Lynis security controls



Controls

Control | Category | Description
PKGS-7308 | Software | RPM output

Empty output of RPM command

PKGS-7312 | Software | Package updates for pacman based system

This control shows up when updates are available for systems running pacman.

PKGS-7314 | Software | Configuration of pacman (package manager)

This control checks the configuration of pacman, a package manager used on Arch Linux.

PKGS-7320 | Software | Usage of arch-audit

To determine which packages have a known vulnerability, consider using a tool like arch-audit.

PKGS-7322 | Software | Arch Linux vulnerable packages

The arch-audit tool may have discovered some vulnerable packages.

PKGS-7330 | Software | Vulnerable Software Packages

When this Lynis control is triggered, vulnerable software packages have been found on the system.

PKGS-7346 | Software | Unpurged packages

While not directly a security concern, unpurged packages are no longer installed but still leave remnants on the system (e.g. configuration files). If the software is reinstalled, an old configuration might be applied. Proper cleanup is therefore advised.

PKGS-7348 | Software | Unused distfiles

Lynis tests for unused distfiles on FreeBSD systems.

PKGS-7370 | Software | Install debsums utility

Install the debsums utility for additional checks.

PKGS-7380 | Software | NetBSD vulnerable packages

Vulnerable packages are a serious risk for the stability and security of a system. When this control shows up, one or more vulnerable software packages have been found. These packages, especially when listening on a network interface, might be abused by attackers.

PKGS-7382 | Software | Vulnerable packages (portaudit)

Portaudit tests packages on FreeBSD-based systems and determines which software is vulnerable. Any vulnerable software it discovers is a security risk and should be investigated.

PKGS-7383 | Software | No repolist on yum based system

For systems using the yum package manager, the repolist is checked. If none is found, this might indicate that the system is not properly configured to receive updates. Check that yum is functioning properly and receiving package updates. Registration might be needed to fix this problem.

PKGS-7384 | Software | yum-utils package

Install the package 'yum-utils' for better consistency checking of the package database.

PKGS-7386 | Software | yum-plugin-security

Install the package yum-plugin-security to make security updates easier to maintain.

PKGS-7387 | Software | YUM repositories

This control tests whether the YUM software repositories are available. If not, it might be due to bad configuration (e.g. missing registration with RHN).

PKGS-7388 | Software | Security updates on Debian and others

This control tests for the presence of a security repository in the updates. On most Debian-based systems this line is there by default, to allow the installation of security patches. When this line is not available, it might indicate that this system does not receive security patches. Alternatively, the system may use a merged tree; in that case this control should be ignored for this particular system.

PKGS-7392 | Software | Vulnerable packages

Lynis tests for vulnerable packages: packages with known security flaws for which an update is already available.

PKGS-7393 | Software | Gentoo vulnerable packages

This control checks for vulnerable packages on Gentoo-based systems.

PKGS-7394 | Software | Ubuntu upgrade packages

This control tests for available upgrades on Ubuntu. Depending on your software upgrade policy, determine if this control is too strict.

PKGS-7398 | Software | Package audit tool

Most operating systems provide a tool to check for security packages, so that vulnerable versions of installed software can be fixed. When possible, install such a tool.

PKGS-7410 | Software | Number of installed kernel packages

Most Linux distributions ship the kernel as a package so that it can easily be upgraded when bugs or security flaws are found. This test determines the number of installed kernel packages.

PKGS-7420 | Software | Toolkit for unattended upgrades

This Lynis test determines if there is a toolkit installed to automatically download and apply upgrades.