Linuxでセキュリティに問題のある箇所を教えてくれる監査ツール『LYNIS』
Pocket

今回は、Linuxのセキュリティに問題のある設定、状態を指摘してくれるツール『LYNIS』を紹介する。
セキュリティに問題がある設定とは、パスワードの無いユーザが存在していたり、パーティションの設定で問題のあるファイルの有無などが該当する。

Lynis – Security auditing tool for Unix/Linux systems

http://rootkit.nl/projects/lynis.html

さて、早速インストールして使ってみよう。

1.インストール

以下のコマンドを実行し、インストールを行う。

$ sudo apt-get install lynis (Debian/Ubuntuの場合)
$ sudo yum install lynis (RHEL系の場合)
Sponsored Links

2.コマンドの実行

さて、それでは実際にコマンドを実行してみよう。
注意したい点として、このコマンドはroot権限が必要となるため、rootユーザもしくはsudoをつけて実行を行う必要がある。
オプション無しで実行すると、ヘルプ情報が表示される。

[root@test-centos ~]# lynis

[ Lynis 1.5.9 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See the LICENSE file for details about using this software.

 Copyright 2007-2014 - Michael Boelen, http://cisofy.com
 Enterprise support and plugins available via CISOfy - http://cisofy.com
################################################################################

[+] Initializing program
------------------------------------
  Scan options:
    --auditor "<name>"            : Auditor name
    --check-all (-c)              : Check system
    --no-log                      : Don't create a log file
    --profile <profile>           : Scan the system with the given profile file
    --quick (-Q)                  : Quick mode, don't wait for user input
    --tests "<tests>"             : Run only tests defined by <tests>
    --tests-category "<category>" : Run only tests defined by <category>

  Layout options:
    --no-colors                   : Don't use colors in output
    --quiet (-q)                  : No output, except warnings
    --reverse-colors              : Optimize color display for light backgrounds

  Misc options:
    --check-update                : Check for updates
    --debug                       : Debug logging to screen
    --view-manpage (--man)        : View man page
    --version (-V)                : Display version number and quit

  Enterprise options:
    --plugin-dir "<path">         : Define path of available plugins
    --upload                      : Upload data to central node

  Error: No parameters specified!
  See man page and documentation for all available options.

Exiting..

スクリーンショット 2014-09-28 01.39.46

Scan optionsの箇所を見ると、フルチェックは「-c」オプションで実行できるようだ。

それでは、実際にやってみよう。

[root@test-centos ~]# lynis -c

[ Lynis 1.5.9 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See the LICENSE file for details about using this software.

 Copyright 2007-2014 - Michael Boelen, http://cisofy.com
 Enterprise support and plugins available via CISOfy - http://cisofy.com
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Clearing log file (/var/log/lynis.log)...                 [ DONE ]

  ---------------------------------------------------
  Program version:           1.5.9
  Operating system:          Linux
  Operating system name:     CentOS
  Operating system version:  CentOS release 6.5 (Final)
  Kernel version:            2.6.32-431.11.2.el6.x86_64
  Hardware platform:         x86_64
  Hostname:                  test-centos
  Auditor:                   [Unknown]
  Profile:                   /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /usr/share/lynis/plugins
  ---------------------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

スクリーンショット 2014-09-28 01.46.24

まずはOSの基本的な情報が表示される。
それ以降の情報を表示させるにはEnterキー、途中でキャンセルするならばCtrl + Cキーを押下する。

以下、それ以降の情報のサンプル

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
    - Checking /bin...                                        [ FOUND ]
    - Checking /sbin...                                       [ FOUND ]
    - Checking /usr/bin...                                    [ FOUND ]
    - Checking /usr/sbin...                                   [ FOUND ]
    - Checking /usr/local/bin...                              [ FOUND ]
    - Checking /usr/local/sbin...                             [ FOUND ]
    - Checking /usr/local/libexec...                          [ FOUND ]
    - Checking /usr/libexec...                                [ FOUND ]
    - Checking /usr/sfw/bin...                                [ NOT FOUND ]
    - Checking /usr/sfw/sbin...                               [ NOT FOUND ]
    - Checking /usr/sfw/libexec...                            [ NOT FOUND ]
    - Checking /opt/sfw/bin...                                [ NOT FOUND ]
    - Checking /opt/sfw/sbin...                               [ NOT FOUND ]
    - Checking /opt/sfw/libexec...                            [ NOT FOUND ]
    - Checking /usr/xpg4/bin...                               [ NOT FOUND ]
    - Checking /usr/css/bin...                                [ NOT FOUND ]
    - Checking /usr/ucb...                                    [ NOT FOUND ]
    - Checking /usr/X11R6/bin...                              [ NOT FOUND ]
    - Checking /usr/X11R7/bin...                              [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

(省略)

