安云网 - AnYun.ORG | 专注于网络信息收集、网络数据分享、网络安全研究、网络各种猎奇八卦。
当前位置: 安云网 > 技术关注 > 神兵利刃 > lynis—*nix安全审计工具

lynis—*nix安全审计工具

时间:2014-07-19来源: 作者:碳基体点击:
Lynis是一款*nix(我在mac os x10.8.3,ubuntu 10.04, Debian 2.6上都测试过,能正常运行)上的开源的系统安全审计功能工具,该工具由一系列的shell脚本构成,可以在移动硬盘上运行。

一、介绍

Lynis是一款*nix(我在mac os x10.8.3,ubuntu 10.04, Debian 2.6上都测试过,能正常运行)上的开源的系统安全审计功能工具,该工具由一系列的shell脚本构成,可以在移动硬盘上运行(但运行需要root权限)。可以审计如下内容:

//内容来自AnYun.ORG

//ANYUN.ORG

1. 系统上安装的二进制文件(例如/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin目录下的)
2.启动服务(例如GRUB是否有密码保护)
3.系统内核信息(例如默认运行级别,内核加载模块,内核配置文件)
4.内存与进程信息(例如是否有僵尸进程,是否有等待中的I/O操作)
5.账户,群组与身份验证(例如sudoers文件,PAM配置等密码策略,unmask设置等)
6.Shell(/etc/shells)
7.文件系统(例如tmp目录下是否有90天前的文件,root文件系统是否有ACL策略
8.是否禁止外设(usb,fireware)
9.NFS
10.DNS域名服务(/etc/resolv.conf,BIND,PowerDNS, ypbind,nscd)
11.软件包管理(dpkg,rpm)
12.网络信息(网卡,网关,ip,处于waiting状态的连接)
13.打印机(cups)
14.邮件系统(e.g.Postfix,Exim ,Qmail smtpd)
15.防火墙(iptable)
16、web服务器(apache,nignx)安全配置
17.SSH安全配置(例如不运行root远程登录)
18.SNMP安全配置
19.数据库安全配置(MySQL,PostgreSQL,Oracle)
20.LDAP安全配置
21.PHP安全配置
22.Squid安全配置
23.日志文件管理(syslog,logrotate)
24.危险服务 (inetd.conf)
25.系统指纹(/etc/motd /etc/issue /etc/issue.net)
26.定时任务(crontab/cronjob)
27.审计模块是否开启(auditd)
28. 时间同步服务(NTP)
29.加密(例如SSL证书有效期)
30.是否应用安全框架(SELinux,AppArmor ,grsecurity)
31.是否有文件系统完整性检测工具(AFICK,AIDE, Osiris,Samhain,Tripwire
32.是否有恶意程序检测工具(chkrootkit,Rootkit Hunter,ClamAV scanner)
33.特定文件的权限是否合理(例如/root/.ssh是否为rwx------)
34.home目录下是否有敏感文件(例如shell history文件内容是否可疑)
35.是否做过内核加固(扫描sysctl内容) 
//ANYUN.ORG
二、安装及运行

//copyright AnYun.ORG

很简单,如下所示:

//安云网,anyun.org

//安云网咨询系统

安装

//内容来自AnYun.ORG

//copyright AnYun.ORG

wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
tar zxvf lynis-1.3.0.tar.gz
cd lynis-1.3.0/ //copyright AnYun.ORG 

//内容来自安云网

查看帮助 //内容来自AnYun.ORG

sudo ./lynis --man 
//ANYUN.ORG

全部检查(最常用) //copyright AnYun.ORG

sudo ./lynis --check-all -Q //copyright AnYun.ORG 

采用crontab自动检查

//本文来自安云网

sudo ./lynis -c --auditor "automated" --cronjob > /var/log/lynis/report.txt //内容来自安云网 

