Lynis suggestions

Hi everyone,

so I tested my workstation with Lynis and these are the suggestions I got:

  Suggestions (29):

  * Consider hardening system services [BOOT-5264] 
    - Details  : Run '/usr/bin/systemd-analyze security SERVICE' for each service

  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]

  * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]

  * Configure password hashing rounds in /etc/login.defs [AUTH-9230]

  * When possible set expire dates for all password protected accounts [AUTH-9282]

  * Look at the locked accounts and consider removing them [AUTH-9284]

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]

  * The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410]

  * Check DNS configuration for the dns domain name [NAME-4028]

  * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404]

  * Install debsums utility for the verification of packages with known good database. [PKGS-7370]

  * Determine if protocol 'dccp' is really needed on this system [NETW-3200]

  * Determine if protocol 'sctp' is really needed on this system [NETW-3200]

  * Determine if protocol 'rds' is really needed on this system [NETW-3200]

  * Check iptables rules to see which rules are currently not used [FIRE-4513]

  * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]

  * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]

  * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]

  * Check what deleted files are still in use and why. [LOGG-2190]

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]

  * Add legal banner to /etc/, to warn unauthorized users [BANN-7130]

  * Enable sysstat to collect accounting (no results) [ACCT-9626]

  * Use NTP daemon or NTP client to prevent time issues. [TIME-3104]

  * Check available certificates for expiration [CRYP-7902]

  * Determine if automation tools are present for system management [TOOL-5002]

  * Consider restricting file permissions [FILE-7524] 
    - Details  : See screen output or log file
    - Solution : Use chmod to change file permissions

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)

  * Harden compilers like restricting access to root user only [HRDN-7222]

Which ones should I do and how ?
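Added example, not part of the thread or of Lynis itself: a small POSIX shell script that checks a handful of the listed findings (KRNL-5820 core dumps, AUTH-9328 umask, AUTH-9230 hashing rounds, NETW-3200 unused protocols, BANN-7126 legal banner) against configuration files. It writes constructed "weak" and "hardened" sample files so it runs offline; the checks, keyword list and thresholds are my assumptions about what a reasonable fix looks like, not Lynis's own test logic. To run the same checks on a real system, point the functions at /etc/security/limits.conf, /etc/login.defs, a file under /etc/modprobe.d and /etc/issue.

```shell
#!/bin/sh
# Added example (not from the thread): file-based checks for a few of the
# Lynis findings listed above. Each check takes the path of the file it
# inspects. Thresholds, regexes and the banner keyword list are assumptions
# made for this example, not Lynis's own test logic.

# KRNL-5820: a '* hard core 0' line in limits.conf disables core dumps for all users.
core_dumps_disabled() {
    grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$' "$1"
}

# AUTH-9328: UMASK in login.defs should be 027 (or 077); the last uncommented value wins.
umask_is_strict() {
    value=$(awk '$1 == "UMASK" { v = $2 } END { print v }' "$1")
    case "$value" in
        027|077) return 0 ;;
        *)       return 1 ;;
    esac
}

# AUTH-9230: SHA_CRYPT_MIN_ROUNDS is set in login.defs and is at least $2.
hash_rounds_at_least() {
    rounds=$(awk '$1 == "SHA_CRYPT_MIN_ROUNDS" { v = $2 } END { print v }' "$1")
    [ -n "$rounds" ] && [ "$rounds" -ge "$2" ]
}

# NETW-3200: dccp, sctp and rds are each neutralised in the given modprobe.d file,
# either with 'install <proto> /bin/false' (module cannot be loaded even on demand)
# or with a plain 'blacklist <proto>' line.
unused_protocols_blocked() {
    for proto in dccp sctp rds; do
        grep -Eq "^[[:space:]]*(install[[:space:]]+$proto[[:space:]]+/bin/(false|true)|blacklist[[:space:]]+$proto)[[:space:]]*$" "$1" \
            || return 1
    done
    return 0
}

# BANN-7126: /etc/issue is non-empty and contains a warning. The keyword list is an assumption.
legal_banner_present() {
    [ -s "$1" ] && grep -Eiq 'unauthori[sz]ed|authori[sz]ed (use|access)|monitored' "$1"
}

# Constructed sample configs: 'weak' mirrors common defaults, 'hardened' applies the fixes.
write_samples() {
    mkdir -p "$1/weak" "$1/hardened"
    printf '# /etc/security/limits.conf\n' > "$1/weak/limits.conf"
    printf '# /etc/security/limits.conf\n*    hard    core    0\n' > "$1/hardened/limits.conf"
    printf 'UMASK\t\t022\nENCRYPT_METHOD SHA512\n' > "$1/weak/login.defs"
    printf 'UMASK\t\t027\nENCRYPT_METHOD SHA512\nSHA_CRYPT_MIN_ROUNDS 50000\nSHA_CRYPT_MAX_ROUNDS 100000\n' \
        > "$1/hardened/login.defs"
    : > "$1/weak/protocols.conf"
    printf 'install dccp /bin/false\ninstall sctp /bin/false\ninstall rds /bin/false\n' \
        > "$1/hardened/protocols.conf"
    printf 'Welcome to \\\\n (\\\\l)\n\n' > "$1/weak/issue"
    printf 'Unauthorized access is prohibited. All activity may be monitored.\n' > "$1/hardened/issue"
}

# Print PASS/FAIL for one check; counts failures in the global 'failures'.
report() {
    if "$@"; then echo "PASS $1"; else echo "FAIL $1"; failures=$((failures + 1)); fi
}

# Run every check against one directory of config files; returns the number of failures.
audit() {
    failures=0
    report core_dumps_disabled      "$1/limits.conf"
    report umask_is_strict          "$1/login.defs"
    report hash_rounds_at_least     "$1/login.defs" 5000
    report unused_protocols_blocked "$1/protocols.conf"
    report legal_banner_present     "$1/issue"
    return "$failures"
}

dir=$(mktemp -d)
write_samples "$dir"
echo "== weak samples =="
audit "$dir/weak"
echo "== hardened samples =="
audit "$dir/hardened"
rm -rf "$dir"
```

Each check is a plain shell function returning 0 or 1, so `audit` can be dropped into a cron job or a CI step and its exit status used directly. The `install <proto> /bin/false` form is preferred over `blacklist` because blacklisting only stops automatic loading; a protocol module can still be pulled in on demand by a socket() call.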

Realize that those are suggestions, not must-do, and are mostly related to use on a multi-user internal or internet accessible system.

As with any testing software like lynis it is up to the admin to decide which (if any) changes suggested are necessary and appropriate. The changes you implement depend upon your use case and associated risks and must be determined by you, not the whole world.

My use case may be different, as well as my risks, so suggestions I make would be based on my situation & opinions and not your situation.

Evaluate each of those, case by case, and determine if 1) it applies to your needs and 2) is applicable to your use. Then implement the needed ones and ignore everything else that is not deemed significant.

Well aware of that, I just thought it wouldn’t hurt to see what others would do, that’s all. I am trying to create a secure workstation for myself.


Understood, and suggestions may assist. Just be aware that they may vary wildly based on the individual use case the suggestion is based upon.

Personally, with my home systems behind a double-NAT ISP connection, almost nothing there is applicable to me. It still would not be applicable unless I had a direct connection with a valid internet IP on my router, and then I would add additional firewalling with a Pi-hole between the router and my LAN so I had 3 firewall layers (router, Pi-hole, PC) for any potential incoming connections.
