Lynis:Linux 的安全审计工具

什么是林尼斯?

Lynis 是一个众所周知的、经验丰富的安全工具,适用于基于 Linux 的系统(包括 macOS 和/或其他基于 Unix 的操作系统。它对您的系统执行广泛的健康扫描以支持系统强化和合规性测试。该项目是开源软件使用 GPL 许可,自 2007 年起可用。

林尼斯有什么用?

  • 安全审查
  • 合规性评估(例如 HIPAA、PCI、SOx)
  • 渗透评估
  • 漏洞诊断
  • 系统完整性

谁在使用 Lynis?

  • 审计员
  • 系统管理员
  • 开发商
  • 渗透测试员

林尼斯安装

安装选项

操作系统

CentOS/红帽/Fedora

先决条件:确保 cURL、NSS、OpenSSL 和 CA 证书是最新的。

[email protected]:~# yum update ca-certificates curl nss openssl

接下来,我们创建 /etc/yum.repos.d/cisofy-lynis.repo 文件。

[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2

现在,我们可以安装lynis。

[email protected]:~# yum makecache fast && yum install lynis

要启动 Lynis,请使用以下命令。

[email protected]:~# lynis audit system

Debian/Ubuntu

在 Ubuntu 或 Debian 服务器上,我们首先从中央密钥服务器下载密钥。

[email protected]:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F

Executing: /tmp/apt-key-gpghome.NZrCKJSpNR/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F

gpg: key 366C67DE91CA5D5F: 2 signatures not checked due to missing keys

gpg: key 366C67DE91CA5D5F: public key "CISOfy Software (signed software packages) <[email protected]>" imported

gpg: Total number processed: 1

gpg:               imported: 1

[email protected]:~# 

我们也可以手动导入密钥。

[email protected]:~# wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -
[email protected]:~# sudo apt install apt-transport-https
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1692 B of archives.
After this operation, 153 kB of additional disk space will be used.

Get:1 https://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 apt-transport-https all 1.6.12 [1692 B]
Fetched 1692 B in 0s (9909 B/s)
Selecting previously unselected package apt-transport-https.
(Reading database ... 102038 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_1.6.12_all.deb ...
Unpacking apt-transport-https (1.6.12) ...
Setting up apt-transport-https (1.6.12) ...
[email protected]:~# 

接下来,我们要确保安装 Apt 的“HTTPS 安全传输”模块。 此 repo 使用 HTTPS 来安全传输数据。 要安装 APT ‘https’ 方法(如果它尚未安装在您的系统上),请运行以下命令。

[email protected]:~# apt install apt-transport-https
[email protected]:~# sudo apt install apt-transport-https
Reading package lists... Done
Building dependency tree       
Reading state information... Done
apt-transport-https is already the newest version (1.6.12).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
[email protected]:~#

然后,我们可以添加 repo。

echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
deb https://packages.cisofy.com/community/lynis/deb/ stable main
[email protected]:~# 

现在,运行更新并安装 Lynis。

[email protected]:~# apt update && apt install lynis

让我们检查一下版本。

[email protected]:~# lynis show version
2.7.5
[email protected]:~# 

要启动 Lynis,我们运行此命令。

[email protected]:~# lynis audit system

初始运行

基本的 CentOS 服务器审计

下面列出的是在新安装的 CentOS 7 服务器上使用基础 Lynis 软件扫描的所有部分(减去付费合规性、插件、界面和其他工具选项)。

[email protected]:~# lynis audit system
[ Lynis 2.7.5 ]
#####################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2019, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
#####################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                 [ DONE ]
  - Checking profiles...                            [ DONE ]
  ---------------------------------------------------
  Program version:           2.7.5
  Operating system:          Linux
  Operating system name:     Ubuntu Linux
  Operating system version:  18.04
  Kernel version:            4.15.0
  Hardware platform:         x86_64
  Hostname:                  host
  ---------------------------------------------------
  Profiles:                  /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /usr/share/lynis/plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Language:                  en
  Test category:             all
  Test group:                all
  ---------------------------------------------------
  - Program update status...                        [ NO UPDATE ]
=====================================================================
        Lynis update available
=====================================================================
        Current version is more than 4 months old
        Current version : 275   Latest version : 275
        Please update to the latest version.
        New releases include additional features, bug fixes, tests, and baselines.

        Download the latest version:
        Packages (DEB/RPM) -  https://packages.cisofy.com
        Website (TAR)      -  https://cisofy.com/downloads/
        GitHub (source)    -  https://github.com/CISOfy/lynis
=====================================================================

系统工具

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
 Note: plugins have more extensive tests and may take several minutes to complete
  
  - Plugins enabled                                 [ NONE ]

引导和服务选项

[+] Boot and services
------------------------------------
  - Service Manager                                 [ systemd ]
  - Checking UEFI boot                              [ DISABLED ]
  - Checking presence GRUB                          [ OK ]
  - Checking presence GRUB2                         [ FOUND ]
  - Checking for password protection                [ NONE ]
  - Check running services (systemctl)              [ DONE ]
Result: found 24 running services Check enabled services at boot (systemctl)                                             [ DONE ]
Result: found 43 enabled services
  - Check startup files (permissions)               [ OK ]

内核检查

 [+] Kernel
------------------------------------
  - Checking default run level                      [ RUNLEVEL 5 ]
  - Checking CPU support (NX/PAE)
    CPU support: PAE and/or NoeXecute supported     [ FOUND ]
  - Checking kernel version and release             [ DONE ]
  - Checking kernel type                            [ DONE ]
  - Checking loaded kernel modules                  [ DONE ]
      Found 62 active modules   
  - Checking Linux kernel configuration file        [ FOUND ]
  - Checking default I/O kernel scheduler           [ FOUND ]
  - Checking for available kernel update            [ OK ]
  - Checking core dumps configuration               [ DISABLED ]
    - Checking setuid core dumps configuration      [ PROTECTED ]
  - Check if reboot is needed                       [ NO ]

内存/进程检查

[+] Memory and Processes
------------------------------------
  - Checking /proc/meminfo                          [ FOUND ]
  - Searching for dead/zombie processes             [ OK ]
  - Searching for IO waiting processes              [ OK ]

用户、组和身份验证审查

[+] Users, Groups and Authentication
------------------------------------
  - Administrator accounts                          [ OK ]
  - Unique UIDs                                     [ OK ]
  - Consistency of group files (grpck)              [ OK ]
  - Unique group IDs                                [ OK ]
  - Unique group names                              [ OK ]
  - Password file consistency                       [ OK ]
  - Query system users (non daemons)                [ DONE ]
  - NIS+ authentication support                     [ NOT ENABLED ]
  - NIS authentication support                      [ NOT ENABLED ]
  - sudoers file                                    [ FOUND ]
    - Permissions for directory: /etc/sudoers.d     [ WARNING ]
    - Permissions for: /etc/sudoers                 [ OK ]
    - Permissions for: /etc/sudoers.d/README        [ OK ]
  - PAM password strength tools                     [ SUGGESTION ]
  - PAM configuration files (pam.conf)              [ FOUND ]
  - PAM configuration files (pam.d)                 [ FOUND ]
  - PAM modules                                     [ FOUND ]
  - LDAP module in PAM                              [ NOT FOUND ]
  - Accounts without expire date                    [ OK ]
  - Accounts without password                       [ OK ]
  - Checking user password aging (minimum)          [ DISABLED ]
  - User password aging (maximum)                   [ DISABLED ]
  - Checking expired passwords                      [ OK ]
  - Checking Linux single user mode authentication  [ OK ]
  - Determining default umask
    - umask (/etc/profile)                          [ NOT FOUND ]
    - umask (/etc/login.defs)                       [ SUGGESTION ]
  - LDAP authentication support                     [ NOT ENABLED ]
  - Logging failed login attempts                   [ ENABLED ]

外壳评估

[+] Shells
------------------------------------
  - Checking shells from /etc/shells
    Result: found 6 shells (valid shells: 6).
    - Session timeout settings/tools                [ NONE ]
  - Checking default umask values
    - Checking default umask in /etc/bash.bashrc    [ NONE ]
    - Checking default umask in /etc/profile        [ NONE ]

