Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Introduction

...

CVE-IDCVSSNVDFix/Notes
CVE-2016-15859.8https://nvd.nist.gov/vuln/detail/CVE-2016-1585No fix available
CVE-2021-202369.8https://nvd.nist.gov/vuln/detail/CVE-2021-20236No fix available (latest release of ZeroMQ for Ubuntu 20.04 is 4.3.2-2ubuntu1)
CVE-2021-318709.8https://nvd.nist.gov/vuln/detail/CVE-2021-31870No fix available (latest release of klibc for Ubuntu 20.04 is 2.0.7-1ubuntu5)
CVE-2021-318729.8https://nvd.nist.gov/vuln/detail/CVE-2021-31872No fix available (latest release of klibc for Ubuntu 20.04 is 2.0.7-1ubuntu5)
CVE-2021-318739.8https://nvd.nist.gov/vuln/detail/CVE-2021-31873No fix available (latest release of klibc for Ubuntu 20.04 is 2.0.7-1ubuntu5)
CVE-2021-335749.8https://nvd.nist.gov/vuln/detail/CVE-2021-33574Will not be fixed in Ubuntu stable releases
CVE-2021-459519.8https://nvd.nist.gov/vuln/detail/CVE-2021-45951No fix available (vendor disputed)
CVE-2021-459529.8https://nvd.nist.gov/vuln/detail/CVE-2021-45952No fix available (vendor disputed)
CVE-2021-459539.8https://nvd.nist.gov/vuln/detail/CVE-2021-45953No fix available (vendor disputed)
CVE-2021-459549.8https://nvd.nist.gov/vuln/detail/CVE-2021-45954No fix available (vendor disputed)
CVE-2021-459559.8https://nvd.nist.gov/vuln/detail/CVE-2021-45955No fix available (vendor disputed)
CVE-2021-459569.8https://nvd.nist.gov/vuln/detail/CVE-2021-45956No fix available (vendor disputed)
CVE-2021-459579.8https://nvd.nist.gov/vuln/detail/CVE-2021-45957No fix available (vendor disputed)
CVE-2022-232189.8https://nvd.nist.gov/vuln/detail/CVE-2022-23218Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls
CVE-2022-232199.8https://nvd.nist.gov/vuln/detail/CVE-2022-23219Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls
CVE-2016-91809.1https://nvd.nist.gov/vuln/detail/CVE-2016-9180No fix available
CVE-2021-359429.1https://nvd.nist.gov/vuln/detail/CVE-2021-35942Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls

...

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing
No.TestResultFix
1Test: Checking PASS_MAX_DAYS option in /etc/login.defs

Result: password minimum age is not configured

Suggestion: Configure minimum password age in /etc/login.defs [test:AUTH-9286]

Set PASS_MAX_DAYS 180 in /etc/login.defs
2Performing test ID AUTH-9328 (Default umask values)

Result: found umask 022, which could be improved

Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]

Set UMASK 027 in /etc/login.defs
3Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)

Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.

Hardening: assigned partial number of hardening points (0 of 1).

Configure AllowUsers in /etc/ssh/sshd_config
4Test: checking for file /etc/network/if-up.d/ntpdate

Test: checking for file /etc/network/if-up.d/ntpdate

Result: file /etc/network/if-up.d/ntpdate does not exist

...

Hardening: assigned maximum number of hardening points for this item (3).

OK
5Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) :  Following sub-tests requiredN/AN/A
5asysctl key fs.suid_dumpable contains equal expected and current value (0)Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2

Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf and disable apport in /etc/default/apport

5bsysctl key kernel.dmesg_restrict contains equal expected and current value (1)Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf
5csysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)

Result: key net.inet.ip.sourceroute does not exist on this machine

...

Hardening: assigned maximum number of hardening points for this item (1)

OK
6Test: Check if one or more compilers can be found on the system

Result: found installed compiler. See top of logfile which compilers have been found or use /usr/bin/grep to filter on 'compiler'

Hardening: assigned partial number of hardening points (1 of 3).

Uninstall gcc

...

and remove /usr/bin/as (installed with binutils)

Results after the above fixes are as follows:

The Lynis Program Update test MUST pass with no errors.
2022-03-07 15:19:07 Test: Checking for program update...
2022-03-07 15:19:10 Current installed version : 308
2022-03-07 15:19:10 Latest stable version : 307
2022-03-07 15:19:10 No Lynis update available.
The following list of tests MUST complete as passing
No.TestResult
1Test: Checking PASS_MAX_DAYS option in /etc/login.defs

Result: max password age is 180 days
Hardening: assigned maximum number of hardening points for this item (3).

2Performing test ID AUTH-9328 (Default umask values)

Result: umask is 027, which is fine
Hardening: assigned maximum number of hardening points for this item (2).

3Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)

Result: SSH is limited to a specific set of users, which is good
Hardening: assigned maximum number of hardening points for this item (2).

5asysctl key fs.suid_dumpable contains equal expected and current value (0)Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)
Hardening: assigned maximum number of hardening points for this item (1).
5bsysctl key kernel.dmesg_restrict contains equal expected and current value (1)Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1)
Hardening: assigned maximum number of hardening points for this item (1).
6Test: Check if one or more compilers can be found on the system

Result: no compilers found
Hardening: assigned maximum number of hardening points for this item (3).

The post-fix manual logs can be found at insert nexus link here.

Kube-Hunter

There are 5 Vulnerabilities.

...