
Lynis - Installation and Analysis Report

elisangela@elisangela-Inspiron-1525 ~ $ sudo su
[sudo] password for elisangela:
elisangela-Inspiron-1525 elisangela # cd Downloads (enters the download folder)
elisangela-Inspiron-1525 Downloads # tar -zxvf lynis-1.5.2.tar.gz (extracts the archive)
lynis-1.5.2/CHANGELOG
lynis-1.5.2/CONTRIBUTORS
lynis-1.5.2/FAQ
lynis-1.5.2/INSTALL
lynis-1.5.2/LICENSE
lynis-1.5.2/README
lynis-1.5.2/db/
lynis-1.5.2/db/integrity.db
lynis-1.5.2/db/sbl.db
lynis-1.5.2/db/fileperms.db
lynis-1.5.2/db/malware-susp.db
lynis-1.5.2/db/malware.db
lynis-1.5.2/db/hints.db
lynis-1.5.2/default.prf
lynis-1.5.2/dev/
lynis-1.5.2/dev/README
lynis-1.5.2/dev/files.dat
lynis-1.5.2/dev/TODO
lynis-1.5.2/dev/openbsd/
lynis-1.5.2/dev/openbsd/+CONTENTS
lynis-1.5.2/dev/check-lynis.sh
lynis-1.5.2/dev/build-lynis.sh
lynis-1.5.2/include/
lynis-1.5.2/include/profiles
lynis-1.5.2/include/tests_malware
lynis-1.5.2/include/tests_accounting
lynis-1.5.2/include/parameters
lynis-1.5.2/include/tests_ssh
lynis-1.5.2/include/tests_time
lynis-1.5.2/include/tests_firewalls
lynis-1.5.2/include/tests_nameservices
lynis-1.5.2/include/binaries
lynis-1.5.2/include/tests_webservers
lynis-1.5.2/include/tests_squid
lynis-1.5.2/include/tests_storage_nfs
lynis-1.5.2/include/tests_insecure_services
lynis-1.5.2/include/tests_scheduling
lynis-1.5.2/include/tests_tooling
lynis-1.5.2/include/tests_hardening
lynis-1.5.2/include/tests_networking
lynis-1.5.2/include/tests_custom.template
lynis-1.5.2/include/report

lynis-1.5.2/include/tests_boot_services
lynis-1.5.2/include/functions
lynis-1.5.2/include/tests_memory_processes
lynis-1.5.2/include/tests_file_permissions
lynis-1.5.2/include/tests_file_integrity
lynis-1.5.2/include/tests_shells
lynis-1.5.2/include/tests_databases
lynis-1.5.2/include/tests_homedirs
lynis-1.5.2/include/osdetection
lynis-1.5.2/include/tests_ldap
lynis-1.5.2/include/tests_ports_packages
lynis-1.5.2/include/tests_hardening_tools
lynis-1.5.2/include/tests_logging
lynis-1.5.2/include/tests_mail_messaging
lynis-1.5.2/include/tests_banners
lynis-1.5.2/include/tests_crypto
lynis-1.5.2/include/tests_kernel
lynis-1.5.2/include/tests_mac_frameworks
lynis-1.5.2/include/tests_solaris
lynis-1.5.2/include/tests_virtualization
lynis-1.5.2/include/tests_kernel_hardening
lynis-1.5.2/include/tests_snmp
lynis-1.5.2/include/tests_authentication
lynis-1.5.2/include/tests_filesystems
lynis-1.5.2/include/tests_storage
lynis-1.5.2/include/data_upload
lynis-1.5.2/include/tests_printers_spools
lynis-1.5.2/include/tests_php
lynis-1.5.2/include/consts
lynis-1.5.2/include/tests_tcpwrappers
lynis-1.5.2/lynis
lynis-1.5.2/lynis.8
lynis-1.5.2/plugins/
lynis-1.5.2/plugins/README
lynis-1.5.2/plugins/custom_plugin.template
elisangela-Inspiron-1525 Downloads # cd lynis-1.5.2/ (enters the extracted folder)
elisangela-Inspiron-1525 lynis-1.5.2 # sh lynis (installs Lynis)
[ Lynis 1.5.2 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
Copyright 2007-2014 - Michael Boelen, http://cisofy.com
Enterprise support and plugins available via CISOfy - http://cisofy.com
################################################################################
[+] Initializing program
------------------------------------

