Linux中國

使用 Lynis 掃描 Linux 安全性

你有沒有想過你的 Linux 機器到底安全安全?Linux 發行版眾多,每個發行版都有自己的默認設置,你在上面運行著幾十個版本各異的軟體包,還有眾多的服務在後台運行,而我們幾乎不知道或不關心這些。

要想確定安全態勢(指你的 Linux 機器上運行的軟體、網路和服務的整體安全狀態),你可以運行幾個命令,得到一些零碎的相關信息,但你需要解析的數據量是巨大的。

如果能運行一個工具,生成一份關於機器安全狀況的報告,那就好得多了。而幸運的是,有一個這樣的軟體:Lynis。它是一個非常流行的開源安全審計工具,可以幫助強化基於 Linux 和 Unix 的系統。根據該項目的介紹:

「它運行在系統本身,可以進行深入的安全掃描。主要目標是測試安全防禦措施,並提供進一步強化系統的提示。它還將掃描一般系統信息、易受攻擊的軟體包和可能的配置問題。Lynis 常被系統管理員和審計人員用來評估其系統的安全防禦。」

安裝 Lynis

你的 Linux 軟體倉庫中可能有 Lynis。如果有的話,你可以用以下方法安裝它:

dnf install lynis

apt install lynis

然而,如果你的倉庫中的版本不是最新的,你最好從 GitHub 上安裝它。(我使用的是 Red Hat Linux 系統,但你可以在任何 Linux 發行版上運行它)。就像所有的工具一樣,先在虛擬機上試一試是有意義的。要從 GitHub 上安裝它:

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.8 (Maipo)
$
$ uname  -r
3.10.0-1127.el7.x86_64
$
$ git clone https://github.com/CISOfy/lynis.git
Cloning into 'lynis'...
remote: Enumerating objects: 30, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (30/30), done.
remote: Total 12566 (delta 15), reused 8 (delta 0), pack-reused 12536
Receiving objects: 100% (12566/12566), 6.36 MiB | 911.00 KiB/s, done.
Resolving deltas: 100% (9264/9264), done.
$

一旦你克隆了這個版本庫,那麼進入該目錄,看看裡面有什麼可用的。主要的工具在一個叫 lynis 的文件里。它實際上是一個 shell 腳本,所以你可以打開它看看它在做什麼。事實上,Lynis 主要是用 shell 腳本來實現的:

$ cd lynis/
$ ls
CHANGELOG.md        CONTRIBUTING.md  db           developer.prf  FAQ             include  LICENSE  lynis.8  README     SECURITY.md
CODE_OF_CONDUCT.md  CONTRIBUTORS.md  default.prf  extras         HAPPY_USERS.md  INSTALL  lynis    plugins  README.md
$
$ file lynis
lynis: POSIX shell script, ASCII text executable, with very long lines
$

運行 Lynis

通過給 Lynis 一個 -h 選項來查看幫助部分,以便有個大概了解:

$ ./lynis -h

你會看到一個簡短的信息屏幕,然後是 Lynis 支持的所有子命令。

接下來,嘗試一些測試命令以大致熟悉一下。要查看你正在使用的 Lynis 版本,請運行:

$ ./lynis show version
3.0.0
$

要查看 Lynis 中所有可用的命令:

$ ./lynis show commands

Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only

$

審計 Linux 系統

要審計你的系統的安全態勢,運行以下命令:

$ ./lynis audit system

這個命令運行得很快,並會返回一份詳細的報告,輸出結果可能一開始看起來很嚇人,但我將在下面引導你來閱讀它。這個命令的輸出也會被保存到一個日誌文件中,所以你可以隨時回過頭來檢查任何可能感興趣的東西。

Lynis 將日誌保存在這裡:

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

你可以驗證是否創建了日誌文件。它確實創建了:

$ ls -l /var/log/lynis.log
-rw-r-----. 1 root root 341489 Apr 30 05:52 /var/log/lynis.log
$
$ ls -l /var/log/lynis-report.dat
-rw-r-----. 1 root root 638 Apr 30 05:55 /var/log/lynis-report.dat
$

探索報告

Lynis 提供了相當全面的報告,所以我將介紹一些重要的部分。作為初始化的一部分,Lynis 做的第一件事就是找出機器上運行的操作系統的完整信息。之後是檢查是否安裝了什麼系統工具和插件:

[+] Initializing program
---------------------------------  - Detecting OS...                                           [ DONE ]
  - Checking profiles...                                      [ DONE ]

  ------------------------------------------------  Program version:           3.0.0
  Operating system:          Linux
  Operating system name:     Red Hat Enterprise Linux Server 7.8 (Maipo)
  Operating system version:  7.8
  Kernel version:            3.10.0
  Hardware platform:         x86_64
  Hostname:                  example
  ------------------------------------------------<<截斷>>

[+] System Tools
---------------------------------  - Scanning available tools...
  - Checking system binaries...

