Lynis security controls
Controls
Control | Category | Description |
---|---|---|
BOOT-5121 | Boot | GRUB boot loader check Check if GRUB boot loader exists |
BOOT-5122 | Boot | Set boot loader password By default anyone with physical access to the machine can load alternative software or another operating system during the boot phase. Configure a password in grub to prevent this possibility. |
BOOT-5139 | Boot | LILO bootloader password By default anyone with physical access to the machine can load alternative software or another operating system during the boot phase. Configure a password in LILO to prevent this possibility. |
BOOT-5180 | Boot | Linux boot services (Debian) Lynis determines what services are started during runlevel 2 (boot). All boot services should be equal to the ones running, with the exception of the "one-time" processes. The latter group are processes which need a task to perform during or just after booting, like checking the file system. For all others it's common to be equal: if MySQL is running now, it is likely to be found in the boot services scripts as well. Missing processes in the boot list may lead to unavailability of important services after a reboot. Regular testing and reboots help in determining any missing services. |
BOOT-5184 | Boot | Writable start-up scripts Unix based systems have an extensive boot process, from loading the bootloader up to the execution of post-boot scripts. Protecting the boot process is important for the integrity of the system. Start-up scripts define what services will be initialized and started during the boot process. Lynis tests if there are scripts with world writable permissions. These files can be changed by all users on the system and usually started with root permissions. Therefore they impose a risk to the system, as one might include a backdoor into a start-up script. |