Release security options

This post documents the security options that are incompatible with debug mode:

  1. Add password for the root user
  2. Secure passwords (add a password testing module, set min and max password age)
  3. Remove debug-tweaks
  4. Run a security scanner like lynis
  5. Scan your sources for pending CVEs

Running a security scanner

We recommend running a security scanner like Lynis, which we include in the distribution packages (meta-security layer). You can enable the scanner in your conf/local.conf as follows:

IMAGE_INSTALL_append = " lynis"

Then build your image as usual. Boot it, log in to the system and run:

root@qemux86-64:~# lynis audit system

The output includes the hardening index and suggestions for improvement.

An example, from allscenarios-image-base with a development build (results are very similar across development images):

  -[ Lynis 2.7.5 Results ]-

  Great, no warnings

  Suggestions (24):
  * This release is more than 4 months old. Consider upgrading [LYNIS]

  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]

  * Configure minimum password age in /etc/login.defs [AUTH-9286]

  * Configure maximum password age in /etc/login.defs [AUTH-9286]

  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]

  * The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410]

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]

  * Check DNS configuration for the dns domain name [NAME-4028]

  * Install a package audit tool to determine vulnerable packages [PKGS-7398]

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]

  * Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590]

  * Check if log files are properly rotated [LOGG-2146]

  * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]

  * Add legal banner to /etc/, to warn unauthorized users [BANN-7130]

  * Enable process accounting [ACCT-9622]

  * Enable sysstat to collect accounting (no results) [ACCT-9626]

  * Enable auditd to collect audit information [ACCT-9628]

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]

  * Determine if automation tools are present for system management [TOOL-5002]

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC

  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (
  - Use --upload to upload data to central system (Lynis Enterprise users)


  Lynis security scan details:

  Hardening index : 69 [#############       ]
  Tests performed : 188
  Plugins enabled : 0

  - Firewall               [X]
  - Malware scanner        [X]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

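The scan output above is meant for a human reader; Lynis also writes a key=value report to the "Report data" path listed above, /var/log/lynis-report.dat. The following shell script is an added example, not part of the original post or of Lynis itself: it reads such a report and fails when the hardening index is below a threshold or when any warning was recorded, so a release build can be gated on the scan. The sample report it writes is constructed from the numbers above, and the line layout it relies on (hardening_index=, warning[]=, suggestion[]=) is assumed from the Lynis report format.

```shell
#!/bin/sh
# Added example (not from the original post or from Lynis): gate a release
# build on the machine-readable Lynis report. Assumed line layout of
# /var/log/lynis-report.dat (key=value, as Lynis writes it):
#   hardening_index=69
#   warning[]=TEST-ID|message|-|-|
#   suggestion[]=TEST-ID|message|-|-|

# Write a constructed sample report to $1, modelled on the scan above
# (index 69, no warnings, three of the 24 suggestions).
make_sample_report() {
    cat > "$1" <<'EOF'
# Lynis Report
hardening_index=69
tests_executed=188
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=FIRE-4590|Configure a firewall/packet filter to filter incoming and outgoing traffic|-|-|
EOF
}

# Print the hardening index recorded in report $1 (empty if absent).
report_hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# Print the number of warnings recorded in report $1 ("0" if none).
report_warning_count() {
    grep -c '^warning\[\]=' "$1" || true
}

# Print the distinct test IDs of all suggestions in report $1, one per
# line, so open findings can be tracked from build to build.
report_suggestion_ids() {
    sed -n 's/^suggestion\[\]=\([A-Z]*-[0-9]*\)|.*/\1/p' "$1" | sort -u
}

# Gate: succeed (return 0) only when report $1 has no warnings and a
# hardening index of at least $2; explain any failure on stderr.
lynis_gate() {
    report="$1"
    min_index="$2"
    idx=$(report_hardening_index "$report")
    warns=$(report_warning_count "$report")
    if [ -z "$idx" ]; then
        echo "lynis_gate: no hardening_index in $report" >&2
        return 1
    fi
    if [ "$warns" -gt 0 ]; then
        echo "lynis_gate: $warns warning(s) recorded, see $report" >&2
        return 1
    fi
    if [ "$idx" -lt "$min_index" ]; then
        echo "lynis_gate: hardening index $idx is below the required $min_index" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed report: passes at threshold 60, fails at 80.
demo_report=$(mktemp)
make_sample_report "$demo_report"
for threshold in 60 80; do
    if lynis_gate "$demo_report" "$threshold"; then
        echo "threshold $threshold: PASS"
    else
        echo "threshold $threshold: FAIL"
    fi
done
echo "open suggestions: $(report_suggestion_ids "$demo_report" | tr '\n' ' ')"
rm -f "$demo_report"
```

Run the scan on the built image, copy /var/log/lynis-report.dat back to the build host and call lynis_gate on it. The hardening index is a coarse metric, so treat the threshold as a regression guard rather than a target, and track the suggestion IDs to see which classes of findings remain open.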

Scan your sources for pending CVEs

A CVE scan lets you check whether there are pending, unresolved vulnerabilities in the sources.

To enable it, add the following to your conf/local.conf:

INHERIT += "cve-check"

Then run your build normally. Critical CVEs are shown in red, non-critical ones in yellow. At the end of the build, the paths to the complete report files are printed in lines of the form:

Image CVE report stored in: <path>
Image CVE status stored in: <path>

Note: results may be incomplete. If you have added any packages to the distribution, pay special attention to checking their updates manually.
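As an added example, not from the original post and not part of the cve-check class, the following script summarises the text report whose path is printed as "Image CVE report stored in:" and exits non-zero when an unpatched CVE reaches a CVSS v3 threshold, so the build can be stopped instead of merely colouring the log. The sample report it writes is constructed with placeholder CVE identifiers and scores; the record layout it parses (PACKAGE NAME:, CVE:, CVE STATUS: and CVSS v3 BASE SCORE: lines, records separated by blank lines) is assumed from cve-check's text output.

```shell
#!/bin/sh
# Added example (not from the original post or from the cve-check class):
# summarise the text report that cve-check writes and fail the build when
# an unpatched CVE meets a CVSS threshold. Assumed record layout, one
# block per package/CVE pair separated by a blank line:
#   PACKAGE NAME: <recipe>
#   PACKAGE VERSION: <version>
#   CVE: CVE-YYYY-NNNN
#   CVE STATUS: Patched | Unpatched
#   CVSS v3 BASE SCORE: <score>

# Write a constructed sample report to $1. The CVE identifiers, package
# names and scores are placeholders, not real findings.
make_sample_cve_report() {
    cat > "$1" <<'EOF'
LAYER: meta
PACKAGE NAME: examplelib
PACKAGE VERSION: 1.0
CVE: CVE-0000-0001
CVE STATUS: Unpatched
CVE SUMMARY: placeholder entry for an unresolved issue
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-0000-0001

LAYER: meta
PACKAGE NAME: examplelib
PACKAGE VERSION: 1.0
CVE: CVE-0000-0002
CVE STATUS: Patched
CVE SUMMARY: placeholder entry fixed by a recipe patch
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.1
VECTOR: NETWORK
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-0000-0002

LAYER: meta-extra
PACKAGE NAME: otherpkg
PACKAGE VERSION: 2.3
CVE: CVE-0000-0003
CVE STATUS: Unpatched
CVE SUMMARY: placeholder low-severity entry
CVSS v2 BASE SCORE: 2.1
CVSS v3 BASE SCORE: 3.1
VECTOR: LOCAL
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-0000-0003
EOF
}

# Print "<package> <cve> <cvss-v3>" for every record in $1 whose status
# is Unpatched. Paragraph mode (RS = "") turns each blank-line-separated
# block into one awk record with one field per line.
unpatched_cves() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; cve = ""; status = ""; score = ""
        for (i = 1; i <= NF; i++) {
            line = $i
            if (sub(/^PACKAGE NAME: /, "", line)) name = line
            else if (sub(/^CVE: /, "", line)) cve = line
            else if (sub(/^CVE STATUS: /, "", line)) status = line
            else if (sub(/^CVSS v3 BASE SCORE: /, "", line)) score = line
        }
        if (status == "Unpatched") print name, cve, score
    }' "$1"
}

# Print the number of unpatched records in $1.
unpatched_count() {
    unpatched_cves "$1" | wc -l | tr -d ' '
}

# Gate: return 0 when no unpatched CVE in $1 has a CVSS v3 score of at
# least $2, 1 otherwise; the offending entries are listed on stderr.
cve_gate() {
    unpatched_cves "$1" | awk -v min="$2" '
        $3 != "" && $3 + 0 >= min + 0 { print "unpatched:", $0 > "/dev/stderr"; n++ }
        END { exit n > 0 }'
}

# Demo on the constructed report: two unpatched entries, gate fails at 7.0.
demo=$(mktemp)
make_sample_cve_report "$demo"
echo "unpatched CVEs: $(unpatched_count "$demo")"
if cve_gate "$demo" 7.0; then echo "gate at 7.0: PASS"; else echo "gate at 7.0: FAIL"; fi
rm -f "$demo"
```

Point cve_gate at the report path the build prints and run it as the last step of the image build. The note above about incomplete results applies to this gate as well: a vulnerability the CVE database does not yet associate with a package cannot be counted, so the gate complements, rather than replaces, manual review of added packages.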