壳牌评测

[+] Shells
------------------------------------
  - Checking shells from /etc/shells
    Result: found 6 shells (valid shells: 6).
    - Session timeout settings/tools                [ NONE ]
  - Checking default umask values
    - Checking default umask in /etc/bash.bashrc    [ NONE ]
    - Checking default umask in /etc/profile        [ NONE ]

文件系统分析

[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point                    [ SUGGESTION ]
    - Checking /tmp mount point                     [ SUGGESTION ]
    - Checking /var mount point                     [ SUGGESTION ]
  - Query swap partitions (fstab)                   [ OK ]
  - Testing swap partitions                         [ OK ]
  - Testing /proc mount (hidepid)                   [ SUGGESTION ]
  - Checking for old files in /tmp                  [ OK ]
  - Checking /tmp sticky bit                        [ OK ]
  - Checking /var/tmp sticky bit                    [ OK ]
  - ACL support root file system                    [ ENABLED ]
  - Mount options of /                              [ NON DEFAULT ]
  - Checking Locate database                        [ FOUND ]
  - Disable kernel support of some filesystems
    - Discovered kernel modules: udf 

USB

 [+] USB Devices
------------------------------------
  - Checking usb-storage driver (modprobe config)   [ NOT DISABLED ]
  - Checking USB devices authorization              [ ENABLED ]
  - Checking USBGuard                               [ NOT FOUND ]

存储选项

[+] Storage
------------------------------------
  - Checking firewire ohci driver (modprobe config) [ DISABLED ]

NFS

NFS
[+] NFS
------------------------------------
  - Check running NFS daemon                        [ NOT FOUND ]

DNS 审查

[+] Name services
------------------------------------
  - Checking /etc/resolv.conf options               [ FOUND ]
  - Searching DNS domain name                       [ FOUND ]
      Domain name: lwkb.com
  - Checking /etc/hosts
    - Checking /etc/hosts (duplicates)              [ OK ]
    - Checking /etc/hosts (hostname)                [ OK ]
    - Checking /etc/hosts (localhost)               [ OK ]
    - Checking /etc/hosts (localhost to IP)         [ OK ]

端口和包管理器

[+] Ports and packages
------------------------------------
  - Searching package managers
    - Searching dpkg package manager                [ FOUND ]
      - Querying package manager
    - Query unpurged packages                       [ NONE ]
  - Checking security repository in sources.list file [ OK ]
  - Checking APT package database                   [ OK ]
  - Checking vulnerable packages                    [ OK ]
  - Checking upgradeable packages                   [ SKIPPED ]
  - Checking package audit tool                     [ INSTALLED ]
    Found: apt-check
 - Toolkit for automatic upgrades (unattended-upgrade)[ FOUND ] 

联网

[+] Networking
------------------------------------
  - Checking IPv6 configuration                     [ ENABLED ]
      Configuration method                          [ AUTO ]
      IPv6 only                                     [ NO ]
  - Checking configured nameservers
    - Testing nameservers
        Nameserver: 127.0.0.53                      [ OK ]
  - Checking default gateway                        [ DONE ]
  - Getting listening ports (TCP/UDP)               [ DONE ]
  - Checking promiscuous interfaces                 [ OK ]
  - Checking waiting connections                    [ OK ]
  - Checking status DHCP client                     [ NOT ACTIVE ]
  - Checking for ARP monitoring software            [ NOT FOUND ]

打印机

[+] Printers and Spools
------------------------------------
  - Checking cups daemon                            [ NOT FOUND ]
  - Checking lp daemon                              [ NOT RUNNING ]

电子邮件软件

[+] Software: e-mail and messaging
------------------------------------

防火墙信息

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                 [ FOUND ]
    - Checking iptables policies of chains          [ FOUND ]
    - Checking for empty ruleset                    [ WARNING ]
    - Checking for unused rules                     [ OK ]
  - Checking host based firewall                    [ ACTIVE ]

网络服务器软件

 [+] Software: webserver
------------------------------------
  - Checking Apache (binary /usr/sbin/apache2)      [ FOUND ]
      Info: Configuration file found (/etc/apache2/apache2.conf)
      Info: No virtual hosts found
    * Loadable modules                              [ FOUND (114) ]
        - Found 114 loadable modules
          mod_evasive: anti-DoS/brute force         [ NOT FOUND ]
          mod_reqtimeout/mod_qos                    [ FOUND ]
          ModSecurity: web application firewall     [ NOT FOUND ]
  - Checking nginx                                  [ NOT FOUND ]

