Closed kristous closed 8 years ago
Why is the text incorrect?
Because it mentions 'harden your SSH'
! Consider hardening SSH configuration [DBS-1816] https://cisofy.com/controls/DBS-1816/
but if I follow the link there is
DBS-1816 - Empty root password for MySQL Description
No password has been set for MySQL 'root' user
Group
Database
How to solve
Define a password, to prevent that unauthorized users can log in as
On 2016-08-12 09:36, Michael Boelen wrote:
Why is the text incorrect?
toscom - the open source company
Christian Rusa Breiteneckergasse 32 1230 Wien Mobil: 0699 10205595 Fax: 01 9249633 www.toscom.at christian.rusa@toscom.at
I see what you mean. Looks like something goes wrong with parsing the log file.
Can you share the output of grep "Suggestion" /var/log/lynis.log
(if you executed Lynis as root). Then we can hunt down the line where things go wrong.
Here it is. BTW the problem DBS-1816 does exist on my system, so it is possible to log in as root to mysql without a password.
2016-08-12 07:07:16 Suggestion: Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [test:BOOT-5122] [details:-] [solution:-]
2016-08-12 07:07:19 Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262] [details:-] [solution:-]
2016-08-12 07:07:19 Suggestion: Configure minimum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
2016-08-12 07:07:19 Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
2016-08-12 07:07:19 Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]
2016-08-12 07:07:19 Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]
2016-08-12 07:07:19 Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310] [details:-] [solution:-]
2016-08-12 07:07:19 Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310] [details:-] [solution:-]
2016-08-12 07:07:19 Suggestion: To decrease the impact of a full /var file system, place /var on a separated partition [test:FILE-6310] [details:-] [solution:-]
2016-08-12 07:07:21 Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840] [details:-] [solution:-]
2016-08-12 07:07:21 Suggestion: Remove duplicate lines in /etc/hosts [test:NAME-4402] [details:-] [solution:-]
2016-08-12 07:07:28 Suggestion: Purge old/removed packages (120 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [test:PKGS-7346] [details:-] [solution:-]
2016-08-12 07:07:37 Suggestion: Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [test:PKGS-7392] [details:-] [solution:-]
2016-08-12 07:07:39 Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705] [details:-] [solution:-]
2016-08-12 07:07:40 Suggestion: Consider running ARP monitoring software (arpwatch) [test:NETW-3032] [details:-] [solution:-]
2016-08-12 07:07:40 Suggestion: Check iptables rules to see which rules are currently not used [test:FIRE-4513] [details:-] [solution:-]
2016-08-12 07:07:41 Suggestion: Install Apache mod_evasive to guard webserver against DoS/brute force attempts [test:HTTP-6640] [details:-] [solution:-]
2016-08-12 07:07:41 Suggestion: Install Apache mod_qos to guard webserver against Slowloris attacks [test:HTTP-6641] [details:-] [solution:-]
2016-08-12 07:07:41 Suggestion: Install Apache modsecurity to guard webserver against web application attacks [test:HTTP-6643] [details:-] [solution:-]
2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (YES --> NO)] [solution:-]
2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:ClientAliveCountMax (3 --> 2)] [solution:-]
2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:Compression (DELAYED --> NO)] [solution:-]
2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:LogLevel (INFO --> VERBOSE)] [solution:-]
2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:MaxAuthTries (6 --> 1)] [solution:-]
2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (10 --> 2)] [solution:-]
2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:PermitRootLogin (WITHOUT-PASSWORD --> NO)] [solution:-]
2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:TCPKeepAlive (YES --> NO)] [solution:-]
2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:UsePrivilegeSeparation (YES --> SANDBOX)] [solution:-]
2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:X11Forwarding (YES --> NO)] [solution:-]
2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowAgentForwarding (YES --> NO)] [solution:-]
2016-08-12 07:07:48 Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]
2016-08-12 07:07:48 Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
2016-08-12 07:07:48 Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130] [details:-] [solution:-]
2016-08-12 07:07:48 Suggestion: Enable process accounting [test:ACCT-9622] [details:-] [solution:-]
2016-08-12 07:07:48 Suggestion: Enable sysstat to collect accounting (no results) [test:ACCT-9626] [details:-] [solution:-]
2016-08-12 07:07:48 Suggestion: Enable auditd to collect audit information [test:ACCT-9628] [details:-] [solution:-]
2016-08-12 07:07:49 Suggestion: Install a file integrity tool to monitor changes to critical and sensitive files [test:FINT-4350] [details:-] [solution:-]
2016-08-12 07:07:50 Suggestion: Determine if automation tools are present for system management [test:TOOL-5002] [details:-] [solution:-]
2016-08-12 07:07:51 Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000] [details:-] [solution:-]
2016-08-12 07:07:51 Suggestion: Harden compilers like restricting access to root user only [test:HRDN-7222] [details:-] [solution:-]
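Added example, not part of the thread and not Lynis code: a small parser for the Suggestion entries in the layout shown in the log above, which checks whether the test ID on a report line ever logged that text. The function names and the report-line pattern are assumptions derived only from the lines quoted in this issue.

```python
import re
from collections import defaultdict

# Entry layout as it appears in the grep output posted in this thread:
#   <date> <time> Suggestion: <text> [test:<ID>] [details:<..>] [solution:<..>]
ENTRY = re.compile(
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+Suggestion:\s+(.*?)\s+"
    r"\[test:([A-Z]+-\d+)\]\s+\[details:(.*?)\]\s+\[solution:(.*?)\]",
    re.S,  # entries may be wrapped or run together on one line
)
# Report line layout as quoted in the issue: "! <text> [<ID>] <url>"
REPORT = re.compile(r"!\s*(.*?)\s*\[([A-Z]+-\d+)\]")


def parse_suggestions(log_text):
    """Map each test ID to the set of suggestion texts logged for it."""
    by_test = defaultdict(set)
    for text, test_id, _details, _solution in ENTRY.findall(log_text):
        by_test[test_id].add(" ".join(text.split()))
    return dict(by_test)


def check_report_line(line, by_test):
    """Return (status, owners): owners are the test IDs that logged this text."""
    match = REPORT.search(line)
    if match is None:
        return ("unparsed", [])
    text, test_id = match.groups()
    owners = sorted(t for t, texts in by_test.items() if text in texts)
    if test_id not in by_test:
        return ("id-not-logged", owners)
    return ("ok" if test_id in owners else "text-mismatch", owners)


# Three entries copied from the log in this thread, run together as posted.
SAMPLE_LOG = (
    "2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration "
    "[test:SSH-7408] [details:MaxAuthTries (6 --> 1)] [solution:-] "
    "2016-08-12 07:07:41 Suggestion: Consider hardening SSH configuration "
    "[test:SSH-7408] [details:X11Forwarding (YES --> NO)] [solution:-] "
    "2016-08-12 07:07:48 Suggestion: Enable process accounting "
    "[test:ACCT-9622] [details:-] [solution:-]"
)
REPORTED = "! Consider hardening SSH configuration [DBS-1816] https://cisofy.com/controls/DBS-1816/"

if __name__ == "__main__":
    print(check_report_line(REPORTED, parse_suggestions(SAMPLE_LOG)))
```

For the report line quoted in this issue the status is `id-not-logged` with `SSH-7408` as the owner: the text was logged only under the SSH test, and no Suggestion entry in the log carries the DBS-1816 ID.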
Several changes have been made. Can you see if you still have the issue?
This fixed the issue.
Just tested my Desktop (Ubuntu 16.04) with 2.3.2.
An empty MySQL root password led to the following suggestion in the results:
! Consider hardening SSH configuration [DBS-1816] https://cisofy.com/controls/DBS-1816/
If you visit the link you get the recommendation to set a mysql root password.
I guess it is the wrong text for the mysql root password check. It could also be the wrong link for the SSH checks.
SSH results were:
[+] SSH Support