- - Checking /usr/local/libexec... [ NOT FOUND ]
- - Checking /usr/libexec... [ FOUND ]
- - Checking /usr/sfw/bin... [ NOT FOUND ]
- - Checking /usr/sfw/sbin... [ NOT FOUND ]
- - Checking /usr/sfw/libexec... [ NOT FOUND ]
- - Checking /opt/sfw/bin... [ NOT FOUND ]
- - Checking /opt/sfw/sbin... [ NOT FOUND ]
- - Checking /opt/sfw/libexec... [ NOT FOUND ]
- - Checking /usr/xpg4/bin... [ NOT FOUND ]
- - Checking /usr/css/bin... [ NOT FOUND ]
- - Checking /usr/ucb... [ NOT FOUND ]
- - Checking /usr/X11R6/bin... [ FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- Unable to find Digest::SHA or Digest::SHA::PurePerl
- [+] Boot and services
- ------------------------------------
- - Checking boot loaders
- - Checking presence GRUB... [ NOT FOUND ]
- - Checking presence LILO... [ NOT FOUND ]
- - Checking boot loader SILO [ NOT FOUND ]
- - Checking boot loader YABOOT [ NOT FOUND ]
- - Check startup files (permissions)... [ OK ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Kernel
- ------------------------------------
- - Checking default runlevel [ UNKNOWN ]
- - Checking CPU support (NX/PAE)
- CPU support: No PAE or NoeXecute supported [ NONE ]
- - Checking kernel version and release [ DONE ]
- - Checking kernel type [ DONE ]
- - Checking loaded kernel modules [ DONE ]
- Found 58 active modules
- - Checking Linux kernel configuration file... [ NOT FOUND ]
- - Checking core dumps configuration... [ DISABLED ]
- - Checking setuid core dumps configuration... [ DEFAULT ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Memory and processes
- ------------------------------------
- - Checking /proc/meminfo... [ FOUND ]
- - Searching for dead/zombie processes... [ OK ]
- - Searching for IO waiting processes... [ OK ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Users, Groups and Authentication
- ------------------------------------
- - Search administrator accounts... [ OK ]
- - Checking consistency of group files (grpck)... [ WARNING ]
- - Checking non unique group ID's... [ WARNING ]
- - Checking non unique group names... [ WARNING ]
- - Checking password file consistency... [ WARNING ]
- - Query system users (non daemons)... [ DONE ]
- - Checking NIS+ authentication support [ NOT ENABLED ]
- - Checking NIS authentication support [ NOT ENABLED ]
- - Checking sudoers file [ FOUND ]
- - Check sudoers file permissions [ WARNING ]
- - Checking PAM password strength tools [ SUGGESTION ]
- - Checking PAM configuration file (pam.conf) [ NOT FOUND ]
- - Checking PAM configuration files (pam.d) [ FOUND ]
- - Checking PAM modules [ FOUND ]
- - Checking accounts without expire date [ OK ]
- - Checking accounts without password [ OK ]
- - Checking Linux single user mode authentication [ WARNING ]
- - Determining default umask
- - Checking umask (/etc/profile) [ UNKNOWN ]
- - Checking LDAP authentication support [ NOT ENABLED ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Shells
- ------------------------------------
- - Checking shells from /etc/shells...
- Result: found 3 shells (valid shells: 3).
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] File systems
- ------------------------------------
- - Checking mount points
- - Checking /tmp mount point... [ OK ]
- - Checking for old files in /tmp... [ OK ]
- - Checking /tmp sticky bit... [ OK ]
- tune2fs: No such file or directory while trying to open /dev/root
- Couldn't find valid filesystem superblock.
- - ACL support root file system... [ DISABLED ]
- - Checking Locate database... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Storage
- ------------------------------------
- - Checking usb-storage driver (modprobe config)... [ NOT DISABLED ]
- - Checking firewire ohci driver (modprobe config)... [ NOT DISABLED ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] NFS
- ------------------------------------
- - Check running NFS daemon... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Software: name services
- ------------------------------------
- - Checking default DNS search domain... [ NONE ]
- - Checking search domains... [ FOUND ]
- - Checking /etc/resolv.conf options... [ NONE ]
- - Searching DNS domain name... [ UNKNOWN ]
- - Checking nscd status... [ NOT FOUND ]
- - Checking BIND status... [ NOT FOUND ]
- - Checking PowerDNS status... [ NOT FOUND ]
- - Checking ypbind status... [ NOT FOUND ]
- - Checking /etc/hosts
- - Checking /etc/hosts (duplicates) [ OK ]
- - Checking /etc/hosts (hostname) [ OK ]
- - Checking /etc/hosts (localhost) [ SUGGESTION ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Ports and packages
- ------------------------------------
- - Searching package managers...
