Close

Приклад внутрішнього IT аудиту VPS-сервера Linux

У цій замітці я розповім, що таке IT Аудит, про його основні принципи та особливості. Дам визначення, навіщо він потрібен, хто і як його, зазвичай, проводить. Хочу прояснити цей процес для допитливих клієнтів на прикладі експрес-аудиту VPS-сервера під управлінням ОС Linux. Викладений нижче аудит є довільним, створеним для ознайомлення .

Зміст статті

Основні поняття і терміни

Що таке IT аудит

IT Аудит — це незалежне експертне оцінювання якості та ефективності ІТ-інфраструктури, експертиза на усіх рівнях OSI-моделі, яка включає комплексний збір і аналіз інформації про досліджуваний об’єкт, його апаратні і програмні засоби, інтерфейси, мережу, застосунки, додатки, пристрої та інше.

Внутрішній аудит — це ІТ-аудит, який виконується з повним доступом до системи.

Зовнішній аудит — це ІТ-аудит без доступу до системи, виконується робота з даними із відкритих джерел.

Аудитор — це сертифікований фахівець, кваліфікований в усіх сферах інформаційних технологій, уповноважений для проведення процедури аудиту.

В залежності від цілей і характеру, бувають різні типи аудитів, до прикладу:

  • Аудит програмного забезпечення — аналіз програмних засобів, додатків, застосунків, перевірка вихідного коду.
  • Аудит ІТ персоналу — визначення рівня зрілості співробітників компанії, їх професійних навиків, оцінка ризиків безпеки, пов’язаних з людським фактором.
  • Аудит робочих місць — інвентаризація комп’ютерної, офісної техніки, оцінка відповідності стандартам безпеки і охорони праці.
  • Аудит інформаційної безпеки — аналіз організаційної структури компанії, її політик безпеки.
  • Аудит кібербезпеки — аналіз безпеки веб-сайтів і додатків, застосунків та інших електронних ресурсів і програм.
  • Аудит відповідності стандартам аудит інфраструктури по методологіям міжнародних стандартів, наприклад: ISO/IEC, PCI-DSS, HIPAA, ITIL, COBIT, NIST, CIS, OWASP, SANS та ін.

Кому і навіщо потрібен ІТ аудит?

Кому і навіщо потрібен аудит

  • ІТ-директорам, засновникам компаній, керівникам офісів, відділів інформаційних систем і технологій, бізнесменам, підприємцям, власникам серверів і ІТ-інфраструктури, веб-майстрам, системним адміністраторам, програмістам та просто користувачам, дотичним до ІТ, яким необхідна загальна картина усіх процесів, що відбуваються в їх інфраструктурі, фахова оцінка поточного рівня якості і рекомендація щодо потенційного покращення.
  • ІТ Аудит дозволяє виявити слабкі місця, знайти першопричину збоїв, виявити помилки конфігурації і недоліки в роботі, проаналізувати навантаження і архітектуру, оцінити її ефективність, успішність, виробити рекомендації щодо надійності, стійкості, працездатності, швидкодії.
  • На базі ІТ Аудиту можна розробити якісну стратегію та концепцію розвитку ІТ-інфраструктури, підготуватись до міграції в хмару, спрогнозувати бюджет на підтримку і обслуговування, скласти технічне завдання на усунення помилок, доопрацювання і масштабування.
  • ІТ Аудит є своєрідним знаком якості, що свідчить про серйозність намірів власника, бажання відповідати міжнародним нормам та стандартам. Часто аудит є обов’язковим і регулюється державними службами.

Стандарти і методології ІТ Аудиту

Стандарти IT аудиту

  • ISO/IEC — один з найкращих та найстаріших комплексних збірників вимог, щодо організації, забезпечення якості та безпеки ІТ-проєктів. Активно застосовується в різних країнах світу більше 20-ти років.
  • ITIL (IT Infrastructure Library) — бібліотека інфраструктури інформаційних технологій, містить основні принципи та вказівки щодо ведення і підтримки ІТ-проєктів.
  • COBIT (Control Objectives for Information and Related Technology) — міжнародний стандарт, який містить кращий cвітовий досвід розгортання та управління ІТ-проєктами, допомагає гармонійно вибудувати архітектуру і стратегію розвитку інфраструктури, містить кращі практики контролю якості та основні заходи безпеки.
  • ITAF (The Information Technology Assurance Framework)— збірник настанов, рекомендацій, стандартів для фахівців з ІТ-аудиту.
  • PRINCE2 — метод управління ІТ-проєктами. Включає в себе контроль і організацію проєкту.
  • PCI-DSS — всесвітньовідомий стандарт безпеки фінансових операцій і платіжних даних, карток VISA/MasterCard, POS-терміналів, бізнес-процесів тощо.
  • HIPAA — міжнародний стандарт із захисту інформації, пов’язаний з інформаційними технологіями у сфері охорони здоров’я.

Етапи ІТ аудиту. План роботи.

Фази і етапи IT аудиту

  1. Аналіз апаратних засобів
  2. Аналіз програмних засобів
  3. Аналіз файлової системи
  4. Аналіз системних служб
  5. Аналіз мережевих інтерфейсів
  6. Аналіз системних подій, процесів, журналів
  7. Аналіз облікових записів
  8. Висновки і рекомендації
  9. Використані інструменти і утиліти

Для проведення аудиту необхідний письмовий дозвіл власника, закріплений NDA-договором (Non-disclosure agreement, Договір про нерозголошення інформації).

Також необхідно надати аудитору доступ до сервера по каналу SSH з правами Адміністратора (root).

У своїй роботі аудитор проводить збір даних та здійснює численні перевірки, користуючись вбудованими засобами командого рядка Linux та спеціалізованими аудиторськими інструментами, список яких узгоджується заздалегідь.

Аудитор не має права втручатись в роботу системи, якось змінювати її конфігурацію. Фактично, його робота— це лише збір і структурування даних, документація (звітність) і рекомендація (оцінка).

Всесвітньовідома організація ISACA склала список рекомендацій під назвою “Етичний кодекс аудитора”, який включає наступні положення:

  • Сприяти приведенню інформаційних ІТ-систем у відповідність до прийнятих стандартів та методологій
  • Діяти на користь роботодавців, акціонерів, клієнтів та суспільства у старанній та лояльній манері, у чесний спосіб
  • Свідомо не брати участі у незаконній чи недобросовісній діяльності
  • Зберігати конфіденційність інформації, отриманої під час виконання своїх посадових обов’язків
  • Не використовувати конфіденційну інформацію для отримання особистої вигоди та не передавати її третім особам без дозволу її власника
  • Виконувати свої посадові обов’язки, залишаючись незалежним та об’єктивним
  • Уникати діяльності, яка ставить під загрозу незалежність аудитора
  • Підтримувати на належному рівні свою компетентність у галузях знань, пов’язаних із проведенням аудиту інформаційних систем, брати участь у професійних заходах
  • Виявляти сумлінність при отриманні та документуванні фактографічних матеріалів, на яких базуються висновки та рекомендації аудитора
  • Інформувати усі зацікавлені сторони про результати проведення аудиту
  • Сприяти підвищенню обізнаності керівництва організацій, клієнтів та суспільства у питаннях, пов’язаних із проведенням аудиту інформаційних систем
  • Відповідати високим етичним принципам і стандартам у професійній та особистій діяльності
  • Удосконалювати свої особисті якості та навички.

Розділ 1. Аналіз апаратних засобів

Аналіз центрального процесора (CPU)

root@server:~# lscpu
Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   40 bits physical, 48 bits virtual
CPU(s):                          1
On-line CPU(s) list:             0
Thread(s) per core:              1
Core(s) per socket:              1
Socket(s):                       1
NUMA node(s):                    1
Vendor ID:                       AuthenticAMD
CPU family:                      23
Model:                           49
Model name:                      DO-Regular
Stepping:                        0
CPU MHz:                         1996.247
BogoMIPS:                        3992.49
Virtualization:                  AMD-V
Hypervisor vendor:               KVM
Virtualization type:             full
L1d cache:                       32 KiB
L1i cache:                       32 KiB
L2 cache:                        512 KiB
L3 cache:                        16 MiB
NUMA node0 CPU(s):               0
Vulnerability Itlb multihit:     Not affected
Vulnerability L1tf:              Not affected
Vulnerability Mds:               Not affected
Vulnerability Meltdown:          Not affected
Vulnerability Mmio stale data:   Not affected
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Retpolines, IBPB conditional, STIBP disabled, RSB filling
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm rep_good nopl cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm svm cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw topoext perfctr_core ibpb stibp vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 xsaves clzero xsaveerptr wbnoinvd arat npt nrip_save umip rdpid
root@server:~# cat /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 23
model  : 49
model name : DO-Regular
stepping : 0
microcode : 0x1000065
cpu MHz  : 1996.247
cache size : 512 KB
physical id : 0
siblings : 1
core id  : 0
cpu cores : 1
apicid  : 0
initial apicid : 0
fpu  : yes
fpu_exception : yes
cpuid level : 13
wp  : yes
flags  : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm rep_good nopl cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm svm cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw topoext perfctr_core ibpb stibp vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 xsaves clzero xsaveerptr wbnoinvd arat npt nrip_save umip rdpid
bugs  : sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips : 3992.49
TLB size : 1024 4K pages
clflush size : 64
cache_alignment : 64
address sizes : 40 bits physical, 48 bits virtual
power management:

Оцінка і рекомендації: Cервер використовує процесор компанії AMD моделі DO-Regular, одноядерний, з тактовою частотою 1996 МГц. Підтримує 64-бітну архітектуру і використовує повнопривідну віртуалізацію на базі гіпервізора KVM.

Процесор вразливий по деяким пунктам, зокрема:

  • CVE-2018–3639 (Variant 4, speculative store bypass)
  • CVE-2017–5753 (Spectre Variant 1, bounds check bypass)
  • CVE-2017–5715 (Spectre Variant 2, branch target injection)

Загалом, процесор початкового класу, розрахований на невеликі навантаження, відсутня багатопоточність. Для трафікових та складних проєктів його буде недостатньо. Окрім того, дана модель показала не найкращі результати в тестуванні швидкодії і працездатності (див. Benchmark). Для розгортання серйозних проєктів — необхідне масштабування (збільшення кількості ядер) або заміна процесора. Також рекомендується замість стандартного KVM використати більш сучасний гіпервізор XEN. Для усунення вразливостей процесора варто шукати патчі від виробника і правити конфігурацію ядра.

Аналіз оперативної пам’яті (RAM)

root@server:~# free -h
              total        used        free      shared  buff/cache   available
Mem:          967Mi       641Mi        82Mi        25Mi       244Mi       144Mi
Swap:            0B          0B          0B
root@server:~# cat /proc/meminfo
MemTotal:         991156 kB
MemFree:           84208 kB
MemAvailable:     148188 kB
Buffers:            7808 kB
Cached:           203572 kB
SwapCached:            0 kB
Active:           124540 kB
Inactive:         622872 kB
Active(anon):      26628 kB
Inactive(anon):   548484 kB
Active(file):      97912 kB
Inactive(file):    74388 kB
Unevictable:       23068 kB
Mlocked:           18532 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:               212 kB
Writeback:             0 kB
AnonPages:        559140 kB
Mapped:            75576 kB
Shmem:             26344 kB
KReclaimable:      38640 kB
Slab:              91096 kB
SReclaimable:      38640 kB
SUnreclaim:        52456 kB
KernelStack:        3644 kB
PageTables:         6532 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:      495576 kB
Committed_AS:    1777032 kB
VmallocTotal:   34359738367 kB
VmallocUsed:       19128 kB
VmallocChunk:          0 kB
Percpu:            14720 kB
HardwareCorrupted:     0 kB
AnonHugePages:         0 kB
ShmemHugePages:        0 kB
ShmemPmdMapped:        0 kB
FileHugePages:         0 kB
FilePmdMapped:         0 kB
HugePages_Total:       0
HugePages_Free:        0
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
Hugetlb:               0 kB
DirectMap4k:      270336 kB
DirectMap2M:      778240 kB
root@server:~# sudo memtester 200M 1
memtester version 4.3.0 (64-bit)
Copyright (C) 2001-2012 Charles Cazabon.
Licensed under the GNU General Public License version 2 (only).
pagesize is 4096
pagesizemask is 0xfffffffffffff000
want 200MB (209715200 bytes)
got  200MB (209715200 bytes), trying mlock ...locked.
Loop 1/1:
  Stuck Address       : ok         
  Random Value        : ok
  Compare XOR         : ok
  Compare SUB         : ok
  Compare MUL         : ok
  Compare DIV         : ok
  Compare OR          : ok
  Compare AND         : ok
  Sequential Increment: ok
  Solid Bits          : ok         
  Block Sequential    : ok         
  Checkerboard        : ok         
  Bit Spread          : ok         
  Bit Flip            : ok         
  Walking Ones        : ok         
  Walking Zeroes      : ok         
  8-bit Writes        : ok
  16-bit Writes       : ok
Done.

Оцінка і рекомендації: Сервер використовує оперативну пам’ять об’ємом 1 Гб. Swapfile відсутній. Помилок в роботі пам’яті не виявлено. Однак, для складних та габаритних проєктів, обслуговування великих баз даних існуючої кількості оперативної пам’яті не вистачить. Необхідно масштабувати, а також терміново створити файл підкачки SWAP, щоби у випадку перенавантажень сервер залишався робочим.

Аналіз дискового накопичувача

root@server:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        944M     0  944M   0% /dev
tmpfs           963M  368K  962M   1% /dev/shm
tmpfs           963M   93M  870M  10% /run
tmpfs           963M     0  963M   0% /sys/fs/cgroup
/dev/sda1        38G   18G   18G  50% /
/dev/loop0      1.5G   84M  1.3G   7% /tmp
/dev/sda15       64M  2.2M   62M   4% /boot/efi
tmpfs           193M     0  193M   0% /run/user/5005
root@server:~# smartctl --info /dev/sda
smartctl 7.1 2020-08-23 r5080 [x86_64-linux-4.18.0-408.el8.x86_64] (local build)
Copyright (C) 2002-19, Bruce Allen, Christian Franke, www.smartmontools.org
=== START OF INFORMATION SECTION ===
Vendor:               QEMU
Product:              QEMU HARDDISK
Revision:             2.5+
Compliance:           SPC-3
User Capacity:        40,961,572,864 bytes [40.9 GB]
Logical block size:   512 bytes
LU is thin provisioned, LBPRZ=0
Device type:          disk
Local Time is:        Wed Oct 12 20:33:41 2022 CEST
SMART support is:     Unavailable - device lacks SMART capability.
SMART Health Status:  OK
root@server:~# sudo fdisk -l /dev/sda1
Disk /dev/sda1: 38.1 GiB, 40892349952 bytes, 79867871 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
root@server:~# sudo badblocks -v /dev/sda1 > badsectors.txt
Checking blocks 0 to 39933934
Checking for bad blocks (read-only test): done                                                 
Pass completed, 0 bad blocks found. (0/0/0 errors)

Оцінка і рекомендації: Сервер використовує віртуальний жорсткий диск (віртуалізація QEMU) об’ємом 38 Гб. Усі звернення до жорсткого диску пересилаються з віртуальної машини на фізичний диск, що при роботі з велими даними може створювати delay (затримку), скачки в швидкодії та працездатності (-10–15%). Крім того дискового об’єму 38-40 Гб для габаритних, масштабних проєктів, наприклад хмарних хранилищ, резервних копій, кешу, логів, баз даних може не вистачити. Проблем в роботі жорстокого диску не помічено. Битих секторів не виявлено.

Розділ 2. Аналіз програмних засобів

Аналіз операційної системи (OS)

root@server:~# uname -a
Linux ubuntu-02 5.4.0-126-generic (buildd@lcy02-amd64-095) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
root@server:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
root@server:~# lynis audit system
[ Lynis 2.6.2 ]
#####################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.
2007-2018, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
#####################################################################
[+] Initializing program
------------------------------------
  - Detecting OS...                                           [DONE]
  - Checking profiles...                                      [DONE]
---------------------------------------------------
  Program version:           2.6.2
  Operating system:          Linux
  Operating system name:     Ubuntu Linux
  Operating system version:  20.04
  Kernel version:            5.4.0
  Hardware platform:         x86_64
  Hostname:                  ubuntu-s-1vcpu-1gb-lr1-02
  ---------------------------------------------------
  Profiles:                  /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /etc/lynis/plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Language:                  en
  Test category:             all
  Test group:                all
  ---------------------------------------------------
[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
 Note: plugins have more extensive tests and may take several minutes to complete
  