[+] Plugins (phase 1)
--------------------------------- Note: plugins have more extensive tests and may take several minutes to complete

  - Plugin: pam
    [..]
  - Plugin: systemd
    [................]

接下來,該報告被分為不同的部分,每個部分都以 [+] 符號開頭。下面可以看到部分章節。(哇,要審核的地方有這麼多,Lynis 是最合適的工具!)

[+] Boot and services
[+] Kernel
[+] Memory and Processes
[+] Users, Groups and Authentication
[+] Shells
[+] File systems
[+] USB Devices
[+] Storage
[+] NFS
[+] Name services
[+] Ports and packages
[+] Networking
[+] Printers and Spools
[+] Software: e-mail and messaging
[+] Software: firewalls
[+] Software: webserver
[+] SSH Support
[+] SNMP Support
[+] Databases
[+] LDAP Services
[+] PHP
[+] Squid Support
[+] Logging and files
[+] Insecure services
[+] Banners and identification
[+] Scheduled tasks
[+] Accounting
[+] Time and Synchronization
[+] Cryptography
[+] Virtualization
[+] Containers
[+] Security frameworks
[+] Software: file integrity
[+] Software: System tooling
[+] Software: Malware
[+] File Permissions
[+] Home directories
[+] Kernel Hardening
[+] Hardening
[+] Custom tests

Lynis 使用顏色編碼使報告更容易解讀。

  • 綠色。一切正常
  • 黃色。跳過、未找到,可能有個建議
  • 紅色。你可能需要仔細看看這個

在我的案例中,大部分的紅色標記都是在 「Kernel Hardening」 部分找到的。內核有各種可調整的設置,它們定義了內核的功能,其中一些可調整的設置可能有其安全場景。發行版可能因為各種原因沒有默認設置這些,但是你應該檢查每一項,看看你是否需要根據你的安全態勢來改變它的值:

[+] Kernel Hardening
---------------------------------  - Comparing sysctl key pairs with scan profile
    - fs.protected_hardlinks (exp: 1)                         [ OK ]
    - fs.protected_symlinks (exp: 1)                          [ OK ]
    - fs.suid_dumpable (exp: 0)                               [ OK ]
    - kernel.core_uses_pid (exp: 1)                           [ OK ]
    - kernel.ctrl-alt-del (exp: 0)                            [ OK ]
    - kernel.dmesg_restrict (exp: 1)                          [ DIFFERENT ]
    - kernel.kptr_restrict (exp: 2)                           [ DIFFERENT ]
    - kernel.randomize_va_space (exp: 2)                      [ OK ]
    - kernel.sysrq (exp: 0)                                   [ DIFFERENT ]
    - kernel.yama.ptrace_scope (exp: 1 2 3)                   [ DIFFERENT ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)                  [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)                   [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1)                 [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)                [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)                    [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)                    [ OK ]
    - net.ipv4.conf.all.send_redirects (exp: 0)               [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0)      [ OK ]
    - net.ipv4.conf.default.log_martians (exp: 1)             [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)           [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)     [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)                        [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0 1)                      [ OK ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0)      [ OK ]

看看 SSH 這個例子,因為它是一個需要保證安全的關鍵領域。這裡沒有什麼紅色的東西,但是 Lynis 對我的環境給出了很多強化 SSH 服務的建議:

[+] SSH Support
---------------------------------  - Checking running SSH daemon                               [ FOUND ]
    - Searching SSH configuration                             [ FOUND ]
    - OpenSSH option: AllowTcpForwarding                      [ SUGGESTION ]
    - OpenSSH option: ClientAliveCountMax                     [ SUGGESTION ]
    - OpenSSH option: ClientAliveInterval                     [ OK ]
    - OpenSSH option: Compression                             [ SUGGESTION ]
    - OpenSSH option: FingerprintHash                         [ OK ]
    - OpenSSH option: GatewayPorts                            [ OK ]
    - OpenSSH option: IgnoreRhosts                            [ OK ]
    - OpenSSH option: LoginGraceTime                          [ OK ]
    - OpenSSH option: LogLevel                                [ SUGGESTION ]
    - OpenSSH option: MaxAuthTries                            [ SUGGESTION ]
    - OpenSSH option: MaxSessions                             [ SUGGESTION ]
    - OpenSSH option: PermitRootLogin                         [ SUGGESTION ]
    - OpenSSH option: PermitUserEnvironment                   [ OK ]
    - OpenSSH option: PermitTunnel                            [ OK ]
    - OpenSSH option: Port                                    [ SUGGESTION ]
    - OpenSSH option: PrintLastLog                            [ OK ]
    - OpenSSH option: StrictModes                             [ OK ]
    - OpenSSH option: TCPKeepAlive                            [ SUGGESTION ]
    - OpenSSH option: UseDNS                                  [ SUGGESTION ]
    - OpenSSH option: X11Forwarding                           [ SUGGESTION ]
    - OpenSSH option: AllowAgentForwarding                    [ SUGGESTION ]
    - OpenSSH option: UsePrivilegeSeparation                  [ OK ]
    - OpenSSH option: AllowUsers                              [ NOT FOUND ]
    - OpenSSH option: AllowGroups                             [ NOT FOUND ]

