[HN Gopher] Lynis - Security auditing and hardening tool, for Un...
       ___________________________________________________________________
        
       Lynis - Security auditing and hardening tool, for Unix-based
       systems
        
       Author : Qision
       Score  : 43 points
       Date   : 2024-11-07 10:39 UTC (2 days ago)
        
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
        
       | kosolam wrote:
       | Seems like a good thing. Does anyone here have experience with
       | this tool?
        
         | Timber-6539 wrote:
         | Doesn't offer much utility IMO as most distributions come with
         | secure defaults ootb these days. Unfortunately its checklist
         | is not thorough enough to keep you ahead of the security curve.
        
           | lmeyerov wrote:
           | We are looking for something to run as part of our ami/docker
           | testing and as you say, stays fresh on standards (whatever
           | soc2/iso, but ideally also FIPS), any prefs?
        
             | e1g wrote:
             | This is great https://github.com/ComplianceAsCode/content
             | 
             | I use it for regular scanning, flagging potential issues,
             | automatically making changes, aligning images to CIS Level
             | 2, and for ongoing scanning to satisfy SOC2 auditors.
        
         | mcsniff wrote:
         | Useful if you walk into an unknown environment, however if
         | standing up your own infra, any competent sysadmin doesn't need
         | this.
        
           | grayhatter wrote:
           | If auditors are going to use this, it would benefit even the
           | most competent sysadmin to know what it's gonna say. The
           | average compliance analyst isn't going to understand why some
           | enumerable risk isn't actually a threat because your threat
           | model makes said issue actually impossible. Even if you can
           | prove it, they're still gonna include it in their needless
           | risk findings. I'd postulate (for fun) that most competent
           | sysadmins would be more likely to have that problem, because
           | they've already identified it, and are using it as a
           | makeshift 'honeypot'.
        
         | INTPenis wrote:
         | I just heard about this tool but someone else said it simply
         | enumerates defaults already present in most distros.
         | 
         | I can tell you one thing that makes real changes to RHEL at
         | least, CIS Benchmark. It hardens your system by tightening up
         | file permissions, user logins, disables old protocols, sets
         | partition flags and more.
         | 
         | But the best hardening imho doesn't follow any set standard,
         | rather application dependent isolation using containers and
         | MACs like SELinux and MCS (multi-category security).
         | 
         | https://docs.redhat.com/en/documentation/red_hat_enterprise_...
        
       | josephcsible wrote:
       | Rules like https://cisofy.com/lynis/controls/HRDN-7222/ make me
       | think the whole thing is snake oil. There is _zero_ security
       | benefit to making publicly-available compilers not be world-
       | readable.
        
       ___________________________________________________________________
       (page generated 2024-11-09 23:01 UTC)