Use Lynis to test hardenings before & after #21

Open
6 of 39 tasks
pyllyukko opened this issue Oct 28, 2017 · 1 comment

pyllyukko commented Oct 28, 2017

  • Check individual hardenings with lynis show details TEST-ID
  • boot_services
  • kernel
  • memory_processes
  • authentication
  • shells
  • filesystems
  • storage
    • USB & FireWire
  • storage_nfs
  • nameservices
  • ports_packages
  • networking
  • printers_spools
  • mail_messaging
  • firewalls
  • webservers
  • ssh
  • snmp
  • databases
  • ldap
  • php
  • squid
  • logging
  • insecure_services
  • banners
  • scheduling
    • cron & at
  • accounting
    • sysstat
    • auditd
  • time
  • crypto
  • virtualization
  • containers
  • mac_frameworks
  • file_integrity
  • tooling
    • TOOL-5002 - automation tooling
    • TOOL-5190 - IDS/IPS tooling
  • malware
  • file_permissions
    • permfile & permdir in the profile
  • homedirs
    • HOME-9310
  • kernel_hardening
  • hardening
    • compiler(s)
    • malware scanner

shells

  • SHLL-6211 /etc/shells -> remove_shells()
  • SHLL-6220 "Search for session timeout tools or settings in shell"
  • SHLL-6230 umask -> configure_umask()

authentication

  • AUTH-9286 (Checking user password aging)
    • PASS_MIN_DAYS option in /etc/login.defs
    • PASS_MAX_DAYS
  • AUTH-9328 (Default umask values)
  • AUTH-9308 - Protect single user mode

pyllyukko commented Apr 3, 2020

Implemented in #43. Although with LXC you can't test everything. At least the following can't properly be tested:

  • Kernel stuff (as they come from the host)
    • sysctl
    • AppArmor
    • Audit
  • Partitioning
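
The before/after comparison this issue asks for, sketched as an added example (not code from this repository): it diffs the findings of two Lynis reports by test ID. It assumes the key=value report layout of lynis-report.dat (`hardening_index=N`, `suggestion[]=TEST-ID|text|...`, `warning[]=TEST-ID|text|...`); the function names and both sample reports are constructed for illustration.

```python
# Added example (not from the repository): diff two Lynis reports.
# Assumption: findings are "suggestion[]=TEST-ID|text|..." / "warning[]=..."
# lines and the score is "hardening_index=N", as in lynis-report.dat.

def parse_report(text):
    """Return (hardening_index, {test_id: first finding text})."""
    index, findings = None, {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue  # comment or malformed line
        if key == "hardening_index" and value.isdigit():
            index = int(value)
        elif key in ("suggestion[]", "warning[]"):
            test_id, _, rest = value.partition("|")
            findings.setdefault(test_id, rest.split("|")[0])
    return index, findings

def compare(before_text, after_text):
    """Classify findings as resolved, remaining or new after hardening."""
    b_idx, before = parse_report(before_text)
    a_idx, after = parse_report(after_text)
    return {
        "index_delta": None if None in (b_idx, a_idx) else a_idx - b_idx,
        "resolved": sorted(set(before) - set(after)),
        "remaining": sorted(set(before) & set(after)),
        "new": sorted(set(after) - set(before)),
    }

# Constructed sample reports (not real scan output); test IDs are from the issue.
BEFORE = """\
# constructed report, before hardening
hardening_index=58
suggestion[]=SHLL-6230|constructed: umask in shell config is permissive|-|-|
suggestion[]=AUTH-9286|constructed: password aging not configured|-|-|
suggestion[]=AUTH-9328|constructed: default umask is permissive|-|-|
warning[]=AUTH-9308|constructed: single user mode is unprotected|-|-|
"""
AFTER = """\
# constructed report, after hardening
hardening_index=66
suggestion[]=AUTH-9286|constructed: password aging not configured|-|-|
suggestion[]=HOME-9310|constructed: home directory permissions differ|-|-|
"""

if __name__ == "__main__":
    result = compare(BEFORE, AFTER)
    print("hardening index change:", result["index_delta"])
    for state in ("resolved", "remaining", "new"):
        print(f"{state}: {', '.join(result[state]) or '-'}")
```

A test ID listed under "new" means the hardening run changed something Lynis now flags; inspect it with lynis show details TEST-ID like any remaining finding.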