SSH 检查

[+] SSH Support
------------------------------------
  - Checking running SSH daemon                     [ FOUND ]
    - Searching SSH configuration                   [ FOUND ]
    - SSH option: AllowTcpForwarding                [ SUGGESTION ]
    - SSH option: ClientAliveCountMax               [ SUGGESTION ]
    - SSH option: ClientAliveInterval               [ OK ]
    - SSH option: Compression                       [ SUGGESTION ]
    - SSH option: FingerprintHash                   [ OK ]
    - SSH option: GatewayPorts                      [ OK ]
    - SSH option: IgnoreRhosts                      [ OK ]
    - SSH option: LoginGraceTime                    [ OK ]
    - SSH option: LogLevel                          [ SUGGESTION ]
    - SSH option: MaxAuthTries                      [ SUGGESTION ]
    - SSH option: MaxSessions                       [ SUGGESTION ]
    - SSH option: PermitRootLogin                   [ SUGGESTION ]
    - SSH option: PermitUserEnvironment             [ OK ]
    - SSH option: PermitTunnel                      [ OK ]
    - SSH option: Port                              [ SUGGESTION ]
    - SSH option: PrintLastLog                      [ OK ]
    - SSH option: StrictModes                       [ OK ]
    - SSH option: TCPKeepAlive                      [ SUGGESTION ]
    - SSH option: UseDNS                            [ OK ]
    - SSH option: VerifyReverseMapping              [ NOT FOUND ]
    - SSH option: X11Forwarding                     [ SUGGESTION ]
    - SSH option: AllowAgentForwarding              [ SUGGESTION ]
    - SSH option: AllowUsers                        [ NOT FOUND ]
    - SSH option: AllowGroups                       [ NOT FOUND ]

SNMP 检查

[+] SNMP Support
------------------------------------
  - Checking running SNMP daemon                    [ NOT FOUND ]

数据库信息

[+] Databases
------------------------------------
  - MySQL process status                            [ FOUND ]

LDAP 检查

[+] LDAP Services
------------------------------------
  - Checking OpenLDAP instance                      [ NOT FOUND ]

PHP 评测

[+] PHP
------------------------------------
  - Checking PHP                                    [ FOUND ]
    - Checking PHP disabled functions               [ FOUND ]
    - Checking expose_php option                    [ ON ]
    - Checking enable_dl option                     [ OFF ]
    - Checking allow_url_fopen option               [ ON ]
    - Checking allow_url_include option             [ OFF ]

乌贼

[+] Squid Support
------------------------------------
  - Checking running Squid daemon                   [ NOT FOUND ]

日志信息


[+] Logging and files
------------------------------------
  - Checking for a running log daemon               [ OK ]
    - Checking Syslog-NG status                     [ NOT FOUND ]
    - Checking systemd journal status               [ FOUND ]
    - Checking Metalog status                       [ NOT FOUND ]
    - Checking RSyslog status                       [ FOUND ]
    - Checking RFC 3195 daemon status               [ NOT FOUND ]
    - Checking minilogd instances                   [ NOT FOUND ]
  - Checking logrotate presence                     [ OK ]
  - Checking log directories (static list)          [ DONE ]
  - Checking open log files                         [ DONE ]
  - Checking deleted files in use                   [ FILES FOUND ]

不安全

[+] Insecure services
------------------------------------
  - Installed inetd package                         [ NOT FOUND ]
  - Installed xinetd package                        [ OK ]
    - xinetd status                                 [ NOT ACTIVE ]
  - Installed rsh client package                    [ OK ]
  - Installed rsh server package                    [ OK ]
  - Installed telnet client package                 [ OK ]
  - Installed telnet server package                 [ NOT FOUND ]

横幅

------------------------------------
  - /etc/issue                                      [ FOUND ]
    - /etc/issue contents                           [ WEAK ]
  - /etc/issue.net                                  [ FOUND ]
    - /etc/issue.net contents                       [ WEAK ]

