
https://git.ncsa.illinois.edu/irst/lynis-ncsa-plugins

Usage:

Method 1:
  1. Download the Lynis package from https://cisofy.com/downloads/lynis/ and extract the tarball with tar -xf lynis*.tar.gz
  2. Clone the above repository and copy the plugin_ncsa_phase2 file into the lynis/plugins folder.
  3. Modify the Lynis profile lynis/default.prf to add plugin=ncsa under other plugins.
  4. Go into the lynis folder and execute ./lynis audit system
Method 2:
  1. Install the lynis-ncsa RedHat package
  2. Run lynis audit system

Checks inside the plugin:

Each of these checks can be skipped by adding skip-test=TEST-NAME to the default.prf file.

NCSA-IPTABLES

Checks whether the default INPUT chain policy is DROP or REJECT. Here "default policy" means -A rules without any IP, port, or protocol exceptions. If iptables has been flushed, the check uses the default -P INPUT policy instead.

(Legacy) Checks if the policy for ICMP packets is ACCEPT.

Checks if the policy for ICMP types 3, 8, and 11 in IPv4 and types 2 and 3 in IPv6 is ACCEPT.
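
The following added example (not the plugin's own code) shows one way to make the first NCSA-IPTABLES decision from iptables -S INPUT output: take the first unconditional -A INPUT rule, otherwise fall back to the -P INPUT policy. The function names and sample rule sets are constructed for illustration, and it assumes a rule counts as a catch-all only when -j directly follows the chain name; jumps to user-defined chains are not followed.

```shell
#!/bin/sh
# Added example, not the NCSA plugin's code. Input is `iptables -S INPUT` text.

# Print the effective default action for INPUT: the target of the first
# unconditional terminating rule ("-A INPUT -j TARGET"), else the -P policy.
input_default_action() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        # Catch-all: -j directly follows the chain name, so the rule has no
        # -s/-d/-p/-i/-m match. Non-terminating targets (e.g. LOG) are skipped.
        $1 == "-A" && $2 == "INPUT" && $3 == "-j" && catchall == "" {
            if ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT") catchall = $4
        }
        END {
            if (catchall != "") print catchall
            else if (policy != "") print policy
            else print "UNKNOWN"
        }
    '
}

# Exit status 0 when the effective default is DROP or REJECT, 1 otherwise.
input_default_is_deny() {
    case "$(input_default_action)" in
        DROP|REJECT) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample rule sets (not taken from a real host).
RULES_CATCHALL='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
RULES_FLUSHED_OPEN='-P INPUT ACCEPT'
RULES_FLUSHED_DROP='-P INPUT DROP'
RULES_SHADOWED='-P INPUT DROP
-A INPUT -j ACCEPT
-A INPUT -j DROP'

report() {  # $1 = label, $2 = rule text
    printf '%-14s effective default: %s\n' "$1" \
        "$(printf '%s\n' "$2" | input_default_action)"
}
report catch-all "$RULES_CATCHALL"
report flushed-open "$RULES_FLUSHED_OPEN"
report flushed-drop "$RULES_FLUSHED_DROP"
report shadowed "$RULES_SHADOWED"
```

The shadowed sample shows why rule order matters: an earlier unconditional ACCEPT makes both the later DROP rule and the -P INPUT DROP policy unreachable.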

NCSA-QUALYS

Checks if the qualys user exists and has a proper shell, as defined in QUALYS_ALLOWED_SHELLS at the top of the plugin.

Checks that the SSHD config specific to the qualys user complies with the setup specified in Qualys Authenticated Scanning Host setup.

If pam_access is enabled in SSHD, checks that qualys from the IP specified by QUALYS_IP has access.

Checks that the iptables INPUT rule for the IP specified by QUALYS_IP is ACCEPT.

Checks if qualys owns its home directory.

Checks if qualys has an authorized_keys file in its .ssh directory and owns that key.

Checks if the qualys user has ever logged in.

NCSA-RSYSLOG

Checks if the rsyslog remote destination is set as Syslog Remote Logging Best Practices suggests.

