Lynis security controls
|BOOT-5121||Boot||GRUB boot loader check|
Check if GRUB boot loader exists
|BOOT-5122||Boot||Set boot loader password|
By default anyone with physical access to the machine can load alternative software or another operating system during the boot phase. Configure a password in grub to prevent this possibility.
|BOOT-5139||Boot||LILO bootloader password|
By default anyone with physical access to the machine can load alternative software or another operating system during the boot phase. Configure a password in LILO to prevent this possibility.
|BOOT-5180||Boot||Linux boot services (Debian)|
Lynis determines what services are started during runlevel 2 (boot). All boot services should be equal to the ones running, with the exception of the "one-time" processes. The latter group are processes which need a task to perform during or just after booting, like checking the file system. For all others it's common to be equal: if MySQL is running now, it is likely to be found in the boot services scripts as well.
Missing processes in the boot list may lead to unavailability of important services after a reboot. Regular testing and reboots help in determining any missing services.
|BOOT-5184||Boot||Writable start-up scripts|
Unix based systems have an extensive boot process, from loading the bootloader up to the execution of post-boot scripts. Protecting the boot process is important for the integrity of the system.
Start-up scripts define what services will be initialized and started during the boot process. Lynis tests if there are scripts with world writable permissions. These files can be changed by all users on the system and usually started with root permissions. Therefore they impose a risk to the system, as one might include a backdoor into a start-up script.