Shulou(Shulou.com)06/01 Report--

This article introduces you how to use Lynis to scan Linux security, the content is very detailed, interested friends can refer to, hope to be helpful to you.

Lynis is a very popular open source security audit tool that strengthens Linux and unix-based systems and automatically generates a report on machine security.

Install Lynis

You may have Lynis in your Linux software repository. If so, you can install it in the following ways:

Dnf install lynis

Or

Apt install lynis

However, if the version in your repository is not up to date, you'd better install it from GitHub. I use the Red Hat Linux system, but you can run it on any Linux distribution. Like all tools, it makes sense to try it on a virtual machine first. To install it from GitHub:

$cat / etc/redhat-release

Red Hat Enterprise Linux Server release 7.8 (Maipo)

$

$uname-r

3.10.0-1127.el7.x86_64

$

$git clone https://github.com/CISOfy/lynis.git

Cloning into 'lynis'...

Remote: Enumerating objects: 30, done.

Remote: Counting objects: 100% (30 amp 30), done.

Remote: Compressing objects: 100% (30 amp 30), done.

Remote: Total 12566 (delta 15), reused 8 (delta 0), pack-reused 12536

Receiving objects: 100% (12566 MiB), 6.36 MiB | 911.00 KiB/s, done.

Resolving deltas: 100% (9264 Compact 9264), done.

$

Once you have cloned the version library, go to the directory and see what is available. The main tool is in a file called lynis. It's actually a shell script, so you can open it and see what it's doing. In fact, Lynis is mainly implemented in shell scripts:

$cd lynis/

$ls

CHANGELOG.md CONTRIBUTING.md db developer.prf FAQ include LICENSE lynis.8 README SECURITY.md

CODE_OF_CONDUCT.md CONTRIBUTORS.md default.prf extras HAPPY_USERS.md INSTALL lynis plugins README.md

$

$file lynis

Lynis: POSIX shell script, ASCII text executable, with very long lines

$

Run Lynis

Check the help section by giving Lynis a-h option to get a general idea:

. / lynis-h

You will see a short information screen, followed by all the subcommands supported by Lynis.

Next, try some test commands to get familiar with it. To see the version of Lynis you are using, run:

$. / lynis show version

3.0.0

$

To view all the commands available in Lynis:

$. / lynis show commands

Commands:

Lynis audit

Lynis configure

Lynis generate

Lynis show

Lynis update

Lynis upload-only

$

Audit Linux system

To audit the security posture of your system, run the following command:

$. / lynis audit system

This command runs quickly and returns a detailed report, and the output may look scary at first, but I'll guide you to read it below. The output of this command is also saved to a log file, so you can go back and check anything you might be interested in at any time.

Lynis saves the log here:

Files:

-Test and debug information: / var/log/lynis.log

-Report data: / var/log/lynis-report.dat

You can verify that the log file has been created. It does create:

$ls-l / var/log/lynis.log

-rw-r-. 1 root root 341489 Apr 30 05:52 / var/log/lynis.log

$

$ls-l / var/log/lynis-report.dat

-rw-r-. 1 root root 638 Apr 30 05:55 / var/log/lynis-report.dat

$

Exploration report

Lynis provides a fairly comprehensive report, so I'll introduce some important parts. As part of the initialization, the first thing Lynis does is to find out the complete information about the operating system running on the machine. Then check to see if any system tools and plug-ins are installed:

[+] Initializing program

-

-Detecting OS... [DONE]

-Checking profiles... [DONE]

Program version: 3.0.0

Operating system: Linux

Operating system name: Red Hat Enterprise Linux Server 7.8 (Maipo)

Operating system version: 7.8

Kernel version: 3.10.0

Hardware platform: x86_64

Hostname: example

>

[+] System Tools

-

-Scanning available tools...

-Checking system binaries...

[+] Plugins (phase 1)

-

Note: plugins have more extensive tests and may take several minutes to complete

-Plugin: pam

[..]

-Plugin: systemd

[.]

