Lynis security controls
|AUTH-9204||Authentication||Multiple users with uid 0|
While allowed, usually configuration of multiple users with an ID of zero (0) is bad practice. Better is to create separated accounts and use proper group membership.
|AUTH-9208||Authentication||Duplicate accounts or IDs|
Lynis checks for any duplicates by checking the passwd file and count them. Any ID which shows up more than a single time is reported as a finding. Accounts and user IDs should be unique to enable proper accounting. Using several accounts with the same ID may result in data loss.
|AUTH-9216||Authentication||Consistency of password/group files|
The password and group files (and their shadow equivalents) are an important part in the authentication process. Also the security controls like access control and file permissions are impacted by proper authentication and accounting of users. Inconsistencies in the password file can be caused by malicious activities or in some cases due to improper usage of tools, like a file editor. Inconsistencies should therefore be checked and fixed.
|AUTH-9218||Authentication||Accounts without password|
Lynis checks for users accounts and which ones do not have a password. Accounts without a password are considered to be a bad practice, as each user should prove he or she is the rightful owner of the account. Lacking a password may give more than 1 authorized user access to the account and therefore seriously impact proper accounting. Loss of data or impact to the integrity of data may be the result of lacking passwords.
|AUTH-9222||Authentication||Unique authentication groups|
Groups should be unique to ensure each user has the appropriate permissions.
|AUTH-9228||Authentication||Linux password file consistency|
Password files like /etc/passwd and /etc/shadow should be checked on a regular basis to see if any errors are present.
|AUTH-9262||Authentication||PAM password strengthening tools|
Several modules within the PAM framework can help restricting access to facilities to only authorized people, including limitations as a strong password, the right console, or the right software.
Passwords should be protected and strengthened where possible. On Unix and Linux based systems this is usually done via PAM modules and the related configuration files. Examples include tools like passwdqc (password quality control) and cracklib (password cracking library).
|AUTH-9282||Authentication||Passwords (expire date)|
Passwords are the main key to access an account, related services and information. Therefore they need to be protected via means of a strong password and password expiry. This particular test found passwords without an expire date. Depending on the sensitivity of the information on this machine, check if this appropriate and according to the security policy.
|AUTH-9283||Authentication||Passwords (no password set)|
Passwords are the main key to access an account, related services and information. Therefore they need to be protected via means of a strong password and password expiry. This particular test found accounts without a password. Depending on the sensitivity of the information on this machine, check if this appropriate and according to the security policy.
Proper protection against weak passwords and regular changes, limits the risk of cracking passwords or being obtained by unauthorized people.
|AUTH-9308||Authentication||Protect single user mode|
Physical access to the machine can be used to load alternative software or a different operating system, during the boot phase. Configure a password in the boot loader to prevent this risk. This test applies to Linux based systems only.
The umask defines what default file permissions will be applied on a file or directory. Usually servers can have a more strict umask like 027, where desktops may be less strict (022).
|BOOT-5260||Authentication||Single user mode for systemd|
Systemd has a single user mode, named rescue.service. Similar to normal single user mode, it allows access to the system and bypass several levels of authorization. To protect against this, reconfigure the service with the sulogin option.