Lynis Check: System Tools
Checks the executable search path (the PATH environment variable)
Boot and Services
GRUB2: a password is already set for the single-user-mode menu entry
Service startup is also checked: 24 services are currently running and 21 are started at boot
* Service script directory: /lib/systemd/system/
* Service file permissions: 0644
Kernel
Run level, loaded modules, kernel configuration, and core dumps
- Check the run level: RUNLEVEL 5
- Check the kernel version and type and the number of loaded modules
- Check the kernel config file and the default I/O scheduler
- Core dump configuration: not enabled by default
- Setuid core dumps: configured as default
- Check whether a reboot is required
Kernel Hardening
- Compares sysctl key/value pairs against the scan profile; each key below is followed by the value Lynis expects, written as (exp:N), for example (exp:1)
  - kernel.core_uses_pid (exp:1): per-message-queue size limit (in bytes)
  - kernel.ctrl-alt-del (exp:0): whether the Ctrl+Alt+Delete key combination signal is captured; 0 capture, 1 do not capture
  - kernel.sysrq (exp:0): whether the SysRq feature is enabled; 0 disabled, 1 enabled
  - net.ipv4.conf.all.accept_redirects (exp:0): accept ICMP redirect messages (global setting); 0 ignore, 1 accept
  - net.ipv4.conf.all.accept_source_route (exp:0): accept source-routed packets (global setting); 0 discard, 1 accept
  - net.ipv4.conf.all.bootp_relay (exp:0)
  - net.ipv4.conf.all.forwarding (exp:0): whether the host forwards packets between its network interfaces; 0 forwarding prohibited, 1 forwarding allowed
  - net.ipv4.conf.all.log_martians (exp:1): log IP packets with impossible (martian) source addresses to the kernel log (global setting); 0 off, 1 on
  - net.ipv4.conf.all.mc_forwarding (exp:0): multicast routing; 0 off, 1 on
  - net.ipv4.conf.all.proxy_arp (exp:0): ARP proxy; 0 off, 1 on
  - net.ipv4.conf.all.rp_filter (exp:1): reverse path filtering; 0 off, 1 strict mode, 2 loose mode
  - net.ipv4.conf.all.send_redirects (exp:0): send ICMP redirect messages; 0 off, 1 on
  - net.ipv4.conf.default.accept_redirects (exp:0): accept ICMP redirect messages (default setting); 0 ignore, 1 accept
  - net.ipv4.conf.default.accept_source_route (exp:0): accept source-routed packets (default setting); 0 discard, 1 accept
  - net.ipv4.conf.default.log_martians (exp:1): log martian packets to the kernel log (default setting); 0 off, 1 on
  - net.ipv4.icmp_echo_ignore_broadcasts (exp:1): whether to answer ICMP echo requests sent to a broadcast address; 0 respond, 1 ignore
  - net.ipv4.icmp_ignore_bogus_error_responses (exp:1): ignore bogus ICMP error responses from hosts that claim the response address is a broadcast address; 0 respond, 1 ignore
  - net.ipv4.tcp_syncookies (exp:1): enable SYN cookies, which take effect when the SYN wait queue overflows and protect against small-scale SYN attacks; 0 off, 1 on
  - net.ipv4.tcp_timestamps (exp:0): enable TCP timestamps, which protect against forged sequence numbers; 0 off, 1 on
  - The following IPv6 keys have the same function as their IPv4 counterparts:
  - net.ipv6.conf.all.accept_redirects (exp:0)
  - net.ipv6.conf.all.accept_source_route (exp:0)
  - net.ipv6.conf.default.accept_redirects (exp:0)
  - net.ipv6.conf.default.accept_source_route (exp:0)
- See man proc
- Network parameters: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
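The same comparison as an added example (not Lynis's own code): the expected values are the ones listed above, `audit_live` assumes a Linux host with `sysctl` in PATH, and `SAMPLE_DUMP` is a constructed fragment of `sysctl -a` output.

```python
# Added example (not Lynis's own code): compare sysctl values with the
# expected values listed above, the way the kernel hardening check does.
import re
import subprocess

# Expected values copied from the list above, several per line; the same
# regex parses this profile and the "key = value" lines of `sysctl -a`.
PROFILE = """
kernel.core_uses_pid=1 kernel.ctrl-alt-del=0 kernel.sysrq=0
net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.bootp_relay=0 net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.log_martians=1 net.ipv4.conf.all.mc_forwarding=0
net.ipv4.conf.all.proxy_arp=0 net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0 net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1 net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1 net.ipv4.tcp_timestamps=0
net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_redirects=0 net.ipv6.conf.default.accept_source_route=0
"""
KV = re.compile(r"([\w.\-/]+)\s*=\s*(\S+)")

def parse_sysctl(text):
    """Map key -> value; for multi-value keys only the first token is kept,
    which is enough for the single-integer keys checked here."""
    return {k: v for line in text.splitlines() for k, v in KV.findall(line)}

def compare(actual, expected=None):
    """Return {key: (actual_or_None, expected)} for every deviating key.
    A key the kernel does not expose (e.g. IPv6 disabled) shows as None."""
    expected = parse_sysctl(PROFILE) if expected is None else expected
    return {k: (actual.get(k), v) for k, v in expected.items() if actual.get(k) != v}

def audit_live():
    """Run `sysctl -a` on this Linux host and compare (needs sysctl in PATH)."""
    out = subprocess.run(["sysctl", "-a"], capture_output=True, text=True).stdout
    return compare(parse_sysctl(out))

# Constructed sample of `sysctl -a` output: sysrq and log_martians deviate,
# and every profile key absent from the sample is reported as missing.
SAMPLE_DUMP = """\
kernel.core_uses_pid = 1
kernel.sysrq = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.tcp_syncookies = 1
kernel.printk = 4\t4\t1\t7
"""
```

Calling `compare(parse_sysctl(SAMPLE_DUMP))` lists the two deviations and the keys the sample lacks; `audit_live()` does the same against the running kernel.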
Memory and processes
Checks for zombie processes and processes waiting on I/O (ps -aux)
- /proc/meminfo
- Dead/zombie processes
- I/O waiting processes
Users, Groups and authentication
Number of users and groups, sudoers file, Pluggable Authentication Module (PAM) configuration, password aging, and default umask
- Check that UIDs, GIDs and group names are unique
- Check consistency between the group file and the password file (TODO)
- Check name services:
  - Network Information Service (NIS)
  - Lightweight Directory Access Protocol (LDAP)
- Check the sudo configuration and its permissions; /etc/sudoers default permissions 0440
- PAM authentication profile check, password strength configuration check
- Check whether the LDAP module in PAM is configured and whether LDAP authentication is supported
- Check account expiration dates and whether any password is empty
- Default umask (TODO)
  /etc/profile 755
  /etc/login.defs 644
  /etc/init.d/rc 644
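The uniqueness, passwd/group consistency, empty-password and expiry checks above, as an added example (not Lynis's own code) run over constructed passwd, group and shadow samples; the `$6$hash` values are placeholders, not real hashes.

```python
# Added example (not Lynis's own code): the UID/GID/group-name uniqueness,
# passwd/group consistency, empty-password and expiry checks listed above.
from collections import Counter

def parse_colon_file(text):
    """Split passwd/group/shadow-style text into per-line field lists."""
    return [line.split(":") for line in text.splitlines() if line.strip()]

def duplicates(values):
    """Values that occur more than once, sorted."""
    return sorted(v for v, n in Counter(values).items() if n > 1)

def audit_accounts(passwd, group, shadow, today_days):
    """today_days: days since the epoch, the unit /etc/shadow uses for expiry."""
    pw, gr, sh = (parse_colon_file(t) for t in (passwd, group, shadow))
    gids = {g[2] for g in gr}
    return {
        "duplicate_uids": duplicates(u[2] for u in pw),
        "duplicate_gids": duplicates(g[2] for g in gr),
        "duplicate_groupnames": duplicates(g[0] for g in gr),
        # passwd/group consistency: every primary GID must exist in group
        "orphan_primary_gid": sorted(u[0] for u in pw if u[3] not in gids),
        # an empty second shadow field means login with no password at all
        "empty_passwords": sorted(s[0] for s in sh if s[1] == ""),
        # shadow field 8 is the account expiry date in days since the epoch
        "expired": sorted(s[0] for s in sh if s[7].isdigit() and int(s[7]) < today_days),
    }

# Constructed sample files ("$6$hash" stands in for a real password hash).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1000:1001::/home/bob:/bin/bash
svc:x:1002:4242::/var/lib/svc:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
alice:x:1000:
bob:x:1001:
backup:x:34:
backup:x:35:
bkp:x:34:
"""
SHADOW = """\
root:$6$hash:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$6$hash:19000:0:99999:7::18000:
svc:*:19000:0:99999:7:::
"""
```

On a real host, pass the contents of /etc/passwd, /etc/group and /etc/shadow (the last readable only as root) and `int(time.time() // 86400)` as `today_days`.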
Shells
- /etc/shells: lists the shells present on the current system
- Test for the Shellshock vulnerability
File Systems
Mount points, temporary files, and the root file system
- Check the /home and /tmp mount points
- Check for UNIX FFS/UFS file systems (BSD systems)
- Check the swap partition and its status
- Check /tmp for old files, the sticky bit and correct permissions (1777)
- Check whether ACL support is enabled on the root partition (TODO)
- Check the locate database (TODO)
- Check whether an encrypted file system is present: none
Storage
Checks whether USB storage (usb-storage) and the FireWire Open Host Controller Interface (FireWire OHCI) are disabled; result: not disabled
Related configuration files:
- /lib/modprobe.d/aliases.conf
- /etc/modprobe.d/*
NFS
- Query RPC (Remote Procedure Call) programs
- Query NFS versions, protocols and services
Software: Name Services
- Check the default DNS search domain
- Check search domains
- Check whether /etc/resolv.conf contains options entries
- Check the DNS domain name
- Check the running status of nscd, BIND, PowerDNS and ypbind
- Check /etc/hosts:
  - duplicates
  - hostname
  - localhost
Ports and Packages
- Package management suite: dpkg, apt-get
- Check the configuration and whether installation/update repositories are defined; related configuration: /etc/apt/sources.list.d/*
- The package database integrity and consistency check covers package dependencies, not package file contents; related command:
  dpkg -C
- Check for vulnerable packages (I do not quite understand the meaning of this one)
Networking
Name servers, promiscuous interfaces, and connection states
Printers and spools
Print service is not installed by default
Software:e-mail and Messaging
Checks the running status of Exim, Postfix, qmail and Sendmail on the system
Software:firewalls
- Check iptables running status
- Check the PF firewall (BSD firewall)
- Check that a host-based firewall is configured and enabled
SSH Support
- Check SSH running status and configuration
- Check security configuration items:
  - PermitRootLogin: sets the root remote-login policy; default is without-password
  - StrictModes: whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request
  - AllowUsers: user whitelist
  - AllowGroups: group whitelist
  - Protocol: supported protocol versions
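The sshd_config items above, as an added example (not Lynis's own code): a parser that follows sshd's first-occurrence-wins rule and stops at Match blocks, run over a constructed weak configuration and a constructed hardened one; the default values are the ones noted above and sshd's own.

```python
# Added example (not Lynis's own code): evaluate the sshd_config items above.
import re

# Defaults applied when a keyword is absent: PermitRootLogin as noted above
# (without-password), StrictModes and Protocol as sshd defaults them.
DEFAULTS = {"permitrootlogin": "without-password", "strictmodes": "yes", "protocol": "2"}

def parse_sshd_config(text):
    """Global keyword -> value, keyword lowercased. Like sshd, the first
    occurrence of a keyword wins, and parsing stops at the first Match block,
    whose settings are conditional and do not describe the global policy."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key val" or "Key=val"
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf

def audit_sshd(conf):
    """Return (keyword, level, message) findings for the items listed above."""
    get = lambda k: conf.get(k, DEFAULTS.get(k, ""))
    findings = []
    if get("permitrootlogin").lower() == "yes":
        findings.append(("PermitRootLogin", "WARNING", "root may log in with a password"))
    if get("strictmodes").lower() != "yes":
        findings.append(("StrictModes", "WARNING", "home directory and rhosts permission checks are off"))
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append(("AllowUsers/AllowGroups", "SUGGESTION", "no user or group whitelist"))
    if "1" in get("protocol").split(","):
        findings.append(("Protocol", "WARNING", "SSH protocol version 1 is enabled"))
    return findings

# Constructed weak sample: the second PermitRootLogin line is ignored because
# the first occurrence wins, and the Match block is not read at all.
WEAK = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
StrictModes = no
Match User backup
    PermitRootLogin no
"""
# Constructed sample with the corrected settings; yields no findings.
HARDENED = "PermitRootLogin without-password\nStrictModes yes\nAllowGroups sshusers\nProtocol 2\n"
```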
Logging and files
- Check the log service running status; the current system uses rsyslog
- Other similar software: syslog-ng, RFC 3195 loggers, minilogd
- Check that the logrotate process is running; logrotate manages log files: truncation (rotation), compression, deletion of old log files, backup of historical log files, etc.
- Check for deleted files that are still in use
- Log directories (static list) (TODO)
- Open log files (TODO)
Insecure Services
- inetd daemon enabled (off by default)
Banners and identification
- Check /etc/motd, /etc/issue and /etc/issue.net
Scheduled Tasks
- Check crontab and the atd service running status
- Check the running status of scheduled tasks
Accounting
- Check accounting information
- sysstat accounting data is not enabled by default
- auditd: check rules, configuration files and log files
Time and synchronization
- Check whether an NTP service or client exists
- Check whether an NTP client is configured in /etc/anacrontab, /etc/crontab or cron.d files
Cryptography
- Check whether SSL certificates have expired
Virtualization
Security Frameworks
- Check whether AppArmor, SELinux or grsecurity is enabled or supported
Software: File Integrity
Check whether any of the following file integrity tools are present:
AFICK, AIDE, Osiris, Samhain, Tripwire, syscheck, mtree
Software: System Tooling
SaltStack, Puppet, CFEngine, Chef, Func, Fabric
File Permissions
- Check /etc/lilo.conf and $HOME/.ssh
Home Directories
Hardening
- Check for the presence of a compiler
- Check for the presence of malware scanning tools
Check for the presence of the following software or services
- Apache
- Nginx
- PHP
- MySQL
- PostgreSQL
- Oracle
- Squid
- OpenLDAP running instances
- SNMP service
Lynis Check Log