In virtualized containers for OpenVZ or Parallels Virtuozzo, auditd kernel doesn't work by design. So when you report auditd is not found in Accounting section, maybe also do a check for see if Lynis is being run within an OpenVZ like container and make a note as such ?

i.e.

NOT FOUND (Not supported in OpenVZ kernels) ?

[+] Accounting
------------------------------------
  - Checking accounting information                           [ NOT FOUND ]
  - Checking sysstat accounting data                          [ ENABLED ]
  - Checking auditd                                           [ NOT FOUND ]

for CentOS at least there's yum package to check for it virt-what

yum list virt-what -q
Installed Packages
virt-what.x86_64                                                   1.13-5.el7

running check

virt-what
openvz

also you can check for openvz virtualization via file /proc/user_beancounters

ls -lah /proc/user_beancounters 
-r-------- 1 root root 0 Mar  9 21:52 /proc/user_beancounters

While "Checking swap mount options", if there is a discard option in the line, in addition to the sw option, it fails.
You may want to avoid checking the whole field, rather using a regex to check the occurence of sw.

Performing test ID FILE-6336 (Checking swap mount options)
Test: check swap partitions with incorrect mount options
Result: possible incorrect mount options used for mounting swap partition (UUID="b5d01449-60b6-48ec-b806-20fa0b47a718")
Suggestion: Check your /etc/fstab file. Swap partition usually have 'sw' or 'swap' in the options field (4th). [FILE-6336]

For the Squid unsafe port check. An entry in my squid.conf is being tagged incorrectly by the grep statement and being interpreted as SSH 22.

Line in my squid.conf:

acl Safe_ports port 2222 # DirectAdmin

The grep output is matching it as:

acl Safe_ports port 22

False positive warning given in audit:

Warning: Squid configuration possibly allows relaying traffic via configured Safe_port 22 [SQD-3624]

Port 22 is not actually within Safe_ports at all.

Test # NETW-2705 is "fooled" by entering the same nameserver more than once in /etc/resolv.conf. This doesn't, technically, satisfy the 2 resolver requirement implied by the check.

Rootsh is a wrapper for shells which logs all echoed keystrokes and terminal output to a file and/or to syslog. It's main purpose is the auditing of users who need a shell with root privileges. They start rootsh through the sudo mechanism.

I know little to nothing about how OS X boots. Let me know what information you need. I'll post here or send via email, depending on size and confidentiality.

Grub is installed.

Gentoo contains a utility to simplify kernel building and installation, called genkernel. Genkernel names the kernel files kernel-genkernel-{arch}-{version}-gentoo(-r_n_), instead of vmlinuz.

Example: current running kernel is /boot/kernel-genkernel-x86-3.14.16-gentoo.

/boot is mounted. /boot/grub2/grub.cfg exists.

When I click the url in suggestion:

• Install 'ecryptfs-utils' and configure for each user. [FILE-####]
  http://cisofy.com/controls/FILE-####/
  The content of this url does not exist!

As a standard user all I did was git clone https://github.com/CISOfy/Lynis.git, afterwards I went into the git dir and did this:

~/scripts/Lynis [0] (master=) 
$ sudo ./lynis -c
[sudo] password for me:
[!] Change file permissions of ./include/consts to 640.
    Command: chmod 640 ./include/consts
[!] Change file permissions of ./include/functions to 640.
    Command: chmod 640 ./include/functions
[!] Change ownership of ./include/consts to 'root' or similar (found: me with UID 1000).
    Command: chown root:root ./include/consts
[!] Change ownership of ./include/functions to 'root' or similar (found: me with UID 1000).
    Command: chown root:root ./include/functions


[X] Security check failed: See action above to correct this issue.
    Please change ownership and permissions of the related files and start Lynis again.

After setting the appropriate permissions for the files, it still asked me to change permission of certain files:

~/scripts/Lynis [0] (master *=) 
$ sudo ./lynis -c

[ Lynis 2.0.0 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See the LICENSE file for details about using this software.

 Copyright 2007-2015 - CISOfy, https://cisofy.com
 Enterprise support and plugins available via CISOfy
################################################################################

[+] Initializing program
------------------------------------
Fatal error: file ./include/osdetection should be owned by user 'root' or similar (found: me).

Afterwards, I simply did sudo chown -R root:root Lynis/, went into the Lynis git dir again but now as root and did ./lynis -c. This resulted in Invalid permissions on tests file tests_boot_services and similar permission errors. Full lynis.log can be seen here.

