Install and Set Up the Lynis Security Auditing Tool on Ubuntu 20.04

In this tutorial, you will learn how to install and set up the Lynis security auditing tool on Ubuntu 20.04. Lynis is an open-source security tool that performs an in-depth security scan of a system to assess its security profile. Thanks to its simplicity and flexibility, Lynis can be used for the following purposes;

  • Automated security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Penetration testing
  • Vulnerability detection
  • System hardening
  • Configuration and asset management
  • Software patch management
  • Intrusion detection

Note, however, that Lynis does not harden the system for you; it reports findings and gives suggestions on how to harden it.

It is a cross-platform tool designed for systems running Linux, macOS or Unix-based operating systems.

Installing and Setting Up the Lynis Security Auditing Tool on Ubuntu 20.04

Install Lynis on Ubuntu 20.04

Lynis can be installed on Ubuntu 20.04, or on any other system, in several ways. These include;

  • Cloning its GitHub repository
  • From a source tarball
  • Through the package manager, using the CISOfy software repository

In this tutorial we install the free (community) edition of Lynis from the official CISOfy community software repository.

Although Lynis is available in the default Ubuntu 20.04 Universe repository, the version there is not the latest.

apt-cache policy lynis
lynis:
  Installed: (none)
  Candidate: 2.6.2-1
  Version table:
     2.6.2-1 500
        500 http://ke.archive.ubuntu.com/ubuntu focal/universe amd64 Packages

As you can see, the Universe repository provides Lynis v2.6.2, while at the time of writing Lynis 3.0.0 is the current stable release.

You can use the Lynis community software repository to get the latest version.

Install the Lynis Community Software Repository on Ubuntu 20.04

Download and install the PGP key that signs the Lynis repository (it is served from packages.cisofy.com, not from a keyserver). Note that apt-key is deprecated in newer Debian and Ubuntu releases, where a per-repository keyring referenced by a signed-by sources entry is preferred; on Ubuntu 20.04 it still works;

wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -

Add the repository itself;

echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list

Optionally, restrict apt to English-only package descriptions so translation files are not downloaded, saving bandwidth. This setting applies to every repository on the system, not just the Lynis one;

echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations

Next, install the HTTPS transport for apt and resynchronise the package index. On Ubuntu 20.04 apt already speaks HTTPS natively and apt-transport-https is a transitional package, so the first command is harmless but not strictly required;

sudo apt install apt-transport-https
sudo apt update
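The same repository setup with a dedicated keyring and a signed-by sources entry, as an added example rather than the page's own steps: apt-key is deprecated in newer Debian and Ubuntu releases, and binding the key to this one repository stops it from being trusted for every other source on the system. The key and repository URLs are the ones used above; the keyring path /etc/apt/keyrings/cisofy-lynis.gpg is an assumption, and the script prints the key fingerprint for you to compare against the value CISOfy publishes rather than hard-coding one here.

```shell
#!/bin/sh
# Added example, not from the page or the Lynis project: add the CISOfy
# community repository with its own keyring and a "signed-by" entry instead
# of the deprecated apt-key. KEY_URL and REPO_URL are the ones the page uses;
# KEYRING and LIST are assumed locations.
set -eu

KEY_URL="https://packages.cisofy.com/keys/cisofy-software-public.key"
REPO_URL="https://packages.cisofy.com/community/lynis/deb/"
KEYRING="/etc/apt/keyrings/cisofy-lynis.gpg"
LIST="/etc/apt/sources.list.d/cisofy-lynis.list"

# Build the sources.list entry. Pure function, so it can be checked without root.
lynis_sources_entry() {  # $1 = keyring path
    printf 'deb [signed-by=%s] %s stable main\n' "$1" "$REPO_URL"
}

# Print the fingerprint(s) of a dearmored keyring so the operator can compare
# them with the value published by the vendor before trusting the repository.
keyring_fingerprints() {  # $1 = keyring path (absolute)
    gpg --no-default-keyring --keyring "$1" --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

install_lynis_repo() {
    # /etc/apt/keyrings does not exist by default on 20.04; create it.
    sudo install -d -m 0755 "$(dirname "$KEYRING")"
    wget -qO- "$KEY_URL" | gpg --dearmor | sudo tee "$KEYRING" > /dev/null
    sudo chmod 0644 "$KEYRING"
    echo "Repository key fingerprint(s), compare with the vendor's published value:"
    keyring_fingerprints "$KEYRING"
    lynis_sources_entry "$KEYRING" | sudo tee "$LIST" > /dev/null
    sudo apt-get update
    sudo apt-get install -y lynis
    lynis show version
}

# Only touch the system when explicitly asked: sh this-script.sh install
if [ "${1:-}" = "install" ]; then
    install_lynis_repo
fi
```

Run it as `sh install-lynis-repo.sh install` (the file name is your choice). Because the key is referenced only from this one sources entry, a compromise of that key cannot be used to sign packages for any other repository configured on the host.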

Install and Set Up the Lynis Security Auditing Tool on Ubuntu 20.04

With the repository in place, you can proceed to install Lynis on Ubuntu 20.04.

sudo apt install lynis

Check the installed version of Lynis;

lynis show version
3.0.0

Check whether an update is available;

lynis update info

Sample output;

 == Lynis ==

  Version            : 3.0.0
  Status             : Up-to-date
  Release date       : 2020-03-20
  Project page       : https://cisofy.com/lynis/
  Source code        : https://github.com/CISOfy/lynis
  Latest package     : https://packages.cisofy.com/


2007-2020, CISOfy - https://cisofy.com/lynis/

Lynis Command-Line Syntax and Options

The Lynis command syntax is

lynis [scan mode] [other options]

To list the Lynis commands, run;

lynis show commands
Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only

To show the settings Lynis runs with;

lynis show settings

To show the audit profiles that were discovered;

lynis show profiles
/etc/lynis/default.prf

For the complete list of options, check;

man lynis

Run a System Audit with Lynis on Ubuntu 20.04

When run, Lynis checks the system and software configuration for security weaknesses. It records the audit details in a log file and a report file; keeping the report files lets you compare the differences between audits over time.

Test and debug information is logged to /var/log/lynis.log, and the audit report data is stored in /var/log/lynis-report.dat.

/var/log/lynis.log is the file an auditor reads to interpret the results: for each finding it records why the test fired and what Lynis suggests to fix it. /var/log/lynis-report.dat is the machine-readable summary (key=value lines) intended for tooling.

Lynis can examine the following areas of the system, among others:

  • Boot loader files
  • Configuration files
  • Software packages
  • Directories and files related to logging and auditing

Run Lynis for the First Time

Lynis can be run interactively or from a cron job. Root privileges (for example via sudo) are not required, but running as root yields more detail during the audit, because some checks read files that an unprivileged user cannot.

Run a basic system audit with Lynis for the first time by executing the following command;

lynis audit system

While running, it prints the individual checks and their results to standard output, and also writes the log and report files.

Each check is reported with a status such as OK, WARNING, SUGGESTION, FOUND or NOT FOUND. OK means the check passed; WARNING marks an identified problem on the system that needs attention. Treat the labels as a starting point rather than a verdict: something marked OK may still fall short of best practice, and something marked WARNING may be harmless in your environment and can be ignored after review.

Sample checks;

...
[+] Printers and Spools
------------------------------------
  - Checking cups daemon                                      [ NOT FOUND ]
  - Checking lp daemon                                        [ NOT RUNNING ]

[+] Software: e-mail and messaging
------------------------------------

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ FOUND ]
    - Checking iptables policies of chains                    [ FOUND ]
    - Checking for empty ruleset                              [ OK ]
    - Checking for unused rules                               [ FOUND ]
  - Checking host based firewall                              [ ACTIVE ]

[+] Software: webserver
------------------------------------
  - Checking Apache (binary /usr/sbin/apache2)                [ FOUND ]
      Info: Configuration file found (/etc/apache2/apache2.conf)
      Info: No virtual hosts found
    * Loadable modules                                        [ FOUND (119) ]
        - Found 119 loadable modules
          mod_evasive: anti-DoS/brute force                   [ NOT FOUND ]
          mod_reqtimeout/mod_qos                              [ FOUND ]
          ModSecurity: web application firewall               [ NOT FOUND ]
  - Checking nginx                                            [ NOT FOUND ]

[+] SSH Support
------------------------------------
  - Checking running SSH daemon                               [ FOUND ]
    - Searching SSH configuration                             [ FOUND ]
    - OpenSSH option: AllowTcpForwarding                      [ SUGGESTION ]
    - OpenSSH option: ClientAliveCountMax                     [ SUGGESTION ]
...
[+] Home directories
------------------------------------
  - Permissions of home directories                           [ WARNING ]
  - Ownership of home directories                             [ OK ]
  - Checking shell history files                              [ OK ]
...

Results summary;

...
================================================================================

  -[ Lynis 3.0.0 Results ]-

  Warnings (1):
  ----------------------------
  ! Found one or more vulnerable packages. [PKGS-7392] 
      https://cisofy.com/lynis/controls/PKGS-7392/

  Suggestions (56):
  ----------------------------
  * This release is more than 4 months old. Consider upgrading [LYNIS] 
      https://cisofy.com/lynis/controls/LYNIS/

  * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
      https://cisofy.com/lynis/controls/BOOT-5122/

  * Consider hardening system services [BOOT-5264] 
    - Details  : Run '/usr/bin/systemd-analyze security SERVICE' for each service
      https://cisofy.com/lynis/controls/BOOT-5264/
...

Lynis security scan details;

The scan details show the current hardening index (a 0 to 100 score for how hardened the system is), the number of tests performed, the plugins enabled, the active scan mode, and the Lynis modules in use.

...
================================================================================

  Lynis security scan details:

  Hardening index : 60 [############        ]
  Tests performed : 250
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Scan mode:
  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

Check the Hardening Warnings and Suggestions from the Lynis Audit Report

You can read the warnings and suggestions of a Lynis audit scan from the /var/log/lynis-report.dat report file.

grep -i "^warning" /var/log/lynis-report.dat
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|

Check the suggestions;

grep -i "^suggestion" /var/log/lynis-report.dat
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)|-|-|
suggestion[]=BOOT-5264|Consider hardening system services|Run '/usr/bin/systemd-analyze security SERVICE' for each service|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|
suggestion[]=AUTH-9230|Configure minimum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9230|Configure maximum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
..
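The report file is what makes audits comparable over time and usable from a cron job, as noted earlier. The following script is an added example, not code from the page or from the Lynis project: it extracts the hardening index and the warning and suggestion lines from a lynis-report.dat, turns them into a pass/fail gate suitable for cron or CI, and lists findings that are new relative to an earlier report. The two sample reports it writes to a temporary directory are constructed for the demonstration (their IDs and texts mirror the format shown above), and the audit_and_gate helper assumes the lynis options named in its comments, all of which are documented in man lynis.

```shell
#!/bin/sh
# Added example, not part of the page or of Lynis itself: parse a
# lynis-report.dat, gate on it, and diff findings between two reports.
# It relies on the key=value lines and the warning[]=ID|text|details|solution|
# format shown above, plus hardening_index=, which the report also carries.

# Hardening index (0-100) recorded in a report.
report_hardening_index() {  # $1 = report file
    sed -n 's/^hardening_index=//p' "$1" | head -n 1
}

# Unique "ID|text" pairs for one kind of finding (warning or suggestion).
report_findings() {  # $1 = report file, $2 = warning|suggestion
    grep "^$2\[\]=" "$1" | sed "s/^$2\[\]=//" | cut -d'|' -f1,2 | sort -u
}

report_warning_count() {  # $1 = report file
    report_findings "$1" warning | wc -l | tr -d ' '
}

# Gate: 0 only when the report has no warnings and the hardening index is at
# least the given minimum; 1 when it fails; 2 when the file is not a report.
lynis_gate() {  # $1 = report file, $2 = minimum hardening index
    idx=$(report_hardening_index "$1")
    n=$(report_warning_count "$1")
    if [ -z "$idx" ]; then
        echo "no hardening_index in $1" >&2
        return 2
    fi
    if [ "$n" -gt 0 ] || [ "$idx" -lt "$2" ]; then
        echo "FAIL: $n warning(s), hardening index $idx (minimum $2)"
        return 1
    fi
    echo "PASS: no warnings, hardening index $idx (minimum $2)"
    return 0
}

# Findings present in the new report but absent from the old one (regressions).
new_findings() {  # $1 = old report, $2 = new report, $3 = warning|suggestion
    old=$(mktemp)
    report_findings "$1" "$3" > "$old"
    if [ -s "$old" ]; then
        report_findings "$2" "$3" | grep -vxF -f "$old" || true
    else
        report_findings "$2" "$3"
    fi
    rm -f "$old"
}

# Non-interactive audit for cron: dated report and log, then the gate.
# --cronjob, --quiet, --no-colors, --report-file and --logfile are lynis options.
audit_and_gate() {  # $1 = minimum hardening index, $2 = directory for reports
    stamp=$(date +%Y%m%d-%H%M%S)
    sudo lynis audit system --cronjob --quiet --no-colors \
        --report-file "$2/lynis-report-$stamp.dat" \
        --logfile "$2/lynis-$stamp.log" > /dev/null
    lynis_gate "$2/lynis-report-$stamp.dat" "$1"
}

# Constructed sample reports (not real Lynis output) so the functions can be
# exercised without running an audit.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/old.dat" <<'EOF'
lynis_version=3.0.0
hardening_index=60
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
EOF
cat > "$DEMO_DIR/new.dat" <<'EOF'
lynis_version=3.0.0
hardening_index=65
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
EOF

lynis_gate "$DEMO_DIR/old.dat" 60 || true   # fails: one warning
lynis_gate "$DEMO_DIR/new.dat" 60 || true   # passes
echo "suggestions new since the previous audit:"
new_findings "$DEMO_DIR/old.dat" "$DEMO_DIR/new.dat" suggestion
```

For a real host, call `audit_and_gate 60 /var/lib/lynis-history` (directory of your choosing) from cron and keep the dated reports; `new_findings` between the two most recent files then tells you what regressed, which is more useful in a ticket than the full list of 56 suggestions.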

Show Details of a Specific Test

Every check has an associated test ID. To find out more about a particular test, take its ID from the report and show the log entries recorded for it with the following command.

lynis show details TEST-ID

For example, let's take a closer look at the vulnerable-packages warning from above

lynis show details PKGS-7392
2020-08-05 15:43:47 Performing test ID PKGS-7392 (Check for Debian/Ubuntu security updates)
2020-08-05 15:43:47 Action: updating package repository with apt-get
2020-08-05 15:44:01 Result: apt-get finished
2020-08-05 15:44:01 Test: Checking if /usr/lib/update-notifier/apt-check exists
2020-08-05 15:44:01 Result: found /usr/lib/update-notifier/apt-check
2020-08-05 15:44:01 Test: checking if any of the updates contain security updates
2020-08-05 15:44:03 Result: found 9 security updates via apt-check
2020-08-05 15:44:03 Hardening: assigned partial number of hardening points (0 of 25). Currently having 109 points (out of 180)
2020-08-05 15:44:04 Result: found vulnerable package(s) via apt-get (-security channel)
2020-08-05 15:44:04 Found vulnerable package: apport
2020-08-05 15:44:04 Found vulnerable package: grub-common
2020-08-05 15:44:04 Found vulnerable package: grub-pc
2020-08-05 15:44:04 Found vulnerable package: grub-pc-bin
2020-08-05 15:44:04 Found vulnerable package: grub2-common
2020-08-05 15:44:04 Found vulnerable package: libmysqlclient21
2020-08-05 15:44:04 Found vulnerable package: libssh-4
2020-08-05 15:44:04 Found vulnerable package: python3-apport
2020-08-05 15:44:04 Found vulnerable package: python3-problem-report
2020-08-05 15:44:04 Warning: Found one or more vulnerable packages. [test:PKGS-7392] [details:-] [solution:-]
2020-08-05 15:44:04 Suggestion: Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [test:PKGS-7392] [details:-] [solution:-]
2020-08-05 15:44:04 ====

Disable Specific Checks

If some checks produce warnings that you consider false positives, you can create a custom profile that lists their test IDs and tells Lynis to skip those tests.

Lynis uses profiles to provide a set of predefined options for your operating system and preferences. The default profiles are stored in the /etc/lynis directory.

ls /etc/lynis
default.prf developer.prf

You can tell Lynis to use a particular profile with the --profile option.

If you do not specify a profile, the default profile /etc/lynis/default.prf is used. Open it and read through it; it is well commented.

To create your own custom profile, copy the default profile and edit it to define your custom test options.

For example, to suppress the vulnerable-packages warning shown in the audit report above, create a custom profile with the following content. Two caveats: Lynis 3 loads /etc/lynis/custom.prf automatically after default.prf, which is why the rerun below needs no --profile option (a profile stored elsewhere must be passed with --profile). And PKGS-7392 reports pending security updates, so in practice the right response is to apply them (sudo apt update && sudo apt upgrade) and re-run the audit rather than silence the check; it is used here only to illustrate the mechanism.

vim /etc/lynis/custom.prf
# Lynis - Custom Scan Profile to ignore some warnings
#
# Ignore Vulnerable packages Warnings
skip-test=PKGS-7392

Save and exit the file. When you re-run the audit, the specified check is skipped;

lynis audit system
================================================================================

  -[ Lynis 3.0.0 Results ]-

  Great, no warnings

  Suggestions (56):
...

Audit a Dockerfile with the Lynis Auditing Tool

Lynis can also audit a Dockerfile.

lynis audit dockerfile Dockerfile

Sample output;

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...

[+] Helper: audit_dockerfile
------------------------------------
  File to audit = Dockerfile

[+] Image
------------------------------------
  Found image:                                                [ nginx:alpine ]

[+] Basics
------------------------------------

[+] Software
------------------------------------

[+] Downloads
------------------------------------
  No files seems to be downloaded in this Dockerfile

[+] Permissions
------------------------------------

================================================================================

  -[ Lynis 3.0.0 Results ]-

  Warnings (4):
  ----------------------------
  ! No maintainer found. Unclear who created this file. [dockerfile] 
      https://cisofy.com/lynis/controls/dockerfile/

  ! No ENTRYPOINT defined in Dockerfile. [dockerfile] 
      https://cisofy.com/lynis/controls/dockerfile/

  ! No CMD defines in Dockerfile. [dockerfile] 
      https://cisofy.com/lynis/controls/dockerfile/

  ! No user declared in Dockerfile. Container will execute command as root [dockerfile] 
      https://cisofy.com/lynis/controls/dockerfile/
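A Dockerfile written to clear all four warnings, as an added example rather than the file that was audited above. That file used nginx:alpine; this one assumes the nginxinc/nginx-unprivileged:alpine image (whose nginx user and port 8080 are properties of that image) and a local html/ directory with the content to serve. The contact address is a placeholder.

```dockerfile
# Added example, not the Dockerfile audited above. Base image, user name and
# port are taken from nginxinc/nginx-unprivileged:alpine (assumed here);
# html/ stands in for your own content.
FROM nginxinc/nginx-unprivileged:alpine

# Maintainer declaration. Docker deprecates MAINTAINER in favour of LABEL,
# while the Lynis dockerfile helper matches the MAINTAINER instruction, so
# both are given; drop MAINTAINER once your Lynis version accepts the LABEL.
LABEL maintainer="security-team@example.com"
MAINTAINER security-team@example.com

# Copy content with explicit ownership so the unprivileged user can read it.
COPY --chown=nginx:nginx html/ /usr/share/nginx/html/

# Drop root before the process starts (clears "No user declared").
USER nginx

# The unprivileged image listens on 8080, so binding needs no root.
EXPOSE 8080

# Declare both the entrypoint and the default arguments explicitly.
ENTRYPOINT ["nginx"]
CMD ["-g", "daemon off;"]
```

Re-run `lynis audit dockerfile Dockerfile` after the change; the USER line is the one with real security value, since without it any code-execution bug in the served application runs as root inside the container.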

Audit a Remote Linux Host with Lynis

To audit a remote host, use the following command:

lynis audit system remote 

This command does not audit the host over the network; it prints the steps needed to scan the remote host, that is, how to copy Lynis to it, run the audit there over SSH, and collect the report.

That is how simple it is to install and set up the Lynis security auditing tool on Ubuntu 20.04. Happy auditing and hardening!
