Hello everyone,
I have just run a scan with lynis, and it showed quite a few error messages along the way, including one that, if I believe the description, concerns DNS. If I understood correctly, I need to add a secondary DNS to the resolv.conf file, except that after some research, apparently this is impossible on Linux?
https://www.developpez.net/forums/d507521/systemes/autres-systemes/unix/ajout-plusieurs-dns-etc-resolv-conf/
Another question: lynis reports a lot of "Different" results, among other error messages; the lines concern my iptables script. Is this serious in your opinion? I suspect there must be false positives, but if I could identify which ones are genuine and which are not, that would reassure me.
The report in question is attached:
[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ DÉSACTIVÉ ]
- Checking presence GRUB2 [ TROUVÉ ]
- Checking for password protection [ ATTENTION ]
- Check running services (systemctl) [ FAIT ]
Result: found 26 running services
- Check enabled services at boot (systemctl) [ FAIT ]
Result: found 27 enabled services
- Check startup files (permissions) [ OK ]
[+] Kernel
------------------------------------
- Checking default run level [ RUNLEVEL 5 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ TROUVÉ ]
- Checking kernel version and release [ FAIT ]
- Checking kernel type [ FAIT ]
- Checking loaded kernel modules [ FAIT ]
Found 138 active modules
- Checking Linux kernel configuration file [ TROUVÉ ]
- Checking default I/O kernel scheduler [ TROUVÉ ]
- Checking for available kernel update [ OK ]
- Checking core dumps configuration [ DÉSACTIVÉ ]
- Checking setuid core dumps configuration [ DEFAULT ]
- Check if reboot is needed [ NON ]
[+] Mémoire et Processus
------------------------------------
- Checking /proc/meminfo [ TROUVÉ ]
- Searching for dead/zombie processes [ OK ]
- Searching for IO waiting processes [ TROUVÉ ]
[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ OK ]
- Unique UIDs [ OK ]
- Consistency of group files (grpck) [ OK ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password file consistency [ OK ]
- Query system users (non daemons) [ FAIT ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ NOT ENABLED ]
- sudoers file [ TROUVÉ ]
- Check sudoers file permissions [ OK ]
- PAM password strength tools [ SUGGESTION ]
- PAM configuration files (pam.conf) [ TROUVÉ ]
- PAM configuration files (pam.d) [ TROUVÉ ]
- PAM modules [ TROUVÉ ]
- LDAP module in PAM [ NON TROUVÉ ]
- Accounts without expire date [ OK ]
- Accounts without password [ OK ]
- Checking user password aging (minimum) [ DÉSACTIVÉ ]
- User password aging (maximum) [ DÉSACTIVÉ ]
- Checking expired passwords [ OK ]
- Checking Linux single user mode authentication [ OK ]
- Determining default umask
- umask (/etc/profile) [ NON TROUVÉ ]
- umask (/etc/login.defs) [ SUGGESTION ]
- LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ ACTIVÉ ]
[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 11 shells (valid shells: 11).
- Session timeout settings/tools [ AUCUN ]
- Checking default umask values
- Checking default umask in /etc/bash.bashrc [ AUCUN ]
- Checking default umask in /etc/profile [ AUCUN ]
[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ OK ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Query swap partitions (fstab) [ OK ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- Checking /var/tmp sticky bit [ OK ]
- ACL support root file system [ ACTIVÉ ]
- Mount options of / [ NON DEFAULT ]
- Mount options of /boot [ NON DEFAULT ]
- Mount options of /home [ NON DEFAULT ]
- Checking Locate database [ TROUVÉ ]
- Disable kernel support of some filesystems
- Discovered kernel modules: freevxfs hfs hfsplus jffs2 squashfs udf
[+] USB Devices
------------------------------------
- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
- Checking USB devices authorization [ ACTIVÉ ]
- Checking USBGuard [ NON TROUVÉ ]
[+] Storage
------------------------------------
- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ]
[+] NFS
------------------------------------
- Check running NFS daemon [ NON TROUVÉ ]
[+] Name services
------------------------------------
- Searching DNS domain name [ INCONNU ]
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ OK ]
- Checking /etc/hosts (localhost) [ OK ]
- Checking /etc/hosts (localhost to IP) [ OK ]
[+] Ports and packages
------------------------------------
- Searching package managers
- Searching dpkg package manager [ TROUVÉ ]
- Querying package manager
- Query unpurged packages [ TROUVÉ ]
- Checking security repository in sources.list file or directory [ ATTENTION ]
