~/lynis # ./lynis --auditor "Frederic Mohr" -Q [ Lynis 2.1.0 ] ################################################################################ Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under the terms of the GNU General Public License. See the LICENSE file for details about using this software. Copyright 2007-2015 - CISOfy, https://cisofy.com Enterprise support and plugins available via CISOfy ################################################################################ [+] Initializing program ------------------------------------ - Detecting OS... [ DONE ] --------------------------------------------------- Program version: 2.1.0 Operating system: Linux Operating system name: Ubuntu Operating system version: 14.04 Kernel version: 3.13.0 Hardware platform: x86_64 Hostname: test-lynis01 Auditor: Frederic Mohr Profile: ./default.prf Log file: /var/log/lynis.log Report file: /var/log/lynis-report.dat Report version: 1.0 Plugin directory: ./plugins --------------------------------------------------- - Checking profile file (./default.prf)... - Program update status... [ NO UPDATE ] [+] System Tools ------------------------------------ - Scanning available tools... - Checking system binaries... [+] Plugins (phase 1) ------------------------------------ Note: plugins have more extensive tests, which may take a few minutes to complete - Plugins enabled [ NONE ] [+] Boot and services ------------------------------------ - Service Manager [ UNKNOWN ] - Boot loader [ NONE FOUND ] - Check services at startup (rc2.d) [ DONE ] Result: found 5 services - Check startup files (permissions) [ OK ] [+] Kernel ------------------------------------ - Checking default run level [ RUNLEVEL 2 ] - Checking CPU support (NX/PAE) CPU support: PAE and/or NoeXecute supported [ FOUND ] - Checking kernel version and release [ DONE ] - Checking kernel type [ DONE ] - Checking loaded kernel modules [ DONE ] Found 63 active modules - Checking Linux kernel configuration file [ NOT FOUND ] - Checking for available kernel update [ UNKNOWN ] - Checking core dumps configuration [ DISABLED ] - Checking setuid core dumps configuration [ PROTECTED ] - Check if reboot is needed [ UNKNOWN ] [+] Memory and processes ------------------------------------ - Checking /proc/meminfo [ FOUND ] - Searching for dead/zombie processes [ OK ] - Searching for IO waiting processes [ OK ] [+] Users, Groups and Authentication ------------------------------------ - Search administrator accounts [ OK ] - Checking for non-unique UIDs [ OK ] - Checking consistency of group files (grpck) [ OK ] - Checking non unique group ID's [ OK ] - Checking non unique group names [ OK ] - Checking password file consistency [ OK ] - Query system users (non daemons) [ DONE ] - Checking NIS+ authentication support [ NOT ENABLED ] - Checking NIS authentication support [ NOT ENABLED ] - Checking sudoers file [ FOUND ] - Check sudoers file permissions [ OK ] - Checking PAM password strength tools [ SUGGESTION ] - Checking PAM configuration files (pam.conf) [ FOUND ] - Checking PAM configuration files (pam.d) [ FOUND ] - Checking PAM modules [ FOUND ] - Checking LDAP module in PAM [ NOT FOUND ] - Checking accounts without expire date [ OK ] - Checking accounts without password [ OK ] - Checking user password aging [ DISABLED ] - Determining default umask - Checking umask (/etc/profile) [ OK ] - Checking umask (/etc/login.defs) [ SUGGESTION ] - Checking umask (/etc/init.d/rc) [ SUGGESTION ] - Checking LDAP authentication support [ NOT ENABLED ] [+] Shells ------------------------------------ - Checking shells from /etc/shells Result: found 5 shells (valid shells: 5). - Session timeout settings/tools [ NONE ] [+] File systems ------------------------------------ - Checking mount points - Checking /home mount point [ SUGGESTION ] - Checking /tmp mount point [ SUGGESTION ] - Checking /var mount point [ SUGGESTION ] - Querying FFS/UFS mount points (fstab) [ NONE ] - Query swap partitions (fstab) [ NONE ] - Testing swap partitions [ WARNING ] - Checking for old files in /tmp [ OK ] - Checking /tmp sticky bit [ OK ] - ACL support root file system [ DISABLED ] - Checking Locate database [ NOT FOUND ] [+] Storage ------------------------------------ - Checking usb-storage driver (modprobe config) [ NOT DISABLED ] - Checking firewire ohci driver (modprobe config) [ DISABLED ] [+] NFS ------------------------------------ - Check running NFS daemon [ NOT FOUND ] [+] Name services ------------------------------------ - Checking default DNS search domain [ NONE ] - Checking search domains [ FOUND ] - Checking search domains lines [ CONFIG ERROR ] - Checking /etc/resolv.conf options [ NONE ] - Searching DNS domain name [ FOUND ] Domain name: prod.lan - Checking nscd status [ NOT FOUND ] - Checking BIND status [ NOT FOUND ] - Checking PowerDNS status [ NOT FOUND ] - Checking ypbind status [ NOT FOUND ] - Checking /etc/hosts - Checking /etc/hosts (duplicates) [ OK ] - Checking /etc/hosts (hostname) [ OK ] - Checking /etc/hosts (localhost) [ SUGGESTION ] [+] Ports and packages ------------------------------------ - Searching package managers - Searching dpkg package manager [ FOUND ] - Querying package manager - Query unpurged packages [ NONE ] - Checking security repository in sources.list file [ OK ] - Checking APT package database [ OK ] - Checking vulnerable packages [ OK ] - Checking upgradeable packages [ SKIPPED ] - Checking package audit tool [ INSTALLED ] Found: apt-check [+] Networking ------------------------------------ - Checking configured nameservers - Testing nameservers Nameserver: 10.0.x.x [ OK ] Nameserver: 10.0.x.x [ OK ] - Minimal of 2 responsive nameservers [ OK ] - Checking default gateway [ DONE ] - Getting listening ports (TCP/UDP) [ DONE ] * Found 5 ports - Checking promiscuous interfaces [ OK ] - Checking waiting connections [ OK ] - Checking status DHCP client [ RUNNING ] [+] Printers and Spools ------------------------------------ - Checking cups daemon [ NOT FOUND ] - Checking lp daemon [ NOT RUNNING ] [+] Software: e-mail and messaging ------------------------------------ - Checking Exim status [ NOT FOUND ] - Checking Postfix status [ NOT FOUND ] - Checking Qmail status [ NOT FOUND ] - Checking Sendmail status [ NOT FOUND ] [+] Software: firewalls ------------------------------------ - Checking iptables kernel module [ FOUND ] - Checking pflogd status [ NOT FOUND ] - Checking pf [ NOT FOUND ] - Checking host based firewall [ ACTIVE ] [+] Software: webserver ------------------------------------ - Checking Apache [ NOT FOUND ] - Checking nginx [ NOT FOUND ] [+] SSH Support ------------------------------------ - Checking running SSH daemon [ FOUND ] - Searching SSH configuration [ FOUND ] - Checking defined SSH options [ DONE ] - SSH option: PermitRootLogin (without-password) [ OK ] - SSH option: Protocol [ OK ] - SSH option: StrictModes [ OK ] - SSH option: AllowUsers [ NOT FOUND ] - SSH option: AllowGroups [ NOT FOUND ] [+] SNMP Support ------------------------------------ - Checking running SNMP daemon [ NOT FOUND ] [+] Databases ------------------------------------ - MySQL process status [ NOT FOUND ] - PostgreSQL processes status [ NOT FOUND ] - Oracle processes status [ NOT FOUND ] [+] LDAP Services ------------------------------------ - Checking OpenLDAP instance [ NOT FOUND ] [+] PHP ------------------------------------ - Checking PHP [ NOT FOUND ] [+] Squid Support ------------------------------------ - Checking running Squid daemon [ NOT FOUND ] [+] Logging and files ------------------------------------ - Checking for a running log daemon [ OK ] - Checking Syslog-NG status [ NOT FOUND ] - Checking systemd journal status [ NOT FOUND ] - Checking Metalog status [ NOT FOUND ] - Checking RSyslog status [ FOUND ] - Checking RFC 3195 daemon status [ NOT FOUND ] - Checking minilogd instances [ NOT FOUND ] - Checking logrotate presence [ OK ] - Checking log directories (static list) [ DONE ] - Checking open log files [ SKIPPED ] [+] Insecure services ------------------------------------ - Checking inetd status [ NOT ACTIVE ] [+] Banners and identification ------------------------------------ - /etc/motd [ NOT FOUND ] - /etc/issue [ FOUND ] - /etc/issue contents [ WEAK ] - /etc/issue.net [ FOUND ] - /etc/issue.net contents [ WEAK ] [+] Scheduled tasks ------------------------------------ - Checking crontab/cronjob [ DONE ] - Checking atd status [ NOT RUNNING ] [+] Accounting ------------------------------------ - Checking accounting information [ NOT FOUND ] - Checking sysstat accounting data [ NOT FOUND ] - Checking auditd [ NOT FOUND ] [+] Time and Synchronization ------------------------------------ - Checking NTP client in crontab file (/etc/crontab) [ NOT FOUND ] - Checking NTP client in cron.d files [ NOT FOUND ] - Checking event based ntpdate (if-up) [ FOUND ] - Checking for a running NTP daemon or client [ OK ] [+] Cryptography ------------------------------------ - Checking SSL certificate expiration [ OK ] [+] Virtualization ------------------------------------ [+] Security frameworks ------------------------------------ - Checking presence AppArmor [ NOT FOUND ] - Checking presence SELinux [ NOT FOUND ] - Checking presence grsecurity [ NOT FOUND ] - Checking for implemented MAC framework [ NONE ] [+] Software: file integrity ------------------------------------ - Checking file integrity tools - AFICK [ NOT FOUND ] - AIDE [ NOT FOUND ] - Osiris [ NOT FOUND ] - Samhain [ NOT FOUND ] - Tripwire [ NOT FOUND ] - OSSEC (syscheck) [ NOT FOUND ] - mtree [ NOT FOUND ] - Checking presence integrity tool [ NOT FOUND ] [+] Software: System tooling ------------------------------------ - Checking automation tooling - Automation tooling [ NOT FOUND ] [+] Software: Malware scanners ------------------------------------ [+] File Permissions ------------------------------------ - Starting file permissions check /etc/lilo.conf [ NOT FOUND ] /root/.ssh [ NOT FOUND ] [+] Home directories ------------------------------------ - Checking shell history files [ OK ] [+] Kernel Hardening ------------------------------------ - Comparing sysctl key pairs with scan profile - kernel.core_uses_pid (exp: 1) [ DIFFERENT ] - kernel.ctrl-alt-del (exp: 0) [ OK ] - kernel.kptr_restrict (exp: 1) [ OK ] - kernel.sysrq (exp: 0) [ DIFFERENT ] - net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ] - net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ] - net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ] - net.ipv4.conf.all.forwarding (exp: 0) [ DIFFERENT ] - net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ] - net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ] - net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ] - net.ipv4.conf.all.rp_filter (exp: 1) [ OK ] - net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ] - net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ] - net.ipv4.conf.default.accept_source_route (exp: 0) [ DIFFERENT ] - net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ] - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ] - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ] - net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ] - net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ] - net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ] - net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ] [+] Hardening ------------------------------------ - Installed compiler(s) [ NOT FOUND ] - Installed malware scanner [ NOT FOUND ] [+] Custom Tests ------------------------------------ - Running custom tests... [ NONE ] ================================================================================ -[ Lynis 2.1.0 Results ]- Warnings: ---------------------------- - Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration [NAME-4018] https://cisofy.com/controls/NAME-4018/ Suggestions: ---------------------------- - Check the output of apt-cache policy manually to determine why output is empty [KRNL-5788] https://cisofy.com/controls/KRNL-5788/ - Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] https://cisofy.com/controls/AUTH-9262/ - Configure password aging limits to enforce password changing on a regular base [AUTH-9286] https://cisofy.com/controls/AUTH-9286/ - Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] https://cisofy.com/controls/AUTH-9328/ - Default umask in /etc/init.d/rc could be more strict like 027 [AUTH-9328] https://cisofy.com/controls/AUTH-9328/ - To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/ - To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/ - To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/ - Check your /etc/fstab file for swap partition mount options [FILE-6336] https://cisofy.com/controls/FILE-6336/ - The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410] https://cisofy.com/controls/FILE-6410/ - Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] https://cisofy.com/controls/STRG-1840/ - Split resolving between localhost and the hostname of the system [NAME-4406] https://cisofy.com/controls/NAME-4406/ - Install package apt-show-versions for patch management purposes [PKGS-7394] https://cisofy.com/controls/PKGS-7394/ - Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] https://cisofy.com/controls/BANN-7126/ - Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] https://cisofy.com/controls/BANN-7130/ - Enable process accounting [ACCT-9622] https://cisofy.com/controls/ACCT-9622/ - Enable sysstat to collect accounting (no results) [ACCT-9626] https://cisofy.com/controls/ACCT-9626/ - Enable auditd to collect audit information [ACCT-9628] https://cisofy.com/controls/ACCT-9628/ - Install a file integrity tool [FINT-4350] https://cisofy.com/controls/FINT-4350/ - Determine if automation tools are present for system management [TOOL-5002] https://cisofy.com/controls/TOOL-5002/ - One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] https://cisofy.com/controls/KRNL-6000/ - Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] https://cisofy.com/controls/HRDN-7230/ Follow-up: ---------------------------- - Check the logfile for more details (less /var/log/lynis.log) - Read security controls texts (https://cisofy.com) - Use --upload to upload data (Lynis Enterprise users) ================================================================================ Lynis security scan details: Hardening index : 70 [############## ] Tests performed : 170 Plugins enabled : 0 Quick overview: - Firewall [V] - Malware scanner [X] Lynis Modules: - Heuristics Check [NA] - Security Audit [V] - Compliance Tests [X] - Vulnerability Scan [V] Files: - Test and debug information : /var/log/lynis.log - Report data : /var/log/lynis-report.dat ================================================================================ Exceptions found Some exceptional events or information was found! What to do: You can help improving Lynis by providing your report file. Go to https://cisofy.com/contact/ and send your file to the e-mail address listed ================================================================================ Tip: Disable all tests which are not relevant or are too strict for the purpose of this particular machine. This will remove unwanted suggestions and also boost the hardening index. Each test should be properly analyzed to see if the related risks can be accepted, before disabling the test. ================================================================================ Lynis 2.1.0 Auditing, hardening and compliance for BSD, Linux, Mac OS and Unix Copyright 2007-2015 - CISOfy, https://cisofy.com Enterprise support and plugins available via CISOfy ================================================================================