Lynis security controls
Controls
Control | Category | Title | Description |
---|---|---|---|
PKGS-7308 | Software | RPM output | Empty output of the RPM command. |
PKGS-7312 | Software | Package updates for pacman based system | This control shows up when there are updates for systems running pacman. |
PKGS-7314 | Software | Configuration of pacman (package manager) | This control checks the configuration of pacman, a package manager used on Arch Linux. |
PKGS-7320 | Software | Usage of arch-audit | To determine which packages have a known vulnerability, consider using a tool like arch-audit. |
PKGS-7322 | Software | Arch Linux vulnerable packages | The arch-audit tool may have discovered some vulnerable packages. |
PKGS-7330 | Software | Vulnerable Software Packages | When this Lynis control is triggered, vulnerable software packages have been found on the system. |
PKGS-7346 | Software | Unpurged packages | While not directly a security concern, unpurged packages are no longer installed but still leave remnants on the system (e.g. configuration files). If the software is reinstalled, an old configuration might be applied. Proper cleanups are therefore advised. |
PKGS-7348 | Software | Unused distfiles | Lynis tests for unused distfiles on FreeBSD systems. |
PKGS-7370 | Software | Install debsums utility | Install the debsums utility for additional checks. |
PKGS-7380 | Software | NetBSD vulnerable packages | Vulnerable packages are a serious risk for the stability and security of a system. When this control shows up, one or more vulnerable software packages have been found. These packages, especially when listening on a network interface, might be abused by attackers. |
PKGS-7382 | Software | Vulnerable packages (portaudit) | Portaudit tests packages on FreeBSD-based systems and determines what software is vulnerable. Discovered software is a security risk and should be investigated. |
PKGS-7383 | Software | No repolist on yum based system | For systems using the yum package manager, a repolist is checked. If it is not found, this might indicate that the system is not properly configured to receive updates. Check whether yum is functioning properly and receiving package updates. Registration might be needed to fix this problem. |
PKGS-7384 | Software | yum-utils package | Install the 'yum-utils' package for better consistency checking of the package database. |
PKGS-7386 | Software | yum-plugin-security | Install the yum-plugin-security package to make security updates easier to maintain. |
PKGS-7387 | Software | YUM repositories | This control tests whether the software repositories via YUM are available. If not, it might be due to bad configuration (e.g. missing registration with RHN). |
PKGS-7388 | Software | Security updates on Debian and others | This control tests for the presence of a security repository in the updates. On most Debian-based systems this line is there by default, to allow the installation of security patches. When this line is not available, it might indicate that this system does not receive security patches. Alternatively, the system may use a merged tree; in that case this control should be ignored for this particular system. |
PKGS-7392 | Software | Vulnerable packages | Lynis tests for vulnerable packages: packages with known security flaws that already have an update available. |
PKGS-7393 | Software | Gentoo vulnerable packages | This control checks for vulnerable packages on Gentoo-based systems. |
PKGS-7394 | Software | Ubuntu upgrade packages | This control tests for available upgrades on Ubuntu. Depending on your software upgrade policy, determine if this control is too strict. |
PKGS-7398 | Software | Package audit tool | Most operating systems provide a tool to check for security packages, to fix vulnerable versions of installed software. When possible, install such a tool. |
PKGS-7410 | Software | Number of installed kernel packages | Most Linux distributions use a kernel package to easily allow upgrading it when bugs or security flaws are found. This test determines the number of installed kernel packages. |
PKGS-7420 | Software | Toolkit for unattended upgrades | This Lynis test determines if there is a toolkit installed to automatically download and apply upgrades. |