--- Sjoerd Hooft's InFormation Technology ---
lynis [2015/01/28 16:52] (current)
sjoerd created
= Linux Security Baseline with Lynis =

= Introduction =
Securing a Linux system can take a lot of time. For this purpose there is a tool called Lynis, a quick and small audit tool. It is open source and freely available. You just need root permissions and a common shell and you are ready to do your first audit. This page describes how to install and use it on a Red Hat system.

= EPEL Repository =
Lynis is part of the EPEL repository for Red Hat, so as long as you have the EPEL repository configured you can use yum to install the package.

In case you don't have EPEL (yet), follow these steps to add EPEL to your repositories:
* Download the EPEL repo package and key from http://mirror.serverbeheren.nl/epel/6/i386/repoview/epel-release.html
* Then import the key and install the package like this (import the key first, so rpm can verify the signature of the package before it is installed):
** rpm --import RPM-GPG-KEY-EPEL-6
** rpm -i epel-release-6-8.noarch.rpm
* If the server reaches the internet through a proxy, configure yum to use it by adding this line to the /etc/yum.conf file (the address below is my proxy, replace it with your own):
** {{{proxy=http://proxy.getshifting.com:8080}}}

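The EPEL steps above as one script, added here as an example (it is not from the original page): it imports the key before the release package is installed, lets rpm -K reject a package whose signature does not verify against an imported key (or that carries no signature at all), and adds the proxy line to yum.conf idempotently so the script can be rerun. The file names, the proxy URL and the path of yum.conf are the ones from the steps above; the install function only runs when RUN_EPEL_INSTALL=1 is set, because it needs root and the downloaded files.

```shell
#!/bin/bash
# Added example, not part of the original page: EPEL setup with the signing
# key imported before the release package, a signature check with rpm -K, and
# an idempotent proxy= line in yum.conf. Assumes the package and key files
# from the page (epel-release-6-8.noarch.rpm, RPM-GPG-KEY-EPEL-6) are in the
# current directory and that yum.conf only has a [main] section, so a line
# appended at the end lands in [main].
set -u

# Add a proxy= line to a yum.conf-style file, or rewrite the existing one.
# Running it twice with the same URL leaves exactly one proxy= line.
add_yum_proxy() {
    local conf="$1" url="$2"
    if grep -q '^proxy=' "$conf"; then
        sed -i "s#^proxy=.*#proxy=${url}#" "$conf"
    else
        printf 'proxy=%s\n' "$url" >> "$conf"
    fi
}

# Number of proxy= lines in a conf file (0 when there are none).
count_proxy_lines() {
    grep -c '^proxy=' "$1" || true
}

# Import the EPEL key, then install the release package only if its
# signature verifies against an imported key. Needs root.
# rpm -K exits non-zero for a bad signature or a missing key; an unsigned
# package still passes (digests only), so the output must also mention pgp.
install_epel_release() {
    local rpm_file="$1" key_file="$2" out
    rpm --import "$key_file" || { echo "key import failed" >&2; return 1; }
    if ! out=$(rpm -K "$rpm_file"); then
        echo "signature check failed: $out" >&2
        return 1
    fi
    case "$out" in
        *[pP][gG][pP]*) ;;
        *) echo "package is not signed: $out" >&2; return 1 ;;
    esac
    rpm -i "$rpm_file"
}

# Demo on a scratch copy of yum.conf; the real install runs only on request.
SCRATCH=$(mktemp) || exit 1
printf '[main]\ncachedir=/var/cache/yum/$basearch/$releasever\n' > "$SCRATCH"
add_yum_proxy "$SCRATCH" http://proxy.getshifting.com:8080
add_yum_proxy "$SCRATCH" http://proxy.getshifting.com:8080   # second run: still one line
echo "proxy lines in scratch copy: $(count_proxy_lines "$SCRATCH")"
rm -f "$SCRATCH"

if [ "${RUN_EPEL_INSTALL:-0}" = 1 ]; then
    install_epel_release epel-release-6-8.noarch.rpm RPM-GPG-KEY-EPEL-6 \
        && add_yum_proxy /etc/yum.conf http://proxy.getshifting.com:8080
fi
```

Before importing the key, compare its fingerprint with the one the EPEL project publishes; a key fetched from a mirror over plain http is only as trustworthy as that comparison.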
= Install =
You can install lynis now using yum. At the time of writing this package version is available:

<code>
[sjoerd@rhmgmtsrv ~]$ sudo yum info lynis
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Available Packages
Name        : lynis
Arch        : noarch
Version     : 1.6.4
Release     : 1.el6
Size        : 160 k
Repo        : epel
Summary     : Security and system auditing tool
URL         : http://cisofy.com/lynis/
License     : GPLv3
Description : Lynis is an auditing and hardening tool for Unix/Linux and you might even call
            : it a compliance tool. It scans the system and installed software. Then it
            : performs many individual security control checks. It determines the hardening
            : state of the machine, detects security issues and provides suggestions to
            : improve the security defense of the system.
</code>

Now install the package:
<code>
[sjoerd@rhmgmtsrv ~]$ sudo yum install lynis
Loaded plugins: product-id, refresh-packagekit, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
Setting up Install Process
rhel-6-server-eus-rpms                                   | 3.2 kB     00:00
rhel-6-server-optional-rpms                              | 3.5 kB     00:00
rhel-6-server-rpms                                       | 3.7 kB     00:00
rhel-server-dts-6-rpms                                   | 2.9 kB     00:00
rhel-server-dts2-6-rpms                                  | 2.9 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package lynis.noarch 0:1.6.4-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch           Version              Repository         Size
================================================================================
Installing:
 lynis            noarch         1.6.4-1.el6          epel              160 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 160 k
Installed size: 862 k
Is this ok [y/N]: y
Downloading Packages:
lynis-1.6.4-1.el6.noarch.rpm                             | 160 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : lynis-1.6.4-1.el6.noarch                                    1/1
rhel-6-server-eus-rpms/productid                         | 1.7 kB     00:00
rhel-6-server-rpms/productid                             | 1.7 kB     00:00
  Verifying  : lynis-1.6.4-1.el6.noarch                                    1/1

Installed:
  lynis.noarch 0:1.6.4-1.el6

Complete!
</code>

= First Time Use =
For the first time it is recommended to run Lynis manually, as root (sudo), because many of its checks need root access to the files and settings they inspect. You can do this in two ways, pausing after every section or without pausing:

* Manually, pausing after every section ({{{-c}}} is short for {{{--check-all}}}):
** sudo lynis -c
* Manually without pausing ({{{-Q}}} is short for {{{--quick}}}):
** sudo lynis -c -Q

Either way this triggers output like this (somewhat trimmed):
<code>
[sjoerd@rhmgmtsrv ~]$ sudo lynis -c

[ Lynis 1.6.4 ]

################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.

Copyright 2007-2014 - CISOfy & Michael Boelen, http://cisofy.com
Enterprise support and plugins available via CISOfy - http://cisofy.com
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Clearing log file (/var/log/lynis.log)...                 [ DONE ]

  ---------------------------------------------------
  Program version:           1.6.4
  Operating system:          Linux
  Operating system name:     Red Hat
  Operating system version:  Red Hat Enterprise Linux Server release 6.5 (Santiago)
  Kernel version:            2.6.32
  Hardware platform:         x86_64
  Hostname:                  rhmgmtsrv
  Auditor:                   [Unknown]
  Profile:                   /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /usr/share/lynis/plugins
  ---------------------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

  - Checking profile file (/etc/lynis/default.prf)...
  - Program update status...                                  [ UNKNOWN ]

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
    - /bin                                                    [ FOUND ]
    - /sbin                                                   [ FOUND ]
    - /usr/bin                                                [ FOUND ]
    - /usr/sbin                                               [ FOUND ]
    - /usr/local/bin                                          [ FOUND ]
    - /usr/local/sbin                                         [ FOUND ]
    - /usr/local/libexec                                      [ FOUND ]
    - /usr/libexec                                            [ FOUND ]

...<cut>...

================================================================================

  -[ Lynis 1.6.4 Results ]-

  Warnings:
  ----------------------------
  - Nameserver 172.18.10.11 does not respond [NETW-2704]
      http://cisofy.com/controls/NETW-2704/

  - Nameserver 172.16.110.1 does not respond [NETW-2704]
      http://cisofy.com/controls/NETW-2704/

  - Couldn't find 2 responsive nameservers [NETW-2705]
      http://cisofy.com/controls/NETW-2705/

  Suggestions:
  ----------------------------
  - Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
      http://cisofy.com/controls/BOOT-5122/
...<cut>...
  - Harden the system by installing one or malware scanners to perform periodic file system scans [HRDN-7230]
      http://cisofy.com/controls/HRDN-7230/

  Follow-up:
  ----------------------------
  - Check the logfile (less /var/log/lynis.log)
  - Read security controls texts (http://cisofy.com)
  - Use --upload to upload data (Lynis Enterprise users)

================================================================================
  Lynis Scanner (details):

  Hardening index : 54 [##########          ]
  Tests performed : 194
  Plugins enabled : 0

  Lynis Modules:
  - Heuristics Check [NA] - Security Audit [V] - Vulnerability Scan [V]

  Compliance Checks:
  - HIPAA [NA] - PCI [NA] - SOx [NA]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
================================================================================
  Tip: Disable all tests which are not relevant or are too strict for the
       purpose of this particular machine. This will remove unwanted suggestions
       and also boost the hardening index. Each test should be properly analyzed
       to see if the related risks can be accepted, before disabling the test.
================================================================================
  Lynis 1.6.4
  Copyright 2007-2014 - CISOfy & Michael Boelen, http://cisofy.com
  Enterprise support and plugins available via CISOfy - http://cisofy.com
================================================================================

</code>
 +
There are a few warnings and suggestions that will have to be solved, or excluded from testing. Either way, you should work with your security department to get it right: every excluded test is a risk that someone has to accept explicitly, and excluding tests raises the hardening index without making the host any safer. Solving the issues is out of scope of this page, but for excluding tests see below.

= How to Exclude a Test =

...


= Run Lynis Periodically =
I want to run the Lynis test weekly so I can check every week for things that have changed over the week. Also, I want to create a monthly report of just the warnings to send to the security department.

Either way the screen output has to be usable as a report. For this I downloaded the ansi2html.sh script from [[http://www.pixelbeat.org/scripts/ansi2html.sh|here]] and placed it in /adminscripts. Don't forget to make it executable with {{{sudo chmod 750 ansi2html.sh}}}. Keep in mind that the report lists the weaknesses of the host, so only mail it to the people who need it.

== Run Lynis Weekly ==
Then in /adminscripts create a script using {{{sudo vi lynisrun}}} with these lines. The work files go into a private directory created with mktemp instead of under predictable names in /tmp (a fixed /tmp/lynisupdate.* name could be pre-created or symlinked by any local user before the root cron job writes to it), and the cleanup trap only removes that directory instead of every /tmp/lynisupdate.* file on the host:
<code bash>
#!/bin/bash
# Weekly Lynis run: audit the host, convert the coloured output to HTML and mail it.
MAILTO="sjoerd_ @_ getshifting.com,it-department _@_ getshifting.com"

# Private, unpredictable work directory (only root can read it)
WORKDIR=$(mktemp -d /tmp/lynisrun.XXXXXX) || exit 1
STAMP=$(hostname).$(date +%Y%m%d%H%M)
LYNISFILE=${WORKDIR}/lynisupdate.${STAMP}.lynis
HTMLFILE=${WORKDIR}/lynisupdate.${STAMP}.html

# Remove only our own work directory on exit or interrupt
trap 'rm -rf "${WORKDIR}"' 0 2 3 15

# Check all, quick mode (no pauses), auditor name recorded in the report
/usr/bin/lynis -c -Q --auditor "automated" > "${LYNISFILE}"
/adminscripts/ansi2html.sh --bg=dark < "${LYNISFILE}" > "${HTMLFILE}"

# Mail report
echo "See attachment" | mailx -s "Weekly Lynis security check $(date) for $(hostname)" -a "${HTMLFILE}" $MAILTO
</code>

Then make the file executable using {{{sudo chmod 750 lynisrun}}} and schedule it in root's crontab using {{{sudo crontab -e}}}:
<code>
# Run lynis every Monday at 05:00
0 5 * * 1 /adminscripts/lynisrun
</code>
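The results section above ends with the report data file /var/log/lynis-report.dat, and the monthly mail to the security department should contain only the warnings. The script below is an added example, not part of the original page or of Lynis itself: it builds a warnings-only summary from one or more report files (one per server) and lists the warnings that are new compared with the previous week's report, which is the "what changed over the week" check. It assumes the report file consists of key=value lines, that warnings are stored under the key warning[] and suggestions under suggestion[] with the test ID as the first '|'-separated field, and that the host name and hardening index are stored under the keys hostname and hardening_index; verify this against your own report file. The sample report contents are constructed from the results shown above, and since the fields after the test ID differ between Lynis versions the functions only rely on the key and the ID.

```shell
#!/bin/bash
# Added example, not part of the original page or of Lynis: summarise the
# warnings in lynis-report.dat files and report warnings that are new since
# a previous run. Assumed report layout (verify against your own
# /var/log/lynis-report.dat): key=value lines, warnings under the key
# "warning[]" and suggestions under "suggestion[]", value fields separated
# by '|' with the test ID first; scalar keys "hostname" and "hardening_index".
set -u

# Print "TEST-ID  rest of the line" for every warning in a report file.
# Only the key and the first field are relied on, so the layout of the
# fields after the ID (text, severity, details) does not matter.
report_warnings() {
    awk '
        sub(/^warning\[\]=/, "") {
            id = $0
            sub(/[|].*/, "", id)          # first field: test ID
            sub(/^[^|]*[|]/, "")          # drop the ID field from the line
            sub(/[|]+$/, "")              # drop trailing empty fields
            print id "  " $0
        }' "$1"
}

# Number of warnings in a report file (0 when there are none).
warning_count() {
    grep -c '^warning\[\]=' "$1" || true
}

# Value of a scalar key, e.g. report_value FILE hardening_index.
report_value() {
    sed -n "s/^$2=//p" "$1"
}

# Test IDs that are warnings in NEW but not in OLD. The old=1 / old=0
# operands mark which file awk is reading, so an empty OLD file is handled.
new_warnings() {
    awk '
        old == 1 {
            if (sub(/^warning\[\]=/, "")) { sub(/[|].*/, ""); seen[$0] = 1 }
            next
        }
        sub(/^warning\[\]=/, "") {
            sub(/[|].*/, "")
            if (!($0 in seen) && !dup[$0]++) print
        }' old=1 "$1" old=0 "$2"
}

# Warnings-only summary for one or more report files (one per server).
warnings_summary() {
    local f
    for f in "$@"; do
        printf '%s (hardening index %s): %s warning(s)\n' \
            "$(report_value "$f" hostname)" "$(report_value "$f" hardening_index)" \
            "$(warning_count "$f")"
        report_warnings "$f"
        echo
    done
}

# Constructed sample reports, based on the results shown on this page.
SAMPLE_OLD='lynis_version=1.6.4
hostname=rhmgmtsrv
hardening_index=52
warning[]=NETW-2704|Nameserver 172.18.10.11 does not respond|
warning[]=NETW-2704|Nameserver 172.16.110.1 does not respond|
suggestion[]=BOOT-5122|Set a password on GRUB bootloader to prevent altering boot configuration|'
SAMPLE_NEW="lynis_version=1.6.4
hostname=rhmgmtsrv
hardening_index=54
warning[]=NETW-2704|Nameserver 172.18.10.11 does not respond|
warning[]=NETW-2704|Nameserver 172.16.110.1 does not respond|
warning[]=NETW-2705|Couldn't find 2 responsive nameservers|
suggestion[]=BOOT-5122|Set a password on GRUB bootloader to prevent altering boot configuration|
suggestion[]=HRDN-7230|Harden the system by installing one or malware scanners to perform periodic file system scans|"

# Demo on the constructed samples; in production pass the real report files,
# e.g. a copy of last week's lynis-report.dat and the current one.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' 0
printf '%s\n' "$SAMPLE_OLD" > "$WORK/last-week.dat"
printf '%s\n' "$SAMPLE_NEW" > "$WORK/this-week.dat"
warnings_summary "$WORK/this-week.dat"
echo "New warnings since last week:"
new_warnings "$WORK/last-week.dat" "$WORK/this-week.dat"
```

To keep a per-server history, copy /var/log/lynis-report.dat to a dated file from the weekly cron job (Lynis overwrites it on every run) and feed the summary function the latest file of every server; the output is plain text, so it can go straight into the body of the monthly mail instead of an attachment.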

= Run Lynis Monthly with only a Summary for Multiple Servers =

....

= Resources =
http://linux-audit.com/securing-linux-audit-lynis/
http://cisofy.com

{{tag>scripts redhat linux security}}
  
lynis.txt · Last modified: 2015/01/28 16:52 by sjoerd