LinuxQuestions.org
Old 01-29-2022, 03:39 PM   #1
actinide
Member
 
Registered: Jan 2012
Posts: 333

Rep: Reputation: Disabled
Lynis report


Can anybody tell me what's wrong with this report?

OS: Linuxmint 20 ulyana
Kernel: x86_64 Linux 5.4.0-96-generic

[+] Boot and services
------------------------------------

[WARNING]: Test DEB-0880 had a long execution: 17.754257 seconds

- Service Manager [ systemd ]
- Checking UEFI boot [ DISABLED ]
- Checking presence GRUB2 [ FOUND ]
- Checking for password protection [ NONE ]
- Check running services (systemctl) [ DONE ]
Result: found 31 running services
- Check enabled services at boot (systemctl) [ DONE ]
Result: found 61 enabled services
- Check startup files (permissions) [ OK ]
- Running 'systemd-analyze security'
- ModemManager.service: [ MEDIUM ]
- NetworkManager.service: [ EXPOSED ]
- accounts-daemon.service: [ UNSAFE ]
- acpid.service: [ UNSAFE ]
- alsa-state.service: [ UNSAFE ]
- anacron.service: [ UNSAFE ]
- avahi-daemon.service: [ UNSAFE ]
- bluetooth.service: [ MEDIUM ]
- clamav-freshclam.service: [ UNSAFE ]
- cron.service: [ UNSAFE ]
- cups-browsed.service: [ UNSAFE ]
- cups.service: [ UNSAFE ]
- dbus.service: [ UNSAFE ]
- dm-event.service: [ UNSAFE ]
- dmesg.service: [ UNSAFE ]
- emergency.service: [ UNSAFE ]
- fwupd.service: [ EXPOSED ]
- geoclue.service: [ MEDIUM ]
- getty@tty1.service: [ UNSAFE ]
- getty@tty7.service: [ UNSAFE ]
- hddtemp.service: [ UNSAFE ]
- irqbalance.service: [ MEDIUM ]
- kerneloops.service: [ UNSAFE ]
- lightdm.service: [ UNSAFE ]
- lvm2-lvmpolld.service: [ UNSAFE ]
- mintsystem.service: [ UNSAFE ]
- networkd-dispatcher.service: [ UNSAFE ]
- ntp-systemd-netif.service: [ UNSAFE ]
- ntp.service: [ UNSAFE ]
- ondemand.service: [ UNSAFE ]
- plymouth-start.service: [ UNSAFE ]
- polkit.service: [ UNSAFE ]
- rc-local.service: [ UNSAFE ]
- rescue.service: [ UNSAFE ]
- resolvconf.service: [ UNSAFE ]
- rsync.service: [ UNSAFE ]
- rsyslog.service: [ UNSAFE ]
- rtkit-daemon.service: [ MEDIUM ]
- systemd-ask-password-console.service: [ UNSAFE ]
- systemd-ask-password-plymouth.service: [ UNSAFE ]
- systemd-ask-password-wall.service: [ UNSAFE ]
- systemd-coredump@0.service: [ PROTECTED ]
- systemd-fsckd.service: [ UNSAFE ]
- systemd-initctl.service: [ UNSAFE ]
- systemd-journald.service: [ PROTECTED ]
- systemd-logind.service: [ PROTECTED ]
- systemd-networkd.service: [ PROTECTED ]
- systemd-resolved.service: [ PROTECTED ]
- systemd-rfkill.service: [ UNSAFE ]
- systemd-udevd.service: [ EXPOSED ]
- thermald.service: [ UNSAFE ]
- udisks2.service: [ UNSAFE ]
- upower.service: [ PROTECTED ]
- user@1000.service: [ UNSAFE ]
- uuidd.service: [ PROTECTED ]
- wpa_supplicant.service: [ UNSAFE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Kernel
------------------------------------
- Checking default run level [ RUNLEVEL 5 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
Found 147 active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ NOT FOUND ]
- Checking for available kernel update [ OK ]
- Checking core dumps configuration
- configuration in systemd conf files [ DEFAULT ]
- configuration in etc/profile [ DEFAULT ]
- 'hard' configuration in security/limits.conf [ DEFAULT ]
- 'soft' configuration in security/limits.conf [ DEFAULT ]
- Checking setuid core dumps configuration [ DISABLED ]
- Check if reboot is needed [ NO ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Memory and Processes
------------------------------------

