From 7322a8a97f9cc23533a357370b757bc04102aac9 Mon Sep 17 00:00:00 2001 From: Fabian Vogt Date: Tue, 30 Nov 2021 11:43:35 +0100 Subject: [PATCH] Update Lynis baseline for x86_64 New issues: * Audit missing rules: boo#1191614#c2, fix is submitted * False positive in reboot detection: https://github.com/CISOfy/lynis/issues/1241 * Insecure grub.cfg permissions: boo#1189644 --- ...it-system-nocolors-Tumbleweed-x86_64-gnome | 122 +++++++----------- ...system-nocolors-Tumbleweed-x86_64-textmode | 91 +++++-------- 2 files changed, 76 insertions(+), 137 deletions(-) diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-gnome b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-gnome index 7e0cfc109791..533e1ef3c747 100644 --- a/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-gnome +++ b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-gnome @@ -1,5 +1,5 @@ -[ Lynis 3.0.5 ] +[ Lynis 3.0.6 ] ################################################################################ Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -17,11 +17,11 @@ - Checking profiles... [ DONE ] --------------------------------------------------- - Program version: 3.0.5 + Program version: 3.0.6 Operating system: Linux Operating system name: openSUSE - Operating system version: 20210703 - Kernel version: 5.12.13 + Operating system version: 20211129 + Kernel version: 5.15.5 Hardware platform: x86_64 Hostname: susetest --------------------------------------------------- 
@@ -49,65 +49,24 @@   - Plugins enabled [ NONE ] -================================================================= - - Exception found! - - Function/test: [GetHostID] - Message: Can't create hostid (no MAC addresses found) - - Help improving the Lynis community with your feedback! - - Steps: - - Ensure you are running the latest version (/usr/bin/lynis update check) - - If so, create a GitHub issue at https://github.com/CISOfy/lynis - - Include relevant parts of the log file or configuration file - - Thanks! - -================================================================= - - -================================================================= - - Exception found! - - Function/test: [GetHostID] - Message: Can't create HOSTID, command ip not found - - Help improving the Lynis community with your feedback! - - Steps: - - Ensure you are running the latest version (/usr/bin/lynis update check) - - If so, create a GitHub issue at https://github.com/CISOfy/lynis - - Include relevant parts of the log file or configuration file - - Thanks! 
- -================================================================= - - [+] Boot and services ------------------------------------ - - [WARNING]: Test CORE-1000 had a long execution: 19.703842 seconds - - Service Manager [ systemd ] - Checking UEFI boot [ DISABLED ] - Checking presence GRUB2 [ FOUND ] - Checking for password protection [ NONE ] - Check running services (systemctl) [ DONE ] -Result: found 32 running services +Result: found 33 running services - Check enabled services at boot (systemctl) [ DONE ] Result: found 26 enabled services - Check startup files (permissions) [ OK ] - Running 'systemd-analyze security' - ModemManager.service: [ MEDIUM ] - NetworkManager.service: [ EXPOSED ] -- accounts-daemon.service: [ UNSAFE ] +- accounts-daemon.service: [ EXPOSED ] - after-local.service: [ UNSAFE ] - alsa-state.service: [ UNSAFE ] -- appstream-sync-cache.service: [ UNSAFE ] +- appstream-sync-cache.service: [ MEDIUM ] - auditd.service: [ EXPOSED ] - avahi-daemon.service: [ UNSAFE ] - chronyd.service: [ EXPOSED ] @@ -123,15 +82,17 @@ - getty@tty1.service: [ UNSAFE ] - getty@tty6.service: [ UNSAFE ] - getty@tty7.service: [ UNSAFE ] -- gpm.service: [ UNSAFE ] +- gpm.service: [ EXPOSED ] - haveged.service: [ MEDIUM ] - irqbalance.service: [ MEDIUM ] +- lvm2-lvmpolld.service: [ UNSAFE ] - mcelog.service: [ UNSAFE ] - nscd.service: [ UNSAFE ] -- pcscd.service: [ UNSAFE ] +- pcscd.service: [ EXPOSED ] - plymouth-start.service: [ UNSAFE ] - polkit.service: [ UNSAFE ] - postfix.service: [ UNSAFE ] +- power-profiles-daemon.service: [ EXPOSED ] - rc-local.service: [ UNSAFE ] - rescue.service: [ UNSAFE ] - rtkit-daemon.service: [ MEDIUM ] @@ -140,7 +101,7 @@ - serial-getty@ttyS0.service: [ UNSAFE ] - serial-getty@ttyS1.service: [ UNSAFE ] - serial-getty@ttyS2.service: [ UNSAFE ] -- smartd.service: [ UNSAFE ] +- smartd.service: [ EXPOSED ] - snapperd.service: [ MEDIUM ] - sshd.service: [ UNSAFE ] - systemd-ask-password-console.service: [ UNSAFE ] 
@@ -151,6 +112,7 @@ - systemd-rfkill.service: [ UNSAFE ] - systemd-timesyncd.service: [ PROTECTED ] - systemd-udevd.service: [ MEDIUM ] +- tuned.service: [ UNSAFE ] - udisks2.service: [ UNSAFE ] - upower.service: [ PROTECTED ] - user@0.service: [ UNSAFE ] @@ -165,7 +127,7 @@ - Checking kernel version and release [ DONE ] - Checking kernel type [ DONE ] - Checking loaded kernel modules [ DONE ] -Found 102 active modules +Found 86 active modules - Checking Linux kernel configuration file [ FOUND ] - Checking default I/O kernel scheduler [ NOT FOUND ] - Checking core dumps configuration @@ -174,7 +136,7 @@ - 'hard' configuration in security/limits.conf [ DEFAULT ] - 'soft' configuration in security/limits.conf [ DEFAULT ] - Checking setuid core dumps configuration [ DISABLED ] -- Check if reboot is needed [ NO ] +- Check if reboot is needed [ YES ] [+] Memory and Processes ------------------------------------ @@ -282,10 +244,10 @@ - Searching RPM package manager [ FOUND ] - Querying RPM package manager - [WARNING]: Test PKGS-7308 had a long execution: 24.410926 seconds + [WARNING]: Test PKGS-7308 had a long execution: 23.399025 seconds - [WARNING]: Test PKGS-7328 had a long execution: 14.423750 seconds + [WARNING]: Test PKGS-7328 had a long execution: 12.376914 seconds - Using Zypper to find vulnerable packages [ NONE ] - Checking package audit tool [ INSTALLED ] @@ -453,7 +415,7 @@ - Checking accounting information [ NOT FOUND ] - Checking sysstat accounting data [ NOT FOUND ] - Checking auditd [ ENABLED ] -- Checking audit rules [ OK ] +- Checking audit rules [ SUGGESTION ] - Checking audit configuration file [ OK ] - Checking auditd log file [ FOUND ] 
@@ -481,7 +443,7 @@ ------------------------------------ - Checking presence AppArmor [ FOUND ] - Checking AppArmor status [ ENABLED ] -Found 96 unconfined processes +Found 95 unconfined processes - Checking presence SELinux [ NOT FOUND ] - Checking presence TOMOYO Linux [ NOT FOUND ] - Checking presence grsecurity [ NOT FOUND ] @@ -506,7 +468,7 @@ [+] File Permissions ------------------------------------ - Starting file permissions check -File: /boot/grub2/grub.cfg [ OK ] +File: /boot/grub2/grub.cfg [ SUGGESTION ] File: /etc/cron.deny [ OK ] File: /etc/crontab [ OK ] File: /etc/group [ OK ] @@ -515,7 +477,6 @@ File: /etc/hosts.deny [ OK ] File: /etc/issue [ SUGGESTION ] File: /etc/issue.net [ OK ] -File: /etc/motd [ OK ] File: /etc/passwd [ OK ] File: /etc/passwd- [ OK ] File: /etc/hosts.equiv [ OK ] @@ -548,7 +509,6 @@ - kernel.modules_disabled (exp: 1) [ DIFFERENT ] - kernel.perf_event_paranoid (exp: 3) [ DIFFERENT ] - kernel.randomize_va_space (exp: 2) [ OK ] -- kernel.suid_dumpable (exp: 0) [ OK ] - kernel.sysrq (exp: 0) [ DIFFERENT ] - kernel.unprivileged_bpf_disabled (exp: 1) [ DIFFERENT ] - net.core.bpf_jit_harden (exp: 2) [ DIFFERENT ] 
@@ -588,13 +548,15 @@ [WARNING]: Deprecated function used (logtext) -Warning: Package iio-sensor-proxy-3.1-1.1.x86_64 installs an unknown D-BUS autostart/system service: net.hadess.SensorProxy.conf [ WARNING ] -Warning: Package bluez-5.58-1.5.x86_64 installs an unknown D-BUS autostart/system service: org.bluez.service [ WARNING ] -Warning: Package flatpak-1.11.2-1.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.Flatpak.SystemHelper.service [ WARNING ] -Warning: Package bolt-0.9.1-1.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.bolt.service [ WARNING ] -Warning: Package fwupd-1.5.8-1.3.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.fwupd.service [ WARNING ] -Warning: Package systemd-248.3-1.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] -Warning: Package snapper-0.9.0-6.1.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] +Warning: Package power-profiles-daemon-0.10.1-2.1.x86_64 installs an unknown D-BUS autostart/system service: net.hadess.PowerProfiles.conf [ WARNING ] +Warning: Package iio-sensor-proxy-3.3-1.1.x86_64 installs an unknown D-BUS autostart/system service: net.hadess.SensorProxy.conf [ WARNING ] +Warning: Package power-profiles-daemon-0.10.1-2.1.x86_64 installs an unknown D-BUS autostart/system service: net.hadess.PowerProfiles.service [ WARNING ] +Warning: Package bluez-5.62-1.3.x86_64 installs an unknown D-BUS autostart/system service: org.bluez.service [ WARNING ] +Warning: Package flatpak-1.12.2-1.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.Flatpak.SystemHelper.service [ WARNING ] +Warning: Package bolt-0.9.1-2.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.bolt.service [ WARNING ] +Warning: Package fwupd-1.6.4-1.1.x86_64 installs an unknown D-BUS autostart/system service: 
org.freedesktop.fwupd.service [ WARNING ] +Warning: Package systemd-249.7-1.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] +Warning: Package snapper-0.9.0-7.1.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] [WARNING]: Deprecated function used (wait_for_keypress) @@ -621,7 +583,7 @@ [WARNING]: Deprecated function used (logtext) -No bad RPATH usage found in 7973 executables [ OK ] +No bad RPATH usage found in 8179 executables [ OK ] [WARNING]: Deprecated function used (wait_for_keypress) @@ -629,7 +591,7 @@ [+] File systems ------------------------------------ - [WARNING]: Test BINARY-1000 had a long execution: 63.736589 seconds + [WARNING]: Test BINARY-1000 had a long execution: 62.374736 seconds - Starting look-up of symlinks in /tmp... @@ -683,18 +645,25 @@ ================================================================================ - -[ Lynis 3.0.5 Results ]- + -[ Lynis 3.0.6 Results ]- - Warnings (2): + Warnings (3): ---------------------------- + ! Reboot of system is most likely needed [KRNL-5830] + - Solution : reboot + https://cisofy.com/lynis/controls/KRNL-5830/ + ! Couldn't find 2 responsive nameservers [NETW-2705] https://cisofy.com/lynis/controls/NETW-2705/ ! iptables module(s) loaded, but no rules active [FIRE-4512] https://cisofy.com/lynis/controls/FIRE-4512/ - Suggestions (40): + Suggestions (42): ---------------------------- + * This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [LYNIS] + https://cisofy.com/lynis/controls/LYNIS/ + * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] https://cisofy.com/lynis/controls/BOOT-5122/ 
@@ -809,6 +778,9 @@ * Enable sysstat to collect accounting (no results) [ACCT-9626] https://cisofy.com/lynis/controls/ACCT-9626/ + * Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630] + https://cisofy.com/lynis/controls/ACCT-9630/ + * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] https://cisofy.com/lynis/controls/FINT-4350/ @@ -842,8 +814,8 @@ Lynis security scan details: - Hardening index : 82 [################ ] - Tests performed : 263 + Hardening index : 81 [################ ] + Tests performed : 264 Plugins enabled : 0 Components: @@ -873,7 +845,7 @@ ================================================================================ - Lynis 3.0.5 + Lynis 3.0.6 Auditing, system hardening, and compliance for UNIX-based systems (Linux, macOS, BSD, and others) diff --git a/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-textmode b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-textmode index 7bf4def111e6..be496d8c9b4a 100644 --- a/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-textmode +++ b/data/lynis/baseline-lynis-audit-system-nocolors-Tumbleweed-x86_64-textmode @@ -1,5 +1,5 @@ -[ Lynis 3.0.5 ] +[ Lynis 3.0.6 ] ################################################################################ Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -17,11 +17,11 @@ - Checking profiles... [ DONE ] --------------------------------------------------- - Program version: 3.0.5 + Program version: 3.0.6 Operating system: Linux Operating system name: openSUSE - Operating system version: 20210703 - Kernel version: 5.12.13 + Operating system version: 20211129 + Kernel version: 5.15.5 Hardware platform: x86_64 Hostname: susetest --------------------------------------------------- 
@@ -49,49 +49,8 @@   - Plugins enabled [ NONE ] -================================================================= - - Exception found! - - Function/test: [GetHostID] - Message: Can't create hostid (no MAC addresses found) - - Help improving the Lynis community with your feedback! - - Steps: - - Ensure you are running the latest version (/usr/bin/lynis update check) - - If so, create a GitHub issue at https://github.com/CISOfy/lynis - - Include relevant parts of the log file or configuration file - - Thanks! - -================================================================= - - -================================================================= - - Exception found! - - Function/test: [GetHostID] - Message: Can't create HOSTID, command ip not found - - Help improving the Lynis community with your feedback! - - Steps: - - Ensure you are running the latest version (/usr/bin/lynis update check) - - If so, create a GitHub issue at https://github.com/CISOfy/lynis - - Include relevant parts of the log file or configuration file - - Thanks! - -================================================================= - - [+] Boot and services ------------------------------------ - - [WARNING]: Test CORE-1000 had a long execution: 17.226488 seconds - - Service Manager [ systemd ] - Checking UEFI boot [ DISABLED ] - Checking presence GRUB2 [ FOUND ] @@ -99,7 +58,7 @@ - Check running services (systemctl) [ DONE ] Result: found 24 running services - Check enabled services at boot (systemctl) [ DONE ] -Result: found 25 enabled services +Result: found 24 enabled services - Check startup files (permissions) [ OK ] - Running 'systemd-analyze security' - after-local.service: [ UNSAFE ] 
@@ -129,7 +88,7 @@ - serial-getty@ttyS0.service: [ UNSAFE ] - serial-getty@ttyS1.service: [ UNSAFE ] - serial-getty@ttyS2.service: [ UNSAFE ] -- smartd.service: [ UNSAFE ] +- smartd.service: [ EXPOSED ] - snapperd.service: [ MEDIUM ] - sshd.service: [ UNSAFE ] - systemd-ask-password-console.service: [ UNSAFE ] @@ -155,7 +114,7 @@ - Checking kernel version and release [ DONE ] - Checking kernel type [ DONE ] - Checking loaded kernel modules [ DONE ] -Found 101 active modules +Found 86 active modules - Checking Linux kernel configuration file [ FOUND ] - Checking default I/O kernel scheduler [ NOT FOUND ] - Checking core dumps configuration @@ -164,7 +123,7 @@ - 'hard' configuration in security/limits.conf [ DEFAULT ] - 'soft' configuration in security/limits.conf [ DEFAULT ] - Checking setuid core dumps configuration [ DISABLED ] -- Check if reboot is needed [ NO ] +- Check if reboot is needed [ YES ] [+] Memory and Processes ------------------------------------ @@ -431,7 +390,7 @@ - Checking accounting information [ NOT FOUND ] - Checking sysstat accounting data [ NOT FOUND ] - Checking auditd [ ENABLED ] -- Checking audit rules [ OK ] +- Checking audit rules [ SUGGESTION ] - Checking audit configuration file [ OK ] - Checking auditd log file [ FOUND ] @@ -483,7 +442,7 @@ [+] File Permissions ------------------------------------ - Starting file permissions check -File: /boot/grub2/grub.cfg [ OK ] +File: /boot/grub2/grub.cfg [ SUGGESTION ] File: /etc/cron.deny [ OK ] File: /etc/crontab [ OK ] File: /etc/group [ OK ] @@ -492,7 +451,6 @@ File: /etc/hosts.deny [ OK ] File: /etc/issue [ SUGGESTION ] File: /etc/issue.net [ OK ] -File: /etc/motd [ OK ] File: /etc/passwd [ OK ] File: /etc/passwd- [ OK ] File: /etc/hosts.equiv [ OK ] 
@@ -525,7 +483,6 @@ - kernel.modules_disabled (exp: 1) [ DIFFERENT ] - kernel.perf_event_paranoid (exp: 3) [ DIFFERENT ] - kernel.randomize_va_space (exp: 2) [ OK ] -- kernel.suid_dumpable (exp: 0) [ OK ] - kernel.sysrq (exp: 0) [ DIFFERENT ] - kernel.unprivileged_bpf_disabled (exp: 1) [ DIFFERENT ] - net.core.bpf_jit_harden (exp: 2) [ DIFFERENT ] @@ -565,8 +522,8 @@ [WARNING]: Deprecated function used (logtext) -Warning: Package systemd-248.3-1.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] -Warning: Package snapper-0.9.0-6.1.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] +Warning: Package systemd-249.7-1.1.x86_64 installs an unknown D-BUS autostart/system service: org.freedesktop.timesync1.service [ WARNING ] +Warning: Package snapper-0.9.0-7.1.x86_64 installs an unknown D-BUS autostart/system service: org.opensuse.Snapper.service [ WARNING ] [WARNING]: Deprecated function used (wait_for_keypress) @@ -593,7 +550,7 @@ [WARNING]: Deprecated function used (logtext) -No bad RPATH usage found in 4262 executables [ OK ] +No bad RPATH usage found in 4355 executables [ OK ] [WARNING]: Deprecated function used (wait_for_keypress) @@ -601,7 +558,7 @@ [+] File systems ------------------------------------ - [WARNING]: Test BINARY-1000 had a long execution: 30.047560 seconds + [WARNING]: Test BINARY-1000 had a long execution: 31.845813 seconds - Starting look-up of symlinks in /tmp... 
@@ -654,18 +611,25 @@ ================================================================================ - -[ Lynis 3.0.5 Results ]- + -[ Lynis 3.0.6 Results ]- - Warnings (2): + Warnings (3): ---------------------------- + ! Reboot of system is most likely needed [KRNL-5830] + - Solution : reboot + https://cisofy.com/lynis/controls/KRNL-5830/ + ! Couldn't find 2 responsive nameservers [NETW-2705] https://cisofy.com/lynis/controls/NETW-2705/ ! iptables module(s) loaded, but no rules active [FIRE-4512] https://cisofy.com/lynis/controls/FIRE-4512/ - Suggestions (39): + Suggestions (41): ---------------------------- + * This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [LYNIS] + https://cisofy.com/lynis/controls/LYNIS/ + * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] https://cisofy.com/lynis/controls/BOOT-5122/ @@ -777,6 +741,9 @@ * Enable sysstat to collect accounting (no results) [ACCT-9626] https://cisofy.com/lynis/controls/ACCT-9626/ + * Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630] + https://cisofy.com/lynis/controls/ACCT-9630/ + * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] https://cisofy.com/lynis/controls/FINT-4350/ @@ -810,7 +777,7 @@ Lynis security scan details: - Hardening index : 81 [################ ] + Hardening index : 80 [################ ] Tests performed : 259 Plugins enabled : 0 @@ -841,7 +808,7 @@ ================================================================================ - Lynis 3.0.5 + Lynis 3.0.6 Auditing, system hardening, and compliance for UNIX-based systems (Linux, macOS, BSD, and others)
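Review bot: accepting `- Check if reboot is needed [ YES ]` as the expected result (hunk @@ -174,7 +136,7 @@ in the gnome baseline, and the matching @@ -164,7 +123,7 @@ in textmode) bakes into the baseline a result the commit message itself describes as a false positive (https://github.com/CISOfy/lynis/issues/1241), so a later run on an image that genuinely needs a reboot would no longer produce a diff for KRNL-5830. Consider filtering the KRNL-5830 lines from the comparison instead, or add a comment in the PR referencing the upstream issue so the line is flipped back to `[ NO ]` once the fix lands.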
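Review bot: `File: /boot/grub2/grub.cfg [ SUGGESTION ]` (hunks @@ -506,7 +468,7 @@ and @@ -483,7 +442,7 @@) turns a permission regression the commit message tracks as boo#1189644 into the expected output, so the comparison will pass for as long as the bug persists and fail again only when the permissions are corrected. Worth marking this line with the bug number so it is reverted to `[ OK ]` together with the fix rather than staying at SUGGESTION indefinitely.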
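Review bot: the `* Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630]` entries (hunks @@ -809,6 +778,9 @@ and @@ -777,6 +741,9 @@), together with `- Checking audit rules [ SUGGESTION ]` in @@ -453,7 +415,7 @@ and @@ -431,7 +390,7 @@, record a state the commit message says already has a fix submitted (boo#1191614#c2). If that fix reaches Tumbleweed before this baseline is consumed, both the ACCT-9630 lines and the `Suggestions (42)` / `Suggestions (41)` counts will mismatch immediately; a note in the PR listing which lines are expected to revert would save the next person a bisect.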
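Review bot: the `* This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [LYNIS]` line added in hunks @@ -683,18 +645,25 @@ and @@ -654,18 +611,25 @@ depends on the wall-clock date relative to the Lynis 3.0.6 release, not on the image under test, so the baseline (and the Suggestions count next to it) now encodes a time-dependent result. If the comparison is exact, filtering the LYNIS control out of both the baseline and the live output is more robust than baselining it.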
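Review bot: the removal of `- kernel.suid_dumpable (exp: 0) [ OK ]` (hunks @@ -548,7 +509,6 @@ and @@ -525,7 +483,6 @@) is not mentioned in the commit message; a one-line note on whether Lynis 3.0.6 dropped this sysctl from its default profile or the check is no longer produced for another reason would let a reader tell a tool change apart from a lost hardening setting.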
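Review bot: the dropped `File: /etc/motd [ OK ]` line (hunks @@ -515,7 +477,6 @@ and @@ -492,7 +451,6 @@) is likewise unexplained; since the file permission section otherwise lists the same files as before, please state whether /etc/motd is simply absent from the 20211129 image or whether the check itself changed, so the baseline diff documents the cause.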