Security Audit: Lynis Auditing tool

[teusink]

Security Audit: Lynis Auditing tool

Audit ran on: 25-12-2017

Sources:

• https://cisofy.com/lynis/
• https://packages.cisofy.com/community/

Note: Old version of Lynis available on Raspbian repo. Version is 240, and the latest is 257.

Suggestions:

• Install libpam-usb to enable multi-factor authentication for PAM sessions [CUST-0285] https://your-domain.example.org/controls/CUST-0285/

• Install apt-listbugs to display a list of critical bugs prior to each APT installation. [CUST-0810] https://your-domain.example.org/controls/CUST-0810/

• Install debian-goodies so that you can run checkrestart after upgrades to determine which services are using old versions of libraries and need restarting. [CUST-0830] https://your-domain.example.org/controls/CUST-0830/

• Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [CUST-0831] https://your-domain.example.org/controls/CUST-0831/

• Install debsums for the verification of installed package files against MD5 checksums. [CUST-0875] https://your-domain.example.org/controls/CUST-0875/

• Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support [KRNL-5677] https://cisofy.com/controls/KRNL-5677/

• Discover why /vmlinuz is missing. Consider manually re-linking. [KRNL-5788] https://cisofy.com/controls/KRNL-5788/

• Check the output of apt-cache policy manually to determine why output is empty [KRNL-5788] https://cisofy.com/controls/KRNL-5788/

• Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] https://cisofy.com/controls/AUTH-9262/

• Configure minimum password age in /etc/login.defs [AUTH-9286] https://cisofy.com/controls/AUTH-9286/

• Configure maximum password age in /etc/login.defs [AUTH-9286] https://cisofy.com/controls/AUTH-9286/

• Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] https://cisofy.com/controls/AUTH-9328/

• To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/

• To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/

• To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/

• Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] https://cisofy.com/controls/STRG-1840/

• Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] https://cisofy.com/controls/STRG-1846/

• Install debsums utility for the verification of packages with known good database. [PKGS-7370] https://cisofy.com/controls/PKGS-7370/

• Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] https://cisofy.com/controls/NETW-3032/

• Check iptables rules to see which rules are currently not used [FIRE-4513] https://cisofy.com/controls/FIRE-4513/

• Consider hardening SSH configuration [SSH-7408]

  • Details : Port (22 --> ) https://cisofy.com/controls/SSH-7408/

• Consider hardening SSH configuration [SSH-7408]

  • Details : TCPKeepAlive (YES --> NO) https://cisofy.com/controls/SSH-7408/

• Check what deleted files are still in use and why. [LOGG-2190] https://cisofy.com/controls/LOGG-2190/

• Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] https://cisofy.com/controls/BANN-7126/

• Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] https://cisofy.com/controls/BANN-7130/

• Enable process accounting [ACCT-9622] https://cisofy.com/controls/ACCT-9622/

• Enable sysstat to collect accounting (no results) [ACCT-9626] https://cisofy.com/controls/ACCT-9626/

• Enable auditd to collect audit information [ACCT-9628] https://cisofy.com/controls/ACCT-9628/

• Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] https://cisofy.com/controls/FINT-4350/

• Determine if automation tools are present for system management [TOOL-5002] https://cisofy.com/controls/TOOL-5002/

• One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] https://cisofy.com/controls/KRNL-6000/

• Harden compilers like restricting access to root user only [HRDN-7222] https://cisofy.com/controls/HRDN-7222/

[teusink]

• Some suggestions taken over in Hardening: https://github.com/teusink/Home-Security-by-Pi/blob/master/3-Hardening.md
• Some suggestions explicitly skipped: https://github.com/teusink/Home-Security-by-Pi/blob/master/5-Skipped.md
• Some high level suggestions 'ignored'.
• Suggestions on partitioning and USB/Firewire in a new ticket: https://github.com/teusink/Home-Security-by-Pi/issues/28

[teusink]

Updated the list as of 14th January 2018. I will not undertake further work based on this.