スクリーンショット 2014-09-28 01.46.47

最終的に、以下のように対応策を表示してくれる。

================================================================================

  -[ Lynis 1.5.9 Results ]-

  Warnings:
  ----------------------------
  - No password set on GRUB bootloader [BOOT-5121]
      http://cisofy.com/controls/BOOT-5121/

  - No password set for single mode [AUTH-9308]
      http://cisofy.com/controls/AUTH-9308/

  - Possible incorrect mount options used for swap parition (/dev/mapper/vg_testcentos-lv_swap) [FILE-6336]
      http://cisofy.com/controls/FILE-6336/

  - Couldn't find 2 responsive nameservers [NETW-2705]
      http://cisofy.com/controls/NETW-2705/

  - No MySQL root password set [DBS-1816]
      http://cisofy.com/controls/DBS-1816/

  Suggestions:
  ----------------------------
  - Run chkconfig --list to see all services and disable unneeded services
      http://cisofy.com/controls/[01:58:54 Suggestion: Run chkconfig --list to see all services and disable unneeded services/
  - Configure password aging limits to enforce password changing on a regular base [AUTH-9286]
      http://cisofy.com/controls/AUTH-9286/
  - Set password for single user mode to minimize physical access attack surface [AUTH-9308]
      http://cisofy.com/controls/AUTH-9308/
  - Default umask in /etc/profile could be more strict like 027 [AUTH-9328]
      http://cisofy.com/controls/AUTH-9328/
  - To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
      http://cisofy.com/controls/FILE-6310/
  - Check your /etc/fstab file. Swap parition usually have 'sw' in the options field (4th). [FILE-6336]
      http://cisofy.com/controls/FILE-6336/
  - Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
      http://cisofy.com/controls/STRG-1840/
  - Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
      http://cisofy.com/controls/STRG-1846/
  - Check DNS configuration for the dns domain name [NAME-4028]
      http://cisofy.com/controls/NAME-4028/
  - Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404]
      http://cisofy.com/controls/NAME-4404/
  - Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705]
      http://cisofy.com/controls/NETW-2705/
  - Access to CUPS configuration could be more strict. [PRNT-2307]
      http://cisofy.com/controls/PRNT-2307/
  - Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590]
      http://cisofy.com/controls/FIRE-4590/
  - Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
      http://cisofy.com/controls/HTTP-6640/
  - Install Apache mod_qos to guard webserver against Slowloris attacks [HTTP-6641]
      http://cisofy.com/controls/HTTP-6641/
  - Install Apache mod_spamhaus to guard webserver against spammers [HTTP-6642]
      http://cisofy.com/controls/HTTP-6642/
  - Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
      http://cisofy.com/controls/HTTP-6643/
  - Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD) [DBS-1816]
      http://cisofy.com/controls/DBS-1816/
  - Check what deleted files are still in use and why. [LOGG-2190]
      http://cisofy.com/controls/LOGG-2190/
  - Add legal banner to /etc/motd, to warn unauthorized users [BANN-7122]
      http://cisofy.com/controls/BANN-7122/
  - Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
      http://cisofy.com/controls/BANN-7126/
  - Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
      http://cisofy.com/controls/BANN-7130/
  - Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630]
      http://cisofy.com/controls/ACCT-9630/
  - Check ntpq peers output for unreliable ntp peers and correct/replace them [TIME-3120]
      http://cisofy.com/controls/TIME-3120/
  - Some time servers missing in step-tickers file [TIME-3160]
      http://cisofy.com/controls/TIME-3160/
  - Install a file integrity tool [FINT-4350]
      http://cisofy.com/controls/FINT-4350/
  - One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
      http://cisofy.com/controls/KRNL-6000/
  - Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [HRDN-7220]
      http://cisofy.com/controls/HRDN-7220/
  - Harden compilers and restrict access to world [HRDN-7222]
      http://cisofy.com/controls/HRDN-7222/
  - Harden the system by installing one or malware scanners to perform periodic file system scans [HRDN-7230]
      http://cisofy.com/controls/HRDN-7230/

  Follow-up:
  ----------------------------
  - Check the logfile (less /var/log/lynis.log)
  - Read security controls texts (http://cisofy.com)
  - Use --upload to upload data (Lynis Enterprise users)

================================================================================

スクリーンショット 2014-09-28 02.02.50

なお、「-Q」オプションを付与することでユーザ入力を省略できるようだ。
実行結果のログは「/var/log/lynis-report.dat」に格納されている。

うーん、結構便利な感じ?

なお、より細かく知りたい場合はこちらのブログを参考にすると良いだろう。

Pocket

Written by blacknon

インフラ系のSE。一時期はプログラマ。 仮想化とオープンソースに興味あり。一日中寝てたい今日このごろ。 スペインとかで働きたいなぁ…(シエスタがあるので)

Leave a Comment

メールアドレスが公開されることはありません。