# ============================================================ # OSS SafeNet - Lynis Security Audit Report # Server: oss-safenet-chi-01 (108.181.62.67) # Generated: 2026-03-15 07:35:01 UTC # ============================================================ # What is Lynis? # Lynis is an open-source security auditing tool. It performs # a deep scan of system configuration, installed software, and # security settings, then produces a hardening index score. # # A score of 70+ is considered good for a production server. # We publish this report publicly so you can verify our # security posture yourself - no trust required. # ============================================================ [WARNING]: Test DEB-0001 had a long execution: 10.996020 seconds [WARNING]: Test CRYP-7902 had a long execution: 10.048620 seconds # ============================================================ # LYNIS REPORT DATA (machine-readable) # ============================================================ lynis_version=3.0.9 os_name=Ubuntu os_version=24.04 suggestion[]=LYNIS|This release is more than 4 months old. Check the website or GitHub to see if there is an update available.|-|-| suggestion[]=DEB-0280|Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions|-|-| suggestion[]=DEB-0810|Install apt-listbugs to display a list of critical bugs prior to each APT installation.|-|-| suggestion[]=DEB-0811|Install apt-listchanges to display any significant changes prior to any upgrade via APT.|-|-| suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)|-|-| suggestion[]=BOOT-5264|Consider hardening system services|Run '/usr/bin/systemd-analyze security SERVICE' for each service|-| suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-| warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot| suggestion[]=PROC-3612|Check the output of ps for dead or zombie processes|-|-| suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-| suggestion[]=AUTH-9230|Configure password hashing rounds in /etc/login.defs|-|-| suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-| suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-| suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-| suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-| suggestion[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|-|-| suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separate partition|-|-| suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separate partition|-|-| suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separate partition|-|-| suggestion[]=USB-1000|Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft|-|-| suggestion[]=NAME-4028|Check DNS configuration for the dns domain name|-|-| suggestion[]=PKGS-7346|Purge old/removed packages (19 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts.|-|-| suggestion[]=PKGS-7370|Install debsums utility for the verification of packages with known good database.|-|-| suggestion[]=PKGS-7394|Install package apt-show-versions for patch management purposes|-|-| suggestion[]=PKGS-7410|Remove any unneeded kernel packages|7 kernels|text:validate dpkg -l output and perform cleanup with apt autoremove| suggestion[]=NETW-3200|Determine if protocol 'dccp' is really needed on this system|-|-| suggestion[]=NETW-3200|Determine if protocol 'sctp' is really needed on this system|-|-| suggestion[]=NETW-3200|Determine if protocol 'rds' is really needed on this system|-|-| suggestion[]=NETW-3200|Determine if protocol 'tipc' is really needed on this system|-|-| suggestion[]=FIRE-4513|Check iptables rules to see which rules are currently not used|-|-| suggestion[]=HTTP-6710|Disable weak protocol in nginx configuration|-|-| suggestion[]=HTTP-6710|Change the HTTPS and SSL settings for enhanced protection of sensitive data and privacy|-|-| suggestion[]=HTTP-6712|Check your nginx access log for proper functioning|-|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (set 22 to )|-| suggestion[]=LOGG-2154|Enable logging to an external logging host for archiving purposes and additional protection|-|-| suggestion[]=LOGG-2190|Check what deleted files are still in use and why.|-|-| suggestion[]=BANN-7126|Add a legal banner to /etc/issue, to warn unauthorized users|-|-| suggestion[]=BANN-7130|Add legal banner to /etc/issue.net, to warn unauthorized users|-|-| suggestion[]=ACCT-9622|Enable process accounting|-|-| suggestion[]=ACCT-9626|Enable sysstat to collect accounting (disabled)|-|-| suggestion[]=ACCT-9628|Enable auditd to collect audit information|-|-| suggestion[]=FINT-4402|Use SHA256 or SHA512 to create checksums in AIDE|-|-| suggestion[]=TOOL-5002|Determine if automation tools are present for system management|-|-| suggestion[]=FILE-7524|Consider restricting file permissions|See screen output or log file|text:Use chmod to change file permissions| suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked||Change sysctl value or disable test (skip-test=KRNL-6000:)| suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-| hardening_index=72