Good Day,
Just wanted to post a baseline for the new RHEL 9 beta.
Keep in mind there are some basic things that need to be done to clear some of the warnings.
[+] Initializing program
Detecting OS... [ DONE ]
Checking profiles... [ DONE ]
Checking for a running NTP daemon or client [ OK ]
[+] Cryptography
Checking for expired SSL certificates [0/12] [ NONE ]
Found 0 encrypted and 1 unencrypted swap devices in use. [ OK ]
Kernel entropy is sufficient [ YES ]
HW RNG & rngd [ NO ]
SW prng [ NO ]
MOR variable not found [ WEAK ]
[+] Virtualization
[+] Containers
[+] Security frameworks
Checking presence AppArmor [ NOT FOUND ]
Checking presence SELinux [ FOUND ]
Checking SELinux status [ ENABLED ]
Checking current mode and config file [ OK ]
Current SELinux mode: enforcing
Found 0 permissive SELinux object types
Found 68 unconfined and 0 initrc_t processes
Build
VMware 16.2.1 build-18811642
CPU CORE Count - 4
Memory - 8g
System -
Edition Windows 10 Pro
Version 21H1
Installed on 2/7/2021
OS build 19043.1348
Experience Windows Feature Experience Pack 120.2212.3920.0
NAME="Red Hat Enterprise Linux"
VERSION="9.0 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.0"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.0 Beta (Plow)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/9/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.0
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.0 Beta"
Architecture: x86_64
Model name: AMD Ryzen 9 3950X 16-Core Processor
Memory: 3200mhz
[ Lynis 3.0.6 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2021, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
Program version: 3.0.6
Operating system: Linux
Operating system name: RHEL
Operating system version: 9.0
Kernel version: 5.14.0
Hardware platform: x86_64
Hostname: dsvr103-beta
Profiles: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/share/lynis/plugins
Auditor: [Not Specified]
Language: en
Test category: all
Test group: all
[+] System tools
[+] Plugins (phase 1)
Note: plugins have more extensive tests and may take several minutes to complete
[.]
[................]
[+] Boot and services
Result: found 36 running services
Result: found 42 enabled services
- ModemManager.service: [ MEDIUM ]
- NetworkManager.service: [ EXPOSED ]
- accounts-daemon.service: [ UNSAFE ]
- alsa-state.service: [ UNSAFE ]
- atd.service: [ UNSAFE ]
- auditd.service: [ EXPOSED ]
- avahi-daemon.service: [ UNSAFE ]
- chronyd.service: [ EXPOSED ]
- colord.service: [ EXPOSED ]
- crond.service: [ UNSAFE ]
- cups.service: [ UNSAFE ]
- dbus-broker.service: [ EXPOSED ]
- dm-event.service: [ UNSAFE ]
- emergency.service: [ UNSAFE ]
- firewalld.service: [ UNSAFE ]
- fwupd.service: [ MEDIUM ]
- gdm.service: [ UNSAFE ]
- [email protected]: [ UNSAFE ]
- irqbalance.service: [ MEDIUM ]
- iscsid.service: [ UNSAFE ]
- iscsiuio.service: [ UNSAFE ]
- libstoragemgmt.service: [ UNSAFE ]
- lvm-activate-rhel_dsvr103-beta.service: [ UNSAFE ]
- lvm2-lvmpolld.service: [ UNSAFE ]
- mcelog.service: [ UNSAFE ]
- mdmonitor.service: [ UNSAFE ]
- mlocate-updatedb.service: [ EXPOSED ]
- multipathd.service: [ UNSAFE ]
- packagekit.service: [ UNSAFE ]
- plymouth-start.service: [ UNSAFE ]
- polkit.service: [ UNSAFE ]
- power-profiles-daemon.service: [ EXPOSED ]
- rc-local.service: [ UNSAFE ]
- rescue.service: [ UNSAFE ]
- rhsm.service: [ UNSAFE ]
- rhsmcertd.service: [ UNSAFE ]
- rsyslog.service: [ UNSAFE ]
- rtkit-daemon.service: [ MEDIUM ]
- smartd.service: [ UNSAFE ]
- sshd.service: [ UNSAFE ]
- sssd-kcm.service: [ EXPOSED ]
- sssd.service: [ EXPOSED ]
- systemd-ask-password-console.service: [ UNSAFE ]