Hello,
I downloaded the package mentioned in the subject from the website but when running Lynis it says it is version 1.6.4; furthermore, issuing --check-update effectively tag it as outdated.

/me scratches his head trying to figure out what's happening here...

      - Containers
        - Total containers                                    [ UNKNOWN ]
./include/tests_containers: line 134: /usr/libexec/docker: Is a directory
        - Running containers                                  [ 0 ]
./include/tests_containers: line 145: [: -gt: unary operator expected

This doesn't happen in Ubuntu with Docker installed.

Systemd has it own /dev/log implementation, making klogd useless and it seems even harmful

However, when running lynis on a systemd system, I still get klogd is not running, which could lead to missing kernel messages in log files [LOGG-2138] which seems wrong.

Am I right ? Shouldn't this check be disabled if systemd is running ?

Thanks !

Hi,

I'm getting some exceptions running Lynis on Slackware.

[22:16:43] Performing test ID KRNL-5830 (Checking if system is running on the latest kernel)
[22:16:43] Test: Checking presence /var/run/reboot-required.pkgs
[22:16:43] Result: file /var/run/reboot-required.pkgs not found
[22:16:43] Result: /boot exists, performing more tests from here
[22:16:43] Result: found symlink of /boot/vmlinuz, skipping file
[22:16:43] Result: using 3.18.11 as my kernel version (stripped)
[22:16:43] Result: Found generic
[22:16:43] Result: Found huge
[22:16:43] Result: Found vmlinuz
[22:16:43] Result: Found generic.3.18.11
[22:16:43] Result: Found huge.3.18.11
[22:16:43] Exception: test has an exceptional event (KRNL-5830:3) with text Could not find our running kernel on disk, which is unexpected

A stock Slackware /boot layout is:

$ls -la /boot/vmlinuz*
lrwxrwxrwx 1 root root      20 Abr 26 19:04 /boot/vmlinuz -> vmlinuz-huge-3.18.11
lrwxrwxrwx 1 root root      23 Abr 26 19:04 /boot/vmlinuz-generic -> vmlinuz-generic-3.18.11
-rw-r--r-- 1 root root 3942896 Abr  7 15:04 /boot/vmlinuz-generic-3.18.11
lrwxrwxrwx 1 root root      20 Abr 26 19:04 /boot/vmlinuz-huge -> vmlinuz-huge-3.18.11
-rw-r--r-- 1 root root 7144496 Abr  7 15:10 /boot/vmlinuz-huge-3.18.11

As you can see, Lynis is looking for vmlinuz-huge.3.18.11, while the stock kernels are vmlinuz-huge-3.18.11.

It would be nice to have a proper treatment for this.

Due to differences in Linux distros, the swap test should be altered, combining different possibilities.

   #FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`

    FIND=`awk '{ if ($2=="swap" && $3~/sw/) { print $1 }}' /etc/fstab`

Hi,

when no umask is setted in /etc/profile, the result of the test is :

[17:19:19] Result: found several umask values configured in /etc/profile
[17:19:19] Hardening: assigned 1 hardening points (max for this item: 2), current: 1, total: 2
[17:19:19] Hardening: assigned 2 hardening points (max for this item: 2), current: 3, total: 4

because the item :

FIND2=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l`

returns 0, and the following test is

if [ "${FIND2}" = "1" ]; then OK ; else "found several values"; fi

doesn't act differently if the result is 0 or a number greater than 1.

I'm using a distro which has all classical bindirs (/bin, /sbin, /usr/sbin, etc.) symlinked to /usr/bin, so only the actual directory (/usr/bin in my case) should be scanned. What happens for me is every symlink seems to be scanned, effectively meaning the same folder is scanned multiple times.

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
    - Checking /bin...                                        [ FOUND ]
    - Checking /sbin...                                       [ FOUND ]
    - Checking /usr/bin...                                    [ FOUND ]
    - Checking /usr/sbin...                                   [ FOUND ]
    - Checking /usr/local/bin...                              [ FOUND ]
    - Checking /usr/local/sbin...                             [ FOUND ]

Red Hat RHEL 7 uses Chrony by default. Initial support for Chrony should be added.

I did tarball lynis 2.0 install but confused as to whether there is a profile specifically for CentOS ?

what is correct syntax for --profile and what are all available options for linux distrubutions available ?

lynis --auditor "centminmod.com initial run" -c -Q --profile CentOS

[ Lynis 2.0.0 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See the LICENSE file for details about using this software.

