LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-18-2010, 02:17 PM   #1
ShaneH57 (LQ Newbie; registered Jan 2010; distribution: Ubuntu, CentOS, Slackware, Fedora)
Securing Ubuntu


I ran Lynis auditing software and it gave me back some things I need to do to my computer. Some of these I just cannot figure out. Can someone please help? Here is the output of Lynis:

-[ Lynis 1.2.9 Results ]-

Tests performed: 160
Warnings:
----------------------------
- [10:46:25] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [impact:L]
- [10:46:26] Warning: iptables module(s) loaded, but no rules active [test:FIRE-4512] [impact:L]

Suggestions:
----------------------------
- [10:45:56] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
- [10:45:57] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
- [10:45:58] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
- [10:45:58] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
- [10:46:25] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]
- [10:46:25] Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705]
- [10:46:26] Suggestion: Disable iptables kernel module if not used or make sure rules are being used [test:FIRE-4512]
- [10:46:26] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
- [10:46:35] Suggestion: Enable logging to an external logging host for archiving purposes and additional protection [test:LOGG-2154]
- [10:46:38] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]
- [10:46:44] Suggestion: Check ntpq peers output for time source candidates [test:TIME-3128]
- [10:46:48] Suggestion: Install a file integrity tool [test:FINT-4350]
- [10:46:52] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
 
01-18-2010, 02:43 PM   #2
AleLinuxBSD (Member; registered May 2006; location: Italy; distribution: Ubuntu, ArchLinux, Debian, SL, OpenBSD)
I think the messages that you have received are quite clear.
That program gives you some suggestions to increase the security of your system.

Use a firewall (write a script or use some GUI client to build a firewall).
Put expiration limits on the passwords that you use to access your system.
Don't install (or remove) compilers from your system (gcc).
etc.
They are nice recommendations, though some could be "boring" or not very useful if it is a home PC.
For example, if you disable USB devices, you should remember the command to re-enable them when you need to copy something to your USB stick.

Enable auditd to collect audit information:
OK, nice, but you should understand the audit information that you collect over time.
Install a file integrity tool:
OK, but after that you should check after every change to your system (have some backups), etc.

To decrease the impact of a full /tmp file system, place /tmp on a separated partition
Partition your HDD so you can put your /tmp on a separate partition.

So yes, the suggestions are nice, but I think it is a bit excessive if the use is for a home PC, while if it is for a server, maintenance of the data collected by these instruments (audit and integrity) should be done frequently.
 
01-18-2010, 02:58 PM   #3
GrapefruiTgirl (LQ Guru; registered Dec 2006; distribution: Slackware64)
I don't see a huge pile of stuff you _NEED_ to do, but there are some things worth mentioning, based on that output.

1) It says there are no nameservers in your /etc/resolv.conf file. I find this odd, unless this machine is not connected to the internet. Nameservers are used to resolve IP addresses, like when you type "google.com" into your browser, a nameserver converts that name into an IP address. NOT having them in the file is not a security concern in and of itself, that I'm aware of, but I suppose, theoretically, some malicious process could stick some bad addresses in there, to hijack your DNS queries and send you to a wrong website, or to a malicious website. But if you don't have a lot of unneeded net-connected services running and listening for connections, and you don't run as root when browsing the internet, and you don't leave the machine unlocked and unattended in a public area, you should be OK. Having no entries in /etc/resolv.conf generally means you may have problems browsing the net, which evidently you are having no trouble doing.

2) It says iptables modules are loaded, but no rules are active. This means that you are apparently not running an iptables firewall, but the kernel modules are loaded anyway. Having unused modules loaded is common, and not really bad news, but it would be prudent of me to suggest you look into some sort of firewall if you are not running one. On a secure server, unused kernel modules would likely not even be built, but on a desktop, especially an Ubuntu desktop machine, there are usually a LOAD of modules plugged in by default. No big deal.

3) Password aging: I don't know if ANYONE puts an automatic expiration date on their own user account on a home desktop computer, or on the root account on the home desktop either. It would be a wise suggestion for a server though, that allows user logins. It forces people to change their passwords once in a while, which is a good idea in general.

4) the /tmp folder: it's telling you that if /tmp ever gets full (either by normal use, or by someone maliciously putting a bunch of crap in there) it could cause problems because /tmp is in the same partition as the root filesystem itself.
Not a huge thing to worry about on a desktop machine especially, but you might consider checking /tmp occasionally and cleaning old stuff out of it, or coming up with a way of cleaning out /tmp completely at startup, or just before shutdown. Not an emergency anyhow. I don't know what *most* people do, but my /tmp folder is on the same partition as the rest of my OS.

5) disabling drivers for USB and firewire when not in use? Hmmm.. Overkill in my humble opinion. If you use a password on your machine, and don't leave it unattended in a place where unauthorized people can play with it, I wouldn't worry about this.

6) Logging: in the event that your machine ever gets hacked, and maybe gets the logs deleted, it could be handy to have the logs stored elsewhere than on the machine itself. This allows you to not only have access TO the logs in the event that your machine gets wiped, but also may prevent people who happen to hack into your machine from covering their tracks by deleting logs. However, this becomes pointless if someone manages to get root access to the machine, because then they could likely wipe your remote logs too, if they were really determined. Remote log storage is a good idea, but in my humble opinion, not required for a desktop machine, unless you just want to store a long long long history of logs without them occupying a lot of space on your machine.

7) auditd.. This is one of many system auditing tools, that monitors the machine for changes to things that should not be changing. Someone else may have some comments on this. I don't use auditd, so I don't want to comment either way.

8) ntpq.. NTP is a method of getting the correct time of day from a remote time server. It's a decent idea to configure the NTP client (daemon) on your machine, so your time of day is correct. Otherwise, you will need to check the time once in a while and adjust as necessary. Not a big deal, but ntpd is handy to use.

9) file integrity tool. Common tools for monitoring file integrity on a machine include "rkhunter", "chkrootkit", and "tripwire". It's wise to run one or more of these on a somewhat regular basis, to make sure that nobody or nothing has rootkitted your machine (which means, a bad program has hidden itself inside some program or code on your machine) or that no hidden process has modified parts of your system without your knowledge. I use both rkhunter and chkrootkit on a semi-regular basis.

10) removing unnecessary compilers.. This is ridiculous for a desktop machine, particularly if you want to be able to build (compile) software yourself. On a server, YES, this is a good idea, for the reason mentioned in your report. But unless you want to run two systems in parallel, one to compile stuff on, and one to use and run stuff on, like I said, a desktop machine does not need to have its compilers removed.

Hope this clears some things up for you! And you'll surely get other feedback too, so stay tuned.

Welcome to LQ,

Sasha
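The checks Sasha walks through above (nameserver count, iptables rules, password aging, a separate /tmp) as small shell functions, with each failing file shown next to a fixed one. This is an added example, not code from the thread or from Lynis itself; the resolv.conf, login.defs, fstab and `iptables -S` samples it writes are constructed (192.0.2.x is the documentation address range), and the Lynis test IDs in the output are just the ones quoted in the report.

```shell
#!/bin/sh
# Added example (not from the thread or from Lynis): four of the findings in
# the report above, re-implemented as POSIX sh checks, run against
# constructed "as reported" and "fixed" sample files so the difference is
# visible. On a live system point the functions at /etc/resolv.conf,
# /etc/login.defs, /etc/fstab and the saved output of `iptables -S`.

# NETW-2705: Lynis wants two nameservers. Count uncommented "nameserver"
# lines. (Lynis also probes them; this only counts what is configured.)
count_nameservers() {
    grep -Ec '^[[:space:]]*nameserver[[:space:]]+[^[:space:]]+' "$1" || true
}

# AUTH-9286: aging is enforced when PASS_MAX_DAYS is set below the 99999
# default. Commented lines have "#" in field 1 and are skipped by awk.
password_aging_enforced() {
    max=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 }
               END { if (v == "") v = 99999; print v }' "$1")
    [ "$max" -gt 0 ] && [ "$max" -lt 99999 ]
}

# FILE-6310: /tmp is its own filesystem if an uncommented fstab entry has
# the mount point (field 2) exactly /tmp.
tmp_is_separate() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { found = 1 } END { exit !found }' "$1"
}

# FIRE-4512: "modules loaded, no rules active" means `iptables -S` prints
# only default chain policies (-P lines) and no rules (-A lines).
iptables_rule_count() {
    grep -c '^-A ' "$1" || true
}

# Run the four checks, print a Lynis-style line per finding and return the
# number of findings (0 means everything passed).
audit_files() {
    findings=0
    ns=$(count_nameservers "$1")
    if [ "$ns" -lt 2 ]; then
        echo "Warning: $ns nameserver(s) configured, want 2 [NETW-2705]"
        findings=$((findings + 1))
    fi
    if ! password_aging_enforced "$2"; then
        echo "Suggestion: set PASS_MAX_DAYS in login.defs [AUTH-9286]"
        findings=$((findings + 1))
    fi
    if ! tmp_is_separate "$3"; then
        echo "Suggestion: mount /tmp on its own filesystem [FILE-6310]"
        findings=$((findings + 1))
    fi
    if [ "$(iptables_rule_count "$4")" -eq 0 ]; then
        echo "Warning: iptables has only default policies, no rules [FIRE-4512]"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: the state the report describes, plus a fixed version
# of each file (192.0.2.x is the documentation address range).
write_samples() {
    d=$1
    printf '%s\n' 'search example.internal' 'nameserver 192.0.2.53' > "$d/resolv.conf"
    printf '%s\n' 'search example.internal' 'nameserver 192.0.2.53' \
        'nameserver 192.0.2.54' > "$d/resolv.conf.fixed"
    printf '%s\n' '# PASS_MAX_DAYS 60' 'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' \
        'PASS_WARN_AGE 7' > "$d/login.defs"
    printf '%s\n' 'PASS_MAX_DAYS 90' 'PASS_MIN_DAYS 1' 'PASS_WARN_AGE 7' > "$d/login.defs.fixed"
    printf '%s\n' '/dev/sda1 / ext4 errors=remount-ro 0 1' > "$d/fstab"
    printf '%s\n' '/dev/sda1 / ext4 errors=remount-ro 0 1' \
        'tmpfs /tmp tmpfs nodev,nosuid,noexec,size=1G 0 0' > "$d/fstab.fixed"
    printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT' > "$d/iptables.empty"
    printf '%s\n' '-P INPUT DROP' '-P FORWARD DROP' '-P OUTPUT ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT' > "$d/iptables.fixed"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"

echo "== as reported =="
FINDINGS=0
audit_files "$SAMPLES/resolv.conf" "$SAMPLES/login.defs" \
            "$SAMPLES/fstab" "$SAMPLES/iptables.empty" || FINDINGS=$?
echo "== after fixes =="
FINDINGS_FIXED=0
audit_files "$SAMPLES/resolv.conf.fixed" "$SAMPLES/login.defs.fixed" \
            "$SAMPLES/fstab.fixed" "$SAMPLES/iptables.fixed" || FINDINGS_FIXED=$?
echo "findings before: $FINDINGS, after: $FINDINGS_FIXED"
# Remove "$SAMPLES" when done; it is left in place here for inspection.
```

The fixed fstab line mounts /tmp as tmpfs with nodev,nosuid,noexec, which also stops anything dropped into /tmp from being executed directly; the fixed iptables set is a minimal default-deny INPUT chain that still allows loopback, established connections and SSH. Neither is the only correct answer, just a concrete shape for the suggestions in the report.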
 
01-18-2010, 04:40 PM   #4
unSpawn (Moderator; registered May 2001)
In addition to what's said already I suggest you run Tiger instead. Javier, the same person who maintains the (still valid) Securing Debian Manual, updated it recently. Tiger has been around for ages, is distro-agnostic but has some Debian-specific checks and should be in anyone's assessment kit.
 
01-20-2010, 10:30 AM   #5
ShaneH57 (Original Poster)
I use both tiger and lynis. I am just working with lynis right now. I want to try a different program than tiger.
 
  


All times are GMT -5.