Scan options:
--auditor "<name>"            : Auditor name
--check-all (-c)              : Check system
--no-log                      : Don't create a log file
--profile <profile>           : Scan the system with the given profile file
--quick (-Q)                  : Quick mode, don't wait for user input
--tests "<tests>"             : Run only tests defined by <tests>
--tests-category "<category>" : Run only tests defined by <category>

Layout options:
--no-colors                   : Don't use colors in output
--quiet (-q)                  : No output, except warnings
--reverse-colors              : Optimize color display for light backgrounds

Misc options:
--check-update                : Check for updates
--debug                       : Debug logging to screen
--view-manpage (--man)        : View man page
--version (-V)                : Display version number and quit

Enterprise options:
--plugin-dir "<path">         : Define path of available plugins
--upload                      : Upload data to central node

Error: No parameters specified!
See man page and documentation for all available options.
Exiting..
elisangela-Inspiron-1525 lynis-1.5.2 # ./lynis
[ Lynis 1.5.2 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
Copyright 2007-2014 - Michael Boelen, http://cisofy.com
Enterprise support and plugins available via CISOfy - http://cisofy.com
################################################################################
[+] Initializing program
------------------------------------

Scan options:
--auditor "<name>"            : Auditor name
--check-all (-c)              : Check system
--no-log                      : Don't create a log file
--profile <profile>           : Scan the system with the given profile file
--quick (-Q)                  : Quick mode, don't wait for user input
--tests "<tests>"             : Run only tests defined by <tests>
--tests-category "<category>" : Run only tests defined by <category>

Layout options:
--no-colors                   : Don't use colors in output
--quiet (-q)                  : No output, except warnings
--reverse-colors              : Optimize color display for light backgrounds

Misc options:
--check-update                : Check for updates
--debug                       : Debug logging to screen
--view-manpage (--man)        : View man page
--version (-V)                : Display version number and quit

Enterprise options:
--plugin-dir "<path">         : Define path of available plugins
--upload                      : Upload data to central node

Error: No parameters specified!
See man page and documentation for all available options.
Exiting..
elisangela-Inspiron-1525 lynis-1.5.2 # sh lynis --auditor "elis" -c (creating an auditor user)

[ Lynis 1.5.2 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
Copyright 2007-2014 - Michael Boelen, http://cisofy.com
Enterprise support and plugins available via CISOfy - http://cisofy.com
################################################################################
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Clearing log file (/var/log/lynis.log)... [ DONE ]

--------------------------------------------------
Program version:           1.5.2
Operating system:          Linux
Operating system name:     Debian
Operating system version:  wheezy/sid
Kernel version:            3.11.0-12-generic
Hardware platform:         x86_64
Hostname:                  elisangela-Inspiron-1525
Auditor:                   elis
Profile:                   ./default.prf
Log file:                  /var/log/lynis.log
Report file:               /var/log/lynis-report.dat
Report version:            1.0
Plugin directory:          ./plugins
--------------------------------------------------
[ Press [ENTER] to continue, or [CTRL]+C to stop ]
Initializing Lynis - Scan by auditor - Result
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Clearing log file (/var/log/lynis.log)... [ DONE ]