 Copyright 2007-2015 - CISOfy, https://cisofy.com
 Enterprise support and plugins available via CISOfy
################################################################################

[+] Initializing program
------------------------------------
Fatal error: Can't open profile file (CentOS)

thanks

That way I'll be able to use lynis in CI while building docker containers or full blown images.
I plan to add lynis as one of my serverspec tests and for that it is required that lynis will exit with the correct status code.

Hi,

I've come with a bug on parsing nginx logs :

I get this error on every nginx log available : ```
./include/functions: line 781: [: /var/log/nginx/<my_log_file>: binary operator expected

in the `include/functions:781`, the ${VALUE} contains "<my_log_file> main" so the -f test cannot return true.

```++ '[' '!' -f /var/log/nginx/<my_log_file> main ']'

Thanx for your help

Umask settings are not checked in SHLL-6240 and SHLL-6250.

• grep wasn't provided the name of the file to check in SHLL-6240 (FIND=grep "^umask" | awk '{ print $2 }' without any file to check)
• There was no code for SHLL-6250.

Code included for both in pull request #37

Firewall check in lynis 2.0 doesn't check for CSF Firewall http://configserver.com/cp/csf.html which is commonly used in cpanel.net based control panel installs as well as standalone on CentOS servers.

I use CSF Firewall for CentminMod.com LEMP stack by default which interfaces with iptables http://centminmod.com/csf_firewall.html

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ NOT FOUND ]
  - Checking pf                                               [ NOT FOUND ]
  - Checking host based firewall                              [ NOT ACTIVE ]

Add functionality to determine if built-in support is available, to run the yum security functionality.

The "most current" kernel detection is off. It has to do with the sorting, but I'm not quite sure how to fix it 100% (thus no email with a patch ;-) ).

Changing the simple sort at the end of line # 495, in include/tests_kernel, to this:

sort -t\. -k1n -k2n -k3n

...will get you to the hyphenated part of the version number. Adding something like:

| sort -t\- -k2n

....borks the whole thing, so I'm not quite sure where to go from there. It's almost as if there needs to be a subfunction that sorts the hyphenated mini-version, then re-concatenates it to the rest of the version string. But it needs to take into consideration, the rest of the version string and prioritize that over the hyphenated mini-version.

So, after all of the piped sed's let's use this as our list of kernel versions:

3.13.0-35
3.2.0-57
3.13.1-11
3.13.1-9

Using the first sort string (sort -t\. -k2n -k3n) gets you to here:

3.2.0-57
3.13.0-35
3.13.1-11
3.13.1-9

...but we want version 3.13.1-11 to be at the bottom, since that is our "most current" version.

Using sort -t\. -k2n -k3n is OK, but it's only a 90% solution, as they say. So I'm going to continue poking at other areas, as I find them, but I thought I would document this, as is.....for posterity, or whatever. ;-)

BTW, I played around with awk'ing the hyphen (-) to a period (.) (could also be done with sed), but that didn't get me anywhere.

Also, as an after thought...

| sed 's/[.-]//g' | sort -n

...gets us there, but with some sacrifices. 3.13.1[.-]9 is now at the top of the list, rather than 2nd to last, as it should be.

Ubuntu systems can use update-motd to generate a motd file from .d files. If you have this setup Lynis doesn't see your MOTD file.

Apple ships OS X with pf, but also with their application level firewall. Lynis should also check the status of that firewall. /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate shows you the status of the firewall. It could be added if that binary was detected. I'm not sure if you want to keep adding more and more paths to the binary search path list or if you have a more ideal way of detecting the CTL command.

the USB storage test should also consider whether
authorized_default is set. Because even though the best option is to not
have any USB drivers available, this option still somewhat mitigates
this issue.

See:
https://www.kernel.org/doc/Documentation/usb/authorization.txt

Some tips also in here
pyllyukko/harden.yml@193bda5

I see ntpd and a few other NTP daemons being scanned by Lynis, so it's seems reasonable to scan for systemd's variant as well.

systemd-timecyncd's status can be retrieved via systemctl is-enabled systemd-timesyncd and systemctl is-active systemd-timesyncd, which both return 0 on a service being enabled and active respectively.

does lynis --check-update auto download latest version for tarball manual installs to /usr/local/lynis ?

or do I need to script my own cronjob for updating tarball manual installs