任务

[+] Scheduled tasks
------------------------------------
  - Checking crontab and cronjob files              [ DONE ]
  - Checking atd status                             [ RUNNING ]
    - Checking at users                             [ DONE ]
    - Checking at jobs                              [ NONE ]

审计

[+] Accounting
------------------------------------
  - Checking accounting information                 [ NOT FOUND ]
  - Checking sysstat accounting data                [ NOT FOUND ]
  - Checking auditd                                 [ NOT FOUND ]

NTP

[+] Time and Synchronization
------------------------------------
  - NTP daemon found: systemd (timesyncd)           [ FOUND ]
  - Checking for a running NTP daemon or client     [ OK ]

密码学


[+] Cryptography
------------------------------------
  - Checking for expired SSL certificates [0/2]     [ NONE ]

虚拟化


[+] Virtualization
------------------------------------

容器


[+] Containers
------------------------------------

安全框架

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                      [ FOUND ]
    - Checking AppArmor status                      [ ENABLED ]
  - Checking presence SELinux                       [ NOT FOUND ]
  - Checking presence TOMOYO Linux                  [ NOT FOUND ]
  - Checking presence grsecurity                    [ NOT FOUND ]
  - Checking for implemented MAC framework          [ OK ]

软件:文件完整性


[+] Software: file integrity
------------------------------------
  - Checking file integrity tools
  - Checking presence integrity tool                [ NOT FOUND ]

软件:系统工具

[+] Software: System tooling

------------------------------------

  - Checking automation tooling

  - Automation tooling                              [ NOT FOUND ]

  - Checking for IDS/IPS tooling                    [ NONE ]

软件:恶意软件

[+] Software: Malware

------------------------------------

文件权限

[+] File Permissions

------------------------------------

  - Starting file permissions check

    /root/.ssh                                      [ WARNING ]

主目录

[+] Home directories

------------------------------------

  - Checking shell history files                    [ OK ]

内核强化

[+] Kernel Hardening

------------------------------------

  - Comparing sysctl key pairs with scan profile

    - fs.protected_hardlinks (exp: 1)               [ OK ]
    - fs.protected_symlinks (exp: 1)                [ OK ]
    - fs.suid_dumpable (exp: 0)                     [ DIFFERENT ]
    - kernel.core_uses_pid (exp: 1)                 [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0)                  [ OK ]
    - kernel.dmesg_restrict (exp: 1)                [ DIFFERENT ]
    - kernel.kptr_restrict (exp: 2)                 [ DIFFERENT ]
    - kernel.randomize_va_space (exp: 2)            [ OK ]
    - kernel.sysrq (exp: 0)                         [ DIFFERENT ]
    - kernel.yama.ptrace_scope (exp: 1 2 3)         [ OK ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)   [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)[ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)        [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)         [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1)       [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)      [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)          [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)          [ OK ]
    - net.ipv4.conf.all.send_redirects (exp: 0)     [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects        [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route     [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1)   [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses    [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)              [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0 1)            [ OK ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)   [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)[ OK ]
    - net.ipv6.conf.default.accept_redirects        [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route     [ OK ]

硬化

[+] Hardening

------------------------------------

    - Installed compiler(s)                         [ NOT FOUND ]
    - Installed malware scanner                     [ NOT FOUND ]

自定义测试

[+] Custom Tests
------------------------------------
  - Running custom tests...                         [ NONE ]

插件

[+] Plugins (phase 2)
------------------------------------

结果

=====================================================================
  -[ Lynis 2.7.5 Results ]-
=====================================================================

警告 (2):

  ----------------------------
  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
      https://cisofy.com/lynis/controls/FIRE-4512/

  ! Incorrect permissions for file /root/.ssh [FILE-7524] 
      https://cisofy.com/lynis/controls/FILE-7524/

建议 (38):

  ----------------------------
  * This release is more than 4 months old. Consider upgrading [LYNIS] 
      https://cisofy.com/lynis/controls/LYNIS/

  * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] https://cisofy.com/lynis/controls/BOOT-5122/

  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]      https://cisofy.com/lynis/controls/AUTH-9262/

  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] https://cisofy.com/lynis/controls/AUTH-9328/

