diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-aarch64-gnome b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-aarch64-gnome new file mode 100644 index 000000000000..5c1b85eac38b --- /dev/null +++ b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-aarch64-gnome 
@@ -0,0 +1,918 @@ + +[ Lynis 3.0.5 ] + +################################################################################ + Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are + welcome to redistribute it under the terms of the GNU General Public License. + See the LICENSE file for details about using this software. + + 2007-2021, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) +################################################################################ + + +[+] Initializing program +------------------------------------ +- Detecting OS...  [ DONE ] +- Checking profiles... [ DONE ] + + --------------------------------------------------- + Program version: 3.0.5 + Operating system: Linux + Operating system name: openSUSE + Operating system version: 20210929 + Kernel version: 5.14.6 + Hardware platform: aarch64 + Hostname: susetest + --------------------------------------------------- + Profiles: /etc/lynis/default.prf + Log file: /var/log/lynis.log + Report file: /var/log/lynis-report.dat + Report version: 1.0 + Plugin directory: /usr/share/lynis/plugins + --------------------------------------------------- + Auditor: [Not Specified] + Language: en + Test category: all + Test group: all + --------------------------------------------------- +- Program update status...  [ UPDATE AVAILABLE ] + + =============================================================================== + Lynis update available + =============================================================================== + + Current version : 305 Latest version : 306 + + Please update to the latest version. + New releases include additional features, bug fixes, tests, and baselines. 
+ + Download the latest version: + + Packages (DEB/RPM) - https://packages.cisofy.com + Website (TAR) - https://cisofy.com/downloads/ + GitHub (source) - https://github.com/CISOfy/lynis + + =============================================================================== + + +[+] System tools +------------------------------------ +- Scanning available tools... +- Checking system binaries... + +[+] Plugins (phase 1) +------------------------------------ +Note: plugins have more extensive tests and may take several minutes to complete +  +- Plugins enabled [ NONE ] + +================================================================= + + Exception found! + + Function/test: [GetHostID] + Message: Can't create hostid (no MAC addresses found) + + Help improving the Lynis community with your feedback! + + Steps: + - Ensure you are running the latest version (/usr/bin/lynis update check) + - If so, create a GitHub issue at https://github.com/CISOfy/lynis + - Include relevant parts of the log file or configuration file + + Thanks! + +================================================================= + + +================================================================= + + Exception found! + + Function/test: [GetHostID] + Message: Can't create HOSTID, command ip not found + + Help improving the Lynis community with your feedback! + + Steps: + - Ensure you are running the latest version (/usr/bin/lynis update check) + - If so, create a GitHub issue at https://github.com/CISOfy/lynis + - Include relevant parts of the log file or configuration file + + Thanks! 
+ +================================================================= + + +[+] Boot and services +------------------------------------ + + [WARNING]: Test CORE-1000 had a long execution: 25.669889 seconds + +- Service Manager [ systemd ] +- Checking UEFI boot [ ENABLED ] +- Checking Secure Boot [ DISABLED ] +- Checking presence GRUB2 [ FOUND ] +- Checking for password protection [ NONE ] +- Check running services (systemctl) [ DONE ] +Result: found 34 running services +- Check enabled services at boot (systemctl) [ DONE ] +Result: found 25 enabled services +- Check startup files (permissions) [ OK ] +- Running 'systemd-analyze security' +- ModemManager.service: [ MEDIUM ] +- NetworkManager.service: [ EXPOSED ] +- accounts-daemon.service: [ EXPOSED ] +- after-local.service: [ UNSAFE ] +- alsa-state.service: [ UNSAFE ] +- appstream-sync-cache.service: [ UNSAFE ] +- auditd.service: [ MEDIUM ] +- avahi-daemon.service: [ UNSAFE ] +- chronyd.service: [ EXPOSED ] +- colord.service: [ EXPOSED ] +- cron.service: [ UNSAFE ] +- cups.service: [ UNSAFE ] +- dbus.service: [ UNSAFE ] +- display-manager.service: [ UNSAFE ] +- dm-event.service: [ UNSAFE ] +- emergency.service: [ UNSAFE ] +- firewalld.service: [ UNSAFE ] +- fwupd.service: [ MEDIUM ] +- getty@tty1.service: [ UNSAFE ] +- getty@tty4.service: [ UNSAFE ] +- getty@tty6.service: [ UNSAFE ] +- getty@tty7.service: [ UNSAFE ] +- gpm.service: [ UNSAFE ] +- haveged.service: [ MEDIUM ] +- irqbalance.service: [ MEDIUM ] +- nscd.service: [ UNSAFE ] +- pcscd.service: [ UNSAFE ] +- plymouth-start.service: [ UNSAFE ] +- polkit.service: [ UNSAFE ] +- postfix.service: [ UNSAFE ] +- rc-local.service: [ UNSAFE ] +- rescue.service: [ UNSAFE ] +- rng-tools.service: [ MEDIUM ] +- rtkit-daemon.service: [ MEDIUM ] +- serial-getty@hvc0.service: [ UNSAFE ] +- serial-getty@ttyAMA0.service: [ UNSAFE ] +- serial-getty@ttyS0.service: [ UNSAFE ] +- serial-getty@ttyS1.service: [ UNSAFE ] +- serial-getty@ttyS2.service: [ UNSAFE ] +- smartd.service: [ 
UNSAFE ] +- sshd.service: [ UNSAFE ] +- systemd-ask-password-console.service: [ UNSAFE ] +- systemd-ask-password-plymouth.service: [ UNSAFE ] +- systemd-initctl.service: [ UNSAFE ] +- systemd-journald.service: [ PROTECTED ] +- systemd-logind.service: [ PROTECTED ] +- systemd-rfkill.service: [ UNSAFE ] +- systemd-timesyncd.service: [ PROTECTED ] +- systemd-udevd.service: [ MEDIUM ] +- udisks2.service: [ UNSAFE ] +- upower.service: [ PROTECTED ] +- user@0.service: [ UNSAFE ] +- user@1000.service: [ UNSAFE ] +- wpa_supplicant.service: [ UNSAFE ] + +[+] Kernel +------------------------------------ +- Checking default runlevel [ runlevel 5 ] +- Checking kernel version and release [ DONE ] +- Checking kernel type [ DONE ] +- Checking loaded kernel modules [ DONE ] +Found 105 active modules +- Checking Linux kernel configuration file [ FOUND ] +- Checking default I/O kernel scheduler [ NOT FOUND ] +- Checking core dumps configuration +- configuration in systemd conf files [ DEFAULT ] +- configuration in etc/profile [ DEFAULT ] +- 'hard' configuration in security/limits.conf [ DEFAULT ] +- 'soft' configuration in security/limits.conf [ DEFAULT ] +- Checking setuid core dumps configuration [ DISABLED ] + +================================================================= + + Exception found! + + Function/test: [KRNL-5830:2] + Message: Can not find any vmlinuz or kernel files in /boot, which is unexpected + + Help improving the Lynis community with your feedback! + + Steps: + - Ensure you are running the latest version (/usr/bin/lynis update check) + - If so, create a GitHub issue at https://github.com/CISOfy/lynis + - Include relevant parts of the log file or configuration file + + Thanks! 
+ +================================================================= + +- Check if reboot is needed [ UNKNOWN ] + +[+] Memory and Processes +------------------------------------ +- Checking /proc/meminfo [ FOUND ] +- Searching for dead/zombie processes [ NOT FOUND ] +- Searching for IO waiting processes [ NOT FOUND ] +- Search prelink tooling [ NOT FOUND ] + +[+] Users, Groups and Authentication +------------------------------------ +- Administrator accounts [ OK ] +- Unique UIDs [ OK ] +- Consistency of group files (grpck) [ OK ] +- Unique group IDs [ OK ] +- Unique group names [ OK ] +- Password file consistency [ OK ] +- Password hashing methods [ SUGGESTION ] +- Query system users (non daemons) [ DONE ] +- NIS+ authentication support [ NOT ENABLED ] +- NIS authentication support [ NOT ENABLED ] +- Sudoers file(s) [ FOUND ] +- Permissions for directory: /etc/sudoers.d [ OK ] +- Permissions for: /etc/sudoers [ OK ] +- PAM password strength tools [ OK ] +- PAM configuration file (pam.conf) [ NOT FOUND ] +- PAM configuration files (pam.d) [ FOUND ] +- PAM modules [ FOUND ] +- LDAP module in PAM [ NOT FOUND ] +- Accounts without expire date [ SUGGESTION ] +- Accounts without password [ OK ] +- Locked accounts [ OK ] +- Checking expired passwords [ OK ] +- Checking Linux single user mode authentication [ OK ] +- Determining default umask +- umask (/etc/profile) [ NOT FOUND ] +- LDAP authentication support [ NOT ENABLED ] + +[+] Shells +------------------------------------ +- Checking shells from /etc/shells +Result: found 26 shells (valid shells: 6). 
+- Session timeout settings/tools [ NONE ] +- Checking default umask values +- Checking default umask in /etc/bash.bashrc [ NONE ] +- Checking default umask in /etc/bash.bashrc.local [ NONE ] +- Checking default umask in /etc/csh.cshrc [ NONE ] +- Checking default umask in /etc/profile [ NONE ] + +[+] File systems +------------------------------------ +- Checking mount points +- Checking /home mount point [ OK ] +- Checking /tmp mount point [ OK ] +- Checking /var mount point [ OK ] +- Query swap partitions (fstab) [ OK ] +- Testing swap partitions [ OK ] +- Testing /proc mount (hidepid) [ SUGGESTION ] +- Checking for old files in /tmp [ OK ] +- Checking /tmp sticky bit [ OK ] +- Checking /var/tmp sticky bit [ OK ] +- ACL support root file system [ ENABLED ] +- Mount options of / [ OK ] +- Mount options of /dev [ PARTIALLY HARDENED ] +- Mount options of /dev/shm [ PARTIALLY HARDENED ] +- Mount options of /home [ NON DEFAULT ] +- Mount options of /run [ HARDENED ] +- Mount options of /tmp [ PARTIALLY HARDENED ] +- Mount options of /var [ NON DEFAULT ] +- Total without nodev:14 noexec:20 nosuid:12 ro or noexec (W^X): 19 of total 34 +- Disable kernel support of some filesystems + +[+] USB Devices +------------------------------------ +- Checking usb-storage driver (modprobe config) [ NOT DISABLED ] +- Checking USB devices authorization [ ENABLED ] +- Checking USBGuard [ NOT FOUND ] + +[+] Storage +------------------------------------ +- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ] + +[+] NFS +------------------------------------ +- Query rpc registered programs [ DONE ] +- Query NFS versions [ DONE ] +- Query NFS protocols [ DONE ] +- Check running NFS daemon [ NOT FOUND ] + +[+] Name services +------------------------------------ +- Searching DNS domain name [ UNKNOWN ] +- Checking nscd status [ RUNNING ] +- Checking /etc/hosts +- Duplicate entries in hosts file [ NONE ] +- Presence of configured hostname in /etc/hosts [ NOT FOUND ] +- Hostname 
mapped to localhost [ NOT FOUND ] +- Localhost mapping to IP address [ OK ] + +[+] Ports and packages +------------------------------------ +- Searching package managers +- Searching RPM package manager [ FOUND ] +- Querying RPM package manager + + [WARNING]: Test PKGS-7308 had a long execution: 54.469523 seconds + + + [WARNING]: Test PKGS-7328 had a long execution: 23.975757 seconds + +- Using Zypper to find vulnerable packages [ NONE ] +- Checking package audit tool [ INSTALLED ] +Found: zypper + +[+] Networking +------------------------------------ +- Checking IPv6 configuration [ ENABLED ] +Configuration method [ AUTO ] +IPv6 only [ NO ] +- Checking configured nameservers +- Testing nameservers +Nameserver: 10.0.2.3 [ OK ] +- Minimal of 2 responsive nameservers [ WARNING ] +- Checking default gateway [ DONE ] +- Getting listening ports (TCP/UDP) [ DONE ] +- Checking promiscuous interfaces [ OK ] +- Checking waiting connections [ OK ] +- Checking status DHCP client [ RUNNING ] +- Checking for ARP monitoring software [ NOT FOUND ] +- Uncommon network protocols [ 0 ] + +[+] Printers and Spools +------------------------------------ +- Checking cups daemon [ RUNNING ] +- Checking CUPS configuration file [ OK ] +- File permissions [ OK ] +- Checking CUPS addresses/sockets [ FOUND ] +- Checking lp daemon [ NOT RUNNING ] + +[+] Software: e-mail and messaging +------------------------------------ +- Postfix status [ RUNNING ] +- Postfix configuration [ FOUND ] + +[+] Software: firewalls +------------------------------------ +- Checking iptables kernel module [ FOUND ] +- Checking iptables policies of chains [ FOUND ] +- Checking for empty ruleset [ WARNING ] +- Checking for unused rules [ OK ] +- Checking host based firewall [ ACTIVE ] + +[+] Software: webserver +------------------------------------ +- Checking Apache (binary /usr/sbin/httpd) [ FOUND ] +Info: Configuration file found (/etc/apache2/httpd.conf) +Info: No virtual hosts found +* Loadable modules [ FOUND 
(119) ] +- Found 119 loadable modules +mod_evasive: anti-DoS/brute force [ NOT FOUND ] +mod_reqtimeout/mod_qos [ FOUND ] +ModSecurity: web application firewall [ NOT FOUND ] +- Checking nginx [ NOT FOUND ] + +[+] SSH Support +------------------------------------ +- Checking running SSH daemon [ FOUND ] +- Searching SSH configuration [ NOT FOUND ] + +================================================================= + + Exception found! + + Function/test: [SSH-7404:1] + Message: SSH daemon is running, but no readable configuration file found + + Help improving the Lynis community with your feedback! + + Steps: + - Ensure you are running the latest version (/usr/bin/lynis update check) + - If so, create a GitHub issue at https://github.com/CISOfy/lynis + - Include relevant parts of the log file or configuration file + + Thanks! + +================================================================= + +- OpenSSH option: AllowTcpForwarding [ SUGGESTION ] +- OpenSSH option: ClientAliveCountMax [ SUGGESTION ] +- OpenSSH option: ClientAliveInterval [ OK ] +- OpenSSH option: Compression [ SUGGESTION ] +- OpenSSH option: FingerprintHash [ OK ] +- OpenSSH option: GatewayPorts [ OK ] +- OpenSSH option: IgnoreRhosts [ OK ] +- OpenSSH option: LoginGraceTime [ OK ] +- OpenSSH option: LogLevel [ SUGGESTION ] +- OpenSSH option: MaxAuthTries [ SUGGESTION ] +- OpenSSH option: MaxSessions [ SUGGESTION ] +- OpenSSH option: PermitRootLogin [ OK ] +- OpenSSH option: PermitUserEnvironment [ OK ] +- OpenSSH option: PermitTunnel [ OK ] +- OpenSSH option: Port [ SUGGESTION ] +- OpenSSH option: PrintLastLog [ SUGGESTION ] +- OpenSSH option: StrictModes [ OK ] +- OpenSSH option: TCPKeepAlive [ SUGGESTION ] +- OpenSSH option: UseDNS [ OK ] +- OpenSSH option: X11Forwarding [ SUGGESTION ] +- OpenSSH option: AllowAgentForwarding [ SUGGESTION ] +- OpenSSH option: AllowUsers [ NOT FOUND ] +- OpenSSH option: AllowGroups [ NOT FOUND ] + +[+] SNMP Support +------------------------------------ +- Checking 
running SNMP daemon [ NOT FOUND ] + +[+] Databases +------------------------------------ +No database engines found + +[+] LDAP Services +------------------------------------ +- Checking OpenLDAP instance [ NOT FOUND ] + +[+] PHP +------------------------------------ +- Checking PHP [ NOT FOUND ] + +[+] Squid Support +------------------------------------ +- Checking running Squid daemon [ NOT FOUND ] + +[+] Logging and files +------------------------------------ +- Checking for a running log daemon [ OK ] +- Checking Syslog-NG status [ NOT FOUND ] +- Checking systemd journal status [ FOUND ] +- Checking Metalog status [ NOT FOUND ] +- Checking RSyslog status [ NOT FOUND ] +- Checking RFC 3195 daemon status [ NOT FOUND ] +- Checking minilogd instances [ NOT FOUND ] +- Checking logrotate presence [ OK ] +- Checking remote logging [ NOT ENABLED ] +- Checking log directories (static list) [ DONE ] +- Checking open log files [ DONE ] +- Checking deleted files in use [ FILES FOUND ] + +[+] Insecure services +------------------------------------ +- Installed inetd package [ NOT FOUND ] +- Installed xinetd package [ OK ] +- xinetd status +- Installed rsh client package [ OK ] +- Installed rsh server package [ OK ] +- Installed telnet client package [ OK ] +- Installed telnet server package [ NOT FOUND ] +- Checking NIS client installation [ OK ] +- Checking NIS server installation [ OK ] +- Checking TFTP client installation [ OK ] +- Checking TFTP server installation [ OK ] + +[+] Banners and identification +------------------------------------ +- /etc/issue [ SYMLINK ] +- /etc/issue contents [ WEAK ] +- /etc/issue.net [ FOUND ] +- /etc/issue.net contents [ WEAK ] + +[+] Scheduled tasks +------------------------------------ +- Checking crontab and cronjob files [ DONE ] + +[+] Accounting +------------------------------------ +- Checking accounting information [ NOT FOUND ] +- Checking sysstat accounting data [ NOT FOUND ] +- Checking auditd [ ENABLED ] +- Checking audit 
rules [ OK ] +- Checking audit configuration file [ OK ] +- Checking auditd log file [ FOUND ] + +[+] Time and Synchronization +------------------------------------ +- NTP daemon found: chronyd [ FOUND ] +- Checking for a running NTP daemon or client [ OK ] + +[+] Cryptography +------------------------------------ +- Checking for expired SSL certificates [0/3] [ NONE ] +- Found 0 encrypted and 1 unencrypted swap devices in use. [ OK ] +- Kernel entropy is sufficient [ YES ] +- HW RNG & rngd [ YES ] +- SW prng [ YES ] +- MOR variable not found [ WEAK ] + +[+] Virtualization +------------------------------------ + +[+] Containers +------------------------------------ + +[+] Security frameworks +------------------------------------ +- Checking presence AppArmor [ FOUND ] +- Checking AppArmor status [ ENABLED ] +Found 98 unconfined processes +- Checking presence SELinux [ NOT FOUND ] +- Checking presence TOMOYO Linux [ NOT FOUND ] +- Checking presence grsecurity [ NOT FOUND ] +- Checking for implemented MAC framework [ OK ] + +[+] Software: file integrity +------------------------------------ +- Checking file integrity tools +- dm-integrity (status) [ DISABLED ] +- dm-verity (status) [ DISABLED ] +- Checking presence integrity tool [ NOT FOUND ] + +[+] Software: System tooling +------------------------------------ +- Checking automation tooling +- Automation tooling [ NOT FOUND ] +- Checking for IDS/IPS tooling [ NONE ] + +[+] Software: Malware +------------------------------------ + +[+] File Permissions +------------------------------------ +- Starting file permissions check +File: /boot/grub2/grub.cfg [ SUGGESTION ] +File: /etc/cron.deny [ OK ] +File: /etc/crontab [ OK ] +File: /etc/group [ OK ] +File: /etc/group- [ OK ] +File: /etc/hosts.allow [ OK ] +File: /etc/hosts.deny [ OK ] +File: /etc/issue [ SUGGESTION ] +File: /etc/issue.net [ OK ] +File: /etc/passwd [ OK ] +File: /etc/passwd- [ OK ] +File: /etc/hosts.equiv [ OK ] +Directory: /root/.ssh [ OK ] +Directory: 
/etc/cron.d [ SUGGESTION ] +Directory: /etc/cron.daily [ SUGGESTION ] +Directory: /etc/cron.hourly [ SUGGESTION ] +Directory: /etc/cron.weekly [ SUGGESTION ] +Directory: /etc/cron.monthly [ SUGGESTION ] + +[+] Home directories +------------------------------------ +- Permissions of home directories [ WARNING ] +- Ownership of home directories [ OK ] +- Checking shell history files [ OK ] + +[+] Kernel Hardening +------------------------------------ +- Comparing sysctl key pairs with scan profile +- dev.tty.ldisc_autoload (exp: 0) [ DIFFERENT ] +- fs.protected_fifos (exp: 2) [ OK ] +- fs.protected_hardlinks (exp: 1) [ OK ] +- fs.protected_regular (exp: 2) [ OK ] +- fs.protected_symlinks (exp: 1) [ OK ] +- fs.suid_dumpable (exp: 0) [ OK ] +- kernel.core_uses_pid (exp: 1) [ DIFFERENT ] +- kernel.ctrl-alt-del (exp: 0) [ OK ] +- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ] +- kernel.kptr_restrict (exp: 2) [ DIFFERENT ] +- kernel.modules_disabled (exp: 1) [ DIFFERENT ] +- kernel.perf_event_paranoid (exp: 3) [ DIFFERENT ] +- kernel.randomize_va_space (exp: 2) [ OK ] +- kernel.sysrq (exp: 0) [ DIFFERENT ] +- kernel.unprivileged_bpf_disabled (exp: 1) [ DIFFERENT ] +- net.core.bpf_jit_harden (exp: 2) [ DIFFERENT ] +- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ] +- net.ipv4.conf.all.forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ] +- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ] +- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ] 
+- net.ipv4.tcp_syncookies (exp: 1) [ OK ] +- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ] +- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ] + +[+] Hardening +------------------------------------ + + [WARNING]: Test KRNL-6000 had a long execution: 10.596062 seconds + +- Installed compiler(s) [ NOT FOUND ] +- Installed malware scanner [ NOT FOUND ] +- Non-native binary formats [ NOT FOUND ] + +[+] System Tools +------------------------------------ + + [WARNING]: Deprecated function used (report) + +- Starting dbus policy check... + + [WARNING]: Deprecated function used (logtext) + +Warning: Package iio-sensor-proxy-3.1-1.1.aarch64 installs an unknown D-BUS autostart/system service: net.hadess.SensorProxy.conf [ WARNING ] +Warning: Package bluez-5.61-1.3.aarch64 installs an unknown D-BUS autostart/system service: org.bluez.service [ WARNING ] +Warning: Package flatpak-1.11.3-1.1.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.Flatpak.SystemHelper.service [ WARNING ] +Warning: Package bolt-0.9.1-1.1.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.bolt.service [ WARNING ] +Warning: Package fwupd-1.5.8-1.4.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.fwupd.service [ WARNING ] +Warning: Package systemd-249.4-2.2.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] +Warning: Package snapper-0.9.0-6.3.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Users, Groups and Authentication +------------------------------------ + + [WARNING]: Deprecated function used (report) + +- Starting password check for users... 
+ + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Binary integrity +------------------------------------ + + [WARNING]: Deprecated function used (report) + +- Starting binary RPATH check... + + [WARNING]: Deprecated function used (logtext) + +No bad RPATH usage found in 8117 executables [ OK ] + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] File systems +------------------------------------ + + [WARNING]: Test BINARY-1000 had a long execution: 168.754672 seconds + +- Starting look-up of symlinks in /tmp... + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] File systems +------------------------------------ +- Starting file permissions check for world-writeable files... + + [WARNING]: Deprecated function used (logtext) + +/tmp is world-writeable [ WARNING ] + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Memory and processes +------------------------------------ +- Starting look-up of 'nobody' processes... + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Networking +------------------------------------ +- Starting verifying open network ports (22 25 80 111 443)... + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (logtext) + +Open port 631 not allowed [ WARNING ] + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Custom tests +------------------------------------ +- Running custom tests...  [ NONE ] + +[+] Plugins (phase 2) +------------------------------------ + +================================================================================ + + -[ Lynis 3.0.5 Results ]- + + Warnings (2): + ---------------------------- + ! Couldn't find 2 responsive nameservers [NETW-2705] + https://cisofy.com/lynis/controls/NETW-2705/ + + ! 
iptables module(s) loaded, but no rules active [FIRE-4512] + https://cisofy.com/lynis/controls/FIRE-4512/ + + Suggestions (41): + ---------------------------- + * Version of Lynis outdated, consider upgrading to the latest version [LYNIS] + https://cisofy.com/lynis/controls/LYNIS/ + + * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] + https://cisofy.com/lynis/controls/BOOT-5122/ + + * Consider hardening system services [BOOT-5264] + - Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service + https://cisofy.com/lynis/controls/BOOT-5264/ + + * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820] + https://cisofy.com/lynis/controls/KRNL-5820/ + + * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229] + https://cisofy.com/lynis/controls/AUTH-9229/ + + * When possible set expire dates for all password protected accounts [AUTH-9282] + https://cisofy.com/lynis/controls/AUTH-9282/ + + * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000] + https://cisofy.com/lynis/controls/USB-1000/ + + * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] + https://cisofy.com/lynis/controls/STRG-1846/ + + * Check DNS configuration for the dns domain name [NAME-4028] + https://cisofy.com/lynis/controls/NAME-4028/ + + * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404] + https://cisofy.com/lynis/controls/NAME-4404/ + + * Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705] + https://cisofy.com/lynis/controls/NETW-2705/ + + * Determine if protocol 'dccp' is really needed on this system [NETW-3200] + https://cisofy.com/lynis/controls/NETW-3200/ + + * Determine if protocol 'sctp' is really needed on this system 
[NETW-3200] + https://cisofy.com/lynis/controls/NETW-3200/ + + * Determine if protocol 'rds' is really needed on this system [NETW-3200] + https://cisofy.com/lynis/controls/NETW-3200/ + + * Determine if protocol 'tipc' is really needed on this system [NETW-3200] + https://cisofy.com/lynis/controls/NETW-3200/ + + * Check CUPS configuration if it really needs to listen on the network [PRNT-2308] + https://cisofy.com/lynis/controls/PRNT-2308/ + + * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] + https://cisofy.com/lynis/controls/HTTP-6640/ + + * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] + https://cisofy.com/lynis/controls/HTTP-6643/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowTcpForwarding (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : ClientAliveCountMax (set 3 to 2) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Compression (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : LogLevel (set INFO to VERBOSE) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxAuthTries (set 6 to 3) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxSessions (set 10 to 2) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Port (set 22 to ) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : PrintLastLog (set NO to YES) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : TCPKeepAlive (set YES to NO) + 
https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : X11Forwarding (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowAgentForwarding (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154] + https://cisofy.com/lynis/controls/LOGG-2154/ + + * Check what deleted files are still in use and why. [LOGG-2190] + https://cisofy.com/lynis/controls/LOGG-2190/ + + * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] + https://cisofy.com/lynis/controls/BANN-7126/ + + * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] + https://cisofy.com/lynis/controls/BANN-7130/ + + * Enable process accounting [ACCT-9622] + https://cisofy.com/lynis/controls/ACCT-9622/ + + * Enable sysstat to collect accounting (no results) [ACCT-9626] + https://cisofy.com/lynis/controls/ACCT-9626/ + + * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] + https://cisofy.com/lynis/controls/FINT-4350/ + + * Determine if automation tools are present for system management [TOOL-5002] + https://cisofy.com/lynis/controls/TOOL-5002/ + + * Consider restricting file permissions [FILE-7524] + - Details : See screen output or log file + - Solution : Use chmod to change file permissions + https://cisofy.com/lynis/controls/FILE-7524/ + + * Double check the permissions of home directories as some might be not strict enough. 
[HOME-9304] + https://cisofy.com/lynis/controls/HOME-9304/ + + * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] + - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:) + https://cisofy.com/lynis/controls/KRNL-6000/ + + * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] + - Solution : Install a tool like rkhunter, chkrootkit, OSSEC + https://cisofy.com/lynis/controls/HRDN-7230/ + + Follow-up: + ---------------------------- + - Show details of a test (lynis show details TEST-ID) + - Check the logfile for all details (less /var/log/lynis.log) + - Read security controls texts (https://cisofy.com) + - Use --upload to upload data to central system (Lynis Enterprise users) + +================================================================================ + + Lynis security scan details: + + Hardening index : 82 [################ ] + Tests performed : 263 + Plugins enabled : 0 + + Components: + - Firewall [V] + - Malware scanner [X] + + Scan mode: + Normal [V] Forensics [ ] Integration [ ] Pentest [ ] + + Lynis modules: + - Compliance status [?] 
+ - Security audit [V] + - Vulnerability scan [V] + + Files: + - Test and debug information : /var/log/lynis.log + - Report data : /var/log/lynis-report.dat + +================================================================================ + Notice: Lynis update available + Current version : 305 Latest version : 306 +================================================================================ + + Lynis 3.0.5 + + Auditing, system hardening, and compliance for UNIX-based systems + (Linux, macOS, BSD, and others) + + 2007-2021, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) + +================================================================================ + + [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings) + diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-aarch64-textmode b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-aarch64-textmode new file mode 100644 index 000000000000..568126b5f0e5 --- /dev/null +++ b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-aarch64-textmode 
@@ -0,0 +1,892 @@ + +[ Lynis 3.0.5 ] + +################################################################################ + Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are + welcome to redistribute it under the terms of the GNU General Public License. + See the LICENSE file for details about using this software. + + 2007-2021, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) +################################################################################ + + +[+] Initializing program +------------------------------------ +- Detecting OS...  [ DONE ] +- Checking profiles... [ DONE ] + + --------------------------------------------------- + Program version: 3.0.5 + Operating system: Linux + Operating system name: openSUSE + Operating system version: 20210929 + Kernel version: 5.14.6 + Hardware platform: aarch64 + Hostname: susetest + --------------------------------------------------- + Profiles: /etc/lynis/default.prf + Log file: /var/log/lynis.log + Report file: /var/log/lynis-report.dat + Report version: 1.0 + Plugin directory: /usr/share/lynis/plugins + --------------------------------------------------- + Auditor: [Not Specified] + Language: en + Test category: all + Test group: all + --------------------------------------------------- +- Program update status...  [ UPDATE AVAILABLE ] + + =============================================================================== + Lynis update available + =============================================================================== + + Current version : 305 Latest version : 306 + + Please update to the latest version. + New releases include additional features, bug fixes, tests, and baselines. 
+ + Download the latest version: + + Packages (DEB/RPM) - https://packages.cisofy.com + Website (TAR) - https://cisofy.com/downloads/ + GitHub (source) - https://github.com/CISOfy/lynis + + =============================================================================== + + +[+] System tools +------------------------------------ +- Scanning available tools... +- Checking system binaries... + +[+] Plugins (phase 1) +------------------------------------ +Note: plugins have more extensive tests and may take several minutes to complete +  +- Plugins enabled [ NONE ] + +================================================================= + + Exception found! + + Function/test: [GetHostID] + Message: Can't create hostid (no MAC addresses found) + + Help improving the Lynis community with your feedback! + + Steps: + - Ensure you are running the latest version (/usr/bin/lynis update check) + - If so, create a GitHub issue at https://github.com/CISOfy/lynis + - Include relevant parts of the log file or configuration file + + Thanks! + +================================================================= + + +================================================================= + + Exception found! + + Function/test: [GetHostID] + Message: Can't create HOSTID, command ip not found + + Help improving the Lynis community with your feedback! + + Steps: + - Ensure you are running the latest version (/usr/bin/lynis update check) + - If so, create a GitHub issue at https://github.com/CISOfy/lynis + - Include relevant parts of the log file or configuration file + + Thanks! 
+ +================================================================= + + +[+] Boot and services +------------------------------------ + + [WARNING]: Test CORE-1000 had a long execution: 16.923534 seconds + +- Service Manager [ systemd ] +- Checking UEFI boot [ ENABLED ] +- Checking Secure Boot [ DISABLED ] +- Checking presence GRUB2 [ FOUND ] +- Checking for password protection [ NONE ] +- Check running services (systemctl) [ DONE ] +Result: found 26 running services +- Check enabled services at boot (systemctl) [ DONE ] +Result: found 24 enabled services +- Check startup files (permissions) [ OK ] +- Running 'systemd-analyze security' +- after-local.service: [ UNSAFE ] +- auditd.service: [ MEDIUM ] +- chronyd.service: [ EXPOSED ] +- cron.service: [ UNSAFE ] +- cups.service: [ UNSAFE ] +- dbus.service: [ UNSAFE ] +- dm-event.service: [ UNSAFE ] +- emergency.service: [ UNSAFE ] +- firewalld.service: [ UNSAFE ] +- getty@tty1.service: [ UNSAFE ] +- getty@tty4.service: [ UNSAFE ] +- getty@tty6.service: [ UNSAFE ] +- haveged.service: [ MEDIUM ] +- irqbalance.service: [ MEDIUM ] +- iscsid.service: [ UNSAFE ] +- iscsiuio.service: [ UNSAFE ] +- nscd.service: [ UNSAFE ] +- pcscd.service: [ UNSAFE ] +- plymouth-start.service: [ UNSAFE ] +- polkit.service: [ UNSAFE ] +- postfix.service: [ UNSAFE ] +- rc-local.service: [ UNSAFE ] +- rescue.service: [ UNSAFE ] +- rng-tools.service: [ MEDIUM ] +- serial-getty@hvc0.service: [ UNSAFE ] +- serial-getty@ttyAMA0.service: [ UNSAFE ] +- serial-getty@ttyS0.service: [ UNSAFE ] +- serial-getty@ttyS1.service: [ UNSAFE ] +- serial-getty@ttyS2.service: [ UNSAFE ] +- smartd.service: [ UNSAFE ] +- sshd.service: [ UNSAFE ] +- systemd-ask-password-console.service: [ UNSAFE ] +- systemd-ask-password-plymouth.service: [ UNSAFE ] +- systemd-initctl.service: [ UNSAFE ] +- systemd-journald.service: [ PROTECTED ] +- systemd-logind.service: [ PROTECTED ] +- systemd-rfkill.service: [ UNSAFE ] +- systemd-timesyncd.service: [ PROTECTED ] +- 
systemd-udevd.service: [ MEDIUM ] +- user@0.service: [ UNSAFE ] +- user@1000.service: [ UNSAFE ] +- wickedd-auto4.service: [ UNSAFE ] +- wickedd-dhcp4.service: [ UNSAFE ] +- wickedd-dhcp6.service: [ UNSAFE ] +- wickedd-nanny.service: [ UNSAFE ] +- wickedd.service: [ UNSAFE ] + +[+] Kernel +------------------------------------ +- Checking default runlevel [ runlevel 3 ] +- Checking kernel version and release [ DONE ] +- Checking kernel type [ DONE ] +- Checking loaded kernel modules [ DONE ] +Found 106 active modules +- Checking Linux kernel configuration file [ FOUND ] +- Checking default I/O kernel scheduler [ NOT FOUND ] +- Checking core dumps configuration +- configuration in systemd conf files [ DEFAULT ] +- configuration in etc/profile [ DEFAULT ] +- 'hard' configuration in security/limits.conf [ DEFAULT ] +- 'soft' configuration in security/limits.conf [ DEFAULT ] +- Checking setuid core dumps configuration [ DISABLED ] + +================================================================= + + Exception found! + + Function/test: [KRNL-5830:2] + Message: Can not find any vmlinuz or kernel files in /boot, which is unexpected + + Help improving the Lynis community with your feedback! + + Steps: + - Ensure you are running the latest version (/usr/bin/lynis update check) + - If so, create a GitHub issue at https://github.com/CISOfy/lynis + - Include relevant parts of the log file or configuration file + + Thanks! 
+ +================================================================= + +- Check if reboot is needed [ UNKNOWN ] + +[+] Memory and Processes +------------------------------------ +- Checking /proc/meminfo [ FOUND ] +- Searching for dead/zombie processes [ NOT FOUND ] +- Searching for IO waiting processes [ NOT FOUND ] +- Search prelink tooling [ NOT FOUND ] + +[+] Users, Groups and Authentication +------------------------------------ +- Administrator accounts [ OK ] +- Unique UIDs [ OK ] +- Consistency of group files (grpck) [ OK ] +- Unique group IDs [ OK ] +- Unique group names [ OK ] +- Password file consistency [ OK ] +- Password hashing methods [ SUGGESTION ] +- Query system users (non daemons) [ DONE ] +- Sudoers file(s) [ FOUND ] +- Permissions for directory: /etc/sudoers.d [ OK ] +- Permissions for: /etc/sudoers [ OK ] +- PAM password strength tools [ OK ] +- PAM configuration file (pam.conf) [ NOT FOUND ] +- PAM configuration files (pam.d) [ FOUND ] +- PAM modules [ FOUND ] +- LDAP module in PAM [ NOT FOUND ] +- Accounts without expire date [ SUGGESTION ] +- Accounts without password [ OK ] +- Locked accounts [ OK ] +- Checking expired passwords [ OK ] +- Checking Linux single user mode authentication [ OK ] +- Determining default umask +- umask (/etc/profile) [ NOT FOUND ] + +[+] Shells +------------------------------------ +- Checking shells from /etc/shells +Result: found 26 shells (valid shells: 6). 
+- Session timeout settings/tools [ NONE ] +- Checking default umask values +- Checking default umask in /etc/bash.bashrc [ NONE ] +- Checking default umask in /etc/bash.bashrc.local [ NONE ] +- Checking default umask in /etc/csh.cshrc [ NONE ] +- Checking default umask in /etc/profile [ NONE ] + +[+] File systems +------------------------------------ +- Checking mount points +- Checking /home mount point [ OK ] +- Checking /tmp mount point [ OK ] +- Checking /var mount point [ OK ] +- Query swap partitions (fstab) [ OK ] +- Testing swap partitions [ OK ] +- Testing /proc mount (hidepid) [ SUGGESTION ] +- Checking for old files in /tmp [ OK ] +- Checking /tmp sticky bit [ OK ] +- Checking /var/tmp sticky bit [ OK ] +- ACL support root file system [ ENABLED ] +- Mount options of / [ OK ] +- Mount options of /dev [ PARTIALLY HARDENED ] +- Mount options of /dev/shm [ PARTIALLY HARDENED ] +- Mount options of /home [ NON DEFAULT ] +- Mount options of /run [ HARDENED ] +- Mount options of /tmp [ PARTIALLY HARDENED ] +- Mount options of /var [ NON DEFAULT ] +- Total without nodev:14 noexec:18 nosuid:12 ro or noexec (W^X): 18 of total 32 +- Disable kernel support of some filesystems + +[+] USB Devices +------------------------------------ +- Checking usb-storage driver (modprobe config) [ NOT DISABLED ] +- Checking USB devices authorization [ ENABLED ] +- Checking USBGuard [ NOT FOUND ] + +[+] Storage +------------------------------------ +- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ] + +[+] NFS +------------------------------------ +- Query rpc registered programs [ DONE ] +- Query NFS versions [ DONE ] +- Query NFS protocols [ DONE ] +- Check running NFS daemon [ NOT FOUND ] + +[+] Name services +------------------------------------ +- Searching DNS domain name [ UNKNOWN ] +- Checking nscd status [ RUNNING ] +- Checking /etc/hosts +- Duplicate entries in hosts file [ NONE ] +- Presence of configured hostname in /etc/hosts [ NOT FOUND ] +- Hostname 
mapped to localhost [ NOT FOUND ] +- Localhost mapping to IP address [ OK ] + +[+] Ports and packages +------------------------------------ +- Searching package managers +- Searching RPM package manager [ FOUND ] +- Querying RPM package manager + + [WARNING]: Test PKGS-7308 had a long execution: 31.921872 seconds + + + [WARNING]: Test PKGS-7328 had a long execution: 10.966953 seconds + +- Using Zypper to find vulnerable packages [ NONE ] +- Checking package audit tool [ INSTALLED ] +Found: zypper + +[+] Networking +------------------------------------ +- Checking IPv6 configuration [ ENABLED ] +Configuration method [ AUTO ] +IPv6 only [ NO ] +- Checking configured nameservers +- Testing nameservers +Nameserver: 10.0.2.3 [ OK ] +- Minimal of 2 responsive nameservers [ WARNING ] +- Checking default gateway [ DONE ] +- Getting listening ports (TCP/UDP) [ DONE ] +- Checking promiscuous interfaces [ OK ] +- Checking waiting connections [ OK ] +- Checking status DHCP client +- Checking for ARP monitoring software [ NOT FOUND ] +- Uncommon network protocols [ 0 ] + +[+] Printers and Spools +------------------------------------ +- Checking cups daemon [ NOT FOUND ] +- Checking lp daemon [ NOT RUNNING ] + +[+] Software: e-mail and messaging +------------------------------------ +- Postfix status [ RUNNING ] +- Postfix configuration [ FOUND ] + +[+] Software: firewalls +------------------------------------ +- Checking iptables kernel module [ FOUND ] +- Checking iptables policies of chains [ FOUND ] +- Checking for empty ruleset [ WARNING ] +- Checking for unused rules [ OK ] +- Checking host based firewall [ ACTIVE ] + +[+] Software: webserver +------------------------------------ +- Checking Apache (binary /usr/sbin/httpd) [ FOUND ] +Info: Configuration file found (/etc/apache2/httpd.conf) +Info: No virtual hosts found +* Loadable modules [ FOUND (118) ] +- Found 118 loadable modules +mod_evasive: anti-DoS/brute force [ NOT FOUND ] +mod_reqtimeout/mod_qos [ FOUND ] 
+ModSecurity: web application firewall [ NOT FOUND ] +- Checking nginx [ NOT FOUND ] + +[+] SSH Support +------------------------------------ +- Checking running SSH daemon [ FOUND ] +- Searching SSH configuration [ NOT FOUND ] + +================================================================= + + Exception found! + + Function/test: [SSH-7404:1] + Message: SSH daemon is running, but no readable configuration file found + + Help improving the Lynis community with your feedback! + + Steps: + - Ensure you are running the latest version (/usr/bin/lynis update check) + - If so, create a GitHub issue at https://github.com/CISOfy/lynis + - Include relevant parts of the log file or configuration file + + Thanks! + +================================================================= + +- OpenSSH option: AllowTcpForwarding [ SUGGESTION ] +- OpenSSH option: ClientAliveCountMax [ SUGGESTION ] +- OpenSSH option: ClientAliveInterval [ OK ] +- OpenSSH option: Compression [ SUGGESTION ] +- OpenSSH option: FingerprintHash [ OK ] +- OpenSSH option: GatewayPorts [ OK ] +- OpenSSH option: IgnoreRhosts [ OK ] +- OpenSSH option: LoginGraceTime [ OK ] +- OpenSSH option: LogLevel [ SUGGESTION ] +- OpenSSH option: MaxAuthTries [ SUGGESTION ] +- OpenSSH option: MaxSessions [ SUGGESTION ] +- OpenSSH option: PermitRootLogin [ OK ] +- OpenSSH option: PermitUserEnvironment [ OK ] +- OpenSSH option: PermitTunnel [ OK ] +- OpenSSH option: Port [ SUGGESTION ] +- OpenSSH option: PrintLastLog [ SUGGESTION ] +- OpenSSH option: StrictModes [ OK ] +- OpenSSH option: TCPKeepAlive [ SUGGESTION ] +- OpenSSH option: UseDNS [ OK ] +- OpenSSH option: X11Forwarding [ SUGGESTION ] +- OpenSSH option: AllowAgentForwarding [ SUGGESTION ] +- OpenSSH option: AllowUsers [ NOT FOUND ] +- OpenSSH option: AllowGroups [ NOT FOUND ] + +[+] SNMP Support +------------------------------------ +- Checking running SNMP daemon [ NOT FOUND ] + +[+] Databases +------------------------------------ +No database engines found + 
+[+] LDAP Services +------------------------------------ +- Checking OpenLDAP instance [ NOT FOUND ] + +[+] PHP +------------------------------------ +- Checking PHP [ NOT FOUND ] + +[+] Squid Support +------------------------------------ +- Checking running Squid daemon [ NOT FOUND ] + +[+] Logging and files +------------------------------------ +- Checking for a running log daemon [ OK ] +- Checking Syslog-NG status [ NOT FOUND ] +- Checking systemd journal status [ FOUND ] +- Checking Metalog status [ NOT FOUND ] +- Checking RSyslog status [ NOT FOUND ] +- Checking RFC 3195 daemon status [ NOT FOUND ] +- Checking minilogd instances [ NOT FOUND ] +- Checking logrotate presence [ OK ] +- Checking remote logging [ NOT ENABLED ] +- Checking log directories (static list) [ DONE ] +- Checking open log files [ DONE ] +- Checking deleted files in use [ FILES FOUND ] + +[+] Insecure services +------------------------------------ +- Installed inetd package [ NOT FOUND ] +- Installed xinetd package [ OK ] +- xinetd status +- Installed rsh client package [ OK ] +- Installed rsh server package [ OK ] +- Installed telnet client package [ OK ] +- Installed telnet server package [ NOT FOUND ] +- Checking NIS client installation [ OK ] +- Checking NIS server installation [ OK ] +- Checking TFTP client installation [ OK ] +- Checking TFTP server installation [ OK ] + +[+] Banners and identification +------------------------------------ +- /etc/issue [ SYMLINK ] +- /etc/issue contents [ WEAK ] +- /etc/issue.net [ FOUND ] +- /etc/issue.net contents [ WEAK ] + +[+] Scheduled tasks +------------------------------------ +- Checking crontab and cronjob files [ DONE ] + +[+] Accounting +------------------------------------ +- Checking accounting information [ NOT FOUND ] +- Checking sysstat accounting data [ NOT FOUND ] +- Checking auditd [ ENABLED ] +- Checking audit rules [ OK ] +- Checking audit configuration file [ OK ] +- Checking auditd log file [ FOUND ] + +[+] Time and 
Synchronization +------------------------------------ +- NTP daemon found: chronyd [ FOUND ] +- Checking for a running NTP daemon or client [ OK ] + +[+] Cryptography +------------------------------------ +- Checking for expired SSL certificates [0/1] [ NONE ] +- Found 0 encrypted and 1 unencrypted swap devices in use. [ OK ] +- Kernel entropy is sufficient [ YES ] +- HW RNG & rngd [ YES ] +- SW prng [ NO ] +- MOR variable not found [ WEAK ] + +[+] Virtualization +------------------------------------ + +[+] Containers +------------------------------------ + +[+] Security frameworks +------------------------------------ +- Checking presence AppArmor [ FOUND ] +- Checking AppArmor status [ ENABLED ] +Found 39 unconfined processes +- Checking presence SELinux [ NOT FOUND ] +- Checking presence TOMOYO Linux [ NOT FOUND ] +- Checking presence grsecurity [ NOT FOUND ] +- Checking for implemented MAC framework [ OK ] + +[+] Software: file integrity +------------------------------------ +- Checking file integrity tools +- dm-integrity (status) [ DISABLED ] +- dm-verity (status) [ DISABLED ] +- Checking presence integrity tool [ NOT FOUND ] + +[+] Software: System tooling +------------------------------------ +- Checking automation tooling +- Automation tooling [ NOT FOUND ] +- Checking for IDS/IPS tooling [ NONE ] + +[+] Software: Malware +------------------------------------ + +[+] File Permissions +------------------------------------ +- Starting file permissions check +File: /boot/grub2/grub.cfg [ SUGGESTION ] +File: /etc/cron.deny [ OK ] +File: /etc/crontab [ OK ] +File: /etc/group [ OK ] +File: /etc/group- [ OK ] +File: /etc/hosts.allow [ OK ] +File: /etc/hosts.deny [ OK ] +File: /etc/issue [ SUGGESTION ] +File: /etc/issue.net [ OK ] +File: /etc/passwd [ OK ] +File: /etc/passwd- [ OK ] +File: /etc/hosts.equiv [ OK ] +Directory: /root/.ssh [ OK ] +Directory: /etc/cron.d [ SUGGESTION ] +Directory: /etc/cron.daily [ SUGGESTION ] +Directory: /etc/cron.hourly [ SUGGESTION 
] +Directory: /etc/cron.weekly [ SUGGESTION ] +Directory: /etc/cron.monthly [ SUGGESTION ] + +[+] Home directories +------------------------------------ +- Permissions of home directories [ WARNING ] +- Ownership of home directories [ OK ] +- Checking shell history files [ OK ] + +[+] Kernel Hardening +------------------------------------ +- Comparing sysctl key pairs with scan profile +- dev.tty.ldisc_autoload (exp: 0) [ DIFFERENT ] +- fs.protected_fifos (exp: 2) [ OK ] +- fs.protected_hardlinks (exp: 1) [ OK ] +- fs.protected_regular (exp: 2) [ OK ] +- fs.protected_symlinks (exp: 1) [ OK ] +- fs.suid_dumpable (exp: 0) [ OK ] +- kernel.core_uses_pid (exp: 1) [ DIFFERENT ] +- kernel.ctrl-alt-del (exp: 0) [ OK ] +- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ] +- kernel.kptr_restrict (exp: 2) [ DIFFERENT ] +- kernel.modules_disabled (exp: 1) [ DIFFERENT ] +- kernel.perf_event_paranoid (exp: 3) [ DIFFERENT ] +- kernel.randomize_va_space (exp: 2) [ OK ] +- kernel.sysrq (exp: 0) [ DIFFERENT ] +- kernel.unprivileged_bpf_disabled (exp: 1) [ DIFFERENT ] +- net.core.bpf_jit_harden (exp: 2) [ DIFFERENT ] +- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ] +- net.ipv4.conf.all.forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ] +- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ] +- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ] +- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ] +- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ] +- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ] +- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ] +- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ] +- net.ipv4.tcp_syncookies (exp: 1) [ OK ] +- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ] +- 
net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ] +- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ] + +[+] Hardening +------------------------------------ +- Installed compiler(s) [ NOT FOUND ] +- Installed malware scanner [ NOT FOUND ] +- Non-native binary formats [ NOT FOUND ] + +[+] System Tools +------------------------------------ + + [WARNING]: Deprecated function used (report) + +- Starting dbus policy check... + + [WARNING]: Deprecated function used (logtext) + +Warning: Package systemd-249.4-2.2.aarch64 installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] +Warning: Package snapper-0.9.0-6.3.aarch64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Users, Groups and Authentication +------------------------------------ + + [WARNING]: Deprecated function used (report) + +- Starting password check for users... + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Binary integrity +------------------------------------ + + [WARNING]: Deprecated function used (report) + +- Starting binary RPATH check... + + [WARNING]: Deprecated function used (logtext) + +No bad RPATH usage found in 4320 executables [ OK ] + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] File systems +------------------------------------ + + [WARNING]: Test BINARY-1000 had a long execution: 86.762008 seconds + +- Starting look-up of symlinks in /tmp... + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] File systems +------------------------------------ +- Starting file permissions check for world-writeable files... 
+ + [WARNING]: Deprecated function used (logtext) + +/tmp is world-writeable [ WARNING ] + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Memory and processes +------------------------------------ +- Starting look-up of 'nobody' processes... + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Networking +------------------------------------ +- Starting verifying open network ports (22 25 80 111 443)... + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (logtext) + + + [WARNING]: Deprecated function used (wait_for_keypress) + + +[+] Custom tests +------------------------------------ +- Running custom tests...  [ NONE ] + +[+] Plugins (phase 2) +------------------------------------ + +================================================================================ + + -[ Lynis 3.0.5 Results ]- + + Warnings (2): + ---------------------------- + ! Couldn't find 2 responsive nameservers [NETW-2705] + https://cisofy.com/lynis/controls/NETW-2705/ + + ! iptables module(s) loaded, but no rules active [FIRE-4512] + https://cisofy.com/lynis/controls/FIRE-4512/ + + Suggestions (40): + ---------------------------- + * Version of Lynis outdated, consider upgrading to the latest version [LYNIS] + https://cisofy.com/lynis/controls/LYNIS/ + + * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. 
boot in single user mode without password) [BOOT-5122] + https://cisofy.com/lynis/controls/BOOT-5122/ + + * Consider hardening system services [BOOT-5264] + - Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service + https://cisofy.com/lynis/controls/BOOT-5264/ + + * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820] + https://cisofy.com/lynis/controls/KRNL-5820/ + + * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229] + https://cisofy.com/lynis/controls/AUTH-9229/ + + * When possible set expire dates for all password protected accounts [AUTH-9282] + https://cisofy.com/lynis/controls/AUTH-9282/ + + * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000] + https://cisofy.com/lynis/controls/USB-1000/ + + * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] + https://cisofy.com/lynis/controls/STRG-1846/ + + * Check DNS configuration for the dns domain name [NAME-4028] + https://cisofy.com/lynis/controls/NAME-4028/ + + * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404] + https://cisofy.com/lynis/controls/NAME-4404/ + + * Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705] + https://cisofy.com/lynis/controls/NETW-2705/ + + * Determine if protocol 'dccp' is really needed on this system [NETW-3200] + https://cisofy.com/lynis/controls/NETW-3200/ + + * Determine if protocol 'sctp' is really needed on this system [NETW-3200] + https://cisofy.com/lynis/controls/NETW-3200/ + + * Determine if protocol 'rds' is really needed on this system [NETW-3200] + https://cisofy.com/lynis/controls/NETW-3200/ + + * Determine if protocol 'tipc' is really needed on this system [NETW-3200] + https://cisofy.com/lynis/controls/NETW-3200/ + + * Install Apache mod_evasive to guard webserver against 
DoS/brute force attempts [HTTP-6640] + https://cisofy.com/lynis/controls/HTTP-6640/ + + * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] + https://cisofy.com/lynis/controls/HTTP-6643/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowTcpForwarding (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : ClientAliveCountMax (set 3 to 2) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Compression (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : LogLevel (set INFO to VERBOSE) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxAuthTries (set 6 to 3) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : MaxSessions (set 10 to 2) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : Port (set 22 to ) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : PrintLastLog (set NO to YES) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : TCPKeepAlive (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : X11Forwarding (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Consider hardening SSH configuration [SSH-7408] + - Details : AllowAgentForwarding (set YES to NO) + https://cisofy.com/lynis/controls/SSH-7408/ + + * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154] + https://cisofy.com/lynis/controls/LOGG-2154/ + + * Check what deleted files are 
still in use and why. [LOGG-2190] + https://cisofy.com/lynis/controls/LOGG-2190/ + + * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] + https://cisofy.com/lynis/controls/BANN-7126/ + + * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] + https://cisofy.com/lynis/controls/BANN-7130/ + + * Enable process accounting [ACCT-9622] + https://cisofy.com/lynis/controls/ACCT-9622/ + + * Enable sysstat to collect accounting (no results) [ACCT-9626] + https://cisofy.com/lynis/controls/ACCT-9626/ + + * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] + https://cisofy.com/lynis/controls/FINT-4350/ + + * Determine if automation tools are present for system management [TOOL-5002] + https://cisofy.com/lynis/controls/TOOL-5002/ + + * Consider restricting file permissions [FILE-7524] + - Details : See screen output or log file + - Solution : Use chmod to change file permissions + https://cisofy.com/lynis/controls/FILE-7524/ + + * Double check the permissions of home directories as some might be not strict enough. 
[HOME-9304] + https://cisofy.com/lynis/controls/HOME-9304/ + + * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] + - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:) + https://cisofy.com/lynis/controls/KRNL-6000/ + + * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] + - Solution : Install a tool like rkhunter, chkrootkit, OSSEC + https://cisofy.com/lynis/controls/HRDN-7230/ + + Follow-up: + ---------------------------- + - Show details of a test (lynis show details TEST-ID) + - Check the logfile for all details (less /var/log/lynis.log) + - Read security controls texts (https://cisofy.com) + - Use --upload to upload data to central system (Lynis Enterprise users) + +================================================================================ + + Lynis security scan details: + + Hardening index : 81 [################ ] + Tests performed : 260 + Plugins enabled : 0 + + Components: + - Firewall [V] + - Malware scanner [X] + + Scan mode: + Normal [V] Forensics [ ] Integration [ ] Pentest [ ] + + Lynis modules: + - Compliance status [?] 
+ - Security audit [V] + - Vulnerability scan [V] + + Files: + - Test and debug information : /var/log/lynis.log + - Report data : /var/log/lynis-report.dat + +================================================================================ + Notice: Lynis update available + Current version : 305 Latest version : 306 +================================================================================ + + Lynis 3.0.5 + + Auditing, system hardening, and compliance for UNIX-based systems + (Linux, macOS, BSD, and others) + + 2007-2021, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) + +================================================================================ + + [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings) +
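Review bot: the textmode baseline (and the tail of the gnome one above it) records exceptions that come from the test image rather than from the distribution's hardening state, and those defects propagate into the suggestion list: the two GetHostID exceptions say "Can't create hostid (no MAC addresses found)" and "Can't create HOSTID, command ip not found", KRNL-5830:2 reports no vmlinuz in /boot, and SSH-7404:1 reports "SSH daemon is running, but no readable configuration file found", which is why the SSH-7408 entry "Port (set 22 to )" has an empty target value. Consider fixing the image first (make the ip tool available, make the sshd configuration readable to the audit run, or document why /boot has no kernel image in this VM) so the committed baseline reflects the product, not the harness. Separately, several lines are nondeterministic and will churn any later comparison against this file: the "[WARNING]: Test ... had a long execution: 16.923534 seconds" lines carry wall-clock durations, the "Lynis update available" banner and the LYNIS "Version of Lynis outdated" suggestion depend on a network check at run time, and the "Hardening index" and "Tests performed" counts shift when either of those changes (82/263 in the gnome file versus 81/260 here). Either strip or normalize those lines before diffing, or disable the update check in the profile used for baseline runs.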