Lynis user manual

0x00 Overview

Lynis is a security auditing and hardening tool for Unix systems. It performs in-depth security scans with the aim of detecting potential problems and offering advice for further hardening of the system. The tool scans general system information, vulnerable software packages and potential misconfigurations.

It is aimed at system administrators, auditors, security officers and security specialists.

Features:

  1. Vulnerability scanning
  2. System hardening
  3. Intrusion detection
  4. Central management
  5. Custom behaviour planning
  6. Reporting
  7. Security dashboard
  8. Continuous monitoring
  9. Technical support

Goals:

  1. Automated security auditing
  2. Compliance testing
  3. Vulnerability detection

Helps with:

  1. Configuration management
  2. Software patch management
  3. System hardening
  4. Penetration testing
  5. Malware scanning
  6. Intrusion detection

0x01 Installation

See the official manual directly: Installation

0x02 Usage

Change into the lynis directory and run ./lynis.

For a full scan of the system we normally run ./lynis audit system. In this mode the scan produces a series of interactive prompts, so it cannot run unattended.

We therefore append the -Q parameter (quick scan), which lets the scan run automatically.

The commonly used lynis parameters are:

Parameter                        Short  Description
--auditor "Given name Surname"          Set the auditor's name
--checkall                       -c     Start the check
--check-update                          Check for updates
--cronjob                               Run as a cron job (includes -c -Q)
--help                           -h     Help
--manpage                               User manual
--nocolors                              No colours
--pentest                               Penetration-test scan with low (non-root) privileges
--quick                          -Q     Automatic (non-interactive) mode
--quiet                                 Quiet and automatic mode
--reverse-colors                        Colour scheme for light backgrounds
--version                        -V     Version number

If deeper checks are required, lynis may need to run with root privileges. For that, all we need is

sudo cp -R /path/to/lynis /usr/local/lynis

which places the lynis files under root ownership; the deeper checks can then be performed.

0x03 Audit report & log

Lynis performs an in-depth audit and presents its findings on standard output, in a log file and in an audit report file.

Standard output

When we run lynis, the results of the audit are printed on screen; each test result is shown as [OK or WARNING] [Found or Not Found] [Value]. (The screenshot from the original post is not reproduced here.)

Log file

After the scan completes, a log file and a scan report are produced. Compared with the standard output, the log file contains more information, which is useful for deeper inspection.

The log records the execution time of each action, the reason a test failed or was skipped, the output of internal tests, suggestions on how to change inappropriate configuration options, and a threat index.

We grep this file to view its warnings (WARNING) and suggestions (SUGGESTION):

# grep Warning /var/log/lynis.log
[11:12:37] Warning: apt-get check returned a non successful exit code. [test:PKGS-7390] [details:M] [solution:-]
[11:13:41] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [details:L] [solution:-]
[11:13:43] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [details:M] [solution:-]
# grep Suggestion /var/log/lynis.log
[11:12:26] Suggestion: Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [test:BOOT-5122] [details:-] [solution:-]
[11:12:27] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262] [details:-] [solution:-]
[11:12:27] Suggestion: Configure minimum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
[11:12:27] Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
[11:12:28] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]
[11:12:28] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]
[11:12:28] Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310] [details:-] [solution:-]
[11:12:28] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310] [details:-] [solution:-]
[11:12:28] Suggestion: To decrease the impact of a full /var file system, place /var on a separated partition [test:FILE-6310] [details:-] [solution:-]
[11:12:28] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840] [details:-] [solution:-]
[11:12:28] Suggestion: Disable USB devices authorization, to prevent unauthorized storage or data theft [test:STRG-1840] [details:-] [solution:-]
[11:12:36] Suggestion: Purge old/removed packages (5 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [test:PKGS-7346] [details:-] [solution:-]
[11:12:36] Suggestion: Install debsums utility for the verification of packages with known good database. [test:PKGS-7370] [details:-] [solution:-]
[11:12:37] Suggestion: Run apt-get to perform a manual package database consistency check. [test:PKGS-7390] [details:-] [solution:-]
[11:13:40] Suggestion: Check if system is up-to-date, security updates test (apt-check) gives an unexpected result [test:PKGS-7392] [details:-] [solution:-]
[11:13:40] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394] [details:-] [solution:-]
[11:13:41] Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705] [details:-] [solution:-]
[11:13:41] Suggestion: Install ARP monitoring software like arpwatch [test:NETW-3032] [details:-] [solution:-]
[11:13:41] Suggestion: Access to CUPS configuration could be more strict. [test:PRNT-2307] [details:-] [solution:-]
[11:13:41] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590] [details:-] [solution:-]
[11:13:42] Suggestion: Install Apache mod_evasive to guard webserver against DoS/brute force attempts [test:HTTP-6640] [details:-] [solution:-]
[11:13:42] Suggestion: Install Apache mod_qos to guard webserver against Slowloris attacks [test:HTTP-6641] [details:-] [solution:-]
[11:13:42] Suggestion: Install Apache mod_spamhaus to guard webserver against spammers [test:HTTP-6642] [details:-] [solution:-]
[11:13:42] Suggestion: Install Apache modsecurity to guard webserver against web application attacks [test:HTTP-6643] [details:-] [solution:-]
[11:13:43] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372] [details:-] [solution:-]
[11:13:43] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376] [details:-] [solution:-]
[11:13:44] Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]
[11:13:44] Suggestion: Although inetd is not running, make sure no services are enabled in /etc/inetd.conf [test:INSE-8006] [details:-] [solution:-]
[11:13:44] Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
[11:13:44] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130] [details:-] [solution:-]
[11:13:44] Suggestion: Enable process accounting [test:ACCT-9622] [details:-] [solution:-]
[11:13:44] Suggestion: Enable sysstat to collect accounting (no results) [test:ACCT-9626] [details:-] [solution:-]
[11:13:44] Suggestion: Enable auditd to collect audit information [test:ACCT-9628] [details:-] [solution:-]
[11:13:45] Suggestion: Determine if automation tools are present for system management [test:TOOL-5002] [details:-] [solution:-]
[11:13:45] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000] [details:-] [solution:-]
[11:13:45] Suggestion: Harden compilers like restricting access to root user only [test:HRDN-7222] [details:-] [solution:-]
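As an added example (not code from the original post or from the Lynis project), a small POSIX shell/awk parser for the "[time] Warning: ... [test:ID] [details:X] [solution:-]" lines that grep extracts above; the sample lines are constructed in that format, and the function names lynis_findings, count_findings and paired_test_ids are mine:

```shell
#!/bin/sh
# Added example: turn Warning/Suggestion lines from /var/log/lynis.log into
# "kind;test-id;details;message" records that are easier to sort and triage.

# Constructed sample lines (not a real audit), in the format grep shows above.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[11:12:26] Suggestion: Set a password on GRUB bootloader to prevent altering boot configuration [test:BOOT-5122] [details:-] [solution:-]
[11:12:37] Warning: apt-get check returned a non successful exit code. [test:PKGS-7390] [details:M] [solution:-]
[11:13:41] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [details:L] [solution:-]
[11:13:43] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [details:M] [solution:-]
[11:13:43] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372] [details:-] [solution:-]
[11:13:44] Action: Performing test ID ACCT-9622 (constructed non-finding line, must be ignored)
EOF

# One record per Warning/Suggestion line; other log lines are skipped.
lynis_findings() {
  awk '
    /^\[[0-9:]+\] (Warning|Suggestion): / {
      kind = $2; sub(/:$/, "", kind)
      id = ""; det = "-"
      if (match($0, /\[test:[^]]+\]/))    id  = substr($0, RSTART + 6, RLENGTH - 7)
      if (match($0, /\[details:[^]]+\]/)) det = substr($0, RSTART + 9, RLENGTH - 10)
      msg = $0
      sub(/^\[[0-9:]+\] (Warning|Suggestion): /, "", msg)   # drop time + kind
      sub(/ \[test:.*$/, "", msg)                            # drop trailing tags
      print kind ";" id ";" det ";" msg
    }' "$1"
}

# Number of findings of one kind ("Warning" or "Suggestion").
count_findings() { lynis_findings "$1" | grep -c "^$2;"; }

# Test IDs that raised both a warning and a suggestion: the suggestion usually
# tells you how to fix the warning, so pair them when working through the log.
paired_test_ids() {
  lynis_findings "$1" | cut -d';' -f1,2 | sort -u | cut -d';' -f2 | sort | uniq -d
}
```

Point the functions at /var/log/lynis.log instead of $SAMPLE_LOG to run them on a real audit.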

Audit report

After the audit has run, lynis collects its findings together with other data points and stores them in the report file. This file is harder to read: it uses the form name=value, and when one data item has several values, [] is appended to its name. (The screenshot from the original post is not reproduced here.)

With Lynis Enterprise, additional report formats can be produced.
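As an added example (not the original post's or Lynis's own code), a few shell helpers that read the name=value / name[]=value report format just described and turn it into a pass/fail check suitable for a scheduled scan; the sample report is constructed, and the key names and the pipe-separated layout inside each value are assumptions made for this example:

```shell
#!/bin/sh
# Added example: query a Lynis-style report file (name=value, name[]=value).

# Constructed sample report (not real audit data). Key names and the
# "TESTID|message|details|solution" field layout are assumptions for the example.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
# constructed sample report
hostname=example-host
hardening_index=64
warning[]=PKGS-7390|apt-get check returned a non successful exit code|-|
warning[]=PHP-2372|PHP option expose_php is possibly turned on|-|
suggestion[]=BOOT-5122|Set a password on GRUB bootloader|-|
suggestion[]=PHP-2372|Change the expose_php line to: expose_php = Off|-|
EOF

# Value of a single-valued key (comments skipped, first match wins).
report_get() { grep -v '^#' "$1" | grep "^$2=" | head -n 1 | cut -d= -f2-; }

# Every value of a multi-valued key, i.e. each "name[]=" line, one per line.
report_list() { grep -v '^#' "$1" | grep "^$2\[\]=" | cut -d= -f2-; }

# Number of entries recorded for a multi-valued key.
report_count() { report_list "$1" "$2" | grep -c .; }

# First pipe-separated field of each entry: the test IDs, de-duplicated.
report_test_ids() { report_list "$1" "$2" | cut -d'|' -f1 | sort -u; }

# Triage rule for an unattended (--cronjob) run: succeed only when the
# hardening index reaches the threshold AND no warning was recorded.
report_check() {
  idx=$(report_get "$1" hardening_index)
  [ "${idx:-0}" -ge "$2" ] && [ "$(report_count "$1" warning)" -eq 0 ]
}
```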

0x04 Profiles

Different profiles can be tailored to different operating systems, system roles and security levels. If no profile is specified with --profile, the default profile default.prf is used. We can edit this default profile to suit our needs.

0x05 Plugins

While the normal lynis controller runs its independent tests and shares their output, plugins gather information. That information is then collected and processed, after which security intelligence can be applied to the collected data and correlated at a central node.

Lynis can extend its functionality through modular plugin support.

Phase 1

Phase 1 is plugin initialisation; the plugin can hook into existing tests and gather information.

Phase 2

After the tests have finished, plugins get a final chance to complete their work. A plugin can also be used on its own, running only in phase 1.

Enabling a plugin

Enable a plugin in the profile with: plugin=<plugin_name>

0x06 Lynis Enterprise

A licence key must be purchased. The Enterprise edition adds further features such as plugins, a central management system, custom reports and a security dashboard. Its user interface is web-based.

0x07 Strengths and weaknesses

Strengths

  1. Open source
  2. Multi-platform
  3. Produces warnings and suggestions
  4. Integrates a large number of audit modules for a varied audit of the operating system
  5. Supports modules, so custom scans are possible
  6. The Enterprise edition has a web interface

Weaknesses

  1. No single audit item goes very deep; specific extensions are needed
  2. Many features require the Enterprise edition, which is paid and could not be tried for now