用使用lynis进行linux系统安全审计
lynis就是Linux平台上的这样一款安全漏洞扫描工具。这款工具是开源工具(采用GPLv3许可证),实际上在包括Linux、FreeBSD和Mac OS在内的多个平台上得到支持
执行许多类别的审查工作:
•系统工具:系统二进制代码
•引导和服务:引导装入程序和启动服务。
•内核:运行级别、已装入模块、内核配置和核心转储
•内存和进程:僵尸进程和输入输出等待进程
•用户、用户组和验证:用户组编号、sudoers文件、可插拔验证模块(PAM)配置、密码老化和默认掩码
•外壳
•文件系统:挂载点、临时文件和根文件系统
•存储:USB存储(usb-storage)和火线开放式主机控制器接口(firewire ohci)
•NFS
•软件:名称服务:DNS搜索域和BIND
•端口和程序包:容易受到攻击/可以升级的程序包和安全存储库
•网络:名称服务器、混杂接口和连接。
•打印机和假脱机:通用Unix打印系统(CUPS)配置
•软件:电子邮件和消息传送
•软件:防火墙:iptables和pf
•软件:网站服务器:Apache和nginx
•SSH支持:SSH配置
•SNMP支持
•数据库:MySQL根密码
•LDAP服务
•软件:php:php选项
•Squid支持
•日志和文件:syslog守护程序和日志目录
•不安全服务:inetd
•banner信息和身份证明
•调度任务:crontab/cronjob和atd
•审计:sysstat数据和auditd
•时间和同步:ntp守护程序
•密码:SSL证书到期
•虚拟化
•安全框架:AppArmor、SELinux和grsecurity状态
•软件:文件完整性
•软件:恶意软件扫描工具
•主目录:外壳历史文件
一旦扫描完毕,你系统的审查报告就会自动生成,并保存在/var/log/lynis.log中。
审查报告含有该工具检测到的潜在安全漏洞方面的警告信息
重点查看日志的Warning和Suggestion的内容。wget https://cisofy.com/files/lynis-2.1.1.tar.gz
[root@localhost opt]# wget https://cisofy.com/files/lynis-2.1.1.tar.gz
--2016-01-14 13:35:06-- https://cisofy.com/files/lynis-2.1.1.tar.gz
正在解析主机 cisofy.com (cisofy.com)... 149.210.134.182, 2a01:7c8:aab2:209::1
正在连接 cisofy.com (cisofy.com)|149.210.134.182|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:181099 (177K) [application/octet-stream]
正在保存至: “lynis-2.1.1.tar.gz”
100%[=============================================================================================================================================================>] 181,099 51.6KB/s 用时 3.4s
2016-01-14 13:35:13 (51.6 KB/s) - 已保存 “lynis-2.1.1.tar.gz” [181099/181099])
[root@localhost opt]# ls
lynis-1.6.3.tar.gz lynis-2.1.1.tar.gz rh
[root@localhost opt]# tar -xzvf lynis-2.1.1.tar.gz
[root@localhost opt]# ls
lynis lynis-1.6.3.tar.gz lynis-2.1.1.tar.gz rh
[root@localhost opt]# cd lynis/
[root@localhost lynis]# ./lynis audit system -Q
[ Lynis 2.1.1 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
Copyright 2007-2015 - CISOfy, https://cisofy.com
Enterprise support and plugins available via CISOfy
################################################################################
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
---------------------------------------------------
Program version: 2.1.1
Operating system: Linux
Operating system name: CentOS
Operating system version: CentOS Linux release 7.2.1511 (Core)
Kernel version: 3.10.0
Hardware platform: x86_64
Hostname: localhost
Auditor: [Unknown]
Profile: ./default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: ./plugins
---------------------------------------------------
- Checking profile file (./default.prf)...
