19
使用 Lynis 扫描 Linux 安全性
source link: http://netsecurity.51cto.com/art/202010/627844.htm
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
你有没有想过你的 Linux 机器到底安全不安全?Linux 发行版众多,每个发行版都有自己的默认设置,你在上面运行着几十个版本各异的软件包,还有众多的服务在后台运行,而我们几乎不知道或不关心这些。
要想确定安全态势(指你的 Linux 机器上运行的软件、网络和服务的整体安全状态),你可以运行几个命令,得到一些零碎的相关信息,但你需要解析的数据量是巨大的。
如果能运行一个工具,生成一份关于机器安全状况的报告,那就好得多了。而幸运的是,有一个这样的软件: Lynis 。它是一个非常流行的开源安全审计工具,可以帮助强化基于 Linux 和 Unix 的系统。根据该项目的介绍:
“它运行在系统本身,可以进行深入的安全扫描。主要目标是测试安全防御措施,并提供进一步强化系统的提示。它还将扫描一般系统信息、易受攻击的软件包和可能的配置问题。Lynis 常被系统管理员和审计人员用来评估其系统的安全防御。”
安装 Lynis
你的 Linux 软件仓库中可能有 Lynis。如果有的话,你可以用以下方法安装它:
dnf install lynis
或
apt install lynis
然而,如果你的仓库中的版本不是最新的,你最好从 GitHub 上安装它。(我使用的是 Red Hat Linux 系统,但你可以在任何 Linux 发行版上运行它)。就像所有的工具一样,先在虚拟机上试一试是有意义的。要从 GitHub 上安装它:
$ cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.8 (Maipo) $ $ uname -r 3.10.0-1127.el7.x86_64 $ $ git clone https://github.com/CISOfy/lynis.git Cloning into 'lynis'... remote: Enumerating objects: 30, done. remote: Counting objects: 100% (30/30), done. remote: Compressing objects: 100% (30/30), done. remote: Total 12566 (delta 15), reused 8 (delta 0), pack-reused 12536 Receiving objects: 100% (12566/12566), 6.36 MiB | 911.00 KiB/s, done. Resolving deltas: 100% (9264/9264), done. $
一旦你克隆了这个版本库,那么进入该目录,看看里面有什么可用的。主要的工具在一个叫 lynis 的文件里。它实际上是一个 shell 脚本,所以你可以打开它看看它在做什么。事实上,Lynis 主要是用 shell 脚本来实现的:
$ cd lynis/ $ ls CHANGELOG.md CONTRIBUTING.md db developer.prf FAQ include LICENSE lynis.8 README SECURITY.md CODE_OF_CONDUCT.md CONTRIBUTORS.md default.prf extras HAPPY_USERS.md INSTALL lynis plugins README.md $ $ file lynis lynis: POSIX shell script, ASCII text executable, with very long lines $
运行 Lynis
通过给 Lynis 一个 -h 选项来查看帮助部分,以便有个大概了解:
$ ./lynis -h
你会看到一个简短的信息屏幕,然后是 Lynis 支持的所有子命令。
接下来,尝试一些测试命令以大致熟悉一下。要查看你正在使用的 Lynis 版本,请运行:
$ ./lynis show version 3.0.0 $
要查看 Lynis 中所有可用的命令:
$ ./lynis show commands Commands: lynis audit lynis configure lynis generate lynis show lynis update lynis upload-only $
审计 Linux 系统
要审计你的系统的安全态势,运行以下命令:
$ ./lynis audit system
这个命令运行得很快,并会返回一份详细的报告,输出结果可能一开始看起来很吓人,但我将在下面引导你来阅读它。这个命令的输出也会被保存到一个日志文件中,所以你可以随时回过头来检查任何可能感兴趣的东西。
Lynis 将日志保存在这里:
Files: - Test and debug information : /var/log/lynis.log - Report data : /var/log/lynis-report.dat
你可以验证是否创建了日志文件。它确实创建了:
$ ls -l /var/log/lynis.log -rw-r-----. 1 root root 341489 Apr 30 05:52 /var/log/lynis.log $ $ ls -l /var/log/lynis-report.dat -rw-r-----. 1 root root 638 Apr 30 05:55 /var/log/lynis-report.dat $
探索报告
Lynis 提供了相当全面的报告,所以我将介绍一些重要的部分。作为初始化的一部分,Lynis 做的第一件事就是找出机器上运行的操作系统的完整信息。之后是检查是否安装了什么系统工具和插件:
[+] Initializing program ------------------------------------ - Detecting OS... [ DONE ] - Checking profiles... [ DONE ] --------------------------------------------------- Program version: 3.0.0 Operating system: Linux Operating system name: Red Hat Enterprise Linux Server 7.8 (Maipo) Operating system version: 7.8 Kernel version: 3.10.0 Hardware platform: x86_64 Hostname: example --------------------------------------------------- <<截断>> [+] System Tools ------------------------------------ - Scanning available tools... - Checking system binaries... [+] Plugins (phase 1) ------------------------------------ Note: plugins have more extensive tests and may take several minutes to complete - Plugin: pam [..] - Plugin: systemd [................]
