How to Configure Security Event Audit on FreeBSD?
The FreeBSD operating system supports the auditing of security events. Event auditing facilitates the dependable, granular, and flexible recording of several security-relevant system events, including configuration changes, logins, and file and network access. These log data are useful for live system monitoring, intrusion detection, and postmortem examination. FreeBSD incorporates Sun's Basic Security Module (BSM) Application Programming Interface (API) and file format and is compatible with Solaris and Mac OS X audit implementations.
In this article, we focus on event auditing installation and setup. It describes audit rules and presents an example audit setup. After completing this document, you will understand:
- Event auditing definition and operation.
- How to set up event auditing for users and processes on FreeBSD.
- How to do an audit trail review utilizing audit reduction and review tools.
The audit facility is known to have several limitations. Some login systems, such as Xorg-based display managers and third-party daemons, do not correctly set up auditing for user login sessions. The security event auditing facility is able to produce very detailed records of system activity. When configured for high detail, trail file data on a busy system may exceed terabytes per week in some configurations. Administrators must take the disk space requirements of high-volume audit configurations into account. For instance, it is beneficial to dedicate a file system to /var/audit so that other file systems are not affected if /var/audit fills up.
What are the Audit Terms?
The words listed below are associated with security event auditing:
- Event: An auditable event is any event that can be recorded by the audit subsystem. Security-relevant events include the creation of a file, the establishment of a network connection, and the login of a user. Events are "attributable" if they can be traced back to an authenticated user, or "non-attributable" if they cannot. Non-attributable events include those that occur prior to authentication in the login procedure, such as incorrect password attempts.
- Class: A class is a named collection of related events used in selection expressions. "file creation" (fc), "exec" (ex), and "login_logout" (lo) are commonly used event classes.
- Trail: A trail is a log file containing audit records documenting security events. Trails are arranged approximately in chronological order according to the completion of events. Only authorized processes are permitted to append records to the audit trail.
- Record: A record is a log entry that describes a security event. Records include a record event type, information on the subject (the user performing the action), date and time information, details on any objects or arguments, and a success or failure status.
- Reduction: Reduction is the process of selecting records from existing audit trails for preservation, printing, or analysis; equally, it is the process of removing unwanted audit records from the audit trail. Administrators use reduction to implement policies for the preservation of audit data. For instance, comprehensive audit trails are kept for one month, after which they are reduced to login information only, for archival purposes.
- Selection Expression: A selection expression is a string holding a list of prefixes and audit event class names that is used to match events.
- Preselection: Preselection is the process through which the system determines which events are of interest to the administrator. The preselection configuration uses a number of selection expressions to determine which event classes to audit for which users, as well as global settings that apply to both authenticated and unauthenticated processes.
How to Enable and Configure Audit?
User space support for event auditing is included as part of the base FreeBSD operating system. By default, kernel support is included in the GENERIC kernel. FreeBSD provides an audit management utility that controls the state of the audit system. The audit utility requires one of the following flags as an argument:
- -e: Forces the audit system to immediately remove audit log files that meet the expiry criteria given in the audit control file, without performing log rotation.
- -i: Initializes and starts auditing. This option is currently only available on Mac OS X and requires auditd to be set up to run under launchd.
- -n: Forces the audit system to close the current audit log file and open a new log file at the location given in the audit control file. Additionally, audit log files that meet the expiry criteria given in the audit control file are removed.
- -s: Specifies that the audit system's configuration should be [re]synchronized with the audit control file. A fresh log file will be generated.
- -t: Indicates that the audit system should terminate. The log files are closed and renamed to reflect the shutdown time.
The auditd service must already be running. It may optionally be configured to be launched on demand by launchd (Mac OS X only). For proper operation, the audit utility needs audit administrator privileges.
auditd is the audit log management daemon; it responds to requests from the audit tool and to notifications from the kernel. It maintains the resulting audit log files and the locations given for log files. Its options are as follows:
- -d: Starts the daemon in debug mode; it will not daemonize.
- -l: This option is applicable when auditd is set to start on demand using launchd.
The audit review group "audit" may optionally be created. Members of this group may read audit trail log files without needing any other privileges.
You may enable auditd by following the steps given below.
- Add the following line to /etc/rc.conf:
auditd_enable="YES"
- Run the next command to start the audit daemon:
service auditd start
Users who want to develop a custom kernel must add the following line in the configuration file for their own kernel:
options AUDIT
What are Event Selection Expressions?
Multiple locations in the audit configuration use selection expressions to decide which events should be audited. Expressions contain a list of event classes to match. Selection expressions are evaluated from left to right, and two expressions are combined by appending one to the other.
The following table highlights the default audit event classes:
Class Name | Description | Action |
---|---|---|
all | all | Match all event classes. |
aa | authentication and authorization | |
ad | administrative | Administrative actions performed on the system as a whole. |
ap | application | Application-defined action. |
cl | file close | Audit calls to the close system call. |
ex | exec | Audit program execution. Auditing of command line arguments and environment variables is controlled via audit_control using the argv and envv parameters of the policy setting. |
fa | file attribute access | Audit the access of object attributes such as stat and pathconf. |
fc | file create | Audit events where a file is created as a result. |
fd | file delete | Audit events where file deletion occurs. |
fm | file attribute modify | Audit events where file attribute modification occurs, such as by chown, chflags, and flock. |
fr | file read | Audit events in which data is read or files are opened for reading. |
fw | file write | Audit events in which data is written or files are written or modified. |
io | ioctl | Audit use of the ioctl system call. |
ip | ipc | Audit various forms of Inter-Process Communication, including POSIX pipes and System V IPC operations. |
lo | login_logout | Audit login and logout events. |
na | non attributable | Audit non-attributable events. |
no | invalid class | Match no audit events. |
nt | network | Audit events related to network actions such as connect and accept. |
ot | other | Audit miscellaneous events. |
pc | process | Audit process operations such as exec and exit. |
Table 1. Default audit event classes
You may alter these audit event classes by editing the audit_class and audit_event configuration files.
Each audit event class may be paired with a prefix that indicates if successful/failed operations are matched and whether the entry adds or removes matching for the class and type. Prefixes for Audit Event Classes are listed in the next table:
Prefix | Action |
---|---|
+ | Audit successful events in this class. |
- | Audit failed events in this class. |
^ | Audit neither successful nor failed events in this class. |
^+ | Do not audit successful events in this class. |
^- | Do not audit failed events in this class. |
Table 2. Prefixes for Audit Event Classes
In the absence of a prefix, both successful and unsuccessful occurrences of the event will be audited.
The selection string example below picks both successful and unsuccessful login/logout events, but only successful execution events:
lo,+ex
What are the Configuration Files?
The /etc/security directory contains the following configuration files for security event auditing:
- audit_class: holds the definitions of the audit classes.
- audit_control: controls aspects of the audit subsystem, including the default audit classes, the minimum disk space to leave on the audit log volume, and the maximum audit trail size.
- audit_event: contains the textual names and descriptions of system audit events, as well as a list of the classes each event belongs to.
- audit_user: user-specific audit requirements that are combined with the global defaults at login.
- audit_warn: a customizable shell script used by auditd to generate warning messages in exceptional situations, such as when space for audit records is running low or when the audit trail file has been rotated.
In the majority of instances, just audit_control and audit_user need to be modified. The first file handles auditing attributes and rules for the whole system, while the second file is used to fine-tune auditing per user.
Audit configuration files should be modified and maintained with care since configuration mistakes might result in erroneous event recordings.
How to Configure audit_control File?
The audit_control file specifies a set of default options for the audit subsystem. A sample audit_control file is shown below:
dir:/var/audit
dist:off
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
- dir: The dir element specifies one or more directories in which audit logs are stored. If more than one directory entry exists, they are used in order as each fills up. Commonly, audit logs are stored on a dedicated file system, to minimize interference between the audit subsystem and other subsystems if the file system becomes full.
- dist: If the dist parameter is set to on or yes, hard links to all trail files are created in /var/audit/dist.
- flags: The flags field sets the global default preselection mask for attributable events. In the sample above, successful and failed login/logout events, as well as authentication and authorization events, are audited for all users.
- minfree: The minfree entry specifies the minimum percentage of free space required on the file system holding the audit trail.
- naflags: The naflags item specifies the audit classes for non-attributable events, such as the login/logout process and authentication and authorization.
- policy: The policy item provides a comma-separated list of policy flags that control various aspects of audit behavior. cnt specifies that the system should continue running despite an audit failure (this flag is highly recommended). The other flag, argv, causes the command line arguments of the execve system call to be audited as part of command execution.
- filesz: The filesz entry sets the maximum size of an audit trail file before it is automatically terminated and rotated. A value of 0 disables automatic log rotation. If the requested file size is less than 512k, the request is ignored and a log notice is generated.
- expire-after: The expire-after parameter specifies when audit log files expire and are removed.
How to Configure audit_user File?
The audit_user file allows the administrator to specify further audit requirements for specific users. Each line configures auditing for one user via two fields:
- alwaysaudit: the alwaysaudit field specifies a set of events that should always be audited for the user.
- neveraudit: the neveraudit field specifies a set of events that should never be audited for the user.
The following sample entries audit login/logout events and successful command execution for root, as well as file creation and successful command execution for nginx. If audit_control is set to its default value, the lo item for root is redundant, and login/logout events will also be audited for nginx.
root:lo,+ex:no
nginx:fc,+ex:no
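As an added example (not part of the original article and not FreeBSD's own code), the following Python script parses the audit_control and audit_user samples above, evaluates selection expressions with the prefix rules from Table 2, and computes each user's effective mask as (flags | alwaysaudit) - neveraudit, which is how libbsm merges the two files at login; the backup user line is constructed to show neveraudit removing a class.

```python
"""Effective audit preselection mask per user.

Added example, not FreeBSD's own code. It applies the selection-expression
rules from Tables 1 and 2 (prefixes +, -, ^, ^+, ^-; left-to-right evaluation)
to the flags line of audit_control and the alwaysaudit/neveraudit fields of
audit_user, merging them as libbsm's getfauditflags() does:
    mask = (flags | alwaysaudit) - neveraudit, for success and failure separately.
Class names come from Table 1; the numeric class values in audit_class are not
needed here.
"""

# Class names from Table 1 (excluding the pseudo-classes "all" and "no").
AUDIT_CLASSES = frozenset(
    "aa ad ap cl ex fa fc fd fm fr fw io ip lo na nt ot pc".split())

# Constructed sample files: the audit_control and audit_user examples from the
# article plus one extra (hypothetical) audit_user line for user "backup",
# which never audits successful file reads while keeping failed ones.
AUDIT_CONTROL = """\
dir:/var/audit
dist:off
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
"""
AUDIT_USER = """\
root:lo,+ex:no
nginx:fc,+ex:no
backup:all:+fr
"""

PREFIXES = ("^+", "^-", "^", "+", "-")  # longest first so "^+" beats "^"


def parse_selection(expr):
    """Evaluate a selection expression left to right.

    Returns (success, failure): the sets of class names whose successful and
    failed events, respectively, the expression selects.
    """
    success, failure = set(), set()
    for item in (part.strip() for part in expr.split(",")):
        if not item:
            continue
        prefix = next((p for p in PREFIXES if item.startswith(p)), "")
        name = item[len(prefix):]
        if name == "no":                    # matches no events
            continue
        if name == "all":
            classes = set(AUDIT_CLASSES)
        elif name in AUDIT_CLASSES:
            classes = {name}
        else:
            raise ValueError(f"unknown audit class {name!r} in {expr!r}")
        if prefix in ("", "+"):
            success |= classes
        if prefix in ("", "-"):
            failure |= classes
        if prefix in ("^", "^+"):
            success -= classes
        if prefix in ("^", "^-"):
            failure -= classes
    return success, failure


def parse_audit_control(text):
    """Return audit_control as a dict; for repeated keys (e.g. dir) the first wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf.setdefault(key.strip(), value.strip())
    return conf


def parse_audit_user(text):
    """Return {user: (alwaysaudit, neveraudit)} from audit_user."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, always, never = (f.strip() for f in line.split(":"))
            users[user] = (always, never)
    return users


def effective_mask(user, control, users):
    """Preselection mask applied to the user's attributable events at login."""
    g_succ, g_fail = parse_selection(control.get("flags", ""))
    always, never = users.get(user, ("", ""))
    a_succ, a_fail = parse_selection(always)
    n_succ, n_fail = parse_selection(never)
    return (g_succ | a_succ) - n_succ, (g_fail | a_fail) - n_fail


if __name__ == "__main__":
    control = parse_audit_control(AUDIT_CONTROL)
    users = parse_audit_user(AUDIT_USER)
    for user in ("root", "nginx", "backup", "nobody"):
        succ, fail = effective_mask(user, control, users)
        print(f"{user:7} success={sorted(succ)} failure={sorted(fail)}")
```

Running it shows that lo for root adds nothing beyond the global flags, and that a user absent from audit_user simply inherits the flags line.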
How to Utilize Audit Trails?
Since audit trails are stored in the BSM binary format, a number of built-in tools are available for modifying or converting them to text. You may use praudit to convert trail files to a simple text format. To dump the whole contents of a particular audit log in plain text, you may run the next command:
praudit /var/audit/AUDITFILE
Where AUDITFILE represents the audit log to be dumped.
Audit trails consist of a sequence of token-based audit records, which praudit prints one token per line. Each token has a defined type, such as header (an audit record header) or path (a file path from a name lookup). This is an instance of an execve event:
header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
exec arg,finger,doug
path,/usr/bin/finger
attribute,555,root,wheel,90,24918,104944
subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100
return,success,0
trailer,133
This record reflects a successful execve call in which the finger doug command was executed.
- The exec arg token contains the processed command line that the shell passed to the kernel.
- The path token holds the executable's path as determined by the kernel.
- The attribute token describes the binary, including its file mode.
- The subject token holds the audit user ID, the effective user ID and group ID, the real user ID and group ID, the process ID, the session ID, the port ID, and the login address. Observe that the audit user ID and the real user ID differ because the user robert switched to the root account before executing this command, but the action is audited under the originally authenticated user.
- The return token indicates that the execution was successful.
- The trailer token closes the record.
An XML output format is also available and may be selected with the -x option.
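As an added example (not from the original article), the following Python script parses praudit's one-token-per-line text output for records like the one above and flags those in which the audit user ID differs from the real user ID, which is exactly what the subject token of the finger record shows; the second record in the sample input is constructed for contrast.

```python
"""Parse praudit(1) text output and flag privilege transitions.

Added example, not FreeBSD's own code. It reads the one-token-per-line text
format described above (header, exec arg, path, attribute, subject, return,
trailer) and reports records whose audit user ID differs from the real user
ID, i.e. commands run after switching to another account, as in the finger
record above.
"""

# Field order of the subject token, as listed in the article.
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid", "addr")

# Constructed sample: the execve record from the article, followed by a
# constructed record of an ordinary user running a command as themselves.
SAMPLE = """\
header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
exec arg,finger,doug
path,/usr/bin/finger
attribute,555,root,wheel,90,24918,104944
subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100
return,success,0
trailer,133
header,120,10,execve(2),0,Mon Sep 25 16:01:12 2006, + 12 msec
exec arg,ls,-l
path,/bin/ls
attribute,555,root,wheel,90,24900,34128
subject,doug,doug,users,doug,users,38500,38400,42090,10.0.0.7
return,success,0
trailer,120
"""


def parse_praudit(text):
    """Group praudit lines into records (one dict per header..trailer pair)."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        token = fields[0]
        if token == "header":
            if current is not None:
                raise ValueError("header inside an unterminated record")
            # header,<bytes>,<version>,<event>,<modifier>,<time>,<msec>
            current = {"event": fields[3], "time": fields[5], "tokens": []}
            continue
        if current is None:
            raise ValueError(f"token outside a record: {line!r}")
        current["tokens"].append(token)
        if token == "subject":
            current["subject"] = dict(zip(SUBJECT_FIELDS, fields[1:]))
        elif token == "exec arg":
            current["argv"] = fields[1:]
        elif token == "path":
            current["path"] = fields[1]
        elif token == "return":
            current["status"] = fields[1]   # "success" or a failure reason
        elif token == "trailer":
            records.append(current)
            current = None
    if current is not None:
        raise ValueError("trailing record has no trailer token")
    return records


def privilege_transitions(records):
    """Records whose audit UID (originally authenticated user) differs from
    the real UID the command ran as: the case the subject token above shows."""
    return [r for r in records
            if "subject" in r and r["subject"]["auid"] != r["subject"]["ruid"]]


def describe(record):
    """One-line summary of a record for a reviewer."""
    s = record["subject"]
    return (f"{record['time']}: {s['auid']} ran {' '.join(record.get('argv', []))!r} "
            f"as {s['ruid']} (pid {s['pid']}) from {s['addr']}: {record.get('status')}")


if __name__ == "__main__":
    for rec in privilege_transitions(parse_praudit(SAMPLE)):
        print(describe(rec))
```

The same parser can be fed from a pipe (praudit on a trail file or on /dev/auditpipe) by reading stdin instead of SAMPLE.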
You may use auditreduce to reduce the audit trail file for analysis, archiving, or printing. This program offers a number of selection parameters, including event type, event class, user, event date or time, and file path or object acted upon.
auditreduce may be used to select a subset of records from audit logs, which can be rather large. This example retrieves all audit records generated for user john and saved in AUDITFILE:
auditreduce -u john /var/audit/AUDITFILE | praudit
Members of the audit group have access to the audit logs located in /var/audit. This group is empty by default, so only the root user may access audit logs. Users may be added to the audit group in order to delegate audit review rights. Since the ability to read audit log information gives significant insight into the behavior of users and processes, it is advised to delegate audit review rights with care.
How to Monitor in Real-Time Using Audit Pipes?
Audit pipes are cloning pseudo-devices that allow programs to access the live audit record stream. This is of particular interest to the authors of intrusion detection and system monitoring software. However, the audit pipe device is also a convenient way for the administrator to perform live monitoring without interference from audit trail file ownership conflicts or log rotation. To monitor the stream of live audit events, you may run the next command:
praudit /dev/auditpipe
By default, only the root user has access to audit pipe device nodes. To make them accessible to members of the audit group, add the following devfs rule to /etc/devfs.rules:
add path 'auditpipe*' mode 0440 group audit
It is easy to create audit event feedback cycles, in which viewing each audit event generates further audit events. For instance, if all network I/O is audited and praudit is run from an SSH session, a continuous stream of audit events will be generated at a rapid rate, since each printed event generates another event. It is therefore recommended to run praudit on an audit pipe device from sessions without fine-grained I/O auditing.
How to Compress and Rotate Audit Trail Files?
Audit trails are written by the kernel and managed by auditd. Administrators should not rotate audit logs directly using newsyslog.conf or similar tools. Instead, audit should be used to shut down auditing, reconfigure the audit system, and rotate logs.
The following command instructs the audit daemon to generate a new audit log and notifies the kernel to begin utilizing the new log. The old log will be ended and renamed, at which time the administrator will be able to alter it:
audit -n
If auditd is not currently running, this command fails and prints an error message.
To schedule this rotation to occur every twelve hours, add the following line to /etc/crontab:
0 */12 * * * root /usr/sbin/audit -n
The change takes effect once /etc/crontab has been saved.
It is also possible to rotate the audit trail file automatically based on file size using filesz in audit_control, as described for the audit_control file above.
As audit trail files may get rather large, it is typically desirable to compress or otherwise archive them once the audit daemon has closed them. The audit_warn script is used to perform customized actions for a number of audit-related events, including the clean termination of audit trails when they are rotated.
To compress audit trails on closing, you may add the following lines to the /etc/security/audit_warn file:
# Compress audit trail files on close.
# auditd passes the warning type as $1 and the path of the closed trail as $2.
if [ "$1" = closefile ]; then
    gzip -9 "$2"
fi
Other archiving tasks might include uploading trail files to a centralized server, deleting outdated trail files, or minimizing the audit trail by removing unnecessary information. This script will only be executed after audit trail files are properly closed. It will not be run on trails that were left unfinished due to an erroneous shutdown.
How to Perform Audit Using Lynis?
Lynis is a security auditing tool for UNIX-based systems such as Linux, macOS, and BSD. It runs on the machine itself and performs an extensive security scan. Its main objective is to evaluate security defenses and make recommendations for further system hardening. In addition, it examines general system information, vulnerable software packages, and possible configuration issues. System administrators and auditors often use Lynis to evaluate the security defenses of their systems. Besides the "blue team", modern penetration testers also have Lynis in their arsenal.
The key objectives of Lynis are as follows:
- Automated security auditing
- Vulnerability detection
- Compliance testing (e.g. ISO27001, PCI-DSS, HIPAA)
The Lynis utility also supports the following functions:
- Software patch management
- System hardening
- Asset and configuration management
- Intrusion detection
- Penetration testing (privilege escalation)
You may install and run the Lynis for security auditing on your FreeBSD server by following the steps given below:
- Change your directory where Lynis will be installed by running the next command:
cd /usr/local
- Run the next command to clone or download the Lynis project files:
git clone https://github.com/CISOfy/lynis
- Execute the next command to start auditing:
cd lynis && ./lynis audit system
You should see output similar to the following:
[ Lynis 3.0.8 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2021, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
---------------------------------------------------
Program version: 3.0.8
Operating system: FreeBSD
Operating system name: FreeBSD
Operating system version: 13.1-RELEASE-p5
Kernel version: GENERIC
Hardware platform: amd64
Hostname: alp
---------------------------------------------------
Profiles: /usr/local/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/local/lynis/plugins
---------------------------------------------------
Auditor: [Not Specified]
Language: en
Test category: all
Test group: all
---------------------------------------------------
- Program update status... [ NO UPDATE ]
[+] System tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
PHP Warning: Module "mysqli" is already loaded in Unknown on line 0
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugin: pam
[..]
- Plugin: systemd
[................]
[+] Boot and services
------------------------------------
- Service Manager [ bsdrc ]
- Checking presence FreeBSD loader [ FOUND ]
- Checking services at startup (service/rc.conf) [ DONE ]
Result: found 32 services/options set
[+] Kernel
------------------------------------
- Checking active kernel modules
Found 8 kernel modules [ DONE ]
[+] Memory and Processes
------------------------------------
- Searching for dead/zombie processes [ NOT FOUND ]
- Searching for IO waiting processes [ NOT FOUND ]
[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ WARNING ]
- Unique UIDs [ WARNING ]
- Checking chkgrp tool [ FOUND ]
- Checking consistency of /etc/group file [ OK ]
- Login shells [ WARNING ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password hashing methods [ OK ]
- Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ ENABLED ]
- Sudoers file [ NOT FOUND ]
- PAM password strength tools [ OK ]
- PAM configuration file (pam.conf) [ NOT FOUND ]
- PAM configuration files (pam.d) [ FOUND ]
- PAM modules [ NOT FOUND ]
- LDAP module in PAM [ NOT FOUND ]
- Determining default umask
- umask (/etc/profile and /etc/profile.d) [ OK ]
- umask (/etc/login.conf) [ WEAK ]
- LDAP authentication support [ NOT ENABLED ]
[+] Shells
------------------------------------
- Checking console TTYs [ WARNING ]
- Checking shells from /etc/shells
Result: found 6 shells (valid shells: 6).
- Session timeout settings/tools [ NONE ]
- Checking default umask values
- Checking default umask in /etc/csh.cshrc [ NONE ]
- Checking default umask in /etc/profile [ NONE ]
[+] File systems
-----------------------------------
- Checking mount points
- Checking /home mount point [ SYMLINK ]
- Checking /tmp mount point [ OK ]
- Checking /var mount point [ SUGGESTION ]
- Querying ZFS mount points (mount -p) [ FOUND ]
- Query swap partitions (fstab) [ OK ]
- Testing swap partitions [ OK ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- Checking /var/tmp sticky bit [ OK ]
[+] USB Devices
------------------------------------
[+] Storage
------------------------------------
[+] NFS
------------------------------------
- Query rpc registered programs [ DONE ]
- Query NFS versions [ DONE ]
- Query NFS protocols [ DONE ]
- Check running NFS daemon [ NOT FOUND ]
[+] Name services
------------------------------------
- Searching DNS domain name [ UNKNOWN ]
- Checking /etc/hosts
- Duplicate entries in hosts file [ NONE ]
- Presence of configured hostname in /etc/hosts [ NOT FOUND ]
- Hostname mapped to localhost [ NOT FOUND ]
- Localhost mapping to IP address [ OK ]
[+] Ports and packages
------------------------------------
- Searching package managers
[Reading data from pkg(8) ... - 185 packages found - done]
- Checking presence old distfiles [ WARNING ]
[WARNING]: Test PKGS-7348 had a long execution: 15 seconds
- Checking portmaster for updates [ NONE ]
[WARNING]: Test PKGS-7378 had a long execution: 13 seconds
- Checking pkg audit to obtain vulnerable packages [ FOUND ]
- Checking package audit tool [ INSTALLED ]
Found: pkg audit
[+] Networking
------------------------------------
- Checking configured nameservers
- Testing nameservers
Nameserver: 46.96.25.35 [ SKIPPED ]
Nameserver: 46.97.5.60 [ SKIPPED ]
Nameserver: 178.233.140.110 [ SKIPPED ]
- Minimal of 2 responsive nameservers [ SKIPPED ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ RUNNING ]
[+] Printers and Spools
------------------------------------
- Integrity check of printcap file [ OK ]
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]
[+] Software: e-mail and messaging
------------------------------------
- Sendmail status [ RUNNING ]
[+] Software: firewalls
------------------------------------
- Checking host based firewall
[+] Software: webserver
------------------------------------
- Checking Apache (binary /usr/local/sbin/httpd) [ FOUND ]
Info: Configuration file found (/usr/local/etc/apache24/httpd.conf)
sed: 1: "s/\s*ServerAlias //g": RE error: trailing backslash (\)
Info: Found 3 virtual hosts
* Loadable modules [ FOUND (112) ]
- Found 112 loadable modules
mod_evasive: anti-DoS/brute force [ NOT FOUND ]
mod_reqtimeout/mod_qos [ FOUND ]
ModSecurity: web application firewall [ NOT FOUND ]
- Checking nginx [ NOT FOUND ]
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]
[+] Databases
------------------------------------
- MySQL process status [ FOUND ]
[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]
[+] PHP
------------------------------------
- Checking PHP [ FOUND ]
- Checking PHP disabled functions [ FOUND ]
- Checking expose_php option [ ON ]
- Checking enable_dl option [ OFF ]
- Checking allow_url_fopen option [ ON ]
- Checking allow_url_include option [ OFF ]
- Checking listen option [ OK ]
[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]
[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ NOT FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ NOT FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking remote logging [ NOT ENABLED ]
- Checking /etc/newsyslog.conf [ FOUND ]
- Checking log directories (newsyslog.conf) [ DONE ]
- Checking log files (newsyslog.conf) [ DONE ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ DONE ]
[+] Insecure services
------------------------------------
- Installed inetd package [ NOT FOUND ]
- Checking enabled inetd services [ OK ]
- Installed xinetd package [ OK ]
- xinetd status
- Installed rsh client package [ OK ]
- Installed rsh server package [ OK ]
- Installed telnet client package [ OK ]
- Installed telnet server package [ NOT FOUND ]
- Checking NIS client installation [ OK ]
- Checking NIS server installation [ OK ]
- Checking TFTP client installation [ OK ]
- Checking TFTP server installation [ OK ]
[+] Banners and identification
------------------------------------
- /COPYRIGHT [ FOUND ]
- /etc/COPYRIGHT [ NOT FOUND ]
- /etc/issue [ NOT FOUND ]
- /etc/issue.net [ NOT FOUND ]
[+] Scheduled tasks
------------------------------------
- Checking crontab and cronjob files [ DONE ]
[+] Accounting
------------------------------------
- Checking accounting information [ NOT FOUND ]
[+] Time and Synchronization
------------------------------------
- Checking for a running NTP daemon or client [ WARNING ]
[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [0/1] [ NONE ]
[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ NOT FOUND ]
- Checking presence SELinux [ NOT FOUND ]
- Checking presence TOMOYO Linux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ NONE ]
[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- mtree [ FOUND ]
- Checking presence integrity tool [ FOUND ]
[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NOT FOUND ]
- Checking for IDS/IPS tooling [ NONE ]
[+] Software: Malware
------------------------------------
- Checking Rootkit Hunter [ FOUND ]
- Malware software components [ FOUND ]
- Active agent [ NOT FOUND ]
- Rootkit scanner [ FOUND ]
[+] File Permissions
------------------------------------
- Starting file permissions check
File: /etc/crontab [ SUGGESTION ]
File: /etc/group [ OK ]
File: /etc/hosts.allow [ OK ]
File: /etc/passwd [ OK ]
File: /etc/ssh/sshd_config [ SUGGESTION ]
File: /etc/hosts.equiv [ OK ]
Directory: /root/.ssh [ OK ]
Directory: /etc/cron.d [ SUGGESTION ]
[+] Home directories
------------------------------------
- Permissions of home directories [ WARNING ]
- Ownership of home directories [ WARNING ]
- Checking shell history files [ OK ]
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- hw.kbd.keymap_restrict_change (exp: 4) [ DIFFERENT ]
- kern.sugid_coredump (exp: 0) [ OK ]
- net.inet.icmp.bmcastecho (exp: 0) [ OK ]
- net.inet.icmp.drop_redirect (exp: 1) [ DIFFERENT ]
- net.inet.ip.accept_sourceroute (exp: 0) [ OK ]
- net.inet.ip.check_interface (exp: 1) [ DIFFERENT ]
- net.inet.ip.forwarding (exp: 0) [ OK ]
- net.inet.ip.process_options (exp: 0) [ DIFFERENT ]
- net.inet.ip.random_id (exp: 1) [ DIFFERENT ]
- net.inet.ip.redirect (exp: 0) [ DIFFERENT ]
- net.inet.ip.sourceroute (exp: 0) [ OK ]
- net.inet.tcp.always_keepalive (exp: 0) [ DIFFERENT ]
- net.inet.tcp.blackhole (exp: 2) [ DIFFERENT ]
- net.inet.tcp.drop_synfin (exp: 1) [ DIFFERENT ]
- net.inet.tcp.icmp_may_rst (exp: 0) [ DIFFERENT ]
- net.inet.tcp.nolocaltimewait (exp: 1) [ DIFFERENT ]
- net.inet.tcp.path_mtu_discovery (exp: 0) [ DIFFERENT ]
- net.inet.udp.blackhole (exp: 1) [ DIFFERENT ]
- net.inet6.icmp6.rediraccept (exp: 0) [ DIFFERENT ]
- net.inet6.ip6.forwarding (exp: 0) [ OK ]
- net.inet6.ip6.redirect (exp: 0) [ DIFFERENT ]
- security.bsd.hardlink_check_gid (exp: 1) [ DIFFERENT ]
- security.bsd.hardlink_check_uid (exp: 1) [ DIFFERENT ]
- security.bsd.see_other_gids (exp: 0) [ DIFFERENT ]
- security.bsd.see_other_uids (exp: 0) [ DIFFERENT ]
- security.bsd.stack_guard_page (exp: 1) [ OK ]
- security.bsd.unprivileged_proc_debug (exp: 0) [ DIFFERENT ]
- security.bsd.unprivileged_read_msgbuf (exp: 0) [ DIFFERENT ]
[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]
- Installed malware scanner [ FOUND ]
[+] Custom tests
------------------------------------
- Running custom tests... [ NONE ]
[+] Plugins (phase 2)
------------------------------------
- Plugins (phase 2) [ DONE ]
===============================================================================
-[ Lynis 3.0.8 Results ]-
Warnings (5):
----------------------------
! Multiple users with UID 0 found in passwd file [AUTH-9204]
https://cisofy.com/lynis/controls/AUTH-9204/
! Multiple accounts found with same UID [AUTH-9208]
https://cisofy.com/lynis/controls/AUTH-9208/
! Possible harmful shell found (for passwordless account!) [AUTH-9218]
https://cisofy.com/lynis/controls/AUTH-9218/
! Found unprotected console in /etc/ttys [SHLL-6202]
https://cisofy.com/lynis/controls/SHLL-6202/
! Found vulnerable packages [PKGS-7381]
- Details : 1 vulnerable packages
- Solution : Run pkg audit
https://cisofy.com/lynis/controls/PKGS-7381/
Suggestions (22):
----------------------------
* This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [LYNIS]
https://cisofy.com/lynis/controls/LYNIS/
* Determine if account is needed, as shell /usr/local/libexec/uucp/uucico does not exist [AUTH-9218]
https://cisofy.com/lynis/controls/AUTH-9218/
* Umask in /etc/login.conf could be more strict like 027 [AUTH-9328]
https://cisofy.com/lynis/controls/AUTH-9328/
* Symlinked mount point needs to be checked manually [FILE-6310]
- Details : /home
- Solution :
https://cisofy.com/lynis/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
https://cisofy.com/lynis/controls/FILE-6310/
* Check DNS configuration for the dns domain name [NAME-4028]
https://cisofy.com/lynis/controls/NAME-4028/
* Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404]
https://cisofy.com/lynis/controls/NAME-4404/
* Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD. [PKGS-7348]
https://cisofy.com/lynis/controls/PKGS-7348/
* Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590]
https://cisofy.com/lynis/controls/FIRE-4590/
* Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
https://cisofy.com/lynis/controls/HTTP-6640/
* Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
https://cisofy.com/lynis/controls/HTTP-6643/
* Turn off PHP information exposure [PHP-2372]
- Details : expose_php = Off
https://cisofy.com/lynis/controls/PHP-2372/
* Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376]
https://cisofy.com/lynis/controls/PHP-2376/
* Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
https://cisofy.com/lynis/controls/LOGG-2154/
* Enable process accounting [ACCT-2754]
https://cisofy.com/lynis/controls/ACCT-2754/
* Use NTP daemon or NTP client to prevent time issues. [TIME-3104]
https://cisofy.com/lynis/controls/TIME-3104/
* Determine if automation tools are present for system management [TOOL-5002]
https://cisofy.com/lynis/controls/TOOL-5002/
* Consider restricting file permissions [FILE-7524]
- Details : See screen output or log file
- Solution : Use chmod to change file permissions
https://cisofy.com/lynis/controls/FILE-7524/
* Double check the permissions of home directories as some might be not strict enough. [HOME-9304]
https://cisofy.com/lynis/controls/HOME-9304/
* Double check the ownership of home directories as some might be incorrect. [HOME-9306]
https://cisofy.com/lynis/controls/HOME-9306/
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
- Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
https://cisofy.com/lynis/controls/KRNL-6000/
* Harden compilers like restricting access to root user only [HRDN-7222]
https://cisofy.com/lynis/controls/HRDN-7222/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 62 [############ ]
Tests performed : 198
Plugins enabled : 2
Components:
- Firewall [X]
- Malware scanner [V]
Scan mode:
Normal [V] Forensics [ ] Integration [ ] Pentest [ ]
Lynis modules:
- Compliance status [?]
- Security audit [V]
- Vulnerability scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Lynis 3.0.8
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2021, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
================================================================================
[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /usr/local/lynis/default.prf for all settings)
Lynis conducts a comprehensive audit and delivers its results to the following outputs:
- Screen: Lynis examines the system and conducts several tests. Most of these tests show a result on-screen. Possible test findings include:
  - OK or Warning
  - Found or Not found
  - A value
- Logging: The results of the system scan are presented on the screen, and additional information is written to a separate log file (default: /var/log/lynis.log). Advanced testers can use this information to determine what the software did in the background or where abnormalities occurred. The log file includes the following details:
  - Time of an occurrence or action
  - Reason(s) why a test was skipped or failed
  - Results of (internal) tests
  - Suggestions on configuration choices or how to fix/improve the situation
  - Threat/impact ranking
- Report: Lynis collects results and other data during the auditing process. This data is recorded in the report file, /var/log/lynis-report.dat by default. Lynis provides a single report type that is used to collect findings and show them in a customized or (more) user-friendly way. The report file is also used to compare historical scan findings with current scan results. The report file contains the following:
  - Remarks = #<remark>
  - Section = [<section name>]
  - Option/value = <option name>=<value of option>
  - Remarks =
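The report format described above (remark, section and option/value lines) is simple enough to parse, and parsing it is the basis for comparing historical scan results with current ones. The following Python is an added example, not part of the article or of Lynis itself; the two sample reports are constructed, and the warning[]/hardening_index key names and the 'TEST-ID|message|details|solution|' value layout are assumed to mirror Lynis's own naming.

```python
from collections import defaultdict
# Constructed sample reports (not real scan output); the warning[] and
# hardening_index keys are assumed to mirror Lynis's own naming.
OLD_REPORT = """\
# Lynis Report (constructed sample, earlier scan)
[generic]
hardening_index=58
warning[]=AUTH-9204|Multiple users with UID 0 found in passwd file|-|-|
warning[]=PKGS-7381|Found vulnerable packages|-|-|
"""
NEW_REPORT = """\
# Lynis Report (constructed sample, later scan)
[generic]
hardening_index=62
warning[]=AUTH-9204|Multiple users with UID 0 found in passwd file|-|-|
warning[]=SHLL-6202|Found unprotected console in /etc/ttys|-|-|
"""

def parse_report(text):
    """Return (remarks, sections); sections maps name -> {option: [values]}."""
    remarks, sections, current = [], defaultdict(lambda: defaultdict(list)), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                            # Remarks = #<remark>
            remarks.append(line[1:].strip())
        elif line.startswith("[") and line.endswith("]"):   # Section = [<name>]
            current = line[1:-1]
        elif "=" in line:                                   # <option>=<value>
            key, _, value = line.partition("=")             # split on first '='
            sections[current][key.strip()].append(value.strip())
        else:
            raise ValueError(f"unrecognised report line: {raw!r}")
    return remarks, sections

def finding_ids(sections, kind):
    """Test IDs from warning[]/suggestion[] values ('TEST-ID|msg|details|fix|' assumed)."""
    return {v.split("|", 1)[0]
            for opts in sections.values() for v in opts.get(f"{kind}[]", [])}

def diff_reports(old_text, new_text):
    """Compare two scans: new and resolved warnings, and the hardening index change."""
    old, new = parse_report(old_text)[1], parse_report(new_text)[1]
    idx = lambda s: int(s.get("generic", {}).get("hardening_index", ["0"])[0])
    old_w, new_w = finding_ids(old, "warning"), finding_ids(new, "warning")
    return {"new_warnings": sorted(new_w - old_w),
            "resolved_warnings": sorted(old_w - new_w),
            "hardening_delta": idx(new) - idx(old)}
```

Running diff_reports(OLD_REPORT, NEW_REPORT) on the constructed samples reports SHLL-6202 as a new warning, PKGS-7381 as resolved, and a hardening index gain of 4.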