Next, the report is divided into different sections, each beginning with the [+] symbol. You can see some of the chapters below. Wow, there are so many places to review, Lynis is the most appropriate tool! )

[+] Boot and services

[+] Kernel

[+] Memory and Processes

Users, Groups and Authentication

[+] Shells

[+] File systems

[+] USB Devices

[+] Storage

[+] NFS

[+] Name services

[+] Ports and packages

[+] Networking

[+] Printers and Spools

[+] Software: e-mail and messaging

[+] Software: firewalls

[+] Software: webserver

[+] SSH Support

[+] SNMP Support

[+] Databases

[+] LDAP Services

[+] PHP

[+] Squid Support

[+] Logging and files

[+] Insecure services

[+] Banners and identification

[+] Scheduled tasks

[+] Accounting

[+] Time and Synchronization

[+] Cryptography

[+] Virtualization

[+] Containers

[+] Security frameworks

[+] Software: file integrity

[+] Software: System tooling

[+] Software: Malware

[+] File Permissions

[+] Home directories

[+] Kernel Hardening

[+] Hardening

[+] Custom tests

Lynis uses color coding to make the report easier to read.

Green. Everything's fine.

Yellow. Skip, not found, there may be a suggestion

Red. You may need to take a closer look at this

In my case, most of the red marks are found in the "Kernel Hardening" section. The kernel has a variety of adjustable settings that define the kernel's functions, some of which may have their own security scenarios. Distributions may not set these by default for a variety of reasons, but you should check each item to see if you need to change its value according to your security situation:

[+] Kernel Hardening

-

-Comparing sysctl key pairs with scan profile

-fs.protected_hardlinks (exp: 1) [OK]

-fs.protected_symlinks (exp: 1) [OK]

-fs.suid_dumpable (exp: 0) [OK]

-kernel.core_uses_pid (exp: 1) [OK]

-kernel.ctrl-alt-del (exp: 0) [OK]

-kernel.dmesg_restrict (exp: 1) [DIFFERENT]

-kernel.kptr_restrict (exp: 2) [DIFFERENT]

-kernel.randomize_va_space (exp: 2) [OK]

-kernel.sysrq (exp: 0) [DIFFERENT]

-kernel.yama.ptrace_scope (exp: 1 2 3) [DIFFERENT]

-net.ipv4.conf.all.accept_redirects (exp: 0) [DIFFERENT]

-net.ipv4.conf.all.accept_source_route (exp: 0) [OK]

-net.ipv4.conf.all.bootp_relay (exp: 0) [OK]

-net.ipv4.conf.all.forwarding (exp: 0) [OK]

-net.ipv4.conf.all.log_martians (exp: 1) [DIFFERENT]

-net.ipv4.conf.all.mc_forwarding (exp: 0) [OK]

-net.ipv4.conf.all.proxy_arp (exp: 0) [OK]

-net.ipv4.conf.all.rp_filter (exp: 1) [OK]

-net.ipv4.conf.all.send_redirects (exp: 0) [DIFFERENT]

-net.ipv4.conf.default.accept_redirects (exp: 0) [DIFFERENT]

-net.ipv4.conf.default.accept_source_route (exp: 0) [OK]

-net.ipv4.conf.default.log_martians (exp: 1) [DIFFERENT]

-net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [OK]

-net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [OK]

-net.ipv4.tcp_syncookies (exp: 1) [OK]

-net.ipv4.tcp_timestamps (exp: 0 1) [OK]

-net.ipv6.conf.all.accept_redirects (exp: 0) [DIFFERENT]

-net.ipv6.conf.all.accept_source_route (exp: 0) [OK]

-net.ipv6.conf.default.accept_redirects (exp: 0) [DIFFERENT]

-net.ipv6.conf.default.accept_source_route (exp: 0) [OK]

Take a look at the example of SSH, because it is a key area that requires security. There's nothing red here, but Lynis gives a lot of advice on how to enhance SSH services for my environment:

[+] SSH Support

-

-Checking running SSH daemon [FOUND]

-Searching SSH configuration [FOUND]

-OpenSSH option: AllowTcpForwarding [SUGGESTION]

