Lynis Check Log

Lynis CheckSystem Tools

Check System executable program environment variable path

Boot and Services

GRUB2 menu entry into single user mode already set password

The other is to check the start of the service, is currently running 24 services, boot start is 21 services
* Service Script directory:/lib/systemd/system/
* Service file permissions: 0644

Kernel

RunLevel, mounted modules, kernel configuration, and core dumps

1. Check Run level RUNLEVEL 5
2. Check the kernel version type and the number of modules loaded
3. Check the kernel config file, default I/O kernel scheduler,
4. Core dumps configuration, not enabled by default,
5. Setuid core dumps configured as default
6. Check if a restart is required

Kernel Hardening

• Comparing Sysctl key pairs with the scan profile, followed by the recommended values for Lynis, for example (exp:1)

    -Kernel.core_uses_pid (exp:1) per message queue size (in bytes) limit-Kernel.ctrl-alt-de                                   L (exp:0) whether to capture Ctrl+alt+delete key combination signal, 0, capture, 1, not capture-KERNEL.SYSRQ (exp:0)         Whether to turn on the SysRq feature, 0, disable, 1, enable-net.ipv4.conf.all.accept_redirects (exp:0) ICMP receive redirect message (global setting)    0, ignore, 1, forward-net.ipv4.conf.all.accept_source_route (exp:0) Accept all Source address packets (Global Settings) 0, discard, 1, forward                   -Net.ipv4.conf.all.bootp_relay (exp:0)-net.ipv4.conf.all.forwarding (exp:0) Configure the behavior of the host network interface, 0 prohibit forwarding, 1, allow forwarding-Net.ipv4.conf.all.log_martians (exp:1) IP packets that will contain illegal address information                                  Log to kernel log (global setting) 0 off, 1 on-net.ipv4.conf.all.mc_forwarding (exp:0) Multicast routing 0 off, 1 open-net.ipv4.conf.all.proxy_arp (exp:0) ARP proxy 0 off, 1 Open-net.ipv4.conf.alL.rp_filter (exp:1) Reverse path Filtering (Reverse path Filtering) 0 off, 1 Strict mode, 2 Loose mode-net.ipv4.co Nf.all.send_redirects (exp:0) ICMP send redirect message 0 off, 1 open-net.ipv4.conf.default.acce Pt_redirects (exp:0) ICMP receive redirect message (default setting) 0 ignored, 1 forwarding-net.ipv4.conf.default.accept_source_route ( exp:0) accepts all source address packets (default setting) 0 drops, 1 forwards-Net.ipv4.conf.default.log_martians (exp:1) will contain illegal              IP packet to the kernel log (default setting) 0 off, 1 on-net.ipv4.icmp_echo_ignore_broadcasts (exp:1) set whether to respond to ICMP Echo request broadcast,    0 responses, 1 Ignore-net.ipv4.icmp_ignore_bogus_error_responses (exp:1) ignores ICMP error 0 responses generated by hosts in the network claiming that the response address is broadcast address, 1 ignored  -Net.ipv4.tcp_syncookies (exp:1) indicates that SYN cookies are turned on, cookies are enabled when a SYN wait queue overflows, protection against a small number of SYN attacks, 0 off, 1 Enable-Net.ipv4.tcp_timestamps (exp:0) turn on timestamps to protect against those forged sequence numbers 0 off Closed, 1 Open the following is for IPv6, and IPv4Same parameter Function-net.ipv6.conf.all.accept_redirects (exp:0)-Net.ipv6.conf.all.accept_source_route (exp : 0)-net.ipv6.conf.default.accept_redirects (exp:0)-net.ipv6.conf.default.accept_source_rout       E (exp:0)

• Reference documents

1. Mans proc
2. Network part Https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

Memory and processes

Check the zombie process and the input/output wait process,ps -aux

1. /proc/memento
2. Dead/zombie processes
3. IO Waiting processes

Users, Groups and authentication

User group number, sudoers file, pluggable authentication module (PAM) configuration, password aging, and default mask

1. To check the uniqueness of UID ID groupname
2. Check the consistency of the group files and password file files (TODO)
3. Check the naming service:

• Web Information Service (Network Information Service, NIS)
• Lightweight Directory Access Protocol (Lightweight directory, Access Protocol,ldap)

1. Check sudo configuration and its permissions,/etc/sudoers default permissions 0440
2. Pam Authentication profile Check, password strength configuration check
3. Check whether the LDAP module in PAM is configured, and its LDAP authentication support
4. Check the expiration date of the account, the configuration of the password is empty
5. Default Umask (TODO)
   /etc/profile 755
   /etc/login.defs 644
   /ETC/INIT.D/RC 644

Shells

1. /etc/shells View the number of shells that exist on the current system
2. Testing for Shellshock Vulnerabilities

File Systems

mount point, temp file, and root file system

1. Check/home/tmp mount point
2. Check for UNIX File system Ffs/ufs (BSD system)
3. Check swap partition, test swap partition status
4. Check the/tmp old files and sticky bit, correct permissions (1777)
5. Check if the root partition is turned on ACL support is on (TODO)
6. Check Locate database (TODO)
7. Check if there is an encrypted file system no

Storage

Check for USB storage (Usb-storage) and FireWire Open Host Controller interface (FireWire OHCI) not DISABLED

Related configuration Files

• /lib/modprobe.d/aliases.conf
• /etc/modprobe.d/*

Nfs

1. Query for RPC programs (remote Procedure call, remoting procedure calls)
2. Querying NFS versions, protocols, services

Software:name Services

1. Check the default DNS search domain
2. Check Search Domains
3. Check if the/etc/resolv.conf has options configuration items
4. Check DNS domain name
5. Check Nscd,bind,powerdns,ypbind running Status
6. Check/etc/hosts

• Duplicates
• Hostname
• localhost

Ports and Packages

• Package Management Kit: Dpkg Apt-get
• Check the configuration file and whether there is an installation update warehouse: Related configuration/etc/apt/sources.list.d/*
• The database integrity and consistency check for the package management suite is for package dependencies, not package file contents, related commandsdpkg -C
• Check the vulnerable packages (not quite understand the meaning)

Networking

Name servers, promiscuous interfaces, and connection states

• Check if configuration nameservers recommends at least two available nameserver
• Check to see if there is a default gateway,
• Check listening ports (TCP/UDP) found 22, through the following command can query
  

  
  netstat -tlnp  

• Check if the NIC supports promiscuous operation mode (promiscuous operation mode)
  

  
  ifconfig [interface] promiscifconfig [interface] -promisc

• Check current connection status, execute command viewnetstat -nat
• Check the DHCP client program running status

Printers and spools

Print Service is not installed by default

• Cups daemon
• LP Daemon

Software:e-mail and Messaging

Check the operating status of the Exim Postfix Qmail Sendmail in the system

Software:firewalls

• Check iptables running Status
• Check PF Firewall (UNIX BSD system firewall)
• Check that the host based firewall configuration is turned on

SSH Support

• Check SSH run status, configure
• Check Security Configuration items,

1. Permitrootlogin set root telnet policy, default is Without-password
2. Strictmodes set whether SSH checks the permissions and ownership of the user home directory and the rhosts file before receiving the logon request
3. Allowusers User Whitelist
4. Allowgroups User Group White list
5. Protocol Supported protocol versions

Logging and files

• Check Log service running status, current system is rsyslog,
• Other similar software syslog-ng,rfc 3195,MINILOGD
• Logrotate process is running, log file management tool for truncation (or round robin), compression, deletion of old log files, backup history log files, etc.
• Check if you are using a file that has been deleted (deleted files in use)
• Log directories (static list) (TODO)
• Open log files (TODO)

Insecure Services

• inetd Daemon is turned on (default off)

Banners and identification

• Check/etc/motd/etc/issue/etc/issue.net

Scheduled Tasks

1. Check crontab ATD Service running status
2. Check scheduled task run status

Accounting

1. Checking account information
2. Sysstat accounting data is not turned on by default
3. AUDITD check rules, configuration files, log files

Time and synchronization

1. Check whether the NTP service or the client exists
2. Check if NTP client is in/etc/anacrontab,/etc/crontab or CRON.D files

Cryptography

1. Check if the SSL certificate is out of date

VirtualizationSecurity Frameworks

1. Check if apparmor,selinux,grsecurity is turned on or supported

Software:file Integrity

Check if the following file Integrity Check tool exists

Afick,aide,osiris,samhain,tripwire,syscheck,mtree

Software:system Tooling

Saltstack,puppet,cfengine,chef,func,fabric

File Permissions

• Check/etc/lilo.conf and $HOME/.ssh

Home Directories

• Check History files

Hardening

1. Check for the presence of a compiler
2. Check for the presence of malware scanning tools

Check for the presence of the following software or services

• Apache
• Nginx
• Php
• Mysql
• PostgreSQL
• Oracle
• Squid
• OpenLDAP Running Instances
• SNMP Service

Lynis Check Log