Feature request: Lynis Linux Hardening Report

I’d love to see a configuration management capability and at least reporting using Linux’s Lynis reporting tool for hardening. See Lynis - Security auditing tool for Linux, macOS, and Unix-based systems - CISOfy, whose output could be created and written to a report link that’s included in the links in Nethserver and updated on a daily basis.

2 Likes

Unfortunately I am a new user on the forum and it won’t let me post the script findings for Nethserver, but there are some security improvements that can be made to it. I will post once the forum allows me to post as a normal user.

It’s a nice tool - maybe too strict for Nethserver. Thanks for sharing.
Were you able to create an HTML/PDF report?

To install for testing:

echo "[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2" > /etc/yum.repos.d/lynis.repo

yum -y install lynis
lynis audit system

I got the following suggestions running lynis on a NethServer VM; I didn't see any really bad security issue.
  • If not required, consider explicit disabling of core dump in /etc/security/limits.conf file
  • Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values
  • Configure password hashing rounds in /etc/login.defs
  • When possible set expire dates for all password protected accounts
  • Configure minimum password age in /etc/login.defs
  • Configure maximum password age in /etc/login.defs
  • Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)
  • To decrease the impact of a full /home file system, place /home on a separate partition
  • To decrease the impact of a full /tmp file system, place /tmp on a separate partition
  • To decrease the impact of a full /var file system, place /var on a separate partition
  • Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft
  • Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft
  • Install package ‘yum-utils’ for better consistency checking of the package database
  • Determine if protocol ‘dccp’ is really needed on this system
  • Determine if protocol ‘sctp’ is really needed on this system
  • Determine if protocol ‘rds’ is really needed on this system
  • Determine if protocol ‘tipc’ is really needed on this system
  • You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf)
  • Disable the ‘VRFY’ command
  • Check iptables rules to see which rules are currently not used
  • Install Apache mod_evasive to guard webserver against DoS/brute force attempts
  • Install Apache modsecurity to guard webserver against web application attacks
  • Consider hardening SSH configuration
  • Configure the ‘requirepass’ setting for Redis
  • Use the ‘rename-command CONFIG’ setting for Redis
  • Turn off PHP information exposure
  • Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP
  • Enable logging to an external logging host for archiving purposes and additional protection
  • Check what deleted files are still in use and why.
  • Add a legal banner to /etc/issue, to warn unauthorized users
  • Add legal banner to /etc/issue.net, to warn unauthorized users
  • Enable process accounting
  • Enable sysstat to collect accounting (no results)
  • Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules
  • Install a file integrity tool to monitor changes to critical and sensitive files
  • Consider restricting file permissions
  • One or more sysctl values differ from the scan profile and could be tweaked
  • Harden compilers like restricting access to root user only
  • Harden the system by installing at least one malware scanner, to perform periodic file system scans
2 Likes
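As an added example (not code from this thread, from Lynis or from NethServer) of the daily HTML report the request asks about and the "HTML/PDF report" question above: a POSIX shell script that reads Lynis' machine-readable report file and renders the hardening index, warnings and suggestions as a plain HTML page that a web server can publish. It assumes the layout of /var/log/lynis-report.dat (key=value lines, list entries of the form `suggestion[]=TEST-ID|message|details|solution|`), and the paths /var/www/html/lynis and /etc/cron.daily named in the closing comment are assumptions; the sample report is constructed.

```shell
#!/bin/sh
# Added example: render a Lynis report file as HTML for daily publication.
# Assumed report layout (mirrors /var/log/lynis-report.dat as far as needed):
#   hardening_index=NN
#   warning[]=TEST-ID|message|details|solution|
#   suggestion[]=TEST-ID|message|details|solution|
# Only the first two fields (test id and message) of each entry are rendered.

# Constructed sample report, standing in for /var/log/lynis-report.dat.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
report_version_major=1
hostname=nethserver.example.lan
hardening_index=62
warning[]=AUTH-9228|Couldn't find 2 responsive nameservers|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|-|-|
suggestion[]=FINT-4350|Install a file integrity tool to monitor changes to critical and sensitive files|-|-|
EOF

# Escape the characters that matter inside HTML text nodes (& first).
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Number of entries for a list key (warning or suggestion); prints 0 when none.
lynis_count() {   # $1 = report file, $2 = key
    grep -c "^$2\[\]=" "$1" || true
}

# The hardening index line, or an empty string when the report lacks it.
lynis_index() {   # $1 = report file
    sed -n 's/^hardening_index=//p' "$1" | head -n 1
}

# One list section as an HTML <ul>, each entry as "TEST-ID: message".
render_section() {  # $1 = report file, $2 = key, $3 = heading
    printf '<h2>%s</h2>\n<ul>\n' "$3"
    grep "^$2\[\]=" "$1" | sed "s/^$2\[\]=//" \
        | awk -F'|' '{ printf "%s: %s\n", $1, $2 }' \
        | html_escape | sed 's/^/<li>/; s/$/<\/li>/'
    printf '</ul>\n'
}

# The complete HTML page for a report file, written to stdout.
lynis_report_to_html() {  # $1 = report file
    printf '<!DOCTYPE html>\n<html><head><meta charset="utf-8"><title>Lynis report</title></head><body>\n'
    printf '<h1>Lynis hardening report</h1>\n'
    printf '<p>Hardening index: %s. Warnings: %s. Suggestions: %s.</p>\n' \
        "$(lynis_index "$1")" "$(lynis_count "$1" warning)" "$(lynis_count "$1" suggestion)"
    render_section "$1" warning "Warnings"
    render_section "$1" suggestion "Suggestions"
    printf '</body></html>\n'
}

# Demonstration on the constructed sample.
lynis_report_to_html "$SAMPLE_REPORT"

# Daily job shape (assumed paths, run as root), e.g. in /etc/cron.daily/lynis-report:
#   lynis audit system --cronjob
#   lynis_report_to_html /var/log/lynis-report.dat > /var/www/html/lynis/index.html
```

The page is static and contains no script, so serving it from an authenticated area of the web server is enough; the report lists weaknesses of the host, so it should not be world-readable.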