Security of web servers and cloud platforms.
Reliable protection against denial-of-service attacks.
Comprehensive protection of electronic resources.
Search for and removal of viruses on websites.
Protection and security solutions for WordPress sites.
Penetration testing of websites and web applications.
In this note I will explain what an IT audit is and describe its main principles and features. I will define it, explain why it is needed, and describe who usually conducts it and how. I want to make this process clear for curious clients using the example of an express audit of a VPS server running Linux. The audit presented below is arbitrary and was created for illustration only.
An IT audit is an independent expert assessment of the quality and effectiveness of an IT infrastructure: an examination at all layers of the OSI model that includes the comprehensive collection and analysis of information about the object under study, its hardware and software, interfaces, network, applications, devices and so on.
An internal audit is an IT audit performed with full access to the system.
An external audit is an IT audit performed without access to the system; the work is done using data from open sources.
An auditor is a certified specialist, qualified in all areas of information technology, who is authorized to carry out the audit procedure.
Depending on their goals and nature, there are different types of audits, for example:
To conduct an audit, the written permission of the owner is required, secured by an NDA (Non-disclosure agreement).
The auditor must also be given access to the server over SSH with administrator (root) rights.
In the course of the work, the auditor collects data and performs numerous checks using the built-in Linux command-line tools and specialized audit tools, the list of which is agreed in advance.
The auditor has no right to interfere with the operation of the system or to change its configuration in any way. In effect, the auditor's work consists only of collecting and structuring data, documenting it (reporting) and making recommendations (assessment).
The world-renowned organization ISACA has compiled a list of recommendations called the "Auditor's Code of Ethics", which includes the following provisions:
root@server:~# lscpu
Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   40 bits physical, 48 bits virtual
CPU(s):                          1
On-line CPU(s) list:             0
Thread(s) per core:              1
Core(s) per socket:              1
Socket(s):                       1
NUMA node(s):                    1
Vendor ID:                       AuthenticAMD
CPU family:                      23
Model:                           49
Model name:                      DO-Regular
Stepping:                        0
CPU MHz:                         1996.247
BogoMIPS:                        3992.49
Virtualization:                  AMD-V
Hypervisor vendor:               KVM
Virtualization type:             full
L1d cache:                       32 KiB
L1i cache:                       32 KiB
L2 cache:                        512 KiB
L3 cache:                        16 MiB
NUMA node0 CPU(s):               0
Vulnerability Itlb multihit:     Not affected
Vulnerability L1tf:              Not affected
Vulnerability Mds:               Not affected
Vulnerability Meltdown:          Not affected
Vulnerability Mmio stale data:   Not affected
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Retpolines, IBPB conditional, STIBP disabled, RSB filling
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm rep_good nopl cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm svm cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw topoext perfctr_core ibpb stibp vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 xsaves clzero xsaveerptr wbnoinvd arat npt nrip_save umip rdpid

root@server:~# cat /proc/cpuinfo
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 23
model           : 49
model name      : DO-Regular
stepping        : 0
microcode       : 0x1000065
cpu MHz         : 1996.247
cache size      : 512 KB
physical id     : 0
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm rep_good nopl cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm svm cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw topoext perfctr_core ibpb stibp vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 xsaves clzero xsaveerptr wbnoinvd arat npt nrip_save umip rdpid
bugs            : sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips        : 3992.49
TLB size        : 1024 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management:
Assessment and recommendations: The server uses a single-core AMD processor, model DO-Regular, with a clock speed of 1996 MHz. It supports the 64-bit architecture and runs under full virtualization based on the KVM hypervisor.
The processor is vulnerable on some points, in particular:
Overall, this is an entry-level processor intended for light loads, with no multithreading. For high-traffic and complex projects it will not be sufficient. In addition, this model did not show the best results in performance and stability testing (see Benchmark). Deploying serious projects requires scaling (increasing the number of cores) or replacing the processor. It is also recommended to use the more modern XEN hypervisor instead of the standard KVM. To eliminate the processor vulnerabilities, look for patches from the manufacturer and adjust the kernel configuration.
root@server:~# free -h
               total        used        free      shared  buff/cache   available
Mem:           967Mi       641Mi        82Mi        25Mi       244Mi       144Mi
Swap:             0B          0B          0B

root@server:~# cat /proc/meminfo
MemTotal:         991156 kB
MemFree:           84208 kB
MemAvailable:     148188 kB
Buffers:            7808 kB
Cached:           203572 kB
SwapCached:            0 kB
Active:           124540 kB
Inactive:         622872 kB
Active(anon):      26628 kB
Inactive(anon):   548484 kB
Active(file):      97912 kB
Inactive(file):    74388 kB
Unevictable:       23068 kB
Mlocked:           18532 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:               212 kB
Writeback:             0 kB
AnonPages:        559140 kB
Mapped:            75576 kB
Shmem:             26344 kB
KReclaimable:      38640 kB
Slab:              91096 kB
SReclaimable:      38640 kB
SUnreclaim:        52456 kB
KernelStack:        3644 kB
PageTables:         6532 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:      495576 kB
Committed_AS:    1777032 kB
VmallocTotal:   34359738367 kB
VmallocUsed:       19128 kB
VmallocChunk:          0 kB
Percpu:            14720 kB
HardwareCorrupted:     0 kB
AnonHugePages:         0 kB
ShmemHugePages:        0 kB
ShmemPmdMapped:        0 kB
FileHugePages:         0 kB
FilePmdMapped:         0 kB
HugePages_Total:       0
HugePages_Free:        0
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
Hugetlb:               0 kB
DirectMap4k:      270336 kB
DirectMap2M:      778240 kB

root@server:~# sudo memtester 200M 1
memtester version 4.3.0 (64-bit)
Copyright (C) 2001-2012 Charles Cazabon.
Licensed under the GNU General Public License version 2 (only).

pagesize is 4096
pagesizemask is 0xfffffffffffff000
want 200MB (209715200 bytes)
got  200MB (209715200 bytes), trying mlock ...locked.
Loop 1/1:
  Stuck Address       : ok
  Random Value        : ok
  Compare XOR         : ok
  Compare SUB         : ok
  Compare MUL         : ok
  Compare DIV         : ok
  Compare OR          : ok
  Compare AND         : ok
  Sequential Increment: ok
  Solid Bits          : ok
  Block Sequential    : ok
  Checkerboard        : ok
  Bit Spread          : ok
  Bit Flip            : ok
  Walking Ones        : ok
  Walking Zeroes      : ok
  8-bit Writes        : ok
  16-bit Writes       : ok

Done.
Assessment and recommendations: The server has 1 GB of RAM. There is no swap file. No memory errors were detected. However, for complex and large projects, and for serving large databases, the existing amount of RAM will not be enough. It needs to be scaled up, and a SWAP file should be created urgently so that the server stays operational under overload.
root@server:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        944M     0  944M   0% /dev
tmpfs           963M  368K  962M   1% /dev/shm
tmpfs           963M   93M  870M  10% /run
tmpfs           963M     0  963M   0% /sys/fs/cgroup
/dev/sda1        38G   18G   18G  50% /
/dev/loop0      1.5G   84M  1.3G   7% /tmp
/dev/sda15       64M  2.2M   62M   4% /boot/efi
tmpfs           193M     0  193M   0% /run/user/5005

root@server:~# smartctl --info /dev/sda
smartctl 7.1 2020-08-23 r5080 [x86_64-linux-4.18.0-408.el8.x86_64] (local build)
Copyright (C) 2002-19, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Vendor:               QEMU
Product:              QEMU HARDDISK
Revision:             2.5+
Compliance:           SPC-3
User Capacity:        40,961,572,864 bytes [40.9 GB]
Logical block size:   512 bytes
LU is thin provisioned, LBPRZ=0
Device type:          disk
Local Time is:        Wed Oct 12 20:33:41 2022 CEST
SMART support is:     Unavailable - device lacks SMART capability.
SMART Health Status: OK

root@server:~# sudo fdisk -l /dev/sda1
Disk /dev/sda1: 38.1 GiB, 40892349952 bytes, 79867871 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

root@server:~# sudo badblocks -v /dev/sda1 > badsectors.txt
Checking blocks 0 to 39933934
Checking for bad blocks (read-only test): done
Pass completed, 0 bad blocks found. (0/0/0 errors)
Assessment and recommendations: The server uses a virtual hard disk (QEMU virtualization) of 38 GB. Every disk access is forwarded from the virtual machine to the physical disk, which, when working with large volumes of data, can introduce delay (latency) and fluctuations in performance and throughput (-10–15%). In addition, 38-40 GB of disk space may not be enough for large-scale projects such as cloud storage, backups, caches, logs and databases. No problems with the hard disk were observed. No bad sectors were found.
root@server:~# uname -a
Linux ubuntu-02 5.4.0-126-generic (buildd@lcy02-amd64-095) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

root@server:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
root@server:~# lynis audit system

[ Lynis 2.6.2 ]

#####################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2018, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
#####################################################################

[+] Initializing program
------------------------------------
  - Detecting OS... [ DONE ]
  - Checking profiles... [ DONE ]

  ---------------------------------------------------
  Program version:           2.6.2
  Operating system:          Linux
  Operating system name:     Ubuntu Linux
  Operating system version:  20.04
  Kernel version:            5.4.0
  Hardware platform:         x86_64
  Hostname:                  ubuntu-s-1vcpu-1gb-lr1-02
  ---------------------------------------------------
  Profiles:                  /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /etc/lynis/plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Language:                  en
  Test category:             all
  Test group:                all
  ---------------------------------------------------
[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
 Note: plugins have more extensive tests and may take several minutes to complete
  - Plugin: debian
    [
[+] Debian Tests
------------------------------------
  - Checking for system binaries that are required by Debian Tests...
    - Checking /bin... [ FOUND ]
    - Checking /sbin... [ FOUND ]
    - Checking /usr/bin... [ FOUND ]
    - Checking /usr/sbin... [ FOUND ]
    - Checking /usr/local/bin... [ FOUND ]
    - Checking /usr/local/sbin... [ FOUND ]
  - Authentication:
    - PAM (Pluggable Authentication Modules):
      - libpam-tmpdir [ Not Installed ]
      - libpam-usb [ Not Installed ]
  - File System Checks:
    - DM-Crypt, Cryptsetup & Cryptmount:
      - Checking / on /dev/vda1 [ NOT ENCRYPTED ]
      - Checking /snap/core20/1623 on /var/lib/snapd/snaps/core20_1623.snap [ NOT ENCRYPTED ]
      - Checking /snap/core20/1611 on /var/lib/snapd/snaps/core20_1611.snap [ NOT ENCRYPTED ]
      - Checking /snap/lxd/22753 on /var/lib/snapd/snaps/lxd_22753.snap [ NOT ENCRYPTED ]
      - Checking /snap/snapd/16778 on /var/lib/snapd/snaps/snapd_16778.snap [ NOT ENCRYPTED ]
      - Checking /snap/snapd/17029 on /var/lib/snapd/snaps/snapd_17029.snap [ NOT ENCRYPTED ]
      - Checking /boot/efi on /dev/vda15 [ NOT ENCRYPTED ]
  - Software:
    - apt-listbugs [ Not Installed ]
    - apt-listchanges [ Not Installed ]
    - checkrestart [ Not Installed ]
    - needrestart [ Not Installed ]
    - debsecan [ Not Installed ]
    - debsums [ Not Installed ]
    - fail2ban [ Not Installed ]
    ]

[+] Boot and services
------------------------------------
  - Service Manager [ systemd ]
  - Checking UEFI boot [ DISABLED ]
  - Checking presence GRUB2 [ FOUND ]
    - Checking for password protection [ WARNING ]
  - Check running services (systemctl) [ DONE ]
        Result: found 25 running services
  - Check enabled services at boot (systemctl) [ DONE ]
        Result: found 64 enabled services
  - Check startup files (permissions) [ OK ]
  - Checking sulogin in rescue.service [ NOT FOUND ]

[+] Kernel
------------------------------------
  - Checking default run level [ RUNLEVEL 5 ]
  - Checking CPU support (NX/PAE)
    CPU support: PAE and/or NoeXecute supported [ FOUND ]
  - Checking kernel version and release [ DONE ]
  - Checking kernel type [ DONE ]
  - Checking loaded kernel modules [ DONE ]
      Found 52 active modules
  - Checking Linux kernel configuration file [ FOUND ]
  - Checking default I/O kernel scheduler [ NOT FOUND ]
  - Checking for available kernel update [ UNKNOWN ]
  - Checking core dumps configuration [ DISABLED ]
    - Checking setuid core dumps configuration [ PROTECTED ]
  - Check if reboot is needed [ YES ]
[+] Memory and Processes
------------------------------------
  - Checking /proc/meminfo [ FOUND ]
  - Searching for dead/zombie processes [ OK ]
  - Searching for IO waiting processes [ OK ]

[+] Users, Groups and Authentication
------------------------------------
  - Administrator accounts [ OK ]
  - Unique UIDs [ OK ]
  - Consistency of group files (grpck) [ OK ]
  - Unique group IDs [ OK ]
  - Unique group names [ OK ]
  - Password file consistency [ OK ]
  - Query system users (non daemons) [ DONE ]
  - NIS+ authentication support [ NOT ENABLED ]
  - NIS authentication support [ NOT ENABLED ]
  - sudoers file [ FOUND ]
    - Check sudoers file permissions [ OK ]
  - PAM password strength tools [ SUGGESTION ]
  - PAM configuration files (pam.conf) [ FOUND ]
  - PAM configuration files (pam.d) [ FOUND ]
  - PAM modules [ FOUND ]
  - LDAP module in PAM [ NOT FOUND ]
  - Accounts without expire date [ OK ]
  - Accounts without password [ OK ]
  - Checking user password aging (minimum) [ DISABLED ]
  - User password aging (maximum) [ DISABLED ]
  - Checking expired passwords [ OK ]
  - Checking Linux single user mode authentication [ WARNING ]
  - Determining default umask
    - umask (/etc/profile) [ NOT FOUND ]
    - umask (/etc/login.defs) [ SUGGESTION ]
  - LDAP authentication support [ NOT ENABLED ]
  - Logging failed login attempts [ ENABLED ]

[+] Shells
------------------------------------
  - Checking shells from /etc/shells
    Result: found 9 shells (valid shells: 9).
    - Session timeout settings/tools [ NONE ]
  - Checking default umask values
    - Checking default umask in /etc/bash.bashrc [ NONE ]
    - Checking default umask in /etc/profile [ NONE ]

[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point [ SUGGESTION ]
    - Checking /tmp mount point [ SUGGESTION ]
    - Checking /var mount point [ SUGGESTION ]
  - Query swap partitions (fstab) [ NONE ]
  - Testing swap partitions [ OK ]
  - Testing /proc mount (hidepid) [ SUGGESTION ]
  - Checking for old files in /tmp [ OK ]
  - Checking /tmp sticky bit [ OK ]
  - Checking /var/tmp sticky bit [ OK ]
  - ACL support root file system [ ENABLED ]
  - Mount options of / [ OK ]
  - Disable kernel support of some filesystems
    - Discovered kernel modules: udf

[+] USB Devices
------------------------------------
  - Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
  - Checking USB devices authorization [ ENABLED ]
  - Checking USBGuard [ NOT FOUND ]

[+] Storage
------------------------------------
  - Checking firewire ohci driver (modprobe config) [ DISABLED ]

[+] NFS
------------------------------------
  - Check running NFS daemon [ NOT FOUND ]

[+] Name services
------------------------------------
  - Checking /etc/resolv.conf options [ FOUND ]
  - Searching DNS domain name [ UNKNOWN ]
  - Checking /etc/hosts
    - Checking /etc/hosts (duplicates) [ OK ]
    - Checking /etc/hosts (hostname) [ OK ]
    - Checking /etc/hosts (localhost) [ OK ]
    - Checking /etc/hosts (localhost to IP) [ OK ]

[+] Ports and packages
------------------------------------
  - Searching package managers
    - Searching dpkg package manager [ FOUND ]
      - Querying package manager
  - Query unpurged packages [ FOUND ]
  - Checking security repository in sources.list file [ OK ]
  - Checking APT package database [ OK ]
  - Checking vulnerable packages [ WARNING ]
  - Checking upgradeable packages [ SKIPPED ]
  - Checking package audit tool [ INSTALLED ]
    Found: apt-get

[+] Networking
------------------------------------
  - Checking IPv6 configuration [ ENABLED ]
      Configuration method [ AUTO ]
      IPv6 only [ NO ]
  - Checking configured nameservers
    - Testing nameservers
        Nameserver: 127.0.0.53 [ OK ]
    - Minimal of 2 responsive nameservers [ WARNING ]
  - Checking default gateway [ DONE ]
  - Getting listening ports (TCP/UDP) [ DONE ]
      * Found 4 ports
  - Checking promiscuous interfaces [ OK ]
  - Checking waiting connections [ OK ]
  - Checking status DHCP client [ NOT ACTIVE ]
  - Checking for ARP monitoring software [ NOT FOUND ]
[+] Printers and Spools
------------------------------------
  - Checking cups daemon [ NOT FOUND ]
  - Checking lp daemon [ NOT RUNNING ]

[+] Software: e-mail and messaging
------------------------------------

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module [ FOUND ]
    - Checking iptables policies of chains [ FOUND ]
    - Checking for empty ruleset [ WARNING ]
    - Checking for unused rules [ OK ]
  - Checking host based firewall [ ACTIVE ]

[+] Software: webserver
------------------------------------
  - Checking Apache [ NOT FOUND ]
  - Checking nginx [ NOT FOUND ]

[+] SSH Support
------------------------------------
  - Checking running SSH daemon [ FOUND ]
    - Searching SSH configuration [ FOUND ]
    - SSH option: AllowTcpForwarding [ SUGGESTION ]
    - SSH option: ClientAliveCountMax [ SUGGESTION ]
    - SSH option: ClientAliveInterval [ OK ]
    - SSH option: Compression [ SUGGESTION ]
    - SSH option: FingerprintHash [ OK ]
    - SSH option: GatewayPorts [ OK ]
    - SSH option: IgnoreRhosts [ OK ]
    - SSH option: LoginGraceTime [ OK ]
    - SSH option: LogLevel [ SUGGESTION ]
    - SSH option: MaxAuthTries [ SUGGESTION ]
    - SSH option: MaxSessions [ SUGGESTION ]
    - SSH option: PermitRootLogin [ SUGGESTION ]
    - SSH option: PermitUserEnvironment [ OK ]
    - SSH option: PermitTunnel [ OK ]
    - SSH option: Port [ SUGGESTION ]
    - SSH option: PrintLastLog [ OK ]
    - SSH option: Protocol [ NOT FOUND ]
    - SSH option: StrictModes [ OK ]
    - SSH option: TCPKeepAlive [ SUGGESTION ]
    - SSH option: UseDNS [ OK ]
    - SSH option: UsePrivilegeSeparation [ NOT FOUND ]
    - SSH option: VerifyReverseMapping [ NOT FOUND ]
    - SSH option: X11Forwarding [ SUGGESTION ]
    - SSH option: AllowAgentForwarding [ SUGGESTION ]
    - SSH option: AllowUsers [ NOT FOUND ]
    - SSH option: AllowGroups [ NOT FOUND ]

[+] SNMP Support
------------------------------------
  - Checking running SNMP daemon [ NOT FOUND ]

[+] Databases
------------------------------------
    No database engines found

[+] LDAP Services
------------------------------------
  - Checking OpenLDAP instance [ NOT FOUND ]

[+] PHP
------------------------------------
  - Checking PHP [ NOT FOUND ]

[+] Squid Support
------------------------------------
  - Checking running Squid daemon [ NOT FOUND ]

[+] Logging and files
------------------------------------
  - Checking for a running log daemon [ OK ]
    - Checking Syslog-NG status [ NOT FOUND ]
    - Checking systemd journal status [ FOUND ]
    - Checking Metalog status [ NOT FOUND ]
    - Checking RSyslog status [ FOUND ]
    - Checking RFC 3195 daemon status [ NOT FOUND ]
    - Checking minilogd instances [ NOT FOUND ]
  - Checking logrotate presence [ OK ]
  - Checking log directories (static list) [ DONE ]
  - Checking open log files [ DONE ]
  - Checking deleted files in use [ FILES FOUND ]
[+] Insecure services
------------------------------------
  - Checking inetd status [ NOT ACTIVE ]

[+] Banners and identification
------------------------------------
  - /etc/issue [ FOUND ]
    - /etc/issue contents [ WEAK ]
  - /etc/issue.net [ FOUND ]
    - /etc/issue.net contents [ WEAK ]

[+] Scheduled tasks
------------------------------------
  - Checking crontab/cronjob [ DONE ]
  - Checking atd status [ RUNNING ]
    - Checking at users [ DONE ]
    - Checking at jobs [ NONE ]

[+] Accounting
------------------------------------
  - Checking accounting information [ NOT FOUND ]
  - Checking sysstat accounting data [ NOT FOUND ]
  - Checking auditd [ NOT FOUND ]

[+] Time and Synchronization
------------------------------------
  - NTP daemon found: systemd (timesyncd) [ FOUND ]
  - Checking for a running NTP daemon or client [ OK ]

[+] Cryptography
------------------------------------
  - Checking for expired SSL certificates [0/3] [ NONE ]

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor [ FOUND ]
    - Checking AppArmor status [ ENABLED ]
  - Checking presence SELinux [ NOT FOUND ]
  - Checking presence grsecurity [ NOT FOUND ]
  - Checking for implemented MAC framework [ OK ]

[+] Software: file integrity
------------------------------------
  - Checking file integrity tools
  - Checking presence integrity tool [ NOT FOUND ]

[+] Software: System tooling
------------------------------------
  - Checking automation tooling
  - Automation tooling [ NOT FOUND ]
  - Checking for IDS/IPS tooling [ NONE ]

[+] Software: Malware
------------------------------------

[+] File Permissions
------------------------------------
  - Starting file permissions check
    /root/.ssh [ OK ]

[+] Home directories
------------------------------------
  - Checking shell history files [ OK ]

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - fs.protected_hardlinks (exp: 1) [ OK ]
    - fs.protected_symlinks (exp: 1) [ OK ]
    - fs.suid_dumpable (exp: 0) [ DIFFERENT ]
    - kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0) [ OK ]
    - kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
    - kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
    - kernel.randomize_va_space (exp: 2) [ OK ]
    - kernel.sysrq (exp: 0) [ DIFFERENT ]
    - kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
    - net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
    - net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1) [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
    - net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

[+] Hardening
------------------------------------
  - Installed compiler(s) [ FOUND ]
  - Installed malware scanner [ NOT FOUND ]

[+] Custom Tests
------------------------------------
  - Running custom tests... [ NONE ]

[+] Plugins (phase 2)
------------------------------------
=====================================================================
  -[ Lynis 2.6.2 Results ]-

  Warnings (5):
  ----------------------------
! Reboot of system is most likely needed [KRNL-5830] - Solution : reboot https://cisofy.com/controls/KRNL-5830/
! No password set for single mode [AUTH-9308] https://cisofy.com/controls/AUTH-9308/
! Found one or more vulnerable packages. [PKGS-7392] https://cisofy.com/controls/PKGS-7392/
! Couldn't find 2 responsive nameservers [NETW-2705] https://cisofy.com/controls/NETW-2705/
! iptables module(s) loaded, but no rules active [FIRE-4512] https://cisofy.com/controls/FIRE-4512/
  Suggestions (51):
  ----------------------------
* Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [CUST-0280] https://your-domain.example.org/controls/CUST-0280/
* Install libpam-usb to enable multi-factor authentication for PAM sessions [CUST-0285] https://your-domain.example.org/controls/CUST-0285/
* Install apt-listbugs to display a list of critical bugs prior to each APT installation. [CUST-0810] https://your-domain.example.org/controls/CUST-0810/
* Install apt-listchanges to display any significant changes prior to any upgrade via APT. [CUST-0811] https://your-domain.example.org/controls/CUST-0811/
* Install debian-goodies so that you can run checkrestart after upgrades to determine which services are using old versions of libraries and need restarting. [CUST-0830] https://your-domain.example.org/controls/CUST-0830/
* Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [CUST-0831] https://your-domain.example.org/controls/CUST-0831/
* Install debsecan to generate lists of vulnerabilities which affect this installation. [CUST-0870] https://your-domain.example.org/controls/CUST-0870/
* Install debsums for the verification of installed package files against MD5 checksums. [CUST-0875] https://your-domain.example.org/controls/CUST-0875/
* Install fail2ban to automatically ban hosts that commit multiple authentication errors. [DEB-0880] https://cisofy.com/controls/DEB-0880/
* Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] https://cisofy.com/controls/BOOT-5122/
* Protect rescue.service by using sulogin [BOOT-5260] https://cisofy.com/controls/BOOT-5260/
* Determine why /vmlinuz is missing on this Debian/Ubuntu system. [KRNL-5788] - Details : /vmlinuz https://cisofy.com/controls/KRNL-5788/
* Check the output of apt-cache policy manually to determine why output is empty [KRNL-5788] https://cisofy.com/controls/KRNL-5788/
* Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] https://cisofy.com/controls/AUTH-9262/
* Configure minimum password age in /etc/login.defs [AUTH-9286] https://cisofy.com/controls/AUTH-9286/
* Configure maximum password age in /etc/login.defs [AUTH-9286] https://cisofy.com/controls/AUTH-9286/
* Set password for single user mode to minimize physical access attack surface [AUTH-9308] https://cisofy.com/controls/AUTH-9308/
* Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] https://cisofy.com/controls/AUTH-9328/
* To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310] https://cisofy.com/controls/FILE-6310/
* Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] https://cisofy.com/controls/STRG-1840/
* Check DNS configuration for the dns domain name [NAME-4028] https://cisofy.com/controls/NAME-4028/
* Purge old/removed packages (6 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [PKGS-7346] https://cisofy.com/controls/PKGS-7346/
* Install debsums utility for the verification of packages with known good database. [PKGS-7370] https://cisofy.com/controls/PKGS-7370/
* Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392] https://cisofy.com/controls/PKGS-7392/
* Install package apt-show-versions for patch management purposes [PKGS-7394] https://cisofy.com/controls/PKGS-7394/
* Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705] https://cisofy.com/controls/NETW-2705/
* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] https://cisofy.com/controls/NETW-3032/
* Consider hardening SSH configuration [SSH-7408] - Details : AllowTcpForwarding (YES --> NO) https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : ClientAliveCountMax (3 --> 2) https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : Compression (YES --> (DELAYED|NO)) https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : LogLevel (INFO --> VERBOSE) https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : MaxAuthTries (6 --> 2) https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : MaxSessions (10 --> 2) https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : PermitRootLogin (YES --> NO) https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : Port (22 --> ) https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : TCPKeepAlive (YES --> NO) https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : X11Forwarding (YES --> NO) https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : AllowAgentForwarding (YES --> NO) https://cisofy.com/controls/SSH-7408/
* Check what deleted files are still in use and why. [LOGG-2190] https://cisofy.com/controls/LOGG-2190/
* Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] https://cisofy.com/controls/BANN-7126/
* Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] https://cisofy.com/controls/BANN-7130/
* Enable process accounting [ACCT-9622] https://cisofy.com/controls/ACCT-9622/
* Enable sysstat to collect accounting (no results) [ACCT-9626] https://cisofy.com/controls/ACCT-9626/
* Enable auditd to collect audit information [ACCT-9628] https://cisofy.com/controls/ACCT-9628/
* Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] https://cisofy.com/controls/FINT-4350/
* Determine if automation tools are present for system management [TOOL-5002] https://cisofy.com/controls/TOOL-5002/
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>) https://cisofy.com/controls/KRNL-6000/
* Harden compilers like restricting access to root user only [HRDN-7222] https://cisofy.com/controls/HRDN-7222/
* Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] - Solution : Install a tool like rkhunter, chkrootkit, OSSEC https://cisofy.com/controls/HRDN-7230/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
=====================================================================
Lynis security scan details:

Hardening index : 50 [##########          ]
Tests performed : 221
Plugins enabled : 1
Assessment and recommendations: some operating-system components are not updated, although the release itself, Ubuntu 20.04, is current. The additional tools Lynis lists should be installed (auditd, sysstat, a file-integrity tool, a malware scanner), the firewall configured (iptables) together with a brute-force blocker such as Fail2ban, and attention paid to data encryption and to SSH access control (the SSH-7408 items above, in particular PermitRootLogin and the forwarding options). SELinux is disabled. For corporate systems with a high confidentiality requirement this may be a shortcoming, so enabling it is recommended; note, however, that Ubuntu ships AppArmor as its default mandatory access control framework (apparmor.service is enabled in the unit list further down), so first check with aa-status that the AppArmor profiles are loaded and in enforce mode before deciding whether a switch to SELinux is needed at all. In general, it is advisable to satisfy all of the recommendations of the Lynis audit utility.
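Most of the Lynis findings above are sshd_config directives with a "current --> recommended" value. The script below, added here as an illustration and not part of the original audit or of Lynis, re-checks a copy of sshd_config against that list offline: it takes the first uncommented occurrence of each directive (as sshd does), falls back to the OpenSSH default when a directive is absent, and prints every deviation. The two sample configs it writes are constructed for the demonstration and are not the audited server's file; on a live host run check_sshd_config /etc/ssh/sshd_config, or save the output of sshd -T to a file and check that instead, since sshd -T also resolves Include files and Match blocks that a plain scan of the file does not.

```shell
#!/bin/sh
# Added example: re-check an sshd_config against the values Lynis SSH-7408 asked for.
# Not part of the original audit or of Lynis. Written for POSIX sh (runs under dash and bash).

# Policy table: directive, accepted value(s) as an extended regex, and the OpenSSH
# default that applies when the directive is absent from the file.
SSHD_POLICY='
AllowTcpForwarding   no           yes
ClientAliveCountMax  2            3
Compression          no|delayed   yes
LogLevel             verbose      info
MaxAuthTries         2            6
MaxSessions          2            10
PermitRootLogin      no           prohibit-password
TCPKeepAlive         no           yes
X11Forwarding        no           no
AllowAgentForwarding no           yes
'

# effective_value FILE DIRECTIVE -> prints the lower-cased effective value, or nothing.
# The first uncommented occurrence wins, as in sshd; "Key=value" syntax is accepted,
# and the lower-cased keys printed by `sshd -T` work as input too.
effective_value() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, ""); gsub(/=/, " ") }            # drop comments, normalise "="
    NF >= 2 && tolower($1) == k { print tolower($2); exit }
  ' "$1"
}

# check_sshd_config FILE -> one "Directive (current --> accepted)" line per deviation.
check_sshd_config() {
  printf '%s\n' "$SSHD_POLICY" | while read -r key accept dflt; do
    [ -n "$key" ] || continue
    cur=$(effective_value "$1" "$key")
    [ -n "$cur" ] || cur=$dflt                      # absent directive: sshd default applies
    if ! printf '%s' "$cur" | grep -Eqx "$accept"; then
      printf '%s (%s --> %s)\n' "$key" "$cur" "$accept"
    fi
  done
}

# sshd_deviation_count FILE -> number of deviating directives (0 = compliant with the table).
sshd_deviation_count() { check_sshd_config "$1" | awk 'END { print NR }'; }

# make_sample_sshd_configs -> writes two constructed sample files (not taken from the
# audited server) into a temporary directory and prints that directory.
make_sample_sshd_configs() {
  dir=$(mktemp -d)
  cat > "$dir/weak" <<'EOF'
# constructed sample: a stock-looking sshd_config
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 6
#Compression no
LogLevel INFO
EOF
  cat > "$dir/hardened" <<'EOF'
# constructed sample: the values Lynis asked for
Port 22
AllowTcpForwarding no
ClientAliveCountMax 2
Compression delayed
LogLevel VERBOSE
MaxAuthTries 2
MaxSessions 2
PermitRootLogin no
TCPKeepAlive no
X11Forwarding no
AllowAgentForwarding no
EOF
  printf '%s\n' "$dir"
}

# Demo on the constructed samples. On a real host: check_sshd_config /etc/ssh/sshd_config
samples=$(make_sample_sshd_configs)
echo "weak sample, $(sshd_deviation_count "$samples/weak") deviations:"
check_sshd_config "$samples/weak"
echo "hardened sample, $(sshd_deviation_count "$samples/hardened") deviations"
```

The "weak" sample deviates on all ten directives (six of them only through defaults, which is exactly why checking the file for the presence of a directive is not enough); the "hardened" sample reports none. Compression accepts "delayed" as well as "no", matching the (DELAYED|NO) wording in the Lynis output.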
[root@server ~]# php -v
PHP Warning:  Module 'zip' already loaded in Unknown on line 0
PHP 7.4.28 (cli) (built: Apr 4 2022 11:52:05) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.28, Copyright (c), by Zend Technologies

[root@server ~]# php -m
PHP Warning:  Module 'zip' already loaded in Unknown on line 0
[PHP Modules]
bcmath
bz2
calendar
Core
ctype
curl
date
dba
dom
enchant
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
igbinary
imagick
imap
intl
json
ldap
libxml
mbstring
mcrypt
memcached
msgpack
mysqli
mysqlnd
odbc
openssl
pcntl
pcre
PDO
pdo_mysql
PDO_ODBC
pdo_pgsql
pdo_sqlite
pgsql
Phar
posix
pspell
readline
redis
Reflection
session
shmop
SimpleXML
snmp
soap
sockets
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tidy
timezonedb
tokenizer
xml
xmlreader
xmlrpc
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache
Assessment and recommendations: the server runs PHP 7.4, a stable branch, but one that has received security fixes only since 28 November 2021 and reaches end of life on 28 November 2022, so a migration to PHP 8.x should be planned. All required PHP modules are installed. The only defect found is the "zip" module error: "Module 'zip' already loaded" means the extension is declared twice, typically once in php.ini and again in a conf.d drop-in (or compiled in statically and then loaded once more through an extension= line); the redundant declaration should be removed.
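To locate the double declaration behind the "already loaded" warning, the following script, added here as an example and not taken from the original audit, scans a set of php.ini files for extension= and zend_extension= lines, normalises the module name (path, php_ prefix and .so/.dll suffix stripped) and reports every name that appears more than once together with the file and line of each occurrence. The php.ini and conf.d drop-in it creates are constructed for the demonstration and are not the server's files; on the server, pass the files the affected SAPI actually loads, as shown in the comment at the end. If only one declaration is found, the module is probably compiled in statically, and the extension= line itself is the one to drop.

```shell
#!/bin/sh
# Added example: find PHP extensions declared more than once across ini files, which is
# what produces "Module 'zip' already loaded". Not part of the original audit.

# find_duplicate_php_extensions INI... -> "name (N times): file:line file:line" per duplicate.
# Handles "extension=zip", "extension=zip.so", "extension=/full/path/zip.so",
# "extension=php_zip.dll" and "zend_extension=..."; ";" comments are ignored.
find_duplicate_php_extensions() {
  awk '
    { sub(/;.*/, "") }                                   # drop php.ini comments
    tolower($0) ~ /^[ \t]*(zend_)?extension[ \t]*=/ {
      split($0, kv, "=")
      name = kv[2]
      gsub(/^[ \t"]+|[ \t"]+$/, "", name)                # trim blanks and quotes
      sub(/^.*\//, "", name)                             # strip directory part
      sub(/^php_/, "", name)                             # Windows-style prefix
      sub(/\.(so|dll)$/, "", name)                       # shared-object suffix
      seen[name]++
      where[name] = where[name] " " FILENAME ":" FNR
    }
    END { for (n in seen) if (seen[n] > 1) printf "%s (%d times):%s\n", n, seen[n], where[n] }
  ' "$@" | sort
}

# make_sample_php_ini -> constructed php.ini plus a conf.d drop-in (not the server's files),
# reproducing the double declaration; prints the temporary directory.
make_sample_php_ini() {
  dir=$(mktemp -d)
  mkdir -p "$dir/conf.d"
  cat > "$dir/php.ini" <<'EOF'
; constructed sample php.ini
extension=zip
extension=gd
;extension=imap
EOF
  cat > "$dir/conf.d/20-zip.ini" <<'EOF'
; constructed sample drop-in that duplicates the declaration above
extension=/usr/lib/php/20190902/zip.so
EOF
  printf '%s\n' "$dir"
}

# Demo on the constructed files. On a live host pass the files PHP actually loads for the
# SAPI that shows the warning (here the CLI), e.g.:
#   find_duplicate_php_extensions "$(php -r 'echo php_ini_loaded_file();')" \
#       $(php -r 'echo php_ini_scanned_files();' | tr -d ' \n' | tr ',' ' ')
sample=$(make_sample_php_ini)
find_duplicate_php_extensions "$sample/php.ini" "$sample"/conf.d/*.ini
```

The CLI and php-fpm read different ini sets, so the check has to be repeated for each SAPI that reports the warning; the commented-out imap line and the single gd declaration in the sample are correctly ignored.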
root@server:~# sudo mysqltuner
 >>  MySQLTuner 1.7.13 - Major Hayden <major@mhtx.net>
 >>  Bug reports, feature requests, and downloads at http://mysqltuner.com/
[--] Skipped version check for MySQLTuner script
[!!] FAIL Execute SQL / return code: 256
[!!] failed to execute: SHOW SLAVE HOSTS\G
[!!] FAIL Execute SQL / return code: 256
[OK] Currently running supported MySQL version 10.3.32-MariaDB
[OK] Operating on 64-bit architecture

-------- Log file Recommendations -----------------------------------
[OK] Log file /var/log/mariadb/mariadb.log exists
[--] Log file: /var/log/mariadb/mariadb.log(99B)
[OK] Log file /var/log/mariadb/mariadb.log is not empty
[OK] Log file /var/log/mariadb/mariadb.log is smaller than 32 Mb
[OK] Log file /var/log/mariadb/mariadb.log is readable.
[!!] /var/log/mariadb/mariadb.log contains 1 warning(s).
[OK] /var/log/mariadb/mariadb.log doesn't contain any error.
[--] 0 start(s) detected in /var/log/mariadb/mariadb.log
[--] 0 shutdown(s) detected in /var/log/mariadb/mariadb.log

-------- Storage Engine Statistics ----------------------------------
[--] Status: +ARCHIVE +Aria +BLACKHOLE +CSV +FEDERATED +InnoDB +MEMORY +MRG_MyISAM +MyISAM +PERFORMANCE_SCHEMA +SEQUENCE
[--] Data in InnoDB tables: 2.8M (Tables: 22)
[--] Data in MyISAM tables: 42.0M (Tables: 66)
[OK] Total fragmented tables: 0

-------- Analysis Performance Metrics -------------------------------
[--] innodb_stats_on_metadata: OFF
[OK] No stat updates during querying INFORMATION_SCHEMA.

-------- Security Recommendations -----------------------------------
[--] Skipped due to none of known auth columns exists

-------- CVE Security Recommendations -------------------------------
[--] Skipped due to --cvefile option undefined
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256

-------- Performance Metrics ----------------------------------------
[--] Up for: 6d 16h 14m 58s (2M q [4.511 qps], 55K conn, TX: 33G, RX: 842M)
[--] Reads / Writes: 94% / 6%
[--] Binary logging is disabled
[--] Physical Memory     : 1.9G
[--] Max MySQL memory    : 1.6G
[--] Other process memory: 0B
[--] Total buffers: 928.0M global + 23.3M per thread (30 max threads)
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256
[--] P_S Max memory usage: 0B
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256
[--] Galera GCache Max memory usage: 0B
[OK] Maximum reached memory usage: 1.5G (80.89% of installed RAM)
[OK] Maximum possible memory usage: 1.6G (84.52% of installed RAM)
[OK] Overall possible memory usage with other process is compatible with memory available
[OK] Slow queries: 0% (0/2M)
[!!] Highest connection usage: 90% (27/30)
[OK] Aborted connections: 0.00% (1/55665)
[!!] name resolution is active : a reverse name resolution is made for each new connection and can reduce performance
[OK] Query cache is disabled by default due to mutex contention on multiprocessor machines.
[OK] Sorts requiring temporary tables: 0% (0 temp sorts / 748K sorts)
[OK] No joins without indexes
[!!] Temporary tables created on disk: 41% (141K on disk / 341K total)
[OK] Thread cache hit rate: 99% (503 created / 55K connections)
[OK] Table cache hit rate: 98% (2M hits / 2M requests)
[OK] table_definition_cache(400) is upper than number of tables(166)
[OK] Open file limit used: 0% (97/32K)
[OK] Table locks acquired immediately: 99% (1M immediate / 1M locks)

-------- Performance schema -----------------------------------------
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256
[--] Memory used by P_S: 0B
[--] Sys schema isn't installed.

-------- ThreadPool Metrics -----------------------------------------
[--] ThreadPool stat is enabled.
[--] Thread Pool Size: 2 thread(s).
[--] Using default value is good enough for your version (10.3.32-MariaDB)

-------- MyISAM Metrics ---------------------------------------------
[!!] Key buffer used: 33.4% (5M used / 16M cache)
[OK] Key buffer size / total MyISAM indexes: 16.0M/6.1M
[OK] Read Key buffer hit rate: 100.0% (53M cached / 4K reads)
[!!] Write Key buffer hit rate: 92.2% (206K cached / 190K writes)

-------- InnoDB Metrics ---------------------------------------------
[--] InnoDB is enabled.
[--] InnoDB Thread Concurrency: 0
[OK] InnoDB File per table is activated
[OK] InnoDB buffer pool / data size: 640.0M/2.8M
[OK] Ratio InnoDB log file size / InnoDB Buffer pool size: 80.0M * 2/640.0M should be equal to 25%
[OK] InnoDB buffer pool instances: 1
[--] Number of InnoDB Buffer Pool Chunk : 5 for 1 Buffer Pool Instance(s)
[OK] Innodb_buffer_pool_size aligned with Innodb_buffer_pool_chunk_size & Innodb_buffer_pool_instances
[OK] InnoDB Read buffer efficiency: 99.98% (17261092 hits/ 17263905 total)
[!!] InnoDB Write Log efficiency: 80.77% (198628 hits/ 245908 total)
[OK] InnoDB log waits: 0.00% (0 waits / 47280 writes)

-------- Aria Metrics -----------------------------------------------
[--] Aria Storage Engine is enabled.
[OK] Aria pagecache size / total Aria indexes: 128.0M/0B
[!!] Aria pagecache hit rate: 92.8% (1M cached / 80K reads)

-------- TokuDB Metrics ---------------------------------------------
[--] TokuDB is disabled.

-------- XtraDB Metrics ---------------------------------------------
[--] XtraDB is disabled.

-------- Galera Metrics ---------------------------------------------
[--] Galera is disabled.

-------- Replication Metrics ----------------------------------------
[--] Galera Synchronous replication: NO
[--] No replication slave(s) for this server.
[--] Binlog format: MIXED
[--] XA support enabled: ON
[--] Semi synchronous replication Master: OFF
[--] Semi synchronous replication Slave: OFF
[--] This is a standalone server

-------- Recommendations ---------------------------------------------------------------------------
General recommendations:
    Check warning line(s) in /var/log/mariadb/mariadb.log file
    Reduce or eliminate persistent connections to reduce connection usage
    Configure your accounts with ip or subnets only, then update your configuration with skip-name-resolve=1
    When making adjustments, make tmp_table_size/max_heap_table_size equal
    Reduce your SELECT DISTINCT queries which have no LIMIT clause
    Consider installing Sys schema from https://github.com/mysql/mysql-sys for MySQL
    Consider installing Sys schema from https://github.com/FromDual/mariadb-sys for MariaDB
Variables to adjust:
    max_connections (> 30)
    wait_timeout (< 28800)
    interactive_timeout (< 28800)
    tmp_table_size (> 128M)
    max_heap_table_size (> 128M)
Assessment: the server runs MariaDB 10.3.32, a MySQL-compatible database server. It is not up to date (the latest release is MariaDB 10.3.36, and the 10.3 branch itself reaches end of life in May 2023) and has not been properly tuned; it needs careful configuration. The report shows connection pressure rather than slow queries: peak usage reached 27 of the 30 permitted connections, and a reverse DNS lookup is performed for every new connection, which MySQLTuner suggests fixing by defining accounts with IP addresses or subnets and setting skip-name-resolve=1. Note also that MySQLTuner skipped its Security Recommendations section ("none of known auth columns exists"), so anonymous accounts, accounts without passwords and a remotely reachable root were not checked and must be reviewed by hand. The warning MySQLTuner found in /var/log/mariadb/mariadb.log should be examined, and error logging should be configured so that such events also reach the system logs.
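Because MySQLTuner skipped its account checks, the script below, added here as an example and not part of the original audit or of MySQLTuner, performs them offline on a tab-separated dump of mysql.user: it flags anonymous users, accounts that have neither a Password nor an authentication_string (except unix_socket/auth_socket accounts, which legitimately have none), root reachable from anywhere but the local host, and any account with a "%" host. The column set in the query comment is my suggestion for MariaDB 10.3, where native-password hashes live in the Password column; MySQL 8 has no such column, so the query would need adjusting there. The rows the script creates are constructed for the demonstration, with placeholder hashes, and are not the audited server's accounts.

```shell
#!/bin/sh
# Added example: the account checks MySQLTuner skipped ("none of known auth columns exists"),
# run offline over a dump of mysql.user. Not part of the original audit or of MySQLTuner.
# Collect the input on the server (MariaDB 10.3 keeps native-password hashes in the Password
# column and plugin credentials in authentication_string; MySQL 8 has no Password column):
#   mysql -B -N -e "SELECT User, Host, plugin, Password, authentication_string FROM mysql.user" > users.tsv

# audit_mysql_accounts FILE -> one finding per line, nothing for unremarkable accounts.
audit_mysql_accounts() {
  awk -F'\t' '
    {
      user = $1; host = $2; plugin = $3; pw = $4; auth = $5
      if (pw == "NULL") pw = ""          # mysql -B prints NULL literally
      if (auth == "NULL") auth = ""
      if (user == "")
        printf "ANONYMOUS   %s@%s\n", user, host
      # unix_socket/auth_socket accounts legitimately have no password; "invalid" cannot log in
      if (pw == "" && auth == "" && plugin !~ /^(unix_socket|auth_socket|invalid)$/)
        printf "NO-PASSWORD %s@%s (plugin=%s)\n", user, host, (plugin == "" ? "mysql_native_password" : plugin)
      if (user == "root" && host != "localhost" && host != "127.0.0.1" && host != "::1")
        printf "REMOTE-ROOT %s@%s\n", user, host
      if (host == "%")
        printf "ANY-HOST    %s@%s\n", user, host
    }' "$1"
}

# mysql_account_finding_count FILE -> number of findings.
mysql_account_finding_count() { audit_mysql_accounts "$1" | awk 'END { print NR }'; }

# make_sample_mysql_users -> constructed rows (not the audited server's accounts; the hashes
# are placeholders) in the tab-separated shape of the query above; prints the file path.
make_sample_mysql_users() {
  f=$(mktemp)
  printf '%s\t%s\t%s\t%s\t%s\n' \
    root   localhost unix_socket           ''                 '' \
    root   '%'       mysql_native_password '*PLACEHOLDERHASH' '' \
    ''     localhost ''                    ''                 '' \
    app    10.0.0.5  mysql_native_password '*PLACEHOLDERHASH' '' \
    backup '%'       ''                    '*PLACEHOLDERHASH' '' \
    test   localhost mysql_native_password ''                 '' > "$f"
  printf '%s\n' "$f"
}

# Demo on the constructed rows. On the server: audit_mysql_accounts users.tsv
sample=$(make_sample_mysql_users)
audit_mysql_accounts "$sample"
```

On the constructed rows the script reports six findings: root@% twice (remote root, any host), the anonymous localhost account twice (anonymous, no password), backup@% (any host) and test@localhost (no password), while root@localhost with unix_socket and app@10.0.0.5 pass. Each finding maps to a DROP USER or ALTER USER ... IDENTIFIED BY decision that the auditor must then make with the application owner.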
root@server:# sudo ./nixauditor2.0
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# Nix Audit Script ^Tested on RHEL 6,7... CentOS 6,7 ^ #
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# For best results, run as ROOT. Always be ROOT. *Evil grin* #
# https://the-infosec.com
#########################################################

General CIS Checks start here...

separate_partition /tmp Passed
mount_option /tmp nodev Passed
mount_option /tmp nosuid Passed
mount_option /tmp noexec Passed
separate_partition /var Failed
bind_mounted_to /var/tmp /tmp Passed
separate_partition /var/log Failed
separate_partition /var/log/audit Failed
separate_partition /home Failed
mount_option /home nodev Failed
mount_option /dev/shm nodev Failed
mount_option /dev/shm nosuid Failed
mount_option /dev/shm noexec Failed
sticky_wrld_w_dirs Failed
test_disable_mounting cramfs Failed
modprobe: FATAL: Module freevxfs not found in directory /lib/modules/4.18.0-408.el8.x86_64
test_disable_mounting freevxfs Failed
modprobe: FATAL: Module jffs2 not found in directory /lib/modules/4.18.0-408.el8.x86_64
test_disable_mounting jffs2 Failed
modprobe: FATAL: Module hfs not found in directory /lib/modules/4.18.0-408.el8.x86_64
test_disable_mounting hfs Failed
modprobe: FATAL: Module hfsplus not found in directory /lib/modules/4.18.0-408.el8.x86_64
test_disable_mounting hfsplus Failed
test_disable_mounting squashfs Failed
test_disable_mounting udf Failed
centos_gpg_key_installed Failed
yum_gpgcheck Passed
yum_update Failed
pkg_integrity Failed
rpm_installed aide Failed
verify_aide_cron Failed
verify_selinux_grubcfg Passed
verify_selinux_state Failed
verify_selinux_policy Passed
rpm_not_installed setroubleshoot Passed
rpm_not_installed mcstrans Passed
unconfined_procs Passed
check_root_owns /boot/grub2/grub.cfg Passed
check_grub_perms Failed
check_boot_pass Passed
restrict_core_dumps Failed
chk_sysctl kernel.randomize_va_space 2 Passed
chk_latest_rel Failed
rpm_not_installed telnet-server Passed
rpm_not_installed telnet Failed
rpm_not_installed rsh-server Passed
rpm_not_installed rsh Passed
rpm_not_installed ypbind Passed
rpm_not_installed ypserv Passed
rpm_not_installed tftp Passed
rpm_not_installed tftp-server Passed
rpm_not_installed talk Passed
rpm_not_installed talk-server Passed
rpm_not_installed xinetd Passed
check_svc_not_enabled chargen-dgram Passed
check_svc_not_enabled chargen-stream Passed
check_svc_not_enabled daytime-dgram Passed
check_svc_not_enabled daytime-stream Passed
check_svc_not_enabled echo-dgram Passed
check_svc_not_enabled echo-stream Passed
check_svc_not_enabled tcpmux-server Passed
cut: /etc/sysconfig/init: No such file or directory
check_umask Failed
check_def_tgt Passed
rpm_not_installed xorg-x11-server-common Passed
check_svc_not_enabled avahi-daemon Passed
check_svc_not_enabled cups Passed
rpm_not_installed dhcp Passed
cut: /etc/ntp.conf: No such file or directory
grep: /etc/ntp.conf: No such file or directory
ntp_cfg Failed
rpm_not_installed openldap-servers Passed
rpm_not_installed openldap-clients Passed
check_svc_not_enabled nfslock Passed
check_svc_not_enabled rpcgssd Passed
check_svc_not_enabled rpcbind Passed
check_svc_not_enabled rpcidmapd Passed
check_svc_not_enabled rpcsvcgssd Passed
rpm_not_installed bind Passed
rpm_not_installed vsftpd Passed
rpm_not_installed httpd Passed
rpm_not_installed dovecot Passed
rpm_not_installed samba Passed
rpm_not_installed squid Passed
rpm_not_installed net-snmp Failed
chk_sysctl net.ipv4.ip_forward 0 Passed
chk_sysctl net.ipv4.conf.all.send_redirects 0 Failed
chk_sysctl net.ipv4.conf.default.send_redirects 0 Failed
chk_sysctl net.ipv4.conf.all.accept_source_route 0 Passed
chk_sysctl net.ipv4.conf.default.accept_source_route 0 Failed
chk_sysctl net.ipv4.conf.all.accept_redirects 0 Failed
chk_sysctl net.ipv4.conf.default.accept_redirects 0 Failed
chk_sysctl net.ipv4.conf.all.secure_redirects 0 Failed
chk_sysctl net.ipv4.conf.all.secure_redirects 0 Failed
chk_sysctl net.ipv4.conf.default.secure_redirects 0 Failed
chk_sysctl net.ipv4.conf.all.log_martians 1 Failed
chk_sysctl net.ipv4.conf.default.log_martians 1 Failed
chk_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1 Passed
chk_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1 Passed
chk_sysctl net.ipv4.conf.all.rp_filter 1 Passed
chk_sysctl net.ipv4.conf.default.rp_filter 1 Failed
chk_sysctl net.ipv4.tcp_syncookies 1 Passed
ip6_router_advertisements_dis Failed
ip6_redirect_accept_dis Failed
chk_sysctl net.ipv6.conf.all.disable_ipv6 1 Failed
rpm_installed tcp_wrappers Failed
chk_file_exists /etc/hosts.allow Failed
stat: cannot statx '/etc/hosts.allow': No such file or directory
check_root_owns /etc/hosts.allow Failed
stat: cannot statx '/etc/hosts.allow': No such file or directory
check_file_perms /etc/hosts.allow 644 Failed
chk_file_exists /etc/hosts.deny Failed
cut: /etc/hosts.deny: No such file or directory
chk_hosts_deny_content Failed
stat: cannot statx '/etc/hosts.deny': No such file or directory
check_root_owns /etc/hosts.deny Failed
stat: cannot statx '/etc/hosts.deny': No such file or directory
check_file_perms /etc/hosts.deny 644 Failed
grep: /etc/modprobe.d/CIS.conf: No such file or directory
chk_cis_cnf dccp /etc/modprobe.d/CIS.conf Failed
grep: /etc/modprobe.d/CIS.conf: No such file or directory
chk_cis_cnf sctp /etc/modprobe.d/CIS.conf Failed
grep: /etc/modprobe.d/CIS.conf: No such file or directory
chk_cis_cnf rds /etc/modprobe.d/CIS.conf Failed
grep: /etc/modprobe.d/CIS.conf: No such file or directory
chk_cis_cnf tipc /etc/modprobe.d/CIS.conf Failed
check_svc_enabled firewalld Failed
rpm_installed rsyslog Passed
check_svc_enabled rsyslog Passed
chk_file_exists /etc/rsyslog.conf Passed
check_root_owns /etc/rsyslog.conf Passed
check_file_perms /etc/rsyslog.conf 600 Failed
chk_rsyslog_content Failed
audit_log_storage_size Passed
dis_on_audit_log_full Failed
keep_all_audit_info Failed
check_svc_enabled auditd Passed
audit_procs_prior_2_auditd Passed
audit_date_time Failed
audit_user_group Failed
audit_network_env Failed
audit_sys_mac Failed
audit_logins_logouts Failed
audit_session_init Failed
audit_dac_perm_mod_events Failed
unsuc_unauth_acc_attempts Failed
coll_priv_cmds Failed
coll_suc_fs_mnts Failed
coll_file_del_events Failed
coll_chg2_sysadm_scope Failed
coll_sysadm_actions Failed
kmod_lod_unlod Failed
audit_cfg_immut Failed
logrotate_cfg Failed
rpm_installed cronie-anacron Passed
check_svc_enabled crond Passed
check_root_owns /etc/anacrontab Passed
check_file_perms /etc/anacrontab 600 Failed
check_root_owns /etc/crontab Passed
check_file_perms /etc/crontab 600 Failed
check_root_owns /etc/cron.hourly Passed
check_file_perms /etc/cron.hourly 600 Failed
check_root_owns /etc/cron.daily Passed
check_file_perms /etc/cron.daily 600 Failed
check_root_owns /etc/cron.weekly Passed
check_file_perms /etc/cron.weekly 600 Failed
check_root_owns /etc/cron.monthly Passed
check_file_perms /etc/cron.monthly 600 Failed
check_root_owns /etc/cron.d Passed
check_file_perms /etc/cron.d 600 Failed
atd_cfg Failed
at_cron_auth_users Failed
chk_param /etc/ssh/sshd_config Protocol 2 Failed
chk_param /etc/ssh/sshd_config LogLevel INFO Failed
check_root_owns /etc/ssh/sshd_config Passed
check_file_perms /etc/ssh/sshd_config 600 Passed
chk_param /etc/ssh/sshd_config X11Forwarding no Failed
ssh_maxauthtries 4 Passed
chk_param /etc/ssh/sshd_config IgnoreRhosts yes Failed
chk_param /etc/ssh/sshd_config HostbasedAuthentication no Failed
chk_param /etc/ssh/sshd_config PermitRootLogin no Passed
chk_param /etc/ssh/sshd_config PermitEmptyPasswords no Failed
chk_param /etc/ssh/sshd_config PermitUserEnvironment no Failed
chk_param /etc/ssh/sshd_config Ciphers aes128-ctr,aes192-ctr,aes256-ctr Failed
chk_param /etc/ssh/sshd_config ClientAliveInterval 300 Failed
chk_param /etc/ssh/sshd_config ClientAliveCountMax 0 Failed
ssh_access Failed
chk_param /etc/ssh/sshd_config Banner /etc/issue.net Failed
./nixauditor2.0: line 782: authconfig: command not found
pass_hash_algo sha512 Failed
pass_req_params Failed
failed_pass_lock Failed
lim_passwd_reuse Failed
su_access Failed
chk_param /etc/login.defs PASS_MAX_DAYS 90 Failed
chk_param /etc/login.defs PASS_MIN_DAYS 7 Failed
chk_param /etc/login.defs PASS_WARN_AGE 7 Passed
dis_sys_accs Passed
root_def_grp Passed
def_umask_for_users Failed
inactive_usr_acs_locked Failed
check_root_owns /etc/motd Passed
check_file_perms /etc/motd 644 Passed
check_root_owns /etc/issue Passed
check_file_perms /etc/issue 644 Passed
check_root_owns /etc/issue.net Passed
check_file_perms /etc/issue.net 644 Passed
warning_banners Failed
gnome_banner Passed
check_file_perms /etc/passwd 644 Passed
check_file_perms /etc/shadow 0 Passed
check_file_perms /etc/gshadow 0 Passed
check_file_perms /etc/group 644 Passed
check_root_owns /etc/passwd Passed
check_root_owns /etc/shadow Passed
check_root_owns /etc/gshadow Passed
check_root_owns /etc/group Passed
world_w_dirs Failed
unowned_files Failed
ungrouped_files Failed
suid_exes Failed
sgid_exes Failed
passwd_field_chk Passed
nis_in_file /etc/passwd Passed
nis_in_file /etc/shadow Passed
nis_in_file /etc/group Passed
no_uid0_other_root Passed
root_path Passed
home_dir_perms Passed
dot_file_perms Passed
dot_netrc_perms Passed
dot_rhosts_files Passed
chk_groups_passwd Passed
chk_home_dirs_exist Passed
chk_home_dirs_owns Passed
duplicate_uids Passed
duplicate_gids Passed
chk_uids_4_res Failed
duplicate_usernames Passed
duplicate_groupnames Passed
user_dot_netrc Passed
user_dot_forward Passed
### SCAN COMPLETE ####
Go fix them, will you?
root@server:~# lsat
****************************************
bashtop is not chmod 644.
frontend is not chmod 644.
goaccess-1.4.6 is not chmod 644.
hst_backups is not chmod 644.
hst_install_backups is not chmod 644.
lsat.out is not chmod 644.
roundcubemail-1.4.11 is not chmod 644.
snap is not chmod 644.
/var/log/wtmp is not chmod 644.
/boot/vmlinuz-4.15.0-1021-aws is not chmod 644.
****************************************
Checking default umask on system:
Default umask should be 022, 027 or 077. 002 is ok for RedHat.
Here are the filenames, and the umask number found in each.
Please read through the file and ensure that is what you want.
/etc/rssh.conf: = 022
/etc/vsftpd.conf:local_=022
/etc/vsftpd.conf:anon_=022
root@server:# ./sysechk -f
22 tests ran in 13 seconds.
9 problems detected:
CCE-14011-1 Major: Create separate partition or logical volume for /var/log
CCE-14107-7 Minor: Add 'UMASK 077' to /etc/login.defs
CCE-14161-4 Major: Create separate partition or logical volume for /tmp
CCE-14559-9 Minor: Since you are using local home directories, create separate partition or logical volume for /home
CCE-14777-7 Minor: Create separate partition or logical volume for /var
CCE-3561-8 Major: Is this system going to be used as a firewall or gateway to pass IP traffic between different networks? If not, add 'net.ipv4.ip_forward = 0' to /etc/sysctl.conf
CCE-4060-0 Minor: You should not expose your FQDN (\n) through the system login banner, edit /etc/issue
CCE-4292-9 Minor: Enable the auditd service with 'update-rc.d auditd enable'
NSA-2-1-2-3-1 Major: Update your packages with 'apt-get upgrade'
root@server:~# find / -xdev \( -nouser -o -nogroup \) -print
/var/cache/private/fwupdmgr
Assessment: where possible, some directories should be placed on separate disk partitions (/var/log and /tmp, and also /var and /home, which both nixauditor and sysechk report). The installed packages need updating (the yum_update check and sysechk's 'apt-get upgrade' item failed). The tools the reports flag as missing should be installed, notably aide for file-integrity monitoring, and an active firewall service (firewalld) enabled. Permissions need tightening on the cron configuration (/etc/crontab, /etc/anacrontab and the /etc/cron.* directories, which the script expects at 600) and on /etc/rsyslog.conf; lsat's "644" warnings, on the other hand, should be reviewed one by one rather than applied blindly, since directories need the execute bit to be traversable, /var/log/wtmp is group-writable by design on Debian-based systems, and the kernel image /boot/vmlinuz-* is deliberately restricted to 600 on recent Ubuntu releases. Files that belong to no existing user or group (the find output above shows /var/cache/private/fwupdmgr) should be examined and either re-owned or removed. Note that nixauditor targets RHEL/CentOS 6 and 7 and ran here on an el8 kernel, so its tcp_wrappers and /etc/hosts.allow failures reflect components RHEL 8 no longer ships rather than a misconfiguration; the sysctl, auditd-rule and sshd findings remain valid.
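The block of failed chk_sysctl lines above (redirects accepted and sent, martians not logged, rp_filter off for new interfaces, IPv6 router advertisements accepted) is the most mechanical part of the report to fix. The script below, added here as an example and not part of the original audit or of nixauditor, compares a saved sysctl -a snapshot with the same set of CIS values, adds the two IPv6 checks behind ip6_router_advertisements_dis/ip6_redirect_accept_dis (net.ipv6.conf.*.accept_ra and accept_redirects) and the core-dump key behind restrict_core_dumps (fs.suid_dumpable), and then emits a sysctl.d drop-in containing only the keys that deviate. The snapshot it creates is constructed to reproduce the report's pattern and is not the audited host's data; on the host, capture the real one with sysctl -a.

```shell
#!/bin/sh
# Added example: compare a `sysctl -a` snapshot with the CIS network/kernel values that
# nixauditor tests above, and emit a sysctl.d drop-in for the keys that deviate.
# Not part of the original audit or of nixauditor. Take the snapshot on the host with:
#   sysctl -a 2>/dev/null > sysctl.snapshot

# key and expected value, mirroring nixauditor's chk_sysctl lines plus the IPv6 router
# advertisement/redirect checks (ip6_*_dis) and core-dump restriction (fs.suid_dumpable).
SYSCTL_POLICY='
net.ipv4.ip_forward 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.tcp_syncookies 1
net.ipv6.conf.all.accept_ra 0
net.ipv6.conf.default.accept_ra 0
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
kernel.randomize_va_space 2
fs.suid_dumpable 0
'

# sysctl_audit SNAPSHOT -> "FAIL key current=X want=Y" or "MISSING key current=- want=Y" per deviation.
sysctl_audit() {
  printf '%s\n' "$SYSCTL_POLICY" | while read -r key want; do
    [ -n "$key" ] || continue
    have=$(awk -v k="$key" -F' *= *' '$1 == k { print $2; exit }' "$1")
    if [ -z "$have" ]; then
      printf 'MISSING %s current=- want=%s\n' "$key" "$want"
    elif [ "$have" != "$want" ]; then
      printf 'FAIL %s current=%s want=%s\n' "$key" "$have" "$want"
    fi
  done
}

# sysctl_deviation_count SNAPSHOT -> number of deviating keys.
sysctl_deviation_count() { sysctl_audit "$1" | awk 'END { print NR }'; }

# sysctl_dropin SNAPSHOT -> sysctl.conf(5) lines for the deviating keys only.
sysctl_dropin() {
  echo '# generated from sysctl_audit: deviating keys only'
  echo '# install as /etc/sysctl.d/60-cis-hardening.conf and apply with: sysctl --system'
  sysctl_audit "$1" | awk '{ sub(/^want=/, "", $4); print $2 " = " $4 }'
}

# make_sample_sysctl_snapshot -> constructed snapshot (not the audited host's values) that
# reproduces the nixauditor pattern: redirects accepted, martians unlogged, IPv6 RA on.
make_sample_sysctl_snapshot() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
fs.protected_symlinks = 1
kernel.printk = 4 4 1 7
kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.default.accept_redirects = 1
EOF
  printf '%s\n' "$f"
}

# Demo on the constructed snapshot. On the host: sysctl_audit sysctl.snapshot; sysctl_dropin sysctl.snapshot
snapshot=$(make_sample_sysctl_snapshot)
sysctl_audit "$snapshot"
echo "$(sysctl_deviation_count "$snapshot") deviations; proposed drop-in:"
sysctl_dropin "$snapshot"
```

A key that is absent from the snapshot (fs.suid_dumpable in the sample) is reported as MISSING rather than silently treated as compliant, and still appears in the generated drop-in. The "default." keys only affect interfaces created after the setting is applied, so a reboot or sysctl --system followed by a second snapshot is the proper re-test.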
root@server:~# systemctl list-unit-files
UNIT FILE  STATE  VENDOR PRESET
proc-sys-fs-binfmt_misc.automount  static  enabled
-.mount  generated  enabled
boot-efi.mount  generated  enabled
dev-hugepages.mount  static  enabled
dev-mqueue.mount  static  enabled
proc-sys-fs-binfmt_misc.mount  disabled  enabled
snap-core20-1611.mount  enabled  enabled
snap-core20-1623.mount  enabled  enabled
snap-lxd-22753.mount  enabled  enabled
snap-snapd-16778.mount  enabled  enabled
snap-snapd-17029.mount  enabled  enabled
sys-fs-fuse-connections.mount  static  enabled
sys-kernel-config.mount  static  enabled
sys-kernel-debug.mount  static  enabled
sys-kernel-tracing.mount  static  enabled
apport-autoreport.path  enabled  enabled
systemd-ask-password-console.path  static  enabled
systemd-ask-password-plymouth.path  static  enabled
systemd-ask-password-wall.path  static  enabled
session-3414.scope  transient  enabled
session-3423.scope  transient  enabled
session-3426.scope  transient  enabled
accounts-daemon.service  enabled  enabled
apparmor.service  enabled  enabled
apport-autoreport.service  static  enabled
apport-forward@.service  static  enabled
apport.service  generated  enabled
apt-daily-upgrade.service  static  enabled
apt-daily.service  static  enabled
atd.service  enabled  enabled
autovt@.service  enabled  enabled
blk-availability.service  enabled  enabled
bolt.service  static  enabled
clean-mount-point@.service  static  enabled
cloud-config.service  enabled  enabled
cloud-final.service  enabled  enabled
cloud-init-hotplugd.service  static  enabled
cloud-init-local.service  enabled  enabled
cloud-init.service  enabled  enabled
console-getty.service  disabled  disabled
console-setup.service  enabled  enabled
container-getty@.service  static  enabled
containerd.service  enabled  enabled
cron.service  enabled  enabled
cryptdisks-early.service  masked  enabled
cryptdisks.service  masked  enabled
dbus-org.freedesktop.hostname1.service  static  enabled
dbus-org.freedesktop.locale1.service  static  enabled
dbus-org.freedesktop.login1.service  static  enabled
dbus-org.freedesktop.ModemManager1.service  enabled  enabled
dbus-org.freedesktop.resolve1.service  enabled  enabled
dbus-org.freedesktop.timedate1.service  static  enabled
dbus-org.freedesktop.timesync1.service  enabled  enabled
dbus.service  static  enabled
debug-shell.service  disabled  disabled
dm-event.service  static  enabled
dmesg.service  enabled  enabled
docker.service  enabled  enabled
droplet-agent.service  enabled  enabled
e2scrub@.service  static  enabled
e2scrub_all.service  static  enabled
e2scrub_fail@.service  static  enabled
e2scrub_reap.service  enabled  enabled
emergency.service  static  enabled
finalrd.service  enabled  enabled
friendly-recovery.service  static  enabled
fstrim.service  static  enabled
fwupd-offline-update.service  static  enabled
fwupd-refresh.service  static  disabled
fwupd.service  static  enabled
getty-static.service  static  enabled
getty@.service  enabled  enabled
grub-common.service  enabled  enabled
grub-initrd-fallback.service  enabled  enabled
hwclock.service  masked  enabled
initrd-cleanup.service  static  enabled
initrd-parse-etc.service  static  enabled
initrd-switch-root.service  static  enabled
initrd-udevadm-cleanup-db.service  static  enabled
irqbalance.service  enabled  enabled
iscsi.service  enabled  enabled
iscsid.service  disabled  enabled
keyboard-setup.service  enabled  enabled
kmod-static-nodes.service  static  enabled
kmod.service  static  enabled
logrotate.service  static  enabled
lvm2-lvmpolld.service  static  enabled
lvm2-monitor.service  enabled  enabled
lvm2-pvscan@.service  static  enabled
lvm2.service  masked  enabled
lxd-agent-9p.service  enabled  enabled
lxd-agent.service  enabled  enabled
man-db.service  static  enabled
mdadm-grow-continue@.service  static  enabled
mdadm-last-resort@.service  static  enabled
mdcheck_continue.service  static  enabled
mdcheck_start.service  static  enabled
mdmon@.service  static  enabled
mdmonitor-oneshot.service  static  enabled
mdmonitor.service  static  enabled
metasploit-config-swapper.service  static  enabled
metasploit-env.service  static  enabled
metasploit-postgresql-env.service  static  enabled
metasploit-postgresql.service  static  enabled
metasploit-prosvc.service  static  enabled
metasploit-ui.service  static  enabled
metasploit-update.service  static  enabled
metasploit-worker.service  static  enabled
metasploit.service  static  enabled
ModemManager.service  enabled  enabled
modprobe@.service  static  enabled
motd-news.service  static  enabled
multipath-tools-boot.service  masked  enabled
multipath-tools.service  enabled  enabled
multipathd.service  enabled  enabled
netplan-ovs-cleanup.service  enabled-runtime  enabled
networkd-dispatcher.service  enabled  enabled
ondemand.service  enabled  enabled
open-iscsi.service  enabled  enabled
open-vm-tools.service  enabled  enabled
packagekit-offline-update.service  static  enabled
packagekit.service  static  enabled
phpsessionclean.service  static  enabled
plymouth-halt.service  static  enabled
plymouth-kexec.service  static  enabled
plymouth-log.service  static  enabled
plymouth-poweroff.service  static  enabled
plymouth-quit-wait.service  static  enabled
plymouth-quit.service  static  enabled
plymouth-read-write.service  static  enabled
plymouth-reboot.service  static  enabled
plymouth-start.service  static  enabled
plymouth-switch-root.service  static  enabled
plymouth.service  static  enabled
polkit.service  static  enabled
pollinate.service  enabled  enabled
procps.service  static  enabled
quotaon.service  static  enabled
rc-local.service  static  enabled
rc.service  masked  enabled
rcS.service  masked  enabled
rescue.service  static  enabled
rsync.service  enabled  enabled
rsyslog.service  enabled  enabled
screen-cleanup.service  masked  enabled
secureboot-db.service  enabled  enabled
serial-getty@.service  indirect  enabled
setvtrgb.service  enabled  enabled
snap.lxd.activate.service  enabled  enabled
snap.lxd.daemon.service  static  enabled
snapd.apparmor.service  enabled  enabled
snapd.autoimport.service  enabled  enabled
snapd.core-fixup.service  enabled  enabled
snapd.failure.service  static  enabled
snapd.recovery-chooser-trigger.service  enabled  enabled
snapd.seeded.service  enabled  enabled
snapd.service  enabled  enabled
snapd.snap-repair.service  static  enabled
snapd.system-shutdown.service  enabled  enabled
ssh.service  enabled  enabled
ssh@.service  static  enabled
sshd.service  enabled  enabled
sudo.service  masked  enabled
syslog.service  enabled  enabled
system-update-cleanup.service  static  enabled
systemd-ask-password-console.service  static  enabled
systemd-ask-password-plymouth.service  static  enabled
systemd-ask-password-wall.service  static  enabled
systemd-backlight@.service  static  enabled
systemd-binfmt.service  static  enabled
systemd-bless-boot.service  static  enabled
systemd-boot-check-no-failures.service  disabled  enabled
systemd-boot-system-token.service  static  enabled
systemd-exit.service  static  enabled
systemd-fsck-root.service  enabled-runtime  enabled
systemd-fsck@.service  static  enabled
systemd-fsckd.service  static  enabled
systemd-halt.service  static  enabled
systemd-hibernate-resume@.service  static  enabled
systemd-hibernate.service  static  enabled
systemd-hostnamed.service  static  enabled
systemd-hwdb-update.service  static  enabled
systemd-hybrid-sleep.service  static  enabled
systemd-initctl.service  static  enabled
systemd-journal-flush.service  static  enabled
systemd-journald.service  static  enabled
systemd-journald@.service  static  enabled
systemd-kexec.service  static  enabled
systemd-localed.service  static  enabled
systemd-logind.service  static  enabled
systemd-machine-id-commit.service  static  enabled
systemd-modules-load.service  static  enabled
systemd-network-generator.service  disabled  enabled
systemd-networkd-wait-online.service  enabled  enabled
systemd-networkd.service  enabled  enabled
systemd-poweroff.service  static  enabled
systemd-pstore.service  enabled  enabled
systemd-quotacheck.service  static  enabled
systemd-random-seed.service  static  enabled
systemd-reboot.service  static  enabled
systemd-remount-fs.service  enabled-runtime  enabled
systemd-resolved.service  enabled  enabled
systemd-rfkill.service  static  enabled
systemd-suspend-then-hibernate.service  static  enabled
systemd-suspend.service  static  enabled
systemd-sysctl.service  static  enabled
systemd-sysusers.service  static  enabled
systemd-time-wait-sync.service  disabled  enabled
systemd-timedated.service  static  enabled
systemd-timesyncd.service  enabled  enabled
systemd-tmpfiles-clean.service  static  enabled
systemd-tmpfiles-setup-dev.service  static  enabled
systemd-tmpfiles-setup.service  static  enabled
systemd-udev-settle.service  static  enabled
systemd-udev-trigger.service  static  enabled
systemd-udevd.service  static  enabled
systemd-update-utmp-runlevel.service  static  enabled
systemd-update-utmp.service  static  enabled
systemd-user-sessions.service  static  enabled
systemd-volatile-root.service  static  enabled
ua-reboot-cmds.service  enabled  enabled
ua-timer.service  static  enabled
ubuntu-advantage.service  enabled  enabled
ubuntu-fan.service  enabled  enabled
udev.service  static  enabled
udisks2.service  enabled  enabled
ufw.service  enabled  enabled
unattended-upgrades.service  enabled  enabled
usb_modeswitch@.service  static  enabled
user-runtime-dir@.service  static  enabled
user@.service  static  enabled
uuidd.service  indirect  enabled
vgauth.service  enabled  enabled
vmtoolsd.service  enabled  enabled
x11-common.service  masked  enabled
xfs_scrub@.service  static  enabled
xfs_scrub_all.service  static  enabled
xfs_scrub_fail@.service  static  enabled
machine.slice  static  enabled
system-systemd\x2dcryptsetup.slice  static  enabled
user.slice  static  enabled
apport-forward.socket  enabled  enabled
cloud-init-hotplugd.socket  enabled  enabled
dbus.socket  static  enabled
dm-event.socket  enabled  enabled
docker.socket  enabled  enabled
iscsid.socket  enabled  enabled
lvm2-lvmpolld.socket  enabled  enabled
multipathd.socket  enabled  enabled
snap.lxd.daemon.unix.socket  enabled  enabled
snapd.socket  enabled  enabled
ssh.socket  disabled  enabled
syslog.socket  static  disabled
systemd-fsckd.socket  static  enabled
systemd-initctl.socket  static  enabled
systemd-journald-audit.socket  static  enabled
systemd-journald-dev-log.socket  static  enabled
systemd-journald-varlink@.socket  static  enabled
systemd-journald.socket  static  enabled
systemd-journald@.socket  static  enabled
systemd-networkd.socket  enabled  enabled
systemd-rfkill.socket  static  enabled
systemd-udevd-control.socket  static  enabled
systemd-udevd-kernel.socket  static  enabled
uuidd.socket  enabled  enabled
basic.target  static  enabled
blockdev@.target  static  enabled
bluetooth.target  static  enabled
boot-complete.target  static  enabled
cloud-config.target  static  enabled
cloud-init.target  enabled-runtime  enabled
cryptsetup-pre.target  static  disabled
cryptsetup.target  static  enabled
ctrl-alt-del.target  disabled  enabled
default.target  static  enabled
emergency.target  static  enabled
exit.target  disabled  disabled
final.target  static  enabled
friendly-recovery.target  static  enabled
getty-pre.target  static  disabled
getty.target  static  enabled
graphical.target  static  enabled
halt.target  disabled  disabled
hibernate.target  static  enabled
hybrid-sleep.target  static  enabled
initrd-fs.target  static  enabled
initrd-root-device.target  static  enabled
initrd-root-fs.target  static  enabled
initrd-switch-root.target  static  enabled
initrd.target  static  enabled
kexec.target  disabled  disabled
local-fs-pre.target  static  disabled
local-fs.target  static  enabled
metasploit.target  enabled  enabled
multi-user.target  static  enabled
network-online.target  static  enabled
network-pre.target  static  disabled
network.target  static  disabled
nss-lookup.target  static  disabled
nss-user-lookup.target  static  disabled
paths.target  static  enabled
poweroff.target  disabled  disabled
printer.target  static  enabled
reboot.target  disabled  enabled
remote-cryptsetup.target  disabled  enabled
remote-fs-pre.target  static  disabled
remote-fs.target  enabled  enabled
rescue-ssh.target  static  enabled
rescue.target  static  disabled
rpcbind.target  static  disabled
runlevel0.target  disabled  enabled
runlevel1.target  static  enabled
runlevel2.target  static  enabled
runlevel3.target  static  enabled
runlevel4.target  static  enabled
runlevel5.target  static  enabled
runlevel6.target  disabled  enabled
shutdown.target  static  enabled
sigpwr.target  static  enabled
sleep.target  static  enabled
slices.target  static  enabled
smartcard.target  static  enabled
sockets.target  static  enabled
sound.target  static  enabled
suspend-then-hibernate.target  static  enabled
suspend.target  static  enabled
swap.target  static  enabled
sysinit.target  static  enabled
system-update-pre.target  static  enabled
system-update.target  static  enabled
time-set.target  static  disabled
time-sync.target  static  disabled
timers.target  static  enabled
umount.target  static  enabled
apt-daily-upgrade.timer  enabled  enabled
apt-daily.timer  enabled  enabled
e2scrub_all.timer  enabled  enabled
fstrim.timer  enabled  enabled
fwupd-refresh.timer  enabled  enabled
logrotate.timer  enabled  enabled
man-db.timer  enabled  enabled
mdadm-last-resort@.timer  static  enabled
mdcheck_continue.timer  enabled  enabled
mdcheck_start.timer  enabled  enabled
mdmonitor-oneshot.timer  enabled  enabled
motd-news.timer  enabled  enabled
phpsessionclean.timer  enabled  enabled
snapd.snap-repair.timer  enabled  enabled
systemd-tmpfiles-clean.timer  static  enabled
ua-timer.timer  enabled  enabled
xfs_scrub_all.timer  disabled  enabled
351 unit files listed.
root@server:# ./lunar.sh -a -v
Running: In audit mode (no changes will be made to system)
Auditing: OS
# SYSTEM INFORMATION:
Platform: OVH
Processor: x86_64
Machine: x86_64
Vendor: Ubuntu
Name: Linux
Version: 20
Update: 04
Security Warning Message
File permissions on /etc/issue
Secure: File /etc/issue has correct permissions [1 Passes]
Security message in /etc/issue
Warning: No security message in /etc/issue [1 Warnings]
File permissions on /etc/motd
Notice: File /etc/motd does not exist
Security message in /etc/motd
Warning: No security message in /etc/motd [2 Warnings]
File permissions on /etc/issue.net
Secure: File /etc/issue.net has correct permissions [2 Passes]
Security message in /etc/issue.net
Warning: No security message in /etc/issue.net [3 Warnings]
SSH
SSH Configuration
File permissions on /etc/ssh/sshd_config
Warning: File /etc/ssh/sshd_config has incorrect permissions [4 Warnings]
[ Fix ] chmod 0600 /etc/ssh/sshd_config
[ Fix ] chown root:root /etc/ssh/sshd_config
Value of UseLogin is set to no in /etc/ssh/sshd_config
Warning: Parameter "UseLogin" not set to "no" in /etc/ssh/sshd_config [5 Warnings]
[ Fix ] echo "UseLogin no" >> /etc/ssh/sshd_config
Value of Protocol is set to 2 in /etc/ssh/sshd_config
Warning: Parameter "Protocol" not set to "2" in /etc/ssh/sshd_config [6 Warnings]
[ Fix ] echo "Protocol 2" >> /etc/ssh/sshd_config
Value of X11Forwarding is set to no in /etc/ssh/sshd_config
Secure: Parameter "X11Forwarding" is set to "no" in /etc/ssh/sshd_config [3 Passes]
Value of MaxAuthTries is set to 3 in /etc/ssh/sshd_config
Warning: Parameter "MaxAuthTries" not set to "3" in /etc/ssh/sshd_config [7 Warnings]
[ Fix ] echo "MaxAuthTries 3" >> /etc/ssh/sshd_config
Value of MaxAuthTriesLog is set to 0 in /etc/ssh/sshd_config
Warning: Parameter "MaxAuthTriesLog" not set to "0" in /etc/ssh/sshd_config [8 Warnings]
[ Fix ] echo "MaxAuthTriesLog 0" >> /etc/ssh/sshd_config
Value of RhostsAuthentication is set to no in /etc/ssh/sshd_config
Warning: Parameter "RhostsAuthentication" not set to "no" in /etc/ssh/sshd_config [9 Warnings]
[ Fix ] echo "RhostsAuthentication no" >> /etc/ssh/sshd_config
Value of IgnoreRhosts is set to yes in /etc/ssh/sshd_config
Secure: Parameter "IgnoreRhosts" is set to "yes" in /etc/ssh/sshd_config [4 Passes]
Value of StrictModes is set to yes in /etc/ssh/sshd_config
Secure: Parameter "StrictModes" is set to "yes" in /etc/ssh/sshd_config [5 Passes]
Value of AllowTcpForwarding is set to no in /etc/ssh/sshd_config
Secure: Parameter "AllowTcpForwarding" is set to "no" in /etc/ssh/sshd_config [6 Passes]
Value of ServerKeyBits is set to 1024 in /etc/ssh/sshd_config
Warning: Parameter "ServerKeyBits" not set to "1024" in /etc/ssh/sshd_config [10 Warnings]
[ Fix ] echo "ServerKeyBits 1024" >> /etc/ssh/sshd_config
Value of GatewayPorts is set to no in /etc/ssh/sshd_config
Secure: Parameter "GatewayPorts" is set to "no" in /etc/ssh/sshd_config [7 Passes]
Value of RhostsRSAAuthentication is set to no in /etc/ssh/sshd_config
Warning: Parameter "RhostsRSAAuthentication" not set to "no" in /etc/ssh/sshd_config [11 Warnings]
[ Fix ] echo "RhostsRSAAuthentication no" >> /etc/ssh/sshd_config
Value of PermitRootLogin is set to no in /etc/ssh/sshd_config
Warning: Parameter "PermitRootLogin" not set to "no" in /etc/ssh/sshd_config [12 Warnings]
[ Fix ] echo "PermitRootLogin no" >> /etc/ssh/sshd_config
Value of PermitEmptyPasswords is set to no in /etc/ssh/sshd_config
Secure: Parameter "PermitEmptyPasswords" is set to "no" in /etc/ssh/sshd_config [8 Passes]
Value of PermitUserEnvironment is set to no in /etc/ssh/sshd_config
Secure: Parameter "PermitUserEnvironment" is set to "no" in /etc/ssh/sshd_config [9 Passes]
Value of HostbasedAuthentication is set to no in /etc/ssh/sshd_config
Secure: Parameter "HostbasedAuthentication" is set to "no" in /etc/ssh/sshd_config [10 Passes]
Value of Banner is set to /etc/issue in /etc/ssh/sshd_config
Warning: Parameter "Banner" not set to "/etc/issue" in /etc/ssh/sshd_config [13 Warnings]
[ Fix ] echo "Banner /etc/issue" >> /etc/ssh/sshd_config
Value of PrintMotd is set to no in /etc/ssh/sshd_config
Secure: Parameter "PrintMotd" is set to "no" in /etc/ssh/sshd_config [11 Passes]
Value of ClientAliveInterval is set to 300 in /etc/ssh/sshd_config
Warning: Parameter "ClientAliveInterval" not set to "300" in /etc/ssh/sshd_config [14 Warnings]
[ Fix ] echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
Value of ClientAliveCountMax is set to 0 in /etc/ssh/sshd_config
Warning: Parameter "ClientAliveCountMax" not set to "0" in /etc/ssh/sshd_config [15 Warnings]
[ Fix ] echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
Value of LogLevel is set to VERBOSE in /etc/ssh/sshd_config
Warning: Parameter "LogLevel" not set to "VERBOSE" in /etc/ssh/sshd_config [16 Warnings]
[ Fix ] echo "LogLevel VERBOSE" >> /etc/ssh/sshd_config
Value of RSAAuthentication is set to no in /etc/ssh/sshd_config
Warning: Parameter "RSAAuthentication" not set to "no" in /etc/ssh/sshd_config [17 Warnings]
[ Fix ] echo "RSAAuthentication no" >> /etc/ssh/sshd_config
Value of UsePrivilegeSeparation is set to yes|sandbox in /etc/ssh/sshd_config
Warning: Parameter "UsePrivilegeSeparation" not set to "yes|sandbox" in /etc/ssh/sshd_config [18 Warnings]
[ Fix ] echo "UsePrivilegeSeparation yes|sandbox" >> /etc/ssh/sshd_config
Value of LoginGraceTime is set to 120 in /etc/ssh/sshd_config
Warning: Parameter "LoginGraceTime" not set to "120" in /etc/ssh/sshd_config [19 Warnings]
[ Fix ] echo "LoginGraceTime 120" >> /etc/ssh/sshd_config
SSH Forwarding
Value of AllowTcpForwarding is set to no in /etc/ssh/sshd_config
Secure: Parameter "AllowTcpForwarding" is set to "no" in /etc/ssh/sshd_config [12 Passes]
Telnet and Rlogin Services
Telnet and Rlogin Services
Service telnet is disabled
Service login is disabled
Service rlogin is disabled
Service rsh is disabled
Service shell is disabled
Warnings for Standard Login Services
File /etc/motd exists
Warning: File /etc/motd does not exist [20 Warnings]
File /etc/issue exists
Secure: File /etc/issue exists [13 Passes]
File permissions on /etc/issue
Secure: File /etc/issue has correct permissions [14 Passes]
Service xinetd is disabled
Talk Client
Package talk is uninstalled
Secure: Package talk is uninstalled [15 Passes]
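The SSH fixes above append lines with `echo ... >> /etc/ssh/sshd_config`; sshd uses the first value it finds for a keyword, so an appended line never overrides an earlier setting, a line added after a Match block applies only inside that block, and a keyword OpenSSH does not know (MaxAuthTriesLog, for example, is not an OpenSSH keyword) makes sshd reject the whole file. The helper below is an added example, not code from the page or from lunar.sh, that sets a global directive in place and validates the file with sshd's own parser before anything is restarted; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the page or from lunar.sh. Function names are
# my own. Sets a global sshd_config directive in place instead of appending a
# duplicate: sshd uses the first value it finds for a keyword, so a line
# appended with `echo ... >>` never overrides an earlier one, and anything
# placed after a Match block is conditional on that block.
set -eu

# set_sshd_option FILE KEY VALUE
# Replaces the first active or commented global "KEY ..." line (before any
# Match block) with "KEY VALUE"; if none exists, inserts "KEY VALUE" just
# before the first Match block, or at the end when there is none.
set_sshd_option() {
  cfg_file=$1; cfg_key=$2; cfg_value=$3
  cfg_tmp=$(mktemp)
  awk -v key="$cfg_key" -v value="$cfg_value" '
    BEGIN { done = 0; in_match = 0 }
    # From the first Match block onward every line is conditional config.
    tolower($1) == "match" && !in_match {
      if (!done) { print key " " value; done = 1 }
      in_match = 1
    }
    !in_match && !done {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)       # drop a leading comment marker
      split(line, f, "[ \t=]+")
      if (tolower(f[1]) == tolower(key)) { print key " " value; done = 1; next }
    }
    { print }
    END { if (!done) print key " " value }
  ' "$cfg_file" > "$cfg_tmp"
  # Overwrite in place so the file keeps its mode and owner (0600 root:root).
  cat "$cfg_tmp" > "$cfg_file"
  rm -f "$cfg_tmp"
}

# effective_sshd_option FILE KEY
# Prints the global value sshd would take for KEY from this file alone
# (first uncommented occurrence before any Match block). Include directives
# are not followed, so on the live server `sshd -T` is the authoritative view.
effective_sshd_option() {
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# check_sshd_config FILE
# Runs sshd's own parser on FILE. An unknown keyword is reported here instead
# of stopping sshd at the next restart. Skipped when sshd is not installed.
check_sshd_config() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not installed; syntax check skipped" >&2
  fi
}

# Typical use on the host (as root), followed by `systemctl reload ssh`:
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
#   set_sshd_option /etc/ssh/sshd_config MaxAuthTries 3
#   check_sshd_config /etc/ssh/sshd_config
```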
PAM RHosts Configuration
Secure: Rhost authentication disabled in /etc/pam.d/atd [16 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/chfn [17 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/chpasswd [18 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/chsh [19 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/common-account [20 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/common-auth [21 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/common-password [22 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/common-session [23 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/common-session-noninteractive [24 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/cron [25 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/login [26 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/newusers [27 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/other [28 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/passwd [29 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/polkit-1 [30 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/runuser [31 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/runuser-l [32 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/sshd [33 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/su [34 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/su-l [35 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/sudo [36 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/systemd-user [37 Passes]
Secure: Rhost authentication disabled in /etc/pam.d/vmtoolsd [38 Passes]
User Netrc Files
Secure: No user netrc files exist [39 Passes]
User RHosts Files
Secure: No user rhosts files exist [40 Passes]
Rhosts Files
File /.rhosts does not exist
Secure: File /.rhosts does not exist [41 Passes]
File /.shosts does not exist
Secure: File /.shosts does not exist [42 Passes]
File /root/.rhosts does not exist
Secure: File /root/.rhosts does not exist [43 Passes]
File /root/.shosts does not exist
Secure: File /root/.shosts does not exist [44 Passes]
File /etc/hosts.equiv does not exist
Secure: File /etc/hosts.equiv does not exist [45 Passes]
User Netrc Files
Dot Files
Secure: File /root/.netrc does not exist [46 Passes]
Secure: File /usr/sbin/.netrc does not exist [47 Passes]
Secure: File /bin/.netrc does not exist [48 Passes]
Secure: File /dev/.netrc does not exist [49 Passes]
Secure: File /bin/.netrc does not exist [50 Passes]
Secure: File /usr/games/.netrc does not exist [51 Passes]
Secure: File /var/cache/man/.netrc does not exist [52 Passes]
Secure: File /var/spool/lpd/.netrc does not exist [53 Passes]
Secure: File /var/mail/.netrc does not exist [54 Passes]
Secure: File /var/spool/news/.netrc does not exist [55 Passes]
Secure: File /var/spool/uucp/.netrc does not exist [56 Passes]
Secure: File /bin/.netrc does not exist [57 Passes]
Secure: File /var/www/.netrc does not exist [58 Passes]
Secure: File /var/backups/.netrc does not exist [59 Passes]
Secure: File /var/list/.netrc does not exist [60 Passes]
Secure: File /var/run/ircd/.netrc does not exist [61 Passes]
Secure: File /var/lib/gnats/.netrc does not exist [62 Passes]
Secure: File /nonexistent/.netrc does not exist [63 Passes]
Secure: File /run/systemd/.netrc does not exist [64 Passes]
Secure: File /run/systemd/.netrc does not exist [65 Passes]
Secure: File /run/systemd/.netrc does not exist [66 Passes]
Secure: File /nonexistent/.netrc does not exist [67 Passes]
Secure: File /home/syslog/.netrc does not exist [68 Passes]
Secure: File /nonexistent/.netrc does not exist [69 Passes]
Secure: File /var/lib/tpm/.netrc does not exist [70 Passes]
Secure: File /run/uuidd/.netrc does not exist [71 Passes]
Secure: File /nonexistent/.netrc does not exist [72 Passes]
Secure: File /run/sshd/.netrc does not exist [73 Passes]
Secure: File /var/lib/landscape/.netrc does not exist [74 Passes]
Secure: File /var/cache/pollinate/.netrc does not exist [75 Passes]
Secure: File /.netrc does not exist [76 Passes]
Secure: File /var/snap/lxd/common/lxd/.netrc does not exist [77 Passes]
Secure: File /var/lib/misc/.netrc does not exist [78 Passes]
Secure: File /home/postgres/.netrc does not exist [79 Passes]
Single User Mode Requires Password
Value of PROMPT_FOR_CONFIRM is set to no in /etc/sysconfig/boot
Warning: Parameter "PROMPT_FOR_CONFIRM" not set to "no" in /etc/sysconfig/boot [21 Warnings]
[ Fix ] echo "PROMPT_FOR_CONFIRM=no" >> /etc/sysconfig/boot
System Accounting
Parameter -w /var/log/sudo.log -p wa -k actions is set in /etc/audit/audit.rules
Warning: Parameter "-w /var/log/sudo.log -p wa -k actions" does not exist in /etc/audit/audit.rules [22 Warnings]
[ Fix ] echo "-w /var/log/sudo.log -p wa -k actions" >> /etc/audit/audit.rules
Package sysstat is installed
Warning: Package sysstat is not installed [23 Warnings]
[ Fix ] echo "-w /var/log/sudo.log -p wa -k actions" >> /etc/audit/audit.rules
Value of ENABLED is set to true in /etc/default/sysstat
Warning: Parameter "ENABLED" not set to "true" in /etc/default/sysstat [24 Warnings]
[ Fix ] echo "ENABLED=true" >> /etc/default/sysstat
Warning: System accounting not enabled [25 Warnings]
[ Fix ] apt-get install sysstat
Parameter -f 1 is set in /etc/audit/audit.rules
Warning: Parameter "-f 1" does not exist in /etc/audit/audit.rules [26 Warnings]
[ Fix ] echo "-f 1" >> /etc/audit/audit.rules
Parameter is set in /etc/audit/audit.rules
Warning: Parameter "" does not exist in /etc/audit/audit.rules [27 Warnings]
[ Fix ] echo "" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change" does not exist in /etc/audit/audit.rules [28 Warnings]
[ Fix ] echo "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change" does not exist in /etc/audit/audit.rules [29 Warnings]
[ Fix ] echo "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change" >> /etc/audit/audit.rules
Parameter -w /etc/localtime -p wa -k time-change is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/localtime -p wa -k time-change" does not exist in /etc/audit/audit.rules [30 Warnings]
[ Fix ] echo "-w /etc/localtime -p wa -k time-change" >> /etc/audit/audit.rules
Parameter -w /etc/group -p wa -k identity is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/group -p wa -k identity" does not exist in /etc/audit/audit.rules [31 Warnings]
[ Fix ] echo "-w /etc/group -p wa -k identity" >> /etc/audit/audit.rules
Parameter -w /etc/passwd -p wa -k identity is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/passwd -p wa -k identity" does not exist in /etc/audit/audit.rules [32 Warnings]
[ Fix ] echo "-w /etc/passwd -p wa -k identity" >> /etc/audit/audit.rules
Parameter -w /etc/gshadow -p wa -k identity is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/gshadow -p wa -k identity" does not exist in /etc/audit/audit.rules [33 Warnings]
[ Fix ] echo "-w /etc/gshadow -p wa -k identity" >> /etc/audit/audit.rules
Parameter -w /etc/shadow -p wa -k identity is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/shadow -p wa -k identity" does not exist in /etc/audit/audit.rules [34 Warnings]
[ Fix ] echo "-w /etc/shadow -p wa -k identity" >> /etc/audit/audit.rules
Parameter -w /etc/security/opasswd -p wa -k identity is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/security/opasswd -p wa -k identity" does not exist in /etc/audit/audit.rules [35 Warnings]
[ Fix ] echo "-w /etc/security/opasswd -p wa -k identity" >> /etc/audit/audit.rules
Parameter -a exit,always -F arch=b32 -S sethostname,setdomainname -k system-locale is set in /etc/audit/audit.rules
Warning: Parameter "-a exit,always -F arch=b32 -S sethostname,setdomainname -k system-locale" does not exist in /etc/audit/audit.rules [36 Warnings]
[ Fix ] echo "-a exit,always -F arch=b32 -S sethostname,setdomainname -k system-locale" >> /etc/audit/audit.rules
Parameter -a exit,always -F arch=b64 -S sethostname,setdomainname -k system-locale is set in /etc/audit/audit.rules
Warning: Parameter "-a exit,always -F arch=b64 -S sethostname,setdomainname -k system-locale" does not exist in /etc/audit/audit.rules [37 Warnings]
[ Fix ] echo "-a exit,always -F arch=b64 -S sethostname,setdomainname -k system-locale" >> /etc/audit/audit.rules
Parameter -w /etc/issue -p wa -k system-locale is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/issue -p wa -k system-locale" does not exist in /etc/audit/audit.rules [38 Warnings]
[ Fix ] echo "-w /etc/issue -p wa -k system-locale" >> /etc/audit/audit.rules
Parameter -w /etc/issue.net -p wa -k system-locale is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/issue.net -p wa -k system-locale" does not exist in /etc/audit/audit.rules [39 Warnings]
[ Fix ] echo "-w /etc/issue.net -p wa -k system-locale" >> /etc/audit/audit.rules
Parameter -w /etc/hosts -p wa -k system-locale is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/hosts -p wa -k system-locale" does not exist in /etc/audit/audit.rules [40 Warnings]
[ Fix ] echo "-w /etc/hosts -p wa -k system-locale" >> /etc/audit/audit.rules
Parameter -w /etc/sysconfig/network -p wa -k system-locale is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/sysconfig/network -p wa -k system-locale" does not exist in /etc/audit/audit.rules [41 Warnings]
[ Fix ] echo "-w /etc/sysconfig/network -p wa -k system-locale" >> /etc/audit/audit.rules
Parameter -w /etc/selinux/ -p wa -k MAC-policy is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/selinux/ -p wa -k MAC-policy" does not exist in /etc/audit/audit.rules [42 Warnings]
[ Fix ] echo "-w /etc/selinux/ -p wa -k MAC-policy" >> /etc/audit/audit.rules
Parameter -w /etc/apparmor/ -p wa -k MAC-policy is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/apparmor/ -p wa -k MAC-policy" does not exist in /etc/audit/audit.rules [43 Warnings]
[ Fix ] echo "-w /etc/apparmor/ -p wa -k MAC-policy" >> /etc/audit/audit.rules
Parameter -w /etc/apparmor.d/ -p wa -k MAC-policy is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/apparmor.d/ -p wa -k MAC-policy" does not exist in /etc/audit/audit.rules [44 Warnings]
[ Fix ] echo "-w /etc/apparmor.d/ -p wa -k MAC-policy" >> /etc/audit/audit.rules
Parameter -w /var/log/faillog -p wa -k logins is set in /etc/audit/audit.rules
Warning: Parameter "-w /var/log/faillog -p wa -k logins" does not exist in /etc/audit/audit.rules [45 Warnings]
[ Fix ] echo "-w /var/log/faillog -p wa -k logins" >> /etc/audit/audit.rules
Parameter -w /var/log/lastlog -p wa -k logins is set in /etc/audit/audit.rules
Warning: Parameter "-w /var/log/lastlog -p wa -k logins" does not exist in /etc/audit/audit.rules [46 Warnings]
[ Fix ] echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/audit.rules
Parameter -w /var/run/faillock -p wa -k logins is set in /etc/audit/audit.rules
Warning: Parameter "-w /var/run/faillock -p wa -k logins" does not exist in /etc/audit/audit.rules [47 Warnings]
[ Fix ] echo "-w /var/run/faillock -p wa -k logins" >> /etc/audit/audit.rules
Parameter -w /var/run/utmp -p wa -k session is set in /etc/audit/audit.rules
Warning: Parameter "-w /var/run/utmp -p wa -k session" does not exist in /etc/audit/audit.rules [48 Warnings]
[ Fix ] echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/audit.rules
Parameter -w /var/log/btmp -p wa -k session is set in /etc/audit/audit.rules
Warning: Parameter "-w /var/log/btmp -p wa -k session" does not exist in /etc/audit/audit.rules [49 Warnings]
[ Fix ] echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/audit.rules
Parameter -w /var/log/wtmp -p wa -k session is set in /etc/audit/audit.rules
Warning: Parameter "-w /var/log/wtmp -p wa -k session" does not exist in /etc/audit/audit.rules [50 Warnings]
[ Fix ] echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/audit.rules
Parameter -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng" does not exist in /etc/audit/audit.rules [51 Warnings]
[ Fix ] echo "-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng" >> /etc/audit/audit.rules
Parameter -a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng" does not exist in /etc/audit/audit.rules [52 Warnings]
[ Fix ] echo "-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng" >> /etc/audit/audit.rules
Parameter -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng" does not exist in /etc/audit/audit.rules [53 Warnings]
[ Fix ] echo "-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation" does not exist in /etc/audit/audit.rules [54 Warnings]
[ Fix ] echo "-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation" does not exist in /etc/audit/audit.rules [55 Warnings]
[ Fix ] echo "-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [56 Warnings]
[ Fix ] echo "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [57 Warnings]
[ Fix ] echo "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [58 Warnings]
[ Fix ] echo "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [59 Warnings]
[ Fix ] echo "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [60 Warnings]
[ Fix ] echo "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [61 Warnings]
[ Fix ] echo "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" does not exist in /etc/audit/audit.rules [62 Warnings]
[ Fix ] echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" does not exist in /etc/audit/audit.rules [63 Warnings]
[ Fix ] echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" does not exist in /etc/audit/audit.rules [64 Warnings]
[ Fix ] echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" does not exist in /etc/audit/audit.rules [65 Warnings]
[ Fix ] echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
Parameter -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd" does not exist in /etc/audit/audit.rules [66 Warnings]
[ Fix ] echo "-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export" does not exist in /etc/audit/audit.rules [67 Warnings]
[ Fix ] echo "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export" does not exist in /etc/audit/audit.rules [68 Warnings]
[ Fix ] echo "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export" >> /etc/audit/audit.rules
Parameter -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod" does not exist in /etc/audit/audit.rules [69 Warnings]
[ Fix ] echo "-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" does not exist in /etc/audit/audit.rules [70 Warnings]
[ Fix ] echo "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" does not exist in /etc/audit/audit.rules [71 Warnings]
[ Fix ] echo "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" >> /etc/audit/audit.rules
Parameter -w /etc/sudoers -p wa -k scope is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/sudoers -p wa -k scope" does not exist in /etc/audit/audit.rules [72 Warnings]
[ Fix ] echo "-w /etc/sudoers -p wa -k scope" >> /etc/audit/audit.rules
Parameter -w /etc/sudoers.d -p wa -k scope is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/sudoers.d -p wa -k scope" does not exist in /etc/audit/audit.rules [73 Warnings]
[ Fix ] echo "-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/audit.rules
Parameter -w /etc/sudoers -p wa -k actions is set in /etc/audit/audit.rules
Warning: Parameter "-w /etc/sudoers -p wa -k actions" does not exist in /etc/audit/audit.rules [74 Warnings]
[ Fix ] echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/audit.rules
Parameter -w /var/log/sudo.log -p wa -k sudo_log_file is set in /etc/audit/audit.rules
Warning: Parameter "-w /var/log/sudo.log -p wa -k sudo_log_file" does not exist in /etc/audit/audit.rules [75 Warnings]
[ Fix ] echo "-w /var/log/sudo.log -p wa -k sudo_log_file" >> /etc/audit/audit.rules
Parameter -w /sbin/insmod -p x -k modules is set in /etc/audit/audit.rules
Warning: Parameter "-w /sbin/insmod -p x -k modules" does not exist in /etc/audit/audit.rules [76 Warnings]
[ Fix ] echo "-w /sbin/insmod -p x -k modules" >> /etc/audit/audit.rules
Parameter -w /sbin/rmmod -p x -k modules is set in /etc/audit/audit.rules
Warning: Parameter "-w /sbin/rmmod -p x -k modules" does not exist in /etc/audit/audit.rules [77 Warnings]
[ Fix ] echo "-w /sbin/rmmod -p x -k modules" >> /etc/audit/audit.rules
Parameter -w /sbin/modprobe -p x -k modules is set in /etc/audit/audit.rules
Warning: Parameter "-w /sbin/modprobe -p x -k modules" does not exist in /etc/audit/audit.rules [78 Warnings]
[ Fix ] echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules" does not exist in /etc/audit/audit.rules [79 Warnings]
[ Fix ] echo "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules" >> /etc/audit/audit.rules
Parameter -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset - k kernel_modules is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset - k kernel_modules" does not exist in /etc/audit/audit.rules [80 Warnings]
[ Fix ] echo "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset - k kernel_modules" >> /etc/audit/audit.rules
Parameter -a always,exit -S init_module -S delete_module -k modules is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -S init_module -S delete_module -k modules" does not exist in /etc/audit/audit.rules [81 Warnings]
[ Fix ] echo "-a always,exit -S init_module -S delete_module -k modules" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" does not exist in /etc/audit/audit.rules [82 Warnings]
[ Fix ] echo "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts is set in /etc/audit/audit.rules
Warning: Parameter "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" does not exist in /etc/audit/audit.rules [83 Warnings]
[ Fix ] echo "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" >> /etc/audit/audit.rules
Parameter is set in /etc/audit/audit.rules
Warning: Parameter "" does not exist in /etc/audit/audit.rules [84 Warnings]
[ Fix ] echo "" >> /etc/audit/audit.rules
Parameter space_left_action = email is set in /etc/audit/audit.rules
Warning: Parameter "space_left_action = email" does not exist in /etc/audit/audit.rules [85 Warnings]
[ Fix ] echo "space_left_action = email" >> /etc/audit/audit.rules
Parameter action_mail_acct = email is set in /etc/audit/audit.rules
Warning: Parameter "action_mail_acct = email" does not exist in /etc/audit/audit.rules [86 Warnings]
[ Fix ] echo "action_mail_acct = email" >> /etc/audit/audit.rules
Parameter admin_space_left_action = email is set in /etc/audit/audit.rules
Warning: Parameter "admin_space_left_action = email" does not exist in /etc/audit/audit.rules [87 Warnings]
[ Fix ] echo "admin_space_left_action = email" >> /etc/audit/audit.rules
Parameter max_log_file = 8 is set in /etc/audit/audit.rules
Warning: Parameter "max_log_file = 8" does not exist in /etc/audit/audit.rules [88 Warnings]
[ Fix ] echo "max_log_file = 8" >> /etc/audit/audit.rules
Parameter max_log_file_action = keep_logs is set in /etc/audit/audit.rules
Warning: Parameter "max_log_file_action = keep_logs" does not exist in /etc/audit/audit.rules [89 Warnings]
[ Fix ] echo "max_log_file_action = keep_logs" >> /etc/audit/audit.rules
Parameter -e 2 is set in /etc/audit/audit.rules
Warning: Parameter "-e 2" does not exist in /etc/audit/audit.rules [90 Warnings]
[ Fix ] echo "-e 2" >> /etc/audit/audit.rules
Service sysstat is enabled
Service auditd is enabled
Prelinking
Package prelink is uninstalled
Secure: Package prelink is uninstalled [80 Passes]
AIDE
Package aide is installed
Warning: Package aide is not installed [91 Warnings]
./lunar.sh: 69: /usr/sbin/aide: not found
Package aide-common is installed
Warning: Package aide-common is not installed [92 Warnings]
Parameter 0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check is set in /etc/cron.d/aide
Warning: Parameter "0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" does not exist in /etc/cron.d/aide [93 Warnings]
[ Fix ] echo "0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" >> /etc/cron.d/aide
Value of /sbin/auditctl is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf
Warning: Parameter "/sbin/auditctl" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [94 Warnings]
[ Fix ] echo "/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
Value of /sbin/auditd is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf Warning: Parameter "/sbin/auditd" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [95 Warnings]
[ Fix ] echo "/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
Value of /sbin/ausearch is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf Warning: Parameter "/sbin/ausearch" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [96 Warnings]
[ Fix ] echo "/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
Value of /sbin/aureport is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf Warning: Parameter "/sbin/aureport" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [97 Warnings]
[ Fix ] echo "/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
Value of /sbin/autrace is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf Warning: Parameter "/sbin/autrace" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [98 Warnings]
[ Fix ] echo "/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
Value of /sbin/augenrules is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf Warning: Parameter "/sbin/augenrules" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [99 Warnings]
[ Fix ] echo "/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
TCP Wrappers
Value of ALL is set to ALL in /etc/hosts.deny
Warning: Parameter "ALL" not set to " ALL" in /etc/hosts.deny [100 Warnings]
[ Fix ] echo "ALL: ALL" >> /etc/hosts.deny
Value of ALL is set to localhost in /etc/hosts.allow Warning: Parameter "ALL" not set to " localhost" in /etc/hosts.allow [101 Warnings]
[ Fix ] echo "ALL: localhost" >> /etc/hosts.allow
Value of ALL is set to 127.0.0.1 in /etc/hosts.allow Warning: Parameter "ALL" not set to " 127.0.0.1" in /etc/hosts.allow [102 Warnings]
[ Fix ] echo "ALL: 127.0.0.1" >> /etc/hosts.allow
File permissions on /etc/hosts.deny
Secure: File /etc/hosts.deny has correct permissions [81 Passes]
File permissions on /etc/hosts.allow
Secure: File /etc/hosts.allow has correct permissions [82 Passes]
Package tcpd is installed
Warning: Package tcpd is not installed [103 Warnings]
IP Tables
Package iptables is installed
Secure: Package iptables is installed [83 Passes]
Service iptables is enabled
Service ip6tables is enabled
Warning: All other devices allow trafic to the loopback network [104 Warnings]
PAM Authentication
Value of minlen is set to 14 in /etc/security/pwquality.conf
Warning: Parameter "minlen" not set to "14" in /etc/security/pwquality.conf [105 Warnings]
[ Fix ] echo "minlen=14" >> /etc/security/pwquality.conf
Value of dcredit is set to -1 in /etc/security/pwquality.conf Warning: Parameter "dcredit" not set to "-1" in /etc/security/pwquality.conf [106 Warnings]
[ Fix ] echo "dcredit=-1" >> /etc/security/pwquality.conf
Value of ocredit is set to -1 in /etc/security/pwquality.conf Warning: Parameter "ocredit" not set to "-1" in /etc/security/pwquality.conf [107 Warnings]
[ Fix ] echo "ocredit=-1" >> /etc/security/pwquality.conf
Value of ucredit is set to -1 in /etc/security/pwquality.conf Warning: Parameter "ucredit" not set to "-1" in /etc/security/pwquality.conf [108 Warnings]
[ Fix ] echo "ucredit=-1" >> /etc/security/pwquality.conf
Value of lcredit is set to -1 in /etc/security/pwquality.conf Warning: Parameter "lcredit" not set to "-1" in /etc/security/pwquality.conf [109 Warnings]
[ Fix ] echo "lcredit=-1" >> /etc/security/pwquality.conf
For nullok entry in /etc/pam.d/common-auth
Warning: Found nullok entry in /etc/pam.d/common-auth [110 Warnings]
[ Fix ] cp /etc/pam.d/common-auth /opt/LTRLlunar/tmp/temp_file
[ Fix ] cat /opt/LTRLlunar/tmp/temp_file |sed 's/ nullok//' > /etc/pam.d/common-auth
[ Fix ] rm /opt/LTRLlunar/tmp/temp_file
Lockout time for failed password attempts enabled in /etc/pam.d/common-auth
Warning: Lockout time for failed password attempts not enabled in /etc/pam.d/common-auth [111 Warnings]
[ Fix ] cp /etc/pam.d/common-auth /opt/LTRLlunar/tmp/temp_file
[ Fix ] cat /opt/LTRLlunar/tmp/temp_file |awk '( auth == "auth" && unlock_time == "required" && 900 == "pam_tally2.so" ) { print "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900"; print ./lunar.sh; next };' > /etc/pam.d/common-auth
[ Fix ] rm /opt/LTRLlunar/tmp/temp_file
File /etc/security/opasswd exists
Secure: File /etc/security/opasswd exists [84 Passes]
File permissions on /etc/security/opasswd
Secure: File /etc/security/opasswd has correct permissions [85 Passes]
Password entry remember set to 5 in /etc/pam.d/common-auth
Warning: Password entry remember is not set to 5 in /etc/pam.d/common-auth [112 Warnings]
[ Fix ] cp /etc/pam.d/common-auth /opt/LTRLlunar/tmp/temp_file
[ Fix ] cat /opt/LTRLlunar/tmp/temp_file |awk '( account == "password" && 5 == "pam_unix.so" ) { print ./lunar.sh " remember=5"; next };' > /etc/pam.d/common-auth
[ Fix ] rm /opt/LTRLlunar/tmp/temp_file
Password minimum strength enabled in /etc/pam.d/common-password
Warning: Password strength settings not enabled in /etc/pam.d/common-password [113 Warnings]
[ Fix ] cp /etc/pam.d/common-password /opt/LTRLlunar/tmp/temp_file
[ Fix ] cat /opt/LTRLlunar/tmp/temp_file |sed 's/^password\ssufficient\spam_unix.so/password sufficient pam_unix.so sha512/g' > /etc/pam.d/common-password
rm /opt/LTRLlunar/tmp/temp_file
The use of su is restricted by sudo
Warning: The use of su is not restricted by sudo in /etc/pam.d/su [114 Warnings]
[ Fix ] cp /etc/pam.d/su /opt/LTRLlunar/tmp/temp_file
[ Fix ] cat /opt/LTRLlunar/tmp/temp_file |sed 's/^auth.*use_uid$/& auth required pam_wheel.so use_uid /' > /etc/pam.d/su
[ Fix ] rm /opt/LTRLlunar/tmp/temp_file
Password Expiration Parameters on Active Accounts
Value of PASS_MAX_DAYS is set to 90 in /etc/login.defs
Warning: Parameter "PASS_MAX_DAYS" not set to "90" in /etc/login.defs [115 Warnings]
[ Fix ] echo "PASS_MAX_DAYS=90" >> /etc/login.defs
Value of PASS_MIN_DAYS is set to 7 in /etc/login.defs Warning: Parameter "PASS_MIN_DAYS" not set to "7" in /etc/login.defs [116 Warnings]
[ Fix ] echo "PASS_MIN_DAYS=7" >> /etc/login.defs
Value of PASS_WARN_AGE is set to 14 in /etc/login.defs Warning: Parameter "PASS_WARN_AGE" not set to "14" in /etc/login.defs [117 Warnings]
[ Fix ] echo "PASS_WARN_AGE=14" >> /etc/login.defs
Value of PASS_MIN_LEN is set to 9 in /etc/login.defs Warning: Parameter "PASS_MIN_LEN" not set to "9" in /etc/login.defs [118 Warnings]
[ Fix ] echo "PASS_MIN_LEN=9" >> /etc/login.defs
File permissions on /etc/login.defs Warning: File /etc/login.defs has incorrect permissions [119 Warnings]
[ Fix ] chmod 0640 /etc/login.defs [ Fix ] chown root:root /etc/login.defs
Group and Password File Permissions
File permissions on /etc/passwd
Secure: File /etc/passwd has correct permissions [86 Passes]
File permissions on /etc/group
Secure: File /etc/group has correct permissions [87 Passes]
File permissions on /etc/shadow
Warning: File /etc/shadow has incorrect permissions [120 Warnings]
[ Fix ] chmod 0600 /etc/shadow [ Fix ] chown root:root /etc/shadow
File permissions on /etc/gshadow Warning: File /etc/gshadow has incorrect permissions [121 Warnings]
[ Fix ] chmod 0600 /etc/gshadow [ Fix ] chown root:root /etc/gshadow
File permissions on /etc/group- Warning: File /etc/group- has incorrect permissions [122 Warnings]
[ Fix ] chmod 0600 /etc/group- [ Fix ] chown root:root /etc/group-
File permissions on /etc/passwd- Warning: File /etc/passwd- has incorrect permissions [123 Warnings]
[ Fix ] chmod 0600 /etc/passwd- [ Fix ] chown root:root /etc/passwd-
File permissions on /etc/shadow- Warning: File /etc/shadow- has incorrect permissions [124 Warnings]
[ Fix ] chmod 0600 /etc/shadow- [ Fix ] chown root:root /etc/shadow-
File permissions on /etc/gshadow- Warning: File /etc/gshadow- has incorrect permissions [125 Warnings]
[ Fix ] chmod 0600 /etc/gshadow- [ Fix ] chown root:root /etc/gshadow-
PAM SU Configuration
Warning: Wheel group membership not required for su in /etc/pam.d/su [126 Warnings]
[ Fix ] cp /etc/pam.d/su /opt/LTRLlunar/tmp/temp_file [ Fix ] cat /opt/LTRLlunar/tmp/temp_file |awk '( =="#auth" && =="required" && ~"pam_wheel.so" ) { print "auth required ",," use_uid"; next }; { print }' > /etc/pam.d/su [ Fix ] rm /opt/LTRLlunar/tmp/temp_file
PAM Deny Weak Authentication Services
Parameter auth requisite pam_deny.so is set in /etc/pam.d/sshd
Warning: Parameter "auth requisite pam_deny.so" does not exist in /etc/pam.d/sshd [127 Warnings]
[ Fix ] echo "auth requisite pam_deny.so" >> /etc/pam.d/sshd
Value of Defaults timestamp_timeout is set to 0 in /etc/sudoers
Warning: Parameter "Defaults timestamp_timeout" not set to "0" in /etc/sudoers [128 Warnings]
[ Fix ] cat /etc/sudoers |sed "s,# Defaults specification,& Defaults timestamp_timeout=0," > /opt/LTRLlunar/tmp/temp_file [ Fix ] cat /opt/LTRLlunar/tmp/temp_file > /etc/sudoers
Sysctl Configuration
Value of net.ipv4.conf.default.secure_redirects is set to 0 in /etc/sysctl.conf
Warning: Parameter "net.ipv4.conf.default.secure_redirects" not set to "0" in /etc/sysctl.conf [129 Warnings]
[ Fix ] echo "net.ipv4.conf.default.secure_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.secure_redirects is set to 0 in /etc/sysctl.conf Warning: Parameter "net.ipv4.conf.all.secure_redirects" not set to "0" in /etc/sysctl.conf [130 Warnings]
[ Fix ] echo "net.ipv4.conf.all.secure_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.icmp_echo_ignore_broadcasts is set to 1 in /etc/sysctl.conf Warning: Parameter "net.ipv4.icmp_echo_ignore_broadcasts" not set to "1" in /etc/sysctl.conf [131 Warnings]
[ Fix ] echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.accept_redirects is set to 0 in /etc/sysctl.conf Warning: Parameter "net.ipv4.conf.all.accept_redirects" not set to "0" in /etc/sysctl.conf [132 Warnings]
[ Fix ] echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.conf.default.accept_redirects is set to 0 in /etc/sysctl.conf Warning: Parameter "net.ipv4.conf.default.accept_redirects" not set to "0" in /etc/sysctl.conf [133 Warnings]
[ Fix ] echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.tcp_syncookies is set to 1 in /etc/sysctl.conf Warning: Parameter "net.ipv4.tcp_syncookies" not set to "1" in /etc/sysctl.conf [134 Warnings]
[ Fix ] echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
Value of net.ipv4.tcp_max_syn_backlog is set to 4096 in /etc/sysctl.conf Warning: Parameter "net.ipv4.tcp_max_syn_backlog" not set to "4096" in /etc/sysctl.conf [135 Warnings]
[ Fix ] echo "net.ipv4.tcp_max_syn_backlog=4096" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.rp_filter is set to 1 in /etc/sysctl.conf Warning: Parameter "net.ipv4.conf.all.rp_filter" not set to "1" in /etc/sysctl.conf [136 Warnings]
[ Fix ] echo "net.ipv4.conf.all.rp_filter=1" >> /etc/sysctl.conf
Value of net.ipv4.conf.default.rp_filter is set to 1 in /etc/sysctl.conf Warning: Parameter "net.ipv4.conf.default.rp_filter" not set to "1" in /etc/sysctl.conf [137 Warnings]
[ Fix ] echo "net.ipv4.conf.default.rp_filter=1" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.accept_source_route is set to 0 in /etc/sysctl.conf Warning: Parameter "net.ipv4.conf.all.accept_source_route" not set to "0" in /etc/sysctl.conf [138 Warnings]
[ Fix ] echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.conf
Value of net.ipv4.conf.default.accept_source_route is set to 0 in /etc/sysctl.conf Warning: Parameter "net.ipv4.conf.default.accept_source_route" not set to "0" in /etc/sysctl.conf [139 Warnings]
[ Fix ] echo "net.ipv4.conf.default.accept_source_route=0" >> /etc/sysctl.conf
Value of net.ipv4.tcp_max_orphans is set to 256 in /etc/sysctl.conf Warning: Parameter "net.ipv4.tcp_max_orphans" not set to "256" in /etc/sysctl.conf [140 Warnings]
[ Fix ] echo "net.ipv4.tcp_max_orphans=256" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.log_martians is set to 1 in /etc/sysctl.conf Warning: Parameter "net.ipv4.conf.all.log_martians" not set to "1" in /etc/sysctl.conf [141 Warnings]
[ Fix ] echo "net.ipv4.conf.all.log_martians=1" >> /etc/sysctl.conf
Value of net.ipv4.ip_forward is set to 0 in /etc/sysctl.conf Warning: Parameter "net.ipv4.ip_forward" not set to "0" in /etc/sysctl.conf [142 Warnings]
[ Fix ] echo "net.ipv4.ip_forward=0" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.send_redirects is set to 0 in /etc/sysctl.conf Warning: Parameter "net.ipv4.conf.all.send_redirects" not set to "0" in /etc/sysctl.conf [143 Warnings]
[ Fix ] echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.conf.default.send_redirects is set to 0 in /etc/sysctl.conf Warning: Parameter "net.ipv4.conf.default.send_redirects" not set to "0" in /etc/sysctl.conf [144 Warnings]
[ Fix ] echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.icmp_ignore_bogus_error_responses is set to 1 in /etc/sysctl.conf Warning: Parameter "net.ipv4.icmp_ignore_bogus_error_responses" not set to "1" in /etc/sysctl.conf [145 Warnings]
[ Fix ] echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.conf
Value of net.ipv6.conf.default.accept_redirects is set to 0 in /etc/sysctl.conf Warning: Parameter "net.ipv6.conf.default.accept_redirects" not set to "0" in /etc/sysctl.conf [146 Warnings]
[ Fix ] echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.conf
Value of net.ipv6.conf.all.accept_ra is set to 0 in /etc/sysctl.conf Warning: Parameter "net.ipv6.conf.all.accept_ra" not set to "0" in /etc/sysctl.conf [147 Warnings]
[ Fix ] echo "net.ipv6.conf.all.accept_ra=0" >> /etc/sysctl.conf
Value of net.ipv6.conf.default.accept_ra is set to 0 in /etc/sysctl.conf Warning: Parameter "net.ipv6.conf.default.accept_ra" not set to "0" in /etc/sysctl.conf [148 Warnings]
[ Fix ] echo "net.ipv6.conf.default.accept_ra=0" >> /etc/sysctl.conf
Value of net.ipv6.route.flush is set to 1 in /etc/sysctl.conf Warning: Parameter "net.ipv6.route.flush" not set to "1" in /etc/sysctl.conf [149 Warnings]
[ Fix ] echo "net.ipv6.route.flush=1" >> /etc/sysctl.conf
Value of kernel.randomize_va_space is set to 2 in /etc/sysctl.conf Warning: Parameter "kernel.randomize_va_space" not set to "2" in /etc/sysctl.conf [150 Warnings]
[ Fix ] echo "kernel.randomize_va_space=2" >> /etc/sysctl.conf
Parameter * hard core 0 is set in /etc/security/limits.conf
Warning: Parameter "* hard core 0" does not exist in /etc/security/limits.conf [151 Warnings]
[ Fix ] echo "* hard core 0" >> /etc/security/limits.conf
File permissions on /etc/security/limits.conf
Warning: File /etc/security/limits.conf has incorrect permissions [152 Warnings]
[ Fix ] chmod 0600 /etc/security/limits.conf [ Fix ] chown root:root /etc/security/limits.conf
TCP SYN Cookie Protection
Parameter echo 1 > /proc/sys/net/ipv4/tcp_syncookies is set in /etc/rc.d/local
Warning: Parameter "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" does not exist in /etc/rc.d/local [153 Warnings]
[ Fix ] echo "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" >> /etc/rc.d/local
File permissions on /etc/rc.d/local
Notice: File /etc/rc.d/local does not exist
Modprobe Configuration
Parameter install tipc /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install tipc /bin/true" does not exist in /etc/modprobe.conf [154 Warnings]
[ Fix ] echo "install tipc /bin/true" >> /etc/modprobe.conf
Parameter install rds /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install rds /bin/true" does not exist in /etc/modprobe.conf [155 Warnings]
[ Fix ] echo "install rds /bin/true" >> /etc/modprobe.conf
Parameter install sctp /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install sctp /bin/true" does not exist in /etc/modprobe.conf [156 Warnings]
[ Fix ] echo "install sctp /bin/true" >> /etc/modprobe.conf
Parameter install dccp /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install dccp /bin/true" does not exist in /etc/modprobe.conf [157 Warnings]
[ Fix ] echo "install dccp /bin/true" >> /etc/modprobe.conf
Parameter install udf /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install udf /bin/true" does not exist in /etc/modprobe.conf [158 Warnings]
[ Fix ] echo "install udf /bin/true" >> /etc/modprobe.conf
Parameter install squashfs /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install squashfs /bin/true" does not exist in /etc/modprobe.conf [159 Warnings]
[ Fix ] echo "install squashfs /bin/true" >> /etc/modprobe.conf
Parameter install hfs /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install hfs /bin/true" does not exist in /etc/modprobe.conf [160 Warnings]
[ Fix ] echo "install hfs /bin/true" >> /etc/modprobe.conf
Parameter install hfsplus /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install hfsplus /bin/true" does not exist in /etc/modprobe.conf [161 Warnings]
[ Fix ] echo "install hfsplus /bin/true" >> /etc/modprobe.conf
Parameter install jffs2 /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install jffs2 /bin/true" does not exist in /etc/modprobe.conf [162 Warnings]
[ Fix ] echo "install jffs2 /bin/true" >> /etc/modprobe.conf
Parameter install freevxfs /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install freevxfs /bin/true" does not exist in /etc/modprobe.conf [163 Warnings]
[ Fix ] echo "install freevxfs /bin/true" >> /etc/modprobe.conf
Parameter install cramfs /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install cramfs /bin/true" does not exist in /etc/modprobe.conf [164 Warnings]
[ Fix ] echo "install cramfs /bin/true" >> /etc/modprobe.conf
Parameter install vfat /bin/true is set in /etc/modprobe.conf
Warning: Parameter "install vfat /bin/true" does not exist in /etc/modprobe.conf [165 Warnings]
[ Fix ] echo "install vfat /bin/true" >> /etc/modprobe.conf
Unconfined Daemons
Warning: Unconfined daemons [166 Warnings]
SELinux
Value of SELINUX is set to enforcing in /etc/selinux/config
Warning: Parameter "SELINUX" not set to "enforcing" in /etc/selinux/config [167 Warnings]
[ Fix ] echo "SELINUX=enforcing" >> /etc/selinux/config
Value of SELINUXTYPE is set to targeted in /etc/selinux/config Warning: Parameter "SELINUXTYPE" not set to "targeted" in /etc/selinux/config [168 Warnings]
[ Fix ] echo "SELINUXTYPE=targeted" >> /etc/selinux/config
File permissions on /etc/selinux/config
Notice: File /etc/selinux/config does not exist
File permissions on /boot/grub/grub.cfg
Warning: File /boot/grub/grub.cfg has incorrect permissions [169 Warnings]
[ Fix ] chmod 0400 /boot/grub/grub.cfg [ Fix ] chown root:root /boot/grub/grub.cfg
Value of selinux is set to 1 in /boot/grub/grub.cfg Warning: Parameter "selinux" not set to "1" in /boot/grub/grub.cfg [170 Warnings]
[ Fix ] echo "selinux=1" >> /boot/grub/grub.cfg
Value of enforcing is set to 1 in /boot/grub/grub.cfg Warning: Parameter "enforcing" not set to "1" in /boot/grub/grub.cfg [171 Warnings]
[ Fix ] echo "enforcing=1" >> /boot/grub/grub.cfg
XD/NS Support
AppArmor
Package apparmor is installed
Secure: Package apparmor is installed [88 Passes]
./lunar.sh: 35: [: 0: unexpected operator
Secure: AppArmor is not disabled in /boot/grub/grub.cfg /etc/default/grub [89 Passes]
Warning: AppArmor is not enabled in /boot/grub/grub.cfg /etc/default/grub [172 Warnings]
[ Fix ] cat /boot/grub/grub.cfg |sed 's/^\s*linux.*/& apparmor=1 security=apparmor/g' > /tmp/apparmor ; cat /tmp/apparmor > /boot/grub/grub.cfg ; aa-enforce /etc/apparmor.d/*
Randomised Virtual Memory Region Placement
Sendmail Daemon
Service sendmail is disabled
Value of DAEMON is set to no in /etc/sysconfig/sendmail
Warning: Parameter "DAEMON" not set to "no" in /etc/sysconfig/sendmail [173 Warnings]
[ Fix ] echo "DAEMON=no" >> /etc/sysconfig/sendmail
Value of QUEUE is set to 1h in /etc/sysconfig/sendmail Warning: Parameter "QUEUE" not set to "1h" in /etc/sysconfig/sendmail [174 Warnings]
[ Fix ] echo "QUEUE=1h" >> /etc/sysconfig/sendmail
Sendmail Aliases
File permissions on /etc/aliases
Notice: File /etc/aliases does not exist
Mail Daemons
Service cyrus is disabled
Package cyrus is uninstalled
Secure: Package cyrus is uninstalled [90 Passes]
Service imapd is disabled
Package imapd is uninstalled
Secure: Package imapd is uninstalled [91 Passes]
Service qpopper is disabled
Package qpopper is uninstalled
Secure: Package qpopper is uninstalled [92 Passes]
Service dovecot is disabled
Package dovecot is uninstalled
Secure: Package dovecot is uninstalled [93 Passes]
Value of inet_interfaces is set to localhost in /etc/postfix/main.cf Warning: Parameter "inet_interfaces" not set to "localhost" in /etc/postfix/main.cf [175 Warnings]
[ Fix ] echo "inet_interfaces=localhost" >> /etc/postfix/main.cf
File permissions on /root Warning: File /root has incorrect permissions [176 Warnings]
[ Fix ] chmod 0700 /root [ Fix ] chown root:root /root
Root Primary Group
Secure: Primary group for root is root [94 Passes]
Root SSH keys
Warning: Keys file /root/.ssh/authorized_keys exists [177 Warnings]
[ Fix ] mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys.disabled
Secure: Keys file /root/.ssh/authorized_keys2 does not exist [95 Passes]
Default mesg Settings for Users
Value of mesg is set to n in /etc/.login
Warning: Parameter "mesg" not set to "n" in /etc/.login [178 Warnings]
[ Fix ] echo "mesg n" >> /etc/.login
Value of mesg is set to n in /etc/profile Warning: Parameter "mesg" not set to "n" in /etc/profile [179 Warnings]
[ Fix ] echo "mesg n" >> /etc/profile
Value of mesg is set to n in /etc/skel/.bash_profile Warning: Parameter "mesg" not set to "n" in /etc/skel/.bash_profile [180 Warnings]
[ Fix ] echo "mesg n" >> /etc/skel/.bash_profile
Value of mesg is set to n in /etc/skel/.bashrc Warning: Parameter "mesg" not set to "n" in /etc/skel/.bashrc [181 Warnings]
[ Fix ] echo "mesg n" >> /etc/skel/.bashrc
Value of mesg is set to n in /etc/csh.login Warning: Parameter "mesg" not set to "n" in /etc/csh.login [182 Warnings]
[ Fix ] echo "mesg n" >> /etc/csh.login
Value of mesg is set to n in /etc/csh.cshrc Warning: Parameter "mesg" not set to "n" in /etc/csh.cshrc [183 Warnings]
[ Fix ] echo "mesg n" >> /etc/csh.cshrc
Value of mesg is set to n in /etc/zprofile Warning: Parameter "mesg" not set to "n" in /etc/zprofile [184 Warnings]
[ Fix ] echo "mesg n" >> /etc/zprofile
Value of mesg is set to n in /etc/skel/.zshrc Warning: Parameter "mesg" not set to "n" in /etc/skel/.zshrc [185 Warnings]
[ Fix ] echo "mesg n" >> /etc/skel/.zshrc
Value of mesg is set to n in /etc/skel/.bashrc Warning: Parameter "mesg" not set to "n" in /etc/skel/.bashrc [186 Warnings]
[ Fix ] echo "mesg n" >> /etc/skel/.bashrc
User Groups
Secure: No non existant group issues [96 Passes]
Home Directory Permissions
Ownership of Home Directories
Warning: Home Directory for sys is owned by root [187 Warnings]
Warning: Home Directory for proxy is owned by root [188 Warnings]
Warning: Home Directory for backup is owned by root [189 Warnings]
Warning: Home Directory for systemd-network is owned by root [190 Warnings]
Warning: Home Directory for systemd-resolve is owned by root [191 Warnings]
Warning: Home Directory for systemd-timesync is owned by root [192 Warnings]
Warning: Home Directory for uuidd is owned by root [193 Warnings]
Warning: User systemd-coredump has no home directory defined [194 Warnings]
Warning: Home Directory for lxd is owned by root [195 Warnings]
Warning: Home Directory for dnsmasq is owned by root [196 Warnings]
Secure: No ownership issues with home directories [97 Passes]
Duplicate Users
Duplicate IDs
Secure: No users with duplicate name [98 Passes]
Duplicate IDs
Secure: No users with duplicate id [99 Passes]
Duplicate Groups
Duplicate IDs
Secure: No groups with duplicate name [100 Passes]
Duplicate IDs
Secure: No groups with duplicate id [101 Passes]
User Dot Files
File permissions on /root/.bash_history
Secure: File /root/.bash_history has correct permissions [102 Passes]
File permissions on /root/.bash_profile
Warning: File /root/.bash_profile has incorrect permissions [187 Warnings]
[ Fix ] chmod 0600 /root/.bash_profile
File permissions on /root/.bashrc Warning: File /root/.bashrc has incorrect permissions [188 Warnings]
[ Fix ] chmod 0600 /root/.bashrc
File permissions on /root/.cloud-locale-test.skip Warning: File /root/.cloud-locale-test.skip has incorrect permissions [189 Warnings]
[ Fix ] chmod 0600 /root/.cloud-locale-test.skip
File permissions on /root/.profile Warning: File /root/.profile has incorrect permissions [190 Warnings]
[ Fix ] chmod 0600 /root/.profile
File permissions on /root/.wget-hsts Warning: File /root/.wget-hsts has incorrect permissions [191 Warnings]
[ Fix ] chmod 0600 /root/.wget-hsts
File permissions on /var/lib/landscape/.cleanup.user Warning: File /var/lib/landscape/.cleanup.user has incorrect permissions [192 Warnings]
[ Fix ] chmod 0600 /var/lib/landscape/.cleanup.user
User Forward Files
Dot Files
Secure: File /root/.forward does not exist [103 Passes]
Secure: File /usr/sbin/.forward does not exist [104 Passes]
Secure: File /bin/.forward does not exist [105 Passes]
Secure: File /dev/.forward does not exist [106 Passes]
Secure: File /bin/.forward does not exist [107 Passes]
Secure: File /usr/games/.forward does not exist [108 Passes]
Secure: File /var/cache/man/.forward does not exist [109 Passes]
Secure: File /var/spool/lpd/.forward does not exist [110 Passes]
Secure: File /var/mail/.forward does not exist [111 Passes]
Secure: File /var/spool/news/.forward does not exist [112 Passes]
Secure: File /var/spool/uucp/.forward does not exist [113 Passes]
Secure: File /bin/.forward does not exist [114 Passes]
Secure: File /var/www/.forward does not exist [115 Passes]
Secure: File /var/backups/.forward does not exist [116 Passes]
Secure: File /var/list/.forward does not exist [117 Passes]
Secure: File /var/run/ircd/.forward does not exist [118 Passes]
Secure: File /var/lib/gnats/.forward does not exist [119 Passes]
Secure: File /nonexistent/.forward does not exist [120 Passes]
Secure: File /run/systemd/.forward does not exist [121 Passes]
Secure: File /run/systemd/.forward does not exist [122 Passes]
Secure: File /run/systemd/.forward does not exist [123 Passes]
Secure: File /nonexistent/.forward does not exist [124 Passes]
Secure: File /home/syslog/.forward does not exist [125 Passes]
Secure: File /nonexistent/.forward does not exist [126 Passes]
Secure: File /var/lib/tpm/.forward does not exist [127 Passes]
Secure: File /run/uuidd/.forward does not exist [128 Passes]
Secure: File /nonexistent/.forward does not exist [129 Passes]
Secure: File /run/sshd/.forward does not exist [130 Passes]
Secure: File /var/lib/landscape/.forward does not exist [131 Passes]
Secure: File /var/cache/pollinate/.forward does not exist [132 Passes]
Secure: File /.forward does not exist [133 Passes]
Secure: File /var/snap/lxd/common/lxd/.forward does not exist [134 Passes]
Secure: File /var/lib/misc/.forward does not exist [135 Passes]
Secure: File /home/postgres/.forward does not exist [136 Passes]
Root PATH Environment Integrity
Secure: No empty directory in PATH [137 Passes]
Secure: No trailing : in PATH [138 Passes]
Secure: Group write permission not set on directory /usr/local/sbin [139 Passes]
Secure: Other write permission not set on directory /usr/local/sbin [140 Passes]
Secure: Group write permission not set on directory /usr/local/bin [141 Passes]
Secure: Other write permission not set on directory /usr/local/bin [142 Passes]
Secure: Group write permission not set on directory /usr/sbin [143 Passes]
Secure: Other write permission not set on directory /usr/sbin [144 Passes]
Secure: Group write permission not set on directory /usr/bin [145 Passes]
Secure: Other write permission not set on directory /usr/bin [146 Passes]
Warning: Group write permissions set on directory /sbin [193 Warnings]
Warning: Other write permissions set on directory /sbin [194 Warnings]
Warning: Group write permissions set on directory /bin [195 Warnings]
Warning: Other write permissions set on directory /bin [196 Warnings]
Secure: Group write permission not set on directory /usr/games [147 Passes]
Secure: Other write permission not set on directory /usr/games [148 Passes]
Secure: Group write permission not set on directory /usr/local/games [149 Passes]
Secure: Other write permission not set on directory /usr/local/games [150 Passes]
Secure: Group write permission not set on directory /snap/bin [151 Passes]
Secure: Other write permission not set on directory /snap/bin [152 Passes]
Default umask for Users
Value of umask is set to 077 in /etc/.login
Warning: Parameter "umask" not set to "077" in /etc/.login [197 Warnings]
[ Fix ] echo "umask 077" >> /etc/.login
Value of umask is set to 077 in /etc/profile Warning: Parameter "umask" not set to "077" in /etc/profile [198 Warnings]
[ Fix ] echo "umask 077" >> /etc/profile
Value of umask is set to 077 in /etc/skel/.bash_profile Warning: Parameter "umask" not set to "077" in /etc/skel/.bash_profile [199 Warnings]
[ Fix ] echo "umask 077" >> /etc/skel/.bash_profile
Value of umask is set to 077 in /etc/csh.login Warning: Parameter "umask" not set to "077" in /etc/csh.login [200 Warnings]
[ Fix ] echo "umask 077" >> /etc/csh.login
Value of umask is set to 077 in /etc/csh.cshrc Warning: Parameter "umask" not set to "077" in /etc/csh.cshrc [201 Warnings]
[ Fix ] echo "umask 077" >> /etc/csh.cshrc
Value of umask is set to 077 in /etc/zprofile Warning: Parameter "umask" not set to "077" in /etc/zprofile [202 Warnings]
[ Fix ] echo "umask 077" >> /etc/zprofile
Value of umask is set to 077 in /etc/skel/.zshrc Warning: Parameter "umask" not set to "077" in /etc/skel/.zshrc [203 Warnings]
[ Fix ] echo "umask 077" >> /etc/skel/.zshrc
Value of umask is set to 077 in /etc/skel/.bashrc Warning: Parameter "umask" not set to "077" in /etc/skel/.bashrc [204 Warnings]
[ Fix ] echo "umask 077" >> /etc/skel/.bashrc
Value of UMASK is set to 077 in /etc/bashrc Warning: Parameter "UMASK" not set to "077" in /etc/bashrc [205 Warnings]
[ Fix ] echo "UMASK=077" >> /etc/bashrc
Value of UMASK is set to 077 in /etc/skel/.bashrc Warning: Parameter "UMASK" not set to "077" in /etc/skel/.bashrc [206 Warnings]
[ Fix ] echo "UMASK=077" >> /etc/skel/.bashrc
Value of UMASK is set to 077 in /etc/login.defs Warning: Parameter "UMASK" not set to "077" in /etc/login.defs [207 Warnings]
[ Fix ] echo "UMASK=077" >> /etc/login.defs
Password Fields Secure: No empty password entries [153 Passes] Secure: No legacy entries in /etc/passwd [154 Passes] Secure: No legacy entries in /etc/shadow [155 Passes] Reserved IDs Whether reserved UUIDs are assigned to system accounts Warning: User sys has a reserved UID (3) [208 Warnings] Warning: User man has a reserved UID (6) [209 Warnings] Warning: User proxy has a reserved UID (13) [210 Warnings] Warning: User www-data has a reserved UID (33) [211 Warnings] Warning: User backup has a reserved UID (34) [212 Warnings] Warning: User list has a reserved UID (38) [213 Warnings] Warning: User irc has a reserved UID (39) [214 Warnings] Warning: User gnats has a reserved UID (41) [215 Warnings] Warning: User systemd-network has a reserved UID (100) [216 Warnings] Warning: User systemd-resolve has a reserved UID (101) [217 Warnings] Warning: User systemd-timesync has a reserved UID (102) [218 Warnings] Warning: User messagebus has a reserved UID (103) [219 Warnings] Warning: User syslog has a reserved UID (104) [220 Warnings] Warning: User _apt has a reserved UID (105) [221 Warnings] Warning: User tss has a reserved UID (106) [222 Warnings] Warning: User uuidd has a reserved UID (107) [223 Warnings] Warning: User tcpdump has a reserved UID (108) [224 Warnings] Warning: User landscape has a reserved UID (110) [225 Warnings] Warning: User pollinate has a reserved UID (111) [226 Warnings] Warning: User dnsmasq has a reserved UID (112) [227 Warnings] Accounts with UID 0 Daemon Umask Value of umask is set to 027 in /etc/sysconfig/init Warning: Parameter "umask" not set to "027" in /etc/sysconfig/init [208 Warnings]
[ Fix ] echo "umask 027" >> /etc/sysconfig/init
Cron Permissions File permissions on /etc/crontab Warning: File /etc/crontab has incorrect permissions [209 Warnings]
[ Fix ] chmod 0700 /etc/crontab [ Fix ] chown root:root /etc/crontab
File permissions on /var/spool/cron Warning: File /var/spool/cron has incorrect permissions [210 Warnings]
[ Fix ] chmod 0700 /var/spool/cron [ Fix ] chown root:root /var/spool/cron
File permissions on /etc/cron.daily Warning: File /etc/cron.daily has incorrect permissions [211 Warnings]
[ Fix ] chmod 0700 /etc/cron.daily [ Fix ] chown root:root /etc/cron.daily
File permissions on /etc/cron.d Warning: File /etc/cron.d has incorrect permissions [212 Warnings]
[ Fix ] chmod 0700 /etc/cron.d [ Fix ] chown root:root /etc/cron.d
File permissions on /etc/cron.weekly Warning: File /etc/cron.weekly has incorrect permissions [213 Warnings]
[ Fix ] chmod 0700 /etc/cron.weekly [ Fix ] chown root:root /etc/cron.weekly
File permissions on /etc/cron.monthly Warning: File /etc/cron.monthly has incorrect permissions [214 Warnings]
[ Fix ] chmod 0700 /etc/cron.monthly [ Fix ] chown root:root /etc/cron.monthly
File permissions on /etc/cron.hourly Warning: File /etc/cron.hourly has incorrect permissions [215 Warnings]
[ Fix ] chmod 0700 /etc/cron.hourly [ Fix ] chown root:root /etc/cron.hourly
File permissions on /etc/anacrontab Notice: File /etc/anacrontab does not exist Wheel Group Warning: Wheel group does not exist in /etc/group [216 Warnings] Checking: Wheel group ownership File permissions on /usr/bin/su Warning: File /usr/bin/su has incorrect permissions [217 Warnings]
[ Fix ] chmod 4750 /usr/bin/su [ Fix ] chown root:wheel /usr/bin/su
Old users Secure: There are no users who have never logged that do not have their account locked [156 Passes] At/Cron Authorized Users File /etc/cron.d/cron.deny does not exist Secure: File /etc/cron.d/cron.deny does not exist [157 Passes] File /at.deny does not exist Secure: File /at.deny does not exist [158 Passes] File /etc/cron.d/cron.allow exists Warning: File /etc/cron.d/cron.allow does not exist [218 Warnings] File permissions on /etc/cron.d/cron.allow Notice: File /etc/cron.d/cron.allow does not exist File /at.allow exists Warning: File /at.allow does not exist [219 Warnings] File permissions on /at.allow Notice: File /at.allow does not exist File permissions on /at.allow Notice: File /at.allow does not exist File /etc/at.allow exists Warning: File /etc/at.allow does not exist [220 Warnings] File permissions on /etc/at.allow Notice: File /etc/at.allow does not exist File permissions on /etc/cron.d Warning: File /etc/cron.d has incorrect permissions [221 Warnings]
[ Fix ] chmod 0700 /etc/cron.d [ Fix ] chown root:root /etc/cron.d
File permissions on /etc/cron.hourly Warning: File /etc/cron.hourly has incorrect permissions [222 Warnings]
[ Fix ] chmod 0700 /etc/cron.hourly [ Fix ] chown root:root /etc/cron.hourly
File permissions on /etc/cron.daily Warning: File /etc/cron.daily has incorrect permissions [223 Warnings]
[ Fix ] chmod 0700 /etc/cron.daily [ Fix ] chown root:root /etc/cron.daily
File permissions on /etc/cron.yearly Notice: File /etc/cron.yearly does not exist File permissions on /etc/cron.yearly Notice: File /etc/cron.yearly does not exist File permissions on /etc/cron.yearly Notice: File /etc/cron.yearly does not exist File permissions on /etc/cron.yearly Notice: File /etc/cron.yearly does not exist File permissions on /etc/cron.yearly Notice: File /etc/cron.yearly does not exist Cron Daemon Service crond is enabled System Accounts that do not have a shell Warning: System account daemon has an invalid shell [224 Warnings]
[ Fix ] usermod -s /sbin/nologin daemon
Warning: System account bin has an invalid shell [225 Warnings]
[ Fix ] usermod -s /sbin/nologin bin
Warning: System account sys has an invalid shell [226 Warnings]
[ Fix ] usermod -s /sbin/nologin sys
Warning: System account games has an invalid shell [227 Warnings]
[ Fix ] usermod -s /sbin/nologin games
Warning: System account man has an invalid shell [228 Warnings]
[ Fix ] usermod -s /sbin/nologin man
Warning: System account lp has an invalid shell [229 Warnings]
[ Fix ] usermod -s /sbin/nologin lp
Warning: System account mail has an invalid shell [230 Warnings]
[ Fix ] usermod -s /sbin/nologin mail
Warning: System account news has an invalid shell [231 Warnings]
[ Fix ] usermod -s /sbin/nologin news
Warning: System account uucp has an invalid shell [232 Warnings]
[ Fix ] usermod -s /sbin/nologin uucp
Warning: System account proxy has an invalid shell [233 Warnings]
[ Fix ] usermod -s /sbin/nologin proxy
Warning: System account www-data has an invalid shell [234 Warnings]
[ Fix ] usermod -s /sbin/nologin www-data
Warning: System account backup has an invalid shell [235 Warnings]
[ Fix ] usermod -s /sbin/nologin backup
Warning: System account list has an invalid shell [236 Warnings]
[ Fix ] usermod -s /sbin/nologin list
Warning: System account irc has an invalid shell [237 Warnings]
[ Fix ] usermod -s /sbin/nologin irc
Warning: System account gnats has an invalid shell [238 Warnings]
[ Fix ] usermod -s /sbin/nologin gnats
Warning: System account systemd-network has an invalid shell [239 Warnings]
[ Fix ] usermod -s /sbin/nologin systemd-network
Warning: System account systemd-resolve has an invalid shell [240 Warnings]
[ Fix ] usermod -s /sbin/nologin systemd-resolve
Warning: System account systemd-timesync has an invalid shell [241 Warnings]
[ Fix ] usermod -s /sbin/nologin systemd-timesync
Warning: System account messagebus has an invalid shell [242 Warnings]
[ Fix ] usermod -s /sbin/nologin messagebus
Warning: System account syslog has an invalid shell [243 Warnings]
[ Fix ] usermod -s /sbin/nologin syslog
Warning: System account _apt has an invalid shell [244 Warnings]
[ Fix ] usermod -s /sbin/nologin _apt
Warning: System account uuidd has an invalid shell [245 Warnings]
[ Fix ] usermod -s /sbin/nologin uuidd
Warning: System account tcpdump has an invalid shell [246 Warnings]
[ Fix ] usermod -s /sbin/nologin tcpdump
Warning: System account sshd has an invalid shell [247 Warnings]
[ Fix ] usermod -s /sbin/nologin sshd
Warning: System account landscape has an invalid shell [248 Warnings]
[ Fix ] usermod -s /sbin/nologin landscape
Warning: System account dnsmasq has an invalid shell [249 Warnings]
[ Fix ] usermod -s /sbin/nologin dnsmasq
Shadow Group Warning: Shadow group contains members [250 Warnings]
[ Fix ] cat /etc/group |awk -F':' '( == "shadow" ) {print ":"":"":" ; next}; {print}' > /tmp/group [ Fix ] cat /tmp/group > /etc/group [ Fix ] rm /tmp/group
iSCSI Target Service Service iscsi is disabled Warning: Service iscsi is not disabled [251 Warnings] [ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable Service iscsid is disabled Secure: Service iscsid is disabled [159 Passes] Hotplug Service Service pcscd is disabled Service haldaemon is disabled Service kudzu is disabled Power Management Service apmd is disabled Xen Daemons Service xend is disabled Service xendomains is disabled X Windows Gnome Warning Banner Screen Lock for GNOME Users ./lunar.sh: 21: [: -ge: unexpected operator Automount/Autorun for GNOME Users ./lunar.sh: 16: [: -ge: unexpected operator Font Server Service xfs is disabled VNC Daemons Service vncserver is disabled NIS Server Daemons NIS Server Daemons Service yppasswdd is disabled Package yppasswdd is uninstalled Secure: Package yppasswdd is uninstalled [160 Passes]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service ypserv is disabled Package ypserv is uninstalled Secure: Package ypserv is uninstalled [161 Passes]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service ypxfrd is disabled Package ypxfrd is uninstalled Secure: Package ypxfrd is uninstalled [162 Passes]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
NIS Client Daemons Service ypbind is disabled Package ypbind is uninstalled Secure: Package ypbind is uninstalled [163 Passes]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service nis is disabled Package nis is uninstalled Warning: Package nis is not uninstalled [252 Warnings]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
LDAP Client Service ldap is disabled Name Server Caching Daemon Service nscd is disabled DNS Server Service dnsmasq is disabled Service named is disabled Service bind9 is disabled Kerberos Service kadmin is disabled Service kprop is disabled Service krb524 is disabled Service krb5kdc is disabled NIS Map Entries Secure: No NIS entries in /etc/passwd [164 Passes] Secure: No NIS entries in /etc/shadow [165 Passes] Secure: No NIS entries in /etc/group [166 Passes] Avahi Server Service avahi is disabled Service avahi-autoipd is disabled Service avahi-daemon is disabled Service avahi-dnsconfd is disabled Multicast DNS Server Value of disable-user-service-publishing is set to yes in /etc/avahi/avahi-daemon.conf Warning: Parameter "disable-user-service-publishing" not set to "yes" in /etc/avahi/avahi-daemon.conf [253 Warnings]
[ Fix ] echo "disable-user-service-publishing=yes" >> /etc/avahi/avahi-daemon.conf
Value of disable-publishing is set to yes in /etc/avahi/avahi-daemon.conf Warning: Parameter "disable-publishing" not set to "yes" in /etc/avahi/avahi-daemon.conf [254 Warnings]
[ Fix ] echo "disable-publishing=yes" >> /etc/avahi/avahi-daemon.conf
Value of publish-address is set to no in /etc/avahi/avahi-daemon.conf Warning: Parameter "publish-address" not set to "no" in /etc/avahi/avahi-daemon.conf [255 Warnings]
[ Fix ] echo "publish-address=no" >> /etc/avahi/avahi-daemon.conf
Value of publish-binfo is set to no in /etc/avahi/avahi-daemon.conf Warning: Parameter "publish-binfo" not set to "no" in /etc/avahi/avahi-daemon.conf [256 Warnings]
[ Fix ] echo "publish-binfo=no" >> /etc/avahi/avahi-daemon.conf
Value of publish-workstation is set to no in /etc/avahi/avahi-daemon.conf Warning: Parameter "publish-workstation" not set to "no" in /etc/avahi/avahi-daemon.conf [257 Warnings]
[ Fix ] echo "publish-workstation=no" >> /etc/avahi/avahi-daemon.conf
Value of publish-domain is set to no in /etc/avahi/avahi-daemon.conf Warning: Parameter "publish-domain" not set to "no" in /etc/avahi/avahi-daemon.conf [258 Warnings]
[ Fix ] echo "publish-domain=no" >> /etc/avahi/avahi-daemon.conf
Value of disallow-other-stacks is set to yes in /etc/avahi/avahi-daemon.conf Warning: Parameter "disallow-other-stacks" not set to "yes" in /etc/avahi/avahi-daemon.conf [259 Warnings]
[ Fix ] echo "disallow-other-stacks=yes" >> /etc/avahi/avahi-daemon.conf
Value of check-response-ttl is set to yes in /etc/avahi/avahi-daemon.conf Warning: Parameter "check-response-ttl" not set to "yes" in /etc/avahi/avahi-daemon.conf [260 Warnings]
[ Fix ] echo "check-response-ttl=yes" >> /etc/avahi/avahi-daemon.conf
Syslog Permissions File permissions on /var/log/secure Notice: File /var/log/secure does not exist File permissions on /var/log/messages Notice: File /var/log/messages does not exist File permissions on /var/log/daemon.log Notice: File /var/log/daemon.log does not exist File permissions on /var/log/unused.log Notice: File /var/log/unused.log does not exist Automount services Service autofs is disabled Set-UID on Mounted Devices File Systems mounted with nodev Warning: Found filesystems that should be mounted nodev [261 Warnings]
[ Fix ] cat /etc/fstab | awk '( ~ /^ext[2,3,4]|tmpfs$/ && != "/" ) { = ",nosuid" }; { printf "%-26s %-22s %-8s %-16s %-1s %-1s ",,,,,, }' > /tmp/group [ Fix ] cat /tmp/group > /etc/fstab [ Fix ] rm /tmp/group
File permissions on /etc/fstab Secure: File /etc/fstab has correct permissions [167 Passes] File Systems mounted with nodev Secure: No filesystem that should be mounted with nodev [168 Passes] File permissions on /etc/fstab Secure: File /etc/fstab has correct permissions [169 Passes] No-exec on /tmp Temp File Systems mounted with noexec Secure: No filesystem that should be mounted with noexec [170 Passes] File permissions on /etc/fstab Secure: File /etc/fstab has correct permissions [171 Passes] User Mountable Filesystems File permissions on /usr/share/hal/fdi/policy/20thirdparty/floppycdrom.fdi Notice: File /usr/share/hal/fdi/policy/20thirdparty/floppycdrom.fdi does not exist NFS Services Service nfs is disabled Service nfslock is disabled Service portmap is disabled Service rpc is disabled Service nfs-kerner-server is disabled Service rpcbind is disabled Filesystem /tmp is a separate filesystem Warning: Filesystem /tmp is not a separate filesystem [262 Warnings] Filesystem /var is a separate filesystem Warning: Filesystem /var is not a separate filesystem [263 Warnings] Filesystem /var/log is a separate filesystem Warning: Filesystem /var/log is not a separate filesystem [264 Warnings] Filesystem /var/log/audit is a separate filesystem Warning: Filesystem /var/log/audit is not a separate filesystem [265 Warnings] Filesystem /home is a separate filesystem Warning: Filesystem /home is not a separate filesystem [266 Warnings] Apache and web based services Service httpd is disabled Package httpd is uninstalled Warning: Package httpd is not uninstalled [267 Warnings]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service apache is disabled Package apache is uninstalled Secure: Package apache is uninstalled [172 Passes]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service apache2 is disabled Package apache2 is uninstalled Warning: Package apache2 is not uninstalled [268 Warnings]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service tomcat5 is disabled Package tomcat5 is uninstalled Secure: Package tomcat5 is uninstalled [173 Passes]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service squid is disabled Package squid is uninstalled Warning: Package squid is not uninstalled [269 Warnings]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service prixovy is disabled Package prixovy is uninstalled Secure: Package prixovy is uninstalled [174 Passes]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
File permissions on /var/log/httpd Notice: File /var/log/httpd does not exist Routing Daemons Routing Daemons Service bgpd is disabled Service ospf6d is disabled Service ospfd is disabled Service ripd is disabled Service ripngd is disabled Samba Daemons Service smb is disabled Package samba is uninstalled Secure: Package samba is uninstalled [175 Passes]
[ Fix ] echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Winbind Daemon Service winbind is disabled Miscellaneous Services Service wu-ftpd is disabled Service ftp is disabled Service vsftpd is disabled Service aaeventd is disabled Service tftp is disabled Service acpid is disabled Service amd is disabled Service arptables_jg is disabled Service arpwatch is disabled Service atd is disabled Warning: Service atd is not disabled [270 Warnings] [ Fix ] echo "atd,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl atd disable Service netfs is disabled Service irda is disabled Service isdn is disabled Service bluetooth is disabled Service capi is disabled Service conman is disabled Service cpuspeed is disabled Service cryrus-imapd is disabled Service dc_client is disabled Service dc_server is disabled Service dhcdbd is disabled Service dhcp6s is disabled Service dhcrelay is disabled Service chargen is disabled Service chargen-udp is disabled Service dovecot is disabled Service dund is disabled Service gpm is disabled Service hidd is disabled Service hplip is disabled Service ibmasm is disabled Service innd is disabled Service ip6tables is disabled Service lisa is disabled Service lm_sensors is disabled Service mailman is disabled Service mctrans is disabled Service mdmonitor is disabled Service mdmpd is disabled Service microcode_ctl is disabled Service mysqld is disabled Service netplugd is disabled Service network is disabled Service NetworkManager is disabled Service openibd is disabled Service yum-updatesd is disabled Service pand is disabled Service postfix is disabled Service psacct is disabled Service mutipathd is disabled Service daytime is disabled Service daytime-udp is disabled Service radiusd is disabled Service radvd is disabled Service rdisc is disabled Service readahead_early is disabled Service readahead_later is disabled Service rhnsd is disabled Service rpcgssd is disabled Service rpcimapd is disabled Service rpcsvcgssd is disabled Service rstatd is disabled Service rusersd is disabled 
Service rwhod is disabled Service saslauthd is disabled Service settroubleshoot is disabled Service smartd is disabled Service spamassasin is disabled Service echo is disabled Service echo-udp is disabled Service time is disabled Service time-udp is disabled Service vnc is disabled Service svcgssd is disabled Service rpmconfigcheck is disabled Service rsh is disabled Service rsync is disabled Warning: Service rsync is not disabled [271 Warnings] [ Fix ] echo "rsync,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl rsync disable Service rsyncd is disabled Service saslauthd is disabled Service powerd is disabled Service raw is disabled Service rexec is disabled Service rlogin is disabled Service rpasswdd is disabled Service openct is disabled Service ipxmount is disabled Service joystick is disabled Service esound is disabled Service evms is disabled Service fam is disabled Service gpm is disabled Service gssd is disabled Service pcscd is disabled Service tog-pegasus is disabled Service tux is disabled Service wpa_supplicant is disabled Service zebra is disabled Service ncpfs is disabled Legacy Inet/Init Services Inet Services Init Services ./lunar.sh: 27: [: Illegal number: Log File Permissions File permissions on /var/log/dmesg Warning: File /var/log/dmesg has incorrect permissions [272 Warnings]
[ Fix ] chmod 0600 /var/log/dmesg [ Fix ] chown root:root /var/log/dmesg
File permissions on /var/log/lastlog Warning: File /var/log/lastlog has incorrect permissions [273 Warnings]
[ Fix ] chmod 0600 /var/log/lastlog [ Fix ] chown root:root /var/log/lastlog
File permissions on /var/log/wtmp Warning: File /var/log/wtmp has incorrect permissions [274 Warnings]
[ Fix ] chmod 0600 /var/log/wtmp [ Fix ] chown root:root /var/log/wtmp
Syslog Configuration Value of authpriv.* is set to /var/log/secure in /etc/syslog.conf Warning: Parameter "authpriv.*" not set to "/var/log/secure" in /etc/syslog.conf [275 Warnings]
[ Fix ] echo "authpriv.*tab/var/log/secure" >> /etc/syslog.conf
Value of auth.* is set to /var/log/messages in /etc/syslog.conf Warning: Parameter "auth.*" not set to "/var/log/messages" in /etc/syslog.conf [276 Warnings]
[ Fix ] echo "auth.*tab/var/log/messages" >> /etc/syslog.conf
Value of daemon.* is set to /var/log/daemon.log in /etc/syslog.conf Warning: Parameter "daemon.*" not set to "/var/log/daemon.log" in /etc/syslog.conf [277 Warnings]
[ Fix ] echo "daemon.*tab/var/log/daemon.log" >> /etc/syslog.conf
Value of syslog.* is set to /var/log/syslog in /etc/syslog.conf Warning: Parameter "syslog.*" not set to "/var/log/syslog" in /etc/syslog.conf [278 Warnings]
[ Fix ] echo "syslog.*tab/var/log/syslog" >> /etc/syslog.conf
Value of lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* is set to /var/log/unused.log in /etc/syslog.conf Warning: Parameter "lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.*" not set to "/var/log/unused.log" in /etc/syslog.conf [279 Warnings]
[ Fix ] echo "lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.*tab/var/log/unused.log" >> /etc/syslog.conf
Core Dumps
Core Dumps
Service kdump is disabled
Parameter * hard core 0 is set in /etc/security/limits.conf
Warning: Parameter "* hard core 0" does not exist in /etc/security/limits.conf [280 Warnings]
[ Fix ] echo "* hard core 0" >> /etc/security/limits.conf
Value of fs.suid_dumpable is set to 0 in /etc/sysctl.conf
Warning: Parameter "fs.suid_dumpable" not set to "0" in /etc/sysctl.conf [281 Warnings]
[ Fix ] echo "fs.suid_dumpable=0" >> /etc/sysctl.conf
SNMP Daemons and Log Permissions
Network Time Protocol
Package chrony is installed
Warning: Package chrony is not installed [282 Warnings]
[ Fix ] echo "* hard core 0" >> /etc/security/limits.conf
Value of OPTIONS is set to "-u chrony" in /etc/sysconfig/chronyd Warning: Parameter "OPTIONS" not set to ""-u chrony"" in /etc/sysconfig/chronyd [283 Warnings]
[ Fix ] echo "OPTIONS="-u chrony"" >> /etc/sysconfig/chronyd
Value of server is set to 0.au.pool.ntp.org in /etc/chrony/chrony.conf Warning: Parameter "server" not set to "0.au.pool.ntp.org" in /etc/chrony/chrony.conf [284 Warnings]
[ Fix ] echo "server 0.au.pool.ntp.org" >> /etc/chrony/chrony.conf
Value of server is set to 1.au.pool.ntp.org in /etc/chrony/chrony.conf Warning: Parameter "server" not set to "1.au.pool.ntp.org" in /etc/chrony/chrony.conf [285 Warnings]
[ Fix ] echo "server 1.au.pool.ntp.org" >> /etc/chrony/chrony.conf
Value of server is set to 2.au.pool.ntp.org in /etc/chrony/chrony.conf Warning: Parameter "server" not set to "2.au.pool.ntp.org" in /etc/chrony/chrony.conf [286 Warnings]
[ Fix ] echo "server 2.au.pool.ntp.org" >> /etc/chrony/chrony.conf
Value of server is set to 3.au.pool.ntp.org in /etc/chrony/chrony.conf Warning: Parameter "server" not set to "3.au.pool.ntp.org" in /etc/chrony/chrony.conf [287 Warnings]
[ Fix ] echo "server 3.au.pool.ntp.org" >> /etc/chrony/chrony.conf
IPMI Daemons Service ipmi is disabled RARP Daemon Service rarpd is disabled Bootparams Daemon Service bootparamd is disabled TFTP Server Daemon Service tftp is disabled File permissions on /tftpboot Notice: File /tftpboot does not exist File permissions on /var/tftpboot Notice: File /var/tftpboot does not exist DHCP Server Service dhcpd is disabled Package dhcpd is uninstalled Secure: Package dhcpd is uninstalled [176 Passes]
[ Fix ] echo "* hard core 0" >> /etc/security/limits.conf
Wifi information menu ./lunar.sh: 16: nmcli: not found Secure: Wireless status menu is enabled [177 Passes] UFW Package ufw is installed Secure: Package ufw is installed [178 Passes]
[ Fix ] echo "* hard core 0" >> /etc/security/limits.conf
Package iptables-persistent is uninstalled Secure: Package iptables-persistent is uninstalled [179 Passes]
[ Fix ] echo "* hard core 0" >> /etc/security/limits.conf
Service ufw is enabled
Secure: Service ufw is enabled [180 Passes]
PostgreSQL Database
Service postgresql is disabled
./lunar.sh: 7: [: Illegal number:
XD/NX
No journal files were found.
Warning: XD/NX is not enabled [288 Warnings]
Tests: 468 Passes: 180 Warnings: 288
root@server:# crontab -u root -l
command error or empty output
Assessment and recommendations: the SSH service requires correct configuration. For security, it is also advisable to change the default port 22 to another one. The configuration and ordering of system services needs attention; to improve performance, some of them should be disabled. It is also recommended to enable the server task scheduler Crontab and use it to set up automatic backups. Overall, the hints (FIX) issued by Nix Auditor should be taken into account.
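To make the audit's FIX hints checkable before and after they are applied, here is a small POSIX shell script (an added example, not part of the original post and not code from the Lunar / Nix Auditor tool) that re-implements four of the checks reported above: the default UMASK in a login.defs-style file, group/other write bits on the cron directories, system accounts that still have a login shell, and the sshd Port that the recommendation asks to change. Each function takes the file or directory to inspect as an argument, so it can be run against copies or constructed sample files as well as the live host; it assumes a Linux host with awk and a `stat` that accepts `-c` (GNU or busybox), and the 077/027 umask thresholds and file paths are those from the audit output.

```shell
#!/bin/sh
# Added example (not from the original post and not Lunar / Nix Auditor code):
# four of the audit's checks re-implemented as functions that take the file or
# directory to inspect as an argument, so they can be run against constructed
# sample files as well as the live host. Assumes a Linux host with awk and
# GNU or busybox stat (stat -c); umask thresholds 077/027 follow the audit.

# Effective UMASK in a login.defs-style file. login.defs uses the whitespace
# form ("UMASK 022"); the "UMASK=077" form the audit's FIX line appends is
# accepted too. Prints the value, or "unset" if the key is absent/commented.
umask_in_file() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }                          # ignore indentation
        toupper($1) == "UMASK" && $2 != "" { v = $2 }   # last occurrence wins
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Returns 0 when the UMASK in $1 equals $2 (077 for user logins, 027 for the
# daemon umask in the audit), non-zero otherwise.
umask_ok() {
    [ "$(umask_in_file "$1")" = "$2" ]
}

# Group/other write bit on a path (the check that flagged /sbin and /bin
# above). Prints "secure" if neither bit is set, "warning" otherwise;
# returns 2 if the path cannot be stat'ed.
writable_by_group_or_other() {
    mode=$(stat -c '%a' "$1") || return 2          # e.g. 755, 1777, 4755
    if [ $(( 0$mode & 022 )) -ne 0 ]; then echo warning; else echo secure; fi
}

# System accounts (UID below 1000, root excepted) whose shell is neither
# nologin nor false, read from a passwd-format file. One name per line;
# the audit's FIX for these was usermod -s /sbin/nologin <name>.
system_accounts_with_shell() {
    awk -F: '$3 < 1000 && $1 != "root" && $7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# Every uncommented Port directive in an sshd_config-style file (sshd listens
# on all of them), or 22 when none is set, the default the text suggests changing.
sshd_port() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# With --live, inspect this host (needs read access to the files).
if [ "${1:-}" = "--live" ]; then
    printf 'UMASK in /etc/login.defs: %s\n' "$(umask_in_file /etc/login.defs)"
    for d in /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly; do
        [ -d "$d" ] && printf '%s: %s\n' "$d" "$(writable_by_group_or_other "$d")"
    done
    echo 'System accounts with a login shell:'
    system_accounts_with_shell /etc/passwd
    printf 'sshd Port: %s\n' "$(sshd_port /etc/ssh/sshd_config)"
fi
```

Run it with `--live` as root to inspect the actual host. One caveat worth keeping in mind when applying the FIX lines above: /etc/login.defs itself uses the whitespace-separated form (`UMASK 077`), so after appending `UMASK=077` as the tool suggests, re-read the file (the parser here accepts both forms so the check still reports what is actually present), and on Debian/Ubuntu hosts the nologin binary may live under /usr/sbin, which the shell check accepts as well.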
root@server:# ./testssl.sh example.com
###########################################################
testssl.sh 3.2rc2 from https://testssl.sh/dev/ (63xa3e5 2012-10-13 09:37:40)
This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-bad (1.0.2k-dev)" [~183 ciphers] on ubuntu-1:./bin/openssl.Linux.x86_64 (built: "Sep 1 14:03:44 2012", platform: "linux-x86_64")
Testing all IPv4 addresses (port 443): XXX.XX.XX.XXX ------------------------------------------------------------------------------------------------------------------------------------------ Start 2012-10-13 13:09:41 -->> XXX.XX.XX.XXX:443 (example.com) <<--
Further IP addresses: XXX.XX.XXX.XX rDNS (XXX.XX.XX.XXX): -- Service detected: HTTP
Testing server's cipher preferences
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- SSLv2 - SSLv3 - TLSv1 - TLSv1.1 - TLSv1.2 (server order -- server prioritizes ChaCha ciphers when preferred by clients) xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 xcc14 ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLSv1.3 (no server order, thus listed by strength) x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256
Has server cipher order? yes (OK) -- only for < TLS 1.3 Negotiated protocol TLSv1.3 Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session tickets ROBOT Server does not support any cipher suites that use RSA key transport Secure Renegotiation (RFC 5746) OpenSSL handshake didn't succeed Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) potentially NOT ok, "gzip" HTTP compression detected. - only supplied "/" tested Can be ignored for static pages or if no secrets in the page POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) no RSA certificate, thus certificate can't be used with SSLv2 elsewhere LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches Winshock (CVE-2014-6321), experimental not vulnerable (OK) RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Running client simulations (HTTP) via sockets
Browser                      Protocol  Cipher Suite Name (OpenSSL)        Forward Secrecy
---------------------------------------------------------------------
Android 6.0                  TLSv1.2   ECDHE-ECDSA-CHACHA20-POLY1305-OLD  256 bit ECDH (P-256)
Android 7.0 (native)         TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256      256 bit ECDH (P-256)
Android 8.1 (native)         TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256      253 bit ECDH (X25519)
Android 9.0 (native)         TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
Android 10.0 (native)        TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
Android 11 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
Android 12 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
Chrome 79 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
Chrome 101 (Win 10)          TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
Firefox 100 (Win 10)         TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
IE 6 XP                      No connection
IE 8 Win 7                   No connection
IE 8 XP                      No connection
IE 11 Win 7                  TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256      256 bit ECDH (P-256)
IE 11 Win 8.1                TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256      256 bit ECDH (P-256)
IE 11 Win Phone 8.1          TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256      256 bit ECDH (P-256)
IE 11 Win 10                 TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256      256 bit ECDH (P-256)
Edge 15 Win 10               TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256      253 bit ECDH (X25519)
Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_CHACHA20_POLY1305_SHA256       253 bit ECDH (X25519)
Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_CHACHA20_POLY1305_SHA256       253 bit ECDH (X25519)
Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
Java 7u25                    No connection
Java 8u161                   TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256      256 bit ECDH (P-256)
Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256             256 bit ECDH (P-256)
Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384             253 bit ECDH (X25519)
go 1.17.8                    TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
LibreSSL 2.8.3 (Apple)       TLSv1.2   ECDHE-ECDSA-CHACHA20-POLY1305      253 bit ECDH (X25519)
OpenSSL 1.0.2e               TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256      256 bit ECDH (P-256)
OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-ECDSA-CHACHA20-POLY1305      253 bit ECDH (X25519)
OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384             253 bit ECDH (X25519)
OpenSSL 3.0.3 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384             253 bit ECDH (X25519)
Apple Mail (16.0)            TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256      256 bit ECDH (P-256)
Thunderbird (91.9)           TLSv1.3   TLS_AES_128_GCM_SHA256             253 bit ECDH (X25519)
Rating (experimental)
Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Protocol Support (weighted)  100 (30)
Key Exchange     (weighted)  100 (30)
Cipher Strength  (weighted)  90 (36)
Final Score                  96
Overall Grade                A+
Assessment and recommendations: the server presents a valid certificate and negotiates the current TLS 1.3. No legacy protocol (SSLv2, SSLv3, TLS 1.0, TLS 1.1) is offered, there is no RSA key transport, no RC4 and no 3DES, and every simulated client that can connect at all does so with forward secrecy. The final score is A+. Two lines in the output still deserve a sentence in the report rather than a blanket "all checks passed". First, the TLS 1.2 list contains four CBC suites (xc009, xc00a, xc023, xc024), which is why LUCKY13 is reported as potentially vulnerable; removing them leaves only AEAD suites and, judging by the client simulation, costs no compatibility, since none of the connecting clients chose a CBC suite. Second, BREACH is flagged because gzip compression is enabled on "/"; this matters only where a response mixes secrets (CSRF tokens, session identifiers) with attacker-controlled input, so it should be assessed per page rather than dismissed. The "Secure Renegotiation" line reads "OpenSSL handshake didn't succeed", which is an inconclusive result, not a pass. Finally, the response headers below (server: cloudflare, cf-ray) show the site behind a CDN, so this test describes Cloudflare's edge; the origin server's own TLS configuration must be tested separately against its IP address, and the CDN-to-origin connection must itself be encrypted and certificate-validated.
root@server:# curl -I https://example.com
HTTP/2 200
date: Thu, 13 Oct 2012 13:18:39 GMT
content-type: text/html; charset=UTF-8
x-dns-prefetch-control: on
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: upgrade-insecure-requests
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer
expect-ct: max-age=7776000, enforce
permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
x-litespeed-cache: hit
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wQan7soORqpxoObws6BQputDJShub5AQTLUop%2BvhpNkvksLJ8FsZHjFuleb8n8e6hcvk7fccfyFfz4343243242XxrPoJEwfQukGc9f3bQ%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 75985345345c94b9fb9-SIN
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Assessment and recommendations: all the main security headers are present except X-Frame-Options, which gives a score of A. The missing header should be added, or, equivalently, a frame-ancestors directive placed in Content-Security-Policy, which supersedes X-Frame-Options in current browsers; either stops the site from being embedded in a frame on a third-party page, the basis of clickjacking. Two further points belong in a complete report. The CSP consists only of upgrade-insecure-requests and therefore restricts no script or resource sources, so it provides no XSS mitigation at all; a real policy needs at least default-src and script-src. And x-xss-protection and expect-ct are obsolete: current browsers ignore both, so they can be removed rather than maintained.
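The header review above can be turned into a repeatable check. The following script is an added example, not part of the original audit: it parses the raw header block that `curl -I` prints and reports which protections are missing or weak, including the two cases discussed above (no anti-framing header at all, and a CSP without source restrictions). The sample response is constructed from the headers shown on this page; the severity labels are an assumption.

```python
"""Audit HTTP response headers for the protections discussed in the audit.

Added example; not code from the original page. Parses a raw `curl -I`
header block and returns findings. SAMPLE_RESPONSE is constructed from
the headers shown above (trimmed); severities are assumed.
"""
import re

SAMPLE_RESPONSE = """HTTP/2 200
date: Thu, 13 Oct 2012 13:18:39 GMT
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: upgrade-insecure-requests
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer
permissions-policy: accelerometer=(), camera=(), geolocation=(), microphone=()
server: cloudflare
"""

ONE_YEAR = 31536000  # seconds; the usual minimum for a preload-ready HSTS policy


def parse_headers(raw: str) -> dict:
    """Return a lower-cased name -> value map; the status line is dropped.
    Repeated headers are joined with ', ' as HTTP permits."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def csp_directive(csp: str, name: str):
    """Return the value of one CSP directive ('' if it has none), or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split(None, 1)
        if parts and parts[0].lower() == name:
            return parts[1] if len(parts) > 1 else ""
    return None


def audit_headers(headers: dict) -> list:
    """Return (severity, message) findings for a parsed header map."""
    findings = []
    csp = headers.get("content-security-policy", "")
    # Clickjacking: either X-Frame-Options or CSP frame-ancestors must be present.
    if "x-frame-options" not in headers and csp_directive(csp, "frame-ancestors") is None:
        findings.append(("medium", "no X-Frame-Options and no CSP frame-ancestors: clickjacking possible"))
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("medium", "HSTS max-age shorter than one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS without includeSubDomains"))
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))
    if "referrer-policy" not in headers:
        findings.append(("low", "Referrer-Policy missing"))
    # A CSP with no default-src/script-src restricts nothing, whatever else it says.
    if csp and csp_directive(csp, "default-src") is None and csp_directive(csp, "script-src") is None:
        findings.append(("info", "CSP has no default-src/script-src: it does not mitigate XSS"))
    # Legacy header ignored by current browsers; CSP is the replacement.
    if "x-xss-protection" in headers:
        findings.append(("info", "X-XSS-Protection is obsolete; rely on CSP instead"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_headers(parse_headers(SAMPLE_RESPONSE)):
        print(f"[{severity}] {message}")
```

Run it against the saved output of `curl -I` for each virtual host; the clickjacking finding disappears once either `X-Frame-Options: DENY` or a `frame-ancestors` directive is served.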
root@server:~# nmap -sS -sV -O XXX.XXX.XX.X
Starting Nmap 7.80 ( https://nmap.org ) at 2012-10-13 11:03 UTC
Nmap scan report for XXX.XXX.XX.X
Host is up (0.16s latency).
Not shown: 975 filtered ports
PORT      STATE  SERVICE       VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp           ProFTPD 1.3.5e
22/tcp    open   ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
53/tcp    open   domain        ISC BIND 9.11.3-1ubuntu1.18 (Ubuntu Linux)
80/tcp    open   http          Apache httpd
110/tcp   open   pop3          Dovecot pop3d
143/tcp   open   imap          Dovecot imapd (Ubuntu)
443/tcp   open   ssl/http      Apache httpd
465/tcp   open   ssl/smtp      Postfix smtpd
587/tcp   open   smtp          Postfix smtpd
993/tcp   open   ssl/imap      Dovecot imapd (Ubuntu)
995/tcp   open   ssl/pop3      Dovecot pop3d
2222/tcp  open   ssh           ProFTPD mod_sftp 0.9.9 (protocol 2.0)
10000/tcp open   http          MiniServ 2.001 (Webmin httpd)
10001/tcp closed scp-config
10002/tcp closed documentum
10003/tcp closed documentum_s
10004/tcp closed emcrmirccd
10009/tcp closed swdtp-sv
10010/tcp closed rxapi
10012/tcp closed unknown
10024/tcp closed unknown
10025/tcp closed unknown
10082/tcp closed amandaidx
20000/tcp open   http          MiniServ 1.860 (Webmin httpd)
Service Info: Host: my.host.com; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
root@server:~# nmap -sV --script vulners XXX.XXX.XX.X
Starting Nmap 7.80 ( https://nmap.org ) at 2012-10-13 11:13 UTC
Host is up (0.16s latency).
Not shown: 975 filtered ports
PORT      STATE  SERVICE  VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp      ProFTPD 1.3.5e
| vulners:
|   cpe:/a:proftpd:proftpd:1.3.5e:
|     SAINT:FD1752E124A72FD3A26EEB9B315E8382  10.0  https://vulners.com/saint/SAINT:FD1752E124A72FD3A26EEB9B315E8382  *EXPLOIT*
|     SAINT:950EB68D408A40399926A4CCAD3CC62E  10.0  https://vulners.com/saint/SAINT:950EB68D408A40399926A4CCAD3CC62E  *EXPLOIT*
|     SAINT:63FB77B9136D48259E4F0D4CDA35E957  10.0  https://vulners.com/saint/SAINT:63FB77B9136D48259E4F0D4CDA35E957  *EXPLOIT*
|     SAINT:1B08F4664C428B180EEC9617B41D9A2C  10.0  https://vulners.com/saint/SAINT:1B08F4664C428B180EEC9617B41D9A2C  *EXPLOIT*
|     PROFTPD_MOD_COPY  10.0  https://vulners.com/canvas/PROFTPD_MOD_COPY  *EXPLOIT*
|     PACKETSTORM:162777  10.0  https://vulners.com/packetstorm/PACKETSTORM:162777  *EXPLOIT*
|     PACKETSTORM:132218  10.0  https://vulners.com/packetstorm/PACKETSTORM:132218  *EXPLOIT*
|     PACKETSTORM:131567  10.0  https://vulners.com/packetstorm/PACKETSTORM:131567  *EXPLOIT*
|     PACKETSTORM:131555  10.0  https://vulners.com/packetstorm/PACKETSTORM:131555  *EXPLOIT*
|     PACKETSTORM:131505  10.0  https://vulners.com/packetstorm/PACKETSTORM:131505  *EXPLOIT*
|     EDB-ID:49908  10.0  https://vulners.com/exploitdb/EDB-ID:49908  *EXPLOIT*
|     CVE-2015-3306  10.0  https://vulners.com/cve/CVE-2015-3306
|     1337DAY-ID-36298  10.0  https://vulners.com/zdt/1337DAY-ID-36298  *EXPLOIT*
|     1337DAY-ID-23720  10.0  https://vulners.com/zdt/1337DAY-ID-23720  *EXPLOIT*
|     1337DAY-ID-23544  10.0  https://vulners.com/zdt/1337DAY-ID-23544  *EXPLOIT*
|     SSV:61050  5.0  https://vulners.com/seebug/SSV:61050  *EXPLOIT*
|     CVE-2020-9272  5.0  https://vulners.com/cve/CVE-2020-9272
|     CVE-2019-19272  5.0  https://vulners.com/cve/CVE-2019-19272
|     CVE-2019-19271  5.0  https://vulners.com/cve/CVE-2019-19271
|     CVE-2019-19270  5.0  https://vulners.com/cve/CVE-2019-19270
|     CVE-2019-18217  5.0  https://vulners.com/cve/CVE-2019-18217
|     CVE-2016-3125  5.0  https://vulners.com/cve/CVE-2016-3125
|     CVE-2013-4359  5.0  https://vulners.com/cve/CVE-2013-4359
|_    CVE-2017-7418  2.1  https://vulners.com/cve/CVE-2017-7418
22/tcp    open   ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.6p1:
|     EXPLOITPACK:98FE96309F9524B8C84C508837551A19  5.8  https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19  *EXPLOIT*
|     EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97  5.8  https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97  *EXPLOIT*
|     EDB-ID:46516  5.8  https://vulners.com/exploitdb/EDB-ID:46516  *EXPLOIT*
|     EDB-ID:46193  5.8  https://vulners.com/exploitdb/EDB-ID:46193  *EXPLOIT*
|     CVE-2019-6111  5.8  https://vulners.com/cve/CVE-2019-6111
|     1337DAY-ID-32328  5.8  https://vulners.com/zdt/1337DAY-ID-32328  *EXPLOIT*
|     1337DAY-ID-32009  5.8  https://vulners.com/zdt/1337DAY-ID-32009  *EXPLOIT*
|     SSH_ENUM  5.0  https://vulners.com/canvas/SSH_ENUM  *EXPLOIT*
|     PACKETSTORM:150621  5.0  https://vulners.com/packetstorm/PACKETSTORM:150621  *EXPLOIT*
|     EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0  5.0  https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0  *EXPLOIT*
|     EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283  5.0  https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283  *EXPLOIT*
|     EDB-ID:45939  5.0  https://vulners.com/exploitdb/EDB-ID:45939  *EXPLOIT*
|     EDB-ID:45233  5.0  https://vulners.com/exploitdb/EDB-ID:45233  *EXPLOIT*
|     CVE-2018-15919  5.0  https://vulners.com/cve/CVE-2018-15919
|     CVE-2018-15473  5.0  https://vulners.com/cve/CVE-2018-15473
|     CVE-2017-15906  5.0  https://vulners.com/cve/CVE-2017-15906
|     1337DAY-ID-31730  5.0  https://vulners.com/zdt/1337DAY-ID-31730  *EXPLOIT*
|     CVE-2021-41617  4.4  https://vulners.com/cve/CVE-2021-41617
|     CVE-2020-14145  4.3  https://vulners.com/cve/CVE-2020-14145
|     CVE-2019-6110  4.0  https://vulners.com/cve/CVE-2019-6110
|     CVE-2019-6109  4.0  https://vulners.com/cve/CVE-2019-6109
|     CVE-2018-20685  2.6  https://vulners.com/cve/CVE-2018-20685
|     PACKETSTORM:151227  0.0  https://vulners.com/packetstorm/PACKETSTORM:151227  *EXPLOIT*
|     MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-  0.0  https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-  *EXPLOIT*
|_    1337DAY-ID-30937  0.0  https://vulners.com/zdt/1337DAY-ID-30937  *EXPLOIT*
53/tcp    open   domain   ISC BIND 9.11.3-1ubuntu1.18 (Ubuntu Linux)
| vulners:
|   cpe:/a:isc:bind:9.11.3-1ubuntu1.18:
|     CVE-2021-25216  6.8  https://vulners.com/cve/CVE-2021-25216
|     CVE-2020-8625  6.8  https://vulners.com/cve/CVE-2020-8625
|     PACKETSTORM:157836  5.0  https://vulners.com/packetstorm/PACKETSTORM:157836  *EXPLOIT*
|     FBC03933-7A65-52F3-83F4-4B2253A490B6  5.0  https://vulners.com/githubexploit/FBC03933-7A65-52F3-83F4-4B2253A490B6  *EXPLOIT*
|     CVE-2021-25220  5.0  https://vulners.com/cve/CVE-2021-25220
|     CVE-2021-25219  5.0  https://vulners.com/cve/CVE-2021-25219
|     CVE-2021-25215  5.0  https://vulners.com/cve/CVE-2021-25215
|     CVE-2020-8616  5.0  https://vulners.com/cve/CVE-2020-8616
|     CVE-2019-6470  5.0  https://vulners.com/cve/CVE-2019-6470
|     CVE-2018-5744  5.0  https://vulners.com/cve/CVE-2018-5744
|     CVE-2018-5740  5.0  https://vulners.com/cve/CVE-2018-5740
|     CVE-2020-8623  4.3  https://vulners.com/cve/CVE-2020-8623
|     CVE-2020-8617  4.3  https://vulners.com/cve/CVE-2020-8617
|     CVE-2019-6471  4.3  https://vulners.com/cve/CVE-2019-6471
|     CVE-2019-6465  4.3  https://vulners.com/cve/CVE-2019-6465
|     CVE-2018-5743  4.3  https://vulners.com/cve/CVE-2018-5743
|     1337DAY-ID-34485  4.3  https://vulners.com/zdt/1337DAY-ID-34485  *EXPLOIT*
|     CVE-2021-25214  4.0  https://vulners.com/cve/CVE-2021-25214
|     CVE-2020-8624  4.0  https://vulners.com/cve/CVE-2020-8624
|     CVE-2020-8622  4.0  https://vulners.com/cve/CVE-2020-8622
|     CVE-2018-5741  4.0  https://vulners.com/cve/CVE-2018-5741
|     CVE-2018-5745  3.5  https://vulners.com/cve/CVE-2018-5745
|     CVE-2022-38178  0.0  https://vulners.com/cve/CVE-2022-38178
|     CVE-2022-38177  0.0  https://vulners.com/cve/CVE-2022-38177
|_    CVE-2022-2795  0.0  https://vulners.com/cve/CVE-2022-2795
Assessment and recommendations: the server exposes a large number of ports and services, which enlarges the attack surface: service enumeration, exploitation of known bugs in outdated components, and more targets for denial-of-service traffic. Ports that are not in use must be closed at the firewall, and the components that stay exposed must be updated, for example ProFTPD 1.3.5e (affected by the mod_copy issue CVE-2019-12815) and OpenSSH 7.6p1. FTP should be abandoned altogether: the protocol is obsolete, transmits credentials and data in clear text, and its role is covered by SFTP over SSH. The Webmin administrative interface on 10000/tcp and 20000/tcp must not be reachable from the Internet at all; restrict it to a VPN or an address allow-list. The mail services Dovecot and Postfix need dedicated hardening, or should be disabled if they are not used; ideally mail is deployed on a separate server. One caveat on the vulners output: the script matches CVEs on the version string alone, and distribution packages such as OpenSSH 7.6p1 4ubuntu0.7 or BIND 9.11.3-1ubuntu1.18 carry backported fixes, so every listed CVE must be checked against the package changelog before it goes into the report. CVE-2015-3306, for instance, was fixed in ProFTPD 1.3.5a and is a false match for 1.3.5e, even though the scanner lists it at 10.0 with exploits attached.
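The exposure review above is mechanical enough to script. The following is an added example, not part of the original audit: it parses the `PORT STATE SERVICE VERSION` lines that `nmap -sV` prints, classifies each open port against an exposure policy for a host that is meant to serve only SSH and HTTP(S), and flags version banners that carry a distribution revision, where vulners matches must be confirmed against the package changelog. The sample scan is constructed from the scan shown on this page; the policy sets are an assumption.

```python
"""Classify open ports from an nmap -sV scan against an exposure policy.

Added example; not code from the original page. SAMPLE_SCAN is constructed
from the scan shown above; the policy (which ports a public web/SSH host
may expose) is an assumption.
"""
import re

SAMPLE_SCAN = """PORT      STATE  SERVICE  VERSION
21/tcp    open   ftp      ProFTPD 1.3.5e
22/tcp    open   ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
53/tcp    open   domain   ISC BIND 9.11.3-1ubuntu1.18 (Ubuntu Linux)
80/tcp    open   http     Apache httpd
110/tcp   open   pop3     Dovecot pop3d
443/tcp   open   ssl/http Apache httpd
2222/tcp  open   ssh      ProFTPD mod_sftp 0.9.9 (protocol 2.0)
10000/tcp open   http     MiniServ 2.001 (Webmin httpd)
10001/tcp closed scp-config
20000/tcp open   http     MiniServ 1.860 (Webmin httpd)
"""

# Policy (assumed): a public web/SSH host may expose only these to the Internet.
PUBLIC_OK = {22, 80, 443}
ADMIN_ONLY = {10000, 20000}                # management panels (Webmin here): VPN / allow-list only
CLEARTEXT_LEGACY = {21, 23, 110, 143}      # unencrypted protocols: replace or disable
MAIL = {25, 110, 143, 465, 587, 993, 995}  # belongs on a dedicated mail host

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# Distribution revision markers: 4ubuntu0.7, +deb10u2, .el8 ... these packages get backports.
DISTRO_RE = re.compile(r"\b\d+ubuntu[\d.]+|\+deb\d+|\.el\d+\b")


def parse_scan(text: str) -> list:
    """Return (port, proto, state, service, version) for every port line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append((int(port), proto, state, service, version.strip()))
    return rows


def classify(rows: list) -> dict:
    """Map each open port to a finding category ('ok' for allowed public services).
    Closed and filtered ports are not exposure and are left out."""
    result = {}
    for port, _proto, state, _service, _version in rows:
        if state != "open":
            continue
        if port in ADMIN_ONLY:
            result[port] = "admin-interface-exposed"
        elif port in CLEARTEXT_LEGACY:
            result[port] = "cleartext-protocol"
        elif port in MAIL:
            result[port] = "mail-service-on-web-host"
        elif port in PUBLIC_OK:
            result[port] = "ok"
        else:
            result[port] = "unexpected-service"
    return result


def needs_backport_check(version: str) -> bool:
    """True when the banner carries a distribution revision: such packages
    receive backported security fixes, so version-string CVE matches (as
    produced by the vulners script) must be verified against the changelog."""
    return bool(DISTRO_RE.search(version))


if __name__ == "__main__":
    rows = parse_scan(SAMPLE_SCAN)
    for port, category in sorted(classify(rows).items()):
        print(f"{port:>6}/tcp  {category}")
    for port, _p, state, _s, version in rows:
        if state == "open" and needs_backport_check(version):
            print(f"{port:>6}/tcp  verify scanner CVEs against distro changelog: {version}")
```

Feed it `nmap -sV -oN scan.txt` output; anything other than `ok` is a line item for the report, and the backport note keeps scanner-only CVE lists from being copied into findings unverified.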
root@server:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:7337          0.0.0.0:*               LISTEN      83855/postgres.bin
tcp        0      0 127.0.0.1:42545         0.0.0.0:*               LISTEN      5698/containerd
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      566/systemd-resolve
Assessment: netstat lists listening sockets rather than interfaces. All three here (PostgreSQL on 7337, containerd, and the systemd-resolved stub resolver) are bound to loopback only, so they are not reachable from the network; the check is still to match every listener to a known, needed service and to remove the rest. On current systems ss -tulpn gives the same view and is the maintained tool.
root@server:# uptime
 14:00:12 up 62 days, 22:07,  1 user,  load average: 0.03, 0.12, 0.06
root@server:# ps -auxenf
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
0 2 0.0 0.0 0 0 ? S Aug11 0:00 [kthreadd]
0 3 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [rcu_gp]
0 4 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [rcu_par_gp]
0 6 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [kworker/0:0H-kblockd]
0 9 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [mm_percpu_wq]
0 10 0.0 0.0 0 0 ? S Aug11 1:57 \_ [ksoftirqd/0]
0 11 0.0 0.0 0 0 ? I Aug11 4:40 \_ [rcu_sched]
0 12 0.0 0.0 0 0 ? S Aug11 0:37 \_ [migration/0]
0 13 0.0 0.0 0 0 ? S Aug11 0:00 \_ [idle_inject/0]
0 14 0.0 0.0 0 0 ? S Aug11 0:00 \_ [cpuhp/0]
0 15 0.0 0.0 0 0 ? S Aug11 0:00 \_ [kdevtmpfs]
0 16 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [netns]
0 17 0.0 0.0 0 0 ? S Aug11 0:00 \_ [rcu_tasks_kthre]
0 18 0.0 0.0 0 0 ? S Aug11 0:00 \_ [kauditd]
0 19 0.0 0.0 0 0 ? S Aug11 0:02 \_ [khungtaskd]
0 20 0.0 0.0 0 0 ? S Aug11 0:00 \_ [oom_reaper]
0 21 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [writeback]
0 22 0.0 0.0 0 0 ? S Aug11 0:00 \_ [kcompactd0]
0 23 0.0 0.0 0 0 ? SN Aug11 0:00 \_ [ksmd]
0 24 0.0 0.0 0 0 ? SN Aug11 0:22 \_ [khugepaged]
0 70 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [kintegrityd]
0 71 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [kblockd]
0 72 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [blkcg_punt_bio]
0 73 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [tpm_dev_wq]
0 74 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [ata_sff]
0 75 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [md]
0 76 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [edac-poller]
0 77 0.0 0.0 0 0 ? I< Aug11 0:00 \_ [devfreq_wq]
root@server:~# pstree
systemd─┬─ModemManager───2*[{ModemManager}]
        ├─accounts-daemon───2*[{accounts-daemon}]
        ├─2*[agetty]
        ├─atd
        ├─containerd───9*[{containerd}]
        ├─cron
        ├─dbus-daemon
        ├─dockerd───8*[{dockerd}]
        ├─droplet-agent───8*[{droplet-agent}]
        ├─multipathd───6*[{multipathd}]
        ├─networkd-dispat
        ├─packagekitd───2*[{packagekitd}]
        ├─polkitd───2*[{polkitd}]
        ├─postgres.bin───6*[postgres.bin]
        ├─rsyslogd───3*[{rsyslogd}]
        ├─snapd───9*[{snapd}]
        ├─sshd─┬─2*[sshd───bash]
        │      ├─sshd
        │      └─sshd───bash───pstree
        ├─systemd───(sd-pam)
        ├─systemd-journal
        ├─systemd-logind
        ├─systemd-network
        ├─systemd-resolve
        ├─systemd-timesyn───{systemd-timesyn}
        ├─systemd-udevd
        ├─udisksd───4*[{udisksd}]
        ├─unattended-upgr───{unattended-upgr}
        └─uuidd
root@server:~# journalctl -n 100
Oct 13 08:36:54 nn1 dbus-daemon[3386]: [session uid=1000 pid=3386] Activating via systemd: service name='org.freedesktop.Tracker3.Miner.Extract' unit='tracker-extract-3.service' requested by ':1.7' (uid=1000 pid=3432 comm="/usr/libexec/tracker-miner-fs-3")
Oct 13 08:36:54 nn1 systemd[3363]: Starting Tracker metadata extractor...
Oct 13 08:36:56 nn1 dbus-daemon[3386]: [session uid=1000 pid=3386] Activating via systemd: service name='org.gtk.vfs.MTPVolumeMonitor' unit='gvfs-mtp-volume-monitor.service' requested by ':1.327' (uid=1000 pid=28347 comm="/usr/libexec/tracker-extract-3")
Oct 13 08:36:56 nn1 systemd[3363]: Starting Virtual filesystem service - Media Transfer Protocol monitor...
Oct 13 08:36:56 nn1 systemd[28353]: gvfs-mtp-volume-monitor.service: Failed to locate executable /usr/libexec/gvfs-mtp-volume-monitor: No such file or directory
Oct 13 08:36:56 nn1 systemd[28353]: gvfs-mtp-volume-monitor.service: Failed at step EXEC spawning /usr/libexec/gvfs-mtp-volume-monitor: No such file or directory
Oct 13 08:36:56 nn1 systemd[3363]: gvfs-mtp-volume-monitor.service: Main process exited, code=exited, status=203/EXEC
Oct 13 08:36:56 nn1 systemd[3363]: gvfs-mtp-volume-monitor.service: Failed with result 'exit-code'.
Oct 13 08:36:56 nn1 systemd[3363]: Failed to start Virtual filesystem service - Media Transfer Protocol monitor.
Oct 13 08:37:21 nn1 tracker-extract-3[28347]: Error creating proxy: Error calling StartServiceByName for org.gtk.vfs.MTPVolumeMonitor: Timeout was reached (g-io-error-quark, 24)
Oct 13 08:37:21 nn1 dbus-daemon[3386]: [session uid=1000 pid=3386] Successfully activated service 'org.freedesktop.Tracker3.Miner.Extract'
Oct 13 08:37:21 nn1 systemd[3363]: Started Tracker metadata extractor.
Oct 13 08:38:37 nn1 dbus-daemon[3386]: [session uid=1000 pid=3386] Activating via systemd: service name='org.freedesktop.Tracker3.Miner.Extract' unit='tracker-extract-3.service' requested by ':1.7' (uid=1000 pid=3432 comm="/usr/libexec/tracker-miner-fs-3")
Oct 13 08:38:37 nn1 systemd[3363]: Starting Tracker metadata extractor...

root@server:~# dmesg | tail
[9936561.054488] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/system.slice/apache2.service,task=apache2,pid=968751,uid=33
[9936561.054501] Out of memory: Killed process 968751 (apache2) total-vm:253516kB, anon-rss:16720kB, file-rss:3004kB, shmem-rss:20652kB, UID:33 pgtables:280kB oom_score_adj:0
[9936561.066209] oom_reaper: reaped process 968751 (apache2), now anon-rss:0kB, file-rss:0kB, shmem-rss:20652kB
Assessment and recommendations: no load problem was found (load average 0.03, 0.12, 0.06 after 62 days of uptime), but a large number of background processes are running that need to be reviewed and trimmed. The journal shows a desktop session (uid 1000 with tracker-miner and gvfs components) on what is meant to be a server; that is where the failed start of gvfs-mtp-volume-monitor.service (status 203/EXEC, executable not found) comes from, and the fix is to remove the desktop components rather than the missing binary. The kernel log is more serious than "possible memory problems": the OOM killer terminated an apache2 worker (pid 968751, UID 33), so the host ran out of memory at least once. Memory sizing, swap, and the web server's worker limits must be reviewed, and the timestamp correlated with the access logs to rule out resource exhaustion caused by traffic rather than by configuration.
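The two log findings above are easy to miss in a 100-line journal dump, so it is worth extracting them programmatically. The following is an added example, not part of the original audit: it scans dmesg-style lines for OOM-killer events (which process, UID and how much anonymous memory was reclaimed) and journald lines for units that failed to start, and turns both into concrete findings. The sample lines are constructed from the output shown on this page.

```python
"""Triage kernel and journal lines for OOM kills and failed systemd units.

Added example; not code from the original page. SAMPLE_DMESG and
SAMPLE_JOURNAL are constructed from the output shown above.
"""
import re

SAMPLE_DMESG = """[9936561.054488] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/system.slice/apache2.service,task=apache2,pid=968751,uid=33
[9936561.054501] Out of memory: Killed process 968751 (apache2) total-vm:253516kB, anon-rss:16720kB, file-rss:3004kB, shmem-rss:20652kB, UID:33 pgtables:280kB oom_score_adj:0
[9936561.066209] oom_reaper: reaped process 968751 (apache2), now anon-rss:0kB, file-rss:0kB, shmem-rss:20652kB
"""

SAMPLE_JOURNAL = """Oct 13 08:36:56 nn1 systemd[3363]: Starting Virtual filesystem service - Media Transfer Protocol monitor...
Oct 13 08:36:56 nn1 systemd[28353]: gvfs-mtp-volume-monitor.service: Failed at step EXEC spawning /usr/libexec/gvfs-mtp-volume-monitor: No such file or directory
Oct 13 08:36:56 nn1 systemd[3363]: gvfs-mtp-volume-monitor.service: Main process exited, code=exited, status=203/EXEC
Oct 13 08:36:56 nn1 systemd[3363]: gvfs-mtp-volume-monitor.service: Failed with result 'exit-code'.
Oct 13 08:37:21 nn1 systemd[3363]: Started Tracker metadata extractor.
"""

# The "Killed process" line carries pid, command, per-type RSS and the victim's UID.
OOM_RE = re.compile(
    r"Out of memory: Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\).*?"
    r"anon-rss:(?P<anon_rss>\d+)kB.*?UID:(?P<uid>\d+)")
# systemd reports either the exit status of the main process or the final result.
UNIT_FAIL_RE = re.compile(
    r"systemd\[\d+\]: (?P<unit>\S+\.service): "
    r"(?:Failed with result '(?P<result>[^']+)'|Main process exited, code=exited, status=(?P<status>\S+))")


def oom_events(lines: str) -> list:
    """Return one dict per OOM kill: pid, command, UID and anonymous RSS in kB."""
    events = []
    for line in lines.splitlines():
        m = OOM_RE.search(line)
        if m:
            events.append({"pid": int(m["pid"]), "comm": m["comm"],
                           "uid": int(m["uid"]), "anon_rss_kb": int(m["anon_rss"])})
    return events


def failed_units(lines: str) -> dict:
    """Return unit -> exit status for units systemd reported as failed.
    Status 203/EXEC means the unit's executable could not be run (not installed)."""
    status, failed = {}, set()
    for line in lines.splitlines():
        m = UNIT_FAIL_RE.search(line)
        if not m:
            continue
        if m["status"]:
            status[m["unit"]] = m["status"]
        else:
            failed.add(m["unit"])
    return {unit: status.get(unit, "unknown") for unit in failed}


def findings(dmesg: str, journal: str) -> list:
    """Render both checks as report lines."""
    out = []
    for e in oom_events(dmesg):
        out.append(f"OOM kill: {e['comm']} (pid {e['pid']}, uid {e['uid']}) lost "
                   f"{e['anon_rss_kb']} kB anon RSS; review memory sizing and worker limits")
    for unit, st in failed_units(journal).items():
        out.append(f"failed unit: {unit} ({st}); remove or mask it if not needed on a server")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_DMESG, SAMPLE_JOURNAL):
        print(line)
```

In practice the inputs come from `dmesg -T` and `journalctl -p err -b`; repeated OOM kills of the same service over a short window are the signal to compare against the access log for a traffic-driven exhaustion.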
[root@server ~]# awk -F: '($3 == "0") {print}' /etc/passwd
root:x:0:0:root:/root:/bin/bash

[root@server ~]# lastlog
Username         Port     From             Latest
root             pts/1    XX.XXX.XXX.X     Thu Oct 13 16:51:20 +0200
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
ftp                                        **Never logged in**
nobody                                     **Never logged in**
systemd-network                            **Never logged in**
dbus                                       **Never logged in**
polkitd                                    **Never logged in**
sshd                                       **Never logged in**
chrony                                     **Never logged in**
tss                                        **Never logged in**
cyberpanel                                 **Never logged in**
docker                                     **Never logged in**
lsadm                                      **Never logged in**
mysql                                      **Never logged in**
ftpuser                                    **Never logged in**
pdns                                       **Never logged in**
postfix                                    **Never logged in**
dovecot                                    **Never logged in**
dovenull                                   **Never logged in**
vmail                                      **Never logged in**
opendkim                                   **Never logged in**
lscpd                                      **Never logged in**
memcached                                  **Never logged in**
redis                                      **Never logged in**
saslauth                                   **Never logged in**
Assessment and recommendations: no hidden UID-0 accounts and no suspicious logins were found; root is the only account that has ever logged in, from a single address. No unknown groups were found either. A complete account check goes further than the UID-0 grep: /etc/shadow must be inspected for empty or unlocked passwords on service accounts, sudoers and membership of the sudo/wheel group must be reviewed, and every authorized_keys file must be accounted for, since each of these grants root without a second UID-0 entry. lastlog only records the last successful login per account; failed and brute-force attempts are in the authentication log (auth.log or journalctl -u ssh) and must be reviewed separately.
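The awk one-liner above answers one question (who has UID 0). The following is an added example, not part of the original audit, that covers the remaining account checks from the same two files: extra UID-0 accounts, duplicate UIDs, system accounts that still have an interactive shell, and shadow entries with an empty or locked password field. The sample /etc/passwd and /etc/shadow contents are constructed; the account names and the system-UID ceiling are assumptions.

```python
"""Account audit beyond 'who has UID 0'.

Added example; not code from the original page. SAMPLE_PASSWD and
SAMPLE_SHADOW are constructed; user names and SYSTEM_UID_MAX are assumed.
"""

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
ftpuser:x:1001:1001::/home/ftpuser:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
mysql:x:113:119:MySQL Server:/nonexistent:/bin/false
"""

SAMPLE_SHADOW = """root:$6$saltsalt$hashedhashedhashed:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
ftpuser::19000:0:99999:7:::
deploy:!$6$saltsalt$hashedhashedhashed:19000:0:99999:7:::
toor:$6$saltsalt$hashedhashedhashed:19000:0:99999:7:::
mysql:*:19000:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
SYSTEM_UID_MAX = 999  # assumed: Debian/Ubuntu reserve UIDs 0-999 for system accounts


def parse_passwd(text: str) -> list:
    """Return (name, uid, gid, gecos, home, shell) tuples for well-formed lines."""
    rows = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            rows.append((f[0], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return rows


def parse_shadow(text: str) -> dict:
    """Return name -> password field (hash, '', or a locked marker)."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.count(":") >= 8}


def audit_accounts(passwd: str, shadow: str) -> dict:
    """Run the checks an auditor wants from passwd and shadow together."""
    users = parse_passwd(passwd)
    pw = parse_shadow(shadow)
    uid0 = [name for name, uid, *_ in users if uid == 0]
    first_owner, duplicate_uids = {}, set()
    for name, uid, *_ in users:
        if uid in first_owner:
            duplicate_uids.add(uid)          # two names sharing one UID are the same identity
        first_owner.setdefault(uid, name)
    system_with_shell = [name for name, uid, _g, _gecos, _home, shell in users
                         if 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS]
    return {
        "uid0_accounts": uid0,
        "extra_uid0": [n for n in uid0 if n != "root"],
        "duplicate_uids": sorted(duplicate_uids),
        "system_accounts_with_shell": system_with_shell,
        "empty_password": sorted(n for n, p in pw.items() if p == ""),
        "locked": sorted(n for n, p in pw.items() if p.startswith(("!", "*"))),
        "no_shadow_entry": sorted(name for name, *_ in users if name not in pw),
    }


if __name__ == "__main__":
    for check, names in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{check:28} {names}")
```

On a live host, read the two files with root privileges and pass their contents in; any name in extra_uid0 or empty_password is a critical finding, and a system account with a login shell should be set to nologin unless there is a documented reason.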
The examined server needs comprehensive, competent configuration by a system administrator: select the required components and design the architecture from scratch; bring every service, daemon and interface into order; separate and distribute them sensibly, applying the necessary controls and the tools for protection and monitoring.
Below are the final recommendations produced in the course of this audit. Implementing them is important for removing the current shortcomings and improving the server's operation.