- Determining default
umask
-
umask
(
/etc/profile
)
[
NOT FOUND
]
-
umask
(
/etc/login.defs
)
[
SUGGESTION
]
- LDAP authentication support
[
NOT ENABLED
]
- Logging failed login attempts
[
ENABLED
]
As you can see from the output,
lynis
found problems with the pluggable authentica‐
tion module (PAM) password strength tools, such that it was willing to offer a sugges‐
tion. Additionally, it found a problem with the default file permission settings. This is
the umask setting that it checked in
/etc/login.defs
. Finally, it found a problem with
the single-user mode authentication. Single-user mode is when you can gain physical
access to the system and reboot it. Unless specifically set, booting into single-user
mode doesn’t require authentication, and the single user is root. Anyone with physical
access to a system can boot into it in single user and add users, change passwords,
and make other changes before booting back into the normal mode.
The console output provides one level of detail, but there is a log file that is created.
Looking at the log file, which defaults to
/var/log/lynis.log
, you can see far more
details.
ing run. The output in this log file shows every step taken by the program as well as
the outcome from each step. You will also notice that when there are findings, the
program will indicate them in the output. You will see in the case of
libpam-usb
that
there is a suggestion for what can be done to further harden the operating system
against attack.
Example 4-4. Log file from run of lynis
2018-01-06 20:11:48
===
------------------------------------------------
===
2018-01-06 20:11:48 Performing
test
ID CUST-0280
(
Checking
if
libpam-tmpdir is
installed and enabled.
)
2018-01-06 20:11:49 - libpam-tmpdir is not installed.
2018-01-06 20:11:49 Hardening: assigned partial number of hardening points
(
0
of 2
)
.
Currently having
0
points
(
out of 2
)
2018-01-06 20:11:49 Suggestion: Install libpam-tmpdir to
set
$TMP
and
$TMPDIR
for
PAM sessions
[
test
:CUST-0280
]
[
details:-
]
[
solution:-
]
2018-01-06 20:11:49 Status: Checking
if
libpam-usb is
installed and enabled...
2018-01-06 20:11:49
===
------------------------------------------------
===
2018-01-06 20:11:49 Performing
test
ID CUST-0285
(
Checking
if
libpam-usb is installed
and enabled.
)
2018-01-06 20:11:49 - libpam-usb is not installed.
2018-01-06 20:11:49 Hardening: assigned partial number of hardening points
(
0
of 10
)
.
Currently having
0
points
(
out of 12
)
2018-01-06 20:11:49 Suggestion: Install libpam-usb to
enable
multi-factor
authentication
for
PAM sessions
[
test
:CUST-0285
]
[
details:-
]
[
solution:-
]
2018-01-06 20:11:49 Status: Starting file system checks...
2018-01-06 20:11:49 Status: Starting file system checks
