# ============================================================ # OSS SafeNet - Lynis Security Audit Report # Server: oss-safenet-va-01 (108.181.56.209) # Generated: 2026-04-26 08:30:01 UTC # ============================================================ # What is Lynis? # Lynis is an open-source security auditing tool. It performs # a deep scan of system configuration, installed software, and # security settings, then produces a hardening index score. # # A score of 70+ is considered good for a production server. # We publish this report publicly so you can verify our # security posture yourself - no trust required. # ============================================================ # ============================================================ # LYNIS REPORT DATA (machine-readable) # ============================================================ lynis_version=3.0.9 os_name=Ubuntu os_version=24.04 suggestion[]=LYNIS|This release is more than 4 months old. Check the website or GitHub to see if there is an update available.|-|-| suggestion[]=DEB-0810|Install apt-listbugs to display a list of critical bugs prior to each APT installation.|-|-| suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)|-|-| suggestion[]=BOOT-5264|Consider hardening system services|Run '/usr/bin/systemd-analyze security SERVICE' for each service|-| suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-| suggestion[]=AUTH-9230|Configure password hashing rounds in /etc/login.defs|-|-| suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-| suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separate partition|-|-| suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separate partition|-|-| suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separate partition|-|-| suggestion[]=NAME-4028|Check DNS configuration for the dns domain name|-|-| suggestion[]=PKGS-7346|Purge old/removed packages (6 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts.|-|-| warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-| suggestion[]=FIRE-4513|Check iptables rules to see which rules are currently not used|-|-| suggestion[]=HTTP-6710|Disable weak protocol in nginx configuration|-|-| suggestion[]=HTTP-6710|Change the HTTPS and SSL settings for enhanced protection of sensitive data and privacy|-|-| suggestion[]=HTTP-6712|Check your nginx access log for proper functioning|-|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|ClientAliveCountMax (set 3 to 2)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxSessions (set 10 to 2)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (set 22 to )|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|TCPKeepAlive (set YES to NO)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowAgentForwarding (set YES to NO)|-| suggestion[]=LOGG-2154|Enable logging to an external logging host for archiving purposes and additional protection|-|-| suggestion[]=LOGG-2190|Check what deleted files are still in use and why.|-|-| suggestion[]=BANN-7126|Add a legal banner to /etc/issue, to warn unauthorized users|-|-| suggestion[]=BANN-7130|Add legal banner to /etc/issue.net, to warn unauthorized users|-|-| suggestion[]=ACCT-9628|Enable auditd to collect audit information|-|-| suggestion[]=FINT-4402|Use SHA256 or SHA512 to create checksums in AIDE|-|-| suggestion[]=TOOL-5002|Determine if automation tools are present for system management|-|-| suggestion[]=FILE-7524|Consider restricting file permissions|See screen output or log file|text:Use chmod to change file permissions| suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked||Change sysctl value or disable test (skip-test=KRNL-6000:)| suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-| hardening_index=75