Install and set up the Lynis security auditing tool on CentOS 8

In this tutorial, you will learn how to install and set up the Lynis security auditing tool on CentOS 8. Lynis is an open-source security tool that performs an in-depth security scan of a system to assess its security posture. Thanks to its simplicity and flexibility, Lynis can be used for the following purposes:

  • Automated security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Penetration testing
  • Vulnerability detection
  • System hardening
  • Configuration and asset management
  • Software patch management
  • Intrusion detection

Note, however, that Lynis does not harden the system for you; it provides tips on how to harden it.

It is a cross-platform tool designed for systems running Linux, macOS, or other Unix-based operating systems.

Install and set up the Lynis security auditing tool on CentOS 8

Lynis can be installed on a CentOS system from a source tarball, by cloning its GitHub repository, or simply from a package repository using the package manager.

Install Lynis on CentOS 8 from the package repositories

In this tutorial, we will install and set up the Lynis security auditing tool on CentOS 8 from the package repositories.

You can use either the EPEL repository or the Lynis software community repository to install Lynis on CentOS 8.

Install Lynis on CentOS 8 from the EPEL repository

Install the EPEL repository by running the following command:

dnf install epel-release

Check which package provides Lynis:

dnf provides lynis
lynis-3.0.0-1.el8.noarch : Security and system auditing tool
Repo        : epel
Matched from:
Provide    : lynis = 3.0.0-1.el8

Then proceed to install Lynis on CentOS 8:

dnf install lynis

Install Lynis on CentOS 8 from the Lynis software community repository

Install the Lynis software community repository on CentOS 8:

cat << 'EOL' > /etc/yum.repos.d/cisofy-lynis.repo
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2
EOL

Run a package update:

dnf update

Update the cURL, NSS, openssl and CA certificate packages:

dnf update curl nss openssl ca-certificates

Install Lynis:

dnf install lynis
Dependencies resolved.
============================================================================================================================================================================
 Package                                 Architecture                             Version                                     Repository                               Size
============================================================================================================================================================================
Installing:
 lynis                                   noarch                                   3.0.0-100                                   lynis                                   312 k

Transaction Summary
============================================================================================================================================================================
Install  1 Package

Total download size: 312 k
Installed size: 1.5 M
Is this ok [y/N]: y

Check the installed version of Lynis:

lynis show version
3.0.0

Lynis command-line syntax and options

The Lynis command syntax is:

lynis [scan mode] [other options]

To display the available Lynis commands, run:

lynis show commands
Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only

To show the Lynis settings, run:

lynis show settings

Show the audit profiles that were discovered:

lynis show profiles
/etc/lynis/default.prf

Perform a system audit with Lynis on CentOS 8

The Lynis security auditing tool examines the system and software configuration to see whether there is room to improve the security defenses.

Lynis test and debug information is logged to /var/log/lynis.log, and the audit report data is stored in /var/log/lynis-report.dat.

/var/log/lynis.log is the file an auditor examines to interpret the results; it explains why each finding was raised and gives suggestions on how to resolve it.

Lynis may check the following areas of the system:

  • Boot loader files
  • Configuration files
  • Software packages
  • Directories and files related to logging and auditing

Run the system audit with Lynis on CentOS 8

Lynis can be run interactively or as a cron job. Root privileges (e.g. via sudo) are not required, but they yield more detail during the audit.

To run a basic system audit with Lynis, execute the following command:

lynis audit system

When run, it prints the individual checks and their results to standard output, and also writes them to the log and report files.

...
[+] Software: e-mail and messaging
------------------------------------

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ FOUND ]
    - Checking iptables policies of chains                    [ FOUND ]
    - Checking for empty ruleset                              [ WARNING ]
    - Checking for unused rules                               [ OK ]
  - Checking host based firewall                              [ ACTIVE ]

[+] Software: webserver
------------------------------------
  - Checking Apache (binary /usr/sbin/httpd)                  [ FOUND ]
      Info: Configuration file found (/etc/httpd/conf/httpd.conf)
      Info: No virtual hosts found
    * Loadable modules                                        [ FOUND (106) ]
        - Found 106 loadable modules
          mod_evasive: anti-DoS/brute force                   [ NOT FOUND ]
          mod_reqtimeout/mod_qos                              [ FOUND ]
          ModSecurity: web application firewall               [ NOT FOUND ]
  - Checking nginx                                            [ NOT FOUND ]

[+] SSH Support
------------------------------------
  - Checking running SSH daemon                               [ FOUND ]
    - Searching SSH configuration                             [ FOUND ]
    - OpenSSH option: AllowTcpForwarding                      [ SUGGESTION ]
    - OpenSSH option: ClientAliveCountMax                     [ SUGGESTION ]
    - OpenSSH option: ClientAliveInterval                     [ OK ]
    - OpenSSH option: Compression                             [ SUGGESTION ]
    - OpenSSH option: FingerprintHash                         [ OK ]
...

In the Lynis output, a check marked OK passed, while a check marked WARNING points to an issue identified on the system that needs attention.

Summary of the system audit checks:

...
================================================================================

  -[ Lynis 3.0.0 Results ]-

  Warnings (2):
  ----------------------------
  ! Reboot of system is most likely needed [KRNL-5830] 
    - Solution : reboot
      https://cisofy.com/lynis/controls/KRNL-5830/

  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
      https://cisofy.com/lynis/controls/FIRE-4512/

  Suggestions (46):
  ----------------------------
  * This release is more than 4 months old. Consider upgrading [LYNIS] 
      https://cisofy.com/lynis/controls/LYNIS/

  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820] 
      https://cisofy.com/lynis/controls/KRNL-5820/
...

As you can see, we have two warnings and a further 46 suggestions.

Review the proposed solutions to find out how to implement the various hardening measures.

Lynis security scan details

In this section you will see:

  • Your system's hardening index (as a percentage)
  • The number of tests run against the system
  • Lynis plugins enabled (if any)
  • Lynis modules enabled
  • Log/report files

================================================================================

  Lynis security scan details:

  Hardening index : 63 [############        ]
  Tests performed : 241
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Scan mode:
  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

Check the hardening warnings and suggestions in the Lynis audit report

Besides printing to standard output, Lynis also writes the scan report to /var/log/lynis-report.dat.

From this report you can read the warnings and suggestions that were given:

grep -i "^warning" /var/log/lynis-report.dat
warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|

Check the suggestions:

grep -i "^suggestion" /var/log/lynis-report.dat
...
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|
suggestion[]=AUTH-9230|Configure minimum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9230|Configure maximum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
...
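Each finding in /var/log/lynis-report.dat is a pipe-separated line of the form type[]=TEST-ID|message|details|solution|. The following script, added here as an example and not part of the original tutorial, parses that format into a readable list with per-type counts and the hardening index; it works on a constructed sample file and accepts an alternative report path as its last argument.

```shell
# Added example (not from the original tutorial): summarise the findings in
# the lynis-report.dat format shown above. Each finding is one line:
#   <type>[]=<TEST-ID>|<message>|<details>|<solution>|
# with <type> "warning" or "suggestion". The sample file is constructed from
# the report lines quoted in this tutorial so the script runs offline.
SAMPLE_REPORT="${TMPDIR:-/tmp}/lynis-report-sample.dat"
cat > "$SAMPLE_REPORT" <<'EOF'
lynis_version=3.0.0
hardening_index=63
warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9230|Configure minimum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9230|Configure maximum encryption algorithm rounds in /etc/login.defs|-|-|
EOF

# list_findings <warning|suggestion> [report]: one "ID  message [fix: ...]" line
# per finding; the solution field is appended only when Lynis filled it in.
list_findings() {
    awk -F'|' -v type="$1" '
        index($1, type "[]=") == 1 {
            id  = substr($1, length(type) + 4)
            fix = ($4 == "" || $4 == "-") ? "" : "  [fix: " $4 "]"
            printf "%-10s %s%s\n", id, $2, fix
        }' "${2:-/var/log/lynis-report.dat}"
}

# count_findings <warning|suggestion> [report]: number of findings of that type.
count_findings() {
    awk -v type="$1" 'index($0, type "[]=") == 1 { n++ } END { print n + 0 }' \
        "${2:-/var/log/lynis-report.dat}"
}

# finding_ids <warning|suggestion> [report]: unique test IDs, one per line
# (a test such as AUTH-9230 can appear several times in the report).
finding_ids() {
    list_findings "$1" "$2" | awk '{ print $1 }' | sort -u
}

# hardening_index [report]: the overall score Lynis reports at the end of a scan.
hardening_index() {
    sed -n 's/^hardening_index=//p' "${1:-/var/log/lynis-report.dat}"
}

echo "warnings=$(count_findings warning "$SAMPLE_REPORT")" \
     "suggestions=$(count_findings suggestion "$SAMPLE_REPORT")" \
     "hardening_index=$(hardening_index "$SAMPLE_REPORT")"
list_findings warning "$SAMPLE_REPORT"
```

Run it without the sample path argument on a host where Lynis has already been run to summarise the real /var/log/lynis-report.dat.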

Show the details of a specific test

Each Lynis system check has an associated test ID. To find out more about a specific check, you can display its details with the following command:

lynis show details TEST-ID

For example, let's look at more information on the system reboot warning above:

lynis show details KRNL-5830
2020-08-05 22:28:05 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)
2020-08-05 22:28:05 Test: Checking presence /var/run/reboot-required.pkgs
2020-08-05 22:28:05 Result: file /var/run/reboot-required.pkgs not found
2020-08-05 22:28:05 Result: /boot exists, performing more tests from here
2020-08-05 22:28:05 Result: found /boot/vmlinuz-4.18.0-193.14.2.el8_2.x86_64
2020-08-05 22:28:05 Test: checking kernel version on disk
2020-08-05 22:28:05 Result: found version 4.18.0-193.14.2.el8_2.x86_64
2020-08-05 22:28:05 Result: active kernel version 4.18.0-193.6.3.el8_2.x86_64
2020-08-05 22:28:05 Result: reboot needed, as there is a difference between active kernel and the one on disk
2020-08-05 22:28:05 Result: /var/cache/apt/archives/ does not exist
2020-08-05 22:28:05 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
2020-08-05 22:28:05 Hardening: assigned partial number of hardening points (0 of 5). Currently having 12 points (out of 21)
2020-08-05 22:28:05 Security check: file is normal
2020-08-05 22:28:05 Checking permissions of /usr/share/lynis/include/tests_memory_processes
2020-08-05 22:28:05 File permissions are OK
2020-08-05 22:28:05 ====

Lynis audit scan profiles

Lynis uses profiles to provide a predefined set of options for your operating system and preferences. The default profile is stored in the /etc/lynis directory.

ls /etc/lynis
default.prf

To use a custom profile, pass the --profile option to the lynis audit system command.

lynis audit system --profile /path/to/custom/profile.prf

To create your own custom profile, you can copy the default profile and edit it to define your custom test options.

When run without any other options, the default profile /etc/lynis/default.prf is used.

Disable specific checks

If you consider certain checks to be false positives, you can create a custom profile in which you define the test IDs that Lynis should skip when running a system scan.

For example, to skip the following suggestion:

suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|

Create a custom profile with the following content.

vim /etc/lynis/custom.prf
# Lynis - Custom Scan Profile to ignore some warnings
#
# Skip the core dump suggestion (KRNL-5820), treated as a false positive here
skip-test=KRNL-5820

The next time you run a Lynis audit scan with this profile, the specified check is skipped.
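A skip-test entry is easy to let drift: it keeps suppressing a finding long after the justification has changed, or it outlives the finding altogether. The following script, added here as an example and not part of the original tutorial, cross-checks a custom profile's skip-test entries against a report file; the profile, the report and the AUTH-9999 test ID are constructed for the demonstration.

```shell
# Added example (not from the original tutorial): review the skip-test entries
# of a custom profile against the findings in lynis-report.dat, so that an
# accepted exception stays tied to a real finding and a stale entry is noticed.
# Both input files are constructed; AUTH-9999 is a made-up ID for a stale entry.
PROFILE="${TMPDIR:-/tmp}/custom.prf"
REPORT="${TMPDIR:-/tmp}/lynis-report-review.dat"
cat > "$PROFILE" <<'EOF'
# Lynis - Custom Scan Profile to ignore some warnings
# Core dumps are kept on this host for crash analysis (constructed justification)
skip-test=KRNL-5820
# Left over from an earlier audit; no finding with this ID is reported any more
skip-test=AUTH-9999
EOF
cat > "$REPORT" <<'EOF'
warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9230|Configure minimum encryption algorithm rounds in /etc/login.defs|-|-|
EOF

# skipped_ids <profile>: test IDs from skip-test= lines, comments ignored.
skipped_ids() {
    sed -n 's/^[[:space:]]*skip-test=[[:space:]]*\([A-Za-z0-9-]*\).*/\1/p' "$1" | sort -u
}

# reported_ids <report>: test IDs of every warning and suggestion in the report.
reported_ids() {
    awk -F'|' '{ p = index($1, "[]=") }
               p && $1 ~ /^(warning|suggestion)/ { print substr($1, p + 3) }' "$1" | sort -u
}

# stale_skips <profile> <report>: skipped IDs that match no current finding.
stale_skips() {
    reported="$(reported_ids "$2")"
    for id in $(skipped_ids "$1"); do
        if ! printf '%s\n' "$reported" | grep -qx "$id"; then printf '%s\n' "$id"; fi
    done
}

# suppressed_findings <profile> <report>: findings the profile will hide.
suppressed_findings() {
    skipped="$(skipped_ids "$1")"
    for id in $(reported_ids "$2"); do
        if printf '%s\n' "$skipped" | grep -qx "$id"; then printf '%s\n' "$id"; fi
    done
}

echo "Findings suppressed by $PROFILE:";   suppressed_findings "$PROFILE" "$REPORT"
echo "Stale skip-test entries to remove:"; stale_skips "$PROFILE" "$REPORT"
```

Point PROFILE and REPORT at /etc/lynis/custom.prf and /var/log/lynis-report.dat to review a real profile after each audit.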

Lynis is a useful tool. Read through all the fixes and suggestions it provides carefully to harden your system.

This marks the end of this tutorial on how to install and set up the Lynis security auditing tool on CentOS 8.

Further reading

Getting started with Lynis

Lynis – Security auditing tool for Linux, macOS, and UNIX-based systems
