Any Potential Conflict Between Lynis Needs & ISPConfig?

Discussion in 'ISPConfig 3 Priority Support' started by yupthatguy, Apr 21, 2021.

  1. yupthatguy

    yupthatguy Member HowtoForge Supporter

    I discovered Lynis via this thread [3 security tools]. I installed it and fell in love:cool:. Lynis conducts a wide range of security tests and provides convenient suggestions to resolve whatever warnings. My question is this: Are there any known warnings from Lynis that, if resolved, conflicts with ISPConfig? (directory/file permissions, hardening php, removing old kernels, & so on... )

    Are there any test that ISPConfig would recommend I disable in Lynis?

    Or am I free to eliminate all the warnings as recommended?

    My goal is Hardening index of 100

    Thanks
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It's good practice to secure your system, but most hacks occur through hacked websites because of a outdated CMS. So you should focus on that ;)
     
  3. yupthatguy

    yupthatguy Member HowtoForge Supporter

    So I am free to eliminate lynis warnings without worry of breaking ISPConfig?
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The settings set by ISPConfig are set as they are for good reasons, so I would not change too much, especially if you don't know what it is.
     
  5. yupthatguy

    yupthatguy Member HowtoForge Supporter

    I am good about reading tutoials and documentation.. If I run into specific Lynis / ISPConfig issues... I'll post... thanx.
     
  6. yupthatguy

    yupthatguy Member HowtoForge Supporter

    Ok.. so I am back with a couple of "nitty-gritty" questions regarding Lynis 3.0.3 & ISPConfig. I am aware that I can simply execute these changes on my test server and see what happens. However, these changes involve a much longer testing cycle as to detect possible negative impacts, so I would highly appreciate it if one you gurus could save me a substantial bit of time with your knowledge.

    Lynis [HOME-9304] suggests:
    Code:
    chmod 750 /home/administrator \
    chmod 750 /var/lib/spamassassin \
    chmod 750 /var/vmail \
    chmod 750 /var/www/apps \
    chmod 750 /usr/local/ispconfig \
    
    All of the above seem like harmless hardening measures, but I would appreciate a confirmation of their harmlessness... or if I am about to step on a landmine.

    Also there is one Lynis suggestion that seems very, very substantive:
    Code:
    # chown ispconfig /usr/local/ispconfig
    
    Lynis warns that /usr/local/ispconfig is owned by root rather than ispconfig user and makes the above suggestion.

    Can you provide a little affirmation / clarity for the noob?
    thx
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    This might be ok doing it without breaking something, so you can try that. If something does not works afterwards.

    This would open up a security hole, don't do that.
     
  8. yupthatguy

    yupthatguy Member HowtoForge Supporter

    Thanks... avoiding creating a security hole and other headaches is exactly why I asked. :)
     

Share This Page