Lynis – Security auditing and hardening tool, for Unix-based systems

Lynis – Security auditing and hardening tool, for Unix-based systems(github.com)

67 points by Qision 1 year ago | 21 comments

Rules like https://cisofy.com/lynis/controls/HRDN-7222/ make me think the whole thing is snake oil. There is zero security benefit to making publicly-available compilers not be world-readable.

AbraKdabra 1 year ago | |

> There is zero security benefit

I assume you don't work in security. The "HRDN" means it's a Hardening rule, and hardening is the action of reducing the attack surface for possible attacks as much as you can, even for the most crazy types, like a normal user or malware having access to download an exploit from exploit-db.com and being able to compile it without being root.

HeatrayEnjoyer 1 year ago | |

Preventing the compilation of code by arbitrary users is not harmful and reduces your attack surface.

perlgeek 1 year ago | |

Where does it say on that page that the hardening is not making them world-readable?

> If a compiler is found, execution should be limited to authorized users only (e.g. root user).

viraptor 1 year ago | | |

Unless you also mount some partitions noexec, making things not executable is useless. And if you have access to python/perl/ruby, you can construct any binary in memory anyway. And that's assuming someone's targeting some vulnerability chain which uses the compiler which is a stretch anyway.

patrakov 1 year ago |

Rules like https://cisofy.com/lynis/controls/AUTH-9282/ are something that NIST calls outdated and dangerous password practice, but foreign security bodies mandate. Go figure.

Also, the suggestion from https://cisofy.com/lynis/controls/NAME-4404/ is just wrong on systems with nss_myhostname (from systemd) configured.

musicale 1 year ago | |

I've noticed that many ineffective and damaging security policies (mandating crowdstrike, increasingly arcane password requirements etc.) that businesses adopt seem to be implemented for "compliance" with ... what exactly? Sets of rules and regulations, apparently written by people who don't understand security, don't care about system reliability, availability, or usability, or have a business interest in dubious security solutions.

patrakov 1 year ago | | |

It's a chain. Take PCI DSS v4.0 for example.

Requirement 2.2.1 says: "Configuration standards are developed, implemented, and maintained to <...> Be consistent with industry-accepted system hardening standards or vendor hardening recommendations."

Then in the third column, it mentions explicitly: "Sources for guidance on configuration standards include but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Cloud Security Alliance, and product vendors."

CIS, at least in the past, was a significant source of overzealous pseudo-hardening. Yet, that's what auditors' automated tools check compliance with, as that's the only configuration standard with a written procedure, often a command that can be copy-pasted, to check compliance with each rule. And I am not allowed to object to the recommendations or not follow the "best practices" because otherwise the next breach will be fully on me (in financial terms).

kosolam 1 year ago |

Seems like a good thing. Anyone here has experience with this tool?