CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

machine-role=desktop - Options Seem Extreme For Desktop... #264

Closed ghost closed 7 years ago

ghost commented 8 years ago

I have my .prf set for machine-role=desktop; using a stand-alone, single-user, at-home-only desktop, I find the Lynis options a bit extreme.

Don't take me wrong, I love lynis and thank you very much, but for a desktop user this needs to be toned down, you're going to scare the Newbies! LOL...

I understand trying to find a happy balance here for a desktop user is possibly a bit of a task, but I think the desktop feedback when running Lynis could stand some trimming back.

Maybe in time something can be created as an easier desktop option; it seems a little too Fort Knox, as the Americans would say, for a desktop.

My Suggestions:

* Bootloader - Password option presence should be a Suggestion

* Linux single user mode authentication - Starting or Logging in? I'm not sure in Slackware you can get around it and log in without the root password...

* umask for a home user - weak in /etc/profile is relevant based on needs, and a home user doesn't need to consider changing it. I've used umask 022 for many years without problem as a desktop user... Should be changed to Suggestion for machine-role=desktop; for servers, weak is a more appropriate label...

* Testing swap partitions - label should be changed to Not Found; swap isn't needed with large amounts of RAM, I stopped using swap YEARS ago. :)

* Testing proc mount - if this is about hiding it from a user, then in Slackware as an example it doesn't work loading it from fstab, it needs to be added to rc.local like this:

  ```
  mount -o remount,hidepid=2 /proc
  ```

  So testing for a /proc entry in fstab doesn't work on all distros...

* Checking usb-storage driver - extreme for a single-user, at-home desktop user. For machine-role=desktop this should be changed to Suggestion. Same thing for firewire...

* /etc/issue contents listed as weak, should be changed to Suggestions for machine-role=desktop

* /etc/issue.net contents listed as weak, should be changed to Suggestions for machine-role=desktop

* Installed compiler(s) - compiler hardening on a home box is extreme, should be Suggestion

* Installed malware scanner - should be Suggestion when not found, not a red Not Found and then an X below, because I've never run a malware scanner ever as a home desktop user in Linux. It depends on the needs; red wording and an X are not needed. Suggestion and a yellow question mark (?) is better for machine-role=desktop

I hope in time we will see output better geared towards the Desktop user; it still looks too much like Server output IMHO...
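A way to verify the remount that the "Testing proc mount" item above describes, added here as an example that is not part of the thread or of Lynis: it parses a mounts table in /proc/mounts format (the two sample tables are constructed) and reports the hidepid level actually in effect, which is what either an fstab entry or an rc.local remount should leave behind.

```shell
#!/bin/sh
# Added example, not from the thread or from Lynis: report the hidepid
# level of the /proc mount as it is right now, however it was set
# (fstab at boot or a later "mount -o remount,hidepid=2 /proc").
set -eu

# Constructed /proc/mounts excerpt: /proc remounted with hidepid=2
SAMPLE_MOUNTS_HIDDEN='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed excerpt: plain /proc mount, as after a default boot
SAMPLE_MOUNTS_PLAIN='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# Read a mounts table (in /proc/mounts format) on stdin and print the
# hidepid level of the /proc mount: 0 when the option is absent, the
# numeric level otherwise, or "none" when /proc is not mounted at all.
# Linux 5.8+ also accepts named values, which are mapped to their numbers.
proc_hidepid() {
    awk '$2 == "/proc" && $3 == "proc" {
        found = 1
        level = 0
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^hidepid=/) {
                v = substr(opts[i], 9)          # text after "hidepid="
                if (v == "off")             level = 0
                else if (v == "noaccess")   level = 1
                else if (v == "invisible")  level = 2
                else if (v == "ptraceable") level = 4
                else                        level = v
            }
        }
        print level
        exit                                    # END still runs
    }
    END { if (!found) print "none" }'
}

# Same check against the running system
live_proc_hidepid() {
    proc_hidepid < /proc/mounts
}

printf 'constructed hidden table: hidepid=%s\n' \
    "$(printf '%s\n' "$SAMPLE_MOUNTS_HIDDEN" | proc_hidepid)"
printf 'constructed plain table:  hidepid=%s\n' \
    "$(printf '%s\n' "$SAMPLE_MOUNTS_PLAIN" | proc_hidepid)"
```

Anything other than the level you expect (2 for the remount shown above) means the option did not take effect, regardless of what fstab or rc.local says.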

mboelen commented 8 years ago

We recently added one detection method to determine if a system is a notebook. Together with the configuration setting, this opens up the possibility to add some more fine-grained advice, depending on the hardware type.

Your suggestions look reasonable for the "desktop" profile. So let me ask a question in return: Care to make a few pull requests? If so, please do one item per request, so it is easy to check and apply.

ghost commented 8 years ago

Pull requests? I'm not geek enough for all this; I need the experts here to do all this...

mboelen commented 8 years ago

It's not as scary as it looks ;-)

Here is a good tutorial to start: http://hisham.hm/2016/01/01/how-to-make-a-pull-request-on-github-a-quick-tutorial/

ghost commented 8 years ago

ACTUALLY I shouldn't have made it sound the way I did and undersell myself; oh, I'm plenty geek enough, just not the geek that likes messing with Git, that is...

So I just come here, make my reports and move on.

I also just assumed that you'd take the things I suggested, any you like, and make the changes; not something I had to do, is all...

ghost commented 8 years ago

I just downloaded and used 2.3.3

I removed these two from plugins: plugin=pam and plugin=systemd

Next I ran lynis audit system and under Users, Groups and Authentication it shows me this:

I'm assuming if the end-user removes the plugin=pam entry there is not going to be any mention of PAM under the Users, Groups and Authentication section; this information should no longer appear.

I also see in the default.prf this for the plugins: Lynis Plugins (some are for Lynis Enterprise users only)

Because under the output when I removed pam and systemd I see it say none:

Plugins (phase 1)

Before I removed them, it only showed pam and systemd as the plugins; is this correct, that there are only 2 for the free lynis version?

mboelen commented 8 years ago

While we really appreciate any piece of feedback, the Lynis Community version is named that way for a reason. We like to have more people helping out to make the software better. You have good tips and by committing even the smallest changes, you become part of the family. Especially because you already looked deeper in the configuration and code, your pull requests would be great. Git might be unusual to work with in the beginning, but it does make sense quickly. That is why we went from private development to GitHub.

Anyways, hope you want to reconsider. If everyone would make suggestions, but none make actual changes to the code, then nothing changes ;-)

mboelen commented 8 years ago

Yes, currently we have only two community plugins. When people from the community submit more tests that should be in the plugins, then we happily share them.

ghost commented 8 years ago

Thanks and I don't have time...

mboelen commented 8 years ago

Alright, that is fine. I will leave this open for a bit with the "up-for-grabs" tag, and also to determine if there is enough interest for these changes. If someone wants to join development and pick them up, this is a great list to start with.

marcus-cr commented 8 years ago

With a bit more information from @Geyup I can see if I can contribute and make a pull request. You're running Slackware? Still have the log handy?

ghost commented 8 years ago

Slackware 14.2 :)

Log: http://dpaste.com/3A1GK53

marcus-cr commented 8 years ago

Your log compares fairly well to my fresh Linux installs, which usually average an index between 65-70. @mboelen: would you assign this to me? I'll see what I can do with a new pull request. Perhaps a new machine role would be a nice enhancement... such as having the roles as: server, workstation (current desktop role), and a new desktop or a "light" role for more flexibility?

Regarding some of your earlier suggestions:

> Bootloader - Password option presence should be a Suggestion

This could be a suggestion for the lighter desktop role; it would be more common for a workstation or server.

> Linux single user mode authentication - Starting or Logging in? I'm not sure in Slackware you can get around it and log in without the root password...

I could be wrong but this is referring to the bootloader test. Since there was no password set for starting (or modifying) your bootloader, Lynis is alerting you that the "Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data".

> umask for a home user - weak in /etc/profile is relevant based on needs, and a home user doesn't need to consider changing.

This could be adjusted, or you can create a custom profile and just add the test ID to "skip-tests" in the configuration. This particular test ID is AUTH-9328.

> Testing swap partitions - label should be changed to Not Found, swap isn't needed with large amounts of ram, I stopped using swap YEARS ago. :)

Many distros include swap; however, I believe I see where it wouldn't say Not Found within test ID FILE-6336.

> Testing proc mount - if this is about hiding it from a user, then in Slackware as an example it doesn't work loading it from fstab, it needs to be added to rc.local like this;

This test isn't about /proc being hidden but about whether it is mounted on a separate partition, to prevent issues with system functionality if the partition goes bad (or fills up). Lynis also tests if /home, /var and /tmp are on separate partitions as well, instead of all on the root path ( / ).

> Checking usb-storage driver - extreme for a single user at home desktop user. For machine-role=desktop this should be changed to Suggestion. Same thing for firewire...

This could be changed with a lighter role, or you can also set this test ID with the others in a custom profile :)

> Installed compiler(s) - compiler hardening on a home box is extreme, should be Suggestion

This one is a different beast. Personally I believe your compilers should be hardened, even as a home user. You should utilize two user accounts, one standard every-day user and an admin account. Preventing other users from executing compilers is a good tip. Whenever you need to compile, just su into your admin/root account when needed. Your log shows as and gcc as executable by anybody.

> Installed malware scanner - should be Suggestion when not found, not red not found and then an X below

This too could also be adjusted for the new "lighter" role. Also, this is another test ID you can throw into the custom profile ;)

If you need help creating and using a new profile, lemme know.

mboelen commented 8 years ago

Let's use the following roles, to avoid confusion between workstation/desktop:

Hereby @marcus-cr is assigned (can't do it via GitHub on this issue). Please create individual pull requests, so they can quickly be reviewed and approved. Thanks for your help!

marcus-cr commented 8 years ago

@Geyup give this a try. You'll have to edit your profile file in the main lynis directory, but you can copy the default profile to a new file then issue the --profile option to select it.

```
$ cp default.prf personal.prf
$ vim personal.prf
```

Change machine role to personal, save the file, then run lynis with the following command plus any others you choose: ./lynis audit system --profile personal.prf

marcus-cr commented 8 years ago

Also, there is a section in the profile where you can skip tests (e.g. skip-tests=FILE-6336). Just replace the FILE-6336 with the particular test ID you want to skip. I'll have to get my hands on Slackware for further testing if needed.

ghost commented 8 years ago

I don't see why creating two accounts as you've explained for compiling makes a box any more hardened vs. permissions and adding a group.

@marcus-cr sorry you lost me, why do I need to change it to personal.prf and run it this way? I see there was a commit, but I'm not seeing that it was committed, if I do git clone?

ghost commented 8 years ago

Something I overlooked, Slackware doesn't use dhclient.

lynis.log shows:

```
Performing test ID NETW-3030 (Checking DHCP client status)
IsRunning: process 'dhclient' not found
```

Slackware uses the DHCP client program dhcpcd.

marcus-cr commented 8 years ago

The commit you see hasn't been approved and merged yet, so it may be restricted for now.. And not having Slackware leaves me a bit limited with testing. I've forked this repo and made some adjustments you can see. I made a direct mention to you in the comments for easier finding.

With lynis you can create your own auditing templates. There is a default.prf template that comes with lynis in the main directory. It is best to copy this to a new file for a new profile rather than modifying the default auditing profile.

If you open it up and look around you'll find where you can change the machine-role= or even skip-test=. I edited my custom profiles to be verbose and to switch between machine-roles depending on the system I audit.

Anytime I run an audit I just use --profile my-custom-audit.prf as part of the command. This way I don't have to use the same default audit! This isn't a requirement but rather a convenience.

ghost commented 8 years ago

On the commit, that is what I was thinking, wasn't in yet...

As far as copying the profile, changing it, running it etc., yes I am aware of these things, but for now, not much of anything to change for any benefit.

Well if you don't have Slack, there is always getting the ISO and VirtualBox... Hint Hint :)

By the way thanks for all your help!

ghost commented 8 years ago

By the way, looking at your commit for DHCP, maybe there are many other distros out there also using dhcpcd, which I thought was pretty common.

```
if [ ${OS} = "Slackware" ]; then
```

I'm not great with code, but maybe it's better to have this just look for it rather than rely on any particular distro; that way any and all distros using this will benefit...

marcus-cr commented 8 years ago

Good call, I'll adjust this and make new commit. Let me know if it detects your dhcpcd process. I'm considering getting Slack on a VM, but don't want to go through the hoops of configuring from scratch (done that enough by now haha).

marcus-cr commented 8 years ago

Go ahead and test it now @Geyup. I've made the changes to detect dhclient or dhcpcd running independently without detecting the OS. New pull request was made, issue #298.

Let me know if it works for you now!

ghost commented 8 years ago

Ok...

First, I ran this as: lynis audit system --profile personal.prf and then it says:

Profiles: /etc/lynis/default.prf

I expected this to say personal.prf; that looks confusing...

Next I removed pam and systemd under the Plugins, so I'd assume there would be no testing for PAM:

It would be nice if these were removed when I removed the plugins=pam line in the prf. Slackware doesn't use PAM, maybe other distros don't either, so it would be nice to not test for things you don't have...

Next;

Why were the nameservers skipped and not tested?

And last:

```
Checking status DHCP client [ NOT ACTIVE]
```

Hmm not active, but it is active...

ghost commented 8 years ago

Later if possible, it would be nice to have options in the default.prf to comment these out, so they are not tested, and uncomment them for those that want them tested, etc...

* Checking UEFI boot
* PAM
* LDAP authentication support
* NFS
* Printers and Spools
* e-mail and messaging
* webserver
* SSH
* SNMP
* Database
* LDAP Services
* PHP
* Squid
* Time and Synchronization

All these I listed above I personally don't use, and for a lot of simple desktop users like myself I'm sure there are plenty of others that have no need of any of these...

Sure I can look past these and not pay attention; the point is to limit the amount of information on the screen, so you don't have to dig through a lot, just the basics that you need is all...

THANKS

marcus-cr commented 7 years ago

@Geyup: you've given me quite a bit of information so let's see if we can break this down bit by bit :)

Did you copy the file "default.prf" into a new file and edit the new one? It sounds like either the custom profile did not copy/isn't being used during auditing/wasn't completely edited (there is a section that has "Default Auditing Template" for the name, as an example).

Do not remove the PAM plugin lines from the new .prf file; instead you must comment them out by adding # in front of the PAM plugin lines like so: #plugin=pam. This should stop it from running. Otherwise you can use --skip-plugins while running the audit, like so: lynis audit system --profile custom.prf --skip-plugins (if you comment out the PAM plugin with #plugin=pam in your custom profile then there is no need to add skip-plugins, since there is an extra plugin, other than PAM, that runs while auditing on the community version of lynis).

Are you positive that "dhcpcd" is running while you performed the audit, and are you sure that you're using the latest version from GitHub that has the changed networking test to accommodate scanning for dhcpcd?

Regarding skipping the list of tests, as mentioned before, the newly copied profile file (ending in .prf) allows you to skip tests. If you run lynis show categories or lynis show groups you'll see the list that you can exclude, and within that lynis show tests will show the full list of tests. With this (the full list of tests from "show tests") just add the test to the --skip-test= line within the custom .prf file you created, such as: skip-test=SSH-7408.

Many of the tests you listed are enabled/installed by default for many distros, especially for desktop (personal) users. The best way around having lynis perform your unneeded tests is to just specify which tests to skip in your custom .prf profile and use it while auditing. @mboelen: does lynis allow skipping whole categories or groups instead of individual test IDs?

I personally added several tests to skip in my custom profile, since it was either unnecessary on my machine to audit or excessive due to my threat profile. The custom profile is a very useful and powerful feature!

ghost commented 7 years ago

Does 2.4.0 have all these changes committed? If so, let me grab that and test again...

ghost commented 7 years ago

With 2.4.0 I copied default.prf to personal.prf and edited these lines:

```
# Defines the role of the system (personal, workstation or server)
machine-role=personal

# Profile name, will be used as title/description
profile-name=personal

# Plugins
plugin=pam
plugin=systemd
```

I then ran the cmd as:

```
lynis audit system --profile personal.prf
```

And the output now shows as:

```
Profiles: /etc/lynis/default.prf personal.prf
```

I don't understand: if I'm running lynis audit system --profile personal.prf, then in the output for the Profiles it shows both of them? I get the idea that yes there are two of them in /etc/lynis, but since I'm running the command with --profile personal.prf I think it's best that this output only shows that profile being run, otherwise it's confusing and makes it look like both...

Because also when I ran lynis show profiles this is all it shows: /etc/lynis/default.prf

ghost commented 7 years ago

Hey I'm starting to lose track here, without a reply for so long... LOL

Ok, after reading over again: I ran lynis audit system --profile personal.prf; is it supposed to show both when it runs now, as:

Profiles: /etc/lynis/default.prf personal.prf

mboelen commented 7 years ago

Yes, if you provide a profile, it will show both. Lynis will always use default.prf. If it can find custom.prf, it will apply those changes on top of default.prf. If you provide a profile with --profile, then that one will be applied on top of the previous two.

You don't actually have to copy default.prf. Simply adding your specific changes to custom.prf will do the trick as well. This custom.prf can be placed in /etc/lynis. Does that help?
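A model of the profile chain just described (default.prf, then custom.prf, then the file given with --profile) and of the skip-test lines discussed earlier in the thread, added here as an example that is neither Lynis code nor from the thread. The three profiles are constructed inline; that skip-test accumulates across files is an assumption of this model, not something the thread states.

```shell
#!/bin/sh
# Added example, not Lynis code: a model of the profile chain described
# above. A single-valued key such as machine-role takes its value from the
# last file in the chain that sets it. skip-test is treated as accumulating
# across files (an assumption of this model, not a documented Lynis rule).
# The three profiles are constructed inline in a temporary directory.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed stand-in for /etc/lynis/default.prf (always read first)
cat > "$WORKDIR/default.prf" <<'EOF'
# Defines the role of the system (personal, workstation or server)
machine-role=server
profile-name=Default Auditing Template
EOF

# Constructed stand-in for /etc/lynis/custom.prf (applied on top of default)
cat > "$WORKDIR/custom.prf" <<'EOF'
machine-role=workstation
skip-test=FILE-6336
EOF

# Constructed stand-in for the file given with --profile personal.prf
cat > "$WORKDIR/personal.prf" <<'EOF'
machine-role=personal
profile-name=personal
skip-test=AUTH-9328
EOF

# Last active definition of KEY across the files given in chain order.
# Lines starting with # are comments and never count as a definition.
effective_value() {
    key=$1; shift
    val=""
    for f in "$@"; do
        v=$(grep -E "^${key}=" "$f" | tail -n 1 | cut -d= -f2-)
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# Every active value of a multi-valued KEY across the chain, space separated.
collect_values() {
    key=$1; shift
    grep -hE "^${key}=" "$@" | cut -d= -f2- | tr '\n' ' ' | sed 's/ $//'
}

# Chain for "lynis audit system --profile personal.prf"
CHAIN="$WORKDIR/default.prf $WORKDIR/custom.prf $WORKDIR/personal.prf"

printf 'machine-role with --profile:    %s\n' "$(effective_value machine-role $CHAIN)"
printf 'machine-role without --profile: %s\n' \
    "$(effective_value machine-role "$WORKDIR/default.prf" "$WORKDIR/custom.prf")"
printf 'skipped tests:                  %s\n' "$(collect_values skip-test $CHAIN)"
```

Dropping the third file from the chain shows why the role falls back to whatever custom.prf (or default.prf) says when --profile is omitted.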

ghost commented 7 years ago

ok thanks

mboelen commented 7 years ago

I am opting to close this open issue.

While many of the suggestions are good, they are not picked up for pull requests by others. Maybe that is because of time, or that the suggested changes are not important enough for them. We have a lot of incoming changes, so as a project manager I will focus on getting those implemented. To prevent this entry from ending up a "zombie", I'm closing it for now.