Install and Set Up the Lynis Security Auditing Tool on CentOS 8

In this tutorial, you will learn how to install and set up the Lynis security auditing tool on CentOS 8. Lynis is an open-source security tool that performs an in-depth security scan of a system in order to assess its security profile. Thanks to its simplicity and flexibility, Lynis can be used for the following purposes:

  • Automated security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Penetration testing
  • Vulnerability detection
  • System hardening
  • Configuration and asset management
  • Software patch management
  • Intrusion detection

Note, however, that Lynis does not harden the system for you; it only reports findings and gives hints on how to harden the system yourself.

It is a cross-platform tool designed for systems running Linux, macOS or other Unix-based operating systems.

Installing and Setting Up Lynis on CentOS 8

Lynis can be installed on a CentOS system from the source tarball, by cloning its GitHub repository, or simply from a package repository using the package manager.

Install Lynis on CentOS 8 from a Package Repository

In this tutorial, we will install and set up Lynis on CentOS 8 from a package repository.

You can use either the CentOS EPEL repository or the Lynis community software repository (maintained by CISOfy, the Lynis vendor) to install Lynis on CentOS 8.

Install Lynis on CentOS 8 from the EPEL Repos

Install the EPEL repository by running the command below;

dnf install epel-release

Check which package provides Lynis;

dnf provides lynis
lynis-3.0.0-1.el8.noarch : Security and system auditing tool
Repo        : epel
Matched from:
Provide    : lynis = 3.0.0-1.el8

Then proceed to install Lynis on CentOS 8;

dnf install lynis

Install Lynis on CentOS 8 from the Lynis Community Software Repository

Install the Lynis community software repository on CentOS 8. Note that the repository file enables GPG signature checking (gpgcheck=1) and fetches both the packages and the signing key over HTTPS; keep it that way, since this is a third-party repository;

cat << 'EOL' > /etc/yum.repos.d/cisofy-lynis.repo
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2
EOL

Refresh the repository metadata and update the system (note that dnf update upgrades all installed packages, not just the metadata);

dnf update

Update the cURL, NSS, OpenSSL and CA certificates packages, so that the HTTPS connection to the CISOfy repository is made with current TLS libraries and trust roots;

dnf update curl nss openssl ca-certificates

Install Lynis. On first use, dnf will ask you to import the repository's GPG key; compare the fingerprint it shows with the one published by CISOfy before accepting it;

dnf install lynis
Dependencies resolved.
============================================================================================================================================================================
 Package                                 Architecture                             Version                                     Repository                               Size
============================================================================================================================================================================
Installing:
 lynis                                   noarch                                   3.0.0-100                                   lynis                                   312 k

Transaction Summary
============================================================================================================================================================================
Install  1 Package

Total download size: 312 k
Installed size: 1.5 M
Is this ok [y/N]: y

Check the version of Lynis that was installed;

lynis show version
3.0.0
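Before enabling a third-party repository such as the CISOfy one, it is worth checking that the .repo file you dropped into /etc/yum.repos.d/ really does enforce signature verification and HTTPS transport, since a repository fetched over plain HTTP with gpgcheck=0 lets a network attacker hand you an arbitrary RPM. The script below is an added example written for this tutorial, not code from the tutorial itself or from CISOfy; the function names are assumptions, the file contents it writes are the repository file shown above plus a deliberately weakened copy, and the check is the kind of guard you would put in a provisioning script right before dnf install lynis.

```shell
#!/bin/sh
# Added example (not from the original tutorial or from CISOfy): sanity-check
# a .repo file before installing from it. Function names are assumptions.
set -e

# Print the value of KEY in the .repo file (first match, empty if absent).
repo_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Succeed only if the repo is safe to enable: HTTPS baseurl, HTTPS (or local)
# gpgkey and gpgcheck=1. Every problem found is printed.
check_repo_file() {
    file=$1
    problems=0
    baseurl=$(repo_value "$file" baseurl)
    gpgkey=$(repo_value "$file" gpgkey)
    gpgcheck=$(repo_value "$file" gpgcheck)
    case $baseurl in
        https://*) ;;
        *) echo "baseurl is not https: '$baseurl'"; problems=$((problems + 1)) ;;
    esac
    case $gpgkey in
        https://*|file:///*) ;;
        *) echo "gpgkey is not https or a local file: '$gpgkey'"; problems=$((problems + 1)) ;;
    esac
    if [ "$gpgcheck" != 1 ]; then
        echo "gpgcheck is '$gpgcheck', must be 1"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Write a CISOfy-style repo file with the given baseurl, gpgkey and gpgcheck.
write_repo_file() {
    cat > "$1" <<EOF
[lynis]
name=CISOfy Software - Lynis package
baseurl=$2
enabled=1
gpgkey=$3
gpgcheck=$4
priority=2
EOF
}

# Constructed demo: the repo file from this tutorial, and a weakened copy
# that uses plain HTTP and disables signature checking.
good=$(mktemp); bad=$(mktemp)
write_repo_file "$good" https://packages.cisofy.com/community/lynis/rpm/ \
    https://packages.cisofy.com/keys/cisofy-software-rpms-public.key 1
write_repo_file "$bad" http://packages.cisofy.com/community/lynis/rpm/ \
    http://packages.cisofy.com/keys/cisofy-software-rpms-public.key 0
for f in "$good" "$bad"; do
    if check_repo_file "$f"; then echo "$f: OK"; else echo "$f: REJECT"; fi
done
rm -f "$good" "$bad"
```

In a provisioning script you would call check_repo_file /etc/yum.repos.d/cisofy-lynis.repo and abort on failure. After the install, rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n' lists the GPG keys dnf imported, so you can confirm that the CISOfy key is the only new one.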

Lynis Command Line Syntax and Options

The Lynis command syntax is:

lynis [scan mode] [other options]

To list the available Lynis commands, run;

lynis show commands
Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only

To show the current Lynis settings, run;

lynis show settings

To show the audit profiles that were found;

lynis show profiles
/etc/lynis/default.prf

Performing a System Audit with Lynis on CentOS 8

The Lynis security auditing tool inspects the system and software configuration to see whether there is any room for improving the security defenses.

Lynis test and debug information is logged to /var/log/lynis.log, and the audit report data is stored in /var/log/lynis-report.dat.

/var/log/lynis.log is the file an auditor examines to interpret the results: for each finding it records why the issue was flagged and the suggested way to fix it.

Areas of the system that Lynis may check include:

  • Boot loader files
  • Configuration files
  • Software packages
  • Directories and files related to logging and auditing

Running the System Audit

Lynis can be run interactively or as a cron job. Root privileges (for example via sudo) are not strictly required, but without them many tests cannot read the files they need, so the audit is less complete.

To run a basic system audit with Lynis, execute the following command;

lynis audit system

As it runs, it prints the various checks and their results to standard output, and also writes them to the log and report files.

...
[+] Software: e-mail and messaging
------------------------------------

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ FOUND ]
    - Checking iptables policies of chains                    [ FOUND ]
    - Checking for empty ruleset                              [ WARNING ]
    - Checking for unused rules                               [ OK ]
  - Checking host based firewall                              [ ACTIVE ]

[+] Software: webserver
------------------------------------
  - Checking Apache (binary /usr/sbin/httpd)                  [ FOUND ]
      Info: Configuration file found (/etc/httpd/conf/httpd.conf)
      Info: No virtual hosts found
    * Loadable modules                                        [ FOUND (106) ]
        - Found 106 loadable modules
          mod_evasive: anti-DoS/brute force                   [ NOT FOUND ]
          mod_reqtimeout/mod_qos                              [ FOUND ]
          ModSecurity: web application firewall               [ NOT FOUND ]
  - Checking nginx                                            [ NOT FOUND ]

[+] SSH Support
------------------------------------
  - Checking running SSH daemon                               [ FOUND ]
    - Searching SSH configuration                             [ FOUND ]
    - OpenSSH option: AllowTcpForwarding                      [ SUGGESTION ]
    - OpenSSH option: ClientAliveCountMax                     [ SUGGESTION ]
    - OpenSSH option: ClientAliveInterval                     [ OK ]
    - OpenSSH option: Compression                             [ SUGGESTION ]
    - OpenSSH option: FingerprintHash                         [ OK ]
...

Each check in the output is tagged with a result. OK means the check passed, WARNING marks an identified issue on the system that needs attention, and SUGGESTION (also visible above) flags a setting that could be hardened further.

Summary of the system audit checks;

...
================================================================================

  -[ Lynis 3.0.0 Results ]-

  Warnings (2):
  ----------------------------
  ! Reboot of system is most likely needed [KRNL-5830] 
    - Solution : reboot
      https://cisofy.com/lynis/controls/KRNL-5830/

  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
      https://cisofy.com/lynis/controls/FIRE-4512/

  Suggestions (46):
  ----------------------------
  * This release is more than 4 months old. Consider upgrading [LYNIS] 
      https://cisofy.com/lynis/controls/LYNIS/

  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820] 
      https://cisofy.com/lynis/controls/KRNL-5820/
...

As you can see, we have two warnings and a further 46 suggestions.

Review the suggested solutions to find out how to implement the various hardening measures on your system.

Lynis Security Scan Details

In this section you will see:

  • Your system hardening index
  • The number of tests run against the system
  • Lynis plugins enabled (if any)
  • Lynis modules enabled
  • The log/report files

================================================================================

  Lynis security scan details:

  Hardening index : 63 [############        ]
  Tests performed : 241
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Scan mode:
  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

Check Hardening Warnings and Suggestions from the Lynis Audit Report

Apart from being printed to standard output, the Lynis scan results are also written to the /var/log/lynis-report.dat report file in a simple key=value format that is easy to process with scripts.

From this report you can read the warnings and suggestions that were given;

grep -i "^warning" /var/log/lynis-report.dat
warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|

Check the suggestions;

grep -i "^suggestion" /var/log/lynis-report.dat
...
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|
suggestion[]=AUTH-9230|Configure minimum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9230|Configure maximum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
...
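Because the report file uses one key=value entry per line, a cron job can do more than just run the audit: it can parse /var/log/lynis-report.dat afterwards and fail (for example, alert or block a deployment) when unreviewed warnings remain or the hardening index drops below a threshold. The script below is an added example written for this tutorial, not code from the tutorial or from the Lynis project. The warning[]= and suggestion[]= keys are the ones shown above; the hardening_index= key name, the function names and the embedded sample report (constructed from the output shown earlier on this page) are assumptions made for the example. It is the kind of wrapper you would schedule after a non-interactive run such as lynis audit system --cronjob.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of Lynis itself:
# turn /var/log/lynis-report.dat into a pass/fail gate suitable for cron.
# hardening_index= is an assumed key name; function names are assumptions.
set -e

# Print "TEST-ID<TAB>message" for every warning[] entry.
report_warnings() {
    grep '^warning\[]=' "$1" | cut -d= -f2- | awk -F'|' '{ printf "%s\t%s\n", $1, $2 }'
}

# Same for suggestion[] entries.
report_suggestions() {
    grep '^suggestion\[]=' "$1" | cut -d= -f2- | awk -F'|' '{ printf "%s\t%s\n", $1, $2 }'
}

# Number of entries for a key ("warning" or "suggestion"); grep -c exits 1
# when the count is zero, so that status is masked.
report_count() {
    grep -c "^$2\[]=" "$1" || true
}

# Hardening index as an integer, 0 if the key is absent.
report_hardening_index() {
    idx=$(sed -n 's/^hardening_index=\([0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${idx:-0}"
}

# Gate: succeed only when no unaccepted warning remains and the hardening
# index is at least MIN. SKIP is an optional space-separated list of test IDs
# whose warnings have already been reviewed and accepted.
report_gate() {
    file=$1; min=$2; skip=${3:-}
    fails=0
    for id in $(report_warnings "$file" | cut -f1); do
        case " $skip " in *" $id "*) continue ;; esac
        echo "unaccepted warning: $id"
        fails=$((fails + 1))
    done
    idx=$(report_hardening_index "$file")
    [ "$idx" -ge "$min" ] || echo "hardening index $idx below minimum $min"
    [ "$fails" -eq 0 ] && [ "$idx" -ge "$min" ]
}

# Constructed sample report modelled on the output shown in this tutorial.
write_sample_report() {
    cat > "$1" <<'EOF'
lynis_version=3.0.0
hardening_index=63
warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
EOF
}

sample=$(mktemp)
write_sample_report "$sample"
echo "warnings: $(report_count "$sample" warning), suggestions: $(report_count "$sample" suggestion), index: $(report_hardening_index "$sample")"
report_warnings "$sample"
# Two open warnings and an index of 63 fail a bar of 70.
if report_gate "$sample" 70; then echo "gate: PASS"; else echo "gate: FAIL"; fi
# Accepting both warnings (after review) and a bar of 60 pass.
if report_gate "$sample" 60 "KRNL-5830 FIRE-4512"; then echo "gate: PASS"; else echo "gate: FAIL"; fi
rm -f "$sample"
```

On a real host you would replace the sample with /var/log/lynis-report.dat, and the accepted-warning list should come from a reviewed file under version control, not from the command line, so that nobody silences a finding without a record of why.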

Show Details of a Specific Test

Each Lynis check has an associated test ID. To find out more about a specific check, you can display its details with the command below.

lynis show details TEST-ID

For example, let us look at more information about the system reboot warning from above;

lynis show details KRNL-5830
2020-08-05 22:28:05 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)
2020-08-05 22:28:05 Test: Checking presence /var/run/reboot-required.pkgs
2020-08-05 22:28:05 Result: file /var/run/reboot-required.pkgs not found
2020-08-05 22:28:05 Result: /boot exists, performing more tests from here
2020-08-05 22:28:05 Result: found /boot/vmlinuz-4.18.0-193.14.2.el8_2.x86_64
2020-08-05 22:28:05 Test: checking kernel version on disk
2020-08-05 22:28:05 Result: found version 4.18.0-193.14.2.el8_2.x86_64
2020-08-05 22:28:05 Result: active kernel version 4.18.0-193.6.3.el8_2.x86_64
2020-08-05 22:28:05 Result: reboot needed, as there is a difference between active kernel and the one on disk
2020-08-05 22:28:05 Result: /var/cache/apt/archives/ does not exist
2020-08-05 22:28:05 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
2020-08-05 22:28:05 Hardening: assigned partial number of hardening points (0 of 5). Currently having 12 points (out of 21)
2020-08-05 22:28:05 Security check: file is normal
2020-08-05 22:28:05 Checking permissions of /usr/share/lynis/include/tests_memory_processes
2020-08-05 22:28:05 File permissions are OK
2020-08-05 22:28:05 ====

Lynis Audit Scan Profiles

Lynis uses profiles to provide a predefined set of options for your operating system and preferences. The default profile is stored in the /etc/lynis directory.

ls /etc/lynis
default.prf

If you want to use a custom profile, pass the --profile option to the lynis audit system command.

lynis audit system --profile /path/to/custom/profile.prf

To create your own profile, you can copy the default profile and edit it to define your custom test options. A leaner approach is to keep only your overrides in the custom file, so that package upgrades of default.prf do not conflict with your changes.

When run without further options, the default profile /etc/lynis/default.prf is used. Lynis also reads /etc/lynis/custom.prf automatically after the default profile when that file exists, so overrides placed there do not need --profile.

Disable Specific Checks

If you consider some checks to be false positives, or have reviewed and accepted a finding, you can create a custom profile in which you list the test IDs Lynis should skip when running a system scan.

For example, to skip the following suggestion;

suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|

Create a custom profile and put the following content in it.

vim /etc/lynis/custom.prf
# Lynis - Custom scan profile that skips accepted findings
#
# Skip the core dump suggestion (KRNL-5820)
skip-test=KRNL-5820

The specified check will be skipped the next time you run a Lynis audit scan. Keep a comment next to each skip-test line recording why the finding was accepted, since a skipped test no longer shows up in the report and is easy to forget.
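When accepted findings accumulate, it helps to manage the skip-test lines from a script rather than by hand, so that each ID is validated and recorded only once. The following is an added example written for this tutorial, not code from the tutorial or from Lynis: the function names and the profile path it writes to are assumptions, while the skip-test=ID syntax is the one shown above.

```shell
#!/bin/sh
# Added example (not part of the tutorial or of Lynis): maintain skip-test
# entries in a Lynis custom profile idempotently. Names are assumptions.
set -e

# True if ID looks like a Lynis test ID (four capitals, dash, four digits),
# e.g. KRNL-5820 or AUTH-9229.
valid_test_id() {
    echo "$1" | grep -Eq '^[A-Z]{4}-[0-9]{4}$'
}

# List the test IDs already skipped in PROFILE (nothing if the file is missing).
skipped_tests() {
    [ -f "$1" ] && sed -n 's/^skip-test=//p' "$1" || true
}

# Append skip-test=ID for each ID not yet present, creating the profile if
# needed. Malformed IDs are rejected and make the function return non-zero.
add_skip_tests() {
    profile=$1; shift
    bad=0
    [ -f "$profile" ] || printf '# Lynis custom profile: skipped (accepted) findings\n' > "$profile"
    for id in "$@"; do
        if ! valid_test_id "$id"; then
            echo "rejected malformed test ID: $id" >&2
            bad=$((bad + 1))
            continue
        fi
        if skipped_tests "$profile" | grep -qx "$id"; then
            continue
        fi
        printf 'skip-test=%s\n' "$id" >> "$profile"
    done
    [ "$bad" -eq 0 ]
}

# Constructed demo on a temporary file instead of /etc/lynis/custom.prf.
profile=$(mktemp)
add_skip_tests "$profile" KRNL-5820 KRNL-5820 AUTH-9229
echo "skipped tests after first call:"
skipped_tests "$profile"
if add_skip_tests "$profile" bogus; then echo "unexpected: bogus accepted"; fi
rm -f "$profile"
```

Run it against /etc/lynis/custom.prf as root to add accepted IDs; the duplicate KRNL-5820 above is written once, and the malformed ID is refused without touching the file.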

Lynis is a useful tool. Read through all the fixes and suggestions it provides carefully to harden your system.

That marks the end of this tutorial on how to install and set up the Lynis security auditing tool on CentOS 8.

Further Reading

Get started with Lynis

Lynis: security auditing tool for Linux, macOS and UNIX-based systems
