Have you ever wondered how secure your Linux machine really is? There are numerous Linux distributions, each with its own default settings, on which you run dozens of software packages with different version numbers, and numerous services run in the background that we hardly know about or care about.
To find the security posture, that is, the overall security status of the software, network, and services running on your Linux machine, you could run a few commands and get bits and pieces of relevant information, but the amount of data you would need to parse is enormous.
It would be far better if you could run a tool that generates a report on the machine's security posture. Fortunately, there is one: Lynis. It is a very popular open source security auditing tool that helps harden Linux- and Unix-based systems. According to the project:
"It performs an in-depth security scan and runs on the system itself. The primary goal is to test security defenses and provide tips for further system hardening. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis is commonly used by system administrators and auditors to assess the security defenses of their systems."
Install Lynis
Lynis may be available in your Linux software repository. If so, you can install it with:
dnf install lynis
or
apt install lynis
However, if the version in your repository is not the latest, it is better to install it from GitHub. (I am using a Red Hat Linux system, but you can run it on any Linux distribution.) As with all tools, it is best to try it out on a virtual machine first. To install it from GitHub:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.8 (Maipo)
$
$ uname -r
3.10.0-1127.el7.x86_64
$
$ git clone https://github.com/CISOfy/lynis.git
Cloning into 'lynis'...
remote: Enumerating objects: 30, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (30/30), done.
remote: Total 12566 (delta 15), reused 8 (delta 0), pack-reused 12536
Receiving objects: 100% (12566/12566), 6.36 MiB | 911.00 KiB/s, done.
Resolving deltas: 100% (9264/9264), done.
$
After cloning the repository, move into it and look at what is available. The main tool is in a file named lynis. It is actually a shell script, so you can open it and read what it does. In fact, Lynis is implemented mostly as shell script:
$ cd lynis/
$ ls
CHANGELOG.md CONTRIBUTING.md db developer.prf FAQ include LICENSE lynis.8 README SECURITY.md
CODE_OF_CONDUCT.md CONTRIBUTORS.md default.prf extras HAPPY_USERS.md INSTALL lynis plugins README.md
$
$ file lynis
lynis: POSIX shell script, ASCII text executable, with very long lines
$
Run Lynis
Run Lynis with the -h option to see the help section:
$ ./lynis -h
You will see a short information screen followed by all the commands Lynis supports.
Next, try a few test commands to get a feel for it and become comfortable. To see which version of Lynis you are using, run:
$ ./lynis show version
3.0.0
$
To see all the commands available in Lynis:
$ ./lynis show commands
Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only
$
Audit a Linux system
To audit the system's security posture, run the following command:
$ ./lynis audit system
This runs quickly and returns a detailed report; the output may look intimidating at first, but I will walk you through it below. The command's output is also saved to a log file, so you can always go back later and check anything of interest.
Lynis saves the logs here:
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
You can verify that the log files were created, and indeed they were:
$ ls -l /var/log/lynis.log
-rw-r-----. 1 root root 341489 Apr 30 05:52 /var/log/lynis.log
$
$ ls -l /var/log/lynis-report.dat
-rw-r-----. 1 root root 638 Apr 30 05:55 /var/log/lynis-report.dat
$
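The second file, /var/log/lynis-report.dat, is the one worth processing in scripts: it is a plain key=value file in which repeated keys such as suggestion[] and warning[] carry pipe-separated fields. The script below is an added example, not part of the article or of Lynis itself; it parses a constructed report file of that shape (the field layout TEST-ID|text|details|solution| is my understanding of the format and should be treated as an assumption, and EXMP-0001 is a placeholder test ID) and pulls out the hardening index, the number of findings, and the details recorded for a given test ID, which is what you would feed into a ticketing or compliance pipeline.

```shell
#!/bin/sh
# Added example (not Lynis code): extract findings from a lynis-report.dat-style file.
export LC_ALL=C   # stable sort order and byte-oriented text tools

# Constructed sample in the shape of /var/log/lynis-report.dat. EXMP-0001 is a
# placeholder test ID; the other IDs are the ones quoted in the article.
SAMPLE_REPORT='lynis_version=3.0.0
os=Linux
os_name=Red Hat Enterprise Linux Server 7.8 (Maipo)
hostname=example
hardening_index=64
warning[]=EXMP-0001|Placeholder warning text|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
'

# report_value FILE KEY -> value of a scalar key (first match), empty if absent
report_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# report_list FILE KEY -> one line per KEY[]=... entry, with the key stripped
report_list() {
    sed -n "s/^$2\[\]=//p" "$1"
}

# count_findings FILE KIND -> number of entries of KIND (warning or suggestion); 0 if none
count_findings() {
    report_list "$1" "$2" | grep -c . || true
}

# finding_ids FILE -> sorted, de-duplicated TEST-IDs that have a warning or suggestion
finding_ids() {
    { report_list "$1" warning; report_list "$1" suggestion; } | cut -d'|' -f1 | sort -u
}

# finding_details FILE TEST-ID -> the details field (3rd) of every entry for that test
finding_details() {
    { report_list "$1" warning; report_list "$1" suggestion; } |
        awk -F'|' -v id="$2" '$1 == id { print $3 }'
}

# summarize FILE -> one-line summary suitable for a dashboard or cron mail
summarize() {
    printf 'hardening_index=%s warnings=%s suggestions=%s\n' \
        "$(report_value "$1" hardening_index)" \
        "$(count_findings "$1" warning)" \
        "$(count_findings "$1" suggestion)"
}

# Demo against the constructed sample; point REPORT_FILE at /var/log/lynis-report.dat
# on a real host (the file is root-readable only, see the ls -l output above).
REPORT_FILE=$(mktemp)
printf '%s' "$SAMPLE_REPORT" > "$REPORT_FILE"
summarize "$REPORT_FILE"
echo "Tests with findings:"
finding_ids "$REPORT_FILE"
echo "Details recorded for SSH-7408:"
finding_details "$REPORT_FILE" SSH-7408
```

Because the file is only readable by root, run the parser from the same privileged context that ran the audit, or have the audit job copy the report somewhere your reporting user can read it.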
Browse the report
Lynis provides a very comprehensive report, so I will cover some of the important sections. The first thing Lynis does as part of initialization is gather complete information about the operating system running on the machine. This is followed by checks to see which system tools and plugins are installed:
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
---------------------------------------------------
Program version: 3.0.0
Operating system: Linux
Operating system name: Red Hat Enterprise Linux Server 7.8 (Maipo)
Operating system version: 7.8
Kernel version: 3.10.0
Hardware platform: x86_64
Hostname: example
---------------------------------------------------
<<snip>>
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugin: pam
[..]
- Plugin: systemd
[................]
Next, the report is divided into sections, each starting with a [+] symbol. Some of the sections are shown below. (Wow, there are a lot of areas to audit, and Lynis is the right tool for the job!)
[+] Boot and services
[+] Kernel
[+] Memory and Processes
[+] Users, Groups and Authentication
[+] Shells
[+] File systems
[+] USB Devices
[+] Storage
[+] NFS
[+] Name services
[+] Ports and packages
[+] Networking
[+] Printers and Spools
[+] Software: e-mail and messaging
[+] Software: firewalls
[+] Software: webserver
[+] SSH Support
[+] SNMP Support
[+] Databases
[+] LDAP Services
[+] PHP
[+] Squid Support
[+] Logging and files
[+] Insecure services
[+] Banners and identification
[+] Scheduled tasks
[+] Accounting
[+] Time and Synchronization
[+] Cryptography
[+] Virtualization
[+] Containers
[+] Security frameworks
[+] Software: file integrity
[+] Software: System tooling
[+] Software: Malware
[+] File Permissions
[+] Home directories
[+] Kernel Hardening
[+] Hardening
[+] Custom tests
Lynis uses color coding to make the report easier to parse:
- Green: all good
- Yellow: skipped, not found, or there may be a suggestion
- Red: you may need to take a closer look
In my case, most of the red marks were in the Kernel Hardening section. The kernel has various tunable settings that define how it functions, and some of these tunables have a security context. The distribution may not set them by default for various reasons, but you should examine each one and decide, based on your security posture, whether its value needs to change:
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ OK ]
- kernel.core_uses_pid (exp: 1) [ OK ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
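The check above is a straight comparison of each sysctl key against an expected value (or, for kernel.yama.ptrace_scope, a set of acceptable values). The script below is an added example, not code from the article or from Lynis: it re-implements that comparison for the keys the report marked DIFFERENT, reads the live values from /proc/sys (reporting "unset" where a key does not exist, as happens inside containers or when a module is not loaded), and writes the keys that still differ into a sysctl.d-style drop-in so the fix persists across reboots. The expected values are the ones shown in the report; the drop-in file name is mine.

```shell
#!/bin/sh
# Added example (not Lynis code): compare sysctl keys with expected values and
# draft a persistent drop-in for the ones that differ.

# One "key expected-values" pair per line, taken from the Kernel Hardening report
# above. Several expected values mean any of them is acceptable.
EXPECTED='kernel.dmesg_restrict 1
kernel.kptr_restrict 2
kernel.sysrq 0
kernel.yama.ptrace_scope 1 2 3
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.log_martians 1
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0'

# compare_value ACTUAL EXPECTED... -> OK when ACTUAL is one of the expected values,
# DIFFERENT otherwise (the same verdicts Lynis prints)
compare_value() {
    actual=$1
    shift
    for candidate in "$@"; do
        if [ "$actual" = "$candidate" ]; then
            echo OK
            return 0
        fi
    done
    echo DIFFERENT
}

# current_value KEY -> live value from /proc/sys, or "unset" if the key is absent
current_value() {
    path="/proc/sys/$(echo "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo unset
    fi
}

# audit_sysctl DROPIN -> one report line per key; keys that exist but differ are
# appended to DROPIN as "key = first-expected-value"
audit_sysctl() {
    dropin=$1
    : > "$dropin"
    echo "$EXPECTED" | while read -r key exp_values; do
        actual=$(current_value "$key")
        verdict=$(compare_value "$actual" $exp_values)
        printf '%-45s %-6s (exp: %s) [ %s ]\n' "$key" "$actual" "$exp_values" "$verdict"
        if [ "$verdict" = DIFFERENT ] && [ "$actual" != unset ]; then
            printf '%s = %s\n' "$key" "${exp_values%% *}" >> "$dropin"
        fi
    done
}

# Demo: audit this host and show the proposed drop-in. Review it, then install it as
# e.g. /etc/sysctl.d/90-hardening.conf (hypothetical name) and apply with sysctl --system.
DROPIN=$(mktemp "${TMPDIR:-/tmp}/sysctl-hardening.XXXXXX")
audit_sysctl "$DROPIN"
echo "Proposed drop-in ($DROPIN):"
cat "$DROPIN"
```

Two caveats a practitioner should keep in mind: a value that shows as "unset" is not a pass, it means the check could not run on this host, and some keys (kernel.sysrq and the forwarding-related ones in particular) are legitimately non-default on certain machines, which is why the drop-in is written for review rather than installed automatically.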
Take a look at SSH as an example, since it is a key area that needs to be secured. Nothing is in red here, but Lynis has plenty of suggestions for hardening the SSH service in my setup:
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- OpenSSH option: AllowTcpForwarding [ SUGGESTION ]
- OpenSSH option: ClientAliveCountMax [ SUGGESTION ]
- OpenSSH option: ClientAliveInterval [ OK ]
- OpenSSH option: Compression [ SUGGESTION ]
- OpenSSH option: FingerprintHash [ OK ]
- OpenSSH option: GatewayPorts [ OK ]
- OpenSSH option: IgnoreRhosts [ OK ]
- OpenSSH option: LoginGraceTime [ OK ]
- OpenSSH option: LogLevel [ SUGGESTION ]
- OpenSSH option: MaxAuthTries [ SUGGESTION ]
- OpenSSH option: MaxSessions [ SUGGESTION ]
- OpenSSH option: PermitRootLogin [ SUGGESTION ]
- OpenSSH option: PermitUserEnvironment [ OK ]
- OpenSSH option: PermitTunnel [ OK ]
- OpenSSH option: Port [ SUGGESTION ]
- OpenSSH option: PrintLastLog [ OK ]
- OpenSSH option: StrictModes [ OK ]
- OpenSSH option: TCPKeepAlive [ SUGGESTION ]
- OpenSSH option: UseDNS [ SUGGESTION ]
- OpenSSH option: X11Forwarding [ SUGGESTION ]
- OpenSSH option: AllowAgentForwarding [ SUGGESTION ]
- OpenSSH option: UsePrivilegeSeparation [ OK ]
- OpenSSH option: AllowUsers [ NOT FOUND ]
- OpenSSH option: AllowGroups [ NOT FOUND ]
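Each OpenSSH line above is the result of reading one keyword out of sshd_config and comparing it with a hardened value. Two parsing rules matter when you do this yourself: sshd uses the first value it finds for a keyword (a later duplicate is silently ignored), and anything after the first Match line is conditional and does not change the global setting. The script below is an added example, not code from the article or from Lynis; it audits a constructed sshd_config that deliberately contains both traps, using expected values that are my reading of the suggestions above.

```shell
#!/bin/sh
# Added example (not Lynis code): check global sshd_config options the way the
# SSH Support section does, honouring sshd's own parsing rules.
export LC_ALL=C

# Constructed sshd_config (not from the article's system). PermitRootLogin appears
# twice, so sshd keeps the first value ("yes"); the AllowTcpForwarding under Match
# applies only to user backup and leaves the global "yes" in force.
SAMPLE_SSHD_CONFIG='# constructed sample
Port 22
PermitRootLogin yes
permitrootlogin no
AllowTcpForwarding yes
X11Forwarding yes
LogLevel INFO
Match User backup
    AllowTcpForwarding no
'

# Global option and the value the suggestions above ask for (assumed expectations).
EXPECTED='AllowTcpForwarding no
PermitRootLogin no
X11Forwarding no
LogLevel VERBOSE
AllowAgentForwarding no'

# effective_option FILE KEYWORD -> the value sshd would use globally: keyword match is
# case-insensitive, the first occurrence wins, lines after the first "Match" are skipped.
# Prints "NOT FOUND" if the keyword is never set. (Quoted values and the
# "Keyword=value" form are not handled here.)
effective_option() {
    awk -v want="$(echo "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want && !found { print $2; found = 1 }
        END { if (!found) print "NOT FOUND" }
    ' "$1"
}

# audit_sshd FILE -> one line per expected option with OK / SUGGESTION / NOT FOUND,
# in the style of the Lynis output above
audit_sshd() {
    echo "$EXPECTED" | while read -r keyword wanted; do
        actual=$(effective_option "$1" "$keyword")
        if [ "$actual" = "NOT FOUND" ]; then
            verdict="NOT FOUND"
        elif [ "$(echo "$actual" | tr 'A-Z' 'a-z')" = "$(echo "$wanted" | tr 'A-Z' 'a-z')" ]; then
            verdict=OK
        else
            verdict=SUGGESTION
        fi
        printf '  - OpenSSH option: %-22s %-10s (exp: %s) [ %s ]\n' \
            "$keyword" "$actual" "$wanted" "$verdict"
    done
}

# Demo on the constructed file; pass /etc/ssh/sshd_config to audit_sshd on a real host
SSHD_FILE=$(mktemp)
printf '%s' "$SAMPLE_SSHD_CONFIG" > "$SSHD_FILE"
audit_sshd "$SSHD_FILE"
```

On a live server, the more reliable source is the daemon's own view of its configuration, which `sshd -T` prints after all parsing (including Include directives and Match blocks for a given connection); the parser here is what you would use when auditing a configuration file offline, for example in a repository before it is deployed.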
No virtual machines or containers are running on my system, so those sections show empty results:
[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
Lynis checks the permissions of files that are important from a security standpoint:
[+] File Permissions
------------------------------------
- Starting file permissions check
File: /boot/grub2/grub.cfg [ SUGGESTION ]
File: /etc/cron.deny [ OK ]
File: /etc/crontab [ SUGGESTION ]
File: /etc/group [ OK ]
File: /etc/group- [ OK ]
File: /etc/hosts.allow [ OK ]
File: /etc/hosts.deny [ OK ]
File: /etc/issue [ OK ]
File: /etc/issue.net [ OK ]
File: /etc/motd [ OK ]
File: /etc/passwd [ OK ]
File: /etc/passwd- [ OK ]
File: /etc/ssh/sshd_config [ OK ]
Directory: /root/.ssh [ SUGGESTION ]
Directory: /etc/cron.d [ SUGGESTION ]
Directory: /etc/cron.daily [ SUGGESTION ]
Directory: /etc/cron.hourly [ SUGGESTION ]
Directory: /etc/cron.weekly [ SUGGESTION ]
Directory: /etc/cron.monthly [ SUGGESTION ]
At the bottom of the report, Lynis offers suggestions based on the findings. Each suggestion is followed by a TEST-ID (keep this in mind for the next section):
Suggestions (47):
----------------------------
* If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
https://cisofy.com/lynis/controls/KRNL-5820/
* Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]
https://cisofy.com/lynis/controls/AUTH-9229/
Lynis offers a way to find more information about each suggestion, which you can access with the show details command followed by the test ID:
./lynis show details TEST-ID
This shows additional information about the test. For example, I checked the details of SSH-7408:
$ ./lynis show details SSH-7408
2020-04-30 05:52:23 Performing test ID SSH-7408 (Check SSH specific defined options)
2020-04-30 05:52:23 Test: Checking specific defined options in /tmp/lynis.k8JwazmKc6
2020-04-30 05:52:23 Result: added additional options for OpenSSH < 7.5
2020-04-30 05:52:23 Test: Checking AllowTcpForwarding in /tmp/lynis.k8JwazmKc6
2020-04-30 05:52:23 Result: Option AllowTcpForwarding found
2020-04-30 05:52:23 Result: Option AllowTcpForwarding value is YES
2020-04-30 05:52:23 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed
2020-04-30 05:52:23 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]
Try it out
If you want to learn more about the security of your Linux machine, check out Lynis. And if you want to learn how Lynis works, dig into its shell script to see how it gathers all this information.