  - Plugin: debian
    [
[+] Debian Tests
------------------------------------
  - Checking for system binaries that are required by Debian Tests...
    - Checking /bin...                                        [ FOUND ]
    - Checking /sbin...                                       [ FOUND ]
    - Checking /usr/bin...                                    [ FOUND ]
    - Checking /usr/sbin...                                   [ FOUND ]
    - Checking /usr/local/bin...                              [ FOUND ]
    - Checking /usr/local/sbin...                             [ FOUND ]
  - Authentication:
    - PAM (Pluggable Authentication Modules):
      - libpam-tmpdir                                         [ Not Installed ]
      - libpam-usb                                            [ Not Installed ]
  - File System Checks:
    - DM-Crypt, Cryptsetup & Cryptmount:
      - Checking / on /dev/vda1                               [ NOT ENCRYPTED ]
      - Checking /snap/core20/1623 on /var/lib/snapd/snaps/core20_1623.snap  [ NOT ENCRYPTED ]
      - Checking /snap/core20/1611 on /var/lib/snapd/snaps/core20_1611.snap  [ NOT ENCRYPTED ]
      - Checking /snap/lxd/22753 on /var/lib/snapd/snaps/lxd_22753.snap  [ NOT ENCRYPTED ]
      - Checking /snap/snapd/16778 on /var/lib/snapd/snaps/snapd_16778.snap  [ NOT ENCRYPTED ]
      - Checking /snap/snapd/17029 on /var/lib/snapd/snaps/snapd_17029.snap  [ NOT ENCRYPTED ]
      - Checking /boot/efi on /dev/vda15                      [ NOT ENCRYPTED ]
  - Software:
    - apt-listbugs                                            [ Not Installed ]
    - apt-listchanges                                         [ Not Installed ]
    - checkrestart                                            [ Not Installed ]
    - needrestart                                             [ Not Installed ]
    - debsecan                                                [ Not Installed ]
    - debsums                                                 [ Not Installed ]
    - fail2ban                                                [ Not Installed ]
]
[+] Boot and services
------------------------------------
  - Service Manager                                           [ systemd ]
  - Checking UEFI boot                                        [ DISABLED ]
  - Checking presence GRUB2                                   [ FOUND ]
    - Checking for password protection                        [ WARNING ]
  - Check running services (systemctl)                        [ DONE ]
        Result: found 25 running services
  - Check enabled services at boot (systemctl)                [ DONE ]
        Result: found 64 enabled services
  - Check startup files (permissions)                         [ OK ]
  - Checking sulogin in rescue.service                        [ NOT FOUND ]
[+] Kernel
------------------------------------
  - Checking default run level                                [ RUNLEVEL 5 ]
  - Checking CPU support (NX/PAE)
    CPU support: PAE and/or NoeXecute supported               [ FOUND ]
  - Checking kernel version and release                       [ DONE ]
  - Checking kernel type                                      [ DONE ]
  - Checking loaded kernel modules                            [ DONE ]
      Found 52 active modules
  - Checking Linux kernel configuration file                  [ FOUND ]
  - Checking default I/O kernel scheduler                     [ NOT FOUND ]
  - Checking for available kernel update                      [ UNKNOWN ]
  - Checking core dumps configuration                         [ DISABLED ]
    - Checking setuid core dumps configuration                [ PROTECTED ]
  - Check if reboot is needed                                 [ YES ]
[+] Memory and Processes
------------------------------------
  - Checking /proc/meminfo                                    [ FOUND ]
  - Searching for dead/zombie processes                       [ OK ]
  - Searching for IO waiting processes                        [ OK ]
[+] Users, Groups and Authentication
------------------------------------
  - Administrator accounts                                    [ OK ]
  - Unique UIDs                                               [ OK ]
  - Consistency of group files (grpck)                        [ OK ]
  - Unique group IDs                                          [ OK ]
  - Unique group names                                        [ OK ]
  - Password file consistency                                 [ OK ]
  - Query system users (non daemons)                          [ DONE ]
  - NIS+ authentication support                               [ NOT ENABLED ]
  - NIS authentication support                                [ NOT ENABLED ]
  - sudoers file                                              [ FOUND ]
    - Check sudoers file permissions                          [ OK ]
  - PAM password strength tools                               [ SUGGESTION ]
  - PAM configuration files (pam.conf)                        [ FOUND ]
  - PAM configuration files (pam.d)                           [ FOUND ]
  - PAM modules                                               [ FOUND ]
  - LDAP module in PAM                                        [ NOT FOUND ]
  - Accounts without expire date                              [ OK ]
  - Accounts without password                                 [ OK ]
  - Checking user password aging (minimum)                    [ DISABLED ]
  - User password aging (maximum)                             [ DISABLED ]
  - Checking expired passwords                                [ OK ]
  - Checking Linux single user mode authentication            [ WARNING ]
  - Determining default umask
    - umask (/etc/profile)                                    [ NOT FOUND ]
    - umask (/etc/login.defs)                                 [ SUGGESTION ]
  - LDAP authentication support                               [ NOT ENABLED ]
  - Logging failed login attempts                             [ ENABLED ]
[+] Shells
------------------------------------
  - Checking shells from /etc/shells
    Result: found 9 shells (valid shells: 9).
    - Session timeout settings/tools                          [ NONE ]
  - Checking default umask values
    - Checking default umask in /etc/bash.bashrc              [ NONE ]
    - Checking default umask in /etc/profile                  [ NONE ]
[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point                              [ SUGGESTION ]
    - Checking /tmp mount point                               [ SUGGESTION ]
    - Checking /var mount point                               [ SUGGESTION ]
  - Query swap partitions (fstab)                             [ NONE ]
  - Testing swap partitions                                   [ OK ]
  - Testing /proc mount (hidepid)                             [ SUGGESTION ]
  - Checking for old files in /tmp                            [ OK ]
  - Checking /tmp sticky bit                                  [ OK ]
  - Checking /var/tmp sticky bit                              [ OK ]
  - ACL support root file system                              [ ENABLED ]
  - Mount options of /                                        [ OK ]
  - Disable kernel support of some filesystems
    - Discovered kernel modules: udf
[+] USB Devices
------------------------------------
  - Checking usb-storage driver (modprobe config)             [ NOT DISABLED ]
  - Checking USB devices authorization                        [ ENABLED ]
  - Checking USBGuard                                         [ NOT FOUND ]
[+] Storage
------------------------------------
  - Checking firewire ohci driver (modprobe config)           [ DISABLED ]
[+] NFS
------------------------------------
  - Check running NFS daemon                                  [ NOT FOUND ]
[+] Name services
------------------------------------
  - Checking /etc/resolv.conf options                         [ FOUND ]
  - Searching DNS domain name                                 [ UNKNOWN ]
  - Checking /etc/hosts
    - Checking /etc/hosts (duplicates)                        [ OK ]
    - Checking /etc/hosts (hostname)                          [ OK ]
    - Checking /etc/hosts (localhost)                         [ OK ]
    - Checking /etc/hosts (localhost to IP)                   [ OK ]
[+] Ports and packages
------------------------------------
  - Searching package managers
    - Searching dpkg package manager                          [ FOUND ]
      - Querying package manager
    - Query unpurged packages                                 [ FOUND ]
  - Checking security repository in sources.list file         [ OK ]
  - Checking APT package database                             [ OK ]
  - Checking vulnerable packages                              [ WARNING ]
  - Checking upgradeable packages                             [ SKIPPED ]
  - Checking package audit tool                               [ INSTALLED ]
    Found: apt-get
[+] Networking
------------------------------------
  - Checking IPv6 configuration                               [ ENABLED ]
      Configuration method                                    [ AUTO ]
      IPv6 only                                               [ NO ]
  - Checking configured nameservers
    - Testing nameservers
        Nameserver: 127.0.0.53                                [ OK ]
    - Minimal of 2 responsive nameservers                     [ WARNING ]
  - Checking default gateway                                  [ DONE ]
  - Getting listening ports (TCP/UDP)                         [ DONE ]
      * Found 4 ports
  - Checking promiscuous interfaces                           [ OK ]
  - Checking waiting connections                              [ OK ]
  - Checking status DHCP client                               [ NOT ACTIVE ]
  - Checking for ARP monitoring software                      [ NOT FOUND ]
[+] Printers and Spools
------------------------------------
  - Checking cups daemon                                      [ NOT FOUND ]
  - Checking lp daemon                                        [ NOT RUNNING ]
[+] Software: e-mail and messaging
------------------------------------
[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ FOUND ]
    - Checking iptables policies of chains                    [ FOUND ]
    - Checking for empty ruleset                              [ WARNING ]
    - Checking for unused rules                               [ OK ]
  - Checking host based firewall                              [ ACTIVE ]
[+] Software: webserver
------------------------------------
  - Checking Apache                                           [ NOT FOUND ]
  - Checking nginx                                            [ NOT FOUND ]
[+] SSH Support
------------------------------------
  - Checking running SSH daemon                               [ FOUND ]
    - Searching SSH configuration                             [ FOUND ]
    - SSH option: AllowTcpForwarding                          [ SUGGESTION ]
    - SSH option: ClientAliveCountMax                         [ SUGGESTION ]
    - SSH option: ClientAliveInterval                         [ OK ]
    - SSH option: Compression                                 [ SUGGESTION ]
    - SSH option: FingerprintHash                             [ OK ]
    - SSH option: GatewayPorts                                [ OK ]
    - SSH option: IgnoreRhosts                                [ OK ]
    - SSH option: LoginGraceTime                              [ OK ]
    - SSH option: LogLevel                                    [ SUGGESTION ]
    - SSH option: MaxAuthTries                                [ SUGGESTION ]
    - SSH option: MaxSessions                                 [ SUGGESTION ]
    - SSH option: PermitRootLogin                             [ SUGGESTION ]
    - SSH option: PermitUserEnvironment                       [ OK ]
    - SSH option: PermitTunnel                                [ OK ]
    - SSH option: Port                                        [ SUGGESTION ]
    - SSH option: PrintLastLog                                [ OK ]
    - SSH option: Protocol                                    [ NOT FOUND ]
    - SSH option: StrictModes                                 [ OK ]
    - SSH option: TCPKeepAlive                                [ SUGGESTION ]
    - SSH option: UseDNS                                      [ OK ]
    - SSH option: UsePrivilegeSeparation                      [ NOT FOUND ]
    - SSH option: VerifyReverseMapping                        [ NOT FOUND ]
    - SSH option: X11Forwarding                               [ SUGGESTION ]
    - SSH option: AllowAgentForwarding                        [ SUGGESTION ]
    - SSH option: AllowUsers                                  [ NOT FOUND ]
    - SSH option: AllowGroups                                 [ NOT FOUND ]
[+] SNMP Support
------------------------------------
  - Checking running SNMP daemon                              [ NOT FOUND ]
[+] Databases
------------------------------------
    No database engines found
[+] LDAP Services
------------------------------------
  - Checking OpenLDAP instance                                [ NOT FOUND ]
[+] PHP
------------------------------------
  - Checking PHP                                              [ NOT FOUND ]
[+] Squid Support
------------------------------------
  - Checking running Squid daemon                             [ NOT FOUND ]
[+] Logging and files
------------------------------------
  - Checking for a running log daemon                         [ OK ]
    - Checking Syslog-NG status                               [ NOT FOUND ]
    - Checking systemd journal status                         [ FOUND ]
    - Checking Metalog status                                 [ NOT FOUND ]
    - Checking RSyslog status                                 [ FOUND ]
    - Checking RFC 3195 daemon status                         [ NOT FOUND ]
    - Checking minilogd instances                             [ NOT FOUND ]
  - Checking logrotate presence                               [ OK ]
  - Checking log directories (static list)                    [ DONE ]
  - Checking open log files                                   [ DONE ]
  - Checking deleted files in use                             [ FILES FOUND ]
[+] Insecure services
------------------------------------
  - Checking inetd status                                     [ NOT ACTIVE ]
[+] Banners and identification
------------------------------------
  - /etc/issue                                                [ FOUND ]
    - /etc/issue contents                                     [ WEAK ]
  - /etc/issue.net                                            [ FOUND ]
    - /etc/issue.net contents                                 [ WEAK ]
[+] Scheduled tasks
------------------------------------
  - Checking crontab/cronjob                                  [ DONE ]
  - Checking atd status                                       [ RUNNING ]
    - Checking at users                                       [ DONE ]
    - Checking at jobs                                        [ NONE ]
[+] Accounting
------------------------------------
  - Checking accounting information                           [ NOT FOUND ]
  - Checking sysstat accounting data                          [ NOT FOUND ]
  - Checking auditd                                           [ NOT FOUND ]
[+] Time and Synchronization
------------------------------------
  - NTP daemon found: systemd (timesyncd)                     [ FOUND ]
  - Checking for a running NTP daemon or client               [ OK ]
[+] Cryptography
------------------------------------
  - Checking for expired SSL certificates [0/3]               [ NONE ]
[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                                [ FOUND ]
    - Checking AppArmor status                                [ ENABLED ]
  - Checking presence SELinux                                 [ NOT FOUND ]
  - Checking presence grsecurity                              [ NOT FOUND ]
  - Checking for implemented MAC framework                    [ OK ]
[+] Software: file integrity
------------------------------------
  - Checking file integrity tools
  - Checking presence integrity tool                          [ NOT FOUND ]
[+] Software: System tooling
------------------------------------
  - Checking automation tooling
  - Automation tooling                                        [ NOT FOUND ]
  - Checking for IDS/IPS tooling                              [ NONE ]
[+] Software: Malware
------------------------------------
[+] File Permissions
------------------------------------
  - Starting file permissions check
    /root/.ssh                                                [ OK ]
[+] Home directories
------------------------------------
  - Checking shell history files                              [ OK ]
[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - fs.protected_hardlinks (exp: 1)                         [ OK ]
    - fs.protected_symlinks (exp: 1)                          [ OK ]
    - fs.suid_dumpable (exp: 0)                               [ DIFFERENT ]
    - kernel.core_uses_pid (exp: 1)                           [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0)                            [ OK ]
    - kernel.dmesg_restrict (exp: 1)                          [ DIFFERENT ]
    - kernel.kptr_restrict (exp: 2)                           [ DIFFERENT ]
    - kernel.randomize_va_space (exp: 2)                      [ OK ]
    - kernel.sysrq (exp: 0)                                   [ DIFFERENT ]
    - kernel.yama.ptrace_scope (exp: 1 2 3)                   [ OK ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)                  [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)                   [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1)                 [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)                [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)                    [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)                    [ DIFFERENT ]
    - net.ipv4.conf.all.send_redirects (exp: 0)               [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0)      [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1)             [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)           [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)     [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)                        [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0 1)                      [ OK ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0)      [ OK ]
[+] Hardening
------------------------------------
    - Installed compiler(s)                                   [ FOUND ]
    - Installed malware scanner                               [ NOT FOUND ]
[+] Custom Tests
------------------------------------
  - Running custom tests...                                   [ NONE ]
[+] Plugins (phase 2)
------------------------------------
=====================================================================
-[ Lynis 2.6.2 Results ]-
Warnings (5):
  ----------------------------
! Reboot of system is most likely needed [KRNL-5830] 
    - Solution : reboot
      https://cisofy.com/controls/KRNL-5830/
! No password set for single mode [AUTH-9308] 
      https://cisofy.com/controls/AUTH-9308/
! Found one or more vulnerable packages. [PKGS-7392] 
      https://cisofy.com/controls/PKGS-7392/
! Couldn't find 2 responsive nameservers [NETW-2705] 
      https://cisofy.com/controls/NETW-2705/
! iptables module(s) loaded, but no rules active [FIRE-4512] 
      https://cisofy.com/controls/FIRE-4512/
Suggestions (51):
  ----------------------------
  * Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [CUST-0280] 
      https://your-domain.example.org/controls/CUST-0280/
* Install libpam-usb to enable multi-factor authentication for PAM sessions [CUST-0285] 
      https://your-domain.example.org/controls/CUST-0285/
* Install apt-listbugs to display a list of critical bugs prior to each APT installation. [CUST-0810] 
      https://your-domain.example.org/controls/CUST-0810/
* Install apt-listchanges to display any significant changes prior to any upgrade via APT. [CUST-0811] 
      https://your-domain.example.org/controls/CUST-0811/
* Install debian-goodies so that you can run checkrestart after upgrades to determine which services are using old versions of libraries and need restarting. [CUST-0830] 
      https://your-domain.example.org/controls/CUST-0830/
* Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [CUST-0831] 
      https://your-domain.example.org/controls/CUST-0831/
* Install debsecan to generate lists of vulnerabilities which affect this installation. [CUST-0870] 
      https://your-domain.example.org/controls/CUST-0870/
* Install debsums for the verification of installed package files against MD5 checksums. [CUST-0875] 
      https://your-domain.example.org/controls/CUST-0875/
* Install fail2ban to automatically ban hosts that commit multiple authentication errors. [DEB-0880] 
      https://cisofy.com/controls/DEB-0880/
* Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
      https://cisofy.com/controls/BOOT-5122/
* Protect rescue.service by using sulogin [BOOT-5260] 
      https://cisofy.com/controls/BOOT-5260/
* Determine why /vmlinuz is missing on this Debian/Ubuntu system. [KRNL-5788] 
    - Details  : /vmlinuz
      https://cisofy.com/controls/KRNL-5788/
* Check the output of apt-cache policy manually to determine why output is empty [KRNL-5788] 
      https://cisofy.com/controls/KRNL-5788/
* Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] 
      https://cisofy.com/controls/AUTH-9262/
* Configure minimum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/controls/AUTH-9286/
* Configure maximum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/controls/AUTH-9286/
* Set password for single user mode to minimize physical access attack surface [AUTH-9308] 
      https://cisofy.com/controls/AUTH-9308/
* Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] 
      https://cisofy.com/controls/AUTH-9328/
* To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/
* Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] 
      https://cisofy.com/controls/STRG-1840/
* Check DNS configuration for the dns domain name [NAME-4028] 
      https://cisofy.com/controls/NAME-4028/
* Purge old/removed packages (6 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [PKGS-7346] 
      https://cisofy.com/controls/PKGS-7346/
* Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
      https://cisofy.com/controls/PKGS-7370/
* Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392] 
      https://cisofy.com/controls/PKGS-7392/
* Install package apt-show-versions for patch management purposes [PKGS-7394] 
      https://cisofy.com/controls/PKGS-7394/
* Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705] 
      https://cisofy.com/controls/NETW-2705/
* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] 
      https://cisofy.com/controls/NETW-3032/
* Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowTcpForwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
    - Details  : ClientAliveCountMax (3 --> 2)
      https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (YES --> (DELAYED|NO))
      https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
    - Details  : LogLevel (INFO --> VERBOSE)
      https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxAuthTries (6 --> 2)
      https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxSessions (10 --> 2)
      https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
    - Details  : PermitRootLogin (YES --> NO)
      https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
    - Details  : Port (22 --> )
      https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
    - Details  : TCPKeepAlive (YES --> NO)
      https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
    - Details  : X11Forwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowAgentForwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/
* Check what deleted files are still in use and why. [LOGG-2190] 
      https://cisofy.com/controls/LOGG-2190/
* Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
      https://cisofy.com/controls/BANN-7126/
* Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
      https://cisofy.com/controls/BANN-7130/
* Enable process accounting [ACCT-9622] 
      https://cisofy.com/controls/ACCT-9622/
* Enable sysstat to collect accounting (no results) [ACCT-9626] 
      https://cisofy.com/controls/ACCT-9626/
* Enable auditd to collect audit information [ACCT-9628] 
      https://cisofy.com/controls/ACCT-9628/
* Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] 
      https://cisofy.com/controls/FINT-4350/
* Determine if automation tools are present for system management [TOOL-5002] 
      https://cisofy.com/controls/TOOL-5002/
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
      https://cisofy.com/controls/KRNL-6000/
* Harden compilers like restricting access to root user only [HRDN-7222] 
      https://cisofy.com/controls/HRDN-7222/
* Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      https://cisofy.com/controls/HRDN-7230/
Follow-up:
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)
=====================================================================
Lynis security scan details:
Hardening index : 50 [##########          ]
  Tests performed : 221
  Plugins enabled : 1

Оцінка і рекомендації: Деякі компоненти операційної системи не оновлені, хоча сама версія Linux  – Ubuntu 20.04 є актуальною. Необхідно встановити додаткові модулі і налаштувати файєрвол (IPtables/Fail2ban). Звернути увагу на шифрування даних і контроль доступу по SSH. Служба захисту SELinux — вимкнена. Для корпоративних систем з високим рівнем конфіденційності це може бути недоліком, тому рекомендується її активувати. Загалом, бажано задовільнити усі вимоги аудиторської утиліти Lynis.

Аналіз PHP

[root@server ~]# php -v
PHP Warning:  Module 'zip' already loaded in Unknown on line 0
PHP 7.4.28 (cli) (built: Apr  4 2022 11:52:05) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.28, Copyright (c), by Zend Technologies
[root@server ~]# php -m
PHP Warning:  Module 'zip' already loaded in Unknown on line 0
[PHP Modules]
bcmath
bz2
calendar
Core
ctype
curl
date
dba
dom
enchant
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
igbinary
imagick
imap
intl
json
ldap
libxml
mbstring
mcrypt
memcached
msgpack
mysqli
mysqlnd
odbc
openssl
pcntl
pcre
PDO
pdo_mysql
PDO_ODBC
pdo_pgsql
pdo_sqlite
pgsql
Phar
posix
pspell
readline
redis
Reflection
session
shmop
SimpleXML
snmp
soap
sockets
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tidy
timezonedb
tokenizer
xml
xmlreader
xmlrpc
xmlwriter
xsl
Zend OPcache
zip
zlib
[Zend Modules]
Zend OPcache

Оцінка і рекомендації: на сервері використовується стабільна версія PHP 7.4. Усі необхідні PHP-модулі встановлені. Лише виявлена помилка модуля “zip”, яку потрібно виправити.

Аналіз MySQL бази даних

root@server:~# sudo mysqltuner
 >>  MySQLTuner 1.7.13 - Major Hayden <major@mhtx.net>
 >>  Bug reports, feature requests, and downloads at http://mysqltuner.com/
[--] Skipped version check for MySQLTuner script
[!!] FAIL Execute SQL / return code: 256
[!!] failed to execute: SHOW SLAVE HOSTS\G
[!!] FAIL Execute SQL / return code: 256
[OK] Currently running supported MySQL version 10.3.32-MariaDB
[OK] Operating on 64-bit architecture
 
-------- Log file Recommendations -----------------------------------
[OK] Log file /var/log/mariadb/mariadb.log exists
[--] Log file: /var/log/mariadb/mariadb.log(99B)
[OK] Log file /var/log/mariadb/mariadb.log is not empty
[OK] Log file /var/log/mariadb/mariadb.log is smaller than 32 Mb
[OK] Log file /var/log/mariadb/mariadb.log is readable.
[!!] /var/log/mariadb/mariadb.log contains 1 warning(s).
[OK] /var/log/mariadb/mariadb.log doesn't contain any error.
[--] 0 start(s) detected in /var/log/mariadb/mariadb.log
[--] 0 shutdown(s) detected in /var/log/mariadb/mariadb.log
 
-------- Storage Engine Statistics ----------------------------------
[--] Status: +ARCHIVE +Aria +BLACKHOLE +CSV +FEDERATED +InnoDB +MEMORY +MRG_MyISAM +MyISAM +PERFORMANCE_SCHEMA +SEQUENCE 
[--] Data in InnoDB tables: 2.8M (Tables: 22)
[--] Data in MyISAM tables: 42.0M (Tables: 66)
[OK] Total fragmented tables: 0
 
-------- Analysis Performance Metrics -------------------------------
[--] innodb_stats_on_metadata: OFF
[OK] No stat updates during querying INFORMATION_SCHEMA.
 
-------- Security Recommendations -----------------------------------
[--] Skipped due to none of known auth columns exists
 
-------- CVE Security Recommendations -------------------------------
[--] Skipped due to --cvefile option undefined
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256
 
-------- Performance Metrics ----------------------------------------
[--] Up for: 6d 16h 14m 58s (2M q [4.511 qps], 55K conn, TX: 33G, RX: 842M)
[--] Reads / Writes: 94% / 6%
[--] Binary logging is disabled
[--] Physical Memory     : 1.9G
[--] Max MySQL memory    : 1.6G
[--] Other process memory: 0B
[--] Total buffers: 928.0M global + 23.3M per thread (30 max threads)
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256
[--] P_S Max memory usage: 0B
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256
[--] Galera GCache Max memory usage: 0B
[OK] Maximum reached memory usage: 1.5G (80.89% of installed RAM)
[OK] Maximum possible memory usage: 1.6G (84.52% of installed RAM)
[OK] Overall possible memory usage with other process is compatible with memory available
[OK] Slow queries: 0% (0/2M)
[!!] Highest connection usage: 90%  (27/30)
[OK] Aborted connections: 0.00%  (1/55665)
[!!] name resolution is active : a reverse name resolution is made for each new connection and can reduce performance
[OK] Query cache is disabled by default due to mutex contention on multiprocessor machines.
[OK] Sorts requiring temporary tables: 0% (0 temp sorts / 748K sorts)
[OK] No joins without indexes
[!!] Temporary tables created on disk: 41% (141K on disk / 341K total)
[OK] Thread cache hit rate: 99% (503 created / 55K connections)
[OK] Table cache hit rate: 98% (2M hits / 2M requests)
[OK] table_definition_cache(400) is upper than number of tables(166)
[OK] Open file limit used: 0% (97/32K)
[OK] Table locks acquired immediately: 99% (1M immediate / 1M locks)
 
-------- Performance schema -----------------------------------------
[!!] failed to execute: SHOW ENGINE PERFORMANCE_SCHEMA STATUS
[!!] FAIL Execute SQL / return code: 256
[--] Memory used by P_S: 0B
[--] Sys schema isn't installed.
 
-------- ThreadPool Metrics -----------------------------------------
[--] ThreadPool stat is enabled.
[--] Thread Pool Size: 2 thread(s).
[--] Using default value is good enough for your version (10.3.32-MariaDB)
 
-------- MyISAM Metrics ---------------------------------------------
[!!] Key buffer used: 33.4% (5M used / 16M cache)
[OK] Key buffer size / total MyISAM indexes: 16.0M/6.1M
[OK] Read Key buffer hit rate: 100.0% (53M cached / 4K reads)
[!!] Write Key buffer hit rate: 92.2% (206K cached / 190K writes)
 
-------- InnoDB Metrics ---------------------------------------------
[--] InnoDB is enabled.
[--] InnoDB Thread Concurrency: 0
[OK] InnoDB File per table is activated
[OK] InnoDB buffer pool / data size: 640.0M/2.8M
[OK] Ratio InnoDB log file size / InnoDB Buffer pool size: 80.0M * 2/640.0M should be equal to 25%
[OK] InnoDB buffer pool instances: 1
[--] Number of InnoDB Buffer Pool Chunk : 5 for 1 Buffer Pool Instance(s)
[OK] Innodb_buffer_pool_size aligned with Innodb_buffer_pool_chunk_size & Innodb_buffer_pool_instances
[OK] InnoDB Read buffer efficiency: 99.98% (17261092 hits/ 17263905 total)
[!!] InnoDB Write Log efficiency: 80.77% (198628 hits/ 245908 total)
[OK] InnoDB log waits: 0.00% (0 waits / 47280 writes)
 
-------- Aria Metrics -----------------------------------------------
[--] Aria Storage Engine is enabled.
[OK] Aria pagecache size / total Aria indexes: 128.0M/0B
[!!] Aria pagecache hit rate: 92.8% (1M cached / 80K reads)
 
-------- TokuDB Metrics ---------------------------------------------
[--] TokuDB is disabled.
 
-------- XtraDB Metrics ---------------------------------------------
[--] XtraDB is disabled.
 
-------- Galera Metrics ---------------------------------------------
[--] Galera is disabled.
 
-------- Replication Metrics ----------------------------------------
[--] Galera Synchronous replication: NO
[--] No replication slave(s) for this server.
[--] Binlog format: MIXED
[--] XA support enabled: ON
[--] Semi synchronous replication Master: OFF
[--] Semi synchronous replication Slave: OFF
[--] This is a standalone server
 
-------- Recommendations ---------------------------------------------------------------------------
General recommendations:
    Check warning line(s) in /var/log/mariadb/mariadb.log file
    Reduce or eliminate persistent connections to reduce connection usage
    Configure your accounts with ip or subnets only, then update your configuration with skip-name-resolve=1
    When making adjustments, make tmp_table_size/max_heap_table_size equal
    Reduce your SELECT DISTINCT queries which have no LIMIT clause
    Consider installing Sys schema from https://github.com/mysql/mysql-sys for MySQL
    Consider installing Sys schema from https://github.com/FromDual/mariadb-sys for MariaDB
Variables to adjust:
    max_connections (> 30)
    wait_timeout (< 28800)
    interactive_timeout (< 28800)
    tmp_table_size (> 128M)
    max_heap_table_size (> 128M)

Оцінка: на сервері встановлена база даних MySQL під управлінням MariaDB 10.3.32. База даних не оновлена (останній реліз — MariaDB 10.3.36) і належним чином не налаштована, потребує ретельної конфігурації. Є проблеми зі швидкістю з’єднання. Бажано налаштувати запис помилок у системні логи і проаналізувати їх.