thanks

It would appear that ALL (or, at least most) output from glsa-check is sent to STDERR. As is, lynis expects the string "This system is affected by the following GLSAs:", if the system has vulnerable packages (filtering that particular string out).

If the system does NOT have vulnerable packages, glsa-check send the following string to STDERR: "This system is not affected by any of the listed GLSAs". Since STDERR is redirected to STDOUT in th lynis check, it gives a false positive, even though the system is clean.

I have a 64-bit gentoo VM that I think has some outstanding GLSAs, I may be able to assist with this one.

The test should check savscand process instead of SophosScanD

Actually, at line 277 of "~lynis/include/tests_logging", the check is made against :
sed 's//[a-zA-Z_.-]$//g' | sort | uniq
It should be done against :
sed 's//[^/]$//g'
But because we are checking against a string that should contain a "/", it's better to chack with :
sed 's@/[^/]$@@g'

Pull request #37 available including this correction.

I'm trying to run an hardening compliance tests with Lynis. after the test is done I see:

• Compliance Test [X]
  
  Is the Compliance tests only available in the Lynis enterprise suite or I'm missing something?

Checked locations:
/var/lib/mlocate/mlocate.db /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database

Linux From Scratch (LFS) and/or some derivations of LFS (smoothwall) store the DB for updatedb in the subject path. It should be checked as a valid path for check FILE-6410

I'd consider this a secure setup and having root login enabled actually makes sense for a couple of reasons:

• Root has reserved memory so if the box runs OOM you can still log in to kill whatever is creating the issue (oom killer doesn't always manage to do that)
• It's really cumbersome to copy files only accessible to root via scp if you can't log in as root
• root is the only one who can log in when /etc/nologin exists or when /home happens to be unaccessible

Could you check if key authentication is required and if it is omit the warning when root login is enabled?

# ./lynis audit Dockerfile ../Dockerfile

[ Lynis 2.1.0 ]
....

  Error: Invalid option '../Dockerfile'
  See man page and documentation for all available options.

both in a vm (Linux vagrant-ubuntu-trusty-64 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux) and OSX.

Do i use this in a wrong way? According to docs

 Mode:

    audit
        audit system                  : Perform security scan
        audit Dockerfile <file>       : Analyze Dockerfile

I ran lynis 2.0 on a CentOS 7 server installed with my custom CentminMod.com LEMP stack where Nginx and PHP-FPM are source compiled.

Lynis detects and reports expose_php is ON while in fact it is OFF

    [+] PHP
------------------------------------
  - Checking PHP                                              [ FOUND ]
    - Checking PHP disabled functions                         [ FOUND ]
    - Checking expose_php option                              [ ON ]
    - Checking enable_dl option                               [ OFF ]
    - Checking allow_url_fopen option                         [ ON ]
    - Checking allow_url_include option                       [ OFF ]

check PHPINFO

php -i | grep expose
expose_php => Off => Off

PHP-FPM install has custom settings set in configscandir defined at PHP compile time

cat /etc/centminmod/php.d/a_customphp.ini

date.timezone = UTC
max_execution_time = 60
short_open_tag = On
realpath_cache_size = 8192k
realpath_cache_ttl = 600
upload_max_filesize = 20M
memory_limit = 160M
post_max_size = 20M
expose_php = Off
mail.add_x_header = Off
max_input_nesting_level = 128
max_input_vars = 2000
mysqlnd.net_cmd_buffer_size = 16384

this overrides the default php.ini set expose_php value

grep expose_php /usr/local/lib/php.ini
expose_php = On

so maybe extend the check to grep php -i output ?

php -i | grep expose

Hi,

Debian Jessie's default runlevel returns N 5, so the BOOT-5180 test returns that it couldn't determine runlevel.

an ugly tweak :

diff --git a/include/tests_boot_services b/include/tests_boot_services
index 5ce609f..f0aad2c 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -464,7 +464,7 @@
     Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Runlevel check
-        sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"`
+        sRUNLEVEL=`${RUNLEVELBINARY} | grep "N [2,5]"`
         if [ ! "${sRUNLEVEL}" = "" ]; then
             FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
             if [ ! "${FIND}" = "" ]; then

May be it could be nicer to test if debian version is >= 8.0 ;)

Cheers

Official README https://github.com/CISOfy/Lynis/blob/master/README suggests to create directory at /usr/local/lynis for installation but this path is not checked for in lynis itself ?