--------------------------------------------------
Program version:           1.5.2
Operating system:          Linux
Operating system name:     Debian
Operating system version:  wheezy/sid
Kernel version:            3.11.0-12-generic
Hardware platform:         x86_64
Hostname:                  elisangela-Inspiron-1525
Auditor:                   elisangela
Profile:                   ./default.prf
Log file:                  /var/log/lynis.log
Report file:               /var/log/lynis-report.dat
Report version:            1.0
Plugin directory:          ./plugins
--------------------------------------------------
[ Press [ENTER] to continue, or [CTRL]+C to stop ]
- Checking profile file (./default.prf)...
- Program update status... [ NO UPDATE ]
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
- Checking /bin... [ FOUND ]
- Checking /sbin... [ FOUND ]
- Checking /usr/bin... [ FOUND ]
- Checking /usr/sbin... [ FOUND ]
- Checking /usr/local/bin... [ FOUND ]
- Checking /usr/local/sbin... [ FOUND ]
- Checking /usr/local/libexec... [ NOT FOUND ]
- Checking /usr/libexec... [ NOT FOUND ]
- Checking /usr/sfw/bin... [ NOT FOUND ]
- Checking /usr/sfw/sbin... [ NOT FOUND ]
- Checking /usr/sfw/libexec... [ NOT FOUND ]
- Checking /opt/sfw/bin... [ NOT FOUND ]
- Checking /opt/sfw/sbin... [ NOT FOUND ]
- Checking /opt/sfw/libexec... [ NOT FOUND ]
- Checking /usr/xpg4/bin... [ NOT FOUND ]
- Checking /usr/css/bin... [ NOT FOUND ]
- Checking /usr/ucb... [ NOT FOUND ]
- Checking /usr/X11R6/bin... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Plugins (phase 1)
------------------------------------
- Plugins enabled [ NONE ]
[+] Boot and services
------------------------------------
- Checking boot loaders
- Checking presence GRUB2... [ FOUND ]
- Checking presence LILO... [ NOT FOUND ]
- Checking boot loader SILO [ NOT FOUND ]
- Checking boot loader YABOOT [ NOT FOUND ]
- Check services at startup (rc2.d)... [ DONE ]
Result: found 14 services
- Check startup files (permissions)... [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Kernel
------------------------------------
- Checking default run level...
[ RUNLEVEL 2 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported
[ FOUND ]
- Checking kernel version and release
[ DONE ]
- Checking kernel type
[ DONE ]
- Checking loaded kernel modules
[ DONE ]
Found 79 active modules
- Checking Linux kernel configuration file
[ FOUND ]
- Checking default I/O kernel scheduler
[ FOUND ]
- Checking for available kernel update...
[ OK ]
- Checking core dumps configuration...
[ DISABLED ]
- Checking setuid core dumps configuration...
[ DEFAULT ]
[ Press [ENTER] to continue, or [CTRL]+C to stop ]
[+] Memory and processes
------------------------------------
- Checking /proc/meminfo... [ FOUND ]
- Searching for dead/zombie processes... [ OK ]
- Searching for IO waiting processes... [ WARNING ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Users, Groups and Authentication
------------------------------------
- Search administrator accounts...
[ OK ]
- Checking for non-unique UIDs...
[ OK ]
- Checking consistency of group files (grpck)...
[ OK ]
- Checking non unique group ID's...
[ OK ]
- Checking non unique group names...
[ OK ]
- Checking password file consistency...
[ OK ]
- Query system users (non daemons)...
[ DONE ]
- Checking NIS+ authentication support
[ NOT ENABLED ]
- Checking NIS authentication support
[ NOT ENABLED ]
- Checking sudoers file
[ FOUND ]
- Check sudoers file permissions
[ OK ]
- Checking PAM password strength tools
[ SUGGESTION ]
- Checking PAM configuration files (pam.conf)
[ FOUND ]
- Checking PAM configuration files (pam.d)
[ FOUND ]
- Checking PAM modules
[ FOUND ]
- Checking LDAP module in PAM
[ NOT FOUND ]
- Checking accounts without expire date
[ OK ]
- Checking accounts without password
[ OK ]
- Checking user password aging
[ DISABLED ]
- Determining default umask
- Checking umask (/etc/profile)
[ UNKNOWN ]
- Checking umask (/etc/login.defs)
[ SUGGESTION ]
- Checking umask (/etc/init.d/rc)
[ SUGGESTION ]
- Checking LDAP authentication support
[ NOT ENABLED ]
[ Press [ENTER] to continue, or [CTRL]+C to stop ]
[+] Shells
------------------------------------
- Checking shells from /etc/shells...
Result: found 4 shells (valid shells: 4).
[ Press [ENTER] to continue, or [CTRL]+C to stop ]
[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point... [ SUGGESTION ]
- Checking /tmp mount point... [ SUGGESTION ]
- Checking LVM volume groups... [ NONE ]
- Checking for old files in /tmp... [ OK ]
- Checking /tmp sticky bit... [ OK ]
- ACL support root file system... [ ENABLED ]
- Checking Locate database... [ FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Storage
------------------------------------
- Checking usb-storage driver (modprobe config)... [ NOT DISABLED ]
- Checking firewire ohci driver (modprobe config)... [ DISABLED ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] NFS
------------------------------------
- Check running NFS daemon... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Software: name services
------------------------------------
- Checking default DNS search domain... [ NONE ]
- Checking search domains... [ FOUND ]
- Checking /etc/resolv.conf options... [ NONE ]
- Searching DNS domain name... [ UNKNOWN ]
- Checking nscd status... [ NOT FOUND ]
- Checking BIND status... [ NOT FOUND ]
- Checking PowerDNS status... [ NOT FOUND ]
- Checking ypbind status... [ NOT FOUND ]
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ OK ]
- Checking /etc/hosts (localhost) [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Ports and packages
------------------------------------
- Searching package managers...
- Searching dpkg package manager...
[ FOUND ]
- Querying package manager...
- Query unpurged packages...
[ FOUND ]
- Checking security repository in sources.list file...
[ WARNING ]
- Checking vulnerable packages (apt-get only)...
[ DONE ]
- Checking package audit tool...
[ NONE ]
[ Press [ENTER] to continue, or [CTRL]+C to stop ]
[+] Networking
------------------------------------
- Checking configured nameservers...
- Testing nameservers...
Nameserver: 127.0.1.1... [ OK ]
- Minimal of 2 responsive nameservers... [ WARNING ]
- Checking default gateway... [ DONE ]
- Getting listening ports (TCP/TCP)... [ DONE ]
* Found 16 ports
- Checking promiscuous interfaces... [ OK ]
- Checking waiting connections... [ OK ]
- Checking status DHCP client... [ RUNNING ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Printers and Spools