Розділ 3. Аналіз файлової системи

root@server:# sudo ./nixauditor2.0
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#  Nix Audit Script ^Tested on RHEL 6,7... CentOS 6,7 ^ #
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# For best results, run as ROOT. Always be ROOT. *Evil grin*
# https://the-infosec.com
#########################################################
General CIS Checks start here...
separate_partition /tmp Passed
mount_option /tmp nodev Passed
mount_option /tmp nosuid Passed
mount_option /tmp noexec Passed
separate_partition /var Failed
bind_mounted_to /var/tmp /tmp Passed
separate_partition /var/log Failed
separate_partition /var/log/audit Failed
separate_partition /home Failed
mount_option /home nodev Failed
mount_option /dev/shm nodev Failed
mount_option /dev/shm nosuid Failed
mount_option /dev/shm noexec Failed
sticky_wrld_w_dirs Failed
test_disable_mounting cramfs Failed
modprobe: FATAL: Module freevxfs not found in directory /lib/modules/4.18.0-408.el8.x86_64
test_disable_mounting freevxfs Failed
modprobe: FATAL: Module jffs2 not found in directory /lib/modules/4.18.0-408.el8.x86_64
test_disable_mounting jffs2 Failed
modprobe: FATAL: Module hfs not found in directory /lib/modules/4.18.0-408.el8.x86_64
test_disable_mounting hfs Failed
modprobe: FATAL: Module hfsplus not found in directory /lib/modules/4.18.0-408.el8.x86_64
test_disable_mounting hfsplus Failed
test_disable_mounting squashfs Failed
test_disable_mounting udf Failed
centos_gpg_key_installed Failed
yum_gpgcheck Passed
yum_update Failed
pkg_integrity Failed
rpm_installed aide Failed
verify_aide_cron Failed
verify_selinux_grubcfg Passed
verify_selinux_state Failed
verify_selinux_policy Passed
rpm_not_installed setroubleshoot Passed
rpm_not_installed mcstrans Passed
unconfined_procs Passed
check_root_owns /boot/grub2/grub.cfg Passed
check_grub_perms Failed
check_boot_pass Passed
restrict_core_dumps Failed
chk_sysctl kernel.randomize_va_space 2 Passed
chk_latest_rel Failed
rpm_not_installed telnet-server Passed
rpm_not_installed telnet Failed
rpm_not_installed rsh-server Passed
rpm_not_installed rsh Passed
rpm_not_installed ypbind Passed
rpm_not_installed ypserv Passed
rpm_not_installed tftp Passed
rpm_not_installed tftp-server Passed
rpm_not_installed talk Passed
rpm_not_installed talk-server Passed
rpm_not_installed xinetd Passed
check_svc_not_enabled chargen-dgram Passed
check_svc_not_enabled chargen-stream Passed
check_svc_not_enabled daytime-dgram Passed
check_svc_not_enabled daytime-stream Passed
check_svc_not_enabled echo-dgram Passed
check_svc_not_enabled echo-stream Passed
check_svc_not_enabled tcpmux-server Passed
cut: /etc/sysconfig/init: No such file or directory
check_umask Failed
check_def_tgt Passed
rpm_not_installed xorg-x11-server-common Passed
check_svc_not_enabled avahi-daemon Passed
check_svc_not_enabled cups Passed
rpm_not_installed dhcp Passed
cut: /etc/ntp.conf: No such file or directory
grep: /etc/ntp.conf: No such file or directory
ntp_cfg Failed
rpm_not_installed openldap-servers Passed
rpm_not_installed openldap-clients Passed
check_svc_not_enabled nfslock Passed
check_svc_not_enabled rpcgssd Passed
check_svc_not_enabled rpcbind Passed
check_svc_not_enabled rpcidmapd Passed
check_svc_not_enabled rpcsvcgssd Passed
rpm_not_installed bind Passed
rpm_not_installed vsftpd Passed
rpm_not_installed httpd Passed
rpm_not_installed dovecot Passed
rpm_not_installed samba Passed
rpm_not_installed squid Passed
rpm_not_installed net-snmp Failed
chk_sysctl net.ipv4.ip_forward 0 Passed
chk_sysctl net.ipv4.conf.all.send_redirects 0 Failed
chk_sysctl net.ipv4.conf.default.send_redirects 0 Failed
chk_sysctl net.ipv4.conf.all.accept_source_route 0 Passed
chk_sysctl net.ipv4.conf.default.accept_source_route 0 Failed
chk_sysctl net.ipv4.conf.all.accept_redirects 0 Failed
chk_sysctl net.ipv4.conf.default.accept_redirects 0 Failed
chk_sysctl net.ipv4.conf.all.secure_redirects 0 Failed
chk_sysctl net.ipv4.conf.all.secure_redirects 0 Failed
chk_sysctl net.ipv4.conf.default.secure_redirects 0 Failed
chk_sysctl net.ipv4.conf.all.log_martians 1 Failed
chk_sysctl net.ipv4.conf.default.log_martians 1 Failed
chk_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1 Passed
chk_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1 Passed
chk_sysctl net.ipv4.conf.all.rp_filter 1 Passed
chk_sysctl net.ipv4.conf.default.rp_filter 1 Failed
chk_sysctl net.ipv4.tcp_syncookies 1 Passed
ip6_router_advertisements_dis Failed
ip6_redirect_accept_dis Failed
chk_sysctl net.ipv6.conf.all.disable_ipv6 1 Failed
rpm_installed tcp_wrappers Failed
chk_file_exists /etc/hosts.allow Failed
stat: cannot statx '/etc/hosts.allow': No such file or directory
check_root_owns /etc/hosts.allow Failed
stat: cannot statx '/etc/hosts.allow': No such file or directory
check_file_perms /etc/hosts.allow 644 Failed
chk_file_exists /etc/hosts.deny Failed
cut: /etc/hosts.deny: No such file or directory
chk_hosts_deny_content Failed
stat: cannot statx '/etc/hosts.deny': No such file or directory
check_root_owns /etc/hosts.deny Failed
stat: cannot statx '/etc/hosts.deny': No such file or directory
check_file_perms /etc/hosts.deny 644 Failed
grep: /etc/modprobe.d/CIS.conf: No such file or directory
chk_cis_cnf dccp /etc/modprobe.d/CIS.conf Failed
grep: /etc/modprobe.d/CIS.conf: No such file or directory
chk_cis_cnf sctp /etc/modprobe.d/CIS.conf Failed
grep: /etc/modprobe.d/CIS.conf: No such file or directory
chk_cis_cnf rds /etc/modprobe.d/CIS.conf Failed
grep: /etc/modprobe.d/CIS.conf: No such file or directory
chk_cis_cnf tipc /etc/modprobe.d/CIS.conf Failed
check_svc_enabled firewalld Failed
rpm_installed rsyslog Passed
check_svc_enabled rsyslog Passed
chk_file_exists /etc/rsyslog.conf Passed
check_root_owns /etc/rsyslog.conf Passed
check_file_perms /etc/rsyslog.conf 600 Failed
chk_rsyslog_content Failed
audit_log_storage_size Passed
dis_on_audit_log_full Failed
keep_all_audit_info Failed
check_svc_enabled auditd Passed
audit_procs_prior_2_auditd Passed
audit_date_time Failed
audit_user_group Failed
audit_network_env Failed
audit_sys_mac Failed
audit_logins_logouts Failed
audit_session_init Failed
audit_dac_perm_mod_events Failed
unsuc_unauth_acc_attempts Failed
coll_priv_cmds Failed
coll_suc_fs_mnts Failed
coll_file_del_events Failed
coll_chg2_sysadm_scope Failed
coll_sysadm_actions Failed
kmod_lod_unlod Failed
audit_cfg_immut Failed
logrotate_cfg Failed
rpm_installed cronie-anacron Passed
check_svc_enabled crond Passed
check_root_owns /etc/anacrontab Passed
check_file_perms /etc/anacrontab 600 Failed
check_root_owns /etc/crontab Passed
check_file_perms /etc/crontab 600 Failed
check_root_owns /etc/cron.hourly Passed
check_file_perms /etc/cron.hourly 600 Failed
check_root_owns /etc/cron.daily Passed
check_file_perms /etc/cron.daily 600 Failed
check_root_owns /etc/cron.weekly Passed
check_file_perms /etc/cron.weekly 600 Failed
check_root_owns /etc/cron.monthly Passed
check_file_perms /etc/cron.monthly 600 Failed
check_root_owns /etc/cron.d Passed
check_file_perms /etc/cron.d 600 Failed
atd_cfg Failed
at_cron_auth_users Failed
chk_param /etc/ssh/sshd_config Protocol 2 Failed
chk_param /etc/ssh/sshd_config LogLevel INFO Failed
check_root_owns /etc/ssh/sshd_config Passed
check_file_perms /etc/ssh/sshd_config 600 Passed
chk_param /etc/ssh/sshd_config X11Forwarding no Failed
ssh_maxauthtries 4 Passed
chk_param /etc/ssh/sshd_config IgnoreRhosts yes Failed
chk_param /etc/ssh/sshd_config HostbasedAuthentication no Failed
chk_param /etc/ssh/sshd_config PermitRootLogin no Passed
chk_param /etc/ssh/sshd_config PermitEmptyPasswords no Failed
chk_param /etc/ssh/sshd_config PermitUserEnvironment no Failed
chk_param /etc/ssh/sshd_config Ciphers aes128-ctr,aes192-ctr,aes256-ctr Failed
chk_param /etc/ssh/sshd_config ClientAliveInterval 300 Failed
chk_param /etc/ssh/sshd_config ClientAliveCountMax 0 Failed
ssh_access Failed
chk_param /etc/ssh/sshd_config Banner /etc/issue.net Failed
./nixauditor2.0: line 782: authconfig: command not found
pass_hash_algo sha512 Failed
pass_req_params Failed
failed_pass_lock Failed
lim_passwd_reuse Failed
su_access Failed
chk_param /etc/login.defs PASS_MAX_DAYS 90 Failed
chk_param /etc/login.defs PASS_MIN_DAYS 7 Failed
chk_param /etc/login.defs PASS_WARN_AGE 7 Passed
dis_sys_accs Passed
root_def_grp Passed
def_umask_for_users Failed
inactive_usr_acs_locked Failed
check_root_owns /etc/motd Passed
check_file_perms /etc/motd 644 Passed
check_root_owns /etc/issue Passed
check_file_perms /etc/issue 644 Passed
check_root_owns /etc/issue.net Passed
check_file_perms /etc/issue.net 644 Passed
warning_banners Failed
gnome_banner Passed
check_file_perms /etc/passwd 644 Passed
check_file_perms /etc/shadow 0 Passed
check_file_perms /etc/gshadow 0 Passed
check_file_perms /etc/group 644 Passed
check_root_owns /etc/passwd Passed
check_root_owns /etc/shadow Passed
check_root_owns /etc/gshadow Passed
check_root_owns /etc/group Passed
world_w_dirs Failed
unowned_files Failed
ungrouped_files Failed
suid_exes Failed
sgid_exes Failed
passwd_field_chk Passed
nis_in_file /etc/passwd Passed
nis_in_file /etc/shadow Passed
nis_in_file /etc/group Passed
no_uid0_other_root Passed
root_path Passed
home_dir_perms Passed
dot_file_perms Passed
dot_netrc_perms Passed
dot_rhosts_files Passed
chk_groups_passwd Passed
chk_home_dirs_exist Passed
chk_home_dirs_owns Passed
duplicate_uids Passed
duplicate_gids Passed
chk_uids_4_res Failed
duplicate_usernames Passed
duplicate_groupnames Passed
user_dot_netrc Passed
user_dot_forward Passed
### SCAN COMPLETE ####
Go fix them, will you?
root@server:~# lsat
****************************************
bashtop is not chmod 644.
frontend is not chmod 644.
goaccess-1.4.6 is not chmod 644.
hst_backups is not chmod 644.
hst_install_backups is not chmod 644.
lsat.out is not chmod 644.
roundcubemail-1.4.11 is not chmod 644.
snap is not chmod 644.
/var/log/wtmp is not chmod 644.
/boot/vmlinuz-4.15.0-1021-aws is not chmod 644.
****************************************
Checking default umask on system:
Default umask should be 022, 027 or 077. 002 is ok for RedHat.
Here are the filenames, and the umask number
found in each. Please read through the file and ensure that is what you want.
/etc/rssh.conf: = 022
/etc/vsftpd.conf:local_=022
/etc/vsftpd.conf:anon_=022
root@server:# ./sysechk -f
22 tests ran in 13 seconds.
9 problems detected:
CCE-14011-1  Major: Create separate partition or logical volume for /var/log
CCE-14107-7  Minor: Add 'UMASK 077' to /etc/login.defs
CCE-14161-4  Major: Create separate partition or logical volume for /tmp
CCE-14559-9  Minor: Since you are using local home directories, create separate partition or logical volume for /home
CCE-14777-7  Minor: Create separate partition or logical volume for /var
CCE-3561-8  Major: Is this system going to be used as a firewall or gateway to pass IP traffic between different networks? If not, add 'net.ipv4.ip_forward = 0' to /etc/sysctl.conf
CCE-4060-0  Minor: You should not expose your FQDN (\n) through the system login banner, edit /etc/issue
CCE-4292-9  Minor: Enable the auditd service with 'update-rc.d auditd enable'
NSA-2-1-2-3-1  Major: Update your packages with 'apt-get upgrade'
root@server:~# find / -xdev \( -nouser -o -nogroup \) -print
/var/cache/private/fwupdmgr

Оцінка: деякі директорії рекомендується по можливості розмістити на окремих розділах жорсткого диску (/var/log, /tmp). Репозиторії потребують оновлення. Необхідно встановити додаткові модулі, вказані у звітах. На деякі системні директорії рекомендується встановити права доступу 600, а файли і виконувані програми — 644. Проаналізувати файли, які не закріплені за жодним користувачем та адміністративною групою.