- - Searching RPM package manager... [ FOUND ]
- - Querying RPM package manager...
- /bin/rpm: invalid option -- 'a'
- BusyBox v1.21.0 (2013-02-18 15:57:06 WST) multi-call binary.
- Usage: rpm -i PACKAGE.rpm; rpm -qp[ildc] PACKAGE.rpm
- Manipulate RPM packages
- Commands:
- -i Install package
- -qp Query package
- -i Show information
- -l List contents
- -d List documents
- -c List config files
- - Searching dpkg package manager... [ FOUND ]
- - Querying package manager...
- - Query unpurged packages... [ NONE ]
- - Checking package audit tool... [ NONE ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Networking
- ------------------------------------
- - Checking configured nameservers...
- - Testing nameservers...
- Nameserver: 192.168.1.1... [ SKIPPED ]
- - Minimal of 2 responsive nameservers... [ SKIPPED ]
- - Checking default gateway... [ DONE ]
- - Getting listening ports (TCP/TCP)... [ DONE ]
- * Found 1 ports
- - Checking promiscuous interfaces... [ OK ]
- - Checking waiting connections... [ OK ]
- - Checking status DHCP client... [ NOT ACTIVE ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Printers and Spools
- ------------------------------------
- - Checking cups daemon... [ RUNNING ]
- - Checking cups configuration file... [ OK ]
- - Checking CUPS addresses/sockets... [ FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Software: e-mail and messaging
- ------------------------------------
- - Checking Exim status... [ NOT FOUND ]
- - Checking Postfix status... [ NOT FOUND ]
- - Checking Qmail smtpd status... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Software: firewalls
- ------------------------------------
- - Checking iptables kernel module [ FOUND ]
- - Checking for empty ruleset [ OK ]
- - Checking for unused rules [ WARNING ]
- Status pf [ NOT FOUND ]
- - Checking host based firewall [ ACTIVE ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Software: webserver
- ------------------------------------
- httpd: bind: Address already in use
- - Checking Apache (binary /usr/sbin/httpd)... [ NO MATCH ]
- - Checking nginx... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] SSH Support
- ------------------------------------
- - Checking running SSH daemon... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] SNMP Support
- ------------------------------------
- - Checking running SNMP daemon... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Databases
- ------------------------------------
- - MySQL process status... [ NOT FOUND ]
- - PostgreSQL processes status... [ NOT FOUND ]
- - Oracle processes status... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] LDAP Services
- ------------------------------------
- - Checking OpenLDAP instance... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Software: PHP
- ------------------------------------
- - Checking PHP... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Squid Support
- ------------------------------------
- - Checking running Squid daemon... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Logging and files
- ------------------------------------
- - Checking for a running log daemon... [ OK ]
- - Checking Syslog-NG status [ NOT FOUND ]
- - Checking Metalog status [ NOT FOUND ]
- - Checking RSyslog status [ NOT FOUND ]
- - Checking RFC 3195 daemon status [ NOT FOUND ]
- - Checking klogd [ FOUND ]
- - Checking minilogd instances [ NONE ]
- - Checking logrotate presence [ WARNING ]
- - Checking log directories (static list) [ DONE ]
- - Checking open log files [ DONE ]
- - Checking deleted files in use [ DONE ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Insecure services
- ------------------------------------
- - Checking inetd status... [ NOT ACTIVE ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Banners and identification
- ------------------------------------
- - /etc/motd... [ NOT FOUND ]
- - /etc/issue... [ FOUND ]
- - /etc/issue contents... [ WEAK ]
- - /etc/issue.net... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Scheduled tasks
- ------------------------------------
- - Checking crontab/cronjob [ DONE ]
- - Checking atd status [ NOT RUNNING ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Accounting
- ------------------------------------
- - Checking accounting information... [ NOT FOUND ]
- - Checking auditd [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Time and Synchronization
- ------------------------------------
- - Checking running NTP daemon (ntpd)... [ NOT FOUND ]
- - Checking running NTP daemon (timed)... [ NOT FOUND ]
- - Checking running NTP daemon (dntpd)... [ NOT FOUND ]
- - Checking NTP client in cron.d files... [ NOT FOUND ]
- - Checking for a running NTP daemon or client... [ WARNING ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Cryptography
- ------------------------------------
- - Checking SSL certificate expiration... [ OK ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Virtualization
- ------------------------------------
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Security frameworks
- ------------------------------------
- - Checking presence AppArmor [ NOT FOUND ]
- - Checking presence SELinux [ NOT FOUND ]
- - Checking presence grsecurity [ NOT FOUND ]
- - Checking for implemented MAC framework [ NONE ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Software: file integrity
- ------------------------------------
- - Checking file integrity tools...
