Lynis security controls



Controls

Control | Category | Description
FIRE-4520 | Networking | Configuration warnings in pf firewall

Lynis uses the built-in check of pf to determine if the configuration has any warnings. When the utility shows any, Lynis will trigger this control.

NAME-4018 | Networking | Search entries for name resolving

A misconfigured resolver configuration may result in unexpected system behavior or a decrease in network performance. In the worst case, it may even make the system unavailable to other systems.

NAME-4402 | Networking | Duplicate entries in hosts file

This test found multiple duplicates in the hosts file.

NAME-4404 | Networking | Name resolving

Add the IP name and FQDN to /etc/hosts for proper name resolving.

NAME-4406 | Networking | Name resolving: local hostname

For proper resolving, the entries for localhost and the locally defined hostname could be split. With some middleware and some applications in particular, resolving the hostname to localhost might confuse the software.

NETW-2704 | Networking | Nameserver configuration

Nameservers, or DNS servers, are used for host resolving. They resolve a hostname like www.google.com into an IP address like 74.135.133.72. If one or more nameservers are not working as expected, it might affect the performance of the system and result in other unexpected issues.

NETW-2705 | Networking | Properly functioning name servers

Connectivity is the central link for systems to communicate. Most communication occurs on layer 3 (network) for interconnected systems. There, DNS resolving is very important for proper functioning.

DNS resolving, while it is part of the basics, is often overlooked. To limit the chance of failure or bad performance, at least two working name servers are advised.

Lynis tests the availability of name servers and whether they actually respond to queries. To determine which DNS servers are used, consult the /etc/resolv.conf file.

NETW-3014 | Networking | Promiscuous interfaces

When a network interface is actively listening, it is in "promiscuous mode". This may happen when running a tool like tcpdump, an IDS, or some other software component.

NETW-3015 | Networking | Promiscuous network interface (Linux)

This test determines which network interfaces are in a listening state (promiscuous).

NETW-3028 | Networking | Network connections in WAIT state

When systems are exchanging data and one of them is waiting, the connection will be displayed as "WAIT" in netstat. In such a case, it's up to the systems to decide how long they want to keep the connection open for possible new data. Too many waiting connections might have a bad influence on new connections, as the kernel needs to maintain a long list. If this control shows up, it's usually a matter of determining if the behavior is common and if related applications need to be fine-tuned.

NETW-3032 | Networking | ARP monitoring

Consider using a tool that monitors ARP traffic.