Security: Lynis
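Have you ever thought about how secure your Linux machine really is? There are many Linux distributions, each with its own default settings, on which you run dozens of software packages with different version numbers, plus many services running in the background that we hardly know or care about.
It would be much better if you could just run one tool that generates a report on the machine's security posture. Fortunately, there is one: Lynis. It is a very popular open source security auditing tool that helps harden Linux- and Unix-based systems. According to the project:
"It performs an in-depth security scan and runs on the system itself. The primary goal is to test security defenses and provide tips for further system hardening. It will also scan for general system information, vulnerable software packages, and possible configuration issues. System administrators and auditors commonly use Lynis to assess the security defenses of their systems."
Lynis may be available in your Linux distribution's software repository. If so, you can install it with: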
dnf install lynis
or
apt install lynis
However, if the version in the repository is not the latest, it is better to install from GitHub. (I am using a Red Hat Linux system, but you can run it on any Linux distribution.) As with any tool, it makes sense to try it on a virtual machine first. To install from GitHub:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.8 (Maipo)
$
$ uname -r
3.10.0-1127.el7.x86_64
$
$ git clone https://github.com/CISOfy/lynis.git
Cloning into 'lynis'...
remote: Enumerating objects: 30, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (30/30), done.
remote: Total 12566 (delta 15), reused 8 (delta 0), pack-reused 12536
Receiving objects: 100% (12566/12566), 6.36 MiB | 911.00 KiB/s, done.
Resolving deltas: 100% (9264/9264), done.
$
After cloning the repository, change into it and look at what is available. The main tool is in a file named lynis. It is actually a shell script, so you can open it and read what it does. In fact, Lynis is implemented mostly in shell scripts:
$ cd lynis/
$ ls
CHANGELOG.md CONTRIBUTING.md db developer.prf FAQ include LICENSE lynis.8 README SECURITY.md
CODE_OF_CONDUCT.md CONTRIBUTORS.md default.prf extras HAPPY_USERS.md INSTALL lynis plugins README.md
$
$ file lynis
lynis: POSIX shell script, ASCII text executable, with very long lines
$
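Take Lynis for a spin by giving it the -h option to see the Help section:
$ ./lynis -h
You will see a short information screen followed by all the commands that Lynis supports.
Next, try a few test commands to get comfortable with the tool. To see which version of Lynis you are working with, run:
$ ./lynis show version
3.0.0
$
To see all the commands available in Lynis:
$ ./lynis show commands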
Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only
$
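To audit the security posture of your system, run the following command:
$ ./lynis audit system
This runs quickly and returns a detailed report. The output may look daunting at first, but I will walk through it below. The command's output is also saved to a log file, so you can always go back later and check anything that might be of interest.
Lynis saves its logs here: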
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
You can verify that the log files were created, and indeed they were:
$ ls -l /var/log/lynis.log
-rw-r-----. 1 root root 341489 Apr 30 05:52 /var/log/lynis.log
$
$ ls -l /var/log/lynis-report.dat
-rw-r-----. 1 root root 638 Apr 30 05:55 /var/log/lynis-report.dat
$
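Lynis produces a very comprehensive report, so I will cover some of the important sections. The first thing Lynis does as part of initialization is to find out complete information about the operating system running on the machine. It then checks which system tools and plugins are installed: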
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
---------------------------------------------------
Program version: 3.0.0
Operating system: Linux
Operating system name: Red Hat Enterprise Linux Server 7.8 (Maipo)
Operating system version: 7.8
Kernel version: 3.10.0
Hardware platform: x86_64
Hostname: example
---------------------------------------------------
<<snip>>
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugin: pam
[..]
- Plugin: systemd
[................]
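Next, the report is divided into sections, each starting with a [+] symbol. Some of the sections are shown below. (Wow, there are so many areas to audit, and Lynis is the right tool for the job!)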
[+] Boot and services
[+] Kernel
[+] Memory and Processes
[+] Users, Groups and Authentication
[+] Shells
[+] File systems
[+] USB Devices
[+] Storage
[+] NFS
[+] Name services
[+] Ports and packages
[+] Networking
[+] Printers and Spools
[+] Software: e-mail and messaging
[+] Software: firewalls
[+] Software: webserver
[+] SSH Support
[+] SNMP Support
[+] Databases
[+] LDAP Services
[+] PHP
[+] Squid Support
[+] Logging and files
[+] Insecure services
[+] Banners and identification
[+] Scheduled tasks
[+] Accounting
[+] Time and Synchronization
[+] Cryptography
[+] Virtualization
[+] Containers
[+] Security frameworks
[+] Software: file integrity
[+] Software: System tooling
[+] Software: Malware
[+] File Permissions
[+] Home directories
[+] Kernel Hardening
[+] Hardening
[+] Custom tests
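Lynis uses color coding to make the report easier to parse.
In my case, most of the red marks were in the Kernel Hardening section. The kernel has various tunable settings that define how it works, and some of these tunables have security implications. A distribution may not set them by default for various reasons, but you should review each one and decide whether its value needs to change based on your security posture: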
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ OK ]
- kernel.core_uses_pid (exp: 1) [ OK ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
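To make that review concrete, the following added example (not part of the original article or the Lynis project) reads the Kernel Hardening section from standard input and prints a candidate sysctl drop-in for every key marked DIFFERENT. The function names and the embedded sample lines are constructed for illustration; the sample follows the shape of the report above.

```sh
#!/bin/sh
# Added example: turn Lynis "Kernel Hardening" findings into reviewable
# sysctl settings. Reads Lynis screen output on stdin.
lynis_sysctl_candidates() {
    esc=$(printf '\033')
    # Strip ANSI escape sequences (colour, cursor movement) that terminal
    # output may carry, then keep only sysctl lines marked DIFFERENT.
    sed "s/${esc}\[[0-9;]*[A-Za-z]//g" | awk '
        /\(exp: [^)]*\)/ && /\[ DIFFERENT \]/ {
            key = $2                          # field after the leading "-"
            exp_vals = $0
            sub(/^.*\(exp: /, "", exp_vals)   # drop everything up to "(exp: "
            sub(/\).*$/, "", exp_vals)        # drop ")" and the status column
            n = split(exp_vals, vals, " ")
            if (n == 1) {
                printf "%s = %s\n", key, vals[1]
            } else {
                # Several values are acceptable: leave the choice to a human.
                printf "# %s: choose one of: %s\n", key, exp_vals
            }
        }'
}

# Constructed sample input in the shape of the report above.
sample_kernel_hardening() {
    cat <<'EOF'
[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - fs.suid_dumpable (exp: 0)                   [ OK ]
    - kernel.dmesg_restrict (exp: 1)              [ DIFFERENT ]
    - kernel.kptr_restrict (exp: 2)               [ DIFFERENT ]
    - kernel.yama.ptrace_scope (exp: 1 2 3)       [ DIFFERENT ]
    - net.ipv4.tcp_timestamps (exp: 0 1)          [ OK ]
EOF
}

sample_kernel_hardening | lynis_sysctl_candidates
```

After reviewing each line, the output can be saved as a file under /etc/sysctl.d/ and loaded with `sysctl --system`; rerunning the audit then shows which keys still differ.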
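Take SSH as an example, since it is a critical area that needs to be secured. Nothing is red here, but Lynis has many suggestions for hardening the SSH service on my setup: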
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- OpenSSH option: AllowTcpForwarding [ SUGGESTION ]
- OpenSSH option: ClientAliveCountMax [ SUGGESTION ]
- OpenSSH option: ClientAliveInterval [ OK ]
- OpenSSH option: Compression [ SUGGESTION ]
- OpenSSH option: FingerprintHash [ OK ]
- OpenSSH option: GatewayPorts [ OK ]
- OpenSSH option: IgnoreRhosts [ OK ]
- OpenSSH option: LoginGraceTime [ OK ]
- OpenSSH option: LogLevel [ SUGGESTION ]
- OpenSSH option: MaxAuthTries [ SUGGESTION ]
- OpenSSH option: MaxSessions [ SUGGESTION ]
- OpenSSH option: PermitRootLogin [ SUGGESTION ]
- OpenSSH option: PermitUserEnvironment [ OK ]
- OpenSSH option: PermitTunnel [ OK ]
- OpenSSH option: Port [ SUGGESTION ]
- OpenSSH option: PrintLastLog [ OK ]
- OpenSSH option: StrictModes [ OK ]
- OpenSSH option: TCPKeepAlive [ SUGGESTION ]
- OpenSSH option: UseDNS [ SUGGESTION ]
- OpenSSH option: X11Forwarding [ SUGGESTION ]
- OpenSSH option: AllowAgentForwarding [ SUGGESTION ]
- OpenSSH option: UsePrivilegeSeparation [ OK ]
- OpenSSH option: AllowUsers [ NOT FOUND ]
- OpenSSH option: AllowGroups [ NOT FOUND ]
I have no virtual machines or containers running on my system, so these show empty results:
[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
Lynis checks the file permissions of certain files that are important from a security standpoint:
[+] File Permissions
------------------------------------
- Starting file permissions check
File: /boot/grub2/grub.cfg [ SUGGESTION ]
File: /etc/cron.deny [ OK ]
File: /etc/crontab [ SUGGESTION ]
File: /etc/group [ OK ]
File: /etc/group- [ OK ]
File: /etc/hosts.allow [ OK ]
File: /etc/hosts.deny [ OK ]
File: /etc/issue [ OK ]
File: /etc/issue.net [ OK ]
File: /etc/motd [ OK ]
File: /etc/passwd [ OK ]
File: /etc/passwd- [ OK ]
File: /etc/ssh/sshd_config [ OK ]
Directory: /root/.ssh [ SUGGESTION ]
Directory: /etc/cron.d [ SUGGESTION ]
Directory: /etc/cron.daily [ SUGGESTION ]
Directory: /etc/cron.hourly [ SUGGESTION ]
Directory: /etc/cron.weekly [ SUGGESTION ]
Directory: /etc/cron.monthly [ SUGGESTION ]
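At the bottom of the report, Lynis offers suggestions based on the report's findings. Each suggestion is followed by a TEST-ID (keep this handy for the next part):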
Suggestions (47):
----------------------------
* If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
https://cisofy.com/lynis/controls/KRNL-5820/
* Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]
https://cisofy.com/lynis/controls/AUTH-9229/
Lynis provides an option to find more information about each suggestion, which you can access with the show details command followed by the test ID:
./lynis show details TEST-ID
This shows additional information about that test. For example, I checked the details of SSH-7408:
$ ./lynis show details SSH-7408
2020-04-30 05:52:23 Performing test ID SSH-7408 (Check SSH specific defined options)
2020-04-30 05:52:23 Test: Checking specific defined options in /tmp/lynis.k8JwazmKc6
2020-04-30 05:52:23 Result: added additional options for OpenSSH < 7.5
2020-04-30 05:52:23 Test: Checking AllowTcpForwarding in /tmp/lynis.k8JwazmKc6
2020-04-30 05:52:23 Result: Option AllowTcpForwarding found
2020-04-30 05:52:23 Result: Option AllowTcpForwarding value is YES
2020-04-30 05:52:23 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed
2020-04-30 05:52:23 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]
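The Suggestion line in that output carries the test ID and the concrete change in bracketed fields. As an added example (not from the original article or the Lynis project), the function below pulls those fields out of log text on standard input so that all suggestions for one test family can be reviewed together. It assumes /var/log/lynis.log uses the same line format as the show details output above; the function names and sample lines are constructed.

```sh
#!/bin/sh
# Added example: list Lynis suggestions as "TEST-ID <TAB> details <TAB> message".
# Reads log text in the format shown by "lynis show details" on stdin.
lynis_log_suggestions() {
    # $1: optional test-ID prefix to filter on, e.g. SSH (default: all tests)
    awk -v want="${1:-}" '
        / Suggestion: / && /\[test:/ {
            id = $0
            sub(/^.*\[test:/, "", id)
            sub(/\].*$/, "", id)
            if (want != "" && index(id, want) != 1) next

            det = "-"
            if ($0 ~ /\[details:/) {
                det = $0
                sub(/^.*\[details:/, "", det)
                sub(/\]( \[solution:.*)?$/, "", det)   # cut at closing bracket
            }

            msg = $0
            sub(/^.* Suggestion: /, "", msg)
            sub(/ \[test:.*$/, "", msg)
            printf "%s\t%s\t%s\n", id, det, msg
        }'
}

# Constructed sample: the SSH lines follow the output above; the KRNL line is
# built from the suggestion text in the report summary.
sample_lynis_log() {
    cat <<'EOF'
2020-04-30 05:52:23 Performing test ID SSH-7408 (Check SSH specific defined options)
2020-04-30 05:52:23 Result: Option AllowTcpForwarding value is YES
2020-04-30 05:52:23 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]
2020-04-30 05:52:24 Suggestion: If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [test:KRNL-5820] [details:-] [solution:-]
EOF
}

sample_lynis_log | lynis_log_suggestions SSH
```

On an audited host the same function can be fed the real log, for example `lynis_log_suggestions SSH < /var/log/lynis.log`, which needs read access to the root-owned file.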
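If you want to learn more about the security of your Linux machine, check out Lynis. And if you want to learn how Lynis works, dig into its shell scripts to see how it gathers all this information.
Translated from: https://opensource.com/article/20/5/linux-security-lynis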