- - AFICK... [ NOT FOUND ]
- - AIDE... [ NOT FOUND ]
- - Osiris... [ NOT FOUND ]
- - Samhain... [ NOT FOUND ]
- - Tripwire... [ NOT FOUND ]
- - OSSEC (syscheck)... [ NOT FOUND ]
- - Checking presence integrity tool... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Software: Malware scanners
- ------------------------------------
- - Checking chkrootkit... [ NOT FOUND ]
- - Checking Rootkit Hunter... [ NOT FOUND ]
- - Checking ClamAV scanner... [ NOT FOUND ]
- - Checking ClamAV daemon... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] System Tools
- ------------------------------------
- - Starting file permissions check...
- /etc/lilo.conf [ NOT FOUND ]
- /root/.ssh [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Home directories
- ------------------------------------
- find: `/home': No such file or directory
- - Checking shell history files... [ OK ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Kernel Hardening
- ------------------------------------
- - Comparing sysctl key pairs with scan profile...
- - kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
- - kernel.ctrl-alt-del (exp: 0) [ OK ]
- - net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- - net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- - net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- - net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- - net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- - net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- - net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- - net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- - net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- - net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- - net.ipv4.conf.default.accept_source_route (exp: 0) [ DIFFERENT ]
- - net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- - net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- - net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Hardening
- ------------------------------------
- - Installed compiler(s)... [ NOT FOUND ]
- - Installed malware scanner... [ NOT FOUND ]
- [ Press [ENTER] to continue, or [CTRL]+C to stop ]
- [+] Custom Tests
- ------------------------------------
- - Running custom tests... [ SKIPPED ]
- ================================================================================
- -[ Lynis 1.3.9 Results ]-
- Tests performed: 142
- Warnings:
- ----------------------------
- - grpck binary found errors in one or more group files [test:AUTH-9216]
- - Found multiple groups with same group ID [test:AUTH-9222]
- - Found inconsistencies in group file (multiple occurences of a single group) [test:AUTH-9226]
- - pwck found one or more errors/warnings in the password file [test:AUTH-9228]
- - No password set for single mode [test:AUTH-9308]
- - Found possible unused iptables rules (2 1 1 2) [test:FIRE-4513]
- - No logrotate configuration has been found [test:LOGG-2146]
- - No running NTP daemon or available client found [test:TIME-3104]
- Suggestions:
- ----------------------------
- - Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support [test:KRNL-5677]
- - Run grpck manually and check your group files [test:AUTH-9216]
- - Check your /etc/group file and correct inconsistencies [test:AUTH-9222]
- - Check your /etc/group file and correct inconsistencies [test:AUTH-9226]
- - Run pwck manually and correct found issues. [test:AUTH-9228]
- - Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
- - Set password for single user mode to minimize physical access attack surface [test:AUTH-9308]
- - The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [test:FILE-6410]
- - Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
- - Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
- - Split resolving between localhost and the hostname of the system [test:NAME-4406]
- - Install a package audit tool to determine vulnerable packages [test:PKGS-7398]
- - Check iptables rules to see which rules are currently not used (iptables --list --numeric --verbose) [test:FIRE-4513]
- - Check if files are properly rotated by a some tool instead of logrotate [test:LOGG-2146]
- - Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
- - Enable auditd to collect audit information [test:ACCT-9628]
- - Check if any NTP daemon is running or a NTP client gets executed daily, to prevent big time differences and avoid problems with services like kerberos, authentication or logging differences. [test:TIME-3104]
- - Install a file integrity tool [test:FINT-4350]
- - One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]
- - Harden the system by installing one or malware scanners to perform periodic file system scans [test:HRDN-7230]
- ================================================================================
- Files:
- - Test and debug information : /var/log/lynis.log
- - Report data : /var/log/lynis-report.dat
- ================================================================================
- Hardening index : [59] [########### ]
- Enterprise support and plugins available via CISOfy - http://cisofy.com
- ================================================================================
- Tip: Disable all tests which are not relevant or are too strict for the
- purpose of this particular machine. This will remove unwanted suggestions
- and also boost the hardening index. Each test should be properly analyzed
- to see if the related risks can be accepted, before disabling the test.
- ================================================================================
- Lynis 1.3.9
- Copyright 2007-2014 - Michael Boelen, http://cisofy.com
- ================================================================================