...
- The Lynis Program Update test MUST pass with no errors.
The following list of tests MUST complete as passing as described below.
In the lynis.log outputfile each test suite has one or more individual tests. The beginning and ending of a test suite is marked with "====". For example, the 'ID BOOT-5122' test suite should display:
020-04-08 15:36:28 ====
2020-04-08 15:36:28 Performing test ID BOOT-5122 (Check for GRUB boot password)
...
2020-04-08 15:36:29 Hardening: assigned maximum number of hardening points for this item (3).
2020-04-08 15:36:29 ===
If any tests in the test suit failed, there would be the following:
2020-04-08 15:36:29 Suggestion: <Description of failed test>
Also, the 'Hardening' line show above would not say 'assigned maximum number of hardening points', instead it would say 'assigned partial number of hardening points'.
| 2 | Performing test ID BOOT-5122 (Check for GRUB boot password) | | Test: Checking PASS_MAX_DAYS option in /etc/login.defs |
3| 2 | Performing test ID AUTH-9328 (Default umask values) |
4| 3 | Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) |
5| 4 | Test: checking for file /etc/network/if-up.d/ntpdate |
6| 5 | Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required |
6a| 5a | sysctl key fs.suid_dumpable contains equal expected and current value (0) |
6b| 5b | sysctl key kernel.dmesg_restrict contains equal expected and current value (1) |
6c| 5c | sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0) |
7| 6 | Test: Check if one or more compilers can be found on the system |
The lynis.log output file and exception requests for any of the items listed above that cannot be fixed must be sent to the security sub-committee.
...