Shulou(Shulou.com)06/02 Report--

This article is about how to use lynis to scan for linux vulnerabilities. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

Preface

Lynis is a host-based, open source security audit software running on the Unix/Linux platform. Lynis is a security check tool for Unix/Linux that can detect potential security threats. This tool covers suspicious file monitoring, vulnerabilities, malicious program scanning, configuration errors, etc. Let's take a look at the content related to linux vulnerability scanning using lynis.

Install lynis

It can be installed directly through pacman on archlinux.

Sudo pacman-S lynis-- noconfirmresolving dependencies...looking for conflicting packages... Packages (1) lynis-2.6.4-1 Total Installed Size: 1.35 MiBNet Upgrade Size: 0.00 MiB:: Proceed with installation? [YBO] (0 amp 1) checking keys in keyring [- -] 0% (1) checking keys in keyring [# #] 100% (0 Accord 1) checking package integrity [-] 0% (1) / 1) checking package integrity [# #] 100% (0) loading package files [-] 0% (1) loading package files [#] 100% (0) checking for file conflicts [ --] 0% (1 amp 1) checking for file conflicts [# #] 100% (0 pm 1) checking available disk space [- -] 0% (1 amp 1) checking available disk space [# #] 100% Reloading system manager configuration...: Processing package changes... (1Accord 1) reinstalling lynis [-] 0% (1Accord 1) reinstalling lynis [# #] 100% reinstalling lynis: Running post-transaction hooks... (1Accord 2) Reloading system manager configuration... (2Accord 2) Arming ConditionNeedsUpdate...

Host scanning using lynis

First let's run lynis without any parameters, which will list the parameters supported by lynis

[lujun9972@T520 linux and its buddies] $lynis [Lynis 2.6.4] # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under the terms of the GNU General Public License. See the LICENSE file for details about using this software. 2007-2018, CISOfy-https://cisofy.com/lynis/ Enterprise support available (compliance, plugins Interface and tools) # [+] Initializing program-- -Usage: lynis command [options] Command: audit audit system: Perform local security scan audit system remote: Remote security scan audit dockerfile: Analyze Dockerfile show show: Show all commands show version: Show Lynis version show help: Show help update update info: Show update details Options:-- no-log: Don't create a log file-- pentest: Non-privileged scan (useful for pentest)-- profile: Scan The system with the given profile file-- quick (- Q): Quick mode Don't wait for user input Layout options-no-colors: Don't use colors in output-quiet (- Q): No output-- reverse-colors: Optimize color display for light backgrounds Misc options-- debug: Debug logging to screen-- view-manpage (--man): View manpage-- verbose: Show more details on screen-- version (- V): Display version number and quit Enterprise options-- plugindir: Define path of Available plugins-upload: Upload data to central node More options available. Run'/ usr/bin/lynis show options', or use the man page. No command provided. Exiting..

As you can see from the above, it is easy to scan the host with lynis, just take the parameter audit system. In the process of audit, Lynis will conduct a variety of similar tests, in the audit process, a variety of test results, debugging information, and recommendations for system reinforcement will be written to stdin. We can execute the following command to skip the inspection process and directly intercept the final scan recommendation.

Sudo lynis audit system | sed '1gamma ResultsCompact d'

Lynis divides the scanned content into several categories, which can be obtained through the show groups parameter.

Lynis show groups

Accounting

Authentication

Banners

Boot_services

Containers

Crypto

Databases

Dns

File_integrity

File_permissions

Filesystems

Firewalls

Hardening

Homedirs

Insecure_services

Kernel

Kernel_hardening

Ldap

Logging

Mac_frameworks

Mail_messaging

Malware

Memory_processes

Nameservices

Networking

Php

Ports_packages

Printers_spools

Scheduling

Shells

Snmp

Squid

Ssh

Storage

Storage_nfs

System_integrity

Time

Tooling

Usb

Virtualization

Webservers

If you point to scanning for certain types of content, you can specify it with the-tests-from-group parameter.

For example, if I only want to scan the contents of shells and networking, I can execute

