Lynis audit questions

I run Lynis once a year as an audit, usually as a standalone, but I was surprised our extra repo had it! The audit in Lynis (unlike Clam) is entirely sober, sensible, with no alarming red flags. I’m pleased to say Endeavour by default is a great pre-hardened OS.

Review over.
Now on to the questions.
1) The only instance of “exposed” I got for the whole audit was networkmanager.service. I could find no info for this except Lynis controls are exposed, medium or protected. Anyone have an opinion how a service becomes exposed? FirewallD setting?

“unexpected” is ok. I was just wondering why it’s unexpected. Everyone has kernel files in /boot, but Endeavour?

Thanks for opinions! Happy Sunday to all.

If you use systemd-boot, they are under /efi.

EndeavourOS isn’t the only distro with kernels in the ESP, but most of the big distros keep the kernels in /boot.

1 Like

I believe “Exposed” is a rating based on scoring the level of sandboxing the systemd unit has. It has nothing to do with your firewall settings.

You can see the specifics if you run systemd-analyze security NetworkManager.service

1 Like

That’s where I thought they were! Thanks.

Very interesting. It’s their in-house rating system. I figured that setting was rated EXP because that’s a heavily-relied upon service.
That command you gave me was basically a list of permissions of that service, so it makes sense they weren’t thrilled with some (as it pertains to their version of protected).
Thank you.

Fedora had plans to tighten security for default systemd services to better isolate and sandbox them. They had. Looks like they have dropped it :neutral_face:

2 Likes

From your link: "Since Fedora already has the reputation of being security focused (SELinux enabled by default, system wide compiler flags that enable a number of security features etc), it is in a good position to act as a coordination and integration point. "

When I used Fedora (37-38) SELinux was a chatty false positive machine as far as what was writing to what. I thought it shoulda known better about some things…most seemed to adore it (I felt like a minority user re: my views on a busy/chatty app etc), though, and it’s always been evident SELinux is where Fedora hung their hat for security.

1 Like

I hoped that they would go ahead with this plan and perhaps upstream those changes or pass it on to other distros (don’t know how in practice these kind of things are done). It’s a pity they dropped the plan. It’s always good to make sure that the nuts and bolts of the machinery are tightened.

By the way, what was your score? If you don’t mind sharing. I’m a cat … :wink:

I remember it distinctly because I ran it twice: 65

I have to think this is baseline and optimal (don’t tell me otherwise!) because I trusted Endeavour with the security and I trust me with the common sense.

On Alpine I’m sure I would be in the 80s/90s with the tiny attack vector of musl.

1 Like

I get this on an Arch system as well.

I won’t be saying anything. I know a little too little about how the score is extrapolated from the test and what it means in practice for the security of a system. What is the optimal score? I don’t know but I am going, time permitting, to look at some of the suggestions it has made to see if there is anything, not that technically complicated, that I can implement.

1 Like

Exactly. They sure had, I don’t know, like 40 suggestions they wanted me to take for self-hardening, but then I figured, eh, ‘that’s just their thing’, it’s ok.

1 Like

I like the consistency of this app.

1 Like

You may say that EOS is a pre-configured, (somewhat) customized Arch. Security-wise it should be the same as the base Arch. Don’t think EOS devs do anything or much in that regard.

I have a Fedora install, somewhere. I’ll see if I can run Lynis on it and see what it scores.

The biggest thing we do from a security perspective is install a firewall and enable it by default.

1 Like

That’s right! I should have been more explicit about what I had in mind, that is in regard to systemd service hardening.

1 Like

I just finished hardening all my systemd services that were rated as “exposed” or “unsafe”; now they are all “medium” or “OK”.

❯ systemd-analyze security
UNIT                                 EXPOSURE PREDICATE HAPPY
NetworkManager.service                    4.2 OK        🙂
archlinux-keyring-wkd-sync.service        2.0 OK        🙂
bluetooth.service                         6.0 MEDIUM    😐
dbus-broker.service                       4.2 OK        🙂
dirmngr@etc-pacman.d-gnupg.service        3.7 OK        🙂
dm-event.service                          3.8 OK        🙂
emergency.service                         3.8 OK        🙂
firewalld.service                         7.3 MEDIUM    😐
getty@tty1.service                        4.1 OK        🙂
gpg-agent@etc-pacman.d-gnupg.service      3.7 OK        🙂
greetd.service                            7.1 MEDIUM    😐
keyboxd@etc-pacman.d-gnupg.service        3.7 OK        🙂
polkit.service                            1.2 OK        🙂
rescue.service                            2.2 OK        🙂
rtkit-daemon.service                      3.5 OK        🙂
shadow.service                            1.2 OK        🙂
snapper-cleanup.service                   6.7 MEDIUM    😐
systemd-ask-password-console.service      1.0 OK        🙂
systemd-ask-password-wall.service         1.3 OK        🙂
systemd-bsod.service                      3.8 OK        🙂
systemd-hostnamed.service                 1.7 OK        🙂
systemd-importd.service                   5.0 MEDIUM    😐
systemd-journald.service                  4.9 OK        🙂
systemd-logind.service                    2.8 OK        🙂
systemd-oomd.service                      1.8 OK        🙂
systemd-rfkill.service                    1.0 OK        🙂
systemd-udevd.service                     7.0 MEDIUM    😐
systemd-userdbd.service                   2.3 OK        🙂
tuned-ppd.service                         1.8 OK        🙂
tuned.service                             1.8 OK        🙂
upower.service                            2.4 OK        🙂
user@1000.service                         5.1 MEDIUM    😐
whoogle.service                           3.3 OK        🙂
wpa_supplicant.service                    3.0 OK        🙂

Except for greetd.service and user@.service (which I did make an effort to harden–that’s as far as I could get them without breaking stuff), the “medium” ones I haven’t hardened yet. I may double back and do those, but it’s not going to keep me up at night if I don’t get around to it.

Just to go ahead and say the quiet part out loud: hardening my systemd services is way beyond what I consider necessary for my personal threat model. That’s not to say it is pointless, or people shouldn’t do it, or anything like that…just for me personally, it seems a bit overkill.

It’s also kind of hard! It’s not always obvious what a service should or should not have access to. In a lot of cases I had to double-back and bisect the drop-in because I added something that was breaking the service and I wasn’t sure what. I had to mount the disk from a live ISO a couple times because I broke something and couldn’t get back in (be careful when you harden the dbus-broker service! :wink:).

It has been an interesting little project though! I have learned a lot while doing it.

Getting rid of all the “exposed” and “unsafe” ratings did boost the Lynis score by a whopping two points. It seems a bit stingy given how time consuming it ended up being! :sweat_smile:

But honestly the Lynis score should not be taken too seriously in my opinion. For example:

  -[ Lynis 3.1.4 Results ]-

  Warnings (3):
  ----------------------------
  ! Reboot of system is most likely needed [KRNL-5830] 
    - Solution : reboot
      https://cisofy.com/lynis/controls/KRNL-5830/

I always get this reboot warning, even if I reboot and run the audit immediately after logging in. Just me?

Also, while a lot of the Lynis suggestions are good and interesting and worthy of research, some of them just seem like they don’t really matter. Like “add a legal banner to /etc/issue, to warn unauthorized users.” I guess I could do that, but it really doesn’t seem like it will make my computer more secure.

One of the suggestions was to install a malware scanner and it listed a couple suggestions. Out of the suggestions I picked rkhunter because it’s in the extra repo and from the ArchWiki article it looked like it was easy to get started. I ran the thing, it didn’t find any rootkits which is good I guess, but the fact that the output has one thousand grep syntax warnings was puzzling. So I took a closer look at the project and discovered it hasn’t had a stable release since 2018. http://rkhunter.sourceforge.net/

Maybe that doesn’t say much for me that I installed that on my computer, but I feel like it really doesn’t say much for Lynis which happily added a point to my score. “Yep, I see you have Rootkit Hunter on there, good job, your computer is safer now.” Is it? It’s probably more of a vulnerability than anything to have this ancient software on here, searching for rootkits that were relevant in 2018.

Anyway, all that to say: I like Lynis, I think the information is generally good and useful, but it ought to be taken with a grain of salt because how relevant it is will vary a good deal from person to person.

3 Likes
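An added example, not code from the thread or from any of the posters: a small POSIX shell helper for the workflow described in the post above. `hardening_dropin` prints a conservative sandboxing drop-in built from real systemd.exec(5) directives (whether a particular service, e.g. the poster's whoogle.service, tolerates all of them is an assumption that has to be tested, which is why the post talks about bisecting the drop-in), and `units_at_or_above` filters `systemd-analyze security` table output by exposure score so you can see which units still need attention. The sample table is constructed in the same layout as the one posted above.

```shell
#!/bin/sh
# Added example: generate a hardening drop-in and rank units from
# `systemd-analyze security` output by their exposure score.

# Print a conservative sandboxing drop-in for a daemon that only needs
# network sockets (assumption). Every directive is a real systemd.exec(5)
# option; CapabilityBoundingSet= (empty) drops all capabilities, so a
# service that binds a port below 1024 needs CAP_NET_BIND_SERVICE back.
hardening_dropin() {
    cat <<'EOF'
[Service]
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
CapabilityBoundingSet=
EOF
}

# Read a `systemd-analyze security` table on stdin and print "unit score"
# for every unit whose exposure score is >= $1, skipping the header row.
units_at_or_above() {
    awk -v min="$1" 'NR > 1 && $2 + 0 >= min { print $1, $2 }'
}

# Constructed sample table (ASCII faces stand in for the emoji column).
SAMPLE='UNIT                     EXPOSURE PREDICATE HAPPY
firewalld.service             7.3 MEDIUM    :|
polkit.service                1.2 OK        :)
systemd-udevd.service         7.0 MEDIUM    :|'

# Real-world usage (the unit name is an assumption):
#   mkdir -p /etc/systemd/system/whoogle.service.d
#   hardening_dropin > /etc/systemd/system/whoogle.service.d/hardening.conf
#   systemctl daemon-reload && systemctl restart whoogle.service
#   systemd-analyze security whoogle.service
#   systemd-analyze security --no-pager | units_at_or_above 7
printf '%s\n' "$SAMPLE" | units_at_or_above 7
```

If the restarted service fails, remove half of the directives from the drop-in, reload, and repeat until the offending line is found; `journalctl -u <unit>` usually names the denied operation.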

nice work.

^^^this^^^ Great reference, and a lot of great-to-know info.

I admire your perseverance and patience! Once, some time ago, I ventured into hardening some of those sad-faced systemd services. It was minute and tedious work. I broke things, needed to fix them, countless reboots. But it was rewarding, I got a score of 72 up from 64 or 65 :wink: