Use Lynis to test hardenings before & after

[pyllyukko]

• [ ] Check individual hardenings with lynis show details TEST-ID

• [ ] boot_services

• [ ] kernel

• [ ] memory_processes

• [ ] authentication

• [x] shells

• [x] filesystems

• [ ] storage

  • USB & FireWire

• [ ] storage_nfs

• [ ] nameservices

• [ ] ports_packages

• [ ] networking

• [ ] printers_spools

• [ ] mail_messaging

• [ ] firewalls

• [ ] webservers

• [x] ssh

• [ ] snmp

• [ ] databases

• [ ] ldap

• [ ] php

• [ ] squid

• [ ] logging

• [ ] insecure_services

• [x] banners

• [ ] scheduling

  • cron & at

• [ ] accounting

  • sysstat
  • auditd

• [ ] time

• [ ] crypto

• [ ] virtualization

• [ ] containers

• [ ] mac_frameworks

• [ ] file_integrity

• [ ] tooling

  • TOOL-5002 - automation tooling
  • TOOL-5190 - IDS/IPS tooling

• [ ] malware

• [x] file_permissions

  • permfile & permdir in the profile

• [ ] homedirs

  • HOME-9310

• [x] kernel_hardening

• [ ] hardening

  • compiler(s)
  • malware scanner

shells

• SHLL-6211 /etc/shells -> remove_shells()
• SHLL-6220 "Search for session timeout tools or settings in shell"
• SHLL-6230 umask -> configure_umask()

authentication

• AUTH-9286 (Checking user password aging)
  • PASS_MIN_DAYS option in /etc/login.defs
  • PASS_MAX_DAYS
• AUTH-9328 (Default umask values)
• AUTH-9308 - Protect single user mode

[pyllyukko]

Implemented in #43. Although with LXC you can't test everything. At least the following can't properly be tested:

• Kernel stuff (as they come from the host)
  • sysctl
  • AppArmor
  • Audit
• Partitioning