[WARNING]: Test KRNL-5830 had a long execution: 13.484896 seconds

- Checking /proc/meminfo [ FOUND ]
- Searching for dead/zombie processes [ NOT FOUND ]
- Searching for IO waiting processes [ NOT FOUND ]
- Search prelink tooling [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ OK ]
- Unique UIDs [ OK ]
- Consistency of group files (grpck) [ OK ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password file consistency [ OK ]
- Password hashing methods [ SUGGESTION ]
- Checking password hashing rounds [ DISABLED ]
- Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ NOT ENABLED ]
- Sudoers file(s) [ FOUND ]
- Permissions for directory: /etc/sudoers.d [ WARNING ]
- Permissions for: /etc/sudoers [ OK ]
- Permissions for: /etc/sudoers.d/README [ OK ]
- Permissions for: /etc/sudoers.d/0pwfeedback [ OK ]
- Permissions for: /etc/sudoers.d/mintupdate [ OK ]
- PAM password strength tools [ SUGGESTION ]
- PAM configuration files (pam.conf) [ FOUND ]
- PAM configuration files (pam.d) [ FOUND ]
- PAM modules [ FOUND ]
- LDAP module in PAM [ NOT FOUND ]
- Accounts without expire date [ SUGGESTION ]
- Accounts without password [ OK ]
- Locked accounts [ OK ]
- Checking user password aging (minimum) [ DISABLED ]
- User password aging (maximum) [ DISABLED ]
- Checking expired passwords [ OK ]
- Checking Linux single user mode authentication [ OK ]
- Determining default umask
- umask (/etc/profile) [ NOT FOUND ]
- umask (/etc/login.defs) [ SUGGESTION ]
- LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ ENABLED ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 4 shells (valid shells: 4).
- Session timeout settings/tools [ NONE ]
- Checking default umask values
- Checking default umask in /etc/bash.bashrc [ NONE ]
- Checking default umask in /etc/profile [ NONE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Checking LVM volume groups [ FOUND ]
- Checking LVM volumes [ FOUND ]
- Query swap partitions (fstab) [ OK ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- Checking /var/tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Mount options of / [ NON DEFAULT ]
- Mount options of /boot [ DEFAULT ]
- Mount options of /dev [ HARDENED ]
- Mount options of /dev/shm [ PARTIALLY HARDENED ]
- Mount options of /run [ HARDENED ]
- Total without nodev:8 noexec:12 nosuid:6 ro or noexec (W^X): 12 of total 42
- Checking Locate database [ FOUND ]
- Disable kernel support of some filesystems

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] USB Devices
------------------------------------
- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
- Checking USB devices authorization [ ENABLED ]
- Checking USBGuard [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Storage
------------------------------------
- Checking firewire ohci driver (modprobe config) [ DISABLED ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] NFS
------------------------------------
- Check running NFS daemon [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Name services
------------------------------------
- Searching DNS domain name [ UNKNOWN ]
- Checking /etc/hosts
- Duplicate entries in hosts file [ NONE ]
- Presence of configured hostname in /etc/hosts [ FOUND ]
- Hostname mapped to localhost [ NOT FOUND ]
- Localhost mapping to IP address [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Ports and packages
------------------------------------
- Searching package managers
- Searching dpkg package manager [ FOUND ]
- Querying package manager



[WARNING]: Test PKGS-7345 had a long execution: 17.055130 seconds

- Query unpurged packages [ FOUND ]
- Checking security repository in sources.list.d directory [ OK ]
- Checking APT package database [ OK ]
- Checking vulnerable packages (apt-get only) [ DONE ]
- Checking upgradeable packages [ SKIPPED ]
- Checking package audit tool [ INSTALLED ]
Found: apt-get
- Toolkit for automatic upgrades [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Networking
------------------------------------
- Checking IPv6 configuration [ ENABLED ]
Configuration method [ AUTO ]
IPv6 only [ NO ]
- Checking configured nameservers
- Testing nameservers
Nameserver: 10.80.0.1 [ OK ]
- Minimal of 2 responsive nameservers [ WARNING ]
- DNSSEC supported (systemd-resolved) [ NO ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client
- Checking for ARP monitoring software [ NOT FOUND ]
- Uncommon network protocols [ 0 ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Printers and Spools
------------------------------------
- Checking cups daemon [ RUNNING ]
- Checking CUPS configuration file [ OK ]
- File permissions [ WARNING ]
- Checking CUPS addresses/sockets [ FOUND ]
- Checking lp daemon [ NOT RUNNING ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: e-mail and messaging
------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ FOUND ]
- Checking iptables policies of chains [ FOUND ]
- Checking for empty ruleset [ OK ]
- Checking for unused rules [ FOUND ]
- Checking host based firewall [ ACTIVE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: webserver
------------------------------------
- Checking Apache [ NOT FOUND ]
- Checking nginx [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] SSH Support
------------------------------------
- Checking running SSH daemon [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Databases
------------------------------------
No database engines found

