I’m using this tutorial: https://www.digitalocean.com/community/tutorials/how-to-perform-security-audits-with-lynis-on-ubuntu-16-04
But I cannot resolve these warnings:
! No password set for single mode [AUTH-9308] https://cisofy.com/controls/AUTH-9308/
(I ran passwd as root and set a root password, so it should prevent single user mode login without that password. So do I configure Lynis to ignore this?)
! Couldn’t find 2 responsive nameservers [NETW-2705] https://cisofy.com/controls/NETW-2705/
(/etc/resolv.conf on all Ubuntu systems I have ever used only has nameserver 127.0.0.53. I can see two nameservers when I run systemd-resolve --status, and both are responsive. So do I configure Lynis to ignore this?)
! No MySQL root password set [DBS-1816] https://cisofy.com/controls/DBS-1816/
(Can’t figure this one out. I cannot seem to prevent the root user from logging in as root to the database. The password has indeed been set and I flushed privileges. The /root/.digitalocean_password file contains root_mysql_pass. So that’s why Lynis is flagging on this, right? Wrong. If I rename that file and even restart the daemon, flush privileges, etc., it still allows login. At least it is only accessible by root. So do I configure Lynis to ignore this?)
Thought it might be good for others to know that these issues were resolved by simply upgrading Lynis to the latest :-)
Lynis author here.
Sure, if you can’t resolve a particular item and you feel you can accept the risk or took other measures, then it is totally fine to skip a particular test.
To skip a test: add ‘skip-test=AAAA-1234’ (without quotes) to custom.prf (lynis show profiles). Replace the ID with the one you see between the brackets.
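The skip-test step described in the answer above, as an added example that is not part of the original answer or of Lynis itself: a small shell helper that records accepted-risk test IDs in a profile file without duplicating entries. The function names are hypothetical, the ID shape it checks (three or four capital letters, a dash, four digits) is an assumption based on the IDs shown on this page, and the profile path must be taken from `lynis show profiles` on your own system.

```shell
#!/bin/sh
# Added example: idempotently add skip-test entries to a Lynis custom profile.
# Usage (PROFILE is whatever custom.prf path `lynis show profiles` reports):
#   add_skip_test "$PROFILE" AUTH-9308

# add_skip_test PROFILE TEST_ID
# Returns 0 if the entry is present afterwards, 1 if the profile cannot be
# created, 2 if the test ID is malformed.
add_skip_test() {
    profile=$1
    id=$2

    # Assumed ID shape: 3 or 4 capital letters, a dash, 4 digits (e.g. DBS-1816).
    # Rejecting anything else keeps stray text out of the profile.
    case "$id" in
        [A-Z][A-Z][A-Z]-[0-9][0-9][0-9][0-9]) ;;
        [A-Z][A-Z][A-Z][A-Z]-[0-9][0-9][0-9][0-9]) ;;
        *) echo "invalid test ID: $id" >&2; return 2 ;;
    esac

    # Create the profile if it does not exist yet.
    [ -f "$profile" ] || : > "$profile" || return 1

    # Exact whole-line match so an existing entry is not written twice.
    if grep -qxF "skip-test=$id" "$profile"; then
        return 0
    fi
    printf 'skip-test=%s\n' "$id" >> "$profile"
}

# count_skips PROFILE: print the number of skip-test lines in the profile,
# useful for reviewing how many findings have been accepted rather than fixed.
count_skips() {
    grep -c '^skip-test=' "$1"
}
```

Running `count_skips` after each audit cycle gives a quick view of how many findings are being suppressed, so skipped tests can be revisited after a Lynis upgrade.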