------------------------------------
- Checking cups daemon... [ RUNNING ]
- Checking CUPS configuration file... [ OK ]
- File permissions [ WARNING ]
- Checking CUPS addresses/sockets... [ FOUND ]
[+] Software: e-mail and messaging
------------------------------------
- Checking Exim status... [ NOT FOUND ]
- Checking Postfix status... [ NOT FOUND ]
- Checking Qmail smtpd status... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ NOT FOUND ]
Status pf [ NOT FOUND ]
- Checking host based firewall [ NOT ACTIVE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Software: webserver
------------------------------------
- Checking Apache (binary /usr/sbin/apache2)...
[ FOUND ]
apache2: Could not open configuration file /etc/apache2/apache2.conf: No such file or directory
Result: Can't find the configuration file, so skipping some Apache related tests
Info: No virtual hosts found
* Loadable modules
[ FOUND ]
- Found 105 loadable modules
mod_evasive: anti-DoS/brute force
[ NOT FOUND ]
mod_qos: anti-Slowloris
[ NOT FOUND ]
mod_spamhaus: anti-spam (spamhaus)
[ NOT FOUND ]
ModSecurity: web application firewall
[ NOT FOUND ]
- Checking nginx...
[ NOT FOUND ]
[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] SSH Support
------------------------------------
- Checking running SSH daemon... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] SNMP Support
------------------------------------
- Checking running SNMP daemon... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Databases
------------------------------------
- MySQL process status... [ NOT FOUND ]
- PostgreSQL processes status... [ NOT FOUND ]
- Oracle processes status... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Software: PHP
------------------------------------
- Checking PHP... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Squid Support
------------------------------------
- Checking running Squid daemon... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Logging and files
------------------------------------
- Checking for a running log daemon... [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking minilogd instances [ NOT FOUND ]
- Checking logrotate presence [ OK ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ FILES FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Insecure services
------------------------------------
- Checking inetd status... [ NOT ACTIVE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Banners and identification
------------------------------------
- /etc/motd... [ NOT FOUND ]
- /etc/issue... [ FOUND ]
- /etc/issue contents... [ WEAK ]
- /etc/issue.net... [ FOUND ]
- /etc/issue.net contents... [ WEAK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Scheduled tasks
------------------------------------
- Checking crontab/cronjob [ DONE ]
- Checking atd status [ NOT RUNNING ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Accounting
------------------------------------
- Checking accounting information... [ NOT FOUND ]
- Checking sysstat accounting data [ NOT FOUND ]
- Checking auditd [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Time and Synchronization
------------------------------------
- Checking running NTP daemon (ntpd)...
[ NOT FOUND ]
- Checking running NTP daemon (timed)...
[ NOT FOUND ]
- Checking running NTP daemon (dntpd)...
[ NOT FOUND ]
- Checking NTP client in crontab file (/etc/anacrontab)... [ NOT FOUND ]
- Checking NTP client in crontab file (/etc/crontab)... [ NOT FOUND ]
- Checking NTP client in cron.d files...
[ NOT FOUND ]
- Checking event based ntpdate (if-up)...
[ FOUND ]
- Checking for a running NTP daemon or client...
[ OK ]
[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Cryptography
------------------------------------
- Checking SSL certificate expiration... [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Virtualization
------------------------------------
[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ NOT FOUND ]
- Checking presence SELinux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ NONE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Software: file integrity
------------------------------------
- Checking file integrity tools...
- AFICK... [ NOT FOUND ]
- AIDE... [ NOT FOUND ]
- Osiris... [ NOT FOUND ]
- Samhain... [ NOT FOUND ]
- Tripwire... [ NOT FOUND ]
- OSSEC (syscheck)... [ NOT FOUND ]
- Checking presence integrity tool... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Software: Malware scanners
------------------------------------
- Checking chkrootkit... [ NOT FOUND ]
- Checking Rootkit Hunter... [ NOT FOUND ]
- Checking ClamAV scanner... [ NOT FOUND ]
- Checking ClamAV daemon... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] System Tools
------------------------------------
- Starting file permissions check...
/etc/lilo.conf [ NOT FOUND ]
/root/.ssh [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Home directories
------------------------------------
- Checking shell history files... [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile...
- kernel.core_uses_pid (exp: 1)
[ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0)
[ OK ]
- kernel.sysrq (exp: 0)
[ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0)
[ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0)
[ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0)
[ OK ]
- net.ipv4.conf.all.forwarding (exp: 0)
[ OK ]
- net.ipv4.conf.all.log_martians (exp: 1)
[ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0)
[ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0)
[ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1)
[ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0)
[ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0)
[ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0)
[ DIFFERENT ]
- net.ipv4.conf.default.log_martians (exp: 1)
[ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)
[ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1)
[ OK ]
- net.ipv4.tcp_timestamps (exp: 0)
[ DIFFERENT ]
- net.ipv6.conf.all.accept_redirects (exp: 0)
[ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0)
[ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0)
[ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0)
[ OK ]
[ Press [ENTER] to continue, or [CTRL]+C to stop ]
[+] Hardening
------------------------------------
- Installed compiler(s)... [ FOUND ]
- Installed malware scanner... [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Custom Tests
------------------------------------
- Running custom tests... [ NONE ]