Розділ 4. Аналіз системних служб і сервісів

root@server:~# systemctl list-unit-files
UNIT FILE                                  STATE           VENDOR PRESET
proc-sys-fs-binfmt_misc.automount          static          enabled      
-.mount                                    generated       enabled      
boot-efi.mount                             generated       enabled      
dev-hugepages.mount                        static          enabled      
dev-mqueue.mount                           static          enabled      
proc-sys-fs-binfmt_misc.mount              disabled        enabled      
snap-core20-1611.mount                     enabled         enabled      
snap-core20-1623.mount                     enabled         enabled      
snap-lxd-22753.mount                       enabled         enabled      
snap-snapd-16778.mount                     enabled         enabled      
snap-snapd-17029.mount                     enabled         enabled      
sys-fs-fuse-connections.mount              static          enabled      
sys-kernel-config.mount                    static          enabled      
sys-kernel-debug.mount                     static          enabled      
sys-kernel-tracing.mount                   static          enabled      
apport-autoreport.path                     enabled         enabled      
systemd-ask-password-console.path          static          enabled      
systemd-ask-password-plymouth.path         static          enabled      
systemd-ask-password-wall.path             static          enabled      
session-3414.scope                         transient       enabled      
session-3423.scope                         transient       enabled      
session-3426.scope                         transient       enabled      
accounts-daemon.service                    enabled         enabled      
apparmor.service                           enabled         enabled      
apport-autoreport.service                  static          enabled      
apport-forward@.service                    static          enabled      
apport.service                             generated       enabled      
apt-daily-upgrade.service                  static          enabled      
apt-daily.service                          static          enabled      
atd.service                                enabled         enabled      
autovt@.service                            enabled         enabled      
blk-availability.service                   enabled         enabled      
bolt.service                               static          enabled      
clean-mount-point@.service                 static          enabled      
cloud-config.service                       enabled         enabled      
cloud-final.service                        enabled         enabled      
cloud-init-hotplugd.service                static          enabled      
cloud-init-local.service                   enabled         enabled      
cloud-init.service                         enabled         enabled      
console-getty.service                      disabled        disabled     
console-setup.service                      enabled         enabled      
container-getty@.service                   static          enabled      
containerd.service                         enabled         enabled      
cron.service                               enabled         enabled      
cryptdisks-early.service                   masked          enabled      
cryptdisks.service                         masked          enabled      
dbus-org.freedesktop.hostname1.service     static          enabled      
dbus-org.freedesktop.locale1.service       static          enabled      
dbus-org.freedesktop.login1.service        static          enabled      
dbus-org.freedesktop.ModemManager1.service enabled         enabled      
dbus-org.freedesktop.resolve1.service      enabled         enabled      
dbus-org.freedesktop.timedate1.service     static          enabled      
dbus-org.freedesktop.timesync1.service     enabled         enabled      
dbus.service                               static          enabled      
debug-shell.service                        disabled        disabled     
dm-event.service                           static          enabled      
dmesg.service                              enabled         enabled      
docker.service                             enabled         enabled      
droplet-agent.service                      enabled         enabled      
e2scrub@.service                           static          enabled      
e2scrub_all.service                        static          enabled      
e2scrub_fail@.service                      static          enabled      
e2scrub_reap.service                       enabled         enabled      
emergency.service                          static          enabled      
finalrd.service                            enabled         enabled      
friendly-recovery.service                  static          enabled      
fstrim.service                             static          enabled      
fwupd-offline-update.service               static          enabled      
fwupd-refresh.service                      static          disabled     
fwupd.service                              static          enabled      
getty-static.service                       static          enabled      
getty@.service                             enabled         enabled      
grub-common.service                        enabled         enabled      
grub-initrd-fallback.service               enabled         enabled      
hwclock.service                            masked          enabled      
initrd-cleanup.service                     static          enabled      
initrd-parse-etc.service                   static          enabled      
initrd-switch-root.service                 static          enabled      
initrd-udevadm-cleanup-db.service          static          enabled      
irqbalance.service                         enabled         enabled      
iscsi.service                              enabled         enabled      
iscsid.service                             disabled        enabled      
keyboard-setup.service                     enabled         enabled      
kmod-static-nodes.service                  static          enabled      
kmod.service                               static          enabled      
logrotate.service                          static          enabled      
lvm2-lvmpolld.service                      static          enabled      
lvm2-monitor.service                       enabled         enabled      
lvm2-pvscan@.service                       static          enabled      
lvm2.service                               masked          enabled      
lxd-agent-9p.service                       enabled         enabled      
lxd-agent.service                          enabled         enabled      
man-db.service                             static          enabled      
mdadm-grow-continue@.service               static          enabled      
mdadm-last-resort@.service                 static          enabled      
mdcheck_continue.service                   static          enabled      
mdcheck_start.service                      static          enabled      
mdmon@.service                             static          enabled      
mdmonitor-oneshot.service                  static          enabled      
mdmonitor.service                          static          enabled      
metasploit-config-swapper.service          static          enabled      
metasploit-env.service                     static          enabled      
metasploit-postgresql-env.service          static          enabled      
metasploit-postgresql.service              static          enabled      
metasploit-prosvc.service                  static          enabled      
metasploit-ui.service                      static          enabled      
metasploit-update.service                  static          enabled      
metasploit-worker.service                  static          enabled      
metasploit.service                         static          enabled      
ModemManager.service                       enabled         enabled      
modprobe@.service                          static          enabled      
motd-news.service                          static          enabled      
multipath-tools-boot.service               masked          enabled      
multipath-tools.service                    enabled         enabled      
multipathd.service                         enabled         enabled      
netplan-ovs-cleanup.service                enabled-runtime enabled      
networkd-dispatcher.service                enabled         enabled      
ondemand.service                           enabled         enabled      
open-iscsi.service                         enabled         enabled      
open-vm-tools.service                      enabled         enabled      
packagekit-offline-update.service          static          enabled      
packagekit.service                         static          enabled      
phpsessionclean.service                    static          enabled      
plymouth-halt.service                      static          enabled      
plymouth-kexec.service                     static          enabled      
plymouth-log.service                       static          enabled      
plymouth-poweroff.service                  static          enabled      
plymouth-quit-wait.service                 static          enabled      
plymouth-quit.service                      static          enabled      
plymouth-read-write.service                static          enabled      
plymouth-reboot.service                    static          enabled      
plymouth-start.service                     static          enabled      
plymouth-switch-root.service               static          enabled      
plymouth.service                           static          enabled      
polkit.service                             static          enabled      
pollinate.service                          enabled         enabled      
procps.service                             static          enabled      
quotaon.service                            static          enabled      
rc-local.service                           static          enabled      
rc.service                                 masked          enabled      
rcS.service                                masked          enabled      
rescue.service                             static          enabled      
rsync.service                              enabled         enabled      
rsyslog.service                            enabled         enabled      
screen-cleanup.service                     masked          enabled      
secureboot-db.service                      enabled         enabled      
serial-getty@.service                      indirect        enabled      
setvtrgb.service                           enabled         enabled      
snap.lxd.activate.service                  enabled         enabled      
snap.lxd.daemon.service                    static          enabled      
snapd.apparmor.service                     enabled         enabled      
snapd.autoimport.service                   enabled         enabled      
snapd.core-fixup.service                   enabled         enabled      
snapd.failure.service                      static          enabled      
snapd.recovery-chooser-trigger.service     enabled         enabled      
snapd.seeded.service                       enabled         enabled      
snapd.service                              enabled         enabled      
snapd.snap-repair.service                  static          enabled      
snapd.system-shutdown.service              enabled         enabled      
ssh.service                                enabled         enabled      
ssh@.service                               static          enabled      
sshd.service                               enabled         enabled      
sudo.service                               masked          enabled      
syslog.service                             enabled         enabled      
system-update-cleanup.service              static          enabled      
systemd-ask-password-console.service       static          enabled      
systemd-ask-password-plymouth.service      static          enabled      
systemd-ask-password-wall.service          static          enabled      
systemd-backlight@.service                 static          enabled      
systemd-binfmt.service                     static          enabled      
systemd-bless-boot.service                 static          enabled      
systemd-boot-check-no-failures.service     disabled        enabled      
systemd-boot-system-token.service          static          enabled      
systemd-exit.service                       static          enabled      
systemd-fsck-root.service                  enabled-runtime enabled      
systemd-fsck@.service                      static          enabled      
systemd-fsckd.service                      static          enabled      
systemd-halt.service                       static          enabled      
systemd-hibernate-resume@.service          static          enabled      
systemd-hibernate.service                  static          enabled      
systemd-hostnamed.service                  static          enabled      
systemd-hwdb-update.service                static          enabled      
systemd-hybrid-sleep.service               static          enabled      
systemd-initctl.service                    static          enabled      
systemd-journal-flush.service              static          enabled      
systemd-journald.service                   static          enabled      
systemd-journald@.service                  static          enabled      
systemd-kexec.service                      static          enabled      
systemd-localed.service                    static          enabled      
systemd-logind.service                     static          enabled      
systemd-machine-id-commit.service          static          enabled      
systemd-modules-load.service               static          enabled      
systemd-network-generator.service          disabled        enabled      
systemd-networkd-wait-online.service       enabled         enabled      
systemd-networkd.service                   enabled         enabled      
systemd-poweroff.service                   static          enabled      
systemd-pstore.service                     enabled         enabled      
systemd-quotacheck.service                 static          enabled      
systemd-random-seed.service                static          enabled      
systemd-reboot.service                     static          enabled      
systemd-remount-fs.service                 enabled-runtime enabled      
systemd-resolved.service                   enabled         enabled      
systemd-rfkill.service                     static          enabled      
systemd-suspend-then-hibernate.service     static          enabled      
systemd-suspend.service                    static          enabled      
systemd-sysctl.service                     static          enabled      
systemd-sysusers.service                   static          enabled      
systemd-time-wait-sync.service             disabled        enabled      
systemd-timedated.service                  static          enabled      
systemd-timesyncd.service                  enabled         enabled      
systemd-tmpfiles-clean.service             static          enabled      
systemd-tmpfiles-setup-dev.service         static          enabled      
systemd-tmpfiles-setup.service             static          enabled      
systemd-udev-settle.service                static          enabled      
systemd-udev-trigger.service               static          enabled      
systemd-udevd.service                      static          enabled      
systemd-update-utmp-runlevel.service       static          enabled      
systemd-update-utmp.service                static          enabled      
systemd-user-sessions.service              static          enabled      
systemd-volatile-root.service              static          enabled      
ua-reboot-cmds.service                     enabled         enabled      
ua-timer.service                           static          enabled      
ubuntu-advantage.service                   enabled         enabled      
ubuntu-fan.service                         enabled         enabled      
udev.service                               static          enabled      
udisks2.service                            enabled         enabled      
ufw.service                                enabled         enabled      
unattended-upgrades.service                enabled         enabled      
usb_modeswitch@.service                    static          enabled      
user-runtime-dir@.service                  static          enabled      
user@.service                              static          enabled      
uuidd.service                              indirect        enabled      
vgauth.service                             enabled         enabled      
vmtoolsd.service                           enabled         enabled      
x11-common.service                         masked          enabled      
xfs_scrub@.service                         static          enabled      
xfs_scrub_all.service                      static          enabled      
xfs_scrub_fail@.service                    static          enabled      
machine.slice                              static          enabled      
system-systemd\x2dcryptsetup.slice         static          enabled      
user.slice                                 static          enabled      
apport-forward.socket                      enabled         enabled      
cloud-init-hotplugd.socket                 enabled         enabled      
dbus.socket                                static          enabled      
dm-event.socket                            enabled         enabled      
docker.socket                              enabled         enabled      
iscsid.socket                              enabled         enabled      
lvm2-lvmpolld.socket                       enabled         enabled      
multipathd.socket                          enabled         enabled      
snap.lxd.daemon.unix.socket                enabled         enabled      
snapd.socket                               enabled         enabled      
ssh.socket                                 disabled        enabled      
syslog.socket                              static          disabled     
systemd-fsckd.socket                       static          enabled      
systemd-initctl.socket                     static          enabled      
systemd-journald-audit.socket              static          enabled      
systemd-journald-dev-log.socket            static          enabled      
systemd-journald-varlink@.socket           static          enabled      
systemd-journald.socket                    static          enabled      
systemd-journald@.socket                   static          enabled      
systemd-networkd.socket                    enabled         enabled      
systemd-rfkill.socket                      static          enabled      
systemd-udevd-control.socket               static          enabled      
systemd-udevd-kernel.socket                static          enabled      
uuidd.socket                               enabled         enabled      
basic.target                               static          enabled      
blockdev@.target                           static          enabled      
bluetooth.target                           static          enabled      
boot-complete.target                       static          enabled      
cloud-config.target                        static          enabled      
cloud-init.target                          enabled-runtime enabled      
cryptsetup-pre.target                      static          disabled     
cryptsetup.target                          static          enabled      
ctrl-alt-del.target                        disabled        enabled      
default.target                             static          enabled      
emergency.target                           static          enabled      
exit.target                                disabled        disabled     
final.target                               static          enabled      
friendly-recovery.target                   static          enabled      
getty-pre.target                           static          disabled     
getty.target                               static          enabled      
graphical.target                           static          enabled      
halt.target                                disabled        disabled     
hibernate.target                           static          enabled      
hybrid-sleep.target                        static          enabled      
initrd-fs.target                           static          enabled      
initrd-root-device.target                  static          enabled      
initrd-root-fs.target                      static          enabled      
initrd-switch-root.target                  static          enabled      
initrd.target                              static          enabled      
kexec.target                               disabled        disabled     
local-fs-pre.target                        static          disabled     
local-fs.target                            static          enabled      
metasploit.target                          enabled         enabled      
multi-user.target                          static          enabled      
network-online.target                      static          enabled      
network-pre.target                         static          disabled     
network.target                             static          disabled     
nss-lookup.target                          static          disabled     
nss-user-lookup.target                     static          disabled     
paths.target                               static          enabled      
poweroff.target                            disabled        disabled     
printer.target                             static          enabled      
reboot.target                              disabled        enabled      
remote-cryptsetup.target                   disabled        enabled      
remote-fs-pre.target                       static          disabled     
remote-fs.target                           enabled         enabled      
rescue-ssh.target                          static          enabled      
rescue.target                              static          disabled     
rpcbind.target                             static          disabled     
runlevel0.target                           disabled        enabled      
runlevel1.target                           static          enabled      
runlevel2.target                           static          enabled      
runlevel3.target                           static          enabled      
runlevel4.target                           static          enabled      
runlevel5.target                           static          enabled      
runlevel6.target                           disabled        enabled      
shutdown.target                            static          enabled      
sigpwr.target                              static          enabled      
sleep.target                               static          enabled      
slices.target                              static          enabled      
smartcard.target                           static          enabled      
sockets.target                             static          enabled      
sound.target                               static          enabled      
suspend-then-hibernate.target              static          enabled      
suspend.target                             static          enabled      
swap.target                                static          enabled      
sysinit.target                             static          enabled      
system-update-pre.target                   static          enabled      
system-update.target                       static          enabled      
time-set.target                            static          disabled     
time-sync.target                           static          disabled     
timers.target                              static          enabled      
umount.target                              static          enabled      
apt-daily-upgrade.timer                    enabled         enabled      
apt-daily.timer                            enabled         enabled      
e2scrub_all.timer                          enabled         enabled      
fstrim.timer                               enabled         enabled      
fwupd-refresh.timer                        enabled         enabled      
logrotate.timer                            enabled         enabled      
man-db.timer                               enabled         enabled      
mdadm-last-resort@.timer                   static          enabled      
mdcheck_continue.timer                     enabled         enabled      
mdcheck_start.timer                        enabled         enabled      
mdmonitor-oneshot.timer                    enabled         enabled      
motd-news.timer                            enabled         enabled      
phpsessionclean.timer                      enabled         enabled      
snapd.snap-repair.timer                    enabled         enabled      
systemd-tmpfiles-clean.timer               static          enabled      
ua-timer.timer                             enabled         enabled      
xfs_scrub_all.timer                        disabled        enabled
351 unit files listed.
root@server:# ./lunar.sh -a -v
Running:   In audit mode (no changes will be made to system)
Auditing:  OS
# SYSTEM INFORMATION:
Platform:  OVH
Processor: x86_64
Machine:   x86_64
Vendor:    Ubuntu
Name:      Linux
Version:   20
Update:    04
Security Warning Message
File permissions on /etc/issue
Secure:    File /etc/issue has correct permissions [1 Passes]
Security message in /etc/issue
Warning:   No security message in /etc/issue [1 Warnings]
File permissions on /etc/motd
Notice:    File /etc/motd does not exist
Security message in /etc/motd
Warning:   No security message in /etc/motd [2 Warnings]
File permissions on /etc/issue.net
Secure:    File /etc/issue.net has correct permissions [2 Passes]
Security message in /etc/issue.net
Warning:   No security message in /etc/issue.net [3 Warnings]
SSH
SSH Configuration 
File permissions on /etc/ssh/sshd_config
Warning:   File /etc/ssh/sshd_config has incorrect permissions [4 Warnings]
[ Fix ]    chmod 0600 /etc/ssh/sshd_config
[ Fix ]    chown root:root /etc/ssh/sshd_config
Value of UseLogin is set to no in /etc/ssh/sshd_config
Warning:   Parameter "UseLogin" not set to "no" in /etc/ssh/sshd_config [5 Warnings]
[ Fix ]    echo "UseLogin no" >> /etc/ssh/sshd_config
Value of Protocol is set to 2 in /etc/ssh/sshd_config
Warning:   Parameter "Protocol" not set to "2" in /etc/ssh/sshd_config [6 Warnings]
[ Fix ]    echo "Protocol 2" >> /etc/ssh/sshd_config
Value of X11Forwarding is set to no in /etc/ssh/sshd_config
Secure:    Parameter "X11Forwarding" is set to "no" in /etc/ssh/sshd_config [3 Passes]
Value of MaxAuthTries is set to 3 in /etc/ssh/sshd_config
Warning:   Parameter "MaxAuthTries" not set to "3" in /etc/ssh/sshd_config [7 Warnings]
[ Fix ]    echo "MaxAuthTries 3" >> /etc/ssh/sshd_config
Value of MaxAuthTriesLog is set to 0 in /etc/ssh/sshd_config
Warning:   Parameter "MaxAuthTriesLog" not set to "0" in /etc/ssh/sshd_config [8 Warnings]
[ Fix ]    echo "MaxAuthTriesLog 0" >> /etc/ssh/sshd_config
Value of RhostsAuthentication is set to no in /etc/ssh/sshd_config
Warning:   Parameter "RhostsAuthentication" not set to "no" in /etc/ssh/sshd_config [9 Warnings]
[ Fix ]    echo "RhostsAuthentication no" >> /etc/ssh/sshd_config
Value of IgnoreRhosts is set to yes in /etc/ssh/sshd_config
Secure:    Parameter "IgnoreRhosts" is set to "yes" in /etc/ssh/sshd_config [4 Passes]
Value of StrictModes is set to yes in /etc/ssh/sshd_config
Secure:    Parameter "StrictModes" is set to "yes" in /etc/ssh/sshd_config [5 Passes]
Value of AllowTcpForwarding is set to no in /etc/ssh/sshd_config
Secure:    Parameter "AllowTcpForwarding" is set to "no" in /etc/ssh/sshd_config [6 Passes]
Value of ServerKeyBits is set to 1024 in /etc/ssh/sshd_config
Warning:   Parameter "ServerKeyBits" not set to "1024" in /etc/ssh/sshd_config [10 Warnings]
[ Fix ]    echo "ServerKeyBits 1024" >> /etc/ssh/sshd_config
Value of GatewayPorts is set to no in /etc/ssh/sshd_config
Secure:    Parameter "GatewayPorts" is set to "no" in /etc/ssh/sshd_config [7 Passes]
Value of RhostsRSAAuthentication is set to no in /etc/ssh/sshd_config
Warning:   Parameter "RhostsRSAAuthentication" not set to "no" in /etc/ssh/sshd_config [11 Warnings]
[ Fix ]    echo "RhostsRSAAuthentication no" >> /etc/ssh/sshd_config
Value of PermitRootLogin is set to no in /etc/ssh/sshd_config
Warning:   Parameter "PermitRootLogin" not set to "no" in /etc/ssh/sshd_config [12 Warnings]
[ Fix ]    echo "PermitRootLogin no" >> /etc/ssh/sshd_config
Value of PermitEmptyPasswords is set to no in /etc/ssh/sshd_config
Secure:    Parameter "PermitEmptyPasswords" is set to "no" in /etc/ssh/sshd_config [8 Passes]
Value of PermitUserEnvironment is set to no in /etc/ssh/sshd_config
Secure:    Parameter "PermitUserEnvironment" is set to "no" in /etc/ssh/sshd_config [9 Passes]
Value of HostbasedAuthentication is set to no in /etc/ssh/sshd_config
Secure:    Parameter "HostbasedAuthentication" is set to "no" in /etc/ssh/sshd_config [10 Passes]
Value of Banner is set to /etc/issue in /etc/ssh/sshd_config
Warning:   Parameter "Banner" not set to "/etc/issue" in /etc/ssh/sshd_config [13 Warnings]
[ Fix ]    echo "Banner /etc/issue" >> /etc/ssh/sshd_config
Value of PrintMotd is set to no in /etc/ssh/sshd_config
Secure:    Parameter "PrintMotd" is set to "no" in /etc/ssh/sshd_config [11 Passes]
Value of ClientAliveInterval is set to 300 in /etc/ssh/sshd_config
Warning:   Parameter "ClientAliveInterval" not set to "300" in /etc/ssh/sshd_config [14 Warnings]
[ Fix ]    echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
Value of ClientAliveCountMax is set to 0 in /etc/ssh/sshd_config
Warning:   Parameter "ClientAliveCountMax" not set to "0" in /etc/ssh/sshd_config [15 Warnings]
[ Fix ]    echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
Value of LogLevel is set to VERBOSE in /etc/ssh/sshd_config
Warning:   Parameter "LogLevel" not set to "VERBOSE" in /etc/ssh/sshd_config [16 Warnings]
[ Fix ]    echo "LogLevel VERBOSE" >> /etc/ssh/sshd_config
Value of RSAAuthentication is set to no in /etc/ssh/sshd_config
Warning:   Parameter "RSAAuthentication" not set to "no" in /etc/ssh/sshd_config [17 Warnings]
[ Fix ]    echo "RSAAuthentication no" >> /etc/ssh/sshd_config
Value of UsePrivilegeSeparation is set to yes|sandbox in /etc/ssh/sshd_config
Warning:   Parameter "UsePrivilegeSeparation" not set to "yes|sandbox" in /etc/ssh/sshd_config [18 Warnings]
[ Fix ]    echo "UsePrivilegeSeparation yes|sandbox" >> /etc/ssh/sshd_config
Value of LoginGraceTime is set to 120 in /etc/ssh/sshd_config
Warning:   Parameter "LoginGraceTime" not set to "120" in /etc/ssh/sshd_config [19 Warnings]
[ Fix ]    echo "LoginGraceTime 120" >> /etc/ssh/sshd_config
SSH Forwarding
Value of AllowTcpForwarding is set to no in /etc/ssh/sshd_config
Secure:    Parameter "AllowTcpForwarding" is set to "no" in /etc/ssh/sshd_config [12 Passes]
Telnet and Rlogin Services
Telnet and Rlogin Services
Service telnet is disabled
Service login is disabled
Service rlogin is disabled
Service rsh is disabled
Service shell is disabled
Warnings for Standard Login Services
File /etc/motd exists
Warning:   File /etc/motd does not exist [20 Warnings]
File /etc/issue exists
Secure:    File /etc/issue exists [13 Passes]
File permissions on /etc/issue
Secure:    File /etc/issue has correct permissions [14 Passes]
Service xinetd is disabled
Talk Client
Package talk is uninstalled
Secure:    Package talk is uninstalled [15 Passes]
PAM RHosts Configuration
Secure:    Rhost authentication disabled in /etc/pam.d/atd [16 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/chfn [17 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/chpasswd [18 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/chsh [19 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/common-account [20 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/common-auth [21 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/common-password [22 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/common-session [23 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/common-session-noninteractive [24 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/cron [25 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/login [26 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/newusers [27 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/other [28 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/passwd [29 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/polkit-1 [30 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/runuser [31 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/runuser-l [32 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/sshd [33 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/su [34 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/su-l [35 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/sudo [36 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/systemd-user [37 Passes]
Secure:    Rhost authentication disabled in /etc/pam.d/vmtoolsd [38 Passes]
User Netrc Files
Secure:    No user netrc files exist [39 Passes]
User RHosts Files
Secure:    No user rhosts files exist [40 Passes]
Rhosts Files
File /.rhosts does not exist
Secure:    File /.rhosts does not exist [41 Passes]
File /.shosts does not exist
Secure:    File /.shosts does not exist [42 Passes]
File /root/.rhosts does not exist
Secure:    File /root/.rhosts does not exist [43 Passes]
File /root/.shosts does not exist
Secure:    File /root/.shosts does not exist [44 Passes]
File /etc/hosts.equiv does not exist
Secure:    File /etc/hosts.equiv does not exist [45 Passes]
User Netrc Files
Dot Files
Secure:    File /root/.netrc does not exist [46 Passes]
Secure:    File /usr/sbin/.netrc does not exist [47 Passes]
Secure:    File /bin/.netrc does not exist [48 Passes]
Secure:    File /dev/.netrc does not exist [49 Passes]
Secure:    File /bin/.netrc does not exist [50 Passes]
Secure:    File /usr/games/.netrc does not exist [51 Passes]
Secure:    File /var/cache/man/.netrc does not exist [52 Passes]
Secure:    File /var/spool/lpd/.netrc does not exist [53 Passes]
Secure:    File /var/mail/.netrc does not exist [54 Passes]
Secure:    File /var/spool/news/.netrc does not exist [55 Passes]
Secure:    File /var/spool/uucp/.netrc does not exist [56 Passes]
Secure:    File /bin/.netrc does not exist [57 Passes]
Secure:    File /var/www/.netrc does not exist [58 Passes]
Secure:    File /var/backups/.netrc does not exist [59 Passes]
Secure:    File /var/list/.netrc does not exist [60 Passes]
Secure:    File /var/run/ircd/.netrc does not exist [61 Passes]
Secure:    File /var/lib/gnats/.netrc does not exist [62 Passes]
Secure:    File /nonexistent/.netrc does not exist [63 Passes]
Secure:    File /run/systemd/.netrc does not exist [64 Passes]
Secure:    File /run/systemd/.netrc does not exist [65 Passes]
Secure:    File /run/systemd/.netrc does not exist [66 Passes]
Secure:    File /nonexistent/.netrc does not exist [67 Passes]
Secure:    File /home/syslog/.netrc does not exist [68 Passes]
Secure:    File /nonexistent/.netrc does not exist [69 Passes]
Secure:    File /var/lib/tpm/.netrc does not exist [70 Passes]
Secure:    File /run/uuidd/.netrc does not exist [71 Passes]
Secure:    File /nonexistent/.netrc does not exist [72 Passes]
Secure:    File /run/sshd/.netrc does not exist [73 Passes]
Secure:    File /var/lib/landscape/.netrc does not exist [74 Passes]
Secure:    File /var/cache/pollinate/.netrc does not exist [75 Passes]
Secure:    File /.netrc does not exist [76 Passes]
Secure:    File /var/snap/lxd/common/lxd/.netrc does not exist [77 Passes]