- Program update status... [ NO UPDATE ]
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests, which may take a few minutes to complete
- Plugins enabled [ NONE ]
[+] Boot and services
------------------------------------
- Service Manager [ UNKNOWN ]
- Checking presence GRUB2 [ FOUND ]
- Checking for password protection [ OK ]
- Check running services (systemctl) [ DONE ]
Result: found 25 running services
- Check enabled services at boot (systemctl) [ DONE ]
Result: found 32 enabled services
- Check startup files (permissions) [ OK ]
[+] Kernel
------------------------------------
- Checking default runlevel [ runlevel 3 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
Found 51 active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ FOUND ]
- Checking core dumps configuration [ DISABLED ]
- Checking setuid core dumps configuration [ DEFAULT ]
- Check if reboot is needed [ NO ]
[+] Memory and processes
------------------------------------
- Checking /proc/meminfo [ FOUND ]
- Searching for dead/zombie processes [ OK ]
- Searching for IO waiting processes [ OK ]
[+] Users, Groups and Authentication
------------------------------------
- Search administrator accounts [ OK ]
- Checking for non-unique UIDs [ OK ]
- Checking consistency of group files (grpck) [ OK ]
- Checking non unique group ID's [ OK ]
- Checking non unique group names [ OK ]
- Checking password file consistency [ OK ]
- Query system users (non daemons) [ DONE ]
- Checking NIS+ authentication support [ NOT ENABLED ]
- Checking NIS authentication support [ NOT ENABLED ]
- Checking sudoers file [ FOUND ]
- Check sudoers file permissions [ OK ]
- Checking PAM password strength tools [ OK ]
- Checking PAM configuration file (pam.conf) [ NOT FOUND ]
- Checking PAM configuration files (pam.d) [ FOUND ]
- Checking PAM modules [ FOUND ]
- Checking user password aging [ DISABLED ]
- Checking Linux single user mode authentication [ WARNING ]
- Determining default umask
- Checking umask (/etc/profile) [ SUGGESTION ]
- Checking umask (/etc/login.defs) [ OK ]
- Checking umask (/etc/init.d/functions) [ SUGGESTION ]
- Checking LDAP authentication support [ NOT ENABLED ]
[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 8 shells (valid shells: 8).
- Session timeout settings/tools [ NONE ]
[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ OK ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Checking LVM volume groups [ FOUND ]
- Checking LVM volumes [ FOUND ]
- Querying FFS/UFS mount points (fstab) [ NONE ]
- Query swap partitions (fstab) [ OK ]
- Testing swap partitions [ OK ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- ACL support root file system [ DISABLED ]
- Checking Locate database [ FOUND ]
[+] Storage
------------------------------------
- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ]
[+] NFS
------------------------------------
- Check running NFS daemon [ NOT FOUND ]
[+] Name services
------------------------------------
- Checking default DNS search domain [ NONE ]
- Checking /etc/resolv.conf options [ NONE ]
- Searching DNS domain name [ FOUND ]
Domain name: localhost
- Checking nscd status [ NOT FOUND ]
- Checking BIND status [ NOT FOUND ]
- Checking PowerDNS status [ NOT FOUND ]
- Checking ypbind status [ NOT FOUND ]
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ OK ]
- Checking /etc/hosts (localhost) [ SUGGESTION ]
[+] Ports and packages
------------------------------------
- Searching package managers
- Searching RPM package manager [ FOUND ]
- Querying RPM package manager
- Checking YUM package management consistency [ OK ]
- Checking package database duplicates [ OK ]
- Checking package database for problems [ OK ]
- Checking missing security packages [ OK ]
- Checking GPG checks (yum.conf) [ OK ]
- Checking package audit tool [ INSTALLED ]
Found: yum-security
[+] Networking
------------------------------------
- Checking configured nameservers
- Testing nameservers
Nameserver: 202.101.172.35 [ OK ]
- Minimal of 2 responsive nameservers [ WARNING ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
* Found 10 ports
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ NOT ACTIVE ]
[+] Printers and Spools
------------------------------------
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]
[+] Software: e-mail and messaging
------------------------------------
- Checking Exim status [ NOT FOUND ]
- Checking Postfix status [ RUNNING ]
