Lynis Controls - Authentication



Security Controls

[AUTH-9204] Multiple users with uid 0
Category: Authentication
Although it is allowed, configuring multiple users with a user ID of zero (0) is usually bad practice. Create separate accounts instead and use proper group membership.
Remediation snippets: one tool marked (Cfengine, Chef, Shell script or Puppet). Effort: 1 to 5 scale. Risk: 1 to 5 scale.

[AUTH-9208] Duplicate accounts or IDs
Category: Authentication
Lynis checks the passwd file for duplicates and counts them. Any ID that appears more than once is reported as a finding. Accounts and user IDs should be unique to enable proper accounting; several accounts sharing the same ID may result in data loss.
Remediation snippets: one tool marked (Cfengine, Chef, Shell script or Puppet). Effort: 1 to 5 scale. Risk: 1 to 5 scale.
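
The two checks above (AUTH-9204 and AUTH-9208) can be reproduced with a few lines of POSIX shell and awk. The script below is an added example, not Lynis code; it runs against a constructed passwd-format file (the "toor" entry and the shared uid 1001 are deliberate) rather than /etc/passwd, so it can be tried anywhere. Point audit_passwd at /etc/passwd to run it for real.

```shell
#!/bin/sh
# Added example, not Lynis code: audit a passwd-format file for accounts with
# uid 0 (AUTH-9204) and for duplicate UIDs or account names (AUTH-9208).

# Constructed sample passwd file; "toor" is a second uid-0 account and
# "bob"/"carol" share uid 1001. It is not taken from any real system.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root account:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1001:1002:Carol:/home/carol:/bin/bash
EOF

# Print every account name whose numeric UID (field 3) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print every UID that occurs on more than one line, one per line.
duplicate_uids() {
    awk -F: '{ print $3 }' "$1" | sort -n | uniq -d
}

# Print every account name that occurs on more than one line.
duplicate_names() {
    awk -F: '{ print $1 }' "$1" | sort | uniq -d
}

# Print the account names that use a given UID, space separated.
accounts_with_uid() {
    awk -F: -v u="$2" '$3 == u { print $1 }' "$1" | tr '\n' ' '
}

# Run all checks against one file. Prints findings and returns 1 when any
# exist, 0 when the file is clean.
audit_passwd() {
    file=$1
    rc=0
    count=$(uid0_accounts "$file" | wc -l | tr -d ' ')
    if [ "$count" -gt 1 ]; then
        printf 'WARNING: %s accounts with uid 0: %s\n' "$count" "$(accounts_with_uid "$file" 0)"
        rc=1
    fi
    for uid in $(duplicate_uids "$file"); do
        printf 'WARNING: uid %s shared by: %s\n' "$uid" "$(accounts_with_uid "$file" "$uid")"
        rc=1
    done
    for name in $(duplicate_names "$file"); do
        printf 'WARNING: account name %s defined more than once\n' "$name"
        rc=1
    done
    return $rc
}

audit_passwd "$SAMPLE_PASSWD" || printf 'Findings present in %s\n' "$SAMPLE_PASSWD"
```

Note that a second uid-0 account shows up twice: once as the AUTH-9204 finding and once as a duplicate UID, which is exactly how two separate Lynis tests would report it.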

[AUTH-9216] Consistency of password/group files
Category: Authentication
The password and group files (and their shadow equivalents) are an important part of the authentication process. Security controls such as access control and file permissions also depend on proper authentication and accounting of users. Inconsistencies in the password file can be caused by malicious activity or, in some cases, by improper use of tools such as a file editor. Inconsistencies should therefore be checked for and fixed.
Remediation snippets: one tool marked (Cfengine, Chef, Shell script or Puppet). Effort: 1 to 5 scale. Risk: 1 to 5 scale.

[AUTH-9218] Accounts without password
Category: Authentication
Lynis checks user accounts to find those without a password. Accounts without a password are considered bad practice, as each user should prove that he or she is the rightful owner of the account. A missing password may give more than one authorized user access to the account and therefore seriously impact proper accounting. Loss of data or damage to data integrity may be the result.
Remediation snippets: one tool marked (Cfengine, Chef, Shell script or Puppet). Effort: 1 to 5 scale. Risk: 1 to 5 scale.

[AUTH-9222] Unique authentication groups
Category: Authentication
Groups should be unique to ensure each user has the appropriate permissions.
Remediation snippets: none marked. Effort: 1 to 5 scale. Risk: 1 to 5 scale.

[AUTH-9228] Linux password file consistency
Category: Authentication
Password files like /etc/passwd and /etc/shadow should be checked on a regular basis to see if any errors are present.
Remediation snippets: one tool marked (Cfengine, Chef, Shell script or Puppet). Effort: 1 to 5 scale. Risk: 1 to 5 scale.
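
The consistency checks described under AUTH-9216 and AUTH-9228, together with the empty-password check of AUTH-9218, reduce to a handful of cross-references between passwd, shadow and group. The script below is an added example (not Lynis code, and not a replacement for pwck/grpck) run against constructed copies of the three files that contain one of each defect: a truncated line, a user without a shadow entry, an orphaned shadow entry, an unknown primary GID and empty password fields in both passwd and shadow.

```shell
#!/bin/sh
# Added example, not Lynis code: cross-check passwd, shadow and group files
# (AUTH-9216 / AUTH-9228) and flag empty password fields (AUTH-9218).

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed sample files, each with deliberate defects. Hashes are dummies.
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
dave::1003:1003:Dave:/home/dave:/bin/bash
erin:x:1004:4242:Erin:/home/erin:/bin/bash
broken:x:1005:1005:missing fields
EOF
cat > "$TMPD/shadow" <<'EOF'
root:$6$dummy$dummyhash:19000:0:99999:7:::
alice:$6$dummy$dummyhash:19000:0:90:7:::
bob::19000:0:99999:7:::
erin:!:19000:0:99999:7:::
ghost:$6$dummy$dummyhash:19000:0:99999:7:::
EOF
cat > "$TMPD/group" <<'EOF'
root:x:0:
alice:x:1000:
bob:x:1001:
dave:x:1003:
erin:x:1004:
EOF

# Report lines that do not have the expected number of colon-separated fields
# (7 for passwd, 9 for shadow, 4 for group), a typical sign of hand editing.
check_field_count() {   # $1=file $2=expected field count
    awk -F: -v n="$2" -v f="$1" \
        'NF != n { printf "%s line %d: %d fields, expected %d\n", f, NR, NF, n }' "$1"
}

# Users in passwd with no shadow line, and shadow lines with no passwd user.
check_cross_refs() {   # $1=passwd $2=shadow
    awk -F: 'NR == FNR { shadow[$1] = 1; next } !($1 in shadow) { print "no shadow entry for " $1 }' "$2" "$1"
    awk -F: 'NR == FNR { pw[$1] = 1; next } !($1 in pw) { print "orphan shadow entry " $1 }' "$1" "$2"
}

# Primary GIDs (passwd field 4) that are not defined in group.
check_primary_gids() {  # $1=passwd $2=group
    awk -F: 'NR == FNR { gid[$3] = 1; next } !($4 in gid) { print "user " $1 " has unknown primary gid " $4 }' "$2" "$1"
}

# Empty password field in passwd (should be "x") or in shadow (no hash at all).
check_empty_passwords() {  # $1=passwd $2=shadow
    awk -F: 'NF >= 2 && $2 == "" { print "empty password field in passwd: " $1 }' "$1"
    awk -F: 'NF >= 2 && $2 == "" { print "empty password field in shadow: " $1 }' "$2"
}

# Run every check for a directory holding passwd, shadow and group.
# Returns 0 when nothing was found, 1 otherwise (findings are printed).
audit_auth_files() {
    dir=$1
    out=$( {
        check_field_count "$dir/passwd" 7
        check_field_count "$dir/shadow" 9
        check_field_count "$dir/group"  4
        check_cross_refs "$dir/passwd" "$dir/shadow"
        check_primary_gids "$dir/passwd" "$dir/group"
        check_empty_passwords "$dir/passwd" "$dir/shadow"
    } )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

audit_auth_files "$TMPD" || printf 'Findings present\n'
```

To run this against a live system, point it at a directory containing /etc/passwd, /etc/shadow and /etc/group (reading shadow requires root). The field-count check is the one that catches the editor-induced damage the control text mentions; the others catch the accounting gaps.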

[AUTH-9262] PAM password strengthening tools
Category: Authentication
Several modules within the PAM framework can help restrict access to facilities to authorized people only, including requirements such as a strong password, the right console, or the right software. Passwords should be protected and strengthened where possible. On Unix and Linux based systems this is usually done via PAM modules and their configuration files. Examples include tools like passwdqc (password quality control) and cracklib (password cracking library).
Remediation snippets: none marked. Effort: 1 to 5 scale. Risk: 1 to 5 scale.
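
Whether a strengthening module is actually stacked is a question of the "password" lines in the PAM configuration, and the module's options (minlen, retry and so on) live on that same line. The script below is an added example, not Lynis code; it parses two constructed Debian-style common-password stacks (one with pam_pwquality, one with only pam_unix), reports which strengthening module is present and checks the configured minimum length against a required value. Module names are searched from the third field onward because bracketed control values such as [success=1 default=ignore] contain spaces.

```shell
#!/bin/sh
# Added example, not Lynis code: inspect a PAM password stack for a
# strengthening module (pam_pwquality, pam_cracklib or pam_passwdqc) and
# read its key=value options.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed /etc/pam.d/common-password with pam_pwquality stacked in
# front of pam_unix. Not copied from any real host.
cat > "$TMPD/common-password.ok" <<'EOF'
# /etc/pam.d/common-password (constructed)
password  requisite                   pam_pwquality.so retry=3 minlen=12 difok=3
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF

# Constructed stack with no quality module at all.
cat > "$TMPD/common-password.weak" <<'EOF'
password  [success=1 default=ignore]  pam_unix.so obscure yescrypt
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF

# Print the strengthening module(s) found on "password" lines; return 1 if
# none. Comment lines never match because their first field is "#".
pam_strength_module() {
    awk '$1 == "password" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^pam_(pwquality|cracklib|passwdqc)\.so$/) { print $i; found = 1 }
         }
         END { exit found ? 0 : 1 }' "$1"
}

# Print the value of one key=value option (e.g. minlen) from the
# strengthening module line, or nothing if it is not set there.
pam_option_value() {   # $1=file $2=option name
    awk -v opt="$2" '$1 == "password" && /pam_(pwquality|cracklib|passwdqc)\.so/ {
            for (i = 3; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n == 2 && kv[1] == opt) print kv[2]
            }
         }' "$1"
}

# Audit one file against a required minimum length. Returns 0 only when a
# strengthening module is present and minlen is at least the required value.
audit_pam_password() {
    file=$1; required=$2
    module=$(pam_strength_module "$file") || {
        printf 'FAIL: no strengthening module in %s\n' "$file"; return 1; }
    minlen=$(pam_option_value "$file" minlen)
    if [ -z "$minlen" ] || [ "$minlen" -lt "$required" ]; then
        printf 'FAIL: %s present but minlen=%s (required %s)\n' "$module" "${minlen:-unset}" "$required"
        return 1
    fi
    printf 'OK: %s with minlen=%s\n' "$module" "$minlen"
}

audit_pam_password "$TMPD/common-password.ok" 12
audit_pam_password "$TMPD/common-password.weak" 12 || true
```

On a real host the file to inspect is the one that owns the password stack for the distribution (for example /etc/pam.d/common-password on Debian-based systems or /etc/pam.d/system-auth on Red Hat-based ones); pam_pwquality may also read its defaults from /etc/security/pwquality.conf, which this example does not parse.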

[AUTH-9282] Passwords (expire date)
Category: Authentication
Passwords are the main key to an account, its related services and information. Therefore they need to be protected by means of a strong password and password expiry. This particular test found passwords without an expiry date. Depending on the sensitivity of the information on this machine, check whether this is appropriate and in line with the security policy.
Remediation snippets: none marked. Effort: 1 to 5 scale. Risk: 1 to 5 scale.

[AUTH-9283] Passwords (no password set)
Category: Authentication
Passwords are the main key to an account, its related services and information. Therefore they need to be protected by means of a strong password and password expiry. This particular test found accounts without a password. Depending on the sensitivity of the information on this machine, check whether this is appropriate and in line with the security policy.
Remediation snippets: none marked. Effort: 1 to 5 scale. Risk: 1 to 5 scale.

[AUTH-9286] Password aging
Category: Authentication
Proper protection against weak passwords, combined with regular changes, limits the risk of passwords being cracked or obtained by unauthorized people.
Remediation snippets: none marked. Effort: 1 to 5 scale. Risk: 1 to 5 scale.
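
Both AUTH-9282 (passwords without an expiry date) and AUTH-9286 (password aging) come down to the fifth field of each shadow entry, the maximum password age in days, compared with the PASS_MAX_DAYS policy in /etc/login.defs; an empty field or the conventional 99999 means the password never expires. The script below is an added example, not Lynis code; it reads a constructed shadow file and login.defs excerpt, skips locked accounts (hash beginning with "!" or "*", where aging is irrelevant) and reports both kinds of finding.

```shell
#!/bin/sh
# Added example, not Lynis code: find accounts whose password never expires
# (AUTH-9282) and accounts whose maximum password age exceeds the policy in
# login.defs (AUTH-9286), reading the shadow file fields directly.
# Shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed shadow file; hashes are dummy strings. Locked accounts (hash
# starting with "!" or "*") are skipped because aging does not apply to them.
cat > "$TMPD/shadow" <<'EOF'
root:$6$dummy$dummyhash:19000:0:99999:7:::
alice:$6$dummy$dummyhash:19000:0:90:14:::
bob:$6$dummy$dummyhash:19000:0::::
carol:$6$dummy$dummyhash:19000:0:365:7::20000:
svc:!:19000:0:99999:7:::
nologin:*:19000:0:99999:7:::
EOF

# Constructed excerpt of /etc/login.defs with the site policy.
cat > "$TMPD/login.defs" <<'EOF'
# constructed excerpt
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   14
EOF

# Print the value of a login.defs key; comment lines never match.
login_defs_value() {   # $1=file $2=key
    awk -v key="$2" '$1 == key { print $2 }' "$1"
}

# Accounts with a usable hash whose max age (field 5) is empty or 99999,
# i.e. the password never expires.
no_password_expiry() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }' "$1"
}

# Accounts with a usable hash whose max age is unset or larger than $2 days.
exceeds_max_age() {   # $1=shadow $2=policy in days
    awk -F: -v max="$2" \
        '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max + 0) { print $1 }' "$1"
}

# Combine both checks for a directory holding shadow and login.defs.
# Returns 0 when clean, 1 when findings were printed.
audit_password_aging() {
    dir=$1
    policy=$(login_defs_value "$dir/login.defs" PASS_MAX_DAYS)
    [ -n "$policy" ] || { printf 'FAIL: PASS_MAX_DAYS not set\n'; return 1; }
    rc=0
    for u in $(no_password_expiry "$dir/shadow"); do
        printf 'WARNING: password of %s never expires\n' "$u"; rc=1
    done
    for u in $(exceeds_max_age "$dir/shadow" "$policy"); do
        printf 'WARNING: max password age of %s exceeds policy of %s days\n' "$u" "$policy"; rc=1
    done
    return $rc
}

audit_password_aging "$TMPD" || printf 'Findings present\n'
```

Note that PASS_MAX_DAYS only applies to accounts created after it is set; existing accounts keep whatever is in their shadow entry, which is why the shadow file, not login.defs, is the authoritative place to look. The per-account value can be adjusted with chage.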

[AUTH-9308] Protect single user mode
Category: Authentication
Physical access to the machine can be used to load alternative software or a different operating system, during the boot phase. Configure a password in the boot loader to prevent this risk. This test applies to Linux based systems only.
Remediation snippets: one tool marked (Cfengine, Chef, Shell script or Puppet). Effort: 1 to 5 scale. Risk: 1 to 5 scale.

[AUTH-9328] Default umask
Category: Authentication
The umask defines the default file permissions applied to a newly created file or directory. Servers can usually use a stricter umask such as 027, while desktops may be less strict (022).
Remediation snippets: none marked. Effort: 1 to 5 scale. Risk: 1 to 5 scale.
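
The practical difference between 022 and 027 is easiest to see by computing and then observing the resulting modes. The script below is an added example, not Lynis code: it calculates the permission bits a new file (created with 0666) or directory (created with 0777) receives under a given umask, then creates a probe object in a scratch directory under that umask and reads its mode back with ls to confirm the calculation. It also covers 077 to show the fully private end of the scale.

```shell
#!/bin/sh
# Added example, not Lynis code: show what permissions a umask of 022, 027
# or 077 yields for new files and directories, first by calculation and
# then by creating an object under that umask and reading back its mode.

# Permission bits a new object receives: the creation mode (0666 for files,
# 0777 for directories) with the umask bits cleared. Leading zeros make the
# shell treat the numbers as octal.
effective_mode() {   # $1=umask in octal, $2=file|dir
    base=666
    [ "$2" = dir ] && base=777
    printf '%03o\n' $(( 0$base & ~0$1 ))
}

# Convert an ls-style permission string (rwxr-x---) to octal (750).
symbolic_to_octal() {
    s=$1
    out=""
    for pos in 1 4 7; do
        triple=$(printf '%s' "$s" | cut -c"$pos"-"$((pos + 2))")
        v=0
        case $triple in r??) v=$((v + 4)) ;; esac
        case $triple in ?w?) v=$((v + 2)) ;; esac
        case $triple in ??[xst]) v=$((v + 1)) ;; esac
        out="$out$v"
    done
    printf '%s\n' "$out"
}

# Create a file or directory in a scratch location under the given umask
# (inside a subshell so the caller's umask is untouched) and report the
# mode it actually received.
observed_mode() {   # $1=umask, $2=file|dir
    scratch=$(mktemp -d)
    (
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$scratch/probe"; else : > "$scratch/probe"; fi
    )
    perms=$(ls -ld "$scratch/probe" | cut -c2-10)
    rm -rf "$scratch"
    symbolic_to_octal "$perms"
}

for m in 022 027 077; do
    printf 'umask %s: file %s (observed %s), directory %s (observed %s)\n' \
        "$m" "$(effective_mode "$m" file)" "$(observed_mode "$m" file)" \
        "$(effective_mode "$m" dir)" "$(observed_mode "$m" dir)"
done
```

With 027 the "other" class gets nothing at all (640 for files, 750 for directories), so files created by services are not world-readable by default; with 022 they are (644/755). The system-wide default is normally set through the UMASK value in /etc/login.defs and the shell profile files, which is where Lynis looks for it.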

[BOOT-5260] Single user mode for systemd
Category: Authentication
Systemd has a single user mode, named rescue.service. Like the traditional single user mode, it allows access to the system while bypassing several levels of authorization. To protect against this, reconfigure the service with the sulogin option.
Remediation snippets: Cfengine, Chef, Shell script and Puppet marked. Effort: 1 to 5 scale. Risk: 1 to 5 scale.
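
The two boot-time controls, AUTH-9308 (boot loader password) and BOOT-5260 (sulogin for rescue.service), can be verified from configuration text alone. The script below is an added example, not Lynis code. All unit files and the GRUB fragment in it are constructed: a rescue.service that drops straight into a shell, a drop-in that correctly clears ExecStart before pointing it at the systemd-sulogin-shell wrapper, a drop-in that forgets the clearing line (so the unprotected shell remains in the list), and a 40_custom fragment whose password hash is a placeholder. The sulogin check applies systemd's ExecStart list semantics, where an empty "ExecStart=" resets what the base unit set.

```shell
#!/bin/sh
# Added example, not Lynis code: check that systemd's rescue.service runs
# sulogin (BOOT-5260) and that a GRUB configuration fragment sets a
# superuser password (AUTH-9308). All texts below are constructed.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed rescue.service that drops straight into a root shell.
cat > "$TMPD/rescue.service" <<'EOF'
[Unit]
Description=Rescue Shell
[Service]
Environment=HOME=/root
ExecStart=-/bin/sh
Type=idle
EOF

# Constructed drop-in (rescue.service.d/override.conf): the empty ExecStart=
# line clears the inherited command before the sulogin wrapper is set.
cat > "$TMPD/override-good.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
EOF

# Constructed drop-in that forgets to clear ExecStart, so the shell stays.
cat > "$TMPD/override-noreset.conf" <<'EOF'
[Service]
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
EOF

# Constructed /etc/grub.d/40_custom fragment; the hash is a placeholder.
cat > "$TMPD/40_custom" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
EOF

# Read the unit followed by any drop-ins, apply the ExecStart list semantics
# (an empty ExecStart= resets the list) and return 0 only when at least one
# ExecStart remains and every remaining one invokes sulogin.
unit_requires_sulogin() {
    cat "$@" | awk '
        /^\[/ { section = $0; next }
        section == "[Service]" && $0 ~ /^ExecStart=/ {
            value = substr($0, index($0, "=") + 1)
            if (value == "") n = 0; else cmds[++n] = value
        }
        END {
            ok = (n > 0)
            for (i = 1; i <= n; i++) if (cmds[i] !~ /sulogin/) ok = 0
            exit ok ? 0 : 1
        }'
}

# Return 0 when a GRUB fragment names superusers and gives them a PBKDF2 password.
grub_has_password() {
    grep -q '^set superusers=' "$1" && grep -q '^password_pbkdf2 ' "$1"
}

report() {   # $1=label, remaining arguments = command to run
    label=$1; shift
    if "$@"; then printf 'OK:   %s\n' "$label"; else printf 'FAIL: %s\n' "$label"; fi
}

report "rescue.service alone"             unit_requires_sulogin "$TMPD/rescue.service"
report "with drop-in that resets"         unit_requires_sulogin "$TMPD/rescue.service" "$TMPD/override-good.conf"
report "with drop-in that does not reset" unit_requires_sulogin "$TMPD/rescue.service" "$TMPD/override-noreset.conf"
report "GRUB superuser password set"      grub_has_password "$TMPD/40_custom"
```

On a live system "systemctl cat rescue.service" prints the unit together with its drop-ins in the order systemd applies them, which is the input unit_requires_sulogin expects; the GRUB hash is produced with grub-mkpasswd-pbkdf2 and the configuration regenerated afterwards. The path of the sulogin wrapper varies between distributions, which is why the check matches on "sulogin" rather than on a full path.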