Secure:    File /var/lib/misc/.netrc does not exist [78 Passes]
Secure:    File /home/postgres/.netrc does not exist [79 Passes]
Single User Mode Requires Password
Value of PROMPT_FOR_CONFIRM is set to no in /etc/sysconfig/boot
Warning:   Parameter "PROMPT_FOR_CONFIRM" not set to "no" in /etc/sysconfig/boot [21 Warnings]
[ Fix ]    echo "PROMPT_FOR_CONFIRM=no" >> /etc/sysconfig/boot
System Accounting
Parameter -w /var/log/sudo.log -p wa -k actions is set in /etc/audit/audit.rules
Warning:   Parameter "-w /var/log/sudo.log -p wa -k actions" does not exist in /etc/audit/audit.rules [22 Warnings]
[ Fix ]    echo "-w /var/log/sudo.log -p wa -k actions" >> /etc/audit/audit.rules
Package sysstat is installed
Warning:   Package sysstat is not installed [23 Warnings]
[ Fix ]    echo "-w /var/log/sudo.log -p wa -k actions" >> /etc/audit/audit.rules
Value of ENABLED is set to true in /etc/default/sysstat
Warning:   Parameter "ENABLED" not set to "true" in /etc/default/sysstat [24 Warnings]
[ Fix ]    echo "ENABLED=true" >> /etc/default/sysstat
Warning:   System accounting not enabled [25 Warnings]
[ Fix ]    apt-get install sysstat
Parameter -f 1 is set in /etc/audit/audit.rules
Warning:   Parameter "-f 1" does not exist in /etc/audit/audit.rules [26 Warnings]
[ Fix ]    echo "-f 1" >> /etc/audit/audit.rules
Parameter  is set in /etc/audit/audit.rules
Warning:   Parameter "" does not exist in /etc/audit/audit.rules [27 Warnings]
[ Fix ]    echo "" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change" does not exist in /etc/audit/audit.rules [28 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change" does not exist in /etc/audit/audit.rules [29 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change" >> /etc/audit/audit.rules
Parameter -w /etc/localtime -p wa -k time-change is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/localtime -p wa -k time-change" does not exist in /etc/audit/audit.rules [30 Warnings]
[ Fix ]    echo "-w /etc/localtime -p wa -k time-change" >> /etc/audit/audit.rules
Parameter -w /etc/group -p wa -k identity is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/group -p wa -k identity" does not exist in /etc/audit/audit.rules [31 Warnings]
[ Fix ]    echo "-w /etc/group -p wa -k identity" >> /etc/audit/audit.rules
Parameter -w /etc/passwd -p wa -k identity is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/passwd -p wa -k identity" does not exist in /etc/audit/audit.rules [32 Warnings]
[ Fix ]    echo "-w /etc/passwd -p wa -k identity" >> /etc/audit/audit.rules
Parameter -w /etc/gshadow -p wa -k identity is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/gshadow -p wa -k identity" does not exist in /etc/audit/audit.rules [33 Warnings]
[ Fix ]    echo "-w /etc/gshadow -p wa -k identity" >> /etc/audit/audit.rules
Parameter -w /etc/shadow -p wa -k identity is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/shadow -p wa -k identity" does not exist in /etc/audit/audit.rules [34 Warnings]
[ Fix ]    echo "-w /etc/shadow -p wa -k identity" >> /etc/audit/audit.rules
Parameter -w /etc/security/opasswd -p wa -k identity is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/security/opasswd -p wa -k identity" does not exist in /etc/audit/audit.rules [35 Warnings]
[ Fix ]    echo "-w /etc/security/opasswd -p wa -k identity" >> /etc/audit/audit.rules
Parameter -a exit,always -F arch=b32 -S sethostname,setdomainname -k system-locale is set in /etc/audit/audit.rules
Warning:   Parameter "-a exit,always -F arch=b32 -S sethostname,setdomainname -k system-locale" does not exist in /etc/audit/audit.rules [36 Warnings]
[ Fix ]    echo "-a exit,always -F arch=b32 -S sethostname,setdomainname -k system-locale" >> /etc/audit/audit.rules
Parameter -a exit,always -F arch=b64 -S sethostname,setdomainname -k system-locale is set in /etc/audit/audit.rules
Warning:   Parameter "-a exit,always -F arch=b64 -S sethostname,setdomainname -k system-locale" does not exist in /etc/audit/audit.rules [37 Warnings]
[ Fix ]    echo "-a exit,always -F arch=b64 -S sethostname,setdomainname -k system-locale" >> /etc/audit/audit.rules
Parameter -w /etc/issue -p wa -k system-locale is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/issue -p wa -k system-locale" does not exist in /etc/audit/audit.rules [38 Warnings]
[ Fix ]    echo "-w /etc/issue -p wa -k system-locale" >> /etc/audit/audit.rules
Parameter -w /etc/issue.net -p wa -k system-locale is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/issue.net -p wa -k system-locale" does not exist in /etc/audit/audit.rules [39 Warnings]
[ Fix ]    echo "-w /etc/issue.net -p wa -k system-locale" >> /etc/audit/audit.rules
Parameter -w /etc/hosts -p wa -k system-locale is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/hosts -p wa -k system-locale" does not exist in /etc/audit/audit.rules [40 Warnings]
[ Fix ]    echo "-w /etc/hosts -p wa -k system-locale" >> /etc/audit/audit.rules
Parameter -w /etc/sysconfig/network -p wa -k system-locale is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/sysconfig/network -p wa -k system-locale" does not exist in /etc/audit/audit.rules [41 Warnings]
[ Fix ]    echo "-w /etc/sysconfig/network -p wa -k system-locale" >> /etc/audit/audit.rules
Parameter -w /etc/selinux/ -p wa -k MAC-policy is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/selinux/ -p wa -k MAC-policy" does not exist in /etc/audit/audit.rules [42 Warnings]
[ Fix ]    echo "-w /etc/selinux/ -p wa -k MAC-policy" >> /etc/audit/audit.rules
Parameter -w /etc/apparmor/ -p wa -k MAC-policy is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/apparmor/ -p wa -k MAC-policy" does not exist in /etc/audit/audit.rules [43 Warnings]
[ Fix ]    echo "-w /etc/apparmor/ -p wa -k MAC-policy" >> /etc/audit/audit.rules
Parameter -w /etc/apparmor.d/ -p wa -k MAC-policy is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/apparmor.d/ -p wa -k MAC-policy" does not exist in /etc/audit/audit.rules [44 Warnings]
[ Fix ]    echo "-w /etc/apparmor.d/ -p wa -k MAC-policy" >> /etc/audit/audit.rules
Parameter -w /var/log/faillog -p wa -k logins is set in /etc/audit/audit.rules
Warning:   Parameter "-w /var/log/faillog -p wa -k logins" does not exist in /etc/audit/audit.rules [45 Warnings]
[ Fix ]    echo "-w /var/log/faillog -p wa -k logins" >> /etc/audit/audit.rules
Parameter -w /var/log/lastlog -p wa -k logins is set in /etc/audit/audit.rules
Warning:   Parameter "-w /var/log/lastlog -p wa -k logins" does not exist in /etc/audit/audit.rules [46 Warnings]
[ Fix ]    echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/audit.rules
Parameter -w /var/run/faillock -p wa -k logins is set in /etc/audit/audit.rules
Warning:   Parameter "-w /var/run/faillock -p wa -k logins" does not exist in /etc/audit/audit.rules [47 Warnings]
[ Fix ]    echo "-w /var/run/faillock -p wa -k logins" >> /etc/audit/audit.rules
Parameter -w /var/run/utmp -p wa -k session is set in /etc/audit/audit.rules
Warning:   Parameter "-w /var/run/utmp -p wa -k session" does not exist in /etc/audit/audit.rules [48 Warnings]
[ Fix ]    echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/audit.rules
Parameter -w /var/log/btmp -p wa -k session is set in /etc/audit/audit.rules
Warning:   Parameter "-w /var/log/btmp -p wa -k session" does not exist in /etc/audit/audit.rules [49 Warnings]
[ Fix ]    echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/audit.rules
Parameter -w /var/log/wtmp -p wa -k session is set in /etc/audit/audit.rules
Warning:   Parameter "-w /var/log/wtmp -p wa -k session" does not exist in /etc/audit/audit.rules [50 Warnings]
[ Fix ]    echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/audit.rules
Parameter -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng" does not exist in /etc/audit/audit.rules [51 Warnings]
[ Fix ]    echo "-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng" >> /etc/audit/audit.rules
Parameter -a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng" does not exist in /etc/audit/audit.rules [52 Warnings]
[ Fix ]    echo "-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng" >> /etc/audit/audit.rules
Parameter -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng" does not exist in /etc/audit/audit.rules [53 Warnings]
[ Fix ]    echo "-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation" does not exist in /etc/audit/audit.rules [54 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation" does not exist in /etc/audit/audit.rules [55 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [56 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [57 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [58 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [59 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 - F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [60 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" does not exist in /etc/audit/audit.rules [61 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" does not exist in /etc/audit/audit.rules [62 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" does not exist in /etc/audit/audit.rules [63 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" does not exist in /etc/audit/audit.rules [64 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" does not exist in /etc/audit/audit.rules [65 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" >> /etc/audit/audit.rules
Parameter -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd" does not exist in /etc/audit/audit.rules [66 Warnings]
[ Fix ]    echo "-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export" does not exist in /etc/audit/audit.rules [67 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export" does not exist in /etc/audit/audit.rules [68 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export" >> /etc/audit/audit.rules
Parameter -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod" does not exist in /etc/audit/audit.rules [69 Warnings]
[ Fix ]    echo "-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" does not exist in /etc/audit/audit.rules [70 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" does not exist in /etc/audit/audit.rules [71 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" >> /etc/audit/audit.rules
Parameter -w /etc/sudoers -p wa -k scope is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/sudoers -p wa -k scope" does not exist in /etc/audit/audit.rules [72 Warnings]
[ Fix ]    echo "-w /etc/sudoers -p wa -k scope" >> /etc/audit/audit.rules
Parameter -w /etc/sudoers.d -p wa -k scope is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/sudoers.d -p wa -k scope" does not exist in /etc/audit/audit.rules [73 Warnings]
[ Fix ]    echo "-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/audit.rules
Parameter -w /etc/sudoers -p wa -k actions is set in /etc/audit/audit.rules
Warning:   Parameter "-w /etc/sudoers -p wa -k actions" does not exist in /etc/audit/audit.rules [74 Warnings]
[ Fix ]    echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/audit.rules
Parameter -w /var/log/sudo.log -p wa -k sudo_log_file is set in /etc/audit/audit.rules
Warning:   Parameter "-w /var/log/sudo.log -p wa -k sudo_log_file" does not exist in /etc/audit/audit.rules [75 Warnings]
[ Fix ]    echo "-w /var/log/sudo.log -p wa -k sudo_log_file" >> /etc/audit/audit.rules
Parameter -w /sbin/insmod -p x -k modules is set in /etc/audit/audit.rules
Warning:   Parameter "-w /sbin/insmod -p x -k modules" does not exist in /etc/audit/audit.rules [76 Warnings]
[ Fix ]    echo "-w /sbin/insmod -p x -k modules" >> /etc/audit/audit.rules
Parameter -w /sbin/rmmod -p x -k modules is set in /etc/audit/audit.rules
Warning:   Parameter "-w /sbin/rmmod -p x -k modules" does not exist in /etc/audit/audit.rules [77 Warnings]
[ Fix ]    echo "-w /sbin/rmmod -p x -k modules" >> /etc/audit/audit.rules
Parameter -w /sbin/modprobe -p x -k modules is set in /etc/audit/audit.rules
Warning:   Parameter "-w /sbin/modprobe -p x -k modules" does not exist in /etc/audit/audit.rules [78 Warnings]
[ Fix ]    echo "-w /sbin/modprobe -p x -k modules" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules" does not exist in /etc/audit/audit.rules [79 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules" >> /etc/audit/audit.rules
Parameter -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset - k kernel_modules is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset - k kernel_modules" does not exist in /etc/audit/audit.rules [80 Warnings]
[ Fix ]    echo "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset - k kernel_modules" >> /etc/audit/audit.rules
Parameter -a always,exit -S init_module -S delete_module -k modules is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -S init_module -S delete_module -k modules" does not exist in /etc/audit/audit.rules [81 Warnings]
[ Fix ]    echo "-a always,exit -S init_module -S delete_module -k modules" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" does not exist in /etc/audit/audit.rules [82 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" >> /etc/audit/audit.rules
Parameter -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts is set in /etc/audit/audit.rules
Warning:   Parameter "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" does not exist in /etc/audit/audit.rules [83 Warnings]
[ Fix ]    echo "-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts" >> /etc/audit/audit.rules
Parameter  is set in /etc/audit/audit.rules
Warning:   Parameter "" does not exist in /etc/audit/audit.rules [84 Warnings]
[ Fix ]    echo "" >> /etc/audit/audit.rules
Parameter space_left_action = email is set in /etc/audit/audit.rules
Warning:   Parameter "space_left_action = email" does not exist in /etc/audit/audit.rules [85 Warnings]
[ Fix ]    echo "space_left_action = email" >> /etc/audit/audit.rules
Parameter action_mail_acct = email is set in /etc/audit/audit.rules
Warning:   Parameter "action_mail_acct = email" does not exist in /etc/audit/audit.rules [86 Warnings]
[ Fix ]    echo "action_mail_acct = email" >> /etc/audit/audit.rules
Parameter admin_space_left_action = email is set in /etc/audit/audit.rules
Warning:   Parameter "admin_space_left_action = email" does not exist in /etc/audit/audit.rules [87 Warnings]
[ Fix ]    echo "admin_space_left_action = email" >> /etc/audit/audit.rules
Parameter max_log_file = 8 is set in /etc/audit/audit.rules
Warning:   Parameter "max_log_file = 8" does not exist in /etc/audit/audit.rules [88 Warnings]
[ Fix ]    echo "max_log_file = 8" >> /etc/audit/audit.rules
Parameter max_log_file_action = keep_logs is set in /etc/audit/audit.rules
Warning:   Parameter "max_log_file_action = keep_logs" does not exist in /etc/audit/audit.rules [89 Warnings]
[ Fix ]    echo "max_log_file_action = keep_logs" >> /etc/audit/audit.rules
Parameter -e 2 is set in /etc/audit/audit.rules
Warning:   Parameter "-e 2" does not exist in /etc/audit/audit.rules [90 Warnings]
[ Fix ]    echo "-e 2" >> /etc/audit/audit.rules
Service sysstat is enabled
Service auditd is enabled
Prelinking
Package prelink is uninstalled
Secure:    Package prelink is uninstalled [80 Passes]
[ Fix ]    echo "-e 2" >> /etc/audit/audit.rules
AIDE
Package aide is installed
Warning:   Package aide is not installed [91 Warnings]
./lunar.sh: 69: /usr/sbin/aide: not found
[ Fix ]    echo "-e 2" >> /etc/audit/audit.rules
Package aide-common is installed
Warning:   Package aide-common is not installed [92 Warnings]
[ Fix ]    echo "-e 2" >> /etc/audit/audit.rules
Parameter 0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check is set in /etc/cron.d/aide
Warning:   Parameter "0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" does not exist in /etc/cron.d/aide [93 Warnings]
[ Fix ]    echo "0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" >> /etc/cron.d/aide
Value of /sbin/auditctl is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf
Warning:   Parameter "/sbin/auditctl" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [94 Warnings]
[ Fix ]    echo "/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
Value of /sbin/auditd is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf
Warning:   Parameter "/sbin/auditd" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [95 Warnings]
[ Fix ]    echo "/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
Value of /sbin/ausearch is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf
Warning:   Parameter "/sbin/ausearch" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [96 Warnings]
[ Fix ]    echo "/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
Value of /sbin/aureport is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf
Warning:   Parameter "/sbin/aureport" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [97 Warnings]
[ Fix ]    echo "/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
Value of /sbin/autrace is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf
Warning:   Parameter "/sbin/autrace" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [98 Warnings]
[ Fix ]    echo "/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
Value of /sbin/augenrules is set to p+i+n+u+g+s+b+acl+xattrs+sha512 in /etc/aide/aide.conf
Warning:   Parameter "/sbin/augenrules" not set to "p+i+n+u+g+s+b+acl+xattrs+sha512" in /etc/aide/aide.conf [99 Warnings]
[ Fix ]    echo "/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
TCP Wrappers
Value of ALL is set to  ALL in /etc/hosts.deny
Warning:   Parameter "ALL" not set to " ALL" in /etc/hosts.deny [100 Warnings]
[ Fix ]    echo "ALL: ALL" >> /etc/hosts.deny
Value of ALL is set to  localhost in /etc/hosts.allow
Warning:   Parameter "ALL" not set to " localhost" in /etc/hosts.allow [101 Warnings]
[ Fix ]    echo "ALL: localhost" >> /etc/hosts.allow
Value of ALL is set to  127.0.0.1 in /etc/hosts.allow
Warning:   Parameter "ALL" not set to " 127.0.0.1" in /etc/hosts.allow [102 Warnings]
[ Fix ]    echo "ALL: 127.0.0.1" >> /etc/hosts.allow
File permissions on /etc/hosts.deny
Secure:    File /etc/hosts.deny has correct permissions [81 Passes]
File permissions on /etc/hosts.allow
Secure:    File /etc/hosts.allow has correct permissions [82 Passes]
Package tcpd is installed
Warning:   Package tcpd is not installed [103 Warnings]
[ Fix ]    echo "0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" >> /etc/cron.d/aide
IP Tables
Package iptables is installed
Secure:    Package iptables is installed [83 Passes]
[ Fix ]    echo "0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check" >> /etc/cron.d/aide
Service iptables is enabled
Service ip6tables is enabled
Warning:   All other devices allow trafic to the loopback network [104 Warnings]
PAM Authentication
Value of minlen is set to 14 in /etc/security/pwquality.conf
Warning:   Parameter "minlen" not set to "14" in /etc/security/pwquality.conf [105 Warnings]
[ Fix ]    echo "minlen=14" >> /etc/security/pwquality.conf
Value of dcredit is set to -1 in /etc/security/pwquality.conf
Warning:   Parameter "dcredit" not set to "-1" in /etc/security/pwquality.conf [106 Warnings]
[ Fix ]    echo "dcredit=-1" >> /etc/security/pwquality.conf
Value of ocredit is set to -1 in /etc/security/pwquality.conf
Warning:   Parameter "ocredit" not set to "-1" in /etc/security/pwquality.conf [107 Warnings]
[ Fix ]    echo "ocredit=-1" >> /etc/security/pwquality.conf
Value of ucredit is set to -1 in /etc/security/pwquality.conf
Warning:   Parameter "ucredit" not set to "-1" in /etc/security/pwquality.conf [108 Warnings]
[ Fix ]    echo "ucredit=-1" >> /etc/security/pwquality.conf
Value of lcredit is set to -1 in /etc/security/pwquality.conf
Warning:   Parameter "lcredit" not set to "-1" in /etc/security/pwquality.conf [109 Warnings]
[ Fix ]    echo "lcredit=-1" >> /etc/security/pwquality.conf
For nullok entry in /etc/pam.d/common-auth
Warning:   Found nullok entry in /etc/pam.d/common-auth [110 Warnings]
[ Fix ]    cp /etc/pam.d/common-auth /opt/LTRLlunar/tmp/temp_file
[ Fix ]    cat /opt/LTRLlunar/tmp/temp_file |sed 's/ nullok//' > /etc/pam.d/common-auth
[ Fix ]    rm /opt/LTRLlunar/tmp/temp_file
Lockout time for failed password attempts enabled in /etc/pam.d/common-auth
Warning:   Lockout time for failed password attempts not enabled in /etc/pam.d/common-auth [111 Warnings]
[ Fix ]    cp /etc/pam.d/common-auth /opt/LTRLlunar/tmp/temp_file
[ Fix ]    cat /opt/LTRLlunar/tmp/temp_file |awk '( auth == "auth" && unlock_time == "required" && 900 == "pam_tally2.so" ) { print "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900"; print ./lunar.sh; next };' > /etc/pam.d/common-auth
[ Fix ]    rm /opt/LTRLlunar/tmp/temp_file
File /etc/security/opasswd exists
Secure:    File /etc/security/opasswd exists [84 Passes]
File permissions on /etc/security/opasswd
Secure:    File /etc/security/opasswd has correct permissions [85 Passes]
Password entry remember set to 5 in /etc/pam.d/common-auth
Warning:   Password entry remember is not set to 5 in /etc/pam.d/common-auth [112 Warnings]
[ Fix ]    cp /etc/pam.d/common-auth /opt/LTRLlunar/tmp/temp_file
[ Fix ]    cat /opt/LTRLlunar/tmp/temp_file |awk '( account == "password" && 5 == "pam_unix.so" ) { print ./lunar.sh " remember=5"; next };' > /etc/pam.d/common-auth
[ Fix ]    rm /opt/LTRLlunar/tmp/temp_file
Password minimum strength enabled in /etc/pam.d/common-password
Warning:   Password strength settings not enabled in /etc/pam.d/common-password [113 Warnings]
[ Fix ]    cp /etc/pam.d/common-password /opt/LTRLlunar/tmp/temp_file
[ Fix ]    cat /opt/LTRLlunar/tmp/temp_file |sed 's/^password\ssufficient\spam_unix.so/password sufficient pam_unix.so sha512/g' > /etc/pam.d/common-password
rm /opt/LTRLlunar/tmp/temp_file
The use of su is restricted by sudo
Warning:   The use of su is not restricted by sudo in /etc/pam.d/su [114 Warnings]
[ Fix ]    cp /etc/pam.d/su /opt/LTRLlunar/tmp/temp_file
[ Fix ]    cat /opt/LTRLlunar/tmp/temp_file |sed 's/^auth.*use_uid$/&
auth  required   pam_wheel.so use_uid
/' > /etc/pam.d/su
[ Fix ]    rm /opt/LTRLlunar/tmp/temp_file
Password Expiration Parameters on Active Accounts
Value of PASS_MAX_DAYS is set to 90 in /etc/login.defs
Warning:   Parameter "PASS_MAX_DAYS" not set to "90" in /etc/login.defs [115 Warnings]
[ Fix ]    echo "PASS_MAX_DAYS=90" >> /etc/login.defs
Value of PASS_MIN_DAYS is set to 7 in /etc/login.defs
Warning:   Parameter "PASS_MIN_DAYS" not set to "7" in /etc/login.defs [116 Warnings]
[ Fix ]    echo "PASS_MIN_DAYS=7" >> /etc/login.defs
Value of PASS_WARN_AGE is set to 14 in /etc/login.defs
Warning:   Parameter "PASS_WARN_AGE" not set to "14" in /etc/login.defs [117 Warnings]
[ Fix ]    echo "PASS_WARN_AGE=14" >> /etc/login.defs
Value of PASS_MIN_LEN is set to 9 in /etc/login.defs
Warning:   Parameter "PASS_MIN_LEN" not set to "9" in /etc/login.defs [118 Warnings]
[ Fix ]    echo "PASS_MIN_LEN=9" >> /etc/login.defs
File permissions on /etc/login.defs
Warning:   File /etc/login.defs has incorrect permissions [119 Warnings]
[ Fix ]    chmod 0640 /etc/login.defs
[ Fix ]    chown root:root /etc/login.defs
Group and Password File Permissions
File permissions on /etc/passwd
Secure:    File /etc/passwd has correct permissions [86 Passes]
File permissions on /etc/group
Secure:    File /etc/group has correct permissions [87 Passes]
File permissions on /etc/shadow
Warning:   File /etc/shadow has incorrect permissions [120 Warnings]
[ Fix ]    chmod 0600 /etc/shadow
[ Fix ]    chown root:root /etc/shadow
File permissions on /etc/gshadow
Warning:   File /etc/gshadow has incorrect permissions [121 Warnings]
[ Fix ]    chmod 0600 /etc/gshadow
[ Fix ]    chown root:root /etc/gshadow
File permissions on /etc/group-
Warning:   File /etc/group- has incorrect permissions [122 Warnings]
[ Fix ]    chmod 0600 /etc/group-
[ Fix ]    chown root:root /etc/group-
File permissions on /etc/passwd-
Warning:   File /etc/passwd- has incorrect permissions [123 Warnings]
[ Fix ]    chmod 0600 /etc/passwd-
[ Fix ]    chown root:root /etc/passwd-
File permissions on /etc/shadow-
Warning:   File /etc/shadow- has incorrect permissions [124 Warnings]
[ Fix ]    chmod 0600 /etc/shadow-
[ Fix ]    chown root:root /etc/shadow-
File permissions on /etc/gshadow-
Warning:   File /etc/gshadow- has incorrect permissions [125 Warnings]
[ Fix ]    chmod 0600 /etc/gshadow-
[ Fix ]    chown root:root /etc/gshadow-
PAM SU Configuration
Warning:   Wheel group membership not required for su in /etc/pam.d/su [126 Warnings]
[ Fix ]    cp /etc/pam.d/su /opt/LTRLlunar/tmp/temp_file
[ Fix ]    cat /opt/LTRLlunar/tmp/temp_file |awk '( =="#auth" && =="required" && ~"pam_wheel.so" ) { print "auth  required ",," use_uid"; next }; { print }' > /etc/pam.d/su
[ Fix ]    rm /opt/LTRLlunar/tmp/temp_file
PAM Deny Weak Authentication Services
Parameter auth requisite pam_deny.so is set in /etc/pam.d/sshd
Warning:   Parameter "auth requisite pam_deny.so" does not exist in /etc/pam.d/sshd [127 Warnings]
[ Fix ]    echo "auth requisite pam_deny.so" >> /etc/pam.d/sshd
Value of Defaults timestamp_timeout is set to 0 in /etc/sudoers
Warning:   Parameter "Defaults timestamp_timeout" not set to "0" in /etc/sudoers [128 Warnings]
[ Fix ]    cat /etc/sudoers |sed "s,# Defaults specification,&
Defaults timestamp_timeout=0," > /opt/LTRLlunar/tmp/temp_file
[ Fix ]    cat /opt/LTRLlunar/tmp/temp_file > /etc/sudoers
Sysctl Configuration
Value of net.ipv4.conf.default.secure_redirects is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.conf.default.secure_redirects" not set to "0" in /etc/sysctl.conf [129 Warnings]
[ Fix ]    echo "net.ipv4.conf.default.secure_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.secure_redirects is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.conf.all.secure_redirects" not set to "0" in /etc/sysctl.conf [130 Warnings]
[ Fix ]    echo "net.ipv4.conf.all.secure_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.icmp_echo_ignore_broadcasts is set to 1 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.icmp_echo_ignore_broadcasts" not set to "1" in /etc/sysctl.conf [131 Warnings]
[ Fix ]    echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.accept_redirects is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.conf.all.accept_redirects" not set to "0" in /etc/sysctl.conf [132 Warnings]
[ Fix ]    echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.conf.default.accept_redirects is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.conf.default.accept_redirects" not set to "0" in /etc/sysctl.conf [133 Warnings]
[ Fix ]    echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.tcp_syncookies is set to 1 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.tcp_syncookies" not set to "1" in /etc/sysctl.conf [134 Warnings]
[ Fix ]    echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
Value of net.ipv4.tcp_max_syn_backlog is set to 4096 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.tcp_max_syn_backlog" not set to "4096" in /etc/sysctl.conf [135 Warnings]
[ Fix ]    echo "net.ipv4.tcp_max_syn_backlog=4096" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.rp_filter is set to 1 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.conf.all.rp_filter" not set to "1" in /etc/sysctl.conf [136 Warnings]
[ Fix ]    echo "net.ipv4.conf.all.rp_filter=1" >> /etc/sysctl.conf
Value of net.ipv4.conf.default.rp_filter is set to 1 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.conf.default.rp_filter" not set to "1" in /etc/sysctl.conf [137 Warnings]
[ Fix ]    echo "net.ipv4.conf.default.rp_filter=1" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.accept_source_route is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.conf.all.accept_source_route" not set to "0" in /etc/sysctl.conf [138 Warnings]
[ Fix ]    echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.conf
Value of net.ipv4.conf.default.accept_source_route is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.conf.default.accept_source_route" not set to "0" in /etc/sysctl.conf [139 Warnings]
[ Fix ]    echo "net.ipv4.conf.default.accept_source_route=0" >> /etc/sysctl.conf
Value of net.ipv4.tcp_max_orphans is set to 256 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.tcp_max_orphans" not set to "256" in /etc/sysctl.conf [140 Warnings]
[ Fix ]    echo "net.ipv4.tcp_max_orphans=256" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.log_martians is set to 1 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.conf.all.log_martians" not set to "1" in /etc/sysctl.conf [141 Warnings]
[ Fix ]    echo "net.ipv4.conf.all.log_martians=1" >> /etc/sysctl.conf
Value of net.ipv4.ip_forward is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.ip_forward" not set to "0" in /etc/sysctl.conf [142 Warnings]
[ Fix ]    echo "net.ipv4.ip_forward=0" >> /etc/sysctl.conf
Value of net.ipv4.conf.all.send_redirects is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.conf.all.send_redirects" not set to "0" in /etc/sysctl.conf [143 Warnings]
[ Fix ]    echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.conf.default.send_redirects is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.conf.default.send_redirects" not set to "0" in /etc/sysctl.conf [144 Warnings]
[ Fix ]    echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.conf
Value of net.ipv4.icmp_ignore_bogus_error_responses is set to 1 in /etc/sysctl.conf
Warning:   Parameter "net.ipv4.icmp_ignore_bogus_error_responses" not set to "1" in /etc/sysctl.conf [145 Warnings]
[ Fix ]    echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.conf
Value of net.ipv6.conf.default.accept_redirects is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv6.conf.default.accept_redirects" not set to "0" in /etc/sysctl.conf [146 Warnings]
[ Fix ]    echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.conf
Value of net.ipv6.conf.all.accept_ra is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv6.conf.all.accept_ra" not set to "0" in /etc/sysctl.conf [147 Warnings]
[ Fix ]    echo "net.ipv6.conf.all.accept_ra=0" >> /etc/sysctl.conf
Value of net.ipv6.conf.default.accept_ra is set to 0 in /etc/sysctl.conf
Warning:   Parameter "net.ipv6.conf.default.accept_ra" not set to "0" in /etc/sysctl.conf [148 Warnings]
[ Fix ]    echo "net.ipv6.conf.default.accept_ra=0" >> /etc/sysctl.conf
Value of net.ipv6.route.flush is set to 1 in /etc/sysctl.conf
Warning:   Parameter "net.ipv6.route.flush" not set to "1" in /etc/sysctl.conf [149 Warnings]
[ Fix ]    echo "net.ipv6.route.flush=1" >> /etc/sysctl.conf
Value of kernel.randomize_va_space is set to 2 in /etc/sysctl.conf
Warning:   Parameter "kernel.randomize_va_space" not set to "2" in /etc/sysctl.conf [150 Warnings]
[ Fix ]    echo "kernel.randomize_va_space=2" >> /etc/sysctl.conf
Parameter * hard core 0 is set in /etc/security/limits.conf
Warning:   Parameter "* hard core 0" does not exist in /etc/security/limits.conf [151 Warnings]
[ Fix ]    echo "* hard core 0" >> /etc/security/limits.conf
File permissions on /etc/security/limits.conf
Warning:   File /etc/security/limits.conf has incorrect permissions [152 Warnings]
[ Fix ]    chmod 0600 /etc/security/limits.conf
[ Fix ]    chown root:root /etc/security/limits.conf
TCP SYN Cookie Protection
Parameter echo 1 > /proc/sys/net/ipv4/tcp_syncookies is set in /etc/rc.d/local
Warning:   Parameter "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" does not exist in /etc/rc.d/local [153 Warnings]
[ Fix ]    echo "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" >> /etc/rc.d/local
File permissions on /etc/rc.d/local
Notice:    File /etc/rc.d/local does not exist
Modprobe Configuration
Parameter install tipc /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install tipc /bin/true" does not exist in /etc/modprobe.conf [154 Warnings]
[ Fix ]    echo "install tipc /bin/true" >> /etc/modprobe.conf
Parameter install rds /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install rds /bin/true" does not exist in /etc/modprobe.conf [155 Warnings]
[ Fix ]    echo "install rds /bin/true" >> /etc/modprobe.conf
Parameter install sctp /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install sctp /bin/true" does not exist in /etc/modprobe.conf [156 Warnings]
[ Fix ]    echo "install sctp /bin/true" >> /etc/modprobe.conf
Parameter install dccp /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install dccp /bin/true" does not exist in /etc/modprobe.conf [157 Warnings]
[ Fix ]    echo "install dccp /bin/true" >> /etc/modprobe.conf
Parameter install udf /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install udf /bin/true" does not exist in /etc/modprobe.conf [158 Warnings]
[ Fix ]    echo "install udf /bin/true" >> /etc/modprobe.conf
Parameter install squashfs /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install squashfs /bin/true" does not exist in /etc/modprobe.conf [159 Warnings]
[ Fix ]    echo "install squashfs /bin/true" >> /etc/modprobe.conf
Parameter install hfs /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install hfs /bin/true" does not exist in /etc/modprobe.conf [160 Warnings]
[ Fix ]    echo "install hfs /bin/true" >> /etc/modprobe.conf
Parameter install hfsplus /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install hfsplus /bin/true" does not exist in /etc/modprobe.conf [161 Warnings]
[ Fix ]    echo "install hfsplus /bin/true" >> /etc/modprobe.conf
Parameter install jffs2 /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install jffs2 /bin/true" does not exist in /etc/modprobe.conf [162 Warnings]
[ Fix ]    echo "install jffs2 /bin/true" >> /etc/modprobe.conf
Parameter install freevxfs /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install freevxfs /bin/true" does not exist in /etc/modprobe.conf [163 Warnings]
[ Fix ]    echo "install freevxfs /bin/true" >> /etc/modprobe.conf
Parameter install cramfs /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install cramfs /bin/true" does not exist in /etc/modprobe.conf [164 Warnings]
[ Fix ]    echo "install cramfs /bin/true" >> /etc/modprobe.conf
Parameter install vfat /bin/true is set in /etc/modprobe.conf
Warning:   Parameter "install vfat /bin/true" does not exist in /etc/modprobe.conf [165 Warnings]
[ Fix ]    echo "install vfat /bin/true" >> /etc/modprobe.conf
Unconfined Daemons
Warning:   Unconfined daemons  [166 Warnings]
SELinux
Value of SELINUX is set to enforcing in /etc/selinux/config
Warning:   Parameter "SELINUX" not set to "enforcing" in /etc/selinux/config [167 Warnings]
[ Fix ]    echo "SELINUX=enforcing" >> /etc/selinux/config
Value of SELINUXTYPE is set to targeted in /etc/selinux/config
Warning:   Parameter "SELINUXTYPE" not set to "targeted" in /etc/selinux/config [168 Warnings]
[ Fix ]    echo "SELINUXTYPE=targeted" >> /etc/selinux/config
File permissions on /etc/selinux/config
Notice:    File /etc/selinux/config does not exist
File permissions on /boot/grub/grub.cfg
Warning:   File /boot/grub/grub.cfg has incorrect permissions [169 Warnings]
[ Fix ]    chmod 0400 /boot/grub/grub.cfg
[ Fix ]    chown root:root /boot/grub/grub.cfg
Value of selinux is set to 1 in /boot/grub/grub.cfg
Warning:   Parameter "selinux" not set to "1" in /boot/grub/grub.cfg [170 Warnings]
[ Fix ]    echo "selinux=1" >> /boot/grub/grub.cfg
Value of enforcing is set to 1 in /boot/grub/grub.cfg
Warning:   Parameter "enforcing" not set to "1" in /boot/grub/grub.cfg [171 Warnings]
[ Fix ]    echo "enforcing=1" >> /boot/grub/grub.cfg
XD/NS Support
AppArmor
Package apparmor is installed
Secure:    Package apparmor is installed [88 Passes]
[ Fix ]    echo "install vfat /bin/true" >> /etc/modprobe.conf
./lunar.sh: 35: [: 0: unexpected operator
Secure:    AppArmor is not disabled in /boot/grub/grub.cfg /etc/default/grub [89 Passes]
Warning:   AppArmor is not enabled in /boot/grub/grub.cfg /etc/default/grub [172 Warnings]
[ Fix ]    cat /boot/grub/grub.cfg |sed 's/^\s*linux.*/& apparmor=1 security=apparmor/g' > /tmp/apparmor ; cat /tmp/apparmor > /boot/grub/grub.cfg ; aa-enforce /etc/apparmor.d/*
Randomised Virtual Memory Region Placement
Sendmail Daemon
Service sendmail is disabled
Value of DAEMON is set to no in /etc/sysconfig/sendmail
Warning:   Parameter "DAEMON" not set to "no" in /etc/sysconfig/sendmail [173 Warnings]
[ Fix ]    echo "DAEMON=no" >> /etc/sysconfig/sendmail
Value of QUEUE is set to 1h in /etc/sysconfig/sendmail
Warning:   Parameter "QUEUE" not set to "1h" in /etc/sysconfig/sendmail [174 Warnings]
[ Fix ]    echo "QUEUE=1h" >> /etc/sysconfig/sendmail
Sendmail Aliases
File permissions on /etc/aliases
Notice:    File /etc/aliases does not exist
Mail Daemons
Service cyrus is disabled
Package cyrus is uninstalled
Secure:    Package cyrus is uninstalled [90 Passes]
[ Fix ]    cat /boot/grub/grub.cfg |sed 's/^\s*linux.*/& apparmor=1 security=apparmor/g' > /tmp/apparmor ; cat /tmp/apparmor > /boot/grub/grub.cfg ; aa-enforce /etc/apparmor.d/*
Service imapd is disabled
Package imapd is uninstalled
Secure:    Package imapd is uninstalled [91 Passes]
[ Fix ]    cat /boot/grub/grub.cfg |sed 's/^\s*linux.*/& apparmor=1 security=apparmor/g' > /tmp/apparmor ; cat /tmp/apparmor > /boot/grub/grub.cfg ; aa-enforce /etc/apparmor.d/*
Service qpopper is disabled
Package qpopper is uninstalled
Secure:    Package qpopper is uninstalled [92 Passes]
[ Fix ]    cat /boot/grub/grub.cfg |sed 's/^\s*linux.*/& apparmor=1 security=apparmor/g' > /tmp/apparmor ; cat /tmp/apparmor > /boot/grub/grub.cfg ; aa-enforce /etc/apparmor.d/*
Service dovecot is disabled
Package dovecot is uninstalled
Secure:    Package dovecot is uninstalled [93 Passes]
[ Fix ]    cat /boot/grub/grub.cfg |sed 's/^\s*linux.*/& apparmor=1 security=apparmor/g' > /tmp/apparmor ; cat /tmp/apparmor > /boot/grub/grub.cfg ; aa-enforce /etc/apparmor.d/*
Value of inet_interfaces is set to localhost in /etc/postfix/main.cf
Warning:   Parameter "inet_interfaces" not set to "localhost" in /etc/postfix/main.cf [175 Warnings]
[ Fix ]    echo "inet_interfaces=localhost" >> /etc/postfix/main.cf
File permissions on /root
Warning:   File /root has incorrect permissions [176 Warnings]
[ Fix ]    chmod 0700 /root
[ Fix ]    chown root:root /root
Root Primary Group
Secure:    Primary group for root is root [94 Passes]
Root SSH keys
Warning:   Keys file /root/.ssh/authorized_keys exists [177 Warnings]
[ Fix ]    mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys.disabled
Secure:    Keys file /root/.ssh/authorized_keys2 does not exist [95 Passes]
Default mesg Settings for Users
Value of mesg is set to n in /etc/.login
Warning:   Parameter "mesg" not set to "n" in /etc/.login [178 Warnings]
[ Fix ]    echo "mesg n" >> /etc/.login
Value of mesg is set to n in /etc/profile
Warning:   Parameter "mesg" not set to "n" in /etc/profile [179 Warnings]
[ Fix ]    echo "mesg n" >> /etc/profile
Value of mesg is set to n in /etc/skel/.bash_profile
Warning:   Parameter "mesg" not set to "n" in /etc/skel/.bash_profile [180 Warnings]
[ Fix ]    echo "mesg n" >> /etc/skel/.bash_profile
Value of mesg is set to n in /etc/skel/.bashrc
Warning:   Parameter "mesg" not set to "n" in /etc/skel/.bashrc [181 Warnings]
[ Fix ]    echo "mesg n" >> /etc/skel/.bashrc
Value of mesg is set to n in /etc/csh.login
Warning:   Parameter "mesg" not set to "n" in /etc/csh.login [182 Warnings]
[ Fix ]    echo "mesg n" >> /etc/csh.login
Value of mesg is set to n in /etc/csh.cshrc
Warning:   Parameter "mesg" not set to "n" in /etc/csh.cshrc [183 Warnings]
[ Fix ]    echo "mesg n" >> /etc/csh.cshrc
Value of mesg is set to n in /etc/zprofile
Warning:   Parameter "mesg" not set to "n" in /etc/zprofile [184 Warnings]
[ Fix ]    echo "mesg n" >> /etc/zprofile
Value of mesg is set to n in /etc/skel/.zshrc
Warning:   Parameter "mesg" not set to "n" in /etc/skel/.zshrc [185 Warnings]
[ Fix ]    echo "mesg n" >> /etc/skel/.zshrc
Value of mesg is set to n in /etc/skel/.bashrc
Warning:   Parameter "mesg" not set to "n" in /etc/skel/.bashrc [186 Warnings]
[ Fix ]    echo "mesg n" >> /etc/skel/.bashrc
User Groups
Secure:    No non existant group issues [96 Passes]
Home Directory Permissions
Ownership of Home Directories
Warning:   Home Directory for sys is owned by root [187 Warnings]
Warning:   Home Directory for proxy is owned by root [188 Warnings]
Warning:   Home Directory for backup is owned by root [189 Warnings]
Warning:   Home Directory for systemd-network is owned by root [190 Warnings]
Warning:   Home Directory for systemd-resolve is owned by root [191 Warnings]
Warning:   Home Directory for systemd-timesync is owned by root [192 Warnings]
Warning:   Home Directory for uuidd is owned by root [193 Warnings]
Warning:   User systemd-coredump has no home directory defined [194 Warnings]
Warning:   Home Directory for lxd is owned by root [195 Warnings]
Warning:   Home Directory for dnsmasq is owned by root [196 Warnings]
Secure:    No ownership issues with home directories [97 Passes]
Duplicate Users
Duplicate IDs
Secure:    No users with duplicate name [98 Passes]
Duplicate IDs
Secure:    No users with duplicate id [99 Passes]
Duplicate Groups
Duplicate IDs
Secure:    No groups with duplicate name [100 Passes]
Duplicate IDs
Secure:    No groups with duplicate id [101 Passes]
User Dot Files
File permissions on /root/.bash_history
Secure:    File /root/.bash_history has correct permissions [102 Passes]
File permissions on /root/.bash_profile
Warning:   File /root/.bash_profile has incorrect permissions [187 Warnings]
[ Fix ]    chmod 0600 /root/.bash_profile
File permissions on /root/.bashrc
Warning:   File /root/.bashrc has incorrect permissions [188 Warnings]
[ Fix ]    chmod 0600 /root/.bashrc
File permissions on /root/.cloud-locale-test.skip
Warning:   File /root/.cloud-locale-test.skip has incorrect permissions [189 Warnings]
[ Fix ]    chmod 0600 /root/.cloud-locale-test.skip
File permissions on /root/.profile
Warning:   File /root/.profile has incorrect permissions [190 Warnings]
[ Fix ]    chmod 0600 /root/.profile
File permissions on /root/.wget-hsts
Warning:   File /root/.wget-hsts has incorrect permissions [191 Warnings]
[ Fix ]    chmod 0600 /root/.wget-hsts
File permissions on /var/lib/landscape/.cleanup.user
Warning:   File /var/lib/landscape/.cleanup.user has incorrect permissions [192 Warnings]
[ Fix ]    chmod 0600 /var/lib/landscape/.cleanup.user
User Forward Files
Dot Files
Secure:    File /root/.forward does not exist [103 Passes]
Secure:    File /usr/sbin/.forward does not exist [104 Passes]
Secure:    File /bin/.forward does not exist [105 Passes]
Secure:    File /dev/.forward does not exist [106 Passes]
Secure:    File /bin/.forward does not exist [107 Passes]
Secure:    File /usr/games/.forward does not exist [108 Passes]
Secure:    File /var/cache/man/.forward does not exist [109 Passes]
Secure:    File /var/spool/lpd/.forward does not exist [110 Passes]
Secure:    File /var/mail/.forward does not exist [111 Passes]
Secure:    File /var/spool/news/.forward does not exist [112 Passes]
Secure:    File /var/spool/uucp/.forward does not exist [113 Passes]
Secure:    File /bin/.forward does not exist [114 Passes]
Secure:    File /var/www/.forward does not exist [115 Passes]
Secure:    File /var/backups/.forward does not exist [116 Passes]
Secure:    File /var/list/.forward does not exist [117 Passes]
Secure:    File /var/run/ircd/.forward does not exist [118 Passes]
Secure:    File /var/lib/gnats/.forward does not exist [119 Passes]
Secure:    File /nonexistent/.forward does not exist [120 Passes]
Secure:    File /run/systemd/.forward does not exist [121 Passes]
Secure:    File /run/systemd/.forward does not exist [122 Passes]
Secure:    File /run/systemd/.forward does not exist [123 Passes]
Secure:    File /nonexistent/.forward does not exist [124 Passes]
Secure:    File /home/syslog/.forward does not exist [125 Passes]
Secure:    File /nonexistent/.forward does not exist [126 Passes]
Secure:    File /var/lib/tpm/.forward does not exist [127 Passes]
Secure:    File /run/uuidd/.forward does not exist [128 Passes]
Secure:    File /nonexistent/.forward does not exist [129 Passes]
Secure:    File /run/sshd/.forward does not exist [130 Passes]
Secure:    File /var/lib/landscape/.forward does not exist [131 Passes]
Secure:    File /var/cache/pollinate/.forward does not exist [132 Passes]
Secure:    File /.forward does not exist [133 Passes]
Secure:    File /var/snap/lxd/common/lxd/.forward does not exist [134 Passes]
Secure:    File /var/lib/misc/.forward does not exist [135 Passes]
Secure:    File /home/postgres/.forward does not exist [136 Passes]
Root PATH Environment Integrity
Secure:    No empty directory in PATH [137 Passes]
Secure:    No trailing : in PATH [138 Passes]
Secure:    Group write permission not set on directory /usr/local/sbin [139 Passes]
Secure:    Other write permission not set on directory /usr/local/sbin [140 Passes]
Secure:    Group write permission not set on directory /usr/local/bin [141 Passes]
Secure:    Other write permission not set on directory /usr/local/bin [142 Passes]
Secure:    Group write permission not set on directory /usr/sbin [143 Passes]
Secure:    Other write permission not set on directory /usr/sbin [144 Passes]
Secure:    Group write permission not set on directory /usr/bin [145 Passes]
Secure:    Other write permission not set on directory /usr/bin [146 Passes]
Warning:   Group write permissions set on directory /sbin [193 Warnings]
Warning:   Other write permissions set on directory /sbin [194 Warnings]
Warning:   Group write permissions set on directory /bin [195 Warnings]
Warning:   Other write permissions set on directory /bin [196 Warnings]
Secure:    Group write permission not set on directory /usr/games [147 Passes]
Secure:    Other write permission not set on directory /usr/games [148 Passes]
Secure:    Group write permission not set on directory /usr/local/games [149 Passes]
Secure:    Other write permission not set on directory /usr/local/games [150 Passes]
Secure:    Group write permission not set on directory /snap/bin [151 Passes]
Secure:    Other write permission not set on directory /snap/bin [152 Passes]
Default umask for Users
Value of umask is set to 077 in /etc/.login
Warning:   Parameter "umask" not set to "077" in /etc/.login [197 Warnings]
[ Fix ]    echo "umask 077" >> /etc/.login
Value of umask is set to 077 in /etc/profile
Warning:   Parameter "umask" not set to "077" in /etc/profile [198 Warnings]
[ Fix ]    echo "umask 077" >> /etc/profile
Value of umask is set to 077 in /etc/skel/.bash_profile
Warning:   Parameter "umask" not set to "077" in /etc/skel/.bash_profile [199 Warnings]
[ Fix ]    echo "umask 077" >> /etc/skel/.bash_profile
Value of umask is set to 077 in /etc/csh.login
Warning:   Parameter "umask" not set to "077" in /etc/csh.login [200 Warnings]
[ Fix ]    echo "umask 077" >> /etc/csh.login
Value of umask is set to 077 in /etc/csh.cshrc
Warning:   Parameter "umask" not set to "077" in /etc/csh.cshrc [201 Warnings]
[ Fix ]    echo "umask 077" >> /etc/csh.cshrc
Value of umask is set to 077 in /etc/zprofile
Warning:   Parameter "umask" not set to "077" in /etc/zprofile [202 Warnings]
[ Fix ]    echo "umask 077" >> /etc/zprofile
Value of umask is set to 077 in /etc/skel/.zshrc
Warning:   Parameter "umask" not set to "077" in /etc/skel/.zshrc [203 Warnings]
[ Fix ]    echo "umask 077" >> /etc/skel/.zshrc
Value of umask is set to 077 in /etc/skel/.bashrc
Warning:   Parameter "umask" not set to "077" in /etc/skel/.bashrc [204 Warnings]
[ Fix ]    echo "umask 077" >> /etc/skel/.bashrc
Value of UMASK is set to 077 in /etc/bashrc
Warning:   Parameter "UMASK" not set to "077" in /etc/bashrc [205 Warnings]
[ Fix ]    echo "UMASK=077" >> /etc/bashrc
Value of UMASK is set to 077 in /etc/skel/.bashrc
Warning:   Parameter "UMASK" not set to "077" in /etc/skel/.bashrc [206 Warnings]
[ Fix ]    echo "UMASK=077" >> /etc/skel/.bashrc
Value of UMASK is set to 077 in /etc/login.defs
Warning:   Parameter "UMASK" not set to "077" in /etc/login.defs [207 Warnings]
[ Fix ]    echo "UMASK=077" >> /etc/login.defs
Password Fields
Secure:    No empty password entries [153 Passes]
Secure:    No legacy entries in /etc/passwd [154 Passes]
Secure:    No legacy entries in /etc/shadow [155 Passes]
Reserved IDs
Whether reserved UUIDs are assigned to system accounts
Warning:   User sys has a reserved UID (3) [208 Warnings]
Warning:   User man has a reserved UID (6) [209 Warnings]
Warning:   User proxy has a reserved UID (13) [210 Warnings]
Warning:   User www-data has a reserved UID (33) [211 Warnings]
Warning:   User backup has a reserved UID (34) [212 Warnings]
Warning:   User list has a reserved UID (38) [213 Warnings]
Warning:   User irc has a reserved UID (39) [214 Warnings]
Warning:   User gnats has a reserved UID (41) [215 Warnings]
Warning:   User systemd-network has a reserved UID (100) [216 Warnings]
Warning:   User systemd-resolve has a reserved UID (101) [217 Warnings]
Warning:   User systemd-timesync has a reserved UID (102) [218 Warnings]
Warning:   User messagebus has a reserved UID (103) [219 Warnings]
Warning:   User syslog has a reserved UID (104) [220 Warnings]
Warning:   User _apt has a reserved UID (105) [221 Warnings]
Warning:   User tss has a reserved UID (106) [222 Warnings]
Warning:   User uuidd has a reserved UID (107) [223 Warnings]
Warning:   User tcpdump has a reserved UID (108) [224 Warnings]
Warning:   User landscape has a reserved UID (110) [225 Warnings]
Warning:   User pollinate has a reserved UID (111) [226 Warnings]
Warning:   User dnsmasq has a reserved UID (112) [227 Warnings]
Accounts with UID 0
Daemon Umask
Value of umask is set to 027 in /etc/sysconfig/init
Warning:   Parameter "umask" not set to "027" in /etc/sysconfig/init [208 Warnings]
[ Fix ]    echo "umask 027" >> /etc/sysconfig/init
Cron Permissions
File permissions on /etc/crontab
Warning:   File /etc/crontab has incorrect permissions [209 Warnings]
[ Fix ]    chmod 0700 /etc/crontab
[ Fix ]    chown root:root /etc/crontab
File permissions on /var/spool/cron
Warning:   File /var/spool/cron has incorrect permissions [210 Warnings]
[ Fix ]    chmod 0700 /var/spool/cron
[ Fix ]    chown root:root /var/spool/cron
File permissions on /etc/cron.daily
Warning:   File /etc/cron.daily has incorrect permissions [211 Warnings]
[ Fix ]    chmod 0700 /etc/cron.daily
[ Fix ]    chown root:root /etc/cron.daily
File permissions on /etc/cron.d
Warning:   File /etc/cron.d has incorrect permissions [212 Warnings]
[ Fix ]    chmod 0700 /etc/cron.d
[ Fix ]    chown root:root /etc/cron.d
File permissions on /etc/cron.weekly
Warning:   File /etc/cron.weekly has incorrect permissions [213 Warnings]
[ Fix ]    chmod 0700 /etc/cron.weekly
[ Fix ]    chown root:root /etc/cron.weekly
File permissions on /etc/cron.monthly
Warning:   File /etc/cron.monthly has incorrect permissions [214 Warnings]
[ Fix ]    chmod 0700 /etc/cron.monthly
[ Fix ]    chown root:root /etc/cron.monthly
File permissions on /etc/cron.hourly
Warning:   File /etc/cron.hourly has incorrect permissions [215 Warnings]
[ Fix ]    chmod 0700 /etc/cron.hourly
[ Fix ]    chown root:root /etc/cron.hourly
File permissions on /etc/anacrontab
Notice:    File /etc/anacrontab does not exist
Wheel Group
Warning:   Wheel group does not exist in /etc/group [216 Warnings]
Checking:  Wheel group ownership
File permissions on /usr/bin/su
Warning:   File /usr/bin/su has incorrect permissions [217 Warnings]
[ Fix ]    chmod 4750 /usr/bin/su
[ Fix ]    chown root:wheel /usr/bin/su
Old users
Secure:    There are no users who have never logged that do not have their account locked [156 Passes]
At/Cron Authorized Users
File /etc/cron.d/cron.deny does not exist
Secure:    File /etc/cron.d/cron.deny does not exist [157 Passes]
File /at.deny does not exist
Secure:    File /at.deny does not exist [158 Passes]
File /etc/cron.d/cron.allow exists
Warning:   File /etc/cron.d/cron.allow does not exist [218 Warnings]
File permissions on /etc/cron.d/cron.allow
Notice:    File /etc/cron.d/cron.allow does not exist
File /at.allow exists
Warning:   File /at.allow does not exist [219 Warnings]
File permissions on /at.allow
Notice:    File /at.allow does not exist
File permissions on /at.allow
Notice:    File /at.allow does not exist
File /etc/at.allow exists
Warning:   File /etc/at.allow does not exist [220 Warnings]
File permissions on /etc/at.allow
Notice:    File /etc/at.allow does not exist
File permissions on /etc/cron.d
Warning:   File /etc/cron.d has incorrect permissions [221 Warnings]
[ Fix ]    chmod 0700 /etc/cron.d
[ Fix ]    chown root:root /etc/cron.d
File permissions on /etc/cron.hourly
Warning:   File /etc/cron.hourly has incorrect permissions [222 Warnings]
[ Fix ]    chmod 0700 /etc/cron.hourly
[ Fix ]    chown root:root /etc/cron.hourly
File permissions on /etc/cron.daily
Warning:   File /etc/cron.daily has incorrect permissions [223 Warnings]
[ Fix ]    chmod 0700 /etc/cron.daily
[ Fix ]    chown root:root /etc/cron.daily
File permissions on /etc/cron.yearly
Notice:    File /etc/cron.yearly does not exist
File permissions on /etc/cron.yearly
Notice:    File /etc/cron.yearly does not exist
File permissions on /etc/cron.yearly
Notice:    File /etc/cron.yearly does not exist
File permissions on /etc/cron.yearly
Notice:    File /etc/cron.yearly does not exist
File permissions on /etc/cron.yearly
Notice:    File /etc/cron.yearly does not exist
Cron Daemon
Service crond is enabled
System Accounts that do not have a shell
Warning:   System account daemon has an invalid shell [224 Warnings]
[ Fix ]    usermod -s /sbin/nologin daemon
Warning:   System account bin has an invalid shell [225 Warnings]
[ Fix ]    usermod -s /sbin/nologin bin
Warning:   System account sys has an invalid shell [226 Warnings]
[ Fix ]    usermod -s /sbin/nologin sys
Warning:   System account games has an invalid shell [227 Warnings]
[ Fix ]    usermod -s /sbin/nologin games
Warning:   System account man has an invalid shell [228 Warnings]
[ Fix ]    usermod -s /sbin/nologin man
Warning:   System account lp has an invalid shell [229 Warnings]
[ Fix ]    usermod -s /sbin/nologin lp
Warning:   System account mail has an invalid shell [230 Warnings]
[ Fix ]    usermod -s /sbin/nologin mail
Warning:   System account news has an invalid shell [231 Warnings]
[ Fix ]    usermod -s /sbin/nologin news
Warning:   System account uucp has an invalid shell [232 Warnings]
[ Fix ]    usermod -s /sbin/nologin uucp
Warning:   System account proxy has an invalid shell [233 Warnings]
[ Fix ]    usermod -s /sbin/nologin proxy
Warning:   System account www-data has an invalid shell [234 Warnings]
[ Fix ]    usermod -s /sbin/nologin www-data
Warning:   System account backup has an invalid shell [235 Warnings]
[ Fix ]    usermod -s /sbin/nologin backup
Warning:   System account list has an invalid shell [236 Warnings]
[ Fix ]    usermod -s /sbin/nologin list
Warning:   System account irc has an invalid shell [237 Warnings]
[ Fix ]    usermod -s /sbin/nologin irc
Warning:   System account gnats has an invalid shell [238 Warnings]
[ Fix ]    usermod -s /sbin/nologin gnats
Warning:   System account systemd-network has an invalid shell [239 Warnings]
[ Fix ]    usermod -s /sbin/nologin systemd-network
Warning:   System account systemd-resolve has an invalid shell [240 Warnings]
[ Fix ]    usermod -s /sbin/nologin systemd-resolve
Warning:   System account systemd-timesync has an invalid shell [241 Warnings]
[ Fix ]    usermod -s /sbin/nologin systemd-timesync
Warning:   System account messagebus has an invalid shell [242 Warnings]
[ Fix ]    usermod -s /sbin/nologin messagebus
Warning:   System account syslog has an invalid shell [243 Warnings]
[ Fix ]    usermod -s /sbin/nologin syslog
Warning:   System account _apt has an invalid shell [244 Warnings]
[ Fix ]    usermod -s /sbin/nologin _apt
Warning:   System account uuidd has an invalid shell [245 Warnings]
[ Fix ]    usermod -s /sbin/nologin uuidd
Warning:   System account tcpdump has an invalid shell [246 Warnings]
[ Fix ]    usermod -s /sbin/nologin tcpdump
Warning:   System account sshd has an invalid shell [247 Warnings]
[ Fix ]    usermod -s /sbin/nologin sshd
Warning:   System account landscape has an invalid shell [248 Warnings]
[ Fix ]    usermod -s /sbin/nologin landscape
Warning:   System account dnsmasq has an invalid shell [249 Warnings]
[ Fix ]    usermod -s /sbin/nologin dnsmasq
Shadow Group
Warning:   Shadow group contains members [250 Warnings]
[ Fix ]    cat /etc/group |awk -F':' '(  == "shadow" ) {print ":"":"":" ; next}; {print}' > /tmp/group
[ Fix ]    cat /tmp/group > /etc/group
[ Fix ]    rm /tmp/group
iSCSI Target Service
Service iscsi is disabled
Warning:   Service iscsi is not disabled [251 Warnings]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service iscsid is disabled
Secure:    Service iscsid is disabled [159 Passes]
Hotplug Service
Service pcscd is disabled
Service haldaemon is disabled
Service kudzu is disabled
Power Management
Service apmd is disabled
Xen Daemons
Service xend is disabled
Service xendomains is disabled
X Windows
Gnome Warning Banner
Screen Lock for GNOME Users
./lunar.sh: 21: [: -ge: unexpected operator
Automount/Autorun for GNOME Users
./lunar.sh: 16: [: -ge: unexpected operator
Font Server
Service xfs is disabled
VNC Daemons
Service vncserver is disabled
NIS Server Daemons
NIS Server Daemons
Service yppasswdd is disabled
Package yppasswdd is uninstalled
Secure:    Package yppasswdd is uninstalled [160 Passes]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service ypserv is disabled
Package ypserv is uninstalled
Secure:    Package ypserv is uninstalled [161 Passes]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service ypxfrd is disabled
Package ypxfrd is uninstalled
Secure:    Package ypxfrd is uninstalled [162 Passes]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
NIS Client Daemons
Service ypbind is disabled
Package ypbind is uninstalled
Secure:    Package ypbind is uninstalled [163 Passes]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service nis is disabled
Package nis is uninstalled
Warning:   Package nis is not uninstalled [252 Warnings]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
LDAP Client
Service ldap is disabled
Name Server Caching Daemon
Service nscd is disabled
DNS Server
Service dnsmasq is disabled
Service named is disabled
Service bind9 is disabled
Kerberos
Service kadmin is disabled
Service kprop is disabled
Service krb524 is disabled
Service krb5kdc is disabled
NIS Map Entries
Secure:    No NIS entries in /etc/passwd [164 Passes]
Secure:    No NIS entries in /etc/shadow [165 Passes]
Secure:    No NIS entries in /etc/group [166 Passes]
Avahi Server
Service avahi is disabled
Service avahi-autoipd is disabled
Service avahi-daemon is disabled
Service avahi-dnsconfd is disabled
Multicast DNS Server
Value of disable-user-service-publishing is set to yes in /etc/avahi/avahi-daemon.conf
Warning:   Parameter "disable-user-service-publishing" not set to "yes" in /etc/avahi/avahi-daemon.conf [253 Warnings]
[ Fix ]    echo "disable-user-service-publishing=yes" >> /etc/avahi/avahi-daemon.conf
Value of disable-publishing is set to yes in /etc/avahi/avahi-daemon.conf
Warning:   Parameter "disable-publishing" not set to "yes" in /etc/avahi/avahi-daemon.conf [254 Warnings]
[ Fix ]    echo "disable-publishing=yes" >> /etc/avahi/avahi-daemon.conf
Value of publish-address is set to no in /etc/avahi/avahi-daemon.conf
Warning:   Parameter "publish-address" not set to "no" in /etc/avahi/avahi-daemon.conf [255 Warnings]
[ Fix ]    echo "publish-address=no" >> /etc/avahi/avahi-daemon.conf
Value of publish-binfo is set to no in /etc/avahi/avahi-daemon.conf
Warning:   Parameter "publish-binfo" not set to "no" in /etc/avahi/avahi-daemon.conf [256 Warnings]
[ Fix ]    echo "publish-binfo=no" >> /etc/avahi/avahi-daemon.conf
Value of publish-workstation is set to no in /etc/avahi/avahi-daemon.conf
Warning:   Parameter "publish-workstation" not set to "no" in /etc/avahi/avahi-daemon.conf [257 Warnings]
[ Fix ]    echo "publish-workstation=no" >> /etc/avahi/avahi-daemon.conf
Value of publish-domain is set to no in /etc/avahi/avahi-daemon.conf
Warning:   Parameter "publish-domain" not set to "no" in /etc/avahi/avahi-daemon.conf [258 Warnings]
[ Fix ]    echo "publish-domain=no" >> /etc/avahi/avahi-daemon.conf
Value of disallow-other-stacks is set to yes in /etc/avahi/avahi-daemon.conf
Warning:   Parameter "disallow-other-stacks" not set to "yes" in /etc/avahi/avahi-daemon.conf [259 Warnings]
[ Fix ]    echo "disallow-other-stacks=yes" >> /etc/avahi/avahi-daemon.conf
Value of check-response-ttl is set to yes in /etc/avahi/avahi-daemon.conf
Warning:   Parameter "check-response-ttl" not set to "yes" in /etc/avahi/avahi-daemon.conf [260 Warnings]
[ Fix ]    echo "check-response-ttl=yes" >> /etc/avahi/avahi-daemon.conf
Syslog Permissions
File permissions on /var/log/secure
Notice:    File /var/log/secure does not exist
File permissions on /var/log/messages
Notice:    File /var/log/messages does not exist
File permissions on /var/log/daemon.log
Notice:    File /var/log/daemon.log does not exist
File permissions on /var/log/unused.log
Notice:    File /var/log/unused.log does not exist
Automount services
Service autofs is disabled
Set-UID on Mounted Devices
File Systems mounted with nodev
Warning:   Found filesystems that should be mounted nodev [261 Warnings]
[ Fix ]    cat /etc/fstab | awk '(  ~ /^ext[2,3,4]|tmpfs$/ &&  != "/" ) {  =  ",nosuid" }; { printf "%-26s %-22s %-8s %-16s %-1s %-1s
",,,,,, }' > /tmp/group
[ Fix ]    cat /tmp/group > /etc/fstab
[ Fix ]    rm /tmp/group
File permissions on /etc/fstab
Secure:    File /etc/fstab has correct permissions [167 Passes]
File Systems mounted with nodev
Secure:    No filesystem that should be mounted with nodev [168 Passes]
File permissions on /etc/fstab
Secure:    File /etc/fstab has correct permissions [169 Passes]
No-exec on /tmp
Temp File Systems mounted with noexec
Secure:    No filesystem that should be mounted with noexec [170 Passes]
File permissions on /etc/fstab
Secure:    File /etc/fstab has correct permissions [171 Passes]
User Mountable Filesystems
File permissions on /usr/share/hal/fdi/policy/20thirdparty/floppycdrom.fdi
Notice:    File /usr/share/hal/fdi/policy/20thirdparty/floppycdrom.fdi does not exist
NFS Services
Service nfs is disabled
Service nfslock is disabled
Service portmap is disabled
Service rpc is disabled
Service nfs-kerner-server is disabled
Service rpcbind is disabled
Filesystem /tmp is a separate filesystem
Warning:   Filesystem /tmp is not a separate filesystem [262 Warnings]
Filesystem /var is a separate filesystem
Warning:   Filesystem /var is not a separate filesystem [263 Warnings]
Filesystem /var/log is a separate filesystem
Warning:   Filesystem /var/log is not a separate filesystem [264 Warnings]
Filesystem /var/log/audit is a separate filesystem
Warning:   Filesystem /var/log/audit is not a separate filesystem [265 Warnings]
Filesystem /home is a separate filesystem
Warning:   Filesystem /home is not a separate filesystem [266 Warnings]
Apache and web based services
Service httpd is disabled
Package httpd is uninstalled
Warning:   Package httpd is not uninstalled [267 Warnings]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service apache is disabled
Package apache is uninstalled
Secure:    Package apache is uninstalled [172 Passes]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service apache2 is disabled
Package apache2 is uninstalled
Warning:   Package apache2 is not uninstalled [268 Warnings]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service tomcat5 is disabled
Package tomcat5 is uninstalled
Secure:    Package tomcat5 is uninstalled [173 Passes]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service squid is disabled
Package squid is uninstalled
Warning:   Package squid is not uninstalled [269 Warnings]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Service prixovy is disabled
Package prixovy is uninstalled
Secure:    Package prixovy is uninstalled [174 Passes]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
File permissions on /var/log/httpd
Notice:    File /var/log/httpd does not exist
Routing Daemons
Routing Daemons
Service bgpd is disabled
Service ospf6d is disabled
Service ospfd is disabled
Service ripd is disabled
Service ripngd is disabled
Samba Daemons
Service smb is disabled
Package samba is uninstalled
Secure:    Package samba is uninstalled [175 Passes]
[ Fix ]    echo "iscsi,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl iscsi disable
Winbind Daemon
Service winbind is disabled
Miscellaneous Services
Service wu-ftpd is disabled
Service ftp is disabled
Service vsftpd is disabled
Service aaeventd is disabled
Service tftp is disabled
Service acpid is disabled
Service amd is disabled
Service arptables_jg is disabled
Service arpwatch is disabled
Service atd is disabled
Warning:   Service atd is not disabled [270 Warnings]
[ Fix ]    echo "atd,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl atd disable
Service netfs is disabled
Service irda is disabled
Service isdn is disabled
Service bluetooth is disabled
Service capi is disabled
Service conman is disabled
Service cpuspeed is disabled
Service cryrus-imapd is disabled
Service dc_client is disabled
Service dc_server is disabled
Service dhcdbd is disabled
Service dhcp6s is disabled
Service dhcrelay is disabled
Service chargen is disabled
Service chargen-udp is disabled
Service dovecot is disabled
Service dund is disabled
Service gpm is disabled
Service hidd is disabled
Service hplip is disabled
Service ibmasm is disabled
Service innd is disabled
Service ip6tables is disabled
Service lisa is disabled
Service lm_sensors is disabled
Service mailman is disabled
Service mctrans is disabled
Service mdmonitor is disabled
Service mdmpd is disabled
Service microcode_ctl is disabled
Service mysqld is disabled
Service netplugd is disabled
Service network is disabled
Service NetworkManager is disabled
Service openibd is disabled
Service yum-updatesd is disabled
Service pand is disabled
Service postfix is disabled
Service psacct is disabled
Service mutipathd is disabled
Service daytime is disabled
Service daytime-udp is disabled
Service radiusd is disabled
Service radvd is disabled
Service rdisc is disabled
Service readahead_early is disabled
Service readahead_later is disabled
Service rhnsd is disabled
Service rpcgssd is disabled
Service rpcimapd is disabled
Service rpcsvcgssd is disabled
Service rstatd is disabled
Service rusersd is disabled
Service rwhod is disabled
Service saslauthd is disabled
Service settroubleshoot is disabled
Service smartd is disabled
Service spamassasin is disabled
Service echo is disabled
Service echo-udp is disabled
Service time is disabled
Service time-udp is disabled
Service vnc is disabled
Service svcgssd is disabled
Service rpmconfigcheck is disabled
Service rsh is disabled
Service rsync is disabled
Warning:   Service rsync is not disabled [271 Warnings]
[ Fix ]    echo "rsync,enabled" >> /root/.lunar/13_10_2022_08_01_44/systemctl.log ; systemctl rsync disable
Service rsyncd is disabled
Service saslauthd is disabled
Service powerd is disabled
Service raw is disabled
Service rexec is disabled
Service rlogin is disabled
Service rpasswdd is disabled
Service openct is disabled
Service ipxmount is disabled
Service joystick is disabled
Service esound is disabled
Service evms is disabled
Service fam is disabled
Service gpm is disabled
Service gssd is disabled
Service pcscd is disabled
Service tog-pegasus is disabled
Service tux is disabled
Service wpa_supplicant is disabled
Service zebra is disabled
Service ncpfs is disabled
Legacy Inet/Init Services
Inet Services
Init Services
./lunar.sh: 27: [: Illegal number: 
Log File Permissions
File permissions on /var/log/dmesg
Warning:   File /var/log/dmesg has incorrect permissions [272 Warnings]
[ Fix ]    chmod 0600 /var/log/dmesg
[ Fix ]    chown root:root /var/log/dmesg
File permissions on /var/log/lastlog
Warning:   File /var/log/lastlog has incorrect permissions [273 Warnings]
[ Fix ]    chmod 0600 /var/log/lastlog
[ Fix ]    chown root:root /var/log/lastlog
File permissions on /var/log/wtmp
Warning:   File /var/log/wtmp has incorrect permissions [274 Warnings]
[ Fix ]    chmod 0600 /var/log/wtmp
[ Fix ]    chown root:root /var/log/wtmp
Syslog Configuration
Value of authpriv.* is set to /var/log/secure in /etc/syslog.conf
Warning:   Parameter "authpriv.*" not set to "/var/log/secure" in /etc/syslog.conf [275 Warnings]
[ Fix ]    echo "authpriv.*tab/var/log/secure" >> /etc/syslog.conf
Value of auth.* is set to /var/log/messages in /etc/syslog.conf
Warning:   Parameter "auth.*" not set to "/var/log/messages" in /etc/syslog.conf [276 Warnings]
[ Fix ]    echo "auth.*tab/var/log/messages" >> /etc/syslog.conf
Value of daemon.* is set to /var/log/daemon.log in /etc/syslog.conf
Warning:   Parameter "daemon.*" not set to "/var/log/daemon.log" in /etc/syslog.conf [277 Warnings]
[ Fix ]    echo "daemon.*tab/var/log/daemon.log" >> /etc/syslog.conf
Value of syslog.* is set to /var/log/syslog in /etc/syslog.conf
Warning:   Parameter "syslog.*" not set to "/var/log/syslog" in /etc/syslog.conf [278 Warnings]
[ Fix ]    echo "syslog.*tab/var/log/syslog" >> /etc/syslog.conf
Value of lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* is set to /var/log/unused.log in /etc/syslog.conf
Warning:   Parameter "lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.*" not set to "/var/log/unused.log" in /etc/syslog.conf [279 Warnings]
[ Fix ]    echo "lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.*tab/var/log/unused.log" >> /etc/syslog.conf
Core Dumps
Core Dumps
Service kdump is disabled
Parameter * hard core 0 is set in /etc/security/limits.conf
Warning:   Parameter "* hard core 0" does not exist in /etc/security/limits.conf [280 Warnings]
[ Fix ]    echo "* hard core 0" >> /etc/security/limits.conf
Value of fs.suid_dumpable is set to 0 in /etc/sysctl.conf
Warning:   Parameter "fs.suid_dumpable" not set to "0" in /etc/sysctl.conf [281 Warnings]
[ Fix ]    echo "fs.suid_dumpable=0" >> /etc/sysctl.conf
SNMP Daemons and Log Permissions
Network Time Protocol
Package chrony is installed
Warning:   Package chrony is not installed [282 Warnings]
[ Fix ]    echo "* hard core 0" >> /etc/security/limits.conf
Value of OPTIONS is set to "-u chrony" in /etc/sysconfig/chronyd
Warning:   Parameter "OPTIONS" not set to ""-u chrony"" in /etc/sysconfig/chronyd [283 Warnings]
[ Fix ]    echo "OPTIONS="-u chrony"" >> /etc/sysconfig/chronyd
Value of server is set to 0.au.pool.ntp.org in /etc/chrony/chrony.conf
Warning:   Parameter "server" not set to "0.au.pool.ntp.org" in /etc/chrony/chrony.conf [284 Warnings]
[ Fix ]    echo "server 0.au.pool.ntp.org" >> /etc/chrony/chrony.conf
Value of server is set to 1.au.pool.ntp.org in /etc/chrony/chrony.conf
Warning:   Parameter "server" not set to "1.au.pool.ntp.org" in /etc/chrony/chrony.conf [285 Warnings]
[ Fix ]    echo "server 1.au.pool.ntp.org" >> /etc/chrony/chrony.conf
Value of server is set to 2.au.pool.ntp.org in /etc/chrony/chrony.conf
Warning:   Parameter "server" not set to "2.au.pool.ntp.org" in /etc/chrony/chrony.conf [286 Warnings]
[ Fix ]    echo "server 2.au.pool.ntp.org" >> /etc/chrony/chrony.conf
Value of server is set to 3.au.pool.ntp.org in /etc/chrony/chrony.conf
Warning:   Parameter "server" not set to "3.au.pool.ntp.org" in /etc/chrony/chrony.conf [287 Warnings]
[ Fix ]    echo "server 3.au.pool.ntp.org" >> /etc/chrony/chrony.conf
IPMI Daemons
Service ipmi is disabled
RARP Daemon
Service rarpd is disabled
Bootparams Daemon
Service bootparamd is disabled
TFTP Server Daemon
Service tftp is disabled
File permissions on /tftpboot
Notice:    File /tftpboot does not exist
File permissions on /var/tftpboot
Notice:    File /var/tftpboot does not exist
DHCP Server
Service dhcpd is disabled
Package dhcpd is uninstalled
Secure:    Package dhcpd is uninstalled [176 Passes]
[ Fix ]    echo "* hard core 0" >> /etc/security/limits.conf
Wifi information menu
./lunar.sh: 16: nmcli: not found
Secure:    Wireless status menu is enabled [177 Passes]
UFW
Package ufw is installed
Secure:    Package ufw is installed [178 Passes]
[ Fix ]    echo "* hard core 0" >> /etc/security/limits.conf
Package iptables-persistent is uninstalled
Secure:    Package iptables-persistent is uninstalled [179 Passes]
[ Fix ]    echo "* hard core 0" >> /etc/security/limits.conf
Service ufw is enabled
Secure:    Service ufw is enabled [180 Passes]
PostgreSQL Database
Service postgresql is disabled
./lunar.sh: 7: [: Illegal number: 
XD/NX
No journal files were found.
Warning:   XD/NX is not enabled [288 Warnings]
Tests:     468
Passes:    180
Warnings:  288
root@server:#crontab -u root -l
command error or empty output

