Lynis security controls

While allowed, usually configuration of multiple users with an ID of zero (0) is bad practice. Better is to create separated accounts and use proper group membership.

Lynis checks for any duplicates by checking the passwd file and count them. Any ID which shows up more than a single time is reported as a finding. Accounts and user IDs should be unique to enable proper accounting. Using several accounts with the same ID may result in data loss.

The password and group files (and their shadow equivalents) are an important part in the authentication process. Also the security controls like access control and file permissions are impacted by proper authentication and accounting of users. Inconsistencies in the password file can be caused by malicious activities or in some cases due to improper usage of tools, like a file editor. Inconsistencies should therefore be checked and fixed.

Lynis checks for users accounts and which ones do not have a password. Accounts without a password are considered to be a bad practice, as each user should prove he or she is the rightful owner of the account. Lacking a password may give more than 1 authorized user access to the account and therefore seriously impact proper accounting. Loss of data or impact to the integrity of data may be the result of lacking passwords.

Groups should be unique to ensure each user has the appropriate permissions.

Password files like /etc/passwd and /etc/shadow should be checked on a regular basis to see if any errors are present.

Several modules within the PAM framework can help restricting access to facilities to only authorized people, including limitations as a strong password, the right console, or the right software.

Passwords should be protected and strengthened where possible. On Unix and Linux based systems this is usually done via PAM modules and the related configuration files. Examples include tools like passwdqc (password quality control) and cracklib (password cracking library).

Passwords are the main key to access an account, related services and information. Therefore they need to be protected via means of a strong password and password expiry. This particular test found passwords without an expire date. Depending on the sensitivity of the information on this machine, check if this appropriate and according to the security policy.

Passwords are the main key to access an account, related services and information. Therefore they need to be protected via means of a strong password and password expiry. This particular test found accounts without a password. Depending on the sensitivity of the information on this machine, check if this appropriate and according to the security policy.

Proper protection against weak passwords and regular changes, limits the risk of cracking passwords or being obtained by unauthorized people.

Some accounts have been found with an expired password.

Physical access to the machine can be used to load alternative software or a different operating system, during the boot phase. Configure a password in the boot loader to prevent this risk. This test applies to Linux based systems only.

The umask defines what default file permissions will be applied on a file or directory. Usually servers can have a more strict umask like 027, where desktops may be less strict (022).

Systemd has a single user mode, named rescue.service. Similar to normal single user mode, it allows access to the system and bypass several levels of authorization. To protect against this, reconfigure the service with the sulogin option.