- Checking vulnerable packages (apt-get only) [ FAIT ]
- Checking package audit tool [ INSTALLED ]
Found: apt-get
[+] Networking
------------------------------------
- Checking IPv6 configuration [ ACTIVÉ ]
Configuration method [ AUTO ]
IPv6 only [ NO ]
- Checking configured nameservers
- Testing nameservers
Nameserver: 192.168.0.254 [ OK ]
- Minimal of 2 responsive nameservers [ ATTENTION ]
- Checking default gateway [ FAIT ]
- Getting listening ports (TCP/UDP) [ FAIT ]
* Found 1 ports
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ EN COURS: ]
- Checking for ARP monitoring software [ NON TROUVÉ ]
[+] Printers and Spools
------------------------------------
- Checking cups daemon [ NON TROUVÉ ]
- Checking lp daemon [ NON LANCÉ ]
[+] Software: e-mail and messaging
------------------------------------
[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ TROUVÉ ]
- Checking iptables policies of chains [ TROUVÉ ]
- Checking for empty ruleset [ OK ]
- Checking for unused rules [ TROUVÉ ]
- Checking host based firewall [ ACTIVE ]
[+] Software: webserver
------------------------------------
- Checking Apache (binary /usr/sbin/apache2) [ TROUVÉ ]
Info: Configuration file found (/etc/apache2/apache2.conf)
Info: No virtual hosts found
* Loadable modules [ TROUVÉ (118) ]
- Found 118 loadable modules
mod_evasive: anti-DoS/brute force [ NON TROUVÉ ]
mod_reqtimeout/mod_qos [ TROUVÉ ]
ModSecurity: web application firewall [ NON TROUVÉ ]
- Checking nginx [ NON TROUVÉ ]
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ NON TROUVÉ ]
[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NON TROUVÉ ]
[+] Databases
------------------------------------
No database engines found
[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NON TROUVÉ ]
[+] PHP
------------------------------------
- Checking PHP [ TROUVÉ ]
- Checking PHP disabled functions [ TROUVÉ ]
- Checking expose_php option [ ON ]
- Checking enable_dl option [ OFF ]
- Checking allow_url_fopen option [ ON ]
- Checking allow_url_include option [ OFF ]
[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NON TROUVÉ ]
[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NON TROUVÉ ]
- Checking systemd journal status [ TROUVÉ ]
- Checking Metalog status [ NON TROUVÉ ]
- Checking RSyslog status [ TROUVÉ ]
- Checking RFC 3195 daemon status [ NON TROUVÉ ]
- Checking minilogd instances [ NON TROUVÉ ]
- Checking logrotate presence [ OK ]
- Checking log directories (static list) [ FAIT ]
- Checking open log files [ FAIT ]
- Checking deleted files in use [ FILES FOUND ]
[+] Insecure services
------------------------------------
- Checking inetd status [ NOT ACTIVE ]
[+] Banners and identification
------------------------------------
- /etc/issue [ TROUVÉ ]
- /etc/issue contents [ WEAK ]
- /etc/issue.net [ TROUVÉ ]
- /etc/issue.net contents [ WEAK ]
[+] Scheduled tasks
------------------------------------
- Checking crontab/cronjob [ FAIT ]
[+] Accounting
------------------------------------
- Checking accounting information [ NON TROUVÉ ]
- Checking sysstat accounting data [ DÉSACTIVÉ ]
- Checking auditd [ NON TROUVÉ ]
[+] Time and Synchronization
------------------------------------
- Checking for a running NTP daemon or client [ ATTENTION ]
[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [0/4] [ AUCUN ]
[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ TROUVÉ ]
- Checking AppArmor status [ DÉSACTIVÉ ]
- Checking presence SELinux [ NON TROUVÉ ]
- Checking presence TOMOYO Linux [ NON TROUVÉ ]
- Checking presence grsecurity [ NON TROUVÉ ]
- Checking for implemented MAC framework [ AUCUN ]
[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- Checking presence integrity tool [ NON TROUVÉ ]
[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NON TROUVÉ ]
- Checking for IDS/IPS tooling [ AUCUN ]
[+] Software: Malware
------------------------------------
- Vérification chkrootkit [ TROUVÉ ]
[+] File Permissions
------------------------------------
- Starting file permissions check
[+] Home directories
------------------------------------
- Checking shell history files [ OK ]
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ OK ]
- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ OK ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
[+] Hardening
------------------------------------
- Installed compiler(s) [ TROUVÉ ]
- Installed malware scanner [ TROUVÉ ]
[+] Tests Personnalisés
------------------------------------
- Running custom tests... [ NONE ]
[+] Plugins (phase 2)
------------------------------------
- Plugins (phase 2) [ DONE ]
Thanks in advance


