lynis

Automates the installation, running, and reporting of CISOfy's lynis system audits.

Maintainer

Nick Anderson

Module stats

Total Downloads: 755
Updated: Dec 20, 2024

Installation version

Version
Released on Dec 3, 2021

Installation

                    
cfbs add lynis@0.1.1

Lynis is a security tool for systems running Linux, macOS, or Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing.

This module provides policy to automate the installation, running, and reporting of CISOfy's Lynis system audits and their findings.

Inventory

CISOfy Lynis Version: The version of Lynis installed.
CISOfy Lynis Suggestions: A list of suggestions from the last scan report.
CISOfy Lynis Warnings: A list of warnings from the last scan report.
CISOfy Lynis Control ID findings: A list of the Lynis Control IDs surfaced as warnings or suggestions.
CISOfy Lynis finding count: The number of findings resulting from a scan.
CISOfy Lynis datetime scan completed: Datetime of last completed scan.
CISOfy Lynis Hardening Index: Hardening index from last scan.
CISOfy Lynis Update Available: Whether or not there is an updated version of Lynis available.

https://raw.github.com/nickanderson/cfengine-lynis/master/data/4f/23848e-ef9c-44aa-b268-dafe86ff7979/2017-10-09_Selection_003_2017-10-09_14-38-01.png

Usage

When the policy is run with the inform_mode class defined, it reports the findings.

R: bundle lynis_inventory: SSH-7408 sshd option AllowTcpForwarding. AllowTcpForwarding prefers NO over  YES
R: bundle lynis_inventory: SSH-7408 sshd option ClientAliveCountMax. ClientAliveCountMax prefers 2 over  3
R: bundle lynis_inventory: SSH-7408 sshd option Compression. Compression prefers NO over  DELAYED
R: bundle lynis_inventory: SSH-7408 sshd option LogLevel. LogLevel prefers VERBOSE over  INFO
R: bundle lynis_inventory: SSH-7408 sshd option MaxAuthTries. MaxAuthTries prefers 2 over  6
R: bundle lynis_inventory: SSH-7408 sshd option MaxSessions. MaxSessions prefers 2 over  10
R: bundle lynis_inventory: SSH-7408 sshd option PermitRootLogin. PermitRootLogin prefers NO over  YES
R: bundle lynis_inventory: SSH-7408 sshd option Port. Port prefers  over  22
R: bundle lynis_inventory: SSH-7408 sshd option TCPKeepAlive. TCPKeepAlive prefers NO over  YES
R: bundle lynis_inventory: SSH-7408 sshd option X11Forwarding. X11Forwarding prefers NO over  YES
R: bundle lynis_inventory: KRNL-6000 Restrict use of dmesg. kernel.dmesg_restrict prefers 1 over  0
R: bundle lynis_inventory: KRNL-6000 Restrict access to kernel symbols. kernel.kptr_restrict prefers 2 over  1
R: bundle lynis_inventory: KRNL-6000 Disable/Ignore ICMP routing redirects. net.ipv4.conf.all.accept_redirects prefers 0 over  1
R: bundle lynis_inventory: KRNL-6000 Log all packages for which the host does not have a path back to the source. net.ipv4.conf.all.log_martians prefers 1 over  0
R: bundle lynis_inventory: KRNL-6000 Enforce ingress/egress filtering for packets. net.ipv4.conf.all.rp_filter prefers 1 over  0
R: bundle lynis_inventory: KRNL-6000 Disable/Ignore ICMP routing redirects. net.ipv4.conf.all.send_redirects prefers 0 over  1
R: bundle lynis_inventory: KRNL-6000 Disable/Ignore ICMP routing redirects. net.ipv4.conf.default.accept_redirects prefers 0 over  1
R: bundle lynis_inventory: KRNL-6000 Log all packages for which the host does not have a path back to the source. net.ipv4.conf.default.log_martians prefers 1 over  0
R: bundle lynis_inventory: KRNL-6000 Do not use TCP time stamps. net.ipv4.tcp_timestamps prefers 0 over  1
R: bundle lynis_inventory: KRNL-6000 Disable/Ignore ICMP routing redirects. net.ipv6.conf.all.accept_redirects prefers 0 over  1
R: bundle lynis_inventory: KRNL-6000 Disable/Ignore ICMP routing redirects. net.ipv6.conf.default.accept_redirects prefers 0 over  1
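For triage, the report lines above can be turned into structured findings grouped by Lynis control ID. This is an added example, not part of the module: the line format is inferred from the sample output on this page, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Assumed line shape, inferred from the sample report output on this page:
# "R: bundle lynis_inventory: <ID> <text>. <key> prefers <want> over  <have>"
LINE_RE = re.compile(
    r"^R: bundle lynis_inventory: (?P<control>[A-Z]+-\d+) (?P<text>.+)\. "
    r"(?P<key>\S+) prefers (?P<want>\S*) over\s+(?P<have>\S*)\s*$"
)

# Constructed sample: four report lines taken from this page plus one
# unrelated line, to show that non-matching output is kept aside.
SAMPLE = """\
R: bundle lynis_inventory: SSH-7408 sshd option PermitRootLogin. PermitRootLogin prefers NO over  YES
R: bundle lynis_inventory: SSH-7408 sshd option Port. Port prefers  over  22
R: bundle lynis_inventory: KRNL-6000 Restrict use of dmesg. kernel.dmesg_restrict prefers 1 over  0
R: bundle lynis_inventory: KRNL-6000 Do not use TCP time stamps. net.ipv4.tcp_timestamps prefers 0 over  1
notice: an unrelated agent line
"""

def parse_findings(output):
    """Return (findings, skipped): parsed dicts and non-matching lines."""
    findings, skipped = [], []
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            findings.append(match.groupdict())
        elif line.strip():
            skipped.append(line.strip())
    return findings, skipped

def group_by_control(findings):
    """Map each control ID to the settings it flagged."""
    grouped = defaultdict(list)
    for finding in findings:
        grouped[finding["control"]].append(finding["key"])
    return dict(grouped)

def actionable(findings):
    """Keep findings that name a preferred value; the Port line has none."""
    return [f for f in findings if f["want"]]

if __name__ == "__main__":
    parsed, ignored = parse_findings(SAMPLE)
    for control, keys in group_by_control(parsed).items():
        print(control, ", ".join(keys))
    for f in actionable(parsed):
        print(f"{f['key']}: {f['have']} -> {f['want']}")
    print("skipped lines:", len(ignored))
```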

CFEngine Enterprise will automatically collect and report on inventoried variables.

https://raw.github.com/nickanderson/cfengine-lynis/master/data/4f/23848e-ef9c-44aa-b268-dafe86ff7979/CISOfy-lynis-2.7.1-summary_2019-02-18_12-16-01.png

Dependencies

This module has no dependencies.