================================================================================
-[ Lynis 1.5.2 Results ]-
Tests performed: 158
Plugins enabled: 0
Warnings:
----------------------------
- Can't find any security repository in /etc/apt/sources.list. [PKGS-7388]
http://cisofy.com/controls/PKGS-7388/
- Couldn't find 2 responsive nameservers [NETW-2705]
http://cisofy.com/controls/NETW-2705/
Suggestions:
----------------------------
- Check process listing for processes waiting for IO requests [PROC-3614]
http://cisofy.com/controls/PROC-3614/
- Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]
http://cisofy.com/controls/AUTH-9262/
- Configure password aging limits to enforce password changing on a regular base [AUTH-9286]
http://cisofy.com/controls/AUTH-9286/
- Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
http://cisofy.com/controls/AUTH-9328/
- Default umask in /etc/init.d/rc could be more strict like 027 [AUTH-9328]
http://cisofy.com/controls/AUTH-9328/
- To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310]
http://cisofy.com/controls/FILE-6310/
- To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
http://cisofy.com/controls/FILE-6310/
- Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
http://cisofy.com/controls/STRG-1840/
- Check DNS configuration for the dns domain name [NAME-4028]
http://cisofy.com/controls/NAME-4028/
- Purge old/removed packages (3 found) with aptitude purge or dpkg --purge command. This will
cleanup old configuration files, cron jobs and startup scripts. [PKGS-7346]
http://cisofy.com/controls/PKGS-7346/
- Check /etc/apt/sources.list if a security repository is configured correctly [PKGS-7388]
http://cisofy.com/controls/PKGS-7388/
- Install a package audit tool to determine vulnerable packages [PKGS-7398]
http://cisofy.com/controls/PKGS-7398/
- Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705]
http://cisofy.com/controls/NETW-2705/