  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310] https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /tmp file system, place /tmp on a separate partition [FILE-6310] 
https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
https://cisofy.com/lynis/controls/FILE-6310/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] 
      https://cisofy.com/lynis/controls/STRG-1840/

  * Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
      https://cisofy.com/lynis/controls/PKGS-7370/

  * Install package apt-show-versions for patch management purposes [PKGS-7394] https://cisofy.com/lynis/controls/PKGS-7394/

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] https://cisofy.com/lynis/controls/NETW-3032/

  * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]  https://cisofy.com/lynis/controls/HTTP-6640/

  * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] 
      https://cisofy.com/lynis/controls/HTTP-6643/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowTcpForwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : ClientAliveCountMax (3 --> 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : LogLevel (INFO --> VERBOSE)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxAuthTries (6 --> 3)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxSessions (10 --> 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : PermitRootLogin (YES --> (NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Port (22 --> )
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : TCPKeepAlive (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : X11Forwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowAgentForwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Turn off PHP information exposure [PHP-2372] 
    - Details  : expose_php = Off
      https://cisofy.com/lynis/controls/PHP-2372/

  * Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376] https://cisofy.com/lynis/controls/PHP-2376/

  * Check what deleted files are still in use and why. [LOGG-2190] 
      https://cisofy.com/lynis/controls/LOGG-2190/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] https://cisofy.com/lynis/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] https://cisofy.com/lynis/controls/BANN-7130/

  * Enable process accounting [ACCT-9622] 
      https://cisofy.com/lynis/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626] 
      https://cisofy.com/lynis/controls/ACCT-9626/

  * Enable auditd to collect audit information [ACCT-9628] 
      https://cisofy.com/lynis/controls/ACCT-9628/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] https://cisofy.com/lynis/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002] https://cisofy.com/lynis/controls/TOOL-5002/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)https://cisofy.com/lynis/controls/KRNL-6000/

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      https://cisofy.com/lynis/controls/HRDN-7230/

跟进:

  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)
=====================================================================

  Lynis security scan details:

  Hardening index : 66 [#############       ]
  Tests performed : 233
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

=====================================================================

  Lynis 2.7.5

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2019, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

=====================================================================

  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)

[email protected]:~# 

如您所见,这些报告的输出采用关键字的形式,例如:

  • [ NONE ] [ WEAK ] [ OK ] [ PROTECTED ]
  • [ NON DEFAULT ] [ DIFFERENT ] [ SUGGESTION ] [ WARNING ]
  • [ NOT ACTIVE ] [ ACTIVE ] [ RUNNING ]
  • [ NOT FOUND ] [ INSTALLED ] [ FOUND ]
  • [ DISABLED ] [ ENABLED ] [ NOT DISABLED ]
  • [ SKIPPED ] [ RUNLEVEL X ] [ DONE ]

这使您可以更好地定义所提供的建议并采取行动。

命令示例

以下是一些您可以立即使用的命令示例,以开始快速获取所需的信息。

[email protected]:~# lynis --warnings-only
    - Permissions for directory: /etc/sudoers.d     [ WARNING ]
    - Checking for empty ruleset                    [ WARNING ]
    /root/.ssh                                      [ WARNING ]

此命令列出 Lynis 运行的所有测试。

lynis show tests

要显示特定测试的详细信息,请运行此命令。

lynis show details TEST-ID
[email protected]:~# lynis show commands

Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only
[email protected]:~# lynis show logfile
/var/log/lynis.log
[email protected]:~#
[email protected]:~# lynis show report
/var/log/lynis-report.dat
[email protected]:~#

您可以通过将设置添加到 custom.prf 来增强 Lynis 审核
(有关所有设置,请参阅 /etc/lynis/default.prf 或运行以下命令)。

lynis show settings

如您所见,Lynis 是用于检查服务器系统的出色工具,尤其是在您运行符合 HIPAA 标准的服务器托管时。 欲了解更多信息,请访问 Lynis 主页 或者 Lynis 文档页面.

给我们打电话 800.580.4985,或打开一个 聊天 或与我们联系,与我们知识渊博的解决方案或经验丰富的托管顾问之一交谈,以了解您今天怎样利用该软件!