FOSS, security

Security audit your ARM board with Lynis

Whether it is a powerful production server or a humble self-hosted ARM board, an Internet-facing system demands that we take security very seriously.

Security is hard. No matter how much effort we put into securing a system, any small detail we overlook can undo all of our work.

Just as intruders use automated scanning tools to find vulnerabilities, we have tools at hand that help us secure our systems and verify that we have not missed anything.

Lynis is an open source security auditing tool. It is really easy to use and lets us perform a comprehensive security analysis.

Installation

Install not only the Lynis package, but also a few other useful tools

# apt-get install lynis debian-goodies needrestart debsums debsecan

This might be too much for an ARM board, but on a production server we can also afford

# apt-get install apt-listbugs samhain tripwire

We will cover the other tools in another article.

Usage

Just run

# lynis audit system

You can also run a non-privileged scan for pentesting

# lynis audit --pentest

These examples run with the default profile, which you can find at /etc/lynis/default.prf. It is recommended to add your modifications to custom.prf instead of editing default.prf directly.

Your modifications to custom.prf are picked up automatically. If you want to run with a different custom profile, you can use

# lynis audit system --profile /myprofile.prf

Warnings come with a description and a code, such as ACCT-9628. In addition, in our example we get a suggestion on how to fix it and a link to its extensive documentation at this link.

When trying to fix an issue, it is handy to see how Lynis checks for the particular warning it emits. We can do this by inspecting the log /var/log/lynis.log, or with the command

# lynis show details ACCT-9628
2017-12-23 11:42:10 Performing test ID ACCT-9628 (Check for auditd)
2017-12-23 11:42:10 Test: Check auditd status
2017-12-23 11:42:10 IsRunning: process 'auditd' not found
2017-12-23 11:42:10 Result: auditd not active
2017-12-23 11:42:10 Suggestion: Enable auditd to collect audit information [test:ACCT-9628] [details:-] [solution:-]
2017-12-23 11:42:10 Hardening: assigned partial number of hardening points (0 of 1). Currently having 139 points (out of 227)
2017-12-23 11:42:10 ===---------------------------------------------------------------===

Lynis on an ARM board

The output of the commands above gives us very valuable information for improving our security and system configuration.

For instance, this is the output right after installing it on a plain Raspbian

[ Lynis 2.4.0 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2016, CISOfy - //cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################


[+] Initializing program
------------------------------------
    - Detecting OS...  [ DONE ]
    - Checking profiles... [ DONE ]

  ---------------------------------------------------
  Program version:           2.4.0
  Operating system:          Linux
  Operating system name:     Debian
  Operating system version:  9.1
  Kernel version:            4.9.59
  Hardware platform:         armv7l
  Hostname:                  raspberry
  ---------------------------------------------------
  Profiles:                  /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /etc/lynis/plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Test category:             all
  Test group:                all
  ---------------------------------------------------
    - Program update status...  [ WARNING ]

      ===============================================================================
         Lynis update available
      ===============================================================================

        Current version is more than 4 months old

        Current version : 240   Latest version : 257

        Please update to the latest version.
        New releases include additional features, bug fixes, tests and baselines.

        Download the latest version:
        Packages (DEB/RPM) -  //packages.cisofy.com
        Website            -  //cisofy.com/downloads/
        GitHub             -  //github.com/CISOfy/lynis

      ===============================================================================


[+] System Tools
------------------------------------
    - Scanning available tools...
    - Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
 
    - Plugin: debian
    [
[+] Debian Tests
------------------------------------
    - Checking for system binaries that are required by Debian Tests...
      - Checking /bin...  [ FOUND ]
      - Checking /sbin...  [ FOUND ]
      - Checking /usr/bin...  [ FOUND ]
      - Checking /usr/sbin...  [ FOUND ]
      - Checking /usr/local/bin...  [ FOUND ]
      - Checking /usr/local/sbin...  [ FOUND ]
    - Authentication:
      - PAM (Pluggable Authentication Modules):
        - libpam-tmpdir [ Not Installed ]
        - libpam-usb [ Not Installed ]
    - File System Checks:
      - DM-Crypt, Cryptsetup & Cryptmount:
    - Software:
      - apt-listbugs [ Not Installed ]
      - apt-listchanges [ Installed and enabled for apt ]
      - checkrestart [ Not Installed ]
      - needrestart [ Not Installed ]
      - debsecan [ Not Installed ]
      - debsums [ Not Installed ]
      - fail2ban [ Not Installed ]
]