- Access to CUPS configuration could be more strict. [PRNT-2307]
http://cisofy.com/controls/PRNT-2307/
- Check CUPS configuration if it really needs to run on several network addresses [PRNT-2308]
http://cisofy.com/controls/PRNT-2308/
- Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590]
http://cisofy.com/controls/FIRE-4590/
- Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
http://cisofy.com/controls/HTTP-6640/
- Install Apache mod_qos to guard webserver against Slowloris attacks [HTTP-6641]
http://cisofy.com/controls/HTTP-6641/
- Install Apache mod_spamhaus to guard webserver against spammers [HTTP-6642]
http://cisofy.com/controls/HTTP-6642/
- Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
http://cisofy.com/controls/HTTP-6643/
- Check what deleted files are still in use and why. [LOGG-2190]
http://cisofy.com/controls/LOGG-2190/
- Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
http://cisofy.com/controls/BANN-7126/
- Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
http://cisofy.com/controls/BANN-7130/
- Enable process accounting [ACCT-9622]
http://cisofy.com/controls/ACCT-9622/
- Enable sysstat to collect accounting (no results) [ACCT-9626]
http://cisofy.com/controls/ACCT-9626/
- Enable auditd to collect audit information [ACCT-9628]
http://cisofy.com/controls/ACCT-9628/
- Install a file integrity tool [FINT-4350]
http://cisofy.com/controls/FINT-4350/
- One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
http://cisofy.com/controls/KRNL-6000/
- Harden the system by removing unneeded compilers. This can decrease the chance of customized
trojans, backdoors and rootkits to be compiled and installed [HRDN-7220]
http://cisofy.com/controls/HRDN-7220/
- Harden compilers and restrict access to world [HRDN-7222]
http://cisofy.com/controls/HRDN-7222/
- Harden the system by installing one or malware scanners to perform periodic file system scans [HRDN-7230]
http://cisofy.com/controls/HRDN-7230/
Follow-up:
----------------------------
- Fix findings, see security controls overview and documentation
- Upload data to Lynis Enterprise for further analysis
- Create a report and implementation plan
Enterprise support and plugins available via CISOfy - http://cisofy.com
================================================================================
Hardening index : [53] [##########          ]
================================================================================
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Tip: Disable all tests which are not relevant or are too strict for the
purpose of this particular machine. This will remove unwanted suggestions
and also boost the hardening index. Each test should be properly analyzed
to see if the related risks can be accepted, before disabling the test.
================================================================================
Lynis 1.5.2
Copyright 2007-2014 - Michael Boelen, http://cisofy.com
================================================================================
