- Updated Jan 21, 2020
hardening
Here are 204 public repositories matching this topic...
- Updated Apr 5, 2020
It'd be helpful if there was a check for ELB and ALBs that have either no listeners or no instances in their target pool. The check is similar to an unused security group although there are more financial penalties for having idle ELB and ALBs.
- Updated May 24, 2020 - Python
Description of problem:
I have never written SCAP content before, and am looking at how to get started. I would like to write SCAP content to test compliance on Photon OS against DISA SRGs. I have been all over the wiki pages, but I am still not sure how to get started. The main page makes it look super easy for writing OVAL and XCCDF files using YAML, but I am not sure where to build those
https://github.com/0xmachos/mOSL is a good replacement until this is updated.
Basically, we should remove all settings that are no longer relevant, and add ones that are newly added.
We'd like to support CentOS8!
Ideally we'd have testing for:
- kitchen with vagrant (https://github.com/dev-sec/ansible-ssh-hardening/blob/master/.kitchen.vagrant.yml)
- kitchen with docker (https://github.com/dev-sec/ansible-ssh-hardening/blob/master/.kitchen.yml)
- travis (https://github.com/dev-sec/ansible-ssh-hardening/blob/master/.travis.yml)
Docker-Image that should be used: https
It would be nice if each module had a short description of why it's recommending a specific change. For example, automatically logging out idle users is intuitive and easy to understand. But what does enabling TCP SYN cookie protection do? Why is it a good idea?
Yes, these things are probably easy to search for on the internet, but it would be nice to get even just a short description.
- Updated Feb 4, 2020 - Shell
- Updated Jun 27, 2020 - Shell
As per this inline comment[1], there's a mismatch between the title/description and the actual test for systcl-17[2], martian logging.
The title says we're testing to ensure martian logging is disabled, but the actual test verifies that the logging is enabled. If I'm understanding correctly it's possible, even likely, that this is just a simple oversight in commit bb7c532f where the test
- Updated Jun 26, 2020 - HCL
- Updated Aug 21, 2019 - PHP
It seems you log full IP addresses at jvoisin/snuffleupagus@b1a4af5
I'm not sure if this logs directly to logfiles or if filters are applied by syslog like it is done at many hosting platforms for accesslog files.
Full IP addresses are not helpful and are GDPR relevant under the jurisdiction that an IP address can be connected to a s
- Updated Jun 24, 2020 - C
- Updated Jun 18, 2020 - Ruby
- Updated Jun 28, 2020 - C
Type annotations
aws-gate should have type annotations, so we can do more linting and discover design issues.
We'd like to support CentOS8!
Ideally we'd have testing for:
- kitchen with vagrant (https://github.com/dev-sec/ansible-nginx-hardening/blob/master/.kitchen.vagrant.yml)
- kitchen with docker (https://github.com/dev-sec/ansible-nginx-hardening/blob/master/.kitchen.yml)
- travis (https://github.com/dev-sec/ansible-nginx-hardening/blob/master/.travis.yml)
Docker-Image that should be used:
Describe the bug
Protocol sftp is disabled by default. This enforces using scp. Described in README:
This role by default deactivates SFTP.
Expected behavior
Today I have read release notes of OpenSSH 8.0 when they say:
It would be nice if lynis would gather (and report in the portal/reports) information about user-accounts: