V9.14.018.2026.06.07
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 09:11:26 +01:00
parent 9cdcc0a9ec
commit 3fc5003676
3 changed files with 212 additions and 64 deletions
+40 -20
@@ -12,6 +12,8 @@ include_toc: true
# 2. Lynis Audit:
Lynis may report only 127.0.0.53 as a configured nameserver when systemd-resolved stub mode is active. This is expected. The effective hardened upstream resolvers, if opted in, must be verified via resolvectl dns, resolvectl status and networkctl status.
````text
[ Lynis 3.1.6 ]
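Review bot: the new paragraph tells the reader to verify the upstream resolvers with resolvectl dns, resolvectl status and networkctl status, but the section never shows that output; since the Lynis run on this page lists only `Nameserver: 127.0.0.53` and reports `DNSSEC supported (systemd-resolved) [ UNKNOWN ]`, the audit's DNS claim rests entirely on evidence that is not on the page. Suggest appending a short ```text block with the actual `resolvectl status` output (upstream servers, DNSSEC and DNS-over-TLS settings) directly after this paragraph, saying what "if opted in" refers to, and putting the three command names in inline code.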
@@ -36,7 +38,7 @@ include_toc: true
Operating system name: Debian
Operating system version: 13
End-of-life: UNKNOWN
Kernel version: 6.16.3+deb13
Kernel version: 7.0.10+deb13
Hardware platform: x86_64
Hostname: live
---------------------------------------------------
@@ -53,6 +55,24 @@ include_toc: true
---------------------------------------------------
- Program update status... [ NO UPDATE ]
===============================================================================
Lynis might be outdated
===============================================================================
Current version is more than 6 months old
This version might be Please check if there is a more recent version available.
Please check if there is a more recent version available.
Download locations:
Packages (DEB/RPM) - https://packages.cisofy.com/
Website (TAR) - https://cisofy.com/downloads/
GitHub - https://github.com/CISOfy/lynis
===============================================================================
[+] System tools
------------------------------------
- Scanning available tools...
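Review bot: the pasted line `This version might be Please check if there is a more recent version available.` is garbled (two lines merged) and is then duplicated by the next line, so the quoted output is not what Lynis prints; either paste the block verbatim or, better, re-run the audit with a current Lynis release, because a scanner more than six months old (per `Current version is more than 6 months old`) may lack tests that apply to Debian 13 and the 7.x kernel shown above.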
@@ -71,14 +91,15 @@ include_toc: true
- Checking Secure Boot [ DISABLED ]
- Boot loader [ NONE FOUND ]
- Check running services (systemctl) [ DONE ]
Result: found 16 running services
Result: found 18 running services
- Check enabled services at boot (systemctl) [ DONE ]
Result: found 30 enabled services
Result: found 33 enabled services
- Check startup files (permissions) [ OK ]
- Running 'systemd-analyze security'
Unit name (exposure value) and predicate
--------------------------------
- auditd.service (value=8.9) [ EXPOSED ]
- cdi-starter.service (value=9.6) [ UNSAFE ]
- chrony.service (value=3.5) [ PROTECTED ]
- cron.service (value=9.6) [ UNSAFE ]
- dbus.service (value=9.3) [ UNSAFE ]
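Review bot: the newly listed `cdi-starter.service (value=9.6) [ UNSAFE ]` has the highest exposure score in the table and is this project's own unit (the changelog below references `9999_cdi_starter.sh`), so the doc should either record the hardening plan for it (`systemd-analyze security cdi-starter.service` lists which sandboxing directives are missing) or state why a boot-time starter needs unrestricted privileges. The running/enabled service counts rising from 16 to 18 and 30 to 33 should also be accompanied by a line naming the added units.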
@@ -86,8 +107,6 @@ include_toc: true
- emergency.service (value=9.5) [ UNSAFE ]
- fail2ban.service (value=6.5) [ MEDIUM ]
- getty@tty1.service (value=9.6) [ UNSAFE ]
- ifup@ens3.service (value=9.5) [ UNSAFE ]
- ifup@ens4.service (value=9.5) [ UNSAFE ]
- jitterentropy.service (value=2.5) [ PROTECTED ]
- lvm2-lvmpolld.service (value=9.5) [ UNSAFE ]
- rc-local.service (value=9.6) [ UNSAFE ]
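Review bot: the two `ifup@ens3.service` / `ifup@ens4.service` entries (both 9.5 UNSAFE) disappear from the table without explanation; if the interfaces are now under systemd-networkd (listed as PROTECTED further down, with the DHCP client later reported NOT ACTIVE), add one sentence saying so, because a reader comparing the two audits otherwise cannot tell whether the ifupdown path was removed or simply not scanned.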
@@ -104,6 +123,7 @@ include_toc: true
- systemd-journald.service (value=4.9) [ PROTECTED ]
- systemd-logind.service (value=2.8) [ PROTECTED ]
- systemd-networkd.service (value=2.9) [ PROTECTED ]
- systemd-resolved.service (value=2.2) [ PROTECTED ]
- systemd-rfkill.service (value=9.4) [ UNSAFE ]
- systemd-udevd.service (value=7.1) [ MEDIUM ]
- unattended-upgrades.service (value=9.6) [ UNSAFE ]
@@ -120,7 +140,7 @@ include_toc: true
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
Found 139 active modules
Found 137 active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ NOT FOUND ]
- Checking core dumps configuration
@@ -202,7 +222,7 @@ include_toc: true
- Mount options of /dev/shm [ PARTIALLY HARDENED ]
- Mount options of /run [ HARDENED ]
- Mount options of /tmp [ PARTIALLY HARDENED ]
- Total without nodev:8 noexec:11 nosuid:6 ro or noexec (W^X): 8 of total 28
- Total without nodev:8 noexec:11 nosuid:6 ro or noexec (W^X): 7 of total 32
- Checking Locate database [ FOUND ]
- Disable kernel support of some filesystems
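Review bot: the W^X summary moves from 8 of 28 to 7 of 32 mounts, so the total grew by four while the number of ro-or-noexec mounts fell by one; given that `/dev/shm` and `/tmp` stay `PARTIALLY HARDENED`, list the new mounts and the intended `nodev,nosuid,noexec` options for each so the regression is tracked rather than hidden in a count.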
@@ -232,6 +252,7 @@ include_toc: true
[+] Name services
------------------------------------
- Checking search domains [ FOUND ]
- Checking /etc/resolv.conf options [ FOUND ]
- Searching DNS domain name [ FOUND ]
Domain name: local
@@ -252,11 +273,7 @@ include_toc: true
- Checking security repository in sources.list file [ OK ]
- Checking security repository in sources.list.d directory [ OK ]
- Checking APT package database [ OK ]
W: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Policy will reject signature within a year, see --audit for details
- Checking vulnerable packages (apt-get only) [ DONE ]
[WARNING]: Test PKGS-7392 had a long execution: 21.028694 seconds
- Checking upgradeable packages [ NONE ]
- Checking package audit tool [ INSTALLED ]
Found: apt-get
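Review bot: the apt warning `Policy will reject signature within a year` for the deb.nodesource.com node_22.x repository is a supply-chain signal (apt will stop trusting that repository's InRelease signature) and should not just move in or out of the documented output; add a line stating how it is handled (signing key rotated, repository pinned, or removed from the image) and whether Node.js 22 is needed on the live system at all. The `PKGS-7392` long-execution warning is informational and fine to omit.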
@@ -269,15 +286,13 @@ W: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Policy will re
IPv6 only [ NO ]
- Checking configured nameservers
- Testing nameservers
Nameserver: 135.181.207.105 [ OK ]
Nameserver: 89.58.62.53 [ OK ]
Nameserver: 138.199.237.109 [ OK ]
- Minimal of 2 responsive nameservers [ OK ]
Nameserver: 127.0.0.53 [ OK ]
- DNSSEC supported (systemd-resolved) [ UNKNOWN ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ RUNNING ]
- Checking status DHCP client [ NOT ACTIVE ]
- Checking for ARP monitoring software [ NOT FOUND ]
- Uncommon network protocols [ NOT FOUND ]
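Review bot: this hunk replaces three tested upstream nameservers (each `[ OK ]`, plus `Minimal of 2 responsive nameservers [ OK ]`) with the single stub `127.0.0.53`, and the DNSSEC line stays `UNKNOWN`, so the audit no longer demonstrates that at least two upstream resolvers answer or that DNSSEC is enforced; pair this hunk with the `resolvectl status` output that the note at the top of the section promises. The DHCP client flipping from `RUNNING` to `NOT ACTIVE` is a configuration change that deserves a sentence of its own (static addressing, or DHCP moved into systemd-networkd).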
@@ -410,9 +425,9 @@ W: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Policy will re
------------------------------------
- Checking for expired SSL certificates [0/151] [ NONE ]
[WARNING]: Test CRYP-7902 had a long execution: 31.463606 seconds
[WARNING]: Test CRYP-7902 had a long execution: 22.283800 seconds
- Found 10 LUKS encrypted block devices. [ OK ]
- Found 11 LUKS encrypted block devices. [ OK ]
- Found 0 encrypted and 0 unencrypted swap devices in use. [ OK ]
- Kernel entropy is sufficient [ YES ]
- HW RNG & rngd [ NO ]
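Review bot: the LUKS device count grows from 10 to 11 but nothing says which device was added or how it is keyed; note it here. `HW RNG & rngd [ NO ]` is unchanged context and `jitterentropy.service` is present above, so entropy on a host without a hardware RNG is covered, but the doc should say that explicitly rather than leaving the NO unexplained.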
@@ -429,7 +444,7 @@ W: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Policy will re
------------------------------------
- Checking presence AppArmor [ FOUND ]
- Checking AppArmor status [ ENABLED ]
Found 43 unconfined processes
Found 28 unconfined processes
- Checking presence SELinux [ NOT FOUND ]
- Checking presence TOMOYO Linux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
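Review bot: unconfined processes drop from 43 to 28, a real improvement, but the remaining 28 are still the largest gap in the MAC section; attach `aa-status` (or `aa-unconfined`) output listing them so the next revision can target the ones belonging to this project's own services (e.g. `cdi-starter.service` and `rc-local.service`, both flagged UNSAFE above).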
@@ -441,7 +456,8 @@ W: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Policy will re
- AIDE [ FOUND ]
- AIDE config file [ FOUND ]
- AIDE database [ FOUND ]
- dm-integrity (status) [ DISABLED ]
- dm-integrity (status) [ FOUND ]
- dm-integrity (status) [ ENABLED ]
- dm-verity (status) [ DISABLED ]
- AIDE config (Checksum) [ OK ]
- Checking presence integrity tool [ FOUND ]
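Review bot: `dm-integrity (status)` goes from `DISABLED` to `FOUND` / `ENABLED` while `dm-verity (status)` stays `DISABLED`; state which of the 11 LUKS devices carry dm-integrity and whether it is the LUKS2 integrity (authenticated encryption) mode, and consider whether the read-only live root should get dm-verity, since an integrity layer under LUKS detects tampering with encrypted data at rest but does not provide the boot-time root-image verification that dm-verity does.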
@@ -611,6 +627,10 @@ W: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Policy will re
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Notice: This version of Lynis is older than 6 months and might be outdated. Check the project page if a newer version is available.
================================================================================
Notice: No OS entry was found in the end-of-life database
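Review bot: both added notices concern the scanner itself (version older than six months, no end-of-life entry for this OS, which matches `End-of-life: UNKNOWN` earlier); they duplicate the outdated-version block above and will go away if the audit is re-run with a current Lynis, which is preferable to documenting them.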
+1
@@ -23,6 +23,7 @@ include_toc: true
* **Added**: [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh) Module summary
* **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) Fixed: ``sysctl -p /etc/sysctl.d/90-ciss-local.hardened``
* **Changed**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) Fixed: Signature checksum verification.
* **Changed**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) Added: ``ensure_minimal_dev_nodes()``
## V9.14.016.2026.06.06
* **Changed**: [zzzz_ciss_uki_build.hook.binary](../config/hooks/live/zzzz_ciss_uki_build.hook.binary)
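Review bot: this commit touches three files but the changelog hunk adds a single line among entries (`Module summary`, `Fixed: Signature checksum verification.`) that say what changed without saying why or what the effect is; for the post-decrypt attest script in particular, a security-relevant fix should record what the previous verification got wrong (one sentence is enough), and the Lynis audit update and the resolved-stub note from this commit should be listed here as well.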