
How to use Lynis to scan Linux Security

2025-01-14 Update From: SLTechnology News&Howtos > Servers


Shulou(Shulou.com)06/01 Report--

This article shows how to install Lynis, run a security audit of a Linux system with it, and read the report it produces.

Have you ever wondered whether your Linux machine is secure? There are many Linux distributions, each with its own default settings, dozens of different software packages installed, and many services running in the background that we barely know about or pay attention to.

To determine its security posture (the overall security state of the software, network configuration, and services running on the machine), you can run a handful of commands to collect bits and pieces of relevant information, but the amount of data you then have to sift through is large.

It would be much better to run a single tool that generates a report on the security of the machine. Fortunately, such a tool exists: Lynis. It is a popular open source security auditing tool that helps harden Linux and Unix-based systems. As the project describes it:

"It runs on the system itself and allows for an in-depth security scan. The main goal is to test security defenses and provide tips to further harden the system. It will also scan general system information, vulnerable software packages, and possible configuration problems. Lynis is often used by system administrators and auditors to evaluate the security defenses of their systems."

Install Lynis

Lynis may already be in your distribution's package repository. If so, you can install it (as root) with:

dnf install lynis

or

apt install lynis

However, if the version in your repository is out of date, it is better to install from GitHub. I use Red Hat Enterprise Linux here, but Lynis runs on any Linux distribution. As with any new tool, try it on a virtual machine first. To install from GitHub:

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.8 (Maipo)
$ uname -r
3.10.0-1127.el7.x86_64
$ git clone https://github.com/CISOfy/lynis.git
Cloning into 'lynis'...
remote: Enumerating objects: 30, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (30/30), done.
remote: Total 12566 (delta 15), reused 8 (delta 0), pack-reused 12536
Receiving objects: 100% (12566/12566), 6.36 MiB | 911.00 KiB/s, done.
Resolving deltas: 100% (9264/9264), done.
$

Once you have cloned the repository, change into its directory and look at what it contains. The main tool is the file named lynis. It is a shell script, so you can open it and read what it does. In fact, Lynis is implemented almost entirely in shell script:

$ cd lynis/
$ ls
CHANGELOG.md        CONTRIBUTING.md  db           developer.prf  FAQ             include  LICENSE  lynis.8  README     SECURITY.md
CODE_OF_CONDUCT.md  CONTRIBUTORS.md  default.prf  extras         HAPPY_USERS.md  INSTALL  lynis    plugins  README.md
$ file lynis
lynis: POSIX shell script, ASCII text executable, with very long lines
$

Run Lynis

Start with the -h option to get a general overview:

./lynis -h

You will see a short information screen, followed by all the commands Lynis supports.

Next, try a few commands to get familiar with it. To see which version of Lynis you are using, run:

$ ./lynis show version
3.0.0
$

To see all the commands available in Lynis:

$ ./lynis show commands

Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only

$

Audit Linux system

To audit the security posture of your system, run the following command. Run it as root (or via sudo): without root privileges Lynis switches to a non-privileged scan mode and skips the checks that need to read root-only files, so the report will be incomplete.

$ ./lynis audit system

This command runs quickly and returns a detailed report. The output may look intimidating at first, but I'll walk through how to read it below. The output is also saved to a log file, so you can go back and check anything of interest later.

Lynis tells you where it saves its output:

  Files:
  - Test and debug information : /var/log/lynis.log
  - Report data                : /var/log/lynis-report.dat

The first is the human-readable log of every test; the second is a machine-readable key=value file that is the better choice for scripting. You can verify that both files were created:

$ ls -l /var/log/lynis.log
-rw-r-----. 1 root root 341489 Apr 30 05:52 /var/log/lynis.log
$ ls -l /var/log/lynis-report.dat
-rw-r-----. 1 root root 638 Apr 30 05:55 /var/log/lynis-report.dat
$
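The report data file is the one you would parse from a cron job or a CI step. The following shell script is an added example, not part of the article or of Lynis itself: it reads a lynis-report.dat, pulls out the hardening index, the warnings and the suggestion IDs, and fails when the index is below a threshold or any warning is present. The key=value layout, with KEY[]= for repeated keys and pipe-separated fields inside warning[] and suggestion[] values, is how Lynis writes the file. The sample report embedded in the script is constructed for this example (the suggestion IDs are the ones from the article's run; the warning line is made up to exercise the gate), and the threshold of 60 is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the article or the Lynis project): read the
# machine-readable report that "lynis audit system" writes to
# /var/log/lynis-report.dat the way a cron job or CI step would, and fail
# when the hardening index is below a threshold or any warning is present.
#
# Format assumptions: one key=value per line, "#" comments, multi-valued keys
# written as "key[]=", and warning[]/suggestion[] values as pipe-separated
# fields (test-id|text|details|solution). The sample below is constructed for
# this example; the warning line is not from the article's scan.

make_sample_report() {
  cat <<'EOF'
# Lynis Report (constructed sample)
lynis_version=3.0.0
os=Linux
hostname=example
hardening_index=64
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
EOF
}

# Single-valued key: report_value FILE KEY
report_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Multi-valued key (written as KEY[]=...): one entry per line
report_list() {
  sed -n "s/^$2\[\]=//p" "$1"
}

count_warnings() {
  report_list "$1" warning | awk 'END { print NR }'
}

# Just the test IDs (first pipe-separated field) of every suggestion
suggestion_ids() {
  report_list "$1" suggestion | cut -d '|' -f 1
}

# gate_report FILE MIN_INDEX: return 0 if the index is high enough and there
# are no warnings, otherwise print why and return 1 (usable as a CI/cron gate).
gate_report() {
  idx=$(report_value "$1" hardening_index)
  warns=$(count_warnings "$1")
  rc=0
  if [ "${idx:-0}" -lt "$2" ]; then
    echo "FAIL: hardening_index ${idx:-missing} is below $2"
    rc=1
  fi
  if [ "$warns" -gt 0 ]; then
    echo "FAIL: $warns warning(s) reported:"
    report_list "$1" warning | sed 's/^/  /'
    rc=1
  fi
  return $rc
}

# Stand-alone demo on the constructed sample (pass a real report path as $1,
# e.g. /var/log/lynis-report.dat, to run against a real scan instead).
if [ -n "${1:-}" ]; then
  report=$1
else
  report=$(mktemp)
  make_sample_report > "$report"
fi
echo "Lynis $(report_value "$report" lynis_version) on $(report_value "$report" hostname):"
echo "  hardening index : $(report_value "$report" hardening_index)"
echo "  suggestions     : $(suggestion_ids "$report" | tr '\n' ' ')"
gate_report "$report" 60 || echo "gate failed (expected for the sample: one warning is present)"
```

Run it as root against /var/log/lynis-report.dat after an audit; a non-zero exit from gate_report is what a cron job or pipeline step would act on. Suggestions are deliberately not counted as failures, since the report above already shows 47 of them on a stock system; warnings and the index are the signals worth gating on.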

Exploration report

Lynis produces a fairly comprehensive report, so I'll walk through the important parts. During initialization, the first thing Lynis does is identify the operating system running on the machine. It then checks which system tools and plugins are available:

[+] Initializing program
------------------------------------
  - Detecting OS... [ DONE ]
  - Checking profiles... [ DONE ]

  ---------------------------------------------------
  Program version:           3.0.0
  Operating system:          Linux
  Operating system name:     Red Hat Enterprise Linux Server 7.8 (Maipo)
  Operating system version:  7.8
  Kernel version:            3.10.0
  Hardware platform:         x86_64
  Hostname:                  example
  ---------------------------------------------------

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
 Note: plugins have more extensive tests and may take several minutes to complete
  - Plugin: pam
    [..]
  - Plugin: systemd
    [.]

After that, the report is divided into sections, each beginning with a [+] marker. The sections are listed below; there are a lot of areas to audit, and Lynis covers them in a single run:

[+] Boot and services
[+] Kernel
[+] Memory and Processes
[+] Users, Groups and Authentication
[+] Shells
[+] File systems
[+] Storage
[+] NFS
[+] Ports and packages
[+] Networking
[+] Printers and Spools
[+] Software: e-mail and messaging
[+] Software: firewalls
[+] Software: webserver
[+] SSH Support
[+] SNMP Support
[+] Databases
[+] LDAP Services
[+] PHP
[+] Squid Support
[+] Logging and files
[+] Insecure services
[+] Banners and identification
[+] Scheduled tasks
[+] Accounting
[+] Time and Synchronization
[+] Cryptography
[+] Virtualization
[+] Containers
[+] Security frameworks
[+] Software: file integrity
[+] Software: System tooling
[+] Software: Malware
[+] File Permissions
[+] Home directories
[+] Kernel Hardening
[+] Hardening
[+] Custom tests

Lynis colour-codes the report to make it easier to read:

Green: everything is fine.

Yellow: skipped, not found, or there may be a suggestion.

Red: you should take a closer look at this.

In my case, most of the red marks are in the "Kernel Hardening" section. The kernel exposes a number of tunables (sysctl keys) that control its behaviour, and several of them have direct security implications. Distributions may leave these at permissive defaults for a variety of reasons, so check each item and decide whether its value should change for your environment. Lynis compares the running value of each key with the value expected by its scan profile and flags any mismatch as DIFFERENT. Not every DIFFERENT is wrong for every host: for example, kernel.yama.ptrace_scope=1 stops debuggers attaching to processes they did not start, and a router or container host may legitimately need forwarding and redirects enabled.

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - fs.protected_hardlinks (exp: 1) [OK]
    - fs.protected_symlinks (exp: 1) [OK]
    - fs.suid_dumpable (exp: 0) [OK]
    - kernel.core_uses_pid (exp: 1) [OK]
    - kernel.ctrl-alt-del (exp: 0) [OK]
    - kernel.dmesg_restrict (exp: 1) [DIFFERENT]
    - kernel.kptr_restrict (exp: 2) [DIFFERENT]
    - kernel.randomize_va_space (exp: 2) [OK]
    - kernel.sysrq (exp: 0) [DIFFERENT]
    - kernel.yama.ptrace_scope (exp: 1 2 3) [DIFFERENT]
    - net.ipv4.conf.all.accept_redirects (exp: 0) [DIFFERENT]
    - net.ipv4.conf.all.accept_source_route (exp: 0) [OK]
    - net.ipv4.conf.all.bootp_relay (exp: 0) [OK]
    - net.ipv4.conf.all.forwarding (exp: 0) [OK]
    - net.ipv4.conf.all.log_martians (exp: 1) [DIFFERENT]
    - net.ipv4.conf.all.mc_forwarding (exp: 0) [OK]
    - net.ipv4.conf.all.proxy_arp (exp: 0) [OK]
    - net.ipv4.conf.all.rp_filter (exp: 1) [OK]
    - net.ipv4.conf.all.send_redirects (exp: 0) [DIFFERENT]
    - net.ipv4.conf.default.accept_redirects (exp: 0) [DIFFERENT]
    - net.ipv4.conf.default.accept_source_route (exp: 0) [OK]
    - net.ipv4.conf.default.log_martians (exp: 1) [DIFFERENT]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [OK]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [OK]
    - net.ipv4.tcp_syncookies (exp: 1) [OK]
    - net.ipv4.tcp_timestamps (exp: 0 1) [OK]
    - net.ipv6.conf.all.accept_redirects (exp: 0) [DIFFERENT]
    - net.ipv6.conf.all.accept_source_route (exp: 0) [OK]
    - net.ipv6.conf.default.accept_redirects (exp: 0) [DIFFERENT]
    - net.ipv6.conf.default.accept_source_route (exp: 0) [OK]
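To see what that comparison actually does, here is an added example in shell (not code from the article or from Lynis) that performs the same check over a constructed snapshot of sysctl values and then generates a sysctl.d fragment for the keys that come back DIFFERENT. The profile syntax used here ("key=value value", any listed value accepted, matching the "exp: 1 2 3" notation in the report) is a simplification for the example and not the syntax of the Lynis profile file. The snapshot values are made up to reproduce some of the DIFFERENT results above, and net.ipv4.conf.all.send_redirects is left out of the snapshot on purpose to show how a key that cannot be read is handled.

```shell
#!/bin/sh
# Added example (not from the article or the Lynis project): re-create the
# "Comparing sysctl key pairs with scan profile" check over a constructed
# snapshot of kernel values, then emit a sysctl.d fragment for every key that
# came back DIFFERENT. Profile format assumed here: "key=v1 v2 ...", where any
# of the space-separated values is acceptable (the report's "exp: 1 2 3").
# This is a simplified format, not the syntax of Lynis's own default.prf.

# Expected values, copied from the (exp: ...) column of the article's report.
PROFILE="kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.sysrq=0
kernel.yama.ptrace_scope=1 2 3
kernel.randomize_va_space=2
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=0 1"

# Constructed snapshot standing in for "sysctl -n KEY" on a live host; the
# values are chosen to reproduce several DIFFERENT results from the article's
# RHEL 7 run. send_redirects is deliberately absent to show the missing-key case.
SNAPSHOT="kernel.dmesg_restrict=0
kernel.kptr_restrict=1
kernel.sysrq=16
kernel.yama.ptrace_scope=0
kernel.randomize_va_space=2
net.ipv4.conf.all.accept_redirects=1
net.ipv4.conf.all.log_martians=0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1"

# current_value KEY: look the key up in the snapshot (replace the body with
# `sysctl -n "$1" 2>/dev/null` to check the running kernel instead).
current_value() {
  printf '%s\n' "$SNAPSHOT" | sed -n "s/^$1=//p"
}

# One tab-separated line per profile entry: key, expected, current, OK|DIFFERENT.
# A key with no readable value is reported as "missing" and counts as DIFFERENT.
compare_sysctl() {
  printf '%s\n' "$PROFILE" | while IFS='=' read -r key expected; do
    cur=$(current_value "$key")
    status=DIFFERENT
    for want in $expected; do
      if [ "$cur" = "$want" ]; then status=OK; fi
    done
    printf '%s\t%s\t%s\t%s\n' "$key" "$expected" "${cur:-missing}" "$status"
  done
}

count_different() {
  compare_sysctl | awk -F '\t' '$4 == "DIFFERENT" { n++ } END { print n + 0 }'
}

# Remediation: a sysctl.d fragment setting each DIFFERENT key to the first
# acceptable value. Review it before applying: kernel.yama.ptrace_scope=1
# stops debuggers attaching to unrelated processes, and on a router or
# container host the forwarding/redirect keys may need to stay as they are.
remediation() {
  compare_sysctl | awk -F '\t' '$4 == "DIFFERENT" { split($2, alt, " "); print $1 " = " alt[1] }'
}

# Stand-alone demo
echo "[+] Kernel Hardening (constructed snapshot)"
compare_sysctl | awk -F '\t' '{ printf "  - %s (exp: %s) is %s [%s]\n", $1, $2, $3, $4 }'
echo
echo "# Proposed /etc/sysctl.d/90-hardening.conf (apply with: sysctl --system)"
remediation
```

Write the generated fragment to a file under /etc/sysctl.d/ and load it with sysctl --system; rerun lynis audit system afterwards and the corrected keys should flip from DIFFERENT to OK. Keep the remediation file in configuration management rather than editing /etc/sysctl.conf by hand, so the next image rebuild does not silently regress.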

Take SSH as an example, since it is a key area for security. Nothing is red here, but Lynis offers plenty of suggestions for hardening the SSH service in my environment:

[+] SSH Support
------------------------------------
  - Checking running SSH daemon [FOUND]
    - Searching SSH configuration [FOUND]
    - OpenSSH option: AllowTcpForwarding [SUGGESTION]
    - OpenSSH option: ClientAliveCountMax [SUGGESTION]
    - OpenSSH option: ClientAliveInterval [OK]
    - OpenSSH option: Compression [SUGGESTION]
    - OpenSSH option: FingerprintHash [OK]
    - OpenSSH option: GatewayPorts [OK]
    - OpenSSH option: IgnoreRhosts [OK]
    - OpenSSH option: LoginGraceTime [OK]
    - OpenSSH option: LogLevel [SUGGESTION]
    - OpenSSH option: MaxAuthTries [SUGGESTION]
    - OpenSSH option: MaxSessions [SUGGESTION]
    - OpenSSH option: PermitRootLogin [SUGGESTION]
    - OpenSSH option: PermitUserEnvironment [OK]
    - OpenSSH option: PermitTunnel [OK]
    - OpenSSH option: Port [SUGGESTION]
    - OpenSSH option: PrintLastLog [OK]
    - OpenSSH option: StrictModes [OK]
    - OpenSSH option: TCPKeepAlive [SUGGESTION]
    - OpenSSH option: UseDNS [SUGGESTION]
    - OpenSSH option: X11Forwarding [SUGGESTION]
    - OpenSSH option: AllowAgentForwarding [SUGGESTION]
    - OpenSSH option: UsePrivilegeSeparation [OK]
    - OpenSSH option: AllowUsers [NOT FOUND]
    - OpenSSH option: AllowGroups [NOT FOUND]

There are no virtual machines or containers running on my system, so these two sections are empty:

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

Lynis checks the permissions of files and directories that matter from a security perspective:

[+] File Permissions
------------------------------------
  - Starting file permissions check
    File: /boot/grub2/grub.cfg [SUGGESTION]
    File: /etc/cron.deny [OK]
    File: /etc/crontab [SUGGESTION]
    File: /etc/group [OK]
    File: /etc/group- [OK]
    File: /etc/hosts.allow [OK]
    File: /etc/hosts.deny [OK]
    File: /etc/issue [OK]
    File: /etc/issue.net [OK]
    File: /etc/motd [OK]
    File: /etc/passwd [OK]
    File: /etc/passwd- [OK]
    File: /etc/ssh/sshd_config [OK]
    Directory: /root/.ssh [SUGGESTION]
    Directory: /etc/cron.d [SUGGESTION]
    Directory: /etc/cron.daily [SUGGESTION]
    Directory: /etc/cron.hourly [SUGGESTION]
    Directory: /etc/cron.weekly [SUGGESTION]
    Directory: /etc/cron.monthly [SUGGESTION]

At the bottom of the report, Lynis makes recommendations based on its findings. Each suggestion is followed by a test ID in square brackets (note it down; you'll need it in the next section) and a link to the matching page in the Lynis controls documentation:

Suggestions (47):
----------------------------
  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
      https://cisofy.com/lynis/controls/KRNL-5820/

  * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]
      https://cisofy.com/lynis/controls/AUTH-9229/

Lynis can show more information about each suggestion: use the show details command together with the test ID:

./lynis show details TEST-ID

This prints the log lines recorded for that test. For example, here are the details of SSH-7408, which checks the options in the sshd configuration (the /tmp/lynis.* path in the log is a temporary copy of the configuration that Lynis creates for the test):

$ ./lynis show details SSH-7408
2020-04-30 05:52:23 Performing test ID SSH-7408 (Check SSH specific defined options)
2020-04-30 05:52:23 Test: Checking specific defined options in /tmp/lynis.k8JwazmKc6
2020-04-30 05:52:23 Result: added additional options for OpenSSH < 7.5
2020-04-30 05:52:23 Test: Checking AllowTcpForwarding in /tmp/lynis.k8JwazmKc6
2020-04-30 05:52:23 Result: Option AllowTcpForwarding found
2020-04-30 05:52:23 Result: Option AllowTcpForwarding value is YES
2020-04-30 05:52:23 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed
2020-04-30 05:52:23 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]

The details field tells you exactly what to change. In this case AllowTcpForwarding yes lets any authenticated user tunnel arbitrary TCP connections through the host; unless you rely on that, set AllowTcpForwarding no in /etc/ssh/sshd_config, reload sshd, and rerun the audit to confirm the finding is gone.

Try it

If you want to know more about the security of your Linux machine, give Lynis a try. And if you want to understand how Lynis works, read its shell scripts to see how it collects this information.


© 2024 shulou.com SLNews company. All rights reserved.
