Authentication security controls
Control : AUTH-9204
Although the system allows it, configuring more than one account with a user ID of zero (0) is usually bad practice: every UID 0 account is a full root account, and because ownership and audit records are keyed on the numeric UID, actions of these accounts cannot be told apart afterwards. Create separate accounts for each person and grant the required privileges through proper group membership instead.
Control : AUTH-9208
Lynis checks for duplicates by reading the passwd file and counting each user ID. Any ID that shows up more than once is reported as a finding. Accounts and user IDs should be unique to enable proper accounting: file and process ownership are recorded by UID, so several accounts sharing one ID are indistinguishable to the kernel, can read and modify each other's files, and an action intended for one of them (such as removing the account and its home directory) may affect the other, which may result in data loss.
Control : AUTH-9216
The password and group files (and their shadow equivalents) are an important part of the authentication process. Other security controls, such as access control and file permissions, depend on proper authentication and accounting of users as well. Inconsistencies in these files (for example a user without a matching shadow entry, a malformed line, or a wrong number of fields) can be caused by malicious activity, or in some cases by improper use of tools, such as editing the files with a plain text editor instead of vipw or vigr. Inconsistencies should therefore be checked and fixed; pwck and grpck are the standard tools for this.
Control : AUTH-9218
Lynis checks the user accounts for ones that do not have a password. Accounts without a password are considered bad practice, as each user should prove that he or she is the rightful owner of the account. A missing password may give more than one person access to the same account and therefore seriously impacts proper accounting. Loss of data or damage to the integrity of data may be the result. Note that an account without a password is different from a locked account (a password field of "!" or "*"), which cannot be logged into with a password at all.
Control : AUTH-9222
Group IDs should be unique, for the same reason as user IDs: permissions are granted to a numeric GID, so two groups sharing one ID effectively become a single group, and each user should only end up with the permissions that were intended.
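The checks described under AUTH-9204, AUTH-9208, AUTH-9218 and AUTH-9222 can be reproduced with a few lines of shell. The script below is an added example, not Lynis's own code: its functions take the passwd, group and shadow files as arguments so they can be run against copies or against the constructed sample files it writes to a temporary directory. The sample entries (toor, carol, guest and the "staff" group) are invented to trigger each finding; the hash values are placeholders.

```shell
#!/bin/sh
# Added example (not Lynis code): account checks in the spirit of
# AUTH-9204 (UID 0 accounts), AUTH-9208 (duplicate UIDs),
# AUTH-9218 (accounts without a password) and AUTH-9222 (duplicate GIDs).
# All functions take file paths, so they work on copies without root.

# Usernames whose UID (third passwd field) is 0. More than one line of
# output is the AUTH-9204 finding.
uid_zero_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Numeric IDs (third field) that occur more than once in a passwd or group
# file. Used for AUTH-9208 (passwd) and AUTH-9222 (group). awk's "for in"
# order is undefined, hence the sort.
duplicate_ids() {
    awk -F: '{ count[$3]++ } END { for (id in count) if (count[id] > 1) print id }' "$1" | sort -n
}

# Accounts without any password: an empty second field in passwd or in
# shadow. Locked accounts ("!" or "*") are deliberately not reported.
passwordless_accounts() {
    passwd_file=$1
    shadow_file=$2
    {
        awk -F: '$2 == "" { print $1 }' "$passwd_file"
        awk -F: '$2 == "" { print $1 }' "$shadow_file"
    } | sort -u
}

# Constructed sample files (not taken from any real system).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_GROUP="$SAMPLE_DIR/group"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1001:1002:Carol:/home/carol:/bin/bash
guest::1002:1003:Guest:/home/guest:/bin/sh
EOF

cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
users:x:100:
staff:x:100:alice
alice:x:1000:
EOF

cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$hashhash:19000:0:99999:7:::
toor:$6$saltsalt$hashhash:19000:0:99999:7:::
alice:$6$saltsalt$hashhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
carol:!:19000:0:99999:7:::
guest:$6$saltsalt$hashhash:19000:0:99999:7:::
EOF

echo "UID 0 accounts:";              uid_zero_accounts "$SAMPLE_PASSWD"
echo "Duplicate UIDs:";              duplicate_ids "$SAMPLE_PASSWD"
echo "Duplicate GIDs:";              duplicate_ids "$SAMPLE_GROUP"
echo "Accounts without a password:"; passwordless_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On the sample data this reports root and toor as UID 0 accounts, UIDs 0 and 1001 and GID 100 as duplicates, and bob (empty shadow field) and guest (empty passwd field) as accounts without a password; carol is locked and therefore not listed. To run it against a live system, pass /etc/passwd, /etc/group and /etc/shadow (the last one needs root to read).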
Control : AUTH-9228
Password files like /etc/passwd and /etc/shadow should be checked on a regular basis to see whether any errors are present, for example with pwck (and grpck for the group files).
Control : AUTH-9262
Several modules within the PAM framework can help restrict access to facilities to authorized people only, including requirements such as a strong password, the right console, or the right software. Passwords should be protected and strengthened where possible. On Unix and Linux based systems this is usually done via PAM modules and their related configuration files. Examples include passwdqc (password quality control) and cracklib (password cracking library); on current Linux distributions pam_pwquality (libpwquality) has largely replaced pam_cracklib for this purpose.
Control : AUTH-9282
Passwords are the main key to access an account, related services and information. Therefore they need to be protected by means of a strong password and password expiry. This particular test found passwords without an expiry date. Depending on the sensitivity of the information on this machine, check whether this is appropriate and in line with the security policy.
Control : AUTH-9283
Passwords are the main key to access an account, related services and information. Therefore they need to be protected by means of a strong password and password expiry. This particular test found accounts without a password. Depending on the sensitivity of the information on this machine, check whether this is appropriate and in line with the security policy.
Control : AUTH-9286
Proper protection against weak passwords, combined with regular changes, limits the risk of passwords being cracked or otherwise obtained by unauthorized people.
Control : AUTH-9288
Some accounts have been found with an expired password. Depending on the inactivity period configured for the account, the user is either forced to set a new password at the next login or is no longer able to log in at all. Check whether these accounts are still needed and lock or remove the ones that are not.
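The password ageing tests AUTH-9282 and AUTH-9288 both come down to interpreting the ageing fields of shadow(5): field 3 is the day of the last password change (days since 1970-01-01), field 5 the maximum number of days a password stays valid. The script below is an added example and not Lynis's own code; it passes "today" in as a day count so the results are reproducible, and the sample shadow file it writes is constructed (placeholder hashes, invented accounts).

```shell
#!/bin/sh
# Added example (not Lynis code): password ageing checks on a shadow file.
# shadow(5) fields: 1 name, 2 hash, 3 last change day, 4 min days,
# 5 max days, 6 warn days, 7 inactive days, 8 account expiration day.
# Only accounts with a usable hash are considered: an empty field 2 means
# no password at all, and "!" or "*" prefixes mean the account is locked.

# Passwords that never have to be changed (AUTH-9282): max days is empty,
# or the 99999 value most distributions use as "practically unlimited".
no_expiry_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

# Passwords that are already expired (AUTH-9288): last change day plus max
# days lies before today, or last change is 0, which is how "passwd -e"
# forces a change at the next login. Whether the user can still log in and
# change it depends on the inactive field (7), which is not evaluated here.
# $2 is the day number for "today"; it defaults to the real date.
expired_password_accounts() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" \
        '$2 != "" && $2 !~ /^[!*]/ && $5 != "" && $5 < 99999 && ($3 == 0 || $3 + $5 < today) { print $1 }' "$1"
}

# Constructed sample shadow file (not from any real system).
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$hashhash:19700:0:99999:7:::
alice:$6$saltsalt$hashhash:19700:1:90:7:::
bob:$6$saltsalt$hashhash:19780:1:90:7:::
carol:$6$saltsalt$hashhash:0:0:90:7:::
dave:!:19700:0:99999:7:::
eve:$6$saltsalt$hashhash:19700::::::
EOF
SAMPLE_TODAY=19800   # constructed "today", so the sample gives fixed results

echo "Passwords without expiry:"; no_expiry_accounts "$SAMPLE_SHADOW"
echo "Expired passwords:";        expired_password_accounts "$SAMPLE_SHADOW" "$SAMPLE_TODAY"
```

With day 19800 as "today", root and eve have passwords that never expire, alice (changed on day 19700 with a 90 day maximum) and carol (forced change at next login) have expired passwords, bob is still within his 90 days, and the locked account dave is skipped entirely. Run against /etc/shadow without the second argument, the functions use the current date; chage -l <user> shows the same fields in human-readable form for a single account.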
Control : AUTH-9308
Physical access to the machine can be used to load alternative software or a different operating system during the boot phase, for example by editing the kernel command line in the boot loader menu. Configure a password in the boot loader to reduce this risk. Note that a boot loader password does not prevent booting from removable media or removing the disk; a firmware (BIOS/UEFI) password and disk encryption are needed for that. This test applies to Linux based systems only.
Control : AUTH-9328
The umask defines which permission bits are removed from the default permissions of newly created files and directories. Servers can usually use a stricter umask like 027 (new files become 640 and directories 750, so other users get no access), whereas desktops may be less strict (022, giving 644 and 755).
Control : BOOT-5260
Systemd has a single user mode, provided by rescue.service (and the even more minimal emergency.service). Similar to the traditional single user mode, it gives access to the system while bypassing several levels of authorization. To protect against this, make sure the ExecStart of these services runs sulogin (on current systemd versions via systemd-sulogin-shell), which asks for the root password before handing out a shell, rather than starting a shell directly.