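Be it a powerful production server or a humble ARM board used for hosting, an Internet-facing system requires us to take security very seriously.
But security is hard. No matter how hard we try to secure our systems, any small detail we overlook can ruin all our efforts.
In the same way that intruders use automated scanning tools to detect vulnerabilities, we also have tools at hand that help us secure our systems and verify that we have not missed anything.
Lynis is an open source security auditing tool. It is really easy to use and lets us perform a comprehensive security analysis.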
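Installation
Install not only the lynis package, but also some other useful tools
# apt-get install lynis debian-goodies needrestart debsums debsecan
It may be too much for an ARM board, but on a production server we can also afford
# apt-get install apt-listbugs samhain tripwire
We will cover the other tools in another post.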
Usage
Simply run
# lynis audit system
You can run a non-privileged scan for penetration testing
# lynis audit system --pentest
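These examples run with the default profile, which you can find at /etc/lynis/default.prf. It is recommended to add your modifications to custom.prf instead of modifying default.prf directly.
Your modifications to custom.prf will be picked up automatically. If you want to run with another custom profile, you can use
# lynis audit system --profile /myprofile.prf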
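Warnings come with a description and a code, such as ACCT-9628. In addition, we get a suggestion on how to fix the issue and a link to its extensive documentation, in our example this link.
When trying to fix an issue, it is handy to see how Lynis checks for the specific warning it raises. We can do this by inspecting the log at /var/log/lynis.log, or with the command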
# lynis show details ACCT-9628
2017-12-23 11:42:10 Performing test ID ACCT-9628 (Check for auditd)
2017-12-23 11:42:10 Test: Check auditd status
2017-12-23 11:42:10 IsRunning: process 'auditd' not found
2017-12-23 11:42:10 Result: auditd not active
2017-12-23 11:42:10 Suggestion: Enable auditd to collect audit information [test:ACCT-9628] [details:-] [solution:-]
2017-12-23 11:42:10 Hardening: assigned partial number of hardening points (0 of 1). Currently having 139 points (out of 227)
2017-12-23 11:42:10 ===---------------------------------------------------------------===
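Lynis on an ARM board
The output of the above commands gives us very valuable information for improving our security and system configuration.
For example, this is the output on a plain Raspbian right after installation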
[ Lynis 2.4.0 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2016, CISOfy - //cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...  [ DONE ]
  - Checking profiles...  [ DONE ]

  ---------------------------------------------------
  Program version:           2.4.0
  Operating system:          Linux
  Operating system name:     Debian
  Operating system version:  9.1
  Kernel version:            4.9.59
  Hardware platform:         armv7l
  Hostname:                  raspberry
  ---------------------------------------------------
  Profiles:                  /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /etc/lynis/plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Test category:             all
  Test group:                all
  ---------------------------------------------------
  - Program update status...  [ WARNING ]

  ===============================================================================
  Lynis update available
  ===============================================================================

  Current version is more than 4 months old

  Current version : 240   Latest version : 257

  Please update to the latest version.
  New releases include additional features, bug fixes, tests and baselines.

  Download the latest version:
  Packages (DEB/RPM) - //packages.cisofy.com
  Website            - //cisofy.com/downloads/
  GitHub             - //github.com/CISOfy/lynis

  ===============================================================================

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
  Note: plugins have more extensive tests and may take several minutes to complete

  - Plugin: Debian
    [
[+] Debian Tests
------------------------------------
  - Checking for system binaries that are required by Debian Tests...
    - Checking /bin...  [ FOUND ]
    - Checking /sbin...  [ FOUND ]
    - Checking /usr/bin...  [ FOUND ]
    - Checking /usr/sbin...  [ FOUND ]
    - Checking /usr/local/bin...  [ FOUND ]
    - Checking /usr/local/sbin...  [ FOUND ]
  - Authentication:
    - PAM (Pluggable Authentication Modules):
      - libpam-tmpdir  [ Not Installed ]
      - libpam-usb  [ Not Installed ]
  - File System Checks:
    - DM-Crypt, Cryptsetup & Cryptmount:
  - Software:
    - apt-listbugs  [ Not Installed ]
    - apt-listchanges  [ Installed and enabled for apt ]
    - checkrestart  [ Not Installed ]
    - needrestart  [ Not Installed ]
    - debsecan  [ Not Installed ]
    - debsums  [ Not Installed ]
    - fail2ban  [ Not Installed ]
    ]

[+] Boot and services
------------------------------------
  - Service Manager  [ systemd ]
  - Checking UEFI boot  [ DISABLED ]
  - Boot loader  [ NONE FOUND ]
  - Check running services (systemctl)  [ DONE ]
      Result: found 15 running services
  - Check enabled services at boot (systemctl)  [ DONE ]
      Result: found 23 enabled services
  - Check startup files (permissions)  [ OK ]

[+] Kernel
------------------------------------
  - Checking default run level  [ RUNLEVEL 5 ]
  - Checking CPU support (NX/PAE)
      CPU support: No PAE or NoeXecute supported  [ NONE ]
  - Checking kernel version and release  [ DONE ]
  - Checking kernel type  [ DONE ]
  - Checking loaded kernel modules  [ DONE ]
      Found 20 active modules
  - Checking Linux kernel configuration file  [ NOT FOUND ]
  - Checking for available kernel update  [ UNKNOWN ]
  - Checking core dumps configuration  [ DISABLED ]
    - Checking setuid core dumps configuration  [ DEFAULT ]
  - Check if reboot is needed  [ UNKNOWN ]

[+] Memory and Processes
------------------------------------
  - Checking /proc/meminfo  [ FOUND ]
  - Searching for dead/zombie processes  [ OK ]
  - Searching for IO waiting processes  [ OK ]

[+] Users, Groups and Authentication
------------------------------------
  - Administrator accounts  [ OK ]
  - Unique UIDs  [ OK ]
  - Consistency of group files (grpck)  [ OK ]
  - Unique group IDs  [ OK ]
  - Unique group names  [ OK ]
  - Password file consistency  [ OK ]
  - Query system users (non daemons)  [ DONE ]
  - NIS+ authentication support  [ NOT ENABLED ]
  - NIS authentication support  [ NOT ENABLED ]
  - sudoers file  [ FOUND ]
    - Check sudoers file permissions  [ OK ]
  - PAM password strength tools  [ SUGGESTION ]
  - PAM configuration files (pam.conf)  [ FOUND ]
  - PAM configuration files (pam.d)  [ FOUND ]
  - PAM modules  [ NOT FOUND ]
  - LDAP module in PAM  [ NOT FOUND ]
  - Accounts without expire date  [ OK ]
  - Accounts without password  [ OK ]
  - Checking user password aging (minimum)  [ DISABLED ]
  - User password aging (maximum)  [ DISABLED ]
  - Checking expired passwords  [ OK ]
  - Checking Linux single user mode authentication  [ OK ]
  - Determining default umask
    - umask (/etc/profile)  [ NOT FOUND ]
    - umask (/etc/login.defs)  [ SUGGESTION ]
  - LDAP authentication support  [ NOT ENABLED ]
  - Logging failed login attempts  [ ENABLED ]

[+] Shells
------------------------------------
  - Checking shells from /etc/shells
      Result: found 4 shells (valid shells: 4).
    - Session timeout settings/tools  [ NONE ]
  - Checking default umask values
    - Checking default umask in /etc/bash.bashrc  [ NONE ]
    - Checking default umask in /etc/profile  [ NONE ]

[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point  [ SUGGESTION ]
    - Checking /tmp mount point  [ SUGGESTION ]
    - Checking /var mount point  [ SUGGESTION ]
  - Query swap partitions (fstab)  [ NONE ]
  - Testing swap partitions  [ OK ]
  - Testing /proc mount (hidepid)  [ SUGGESTION ]
  - Checking for old files in /tmp  [ OK ]
  - Checking /tmp sticky bit  [ OK ]
  - ACL support root file system  [ ENABLED ]
  - Mount options of /  [ NON DEFAULT ]
  - Mount options of /boot  [ NON DEFAULT ]
  - Disable kernel support of some filesystems
    - Discovered kernel modules: hfs hfsplus jffs2 squashfs udf

[+] Storage
------------------------------------
  - Checking usb-storage driver (modprobe config)  [ NOT DISABLED ]
  - Checking USB devices authorization  [ ENABLED ]
  - Checking firewire ohci driver (modprobe config)  [ NOT DISABLED ]

[+] NFS
------------------------------------
  - Query rpc registered programs  [ DONE ]
  - Query NFS versions  [ DONE ]
  - Query NFS protocols  [ DONE ]
  - Check running NFS daemon  [ NOT FOUND ]

[+] Name services
------------------------------------
  - Checking default DNS search domain  [ FOUND ]
  - Searching DNS domain name  [ FOUND ]
      Domain name: home
  - Checking /etc/hosts
    - Checking /etc/hosts (duplicates)  [ OK ]
    - Checking /etc/hosts (hostname)  [ OK ]
    - Checking /etc/hosts (localhost)  [ OK ]

[+] Ports and packages
------------------------------------
  - Searching package managers
    - Searching dpkg package manager  [ FOUND ]
      - Querying package manager
    - Query unpurged packages  [ NONE ]
  - Checking security repository in sources.list file or directory  [ WARNING ]
  - Checking vulnerable packages (apt-get only)  [ DONE ]
  - Checking package audit tool  [ INSTALLED ]
      Found: apt-get

[+] Networking
------------------------------------
  - Checking IPv6 configuration  [ ENABLED ]
      Configuration method  [ AUTO ]
      IPv6 only  [ NO ]
  - Checking configured nameservers
    - Testing nameservers
        Nameserver: 192.168.0.5  [ SKIPPED ]
    - Minimal of 2 responsive nameservers  [ SKIPPED ]
  - Checking default gateway  [ DONE ]
  - Getting listening ports (TCP/UDP)  [ DONE ]
      * Found 7 ports
  - Checking promiscuous interfaces  [ OK ]
  - Checking waiting connections  [ OK ]
  - Checking status DHCP client  [ NOT ACTIVE ]
  - Checking for ARP monitoring software  [ NOT FOUND ]

[+] Printers and Spools
------------------------------------
  - Checking cups daemon  [ NOT FOUND ]
  - Checking lp daemon  [ NOT RUNNING ]

[+] Software: e-mail and messaging
------------------------------------
  - Checking Exim status  [ NOT FOUND ]
  - Checking Postfix status  [ NOT FOUND ]
  - Checking Dovecot status  [ NOT FOUND ]
  - Checking Qmail status  [ NOT FOUND ]
  - Checking Sendmail status  [ NOT FOUND ]

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module  [ FOUND ]
    - Checking iptables policies of chains  [ FOUND ]
      INVALID OPTION (Display): YELLOW
    - Checking for empty ruleset  [ WARNING ]
    - Checking for unused rules  [ OK ]
  - Checking host based firewall  [ ACTIVE ]

[+] Software: webserver
------------------------------------
  - Checking Apache  [ NOT FOUND ]
  - Checking nginx  [ NOT FOUND ]

[+] SSH Support
------------------------------------
  - Checking running SSH daemon  [ FOUND ]
    - Searching SSH configuration  [ FOUND ]
    - SSH option: AllowTcpForwarding  [ SUGGESTION ]
    - SSH option: ClientAliveCountMax  [ SUGGESTION ]
    - SSH option: ClientAliveInterval  [ OK ]
    - SSH option: Compression  [ SUGGESTION ]
    - SSH option: FingerprintHash  [ OK ]
    - SSH option: GatewayPorts  [ OK ]
    - SSH option: IgnoreRhosts  [ OK ]
    - SSH option: LoginGraceTime  [ OK ]
    - SSH option: LogLevel  [ SUGGESTION ]
    - SSH option: MaxAuthTries  [ SUGGESTION ]
    - SSH option: MaxSessions  [ SUGGESTION ]
    - SSH option: PermitRootLogin  [ SUGGESTION ]
    - SSH option: PermitUserEnvironment  [ OK ]
    - SSH option: PermitTunnel  [ OK ]
    - SSH option: Port  [ SUGGESTION ]
    - SSH option: PrintLastLog  [ OK ]
    - SSH option: Protocol  [ NOT FOUND ]
    - SSH option: StrictModes  [ OK ]
    - SSH option: TCPKeepAlive  [ SUGGESTION ]
    - SSH option: UseDNS  [ OK ]
    - SSH option: UsePrivilegeSeparation  [ OK ]
    - SSH option: VerifyReverseMapping  [ NOT FOUND ]
    - SSH option: X11Forwarding  [ SUGGESTION ]
    - SSH option: AllowAgentForwarding  [ SUGGESTION ]
    - SSH option: AllowUsers  [ NOT FOUND ]
    - SSH option: AllowGroups  [ NOT FOUND ]

[+] SNMP Support
------------------------------------
  - Checking running SNMP daemon  [ NOT FOUND ]

[+] Databases
------------------------------------
    No database engines found

[+] LDAP Services
------------------------------------
  - Checking OpenLDAP instance  [ NOT FOUND ]

[+] PHP
------------------------------------
  - Checking PHP  [ NOT FOUND ]

[+] Squid Support
------------------------------------
  - Checking running Squid daemon  [ NOT FOUND ]

[+] Logging and files
------------------------------------
  - Checking for a running log daemon  [ OK ]
    - Checking Syslog-NG status  [ NOT FOUND ]
    - Checking systemd journal status  [ FOUND ]
    - Checking Metalog status  [ NOT FOUND ]
    - Checking RSyslog status  [ FOUND ]
    - Checking RFC 3195 daemon status  [ NOT FOUND ]
    - Checking minilogd instances  [ NOT FOUND ]
  - Checking logrotate presence  [ OK ]
  - Checking log directories (static list)  [ DONE ]
  - Checking open log files  [ SKIPPED ]

[+] Insecure services
------------------------------------
  - Checking inetd status  [ NOT ACTIVE ]

[+] Banners and identification
------------------------------------
  - /etc/issue  [ FOUND ]
    - /etc/issue contents  [ WEAK ]
  - /etc/issue.net  [ FOUND ]
    - /etc/issue.net contents  [ WEAK ]

[+] Scheduled tasks
------------------------------------
  - Checking crontab/cronjob  [ DONE ]

[+] Accounting
------------------------------------
  - Checking accounting information  [ NOT FOUND ]
  - Checking sysstat accounting data  [ NOT FOUND ]
  - Checking auditd  [ NOT FOUND ]

[+] Time and Synchronization
------------------------------------
  - NTP daemon found: systemd (timesyncd)  [ FOUND ]
  - Checking for a running NTP daemon or client  [ OK ]

[+] Cryptography
------------------------------------
  - Checking for expired SSL certificates  [ NONE ]

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor  [ NOT FOUND ]
  - Checking presence SELinux  [ NOT FOUND ]
  - Checking presence grsecurity  [ NOT FOUND ]
  - Checking for implemented MAC framework  [ NONE ]

[+] Software: file integrity
------------------------------------
  - Checking file integrity tools
  - Checking presence integrity tool  [ NOT FOUND ]

[+] Software: System tooling
------------------------------------
  - Checking automation tooling
  - Automation tooling  [ NOT FOUND ]
  - Checking for IDS/IPS tooling  [ NONE ]

[+] Software: Malware
------------------------------------

[+] File Permissions
------------------------------------
  - Starting file permissions check
    /etc/lilo.conf  [ NOT FOUND ]
    /root/.ssh  [ NOT FOUND ]

[+] Home directories
------------------------------------
  - Checking shell history files  [ OK ]

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - kernel.core_uses_pid (exp: 1)  [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0)  [ OK ]
    - kernel.kptr_restrict (exp: 2)  [ DIFFERENT ]
    - kernel.randomize_va_space (exp: 2)  [ OK ]
    - kernel.sysrq (exp: 0)  [ DIFFERENT ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)  [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)  [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)  [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)  [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1)  [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)  [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)  [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)  [ DIFFERENT ]
    - net.ipv4.conf.all.send_redirects (exp: 0)  [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0)  [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0)  [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1)  [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)  [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)  [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)  [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0)  [ DIFFERENT ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)  [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)  [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0)  [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0)  [ OK ]

[+] Hardening
------------------------------------
    - Installed compiler(s)  [ FOUND ]
    - Installed malware scanner  [ NOT FOUND ]
    - Installed malware scanner  [ NOT FOUND ]

[+] Custom Tests
------------------------------------
  - Running custom tests...  [ NONE ]

[+] Plugins (phase 2)
------------------------------------

================================================================================

  -[ Lynis 2.4.0 Results ]-

  Warnings (3):
  ----------------------------
  ! Version of Lynis is very old and should be updated [LYNIS]
      //cisofy.com/controls/LYNIS/

  ! Can't find any security repository in /etc/apt/sources.list or sources.list.d directory [PKGS-7388]
      //cisofy.com/controls/PKGS-7388/

  ! iptables module(s) loaded, but no rules active [FIRE-4512]
      //cisofy.com/controls/FIRE-4512/

  Suggestions (43):
  ----------------------------
  * Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [CUST-0280]
      //your-domain.example.org/controls/CUST-0280/

  * Install libpam-usb to enable multi-factor authentication for PAM sessions [CUST-0285]
      //your-domain.example.org/controls/CUST-0285/

  * Install apt-listbugs to display a list of critical bugs prior to each APT installation. [CUST-0810]
      //your-domain.example.org/controls/CUST-0810/

  * Install debian-goodies so that you can run checkrestart after upgrades to determine which services are using old versions of libraries and need restarting. [CUST-0830]
      //your-domain.example.org/controls/CUST-0830/

  * Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [CUST-0831]
      //your-domain.example.org/controls/CUST-0831/

  * Install debsecan to generate lists of vulnerabilities which affect this installation. [CUST-0870]
      //your-domain.example.org/controls/CUST-0870/

  * Install debsums for the verification of installed package files against MD5 checksums. [CUST-0875]
      //your-domain.example.org/controls/CUST-0875/

  * Install fail2ban to automatically ban hosts that commit multiple authentication errors. [DEB-0880]
      //cisofy.com/controls/DEB-0880/

  * Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support [KRNL-5677]
      //cisofy.com/controls/KRNL-5677/

  * Discover why /vmlinuz is missing. Consider manually re-linking. [KRNL-5788]
      //cisofy.com/controls/KRNL-5788/

  * Check the output of apt-cache policy manually to determine why output is empty [KRNL-5788]
      //cisofy.com/controls/KRNL-5788/

  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]
      //cisofy.com/controls/AUTH-9262/

  * Configure minimum password age in /etc/login.defs [AUTH-9286]
      //cisofy.com/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286]
      //cisofy.com/controls/AUTH-9286/

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
      //cisofy.com/controls/AUTH-9328/

  * To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310]
      //cisofy.com/controls/FILE-6310/

  * To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
      //cisofy.com/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310]
      //cisofy.com/controls/FILE-6310/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
      //cisofy.com/controls/STRG-1840/

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
      //cisofy.com/controls/STRG-1846/

  * Install debsums utility for the verification of packages with known good database. [PKGS-7370]
      //cisofy.com/controls/PKGS-7370/

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
      //cisofy.com/controls/NETW-3032/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : AllowTcpForwarding (YES --> NO)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : ClientAliveCountMax (3 --> 2)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : Compression (YES --> NO)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : LogLevel (INFO --> VERBOSE)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : MaxAuthTries (6 --> 1)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : MaxSessions (10 --> 2)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : PermitRootLogin (WITHOUT-PASSWORD --> NO)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : Port (22 --> )
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : TCPKeepAlive (YES --> NO)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : X11Forwarding (YES --> NO)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : AllowAgentForwarding (YES --> NO)
      //cisofy.com/controls/SSH-7408/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
      //cisofy.com/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
      //cisofy.com/controls/BANN-7130/

  * Enable process accounting [ACCT-9622]
      //cisofy.com/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626]
      //cisofy.com/controls/ACCT-9626/

  * Enable auditd to collect audit information [ACCT-9628]
      //cisofy.com/controls/ACCT-9628/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
      //cisofy.com/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002]
      //cisofy.com/controls/TOOL-5002/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
      //cisofy.com/controls/KRNL-6000/

  * Harden compilers like restricting access to root user only [HRDN-7222]
      //cisofy.com/controls/HRDN-7222/

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      //cisofy.com/controls/HRDN-7230/

  Follow-up:
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (//cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

  Lynis security scan details:

  Hardening index : 57 [########### ]
  Tests performed : 203
  Plugins enabled : 1

  Components:
  - Firewall [V]
  - Malware scanner [X]

  Lynis Modules:
  - Compliance Status [?]
  - Security Audit [V]
  - Vulnerability Scan [V]

  Files:
  - Test and debug information : /var/log/lynis.log
  - Report data : /var/log/lynis-report.dat

================================================================================
  Notice: Lynis update available
  Current version : 240   Latest version : 257
================================================================================

  Lynis 2.4.0

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2016, CISOfy - //cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

================================================================================

  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
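We can see that we are given a score of 57. We should take this score with a grain of salt, but as a rule of thumb the higher the better, and a score around 80 is quite good.
We can see that some of these warnings are aimed at fat x86 servers and may not make sense in a home ARM setup, where we don't have as many resources and we have different constraints and use cases.
As with everything else in security, I compromise between security and inconvenience. So I add these rules to my custom profile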
# Won't install apt-listbugs and all its ruby dependencies
skip-test=CUST-0810

# Won't install puppet or similar
skip-test=TOOL-5002

# Raspbian doesn't have security sources ( //www.raspberrypi.org/forums/viewtopic.php?t=98006&p=680175 )
skip-test=PKGS-7388

# We have a preset partition scheme in the SD card
skip-test=FILE-6310

# We don't use firewire
skip-test=STRG-1846

# We use USB in NCP
skip-test=STRG-1840

# Won't recompile kernel to support auditd
skip-test=ACCT-9628

# Won't be protected against DDOS in self-hosting, will save the resources
skip-test=HTTP-6640
skip-test=HTTP-6641

# vmlinuz missing at least in Raspbian
skip-test=KRNL-5788

# won't recompile kernels for PAE NX
skip-test=KRNL-5677
For NextCloudPi, the system differs from a plain Raspbian, so you can check a more customized profile here.
Currently, NextCloudPi scores 79.
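An added example (not code from the original post or from the Lynis project): a POSIX shell script that reads a report file, drops the findings whose test ID appears as skip-test in a profile, and fails when warnings remain or the hardening index is below a minimum. It assumes the report stores hardening_index=, warning[]= and suggestion[]= lines with pipe-separated fields; the function names and the sample data (built from the results quoted above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: review a Lynis report against a custom profile.
# The report key names and the pipe-separated layout are assumptions.

# Constructed sample built from the results quoted on this page.
make_sample_report() {
cat <<'EOF'
# Lynis Report
lynis_version=2.4.0
hardening_index=57
warning[]=LYNIS|Version of Lynis is very old and should be updated|-|-|
warning[]=PKGS-7388|Can't find any security repository in /etc/apt/sources.list|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=ACCT-9628|Enable auditd to collect audit information|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 1)|-|
EOF
}

# report_value REPORT KEY: print the value of a scalar key=value line.
report_value() {
    awk -v key="$2" 'index($0, key "=") == 1 {
        print substr($0, length(key) + 2); exit }' "$1"
}

# report_findings REPORT KIND: print "ID<TAB>message" for each finding.
# KIND is "warning" or "suggestion".
report_findings() {
    awk -v kind="$2" 'index($0, kind "[]=") == 1 {
        split(substr($0, length(kind) + 4), f, "|")
        print f[1] "\t" f[2] }' "$1"
}

# profile_skips PROFILE: print the test IDs of active skip-test= lines.
# Commented-out lines do not match because they start with "#".
profile_skips() {
    sed -n 's/^[[:space:]]*skip-test=\([A-Za-z0-9-]*\).*/\1/p' "$1"
}

# outstanding REPORT PROFILE KIND: findings whose ID is not skipped.
outstanding() {
    skips=$(profile_skips "$2" | tr '\n' ' ')
    report_findings "$1" "$3" | awk -F'\t' -v skips="$skips" '
        BEGIN { n = split(skips, s, " "); for (i = 1; i <= n; i++) skip[s[i]] = 1 }
        !($1 in skip)'
}

# audit_gate REPORT PROFILE MIN_SCORE: return 0 only when the score is at
# least MIN_SCORE and no unskipped warnings remain; 2 if the score is missing.
audit_gate() {
    score=$(report_value "$1" hardening_index)
    case "$score" in
        ''|*[!0-9]*) echo "no hardening_index in $1" >&2; return 2 ;;
    esac
    warnings=$(outstanding "$1" "$2" warning | wc -l | tr -d ' ')
    [ "$score" -ge "$3" ] && [ "$warnings" -eq 0 ]
}

# Demo on the constructed data; on a real host pass
# /var/log/lynis-report.dat and /etc/lynis/custom.prf instead.
report=$(mktemp) && profile=$(mktemp)
make_sample_report > "$report"
printf '%s\n' '# Raspbian does not have security sources' \
    'skip-test=PKGS-7388' > "$profile"
echo "hardening index: $(report_value "$report" hardening_index)"
echo "warnings not covered by the profile:"
outstanding "$report" "$profile" warning
audit_gate "$report" "$profile" 80 || echo "gate: FAIL"
rm -f "$report" "$profile"
```

Run from cron after each scan, the exit status of audit_gate can drive an alert when the score drops or a new warning appears.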
References
//www.digitalocean.com/community/tutorials/how-to-perform-security-audits-with-lynis-on-ubuntu-16-04
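How do I run the test on ssllabs.com?
Hi
That will only test your HTTP server configuration. SSL Labs is already covered here. Lynis will check the internal system configuration.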