[+] Boot and services
------------------------------------
    - Service Manager [ systemd ]
    - Checking UEFI boot [ DISABLED ]
      - Boot loader [ NONE FOUND ]
    - Check running services (systemctl) [ DONE ]
Result: found 15 running services
    - Check enabled services at boot (systemctl) [ DONE ]
Result: found 23 enabled services
    - Check startup files (permissions) [ OK ]

[+] Kernel
------------------------------------
    - Checking default run level [ RUNLEVEL 5 ]
    - Checking CPU support (NX/PAE)
      CPU support: No PAE or NoeXecute supported [ NONE ]
    - Checking kernel version and release [ DONE ]
    - Checking kernel type [ DONE ]
    - Checking loaded kernel modules [ DONE ]
        Found 20 active modules
    - Checking Linux kernel configuration file [ NOT FOUND ]
    - Checking for available kernel update [ UNKNOWN ]
    - Checking core dumps configuration [ DISABLED ]
      - Checking setuid core dumps configuration [ DEFAULT ]
    - Check if reboot is needed [ UNKNOWN ]

[+] Memory and Processes
------------------------------------
    - Checking /proc/meminfo [ FOUND ]
    - Searching for dead/zombie processes [ OK ]
    - Searching for IO waiting processes [ OK ]

[+] Users, Groups and Authentication
------------------------------------
    - Administrator accounts [ OK ]
    - Unique UIDs [ OK ]
    - Consistency of group files (grpck) [ OK ]
    - Unique group IDs [ OK ]
    - Unique group names [ OK ]
    - Password file consistency [ OK ]
    - Query system users (non daemons) [ DONE ]
    - NIS+ authentication support [ NOT ENABLED ]
    - NIS authentication support [ NOT ENABLED ]
    - sudoers file [ FOUND ]
      - Check sudoers file permissions [ OK ]
    - PAM password strength tools [ SUGGESTION ]
    - PAM configuration files (pam.conf) [ FOUND ]
    - PAM configuration files (pam.d) [ FOUND ]
    - PAM modules [ NOT FOUND ]
    - LDAP module in PAM [ NOT FOUND ]
    - Accounts without expire date [ OK ]
    - Accounts without password [ OK ]
    - Checking user password aging (minimum) [ DISABLED ]
    - User password aging (maximum) [ DISABLED ]
    - Checking expired passwords [ OK ]
    - Checking Linux single user mode authentication [ OK ]
    - Determining default umask
      - umask (/etc/profile) [ NOT FOUND ]
      - umask (/etc/login.defs) [ SUGGESTION ]
    - LDAP authentication support [ NOT ENABLED ]
    - Logging failed login attempts [ ENABLED ]

[+] Shells
------------------------------------
    - Checking shells from /etc/shells
      Result: found 4 shells (valid shells: 4).
      - Session timeout settings/tools [ NONE ]
    - Checking default umask values
      - Checking default umask in /etc/bash.bashrc [ NONE ]
      - Checking default umask in /etc/profile [ NONE ]

[+] File systems
------------------------------------
    - Checking mount points
      - Checking /home mount point [ SUGGESTION ]
      - Checking /tmp mount point [ SUGGESTION ]
      - Checking /var mount point [ SUGGESTION ]
    - Query swap partitions (fstab) [ NONE ]
    - Testing swap partitions [ OK ]
    - Testing /proc mount (hidepid) [ SUGGESTION ]
    - Checking for old files in /tmp [ OK ]
    - Checking /tmp sticky bit [ OK ]
    - ACL support root file system [ ENABLED ]
    - Mount options of / [ NON DEFAULT ]
    - Mount options of /boot [ NON DEFAULT ]
    - Disable kernel support of some filesystems
      - Discovered kernel modules: hfs hfsplus jffs2 squashfs udf

[+] Storage
------------------------------------
    - Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
    - Checking USB devices authorization [ ENABLED ]
    - Checking firewire ohci driver (modprobe config) [ NOT DISABLED ]

[+] NFS
------------------------------------
    - Query rpc registered programs [ DONE ]
    - Query NFS versions [ DONE ]
    - Query NFS protocols [ DONE ]
    - Check running NFS daemon [ NOT FOUND ]

[+] Name services
------------------------------------
    - Checking default DNS search domain [ FOUND ]
    - Searching DNS domain name [ FOUND ]
        Domain name: home
    - Checking /etc/hosts
      - Checking /etc/hosts (duplicates) [ OK ]
      - Checking /etc/hosts (hostname) [ OK ]
      - Checking /etc/hosts (localhost) [ OK ]