接下来,该报告被分为不同的部分,每个部分都以 [+] 符号开头。下面可以看到部分章节。(哇,要审核的地方有这么多,Lynis 是最合适的工具!)
[+] Boot and services [+] Kernel [+] Memory and Processes [+] Users, Groups and Authentication [+] Shells [+] File systems [+] USB Devices [+] Storage [+] NFS [+] Name services [+] Ports and packages [+] Networking [+] Printers and Spools [+] Software: e-mail and messaging [+] Software: firewalls [+] Software: webserver [+] SSH Support [+] SNMP Support [+] Databases [+] LDAP Services [+] PHP [+] Squid Support [+] Logging and files [+] Insecure services [+] Banners and identification [+] Scheduled tasks [+] Accounting [+] Time and Synchronization [+] Cryptography [+] Virtualization [+] Containers [+] Security frameworks [+] Software: file integrity [+] Software: System tooling [+] Software: Malware [+] File Permissions [+] Home directories [+] Kernel Hardening [+] Hardening [+] Custom tests
Lynis 使用颜色编码使报告更容易解读。
- 绿色。一切正常
- 黄色。跳过、未找到,可能有个建议
- 红色。你可能需要仔细看看这个
在我的案例中,大部分的红色标记都是在 “Kernel Hardening” 部分找到的。内核有各种可调整的设置,它们定义了内核的功能,其中一些可调整的设置可能有其安全场景。发行版可能因为各种原因没有默认设置这些,但是你应该检查每一项,看看你是否需要根据你的安全态势来改变它的值:
[+] Kernel Hardening ------------------------------------ - Comparing sysctl key pairs with scan profile - fs.protected_hardlinks (exp: 1) [ OK ] - fs.protected_symlinks (exp: 1) [ OK ] - fs.suid_dumpable (exp: 0) [ OK ] - kernel.core_uses_pid (exp: 1) [ OK ] - kernel.ctrl-alt-del (exp: 0) [ OK ] - kernel.dmesg_restrict (exp: 1) [ DIFFERENT ] - kernel.kptr_restrict (exp: 2) [ DIFFERENT ] - kernel.randomize_va_space (exp: 2) [ OK ] - kernel.sysrq (exp: 0) [ DIFFERENT ] - kernel.yama.ptrace_scope (exp: 1 2 3) [ DIFFERENT ] - net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ] - net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ] - net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ] - net.ipv4.conf.all.forwarding (exp: 0) [ OK ] - net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ] - net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ] - net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ] - net.ipv4.conf.all.rp_filter (exp: 1) [ OK ] - net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ] - net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ] - net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ] - net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ] - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ] - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ] - net.ipv4.tcp_syncookies (exp: 1) [ OK ] - net.ipv4.tcp_timestamps (exp: 0 1) [ OK ] - net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ] - net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ] - net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ] - net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
看看 SSH 这个例子,因为它是一个需要保证安全的关键领域。这里没有什么红色的东西,但是 Lynis 对我的环境给出了很多强化 SSH 服务的建议:
