so I tested my Workstation with Lynis and these are the suggestions I got;
Suggestions (29): ---------------------------- * Consider hardening system services [BOOT-5264] - Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service https://cisofy.com/lynis/controls/BOOT-5264/ * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820] https://cisofy.com/lynis/controls/KRNL-5820/ * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229] https://cisofy.com/lynis/controls/AUTH-9229/ * Configure password hashing rounds in /etc/login.defs [AUTH-9230] https://cisofy.com/lynis/controls/AUTH-9230/ * When possible set expire dates for all password protected accounts [AUTH-9282] https://cisofy.com/lynis/controls/AUTH-9282/ * Look at the locked accounts and consider removing them [AUTH-9284] https://cisofy.com/lynis/controls/AUTH-9284/ * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] https://cisofy.com/lynis/controls/AUTH-9328/ * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310] https://cisofy.com/lynis/controls/FILE-6310/ * The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410] https://cisofy.com/lynis/controls/FILE-6410/ * Check DNS configuration for the dns domain name [NAME-4028] https://cisofy.com/lynis/controls/NAME-4028/ * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404] https://cisofy.com/lynis/controls/NAME-4404/ * Install debsums utility for the verification of packages with known good database. [PKGS-7370] https://cisofy.com/lynis/controls/PKGS-7370/ * Determine if protocol 'dccp' is really needed on this system [NETW-3200] https://cisofy.com/lynis/controls/NETW-3200/ * Determine if protocol 'sctp' is really needed on this system [NETW-3200] https://cisofy.com/lynis/controls/NETW-3200/ * Determine if protocol 'rds' is really needed on this system [NETW-3200] https://cisofy.com/lynis/controls/NETW-3200/ * Check iptables rules to see which rules are currently not used [FIRE-4513] https://cisofy.com/lynis/controls/FIRE-4513/ * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] https://cisofy.com/lynis/controls/HTTP-6640/ * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] https://cisofy.com/lynis/controls/HTTP-6643/ * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154] https://cisofy.com/lynis/controls/LOGG-2154/ * Check what deleted files are still in use and why. [LOGG-2190] https://cisofy.com/lynis/controls/LOGG-2190/ * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] https://cisofy.com/lynis/controls/BANN-7126/ * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] https://cisofy.com/lynis/controls/BANN-7130/ * Enable sysstat to collect accounting (no results) [ACCT-9626] https://cisofy.com/lynis/controls/ACCT-9626/ * Use NTP daemon or NTP client to prevent time issues. [TIME-3104] https://cisofy.com/lynis/controls/TIME-3104/ * Check available certificates for expiration [CRYP-7902] https://cisofy.com/lynis/controls/CRYP-7902/ * Determine if automation tools are present for system management [TOOL-5002] https://cisofy.com/lynis/controls/TOOL-5002/ * Consider restricting file permissions [FILE-7524] - Details : See screen output or log file - Solution : Use chmod to change file permissions https://cisofy.com/lynis/controls/FILE-7524/ * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>) https://cisofy.com/lynis/controls/KRNL-6000/ * Harden compilers like restricting access to root user only [HRDN-7222] https://cisofy.com/lynis/controls/HRDN-7222/
Which ones should I do and how ?