Lynis auditando la seguridad de tu sistema *NIX, en la instalación de cualquier sistema, ya sea basado en *NIX, Windows, MAC OS X, si va a estar en producción ofreciendo algún servicio, es bueno que se le pasen algunos checks de seguridad para saber como estamos en materia de seguridad. Estas revisiones también se pueden mirar en sistemas que ya estén en producción para ver si nos hemos dejado algo de configurar.
Tabla de Contenido
Lynis auditando la seguridad de tu sistema *NIX descargar Lynis
Primero de todo nos bajamos Lynis, lo podemos descargar de la web de Packet Storm
wget https://packetstorm.interhost.co.il/UNIX/scanners/lynis-1.3.3.tar.gz
Lo tenemos que ejecutar con permisos de súper usuario.
Primeramente obtenemos un resumen del sistema que vamos a analizar.
Ahora chequeará los binarios del sistema.
En este caso lo que hará será hacer un check de que se usa para el sistema de arranque y también si los archivos de startup son correctos
También hace checks a nivel de kernel.
Lynis también comprobará cosas como la memoria, usuarios y grupos del sistema.
Lynis mirará que shells hay en el sistema además de mirar a nivel de file system si hay algún error.
Lynis comprobará cosas como las impresoras, sistema de correo, si lo tenemos, la parte de Networking.. EN mi caso me ha sacado un Warning porque no tengo DNS secundario.
ESta herramienta hace otros checks, pero para no ponerlos todos os pongo el report que saca la herramienta. Ya que podremos ver incluso que la herramienta nos da recomendaciones
-[ Lynis 1.3.3 Results ]-
Tests performed: 151
Warnings:
—————————-
– [16:41:23] Warning: Couldn’t find 2 responsive nameservers [test:NETW-2705] [impact:L]
– [16:41:47] Warning: iptables module(s) loaded, but no rules active [test:FIRE-4512] [impact:L]
– [16:43:03] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
– [16:43:08] Warning: PHP option register_globals option is turned on, which can be a risk for variable value overwriting [test:PHP-2368] [impact:M]
– [16:43:08] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
– [16:43:17] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]Suggestions:
—————————-
– [16:39:26] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
– [16:39:26] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
– [16:39:26] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
– [16:39:26] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
– [16:39:26] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
– [16:40:09] Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310]
– [16:40:09] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
– [16:40:59] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
– [16:40:59] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
– [16:41:19] Suggestion: Purge old/removed packages (6 found) with aptitude purge or dpkg –purge command. This will cleanup old configuration files, cron jobs and startup scripts. [test:PKGS-7346]
– [16:41:23] Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705]
– [16:41:47] Suggestion: Disable iptables kernel module if not used or make sure rules are being used [test:FIRE-4512]
– [16:41:47] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
– [16:43:08] Suggestion: Change the register_globals line to: register_globals = Off [test:PHP-2368]
– [16:43:08] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
– [16:43:08] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376]
– [16:43:15] Suggestion: Add legal banner to /etc/motd, to warn unauthorized users [test:BANN-7122]
– [16:43:15] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
– [16:43:15] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130]
– [16:43:16] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]
– [16:43:17] Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily, to prevent big time differences and avoid problems with services like kerberos, authentication or logging differences. [test:TIME-3104]
– [16:43:20] Suggestion: Install a file integrity tool [test:FINT-4350]
– [16:43:28] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]
– [16:43:33] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
– [16:43:33] Suggestion: Harden compilers and restrict access to world [test:HRDN-7222]
– [16:43:33] Suggestion: Harden the system by installing one or malware scanners to perform periodic file system scans [test:HRDN-7230]
================================================================================
Files:
– Test and debug information : /var/log/lynis.log
– Report data : /var/log/lynis-report.dat
================================================================================
Hardening index : [50] [########## ]
================================================================================
Tip: Disable all tests which are not relevant or are too strict for the
purpose of this particular machine. This will remove unwanted suggestions
and also boost the hardening index. Each test should be properly analyzed
to see if the related risks can be accepted, before disabling the test.
================================================================================
Lynis 1.3.3
Copyright 2007-2013 – Michael Boelen, https://www.rootkit.nl/
================================================================================Una buena herramienta para incluir en checks
Lynis auditando la seguridad de tu sistema *NIX, como veis, es una buena herramienta para incluir en nuestros checks de seguridad de nuestros servidores.
