Lynis security controls
|FIRE-4520||Networking||Configuration warnings in pf firewall|
Lynis uses the built-in check of pf to determine if the configuration has any warnings. When the utility shows any, Lynis will trigger this control.
|NAME-4018||Networking||Search entries for name resolving|
A misconfigured resolver configuration may result in unexpected system behavior or a decrease in network performance. In the worst case, it may even make the system unavailable to other systems.
|NAME-4402||Networking||Duplicate entries in hosts file|
This test found multiple duplicates in the hosts file.
Add the IP name and FQDN to /etc/hosts for proper name resolving.
|NAME-4406||Networking||Name resolving: local hostname|
For proper resolving, the entries for localhost and the locally defined hostname could be split. With some middleware and some applications in particular, resolving the hostname to localhost might confuse the software.
Nameservers, or DNS servers, are used to resolve hostnames. They resolve a hostname like www.google.com into an IP address like 18.104.22.168. If one or more nameservers are not working as expected, it might influence the performance of the system and result in other unexpected issues.
|NETW-2705||Networking||Properly functioning name servers|
Connectivity is the central link for systems to communicate. Most communication occurs on layer 3 (network) for interconnected systems, where DNS resolving is very important for proper functioning. DNS resolving, while it is part of the basics, is often overlooked. To limit the chance of failure or bad performance, at least two working name servers are advised. Lynis tests the availability of name servers and whether they actually respond to queries. To determine which DNS servers are used, consult the /etc/resolv.conf file.
When a network interface is actively listening, it is in "promiscuous mode". This may happen when running a tool like tcpdump, an IDS, or some other software component.
|NETW-3015||Networking||Promiscuous network interface (Linux)|
This test determines which network interfaces are in a listening state (promiscuous).
|NETW-3028||Networking||Network connections in WAIT state|
When systems are exchanging data and one of them is waiting, the connection will be displayed as "WAIT" in netstat. In such a case, it's up to the systems to decide how long they want to keep the connection open for possible new data. Too many waiting connections might have a bad influence on new connections, as the kernel needs to maintain a long list. If this control shows up, it's usually a matter of determining if the behavior is common and if related applications need to be fine-tuned.
Consider the usage of a tool which monitors ARP traffic.