-[ Lynis 1.3.0 Results ]-

Tests performed: 159

Warnings:
----------------------------
- [16:54:29] Warning: No password set for single mode [test:AUTH-9308] [impact:L]
- [16:55:44] Warning: Nameserver 10.142.2.5 does not respond [test:NETW-2704] [impact:L]
- [16:56:01] Warning: Found possible unused iptables rules (2 4 1) [test:FIRE-4513] [impact:L]
- [16:56:28] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
- [16:56:57] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

Suggestions:
----------------------------
- [16:54:29] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
- [16:54:29] Suggestion: Set password for single user mode to minimize physical access attack surface [test:AUTH-9308]
- [16:54:29] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
- [16:54:56] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
- [16:55:05] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
- [16:55:05] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
- [16:55:44] Suggestion: Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP). [test:NETW-2704]
- [16:56:01] Suggestion: Check iptables rules to see which rules are currently not used (iptables --list --numeric --verbose) [test:FIRE-4513]
- [16:56:28] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
- [16:56:28] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376]
- [16:56:43] Suggestion: Add legal banner to /etc/motd, to warn unauthorized users [test:BANN-7122]
- [16:56:43] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
- [16:56:43] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130]
- [16:56:55] Suggestion: Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [test:ACCT-9630]
- [16:56:57] Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily, to prevent big time differences and avoid problems with services like kerberos, authentication or logging differences. [test:TIME-3104]
- [16:57:04] Suggestion: Install a file integrity tool [test:FINT-4350]
- [16:57:12] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]
- [16:57:21] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
- [16:57:21] Suggestion: Harden compilers and restrict access to world [test:HRDN-7222]
- [16:57:21] Suggestion: Harden the system by installing one or malware scanners to perform periodic file system scans [test:HRDN-7230]

================================================================================
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Hardening index : [59] [########### ]
================================================================================
Tip: Disable all tests which are not relevant or are too strict for the
purpose of the particular machine. This will remove unwanted suggestions
and also boost the hardening index. Each test should be properly analyzed
to see if the related risks can be accepted, before disabling the test.
================================================================================
Lynis 1.3.0
Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/
================================================================================