-OpenSSH option: ClientAliveCountMax [SUGGESTION]

-OpenSSH option: ClientAliveInterval [OK]

-OpenSSH option: Compression [SUGGESTION]

-OpenSSH option: FingerprintHash [OK]

-OpenSSH option: GatewayPorts [OK]

-OpenSSH option: IgnoreRhosts [OK]

-OpenSSH option: LoginGraceTime [OK]

-OpenSSH option: LogLevel [SUGGESTION]

-OpenSSH option: MaxAuthTries [SUGGESTION]

-OpenSSH option: MaxSessions [SUGGESTION]

-OpenSSH option: PermitRootLogin [SUGGESTION]

-OpenSSH option: PermitUserEnvironment [OK]

-OpenSSH option: PermitTunnel [OK]

-OpenSSH option: Port [SUGGESTION]

-OpenSSH option: PrintLastLog [OK]

-OpenSSH option: StrictModes [OK]

-OpenSSH option: TCPKeepAlive [SUGGESTION]

-OpenSSH option: UseDNS [SUGGESTION]

-OpenSSH option: X11Forwarding [SUGGESTION]

-OpenSSH option: AllowAgentForwarding [SUGGESTION]

-OpenSSH option: UsePrivilegeSeparation [OK]

-OpenSSH option: AllowUsers [NOT FOUND]

-OpenSSH option: AllowGroups [NOT FOUND]

There are no virtual machines or containers running on my system, so the results shown are empty:

[+] Virtualization

-

[+] Containers

-

Lynis checks the file permissions of some files that are important from a security perspective:

[+] File Permissions

-

-Starting file permissions check

File: / boot/grub2/grub.cfg [SUGGESTION]

File: / etc/cron.deny [OK]

File: / etc/crontab [SUGGESTION]

File: / etc/group [OK]

File: / etc/group- [OK]

File: / etc/hosts.allow [OK]

File: / etc/hosts.deny [OK]

File: / etc/issue [OK]

File: / etc/issue.net [OK]

File: / etc/motd [OK]

File: / etc/passwd [OK]

File: / etc/passwd- [OK]

File: / etc/ssh/sshd_config [OK]

Directory: / root/.ssh [SUGGESTION]

Directory: / etc/cron.d [SUGGESTION]

Directory: / etc/cron.daily [SUGGESTION]

Directory: / etc/cron.hourly [SUGGESTION]

Directory: / etc/cron.weekly [SUGGESTION]

Directory: / etc/cron.monthly [SUGGESTION]

At the bottom of the report, Lynis made recommendations based on the report's findings. Each suggestion is followed by a "TEST-ID" (save it for the convenience of the next section).

Suggestions (47):

-

* If not required, consider explicit disabling of core dump in / etc/security/limits.conf file [KRNL-5820]

Https://cisofy.com/lynis/controls/KRNL-5820/

* Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]

Https://cisofy.com/lynis/controls/AUTH-9229/

Lynis provides an option to find more information about each suggestion, which you can access using the show details command and the TEST-ID number:

. / lynis show details TEST-ID

This displays additional information about the test. For example, I checked the details of SSH-7408:

$. / lynis show details SSH-7408

2020-04-30 05:52:23 Performing test ID SSH-7408 (Check SSH specific defined options)

2020-04-30 05:52:23 Test: Checking specific defined options in / tmp/lynis.k8JwazmKc6

2020-04-30 05:52:23 Result: added additional options for OpenSSH & lt; 7.5

2020-04-30 05:52:23 Test: Checking AllowTcpForwarding in / tmp/lynis.k8JwazmKc6

2020-04-30 05:52:23 Result: Option AllowTcpForwarding found

2020-04-30 05:52:23 Result: Option AllowTcpForwarding value is YES

2020-04-30 05:52:23 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed

2020-04-30 05:52:23 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]

What is Linux system Linux is a free-to-use and free-spread UNIX-like operating system, is a POSIX-based multi-user, multi-task, multi-threaded and multi-CPU operating system, using Linux can run major Unix tools, applications and network protocols.

On how to use Lynis to scan Linux security to share here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.