I symlinked lynis to /usr/bin/lynis so if you run lynis by itself it hangs as it can't find default.prf

so maybe add /usr/local/lynis/default.prf path to tPROFILE_TARGETS array ?

# Try to find a default profile file, if none is specified
if [ "${PROFILE}" = "" ]; then
    tPROFILE_TARGETS="/usr/local/etc/lynis/default.prf /etc/lynis/default.prf ./default.prf"
    for I in ${tPROFILE_TARGETS}; do
        if [ -f ${I} ]; then PROFILE=${I}; fi
    done
fi

I made a quick hack designed to detect installed unsigned packages, and signs of application installation from outside the package manager. Although not always a security issue, that kind of mismanagement can easily lead to one. Installing software from outside the official sources can prove fatal if not done in controlled manner...

You might want to take a look at what I did, and consider including (something similar) in Lynis by default:

https://github.com/mikkolehtisalo/Lynis/blob/master/plugins/plugin_rpmchecks_phase1

glsa-check -t all

manually installed lynis 2.0 tarball on CentOS 7 system which has my own centminmod.com LEMP web stack installed.

running command

lynis --auditor "centminmod.com initial run" -c -Q --profile /usr/local/lynis/default.prf

gives me errors at

[+] Software: webserver
------------------------------------
  - Checking Apache                                           [ NOT FOUND ]
  - Checking nginx                                            [ FOUND ]
    - Searching nginx configuration file                      [ FOUND ]
      - Found nginx includes                                  [ 7 FOUND ]
    - Parsing configuration options
./include/functions: line 772: [: too many arguments
./include/functions: line 772: [: too many arguments
./include/functions: line 772: [: too many arguments
      - SSL configured                                        [ NO ]
      - Checking log file configuration
        - Missing log files (access_log)                      [ NO ]
        - Disabled access logging                             [ NO ]
        - Missing log files (error_log)                       [ NO ]
        - Debugging mode on error_log                         [ NO ]

my Nginx stack is source compiled with following options

nginx -V
nginx version: nginx/1.7.10
built by gcc 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) 
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_flv_module --with-http_realip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.3 --add-module=../headers-more-nginx-module-0.25 --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.3 --add-module=../openresty-memc-nginx-module-1518da4 --add-module=../openresty-srcache-nginx-module-ffa9ab7 --add-module=../nginx-sticky-module-1.2.5 --add-module=../nginx_upstream_check_module-0.3.0 --with-openssl=../openssl-1.0.2 --with-libatomic --with-pcre=../pcre-8.36 --with-pcre-jit --with-http_spdy_module --add-module=../ngx_pagespeed-release-1.9.32.3-beta

In the file include/tests_hardening line 105 reads: ReportSuggestion ${TEST_NO} "Harden the system by installing one or malware scanners to perform periodic file system scans".

This is not clear. Did you mean "one or more malware scanners"? Did you mean "one of malware scanners"?

The detection method in include/tests_firewall will not detect an empty ruleset when fail2ban is installed. This is caused by fail2ban inserting an extra chain, which makes FIRE-4513 return a "1":

Here's my iptables list, with fail2ban installed:

root@FFF-BASE:~/lynis# iptables --list --numeric
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-ssh (0 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

mod_evasive is not detected, though it is installed (but not configured).

File listing from gentoo package:

 * Contents of www-apache/mod_evasive-1.10.1:
/etc
/etc/apache2
/etc/apache2/modules.d
/etc/apache2/modules.d/10_mod_evasive.conf
/usr
/usr/lib
/usr/lib/apache2
/usr/lib/apache2/modules
/usr/lib/apache2/modules/mod_evasive.so
/var
/var/log
/var/log/apache2
/var/log/apache2/evasive
/var/log/apache2/evasive/.keep_www-apache_mod_evasive-0

Solution - use https://packages.cisofy.com instead of a PPA

The project has a PPA but it does not provide any packages.
It could be nice to be able to install this through apt-get.

See PPA here: https://launchpad.net/~cisofy/+archive/ubuntu/lynis

SSL is enabled in the default virtual host config (/etc/nginx/sites-available/default). Lynis reports that SSL should be enabled, indicating that it isn't finding the SSL configuration.

Setting strict umasks in /etc/login.defs and /etc/init.d/rc causes gnome to fail when loading the login screen.

This isn't an issue with Lynis, per se, except that the recommendation is to set the umask to 022.