Versions Compared

Old Version 11

changes.mady.by.user Colin Peters

Saved on

compared with

New Version 12

changes.mady.by.user Colin Peters

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
maxLevel3

...

CVE-IDCVSSNVDFix/Notes
CVE-2016-15859.8https://nvd.nist.gov/vuln/detail/CVE-2016-1585

No fix available

Ubuntu CVE record

TODO: File exception request

CVE-2021-202239.8https://nvd.nist.gov/vuln/detail/CVE-2021-20223

Fix released in libsqlite 3.31.1-4ubuntu0.4

Ubuntu CVE record

TODO: Check libsqlite3-0 version, update if possible and re-run.

CVE-2022-03189.8https://nvd.nist.gov/vuln/detail/CVE-2022-0318

Fix not yet available

Ubuntu CVE record

TODO: Check for recent updates to vim, update if possible and re-run. If no updates available, file exception request.

CVE-2022-19279.8https://nvd.nist.gov/vuln/detail/CVE-2022-1927

Fix not yet available

Ubuntu CVE record

TODO: Same as CVE-2022-0318

CVE-2022-374349.8https://nvd.nist.gov/vuln/detail/CVE-2022-37434

No fix available (for zlib1g, zlib1g-dev)

Ubuntu CVE record

TODO: File exception request

CVE-2022-10129.1https://nvd.nist.gov/vuln/detail/CVE-2022-1012

Fix released in linux-image 5.4.0-126.142

Ubuntu CVE record

TODO: Check kernel version (linux-image-5.4.0-109-generic?) and check for updates. Update if possible and re-run.

CVE-2022-15869.1https://nvd.nist.gov/vuln/detail/CVE-2022-1586

Fix released in libpcre 10.34-7ubuntu0.1

Ubuntu CVE record

TODO: Check for updates to libpcre. Update if possible and re-run.

CVE-2022-15879.1https://nvd.nist.gov/vuln/detail/CVE-2022-1587

Fix released in libpcre 10.34-7ubuntu0.1

Ubuntu CVE record

TODO: Same as CVE-2022-1586

Lynis

Nexus URL (run via Bluval, without fixes): 

...

The Lynis Program Update test MUST pass with no errors.
2022-0309-0414 1516:3319:2849 Test: Checking for program update...

2022-0309-0414 1516:3319:3149 CurrentResult: installedUpdate versioncheck failed. :No 301network connection?
2022-0309-0414 1516:3319:3149 LatestInfo: stableto versionperform an automatic update check, outbound :DNS 307
2022-03-04 15:33:31 Minimum required version   : 297
2022-03-04 15:33:31 Result: newer Lynis release available!
2022-03-04 15:33:31 Suggestion: Version of Lynis outdated, consider upgrading to the latest versionconnections should be allowed (TXT record).
2022-09-14 16:19:49 Suggestion: This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [test:LYNIS] [details:-] [solution:-]

TODO Fix: Download and run the latest Lynis directly on SUT. See the link below:

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing
No.TestResultFix
1

Test: Checking PASS_MAX_

DAYS option in /etc/login.defs

Result: password minimum age is not configured

Suggestion: Configure minimum password age DAYS option in /etc/login.defs [test:AUTH-9286]

2022-09-14 16:20:32 Result: password aging limits are not configured

TODO: Set PASS_MAX_DAYS 180 in /etc/login.defs and rerun.
2

Performing test ID AUTH-9328 (Default umask values)

2022-09-14 16:20:32 Result: found umask 022, which could be improved

Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]

TODO: Set UMASK 027 in /etc/login.defs
3

Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups

)

)

2022-09-14 16:20:44 Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.

Hardening: assigned partial number of hardening points (0 of 1).

TODO: Configure AllowUsers in /etc/ssh/sshd_config (allow only the admin account).
4

Test: checking for file /etc/network/if-up.d/ntpdateTest: checking for

2022-09-14 16:20:46 Result: file /etc/network/if-up.d/ntpdate does not exist
2022-09-14 16:20:46 Result: file /etc/network/if-up.d/ntpdate does not exist

...

Found a time syncing daemon/client.
2022-09-14 16:20:46 Hardening: assigned maximum number of hardening points for this item (3).

OK
5Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) :  Following sub-tests requiredN/AN/A
5asysctl key fs.suid_dumpable contains equal expected and current value (0)

2022-09-14 16:20:58 Result: sysctl key fs.suid_dumpable

has a different value than expected in scan profile. Expected=0, Real=2

Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf and disable apport in /etc/default/apportcontains equal expected and current value (0)

OK

5bsysctl key kernel.dmesg_restrict contains equal expected and current value (1)1)

2022-09-14 16:20:58 Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0

Set recommended value in TODO: Add kernel.dmesg_restrict=1 to /etc/sysctl.d/90-lynis-hardening.conf
5csysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)

2022-09-14 16:20:58 Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1

Set recommended value in TODO: Add net.ipv4.conf.default.accept_source_route=0 to /etc/sysctl.d/90-lynis-hardening.conf
6Test: Check if one or more compilers can be found on the system

2022-09-14 16:20:59 Result: found installed compiler. See top of logfile which compilers have been found or use /usr/bin/grep to filter on 'compiler'

Hardening: assigned partial number of hardening points (1 of 3).

TODO: Uninstall gcc and remove /usr/bin/as (installed with binutils)

...