Lynis Security Controls


Security Controls: Overview

Each control below lists its Lynis test identifier, the category it belongs to, a description of what the test checks or why the finding matters, and which automation snippets (Cfengine, Chef, shell script, Puppet) the original control page offers for remediation. The original control pages additionally rate each control for effort and risk on a scale of 1 to 5.

ACCT-2754  FreeBSD process accounting
Category: Accounting
Process accounting records the system resources (CPU time, memory, I/O) consumed by every process, per user, and is the basis for answering who ran what, and when. On FreeBSD it is enabled with accounting_enable="YES" in /etc/rc.conf and started with service accounting start; the resulting accounting file is read with lastcomm(1) and sa(8).
Automation snippets: Shell script

ACCT-9622  Linux process accounting
Category: Accounting
Process accounting records the system resources consumed by every process, per user, and is the basis for answering who ran what, and when. On Linux the acct or psacct package provides accton(8) to enable it, and lastcomm(1) and sa(8) to query the records.
Automation snippets: Shell script

ACCT-9626  Sysstat accounting data
Category: Accounting
Sysstat (sar, iostat, mpstat and related tools) collects system activity data at regular intervals. The history it keeps makes it possible to reconstruct load and resource usage around the time of an incident. Make sure the collection job (cron entry or systemd timer) is enabled, not only the package installed.
Automation snippets: Shell script

ACCT-9628  Audit daemon status
Category: Accounting
On Linux the audit daemon (auditd) can audit file accesses and process activity. This control checks whether the daemon is running: events matching the loaded rules are recorded by it, and when it is not running nothing is recorded.
Automation snippets: none

ACCT-9630  Empty Linux audit daemon ruleset
Category: Accounting
This control checks whether the Linux audit daemon runs with an empty ruleset. A daemon without rules records little more than its own start and stop events. List the loaded rules with auditctl -l and add rules (for example, in /etc/audit/rules.d/) for the files and system calls that matter on this system.
Automation snippets: Shell script

ACCT-9632  Auditd configuration file location
Category: Accounting
The Linux audit framework consists of the audit daemon (auditd), utilities, audit rules and a configuration file for the daemon. This file (auditd.conf) is usually located in /etc/audit or a similar directory. Lynis tries to determine where the file is located; this control shows up when it could not be found. That is unusual when the framework's binaries are present and the audit daemon is running.
Automation snippets: Shell script

ACCT-9636  Linux audit trail (Snoopy)
Category: Accounting
This control checks whether the Snoopy library is present. Snoopy is a preloaded shared library (loaded through /etc/ld.so.preload) that wraps execve() and sends every executed command, with its arguments and the calling user, to syslog. This creates an audit trail of all executed commands. Because it relies on the dynamic loader, statically linked binaries and processes that bypass it are not covered.
Automation snippets: Shell script
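The ruleset check behind ACCT-9630 is worth doing a little more strictly than "is the file empty": an audit.rules that only contains control options such as -D and -b loads no rule at all. The shell functions below are an added example, not Lynis code, and run over constructed rule files so they work offline; the list of control options treated as non-rules is an assumption based on the auditctl option set.

```shell
#!/bin/sh
# Added example (not Lynis code): count the rules that would actually be
# loaded from an audit.rules file. Comments, blank lines and control options
# (-D delete all, -b backlog, -f failure mode, -e enable, -r rate, -c/-i
# continue/ignore on error, and long --options) are not rules, so a file
# containing only "-D" and "-b 8192" is still an empty ruleset.

# Constructed sample: looks configured but contains no watch or syscall rule.
SAMPLE_RULES_EMPTY='## first flush existing rules
-D
-b 8192
-f 1'

# Constructed sample with two real rules (a file watch and a syscall rule).
SAMPLE_RULES_OK='-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
-e 2'

# Print the number of effective rules in the given rules text.
effective_rule_count() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                 # comment
        /^[[:space:]]*$/ { next }                 # blank line
        /^[[:space:]]*-[Dbferci]$/ { next }       # bare control option, e.g. -D
        /^[[:space:]]*-[Dbferci][[:space:]]/ { next }  # control option with value
        /^[[:space:]]*--/ { next }                # long option, e.g. --backlog_wait_time
        { n++ }
        END { print n + 0 }'
}

# "EMPTY" when no rule would be loaded, otherwise "OK <count>".
audit_ruleset_status() {
    n=$(effective_rule_count "$1")
    if [ "$n" -eq 0 ]; then echo "EMPTY"; else echo "OK $n"; fi
}

# On a live system, compare the file with what the kernel has loaded:
#   audit_ruleset_status "$(cat /etc/audit/audit.rules)"
#   auditctl -l      # prints "No rules" when the loaded ruleset is empty
```

The file on disk and the loaded ruleset can differ (augenrules merges /etc/audit/rules.d/*.rules into audit.rules, and -e 2 makes the loaded set immutable until reboot), so check both.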

AUTH-9204  Multiple users with uid 0
Category: Authentication
Any account with user ID zero (0) is root, whatever its name. Although the system permits it, configuring several such accounts is bad practice: it blurs accountability in logs and gives each extra account (and its password) the full privileges of root. Create separate, unprivileged accounts and grant elevated rights through proper group membership and sudo instead.
Automation snippets: Shell script

AUTH-9208  Duplicate accounts or IDs
Category: Authentication
Lynis reads the passwd file and counts every user ID; any ID that occurs more than once is reported as a finding. Accounts and user IDs must be unique for proper accounting, because the kernel and file system identify a user by uid only: two accounts sharing a uid own each other's files and processes, and actions cannot be attributed to one person. Sharing a uid may also result in data loss.
Automation snippets: Shell script

AUTH-9216  Consistency of password/group files
Category: Authentication
The password and group files (and their shadow equivalents) are an important part of the authentication process. Security controls such as access control and file permissions also depend on proper authentication and accounting of users. Inconsistencies in these files can be caused by malicious activity, or by editing them with an ordinary editor instead of vipw and vigr. Check them regularly (pwck and grpck report inconsistencies) and fix what is found.
Automation snippets: Shell script

AUTH-9218  Accounts without password
Category: Authentication
Lynis checks the user accounts and reports those without a password (an empty password field, as opposed to a locked one). Accounts without a password are bad practice, as each user should prove they are the rightful owner of the account. Anyone who reaches a login prompt can use such an account, so more than one person may act under it and accountability is lost; loss of data or damage to data integrity may be the result. Set a password or lock the account.
Automation snippets: Shell script
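The three checks above (AUTH-9204, AUTH-9208 and AUTH-9218) are all a matter of reading the colon-separated fields of passwd and shadow. The functions below are an added example, not Lynis code; they take the file contents as an argument and are exercised here against constructed sample files, so they run offline and without root. The sample account names and hashes are made up.

```shell
#!/bin/sh
# Added example (not Lynis code): account checks over passwd/shadow content.
# Pass real file contents for a live check, e.g.
#   uid0_accounts "$(cat /etc/passwd)"     (reading /etc/shadow needs root)

# Constructed /etc/passwd: 'backup' wrongly has uid 0 and 'bob' reuses
# alice's uid 1000; both are findings.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/bash'

# Constructed /etc/shadow: carol has an empty password field (login without
# a password). "*" and "!" mean locked, which is not a finding.
SAMPLE_SHADOW='root:$6$salt$hashedroot:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$hashedalice:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
backup:$6$salt$hashedbackup:19000:0:99999:7:::
carol::19000:0:99999:7:::'

# AUTH-9204: accounts with uid 0 other than root, one name per line.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# AUTH-9208: uids used by more than one account, as "uid name1,name2".
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '
        { names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1); count[$3]++ }
        END { for (u in count) if (count[u] > 1) print u, names[u] }' | sort -n
}

# AUTH-9218: accounts whose shadow password field is empty.
empty_passwords() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Run against the samples when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    echo "uid 0 accounts besides root:"; uid0_accounts "$SAMPLE_PASSWD"
    echo "duplicate uids:"; duplicate_uids "$SAMPLE_PASSWD"
    echo "accounts without password:"; empty_passwords "$SAMPLE_SHADOW"
fi
```

Note that an empty field and a locked field look alike to a casual `grep`: only the empty one lets a user in, so the shadow check matches exactly `""` rather than "anything that is not a hash".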

AUTH-9222  Unique authentication groups
Category: Authentication
Group names and group IDs should be unique; otherwise permissions granted to one group may silently apply to the members of another group with the same ID.
Automation snippets: none

AUTH-9228  Linux password file consistency
Category: Authentication
Password files such as /etc/passwd and /etc/shadow should be checked on a regular basis for errors (pwck -r does this without modifying anything).
Automation snippets: Shell script

AUTH-9262  PAM password strengthening tools
Category: Authentication
Several modules within the PAM framework help restrict access to only authorized people, for example by enforcing a strong password, a particular console, or a particular program. Passwords should be protected and strengthened where possible. On Unix and Linux based systems this is usually done via PAM modules and their configuration files. Examples include passwdqc (password quality control) and cracklib (password cracking library, used by pam_cracklib and pam_pwquality).
Automation snippets: none

AUTH-9282  Passwords (expire date)
Category: Authentication
Passwords are the main key to an account and to the services and information it gives access to. They therefore need to be protected with a strong password policy and password expiry. This test found accounts whose password has no expire date (chage -l shows the current settings). Depending on the sensitivity of the information on this machine, check whether this is appropriate and in line with the security policy.
Automation snippets: none

AUTH-9283  Passwords (no password set)
Category: Authentication
Passwords are the main key to an account and to the services and information it gives access to. They therefore need to be protected with a strong password policy and password expiry. This test found accounts without a password. Depending on the sensitivity of the information on this machine, check whether this is appropriate and in line with the security policy.
Automation snippets: none

AUTH-9286  Password aging
Category: Authentication
Proper protection against weak passwords, combined with regular changes, limits the risk of a password being cracked or obtained by unauthorized people. Password aging defaults for new accounts are set in /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE); existing accounts are adjusted with chage.
Automation snippets: none

AUTH-9308  Protect single user mode
Category: Authentication
Someone with physical access to the machine can use the boot phase to load alternative software or another operating system, or to boot into single user mode and obtain a root shell. Require authentication for single user mode (sulogin) and configure a password in the boot loader to prevent this. This test applies to Linux based systems only.
Automation snippets: Shell script

AUTH-9328  Default umask
Category: Authentication
The umask defines the default permissions that are removed from newly created files and directories. Servers can usually use a stricter umask such as 027 (new files are not readable by other users), whereas desktops are often less strict (022).
Automation snippets: none
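What a umask value means in practice is easiest to see by computing the modes it produces. The functions below are an added example, not Lynis code: they compute the resulting file and directory modes for a given umask and read the UMASK line from login.defs-style text. The login.defs content is constructed; the "strict" rule (all "other" bits cleared) is this example's own interpretation of the 027 recommendation above.

```shell
#!/bin/sh
# Added example (not Lynis code): reason about umask values offline.
# On a live host, read /etc/login.defs and the shell's own "umask" output.

# Constructed login.defs fragment with the lenient default.
LOGIN_DEFS_SAMPLE='# comment
UMASK           022
USERGROUPS_ENAB yes'

# Mode of a newly created file (base 666) or directory (base 777) under
# a umask: the umask bits are removed from the base.
mode_under_umask() {   # $1 = umask in octal, $2 = file|dir
    base=0666
    if [ "$2" = dir ]; then base=0777; fi
    printf '%03o\n' $(( base & ~0$1 ))
}

# Extract the UMASK value from login.defs-style text; empty when absent.
login_defs_umask() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*#/ { next } $1 == "UMASK" { print $2 }'
}

# Strict enough for a server: the last digit is 7, so new files get no
# permissions for "other". 022 still lets every local user read each new file.
umask_is_strict() {
    case "$1" in ??7) return 0 ;; *) return 1 ;; esac
}

# Example: umask 027 turns 666 into 640 for files and 777 into 750 for
# directories, i.e. the group can still read, other users get nothing.
```

A stricter umask only affects files created afterwards; existing world-readable files keep their mode and need a separate `find ... -perm -o+r` pass.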

BOOT-5260  Single user mode for systemd
Category: Authentication
Systemd has a single user mode, provided by rescue.service. Like classic single user mode, it gives access to the system while bypassing several levels of authorization. To protect against this, configure the service to run sulogin, so that the root password is required before a shell is opened.
Automation snippets: Cfengine, Chef, Shell script, Puppet

BANN-7122  Banner in /etc/motd
Category: Banner
Both authorized and unauthorized users should be told that the system is monitored. A message of the day serves as this notice after login and deters unauthorized users from continuing.
Automation snippets: Shell script

BANN-7126  Banner /etc/issue
Category: Banner
Make users aware that the system is monitored and that their privacy might be limited, where legal requirements or law require this. Add a banner to /etc/issue, which is shown before local (console) logins, to warn users.
Automation snippets: none

BANN-7130  Banner /etc/issue.net
Category: Banner
Make users aware that the system is monitored and that their privacy might be limited, where legal requirements or law require this. Add a banner to /etc/issue.net, which is shown before remote logins (for example by sshd when its Banner option points to it), to warn users.
Automation snippets: none

BOOT-5121  GRUB boot loader check
Category: Boot
Check whether the GRUB boot loader is present.
Automation snippets: none

BOOT-5122  Set boot loader password
Category: Boot
By default anyone with physical access to the machine can load alternative software or another operating system during the boot phase, or edit the kernel command line. Configure a password in GRUB to prevent this (GRUB 2 uses a superusers entry together with a password_pbkdf2 hash).
Automation snippets: Shell script

BOOT-5139  LILO bootloader password
Category: Boot
By default anyone with physical access to the machine can load alternative software or another operating system during the boot phase. Configure a password in LILO to prevent this.
Automation snippets: none

BOOT-5180  Linux boot services (Debian)
Category: Boot
Lynis determines which services are started in runlevel 2 (the default boot runlevel on Debian). The boot services should match the services currently running, with the exception of "one-time" processes: tasks that run during or just after booting, such as checking the file system. For all others the sets are expected to be equal: if MySQL is running now, it should also be found in the boot service scripts. A process missing from the boot list may leave an important service unavailable after a reboot. Regular testing and reboots help to discover any missing services.
Automation snippets: Shell script

BOOT-5184  Writable start-up scripts
Category: Boot
Unix based systems have an extensive boot process, from loading the boot loader up to the execution of post-boot scripts, and protecting it is important for the integrity of the system. Start-up scripts define which services are initialized and started during boot. Lynis tests whether any of these scripts are world writable. Such files can be changed by every user on the system, yet are usually executed with root permissions, so any user could plant a backdoor in a start-up script and have it run as root at the next boot.
Automation snippets: none

CONT-8104  Docker warnings
Category: Containers
Docker should preferably run without any warnings. The docker info command prints warnings at the end of its output (for example, unsupported resource limits or an insecure registry); investigate and resolve each of them.
Automation snippets: Cfengine, Chef, Shell script, Puppet

CRYP-7902  Expiry of certificates
Category: Crypto
Certificates carry a validity period (notBefore and notAfter) so that an expired certificate cannot be misused indefinitely. Lynis checks the certificates it finds for expiry. An expired certificate causes clients to fail or, worse, to be trained to click through warnings; a forgotten one usually means nobody is monitoring it. The end date of a certificate can be shown with openssl x509 -in cert.pem -noout -enddate.
Automation snippets: none

DBS-1816  Empty root password for MySQL
Category: Database
No password has been set for the MySQL 'root' user, so anyone who can reach the server socket or port has full control over all databases. Set a password (mysql_secure_installation does this, and also removes anonymous accounts).
Automation snippets: Cfengine, Chef, Shell script, Puppet

DBS-1882  Redis configuration file
Category: Database
This control tests the file permissions of the Redis configuration file. The file may contain the requirepass secret, so it should not be readable by other users.
Automation snippets: Cfengine, Chef, Shell script, Puppet

DBS-1884  Redis 'requirepass' option
Category: Database
Require a password for Redis instances (the requirepass directive) to prevent unauthorized clients from connecting. Redis has no other authentication by default, so an instance without requirepass that is reachable over the network is fully open.
Automation snippets: Cfengine, Chef, Shell script, Puppet

DBS-1886  Redis CONFIG parameter
Category: Database
By default the CONFIG command can be used by any connected client, which allows the running configuration, including file paths written by the server, to be changed. To prevent clients from using this command, disable it or rename it with the rename-command directive for an additional level of security.
Automation snippets: Cfengine, Chef, Shell script, Puppet
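The three Redis controls (DBS-1882, DBS-1884 and DBS-1886) can be checked together from the configuration file. The functions below are an added example, not Lynis code; they parse constructed redis.conf text so they run offline, and the bind and protected-mode checks go slightly beyond the controls above to show the two settings that decide whether a missing password is reachable at all.

```shell
#!/bin/sh
# Added example (not Lynis code): Redis configuration findings from the
# contents of redis.conf, plus a file mode check. For a live instance:
#   redis_config_findings "$(cat /etc/redis/redis.conf)"
#   redis_conf_mode_ok /etc/redis/redis.conf || echo "config readable by others"

# Constructed weak configuration: password commented out, CONFIG enabled,
# bound to all interfaces, protected mode off.
REDIS_WEAK='bind 0.0.0.0
port 6379
# requirepass foobared
protected-mode no'

# Constructed hardened configuration.
REDIS_HARDENED='bind 127.0.0.1
port 6379
requirepass s3cret-long-random-value
rename-command CONFIG ""
rename-command FLUSHALL ""'

# Print one finding per line; prints nothing when the configuration passes.
redis_config_findings() {
    printf '%s\n' "$1" | awk '
        # strip leading spaces and skip comments, so "# requirepass" does not count
        { sub(/^[[:space:]]+/, ""); if ($0 ~ /^#/ || $0 == "") next }
        $1 == "requirepass" && $2 != "" { haspass = 1 }
        $1 == "rename-command" && toupper($2) == "CONFIG" {
            config = ($3 == "\"\"" ? "disabled" : "renamed") }
        $1 == "bind" { for (i = 2; i <= NF; i++)
            if ($i == "0.0.0.0" || $i == "*" || $i == "::") bindall = 1 }
        $1 == "protected-mode" && tolower($2) == "no" { pmoff = 1 }
        END {
            if (!haspass) print "DBS-1884: no requirepass set"
            if (config == "") print "DBS-1886: CONFIG command neither renamed nor disabled"
            if (bindall) print "bind: listening on all interfaces"
            if (pmoff) print "protected-mode is off"
        }'
}

# DBS-1882: the file must grant no permissions to "other" (e.g. 640 or 600).
redis_conf_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU, then BSD stat
    case "$mode" in *[1-7]) return 1 ;; *) return 0 ;; esac
}
```

Renaming CONFIG to an empty string disables it; renaming it to a random name keeps it usable for administrators who know the name. Either way the password in the file is only as secret as the file's mode, which is why the mode check belongs with the other two.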

DBS-1820  Check empty MongoDB authorization
Category: Databases
This control is displayed when no authorization mechanism is configured for MongoDB. Without it, every client that can reach the server has full access. Enable it with security.authorization: enabled in mongod.conf after creating an administrative user.
Automation snippets: Cfengine, Chef, Shell script, Puppet

FILE-6310  Separation of partitions
Category: File Integrity
Some file systems, such as /tmp and /home, can easily be filled by users of the system. When they are not separated from the root file system, a user filling them up also fills the root file system and causes other system components to malfunction. Separate partitions (or volumes) also allow restrictive mount options such as noexec and nosuid where they make sense.
Automation snippets: none

FILE-6332  Swap in /etc/fstab
Category: File Integrity
This control checks whether a swap partition is configured in /etc/fstab. Usually one should be present, although this depends on how the system has been configured.
Automation snippets: none

FILE-6336  Swap partition options
Category: File Integrity
The /etc/fstab file defines the mount points available on the system. This test looks for swap partitions and checks whether any unexpected mount options are used for them.
Automation snippets: Cfengine, Chef, Shell script, Puppet

FILE-6354  Old files in /tmp
Category: File Integrity
Lynis tests for the presence of old files in /tmp. Such files may be taking up space for no reason, can eventually fill the file system, and indicate that /tmp is being used as permanent storage. Malware is also commonly found in /tmp, which it uses as a staging area, so unexplained old files deserve a look.
Automation snippets: Shell script

FILE-6410  Locate database
Category: File Integrity
When the locate utility is found, Lynis checks for its database. The database (built by updatedb) holds the names of files across the whole system; it is useful for investigations, but also reveals file names to anyone who can query it, so keep it up to date and be aware of what it exposes.
Automation snippets: Shell script

FILE-7524  File permissions
Category: File Integrity
This control reports files whose permissions differ from the expected permissions configured in the profile. Depending on the tested file and the result, determine why a different permission set is being used, or correct it where appropriate.
Automation snippets: none

FINT-4315  AIDE configuration check
Category: File Integrity
AIDE configuration errors were found. Run aide --config-check to see them; an AIDE that fails to parse its configuration is not protecting anything.
Automation snippets: Cfengine, Chef, Shell script, Puppet

FINT-4350  Install a file integrity tool
Category: File Integrity
A file integrity tool helps to detect unauthorized changes. Each time the contents or properties of a file change, its checksum changes as well, so regular comparisons against the integrity database make changes easy to discover. Install a tool such as AIDE, Samhain or Tripwire to monitor important system and data files, and configure it to alert system or security personnel on events. Keep the database (and ideally the tool's binary) on read-only or off-host storage, otherwise an attacker who changes a file can update the database too.
Automation snippets: Shell script, Puppet

FINT-4402  Usage of SHA256/SHA512 in AIDE configuration
Category: File Integrity
This check found that neither SHA256 nor SHA512 is used to hash files in the AIDE configuration. Older digests such as MD5 and SHA1 should no longer be relied on for integrity checking.
Automation snippets: Cfengine, Chef, Shell script, Puppet

FILE-6344  Restricting process details to users
Category: File Systems
The pseudo file system /proc reveals process data of all users to every user. Especially in shared environments, or wherever multiple users have access, this is a security risk: command lines, environment details and open files of other users' processes leak information. Even on a basic web server it helps to restrict who can see process data in /proc (mount it with the hidepid option, for example hidepid=2) to prevent information leakage.
Automation snippets: Cfengine, Chef, Shell script, Puppet

FILE-6362  Sticky bit on /tmp
Category: File Systems
Check whether the sticky bit is set on /tmp. Without it, any user can delete or rename files in the world-writable directory that belong to other users.
Automation snippets: Cfengine, Chef, Shell script, Puppet

FIRE-4512  Empty iptables ruleset
Category: Firewall
Lynis checks whether iptables is available and whether its ruleset is empty. An empty ruleset usually indicates a misconfiguration or a ruleset that failed to load at boot, leaving the system with the default ACCEPT policies.
Automation snippets: Shell script

FIRE-4513  Unused iptables rules
Category: Firewall
This control reports iptables rules that currently have no hits. Proper maintenance of firewall rules is essential for accuracy and correct filtering of network traffic. Regular review of the rule sets keeps allowed traffic to the bare minimum and reduces the risk of unauthorized connections. Note that a rule with zero hits may still be needed (emergency access, rare backup traffic); before removing rules, make sure the monitoring period was long enough, and remember that the counters reset when the rules are reloaded.
Automation snippets: Shell script
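Finding the rules with zero hits that FIRE-4513 refers to is a matter of reading the packet counters. The function below is an added example, not Lynis code; it parses constructed output in the format of `iptables -L -v -n --line-numbers` so it runs offline, and reports each unused rule with its chain, rule number and target.

```shell
#!/bin/sh
# Added example (not Lynis code): list iptables rules whose packet counter
# is zero. On a live firewall:
#   iptables_unused_rules "$(iptables -L -v -n --line-numbers)"
# Counters may be abbreviated (12K, 3M) unless -x is given; only an exact
# "0" is treated as unused here.

# Constructed counter output: rules 4 and 5 of INPUT and rule 1 of OUTPUT
# have never matched since the counters were last reset.
IPT_SAMPLE='Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8412  611K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     5130  400K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3       42  2520 ACCEPT     tcp  --  *      *       192.0.2.0/24         0.0.0.0/0            tcp dpt:22
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
5        0     0 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 reject-with icmp-port-unreachable'

# Print "CHAIN num target <rest of rule>" for each rule with a zero counter.
iptables_unused_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; next }          # remember the current chain
        /^num / || NF == 0 { next }             # column header or blank line
        $2 == 0 {
            rest = ""
            for (i = 5; i <= NF; i++) rest = rest (rest == "" ? "" : " ") $i
            print chain, $1, $4, rest
        }'
}

# Number of unused rules, for a threshold-based alert.
iptables_unused_count() {
    iptables_unused_rules "$1" | wc -l | tr -d ' '
}
```

A zero counter is evidence, not proof: rule 5 above (a DROP for one source) and the SMTP REJECT in OUTPUT may be exactly the rules you want to keep even though they never fire. Run the check over a period that covers the rare traffic before deleting anything.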

FIRE-4590  Active firewall
Category: Firewall
Depending on the type of system and the sensitivity of the data it stores and processes, a host firewall is advised, even behind a network firewall: it limits which services are reachable and from where.
Automation snippets: Cfengine, Chef, Puppet

MACF-6208  AppArmor status
Category: Framework
This test determines the status of AppArmor on systems such as Debian, Ubuntu, openSUSE and others (aa-status shows which profiles are loaded and whether they run in enforce or complain mode).
Automation snippets: Cfengine, Chef, Shell script, Puppet

MACF-6234  SELinux status
Category: Framework
This test compares the configured SELinux mode (/etc/selinux/config) with the actual status reported by the kernel (sestatus). A system configured for enforcing mode but running permissive, or vice versa, deserves attention.
Automation snippets: Cfengine, Chef, Shell script, Puppet

HRDN-7220  Limit access to compilers
Category: Hardening
Compilers are usually not needed on production systems, unless the system's upgrade mechanism builds packages from source. Leaving compilers accessible to all users increases the risk of abuse and gives an attacker additional leverage once another flaw is found: for example, privilege escalation by compiling and running an exploit for a weakness in an existing system component, directly on the target.
Automation snippets: Shell script

HRDN-7222  Permissions on installed compilers
Category: Hardening
Compilers turn source code into executable binaries. A production system usually does not need one, unless package upgrades are performed from source. If a compiler is found, restrict its execution to authorized users only (for example the root user), by removing execute permission for other users.
Automation snippets: Shell script

INSE-8006  Inetd configuration
Category: Hardening
When inetd is not used in production, remove it altogether, or make sure that no entries in its configuration can be started by accident.
Automation snippets: Shell script

KRNL-5677  PAE kernel test
Category: Kernel
On 32-bit x86 systems the NX (No eXecute) bit, which lets the kernel mark data pages non-executable, is only available with a PAE-enabled kernel. Where possible, run such a kernel. On systems where this is not possible, this control can be hidden or ignored.
Automation snippets: none

KRNL-5788  Linux kernel update available
Category: Kernel
This control applies to systems based on Debian or Ubuntu and tests whether a newer Linux kernel package is available. An available kernel update is usually a security update or a fix for serious flaws, and it only takes effect after a reboot.
Automation snippets: Shell script

KRNL-5830  Required system reboot
Category: Kernel
If this test shows up, a reboot of the system is required, typically because a kernel or core library update has been installed but the running kernel or processes still use the old, vulnerable code (on Debian based systems the marker file is /var/run/reboot-required). Schedule downtime for a reboot.
Automation snippets: Shell script

KRNL-6000  Kernel sysctl values
Category: Kernel
Sysctl values adjust kernel parameters at runtime. Many of them concern hardening of the network stack, or how the kernel deals with processes and files. This control is a generic test over several sysctl variables, with the expected values configured in the scan profile. Values set with sysctl -w do not survive a reboot; persist them in /etc/sysctl.conf or /etc/sysctl.d/.
Automation snippets: Shell script
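The profile-driven comparison behind KRNL-6000 is simple to reproduce for your own baseline. The function below is an added example, not Lynis code: it takes a list of expected key=value pairs and a snapshot of the running kernel's values and prints every deviation. The snapshot is constructed here so the check runs offline; the expected values are a small baseline chosen for illustration, not Lynis's profile.

```shell
#!/bin/sh
# Added example (not Lynis code): compare expected sysctl values with a
# snapshot of the running kernel. On a real host:
#   sysctl_deviations "$EXPECTED" "$(sysctl -a 2>/dev/null)"

# Expected values, one key=value per line (a small illustrative baseline).
EXPECTED='kernel.kptr_restrict=2
kernel.dmesg_restrict=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
fs.protected_symlinks=1
kernel.yama.ptrace_scope=1'

# Constructed "sysctl -a" output: two deviations and one key that the kernel
# does not expose at all (Yama not built in, or the name is misspelled).
SNAPSHOT='kernel.kptr_restrict = 0
kernel.dmesg_restrict = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
fs.protected_symlinks = 1'

# Print "key expected actual" for each mismatch, in the order of EXPECTED.
# A missing key is reported with "-" as the actual value.
sysctl_deviations() {
    {
        printf '%s\n' "$2"          # the snapshot first
        echo '__EXPECTED__'         # marker between the two inputs
        printf '%s\n' "$1"          # then the expectations
    } | awk '
        /^__EXPECTED__$/ { expecting = 1; next }
        !expecting {
            if (split($0, kv, /[[:space:]]*=[[:space:]]*/) == 2) actual[kv[1]] = kv[2]
            next
        }
        {
            if (split($0, kv, /[[:space:]]*=[[:space:]]*/) != 2) next
            key = kv[1]; want = kv[2]
            have = (key in actual) ? actual[key] : "-"
            if (have != want) print key, want, have
        }'
}

# Emit the sysctl -w commands that would fix the reported deviations.
sysctl_fix_commands() {
    sysctl_deviations "$1" "$2" | awk '$3 != "-" { print "sysctl -w " $1 "=" $2 }'
}
```

The "-" case matters in practice: a key that is absent on the running kernel cannot be fixed with sysctl -w, so the fix helper skips it and leaves that line for a human to look at.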

LOGG-2138  Kernel logger (klogd)
Category: Logging
Most Linux systems run a kernel log daemon (klogd) to capture kernel messages. Newer distributions may not include klogd but capture kernel events in another way, for example through rsyslog's imklog module or systemd-journald; in that case this control can be ignored. On all other systems, find out why the kernel log daemon is not running.
Automation snippets: Cfengine, Chef, Puppet

LOGG-2154  Remote syslogging
Category: Logging
To prevent log data from being lost, for instance destroyed on purpose by an intruder who has gained root, send all log data to a remote system as well. Logs that only exist on the compromised host cannot be trusted afterwards.
Automation snippets: Cfengine, Chef, Puppet

LOGG-2190  Deleted files
Category: Logging
Files that have been deleted may still be held open by a process. This has legitimate causes (a log file rotated while the daemon still writes to the old one, or a library replaced by an update while a process still uses it), but it is also a technique used by malicious software to hide its presence on the system, since the file no longer appears in directory listings. Investigate each such file by determining which process keeps it open (lsof lists them as "(deleted)") and why.
Automation snippets: none

MAIL-8818  Postfix information leakage
Category: Mail
To avoid announcing the software and its version to malicious people or scripts, hide this information. In Postfix, the smtpd_banner setting should not include the mail_name or mail_version macros.
Automation snippets: Shell script

MAIL-8820  Postfix hardening
Category: Mail
This is a set of individual tests covering the Postfix configuration.
Automation snippets: Cfengine, Chef, Shell script, Puppet

HRDN-7230  Presence malware scanner
Category: Malware
Malware scanners search for traces of malware. Regular scans improve the chance of detecting an intrusion after the fact, and a proper implementation can prevent malware from spreading to other systems. One example is a virus scanner on a mail gateway, to protect the users behind it.
Automation snippets: Shell script

MALW-3280  Commercial anti-virus tool
Category: Malware
Depending on your requirements, use an anti-virus tool. Open source options are available, but some companies or regulations require a well-tested commercial anti-virus scanner.
Automation snippets: none

MALW-3286  Up-to-date ClamAV database
Category: Malware
This control checks whether the ClamAV signature database is kept up to date with the freshclam utility. A scanner with stale signatures misses recent malware.
Automation snippets: Cfengine, Shell script

MALW-3288  ClamXav for Mac OS X
Category: Malware
This control checks whether ClamXav is installed on Mac OS X.
Automation snippets: none

NAME-4028  DNS domain name
Category: Nameservers
DNS resolving is part of the network functionality of a system, and properly configured network settings are needed to provide business services. Unix based systems are usually part of a domain, whose name is the company's DNS domain name. Lynis tries to determine this domain name by checking several configuration files. This control shows up when Lynis was unable to discover it, which may indicate a misconfiguration of the server or an alternative set-up. Check the system and network configuration for the cause.
Automation snippets: none

NAME-4210  BIND version
Category: Nameservers
The name and version of software should generally be hidden from external users. In the case of BIND there is no benefit in revealing the version, while it helps an attacker select exploits. To limit information leakage to malicious people or scripts, hide the BIND version (the version option in the options block of named.conf).
Automation snippets: none

FIRE-4520  Configuration warnings in pf firewall
Category: Networking
Lynis uses the built-in check of pf (pfctl -n, which parses the ruleset without loading it) to determine whether the configuration has any warnings. When the utility reports any, Lynis triggers this control.
Automation snippets: Cfengine, Chef, Shell script, Puppet

NAME-4018  Search entries for name resolving
Category: Networking
A misconfigured resolver (the search entries in /etc/resolv.conf) may result in unexpected system behavior or reduced network performance, because every unqualified name is tried with each search domain in turn. In the worst case it can make the system unable to reach other systems.
Automation snippets: Cfengine, Chef, Shell script, Puppet

NAME-4402  Duplicate entries in hosts file
Category: Networking
This test found duplicate entries in the hosts file. When a name appears on more than one line, the first match wins and the other entries are silently ignored, which makes the file's behavior hard to predict.
Automation snippets: Cfengine, Chef, Shell script, Puppet

NAME-4404  Name resolving
Category: Networking
Add the system's IP address, hostname and FQDN to /etc/hosts so that the local name resolves even when DNS is unavailable.
Automation snippets: none

NAME-4406  Name resolving: local hostname
Category: Networking
For proper resolving, the entries for localhost and for the locally defined hostname should be kept on separate lines. Some middleware and applications are confused when the hostname resolves to the loopback address, for example when advertising their own address to other nodes.
Automation snippets: Cfengine, Chef, Shell script, Puppet
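The three hosts file controls (NAME-4402, NAME-4404 and NAME-4406) can be checked with a few lines of awk. The functions below are an added example, not Lynis code, and run over constructed hosts files and a made-up hostname so they work offline. One refinement over a plain duplicate count: a name legitimately appears once for IPv4 and once for IPv6 (localhost does), so duplicates are counted per address family.

```shell
#!/bin/sh
# Added example (not Lynis code): /etc/hosts checks over file contents.
# On a live host: hosts_duplicate_names "$(cat /etc/hosts)", etc.

HOST_SAMPLE='web01'                     # constructed local hostname
FQDN_SAMPLE='web01.example.com'         # constructed FQDN

# Constructed bad file: hostname shares the localhost line, FQDN only maps
# to loopback, and db01.example.com appears twice.
HOSTS_BAD='127.0.0.1   localhost web01
127.0.1.1   web01.example.com web01
::1         localhost ip6-localhost
# comment line
192.0.2.10  db01.example.com db01
192.0.2.10  db01.example.com'

# Constructed good file.
HOSTS_GOOD='127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.5   web01.example.com web01
192.0.2.10  db01.example.com db01'

# NAME-4402: names that appear on more than one line of the same address
# family, one per line, sorted.
hosts_duplicate_names() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next } NF < 2 { next }
        { fam = ($1 ~ /:/) ? "6" : "4"
          for (i = 2; i <= NF; i++) { k = fam ":" $i; c[k]++; name[k] = $i } }
        END { for (k in c) if (c[k] > 1) print name[k] }' | sort -u
}

# NAME-4404: address the given name maps to (first match wins, as in the
# resolver), or nothing when the name is absent.
hosts_lookup() {
    printf '%s\n' "$1" | awk -v n="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# NAME-4406: prints the address of a line on which the local hostname
# shares a line with "localhost"; nothing when they are separated.
hosts_hostname_with_localhost() {
    printf '%s\n' "$1" | awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        { l = 0; m = 0
          for (i = 2; i <= NF; i++) { if ($i == "localhost") l = 1; if ($i == h) m = 1 }
          if (l && m) { print $1; exit } }'
}
```

In the bad sample the FQDN resolves, but only to 127.0.1.1; whether that satisfies NAME-4404 depends on what the host's services do with their own address, which is the point of the separate NAME-4406 check.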

Nameserver configurationCategoryControl
Nameservers, or DNS servers, are being used to do host resolving. They resolve a hostname like www.google.com into an IP address like 74.135.133.72. If one or more nameservers are not working as expected, it might influence the performance of the system and result in other unexpected issues.NetworkingNETW-2704
CfengineChefShell scriptPuppetEffortRisk
ticktick-tick
12345
12345
More information available: See details

Properly functioning name serversCategoryControl
Connectivity is the central link for systems to communicate. Most communication occurs on layer 3 (network) for interconnected systems. There DNS resolving is very important for proper functioning.DNS resolving, while it is part of the basics, is often overlooked. To limit the chance of failure or bad performance, at least two working name servers are advised.Lynis tests the availability of name servers and if they actually respond to queries. To determine what DNS servers are used, consult the /etc/resolv.conf file.NetworkingNETW-2705
CfengineChefShell scriptPuppetEffortRisk
--tick-
12345
12345
More information available: See details

Promiscuous interfacesCategoryControl
When a network interface is actively listening it is in "promiscuous mode". This may happen when running a tool like tcpdump, an IDS, or some other software component.NetworkingNETW-3014
CfengineChefShell scriptPuppetEffortRisk
ticktickticktick
12345
12345
More information available: See details

Network connections in WAIT stateCategoryControl
When systems are exchanging data and one of them is waiting, the connection will be displayed as "WAIT" in netstat. In such case it's up to the systems to decide how long they want to keep the connection open, for possible new data. Too much waiting connections might have a bad influence on new connections, as the kernel needs to maintain a long list. If this control shows up, it's usually a matter of determining if the behavior is common and if related applications need to be fine-tuned.NetworkingNETW-3028
CfengineChefShell scriptPuppetEffortRisk
--tick-
12345
12345
More information available: See details

ARP monitoringCategoryControl
Consider the usage of a tool which monitors ARP trafficNetworkingNETW-3032
CfengineChefShell scriptPuppetEffortRisk
ticktickticktick
12345
12345
More information available: See details

Invalid testCategoryControl
Invalid testOtherDEB-0280
CfengineChefShell scriptPuppetEffortRisk
ticktickticktick
12345
12345
More information available: See details

Invalid testCategoryControl
Invalid testOtherDEB-0285
CfengineChefShell scriptPuppetEffortRisk
ticktickticktick
12345
12345
More information available: See details

Invalid testCategoryControl
Invalid testOtherDEB-0520
CfengineChefShell scriptPuppetEffortRisk
ticktickticktick
12345
12345
More information available: See details

Invalid testCategoryControl
Invalid testOtherDEB-0870
CfengineChefShell scriptPuppetEffortRisk
ticktickticktick
12345
12345
More information available: See details

Invalid testCategoryControl
Invalid testOtherDEB-0880
CfengineChefShell scriptPuppetEffortRisk
ticktickticktick
12345
12345
More information available: See details

Generic LynisCategoryControl
This is a generic Lynis control (see details)OtherLYNIS
CfengineChefShell scriptPuppetEffortRisk
ticktickticktick
12345
12345
More information available: See details

PHP disabled functionsCategoryControl
PHP enables system administrators to disable possible harmful functions. Depending on the software being used, many functions are not needed for proper functioning. An example of this would be the possibility to download a remote file via PHP, which is only needed in some applications.PHPPHP-2320
CfengineChefShell scriptPuppetEffortRisk
----
12345
12345
More information available: See details

PHP expose_php optionCategoryControl
Software in general should not display software names or versions to normal users of a service, to avoid information leakage.PHPPHP-2372
CfengineChefShell scriptPuppetEffortRisk
--tick-
12345
12345
More information available: See details

Disable dynamic loading of modulesCategoryControl
This test determines if modules can be loaded with the ld() functionPHPPHP-2374
CfengineChefShell scriptPuppetEffortRisk
ticktickticktick
12345
12345
More information available: See details

PHP allow_url_fopenCategoryControl
PHP allows file downloads with the allow_url_fopen setting. If not strictly needed for the applications running on the server, make sure this option is disabled.PHPPHP-2376
CfengineChefShell scriptPuppetEffortRisk
--tick-
12345
12345
More information available: See details

PHP allow_url_include
Category: PHP | Control: PHP-2378
PHP allows file downloads with the allow_url_include setting. If not strictly needed for the applications running on the server, make sure this option is disabled.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

PHP Suhosin extension status
Category: PHP | Control: PHP-2379
This control checks for the presence of Suhosin.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

CUPS configuration file permissions
Category: Printing | Control: PRNT-2307
The configuration file (cupsd.conf) should have limited file permissions. This reduces who can see the configuration of the CUPS daemon. Generally it should not be readable by normal users.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

CUPS network configuration
Category: Printing | Control: PRNT-2308
Depending on the usage of the CUPS daemon, listening on the network should be limited. If the daemon is used as a local spooler, it should be configured to listen on localhost only.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

Zombie processes
Category: Processes | Control: PROC-3612
This control tests for zombie processes.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

Processes waiting for IO
Category: Processes | Control: PROC-3614
This control checks if there are processes waiting for IO requests to finish. The availability and performance of a system might be in danger when this occurs too often. High IO wait may be caused by high disk activity or, in some cases, network issues (high bandwidth usage, unstable connectivity).
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Permissions of cron jobs
Category: Scheduling | Control: SCHD-7704
Lynis triggers this control when files have their file permissions set to a dangerous value, for example when everyone can write to them.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

Insecure console
Category: Shell | Control: SHLL-6202
Consoles should be protected by only allowing access to single user mode by means of password authentication. Check the consoles in /etc/ttys and adjust the related console entries that carry the 'secure' parameter, marking them as 'insecure'.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Idle session handling
Category: Shell | Control: SHLL-6220
Depending on security requirements, idle sessions should be appropriately checked and dealt with.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Shellshock vulnerability in Bash
Category: Shell | Control: SHLL-6290
When this control shows up, Bash is vulnerable to one or more Shellshock related issues.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Easily guessable SNMP string
Category: SNMP | Control: SNMP-3306
Older protocol versions of SNMP provide no authentication or protection against data gathering via the network. When easily guessable community strings are used, attackers may use SNMP to gather system details.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

RPM output
Category: Software | Control: PKGS-7308
Empty output of the RPM command.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

Package updates for pacman based system
Category: Software | Control: PKGS-7312
This control shows up when there are updates available for systems running pacman.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Configuration of pacman (package manager)
Category: Software | Control: PKGS-7314
This control checks the configuration of pacman, a package manager used on Arch Linux.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Usage of arch-audit
Category: Software | Control: PKGS-7320
To determine which packages have a known vulnerability, consider using a tool like arch-audit.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

Vulnerable Software Packages
Category: Software | Control: PKGS-7330
When this Lynis control is triggered, vulnerable software packages have been found on the system.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

Unpurged packages
Category: Software | Control: PKGS-7346
While not directly a security concern, unpurged packages are no longer installed but still have remains left on the system (e.g. configuration files). If the software is reinstalled, an old configuration might be applied. Proper cleanup is therefore advised.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Install debsums utility
Category: Software | Control: PKGS-7370
Install the debsums utility for additional checks.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

NetBSD vulnerable packages
Category: Software | Control: PKGS-7380
Vulnerable packages are a serious risk for the stability and security of a system. When this control shows up, one or more vulnerable software packages have been found. These packages, especially when listening on a network interface, might be abused by attackers.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Vulnerable packages (portaudit)
Category: Software | Control: PKGS-7382
Portaudit tests packages on FreeBSD based systems and determines what software is vulnerable. Discovered software is a security risk and should be investigated.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

No repolist on yum based system
Category: Software | Control: PKGS-7383
For systems using the yum package manager, the repository list (repolist) is checked. If none is found, this might indicate that the system is not properly configured to receive updates. Check if yum is functioning properly and receiving package updates. Registration might be needed to fix this problem.
Snippets: Cfengine ✓, Chef ✓, Shell script -, Puppet ✓

yum-utils package
Category: Software | Control: PKGS-7384
Install package 'yum-utils' for better consistency checking of the package database.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

yum-plugin-security
Category: Software | Control: PKGS-7386
Install package yum-plugin-security to make maintaining security updates easier.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

YUM repositories
Category: Software | Control: PKGS-7387
This control tests whether the software repositories via YUM are available. If not, it might be due to bad configuration (e.g. missing registration with RHN).
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Security updates on Debian and others
Category: Software | Control: PKGS-7388
This control tests for the presence of a security repository in the update sources. On most Debian based systems this line is there by default, to allow the installation of security patches. When this line is not available, it might indicate that this system does not receive security patches. An alternative is that it uses a merged tree; in that case this control should be ignored for this particular system.
Snippets: Cfengine ✓, Chef ✓, Shell script -, Puppet ✓

Vulnerable packages
Category: Software | Control: PKGS-7392
Lynis tests for vulnerable packages: packages with known security flaws for which an update is already available.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

Gentoo vulnerable packages
Category: Software | Control: PKGS-7393
This control checks for vulnerable packages on Gentoo based systems.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Ubuntu upgrade packages
Category: Software | Control: PKGS-7394
This control tests for available upgrades on Ubuntu. Depending on your software upgrade policy, determine if this control is too strict.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Package audit tool
Category: Software | Control: PKGS-7398
Most operating systems provide a tool to check for security updates, to fix vulnerable versions of installed software. When possible, install such a tool.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

Squid configuration file permissions
Category: Squid | Control: SQD-3613
The permissions of the Squid configuration file should be as strict as possible. By default it may be world readable, or worse.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Squid reply_body_max_size option
Category: Squid | Control: SQD-3630
Limit the upper size of replies within the Squid proxy configuration. This helps protect against resource exhaustion within Squid and thwart malicious attempts.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

SSH configuration
Category: SSH | Control: SSH-7408
Proper hardening of your SSH configuration can reduce known weaknesses.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

SSH permit root login
Category: SSH | Control: SSH-7412
For proper authorization purposes, do not use direct root logins. Doing so may result in actions being performed by administrators without any traceability. Using root permissions directly might also increase the risk of intrusion or availability problems (e.g. brute force attacks on the password, account lockout). Unless the owner of each key is traceable, public key authentication can be considered.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet ✓

StrictModes option in SSH
Category: SSH | Control: SSH-7416
SSH has the option to check file permissions before using configuration and other files. With the StrictModes option, it will only use those files which are properly configured (e.g. not chmod 777).
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

USB storage drivers
Category: Storage | Control: STRG-1840
Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

Firewire storage drivers
Category: Storage | Control: STRG-1846
Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

Limit NFS access to exported filesystems
Category: Storage | Control: STRG-1930
When possible, limit the access to NFS exports. If all clients need to access the related NFS exports, then this control might be considered as too strict and should be hidden.
Snippets: Cfengine ✓, Chef ✓, Shell script -, Puppet ✓

Running NTP daemon
Category: Time | Control: TIME-3104
Proper time synchronization is important for authentication services, forensics and troubleshooting. Therefore a time daemon (like ntpd) should be running, or a scheduled task to sync time (like ntpdate).
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

Check status of timedatectl
Category: Time | Control: TIME-3106
NTP is enabled, however timedatectl is not syncing time.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

Stratum 16 servers
Category: Time | Control: TIME-3116
Time servers are used to sync the time of the host. When a configured server is not properly configured or not working, it will be listed as a stratum 16 server, giving it a very low priority. Usually when a server with a value of 16 is found, it should be checked or replaced with an alternative server.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

Reliability of NTP servers
Category: Time | Control: TIME-3120
Lynis tests if the configured NTP server candidates are reliable enough to be used. If items show up with a dash or minus, they are unreliable and should be checked or replaced. The NTP configuration, and time synchronization in particular, is important for systems. It helps with properly logging the actual time, which is needed for many services. Having the right time is also important for accounting purposes and forensics.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

NTP time local source used
Category: Time | Control: TIME-3124
When only a local source is being used on a system, it might indicate that external sources are not reachable or usable. The NTP configuration, and time synchronization in particular, is important for systems. It helps with properly logging the actual time, which is needed for many services. Having the right time is also important for accounting purposes and forensics. Check the NTP configuration of this system to determine the cause of this finding.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

NTP time source candidates
Category: Time | Control: TIME-3128
Lynis checks if the NTP time source candidates can be found in the peers overview. If not, then the configuration usually needs to be checked and updated. Differences between the active configuration and the one stored on disk may result in a non-functional NTP configuration after reboot.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

NTP false-tickers
Category: Time | Control: TIME-3132
False-tickers are NTP sources which do not work properly (e.g. non-functional, time not accurate). Lynis checks for false-tickers to prevent systems using bad sources for time synchronization. This may otherwise result in incorrect timestamps in log files and accounting data.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

NTP protocol version
Category: Time | Control: TIME-3136
The NTP protocol version is gathered by Lynis as an informational test. Only when Lynis is unable to detect the version will it suggest checking it manually.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

NTP step-tickers configuration
Category: Time | Control: TIME-3160
Lynis checks if step-tickers are configured in /etc/ntp/step-tickers and compares them with the list of servers in the general NTP configuration file.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Check for automation tools
Category: Tooling | Control: TOOL-5002
This control checks if there are tools installed which help with automating system management. This increases the integrity and stability of systems, by keeping systems equally managed and configured, with only minor exceptions depending on the role of the machine.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

Presence of fail2ban
Category: Tooling | Control: TOOL-5102
This test checks if fail2ban is used.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

All fail2ban jails are disabled
Category: Tooling | Control: TOOL-5104
Lynis triggers this control when none of the jails within fail2ban are enabled.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

mod_evasive module
Category: Web | Control: HTTP-6640
Anti-Denial of Service (DoS) module that also protects against brute force attempts. This control is advised for systems running a webserver, in particular those which are available from public networks.
Snippets: Cfengine ✓, Chef ✓, Shell script -, Puppet ✓

mod_qos module
Category: Web | Control: HTTP-6641
Module to protect against Slowloris attacks, especially useful for webservers which are available from public networks.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

mod_spamhaus module
Category: Web | Control: HTTP-6642
Module against spammers, useful for webservers which are available from public networks.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

mod_security module
Category: Web | Control: HTTP-6643
Module for webservers to act as a web application firewall.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

SSL configuration in nginx
Category: Web | Control: HTTP-6710
To protect the privacy of users, including against sniffing of sensitive data on networks, enable SSL/TLS in nginx.
Snippets: Cfengine -, Chef -, Shell script ✓, Puppet -

Log file configuration in nginx
Category: Web | Control: HTTP-6712
For auditing purposes logging should be properly configured in nginx. Missing log files or disabled entries might result in losing valuable data for analytics and accounting.
Snippets: Cfengine -, Chef -, Shell script -, Puppet -

Missing error logs in nginx
Category: Web | Control: HTTP-6714
This test searches for the presence of error logs.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓

Nginx error_log in debugging mode
Category: Web services | Control: HTTP-6716
This test shows up when one or more lines have 'debug' set for the error_log configuration in nginx.
Snippets: Cfengine ✓, Chef ✓, Shell script ✓, Puppet ✓


Security Controls: Details

Users of Lynis Enterprise Suite will see more details for each control.
This includes implementation tips, code snippets and control ratings (effort/risk).

Additional benefits:
- Extensive details regarding each control
- See implementation risk and effort for each control
- Most controls have easy to use shell scripts to solve findings
- Optional snippets (e.g. Puppet) for users of the Plus/Premium package