前言
lynis 是一款運(yùn)行在 Unix/Linux 平臺(tái)上的基于主機(jī)的、開(kāi)源的安全審計(jì)軟件。Lynis是針對(duì)Unix/Linux的安全檢查工具,可以發(fā)現(xiàn)潛在的安全威脅。這個(gè)工具覆蓋可疑文件監(jiān)測(cè)、漏洞、惡意程序掃描、配置錯(cuò)誤等。下面一起來(lái)看看使用lynis進(jìn)行l(wèi)inux漏洞掃描的相關(guān)內(nèi)容吧
安裝lynis
在 archlinux 上可以直接通過(guò) pacman 來(lái)安裝
sudo pacman -S lynis --noconfirm
resolving dependencies...
looking for conflicting packages...
Packages (1) lynis-2.6.4-1
Total Installed Size: 1.35 MiB
Net Upgrade Size: 0.00 MiB
:: Proceed with installation? [Y/n]
(0/1) checking keys in keyring [----------------------] 0%
(1/1) checking keys in keyring [######################] 100%
(0/1) checking package integrity [----------------------] 0%
(1/1) checking package integrity [######################] 100%
(0/1) loading package files [----------------------] 0%
(1/1) loading package files [######################] 100%
(0/1) checking for file conflicts [----------------------] 0%
(1/1) checking for file conflicts [######################] 100%
(0/1) checking available disk space [----------------------] 0%
(1/1) checking available disk space [######################] 100%
:: Processing package changes...
(1/1) reinstalling lynis [----------------------] 0%
(1/1) reinstalling lynis [######################] 100%
:: Running post-transaction hooks...
(1/2) Reloading system manager configuration...
(2/2) Arming ConditionNeedsUpdate...
使用lynis進(jìn)行主機(jī)掃描
首先讓我們不帶任何參數(shù)運(yùn)行 lynis, 這會(huì)列出 lynis 支持的那些參數(shù)
[lujun9972@T520 linux和它的小伙伴]$ lynis
[ Lynis 2.6.4 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2018, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
------------------------------------
Usage: lynis command [options]
Command:
audit
audit system : Perform local security scan
audit system remote <host> : Remote security scan
audit dockerfile <file> : Analyze Dockerfile
show
show : Show all commands
show version : Show Lynis version
show help : Show help
update
update info : Show update details
Options:
--no-log : Don't create a log file
--pentest : Non-privileged scan (useful for pentest)
--profile <profile> : Scan the system with the given profile file
--quick (-Q) : Quick mode, don't wait for user input
Layout options
--no-colors : Don't use colors in output
--quiet (-q) : No output
--reverse-colors : Optimize color display for light backgrounds
Misc options
--debug : Debug logging to screen
--view-manpage (--man) : View man page
--verbose : Show more details on screen
--version (-V) : Display version number and quit
Enterprise options
--plugindir <path> : Define path of available plugins
--upload : Upload data to central node
More options available. Run '/usr/bin/lynis show options', or use the man page.
No command provided. Exiting..
從上面可以看出,使用 lynis 進(jìn)行主機(jī)掃描很簡(jiǎn)單,只需要帶上參數(shù) audit system 即可。 Lynis在審計(jì)的過(guò)程中,會(huì)進(jìn)行多種類(lèi)似的測(cè)試,在審計(jì)過(guò)程中會(huì)將各種測(cè)試結(jié)果、調(diào)試信息、和對(duì)系統(tǒng)的加固建議都被寫(xiě)到 stdin 。 我們可以執(zhí)行下面命令來(lái)跳過(guò)檢查過(guò)程,直接截取最后的掃描建議來(lái)看。
sudo lynis audit system |sed '1,/Results/d'
lynis將掃描的內(nèi)容分成幾大類(lèi),可以通過(guò) show groups 參數(shù)來(lái)獲取類(lèi)別
accounting
authentication
banners
boot_services
containers
crypto
databases
dns
file_integrity
file_permissions
filesystems
firewalls
hardening
homedirs
insecure_services
kernel
kernel_hardening
ldap
logging
mac_frameworks
mail_messaging
malware
memory_processes
nameservices
networking
php
ports_packages
printers_spools
scheduling
shells
snmp
squid
ssh
storage
storage_nfs
system_integrity
time
tooling
usb
virtualization
webservers
若指向掃描某幾類(lèi)的內(nèi)容,則可以通過(guò) –tests-from-group 參數(shù)來(lái)指定。
比如我只想掃描 shells 和 networking 方面的內(nèi)容,則可以執(zhí)行
sudo lynis --tests-from-group "shells networking" --no-colors
[ Lynis 2.6.4 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2018, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
------------------------------------
�[2C- Detecting OS... �[41C [ DONE ]
�[2C- Checking profiles...�[37C [ DONE ]
�[2C- Detecting language and localization�[22C [ zh ]
�[4CNotice: no language file found for 'zh' (tried: /usr/share/lynis/db/languages/zh)�[0C
---------------------------------------------------
Program version: 2.6.4
Operating system: Linux
Operating system name: Arch Linux
Operating system version: Rolling release
Kernel version: 4.16.13
Hardware platform: x86_64
Hostname: T520
---------------------------------------------------
Profiles: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/share/lynis/plugins
---------------------------------------------------
Auditor: [Not Specified]
Language: zh
Test category: all
Test group: shells networking
---------------------------------------------------
�[2C- Program update status... �[32C [ NO UPDATE ]
