# lynis



## Anonymous (Oct 18, 2009)

Hi!

I ran lynis -c on my system (no server FreeBSD 7.2) and I got:

```
Tests performed: 109
  Warnings:
  ----------------------------
   - [15:38:31] Warning: Multiple users with UID 0 found in passwd file [test:AUTH-9204] [impact]
   - [15:38:31] Warning: Multiple accounts found with same UID [test:AUTH-9208] [impact]
   - [15:38:31] Warning: Possible harmful shell found (for passwordless account!) [test:AUTH-9218] [impact]
   - [15:38:31] Warning: Found multiple groups with same group ID [test:AUTH-9222] [impact]
   - [15:38:34] Warning: Found unprotected console in /etc/ttys [test:SHLL-6202] [impact]
   - [15:41:45] Warning: Found one or more vulnerable packages. [test:PKGS-7382] [impact]
   - [15:41:59] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [impact]
   - [15:41:59] Warning: Found promiscuous interface (pflog0) [test:NETW-3014] [impact]
   - [15:45:26] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact]

  Suggestions:
  ----------------------------
   - [15:38:31] Suggestion: Use vipw to delete the 'toor' user if not used. [test:AUTH-9204]
   - [15:38:31] Suggestion: Check your /etc/group file and correct inconsistencies [test:AUTH-9222]
   - [15:38:34] Suggestion: Change the console line from 'secure' to 'insecure'. [test:SHLL-6202]
   - [15:41:32] Suggestion: Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD. [test:PKGS-7348]
   - [15:41:45] Suggestion: Update your system with portupgrade or other tools [test:PKGS-7382]
   - [15:41:59] Suggestion: Check your resolv.conf file and connectivity to your nameservers [test:NETW-2705]
   - [15:45:18] Suggestion: Enable logging to an external logging host for archiving purposes and additional protection [test:LOGG-2154]
   - [15:45:26] Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily, to prevent big time differences and avoid problems with services like kerberos, authentication or logging differences. [test:TIME-3104]
   - [15:45:34] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
================================================================================
  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
================================================================================
  Hardening index : [63]     [############        ]
```
I don't understand the first four warnings. I have the default shell for root and tcsh for user; in login.conf I also have:

```
:passwd_format=blf:\
```

Thanks.


----------



## SirDice (Oct 19, 2009)

The first two messages are about root and toor (both have uid 0).

As for the others you will need to have a look at /etc/passwd and /etc/group.


----------



## Anonymous (Oct 19, 2009)

SirDice said:

> The first two messages are about root and toor (both have uid 0).
> 
> As for the others you will need to have a look at /etc/passwd and /etc/group.



In /etc/passwd I have:

```
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
```

and in /etc/group:

```
wheel:*:0:root
```
and user is in the wheel group too.

but there are no duplicate UIDs in group or passwd.


----------



## DutchDaemon (Oct 19, 2009)

Use [code] tags, lumiwa. They've been around for a while now.


----------



## SirDice (Oct 19, 2009)

lumiwa said:

> but there are no duplicate UIDs in group or passwd.


Yes there are. Both root and toor have uid 0. Hence a duplicate uid.


----------
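
An added example (not part of the thread, and not Lynis's own test code) of the duplicate-ID check behind the answer above: it lists every UID or GID shared by more than one entry in a passwd- or group-format file. The function names are hypothetical, and the sample data is constructed apart from the root and toor lines quoted in the thread.

```shell
#!/bin/sh
# Added example: find IDs shared by several entries in passwd(5)- or
# group(5)-format files. In both formats field 3 holds the numeric ID.

# shared_ids FILE -> one line per shared ID: "<id>:<name1>,<name2>,..."
shared_ids() {
    awk -F: '
        /^#/ || NF < 3 { next }          # skip comments and short lines
        {
            count[$3]++
            names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
        }
        END {
            for (id in count)
                if (count[id] > 1) print id ":" names[id]
        }' "$1" | sort -t: -k1,1n
}

# uid0_accounts FILE -> name of every account whose UID is 0
uid0_accounts() {
    awk -F: '!/^#/ && $3 ~ /^0+$/ { print $1 }' "$1"
}

# Constructed sample data: the root and toor lines are the ones quoted in
# the thread; every other line is made up for illustration.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001:Constructed user:/home/alice:/bin/tcsh
EOF
cat > "$tmp/group" <<'EOF'
wheel:*:0:root,alice
daemon:*:1:
staff:*:20:
ops:*:20:alice
EOF

echo "UID 0 accounts:"; uid0_accounts "$tmp/passwd"
echo "Shared UIDs:";    shared_ids "$tmp/passwd"
echo "Shared GIDs:";    shared_ids "$tmp/group"
```

On a live system, pass /etc/passwd and /etc/group to the functions instead of the sample files.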



## DutchDaemon (Oct 19, 2009)

BTW: root/toor is a feature, not a bug.


----------