//copyright AnYun.ORG

//ANYUN.ORG

三、查看日志中的敏感信息 //ANYUN.ORG

grep Warning /var/log/lynis.log
grep Suggestingon /var/log/lynis.log //安云网咨询系统

//安云网咨询系统

结果如下(以一台debian操作系统为例) //copyright AnYun.ORG

//安云网,anyun.org

[email protected]:~/lynis-1.3.0$ sudo grep Warning /var/log/lynis.log
[sudo] password for dani: 
[14:40:54] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
[14:42:33] Warning: Found 8 files in /tmp which are older than 90 days [test:FILE-6354] [impact:L]
[14:42:41] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [impact:L]
[14:42:41] Warning: Found promiscuous interface (peth0) [test:NETW-3015] [impact:H]
[14:52:27] Warning: iptables module(s) loaded, but no rules active [test:FIRE-4512] [impact:L]
[14:52:49] Warning: Found SSL certificate expiration (/etc/ssl/certs/ca-certificates.crt) [test:CRYP-7902] [impact:M]
[email protected]:~/lynis-1.3.0$ sudo grep Suggestion /var/log/lynis.log
[14:40:54] Suggestion: Run grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> [test:BOOT-5121]
[14:42:29] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
[14:42:29] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[14:42:29] Suggestion: Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027 [test:AUTH-9328]
[14:42:29] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
[14:42:33] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
[14:42:33] Suggestion: Clean up unused files in /tmp [test:FILE-6354]
[14:42:34] Suggestion: The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [test:FILE-6410]
[14:42:34] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
[14:42:34] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
[14:42:40] Suggestion: Purge removed packages (2 found) with aptitude purge command, to cleanup old configuration files, cron jobs and startup scripts. [test:PKGS-7346]
[14:42:41] Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705]
[14:52:27] Suggestion: Disable iptables kernel module if not used or make sure rules are being used [test:FIRE-4512]
[14:52:27] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
[14:52:42] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
[14:52:42] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130]
[14:52:48] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]
[14:52:51] Suggestion: Renew SSL expired certificates. [test:CRYP-7902]
[14:52:53] Suggestion: Install a file integrity tool [test:FINT-4350]
[14:53:03] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]
[14:53:03] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
[14:53:03] Suggestion: Harden compilers and restrict access to world [test:HRDN-7222]
[14:53:03] Suggestion: Harden the system by installing one or malware scanners to perform periodic  
//内容来自安云网

结果如下(以一台debian操作系统为例) //安云网咨询系统

四、小结
该款工具比较全面的涵盖了系统安全的审计内容,但每个审计项都不深入,需要具体的扩展,例如PHP、Apache,MySQL的安全配置,就需要细化。 //本文来自安云网

//内容来自安云网

//安云网咨询系统

五、附录
安全加固列表
(1)OS加固:debian(真机/虚拟机)
(2)DB加固:mysql3306,PostgreSQL5432,Oracle2483-2484,SQLServer1433-1434
(3)web服务器加固:apache,nignx,lighthttpd
(4)应用程序服务器加固:php
(5)LDAP服务器:OpenLDAP(ldap 389)
(6)DNS服务器,BIND (dns 53)
(7)电子邮件服务器,SendMail(Postfix):SMTP (smtp 25)
(8)FTP服务器:VSFTPD,Server-U (ftp 21 tftp 69)
(9)Samba服务器:smb协议 (smb445)
(10)NFS服务器(nfs 2049)
(11)Squid服务器
(12)SSH服务器:OpenSSH (ssh 22 telnet23)
(13)Linux防火墙:iptables
(14)VPN服务:OpenVPN (ipsec 500, PPTP 1723, L2TP 1701)
(15)IDS:snort
(16)网络监控:Nagios
(17)网络监控策略:snmp服务 (snmp 161)
(18)SVN服务
(19)RTX

//安云网咨询系统

(20)kerberos
(21)SSL:OpenSSL
(22)PAM
(23)DHCP服务器
(24)数据备份
(25)远程桌面VNC (VNC 5900)
(26)NTP(network time protocol) 123
参考: //本文来自安云网

http://xmodulo.com/2013/04/how-to-scan-linux-for-vulnerabilities.html //ANYUN.ORG

//安云网咨询系统

顶一下
(0)
0%
踩一下
(0)
0%
------分隔线----------------------------
发表评论
请自觉遵守互联网相关的政策法规,严禁发布色情、暴力、反动的言论。
评价:
验证码: 点击我更换图片
相关内容
推荐内容