Performing test ID BOOT-5122 (Check for GRUB boot password): FAILED 2022-05-17 10:21:58 Result: file is owned by our current user ID (0), checking if it is readable 2022-05-17 10:21:58 Result: file /etc/grub.d/05_debian_theme is readable (or directory accessible). 2022-05-17 10:21:58 Result: did not find hashed password line in this file 2022-05-17 10:21:58 Result: Didn't find hashed password line in GRUB configuration 2022-05-17 10:21:58 Suggestion: Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [test:BOOT-5122] [details:-] [solution:-]
Test: Checking presence /var/run/reboot-required.pkgs: FAILED 2022-05-17 10:22:02 Result: file /var/run/reboot-required.pkgs exists 2022-05-17 10:22:02 Result: reboot is needed, related to 4 packages 2022-05-17 10:22:02 Package: 4 2022-05-17 10:22:02 Result: /boot exists, performing more tests from here 2022-05-17 10:22:02 Result: found /boot/vmlinuz 2022-05-17 10:22:02 Result: found a symlink, retrieving destination 2022-05-17 10:22:02 Result: destination file is vmlinuz-4.15.0-177-generic 2022-05-17 10:22:02 Result: version derived from file name is '4.15.0-177-generic' 2022-05-17 10:22:02 Result: found version 4.15.0-177-generic 2022-05-17 10:22:02 Result: active kernel version 4.15.0-166-generic 2022-05-17 10:22:02 Result: reboot needed, as there is a difference between active kernel and the one on disk 2022-05-17 10:22:02 Result: /var/cache/apt/archives/ does not exist 2022-05-17 10:22:02 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
Performing test ID AUTH-9229 (Check password hashing methods): FAILED 2022-05-17 10:22:02 Result: poor password hashing methods found: sha256crypt/sha512crypt(default<=5000rounds) 2022-05-17 10:22:02 Suggestion: Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [test:AUTH-9229] [details:-] [solution:-]
Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs: FAILED 2022-05-17 10:22:02 Result: low number of maximum encryption algorithm rounds found: 5000
Performing test ID USB-2000 (Check USB authorizations): FAILED 2022-05-17 10:22:04 Result: Some USB devices are authorized by default (or temporary) to connect to the system
Performing test ID USB-3000 (Check for presence of USBGuard): FAILED 2022-05-17 10:22:04 Result: USBGuard not found
Performing test ID SSH-7408 (Check SSH specific defined options): FAILED 2022-05-17 10:22:39 Result: Option AllowTcpForwarding found 2022-05-17 10:22:39 Result: Option AllowTcpForwarding value is YES 2022-05-17 10:22:39 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed 2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-] 2022-05-17 10:22:39 Result: Option MaxSessions found 2022-05-17 10:22:39 Result: Option MaxSessions value is 4 2022-05-17 10:22:39 Result: OpenSSH option MaxSessions is configured reasonably 2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (set 4 to 2)] [solution:-] 2022-05-17 10:22:39 Result: Option PermitRootLogin found 2022-05-17 10:22:39 Result: Option PermitRootLogin value is YES 2022-05-17 10:22:39 Result: OpenSSH option PermitRootLogin is in a weak configuration state and should be fixed 2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))] [solution:-] 2022-05-17 10:22:39 Result: Option Port found 2022-05-17 10:22:39 Result: Option Port value is 22 2022-05-17 10:22:39 Result: OpenSSH option Port is in a weak configuration state and should be fixed 2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:Port (set 22 to )] [solution:-] 2022-05-17 10:22:40 Result: Option X11Forwarding found 2022-05-17 10:22:40 Result: Option X11Forwarding value is YES 2022-05-17 10:22:40 Result: OpenSSH option X11Forwarding is in a weak configuration state and should be fixed 2022-05-17 10:22:40 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:X11Forwarding (set YES to NO)] [solution:-]
Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): FAILED 2022-05-17 10:23:32 Result: key hw.kbd.keymap_restrict_change does not exist on this machine 2022-05-17 10:23:32 Result: key kern.sugid_coredump does not exist on this machine 2022-05-17 10:23:32 Result: key kernel.core_setuid_ok does not exist on this machine 2022-05-17 10:23:32 Result: sysctl key kernel.core_uses_pid has a different value than expected in scan profile. Expected=1, Real=0 2022-05-17 10:23:32 Result: key kernel.exec-shield-randomize does not exist on this machine 2022-05-17 10:23:32 Result: key kernel.exec-shield does not exist on this machine 2022-05-17 10:23:32 Result: sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=1 2022-05-17 10:23:32 Result: key kernel.suid_dumpable does not exist on this machine 2022-05-17 10:23:32 Result: sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=176 2022-05-17 10:23:32 Result: sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1 2022-05-17 10:23:32 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0 2022-05-17 10:23:32 Result: sysctl key net.ipv4.conf.all.send_redirects has a different value than expected in scan profile. Expected=0, Real=1 2022-05-17 10:23:33 Result: sysctl key net.ipv4.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1 2022-05-17 10:23:33 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0 2022-05-17 10:23:33 Result: sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1 2022-05-17 10:23:33 Result: key net.ipv6.conf.all.send_redirects does not exist on this machine 2022-05-17 10:23:33 Result: sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs: NOT PRESENT IN THIS LOG
Performing test ID USB-3000 (Check for presence of USBGuard): FAILED 2022-06-23 07:10:51 Checking USBGuard rule for controllers connected before daemon starts (PresentControllerPolicy) 2022-06-23 07:10:51 Result: PresentControllerPolicy = keep 2022-06-23 07:10:51 Consider changing PresentControllerPolicy to "apply-policy", "block" or "reject"