Sudo lynis-- tests-from-group "shells networking"-- no-colors [Lynis 2.6.4] # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under the terms of the GNU General Public License. See the LICENSE file for details about using this software. 2007-2018, CISOfy-https://cisofy.com/lynis/ Enterprise support available (compliance, plugins Interface and tools) # [+] Initializing program-- -[2C-Detecting OS... [41C [DONE] [2C-Checking profiles... [37C [DONE] [2C-Detecting language and localization [22C [zh] [4CNotice: no language file found for 'zh' (tried: / usr/share/lynis/db/languages/zh)] [0C-Program version: 2.6C .4 Operating system: Linux Operating system name: Arch Linux Operating system version: Rolling release Kernel version: 4.16.13 Hardware platform: x86: 64 Hostname: T520-Profiles: / etc/lynis/default.prf Log file: / var/log/lynis.log Report File: / var/log/lynis-report.dat Report version: 1.0Plugin directory: / usr/share/lynis/plugins-Auditor: [Not Specified] Language: zh Test category: all Test group: shells networking- -[2C-Program update status...] [32C [NO UPDATE] [+] System Tools-- [2C-Scanning available tools... [30C [2C-Checking system binaries... [30C [+] Plugins (phase 1)-- [0CNote: plugins have more] Extensive tests and may take several minutes to complete [0C [0C [2C-Plugins enabled [42C [NONE] [+] Shells-- [2C-Checking shells from / etc/ shells [25C [4CResult: found 5 shells (valid shells: 5). [16C [4C-Session timeout settings/tools [25C [NONE]] [2C-Checking default umask values [28C [4C-Checking default] Umask in / etc/bash.bashrc [13C [NONE] [4C-Checking default umask in / etc/profile [17C [WEAK] [+] Networking-- [2C-Checking IPv6 configuration [30C [ENABLED] [6CConfiguration method [35C [AUTO] [6CIPv6 only [46C [NO]] [2C-Checking configured nameservers [26C [4C-Testing nameserver: 202.96.134] .33 [30C [SKIPPED] [6CNameserver: 202.96.128.86 [SKIPPED] [4C-Minimal of 2 responsive nameservers [20C [SKIPPED] [2C-Getting listening ports (TCP/UDP) [24C [DONE] [6C * Found 11 ports [39C [2C-Checking status DHCP client [30C [RUNNING] [2C-Checking for ARP monitoring software [21C [NOT FOUND] [+] Custom Tests-- -[2C-Running custom tests... [33C [NONE] [+] Plugins (phase 2)-- = =-[Lynis 2.6.4 Results]-Great, no warnings Suggestions (1):-- * Consider running ARP monitoring software (arpwatch) Arpon) [NETW-3032] https://cisofy.com/controls/NETW-3032/ Follow-up:-Show details of a test (lynis show details TEST-ID)-Check the logfile for all details (less / var/log/lynis.log)-Read security controls texts (https://cisofy.com)-Use-upload to upload data to central system (Lynis) Enterprise users) = Lynis security scan details: Hardening index: 33 [#] Tests performed: 13 Plugins enabled: 0 Components:-Firewall [X]-Malware scanner [X] Lynis Modules:-Compliance Status [?]-Security Audit [V]-Vulnerability Scan [V] Files:-Test and debug information: / var/log/lynis.log-Report data: / var/log/lynis-report.dat = Lynis 2.6.4 Auditing System hardening, and compliance for UNIX-based systems (Linux, macOS, BSD, and others) 2007-2018, CISOfy-https://cisofy.com/lynis/ Enterprise support available (compliance, plugins, interface and tools) = = [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see / etc/lynis/default.prf for all settings)

View detailed description

When viewing the audit results, you can use the show details parameter to get a detailed description of a warning / recommendation. The corresponding command form is:

Lynis show details ${test_id}

For example, there is a suggestion in the picture above.

* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]

We can run the command:

Sudo lynis show details NETW-30322018-06-08 18:18:01 Performing test ID NETW-3032 (Checking for ARP monitoring software) 2018-06-08 18:18:01 IsRunning: process' arpwatch' not found2018-06-08 18:18:01 IsRunning: process' arpon' not found2018-06-08 18:18:01 Suggestion: Consider running ARP monitoring software (arpwatch Arpon) [test:NETW-3032] [details:-] [solution:-] 2018-06-08 18:18:01 Checking permissions of / usr/share/lynis/include/tests_printers_spools2018-06-08 18:18:01 File permissions are OK2018-06-08 18:18:01 = -=

View log files

Lynis records the details in / var/log/lynis.log after the audit is completed.

Sudo tail / var/log/lynis.log2018-06-08 17:59:46 = 2018-06-08 17:59:46 Lynis 2.6.42018-06-08 17:59:46 2007-2018, CISOfy-https://cisofy.com/lynis/2018-06-08 17:59:46 Enterprise support available (compliance, plugins Interface and tools) 2018-06-08 17:59:46 Program ended successfully2018-06-08 17:59:46 = 2018-06-08 17:59:46 PID file removed (/ var/run/lynis.pid) 2018-06-08 17:59:46 Temporary files: / tmp/lynis.sGxCR0hSPz2018-06-08 17:59:46 Action: removing temporary file / tmp/lynis.sGxCR0hSPz2018-06-08 17:59:46 Lynis ended successfully.

At the same time, the report data is saved to / var/log/lynis-report.dat.

Sudo tail / var/log/lynis-report.dat

It is also important to note that each audit will overwrite the original log file.

Check for updates

The audit software needs to be updated at any time to get the latest recommendations and information, and we can use the update info parameter to check for updates:

Lynis update info-- no-colors== [1trans37mLynis [0m = = Version: 2.6.4 Status: [1trans32mUpripto Update location date [0m Release date: 2018-05-02 Update location: https://cisofy.com/lynis/ 2007-2018, CISOfy-https://cisofy.com/lynis/

Customize lynis security audit policy

The configuration information for lynis is saved in the / etc/lynis directory in the .prf file format. Where the default lynis comes with a default configuration file called default.prf.

However, we do not need to modify the default configuration file directly, we just need to add a new custom.prf file to add custom information.

There are corresponding comments on the meaning of each configuration item in the configuration file in default.prf, so I won't go into detail here.

For more information about lynis, you can visit its website.

Thank you for reading! This is the end of the article on "how to scan linux vulnerabilities with lynis". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.