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] PHP
------------------------------------


- Checking PHP [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Squid Support
------------------------------------

- Checking running Squid daemon [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]

- Checking minilogd instances [ NOT FOUND ]
- Checking logrotate presence [ OK ]
- Checking remote logging [ NOT ENABLED ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]

- Checking deleted files in use [ FILES FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Insecure services
------------------------------------
- Installed inetd package [ NOT FOUND ]
- Installed xinetd package [ OK ]

- xinetd status
- Installed rsh client package [ OK ]
- Installed rsh server package [ OK ]
- Installed telnet client package [ OK ]

- Installed telnet server package [ NOT FOUND ]
- Checking NIS client installation [ OK ]

- Checking NIS server installation [ OK ]
- Checking TFTP client installation [ OK ]
- Checking TFTP server installation [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Banners and identification
------------------------------------
- /etc/issue [ FOUND ]
- /etc/issue contents [ WEAK ]
- /etc/issue.net [ FOUND ]
- /etc/issue.net contents [ WEAK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Scheduled tasks
------------------------------------
- Checking crontab and cronjob files [ DONE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Accounting
------------------------------------
- Checking accounting information [ NOT FOUND ]
- Checking sysstat accounting data [ NOT FOUND ]
- Checking auditd [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Time and Synchronization
------------------------------------
- NTP daemon found: ntpd [ FOUND ]

- Checking for a running NTP daemon or client [ OK ]
- Checking valid association ID's [ FOUND ]
- Checking high stratum ntp peers [ OK ]
- Checking unreliable ntp peers [ NONE ]
- Checking selected time source [ OK ]
- Checking time source candidates [ OK ]
- Checking falsetickers [ OK ]
- Checking NTP version [ FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Cryptography
------------------------------------

- Checking for expired SSL certificates [0/4] [ NONE ]
- Found 1 LUKS encrypted block devices. [ OK ]
- Found 0 encrypted and 1 unencrypted swap devices in use. [ OK ]
- Kernel entropy is sufficient [ YES ]
- HW RNG & rngd [ NO ]
- SW prng [ NO ]
- MOR variable not found [ WEAK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Virtualization
------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Containers
------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ FOUND ]
- Checking AppArmor status [ ENABLED ]
Found 114 unconfined processes

- Checking presence SELinux [ NOT FOUND ]
- Checking presence TOMOYO Linux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Software: file integrity
------------------------------------
- Checking file integrity tools

- dm-integrity (status) [ DISABLED ]

- dm-verity (status) [ DISABLED ]
- Checking presence integrity tool [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NOT FOUND ]
- Checking for IDS/IPS tooling [ NONE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Software: Malware
------------------------------------

- Checking ClamAV scanner [ FOUND ]
- Malware software components [ FOUND ]
- Active agent [ NOT FOUND ]
- Rootkit scanner [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] File Permissions
------------------------------------
- Starting file permissions check

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Home directories
------------------------------------

- Permissions of home directories [ OK ]
- Ownership of home directories [ OK ]
- Checking shell history files [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Kernel Hardening
------------------------------------

- Comparing sysctl key pairs with scan profile



- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]

- fs.suid_dumpable (exp: 0) [ OK ]
- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]

- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]

- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]


[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]

- Installed malware scanner [ FOUND ]
- Non-native binary formats [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Custom tests
------------------------------------
- Running custom tests... [ NONE ]

[+] Plugins (phase 2)
------------------------------------

================================================================================
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

Lynis security scan details:

Hardening index : 60 [############ ]
Tests performed : 266
Plugins enabled : 1

Components:
- Firewall [V]
- Malware scanner [V]

Scan mode:
Normal [V] Forensics [ ] Integration [ ] Pentest [ ]

Lynis modules:
- Compliance status [?]
- Security audit [V]
- Vulnerability scan [V]

Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat

================================================================================
 
Old 01-29-2022, 03:45 PM   #2
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,670

Rep: Reputation: Disabled
When you do it interactively, it will color problematic results red.
 
Old 01-29-2022, 04:12 PM   #3
actinide
Member
 
Registered: Jan 2012
Posts: 333

Original Poster
Rep: Reputation: Disabled
I'm getting loads of red errors.
 
Old 01-29-2022, 04:20 PM   #4
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,670

Rep: Reputation: Disabled
Then post only those lines from the report.
 
Old 01-29-2022, 07:57 PM   #5
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,323
Blog Entries: 28

Rep: Reputation: 6141
Also, please surround terminal output in "code" tags, which become available when you click the "Go Advanced" button beneath the compose/edit window.

They make terminal output much easier to read.
 
  