- systemd-ask-password-plymouth.service: [ UNSAFE ]
- systemd-ask-password-wall.service: [ UNSAFE ]
- systemd-initctl.service: [ UNSAFE ]
- systemd-journald.service: [ PROTECTED ]
- systemd-logind.service: [ PROTECTED ]
- systemd-rfkill.service: [ UNSAFE ]
- systemd-udevd.service: [ MEDIUM ]
- udisks2.service: [ UNSAFE ]
- upower.service: [ PROTECTED ]
- [email protected]: [ UNSAFE ]
- [email protected]: [ UNSAFE ]
- vgauthd.service: [ UNSAFE ]
- vmtoolsd.service: [ UNSAFE ]
- wpa_supplicant.service: [ UNSAFE ]
[+] Kernel
CPU support: PAE and/or NoeXecute supported [ FOUND ]
Found 78 active modules
[+] Memory and Processes
[+] Users, Groups and Authentication
[+] Shells
Result: found 4 shells (valid shells: 4).
[+] File systems
[+] USB Devices
[+] Storage
[+] NFS
[+] Name services
Domain name: ksmotech.com
[+] Ports and packages
Found: dnf
[+] Networking
Configuration method [ AUTO ]
IPv6 only [ NO ]
Nameserver: 192.168.1.1 [ OK ]
[+] Printers and Spools
[+] Software: e-mail and messaging
[+] Software: firewalls
[+] Software: webserver
[+] SSH Support
[+] SNMP Support
[+] Databases
[+] LDAP Services
[+] PHP
[+] Squid Support
[+] Logging and files
[+] Insecure services
[+] Banners and identification
[+] Scheduled tasks
[+] Accounting
[+] Time and Synchronization
[+] Cryptography
[+] Virtualization
[+] Containers
[+] Security frameworks
Current SELinux mode: enforcing
Found 0 permissive SELinux object types
Found 68 unconfined and 0 initrc_t processes
[+] Software: file integrity
[+] Software: System tooling
[+] Software: Malware
[+] File Permissions
File: /boot/grub2/grub.cfg [ SUGGESTION ]
File: /etc/at.deny [ SUGGESTION ]
File: /etc/cron.deny [ SUGGESTION ]
File: /etc/crontab [ SUGGESTION ]
File: /etc/group [ OK ]
File: /etc/group- [ OK ]
File: /etc/issue [ OK ]
File: /etc/issue.net [ OK ]
File: /etc/motd [ OK ]
File: /etc/passwd [ OK ]
File: /etc/passwd- [ OK ]
File: /etc/ssh/sshd_config [ OK ]
Directory: /etc/cron.d [ SUGGESTION ]
Directory: /etc/cron.daily [ SUGGESTION ]
Directory: /etc/cron.hourly [ SUGGESTION ]
Directory: /etc/cron.weekly [ SUGGESTION ]
Directory: /etc/cron.monthly [ SUGGESTION ]
[+] Home directories
[+] Kernel Hardening
[+] Hardening
[+] Custom tests
[+] Plugins (phase 2)
================================================================================
-[ Lynis 3.0.6 Results ]-
Warnings (1):
! Couldn't find 2 responsive nameservers [NETW-2705]
https://cisofy.com/lynis/controls/NETW-2705/
Suggestions (41):
Consider hardening system services [BOOT-5264]
https://cisofy.com/lynis/controls/BOOT-5264/
If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
https://cisofy.com/lynis/controls/KRNL-5820/
Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]
https://cisofy.com/lynis/controls/AUTH-9229/
Configure password hashing rounds in /etc/login.defs [AUTH-9230]
https://cisofy.com/lynis/controls/AUTH-9230/
When possible set expire dates for all password protected accounts [AUTH-9282]
https://cisofy.com/lynis/controls/AUTH-9282/
Configure minimum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/lynis/controls/AUTH-9286/
Configure maximum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/lynis/controls/AUTH-9286/
Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
https://cisofy.com/lynis/controls/AUTH-9328/
To decrease the impact of a full /tmp file system, place /tmp on a separate partition [FILE-6310]
https://cisofy.com/lynis/controls/FILE-6310/
To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
https://cisofy.com/lynis/controls/FILE-6310/
Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000]