- Checking Postfix configuration [ FOUND ]
- Checking Postfix banner [ WARNING ]
- Checking Dovecot status [ NOT FOUND ]
- Checking Qmail status [ NOT FOUND ]
- Checking Sendmail status [ NOT FOUND ]
[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ FOUND ]
- Checking for empty ruleset [ WARNING ]
- Checking for unused rules [ OK ]
- Checking pflogd status [ NOT FOUND ]
- Checking pf [ NOT FOUND ]
- Checking host based firewall [ ACTIVE ]
[+] Software: webserver
------------------------------------
- Checking Apache (binary /usr/sbin/httpd) [ FOUND ]
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
Info: Configuration file found (/etc/httpd/conf/httpd.conf)4C
Info: No virtual hosts found
* Loadable modules [ FOUND ]
- Found 103 loadable modules
mod_evasive: anti-DoS/brute force [ NOT FOUND ]
mod_qos: anti-Slowloris [ NOT FOUND ]
mod_spamhaus: anti-spam (spamhaus) [ NOT FOUND ]
ModSecurity: web application firewall [ NOT FOUND ]
- Checking nginx [ NOT FOUND ]
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- Checking defined SSH options [ DONE ]
- SSH option: PermitRootLogin [ DEFAULT ]
- SSH option: Protocol [ DEFAULT ]
- SSH option: StrictModes [ DEFAULT ]
- SSH option: AllowUsers [ NOT FOUND ]
- SSH option: AllowGroups [ NOT FOUND ]
[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]
[+] Databases
------------------------------------
- MySQL process status [ FOUND ]
- Checking MySQL root password [ OK ]
- PostgreSQL processes status [ NOT FOUND ]
- Oracle processes status [ NOT FOUND ]
[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]
[+] PHP
------------------------------------
- Checking PHP [ FOUND ]
- Checking PHP disabled functions [ FOUND ]
- Checking expose_php option [ ON ]
- Checking enable_dl option [ OFF ]
- Checking allow_url_fopen option [ ON ]
- Checking allow_url_include option [ OFF ]
[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]
[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking minilogd instances [ NOT FOUND ]
- Checking logrotate presence [ OK ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ FILES FOUND ]
[+] Insecure services
------------------------------------
- Checking inetd status [ NOT ACTIVE ]
[+] Banners and identification
------------------------------------
- /etc/motd [ FOUND ]
- /etc/motd permissions [ OK ]
- /etc/motd contents [ WEAK ]
- /etc/issue [ FOUND ]
- /etc/issue contents [ WEAK ]
- /etc/issue.net [ FOUND ]
- /etc/issue.net contents [ WEAK ]
[+] Scheduled tasks
------------------------------------
- Checking crontab/cronjob [ DONE ]
- Checking atd status [ RUNNING ]
- Checking at users [ DONE ]
- Checking at jobs [ NONE ]
[+] Accounting
------------------------------------
- Checking accounting information [ OK ]
- Checking sysstat accounting data [ ENABLED ]
- Checking auditd [ ENABLED ]
- Checking audit rules [ SUGGESTION ]
- Checking audit configuration file [ OK ]
- Checking auditd log file [ FOUND ]
[+] Time and Synchronization
------------------------------------
- Checking for a running NTP daemon or client [ WARNING ]
[+] Cryptography
------------------------------------
- Checking SSL certificate expiration [ OK ]
[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ NOT FOUND ]
- Checking presence SELinux [ FOUND ]
- Checking SELinux status [ DISABLED ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ NONE ]
[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- Checking presence integrity tool [ NOT FOUND ]
[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NOT FOUND ]
[+] Software: Malware scanners
------------------------------------
[+] File Permissions
------------------------------------
- Starting file permissions check
/etc/lilo.conf [ NOT FOUND ]
/root/.ssh [ NOT FOUND ]
[+] Home directories
------------------------------------
- Checking shell history files [ OK ]
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- kernel.core_uses_pid (exp: 1) [ OK ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.kptr_restrict (exp: 1) [ DIFFERENT ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]
- Installed malware scanner [ NOT FOUND ]
[+] Custom Tests
------------------------------------
- Running custom tests... [ NONE ]
================================================================================
-[ Lynis 2.1.1 Results ]-
Warnings:
----------------------------
- No password set for single mode [AUTH-9308]