我的系統上沒有運行虛擬機或容器,所以這些顯示的結果是空的:

[+] Virtualization
---------------------------------
[+] Containers
---------------------------------

Lynis 會檢查一些從安全形度看很重要的文件的文件許可權:

[+] File Permissions
---------------------------------  - Starting file permissions check
    File: /boot/grub2/grub.cfg                                [ SUGGESTION ]
    File: /etc/cron.deny                                      [ OK ]
    File: /etc/crontab                                        [ SUGGESTION ]
    File: /etc/group                                          [ OK ]
    File: /etc/group-                                         [ OK ]
    File: /etc/hosts.allow                                    [ OK ]
    File: /etc/hosts.deny                                     [ OK ]
    File: /etc/issue                                          [ OK ]
    File: /etc/issue.net                                      [ OK ]
    File: /etc/motd                                           [ OK ]
    File: /etc/passwd                                         [ OK ]
    File: /etc/passwd-                                        [ OK ]
    File: /etc/ssh/sshd_config                                [ OK ]
    Directory: /root/.ssh                                     [ SUGGESTION ]
    Directory: /etc/cron.d                                    [ SUGGESTION ]
    Directory: /etc/cron.daily                                [ SUGGESTION ]
    Directory: /etc/cron.hourly                               [ SUGGESTION ]
    Directory: /etc/cron.weekly                               [ SUGGESTION ]
    Directory: /etc/cron.monthly                              [ SUGGESTION ]

在報告的底部,Lynis 根據報告的發現提出了建議。每項建議後面都有一個 「TEST-ID」(為了下一部分方便,請將其保存起來)。

 Suggestions (47):
  -------------------------  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
      https://cisofy.com/lynis/controls/KRNL-5820/

  * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]
      https://cisofy.com/lynis/controls/AUTH-9229/

Lynis 提供了一個選項來查找關於每個建議的更多信息,你可以使用 show details 命令和 TEST-ID 號來訪問:

./lynis show details TEST-ID

這將顯示該測試的其他信息。例如,我檢查了 SSH-7408 的詳細信息:

$ ./lynis show details SSH-7408
2020-04-30 05:52:23 Performing test ID SSH-7408 (Check SSH specific defined options)
2020-04-30 05:52:23 Test: Checking specific defined options in /tmp/lynis.k8JwazmKc6
2020-04-30 05:52:23 Result: added additional options for OpenSSH < 7.5
2020-04-30 05:52:23 Test: Checking AllowTcpForwarding in /tmp/lynis.k8JwazmKc6
2020-04-30 05:52:23 Result: Option AllowTcpForwarding found
2020-04-30 05:52:23 Result: Option AllowTcpForwarding value is YES
2020-04-30 05:52:23 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed
2020-04-30 05:52:23 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]

試試吧

如果你想更多地了解你的 Linux 機器的安全性,請試試 Lynis。如果你想了解 Lynis 是如何工作的,可以研究一下它的 shell 腳本,看看它是如何收集這些信息的。

via: https://opensource.com/article/20/5/linux-security-lynis

作者:Gaurav Kamathe 選題:lujun9972 譯者:wxy 校對:wxy

本文由 LCTT 原創編譯,Linux中國 榮譽推出


本文轉載來自 Linux 中國: https://github.com/Linux-CN/archive

對這篇文章感覺如何?

太棒了
0
不錯
0
愛死了
0
不太好
0
感覺很糟
0
雨落清風。心向陽

    You may also like

    Leave a reply

    您的電子郵箱地址不會被公開。 必填項已用 * 標註

    此站點使用Akismet來減少垃圾評論。了解我們如何處理您的評論數據

    More in:Linux中國