Lynis security controls
Controls
| Control | Category | Description |
|---|---|---|
| TIME-3104 | Time | Running NTP daemon Proper time synchronization is important for authentication services, forensics and troubleshooting. Therefore a time daemon (like ntpd) should be running, or a scheduled task to sync time (like ntpdate). |
| TIME-3106 | Time | Check status of timedatectl NTP is enabled, however timedatectl is not syncing time |
| TIME-3116 | Time | Stratum 16 servers Time servers are used to sync the time with the host. When a used server is not properly configured or not working, it will be listed as a stratum 16 server, giving it a very low priority. Usually when finding a server with a value of 16, the server should be checked or replaced with an alternative server. |
| TIME-3120 | Time | Reliability of NTP servers Lynis tests if the used NTP server candidates are reliable enough to be used. If items show up with a dash or minus, they are unreliable and should be checked or replaced. The NTP configuration and time synchronization in particular, is important for systems. It helps with properly logging the actual time, which is needed for many services. Having the right time is also important for accounting purposes and forensics. |
| TIME-3124 | Time | NTP time local source used When only a local source is being used on a system, it might indicate that external sources are not reachable or usable. The NTP configuration and time synchronization in particular, is important for systems. It helps with properly logging the actual time, which is needed for many services. Having the right time is also important for accounting purposes and forensics. Check the NTP configuration of this system to determine the cause of this finding. |
| TIME-3128 | Time | NTP time source candidates Lynis checks if the NTP time source candidates can be found in the peers overview. If not, then the configuration usually needs to be checked and updated. Differences between the active configuration and the one stored on disk, may result in a non-functional NTP configuration after reboot. |
| TIME-3132 | Time | NTP false-tickers False-tickers are NTP sources which do not work properly (e.g. non-functional, time not accurate). Lynis checks for false-tickers to prevent systems using bad sources for time synchronization. This may otherwise result in incorrect timestamps in log files and accounting data. |
| TIME-3136 | Time | NTP protocol version The NTP protocol version is gathered by Lynis as an informational test. Only when Lynis is not being able to detect the version, it will provide a suggestion to check it manually. |
| TIME-3160 | Time | NTP step-tickers configuration Lynis checks if step-tickers are configured in /etc/ntp/step-tickers and compares them with the list of servers in the general NTP configuration file. |