Lynis security controls



Controls

Control | Category | Description
AUTH-9204 | Authentication | Multiple users with uid 0

While the system allows it, configuring multiple accounts with a user ID of zero (0) is usually bad practice. Create separate accounts instead and grant privileges through proper group membership.

AUTH-9208 | Authentication | Duplicate accounts or IDs

Lynis checks for duplicates by reading the passwd file and counting each ID. Any ID that appears more than once is reported as a finding. Accounts and user IDs should be unique to enable proper accounting; several accounts sharing the same ID may result in data loss.

AUTH-9216 | Authentication | Consistency of password/group files

The password and group files (and their shadow equivalents) are an important part of the authentication process. Security controls such as access control and file permissions also depend on proper authentication and accounting of users. Inconsistencies in the password file can be caused by malicious activity or, in some cases, by improper use of tools such as a file editor. Inconsistencies should therefore be checked for and fixed.

AUTH-9218 | Authentication | Accounts without password

Lynis checks user accounts for ones that do not have a password. Accounts without a password are considered bad practice, as each user should prove he or she is the rightful owner of the account. A missing password may give more than one authorized user access to the account and therefore seriously impacts proper accounting. Loss of data or damage to the integrity of data may be the result of missing passwords.
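The three passwd-file conditions above (AUTH-9204, AUTH-9208 and AUTH-9218) can be checked with a few awk filters. The script below is an added example, not Lynis code; it runs on a constructed passwd sample written to a temporary file, and the same functions can be pointed at /etc/passwd on a real host.

```shell
#!/bin/sh
# Added example (not Lynis code): audit a passwd-format file for the three
# conditions behind AUTH-9204, AUTH-9208 and AUTH-9218. Point the functions
# at /etc/passwd on a real host; here they run on a constructed sample.

SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT

# Constructed sample: a second uid-0 account, a shared UID and an account
# with an empty password field.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1000:1002:Carol:/home/carol:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh
EOF

# AUTH-9204: every account whose UID is 0 (more than one is a finding).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# AUTH-9208: UIDs that occur more than once, printed as uid:user1,user2.
duplicate_uids() {
    awk -F: '{ count[$3]++; users[$3] = (users[$3] == "" ? "" : users[$3] ",") $1 }
             END { for (u in count) if (count[u] > 1) print u ":" users[u] }' "$1" | sort
}

# AUTH-9218: accounts whose password field is empty. "x" (hash lives in
# /etc/shadow) or a locked marker ("!", "*") is fine; an empty field is not.
nopassword_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Summary report, one line per check.
report() {
    printf 'uid 0 accounts:  %s\n' "$(uid0_accounts "$1" | tr '\n' ' ')"
    printf 'duplicate UIDs:  %s\n' "$(duplicate_uids "$1" | tr '\n' ' ')"
    printf 'empty passwords: %s\n' "$(nopassword_accounts "$1" | tr '\n' ' ')"
}

report "$SAMPLE_PASSWD"
```

On a live system, pair these checks with `pwck -r` and `grpck -r` from shadow-utils, which verify the structural consistency of the passwd, shadow, group and gshadow files (AUTH-9216 and AUTH-9228) without modifying them.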

AUTH-9222 | Authentication | Unique authentication groups

Groups should be unique to ensure each user has the appropriate permissions.

AUTH-9228 | Authentication | Linux password file consistency

Password files like /etc/passwd and /etc/shadow should be checked on a regular basis to see if any errors are present.

AUTH-9262 | Authentication | PAM password strengthening tools

Several modules within the PAM framework can help restrict access to facilities to authorized people only, by enforcing requirements such as a strong password, the right console, or the right software.

Passwords should be protected and strengthened where possible. On Unix and Linux based systems this is usually done via PAM modules and the related configuration files. Examples include tools like passwdqc (password quality control) and cracklib (password cracking library).

AUTH-9282 | Authentication | Passwords (expire date)

Passwords are the main key to access an account, related services and information. Therefore they need to be protected by means of a strong password and password expiry. This particular test found passwords without an expire date. Depending on the sensitivity of the information on this machine, check whether this is appropriate and in line with the security policy.

AUTH-9283 | Authentication | Passwords (no password set)

Passwords are the main key to access an account, related services and information. Therefore they need to be protected by means of a strong password and password expiry. This particular test found accounts without a password. Depending on the sensitivity of the information on this machine, check whether this is appropriate and in line with the security policy.

AUTH-9286 | Authentication | Password aging

Proper protection against weak passwords, combined with regular changes, limits the risk of passwords being cracked or obtained by unauthorized people.

AUTH-9288 | Authentication | Expired passwords

Some accounts have been found with an expired password.
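The four shadow-file states above (no password set, no expire date, aging and already expired) all come from fields of /etc/shadow. The script below is an added example, not Lynis code: it audits a constructed shadow sample with "today" passed in as a day number so the results are deterministic. The treatment of 99999 as "never expires" is an assumption based on the shadow-utils default for PASS_MAX_DAYS.

```shell
#!/bin/sh
# Added example (not Lynis code): audit a shadow-format file for the password
# states behind AUTH-9282, AUTH-9283, AUTH-9286 and AUTH-9288. Shadow fields:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved, where
# lastchange and expire are days since 1970-01-01. "Today" is passed in as a
# day number so the output does not depend on the clock.

SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT

# Constructed sample (hashes shortened). Day 19700 is used as "today".
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$salt$hash:19500:0:99999:7:::
alice:$6$salt$hash:19650:7:90:14:::
bob:$6$salt$hash:19000:0:60:7:::
carol:$6$salt$hash:19650::::::
dave::19650:0:90:7:::
svc:*:19000::::::
EOF

# Awk filter for accounts that actually carry a password hash: an empty field
# means "no password", a leading "!" or "*" means locked or disabled.
HAS_HASH='$2 != "" && $2 !~ /^[!*]/'

# AUTH-9283: accounts with no password at all.
no_password_set() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# AUTH-9282 / AUTH-9286: password-bearing accounts whose password never
# expires. An empty max-days field means "no limit"; 99999 is the shadow-utils
# default (PASS_MAX_DAYS in /etc/login.defs) and is effectively "never".
never_expires() {
    awk -F: "$HAS_HASH"' && ($5 == "" || $5 == 99999) { print $1 }' "$1"
}

# AUTH-9288: password-bearing accounts whose password has already expired,
# i.e. last change + max-days lies before the given day number.
expired_passwords() {
    awk -F: -v today="$2" "$HAS_HASH"' && $5 != "" && ($3 + $5) < today { print $1 }' "$1"
}

# Current day number, the unit chage(1) and shadow(5) use.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

printf 'no password:     %s\n' "$(no_password_set "$SAMPLE_SHADOW" | tr '\n' ' ')"
printf 'never expires:   %s\n' "$(never_expires "$SAMPLE_SHADOW" | tr '\n' ' ')"
printf 'expired (19700): %s\n' "$(expired_passwords "$SAMPLE_SHADOW" 19700 | tr '\n' ' ')"
```

On a real host run the functions against /etc/shadow with `$(today_days)` as the day number; `chage -l USER` shows the same fields in readable form, and `chage -M 90 -W 14 USER` is one way to set a maximum age and warning period where the policy requires it.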

AUTH-9308 | Authentication | Protect single user mode

Physical access to the machine can be used to load alternative software or a different operating system during the boot phase. Configure a password in the boot loader to prevent this. This test applies to Linux based systems only.

AUTH-9328 | Authentication | Default umask

The umask defines the default file permissions applied to a newly created file or directory. Servers usually use a stricter umask such as 027, whereas desktops may use a less strict one (022).
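The difference between 027 and 022 is easiest to see by computing the resulting modes and then checking them against what the kernel actually applies. The script below is an added example, not Lynis code: `umask_perms` does the arithmetic (files start from 666, directories from 777, and each umask digit removes bits from its triplet) and `observed_modes` creates a file and a directory under that umask in a temporary directory and reports the permission string `ls` shows.

```shell
#!/bin/sh
# Added example (not Lynis code): show what a umask value does to new files
# and directories, and verify the arithmetic against the kernel's behaviour.
# A umask removes bits: new files start from 666 and directories from 777,
# and each umask digit is cleared (bitwise) from the matching triplet.

# Print "files=NNN dirs=NNN" for a three- or four-digit octal umask.
umask_perms() {
    m=$1
    while [ ${#m} -gt 3 ]; do m=${m#?}; done   # drop a leading special-bits digit
    while [ ${#m} -lt 3 ]; do m=0$m; done      # pad short values such as "22"
    u=${m%??}; rest=${m#?}; g=${rest%?}; o=${rest#?}
    printf 'files=%d%d%d dirs=%d%d%d\n' \
        $((6 & ~u)) $((6 & ~g)) $((6 & ~o)) \
        $((7 & ~u)) $((7 & ~g)) $((7 & ~o))
}

# Create one file and one directory under the given umask and report the
# permission string ls shows for each (e.g. "rw-r-----").
observed_modes() {
    d=$(mktemp -d)
    ( umask "$1"; : > "$d/f"; mkdir "$d/d" )
    f_mode=$(ls -ld "$d/f" | cut -c2-10)
    d_mode=$(ls -ld "$d/d" | cut -c2-10)
    rm -rf "$d"
    printf 'files=%s dirs=%s\n' "$f_mode" "$d_mode"
}

for mask in 022 027 077; do
    printf 'umask %s: %s / %s\n' "$mask" "$(umask_perms "$mask")" "$(observed_modes "$mask")"
done
```

With 022 every file is world-readable (644); with 027 the "other" class gets nothing (640 and 750), which is why the stricter value is the usual choice for servers. The system-wide default typically comes from UMASK in /etc/login.defs, the shell profile files, or pam_umask, so check all of them when a finding appears.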

BOOT-5260 | Authentication | Single user mode for systemd

Systemd has a single user mode, named rescue.service. Similar to classic single user mode, it allows access to the system and bypasses several levels of authorization. To protect against this, reconfigure the service with the sulogin option.
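What the test is really asking is whether the command rescue.service ends up running, after any drop-in overrides are merged, goes through sulogin (which asks for the root password) rather than straight into a shell. The script below is an added example, not Lynis code: both unit files are constructed, the sulogin path /sbin/sulogin is an assumption (it is /usr/sbin/sulogin on some distributions), and `effective_execstart` applies systemd's rule that an empty `ExecStart=` line resets the list of commands collected so far.

```shell
#!/bin/sh
# Added example (not Lynis code): check whether rescue.service ends up running
# sulogin once drop-ins are applied, and show the drop-in that enforces it.
# On a real host the unit is /usr/lib/systemd/system/rescue.service (or
# /lib/systemd/system) and the drop-in belongs in
# /etc/systemd/system/rescue.service.d/override.conf.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed unit that drops straight into a root shell: no authentication.
cat > "$WORK/rescue.service" <<'EOF'
[Unit]
Description=Rescue Shell
DefaultDependencies=no

[Service]
Environment=HOME=/root
WorkingDirectory=-/root
ExecStart=-/bin/sh
Type=idle
StandardInput=tty-force
EOF

# Constructed drop-in: the empty ExecStart= clears the unit's own command list,
# then a sulogin-based command is added so the root password is required.
# The sulogin path is an assumption; adjust it to the distribution.
mkdir -p "$WORK/rescue.service.d"
cat > "$WORK/rescue.service.d/override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=-/bin/sh -c "/sbin/sulogin; /bin/systemctl --job-mode=fail --no-block default"
EOF

# Print the effective ExecStart commands after merging the unit and any
# drop-ins in the order given, honouring the "ExecStart=" reset rule.
effective_execstart() {
    cat "$@" | awk '
        /^ExecStart=/ {
            v = substr($0, 11)              # text after "ExecStart="
            if (v == "") n = 0; else cmd[n++] = v
        }
        END { for (i = 0; i < n; i++) print cmd[i] }'
}

# BOOT-5260 check: pass the unit file followed by its drop-ins.
rescue_uses_sulogin() {
    effective_execstart "$@" | grep -q 'sulogin'
}

if rescue_uses_sulogin "$WORK/rescue.service"; then
    echo "unit alone: protected by sulogin"
else
    echo "unit alone: unauthenticated root shell"
fi
if rescue_uses_sulogin "$WORK/rescue.service" "$WORK/rescue.service.d/override.conf"; then
    echo "with drop-in: protected by sulogin"
fi
```

After installing the drop-in on a real system, run `systemctl daemon-reload` and confirm the merged result with `systemctl cat rescue.service`; emergency.service deserves the same treatment. This complements the boot loader password from AUTH-9308: on GRUB 2 that is a `set superusers` entry plus a `password_pbkdf2` hash generated with `grub-mkpasswd-pbkdf2`, so that editing boot entries (including adding a rescue or single-user target) also requires authentication.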