Full Circle Magazine #81


HOWTO - IMPROVE UBUNTU SECURITY WITH LYNIS

default.prf:

# ** Skip one or more specific tests **
# (always ignores scan mode and will make sure the test is skipped)
# config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012:

config:test_skip_always:NETW-2705:

So now we installed our security updates and told Lynis that we are fine with only one working DNS server, let's do another run.

That is already looking much better! The index not only turned yellow instead of red, it also provided us with additional security due to installing the patches. Since software is usually the weakest link, staying up-to-date with patches from the security repository is important. Ignoring tests won't make a system more secure, but at least it helps us to focus on the things we can really improve.

As dealing with each individual result would make this a very long article, it is more useful to have a look at dealing with suggestions in general. With each suggestion, the primary focus should be on understanding the meaning behind each suggestion. Secondly, the impact and risk of changing pieces of the configuration. Last, but not least, proper testing and making sure the adjustment has no bad influence on the goal of the machine. For example, blocking access to a web server may result in possibly a more secure system, but it won't be able to handle web requests.

Since each system has a completely different purpose, some suggestions might be more suitable for servers, while others apply both to desktops and servers. It is up to you, the user, to decide what suggestions are worth investigating. Others can be ignored in the scanning profile, as shown above. Useful hints behind each test can be found in the log file (/var/log/lynis.log), which usually shows the related files. Additionally, the test itself can be found in the include directory, where you can see what it is looking for. Then there is the CISOfy website, with documentation and information about the individual tests. Finally, of course, there is the Internet: usually other people will have reported similar suggestions or questions regarding the implementation.
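The skip list described above can be audited with a short script that lists the test IDs on active config:test_skip_always lines, flags tokens that do not look like test IDs, and reports skipped tests that have no recorded reason. This is an added example, not part of the original article or of Lynis itself. The exceptions file, the ID pattern and the ZZZZ IDs are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list the Lynis tests a scan profile suppresses and check them.
# Assumption: a test ID is capital letters, a hyphen and four digits (NETW-2705).
ID_RE='^[A-Z]+-[0-9]{4}$'

# Every token on active (uncommented) test_skip_always lines, one per line.
skip_tokens() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out template lines
        /^[ \t]*config:test_skip_always:/ {
            sub(/^[ \t]*config:test_skip_always:/, "")
            sub(/:[ \t]*$/, "")                   # trailing colon ends the value
            n = split($0, ids, /[ \t]+/)
            for (i = 1; i <= n; i++) if (ids[i] != "") print ids[i]
        }' "$1" | sort -u
}

valid_skips()     { skip_tokens "$1" | grep -E  "$ID_RE" || true; }
malformed_skips() { skip_tokens "$1" | grep -Ev "$ID_RE" || true; }

# Skipped IDs ($1 = profile) with no recorded reason in $2 ("ID reason" per line).
# The exceptions file is a hypothetical convention for this example.
unjustified_skips() {
    valid_skips "$1" | while read -r id; do
        awk '{ print $1 }' "$2" | grep -Fxq "$id" || echo "$id"
    done
}

# Constructed sample input; ZZZZ-0001 and ZZZZ0002 are made-up IDs.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/default.prf" <<'EOF'
# ** Skip one or more specific tests **
# config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012:
config:test_skip_always:NETW-2705:
config:test_skip_always:ZZZZ-0001 ZZZZ0002:
EOF
cat > "$demo_dir/exceptions.txt" <<'EOF'
NETW-2705 one working DNS server is accepted on this machine
EOF

echo "skipped:     $(valid_skips "$demo_dir/default.prf" | tr '\n' ' ')"
echo "malformed:   $(malformed_skips "$demo_dir/default.prf" | tr '\n' ' ')"
echo "unjustified: $(unjustified_skips "$demo_dir/default.prf" "$demo_dir/exceptions.txt" | tr '\n' ' ')"
```

The commented template line is ignored, so only the tests that are really suppressed show up in the output.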

Happy hardening and stay secure!

For more security advice, check out Michael's new monthly security column for FCM.

Michael Boelen is the author and project lead of Lynis. When not working (at his company, CISOfy), he likes to take part in sport, loves reading, and enjoying life with friends. He can be reached via michael@cisofy.com or on Twitter (@mboelen).