https://cisofy.com/lynis/controls/USB-1000/
Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
https://cisofy.com/lynis/controls/STRG-1846/
Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404]
https://cisofy.com/lynis/controls/NAME-4404/
Consider using a tool to automatically apply upgrades [PKGS-7420]
https://cisofy.com/lynis/controls/PKGS-7420/
Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705]
https://cisofy.com/lynis/controls/NETW-2705/
Determine if protocol 'dccp' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
Determine if protocol 'sctp' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
Determine if protocol 'rds' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
Determine if protocol 'tipc' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
Check CUPS configuration if it really needs to listen on the network [PRNT-2308]
https://cisofy.com/lynis/controls/PRNT-2308/
Consider hardening SSH configuration [SSH-7408]
https://cisofy.com/lynis/controls/SSH-7408/
Consider hardening SSH configuration [SSH-7408]
https://cisofy.com/lynis/controls/SSH-7408/
Consider hardening SSH configuration [SSH-7408]
https://cisofy.com/lynis/controls/SSH-7408/
Consider hardening SSH configuration [SSH-7408]
https://cisofy.com/lynis/controls/SSH-7408/
Consider hardening SSH configuration [SSH-7408]
https://cisofy.com/lynis/controls/SSH-7408/
Consider hardening SSH configuration [SSH-7408]
https://cisofy.com/lynis/controls/SSH-7408/
Consider hardening SSH configuration [SSH-7408]
https://cisofy.com/lynis/controls/SSH-7408/
Consider hardening SSH configuration [SSH-7408]
https://cisofy.com/lynis/controls/SSH-7408/
Consider hardening SSH configuration [SSH-7408]
https://cisofy.com/lynis/controls/SSH-7408/
Consider hardening SSH configuration [SSH-7408]
https://cisofy.com/lynis/controls/SSH-7408/
Consider hardening SSH configuration [SSH-7408]
https://cisofy.com/lynis/controls/SSH-7408/
Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
https://cisofy.com/lynis/controls/LOGG-2154/
Check what deleted files are still in use and why. [LOGG-2190]
https://cisofy.com/lynis/controls/LOGG-2190/
Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
https://cisofy.com/lynis/controls/BANN-7126/
Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
https://cisofy.com/lynis/controls/BANN-7130/
Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630]
https://cisofy.com/lynis/controls/ACCT-9630/
Determine if automation tools are present for system management [TOOL-5002]
https://cisofy.com/lynis/controls/TOOL-5002/
Consider restricting file permissions [FILE-7524]
https://cisofy.com/lynis/controls/FILE-7524/
One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
https://cisofy.com/lynis/controls/KRNL-6000/
Harden compilers like restricting access to root user only [HRDN-7222]
https://cisofy.com/lynis/controls/HRDN-7222/
Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
https://cisofy.com/lynis/controls/HRDN-7230/
Follow-up:
================================================================================
Lynis security scan details:
Hardening index : 64 [############ ]
Tests performed : 264
Plugins enabled : 2
Components:
Scan mode:
Normal [V] Forensics [ ] Integration [ ] Pentest [ ]
Lynis modules:
Files:
================================================================================
Lynis 3.0.6
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2021, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
================================================================================
[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)