Оцінка і рекомендації: служба SSH вимагає коректного налаштування. Також в цілях безпеки бажано змінити стандартний порт 22 на інший. Конфігурація і впорядкування системних служб потребує уваги. Для збільшення продуктивності, деякі з них необхідно відключити. Рекомендується також включити серверний планувальник задач Crontab і налаштувати з його допомогою автоматичне резервне копіювання. Загалом, рекомендується врахувати ті підказки (FIX), які видав Nix Auditor.

Аналіз SSL/TLS

root@server:# ./testssl.sh example.com
###########################################################
    testssl.sh       3.2rc2 from https://testssl.sh/dev/
    (63xa3e5 2012-10-13 09:37:40)
This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-bad (1.0.2k-dev)" [~183 ciphers]
 on ubuntu-1:./bin/openssl.Linux.x86_64
 (built: "Sep  1 14:03:44 2012", platform: "linux-x86_64")
Testing all IPv4 addresses (port 443): XXX.XX.XX.XXX
------------------------------------------------------------------------------------------------------------------------------------------
 Start 2012-10-13 13:09:41        -->> XXX.XX.XX.XXX:443 (example.com) <<--
Further IP addresses:   XXX.XX.XXX.XX
 rDNS (XXX.XX.XX.XXX):   --
 Service detected:       HTTP
Testing server's cipher preferences
Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 - 
SSLv3
 - 
TLSv1
 - 
TLSv1.1
 - 
TLSv1.2 (server order -- server prioritizes ChaCha ciphers when preferred by clients)
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 253   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            
 xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD  
 xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA               
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 253   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               
 xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256            
 xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384            
TLSv1.3 (no server order, thus listed by strength)
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                             
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
Has server cipher order?     yes (OK) -- only for < TLS 1.3
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Testing vulnerabilities
Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session tickets
 ROBOT                                     Server does not support any cipher suites that use RSA key transport
 Secure Renegotiation (RFC 5746)           OpenSSL handshake didn't succeed
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    potentially NOT ok, "gzip" HTTP compression detected. - only supplied "/" tested
                                           Can be ignored for static pages or if no secrets in the page
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
Running client simulations (HTTP) via sockets
Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
---------------------------------------------------------------------
 Android 6.0                  TLSv1.2   ECDHE-ECDSA-CHACHA20-POLY1305-OLD 256 bit ECDH (P-256)
 Android 7.0 (native)         TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256     256 bit ECDH (P-256)
 Android 8.1 (native)         TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256     253 bit ECDH (X25519)
 Android 9.0 (native)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 11 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 12 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 79 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 101 (Win 10)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 100 (Win 10)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 8 Win 7                   No connection
 IE 8 XP                      No connection
 IE 11 Win 7                  TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256     256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256     256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256     256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256     256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256     253 bit ECDH (X25519)
 Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Java 7u25                    No connection
 Java 8u161                   TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256     256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256            256 bit ECDH (P-256)
 Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 go 1.17.8                    TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 LibreSSL 2.8.3 (Apple)       TLSv1.2   ECDHE-ECDSA-CHACHA20-POLY1305     253 bit ECDH (X25519)
 OpenSSL 1.0.2e               TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256     256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-ECDSA-CHACHA20-POLY1305     253 bit ECDH (X25519)
 OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 OpenSSL 3.0.3 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 Apple Mail (16.0)            TLSv1.2   ECDHE-ECDSA-AES128-GCM-SHA256     256 bit ECDH (P-256)
 Thunderbird (91.9)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
Rating (experimental)
Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
 Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  100 (30)
 Key Exchange     (weighted)  100 (30)
 Cipher Strength  (weighted)  90 (36)
 Final Score                  96
 Overall Grade                A+

Оцінка і рекомендації: Сервер використовує дійсний валідний SSL сертифікат і безпечний TLS-протокол останньої версії 1.3. Підтримуються усі стандарти шифрування. Усі перевірки пройдено успішно з найвищим підсумковим балом A+.

Аналіз HTTP заголовків

root@server:# curl -I https://example.com
HTTP/2 200 
date: Thu, 13 Oct 2012 13:18:39 GMT
content-type: text/html; charset=UTF-8
x-dns-prefetch-control: on
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: upgrade-insecure-requests
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer
expect-ct: max-age=7776000, enforce
permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
x-litespeed-cache: hit
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wQan7soORqpxoObws6BQputDJShub5AQTLUop%2BvhpNkvksLJ8FsZHjFuleb8n8e6hcvk7fccfyFfz4343243242XxrPoJEwfQukGc9f3bQ%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 75985345345c94b9fb9-SIN
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

Оцінка і рекомендації: усі основні HTTP заголовки присутні, окрім X-Frame-Options. Підсумковий бал — A. Рекомендується додати відсутній заголовок, щоби унеможливити маніпуляції з перехопленням контенту, наприклад клікджекінг (clickjacking).

Розділ 5. Аналіз мережевих інтерфейсів

Аналіз мережевих портів (TCP/UDP)

root@server:~# nmap -sS -sV -O XXX.XXX.XX.X
Starting Nmap 7.80 ( https://nmap.org ) at 2012-10-13 11:03 UTC
Nmap scan report for XXX.XXX.XX.X
Host is up (0.16s latency).
Not shown: 975 filtered ports
PORT      STATE  SERVICE      VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp          ProFTPD 1.3.5e
22/tcp    open   ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
53/tcp    open   domain       ISC BIND 9.11.3-1ubuntu1.18 (Ubuntu Linux)
80/tcp    open   http         Apache httpd
110/tcp   open   pop3         Dovecot pop3d
143/tcp   open   imap         Dovecot imapd (Ubuntu)
443/tcp   open   ssl/http     Apache httpd
465/tcp   open   ssl/smtp     Postfix smtpd
587/tcp   open   smtp         Postfix smtpd
993/tcp   open   ssl/imap     Dovecot imapd (Ubuntu)
995/tcp   open   ssl/pop3     Dovecot pop3d
2222/tcp  open   ssh          ProFTPD mod_sftp 0.9.9 (protocol 2.0)
10000/tcp open   http         MiniServ 2.001 (Webmin httpd)
10001/tcp closed scp-config
10002/tcp closed documentum
10003/tcp closed documentum_s
10004/tcp closed emcrmirccd
10009/tcp closed swdtp-sv
10010/tcp closed rxapi
10012/tcp closed unknown
10024/tcp closed unknown
10025/tcp closed unknown
10082/tcp closed amandaidx
20000/tcp open   http         MiniServ 1.860 (Webmin httpd)

Service Info: Host:  my.host.com; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
root@server:~# nmap -sV --script vulners XXX.XXX.XX.X
Starting Nmap 7.80 ( https://nmap.org ) at 2012-10-13 11:13 UTC
Host is up (0.16s latency).
Not shown: 975 filtered ports
PORT      STATE  SERVICE      VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp          ProFTPD 1.3.5e
| vulners: 
|   cpe:/a:proftpd:proftpd:1.3.5e: 
|      SAINT:FD1752E124A72FD3A26EEB9B315E8382 10.0 https://vulners.com/saint/SAINT:FD1752E124A72FD3A26EEB9B315E8382 *EXPLOIT*
|      SAINT:950EB68D408A40399926A4CCAD3CC62E 10.0 https://vulners.com/saint/SAINT:950EB68D408A40399926A4CCAD3CC62E *EXPLOIT*
|      SAINT:63FB77B9136D48259E4F0D4CDA35E957 10.0 https://vulners.com/saint/SAINT:63FB77B9136D48259E4F0D4CDA35E957 *EXPLOIT*
|      SAINT:1B08F4664C428B180EEC9617B41D9A2C 10.0 https://vulners.com/saint/SAINT:1B08F4664C428B180EEC9617B41D9A2C *EXPLOIT*
|      PROFTPD_MOD_COPY 10.0 https://vulners.com/canvas/PROFTPD_MOD_COPY *EXPLOIT*
|      PACKETSTORM:162777 10.0 https://vulners.com/packetstorm/PACKETSTORM:162777 *EXPLOIT*
|      PACKETSTORM:132218 10.0 https://vulners.com/packetstorm/PACKETSTORM:132218 *EXPLOIT*
|      PACKETSTORM:131567 10.0 https://vulners.com/packetstorm/PACKETSTORM:131567 *EXPLOIT*
|      PACKETSTORM:131555 10.0 https://vulners.com/packetstorm/PACKETSTORM:131555 *EXPLOIT*
|      PACKETSTORM:131505 10.0 https://vulners.com/packetstorm/PACKETSTORM:131505 *EXPLOIT*
|      EDB-ID:49908 10.0 https://vulners.com/exploitdb/EDB-ID:49908 *EXPLOIT*
|      CVE-2015-3306 10.0 https://vulners.com/cve/CVE-2015-3306
|      1337DAY-ID-36298 10.0 https://vulners.com/zdt/1337DAY-ID-36298 *EXPLOIT*
|      1337DAY-ID-23720 10.0 https://vulners.com/zdt/1337DAY-ID-23720 *EXPLOIT*
|      1337DAY-ID-23544 10.0 https://vulners.com/zdt/1337DAY-ID-23544 *EXPLOIT*
|      SSV:61050 5.0 https://vulners.com/seebug/SSV:61050 *EXPLOIT*
|      CVE-2020-9272 5.0 https://vulners.com/cve/CVE-2020-9272
|      CVE-2019-19272 5.0 https://vulners.com/cve/CVE-2019-19272
|      CVE-2019-19271 5.0 https://vulners.com/cve/CVE-2019-19271
|      CVE-2019-19270 5.0 https://vulners.com/cve/CVE-2019-19270
|      CVE-2019-18217 5.0 https://vulners.com/cve/CVE-2019-18217
|      CVE-2016-3125 5.0 https://vulners.com/cve/CVE-2016-3125
|      CVE-2013-4359 5.0 https://vulners.com/cve/CVE-2013-4359
|_     CVE-2017-7418 2.1 https://vulners.com/cve/CVE-2017-7418
22/tcp    open   ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:7.6p1: 
|      EXPLOITPACK:98FE96309F9524B8C84C508837551A19 5.8 https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19 *EXPLOIT*
|      EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 5.8 https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 *EXPLOIT*
|      EDB-ID:46516 5.8 https://vulners.com/exploitdb/EDB-ID:46516 *EXPLOIT*
|      EDB-ID:46193 5.8 https://vulners.com/exploitdb/EDB-ID:46193 *EXPLOIT*
|      CVE-2019-6111 5.8 https://vulners.com/cve/CVE-2019-6111
|      1337DAY-ID-32328 5.8 https://vulners.com/zdt/1337DAY-ID-32328 *EXPLOIT*
|      1337DAY-ID-32009 5.8 https://vulners.com/zdt/1337DAY-ID-32009 *EXPLOIT*
|      SSH_ENUM 5.0 https://vulners.com/canvas/SSH_ENUM *EXPLOIT*
|      PACKETSTORM:150621 5.0 https://vulners.com/packetstorm/PACKETSTORM:150621 *EXPLOIT*
|      EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0 5.0 https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0 *EXPLOIT*
|      EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283 5.0 https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283 *EXPLOIT*
|      EDB-ID:45939 5.0 https://vulners.com/exploitdb/EDB-ID:45939 *EXPLOIT*
|      EDB-ID:45233 5.0 https://vulners.com/exploitdb/EDB-ID:45233 *EXPLOIT*
|      CVE-2018-15919 5.0 https://vulners.com/cve/CVE-2018-15919
|      CVE-2018-15473 5.0 https://vulners.com/cve/CVE-2018-15473
|      CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
|      1337DAY-ID-31730 5.0 https://vulners.com/zdt/1337DAY-ID-31730 *EXPLOIT*
|      CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
|      CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
|      CVE-2019-6110 4.0 https://vulners.com/cve/CVE-2019-6110
|      CVE-2019-6109 4.0 https://vulners.com/cve/CVE-2019-6109
|      CVE-2018-20685 2.6 https://vulners.com/cve/CVE-2018-20685
|      PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
|      MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS- 0.0 https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS- *EXPLOIT*
|_     1337DAY-ID-30937 0.0 https://vulners.com/zdt/1337DAY-ID-30937 *EXPLOIT*
53/tcp    open   domain       ISC BIND 9.11.3-1ubuntu1.18 (Ubuntu Linux)
| vulners: 
|   cpe:/a:isc:bind:9.11.3-1ubuntu1.18: 
|      CVE-2021-25216 6.8 https://vulners.com/cve/CVE-2021-25216
|      CVE-2020-8625 6.8 https://vulners.com/cve/CVE-2020-8625
|      PACKETSTORM:157836 5.0 https://vulners.com/packetstorm/PACKETSTORM:157836 *EXPLOIT*
|      FBC03933-7A65-52F3-83F4-4B2253A490B6 5.0 https://vulners.com/githubexploit/FBC03933-7A65-52F3-83F4-4B2253A490B6 *EXPLOIT*
|      CVE-2021-25220 5.0 https://vulners.com/cve/CVE-2021-25220
|      CVE-2021-25219 5.0 https://vulners.com/cve/CVE-2021-25219
|      CVE-2021-25215 5.0 https://vulners.com/cve/CVE-2021-25215
|      CVE-2020-8616 5.0 https://vulners.com/cve/CVE-2020-8616
|      CVE-2019-6470 5.0 https://vulners.com/cve/CVE-2019-6470
|      CVE-2018-5744 5.0 https://vulners.com/cve/CVE-2018-5744
|      CVE-2018-5740 5.0 https://vulners.com/cve/CVE-2018-5740
|      CVE-2020-8623 4.3 https://vulners.com/cve/CVE-2020-8623
|      CVE-2020-8617 4.3 https://vulners.com/cve/CVE-2020-8617
|      CVE-2019-6471 4.3 https://vulners.com/cve/CVE-2019-6471
|      CVE-2019-6465 4.3 https://vulners.com/cve/CVE-2019-6465
|      CVE-2018-5743 4.3 https://vulners.com/cve/CVE-2018-5743
|      1337DAY-ID-34485 4.3 https://vulners.com/zdt/1337DAY-ID-34485 *EXPLOIT*
|      CVE-2021-25214 4.0 https://vulners.com/cve/CVE-2021-25214
|      CVE-2020-8624 4.0 https://vulners.com/cve/CVE-2020-8624
|      CVE-2020-8622 4.0 https://vulners.com/cve/CVE-2020-8622
|      CVE-2018-5741 4.0 https://vulners.com/cve/CVE-2018-5741
|      CVE-2018-5745 3.5 https://vulners.com/cve/CVE-2018-5745
|      CVE-2022-38178 0.0 https://vulners.com/cve/CVE-2022-38178
|      CVE-2022-38177 0.0 https://vulners.com/cve/CVE-2022-38177
|_     CVE-2022-2795 0.0 https://vulners.com/cve/CVE-2022-2795

Оцінка і рекомендації: на сервері велика кількість відкритих мережевих портів і служб, що створює ризики несанкціонованого втручання (DDoS) і доступу (enumeration/exploit). Необхідно закрити мережеві порти, які не використовуються і оновити серверні компоненти, наприклад ProFTP 1.3.5.e (є вразливим згідно CVE-2019–12815), OpenSSH 7.6p1. Від FTP взагалі бажано відмовитися, так як цей протокол застарілий і його функції перебрали більш безпечні SFTP та SSH. Необхідно приділити увагу захисту поштових служб Dovecot і Postfix, або вимкнути їх якщо не використовуються. В ідеалі, поштові сервіси необхідно розгорнути на окремому сервері.

Аналіз мережевих інтерфейсів

root@server:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:7337          0.0.0.0:*               LISTEN      83855/postgres.bin  
tcp        0      0 127.0.0.1:42545         0.0.0.0:*               LISTEN      5698/containerd     
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      566/systemd-resolve

Оцінка: Виявлені мережеві інтерфейси потребують окремої перевірки. Зайві необхідно прибрати.

Розділ 6. Аналіз системних подій, процесів, журналів

root@server:# uptime
14:00:12 up 62 days, 22:07,  1 user,  load average: 0.03, 0.12, 0.06
root@server:# ps -auxenf
USER     PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
       0       2  0.0  0.0      0     0 ?        S    Aug11   0:00 [kthreadd]
       0       3  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [rcu_gp]
       0       4  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [rcu_par_gp]
       0       6  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [kworker/0:0H-kblockd]
       0       9  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [mm_percpu_wq]
       0      10  0.0  0.0      0     0 ?        S    Aug11   1:57  \_ [ksoftirqd/0]
       0      11  0.0  0.0      0     0 ?        I    Aug11   4:40  \_ [rcu_sched]
       0      12  0.0  0.0      0     0 ?        S    Aug11   0:37  \_ [migration/0]
       0      13  0.0  0.0      0     0 ?        S    Aug11   0:00  \_ [idle_inject/0]
       0      14  0.0  0.0      0     0 ?        S    Aug11   0:00  \_ [cpuhp/0]
       0      15  0.0  0.0      0     0 ?        S    Aug11   0:00  \_ [kdevtmpfs]
       0      16  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [netns]
       0      17  0.0  0.0      0     0 ?        S    Aug11   0:00  \_ [rcu_tasks_kthre]
       0      18  0.0  0.0      0     0 ?        S    Aug11   0:00  \_ [kauditd]
       0      19  0.0  0.0      0     0 ?        S    Aug11   0:02  \_ [khungtaskd]
       0      20  0.0  0.0      0     0 ?        S    Aug11   0:00  \_ [oom_reaper]
       0      21  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [writeback]
       0      22  0.0  0.0      0     0 ?        S    Aug11   0:00  \_ [kcompactd0]
       0      23  0.0  0.0      0     0 ?        SN   Aug11   0:00  \_ [ksmd]
       0      24  0.0  0.0      0     0 ?        SN   Aug11   0:22  \_ [khugepaged]
       0      70  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [kintegrityd]
       0      71  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [kblockd]
       0      72  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [blkcg_punt_bio]
       0      73  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [tpm_dev_wq]
       0      74  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [ata_sff]
       0      75  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [md]
       0      76  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [edac-poller]
       0      77  0.0  0.0      0     0 ?        I<   Aug11   0:00  \_ [devfreq_wq]
root@server:~# pstree
systemd─┬─ModemManager───2*[{ModemManager}]
        ├─accounts-daemon───2*[{accounts-daemon}]
        ├─2*[agetty]
        ├─atd
        ├─containerd───9*[{containerd}]
        ├─cron
        ├─dbus-daemon
        ├─dockerd───8*[{dockerd}]
        ├─droplet-agent───8*[{droplet-agent}]
        ├─multipathd───6*[{multipathd}]
        ├─networkd-dispat
        ├─packagekitd───2*[{packagekitd}]
        ├─polkitd───2*[{polkitd}]
        ├─postgres.bin───6*[postgres.bin]
        ├─rsyslogd───3*[{rsyslogd}]
        ├─snapd───9*[{snapd}]
        ├─sshd─┬─2*[sshd───bash]
        │      ├─sshd
        │      └─sshd───bash───pstree
        ├─systemd───(sd-pam)
        ├─systemd-journal
        ├─systemd-logind
        ├─systemd-network
        ├─systemd-resolve
        ├─systemd-timesyn───{systemd-timesyn}
        ├─systemd-udevd
        ├─udisksd───4*[{udisksd}]
        ├─unattended-upgr───{unattended-upgr}
        └─uuidd
root@server:~# journalctl -n 100
Oct 13 08:36:54 nn1 dbus-daemon[3386]: [session uid=1000 pid=3386] Activating via systemd: service name='org.freedesktop.Tracker3.Miner.Extract' unit='tracker-extract-3.service' requested by ':1.7' (uid=1000 pid=3432 comm="/usr/libexec/tracker-miner-fs-3")
Oct 13 08:36:54 nn1 systemd[3363]: Starting Tracker metadata extractor...
Oct 13 08:36:56 nn1 dbus-daemon[3386]: [session uid=1000 pid=3386] Activating via systemd: service name='org.gtk.vfs.MTPVolumeMonitor' unit='gvfs-mtp-volume-monitor.service' requested by ':1.327' (uid=1000 pid=28347 comm="/usr/libexec/tracker-extract-3")
Oct 13 08:36:56 nn1 systemd[3363]: Starting Virtual filesystem service - Media Transfer Protocol monitor...
Oct 13 08:36:56 nn1 systemd[28353]: gvfs-mtp-volume-monitor.service: Failed to locate executable /usr/libexec/gvfs-mtp-volume-monitor: No such file or directory
Oct 13 08:36:56 nn1 systemd[28353]: gvfs-mtp-volume-monitor.service: Failed at step EXEC spawning /usr/libexec/gvfs-mtp-volume-monitor: No such file or directory
Oct 13 08:36:56 nn1 systemd[3363]: gvfs-mtp-volume-monitor.service: Main process exited, code=exited, status=203/EXEC
Oct 13 08:36:56 nn1 systemd[3363]: gvfs-mtp-volume-monitor.service: Failed with result 'exit-code'.
Oct 13 08:36:56 nn1 systemd[3363]: Failed to start Virtual filesystem service - Media Transfer Protocol monitor.
Oct 13 08:37:21 nn1 tracker-extract-3[28347]: Error creating proxy: Error calling StartServiceByName for org.gtk.vfs.MTPVolumeMonitor: Timeout was reached (g-io-error-quark, 24)
Oct 13 08:37:21 nn1 dbus-daemon[3386]: [session uid=1000 pid=3386] Successfully activated service 'org.freedesktop.Tracker3.Miner.Extract'
Oct 13 08:37:21 nn1 systemd[3363]: Started Tracker metadata extractor.
Oct 13 08:38:37 nn1 dbus-daemon[3386]: [session uid=1000 pid=3386] Activating via systemd: service name='org.freedesktop.Tracker3.Miner.Extract' unit='tracker-extract-3.service' requested by ':1.7' (uid=1000 pid=3432 comm="/usr/libexec/tracker-miner-fs-3")
Oct 13 08:38:37 nn1 systemd[3363]: Starting Tracker metadata extractor...
root@server:~# dmesg | tail
[9936561.054488] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/system.slice/apache2.service,task=apache2,pid=968751,uid=33
[9936561.054501] Out of memory: Killed process 968751 (apache2) total-vm:253516kB, anon-rss:16720kB, file-rss:3004kB, shmem-rss:20652kB, UID:33 pgtables:280kB oom_score_adj:0
[9936561.066209] oom_reaper: reaped process 968751 (apache2), now anon-rss:0kB, file-rss:0kB, shmem-rss:20652kB

Оцінка і рекомндації: Перенавантажень на боці сервера не виявлено, однак задіяно чимало фонових процесів, які необхідно перевірити і оптимізувати. Зафіксовані проблеми із запуском однієї з системних служб (MTP Volume Monitor). Також знайдені помилки у повідомленні ядра (DMESG) — можливі проблеми з виділенням оперативної пам’яті.

Розділ 7. Аналіз облікових записів

[root@server ~]# awk -F: '($3 == "0") {print}' /etc/passwd
root:x:0:0:root:/root:/bin/bash
[root@server ~]# lastlog
Username         Port     From             Latest
root             pts/1    XX.XXX.XXX.X     Thu Oct 13 16:51:20 +0200
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
ftp                                        **Never logged in**
nobody                                     **Never logged in**
systemd-network                            **Never logged in**
dbus                                       **Never logged in**
polkitd                                    **Never logged in**
sshd                                       **Never logged in**
chrony                                     **Never logged in**
tss                                        **Never logged in**
cyberpanel                                 **Never logged in**
docker                                     **Never logged in**
lsadm                                      **Never logged in**
mysql                                      **Never logged in**
ftpuser                                    **Never logged in**
pdns                                       **Never logged in**
postfix                                    **Never logged in**
dovecot                                    **Never logged in**
dovenull                                   **Never logged in**
vmail                                      **Never logged in**
opendkim                                   **Never logged in**
lscpd                                      **Never logged in**
memcached                                  **Never logged in**
redis                                      **Never logged in**
saslauth                                   **Never logged in**

Оцінка і рекомендації: на сервері не виявлено прихованих користувачів чи підозрілих входів в систему. Невідомих користувацьких груп теж не знайдено.

Висновки і рекомендації

Досліджуваний сервер потребує комплексного грамотного налаштування сервера збоку системного адміністратора. Необхідно підібрати усі необхідні компоненти і спроєктувати архітектуру з нуля. Упорядкувати усі служби, сервіси, інтерфейси. Гармонійно розмежувати та розприділити їх між собою, застосовуючи усі необхідні засоби, інструменти контролю і захисту, моніторингу.

Нижче представлені підсумкові рекомендації, які були отримані в рамках цього аудиту. Важливо їх втілити для усунення поточних недоліків й покращення роботи сервера.

  1. Замінити процесор (CPU) на більш потужний та продуктивний, наприклад Intel(R) Xeon(R) v2 (двоядерний), з використанням гіпервізора XEN.
  2. Збільшити обсяг оперативної пам’яті (RAM) до мінімум 2 Гб, а в ідеалі — 4 Гб і більше.
  3. Підключити повнофункціональний SSD-накопичувач об’ємом мінімум 80 Гб, в ідеалі — 160 Гб і більше.
  4. Оновити і укомплектувати операційну систему необхідними патчами (sudo apt update && sudo apt upgrade), модулями, файєрволами (CSF/UFW/IPtables/Fail2ban/modSecurity), репозиторіями (apt, apt-get, snap, yum і ін.).
  5. Створити окремі логічні розділи на дисковому накопичувачі під log (журнали) і tmp (тимчасові файли).
  6. Оновити і налаштувати базу даних MySQL MariaDB на максимальну швидкодію, безпеку і продуктивність.
  7. Виставити коректні права доступу на файли і папки.
  8. Налаштувати системну службу SSH на максимальну безпеку.
  9. Провести тюнінг і конфігурацію системних ресурсів, сервісів.
  10. Перевести сервер на обслуговування в CDN CloudFlare, оновити усі мережеві служби, закрити зайві TCP/UDP порти і мережеві інтерфейси, приховати IP/DNS сервера.
  11. Перенести поштові сервіси на окремий автономний MAIL-сервер та забезпечити його безпеку (SPF, DMARC, DKIM, SpamAssasin).
  12. Додати необхідні заголовки безпеки (HTTP Security Headers).
  13. Провести відладку (debugging) усіх помилок на сервері.

Використані інструменти і утиліти

  • lscpu – утиліта командного рядка Linux для збору інформації про центральний процесор CPU;
  • lspci – утиліта командого рядка Linux для збору інформації про PCI-пристрої;
  • lshw – утиліта командого рядка Linux для збору апаратних характеристик;
  • uname – утиліта Linux для збору інформації про операційну систему;
  • history – утиліта Linux для аналізу історії виконаних команд в системі;
  • journalctl – утиліта для аналізу системних подій;
  • dmesg – утиліта для аналізу повідомлень ядра операційної системи;
  • free – утиліта для збору інформації про оператину пам’ять;
  • netstat – утиліта для збору інформації про мережеві сервіси, пристрої, інтерфейси;
  • dmidecode – утиліта для збору DMI-даних виробника;
  • df – утиліта для збору інформації про дисковий накопичувач;
  • curl – утиліта для збору інформації про електронні ресурси;
  • smartctl – утиліта для контролю і моніторингу системи;
  • ausearch – утиліта для перегляду системних логів;
  • Lynis – програмне забезпечення для аудиту ОС Linux;
  • OTSECA – інструмент для аудиту безпеки ОС Linux;
  • Rkhunter – інструмент для виявлення руткітів;
  • mysqltuner – утиліта для аудиту і оптимізації MySQL бази даних;
  • memtester – утиліта для тестування оперативної пам’яті;
  • Spectre Meltdown Checker – інструмент для оцінки захищеності системи;
  • Nench – інструмент аудиту ОС Linux;
  • Nix-Auditor – програмне забезпечення для аудиту Linux-серверів;
  • Lunar – програмне забезпечення для аудиту Linux-серверів та підготовки звітів;
  • LSAT – утиліта для аудиту безпеки Linux;
  • NMAP – мережевий сканер;
  • iotop – утиліта для збору інформації про I/O операції;
  • iftop – утиліта для аналізу процесів;
  • bashtop – аналізатор процесів в Linux;
  • nload – аналізатор мережевого трафіку;
  • GoAccess – аналізатор логів відвідування;
  • iptraf – інструмент IP Network Monitoring Software;
  • Qualys – онлайн-сервіси Qualys для аудиту інформаційних систем;
  • Probely – онлайн-сервіс для перевірки HTTP-заголовків;
  • Testssl.sh – аналіз і тестування SSL-сертифікату;
  • Sysechk – аналізатор безпеки;
  • Orthrus – інструмент для аудиту безпеки;
  • SSHsec – аналізатор захищеності SSH;
  • OpenSCAP – інструмент для аудиту відповідності.
 

ПОДІЛИТИСЬ У СОЦМЕРЕЖАХ:

0 0 голосів
Рейтинг статті
Підписатися
Сповістити про
guest
0 Коментарі
Старіші
Новіші Найпопулярніші
Вбудовані Відгуки
Переглянути всі коментарі
0
Поставте запитання й отримайте відповідь!x
Отримати комерційну пропозицію
Оформити заявку
Замовити консультацію
Замовити дзвінок

Вкажіть, будь ласка, контактний номер телефону. Наш менеджер миттєво зв’яжеться з Вами!