...

The Lynis Program Update test MUST pass with no errors.
2022-03-04 15:33:28 Test: Checking for program update...
2022-03-04 15:33:31 Current installed version : 301
2022-03-04 15:33:31 Latest stable version : 307
2022-03-04 15:33:31 Minimum required version : 297
2022-03-04 15:33:31 Result: newer Lynis release available!
2022-03-04 15:33:31 Suggestion: Version of Lynis outdated, consider upgrading to the latest version

2022-09-14 16:19:49 Test: Checking for program update...
2022-09-14 16:19:49 Result: Update check failed. No network connection?
2022-09-14 16:19:49 Info: to perform an automatic update check, outbound DNS connections should be allowed (TXT record).
2022-09-14 16:19:49 Suggestion: This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [test:LYNIS] [details:-] [solution:-]

TODO Fix: Download and run the latest Lynis directly on SUT. See the link below:

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing
No. | Test | Result | Fix
1

Test: Checking PASS_MAX_DAYS option in /etc/login.defs

Result: password minimum age is not configured

Suggestion: Configure minimum password age option in /etc/login.defs [test:AUTH-9286]

2022-09-14 16:20:32 Result: password aging limits are not configured

TODO: Set PASS_MAX_DAYS 180 in /etc/login.defs and rerun.
2

Performing test ID AUTH-9328 (Default umask values)

2022-09-14 16:20:32 Result: found umask 022, which could be improved

Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]

TODO: Set UMASK 027 in /etc/login.defs
3

Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)

2022-09-14 16:20:44 Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.

Hardening: assigned partial number of hardening points (0 of 1).

TODO: Configure AllowUsers in /etc/ssh/sshd_config (allow only the admin account).
4

Test: checking for file /etc/network/if-up.d/ntpdate

Test: checking for file /etc/network/if-up.d/ntpdate

2022-09-14 16:20:46 Result: file /etc/network/if-up.d/ntpdate does not exist

...

2022-09-14 16:20:46 Result: Found a time syncing daemon/client.
2022-09-14 16:20:46 Hardening: assigned maximum number of hardening points for this item (3).

OK
5

Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): Following sub-tests required

N/A

N/A
5a

sysctl key fs.suid_dumpable contains equal expected and current value (0)

2022-09-14 16:20:58 Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2

Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)

OK

Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf and disable apport in /etc/default/apport

5b

sysctl key kernel.dmesg_restrict contains equal expected and current value (1)

2022-09-14 16:20:58 Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0

TODO: Set the recommended value by adding kernel.dmesg_restrict=1 to /etc/sysctl.d/90-lynis-hardening.conf
5c

sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)

2022-09-14 16:20:58 Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1

TODO: Set the recommended value by adding net.ipv4.conf.default.accept_source_route=0 to /etc/sysctl.d/90-lynis-hardening.conf
6

Test: Check if one or more compilers can be found on the system

2022-09-14 16:20:59 Result: found installed compiler. See top of logfile which compilers have been found or use /usr/bin/grep to filter on 'compiler'

Hardening: assigned partial number of hardening points (1 of 3).

TODO: Uninstall gcc and remove /usr/bin/as (installed with binutils)
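
The configuration fixes in rows 1, 2, 3 and 5a-5c can be re-checked before rerunning Lynis. The script below is an added example, not part of the original page or of Lynis; the function names and the sample tree are constructed for illustration, and it checks for exactly the values the fixes above state.

```shell
#!/bin/sh
# Added example (not from the original page): audit the values the table's fixes ask for.

# Print the value of the last uncommented "KEY value" line (login.defs, sshd_config).
# Keys are matched case-sensitively, so spell them as on the page.
conf_value() {  # $1 = file, $2 = key
    [ -r "$1" ] || return 0
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Print the value of the last "key = value" line in a sysctl.d drop-in.
sysctl_value() {  # $1 = file, $2 = key
    [ -r "$1" ] || return 0
    awk -F= -v k="$2" '{ key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        if (key == k) v = val } END { if (v != "") print v }' "$1"
}

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# Audit the tree under $1 ("/" for the live system); exit status = number of failed checks.
check_hardening() {
    root=${1%/}; fails=0
    [ "$(conf_value "$root/etc/login.defs" PASS_MAX_DAYS)" = 180 ] || fail "PASS_MAX_DAYS is not 180"
    [ "$(conf_value "$root/etc/login.defs" UMASK)" = 027 ] || fail "UMASK is not 027 (AUTH-9328)"
    [ -n "$(conf_value "$root/etc/ssh/sshd_config" AllowUsers)" ] || fail "AllowUsers not set (SSH-7440)"
    for pair in fs.suid_dumpable=0 kernel.dmesg_restrict=1 \
                net.ipv4.conf.default.accept_source_route=0; do
        got=$(sysctl_value "$root/etc/sysctl.d/90-lynis-hardening.conf" "${pair%%=*}")
        [ "$got" = "${pair#*=}" ] || fail "${pair%%=*} is '${got:-unset}', want ${pair#*=} (KRNL-6000)"
    done
    return "$fails"
}

# Constructed sample tree: umask 022, no PASS_MAX_DAYS, no AllowUsers, two sysctl keys missing.
make_sample() {  # $1 = directory to populate
    mkdir -p "$1/etc/ssh" "$1/etc/sysctl.d"
    printf '# UMASK 027\nUMASK 022\n' > "$1/etc/login.defs"
    printf 'PermitRootLogin no\n' > "$1/etc/ssh/sshd_config"
    printf 'fs.suid_dumpable = 0\n' > "$1/etc/sysctl.d/90-lynis-hardening.conf"
}

tmp=$(mktemp -d); make_sample "$tmp"
check_hardening "$tmp" || echo "failed checks: $?"
rm -rf "$tmp"
```

The sysctl check reads only the drop-in file, so values set there still need to be loaded (for example at next boot) before Lynis reports them as current.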

...