Lynis: Performing test ID BOOT-5122 (Check for GRUB boot password): FAILED
2022-04-17 23:44:05 Result: file is owned by our current user ID (0), checking if it is readable
2022-04-17 23:44:05 Result: file /etc/grub.d/05_debian_theme is readable (or directory accessible).
2022-04-17 23:44:05 Result: did not find hashed password line in this file
2022-04-17 23:44:05 Result: Didn't find hashed password line in GRUB configuration
2022-04-17 23:44:05 Suggestion: Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [test:BOOT-5122] [details:-] [solution:-]

Test: Checking presence /var/run/reboot-required.pkgs: FAILED
2022-04-17 23:44:09 Result: file /var/run/reboot-required.pkgs not found
2022-04-17 23:44:09 Result: /boot exists, performing more tests from here
2022-04-17 23:44:09 Result: found /boot/vmlinuz
2022-04-17 23:44:09 Result: found a symlink, retrieving destination
2022-04-17 23:44:09 Result: destination file is vmlinuz-4.15.0-173-generic
2022-04-17 23:44:09 Result: version derived from file name is '4.15.0-173-generic'
2022-04-17 23:44:09 Result: found version 4.15.0-173-generic
2022-04-17 23:44:09 Result: active kernel version 4.15.18
2022-04-17 23:44:09 Result: reboot needed, as there is a difference between active kernel and the one on disk
2022-04-17 23:44:09 Result: /var/cache/apt/archives/ does not exist
2022-04-17 23:44:09 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]

Performing test ID AUTH-9229 (Check password hashing methods): FAILED
2022-04-17 23:44:09 Result: poor password hashing methods found: sha256crypt/sha512crypt(default<=5000rounds)
2022-04-17 23:44:09 Suggestion: Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [test:AUTH-9229] [details:-] [solution:-]

Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs: FAILED
2022-04-17 23:44:09 Result: number of minimum rounds used by the encryption algorithm is not configured
2022-04-17 23:44:09 Suggestion: Configure minimum encryption algorithm rounds in /etc/login.defs [test:AUTH-9230] [details:-] [solution:-]
2022-04-17 23:44:09 Result: number of maximum rounds used by the encryption algorithm is not configured
2022-04-17 23:44:09 Suggestion: Configure maximum encryption algorithm rounds in /etc/login.defs [test:AUTH-9230] [details:-] [solution:-]

Test: Checking PASS_MAX_DAYS option in /etc/login.defs: FAILED
2022-04-17 23:44:10 Result: password aging limits are not configured
2022-04-17 23:44:10 Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]

Performing test ID AUTH-9328 (Default umask values): FAILED
2022-04-17 23:44:10 Result: found umask 022, which could be improved
2022-04-17 23:44:10 Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]

Performing test ID USB-2000 (Check USB authorizations): FAILED
2022-04-17 23:44:11 Result: Some USB devices are authorized by default (or temporary) to connect to the system

Performing test ID USB-3000 (Check for presence of USBGuard): FAILED
2022-04-17 23:44:11 Result: USBGuard not found

Performing test ID PKGS-7370 (Checking for debsums utility): FAILED
2022-04-17 23:44:23 Result: debsums utility is not installed.

Performing test ID SSH-7408 (Check SSH specific defined options): FAILED
2022-04-17 23:44:50 Result: Option AllowTcpForwarding found
2022-04-17 23:44:50 Result: Option AllowTcpForwarding value is YES
2022-04-17 23:44:50 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]
2022-04-17 23:44:50 Result: Option ClientAliveCountMax found
2022-04-17 23:44:50 Result: Option ClientAliveCountMax value is 3
2022-04-17 23:44:50 Result: OpenSSH option ClientAliveCountMax is configured reasonably
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:ClientAliveCountMax (set 3 to 2)] [solution:-]
2022-04-17 23:44:50 Result: Option Compression found
2022-04-17 23:44:50 Result: Option Compression value is YES
2022-04-17 23:44:50 Result: OpenSSH option Compression is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:Compression (set YES to NO)] [solution:-]
2022-04-17 23:44:50 Result: Option LogLevel found
2022-04-17 23:44:50 Result: Option LogLevel value is INFO
2022-04-17 23:44:50 Result: OpenSSH option LogLevel is configured reasonably
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:LogLevel (set INFO to VERBOSE)] [solution:-]
2022-04-17 23:44:50 Result: Option MaxAuthTries found
2022-04-17 23:44:50 Result: Option MaxAuthTries value is 6
2022-04-17 23:44:50 Result: OpenSSH option MaxAuthTries is configured reasonably
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:MaxAuthTries (set 6 to 3)] [solution:-]
2022-04-17 23:44:50 Result: Option MaxSessions found
2022-04-17 23:44:50 Result: Option MaxSessions value is 10
2022-04-17 23:44:50 Result: OpenSSH option MaxSessions is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (set 10 to 2)] [solution:-]
2022-04-17 23:44:50 Result: Option PermitRootLogin found
2022-04-17 23:44:50 Result: Option PermitRootLogin value is YES
2022-04-17 23:44:50 Result: OpenSSH option PermitRootLogin is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))] [solution:-]
2022-04-17 23:44:50 Result: Option Port found
2022-04-17 23:44:50 Result: Option Port value is 22
2022-04-17 23:44:50 Result: OpenSSH option Port is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:Port (set 22 to )] [solution:-]
2022-04-17 23:44:50 Result: Option TCPKeepAlive found
2022-04-17 23:44:50 Result: Option TCPKeepAlive value is YES
2022-04-17 23:44:50 Result: OpenSSH option TCPKeepAlive is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:TCPKeepAlive (set YES to NO)] [solution:-]
2022-04-17 23:44:50 Result: Option X11Forwarding found
2022-04-17 23:44:50 Result: Option X11Forwarding value is YES
2022-04-17 23:44:50 Result: OpenSSH option X11Forwarding is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:X11Forwarding (set YES to NO)] [solution:-]
2022-04-17 23:44:50 Result: Option AllowAgentForwarding found
2022-04-17 23:44:50 Result: Option AllowAgentForwarding value is YES
2022-04-17 23:44:50 Result: OpenSSH option AllowAgentForwarding is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowAgentForwarding (set YES to NO)] [solution:-]

Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): FAILED
2022-04-17 23:45:41 Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
2022-04-17 23:45:41 Result: key hw.kbd.keymap_restrict_change does not exist on this machine
2022-04-17 23:45:41 Result: key kern.sugid_coredump does not exist on this machine
2022-04-17 23:45:41 Result: key kernel.core_setuid_ok does not exist on this machine
2022-04-17 23:45:41 Result: sysctl key kernel.core_uses_pid has a different value than expected in scan profile. Expected=1, Real=0
2022-04-17 23:45:41 Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.all.send_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-04-17 23:45:42 Result: sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-04-17 23:45:42 Result: key net.ipv6.conf.all.send_redirects does not exist on this machine
2022-04-17 23:45:42 Result: sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

Test: Check if one or more compilers can be found on the system: FAILED
2022-04-17 23:45:42 Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler'
2022-04-17 23:37:28 Found known binary: as (compiler) - /usr/bin/as
2022-04-17 23:37:28 Found known binary: cc (compiler) - /usr/bin/cc
2022-04-17 23:37:28 Found known binary: g++ (compiler) - /usr/bin/g++
2022-04-17 23:37:28 Found known binary: gcc (compiler) - /usr/bin/gcc
2022-04-17 23:44:13 Found package: device-tree-compiler (version: 1.4.5-3)
2022-04-17 23:44:21 Found package: protobuf-compiler (version: 3.0.0-9.1ubuntu1)