Lynis is an open-source security auditing tool for Linux, macOS and other UNIX-based systems. It runs locally on the host it audits (it is not a network vulnerability scanner): it walks through a few hundred checks of the installed software, running services, file permissions, kernel and SSH settings, and then lists warnings and hardening suggestions, each with a test ID that links to a control description on the CISOfy site. It is used by system administrators, auditors and penetration testers to assess and improve the security posture of a system. The tool is easy to use, is updated regularly and is freely available as open source.
Date | Changes |
---|---|
21.05.2024 | Guide created |
1. Prerequisites
- none beyond root (or sudo) access on the host to be audited: Lynis also runs as an unprivileged user, but then it cannot read root-only files and skips the corresponding tests
2. Installing Lynis
On Debian, Lynis can be installed straight from the package manager:
```
apt update
apt install lynis -y
```
The packaged version lags behind upstream: the run below reports 3.0.8 and Lynis itself flags that release as more than four months old. If you want the current set of tests, install from CISOfy's own package repository or run Lynis from a checkout of https://github.com/CISOfy/lynis instead.
3. Running the security audit
Start an audit of the local system with the following command (run it as root, otherwise tests that need to read root-only files are skipped):
```
lynis audit system
```
The scan takes a few minutes and prints its findings to the terminal. It also writes a detailed log to /var/log/lynis.log and a machine-readable summary to /var/log/lynis-report.dat (both paths appear in the header of the run below); `lynis show details TEST-ID` prints the log lines for a single test. The "Hardening index" at the end is a rough score from 0 to 100, not a pass/fail verdict, and the warnings deserve attention before the suggestions. Here is the result from a test server (the server is genuinely insecure and, fortunately, switched off 99% of the time). The run used the German locale, so the status labels are German: GEFUNDEN = found, NICHTS = none, FERTIG = done, VORSCHLAG = suggestion, WARNUNG = warning, UNTERSCHIEDLICH = differs from the profile, AKTIVIERT/DEAKTIVIERT = enabled/disabled, UNSICHER = unsafe, GESCHÜTZT = protected, SCHWACH = weak, LÄUFT = running.
```
[ Lynis 3.0.8 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2021, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################


[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Checking profiles...                                      [ DONE ]
  - Detecting language and localization                       [ de ]

  ---------------------------------------------------
  Program version:           3.0.8
  Operating system:          Linux
  Operating system name:     Debian
  Operating system version:  12
  Kernel version:            6.1.0
  Hardware platform:         x86_64
  Hostname:                  xxxxx
  ---------------------------------------------------
  Profiles:                  /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /etc/lynis/plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Language:                  de
  Test category:             all
  Test group:                all
  ---------------------------------------------------
  - Program update status...                                  [ KEINE AKTUALISIERUNG ]

[+] Systemwerkzeuge
------------------------------------
  - Scanning available tools...
  - Checking system binaries...

[+] Plugins (Phase 1)
------------------------------------
 Beachte: Plugins beinhalten eingehendere Tests und können mehrere Minuten benötigen, bis sie abgeschlossen sind

  - Plugin: debian
    [
[+] Debian Tests
------------------------------------
  - Checking for system binaries that are required by Debian Tests...
    - Checking /bin...                                        [ FOUND ]
    - Checking /sbin...                                       [ FOUND ]
    - Checking /usr/bin...                                    [ FOUND ]
    - Checking /usr/sbin...                                   [ FOUND ]
    - Checking /usr/local/bin...                              [ FOUND ]
    - Checking /usr/local/sbin...                             [ FOUND ]
  - Authentication:
    - PAM (Pluggable Authentication Modules):
      - libpam-tmpdir                                         [ Not Installed ]
  - File System Checks:
    - DM-Crypt, Cryptsetup & Cryptmount:
  - Software:
    - apt-listbugs                                            [ Not Installed ]
    - apt-listchanges                                         [ Installed and enabled for apt ]
    - needrestart                                             [ Not Installed ]
    - fail2ban                                                [ Not Installed ]
    ]

[+] Systemstart und Dienste
------------------------------------
  - Service Manager                                           [ systemd ]
  - Checking UEFI boot                                        [ DEAKTIVIERT ]
  - Checking presence GRUB2                                   [ GEFUNDEN ]
    - Checking for password protection                        [ NICHTS ]
  - Check running services (systemctl)                        [ FERTIG ]
        Result: found 12 running services
  - Check enabled services at boot (systemctl)                [ FERTIG ]
        Result: found 16 enabled services
  - Check startup files (permissions)                         [ OK ]
  - Running 'systemd-analyze security'
    - containerd.service:                                     [ UNSICHER ]
    - cron.service:                                           [ UNSICHER ]
    - dbus.service:                                           [ UNSICHER ]
    - docker.service:                                         [ UNSICHER ]
    - emergency.service:                                      [ UNSICHER ]
    - getty@tty1.service:                                     [ UNSICHER ]
    - lynis.service:                                          [ UNSICHER ]
    - ntpsec-rotate-stats.service:                            [ UNSICHER ]
    - ntpsec-systemd-netif.service:                           [ UNSICHER ]
    - ntpsec.service:                                         [ UNSICHER ]
    - qemu-guest-agent.service:                               [ UNSICHER ]
    - rc-local.service:                                       [ UNSICHER ]
    - rescue.service:                                         [ UNSICHER ]
    - ssh.service:                                            [ UNSICHER ]
    - systemd-ask-password-console.service:                   [ UNSICHER ]
    - systemd-ask-password-wall.service:                      [ UNSICHER ]
    - systemd-fsckd.service:                                  [ UNSICHER ]
    - systemd-initctl.service:                                [ UNSICHER ]
    - systemd-journald.service:                               [ GESCHÜTZT ]
    - systemd-logind.service:                                 [ GESCHÜTZT ]
    - systemd-networkd.service:                               [ GESCHÜTZT ]
    - systemd-udevd.service:                                  [ MITTEL ]
    - user@0.service:                                         [ UNSICHER ]

[+] Kernel
------------------------------------
  - Checking default run level                                [ RUNLEVEL 5 ]
  - Checking CPU support (NX/PAE)
    CPU support: PAE and/or NoeXecute supported               [ GEFUNDEN ]
  - Checking kernel version and release                       [ FERTIG ]
  - Checking kernel type                                      [ FERTIG ]
  - Checking loaded kernel modules                            [ FERTIG ]
      Found 95 active modules
  - Checking Linux kernel configuration file                  [ GEFUNDEN ]
  - Checking default I/O kernel scheduler                     [ NICHT GEFUNDEN ]
  - Checking for available kernel update                      [ OK ]
  - Checking core dumps configuration
    - configuration in systemd conf files                     [ STANDARD ]
    - configuration in /etc/profile                           [ STANDARD ]
    - 'hard' configuration in /etc/security/limits.conf       [ STANDARD ]
    - 'soft' configuration in /etc/security/limits.conf       [ STANDARD ]
    - Checking setuid core dumps configuration                [ DEAKTIVIERT ]
  - Check if reboot is needed                                 [ NEIN ]

[+] Software: Speicher und Prozesse
------------------------------------
  - Checking /proc/meminfo                                    [ GEFUNDEN ]
  - Searching for dead/zombie processes                       [ NICHT GEFUNDEN ]
  - Searching for IO waiting processes                        [ NICHT GEFUNDEN ]
  - Search prelink tooling                                    [ NICHT GEFUNDEN ]

[+] Benutzer, Gruppen und Authentifizierung
------------------------------------
  - Administrator accounts                                    [ OK ]
  - Unique UIDs                                               [ OK ]
  - Consistency of group files (grpck)                        [ OK ]
  - Unique group IDs                                          [ OK ]
  - Unique group names                                        [ OK ]
  - Password file consistency                                 [ OK ]
  - Password hashing methods                                  [ VORSCHLAG ]
  - Checking password hashing rounds                          [ DEAKTIVIERT ]
  - Query system users (non daemons)                          [ FERTIG ]
  - NIS+ authentication support                               [ NICHT AKTIVIERT ]
  - NIS authentication support                                [ NICHT AKTIVIERT ]
  - Sudoers file(s)                                           [ GEFUNDEN ]
    - Permissions for directory: /etc/sudoers.d               [ WARNUNG ]
    - Permissions for: /etc/sudoers                           [ OK ]
    - Permissions for: /etc/sudoers.d/README                  [ OK ]
  - PAM password strength tools                               [ VORSCHLAG ]
  - PAM configuration files (pam.conf)                        [ GEFUNDEN ]
  - PAM configuration files (pam.d)                           [ GEFUNDEN ]
  - PAM modules                                               [ GEFUNDEN ]
  - LDAP module in PAM                                        [ NICHT GEFUNDEN ]
  - Accounts without expire date                              [ VORSCHLAG ]
  - Accounts without password                                 [ OK ]
  - Locked accounts                                           [ OK ]
  - Checking user password aging (minimum)                    [ DEAKTIVIERT ]
  - User password aging (maximum)                             [ DEAKTIVIERT ]
  - Checking expired passwords                                [ OK ]
  - Checking Linux single user mode authentication            [ OK ]
  - Determining default umask
    - umask (/etc/profile)                                    [ NICHT GEFUNDEN ]
    - umask (/etc/login.defs)                                 [ VORSCHLAG ]
  - LDAP authentication support                               [ NICHT AKTIVIERT ]
  - Logging failed login attempts                             [ AKTIVIERT ]

[+] Shells
------------------------------------
  - Checking shells from /etc/shells
    Result: found 8 shells (valid shells: 8).
    - Session timeout settings/tools                          [ NICHTS ]
  - Checking default umask values
    - Checking default umask in /etc/bash.bashrc              [ NICHTS ]
    - Checking default umask in /etc/profile                  [ NICHTS ]

[+] Dateisysteme
------------------------------------
  - Checking mount points
    - Checking /home mount point                              [ VORSCHLAG ]
    - Checking /tmp mount point                               [ VORSCHLAG ]
    - Checking /var mount point                               [ VORSCHLAG ]
  - Query swap partitions (fstab)                             [ NICHTS ]
  - Testing swap partitions                                   [ OK ]
  - Checking for old files in /tmp                            [ OK ]
  - Checking /tmp sticky bit                                  [ OK ]
  - Checking /var/tmp sticky bit                              [ OK ]
  - ACL support root file system                              [ AKTIVIERT ]
  - Mount options of /                                        [ NICHT STANDARD ]
  - Mount options of /boot                                    [ STANDARD ]
  - Mount options of /dev                                     [ TEILWEISE GEHÄRTET ]
  - Mount options of /dev/shm                                 [ TEILWEISE GEHÄRTET ]
  - Mount options of /run                                     [ GEHÄRTET ]
  - Total without nodev:55 noexec:56 nosuid:53 ro or noexec (W^X): 56 of total 75
  - Disable kernel support of some filesystems

[+] USB Geräte
------------------------------------
  - Checking usb-storage driver (modprobe config)             [ NICHT DEAKTIVIERT ]
  - Checking USB devices authorization                        [ AKTIVIERT ]
  - Checking USBGuard                                         [ NICHT GEFUNDEN ]

[+] Speicher
------------------------------------
  - Checking firewire ohci driver (modprobe config)           [ NICHT DEAKTIVIERT ]

[+] NFS
------------------------------------
  - Check running NFS daemon                                  [ NICHT GEFUNDEN ]

[+] Namensauflösung
------------------------------------
  - Searching DNS domain name                                 [ GEFUNDEN ]
      Domain name: xxx.de
  - Checking Unbound status                                   [ LÄUFT ]
  - Checking /etc/hosts
    - Duplicate entries in hosts file                         [ NICHTS ]
    - Presence of configured hostname in /etc/hosts           [ GEFUNDEN ]
    - Hostname mapped to localhost                            [ NICHT GEFUNDEN ]
    - Localhost mapping to IP address                         [ OK ]

[+] Ports und Pakete
------------------------------------
  - Searching package managers
    - Searching dpkg package manager                          [ GEFUNDEN ]
      - Querying package manager
    - Query unpurged packages                                 [ GEFUNDEN ]
  - Checking security repository in sources.list file         [ OK ]
  - Checking APT package database                             [ OK ]
  - Checking vulnerable packages                              [ WARNUNG ]
  - Checking upgradeable packages                             [ ÜBERSPRUNGEN ]
  - Checking package audit tool                               [ INSTALLIERT ]
    Found: apt-get
  - Toolkit for automatic upgrades                            [ NICHT GEFUNDEN ]

[+] Netzwerk
------------------------------------
  - Checking IPv6 configuration                               [ AKTIVIERT ]
      Configuration method                                    [ AUTO ]
      IPv6 only                                               [ NEIN ]
  - Checking configured nameservers
    - Testing nameservers
        Nameserver: 46.38.225.230                             [ OK ]
        Nameserver: 46.38.252.230                             [ OK ]
        Nameserver: 2a03:4000:0:1::e1e6                       [ OK ]
    - Minimal of 2 responsive nameservers                     [ OK ]
  - Getting listening ports (TCP/UDP)                         [ FERTIG ]
  - Checking promiscuous interfaces                           [ OK ]
  - Checking status DHCP client
  - Checking for ARP monitoring software                      [ NICHT GEFUNDEN ]
  - Uncommon network protocols                                [ 0 ]

[+] Drucker und Warteschlange
------------------------------------
  - Checking cups daemon                                      [ NICHT GEFUNDEN ]
  - Checking lp daemon                                        [ LÄUFT NICHT ]

[+] Software: E-Mail und Messaging
------------------------------------
  - Postfix status                                            [ LÄUFT ]
  - Dovecot status                                            [ LÄUFT ]

[+] Software: Firewalls
------------------------------------
  - Checking iptables kernel module                           [ GEFUNDEN ]
    - Checking iptables policies of chains                    [ GEFUNDEN ]
    - Checking for empty ruleset                              [ OK ]
    - Checking for unused rules                               [ GEFUNDEN ]
  - Checking host based firewall                              [ AKTIV ]

[+] Software: Webserver
------------------------------------
  - Checking Apache                                           [ NICHT GEFUNDEN ]
  - Checking nginx                                            [ GEFUNDEN ]
    - Searching nginx configuration file                      [ NICHT GEFUNDEN ]

[+] SSH
------------------------------------
  - Checking running SSH daemon                               [ GEFUNDEN ]
    - Searching SSH configuration                             [ GEFUNDEN ]
    - OpenSSH option: AllowTcpForwarding                      [ VORSCHLAG ]
    - OpenSSH option: ClientAliveCountMax                     [ VORSCHLAG ]
    - OpenSSH option: ClientAliveInterval                     [ OK ]
    - OpenSSH option: Compression                             [ VORSCHLAG ]
    - OpenSSH option: FingerprintHash                         [ OK ]
    - OpenSSH option: GatewayPorts                            [ OK ]
    - OpenSSH option: IgnoreRhosts                            [ OK ]
    - OpenSSH option: LoginGraceTime                          [ OK ]
    - OpenSSH option: LogLevel                                [ VORSCHLAG ]
    - OpenSSH option: MaxAuthTries                            [ VORSCHLAG ]
    - OpenSSH option: MaxSessions                             [ VORSCHLAG ]
    - OpenSSH option: PermitRootLogin                         [ VORSCHLAG ]
    - OpenSSH option: PermitUserEnvironment                   [ OK ]
    - OpenSSH option: PermitTunnel                            [ OK ]
    - OpenSSH option: Port                                    [ VORSCHLAG ]
    - OpenSSH option: PrintLastLog                            [ OK ]
    - OpenSSH option: StrictModes                             [ OK ]
    - OpenSSH option: TCPKeepAlive                            [ VORSCHLAG ]
    - OpenSSH option: UseDNS                                  [ OK ]
    - OpenSSH option: X11Forwarding                           [ VORSCHLAG ]
    - OpenSSH option: AllowAgentForwarding                    [ VORSCHLAG ]
    - OpenSSH option: AllowUsers                              [ NICHT GEFUNDEN ]
    - OpenSSH option: AllowGroups                             [ NICHT GEFUNDEN ]

[+] SNMP Unterstützung
------------------------------------
  - Checking running SNMP daemon                              [ NICHT GEFUNDEN ]

[+] Datenbanken
------------------------------------
  - MySQL process status                                      [ GEFUNDEN ]
  - Redis (server) status                                     [ GEFUNDEN ]

=================================================================

  Exception found!

  Function/test:  [DBS-1882]
  Message:
  Found Redis, but no configuration file. Report this if you know where it is located on your system.

  Help improving the Lynis community with your feedback!

  Steps:
  - Ensure you are running the latest version (/usr/sbin/lynis update check)
  - If so, create a GitHub issue at https://github.com/CISOfy/lynis
  - Include relevant parts of the log file or configuration file

  Thanks!

=================================================================

[+] LDAP Dienste
------------------------------------
  - Checking OpenLDAP instance                                [ NICHT GEFUNDEN ]

[+] PHP
------------------------------------
  - Checking PHP                                              [ NICHT GEFUNDEN ]

[+] Squid
------------------------------------
  - Checking running Squid daemon                             [ NICHT GEFUNDEN ]

[+] Logs und Logdateien
------------------------------------
  - Checking for a running log daemon                         [ OK ]
    - Checking Syslog-NG status                               [ GEFUNDEN ]
    - Checking systemd journal status                         [ GEFUNDEN ]
    - Checking Metalog status                                 [ NICHT GEFUNDEN ]
    - Checking RSyslog status                                 [ NICHT GEFUNDEN ]
    - Checking RFC 3195 daemon status                         [ NICHT GEFUNDEN ]
    - Checking minilogd instances                             [ NICHT GEFUNDEN ]
  - Checking logrotate presence                               [ OK ]
  - Checking remote logging                                   [ NICHT AKTIVIERT ]
  - Checking log directories (static list)                    [ FERTIG ]
  - Checking open log files                                   [ FERTIG ]
  - Checking deleted files in use                             [ DATEIEN GEFUNDEN ]

[+] Unsichere Dienste
------------------------------------
  - Installed inetd package                                   [ NICHT GEFUNDEN ]
  - Installed xinetd package                                  [ OK ]
    - xinetd status
  - Installed rsh client package                              [ OK ]
  - Installed rsh server package                              [ OK ]
  - Installed telnet client package                           [ OK ]
  - Installed telnet server package                           [ NICHT GEFUNDEN ]
  - Checking NIS client installation                          [ OK ]
  - Checking NIS server installation                          [ OK ]
  - Checking TFTP client installation                         [ OK ]
  - Checking TFTP server installation                         [ OK ]

[+] Banner und Identifizierung
------------------------------------
  - /etc/issue                                                [ GEFUNDEN ]
    - /etc/issue contents                                     [ SCHWACH ]
  - /etc/issue.net                                            [ GEFUNDEN ]
    - /etc/issue.net contents                                 [ SCHWACH ]

[+] Geplante Aufgaben
------------------------------------
  - Checking crontab and cronjob files                        [ FERTIG ]

[+] Accounting
------------------------------------
  - Checking accounting information                           [ NICHT GEFUNDEN ]
  - Checking sysstat accounting data                          [ NICHT GEFUNDEN ]
  - Checking auditd                                           [ NICHT GEFUNDEN ]

[+] Zeit und Zeitsynchronisierung
------------------------------------
  - NTP daemon found: ntpd                                    [ GEFUNDEN ]
  - Checking for a running NTP daemon or client               [ OK ]
  - Checking valid association ID's                           [ GEFUNDEN ]
  - Checking high stratum ntp peers                           [ OK ]
  - Checking unreliable ntp peers                             [ GEFUNDEN ]
  - Checking selected time source                             [ OK ]
  - Checking time source candidates                           [ OK ]
  - Checking falsetickers                                     [ OK ]
  - Checking NTP version                                      [ GEFUNDEN ]

[+] Kryptographie
------------------------------------
  - Checking for expired SSL certificates [0/142]             [ NICHTS ]
  - Kernel entropy is sufficient                              [ JA ]
  - HW RNG & rngd                                             [ NEIN ]
  - SW prng                                                   [ NEIN ]
  - MOR variable not found                                    [ SCHWACH ]

[+] Virtualisierung
------------------------------------

[+] Container
------------------------------------
  - Docker
    - Docker daemon                                           [ LÄUFT ]
    - Docker info output (warnings)                           [ NICHTS ]
    - Containers
      - Total containers                                      [ 32 ]
        - Running containers                                  [ 26 ]
        - Unused containers                                   [ 6 ]
    - File permissions                                        [ OK ]

[+] Sicherheitsframeworks
------------------------------------
  - Checking presence AppArmor                                [ GEFUNDEN ]
    - Checking AppArmor status                                [ AKTIVIERT ]
      Found 78 unconfined processes
  - Checking presence SELinux                                 [ NICHT GEFUNDEN ]
  - Checking presence TOMOYO Linux                            [ NICHT GEFUNDEN ]
  - Checking presence grsecurity                              [ NICHT GEFUNDEN ]
  - Checking for implemented MAC framework                    [ OK ]

[+] Software: Dateintegrität
------------------------------------
  - Checking file integrity tools
  - Checking presence integrity tool                          [ NICHT GEFUNDEN ]

[+] Software: Systemwerkzeuge
------------------------------------
  - Checking automation tooling
    - Ansible artifact                                        [ GEFUNDEN ]
  - Automation tooling                                        [ GEFUNDEN ]
  - Checking for IDS/IPS tooling                              [ NICHTS ]

[+] Software: Malware
------------------------------------
pgrep: pattern that searches for process name longer than 15 characters will result in zero matches
Try `pgrep -f' option to match against the complete command line.
  - Überprüfung ClamAV daemon                                 [ GEFUNDEN ]
    - Überprüfung freshclam                                   [ VORSCHLAG ]
  - Malware software components                               [ GEFUNDEN ]
    - Active agent                                            [ GEFUNDEN ]
  - Rootkit scanner                                           [ NICHT GEFUNDEN ]

[+] Dateiberechtigungen
------------------------------------
  - Starting file permissions check
    File: /boot/grub/grub.cfg                                 [ OK ]
    File: /etc/crontab                                        [ VORSCHLAG ]
    File: /etc/group                                          [ OK ]
    File: /etc/group-                                         [ OK ]
    File: /etc/hosts.allow                                    [ OK ]
    File: /etc/hosts.deny                                     [ OK ]
    File: /etc/issue                                          [ OK ]
    File: /etc/issue.net                                      [ OK ]
    File: /etc/motd                                           [ OK ]
    File: /etc/passwd                                         [ OK ]
    File: /etc/passwd-                                        [ OK ]
    File: /etc/ssh/sshd_config                                [ VORSCHLAG ]
    Directory: /root/.ssh                                     [ OK ]
    Directory: /etc/cron.d                                    [ VORSCHLAG ]
    Directory: /etc/cron.daily                                [ VORSCHLAG ]
    Directory: /etc/cron.hourly                               [ VORSCHLAG ]
    Directory: /etc/cron.weekly                               [ VORSCHLAG ]
    Directory: /etc/cron.monthly                              [ VORSCHLAG ]

[+] Heimatverzeichnisse
------------------------------------
  - Permissions of home directories                           [ OK ]
  - Ownership of home directories                             [ OK ]
  - Checking shell history files                              [ OK ]

[+] Kernelhärtung
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - dev.tty.ldisc_autoload (exp: 0)                         [ UNTERSCHIEDLICH ]
    - fs.protected_fifos (exp: 2)                             [ UNTERSCHIEDLICH ]
    - fs.protected_hardlinks (exp: 1)                         [ OK ]
    - fs.protected_regular (exp: 2)                           [ OK ]
    - fs.protected_symlinks (exp: 1)                          [ OK ]
    - fs.suid_dumpable (exp: 0)                               [ OK ]
    - kernel.core_uses_pid (exp: 1)                           [ UNTERSCHIEDLICH ]
    - kernel.ctrl-alt-del (exp: 0)                            [ OK ]
    - kernel.dmesg_restrict (exp: 1)                          [ OK ]
    - kernel.kptr_restrict (exp: 2)                           [ UNTERSCHIEDLICH ]
    - kernel.modules_disabled (exp: 1)                        [ UNTERSCHIEDLICH ]
    - kernel.perf_event_paranoid (exp: 3)                     [ OK ]
    - kernel.randomize_va_space (exp: 2)                      [ OK ]
    - kernel.sysrq (exp: 0)                                   [ UNTERSCHIEDLICH ]
    - kernel.unprivileged_bpf_disabled (exp: 1)               [ UNTERSCHIEDLICH ]
    - kernel.yama.ptrace_scope (exp: 1 2 3)                   [ UNTERSCHIEDLICH ]
    - net.core.bpf_jit_harden (exp: 2)                        [ UNTERSCHIEDLICH ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)             [ OK ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)                  [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)                   [ UNTERSCHIEDLICH ]
    - net.ipv4.conf.all.log_martians (exp: 1)                 [ UNTERSCHIEDLICH ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)                [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)                    [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)                    [ UNTERSCHIEDLICH ]
    - net.ipv4.conf.all.send_redirects (exp: 0)               [ UNTERSCHIEDLICH ]
    - net.ipv4.conf.default.accept_redirects (exp: 0)         [ UNTERSCHIEDLICH ]
    - net.ipv4.conf.default.accept_source_route (exp: 0)      [ UNTERSCHIEDLICH ]
    - net.ipv4.conf.default.log_martians (exp: 1)             [ UNTERSCHIEDLICH ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)           [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)     [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)                        [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0 1)                      [ OK ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)             [ UNTERSCHIEDLICH ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0)         [ UNTERSCHIEDLICH ]
    - net.ipv6.conf.default.accept_source_route (exp: 0)      [ OK ]

[+] Härtung
------------------------------------
  - Installed compiler(s)                                     [ GEFUNDEN ]
  - Installed malware scanner                                 [ GEFUNDEN ]
  - Non-native binary formats                                 [ GEFUNDEN ]

[+] Benutzerdefinierte Tests
------------------------------------
  - Running custom tests...                                   [ NICHTS ]

[+] Plugins (Phase 2)
------------------------------------

================================================================================

  -[ Lynis 3.0.8 Results ]-

  Warnings (1):
  ----------------------------
  ! Found one or more vulnerable packages. [PKGS-7392]
      https://cisofy.com/lynis/controls/PKGS-7392/

  Suggestions (54):
  ----------------------------
  * This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [LYNIS]
      https://cisofy.com/lynis/controls/LYNIS/

  * Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [DEB-0280]
      https://cisofy.com/lynis/controls/DEB-0280/

  * Install apt-listbugs to display a list of critical bugs prior to each APT installation. [DEB-0810]
      https://cisofy.com/lynis/controls/DEB-0810/

  * Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [DEB-0831]
      https://cisofy.com/lynis/controls/DEB-0831/

  * Install fail2ban to automatically ban hosts that commit multiple authentication errors. [DEB-0880]
      https://cisofy.com/lynis/controls/DEB-0880/

  * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
      https://cisofy.com/lynis/controls/BOOT-5122/

  * Consider hardening system services [BOOT-5264]
    - Details  : Run '/usr/bin/systemd-analyze security SERVICE' for each service
      https://cisofy.com/lynis/controls/BOOT-5264/

  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
      https://cisofy.com/lynis/controls/KRNL-5820/

  * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]
      https://cisofy.com/lynis/controls/AUTH-9229/

  * Configure password hashing rounds in /etc/login.defs [AUTH-9230]
      https://cisofy.com/lynis/controls/AUTH-9230/

  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]
      https://cisofy.com/lynis/controls/AUTH-9262/

  * When possible set expire dates for all password protected accounts [AUTH-9282]
      https://cisofy.com/lynis/controls/AUTH-9282/

  * Configure minimum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
      https://cisofy.com/lynis/controls/AUTH-9328/

  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /tmp file system, place /tmp on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000]
      https://cisofy.com/lynis/controls/USB-1000/

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
      https://cisofy.com/lynis/controls/STRG-1846/

  * Purge old/removed packages (1 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [PKGS-7346]
      https://cisofy.com/lynis/controls/PKGS-7346/

  * Install debsums utility for the verification of packages with known good database. [PKGS-7370]
      https://cisofy.com/lynis/controls/PKGS-7370/

  * Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392]
      https://cisofy.com/lynis/controls/PKGS-7392/

  * Install package apt-show-versions for patch management purposes [PKGS-7394]
      https://cisofy.com/lynis/controls/PKGS-7394/

  * Consider using a tool to automatically apply upgrades [PKGS-7420]
      https://cisofy.com/lynis/controls/PKGS-7420/

  * Determine if protocol 'dccp' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'sctp' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'rds' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'tipc' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Check iptables rules to see which rules are currently not used [FIRE-4513]
      https://cisofy.com/lynis/controls/FIRE-4513/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : AllowTcpForwarding (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : ClientAliveCountMax (set 3 to 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : Compression (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : LogLevel (set INFO to VERBOSE)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : MaxAuthTries (set 6 to 3)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : MaxSessions (set 10 to 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : Port (set 22 to )
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : TCPKeepAlive (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : X11Forwarding (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : AllowAgentForwarding (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
      https://cisofy.com/lynis/controls/LOGG-2154/

  * Check what deleted files are still in use and why. [LOGG-2190]
      https://cisofy.com/lynis/controls/LOGG-2190/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
      https://cisofy.com/lynis/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
      https://cisofy.com/lynis/controls/BANN-7130/

  * Enable process accounting [ACCT-9622]
      https://cisofy.com/lynis/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626]
      https://cisofy.com/lynis/controls/ACCT-9626/

  * Enable auditd to collect audit information [ACCT-9628]
      https://cisofy.com/lynis/controls/ACCT-9628/

  * Check ntpq peers output for unreliable ntp peers and correct/replace them [TIME-3120]
      https://cisofy.com/lynis/controls/TIME-3120/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
      https://cisofy.com/lynis/controls/FINT-4350/

  * Confirm that freshclam is properly configured and keeps updating the ClamAV database [MALW-3286]
      https://cisofy.com/lynis/controls/MALW-3286/

  * Consider restricting file permissions [FILE-7524]
    - Details  : See screen output or log file
    - Solution : Use chmod to change file permissions
      https://cisofy.com/lynis/controls/FILE-7524/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
      https://cisofy.com/lynis/controls/KRNL-6000/

  * Harden compilers like restricting access to root user only [HRDN-7222]
      https://cisofy.com/lynis/controls/HRDN-7222/

  Follow-up:
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

  Lynis security scan details:

  Hardening index : 61 [############        ]
  Tests performed : 264
  Plugins enabled : 1

  Components:
  - Firewall               [V]
  - Malware scanner        [V]

  Scan mode:
  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

  Abweichungen gefunden
  Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden!

  Was zu tun ist:
  Sie können durch Übermittlung Ihrer Logdatei helfen (/var/log/lynis.log).
  Go to https://cisofy.com/contact/ and send your file to the e-mail address listed

================================================================================

  Lynis 3.0.8
  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2021, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
```
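The screen output above is long, and the same information is written in machine-readable form to /var/log/lynis-report.dat (listed under "Files" in the run). The following shell helpers are an example added here, not code from the original page or from the Lynis project: they filter and count the findings in that file and compare two reports, for instance before and after a round of hardening, so you can verify which test IDs were actually closed instead of re-reading the whole output. They assume the report format described in the comments (one key=value per line, findings as `warning[]=` and `suggestion[]=` entries with pipe-separated fields); the two embedded sample reports are constructed for the example and modelled on the findings shown above, they are not real Lynis output.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Lynis project.
# Helpers for the machine-readable report Lynis writes to
# /var/log/lynis-report.dat, so findings can be filtered, counted and
# compared between runs instead of scrolling through the screen output.
# Assumed report format (one key=value per line):
#   hardening_index=61
#   warning[]=TEST-ID|text|details|solution|
#   suggestion[]=TEST-ID|text|details|solution|
# Fields are split on "|"; a details field containing "|" would need a
# smarter parser than this.

# lynis_value FILE KEY: prints the value of a scalar key such as hardening_index.
lynis_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# lynis_findings FILE KIND: KIND is "warning" or "suggestion"; prints
# "TEST-ID<TAB>text<TAB>details" per finding.
lynis_findings() {
    sed -n "s/^$2\[\]=//p" "$1" | awk -F'|' 'BEGIN { OFS = "\t" } { print $1, $2, $3 }'
}

# lynis_count_by_test FILE KIND: "<count> <TEST-ID>", most frequent first,
# which shows where one fix closes several findings (SSH-7408 above: 11 lines).
lynis_count_by_test() {
    lynis_findings "$1" "$2" | cut -f1 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# lynis_summary FILE: one line with host, hardening index and finding counts.
lynis_summary() {
    printf 'host=%s index=%s warnings=%s suggestions=%s\n' \
        "$(lynis_value "$1" hostname)" \
        "$(lynis_value "$1" hardening_index)" \
        "$(lynis_findings "$1" warning | grep -c '')" \
        "$(lynis_findings "$1" suggestion | grep -c '')"
}

# lynis_diff OLD NEW: compares two reports (e.g. before and after hardening)
# on TEST-ID plus details. Prints "fixed<TAB>..." for findings that
# disappeared and "new<TAB>..." for findings that appeared.
lynis_diff() {
    old_tmp=$(mktemp); new_tmp=$(mktemp)
    { lynis_findings "$1" warning; lynis_findings "$1" suggestion; } | cut -f1,3 | sort -u > "$old_tmp"
    { lynis_findings "$2" warning; lynis_findings "$2" suggestion; } | cut -f1,3 | sort -u > "$new_tmp"
    comm -23 "$old_tmp" "$new_tmp" | awk '{ print "fixed\t" $0 }'
    comm -13 "$old_tmp" "$new_tmp" | awk '{ print "new\t" $0 }'
    rm -f "$old_tmp" "$new_tmp"
}

# Constructed sample reports (not real Lynis output), modelled on the findings
# in the audit above: "before" is the unhardened state, "after" a state once
# fail2ban is installed, the vulnerable packages are upgraded and three SSH
# options are fixed (the index of 72 is made up for the example).
lynis_sample_before() {
    cat <<'EOF'
lynis_version=3.0.8
hostname=testserver
hardening_index=61
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=DEB-0880|Install fail2ban to automatically ban hosts that commit multiple authentication errors.|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (set YES to NO)|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked|-|Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)|
EOF
}

lynis_sample_after() {
    cat <<'EOF'
lynis_version=3.0.8
hostname=testserver
hardening_index=72
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|ClientAliveCountMax (set 3 to 2)|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked|-|Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)|
EOF
}

# On a real host:
#   lynis_summary /var/log/lynis-report.dat
#   lynis_count_by_test /var/log/lynis-report.dat suggestion
#   cp /var/log/lynis-report.dat report-before.dat   # then harden, re-run lynis
#   lynis_diff report-before.dat /var/log/lynis-report.dat
```

The diff keys on test ID plus the details field, because a single test ID such as SSH-7408 covers many separate findings; keying on the ID alone would report SSH as "fixed" while eight options are still open.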
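The eleven SSH-7408 suggestions are the most concrete findings in the run, since Lynis names the current and the target value for each option. The script below is an example added here, not code from the original page or from the Lynis project: it checks the effective sshd configuration (the output of `sshd -T`, which lists every option including defaults that are not written in sshd_config) against those target values and renders a drop-in file for /etc/ssh/sshd_config.d/. It assumes `sshd -T` prints one lowercase `option value` per line and that, as on Debian 12, sshd_config includes /etc/ssh/sshd_config.d/*.conf so the drop-in takes precedence; the file name 50-lynis-hardening.conf is made up. The sample `sshd -T` output in the usage below is constructed.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Lynis project.
# Checks the effective sshd configuration against the SSH-7408 target values
# from the audit above and renders a hardening drop-in.
# Assumptions: "sshd -T" output is available (lowercase option names, one
# "option value" per line); Debian 12's sshd_config includes
# /etc/ssh/sshd_config.d/*.conf, so a drop-in there takes precedence.

# Target values, taken from the SSH-7408 suggestions in the audit output.
# PermitRootLogin: Lynis accepts several values; "no" is the strictest and
# is used here. The "Port" suggestion (any port other than 22) is left out:
# it adds no real protection and breaks clients that expect 22.
ssh_expected() {
    cat <<'EOF'
AllowTcpForwarding no
ClientAliveCountMax 2
Compression no
LogLevel VERBOSE
MaxAuthTries 3
MaxSessions 2
PermitRootLogin no
TCPKeepAlive no
X11Forwarding no
AllowAgentForwarding no
EOF
}

# ssh_check: reads "sshd -T" style lines on stdin and prints one line
# "<option> <current> -> <expected>" per option that deviates. Options that
# the input did not mention at all are listed as "(not reported)".
# Comparison is case-insensitive; sshd -T prints option names in lowercase.
ssh_check() {
    { ssh_expected | sed 's/^/expected /'; cat; } | awk '
        $1 == "expected" { want[tolower($2)] = tolower($3); next }
        {
            key = tolower($1); val = tolower($2)
            if (key in want) {
                seen[key] = 1
                if (val != want[key]) printf "%s %s -> %s\n", key, val, want[key]
            }
        }
        END {
            for (k in want) if (!(k in seen)) printf "%s (not reported) -> %s\n", k, want[k]
        }'
}

# ssh_render_dropin: prints the content of the drop-in file
# /etc/ssh/sshd_config.d/50-lynis-hardening.conf (file name chosen for this example).
ssh_render_dropin() {
    printf '# Generated from the Lynis SSH-7408 suggestions; validate with "sshd -t".\n'
    ssh_expected
}

# Typical use on the audited host (run as root):
#   sshd -T | ssh_check                                   # what still deviates?
#   ssh_render_dropin > /etc/ssh/sshd_config.d/50-lynis-hardening.conf
#   sshd -t && systemctl reload ssh                       # reload only if the config parses
# Before PermitRootLogin no: make sure a non-root account with sudo and a
# working key exists, and keep the current session open while testing.
# AllowTcpForwarding no and AllowAgentForwarding no break port forwarding
# and agent forwarding for everyone; exempt specific users with a Match block
# if they need it.
```

Checking `sshd -T` rather than grepping sshd_config matters for the options Lynis flagged on this server: Debian writes `X11Forwarding yes` explicitly, but `AllowTcpForwarding`, `TCPKeepAlive` and `Compression` are usually absent from the file and only visible in the effective configuration.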