https://cisofy.com/controls/AUTH-9308/
- Couldn't find 2 responsive nameservers [NETW-2705]
https://cisofy.com/controls/NETW-2705/
- Found mail_name in SMTP banner, and/or mail_name contains 'Postfix' [MAIL-8818]
https://cisofy.com/controls/MAIL-8818/
- iptables module(s) loaded, but no rules active [FIRE-4512]
https://cisofy.com/controls/FIRE-4512/
- PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [PHP-2372]
https://cisofy.com/controls/PHP-2372/
Suggestions:
----------------------------
- Configure password aging limits to enforce password changing on a regular base [AUTH-9286]
https://cisofy.com/controls/AUTH-9286/
- Set password for single user mode to minimize physical access attack surface [AUTH-9308]
https://cisofy.com/controls/AUTH-9308/
- Default umask in /etc/profile could be more strict like 027 [AUTH-9328]
https://cisofy.com/controls/AUTH-9328/
- To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
- To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
- Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
https://cisofy.com/controls/STRG-1840/
- Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
https://cisofy.com/controls/STRG-1846/
- Split resolving between localhost and the hostname of the system [NAME-4406]
https://cisofy.com/controls/NAME-4406/
- Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705]
https://cisofy.com/controls/NETW-2705/
- You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [MAIL-8818]
https://cisofy.com/controls/MAIL-8818/
- Disable iptables kernel module if not used or make sure rules are being used [FIRE-4512]
https://cisofy.com/controls/FIRE-4512/
- Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
https://cisofy.com/controls/HTTP-6640/
- Install Apache mod_qos to guard webserver against Slowloris attacks [HTTP-6641]
https://cisofy.com/controls/HTTP-6641/
- Install Apache mod_spamhaus to guard webserver against spammers [HTTP-6642]
https://cisofy.com/controls/HTTP-6642/
- Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
https://cisofy.com/controls/HTTP-6643/
- Change the expose_php line to: expose_php = Off [PHP-2372]
https://cisofy.com/controls/PHP-2372/
- Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376]
https://cisofy.com/controls/PHP-2376/
- Check what deleted files are still in use and why. [LOGG-2190]
https://cisofy.com/controls/LOGG-2190/
- Add legal banner to /etc/motd, to warn unauthorized users [BANN-7122]
https://cisofy.com/controls/BANN-7122/
- Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
https://cisofy.com/controls/BANN-7126/
- Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
https://cisofy.com/controls/BANN-7130/
- Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630]
https://cisofy.com/controls/ACCT-9630/
- Use NTP daemon or NTP client to prevent time issues. [TIME-3104]
https://cisofy.com/controls/TIME-3104/
- Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
https://cisofy.com/controls/FINT-4350/
- Determine if automation tools are present for system management [TOOL-5002]
https://cisofy.com/controls/TOOL-5002/
- One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
https://cisofy.com/controls/KRNL-6000/
- Harden compilers like restricting access to root user only [HRDN-7222]
https://cisofy.com/controls/HRDN-7222/
- Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
https://cisofy.com/controls/HRDN-7230/
Follow-up:
----------------------------
- Check the logfile for more details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 69 [############# ]
Tests performed : 196
Plugins enabled : 0
Quick overview:
- Firewall [V] - Malware scanner [X]
Lynis Modules:
- Heuristics Check [NA] - Security Audit [V]
- Compliance Tests [X] - Vulnerability Scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Tip: Disable all tests which are not relevant or are too strict for the
purpose of this particular machine. This will remove unwanted suggestions
and also boost the hardening index. Each test should be properly analyzed
to see if the related risks can be accepted, before disabling the test.
================================================================================
Lynis 2.1.1
Auditing, hardening and compliance for BSD, Linux, Mac OS and Unix
Copyright 2007-2015 - CISOfy, https://cisofy.com
Enterprise support and plugins available via CISOfy
================================================================================
[root@localhost lynis]#