I cannot seem to resolve these Lynis warnings, should I ignore them?

December 18, 2018

I’m using this tutorial:
https://www.digitalocean.com/community/tutorials/how-to-perform-security-audits-with-lynis-on-ubuntu-16-04

But I cannot resolve these warnings:

! No password set for single mode [AUTH-9308]
https://cisofy.com/controls/AUTH-9308/

(I ran passwd as root and set a root password, so it should prevent single user mode login without that password. So do I configure Lynis to ignore this?)

! Couldn’t find 2 responsive nameservers [NETW-2705]
https://cisofy.com/controls/NETW-2705/

(/etc/resolv.conf on all Ubuntu systems I have ever used only has nameserver 127.0.0.53. I can see two nameservers when I run systemd-resolve --status, and both are responsive. So do I configure Lynis to ignore this?)

! No MySQL root password set [DBS-1816]
https://cisofy.com/controls/DBS-1816/

(Can’t figure this one out. I cannot seem to prevent the root user from logging in as root to the database. The password has indeed been set and I flushed privileges. The /root/.digitalocean_password file contains root_mysql_pass. So that’s why Lynis is flagging on this, right? Wrong. If I rename that file and even restart the daemon, flush privileges, etc., it still allows login. At least it is only accessible by root. So do I configure Lynis to ignore this?)

2 Answers

Thought it might be good for others to know that these issues were resolved by simply upgrading Lynis to the latest :-)

Lynis author here.

Sure, if you can’t resolve a particular item and you feel you can accept the risk or took other measures, then it is totally fine to skip a particular test.

To skip a test: add ‘skip-test=AAAA-1234’ (without quotes) to custom.prf (lynis show profiles). Replace the ID with the one you see between the brackets.

  • Great software! Way better than some other packages I’ve used.

    Should I submit a bug report for AUTH-9308? I believe I am currently meeting this condition but it is flagging. I see the NETW-2705 nameserver issue already has a bug report, but not sure if it was ever implemented or if I just have a stale database.

    Also, I would like to know from you or anyone if you know why MySQL allows login as root from the root Linux account without a password – even though a password is set, and it’s not getting it from /root/.digitalocean_password.
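
One way to apply the skip-test advice from the answer above, as an added example that is not part of the original answers or the Lynis project: a shell helper that validates the test ID, avoids duplicate entries and records why the test was skipped. The function names and the profile path passed in are assumptions; `lynis show profiles` shows where custom.prf actually lives.

```shell
#!/bin/sh
# Added example (not Lynis project code): record accepted-risk tests in custom.prf.
# Assumption: the caller passes the profile path; find it with `lynis show profiles`.

# add_skip_test PROFILE TEST_ID REASON
# Returns 0 if the entry was added or was already present, 2 on a malformed ID.
add_skip_test() {
    profile=$1
    id=$2
    # Flatten newlines so the reason text can never inject an extra profile line.
    reason=$(printf '%s' "$3" | tr '\n\r' '  ')

    # IDs follow the AAAA-1234 shape shown between the brackets in the report.
    if ! printf '%s\n' "$id" | grep -Eq '^[A-Z]{4}-[0-9]{4}$'; then
        echo "refusing malformed test ID: $id" >&2
        return 2
    fi

    # Idempotent: re-running must not append a second copy.
    if [ -f "$profile" ] && grep -Fxq "skip-test=$id" "$profile"; then
        return 0
    fi

    # Keep the justification next to the exception so a later review
    # can see why the risk was accepted and when.
    {
        printf '# %s skipped %s: %s\n' "$id" "$(date +%Y-%m-%d)" "$reason"
        printf 'skip-test=%s\n' "$id"
    } >> "$profile"
}

# list_skipped PROFILE: print the test IDs currently skipped, one per line.
list_skipped() {
    sed -n 's/^skip-test=//p' "$1"
}
```

Running `list_skipped` against the profile after each Lynis upgrade gives a short list of exceptions to re-test, since a newer release may no longer raise the warning.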