[+] System Tools
------------------------------------
�[2C- Scanning available tools...�[30C
�[2C- Checking system binaries...�[30C
[+] Plugins (phase 1)
------------------------------------
�[0CNote: plugins have more extensive tests and may take several minutes to complete�[0C
�[0C �[0C
�[2C- Plugins enabled�[42C [ NONE ]
[+] Shells
------------------------------------
�[2C- Checking shells from /etc/shells�[25C
�[4CResult: found 5 shells (valid shells: 5).�[16C
�[4C- Session timeout settings/tools�[25C [ NONE ]
�[2C- Checking default umask values�[28C
�[4C- Checking default umask in /etc/bash.bashrc�[13C [ NONE ]
�[4C- Checking default umask in /etc/profile�[17C [ WEAK ]
[+] Networking
------------------------------------
�[2C- Checking IPv6 configuration�[30C [ ENABLED ]
�[6CConfiguration method�[35C [ AUTO ]
�[6CIPv6 only�[46C [ NO ]
�[2C- Checking configured nameservers�[26C
�[4C- Testing nameservers�[36C
�[6CNameserver: 202.96.134.33�[30C [ SKIPPED ]
�[6CNameserver: 202.96.128.86�[30C [ SKIPPED ]
�[4C- Minimal of 2 responsive nameservers�[20C [ SKIPPED ]
�[2C- Getting listening ports (TCP/UDP)�[24C [ DONE ]
�[6C* Found 11 ports�[39C
�[2C- Checking status DHCP client�[30C [ RUNNING ]
�[2C- Checking for ARP monitoring software�[21C [ NOT FOUND ]
[+] Custom Tests
------------------------------------
�[2C- Running custom tests... �[33C [ NONE ]
[+] Plugins (phase 2)
------------------------------------
================================================================================
-[ Lynis 2.6.4 Results ]-
Great, no warnings
Suggestions (1):
----------------------------
* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
https://cisofy.com/controls/NETW-3032/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 33 [###### ]
Tests performed : 13
Plugins enabled : 0
Components:
- Firewall [X]
- Malware scanner [X]
Lynis Modules:
- Compliance Status [?]
- Security Audit [V]
- Vulnerability Scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Lynis 2.6.4
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2018, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
================================================================================
[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
查看詳細(xì)說(shuō)明
在查看審計(jì)結(jié)果時(shí),你可以通過(guò) show details 參數(shù)來(lái)獲取關(guān)于某條警告/建議的詳細(xì)說(shuō)明。其對(duì)應(yīng)的命令形式為:
lynis show details ${test_id}
比如,上面圖中有一個(gè)建議
* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
我們可以運(yùn)行命令:
sudo lynis show details NETW-3032
2018-06-08 18:18:01 Performing test ID NETW-3032 (Checking for ARP monitoring software)
2018-06-08 18:18:01 IsRunning: process 'arpwatch' not found
2018-06-08 18:18:01 IsRunning: process 'arpon' not found
2018-06-08 18:18:01 Suggestion: Consider running ARP monitoring software (arpwatch,arpon) [test:NETW-3032] [details:-] [solution:-]
2018-06-08 18:18:01 Checking permissions of /usr/share/lynis/include/tests_printers_spools
2018-06-08 18:18:01 File permissions are OK
2018-06-08 18:18:01 ===---------------------------------------------------------------===
查看日志文件
lynis在審計(jì)完成后會(huì)將詳細(xì)的信息記錄在 /var/log/lynis.log 中.
sudo tail /var/log/lynis.log
2018-06-08 17:59:46 ================================================================================
2018-06-08 17:59:46 Lynis 2.6.4
2018-06-08 17:59:46 2007-2018, CISOfy - https://cisofy.com/lynis/
2018-06-08 17:59:46 Enterprise support available (compliance, plugins, interface and tools)
2018-06-08 17:59:46 Program ended successfully
2018-06-08 17:59:46 ================================================================================
2018-06-08 17:59:46 PID file removed (/var/run/lynis.pid)
2018-06-08 17:59:46 Temporary files: /tmp/lynis.sGxCR0hSPz
2018-06-08 17:59:46 Action: removing temporary file /tmp/lynis.sGxCR0hSPz
2018-06-08 17:59:46 Lynis ended successfully.
同時(shí)將報(bào)告數(shù)據(jù)被保存到 /var/log/lynis-report.dat 中.
sudo tail /var/log/lynis-report.dat
另外需要注意的是,每次審計(jì)都會(huì)覆蓋原日志文件.
檢查更新
審計(jì)軟件需要隨時(shí)進(jìn)行更新從而得到最新的建議和信息,我們可以使用 update info 參數(shù)來(lái)檢查更新:
lynis update info --no-colors
== �[1;37mLynis�[0m ==
Version : 2.6.4
Status : �[1;32mUp-to-date�[0m
Release date : 2018-05-02
Update location : https://cisofy.com/lynis/
2007-2018, CISOfy - https://cisofy.com/lynis/
自定義lynis安全審計(jì)策略
lynis的配置信息以 .prf 文件的格式保存在 /etc/lynis 目錄中。 其中,默認(rèn)lynis自帶一個(gè)名為 default.prf 的默認(rèn)配置文件。
不過(guò)我們無(wú)需直接修改這個(gè)默認(rèn)的配置文件,只需要新增一個(gè) custom.prf 文件將自定義的信息加入其中就可以了。
關(guān)于配置文件中各配置項(xiàng)的意義,在 default.prf 中都有相應(yīng)的注釋說(shuō)明,這里就不詳述了。
想了解lynis的更多信息,可以訪問(wèn)它的官網(wǎng).
總結(jié)
以上就是這篇文章的全部?jī)?nèi)容了,希望本文的內(nèi)容對(duì)大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價(jià)值,如果有疑問(wèn)大家可以留言交流,謝謝大家對(duì)腳本之家的支持。