[+] SSH Support ------------------------------------ - Checking running SSH daemon [ FOUND ] - Searching SSH configuration [ FOUND ] - OpenSSH option: AllowTcpForwarding [ SUGGESTION ] - OpenSSH option: ClientAliveCountMax [ SUGGESTION ] - OpenSSH option: ClientAliveInterval [ OK ] - OpenSSH option: Compression [ SUGGESTION ] - OpenSSH option: FingerprintHash [ OK ] - OpenSSH option: GatewayPorts [ OK ] - OpenSSH option: IgnoreRhosts [ OK ] - OpenSSH option: LoginGraceTime [ OK ] - OpenSSH option: LogLevel [ SUGGESTION ] - OpenSSH option: MaxAuthTries [ SUGGESTION ] - OpenSSH option: MaxSessions [ SUGGESTION ] - OpenSSH option: PermitRootLogin [ SUGGESTION ] - OpenSSH option: PermitUserEnvironment [ OK ] - OpenSSH option: PermitTunnel [ OK ] - OpenSSH option: Port [ SUGGESTION ] - OpenSSH option: PrintLastLog [ OK ] - OpenSSH option: StrictModes [ OK ] - OpenSSH option: TCPKeepAlive [ SUGGESTION ] - OpenSSH option: UseDNS [ SUGGESTION ] - OpenSSH option: X11Forwarding [ SUGGESTION ] - OpenSSH option: AllowAgentForwarding [ SUGGESTION ] - OpenSSH option: UsePrivilegeSeparation [ OK ] - OpenSSH option: AllowUsers [ NOT FOUND ] - OpenSSH option: AllowGroups [ NOT FOUND ]
我的系统上没有运行虚拟机或容器,所以这些显示的结果是空的:
[+] Virtualization ------------------------------------ [+] Containers ------------------------------------
Lynis 会检查一些从安全角度看很重要的文件的文件权限:
[+] File Permissions ------------------------------------ - Starting file permissions check File: /boot/grub2/grub.cfg [ SUGGESTION ] File: /etc/cron.deny [ OK ] File: /etc/crontab [ SUGGESTION ] File: /etc/group [ OK ] File: /etc/group- [ OK ] File: /etc/hosts.allow [ OK ] File: /etc/hosts.deny [ OK ] File: /etc/issue [ OK ] File: /etc/issue.net [ OK ] File: /etc/motd [ OK ] File: /etc/passwd [ OK ] File: /etc/passwd- [ OK ] File: /etc/ssh/sshd_config [ OK ] Directory: /root/.ssh [ SUGGESTION ] Directory: /etc/cron.d [ SUGGESTION ] Directory: /etc/cron.daily [ SUGGESTION ] Directory: /etc/cron.hourly [ SUGGESTION ] Directory: /etc/cron.weekly [ SUGGESTION ] Directory: /etc/cron.monthly [ SUGGESTION ]
在报告的底部,Lynis 根据报告的发现提出了建议。每项建议后面都有一个 “TEST-ID”(为了下一部分方便,请将其保存起来)。
Suggestions (47): ---------------------------- * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820] https://cisofy.com/lynis/controls/KRNL-5820/ * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229] https://cisofy.com/lynis/controls/AUTH-9229/
Lynis 提供了一个选项来查找关于每个建议的更多信息,你可以使用 show details 命令和 TEST-ID 号来访问:
./lynis show details TEST-ID
这将显示该测试的其他信息。例如,我检查了 SSH-7408 的详细信息:
$ ./lynis show details SSH-7408 2020-04-30 05:52:23 Performing test ID SSH-7408 (Check SSH specific defined options) 2020-04-30 05:52:23 Test: Checking specific defined options in /tmp/lynis.k8JwazmKc6 2020-04-30 05:52:23 Result: added additional options for OpenSSH < 7.5 2020-04-30 05:52:23 Test: Checking AllowTcpForwarding in /tmp/lynis.k8JwazmKc6 2020-04-30 05:52:23 Result: Option AllowTcpForwarding found 2020-04-30 05:52:23 Result: Option AllowTcpForwarding value is YES 2020-04-30 05:52:23 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed 2020-04-30 05:52:23 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]
试试吧
如果你想更多地了解你的 Linux 机器的安全性,请试试 Lynis。如果你想了解 Lynis 是如何工作的,可以研究一下它的 shell 脚本,看看它是如何收集这些信息的。
【责任编辑:赵宁宁 TEL:(010)68476606】
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK