [0/2] [ NONE ]
+
+[+] Virtualization
+------------------------------------
+
+[+] Containers
+------------------------------------
+
+[+] Security frameworks
+------------------------------------
+- Checking presence AppArmor [ FOUND ]
+- Checking AppArmor status [ ENABLED ]
+- Checking presence SELinux [ NOT FOUND ]
+- Checking presence grsecurity [ NOT FOUND ]
+- Checking for implemented MAC framework [ OK ]
+
+[+] Software: file integrity
+------------------------------------
+- Checking file integrity tools
+- Checking presence integrity tool [ NOT FOUND ]
+
+[+] Software: System tooling
+------------------------------------
+- Checking automation tooling
+- Automation tooling [ NOT FOUND ]
+- Checking for IDS/IPS tooling [ NONE ]
+
+[+] Software: Malware
+------------------------------------
+
+[+] File Permissions
+------------------------------------
+- Starting file permissions check
+/root/.ssh [ OK ]
+
+[+] Home directories
+------------------------------------
+- Checking shell history files [ OK ]
+
+[+] Kernel Hardening
+------------------------------------
+- Comparing sysctl key pairs with scan profile
+- fs.protected_hardlinks (exp: 1) [ OK ]
+- fs.protected_symlinks (exp: 1) [ OK ]
+- fs.suid_dumpable (exp: 0) [ DIFFERENT ]
+- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
+- kernel.ctrl-alt-del (exp: 0) [ OK ]
+- kernel.dmesg_restrict (exp: 1) [ OK ]
+- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
+- kernel.randomize_va_space (exp: 2) [ OK ]
+- kernel.suid_dumpable (exp: 0) [ DIFFERENT ]
+- kernel.sysrq (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ]
+- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
+- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
+- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
+- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
+- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
+- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
+- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
+- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ]
+- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
+- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
+- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
+- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
+- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
+- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
+- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ]
+- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
+- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ]
+- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
+
+[+] Hardening
+------------------------------------
+- Installed compiler(s) [ FOUND ]
+- Installed malware scanner [ NOT FOUND ]
+
+[+] System Tools
+------------------------------------
+- Starting dbus policy check...
+Warning: Package autofs-5.1.3-7.3.1.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.AutoMount.conf [ WARNING ]
+Warning: Package geoclue2-2.5.4-1.32.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.Agent.conf [ WARNING ]
+Warning: Package geoclue2-2.5.4-1.32.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.conf [ WARNING ]
+Warning: Package wicked-0.6.64-3.3.4.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.AUTO4.conf [ WARNING ]
+Warning: Package wicked-0.6.64-3.3.4.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP4.conf [ WARNING ]
+Warning: Package wicked-0.6.64-3.3.4.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP6.conf [ WARNING ]
+Warning: Package wicked-0.6.64-3.3.4.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.Nanny.conf [ WARNING ]
+Warning: Package wicked-0.6.64-3.3.4.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.conf [ WARNING ]
+Warning: Package snapper-0.8.15-1.28.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.conf [ WARNING ]
+Warning: Package bluez-5.55-1.52.aarch64 installs an unknown D-BUS autostart/system service: org.bluez.service [ WARNING ]
+Warning: Package flatpak-1.10.1-1.11.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.Flatpak.SystemHelper.service [ WARNING ]
+Warning: Package geoclue2-2.5.4-1.32.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.service [ WARNING ]
+Warning: Package fwupd-1.5.3-1.32.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.fwupd.service [ WARNING ]
+Warning: Package systemd-246.10-1.5.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ]
+Warning: Package snapper-0.8.15-1.28.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ]
+
+[+] Users, Groups and Authentication
+------------------------------------
+- Starting password check for users...
+
+[+] Binary integrity
+------------------------------------
+- Starting binary RPATH check...
+No bad RPATH usage found in 6180 executables [ OK ]
+
+[+] File systems
+------------------------------------
+- Starting look-up of symlinks in /tmp...
+
+[+] File systems
+------------------------------------
+- Starting file permissions check for world-writeable files...
+/tmp is world-writeable [ WARNING ]
+
+[+] Memory and processes
+------------------------------------
+- Starting look-up of 'nobody' processes...
+
+[+] Networking
+------------------------------------
+- Starting verifying open network ports (22 25 80 111 443)...
+
+[+] Custom Tests
+------------------------------------
+- Running custom tests...  [ NONE ]
+
+[+] Plugins (phase 2)
+------------------------------------
+
+================================================================================
+
+ -[ Lynis 2.6.1 Results ]-
+
+ Warnings (2):
+ ----------------------------
+ ! Version of Lynis is very old and should be updated [LYNIS]
+ https://cisofy.com/controls/LYNIS/
+
+ ! Couldn't find 2 responsive nameservers [NETW-2705]
+ https://cisofy.com/controls/NETW-2705/
+
+ Suggestions (35):
+ ----------------------------
+ * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
+ https://cisofy.com/controls/BOOT-5122/
+
+ * Protect rescue.service by using sulogin [BOOT-5260]
+ https://cisofy.com/controls/BOOT-5260/
+
+ * Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support [KRNL-5677]
+ https://cisofy.com/controls/KRNL-5677/
+
+ * Configure minimum password age in /etc/login.defs [AUTH-9286]
+ https://cisofy.com/controls/AUTH-9286/
+
+ * Configure maximum password age in /etc/login.defs [AUTH-9286]
+ https://cisofy.com/controls/AUTH-9286/
+
+ * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
+ https://cisofy.com/controls/AUTH-9328/
+
+ * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
+ https://cisofy.com/controls/STRG-1840/
+
+ * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
+ https://cisofy.com/controls/STRG-1846/
+
+ * Check DNS configuration for the dns domain name [NAME-4028]
+ https://cisofy.com/controls/NAME-4028/
+
+ * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404]
+ https://cisofy.com/controls/NAME-4404/
+
+ * Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705]
+ https://cisofy.com/controls/NETW-2705/
+
+ * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
+ https://cisofy.com/controls/NETW-3032/
+
+ * Check iptables rules to see which rules are currently not used [FIRE-4513]
+ https://cisofy.com/controls/FIRE-4513/
+
+ * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
+ https://cisofy.com/controls/HTTP-6640/
+
+ * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
+ https://cisofy.com/controls/HTTP-6643/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : AllowTcpForwarding (YES --> NO)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : ClientAliveCountMax (3 --> 2)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : Compression (YES --> (DELAYED|NO))
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : LogLevel (INFO --> VERBOSE)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : MaxAuthTries (6 --> 2)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : MaxSessions (10 --> 2)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : PermitRootLogin (YES --> NO)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : Port (22 --> )
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : TCPKeepAlive (YES --> NO)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : X11Forwarding (YES --> NO)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : AllowAgentForwarding (YES --> NO)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Check what deleted files are still in use and why. [LOGG-2190]
+ https://cisofy.com/controls/LOGG-2190/
+
+ * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
+ https://cisofy.com/controls/BANN-7126/
+
+ * Enable process accounting [ACCT-9622]
+ https://cisofy.com/controls/ACCT-9622/
+
+ * Enable sysstat to collect accounting (no results) [ACCT-9626]
+ https://cisofy.com/controls/ACCT-9626/
+
+ * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
+ https://cisofy.com/controls/FINT-4350/
+
+ * Determine if automation tools are present for system management [TOOL-5002]
+ https://cisofy.com/controls/TOOL-5002/
+
+ * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
+ - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:)
+ https://cisofy.com/controls/KRNL-6000/
+
+ * Harden compilers like restricting access to root user only [HRDN-7222]
+ https://cisofy.com/controls/HRDN-7222/
+
+ * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
+ - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
+ https://cisofy.com/controls/HRDN-7230/
+
+ Follow-up:
+ ----------------------------
+ - Show details of a test (lynis show details TEST-ID)
+ - Check the logfile for all details (less /var/log/lynis.log)
+ - Read security controls texts (https://cisofy.com)
+ - Use --upload to upload data to central system (Lynis Enterprise users)
+
+================================================================================
+
+ Lynis security scan details:
+
+ Hardening index : 91 [################## ]
+ Tests performed : 222
+ Plugins enabled : 0
+
+ Components:
+ - Firewall [V]
+ - Malware scanner [X]
+
+ Lynis Modules:
+ - Compliance Status [?]
+ - Security Audit [V]
+ - Vulnerability Scan [V]
+
+ Files:
+ - Test and debug information : /var/log/lynis.log
+ - Report data : /var/log/lynis-report.dat
+
+================================================================================
+ Notice: Lynis update available
+ Current version : 261 Latest version : 303
+================================================================================
+
+ Lynis 2.6.1
+
+ Auditing, system hardening, and compliance for UNIX-based systems
+ (Linux, macOS, BSD, and others)
+
+ 2007-2018, CISOfy - https://cisofy.com/lynis/
+ Enterprise support available (compliance, plugins, interface and tools)
+
+================================================================================
+
+ [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
+
diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-aarch64-textmode b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-aarch64-textmode
new file mode 100644
index 000000000000..944c6bc3cc8d
--- /dev/null
+++ b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-aarch64-textmode
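Review bot: Several spans in this baseline are properties of the capture environment rather than of the 15-SP3 image, so any byte-for-byte comparison against it will be brittle: the `Lynis update available` block and `Current version : 261 Latest version : 303` come from a network lookup and change whenever CISOfy publishes a release, `Nameserver: 10.0.2.3` / `Hostname: susetest` are VM artefacts, and the D-BUS warnings embed full package NVRs such as `wicked-0.6.64-3.3.4.aarch64` that move with every maintenance update. Whatever consumes this file (not visible in this diff) should mask those spans before diffing, or the baseline should be re-captured with the version check skipped if the packaged Lynis supports that. It is also worth stating in that consumer that the baseline records the unhardened default state as expected (Secure Boot disabled, no GRUB password, `PermitRootLogin (YES --> NO)`, `/etc/issue contents [ WEAK ]`, hardening index 91), so matching it shows the image has not drifted, not that it is hardened.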
@@ -0,0 +1,639 @@
+
+[ Lynis 2.6.1 ]
+
+################################################################################
+ Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+ welcome to redistribute it under the terms of the GNU General Public License.
+ See the LICENSE file for details about using this software.
+
+ 2007-2018, CISOfy - https://cisofy.com/lynis/
+ Enterprise support available (compliance, plugins, interface and tools)
+################################################################################
+
+
+[+] Initializing program
+------------------------------------
+- Detecting OS...  [ DONE ]
+- Checking profiles... [ DONE ]
+
+ ---------------------------------------------------
+ Program version: 2.6.1
+ Operating system: Linux
+ Operating system name: Linux
+ Operating system version: 5.3.18-47-default
+ Kernel version: 5.3.18
+ Hardware platform: aarch64
+ Hostname: susetest
+ ---------------------------------------------------
+ Profiles: /etc/lynis/default.prf
+ Log file: /var/log/lynis.log
+ Report file: /var/log/lynis-report.dat
+ Report version: 1.0
+ Plugin directory: /usr/share/lynis/plugins
+ ---------------------------------------------------
+ Auditor: [Not Specified]
+ Language: en
+ Test category: all
+ Test group: all
+ ---------------------------------------------------
+- Program update status...  [ WARNING ]
+
+ ===============================================================================
+ Lynis update available
+ ===============================================================================
+
+ Current version is more than 4 months old
+
+ Current version : 261 Latest version : 303
+
+ Please update to the latest version.
+ New releases include additional features, bug fixes, tests, and baselines.
+
+ Download the latest version:
+
+ Packages (DEB/RPM) - https://packages.cisofy.com
+ Website (TAR) - https://cisofy.com/downloads/
+ GitHub (source) - https://github.com/CISOfy/lynis
+
+ ===============================================================================
+
+
+[+] System Tools
+------------------------------------
+- Scanning available tools...
+- Checking system binaries...
+
+[+] Plugins (phase 1)
+------------------------------------
+Note: plugins have more extensive tests and may take several minutes to complete
+ 
+- Plugins enabled [ NONE ]
+
+[+] Boot and services
+------------------------------------
+- Service Manager [ systemd ]
+- Checking UEFI boot [ ENABLED ]
+- Checking Secure Boot [ DISABLED ]
+- Checking presence GRUB2 [ FOUND ]
+- Checking for password protection [ WARNING ]
+- Check running services (systemctl) [ DONE ]
+Result: found 24 running services
+- Check enabled services at boot (systemctl) [ DONE ]
+Result: found 27 enabled services
+- Check startup files (permissions) [ OK ]
+- Checking sulogin in rescue.service [ NOT FOUND ]
+
+[+] Kernel
+------------------------------------
+- Checking default runlevel [ runlevel 3 ]
+- Checking CPU support (NX/PAE)
+CPU support: No PAE or NoeXecute supported [ NONE ]
+- Checking kernel version and release [ DONE ]
+- Checking kernel type [ DONE ]
+- Checking loaded kernel modules [ DONE ]
+Found 96 active modules
+- Checking Linux kernel configuration file [ FOUND ]
+- Checking default I/O kernel scheduler [ NOT FOUND ]
+- Checking core dumps configuration [ DISABLED ]
+- Checking setuid core dumps configuration [ PROTECTED ]
+- Check if reboot is needed [ UNKNOWN ]
+
+[+] Memory and Processes
+------------------------------------
+- Checking /proc/meminfo [ FOUND ]
+- Searching for dead/zombie processes [ OK ]
+- Searching for IO waiting processes [ OK ]
+
+[+] Users, Groups and Authentication
+------------------------------------
+- Administrator accounts [ OK ]
+- Unique UIDs [ OK ]
+- Consistency of group files (grpck) [ OK ]
+- Unique group IDs [ OK ]
+- Unique group names [ OK ]
+- Password file consistency [ OK ]
+- Query system users (non daemons) [ DONE ]
+- NIS+ authentication support [ NOT ENABLED ]
+- NIS authentication support [ NOT ENABLED ]
+- sudoers file [ FOUND ]
+- Check sudoers file permissions [ OK ]
+- PAM password strength tools [ OK ]
+- PAM configuration file (pam.conf) [ NOT FOUND ]
+- PAM configuration files (pam.d) [ FOUND ]
+- PAM modules [ FOUND ]
+- LDAP module in PAM [ NOT FOUND ]
+- Accounts without expire date [ OK ]
+- Accounts without password [ OK ]
+- Checking user password aging (minimum) [ DISABLED ]
+- User password aging (maximum) [ DISABLED ]
+- Checking expired passwords [ OK ]
+- Determining default umask
+- umask (/etc/profile) [ NOT FOUND ]
+- umask (/etc/login.defs) [ SUGGESTION ]
+- LDAP authentication support [ NOT ENABLED ]
+- Logging failed login attempts [ DISABLED ]
+
+[+] Shells
+------------------------------------
+- Checking shells from /etc/shells
+Result: found 24 shells (valid shells: 16).
+- Session timeout settings/tools [ NONE ]
+- Checking default umask values
+- Checking default umask in /etc/bash.bashrc [ NONE ]
+- Checking default umask in /etc/csh.cshrc [ NONE ]
+- Checking default umask in /etc/profile [ NONE ]
+
+[+] File systems
+------------------------------------
+- Checking mount points
+- Checking /home mount point [ OK ]
+- Checking /tmp mount point [ OK ]
+- Checking /var mount point [ OK ]
+- Query swap partitions (fstab) [ OK ]
+- Testing swap partitions [ OK ]
+- Testing /proc mount (hidepid) [ SUGGESTION ]
+- Checking for old files in /tmp [ OK ]
+- Checking /tmp sticky bit [ OK ]
+- Checking /var/tmp sticky bit [ OK ]
+- ACL support root file system [ ENABLED ]
+- Mount options of / [ OK ]
+- Mount options of /home [ NON DEFAULT ]
+- Mount options of /tmp [ NON DEFAULT ]
+- Mount options of /var [ NON DEFAULT ]
+- Disable kernel support of some filesystems
+- Discovered kernel modules: cramfs hfsplus squashfs udf 
+
+[+] USB Devices
+------------------------------------
+- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
+- Checking USB devices authorization [ ENABLED ]
+- Checking USBGuard [ NOT FOUND ]
+
+[+] Storage
+------------------------------------
+- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ]
+
+[+] NFS
+------------------------------------
+- Query rpc registered programs [ DONE ]
+- Query NFS versions [ DONE ]
+- Query NFS protocols [ DONE ]
+- Check running NFS daemon [ NOT FOUND ]
+
+[+] Name services
+------------------------------------
+- Searching DNS domain name [ UNKNOWN ]
+- Checking nscd status [ RUNNING ]
+- Checking /etc/hosts
+- Checking /etc/hosts (duplicates) [ OK ]
+- Checking /etc/hosts (hostname) [ SUGGESTION ]
+- Checking /etc/hosts (localhost) [ OK ]
+- Checking /etc/hosts (localhost to IP) [ OK ]
+
+[+] Ports and packages
+------------------------------------
+- Searching package managers
+- Searching RPM package manager [ FOUND ]
+- Querying RPM package manager
+- Using Zypper to find vulnerable packages [ NONE ]
+- Checking package audit tool [ INSTALLED ]
+Found: zypper
+
+[+] Networking
+------------------------------------
+- Checking IPv6 configuration [ ENABLED ]
+Configuration method [ AUTO ]
+IPv6 only [ NO ]
+- Checking configured nameservers
+- Testing nameservers
+Nameserver: 10.0.2.3 [ OK ]
+- Minimal of 2 responsive nameservers [ WARNING ]
+- Getting listening ports (TCP/UDP) [ DONE ]
+* Found 5 ports
+- Checking status DHCP client [ NOT ACTIVE ]
+- Checking for ARP monitoring software [ NOT FOUND ]
+
+[+] Printers and Spools
+------------------------------------
+- Checking cups daemon [ NOT FOUND ]
+- Checking lp daemon [ NOT RUNNING ]
+
+[+] Software: e-mail and messaging
+------------------------------------
+- Postfix status [ RUNNING ]
+- Postfix configuration [ FOUND ]
+
+[+] Software: firewalls
+------------------------------------
+- Checking iptables kernel module [ FOUND ]
+- Checking iptables policies of chains [ FOUND ]
+- Checking for empty ruleset [ OK ]
+- Checking for unused rules [ FOUND ]
+- Checking host based firewall [ ACTIVE ]
+
+[+] Software: webserver
+------------------------------------
+- Checking Apache (binary /usr/sbin/httpd2-prefork) [ FOUND ]
+Info: Configuration file found (/etc/apache2/httpd.conf)
+Info: No virtual hosts found
+* Loadable modules [ FOUND (117) ]
+- Found 117 loadable modules
+mod_evasive: anti-DoS/brute force [ NOT FOUND ]
+mod_reqtimeout/mod_qos [ FOUND ]
+ModSecurity: web application firewall [ NOT FOUND ]
+- Checking nginx [ NOT FOUND ]
+
+[+] SSH Support
+------------------------------------
+- Checking running SSH daemon [ FOUND ]
+- Searching SSH configuration [ FOUND ]
+- SSH option: AllowTcpForwarding [ SUGGESTION ]
+- SSH option: ClientAliveCountMax [ SUGGESTION ]
+- SSH option: ClientAliveInterval [ OK ]
+- SSH option: Compression [ SUGGESTION ]
+- SSH option: FingerprintHash [ OK ]
+- SSH option: GatewayPorts [ OK ]
+- SSH option: IgnoreRhosts [ OK ]
+- SSH option: LoginGraceTime [ OK ]
+- SSH option: LogLevel [ SUGGESTION ]
+- SSH option: MaxAuthTries [ SUGGESTION ]
+- SSH option: MaxSessions [ SUGGESTION ]
+- SSH option: PermitRootLogin [ SUGGESTION ]
+- SSH option: PermitUserEnvironment [ OK ]
+- SSH option: PermitTunnel [ OK ]
+- SSH option: Port [ SUGGESTION ]
+- SSH option: PrintLastLog [ OK ]
+- SSH option: Protocol [ NOT FOUND ]
+- SSH option: StrictModes [ OK ]
+- SSH option: TCPKeepAlive [ SUGGESTION ]
+- SSH option: UseDNS [ OK ]
+- SSH option: UsePrivilegeSeparation [ NOT FOUND ]
+- SSH option: VerifyReverseMapping [ NOT FOUND ]
+- SSH option: X11Forwarding [ SUGGESTION ]
+- SSH option: AllowAgentForwarding [ SUGGESTION ]
+- SSH option: AllowUsers [ NOT FOUND ]
+- SSH option: AllowGroups [ NOT FOUND ]
+
+[+] SNMP Support
+------------------------------------
+- Checking running SNMP daemon [ NOT FOUND ]
+
+[+] Databases
+------------------------------------
+No database engines found
+
+[+] LDAP Services
+------------------------------------
+- Checking OpenLDAP instance [ NOT FOUND ]
+
+[+] PHP
+------------------------------------
+- Checking PHP [ NOT FOUND ]
+
+[+] Squid Support
+------------------------------------
+- Checking running Squid daemon [ NOT FOUND ]
+
+[+] Logging and files
+------------------------------------
+- Checking for a running log daemon [ OK ]
+- Checking Syslog-NG status [ NOT FOUND ]
+- Checking systemd journal status [ FOUND ]
+- Checking Metalog status [ NOT FOUND ]
+- Checking RSyslog status [ FOUND ]
+- Checking RFC 3195 daemon status [ NOT FOUND ]
+- Checking minilogd instances [ NOT FOUND ]
+- Checking logrotate presence [ OK ]
+- Checking log directories (static list) [ DONE ]
+- Checking open log files [ DONE ]
+- Checking deleted files in use [ FILES FOUND ]
+
+[+] Insecure services
+------------------------------------
+- Checking inetd status [ NOT ACTIVE ]
+
+[+] Banners and identification
+------------------------------------
+- /etc/issue [ SYMLINK ]
+- /etc/issue contents [ WEAK ]
+- /etc/issue.net [ NOT FOUND ]
+
+[+] Scheduled tasks
+------------------------------------
+- Checking crontab/cronjob [ DONE ]
+
+[+] Accounting
+------------------------------------
+- Checking accounting information [ NOT FOUND ]
+- Checking sysstat accounting data [ NOT FOUND ]
+- Checking auditd [ ENABLED ]
+- Checking audit rules [ OK ]
+- Checking audit configuration file [ OK ]
+- Checking auditd log file [ FOUND ]
+
+[+] Time and Synchronization
+------------------------------------
+
+[+] Cryptography
+------------------------------------
+- Checking for expired SSL certificates [0/0] [ NONE ]
+
+[+] Virtualization
+------------------------------------
+
+[+] Containers
+------------------------------------
+
+[+] Security frameworks
+------------------------------------
+- Checking presence AppArmor [ FOUND ]
+- Checking AppArmor status [ ENABLED ]
+- Checking presence SELinux [ NOT FOUND ]
+- Checking presence grsecurity [ NOT FOUND ]
+- Checking for implemented MAC framework [ OK ]
+
+[+] Software: file integrity
+------------------------------------
+- Checking file integrity tools
+- Checking presence integrity tool [ NOT FOUND ]
+
+[+] Software: System tooling
+------------------------------------
+- Checking automation tooling
+- Automation tooling [ NOT FOUND ]
+- Checking for IDS/IPS tooling [ NONE ]
+
+[+] Software: Malware
+------------------------------------
+
+[+] File Permissions
+------------------------------------
+- Starting file permissions check
+/root/.ssh [ OK ]
+
+[+] Home directories
+------------------------------------
+- Checking shell history files [ OK ]
+
+[+] Kernel Hardening
+------------------------------------
+- Comparing sysctl key pairs with scan profile
+- fs.protected_hardlinks (exp: 1) [ OK ]
+- fs.protected_symlinks (exp: 1) [ OK ]
+- fs.suid_dumpable (exp: 0) [ DIFFERENT ]
+- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
+- kernel.ctrl-alt-del (exp: 0) [ OK ]
+- kernel.dmesg_restrict (exp: 1) [ OK ] +- kernel.kptr_restrict (exp: 2) [ DIFFERENT ] +- kernel.randomize_va_space (exp: 2) [ OK ] +- kernel.suid_dumpable (exp: 0) [ DIFFERENT ] +- kernel.sysrq (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ] +- net.ipv4.conf.all.forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ] +- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ] +- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ] +- net.ipv4.tcp_syncookies (exp: 1) [ OK ] +- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ] +- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ] + +[+] Hardening +------------------------------------ +- Installed compiler(s) [ FOUND ] +- Installed malware scanner [ NOT FOUND ] + +[+] System Tools +------------------------------------ +- Starting dbus policy check... 
+Warning: Package autofs-5.1.3-7.3.1.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.AutoMount.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.AUTO4.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP4.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP6.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.Nanny.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.conf [ WARNING ] +Warning: Package snapper-0.8.15-1.28.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.conf [ WARNING ] +Warning: Package systemd-246.10-1.5.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] +Warning: Package snapper-0.8.15-1.28.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] + +[+] Users, Groups and Authentication +------------------------------------ +- Starting password check for users... + +[+] Binary integrity +------------------------------------ +- Starting binary RPATH check... +No bad RPATH usage found in 4450 executables [ OK ] + +[+] File systems +------------------------------------ +- Starting look-up of symlinks in /tmp... + +[+] File systems +------------------------------------ +- Starting file permissions check for world-writeable files... +/tmp is world-writeable [ WARNING ] + +[+] Memory and processes +------------------------------------ +- Starting look-up of 'nobody' processes... 
+ +[+] Networking +------------------------------------ +- Starting verifying open network ports (22 25 80 111 443)... + +[+] Custom Tests +------------------------------------ +- Running custom tests...  [ NONE ] + +[+] Plugins (phase 2) +------------------------------------ + +================================================================================ + + -[ Lynis 2.6.1 Results ]- + + Warnings (2): + ---------------------------- + ! Version of Lynis is very old and should be updated [LYNIS] + https://cisofy.com/controls/LYNIS/ + + ! Couldn't find 2 responsive nameservers [NETW-2705] + https://cisofy.com/controls/NETW-2705/ + + Suggestions (35): + ---------------------------- + * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] + https://cisofy.com/controls/BOOT-5122/ + + * Protect rescue.service by using sulogin [BOOT-5260] + https://cisofy.com/controls/BOOT-5260/ + + * Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support [KRNL-5677] + https://cisofy.com/controls/KRNL-5677/ + + * Configure minimum password age in /etc/login.defs [AUTH-9286] + https://cisofy.com/controls/AUTH-9286/ + + * Configure maximum password age in /etc/login.defs [AUTH-9286] + https://cisofy.com/controls/AUTH-9286/ + + * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] + https://cisofy.com/controls/AUTH-9328/ + + * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] + https://cisofy.com/controls/STRG-1840/ + + * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] + https://cisofy.com/controls/STRG-1846/ + + * Check DNS configuration for the dns domain name [NAME-4028] + https://cisofy.com/controls/NAME-4028/ + + * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404] + https://cisofy.com/controls/NAME-4404/ 
+ + * Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705] + https://cisofy.com/controls/NETW-2705/ + + * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] + https://cisofy.com/controls/NETW-3032/ + + * Check iptables rules to see which rules are currently not used [FIRE-4513] + https://cisofy.com/controls/FIRE-4513/ + + * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] + https://cisofy.com/controls/HTTP-6640/ + + * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] + https://cisofy.com/controls/HTTP-6643/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowTcpForwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : ClientAliveCountMax (3 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Compression (YES --> (DELAYED|NO)) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : LogLevel (INFO --> VERBOSE) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxAuthTries (6 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxSessions (10 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : PermitRootLogin (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Port (22 --> ) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : TCPKeepAlive (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : X11Forwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * 
Consider hardening SSH configuration [SSH-7408] + - Details : AllowAgentForwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Check what deleted files are still in use and why. [LOGG-2190] + https://cisofy.com/controls/LOGG-2190/ + + * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] + https://cisofy.com/controls/BANN-7126/ + + * Enable process accounting [ACCT-9622] + https://cisofy.com/controls/ACCT-9622/ + + * Enable sysstat to collect accounting (no results) [ACCT-9626] + https://cisofy.com/controls/ACCT-9626/ + + * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] + https://cisofy.com/controls/FINT-4350/ + + * Determine if automation tools are present for system management [TOOL-5002] + https://cisofy.com/controls/TOOL-5002/ + + * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] + - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:) + https://cisofy.com/controls/KRNL-6000/ + + * Harden compilers like restricting access to root user only [HRDN-7222] + https://cisofy.com/controls/HRDN-7222/ + + * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] + - Solution : Install a tool like rkhunter, chkrootkit, OSSEC + https://cisofy.com/controls/HRDN-7230/ + + Follow-up: + ---------------------------- + - Show details of a test (lynis show details TEST-ID) + - Check the logfile for all details (less /var/log/lynis.log) + - Read security controls texts (https://cisofy.com) + - Use --upload to upload data to central system (Lynis Enterprise users) + +================================================================================ + + Lynis security scan details: + + Hardening index : 87 [################# ] + Tests performed : 222 + Plugins enabled : 0 + + Components: + - Firewall [V] + - Malware scanner [X] + + Lynis Modules: + - Compliance Status [?] 
+ - Security Audit [V] + - Vulnerability Scan [V] + + Files: + - Test and debug information : /var/log/lynis.log + - Report data : /var/log/lynis-report.dat + +================================================================================ + Notice: Lynis update available + Current version : 261 Latest version : 303 +================================================================================ + + Lynis 2.6.1 + + Auditing, system hardening, and compliance for UNIX-based systems + (Linux, macOS, BSD, and others) + + 2007-2018, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) + +================================================================================ + + [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings) + diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-ppc64le-gnome b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-ppc64le-gnome new file mode 100644 index 000000000000..c8bab840e774 --- /dev/null +++ b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-ppc64le-gnome 
@@ -0,0 +1,639 @@ + +[ Lynis 2.6.1 ] + +################################################################################ + Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are + welcome to redistribute it under the terms of the GNU General Public License. + See the LICENSE file for details about using this software. + + 2007-2018, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) +################################################################################ + + +[+] Initializing program +------------------------------------ +- Detecting OS...  [ DONE ] +- Checking profiles... [ DONE ] + + --------------------------------------------------- + Program version: 2.6.1 + Operating system: Linux + Operating system name: Linux + Operating system version: 5.3.18-47-default + Kernel version: 5.3.18 + Hardware platform: ppc64le + Hostname: susetest + --------------------------------------------------- + Profiles: /etc/lynis/default.prf + Log file: /var/log/lynis.log + Report file: /var/log/lynis-report.dat + Report version: 1.0 + Plugin directory: /usr/share/lynis/plugins + --------------------------------------------------- + Auditor: [Not Specified] + Language: en + Test category: all + Test group: all + --------------------------------------------------- +- Program update status...  [ WARNING ] + + =============================================================================== + Lynis update available + =============================================================================== + + Current version is more than 4 months old + + Current version : 261 Latest version : 303 + + Please update to the latest version. + New releases include additional features, bug fixes, tests, and baselines. 
+ + Download the latest version: + + Packages (DEB/RPM) - https://packages.cisofy.com + Website (TAR) - https://cisofy.com/downloads/ + GitHub (source) - https://github.com/CISOfy/lynis + + =============================================================================== + + +[+] System Tools +------------------------------------ +- Scanning available tools... +- Checking system binaries... + +[+] Plugins (phase 1) +------------------------------------ +Note: plugins have more extensive tests and may take several minutes to complete +  +- Plugins enabled [ NONE ] + +[+] Boot and services +------------------------------------ +- Service Manager [ systemd ] +- Checking UEFI boot [ DISABLED ] +- Checking presence GRUB2 [ FOUND ] +- Checking for password protection [ WARNING ] +- Check running services (systemctl) [ DONE ] +Result: found 32 running services +- Check enabled services at boot (systemctl) [ DONE ] +Result: found 36 enabled services +- Check startup files (permissions) [ OK ] +- Checking sulogin in rescue.service [ NOT FOUND ] + +[+] Kernel +------------------------------------ +- Checking default runlevel [ runlevel 5 ] +- Checking CPU support (NX/PAE) +CPU support: No PAE or NoeXecute supported [ NONE ] +- Checking kernel version and release [ DONE ] +- Checking kernel type [ DONE ] +- Checking loaded kernel modules [ DONE ] +Found 79 active modules +- Checking Linux kernel configuration file [ FOUND ] +- Checking default I/O kernel scheduler [ NOT FOUND ] +- Checking core dumps configuration [ DISABLED ] +- Checking setuid core dumps configuration [ PROTECTED ] +- Check if reboot is needed [ UNKNOWN ] + +[+] Memory and Processes +------------------------------------ +- Checking /proc/meminfo [ FOUND ] +- Searching for dead/zombie processes [ OK ] +- Searching for IO waiting processes [ OK ] + +[+] Users, Groups and Authentication +------------------------------------ +- Administrator accounts [ OK ] +- Unique UIDs [ OK ] +- Consistency of group files 
(grpck) [ OK ] +- Unique group IDs [ OK ] +- Unique group names [ OK ] +- Password file consistency [ OK ] +- Query system users (non daemons) [ DONE ] +- NIS+ authentication support [ NOT ENABLED ] +- NIS authentication support [ NOT ENABLED ] +- sudoers file [ FOUND ] +- Check sudoers file permissions [ OK ] +- PAM password strength tools [ OK ] +- PAM configuration file (pam.conf) [ NOT FOUND ] +- PAM configuration files (pam.d) [ FOUND ] +- PAM modules [ FOUND ] +- LDAP module in PAM [ NOT FOUND ] +- Accounts without expire date [ OK ] +- Accounts without password [ OK ] +- Checking user password aging (minimum) [ DISABLED ] +- User password aging (maximum) [ DISABLED ] +- Checking expired passwords [ OK ] +- Determining default umask +- umask (/etc/profile) [ NOT FOUND ] +- umask (/etc/login.defs) [ SUGGESTION ] +- LDAP authentication support [ NOT ENABLED ] +- Logging failed login attempts [ DISABLED ] + +[+] Shells +------------------------------------ +- Checking shells from /etc/shells +Result: found 24 shells (valid shells: 16). 
+- Session timeout settings/tools [ NONE ] +- Checking default umask values +- Checking default umask in /etc/bash.bashrc [ NONE ] +- Checking default umask in /etc/csh.cshrc [ NONE ] +- Checking default umask in /etc/profile [ NONE ] + +[+] File systems +------------------------------------ +- Checking mount points +- Checking /home mount point [ OK ] +- Checking /tmp mount point [ OK ] +- Checking /var mount point [ OK ] +- Query swap partitions (fstab) [ OK ] +- Testing swap partitions [ OK ] +- Testing /proc mount (hidepid) [ SUGGESTION ] +- Checking for old files in /tmp [ OK ] +- Checking /tmp sticky bit [ OK ] +- Checking /var/tmp sticky bit [ OK ] +- ACL support root file system [ ENABLED ] +- Mount options of / [ OK ] +- Mount options of /home [ NON DEFAULT ] +- Mount options of /tmp [ NON DEFAULT ] +- Mount options of /var [ NON DEFAULT ] +- Disable kernel support of some filesystems +- Discovered kernel modules: cramfs hfsplus squashfs udf  + +[+] USB Devices +------------------------------------ +- Checking usb-storage driver (modprobe config) [ NOT DISABLED ] +- Checking USB devices authorization [ ENABLED ] +- Checking USBGuard [ NOT FOUND ] + +[+] Storage +------------------------------------ +- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ] + +[+] NFS +------------------------------------ +- Query rpc registered programs [ DONE ] +- Query NFS versions [ DONE ] +- Query NFS protocols [ DONE ] +- Check running NFS daemon [ NOT FOUND ] + +[+] Name services +------------------------------------ +- Searching DNS domain name [ UNKNOWN ] +- Checking nscd status [ RUNNING ] +- Checking /etc/hosts +- Checking /etc/hosts (duplicates) [ OK ] +- Checking /etc/hosts (hostname) [ SUGGESTION ] +- Checking /etc/hosts (localhost) [ OK ] +- Checking /etc/hosts (localhost to IP) [ OK ] + +[+] Ports and packages +------------------------------------ +- Searching package managers +- Searching RPM package manager [ FOUND ] +- Querying RPM package 
manager +- Using Zypper to find vulnerable packages [ NONE ] +- Checking package audit tool [ INSTALLED ] +Found: zypper + +[+] Networking +------------------------------------ +- Checking IPv6 configuration [ ENABLED ] +Configuration method [ AUTO ] +IPv6 only [ NO ] +- Checking configured nameservers +- Testing nameservers +Nameserver: 10.0.2.3 [ OK ] +Nameserver: fec0::3 [ OK ] +- Minimal of 2 responsive nameservers [ OK ] +- Getting listening ports (TCP/UDP) [ DONE ] +* Found 5 ports +- Checking status DHCP client [ NOT ACTIVE ] +- Checking for ARP monitoring software [ NOT FOUND ] + +[+] Printers and Spools +------------------------------------ +- Checking cups daemon [ NOT FOUND ] +- Checking lp daemon [ NOT RUNNING ] + +[+] Software: e-mail and messaging +------------------------------------ +- Postfix status [ RUNNING ] +- Postfix configuration [ FOUND ] + +[+] Software: firewalls +------------------------------------ +- Checking iptables kernel module [ FOUND ] +- Checking iptables policies of chains [ FOUND ] +- Checking for empty ruleset [ OK ] +- Checking for unused rules [ FOUND ] +- Checking host based firewall [ ACTIVE ] + +[+] Software: webserver +------------------------------------ +- Checking Apache (binary /usr/sbin/httpd2-prefork) [ FOUND ] +Info: Configuration file found (/etc/apache2/httpd.conf) +Info: No virtual hosts found +* Loadable modules [ FOUND (117) ] +- Found 117 loadable modules +mod_evasive: anti-DoS/brute force [ NOT FOUND ] +mod_reqtimeout/mod_qos [ FOUND ] +ModSecurity: web application firewall [ NOT FOUND ] +- Checking nginx [ NOT FOUND ] + +[+] SSH Support +------------------------------------ +- Checking running SSH daemon [ FOUND ] +- Searching SSH configuration [ FOUND ] +- SSH option: AllowTcpForwarding [ SUGGESTION ] +- SSH option: ClientAliveCountMax [ SUGGESTION ] +- SSH option: ClientAliveInterval [ OK ] +- SSH option: Compression [ SUGGESTION ] +- SSH option: FingerprintHash [ OK ] +- SSH option: GatewayPorts [ OK ] 
+- SSH option: IgnoreRhosts [ OK ] +- SSH option: LoginGraceTime [ OK ] +- SSH option: LogLevel [ SUGGESTION ] +- SSH option: MaxAuthTries [ SUGGESTION ] +- SSH option: MaxSessions [ SUGGESTION ] +- SSH option: PermitRootLogin [ SUGGESTION ] +- SSH option: PermitUserEnvironment [ OK ] +- SSH option: PermitTunnel [ OK ] +- SSH option: Port [ SUGGESTION ] +- SSH option: PrintLastLog [ OK ] +- SSH option: Protocol [ NOT FOUND ] +- SSH option: StrictModes [ OK ] +- SSH option: TCPKeepAlive [ SUGGESTION ] +- SSH option: UseDNS [ OK ] +- SSH option: UsePrivilegeSeparation [ NOT FOUND ] +- SSH option: VerifyReverseMapping [ NOT FOUND ] +- SSH option: X11Forwarding [ SUGGESTION ] +- SSH option: AllowAgentForwarding [ SUGGESTION ] +- SSH option: AllowUsers [ NOT FOUND ] +- SSH option: AllowGroups [ NOT FOUND ] + +[+] SNMP Support +------------------------------------ +- Checking running SNMP daemon [ NOT FOUND ] + +[+] Databases +------------------------------------ +No database engines found + +[+] LDAP Services +------------------------------------ +- Checking OpenLDAP instance [ NOT FOUND ] + +[+] PHP +------------------------------------ +- Checking PHP [ NOT FOUND ] + +[+] Squid Support +------------------------------------ +- Checking running Squid daemon [ NOT FOUND ] + +[+] Logging and files +------------------------------------ +- Checking for a running log daemon [ OK ] +- Checking Syslog-NG status [ NOT FOUND ] +- Checking systemd journal status [ FOUND ] +- Checking Metalog status [ NOT FOUND ] +- Checking RSyslog status [ FOUND ] +- Checking RFC 3195 daemon status [ NOT FOUND ] +- Checking minilogd instances [ NOT FOUND ] +- Checking logrotate presence [ OK ] +- Checking log directories (static list) [ DONE ] +- Checking open log files [ DONE ] +- Checking deleted files in use [ FILES FOUND ] + +[+] Insecure services +------------------------------------ +- Checking inetd status [ NOT ACTIVE ] + +[+] Banners and identification 
+------------------------------------ +- /etc/issue [ SYMLINK ] +- /etc/issue contents [ WEAK ] +- /etc/issue.net [ NOT FOUND ] + +[+] Scheduled tasks +------------------------------------ +- Checking crontab/cronjob [ DONE ] + +[+] Accounting +------------------------------------ +- Checking accounting information [ NOT FOUND ] +- Checking sysstat accounting data [ NOT FOUND ] +- Checking auditd [ ENABLED ] +- Checking audit rules [ OK ] +- Checking audit configuration file [ OK ] +- Checking auditd log file [ FOUND ] + +[+] Time and Synchronization +------------------------------------ + +[+] Cryptography +------------------------------------ +- Checking for expired SSL certificates [0/2] [ NONE ] + +[+] Virtualization +------------------------------------ + +[+] Containers +------------------------------------ + +[+] Security frameworks +------------------------------------ +- Checking presence AppArmor [ FOUND ] +- Checking AppArmor status [ ENABLED ] +- Checking presence SELinux [ NOT FOUND ] +- Checking presence grsecurity [ NOT FOUND ] +- Checking for implemented MAC framework [ OK ] + +[+] Software: file integrity +------------------------------------ +- Checking file integrity tools +- Checking presence integrity tool [ NOT FOUND ] + +[+] Software: System tooling +------------------------------------ +- Checking automation tooling +- Automation tooling [ NOT FOUND ] +- Checking for IDS/IPS tooling [ NONE ] + +[+] Software: Malware +------------------------------------ + +[+] File Permissions +------------------------------------ +- Starting file permissions check +/root/.ssh [ OK ] + +[+] Home directories +------------------------------------ +- Checking shell history files [ OK ] + +[+] Kernel Hardening +------------------------------------ +- Comparing sysctl key pairs with scan profile +- fs.protected_hardlinks (exp: 1) [ OK ] +- fs.protected_symlinks (exp: 1) [ OK ] +- fs.suid_dumpable (exp: 0) [ DIFFERENT ] +- kernel.core_uses_pid (exp: 1) [ DIFFERENT 
] +- kernel.ctrl-alt-del (exp: 0) [ OK ] +- kernel.dmesg_restrict (exp: 1) [ OK ] +- kernel.kptr_restrict (exp: 2) [ DIFFERENT ] +- kernel.randomize_va_space (exp: 2) [ OK ] +- kernel.suid_dumpable (exp: 0) [ DIFFERENT ] +- kernel.sysrq (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ] +- net.ipv4.conf.all.forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ] +- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ] +- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ] +- net.ipv4.tcp_syncookies (exp: 1) [ OK ] +- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ] +- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ] + +[+] Hardening +------------------------------------ +- Installed compiler(s) [ FOUND ] +- Installed malware scanner [ NOT FOUND ] + +[+] System Tools +------------------------------------ +- Starting dbus policy check... 
+Warning: Package autofs-5.1.3-7.3.1.ppc64le installs an unknown D-BUS autostart/system service: org.freedesktop.AutoMount.conf [ WARNING ] +Warning: Package geoclue2-2.5.4-1.32.ppc64le installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.Agent.conf [ WARNING ] +Warning: Package geoclue2-2.5.4-1.32.ppc64le installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Network.AUTO4.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP4.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP6.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Network.Nanny.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Network.conf [ WARNING ] +Warning: Package snapper-0.8.15-1.28.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.conf [ WARNING ] +Warning: Package bluez-5.55-1.52.ppc64le installs an unknown D-BUS autostart/system service: org.bluez.service [ WARNING ] +Warning: Package flatpak-1.10.1-1.11.ppc64le installs an unknown D-BUS autostart/system service: org.freedesktop.Flatpak.SystemHelper.service [ WARNING ] +Warning: Package geoclue2-2.5.4-1.32.ppc64le installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.service [ WARNING ] +Warning: Package fwupd-1.5.3-1.32.ppc64le installs an unknown D-BUS autostart/system service: org.freedesktop.fwupd.service [ WARNING ] +Warning: Package systemd-246.10-1.5.ppc64le installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] +Warning: Package 
snapper-0.8.15-1.28.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] + +[+] Users, Groups and Authentication +------------------------------------ +- Starting password check for users... + +[+] Binary integrity +------------------------------------ +- Starting binary RPATH check... +No bad RPATH usage found in 6243 executables [ OK ] + +[+] File systems +------------------------------------ +- Starting look-up of symlinks in /tmp... + +[+] File systems +------------------------------------ +- Starting file permissions check for world-writeable files... +/tmp is world-writeable [ WARNING ] + +[+] Memory and processes +------------------------------------ +- Starting look-up of 'nobody' processes... + +[+] Networking +------------------------------------ +- Starting verifying open network ports (22 25 80 111 443)... + +[+] Custom Tests +------------------------------------ +- Running custom tests...  [ NONE ] + +[+] Plugins (phase 2) +------------------------------------ + +================================================================================ + + -[ Lynis 2.6.1 Results ]- + + Warnings (1): + ---------------------------- + ! Version of Lynis is very old and should be updated [LYNIS] + https://cisofy.com/controls/LYNIS/ + + Suggestions (34): + ---------------------------- + * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. 
boot in single user mode without password) [BOOT-5122] + https://cisofy.com/controls/BOOT-5122/ + + * Protect rescue.service by using sulogin [BOOT-5260] + https://cisofy.com/controls/BOOT-5260/ + + * Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support [KRNL-5677] + https://cisofy.com/controls/KRNL-5677/ + + * Configure minimum password age in /etc/login.defs [AUTH-9286] + https://cisofy.com/controls/AUTH-9286/ + + * Configure maximum password age in /etc/login.defs [AUTH-9286] + https://cisofy.com/controls/AUTH-9286/ + + * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] + https://cisofy.com/controls/AUTH-9328/ + + * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] + https://cisofy.com/controls/STRG-1840/ + + * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] + https://cisofy.com/controls/STRG-1846/ + + * Check DNS configuration for the dns domain name [NAME-4028] + https://cisofy.com/controls/NAME-4028/ + + * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404] + https://cisofy.com/controls/NAME-4404/ + + * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] + https://cisofy.com/controls/NETW-3032/ + + * Check iptables rules to see which rules are currently not used [FIRE-4513] + https://cisofy.com/controls/FIRE-4513/ + + * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] + https://cisofy.com/controls/HTTP-6640/ + + * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] + https://cisofy.com/controls/HTTP-6643/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowTcpForwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : ClientAliveCountMax (3 --> 2) + 
https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Compression (YES --> (DELAYED|NO)) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : LogLevel (INFO --> VERBOSE) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxAuthTries (6 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxSessions (10 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : PermitRootLogin (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Port (22 --> ) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : TCPKeepAlive (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : X11Forwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowAgentForwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Check what deleted files are still in use and why. 
[LOGG-2190] + https://cisofy.com/controls/LOGG-2190/ + + * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] + https://cisofy.com/controls/BANN-7126/ + + * Enable process accounting [ACCT-9622] + https://cisofy.com/controls/ACCT-9622/ + + * Enable sysstat to collect accounting (no results) [ACCT-9626] + https://cisofy.com/controls/ACCT-9626/ + + * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] + https://cisofy.com/controls/FINT-4350/ + + * Determine if automation tools are present for system management [TOOL-5002] + https://cisofy.com/controls/TOOL-5002/ + + * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] + - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:) + https://cisofy.com/controls/KRNL-6000/ + + * Harden compilers like restricting access to root user only [HRDN-7222] + https://cisofy.com/controls/HRDN-7222/ + + * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] + - Solution : Install a tool like rkhunter, chkrootkit, OSSEC + https://cisofy.com/controls/HRDN-7230/ + + Follow-up: + ---------------------------- + - Show details of a test (lynis show details TEST-ID) + - Check the logfile for all details (less /var/log/lynis.log) + - Read security controls texts (https://cisofy.com) + - Use --upload to upload data to central system (Lynis Enterprise users) + +================================================================================ + + Lynis security scan details: + + Hardening index : 91 [################## ] + Tests performed : 222 + Plugins enabled : 0 + + Components: + - Firewall [V] + - Malware scanner [X] + + Lynis Modules: + - Compliance Status [?] 
+ - Security Audit [V] + - Vulnerability Scan [V] + + Files: + - Test and debug information : /var/log/lynis.log + - Report data : /var/log/lynis-report.dat + +================================================================================ + Notice: Lynis update available + Current version : 261 Latest version : 303 +================================================================================ + + Lynis 2.6.1 + + Auditing, system hardening, and compliance for UNIX-based systems + (Linux, macOS, BSD, and others) + + 2007-2018, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) + +================================================================================ + + [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings) + diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-ppc64le-textmode b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-ppc64le-textmode new file mode 100644 index 000000000000..79469cde889a --- /dev/null +++ b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-ppc64le-textmode 
@@ -0,0 +1,635 @@ + +[ Lynis 2.6.1 ] + +################################################################################ + Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are + welcome to redistribute it under the terms of the GNU General Public License. + See the LICENSE file for details about using this software. + + 2007-2018, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) +################################################################################ + + +[+] Initializing program +------------------------------------ +- Detecting OS...  [ DONE ] +- Checking profiles... [ DONE ] + + --------------------------------------------------- + Program version: 2.6.1 + Operating system: Linux + Operating system name: Linux + Operating system version: 5.3.18-47-default + Kernel version: 5.3.18 + Hardware platform: ppc64le + Hostname: redcurrant-3 + --------------------------------------------------- + Profiles: /etc/lynis/default.prf + Log file: /var/log/lynis.log + Report file: /var/log/lynis-report.dat + Report version: 1.0 + Plugin directory: /usr/share/lynis/plugins + --------------------------------------------------- + Auditor: [Not Specified] + Language: en + Test category: all + Test group: all + --------------------------------------------------- +- Program update status...  [ WARNING ] + + =============================================================================== + Lynis update available + =============================================================================== + + Current version is more than 4 months old + + Current version : 261 Latest version : 303 + + Please update to the latest version. + New releases include additional features, bug fixes, tests, and baselines. 
+ + Download the latest version: + + Packages (DEB/RPM) - https://packages.cisofy.com + Website (TAR) - https://cisofy.com/downloads/ + GitHub (source) - https://github.com/CISOfy/lynis + + =============================================================================== + + +[+] System Tools +------------------------------------ +- Scanning available tools... +- Checking system binaries... + +[+] Plugins (phase 1) +------------------------------------ +Note: plugins have more extensive tests and may take several minutes to complete +  +- Plugins enabled [ NONE ] + +[+] Boot and services +------------------------------------ +- Service Manager [ systemd ] +- Checking UEFI boot [ DISABLED ] +- Checking presence GRUB2 [ FOUND ] +- Checking for password protection [ WARNING ] +- Check running services (systemctl) [ DONE ] +Result: found 24 running services +- Check enabled services at boot (systemctl) [ DONE ] +Result: found 30 enabled services +- Check startup files (permissions) [ OK ] +- Checking sulogin in rescue.service [ NOT FOUND ] + +[+] Kernel +------------------------------------ +- Checking default runlevel [ runlevel 3 ] +- Checking CPU support (NX/PAE) +CPU support: No PAE or NoeXecute supported [ NONE ] +- Checking kernel version and release [ DONE ] +- Checking kernel type [ DONE ] +- Checking loaded kernel modules [ DONE ] +Found 58 active modules +- Checking Linux kernel configuration file [ FOUND ] +- Checking default I/O kernel scheduler [ NOT FOUND ] +- Checking core dumps configuration [ DISABLED ] +- Checking setuid core dumps configuration [ PROTECTED ] +- Check if reboot is needed [ UNKNOWN ] + +[+] Memory and Processes +------------------------------------ +- Checking /proc/meminfo [ FOUND ] +- Searching for dead/zombie processes [ OK ] +- Searching for IO waiting processes [ OK ] + +[+] Users, Groups and Authentication +------------------------------------ +- Administrator accounts [ OK ] +- Unique UIDs [ OK ] +- Consistency of group files 
(grpck) [ OK ] +- Unique group IDs [ OK ] +- Unique group names [ OK ] +- Password file consistency [ OK ] +- Query system users (non daemons) [ DONE ] +- NIS+ authentication support [ NOT ENABLED ] +- NIS authentication support [ NOT ENABLED ] +- sudoers file [ FOUND ] +- Check sudoers file permissions [ OK ] +- PAM password strength tools [ OK ] +- PAM configuration file (pam.conf) [ NOT FOUND ] +- PAM configuration files (pam.d) [ FOUND ] +- PAM modules [ FOUND ] +- LDAP module in PAM [ NOT FOUND ] +- Accounts without expire date [ OK ] +- Accounts without password [ OK ] +- Checking user password aging (minimum) [ DISABLED ] +- User password aging (maximum) [ DISABLED ] +- Checking expired passwords [ OK ] +- Determining default umask +- umask (/etc/profile) [ NOT FOUND ] +- umask (/etc/login.defs) [ SUGGESTION ] +- LDAP authentication support [ NOT ENABLED ] +- Logging failed login attempts [ DISABLED ] + +[+] Shells +------------------------------------ +- Checking shells from /etc/shells +Result: found 24 shells (valid shells: 16). 
+- Session timeout settings/tools [ NONE ] +- Checking default umask values +- Checking default umask in /etc/bash.bashrc [ NONE ] +- Checking default umask in /etc/csh.cshrc [ NONE ] +- Checking default umask in /etc/profile [ NONE ] + +[+] File systems +------------------------------------ +- Checking mount points +- Checking /home mount point [ OK ] +- Checking /tmp mount point [ OK ] +- Checking /var mount point [ OK ] +- Query swap partitions (fstab) [ OK ] +- Testing swap partitions [ OK ] +- Testing /proc mount (hidepid) [ SUGGESTION ] +- Checking for old files in /tmp [ OK ] +- Checking /tmp sticky bit [ OK ] +- Checking /var/tmp sticky bit [ OK ] +- ACL support root file system [ ENABLED ] +- Mount options of / [ OK ] +- Mount options of /home [ NON DEFAULT ] +- Mount options of /tmp [ NON DEFAULT ] +- Mount options of /var [ NON DEFAULT ] +- Disable kernel support of some filesystems +- Discovered kernel modules: cramfs hfsplus squashfs udf  + +[+] USB Devices +------------------------------------ +- Checking usb-storage driver (modprobe config) [ NOT DISABLED ] +- Checking USB devices authorization [ DISABLED ] +- Checking USBGuard [ NOT FOUND ] + +[+] Storage +------------------------------------ +- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ] + +[+] NFS +------------------------------------ +- Query rpc registered programs [ DONE ] +- Query NFS versions [ DONE ] +- Query NFS protocols [ DONE ] +- Check running NFS daemon [ NOT FOUND ] + +[+] Name services +------------------------------------ +- Checking search domains [ FOUND ] +- Searching DNS domain name [ FOUND ] +Domain name: qa.suse.de +- Checking nscd status [ RUNNING ] +- Checking /etc/hosts +- Checking /etc/hosts (duplicates) [ OK ] +- Checking /etc/hosts (hostname) [ SUGGESTION ] +- Checking /etc/hosts (localhost) [ OK ] +- Checking /etc/hosts (localhost to IP) [ OK ] + +[+] Ports and packages +------------------------------------ +- Searching package managers +- Searching 
RPM package manager [ FOUND ] +- Querying RPM package manager +- Using Zypper to find vulnerable packages [ NONE ] +- Checking package audit tool [ INSTALLED ] +Found: zypper + +[+] Networking +------------------------------------ +- Checking IPv6 configuration [ ENABLED ] +Configuration method [ AUTO ] +IPv6 only [ NO ] +- Checking configured nameservers +- Testing nameservers +Nameserver: 2620:113:80c0:80a0:10:162:0:1 [ OK ] +Nameserver: 10.162.0.1 [ OK ] +- Minimal of 2 responsive nameservers [ OK ] +- Getting listening ports (TCP/UDP) [ DONE ] +* Found 14 ports +- Checking status DHCP client [ NOT ACTIVE ] +- Checking for ARP monitoring software [ NOT FOUND ] + +[+] Printers and Spools +------------------------------------ +- Checking cups daemon [ NOT FOUND ] +- Checking lp daemon [ NOT RUNNING ] + +[+] Software: e-mail and messaging +------------------------------------ +- Postfix status [ RUNNING ] +- Postfix configuration [ FOUND ] + +[+] Software: firewalls +------------------------------------ +- Checking iptables kernel module [ FOUND ] +- Checking iptables policies of chains [ FOUND ] +- Checking for empty ruleset [ OK ] +- Checking for unused rules [ FOUND ] +- Checking host based firewall [ ACTIVE ] + +[+] Software: webserver +------------------------------------ +- Checking Apache (binary /usr/sbin/httpd2-prefork) [ FOUND ] +Info: Configuration file found (/etc/apache2/httpd.conf) +Info: No virtual hosts found +* Loadable modules [ FOUND (117) ] +- Found 117 loadable modules +mod_evasive: anti-DoS/brute force [ NOT FOUND ] +mod_reqtimeout/mod_qos [ FOUND ] +ModSecurity: web application firewall [ NOT FOUND ] +- Checking nginx [ NOT FOUND ] + +[+] SSH Support +------------------------------------ +- Checking running SSH daemon [ FOUND ] +- Searching SSH configuration [ FOUND ] +- SSH option: AllowTcpForwarding [ SUGGESTION ] +- SSH option: ClientAliveCountMax [ SUGGESTION ] +- SSH option: ClientAliveInterval [ OK ] +- SSH option: Compression [ 
SUGGESTION ] +- SSH option: FingerprintHash [ OK ] +- SSH option: GatewayPorts [ OK ] +- SSH option: IgnoreRhosts [ OK ] +- SSH option: LoginGraceTime [ OK ] +- SSH option: LogLevel [ SUGGESTION ] +- SSH option: MaxAuthTries [ SUGGESTION ] +- SSH option: MaxSessions [ SUGGESTION ] +- SSH option: PermitRootLogin [ SUGGESTION ] +- SSH option: PermitUserEnvironment [ OK ] +- SSH option: PermitTunnel [ OK ] +- SSH option: Port [ SUGGESTION ] +- SSH option: PrintLastLog [ OK ] +- SSH option: Protocol [ NOT FOUND ] +- SSH option: StrictModes [ OK ] +- SSH option: TCPKeepAlive [ SUGGESTION ] +- SSH option: UseDNS [ OK ] +- SSH option: UsePrivilegeSeparation [ NOT FOUND ] +- SSH option: VerifyReverseMapping [ NOT FOUND ] +- SSH option: X11Forwarding [ SUGGESTION ] +- SSH option: AllowAgentForwarding [ SUGGESTION ] +- SSH option: AllowUsers [ NOT FOUND ] +- SSH option: AllowGroups [ NOT FOUND ] + +[+] SNMP Support +------------------------------------ +- Checking running SNMP daemon [ NOT FOUND ] + +[+] Databases +------------------------------------ +No database engines found + +[+] LDAP Services +------------------------------------ +- Checking OpenLDAP instance [ NOT FOUND ] + +[+] PHP +------------------------------------ +- Checking PHP [ NOT FOUND ] + +[+] Squid Support +------------------------------------ +- Checking running Squid daemon [ NOT FOUND ] + +[+] Logging and files +------------------------------------ +- Checking for a running log daemon [ OK ] +- Checking Syslog-NG status [ NOT FOUND ] +- Checking systemd journal status [ FOUND ] +- Checking Metalog status [ NOT FOUND ] +- Checking RSyslog status [ FOUND ] +- Checking RFC 3195 daemon status [ NOT FOUND ] +- Checking minilogd instances [ NOT FOUND ] +- Checking logrotate presence [ OK ] +- Checking log directories (static list) [ DONE ] +- Checking open log files [ DONE ] +- Checking deleted files in use [ FILES FOUND ] + +[+] Insecure services +------------------------------------ +- Checking inetd 
status [ NOT ACTIVE ] + +[+] Banners and identification +------------------------------------ +- /etc/issue [ SYMLINK ] +- /etc/issue contents [ WEAK ] +- /etc/issue.net [ NOT FOUND ] + +[+] Scheduled tasks +------------------------------------ +- Checking crontab/cronjob [ DONE ] + +[+] Accounting +------------------------------------ +- Checking accounting information [ NOT FOUND ] +- Checking sysstat accounting data [ NOT FOUND ] +- Checking auditd [ ENABLED ] +- Checking audit rules [ OK ] +- Checking audit configuration file [ OK ] +- Checking auditd log file [ FOUND ] + +[+] Time and Synchronization +------------------------------------ +- Checking for a running NTP daemon or client [ WARNING ] + +[+] Cryptography +------------------------------------ +- Checking for expired SSL certificates [0/0] [ NONE ] + +[+] Virtualization +------------------------------------ + +[+] Containers +------------------------------------ + +[+] Security frameworks +------------------------------------ +- Checking presence AppArmor [ NOT FOUND ] +- Checking presence SELinux [ NOT FOUND ] +- Checking presence grsecurity [ NOT FOUND ] +- Checking for implemented MAC framework [ NONE ] + +[+] Software: file integrity +------------------------------------ +- Checking file integrity tools +- Checking presence integrity tool [ NOT FOUND ] + +[+] Software: System tooling +------------------------------------ +- Checking automation tooling +- Automation tooling [ NOT FOUND ] +- Checking for IDS/IPS tooling [ NONE ] + +[+] Software: Malware +------------------------------------ + +[+] File Permissions +------------------------------------ +- Starting file permissions check +/root/.ssh [ OK ] + +[+] Home directories +------------------------------------ +- Checking shell history files [ OK ] + +[+] Kernel Hardening +------------------------------------ +- Comparing sysctl key pairs with scan profile +- fs.protected_hardlinks (exp: 1) [ OK ] +- fs.protected_symlinks (exp: 1) [ OK ] +- 
fs.suid_dumpable (exp: 0) [ DIFFERENT ] +- kernel.core_uses_pid (exp: 1) [ DIFFERENT ] +- kernel.ctrl-alt-del (exp: 0) [ OK ] +- kernel.dmesg_restrict (exp: 1) [ OK ] +- kernel.kptr_restrict (exp: 2) [ DIFFERENT ] +- kernel.randomize_va_space (exp: 2) [ OK ] +- kernel.suid_dumpable (exp: 0) [ DIFFERENT ] +- kernel.sysrq (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ] +- net.ipv4.conf.all.forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ] +- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ] +- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ] +- net.ipv4.tcp_syncookies (exp: 1) [ OK ] +- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ] +- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ] + +[+] Hardening +------------------------------------ +- Installed compiler(s) [ FOUND ] +- Installed malware scanner [ NOT FOUND ] + +[+] System Tools +------------------------------------ +- Starting dbus policy check... 
+Warning: Package autofs-5.1.3-7.3.1.ppc64le installs an unknown D-BUS autostart/system service: org.freedesktop.AutoMount.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Network.AUTO4.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Network.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP4.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP6.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Network.Nanny.conf [ WARNING ] +Warning: Package snapper-0.8.15-1.28.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.conf [ WARNING ] +Warning: Package systemd-246.10-1.5.ppc64le installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] +Warning: Package snapper-0.8.15-1.28.ppc64le installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] + +[+] Users, Groups and Authentication +------------------------------------ +- Starting password check for users... + +[+] Binary integrity +------------------------------------ +- Starting binary RPATH check... +No bad RPATH usage found in 4186 executables [ OK ] + +[+] File systems +------------------------------------ +- Starting look-up of symlinks in /tmp... + +[+] File systems +------------------------------------ +- Starting file permissions check for world-writeable files... +/tmp is world-writeable [ WARNING ] + +[+] Memory and processes +------------------------------------ +- Starting look-up of 'nobody' processes... 
+ +[+] Networking +------------------------------------ +- Starting verifying open network ports (22 25 80 111 443)... + +[+] Custom Tests +------------------------------------ +- Running custom tests...  [ NONE ] + +[+] Plugins (phase 2) +------------------------------------ + +================================================================================ + + -[ Lynis 2.6.1 Results ]- + + Warnings (1): + ---------------------------- + ! Version of Lynis is very old and should be updated [LYNIS] + https://cisofy.com/controls/LYNIS/ + + Suggestions (34): + ---------------------------- + * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] + https://cisofy.com/controls/BOOT-5122/ + + * Protect rescue.service by using sulogin [BOOT-5260] + https://cisofy.com/controls/BOOT-5260/ + + * Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support [KRNL-5677] + https://cisofy.com/controls/KRNL-5677/ + + * Configure minimum password age in /etc/login.defs [AUTH-9286] + https://cisofy.com/controls/AUTH-9286/ + + * Configure maximum password age in /etc/login.defs [AUTH-9286] + https://cisofy.com/controls/AUTH-9286/ + + * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] + https://cisofy.com/controls/AUTH-9328/ + + * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] + https://cisofy.com/controls/STRG-1840/ + + * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] + https://cisofy.com/controls/STRG-1846/ + + * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404] + https://cisofy.com/controls/NAME-4404/ + + * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] + https://cisofy.com/controls/NETW-3032/ + + * Check iptables rules to see which rules are currently not used [FIRE-4513] + 
https://cisofy.com/controls/FIRE-4513/ + + * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] + https://cisofy.com/controls/HTTP-6640/ + + * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] + https://cisofy.com/controls/HTTP-6643/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowTcpForwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : ClientAliveCountMax (3 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Compression (YES --> (DELAYED|NO)) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : LogLevel (INFO --> VERBOSE) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxAuthTries (6 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxSessions (10 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : PermitRootLogin (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Port (22 --> ) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : TCPKeepAlive (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : X11Forwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowAgentForwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Check what deleted files are still in use and why. 
[LOGG-2190] + https://cisofy.com/controls/LOGG-2190/ + + * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] + https://cisofy.com/controls/BANN-7126/ + + * Enable process accounting [ACCT-9622] + https://cisofy.com/controls/ACCT-9622/ + + * Enable sysstat to collect accounting (no results) [ACCT-9626] + https://cisofy.com/controls/ACCT-9626/ + + * Use NTP daemon or NTP client to prevent time issues. [TIME-3104] + https://cisofy.com/controls/TIME-3104/ + + * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] + https://cisofy.com/controls/FINT-4350/ + + * Determine if automation tools are present for system management [TOOL-5002] + https://cisofy.com/controls/TOOL-5002/ + + * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] + - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:) + https://cisofy.com/controls/KRNL-6000/ + + * Harden compilers like restricting access to root user only [HRDN-7222] + https://cisofy.com/controls/HRDN-7222/ + + * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] + - Solution : Install a tool like rkhunter, chkrootkit, OSSEC + https://cisofy.com/controls/HRDN-7230/ + + Follow-up: + ---------------------------- + - Show details of a test (lynis show details TEST-ID) + - Check the logfile for all details (less /var/log/lynis.log) + - Read security controls texts (https://cisofy.com) + - Use --upload to upload data to central system (Lynis Enterprise users) + +================================================================================ + + Lynis security scan details: + + Hardening index : 90 [################## ] + Tests performed : 221 + Plugins enabled : 0 + + Components: + - Firewall [V] + - Malware scanner [X] + + Lynis Modules: + - Compliance Status [?] 
+ - Security Audit [V] + - Vulnerability Scan [V] + + Files: + - Test and debug information : /var/log/lynis.log + - Report data : /var/log/lynis-report.dat + +================================================================================ + Notice: Lynis update available + Current version : 261 Latest version : 303 +================================================================================ + + Lynis 2.6.1 + + Auditing, system hardening, and compliance for UNIX-based systems + (Linux, macOS, BSD, and others) + + 2007-2018, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) + +================================================================================ + + [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings) + diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-s390x-gnome b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-s390x-gnome new file mode 100644 index 000000000000..6d35beb8749f --- /dev/null +++ b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-s390x-gnome 
@@ -0,0 +1,640 @@ + +[ Lynis 2.6.1 ] + +################################################################################ + Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are + welcome to redistribute it under the terms of the GNU General Public License. + See the LICENSE file for details about using this software. + + 2007-2018, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) +################################################################################ + + +[+] Initializing program +------------------------------------ +- Detecting OS...  [ DONE ] +- Checking profiles... [ DONE ] + + --------------------------------------------------- + Program version: 2.6.1 + Operating system: Linux + Operating system name: Linux + Operating system version: 5.3.18-47-default + Kernel version: 5.3.18 + Hardware platform: s390x + Hostname: susetest + --------------------------------------------------- + Profiles: /etc/lynis/default.prf + Log file: /var/log/lynis.log + Report file: /var/log/lynis-report.dat + Report version: 1.0 + Plugin directory: /usr/share/lynis/plugins + --------------------------------------------------- + Auditor: [Not Specified] + Language: en + Test category: all + Test group: all + --------------------------------------------------- +- Program update status...  [ WARNING ] + + =============================================================================== + Lynis update available + =============================================================================== + + Current version is more than 4 months old + + Current version : 261 Latest version : 303 + + Please update to the latest version. + New releases include additional features, bug fixes, tests, and baselines. 
+ + Download the latest version: + + Packages (DEB/RPM) - https://packages.cisofy.com + Website (TAR) - https://cisofy.com/downloads/ + GitHub (source) - https://github.com/CISOfy/lynis + + =============================================================================== + + +[+] System Tools +------------------------------------ +- Scanning available tools... +- Checking system binaries... + +[+] Plugins (phase 1) +------------------------------------ +Note: plugins have more extensive tests and may take several minutes to complete +  +- Plugins enabled [ NONE ] + +[+] Boot and services +------------------------------------ +- Service Manager [ systemd ] +- Checking UEFI boot [ DISABLED ] +- Checking presence GRUB2 [ FOUND ] +- Checking for password protection [ WARNING ] +- Check running services (systemctl) [ DONE ] +Result: found 31 running services +- Check enabled services at boot (systemctl) [ DONE ] +Result: found 32 enabled services +- Check startup files (permissions) [ OK ] +- Checking sulogin in rescue.service [ NOT FOUND ] + +[+] Kernel +------------------------------------ +- Checking default runlevel [ runlevel 5 ] +- Checking CPU support (NX/PAE) +CPU support: No PAE or NoeXecute supported [ NONE ] +- Checking kernel version and release [ DONE ] +- Checking kernel type [ DONE ] +- Checking loaded kernel modules [ DONE ] +Found 74 active modules +- Checking Linux kernel configuration file [ FOUND ] +- Checking default I/O kernel scheduler [ NOT FOUND ] +- Checking core dumps configuration [ DISABLED ] +- Checking setuid core dumps configuration [ PROTECTED ] +- Check if reboot is needed [ UNKNOWN ] + +[+] Memory and Processes +------------------------------------ +- Checking /proc/meminfo [ FOUND ] +- Searching for dead/zombie processes [ OK ] +- Searching for IO waiting processes [ OK ] + +[+] Users, Groups and Authentication +------------------------------------ +- Administrator accounts [ OK ] +- Unique UIDs [ OK ] +- Consistency of group files 
(grpck) [ OK ] +- Unique group IDs [ OK ] +- Unique group names [ OK ] +- Password file consistency [ OK ] +- Query system users (non daemons) [ DONE ] +- NIS+ authentication support [ NOT ENABLED ] +- NIS authentication support [ NOT ENABLED ] +- sudoers file [ FOUND ] +- Check sudoers file permissions [ OK ] +- PAM password strength tools [ OK ] +- PAM configuration file (pam.conf) [ NOT FOUND ] +- PAM configuration files (pam.d) [ FOUND ] +- PAM modules [ FOUND ] +- LDAP module in PAM [ NOT FOUND ] +- Accounts without expire date [ OK ] +- Accounts without password [ OK ] +- Checking user password aging (minimum) [ DISABLED ] +- User password aging (maximum) [ DISABLED ] +- Checking expired passwords [ OK ] +- Determining default umask +- umask (/etc/profile) [ NOT FOUND ] +- umask (/etc/login.defs) [ SUGGESTION ] +- LDAP authentication support [ NOT ENABLED ] +- Logging failed login attempts [ DISABLED ] + +[+] Shells +------------------------------------ +- Checking shells from /etc/shells +Result: found 25 shells (valid shells: 17). 
+- Session timeout settings/tools [ NONE ] +- Checking default umask values +- Checking default umask in /etc/bash.bashrc [ NONE ] +- Checking default umask in /etc/csh.cshrc [ NONE ] +- Checking default umask in /etc/profile [ NONE ] + +[+] File systems +------------------------------------ +- Checking mount points +- Checking /home mount point [ OK ] +- Checking /tmp mount point [ OK ] +- Checking /var mount point [ OK ] +- Query swap partitions (fstab) [ OK ] +- Testing swap partitions [ OK ] +- Testing /proc mount (hidepid) [ SUGGESTION ] +- Checking for old files in /tmp [ OK ] +- Checking /tmp sticky bit [ OK ] +- Checking /var/tmp sticky bit [ OK ] +- ACL support root file system [ ENABLED ] +- Mount options of / [ OK ] +- Mount options of /home [ NON DEFAULT ] +- Mount options of /tmp [ NON DEFAULT ] +- Mount options of /var [ NON DEFAULT ] +- Disable kernel support of some filesystems +- Discovered kernel modules: cramfs hfsplus squashfs udf  + +[+] USB Devices +------------------------------------ +- Checking usb-storage driver (modprobe config) [ NOT DISABLED ] +- Checking USB devices authorization [ DISABLED ] +- Checking USBGuard [ NOT FOUND ] + +[+] Storage +------------------------------------ +- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ] + +[+] NFS +------------------------------------ +- Query rpc registered programs [ DONE ] +- Query NFS versions [ DONE ] +- Query NFS protocols [ DONE ] +- Check running NFS daemon [ NOT FOUND ] + +[+] Name services +------------------------------------ +- Checking search domains [ FOUND ] +- Searching DNS domain name [ UNKNOWN ] +- Checking nscd status [ RUNNING ] +- Checking /etc/hosts +- Checking /etc/hosts (duplicates) [ OK ] +- Checking /etc/hosts (hostname) [ SUGGESTION ] +- Checking /etc/hosts (localhost) [ OK ] +- Checking /etc/hosts (localhost to IP) [ OK ] + +[+] Ports and packages +------------------------------------ +- Searching package managers +- Searching RPM package manager [ 
FOUND ] +- Querying RPM package manager +- Using Zypper to find vulnerable packages [ NONE ] +- Checking package audit tool [ INSTALLED ] +Found: zypper + +[+] Networking +------------------------------------ +- Checking IPv6 configuration [ ENABLED ] +Configuration method [ AUTO ] +IPv6 only [ NO ] +- Checking configured nameservers +- Testing nameservers +Nameserver: 10.160.2.88 [ OK ] +Nameserver: 10.160.0.1 [ OK ] +- Minimal of 2 responsive nameservers [ OK ] +- Getting listening ports (TCP/UDP) [ DONE ] +* Found 35 ports +- Checking status DHCP client [ NOT ACTIVE ] +- Checking for ARP monitoring software [ NOT FOUND ] + +[+] Printers and Spools +------------------------------------ +- Checking cups daemon [ NOT FOUND ] +- Checking lp daemon [ NOT RUNNING ] + +[+] Software: e-mail and messaging +------------------------------------ +- Postfix status [ RUNNING ] +- Postfix configuration [ FOUND ] + +[+] Software: firewalls +------------------------------------ +- Checking iptables kernel module [ FOUND ] +- Checking iptables policies of chains [ FOUND ] +- Checking for empty ruleset [ OK ] +- Checking for unused rules [ FOUND ] +- Checking host based firewall [ ACTIVE ] + +[+] Software: webserver +------------------------------------ +- Checking Apache (binary /usr/sbin/httpd2-prefork) [ FOUND ] +Info: Configuration file found (/etc/apache2/httpd.conf) +Info: No virtual hosts found +* Loadable modules [ FOUND (117) ] +- Found 117 loadable modules +mod_evasive: anti-DoS/brute force [ NOT FOUND ] +mod_reqtimeout/mod_qos [ FOUND ] +ModSecurity: web application firewall [ NOT FOUND ] +- Checking nginx [ NOT FOUND ] + +[+] SSH Support +------------------------------------ +- Checking running SSH daemon [ FOUND ] +- Searching SSH configuration [ FOUND ] +- SSH option: AllowTcpForwarding [ SUGGESTION ] +- SSH option: ClientAliveCountMax [ SUGGESTION ] +- SSH option: ClientAliveInterval [ OK ] +- SSH option: Compression [ SUGGESTION ] +- SSH option: FingerprintHash [ 
OK ] +- SSH option: GatewayPorts [ OK ] +- SSH option: IgnoreRhosts [ OK ] +- SSH option: LoginGraceTime [ OK ] +- SSH option: LogLevel [ SUGGESTION ] +- SSH option: MaxAuthTries [ SUGGESTION ] +- SSH option: MaxSessions [ SUGGESTION ] +- SSH option: PermitRootLogin [ SUGGESTION ] +- SSH option: PermitUserEnvironment [ OK ] +- SSH option: PermitTunnel [ OK ] +- SSH option: Port [ SUGGESTION ] +- SSH option: PrintLastLog [ OK ] +- SSH option: Protocol [ NOT FOUND ] +- SSH option: StrictModes [ OK ] +- SSH option: TCPKeepAlive [ SUGGESTION ] +- SSH option: UseDNS [ OK ] +- SSH option: UsePrivilegeSeparation [ NOT FOUND ] +- SSH option: VerifyReverseMapping [ NOT FOUND ] +- SSH option: X11Forwarding [ SUGGESTION ] +- SSH option: AllowAgentForwarding [ SUGGESTION ] +- SSH option: AllowUsers [ NOT FOUND ] +- SSH option: AllowGroups [ NOT FOUND ] + +[+] SNMP Support +------------------------------------ +- Checking running SNMP daemon [ NOT FOUND ] + +[+] Databases +------------------------------------ +No database engines found + +[+] LDAP Services +------------------------------------ +- Checking OpenLDAP instance [ NOT FOUND ] + +[+] PHP +------------------------------------ +- Checking PHP [ NOT FOUND ] + +[+] Squid Support +------------------------------------ +- Checking running Squid daemon [ NOT FOUND ] + +[+] Logging and files +------------------------------------ +- Checking for a running log daemon [ OK ] +- Checking Syslog-NG status [ NOT FOUND ] +- Checking systemd journal status [ FOUND ] +- Checking Metalog status [ NOT FOUND ] +- Checking RSyslog status [ FOUND ] +- Checking RFC 3195 daemon status [ NOT FOUND ] +- Checking minilogd instances [ NOT FOUND ] +- Checking logrotate presence [ OK ] +- Checking log directories (static list) [ DONE ] +- Checking open log files [ DONE ] +- Checking deleted files in use [ FILES FOUND ] + +[+] Insecure services +------------------------------------ +- Checking inetd status [ NOT ACTIVE ] + +[+] Banners and 
identification +------------------------------------ +- /etc/issue [ SYMLINK ] +- /etc/issue contents [ WEAK ] +- /etc/issue.net [ NOT FOUND ] + +[+] Scheduled tasks +------------------------------------ +- Checking crontab/cronjob [ DONE ] + +[+] Accounting +------------------------------------ +- Checking accounting information [ NOT FOUND ] +- Checking sysstat accounting data [ NOT FOUND ] +- Checking auditd [ ENABLED ] +- Checking audit rules [ OK ] +- Checking audit configuration file [ OK ] +- Checking auditd log file [ FOUND ] + +[+] Time and Synchronization +------------------------------------ + +[+] Cryptography +------------------------------------ +- Checking for expired SSL certificates [0/2] [ NONE ] + +[+] Virtualization +------------------------------------ + +[+] Containers +------------------------------------ + +[+] Security frameworks +------------------------------------ +- Checking presence AppArmor [ FOUND ] +- Checking AppArmor status [ ENABLED ] +- Checking presence SELinux [ NOT FOUND ] +- Checking presence grsecurity [ NOT FOUND ] +- Checking for implemented MAC framework [ OK ] + +[+] Software: file integrity +------------------------------------ +- Checking file integrity tools +- Checking presence integrity tool [ NOT FOUND ] + +[+] Software: System tooling +------------------------------------ +- Checking automation tooling +- Automation tooling [ NOT FOUND ] +- Checking for IDS/IPS tooling [ NONE ] + +[+] Software: Malware +------------------------------------ + +[+] File Permissions +------------------------------------ +- Starting file permissions check +/root/.ssh [ OK ] + +[+] Home directories +------------------------------------ +- Checking shell history files [ OK ] + +[+] Kernel Hardening +------------------------------------ +- Comparing sysctl key pairs with scan profile +- fs.protected_hardlinks (exp: 1) [ OK ] +- fs.protected_symlinks (exp: 1) [ OK ] +- fs.suid_dumpable (exp: 0) [ DIFFERENT ] +- kernel.core_uses_pid (exp: 
1) [ DIFFERENT ] +- kernel.ctrl-alt-del (exp: 0) [ OK ] +- kernel.dmesg_restrict (exp: 1) [ OK ] +- kernel.kptr_restrict (exp: 2) [ DIFFERENT ] +- kernel.randomize_va_space (exp: 2) [ OK ] +- kernel.suid_dumpable (exp: 0) [ DIFFERENT ] +- kernel.sysrq (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ] +- net.ipv4.conf.all.forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ] +- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ] +- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ] +- net.ipv4.tcp_syncookies (exp: 1) [ OK ] +- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ] +- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ] + +[+] Hardening +------------------------------------ +- Installed compiler(s) [ FOUND ] +- Installed malware scanner [ NOT FOUND ] + +[+] System Tools +------------------------------------ +- Starting dbus policy check... 
+Warning: Package autofs-5.1.3-7.3.1.s390x installs an unknown D-BUS autostart/system service: org.freedesktop.AutoMount.conf [ WARNING ] +Warning: Package geoclue2-2.5.4-1.32.s390x installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.Agent.conf [ WARNING ] +Warning: Package geoclue2-2.5.4-1.32.s390x installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Network.AUTO4.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Network.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP4.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP6.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Network.Nanny.conf [ WARNING ] +Warning: Package snapper-0.8.15-1.28.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.conf [ WARNING ] +Warning: Package bluez-5.55-1.52.s390x installs an unknown D-BUS autostart/system service: org.bluez.service [ WARNING ] +Warning: Package flatpak-1.10.1-1.11.s390x installs an unknown D-BUS autostart/system service: org.freedesktop.Flatpak.SystemHelper.service [ WARNING ] +Warning: Package fwupd-1.5.3-1.32.s390x installs an unknown D-BUS autostart/system service: org.freedesktop.fwupd.service [ WARNING ] +Warning: Package geoclue2-2.5.4-1.32.s390x installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.service [ WARNING ] +Warning: Package systemd-246.10-1.5.s390x installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] +Warning: Package snapper-0.8.15-1.28.s390x installs an 
unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] + +[+] Users, Groups and Authentication +------------------------------------ +- Starting password check for users... + +[+] Binary integrity +------------------------------------ +- Starting binary RPATH check... +No bad RPATH usage found in 6207 executables [ OK ] + +[+] File systems +------------------------------------ +- Starting look-up of symlinks in /tmp... + +[+] File systems +------------------------------------ +- Starting file permissions check for world-writeable files... +/tmp is world-writeable [ WARNING ] + +[+] Memory and processes +------------------------------------ +- Starting look-up of 'nobody' processes... + +[+] Networking +------------------------------------ +- Starting verifying open network ports (22 25 80 111 443)... + +[+] Custom Tests +------------------------------------ +- Running custom tests...  [ NONE ] + +[+] Plugins (phase 2) +------------------------------------ + +================================================================================ + + -[ Lynis 2.6.1 Results ]- + + Warnings (1): + ---------------------------- + ! Version of Lynis is very old and should be updated [LYNIS] + https://cisofy.com/controls/LYNIS/ + + Suggestions (34): + ---------------------------- + * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. 
boot in single user mode without password) [BOOT-5122] + https://cisofy.com/controls/BOOT-5122/ + + * Protect rescue.service by using sulogin [BOOT-5260] + https://cisofy.com/controls/BOOT-5260/ + + * Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support [KRNL-5677] + https://cisofy.com/controls/KRNL-5677/ + + * Configure minimum password age in /etc/login.defs [AUTH-9286] + https://cisofy.com/controls/AUTH-9286/ + + * Configure maximum password age in /etc/login.defs [AUTH-9286] + https://cisofy.com/controls/AUTH-9286/ + + * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] + https://cisofy.com/controls/AUTH-9328/ + + * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] + https://cisofy.com/controls/STRG-1840/ + + * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] + https://cisofy.com/controls/STRG-1846/ + + * Check DNS configuration for the dns domain name [NAME-4028] + https://cisofy.com/controls/NAME-4028/ + + * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404] + https://cisofy.com/controls/NAME-4404/ + + * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] + https://cisofy.com/controls/NETW-3032/ + + * Check iptables rules to see which rules are currently not used [FIRE-4513] + https://cisofy.com/controls/FIRE-4513/ + + * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] + https://cisofy.com/controls/HTTP-6640/ + + * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] + https://cisofy.com/controls/HTTP-6643/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowTcpForwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : ClientAliveCountMax (3 --> 2) + 
https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Compression (YES --> (DELAYED|NO)) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : LogLevel (INFO --> VERBOSE) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxAuthTries (6 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxSessions (10 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : PermitRootLogin (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Port (22 --> ) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : TCPKeepAlive (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : X11Forwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowAgentForwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Check what deleted files are still in use and why. 
[LOGG-2190] + https://cisofy.com/controls/LOGG-2190/ + + * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] + https://cisofy.com/controls/BANN-7126/ + + * Enable process accounting [ACCT-9622] + https://cisofy.com/controls/ACCT-9622/ + + * Enable sysstat to collect accounting (no results) [ACCT-9626] + https://cisofy.com/controls/ACCT-9626/ + + * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] + https://cisofy.com/controls/FINT-4350/ + + * Determine if automation tools are present for system management [TOOL-5002] + https://cisofy.com/controls/TOOL-5002/ + + * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] + - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:) + https://cisofy.com/controls/KRNL-6000/ + + * Harden compilers like restricting access to root user only [HRDN-7222] + https://cisofy.com/controls/HRDN-7222/ + + * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] + - Solution : Install a tool like rkhunter, chkrootkit, OSSEC + https://cisofy.com/controls/HRDN-7230/ + + Follow-up: + ---------------------------- + - Show details of a test (lynis show details TEST-ID) + - Check the logfile for all details (less /var/log/lynis.log) + - Read security controls texts (https://cisofy.com) + - Use --upload to upload data to central system (Lynis Enterprise users) + +================================================================================ + + Lynis security scan details: + + Hardening index : 91 [################## ] + Tests performed : 222 + Plugins enabled : 0 + + Components: + - Firewall [V] + - Malware scanner [X] + + Lynis Modules: + - Compliance Status [?] 
+ - Security Audit [V] + - Vulnerability Scan [V] + + Files: + - Test and debug information : /var/log/lynis.log + - Report data : /var/log/lynis-report.dat + +================================================================================ + Notice: Lynis update available + Current version : 261 Latest version : 303 +================================================================================ + + Lynis 2.6.1 + + Auditing, system hardening, and compliance for UNIX-based systems + (Linux, macOS, BSD, and others) + + 2007-2018, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) + +================================================================================ + + [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings) + diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-s390x-textmode b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-s390x-textmode new file mode 100644 index 000000000000..18b209b6324f --- /dev/null +++ b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-s390x-textmode 
@@ -0,0 +1,634 @@ + +[ Lynis 2.6.1 ] + +################################################################################ + Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are + welcome to redistribute it under the terms of the GNU General Public License. + See the LICENSE file for details about using this software. + + 2007-2018, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) +################################################################################ + + +[+] Initializing program +------------------------------------ +- Detecting OS...  [ DONE ] +- Checking profiles... [ DONE ] + + --------------------------------------------------- + Program version: 2.6.1 + Operating system: Linux + Operating system name: Linux + Operating system version: 5.3.18-47-default + Kernel version: 5.3.18 + Hardware platform: s390x + Hostname: susetest + --------------------------------------------------- + Profiles: /etc/lynis/default.prf + Log file: /var/log/lynis.log + Report file: /var/log/lynis-report.dat + Report version: 1.0 + Plugin directory: /usr/share/lynis/plugins + --------------------------------------------------- + Auditor: [Not Specified] + Language: en + Test category: all + Test group: all + --------------------------------------------------- +- Program update status...  [ WARNING ] + + =============================================================================== + Lynis update available + =============================================================================== + + Current version is more than 4 months old + + Current version : 261 Latest version : 303 + + Please update to the latest version. + New releases include additional features, bug fixes, tests, and baselines. 
+ + Download the latest version: + + Packages (DEB/RPM) - https://packages.cisofy.com + Website (TAR) - https://cisofy.com/downloads/ + GitHub (source) - https://github.com/CISOfy/lynis + + =============================================================================== + + +[+] System Tools +------------------------------------ +- Scanning available tools... +- Checking system binaries... + +[+] Plugins (phase 1) +------------------------------------ +Note: plugins have more extensive tests and may take several minutes to complete +  +- Plugins enabled [ NONE ] + +[+] Boot and services +------------------------------------ +- Service Manager [ systemd ] +- Checking UEFI boot [ DISABLED ] +- Checking presence GRUB2 [ FOUND ] +- Checking for password protection [ WARNING ] +- Check running services (systemctl) [ DONE ] +Result: found 23 running services +- Check enabled services at boot (systemctl) [ DONE ] +Result: found 30 enabled services +- Check startup files (permissions) [ OK ] +- Checking sulogin in rescue.service [ NOT FOUND ] + +[+] Kernel +------------------------------------ +- Checking default runlevel [ runlevel 3 ] +- Checking CPU support (NX/PAE) +CPU support: No PAE or NoeXecute supported [ NONE ] +- Checking kernel version and release [ DONE ] +- Checking kernel type [ DONE ] +- Checking loaded kernel modules [ DONE ] +Found 74 active modules +- Checking Linux kernel configuration file [ FOUND ] +- Checking default I/O kernel scheduler [ NOT FOUND ] +- Checking core dumps configuration [ DISABLED ] +- Checking setuid core dumps configuration [ PROTECTED ] +- Check if reboot is needed [ UNKNOWN ] + +[+] Memory and Processes +------------------------------------ +- Checking /proc/meminfo [ FOUND ] +- Searching for dead/zombie processes [ OK ] +- Searching for IO waiting processes [ OK ] + +[+] Users, Groups and Authentication +------------------------------------ +- Administrator accounts [ OK ] +- Unique UIDs [ OK ] +- Consistency of group files 
(grpck) [ OK ] +- Unique group IDs [ OK ] +- Unique group names [ OK ] +- Password file consistency [ OK ] +- Query system users (non daemons) [ DONE ] +- NIS+ authentication support [ NOT ENABLED ] +- NIS authentication support [ NOT ENABLED ] +- sudoers file [ FOUND ] +- Check sudoers file permissions [ OK ] +- PAM password strength tools [ OK ] +- PAM configuration file (pam.conf) [ NOT FOUND ] +- PAM configuration files (pam.d) [ FOUND ] +- PAM modules [ FOUND ] +- LDAP module in PAM [ NOT FOUND ] +- Accounts without expire date [ OK ] +- Accounts without password [ OK ] +- Checking user password aging (minimum) [ DISABLED ] +- User password aging (maximum) [ DISABLED ] +- Checking expired passwords [ OK ] +- Determining default umask +- umask (/etc/profile) [ NOT FOUND ] +- umask (/etc/login.defs) [ SUGGESTION ] +- LDAP authentication support [ NOT ENABLED ] +- Logging failed login attempts [ DISABLED ] + +[+] Shells +------------------------------------ +- Checking shells from /etc/shells +Result: found 25 shells (valid shells: 17). 
+- Session timeout settings/tools [ NONE ] +- Checking default umask values +- Checking default umask in /etc/bash.bashrc [ NONE ] +- Checking default umask in /etc/csh.cshrc [ NONE ] +- Checking default umask in /etc/profile [ NONE ] + +[+] File systems +------------------------------------ +- Checking mount points +- Checking /home mount point [ OK ] +- Checking /tmp mount point [ OK ] +- Checking /var mount point [ OK ] +- Query swap partitions (fstab) [ OK ] +- Testing swap partitions [ OK ] +- Testing /proc mount (hidepid) [ SUGGESTION ] +- Checking for old files in /tmp [ OK ] +- Checking /tmp sticky bit [ OK ] +- Checking /var/tmp sticky bit [ OK ] +- ACL support root file system [ ENABLED ] +- Mount options of / [ OK ] +- Mount options of /home [ NON DEFAULT ] +- Mount options of /tmp [ NON DEFAULT ] +- Mount options of /var [ NON DEFAULT ] +- Disable kernel support of some filesystems +- Discovered kernel modules: cramfs hfsplus squashfs udf  + +[+] USB Devices +------------------------------------ +- Checking usb-storage driver (modprobe config) [ NOT DISABLED ] +- Checking USB devices authorization [ DISABLED ] +- Checking USBGuard [ NOT FOUND ] + +[+] Storage +------------------------------------ +- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ] + +[+] NFS +------------------------------------ +- Query rpc registered programs [ DONE ] +- Query NFS versions [ DONE ] +- Query NFS protocols [ DONE ] +- Check running NFS daemon [ NOT FOUND ] + +[+] Name services +------------------------------------ +- Checking search domains [ FOUND ] +- Searching DNS domain name [ UNKNOWN ] +- Checking nscd status [ RUNNING ] +- Checking /etc/hosts +- Checking /etc/hosts (duplicates) [ OK ] +- Checking /etc/hosts (hostname) [ SUGGESTION ] +- Checking /etc/hosts (localhost) [ OK ] +- Checking /etc/hosts (localhost to IP) [ OK ] + +[+] Ports and packages +------------------------------------ +- Searching package managers +- Searching RPM package manager [ 
FOUND ] +- Querying RPM package manager +- Using Zypper to find vulnerable packages [ NONE ] +- Checking package audit tool [ INSTALLED ] +Found: zypper + +[+] Networking +------------------------------------ +- Checking IPv6 configuration [ ENABLED ] +Configuration method [ AUTO ] +IPv6 only [ NO ] +- Checking configured nameservers +- Testing nameservers +Nameserver: 10.160.2.88 [ OK ] +Nameserver: 10.160.0.1 [ OK ] +- Minimal of 2 responsive nameservers [ OK ] +- Getting listening ports (TCP/UDP) [ DONE ] +* Found 10 ports +- Checking status DHCP client [ NOT ACTIVE ] +- Checking for ARP monitoring software [ NOT FOUND ] + +[+] Printers and Spools +------------------------------------ +- Checking cups daemon [ NOT FOUND ] +- Checking lp daemon [ NOT RUNNING ] + +[+] Software: e-mail and messaging +------------------------------------ +- Postfix status [ RUNNING ] +- Postfix configuration [ FOUND ] + +[+] Software: firewalls +------------------------------------ +- Checking iptables kernel module [ FOUND ] +- Checking iptables policies of chains [ FOUND ] +- Checking for empty ruleset [ OK ] +- Checking for unused rules [ FOUND ] +- Checking host based firewall [ ACTIVE ] + +[+] Software: webserver +------------------------------------ +- Checking Apache (binary /usr/sbin/httpd2-prefork) [ FOUND ] +Info: Configuration file found (/etc/apache2/httpd.conf) +Info: No virtual hosts found +* Loadable modules [ FOUND (117) ] +- Found 117 loadable modules +mod_evasive: anti-DoS/brute force [ NOT FOUND ] +mod_reqtimeout/mod_qos [ FOUND ] +ModSecurity: web application firewall [ NOT FOUND ] +- Checking nginx [ NOT FOUND ] + +[+] SSH Support +------------------------------------ +- Checking running SSH daemon [ FOUND ] +- Searching SSH configuration [ FOUND ] +- SSH option: AllowTcpForwarding [ SUGGESTION ] +- SSH option: ClientAliveCountMax [ SUGGESTION ] +- SSH option: ClientAliveInterval [ OK ] +- SSH option: Compression [ SUGGESTION ] +- SSH option: FingerprintHash [ 
OK ] +- SSH option: GatewayPorts [ OK ] +- SSH option: IgnoreRhosts [ OK ] +- SSH option: LoginGraceTime [ OK ] +- SSH option: LogLevel [ SUGGESTION ] +- SSH option: MaxAuthTries [ SUGGESTION ] +- SSH option: MaxSessions [ SUGGESTION ] +- SSH option: PermitRootLogin [ SUGGESTION ] +- SSH option: PermitUserEnvironment [ OK ] +- SSH option: PermitTunnel [ OK ] +- SSH option: Port [ SUGGESTION ] +- SSH option: PrintLastLog [ OK ] +- SSH option: Protocol [ NOT FOUND ] +- SSH option: StrictModes [ OK ] +- SSH option: TCPKeepAlive [ SUGGESTION ] +- SSH option: UseDNS [ OK ] +- SSH option: UsePrivilegeSeparation [ NOT FOUND ] +- SSH option: VerifyReverseMapping [ NOT FOUND ] +- SSH option: X11Forwarding [ SUGGESTION ] +- SSH option: AllowAgentForwarding [ SUGGESTION ] +- SSH option: AllowUsers [ NOT FOUND ] +- SSH option: AllowGroups [ NOT FOUND ] + +[+] SNMP Support +------------------------------------ +- Checking running SNMP daemon [ NOT FOUND ] + +[+] Databases +------------------------------------ +No database engines found + +[+] LDAP Services +------------------------------------ +- Checking OpenLDAP instance [ NOT FOUND ] + +[+] PHP +------------------------------------ +- Checking PHP [ NOT FOUND ] + +[+] Squid Support +------------------------------------ +- Checking running Squid daemon [ NOT FOUND ] + +[+] Logging and files +------------------------------------ +- Checking for a running log daemon [ OK ] +- Checking Syslog-NG status [ NOT FOUND ] +- Checking systemd journal status [ FOUND ] +- Checking Metalog status [ NOT FOUND ] +- Checking RSyslog status [ FOUND ] +- Checking RFC 3195 daemon status [ NOT FOUND ] +- Checking minilogd instances [ NOT FOUND ] +- Checking logrotate presence [ OK ] +- Checking log directories (static list) [ DONE ] +- Checking open log files [ DONE ] +- Checking deleted files in use [ FILES FOUND ] + +[+] Insecure services +------------------------------------ +- Checking inetd status [ NOT ACTIVE ] + +[+] Banners and 
identification +------------------------------------ +- /etc/issue [ SYMLINK ] +- /etc/issue contents [ WEAK ] +- /etc/issue.net [ NOT FOUND ] + +[+] Scheduled tasks +------------------------------------ +- Checking crontab/cronjob [ DONE ] + +[+] Accounting +------------------------------------ +- Checking accounting information [ NOT FOUND ] +- Checking sysstat accounting data [ NOT FOUND ] +- Checking auditd [ ENABLED ] +- Checking audit rules [ OK ] +- Checking audit configuration file [ OK ] +- Checking auditd log file [ FOUND ] + +[+] Time and Synchronization +------------------------------------ + +[+] Cryptography +------------------------------------ +- Checking for expired SSL certificates [0/0] [ NONE ] + +[+] Virtualization +------------------------------------ + +[+] Containers +------------------------------------ + +[+] Security frameworks +------------------------------------ +- Checking presence AppArmor [ FOUND ] +- Checking AppArmor status [ ENABLED ] +- Checking presence SELinux [ NOT FOUND ] +- Checking presence grsecurity [ NOT FOUND ] +- Checking for implemented MAC framework [ OK ] + +[+] Software: file integrity +------------------------------------ +- Checking file integrity tools +- Checking presence integrity tool [ NOT FOUND ] + +[+] Software: System tooling +------------------------------------ +- Checking automation tooling +- Automation tooling [ NOT FOUND ] +- Checking for IDS/IPS tooling [ NONE ] + +[+] Software: Malware +------------------------------------ + +[+] File Permissions +------------------------------------ +- Starting file permissions check +/root/.ssh [ OK ] + +[+] Home directories +------------------------------------ +- Checking shell history files [ OK ] + +[+] Kernel Hardening +------------------------------------ +- Comparing sysctl key pairs with scan profile +- fs.protected_hardlinks (exp: 1) [ OK ] +- fs.protected_symlinks (exp: 1) [ OK ] +- fs.suid_dumpable (exp: 0) [ DIFFERENT ] +- kernel.core_uses_pid (exp: 
1) [ DIFFERENT ] +- kernel.ctrl-alt-del (exp: 0) [ OK ] +- kernel.dmesg_restrict (exp: 1) [ OK ] +- kernel.kptr_restrict (exp: 2) [ DIFFERENT ] +- kernel.randomize_va_space (exp: 2) [ OK ] +- kernel.suid_dumpable (exp: 0) [ DIFFERENT ] +- kernel.sysrq (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ] +- net.ipv4.conf.all.forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ] +- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ] +- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ] +- net.ipv4.tcp_syncookies (exp: 1) [ OK ] +- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ] +- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ] + +[+] Hardening +------------------------------------ +- Installed compiler(s) [ FOUND ] +- Installed malware scanner [ NOT FOUND ] + +[+] System Tools +------------------------------------ +- Starting dbus policy check... 
+Warning: Package autofs-5.1.3-7.3.1.s390x installs an unknown D-BUS autostart/system service: org.freedesktop.AutoMount.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Network.AUTO4.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Network.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP4.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP6.conf [ WARNING ] +Warning: Package wicked-0.6.64-3.3.4.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Network.Nanny.conf [ WARNING ] +Warning: Package snapper-0.8.15-1.28.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.conf [ WARNING ] +Warning: Package systemd-246.10-1.5.s390x installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] +Warning: Package snapper-0.8.15-1.28.s390x installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] + +[+] Users, Groups and Authentication +------------------------------------ +- Starting password check for users... + +[+] Binary integrity +------------------------------------ +- Starting binary RPATH check... +No bad RPATH usage found in 4494 executables [ OK ] + +[+] File systems +------------------------------------ +- Starting look-up of symlinks in /tmp... + +[+] File systems +------------------------------------ +- Starting file permissions check for world-writeable files... +/tmp is world-writeable [ WARNING ] + +[+] Memory and processes +------------------------------------ +- Starting look-up of 'nobody' processes... 
+ +[+] Networking +------------------------------------ +- Starting verifying open network ports (22 25 80 111 443)... + +[+] Custom Tests +------------------------------------ +- Running custom tests...  [ NONE ] + +[+] Plugins (phase 2) +------------------------------------ + +================================================================================ + + -[ Lynis 2.6.1 Results ]- + + Warnings (1): + ---------------------------- + ! Version of Lynis is very old and should be updated [LYNIS] + https://cisofy.com/controls/LYNIS/ + + Suggestions (34): + ---------------------------- + * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] + https://cisofy.com/controls/BOOT-5122/ + + * Protect rescue.service by using sulogin [BOOT-5260] + https://cisofy.com/controls/BOOT-5260/ + + * Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support [KRNL-5677] + https://cisofy.com/controls/KRNL-5677/ + + * Configure minimum password age in /etc/login.defs [AUTH-9286] + https://cisofy.com/controls/AUTH-9286/ + + * Configure maximum password age in /etc/login.defs [AUTH-9286] + https://cisofy.com/controls/AUTH-9286/ + + * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] + https://cisofy.com/controls/AUTH-9328/ + + * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] + https://cisofy.com/controls/STRG-1840/ + + * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] + https://cisofy.com/controls/STRG-1846/ + + * Check DNS configuration for the dns domain name [NAME-4028] + https://cisofy.com/controls/NAME-4028/ + + * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404] + https://cisofy.com/controls/NAME-4404/ + + * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] + 
https://cisofy.com/controls/NETW-3032/ + + * Check iptables rules to see which rules are currently not used [FIRE-4513] + https://cisofy.com/controls/FIRE-4513/ + + * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] + https://cisofy.com/controls/HTTP-6640/ + + * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] + https://cisofy.com/controls/HTTP-6643/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowTcpForwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : ClientAliveCountMax (3 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Compression (YES --> (DELAYED|NO)) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : LogLevel (INFO --> VERBOSE) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxAuthTries (6 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxSessions (10 --> 2) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : PermitRootLogin (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Port (22 --> ) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : TCPKeepAlive (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : X11Forwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowAgentForwarding (YES --> NO) + https://cisofy.com/controls/SSH-7408/ + + * Check what deleted files are still in use and why. 
[LOGG-2190] + https://cisofy.com/controls/LOGG-2190/ + + * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] + https://cisofy.com/controls/BANN-7126/ + + * Enable process accounting [ACCT-9622] + https://cisofy.com/controls/ACCT-9622/ + + * Enable sysstat to collect accounting (no results) [ACCT-9626] + https://cisofy.com/controls/ACCT-9626/ + + * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] + https://cisofy.com/controls/FINT-4350/ + + * Determine if automation tools are present for system management [TOOL-5002] + https://cisofy.com/controls/TOOL-5002/ + + * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] + - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:) + https://cisofy.com/controls/KRNL-6000/ + + * Harden compilers like restricting access to root user only [HRDN-7222] + https://cisofy.com/controls/HRDN-7222/ + + * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] + - Solution : Install a tool like rkhunter, chkrootkit, OSSEC + https://cisofy.com/controls/HRDN-7230/ + + Follow-up: + ---------------------------- + - Show details of a test (lynis show details TEST-ID) + - Check the logfile for all details (less /var/log/lynis.log) + - Read security controls texts (https://cisofy.com) + - Use --upload to upload data to central system (Lynis Enterprise users) + +================================================================================ + + Lynis security scan details: + + Hardening index : 87 [################# ] + Tests performed : 222 + Plugins enabled : 0 + + Components: + - Firewall [V] + - Malware scanner [X] + + Lynis Modules: + - Compliance Status [?] 
+ - Security Audit [V] + - Vulnerability Scan [V] + + Files: + - Test and debug information : /var/log/lynis.log + - Report data : /var/log/lynis-report.dat + +================================================================================ + Notice: Lynis update available + Current version : 261 Latest version : 303 +================================================================================ + + Lynis 2.6.1 + + Auditing, system hardening, and compliance for UNIX-based systems + (Linux, macOS, BSD, and others) + + 2007-2018, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) + +================================================================================ + + [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings) + diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-x86_64-gnome b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-x86_64-gnome new file mode 100644 index 000000000000..619df9395274 --- /dev/null +++ b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-x86_64-gnome 
@@ -0,0 +1,636 @@ + +[ Lynis 2.6.1 ] + +################################################################################ + Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are + welcome to redistribute it under the terms of the GNU General Public License. + See the LICENSE file for details about using this software. + + 2007-2018, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) +################################################################################ + + +[+] Initializing program +------------------------------------ +- Detecting OS...  [ DONE ] +- Checking profiles... [ DONE ] + + --------------------------------------------------- + Program version: 2.6.1 + Operating system: Linux + Operating system name: Linux + Operating system version: 5.3.18-47-default + Kernel version: 5.3.18 + Hardware platform: x86_64 + Hostname: susetest + --------------------------------------------------- + Profiles: /etc/lynis/default.prf + Log file: /var/log/lynis.log + Report file: /var/log/lynis-report.dat + Report version: 1.0 + Plugin directory: /usr/share/lynis/plugins + --------------------------------------------------- + Auditor: [Not Specified] + Language: en + Test category: all + Test group: all + --------------------------------------------------- +- Program update status...  [ WARNING ] + + =============================================================================== + Lynis update available + =============================================================================== + + Current version is more than 4 months old + + Current version : 261 Latest version : 303 + + Please update to the latest version. + New releases include additional features, bug fixes, tests, and baselines. 
+ + Download the latest version: + + Packages (DEB/RPM) - https://packages.cisofy.com + Website (TAR) - https://cisofy.com/downloads/ + GitHub (source) - https://github.com/CISOfy/lynis + + =============================================================================== + + +[+] System Tools +------------------------------------ +- Scanning available tools... +- Checking system binaries... + +[+] Plugins (phase 1) +------------------------------------ +Note: plugins have more extensive tests and may take several minutes to complete +  +- Plugins enabled [ NONE ] + +[+] Boot and services +------------------------------------ +- Service Manager [ systemd ] +- Checking UEFI boot [ DISABLED ] +- Checking presence GRUB2 [ FOUND ] +- Checking for password protection [ WARNING ] +- Check running services (systemctl) [ DONE ] +Result: found 32 running services +- Check enabled services at boot (systemctl) [ DONE ] +Result: found 29 enabled services +- Check startup files (permissions) [ OK ] +- Checking sulogin in rescue.service [ NOT FOUND ] + +[+] Kernel +------------------------------------ +- Checking default runlevel [ runlevel 5 ] +- Checking CPU support (NX/PAE) +CPU support: PAE and/or NoeXecute supported [ FOUND ] +- Checking kernel version and release [ DONE ] +- Checking kernel type [ DONE ] +- Checking loaded kernel modules [ DONE ] +Found 105 active modules +- Checking Linux kernel configuration file [ FOUND ] +- Checking default I/O kernel scheduler [ NOT FOUND ] +- Checking core dumps configuration [ DISABLED ] +- Checking setuid core dumps configuration [ PROTECTED ] +- Check if reboot is needed [ NO ] + +[+] Memory and Processes +------------------------------------ +- Checking /proc/meminfo [ FOUND ] +- Searching for dead/zombie processes [ OK ] +- Searching for IO waiting processes [ OK ] + +[+] Users, Groups and Authentication +------------------------------------ +- Administrator accounts [ OK ] +- Unique UIDs [ OK ] +- Consistency of group files 
(grpck) [ OK ] +- Unique group IDs [ OK ] +- Unique group names [ OK ] +- Password file consistency [ OK ] +- Query system users (non daemons) [ DONE ] +- NIS+ authentication support [ NOT ENABLED ] +- NIS authentication support [ NOT ENABLED ] +- sudoers file [ FOUND ] +- Check sudoers file permissions [ OK ] +- PAM password strength tools [ OK ] +- PAM configuration file (pam.conf) [ NOT FOUND ] +- PAM configuration files (pam.d) [ FOUND ] +- PAM modules [ FOUND ] +- LDAP module in PAM [ NOT FOUND ] +- Accounts without expire date [ OK ] +- Accounts without password [ OK ] +- Checking user password aging (minimum) [ DISABLED ] +- User password aging (maximum) [ DISABLED ] +- Checking expired passwords [ OK ] +- Determining default umask +- umask (/etc/profile) [ NOT FOUND ] +- umask (/etc/login.defs) [ SUGGESTION ] +- LDAP authentication support [ NOT ENABLED ] +- Logging failed login attempts [ DISABLED ] + +[+] Shells +------------------------------------ +- Checking shells from /etc/shells +Result: found 24 shells (valid shells: 16). 
+- Session timeout settings/tools [ NONE ] +- Checking default umask values +- Checking default umask in /etc/bash.bashrc [ NONE ] +- Checking default umask in /etc/csh.cshrc [ NONE ] +- Checking default umask in /etc/profile [ NONE ] + +[+] File systems +------------------------------------ +- Checking mount points +- Checking /home mount point [ OK ] +- Checking /tmp mount point [ OK ] +- Checking /var mount point [ OK ] +- Query swap partitions (fstab) [ OK ] +- Testing swap partitions [ OK ] +- Testing /proc mount (hidepid) [ SUGGESTION ] +- Checking for old files in /tmp [ OK ] +- Checking /tmp sticky bit [ OK ] +- Checking /var/tmp sticky bit [ OK ] +- ACL support root file system [ ENABLED ] +- Mount options of / [ OK ] +- Mount options of /home [ NON DEFAULT ] +- Mount options of /tmp [ NON DEFAULT ] +- Mount options of /var [ NON DEFAULT ] +- Disable kernel support of some filesystems +- Discovered kernel modules: cramfs hfsplus squashfs udf  + +[+] USB Devices +------------------------------------ +- Checking usb-storage driver (modprobe config) [ NOT DISABLED ] +- Checking USB devices authorization [ ENABLED ] +- Checking USBGuard [ NOT FOUND ] + +[+] Storage +------------------------------------ +- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ] + +[+] NFS +------------------------------------ +- Query rpc registered programs [ DONE ] +- Query NFS versions [ DONE ] +- Query NFS protocols [ DONE ] +- Check running NFS daemon [ NOT FOUND ] + +[+] Name services +------------------------------------ +- Searching DNS domain name [ UNKNOWN ] +- Checking nscd status [ RUNNING ] +- Checking /etc/hosts +- Checking /etc/hosts (duplicates) [ OK ] +- Checking /etc/hosts (hostname) [ SUGGESTION ] +- Checking /etc/hosts (localhost) [ OK ] +- Checking /etc/hosts (localhost to IP) [ OK ] + +[+] Ports and packages +------------------------------------ +- Searching package managers +- Searching RPM package manager [ FOUND ] +- Querying RPM package 
manager +- Using Zypper to find vulnerable packages [ NONE ] +- Checking package audit tool [ INSTALLED ] +Found: zypper + +[+] Networking +------------------------------------ +- Checking IPv6 configuration [ ENABLED ] +Configuration method [ AUTO ] +IPv6 only [ NO ] +- Checking configured nameservers +- Testing nameservers +Nameserver: 10.0.2.3 [ OK ] +Nameserver: fec0::3 [ OK ] +- Minimal of 2 responsive nameservers [ OK ] +- Getting listening ports (TCP/UDP) [ DONE ] +* Found 5 ports +- Checking status DHCP client [ NOT ACTIVE ] +- Checking for ARP monitoring software [ NOT FOUND ] + +[+] Printers and Spools +------------------------------------ +- Checking cups daemon [ NOT FOUND ] +- Checking lp daemon [ NOT RUNNING ] + +[+] Software: e-mail and messaging +------------------------------------ +- Postfix status [ RUNNING ] +- Postfix configuration [ FOUND ] + +[+] Software: firewalls +------------------------------------ +- Checking iptables kernel module [ FOUND ] +- Checking iptables policies of chains [ FOUND ] +- Checking for empty ruleset [ OK ] +- Checking for unused rules [ FOUND ] +- Checking host based firewall [ ACTIVE ] + +[+] Software: webserver +------------------------------------ +- Checking Apache (binary /usr/sbin/httpd2-prefork) [ FOUND ] +Info: Configuration file found (/etc/apache2/httpd.conf) +Info: No virtual hosts found +* Loadable modules [ FOUND (117) ] +- Found 117 loadable modules +mod_evasive: anti-DoS/brute force [ NOT FOUND ] +mod_reqtimeout/mod_qos [ FOUND ] +ModSecurity: web application firewall [ NOT FOUND ] +- Checking nginx [ NOT FOUND ] + +[+] SSH Support +------------------------------------ +- Checking running SSH daemon [ FOUND ] +- Searching SSH configuration [ FOUND ] +- SSH option: AllowTcpForwarding [ SUGGESTION ] +- SSH option: ClientAliveCountMax [ SUGGESTION ] +- SSH option: ClientAliveInterval [ OK ] +- SSH option: Compression [ SUGGESTION ] +- SSH option: FingerprintHash [ OK ] +- SSH option: GatewayPorts [ OK ] 
+- SSH option: IgnoreRhosts [ OK ] +- SSH option: LoginGraceTime [ OK ] +- SSH option: LogLevel [ SUGGESTION ] +- SSH option: MaxAuthTries [ SUGGESTION ] +- SSH option: MaxSessions [ SUGGESTION ] +- SSH option: PermitRootLogin [ SUGGESTION ] +- SSH option: PermitUserEnvironment [ OK ] +- SSH option: PermitTunnel [ OK ] +- SSH option: Port [ SUGGESTION ] +- SSH option: PrintLastLog [ OK ] +- SSH option: Protocol [ NOT FOUND ] +- SSH option: StrictModes [ OK ] +- SSH option: TCPKeepAlive [ SUGGESTION ] +- SSH option: UseDNS [ OK ] +- SSH option: UsePrivilegeSeparation [ NOT FOUND ] +- SSH option: VerifyReverseMapping [ NOT FOUND ] +- SSH option: X11Forwarding [ SUGGESTION ] +- SSH option: AllowAgentForwarding [ SUGGESTION ] +- SSH option: AllowUsers [ NOT FOUND ] +- SSH option: AllowGroups [ NOT FOUND ] + +[+] SNMP Support +------------------------------------ +- Checking running SNMP daemon [ NOT FOUND ] + +[+] Databases +------------------------------------ +No database engines found + +[+] LDAP Services +------------------------------------ +- Checking OpenLDAP instance [ NOT FOUND ] + +[+] PHP +------------------------------------ +- Checking PHP [ NOT FOUND ] + +[+] Squid Support +------------------------------------ +- Checking running Squid daemon [ NOT FOUND ] + +[+] Logging and files +------------------------------------ +- Checking for a running log daemon [ OK ] +- Checking Syslog-NG status [ NOT FOUND ] +- Checking systemd journal status [ FOUND ] +- Checking Metalog status [ NOT FOUND ] +- Checking RSyslog status [ FOUND ] +- Checking RFC 3195 daemon status [ NOT FOUND ] +- Checking minilogd instances [ NOT FOUND ] +- Checking logrotate presence [ OK ] +- Checking log directories (static list) [ DONE ] +- Checking open log files [ DONE ] +- Checking deleted files in use [ FILES FOUND ] + +[+] Insecure services +------------------------------------ +- Checking inetd status [ NOT ACTIVE ] + +[+] Banners and identification 
+------------------------------------ +- /etc/issue [ SYMLINK ] +- /etc/issue contents [ WEAK ] +- /etc/issue.net [ NOT FOUND ] + +[+] Scheduled tasks +------------------------------------ +- Checking crontab/cronjob [ DONE ] + +[+] Accounting +------------------------------------ +- Checking accounting information [ NOT FOUND ] +- Checking sysstat accounting data [ NOT FOUND ] +- Checking auditd [ ENABLED ] +- Checking audit rules [ OK ] +- Checking audit configuration file [ OK ] +- Checking auditd log file [ FOUND ] + +[+] Time and Synchronization +------------------------------------ + +[+] Cryptography +------------------------------------ +- Checking for expired SSL certificates [0/2] [ NONE ] + +[+] Virtualization +------------------------------------ + +[+] Containers +------------------------------------ + +[+] Security frameworks +------------------------------------ +- Checking presence AppArmor [ FOUND ] +- Checking AppArmor status [ ENABLED ] +- Checking presence SELinux [ NOT FOUND ] +- Checking presence grsecurity [ NOT FOUND ] +- Checking for implemented MAC framework [ OK ] + +[+] Software: file integrity +------------------------------------ +- Checking file integrity tools +- Checking presence integrity tool [ NOT FOUND ] + +[+] Software: System tooling +------------------------------------ +- Checking automation tooling +- Automation tooling [ NOT FOUND ] +- Checking for IDS/IPS tooling [ NONE ] + +[+] Software: Malware +------------------------------------ + +[+] File Permissions +------------------------------------ +- Starting file permissions check +/root/.ssh [ OK ] + +[+] Home directories +------------------------------------ +- Checking shell history files [ OK ] + +[+] Kernel Hardening +------------------------------------ +- Comparing sysctl key pairs with scan profile +- fs.protected_hardlinks (exp: 1) [ OK ] +- fs.protected_symlinks (exp: 1) [ OK ] +- fs.suid_dumpable (exp: 0) [ DIFFERENT ] +- kernel.core_uses_pid (exp: 1) [ DIFFERENT 
] +- kernel.ctrl-alt-del (exp: 0) [ OK ] +- kernel.dmesg_restrict (exp: 1) [ OK ] +- kernel.kptr_restrict (exp: 2) [ DIFFERENT ] +- kernel.randomize_va_space (exp: 2) [ OK ] +- kernel.suid_dumpable (exp: 0) [ DIFFERENT ] +- kernel.sysrq (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ] +- net.ipv4.conf.all.forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ] +- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ] +- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ] +- net.ipv4.tcp_syncookies (exp: 1) [ OK ] +- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ] +- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ] + +[+] Hardening +------------------------------------ +- Installed compiler(s) [ FOUND ] +- Installed malware scanner [ NOT FOUND ] + +[+] System Tools +------------------------------------ +- Starting dbus policy check... 
+Warning: Package autofs-5.1.3-7.3.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.AutoMount.conf [ WARNING ]
+Warning: Package geoclue2-2.5.4-1.32.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.Agent.conf [ WARNING ]
+Warning: Package geoclue2-2.5.4-1.32.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.conf [ WARNING ]
+Warning: Package wicked-0.6.64-3.3.4.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.AUTO4.conf [ WARNING ]
+Warning: Package wicked-0.6.64-3.3.4.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP4.conf [ WARNING ]
+Warning: Package wicked-0.6.64-3.3.4.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.DHCP6.conf [ WARNING ]
+Warning: Package wicked-0.6.64-3.3.4.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.Nanny.conf [ WARNING ]
+Warning: Package wicked-0.6.64-3.3.4.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Network.conf [ WARNING ]
+Warning: Package snapper-0.8.15-1.28.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.conf [ WARNING ]
+Warning: Package bluez-5.55-1.52.x86_64 installs an unknown D-BUS autostart/system service: org.bluez.service [ WARNING ]
+Warning: Package flatpak-1.10.1-1.11.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.Flatpak.SystemHelper.service [ WARNING ]
+Warning: Package geoclue2-2.5.4-1.32.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.GeoClue2.service [ WARNING ]
+Warning: Package fwupd-1.5.3-1.32.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.fwupd.service [ WARNING ]
+Warning: Package systemd-246.10-1.5.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ]
+Warning: Package snapper-0.8.15-1.28.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ]
+
+[+] Users, Groups and Authentication
+------------------------------------
+- Starting password check for users...
+
+[+] Binary integrity
+------------------------------------
+- Starting binary RPATH check...
+No bad RPATH usage found in 6231 executables [ OK ]
+
+[+] File systems
+------------------------------------
+- Starting look-up of symlinks in /tmp...
+
+[+] File systems
+------------------------------------
+- Starting file permissions check for world-writeable files...
+/tmp is world-writeable [ WARNING ]
+
+[+] Memory and processes
+------------------------------------
+- Starting look-up of 'nobody' processes...
+
+[+] Networking
+------------------------------------
+- Starting verifying open network ports (22 25 80 111 443)...
+
+[+] Custom Tests
+------------------------------------
+- Running custom tests...  [ NONE ]
+
+[+] Plugins (phase 2)
+------------------------------------
+
+================================================================================
+
+ -[ Lynis 2.6.1 Results ]-
+
+ Warnings (1):
+ ----------------------------
+ ! Version of Lynis is very old and should be updated [LYNIS]
+ https://cisofy.com/controls/LYNIS/
+
+ Suggestions (33):
+ ----------------------------
+ * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
+ https://cisofy.com/controls/BOOT-5122/
+
+ * Protect rescue.service by using sulogin [BOOT-5260]
+ https://cisofy.com/controls/BOOT-5260/
+
+ * Configure minimum password age in /etc/login.defs [AUTH-9286]
+ https://cisofy.com/controls/AUTH-9286/
+
+ * Configure maximum password age in /etc/login.defs [AUTH-9286]
+ https://cisofy.com/controls/AUTH-9286/
+
+ * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
+ https://cisofy.com/controls/AUTH-9328/
+
+ * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
+ https://cisofy.com/controls/STRG-1840/
+
+ * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
+ https://cisofy.com/controls/STRG-1846/
+
+ * Check DNS configuration for the dns domain name [NAME-4028]
+ https://cisofy.com/controls/NAME-4028/
+
+ * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404]
+ https://cisofy.com/controls/NAME-4404/
+
+ * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
+ https://cisofy.com/controls/NETW-3032/
+
+ * Check iptables rules to see which rules are currently not used [FIRE-4513]
+ https://cisofy.com/controls/FIRE-4513/
+
+ * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
+ https://cisofy.com/controls/HTTP-6640/
+
+ * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
+ https://cisofy.com/controls/HTTP-6643/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : AllowTcpForwarding (YES --> NO)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : ClientAliveCountMax (3 --> 2)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : Compression (YES --> (DELAYED|NO))
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : LogLevel (INFO --> VERBOSE)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : MaxAuthTries (6 --> 2)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : MaxSessions (10 --> 2)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : PermitRootLogin (YES --> NO)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : Port (22 --> )
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : TCPKeepAlive (YES --> NO)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : X11Forwarding (YES --> NO)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : AllowAgentForwarding (YES --> NO)
+ https://cisofy.com/controls/SSH-7408/
+
+ * Check what deleted files are still in use and why. [LOGG-2190]
+ https://cisofy.com/controls/LOGG-2190/
+
+ * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
+ https://cisofy.com/controls/BANN-7126/
+
+ * Enable process accounting [ACCT-9622]
+ https://cisofy.com/controls/ACCT-9622/
+
+ * Enable sysstat to collect accounting (no results) [ACCT-9626]
+ https://cisofy.com/controls/ACCT-9626/
+
+ * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
+ https://cisofy.com/controls/FINT-4350/
+
+ * Determine if automation tools are present for system management [TOOL-5002]
+ https://cisofy.com/controls/TOOL-5002/
+
+ * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
+ - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:)
+ https://cisofy.com/controls/KRNL-6000/
+
+ * Harden compilers like restricting access to root user only [HRDN-7222]
+ https://cisofy.com/controls/HRDN-7222/
+
+ * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
+ - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
+ https://cisofy.com/controls/HRDN-7230/
+
+ Follow-up:
+ ----------------------------
+ - Show details of a test (lynis show details TEST-ID)
+ - Check the logfile for all details (less /var/log/lynis.log)
+ - Read security controls texts (https://cisofy.com)
+ - Use --upload to upload data to central system (Lynis Enterprise users)
+
+================================================================================
+
+ Lynis security scan details:
+
+ Hardening index : 91 [################## ]
+ Tests performed : 222
+ Plugins enabled : 0
+
+ Components:
+ - Firewall [V]
+ - Malware scanner [X]
+
+ Lynis Modules:
+ - Compliance Status [?]
+ - Security Audit [V]
+ - Vulnerability Scan [V]
+
+ Files:
+ - Test and debug information : /var/log/lynis.log
+ - Report data : /var/log/lynis-report.dat
+
+================================================================================
+ Notice: Lynis update available
+ Current version : 261 Latest version : 303
+================================================================================
+
+ Lynis 2.6.1
+
+ Auditing, system hardening, and compliance for UNIX-based systems
+ (Linux, macOS, BSD, and others)
+
+ 2007-2018, CISOfy - https://cisofy.com/lynis/
+ Enterprise support available (compliance, plugins, interface and tools)
+
+================================================================================
+
+ [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
+
diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-sle15sp3-x86_64-snapshot7-textmode b/data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-x86_64-textmode
similarity index 100%
rename from data/lynis/baseline-lynis-audit-system-nocolors-sle15sp3-x86_64-snapshot7-textmode
rename to data/lynis/baseline-lynis-audit-system-nocolors-15-SP3-x86_64-textmode
diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-gnome b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-gnome
new file mode 100644
index 000000000000..ef22094965fd
--- /dev/null
+++ b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-gnome
@@ -0,0 +1,824 @@
+
+[ Lynis 3.0.3 ]
+
+################################################################################
+ Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+ welcome to redistribute it under the terms of the GNU General Public License.
+ See the LICENSE file for details about using this software.
+
+ 2007-2021, CISOfy - https://cisofy.com/lynis/
+ Enterprise support available (compliance, plugins, interface and tools)
+################################################################################
+
+
+[+] Initializing program
+------------------------------------
+- Detecting OS...  [ DONE ]
+- Checking profiles... [ DONE ]
+
+ ---------------------------------------------------
+ Program version: 3.0.3
+ Operating system: Linux
+ Operating system name: openSUSE
+ Operating system version: 20210222
+ Kernel version: 5.10.16
+ Hardware platform: x86_64
+ Hostname: susetest
+ ---------------------------------------------------
+ Profiles: /etc/lynis/default.prf
+ Log file: /var/log/lynis.log
+ Report file: /var/log/lynis-report.dat
+ Report version: 1.0
+ Plugin directory: /usr/share/lynis/plugins
+ ---------------------------------------------------
+ Auditor: [Not Specified]
+ Language: en
+ Test category: all
+ Test group: all
+ ---------------------------------------------------
+- Program update status...  [ NO UPDATE ]
+
+[+] System tools
+------------------------------------
+- Scanning available tools...
+- Checking system binaries...
+
+[+] Plugins (phase 1)
+------------------------------------
+Note: plugins have more extensive tests and may take several minutes to complete
+
+- Plugins enabled [ NONE ]
+
+[+] Boot and services
+------------------------------------
+- Service Manager [ systemd ]
+- Checking UEFI boot [ DISABLED ]
+- Checking presence GRUB2 [ FOUND ]
+- Checking for password protection [ NONE ]
+- Check running services (systemctl) [ DONE ]
+Result: found 32 running services
+- Check enabled services at boot (systemctl) [ DONE ]
+Result: found 26 enabled services
+- Check startup files (permissions) [ OK ]
+- Running 'systemd-analyze security'
+- ModemManager.service: [ MEDIUM ]
+- NetworkManager.service: [ EXPOSED ]
+- accounts-daemon.service: [ UNSAFE ]
+- after-local.service: [ UNSAFE ]
+- alsa-state.service: [ UNSAFE ]
+- appstream-sync-cache.service: [ UNSAFE ]
+- auditd.service: [ UNSAFE ]
+- avahi-daemon.service: [ UNSAFE ]
+- chronyd.service: [ EXPOSED ]
+- colord.service: [ EXPOSED ]
+- cron.service: [ UNSAFE ]
+- cups.service: [ UNSAFE ]
+- dbus.service: [ UNSAFE ]
+- display-manager.service: [ UNSAFE ]
+- dm-event.service: [ UNSAFE ]
+- emergency.service: [ UNSAFE ]
+- firewalld.service: [ UNSAFE ]
+- fwupd.service: [ MEDIUM ]
+- getty@tty1.service: [ UNSAFE ]
+- getty@tty6.service: [ UNSAFE ]
+- getty@tty7.service: [ UNSAFE ]
+- gpm.service: [ UNSAFE ]
+- haveged.service: [ MEDIUM ]
+- irqbalance.service: [ MEDIUM ]
+- mcelog.service: [ UNSAFE ]
+- nscd.service: [ UNSAFE ]
+- pcscd.service: [ UNSAFE ]
+- plymouth-start.service: [ UNSAFE ]
+- polkit.service: [ UNSAFE ]
+- postfix.service: [ UNSAFE ]
+- rc-local.service: [ UNSAFE ]
+- rescue.service: [ UNSAFE ]
+- rtkit-daemon.service: [ MEDIUM ]
+- serial-getty@hvc0.service: [ UNSAFE ]
+- serial-getty@ttyAMA0.service: [ UNSAFE ]
+- serial-getty@ttyS0.service: [ UNSAFE ]
+- serial-getty@ttyS1.service: [ UNSAFE ]
+- serial-getty@ttyS2.service: [ UNSAFE ]
+- smartd.service: [ UNSAFE ]
+- snapperd.service: [ UNSAFE ]
+- sshd.service: [ UNSAFE ]
+- systemd-ask-password-console.service: [ UNSAFE ]
+- systemd-ask-password-plymouth.service: [ UNSAFE ]
+- systemd-initctl.service: [ UNSAFE ]
+- systemd-journald.service: [ OK ]
+- systemd-logind.service: [ OK ]
+- systemd-rfkill.service: [ UNSAFE ]
+- systemd-timesyncd.service: [ OK ]
+- systemd-udevd.service: [ MEDIUM ]
+- udisks2.service: [ UNSAFE ]
+- upower.service: [ OK ]
+- user@0.service: [ UNSAFE ]
+- user@1000.service: [ UNSAFE ]
+- wpa_supplicant.service: [ UNSAFE ]
+
+[+] Kernel
+------------------------------------
+- Checking default runlevel [ runlevel 5 ]
+- Checking CPU support (NX/PAE)
+CPU support: PAE and/or NoeXecute supported [ FOUND ]
+- Checking kernel version and release [ DONE ]
+- Checking kernel type [ DONE ]
+- Checking loaded kernel modules [ DONE ]
+Found 106 active modules
+- Checking Linux kernel configuration file [ FOUND ]
+- Checking default I/O kernel scheduler [ NOT FOUND ]
+- Checking core dumps configuration
+- configuration in systemd conf files [ DEFAULT ]
+- configuration in etc/profile [ DEFAULT ]
+- 'hard' configuration in security/limits.conf [ DEFAULT ]
+- 'soft' configuration in security/limits.conf [ DEFAULT ]
+- Checking setuid core dumps configuration [ DISABLED ]
+- Check if reboot is needed [ NO ]
+
+[+] Memory and Processes
+------------------------------------
+- Checking /proc/meminfo [ FOUND ]
+- Searching for dead/zombie processes [ NOT FOUND ]
+- Searching for IO waiting processes [ NOT FOUND ]
+- Search prelink tooling [ NOT FOUND ]
+
+[+] Users, Groups and Authentication
+------------------------------------
+- Administrator accounts [ OK ]
+- Unique UIDs [ OK ]
+- Consistency of group files (grpck) [ OK ]
+- Unique group IDs [ OK ]
+- Unique group names [ OK ]
+- Password file consistency [ OK ]
+- Password hashing methods [ SUGGESTION ]
+- Query system users (non daemons) [ DONE ]
+- NIS+ authentication support [ NOT ENABLED ]
+- NIS authentication support [ NOT ENABLED ]
+- Sudoers file(s) [ FOUND ]
+- Permissions for directory: /etc/sudoers.d [ OK ]
+- Permissions for: /etc/sudoers [ OK ]
+- PAM password strength tools [ OK ]
+- PAM configuration file (pam.conf) [ NOT FOUND ]
+- PAM configuration files (pam.d) [ FOUND ]
+- PAM modules [ FOUND ]
+- LDAP module in PAM [ NOT FOUND ]
+- Accounts without expire date [ SUGGESTION ]
+- Accounts without password [ OK ]
+- Locked accounts [ OK ]
+- Checking expired passwords [ OK ]
+- Determining default umask
+- umask (/etc/profile) [ NOT FOUND ]
+- LDAP authentication support [ NOT ENABLED ]
+
+[+] Shells
+------------------------------------
+- Checking shells from /etc/shells
+Result: found 26 shells (valid shells: 6).
+- Session timeout settings/tools [ NONE ]
+- Checking default umask values
+- Checking default umask in /etc/bash.bashrc [ NONE ]
+- Checking default umask in /etc/bash.bashrc.local [ NONE ]
+- Checking default umask in /etc/csh.cshrc [ NONE ]
+- Checking default umask in /etc/profile [ NONE ]
+
+[+] File systems
+------------------------------------
+- Checking mount points
+- Checking /home mount point [ OK ]
+- Checking /tmp mount point [ OK ]
+- Checking /var mount point [ OK ]
+- Query swap partitions (fstab) [ OK ]
+- Testing swap partitions [ OK ]
+- Testing /proc mount (hidepid) [ SUGGESTION ]
+- Checking for old files in /tmp [ OK ]
+- Checking /tmp sticky bit [ OK ]
+- Checking /var/tmp sticky bit [ OK ]
+- ACL support root file system [ ENABLED ]
+- Mount options of / [ OK ]
+- Mount options of /dev [ HARDENED ]
+- Mount options of /dev/shm [ PARTIALLY HARDENED ]
+- Mount options of /home [ NON DEFAULT ]
+- Mount options of /run [ HARDENED ]
+- Mount options of /tmp [ PARTIALLY HARDENED ]
+- Mount options of /var [ NON DEFAULT ]
+- Total without nodev:14 noexec:18 nosuid:12 ro or noexec (W^X): 18 of total 45
+- Disable kernel support of some filesystems
+- Module cramfs is blacklisted [ OK ]
+- Module freevxfs is blacklisted [ OK ]
+- Module hfs is blacklisted [ OK ]
+- Discovered kernel modules: cramfs freevxfs hfsplus jffs2 squashfs udf
+
+[+] USB Devices
+------------------------------------
+- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
+- Checking USB devices authorization [ ENABLED ]
+- Checking USBGuard [ NOT FOUND ]
+
+[+] Storage
+------------------------------------
+- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ]
+
+[+] NFS
+------------------------------------
+- Query rpc registered programs [ DONE ]
+- Query NFS versions [ DONE ]
+- Query NFS protocols [ DONE ]
+- Check running NFS daemon [ NOT FOUND ]
+
+[+] Name services
+------------------------------------
+- Searching DNS domain name [ UNKNOWN ]
+- Checking nscd status [ RUNNING ]
+- Checking /etc/hosts
+- Duplicate entries in hosts file [ NONE ]
+- Presence of configured hostname in /etc/hosts [ NOT FOUND ]
+- Hostname mapped to localhost [ NOT FOUND ]
+- Localhost mapping to IP address [ OK ]
+
+[+] Ports and packages
+------------------------------------
+- Searching package managers
+- Searching RPM package manager [ FOUND ]
+- Querying RPM package manager
+
+ [WARNING]: Test PKGS-7308 had a long execution: 16.369354 seconds
+
+- Using Zypper to find vulnerable packages [ NONE ]
+- Checking package audit tool [ INSTALLED ]
+Found: zypper
+
+[+] Networking
+------------------------------------
+- Checking IPv6 configuration [ ENABLED ]
+Configuration method [ AUTO ]
+IPv6 only [ NO ]
+- Checking configured nameservers
+- Testing nameservers
+Nameserver: 10.0.2.3 [ OK ]
+- Minimal of 2 responsive nameservers [ WARNING ]
+- Checking default gateway [ DONE ]
+- Getting listening ports (TCP/UDP) [ DONE ]
+- Checking promiscuous interfaces [ OK ]
+- Checking waiting connections [ OK ]
+- Checking status DHCP client
+- Checking for ARP monitoring software [ NOT FOUND ]
+- Uncommon network protocols [ 0 ]
+
+[+] Printers and Spools
+------------------------------------
+- Checking cups daemon [ RUNNING ]
+- Checking CUPS configuration file [ OK ]
+- File permissions [ OK ]
+- Checking CUPS addresses/sockets [ FOUND ]
+- Checking lp daemon [ NOT RUNNING ]
+
+[+] Software: e-mail and messaging
+------------------------------------
+- Postfix status [ RUNNING ]
+- Postfix configuration [ FOUND ]
+
+[+] Software: firewalls
+------------------------------------
+- Checking iptables kernel module [ FOUND ]
+- Checking iptables policies of chains [ FOUND ]
+- Checking for empty ruleset [ WARNING ]
+- Checking for unused rules [ OK ]
+- Checking host based firewall [ ACTIVE ]
+
+[+] Software: webserver
+------------------------------------
+- Checking Apache (binary /usr/sbin/httpd) [ FOUND ]
+Info: Configuration file found (/etc/apache2/httpd.conf)
+Info: No virtual hosts found
+* Loadable modules [ FOUND (119) ]
+- Found 119 loadable modules
+mod_evasive: anti-DoS/brute force [ NOT FOUND ]
+mod_reqtimeout/mod_qos [ FOUND ]
+ModSecurity: web application firewall [ NOT FOUND ]
+- Checking nginx [ NOT FOUND ]
+
+[+] SSH Support
+------------------------------------
+- Checking running SSH daemon [ FOUND ]
+- Searching SSH configuration [ FOUND ]
+- OpenSSH option: AllowTcpForwarding [ SUGGESTION ]
+- OpenSSH option: ClientAliveCountMax [ SUGGESTION ]
+- OpenSSH option: ClientAliveInterval [ OK ]
+- OpenSSH option: Compression [ SUGGESTION ]
+- OpenSSH option: FingerprintHash [ OK ]
+- OpenSSH option: GatewayPorts [ OK ]
+- OpenSSH option: IgnoreRhosts [ OK ]
+- OpenSSH option: LoginGraceTime [ OK ]
+- OpenSSH option: LogLevel [ SUGGESTION ]
+- OpenSSH option: MaxAuthTries [ SUGGESTION ]
+- OpenSSH option: MaxSessions [ SUGGESTION ]
+- OpenSSH option: PermitRootLogin [ SUGGESTION ]
+- OpenSSH option: PermitUserEnvironment [ OK ]
+- OpenSSH option: PermitTunnel [ OK ]
+- OpenSSH option: Port [ SUGGESTION ]
+- OpenSSH option: PrintLastLog [ OK ]
+- OpenSSH option: StrictModes [ OK ]
+- OpenSSH option: TCPKeepAlive [ SUGGESTION ]
+- OpenSSH option: UseDNS [ OK ]
+- OpenSSH option: X11Forwarding [ SUGGESTION ]
+- OpenSSH option: AllowAgentForwarding [ SUGGESTION ]
+- OpenSSH option: AllowUsers [ NOT FOUND ]
+- OpenSSH option: AllowGroups [ NOT FOUND ]
+
+[+] SNMP Support
+------------------------------------
+- Checking running SNMP daemon [ NOT FOUND ]
+
+[+] Databases
+------------------------------------
+No database engines found
+
+[+] LDAP Services
+------------------------------------
+- Checking OpenLDAP instance [ NOT FOUND ]
+
+[+] PHP
+------------------------------------
+- Checking PHP [ NOT FOUND ]
+
+[+] Squid Support
+------------------------------------
+- Checking running Squid daemon [ NOT FOUND ]
+
+[+] Logging and files
+------------------------------------
+- Checking for a running log daemon [ OK ]
+- Checking Syslog-NG status [ NOT FOUND ]
+- Checking systemd journal status [ FOUND ]
+- Checking Metalog status [ NOT FOUND ]
+- Checking RSyslog status [ NOT FOUND ]
+- Checking RFC 3195 daemon status [ NOT FOUND ]
+- Checking minilogd instances [ NOT FOUND ]
+- Checking logrotate presence [ OK ]
+- Checking remote logging [ NOT ENABLED ]
+- Checking log directories (static list) [ DONE ]
+- Checking open log files [ DONE ]
+- Checking deleted files in use [ FILES FOUND ]
+
+[+] Insecure services
+------------------------------------
+- Installed inetd package [ NOT FOUND ]
+- Installed xinetd package [ OK ]
+- xinetd status
+- Installed rsh client package [ OK ]
+- Installed rsh server package [ OK ]
+- Installed telnet client package [ OK ]
+- Installed telnet server package [ NOT FOUND ]
+- Checking NIS client installation [ OK ]
+- Checking NIS server installation [ OK ]
+- Checking TFTP client installation [ OK ]
+- Checking TFTP server installation [ OK ]
+
+[+] Banners and identification
+------------------------------------
+- /etc/issue [ SYMLINK ]
+- /etc/issue contents [ WEAK ]
+- /etc/issue.net [ FOUND ]
+- /etc/issue.net contents [ WEAK ]
+
+[+] Scheduled tasks
+------------------------------------
+- Checking crontab and cronjob files [ DONE ]
+
+[+] Accounting
+------------------------------------
+- Checking accounting information [ NOT FOUND ]
+- Checking sysstat accounting data [ NOT FOUND ]
+- Checking auditd [ ENABLED ]
+- Checking audit rules [ OK ]
+- Checking audit configuration file [ OK ]
+- Checking auditd log file [ FOUND ]
+
+[+] Time and Synchronization
+------------------------------------
+- NTP daemon found: chronyd [ FOUND ]
+- Checking for a running NTP daemon or client [ OK ]
+
+[+] Cryptography
+------------------------------------
+- Checking for expired SSL certificates [0/3] [ NONE ]
+- Found 0 encrypted and 1 unencrypted swap devices in use. [ OK ]
+- Kernel entropy is sufficient [ YES ]
+- HW RNG & rngd [ NO ]
+- SW prng [ YES ]
+
+[+] Virtualization
+------------------------------------
+
+[+] Containers
+------------------------------------
+
+[+] Security frameworks
+------------------------------------
+- Checking presence AppArmor [ FOUND ]
+- Checking AppArmor status [ ENABLED ]
+Found 94 unconfined processes
+- Checking presence SELinux [ FOUND ]
+- Checking SELinux status [ DISABLED ]
+- Checking presence TOMOYO Linux [ NOT FOUND ]
+- Checking presence grsecurity [ NOT FOUND ]
+- Checking for implemented MAC framework [ OK ]
+
+[+] Software: file integrity
+------------------------------------
+- Checking file integrity tools
+- dm-integrity (status) [ DISABLED ]
+- dm-verity (status) [ DISABLED ]
+- Checking presence integrity tool [ NOT FOUND ]
+
+[+] Software: System tooling
+------------------------------------
+- Checking automation tooling
+- Automation tooling [ NOT FOUND ]
+- Checking for IDS/IPS tooling [ NONE ]
+
+[+] Software: Malware
+------------------------------------
+
+[+] File Permissions
+------------------------------------
+- Starting file permissions check
+File: /boot/grub2/grub.cfg [ OK ]
+File: /etc/cron.deny [ OK ]
+File: /etc/crontab [ OK ]
+File: /etc/group [ OK ]
+File: /etc/group- [ OK ]
+File: /etc/hosts.allow [ OK ]
+File: /etc/hosts.deny [ OK ]
+File: /etc/issue [ SUGGESTION ]
+File: /etc/issue.net [ OK ]
+File: /etc/motd [ OK ]
+File: /etc/passwd [ OK ]
+File: /etc/passwd- [ OK ]
+File: /etc/ssh/sshd_config [ SUGGESTION ]
+File: /etc/hosts.equiv [ OK ]
+Directory: /root/.ssh [ OK ]
+Directory: /etc/cron.d [ SUGGESTION ]
+Directory: /etc/cron.daily [ SUGGESTION ]
+Directory: /etc/cron.hourly [ SUGGESTION ]
+Directory: /etc/cron.weekly [ SUGGESTION ]
+Directory: /etc/cron.monthly [ SUGGESTION ]
+
+[+] Home directories
+------------------------------------
+- Permissions of home directories [ WARNING ]
+- Ownership of home directories [ OK ]
+- Checking shell history files [ OK ]
+
+[+] Kernel Hardening
+------------------------------------
+- Comparing sysctl key pairs with scan profile
+- dev.tty.ldisc_autoload (exp: 0) [ DIFFERENT ]
+- fs.protected_fifos (exp: 2) [ DIFFERENT ]
+- fs.protected_hardlinks (exp: 1) [ OK ]
+- fs.protected_regular (exp: 2) [ DIFFERENT ]
+- fs.protected_symlinks (exp: 1) [ OK ]
+- fs.suid_dumpable (exp: 0) [ OK ]
+- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
+- kernel.ctrl-alt-del (exp: 0) [ OK ]
+- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
+- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
+- kernel.modules_disabled (exp: 1) [ DIFFERENT ]
+- kernel.perf_event_paranoid (exp: 3) [ DIFFERENT ]
+- kernel.randomize_va_space (exp: 2) [ OK ]
+- kernel.suid_dumpable (exp: 0) [ OK ]
+- kernel.sysrq (exp: 0) [ DIFFERENT ]
+- kernel.unprivileged_bpf_disabled (exp: 1) [ DIFFERENT ]
+- net.core.bpf_jit_harden (exp: 2) [ DIFFERENT ]
+- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ]
+- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
+- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
+- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
+- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
+- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
+- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
+- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
+- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ]
+- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
+- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
+- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
+- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
+- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
+- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
+- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ]
+- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
+- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ]
+- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
+
+[+] Hardening
+------------------------------------
+- Installed compiler(s) [ FOUND ]
+- Installed malware scanner [ NOT FOUND ]
+- Non-native binary formats [ NOT FOUND ]
+
+[+] System Tools
+------------------------------------
+
+ [WARNING]: Deprecated function used (report)
+
+- Starting dbus policy check...
+
+ [WARNING]: Deprecated function used (logtext)
+
+Warning: Package iio-sensor-proxy-3.0-1.3.x86_64 installs an unknown D-BUS autostart/system service: net.hadess.SensorProxy.conf [ WARNING ]
+Warning: Package bluez-5.55-3.3.x86_64 installs an unknown D-BUS autostart/system service: org.bluez.service [ WARNING ]
+Warning: Package flatpak-1.10.1-1.2.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.Flatpak.SystemHelper.service [ WARNING ]
+Warning: Package bolt-0.9-1.4.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.bolt.service [ WARNING ]
+Warning: Package fwupd-1.5.6-1.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.fwupd.service [ WARNING ]
+Warning: Package systemd-246.10-2.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ]
+Warning: Package snapper-0.8.15-2.2.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ]
+
+ [WARNING]: Deprecated function used (wait_for_keypress)
+
+
+[+] Users, Groups and Authentication
+------------------------------------
+
+ [WARNING]: Deprecated function used (report)
+
+- Starting password check for users...
+
+ [WARNING]: Deprecated function used (logtext)
+
+
+ [WARNING]: Deprecated function used (wait_for_keypress)
+
+
+[+] Binary integrity
+------------------------------------
+
+ [WARNING]: Deprecated function used (report)
+
+- Starting binary RPATH check...
+
+ [WARNING]: Deprecated function used (logtext)
+
+RPATH "//usr/lib64/bash" on /usr/bin/bash is not allowed [ WARNING ]
+
+ [WARNING]: Deprecated function used (wait_for_keypress)
+
+
+[+] File systems
+------------------------------------
+
+ [WARNING]: Test BINARY-1000 had a long execution: 85.246075 seconds
+
+- Starting look-up of symlinks in /tmp...
+
+ [WARNING]: Deprecated function used (logtext)
+
+
+ [WARNING]: Deprecated function used (wait_for_keypress)
+
+
+[+] File systems
+------------------------------------
+- Starting file permissions check for world-writeable files...
+
+ [WARNING]: Deprecated function used (logtext)
+
+/tmp is world-writeable [ WARNING ]
+
+ [WARNING]: Deprecated function used (wait_for_keypress)
+
+
+[+] Memory and processes
+------------------------------------
+- Starting look-up of 'nobody' processes...
+
+ [WARNING]: Deprecated function used (logtext)
+
+
+ [WARNING]: Deprecated function used (wait_for_keypress)
+
+
+[+] Networking
+------------------------------------
+- Starting verifying open network ports (22 25 80 111 443)...
+
+ [WARNING]: Deprecated function used (logtext)
+
+
+ [WARNING]: Deprecated function used (logtext)
+
+Open port 631 not allowed [ WARNING ]
+
+ [WARNING]: Deprecated function used (wait_for_keypress)
+
+
+[+] Custom tests
+------------------------------------
+- Running custom tests...  [ NONE ]
+
+[+] Plugins (phase 2)
+------------------------------------
+
+================================================================================
+
+ -[ Lynis 3.0.3 Results ]-
+
+ Warnings (2):
+ ----------------------------
+ ! Couldn't find 2 responsive nameservers [NETW-2705]
+ https://cisofy.com/lynis/controls/NETW-2705/
+
+ ! iptables module(s) loaded, but no rules active [FIRE-4512]
+ https://cisofy.com/lynis/controls/FIRE-4512/
+
+ Suggestions (42):
+ ----------------------------
+ * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
+ https://cisofy.com/lynis/controls/BOOT-5122/
+
+ * Consider hardening system services [BOOT-5264]
+ - Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service
+ https://cisofy.com/lynis/controls/BOOT-5264/
+
+ * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
+ https://cisofy.com/lynis/controls/KRNL-5820/
+
+ * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]
+ https://cisofy.com/lynis/controls/AUTH-9229/
+
+ * When possible set expire dates for all password protected accounts [AUTH-9282]
+ https://cisofy.com/lynis/controls/AUTH-9282/
+
+ * Consider disabling unused kernel modules [FILE-6430]
+ - Details : /etc/modprobe.d/blacklist.conf
+ - Solution : Add 'install MODULENAME /bin/true' (without quotes)
+ https://cisofy.com/lynis/controls/FILE-6430/
+
+ * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000]
+ https://cisofy.com/lynis/controls/USB-1000/
+
+ * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
+ https://cisofy.com/lynis/controls/STRG-1846/
+
+ * Check DNS configuration for the dns domain name [NAME-4028]
+ https://cisofy.com/lynis/controls/NAME-4028/
+
+ * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404]
+ https://cisofy.com/lynis/controls/NAME-4404/
+
+ * Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705]
+ https://cisofy.com/lynis/controls/NETW-2705/
+
+ * Determine if protocol 'dccp' is really needed on this system [NETW-3200]
+ https://cisofy.com/lynis/controls/NETW-3200/
+
+ * Determine if protocol 'sctp' is really needed on this system [NETW-3200]
+ https://cisofy.com/lynis/controls/NETW-3200/
+
+ * Determine if protocol 'rds' is really needed on this system [NETW-3200]
+ https://cisofy.com/lynis/controls/NETW-3200/
+
+ * Determine if protocol 'tipc' is really needed on this system [NETW-3200]
+ https://cisofy.com/lynis/controls/NETW-3200/
+
+ * Check CUPS configuration if it really needs to listen on the network [PRNT-2308]
+ https://cisofy.com/lynis/controls/PRNT-2308/
+
+ * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
+ https://cisofy.com/lynis/controls/HTTP-6640/
+
+ * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
+ https://cisofy.com/lynis/controls/HTTP-6643/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : AllowTcpForwarding (set YES to NO)
+ https://cisofy.com/lynis/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : ClientAliveCountMax (set 3 to 2)
+ https://cisofy.com/lynis/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : Compression (set YES to NO)
+ https://cisofy.com/lynis/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : LogLevel (set INFO to VERBOSE)
+ https://cisofy.com/lynis/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : MaxAuthTries (set 6 to 3)
+ https://cisofy.com/lynis/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : MaxSessions (set 10 to 2)
+ https://cisofy.com/lynis/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))
+ https://cisofy.com/lynis/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : Port (set 22 to )
+ https://cisofy.com/lynis/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : TCPKeepAlive (set YES to NO)
+ https://cisofy.com/lynis/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : X11Forwarding (set YES to NO)
+ https://cisofy.com/lynis/controls/SSH-7408/
+
+ * Consider hardening SSH configuration [SSH-7408]
+ - Details : AllowAgentForwarding (set YES to NO)
+ https://cisofy.com/lynis/controls/SSH-7408/
+
+ * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
+ https://cisofy.com/lynis/controls/LOGG-2154/
+
+ * Check what deleted files are still in use and why. [LOGG-2190]
+ https://cisofy.com/lynis/controls/LOGG-2190/
+
+ * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
+ https://cisofy.com/lynis/controls/BANN-7126/
+
+ * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
+ https://cisofy.com/lynis/controls/BANN-7130/
+
+ * Enable process accounting [ACCT-9622]
+ https://cisofy.com/lynis/controls/ACCT-9622/
+
+ * Enable sysstat to collect accounting (no results) [ACCT-9626]
+ https://cisofy.com/lynis/controls/ACCT-9626/
+
+ * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
+ https://cisofy.com/lynis/controls/FINT-4350/
+
+ * Determine if automation tools are present for system management [TOOL-5002]
+ https://cisofy.com/lynis/controls/TOOL-5002/
+
+ * Consider restricting file permissions [FILE-7524]
+ - Details : See screen output or log file
+ - Solution : Use chmod to change file permissions
+ https://cisofy.com/lynis/controls/FILE-7524/
+
+ * Double check the permissions of home directories as some might be not strict enough. [HOME-9304]
+ https://cisofy.com/lynis/controls/HOME-9304/
+
+ * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
+ - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:)
+ https://cisofy.com/lynis/controls/KRNL-6000/
+
+ * Harden compilers like restricting access to root user only [HRDN-7222]
+ https://cisofy.com/lynis/controls/HRDN-7222/
+
+ * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
+ - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
+ https://cisofy.com/lynis/controls/HRDN-7230/
+
+ Follow-up:
+ ----------------------------
+ - Show details of a test (lynis show details TEST-ID)
+ - Check the logfile for all details (less /var/log/lynis.log)
+ - Read security controls texts (https://cisofy.com)
+ - Use --upload to upload data to central system (Lynis Enterprise users)
+
+================================================================================
+
+ Lynis security scan details:
+
+ Hardening index : 92 [################## ]
+ Tests performed : 262
+ Plugins enabled : 0
+
+ Components:
+ - Firewall [V]
+ - Malware scanner [X]
+
+ Scan mode:
+ Normal [V] Forensics [ ] Integration [ ] Pentest [ ]
+
+ Lynis modules:
+ - Compliance status [?]
+ - Security audit [V]
+ - Vulnerability scan [V]
+
+ Files:
+ - Test and debug information : /var/log/lynis.log
+ - Report data : /var/log/lynis-report.dat
+
+================================================================================
+
+ Lynis 3.0.3
+
+ Auditing, system hardening, and compliance for UNIX-based systems
+ (Linux, macOS, BSD, and others)
+
+ 2007-2021, CISOfy - https://cisofy.com/lynis/
+ Enterprise support available (compliance, plugins, interface and tools)
+
+================================================================================
+
+ [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
+
diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-textmode b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-textmode new file mode 100644 index 000000000000..6eb4453811ec --- /dev/null +++ b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-textmode 
@@ -0,0 +1,796 @@ + +[ Lynis 3.0.3 ] + +################################################################################ + Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are + welcome to redistribute it under the terms of the GNU General Public License. + See the LICENSE file for details about using this software. + + 2007-2021, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) +################################################################################ + + +[+] Initializing program +------------------------------------ +- Detecting OS...  [ DONE ] +- Checking profiles... [ DONE ] + + --------------------------------------------------- + Program version: 3.0.3 + Operating system: Linux + Operating system name: openSUSE + Operating system version: 20210222 + Kernel version: 5.10.16 + Hardware platform: x86_64 + Hostname: susetest + --------------------------------------------------- + Profiles: /etc/lynis/default.prf + Log file: /var/log/lynis.log + Report file: /var/log/lynis-report.dat + Report version: 1.0 + Plugin directory: /usr/share/lynis/plugins + --------------------------------------------------- + Auditor: [Not Specified] + Language: en + Test category: all + Test group: all + --------------------------------------------------- +- Program update status...  [ NO UPDATE ] + +[+] System tools +------------------------------------ +- Scanning available tools... +- Checking system binaries... 
+ +[+] Plugins (phase 1) +------------------------------------ +Note: plugins have more extensive tests and may take several minutes to complete +  +- Plugins enabled [ NONE ] + +[+] Boot and services +------------------------------------ +- Service Manager [ systemd ] +- Checking UEFI boot [ DISABLED ] +- Checking presence GRUB2 [ FOUND ] +- Checking for password protection [ NONE ] +- Check running services (systemctl) [ DONE ] +Result: found 24 running services +- Check enabled services at boot (systemctl) [ DONE ] +Result: found 25 enabled services +- Check startup files (permissions) [ OK ] +- Running 'systemd-analyze security' +- after-local.service: [ UNSAFE ] +- auditd.service: [ UNSAFE ] +- chronyd.service: [ EXPOSED ] +- cron.service: [ UNSAFE ] +- cups.service: [ UNSAFE ] +- dbus.service: [ UNSAFE ] +- dm-event.service: [ UNSAFE ] +- emergency.service: [ UNSAFE ] +- firewalld.service: [ UNSAFE ] +- getty@tty1.service: [ UNSAFE ] +- getty@tty6.service: [ UNSAFE ] +- haveged.service: [ MEDIUM ] +- irqbalance.service: [ MEDIUM ] +- iscsid.service: [ UNSAFE ] +- iscsiuio.service: [ UNSAFE ] +- mcelog.service: [ UNSAFE ] +- nscd.service: [ UNSAFE ] +- plymouth-start.service: [ UNSAFE ] +- polkit.service: [ UNSAFE ] +- postfix.service: [ UNSAFE ] +- rc-local.service: [ UNSAFE ] +- rescue.service: [ UNSAFE ] +- serial-getty@hvc0.service: [ UNSAFE ] +- serial-getty@ttyAMA0.service: [ UNSAFE ] +- serial-getty@ttyS0.service: [ UNSAFE ] +- serial-getty@ttyS1.service: [ UNSAFE ] +- serial-getty@ttyS2.service: [ UNSAFE ] +- smartd.service: [ UNSAFE ] +- snapperd.service: [ UNSAFE ] +- sshd.service: [ UNSAFE ] +- systemd-ask-password-console.service: [ UNSAFE ] +- systemd-ask-password-plymouth.service: [ UNSAFE ] +- systemd-initctl.service: [ UNSAFE ] +- systemd-journald.service: [ OK ] +- systemd-logind.service: [ OK ] +- systemd-rfkill.service: [ UNSAFE ] +- systemd-timesyncd.service: [ OK ] +- systemd-udevd.service: [ MEDIUM ] +- user@0.service: [ UNSAFE ] +- 
wickedd-auto4.service: [ UNSAFE ] +- wickedd-dhcp4.service: [ UNSAFE ] +- wickedd-dhcp6.service: [ UNSAFE ] +- wickedd-nanny.service: [ UNSAFE ] +- wickedd.service: [ UNSAFE ] + +[+] Kernel +------------------------------------ +- Checking default runlevel [ runlevel 3 ] +- Checking CPU support (NX/PAE) +CPU support: PAE and/or NoeXecute supported [ FOUND ] +- Checking kernel version and release [ DONE ] +- Checking kernel type [ DONE ] +- Checking loaded kernel modules [ DONE ] +Found 107 active modules +- Checking Linux kernel configuration file [ FOUND ] +- Checking default I/O kernel scheduler [ NOT FOUND ] +- Checking core dumps configuration +- configuration in systemd conf files [ DEFAULT ] +- configuration in etc/profile [ DEFAULT ] +- 'hard' configuration in security/limits.conf [ DEFAULT ] +- 'soft' configuration in security/limits.conf [ DEFAULT ] +- Checking setuid core dumps configuration [ DISABLED ] +- Check if reboot is needed [ NO ] + +[+] Memory and Processes +------------------------------------ +- Checking /proc/meminfo [ FOUND ] +- Searching for dead/zombie processes [ NOT FOUND ] +- Searching for IO waiting processes [ NOT FOUND ] +- Search prelink tooling [ NOT FOUND ] + +[+] Users, Groups and Authentication +------------------------------------ +- Administrator accounts [ OK ] +- Unique UIDs [ OK ] +- Consistency of group files (grpck) [ OK ] +- Unique group IDs [ OK ] +- Unique group names [ OK ] +- Password file consistency [ OK ] +- Password hashing methods [ SUGGESTION ] +- Query system users (non daemons) [ DONE ] +- Sudoers file(s) [ FOUND ] +- Permissions for directory: /etc/sudoers.d [ OK ] +- Permissions for: /etc/sudoers [ OK ] +- PAM password strength tools [ OK ] +- PAM configuration file (pam.conf) [ NOT FOUND ] +- PAM configuration files (pam.d) [ FOUND ] +- PAM modules [ FOUND ] +- LDAP module in PAM [ NOT FOUND ] +- Accounts without expire date [ SUGGESTION ] +- Accounts without password [ OK ] +- Locked accounts [ OK ] +- 
Checking expired passwords [ OK ] +- Determining default umask +- umask (/etc/profile) [ NOT FOUND ] + +[+] Shells +------------------------------------ +- Checking shells from /etc/shells +Result: found 26 shells (valid shells: 6). +- Session timeout settings/tools [ NONE ] +- Checking default umask values +- Checking default umask in /etc/bash.bashrc [ NONE ] +- Checking default umask in /etc/bash.bashrc.local [ NONE ] +- Checking default umask in /etc/csh.cshrc [ NONE ] +- Checking default umask in /etc/profile [ NONE ] + +[+] File systems +------------------------------------ +- Checking mount points +- Checking /home mount point [ OK ] +- Checking /tmp mount point [ OK ] +- Checking /var mount point [ OK ] +- Query swap partitions (fstab) [ OK ] +- Testing swap partitions [ OK ] +- Testing /proc mount (hidepid) [ SUGGESTION ] +- Checking for old files in /tmp [ OK ] +- Checking /tmp sticky bit [ OK ] +- Checking /var/tmp sticky bit [ OK ] +- ACL support root file system [ ENABLED ] +- Mount options of / [ OK ] +- Mount options of /dev [ HARDENED ] +- Mount options of /dev/shm [ PARTIALLY HARDENED ] +- Mount options of /home [ NON DEFAULT ] +- Mount options of /run [ HARDENED ] +- Mount options of /tmp [ PARTIALLY HARDENED ] +- Mount options of /var [ NON DEFAULT ] +- Total without nodev:14 noexec:16 nosuid:12 ro or noexec (W^X): 16 of total 43 +- Disable kernel support of some filesystems +- Module cramfs is blacklisted [ OK ] +- Module freevxfs is blacklisted [ OK ] +- Module hfs is blacklisted [ OK ] +- Discovered kernel modules: cramfs freevxfs hfsplus jffs2 squashfs udf  + +[+] USB Devices +------------------------------------ +- Checking usb-storage driver (modprobe config) [ NOT DISABLED ] +- Checking USB devices authorization [ ENABLED ] +- Checking USBGuard [ NOT FOUND ] + +[+] Storage +------------------------------------ +- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ] + +[+] NFS +------------------------------------ +- Query rpc 
registered programs [ DONE ] +- Query NFS versions [ DONE ] +- Query NFS protocols [ DONE ] +- Check running NFS daemon [ NOT FOUND ] + +[+] Name services +------------------------------------ +- Searching DNS domain name [ UNKNOWN ] +- Checking nscd status [ RUNNING ] +- Checking /etc/hosts +- Duplicate entries in hosts file [ NONE ] +- Presence of configured hostname in /etc/hosts [ NOT FOUND ] +- Hostname mapped to localhost [ NOT FOUND ] +- Localhost mapping to IP address [ OK ] + +[+] Ports and packages +------------------------------------ +- Searching package managers +- Searching RPM package manager [ FOUND ] +- Querying RPM package manager +- Using Zypper to find vulnerable packages [ NONE ] +- Checking package audit tool [ INSTALLED ] +Found: zypper + +[+] Networking +------------------------------------ +- Checking IPv6 configuration [ ENABLED ] +Configuration method [ AUTO ] +IPv6 only [ NO ] +- Checking configured nameservers +- Testing nameservers +Nameserver: 10.0.2.3 [ OK ] +- Minimal of 2 responsive nameservers [ WARNING ] +- Checking default gateway [ DONE ] +- Getting listening ports (TCP/UDP) [ DONE ] +- Checking promiscuous interfaces [ OK ] +- Checking waiting connections [ OK ] +- Checking status DHCP client +- Checking for ARP monitoring software [ NOT FOUND ] +- Uncommon network protocols [ 0 ] + +[+] Printers and Spools +------------------------------------ +- Checking cups daemon [ NOT FOUND ] +- Checking lp daemon [ NOT RUNNING ] + +[+] Software: e-mail and messaging +------------------------------------ +- Postfix status [ RUNNING ] +- Postfix configuration [ FOUND ] + +[+] Software: firewalls +------------------------------------ +- Checking iptables kernel module [ FOUND ] +- Checking iptables policies of chains [ FOUND ] +- Checking for empty ruleset [ WARNING ] +- Checking for unused rules [ OK ] +- Checking host based firewall [ ACTIVE ] + +[+] Software: webserver +------------------------------------ +- Checking Apache (binary 
/usr/sbin/httpd) [ FOUND ] +Info: Configuration file found (/etc/apache2/httpd.conf) +Info: No virtual hosts found +* Loadable modules [ FOUND (118) ] +- Found 118 loadable modules +mod_evasive: anti-DoS/brute force [ NOT FOUND ] +mod_reqtimeout/mod_qos [ FOUND ] +ModSecurity: web application firewall [ NOT FOUND ] +- Checking nginx [ NOT FOUND ] + +[+] SSH Support +------------------------------------ +- Checking running SSH daemon [ FOUND ] +- Searching SSH configuration [ FOUND ] +- OpenSSH option: AllowTcpForwarding [ SUGGESTION ] +- OpenSSH option: ClientAliveCountMax [ SUGGESTION ] +- OpenSSH option: ClientAliveInterval [ OK ] +- OpenSSH option: Compression [ SUGGESTION ] +- OpenSSH option: FingerprintHash [ OK ] +- OpenSSH option: GatewayPorts [ OK ] +- OpenSSH option: IgnoreRhosts [ OK ] +- OpenSSH option: LoginGraceTime [ OK ] +- OpenSSH option: LogLevel [ SUGGESTION ] +- OpenSSH option: MaxAuthTries [ SUGGESTION ] +- OpenSSH option: MaxSessions [ SUGGESTION ] +- OpenSSH option: PermitRootLogin [ SUGGESTION ] +- OpenSSH option: PermitUserEnvironment [ OK ] +- OpenSSH option: PermitTunnel [ OK ] +- OpenSSH option: Port [ SUGGESTION ] +- OpenSSH option: PrintLastLog [ OK ] +- OpenSSH option: StrictModes [ OK ] +- OpenSSH option: TCPKeepAlive [ SUGGESTION ] +- OpenSSH option: UseDNS [ OK ] +- OpenSSH option: X11Forwarding [ SUGGESTION ] +- OpenSSH option: AllowAgentForwarding [ SUGGESTION ] +- OpenSSH option: AllowUsers [ NOT FOUND ] +- OpenSSH option: AllowGroups [ NOT FOUND ] + +[+] SNMP Support +------------------------------------ +- Checking running SNMP daemon [ NOT FOUND ] + +[+] Databases +------------------------------------ +No database engines found + +[+] LDAP Services +------------------------------------ +- Checking OpenLDAP instance [ NOT FOUND ] + +[+] PHP +------------------------------------ +- Checking PHP [ NOT FOUND ] + +[+] Squid Support +------------------------------------ +- Checking running Squid daemon [ NOT FOUND ] + +[+] Logging 
and files +------------------------------------ +- Checking for a running log daemon [ OK ] +- Checking Syslog-NG status [ NOT FOUND ] +- Checking systemd journal status [ FOUND ] +- Checking Metalog status [ NOT FOUND ] +- Checking RSyslog status [ NOT FOUND ] +- Checking RFC 3195 daemon status [ NOT FOUND ] +- Checking minilogd instances [ NOT FOUND ] +- Checking logrotate presence [ OK ] +- Checking remote logging [ NOT ENABLED ] +- Checking log directories (static list) [ DONE ] +- Checking open log files [ DONE ] +- Checking deleted files in use [ FILES FOUND ] + +[+] Insecure services +------------------------------------ +- Installed inetd package [ NOT FOUND ] +- Installed xinetd package [ OK ] +- xinetd status +- Installed rsh client package [ OK ] +- Installed rsh server package [ OK ] +- Installed telnet client package [ OK ] +- Installed telnet server package [ NOT FOUND ] +- Checking NIS client installation [ OK ] +- Checking NIS server installation [ OK ] +- Checking TFTP client installation [ OK ] +- Checking TFTP server installation [ OK ] + +[+] Banners and identification +------------------------------------ +- /etc/issue [ SYMLINK ] +- /etc/issue contents [ WEAK ] +- /etc/issue.net [ FOUND ] +- /etc/issue.net contents [ WEAK ] + +[+] Scheduled tasks +------------------------------------ +- Checking crontab and cronjob files [ DONE ] + +[+] Accounting +------------------------------------ +- Checking accounting information [ NOT FOUND ] +- Checking sysstat accounting data [ NOT FOUND ] +- Checking auditd [ ENABLED ] +- Checking audit rules [ OK ] +- Checking audit configuration file [ OK ] +- Checking auditd log file [ FOUND ] + +[+] Time and Synchronization +------------------------------------ +- NTP daemon found: chronyd [ FOUND ] +- Checking for a running NTP daemon or client [ OK ] + +[+] Cryptography +------------------------------------ +- Checking for expired SSL certificates [0/1] [ NONE ] +- Found 0 encrypted and 1 unencrypted swap 
devices in use. [ OK ] +- Kernel entropy is sufficient [ YES ] +- HW RNG & rngd [ NO ] +- SW prng [ YES ] + +[+] Virtualization +------------------------------------ + +[+] Containers +------------------------------------ + +[+] Security frameworks +------------------------------------ +- Checking presence AppArmor [ FOUND ] +- Checking AppArmor status [ ENABLED ] +Found 35 unconfined processes +- Checking presence SELinux [ FOUND ] +- Checking SELinux status [ DISABLED ] +- Checking presence TOMOYO Linux [ NOT FOUND ] +- Checking presence grsecurity [ NOT FOUND ] +- Checking for implemented MAC framework [ OK ] + +[+] Software: file integrity +------------------------------------ +- Checking file integrity tools +- dm-integrity (status) [ DISABLED ] +- dm-verity (status) [ DISABLED ] +- Checking presence integrity tool [ NOT FOUND ] + +[+] Software: System tooling +------------------------------------ +- Checking automation tooling +- Automation tooling [ NOT FOUND ] +- Checking for IDS/IPS tooling [ NONE ] + +[+] Software: Malware +------------------------------------ + +[+] File Permissions +------------------------------------ +- Starting file permissions check +File: /boot/grub2/grub.cfg [ OK ] +File: /etc/cron.deny [ OK ] +File: /etc/crontab [ OK ] +File: /etc/group [ OK ] +File: /etc/group- [ OK ] +File: /etc/hosts.allow [ OK ] +File: /etc/hosts.deny [ OK ] +File: /etc/issue [ SUGGESTION ] +File: /etc/issue.net [ OK ] +File: /etc/motd [ OK ] +File: /etc/passwd [ OK ] +File: /etc/passwd- [ OK ] +File: /etc/ssh/sshd_config [ SUGGESTION ] +File: /etc/hosts.equiv [ OK ] +Directory: /root/.ssh [ OK ] +Directory: /etc/cron.d [ SUGGESTION ] +Directory: /etc/cron.daily [ SUGGESTION ] +Directory: /etc/cron.hourly [ SUGGESTION ] +Directory: /etc/cron.weekly [ SUGGESTION ] +Directory: /etc/cron.monthly [ SUGGESTION ] + +[+] Home directories +------------------------------------ +- Permissions of home directories [ WARNING ] +- Ownership of home directories [ OK ] +- 
Checking shell history files [ OK ] + +[+] Kernel Hardening +------------------------------------ +- Comparing sysctl key pairs with scan profile +- dev.tty.ldisc_autoload (exp: 0) [ DIFFERENT ] +- fs.protected_fifos (exp: 2) [ DIFFERENT ] +- fs.protected_hardlinks (exp: 1) [ OK ] +- fs.protected_regular (exp: 2) [ DIFFERENT ] +- fs.protected_symlinks (exp: 1) [ OK ] +- fs.suid_dumpable (exp: 0) [ OK ] +- kernel.core_uses_pid (exp: 1) [ DIFFERENT ] +- kernel.ctrl-alt-del (exp: 0) [ OK ] +- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ] +- kernel.kptr_restrict (exp: 2) [ DIFFERENT ] +- kernel.modules_disabled (exp: 1) [ DIFFERENT ] +- kernel.perf_event_paranoid (exp: 3) [ DIFFERENT ] +- kernel.randomize_va_space (exp: 2) [ OK ] +- kernel.suid_dumpable (exp: 0) [ OK ] +- kernel.sysrq (exp: 0) [ DIFFERENT ] +- kernel.unprivileged_bpf_disabled (exp: 1) [ DIFFERENT ] +- net.core.bpf_jit_harden (exp: 2) [ DIFFERENT ] +- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ] +- net.ipv4.conf.all.forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ] +- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ] +- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ] +- net.ipv4.tcp_syncookies (exp: 1) [ OK ] +- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ] +- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_source_route 
(exp: 0) [ OK ] + +[+] Hardening +------------------------------------ +- Installed compiler(s) [ FOUND ] +- Installed malware scanner [ NOT FOUND ] +- Non-native binary formats [ NOT FOUND ] + +[+] System Tools +------------------------------------ + + [WARNING]: Deprecated function used (report) + +- Starting dbus policy check... + + [WARNING]: Deprecated function used (logtext) + +Warning: Package systemd-246.10-2.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] +Warning: Package snapper-0.8.15-2.2.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Users, Groups and Authentication +------------------------------------ + + [WARNING]: Deprecated function used (report) + +- Starting password check for users... + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Binary integrity +------------------------------------ + + [WARNING]: Deprecated function used (report) + +- Starting binary RPATH check... + + [WARNING]: Deprecated function used (logtext) + +RPATH "//usr/lib64/bash" on /usr/bin/bash is not allowed [ WARNING ] + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] File systems +------------------------------------ + + [WARNING]: Test BINARY-1000 had a long execution: 40.963852 seconds + +- Starting look-up of symlinks in /tmp... + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] File systems +------------------------------------ +- Starting file permissions check for world-writeable files... 
+ + [WARNING]: Deprecated function used (logtext) + +/tmp is world-writeable [ WARNING ] + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Memory and processes +------------------------------------ +- Starting look-up of 'nobody' processes... + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Networking +------------------------------------ +- Starting verifying open network ports (22 25 80 111 443)... + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Custom tests +------------------------------------ +- Running custom tests...  [ NONE ] + +[+] Plugins (phase 2) +------------------------------------ + +================================================================================ + + -[ Lynis 3.0.3 Results ]- + + Warnings (2): + ---------------------------- + ! Couldn't find 2 responsive nameservers [NETW-2705] + https://cisofy.com/lynis/controls/NETW-2705/ + + ! iptables module(s) loaded, but no rules active [FIRE-4512] + https://cisofy.com/lynis/controls/FIRE-4512/ + + Suggestions (41): + ---------------------------- + * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. 
boot in single user mode without password) [BOOT-5122] + https://cisofy.com/lynis/controls/BOOT-5122/ + + * Consider hardening system services [BOOT-5264] + - Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service + https://cisofy.com/lynis/controls/BOOT-5264/ + + * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820] + https://cisofy.com/lynis/controls/KRNL-5820/ + + * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229] + https://cisofy.com/lynis/controls/AUTH-9229/ + + * When possible set expire dates for all password protected accounts [AUTH-9282] + https://cisofy.com/lynis/controls/AUTH-9282/ + + * Consider disabling unused kernel modules [FILE-6430] + - Details : /etc/modprobe.d/blacklist.conf + - Solution : Add 'install MODULENAME /bin/true' (without quotes) + https://cisofy.com/lynis/controls/FILE-6430/ + + * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000] + https://cisofy.com/lynis/controls/USB-1000/ + + * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] + https://cisofy.com/lynis/controls/STRG-1846/ + + * Check DNS configuration for the dns domain name [NAME-4028] + https://cisofy.com/lynis/controls/NAME-4028/ + + * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404] + https://cisofy.com/lynis/controls/NAME-4404/ + + * Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705] + https://cisofy.com/lynis/controls/NETW-2705/ + + * Determine if protocol 'dccp' is really needed on this system [NETW-3200] + https://cisofy.com/lynis/controls/NETW-3200/ + + * Determine if protocol 'sctp' is really needed on this system [NETW-3200] + https://cisofy.com/lynis/controls/NETW-3200/ + + * Determine if protocol 'rds' is really needed on this system [NETW-3200] + 
https://cisofy.com/lynis/controls/NETW-3200/ + + * Determine if protocol 'tipc' is really needed on this system [NETW-3200] + https://cisofy.com/lynis/controls/NETW-3200/ + + * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] + https://cisofy.com/lynis/controls/HTTP-6640/ + + * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] + https://cisofy.com/lynis/controls/HTTP-6643/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowTcpForwarding (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : ClientAliveCountMax (set 3 to 2) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Compression (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : LogLevel (set INFO to VERBOSE) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxAuthTries (set 6 to 3) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxSessions (set 10 to 2) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD)) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Port (set 22 to ) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : TCPKeepAlive (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : X11Forwarding (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + 
- Details : AllowAgentForwarding (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154] + https://cisofy.com/lynis/controls/LOGG-2154/ + + * Check what deleted files are still in use and why. [LOGG-2190] + https://cisofy.com/lynis/controls/LOGG-2190/ + + * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] + https://cisofy.com/lynis/controls/BANN-7126/ + + * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] + https://cisofy.com/lynis/controls/BANN-7130/ + + * Enable process accounting [ACCT-9622] + https://cisofy.com/lynis/controls/ACCT-9622/ + + * Enable sysstat to collect accounting (no results) [ACCT-9626] + https://cisofy.com/lynis/controls/ACCT-9626/ + + * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] + https://cisofy.com/lynis/controls/FINT-4350/ + + * Determine if automation tools are present for system management [TOOL-5002] + https://cisofy.com/lynis/controls/TOOL-5002/ + + * Consider restricting file permissions [FILE-7524] + - Details : See screen output or log file + - Solution : Use chmod to change file permissions + https://cisofy.com/lynis/controls/FILE-7524/ + + * Double check the permissions of home directories as some might be not strict enough. 
[HOME-9304] + https://cisofy.com/lynis/controls/HOME-9304/ + + * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] + - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:) + https://cisofy.com/lynis/controls/KRNL-6000/ + + * Harden compilers like restricting access to root user only [HRDN-7222] + https://cisofy.com/lynis/controls/HRDN-7222/ + + * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] + - Solution : Install a tool like rkhunter, chkrootkit, OSSEC + https://cisofy.com/lynis/controls/HRDN-7230/ + + Follow-up: + ---------------------------- + - Show details of a test (lynis show details TEST-ID) + - Check the logfile for all details (less /var/log/lynis.log) + - Read security controls texts (https://cisofy.com) + - Use --upload to upload data to central system (Lynis Enterprise users) + +================================================================================ + + Lynis security scan details: + + Hardening index : 89 [################# ] + Tests performed : 259 + Plugins enabled : 0 + + Components: + - Firewall [V] + - Malware scanner [X] + + Scan mode: + Normal [V] Forensics [ ] Integration [ ] Pentest [ ] + + Lynis modules: + - Compliance status [?] + - Security audit [V] + - Vulnerability scan [V] + + Files: + - Test and debug information : /var/log/lynis.log + - Report data : /var/log/lynis-report.dat + +================================================================================ + + Lynis 3.0.3 + + Auditing, system hardening, and compliance for UNIX-based systems + (Linux, macOS, BSD, and others) + + 2007-2021, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) + +================================================================================ + + [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings) + 
diff --git a/lib/lynis/lynistest.pm b/lib/lynis/lynistest.pm
index 95765f777bbe..2d9e8335fbb3 100644
--- a/lib/lynis/lynistest.pm
+++ b/lib/lynis/lynistest.pm
@@ -51,7 +51,8 @@ our $testdir = "/tmp/";
 our $f_position_b = 0;
 our $f_position_c = 0;
-our $lynis_baseline_file_default = "baseline-lynis-audit-system-nocolors-sle15sp3-x86_64-snapshot7-textmode";
+my $var_str = get_var("VERSION", "15-SP3") . "-" . get_var("ARCH", "x86_64") . "-" . get_var("DESKTOP", "textmode");
+our $lynis_baseline_file_default = "baseline-lynis-audit-system-nocolors-" . "$var_str";
 our $lynis_baseline_file = get_var("LYNIS_BASELINE_FILE", $lynis_baseline_file_default);
 our $lynis_audit_system_current_file = "lynis_audit_system_current_file";
@@ -268,6 +269,28 @@ sub compare_lynis_section_content {
 $s_new = "\\[.*$s_lynis.*\\]";
 $ret = grep(/$s_new/, @section_current);
 if ($ret) {
+ # Filter out some execptions allowed:
+ # "Boot_and_services": "[4C- Checking for password protection[23C [ WARNING ]"
+ # "Name services": "[4C- Checking /etc/hosts (hostname)[25C [ SUGGESTION ]"
+ # "Kernel: "[4CCPU support: No PAE or NoeXecute supported[15C [ NONE ]"
+ # "Initializing_program": "[2C- Program update status... [32C [ WARNING ]"
+ # "Networking": "[[4C- Minimal of 2 responsive nameservers^[[20C [ WARNING ]"
+ # "Ports and packages": "Using Zypper to find vulnerable packages[17C [ NONE ]"
+ my @exceptions = (
+ "Checking for password protection.*WARNING.*",
+ "Checking /etc/hosts .*hostname.*SUGGESTION.*",
+ "CPU support: No PAE or NoeXecute supported.*NONE.*",
+ "Program update status.*WARNING.*",
+ "Minimal of 2 responsive nameservers.*WARNING.*",
+ "Using Zypper to find vulnerable packages.*NONE.*"
+ );
+ for my $exception (@exceptions) {
+ if (grep(/$exception/, @section_current)) {
+ $result = "ok";
+ return $result;
+ }
+ }
+
 $result = "softfail";
 record_soft_failure("poo#78224, found $ret [ $s_lynis ] in current output");
 }
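Review bot: The concatenation `"baseline-lynis-audit-system-nocolors-" . "$var_str"` quotes a lone scalar only to interpolate it; write `our $lynis_baseline_file_default = "baseline-lynis-audit-system-nocolors-$var_str";` instead. `$var_str` also says nothing about what it holds; a name like `$baseline_suffix` would document that the VERSION-ARCH-DESKTOP triple selects the baseline file. Since the default now varies with three job variables, it would presumably help to fail with a clear message when no baseline exists for a combination rather than letting a later file open fail, though where that check belongs is outside this hunk.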
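Review bot: The exception loop returns "ok" as soon as any line of `@section_current` matches an exception pattern, without checking that this is the line that matched `$s_new`; a section that legitimately contains an allowed `Program update status ... WARNING` line would also hide a second, unexpected `WARNING` line in the same section, so a real regression against the baseline is swallowed. Filter the lines that matched `$s_new` against the exceptions and only report "ok" when none remain; the soft-failure branch then also reports the count of unexpected lines rather than the raw `$ret`. The comment header has a typo, `execptions` → `exceptions`. The enclosing `compare_lynis_section_content` starts and ends outside the hunk, so it is not visible whether the early `return $result` skips later clean-up in the caller.
```perl
        $ret = grep(/$s_new/, @section_current);
        if ($ret) {
            # Lines that only match one of the allowed exceptions are not
            # regressions; every other line that matched $s_new still is.
            my @exceptions = (
                "Checking for password protection.*WARNING.*",
                # … unchanged: remaining five exception patterns …
            );
            my @unexpected = grep {
                my $line = $_;
                !(grep { $line =~ /$_/ } @exceptions)
            } grep(/$s_new/, @section_current);
            if (!@unexpected) {
                $result = "ok";
                return $result;
            }
            $result = "softfail";
            record_soft_failure("poo#78224, found " . scalar(@unexpected) . " [ $s_lynis ] in current output");
        }
```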
diff --git a/tests/security/lynis/lynis_setup.pm b/tests/security/lynis/lynis_setup.pm
index 6dff959b5417..36c5fb695cf0 100644
--- a/tests/security/lynis/lynis_setup.pm
+++ b/tests/security/lynis/lynis_setup.pm
@@ -32,10 +32,8 @@ sub run {
 select_console "root-console";
- if (is_sle) {
- add_suseconnect_product("PackageHub", undef, undef, undef, 300, 1);
- zypper_call("in lynis", timeout => 300);
- }
+ add_suseconnect_product("PackageHub", undef, undef, undef, 300, 1) if is_sle;
+ zypper_call("in lynis", timeout => 300);
 # Record the pkgs' version for reference
 my $results = script_output("rpm -qi lynis");