https://git.ncsa.illinois.edu/irst/lynis-ncsa-plugins

Usage:

Method 1:
- Download the Lynis package from https://cisofy.com/downloads/lynis/ and extract the tarball with tar -xf lynis*.tar.gz
- Clone the above repository and copy the plugin_ncsa_phase2 file into the lynis/plugins folder.
- Modify the Lynis profile lynis/default.prf to add plugin=ncsa under the other plugins.
- Go into the lynis folder and execute ./lynis audit system

Method 2:
- Install the lynis-ncsa RedHat package.
- Run lynis audit system

Checks inside the plugin:
Each of these checks can be skipped by adding skip-test=TEST-NAME to the default.prf file.
NCSA-IPTABLES
- Checks if the default INPUT chain policy is DROP or REJECT. "Default policy" here means -A rules without any IP, port, or protocol exceptions; if iptables has been flushed, the -P INPUT policy is checked instead.
- (Legacy) Checks if the policy for ICMP packets is ACCEPT.
- Checks if the policy for ICMP types 3, 8, and 11 in IPv4, and types 2 and 3 in IPv6, is ACCEPT.
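The following is an added example, not code from the lynis-ncsa-plugins repository: it re-implements the NCSA-IPTABLES logic described above as shell functions that parse iptables -S text passed in as an argument, so the check can be exercised without root and without calling iptables. The sample rule sets are constructed. One assumption goes beyond the text: interface selectors (-i/-o) and match extensions (-m, such as state matches) are also treated as exceptions, so only a bare "-A INPUT -j TARGET" counts as the catch-all rule.

```shell
#!/bin/sh
# Added example, not code from the lynis-ncsa-plugins repository: a
# root-free re-implementation of the NCSA-IPTABLES logic that parses
# `iptables -S` text handed to it instead of calling iptables itself.

# Constructed sample of `iptables -S` output (not captured from a real host).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample of a flushed table: only the chain policies remain.
SAMPLE_FLUSHED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# input_default_policy RULES
# Prints the effective default for the INPUT chain: the target of the first
# "-A INPUT" rule carrying no IP, interface, protocol, port or match
# exception (assumption: -i/-o/-m count as exceptions too), or, when no such
# catch-all rule exists (e.g. after a flush), the "-P INPUT" policy.
input_default_policy() {
    catchall=$(printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" {
            specific = 0
            for (i = 3; i <= NF; i++)
                if ($i == "-s" || $i == "-d" || $i == "-i" || $i == "-o" ||
                    $i == "-p" || $i == "-m" || $i == "--dport" ||
                    $i == "--sport" || $i == "--icmp-type")
                    specific = 1
            if (!specific)
                for (i = 3; i <= NF; i++)
                    if ($i == "-j") { print $(i + 1); exit }
        }')
    if [ -n "$catchall" ]; then
        printf '%s\n' "$catchall"
    else
        printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "INPUT" { print $3; exit }'
    fi
}

# input_policy_ok RULES -> exit 0 when the effective default is DROP or REJECT
input_policy_ok() {
    case "$(input_default_policy "$1")" in
        DROP|REJECT) return 0 ;;
        *)           return 1 ;;
    esac
}

# icmp_type_accepted RULES TYPE -> exit 0 when an INPUT rule accepts that
# ICMPv4 type, either explicitly (--icmp-type TYPE) or via an untyped
# "-p icmp -j ACCEPT" rule, which admits every type.
icmp_type_accepted() {
    printf '%s\n' "$1" | awk -v t="$2" '
        $1 == "-A" && $2 == "INPUT" && $0 ~ / -p icmp / && $0 ~ / -j ACCEPT( |$)/ {
            typed = 0
            for (i = 3; i <= NF; i++)
                if ($i == "--icmp-type") { typed = 1; if ($(i + 1) == t) found = 1 }
            if (!typed) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Stand-alone report over the constructed sample.
report() {
    echo "effective INPUT default: $(input_default_policy "$1")"
    input_policy_ok "$1" && echo "INPUT default policy OK" || echo "INPUT default policy is not DROP/REJECT"
    for t in 3 8 11; do
        icmp_type_accepted "$1" "$t" && echo "ICMP type $t accepted" || echo "ICMP type $t NOT accepted"
    done
}
report "$SAMPLE_RULES"
```

On a live host the same functions can be fed "$(iptables -S INPUT)" (and ip6tables for the IPv6 types); the functions only read the text they are given, so they are safe to run anywhere.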
NCSA-QUALYS
- Checks if the qualys user exists and has a proper shell, as defined in QUALYS_ALLOWED_SHELLS at the top of the plugin.
- Checks that the sshd config specific to the qualys user is compliant with the setup specified in Qualys Authenticated Scanning Host setup.
- If pam_access is enabled in sshd, checks that qualys has access from the IP specified by QUALYS_IP.
- Checks that the iptables INPUT rule for the IP specified by QUALYS_IP is ACCEPT.
- Checks if qualys owns its home directory.
- Checks if qualys has an authorized_keys file in its .ssh directory and owns that key.
- Checks if the qualys user has ever logged in.
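The following is an added example, not code from the lynis-ncsa-plugins repository: it mirrors the account-level NCSA-QUALYS checks (allowed shell, home and authorized_keys ownership, ever logged in) as functions that take their input as arguments, exercised on constructed passwd and lastlog data and a temporary directory. The QUALYS_ALLOWED_SHELLS value is an assumption; the plugin defines its own list. The sshd, pam_access and iptables parts of the check are not covered here.

```shell
#!/bin/sh
# Added example, not code from the lynis-ncsa-plugins repository: the
# NCSA-QUALYS account checks re-implemented as functions that take their
# input as arguments, so they can be exercised on constructed data.

# Assumed allow-list; the plugin defines its own QUALYS_ALLOWED_SHELLS.
QUALYS_ALLOWED_SHELLS="/bin/bash /bin/sh"

# Constructed /etc/passwd entries (not from a real host).
PASSWD_OK='qualys:x:1500:1500:Qualys scanner:/home/qualys:/bin/bash'
PASSWD_NOLOGIN='qualys:x:1500:1500:Qualys scanner:/home/qualys:/sbin/nologin'

# Constructed `lastlog -u qualys` output, with and without a login record.
LASTLOG_SEEN='Username         Port     From             Latest
qualys           pts/1    192.0.2.10       Mon Jan  1 00:00:00 +0000 2024'
LASTLOG_NEVER='Username         Port     From             Latest
qualys                                     **Never logged in**'

# passwd_shell_allowed PASSWD_LINE -> 0 when the login shell (field 7) is in
# QUALYS_ALLOWED_SHELLS.
passwd_shell_allowed() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    for allowed in $QUALYS_ALLOWED_SHELLS; do
        [ "$allowed" = "$shell" ] && return 0
    done
    return 1
}

# file_owned_by USER PATH -> 0 when PATH exists and its owner is USER.
# ls -ld is used instead of stat, whose flags differ between GNU and BSD;
# ls prints a numeric owner when the uid has no name, as id -u does below.
file_owned_by() {
    [ -e "$2" ] || return 1
    [ "$(ls -ld "$2" | awk '{ print $3 }')" = "$1" ]
}

# home_checks_ok USER HOME -> 0 when USER owns HOME and owns
# HOME/.ssh/authorized_keys, mirroring the two ownership checks in the plugin.
home_checks_ok() {
    file_owned_by "$1" "$2" && file_owned_by "$1" "$2/.ssh/authorized_keys"
}

# ever_logged_in LASTLOG_OUTPUT -> 0 unless lastlog reports "Never logged in"
ever_logged_in() {
    ! printf '%s\n' "$1" | grep -q 'Never logged in'
}

# Name of the current user, falling back to the numeric uid.
current_user() {
    id -un 2>/dev/null || id -u
}

# Stand-alone run: build a temporary home directory owned by the current user
# so the ownership checks can be demonstrated without a real qualys account.
demo() {
    me=$(current_user)
    home=$(mktemp -d) || return 1
    mkdir -p "$home/.ssh" && : > "$home/.ssh/authorized_keys"
    passwd_shell_allowed "$PASSWD_OK" && echo "shell OK" || echo "shell not allowed"
    home_checks_ok "$me" "$home" && echo "home and authorized_keys owned by $me"
    ever_logged_in "$LASTLOG_NEVER" || echo "qualys has never logged in"
    rm -rf "$home"
}
demo
```

On a real system the inputs would be "$(getent passwd qualys)", the account's home directory, and "$(lastlog -u qualys)".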
NCSA-RSYSLOG
- Checks if the rsyslog remote destination is set as the Syslog Remote Logging Best Practices document suggests.
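The following is an added example, not code from the lynis-ncsa-plugins repository: it extracts the remote forwarding destinations from rsyslog configuration text, in both the legacy "@host:port" form and the RainerScript omfwd action form, and compares them with an expected destination. The expected value is a placeholder, since the Syslog Remote Logging Best Practices document is not reproduced on this page; the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not code from the lynis-ncsa-plugins repository: extracts the
# remote forwarding destinations from rsyslog configuration text so the
# NCSA-RSYSLOG comparison can be exercised on constructed input. The expected
# destination is a placeholder; the real value comes from the Syslog Remote
# Logging Best Practices document, which this page does not reproduce.
EXPECTED_DESTINATION="loghost.example.org:514"

# Constructed rsyslog.conf (not from a real host) mixing both config syntaxes.
SAMPLE_CONF='# constructed sample
module(load="imuxsock")
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
*.* @@loghost.example.org:514
action(type="omfwd" target="loghost2.example.org" port="6514" protocol="tcp")'

# Constructed config with local files only, i.e. no remote logging.
SAMPLE_CONF_LOCAL='*.info   /var/log/messages
authpriv.*   /var/log/secure'

# remote_destinations CONF -> prints one host:port per forwarding action,
# handling the legacy "@host[:port]" (udp) / "@@host[:port]" (tcp) form and
# the RainerScript action(type="omfwd" ...) form. The port defaults to 514.
remote_destinations() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ { next }
        $2 ~ /^@@?/ {
            sub(/^@@?/, "", $2)
            if ($2 !~ /:/) $2 = $2 ":514"
            print $2
            next
        }
        /type="omfwd"/ {
            host = ""; port = "514"
            if (match($0, /target="[^"]*"/)) host = substr($0, RSTART + 8, RLENGTH - 9)
            if (match($0, /port="[^"]*"/))   port = substr($0, RSTART + 6, RLENGTH - 7)
            if (host != "") print host ":" port
        }'
}

# remote_logging_ok CONF DESTINATION -> 0 when DESTINATION is among the
# forwarding targets found in CONF.
remote_logging_ok() {
    remote_destinations "$1" | grep -qx "$2"
}

# Stand-alone run over the constructed config.
if remote_logging_ok "$SAMPLE_CONF" "$EXPECTED_DESTINATION"; then
    echo "remote logging to $EXPECTED_DESTINATION configured"
else
    echo "remote logging to $EXPECTED_DESTINATION NOT configured; found:"
    remote_destinations "$SAMPLE_CONF"
fi
```

On a live host the function would be fed the concatenated contents of /etc/rsyslog.conf and /etc/rsyslog.d/*.conf, since forwarding rules commonly live in a drop-in file.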