[+] Ports and packages
------------------------------------
    - Searching package managers
      - Searching dpkg package manager [ FOUND ]
        - Querying package manager
      - Query unpurged packages [ NONE ]
    - Checking security repository in sources.list file or directory [ WARNING ]
    - Checking vulnerable packages (apt-get only) [ DONE ]
    - Checking package audit tool [ INSTALLED ]
      Found: apt-get

[+] Networking
------------------------------------
    - Checking IPv6 configuration [ ENABLED ]
        Configuration method [ AUTO ]
        IPv6 only [ NO ]
    - Checking configured nameservers
      - Testing nameservers
        Nameserver: 192.168.0.5 [ SKIPPED ]
      - Minimal of 2 responsive nameservers [ SKIPPED ]
    - Checking default gateway [ DONE ]
    - Getting listening ports (TCP/UDP) [ DONE ]
        * Found 7 ports
    - Checking promiscuous interfaces [ OK ]
    - Checking waiting connections [ OK ]
    - Checking status DHCP client [ NOT ACTIVE ]
    - Checking for ARP monitoring software [ NOT FOUND ]

[+] Printers and Spools
------------------------------------
    - Checking cups daemon [ NOT FOUND ]
    - Checking lp daemon [ NOT RUNNING ]

[+] Software: e-mail and messaging
------------------------------------
    - Checking Exim status [ NOT FOUND ]
    - Checking Postfix status [ NOT FOUND ]
    - Checking Dovecot status [ NOT FOUND ]
    - Checking Qmail status [ NOT FOUND ]
    - Checking Sendmail status [ NOT FOUND ]

[+] Software: firewalls
------------------------------------
    - Checking iptables kernel module [ FOUND ]
      - Checking iptables policies of chains [ FOUND ]
INVALID OPTION (Display): YELLOW
      - Checking for empty ruleset [ WARNING ]
      - Checking for unused rules [ OK ]
    - Checking host based firewall [ ACTIVE ]

[+] Software: webserver
------------------------------------
    - Checking Apache [ NOT FOUND ]
    - Checking nginx [ NOT FOUND ]

[+] SSH Support
------------------------------------
    - Checking running SSH daemon [ FOUND ]
      - Searching SSH configuration [ FOUND ]
      - SSH option: AllowTcpForwarding [ SUGGESTION ]
      - SSH option: ClientAliveCountMax [ SUGGESTION ]
      - SSH option: ClientAliveInterval [ OK ]
      - SSH option: Compression [ SUGGESTION ]
      - SSH option: FingerprintHash [ OK ]
      - SSH option: GatewayPorts [ OK ]
      - SSH option: IgnoreRhosts [ OK ]
      - SSH option: LoginGraceTime [ OK ]
      - SSH option: LogLevel [ SUGGESTION ]
      - SSH option: MaxAuthTries [ SUGGESTION ]
      - SSH option: MaxSessions [ SUGGESTION ]
      - SSH option: PermitRootLogin [ SUGGESTION ]
      - SSH option: PermitUserEnvironment [ OK ]
      - SSH option: PermitTunnel [ OK ]
      - SSH option: Port [ SUGGESTION ]
      - SSH option: PrintLastLog [ OK ]
      - SSH option: Protocol [ NOT FOUND ]
      - SSH option: StrictModes [ OK ]
      - SSH option: TCPKeepAlive [ SUGGESTION ]
      - SSH option: UseDNS [ OK ]
      - SSH option: UsePrivilegeSeparation [ OK ]
      - SSH option: VerifyReverseMapping [ NOT FOUND ]
      - SSH option: X11Forwarding [ SUGGESTION ]
      - SSH option: AllowAgentForwarding [ SUGGESTION ]
      - SSH option: AllowUsers [ NOT FOUND ]
      - SSH option: AllowGroups [ NOT FOUND ]

[+] SNMP Support
------------------------------------
    - Checking running SNMP daemon [ NOT FOUND ]

[+] Databases
------------------------------------
      No database engines found

[+] LDAP Services
------------------------------------
    - Checking OpenLDAP instance [ NOT FOUND ]

[+] PHP
------------------------------------
    - Checking PHP [ NOT FOUND ]

[+] Squid Support
------------------------------------
    - Checking running Squid daemon [ NOT FOUND ]

[+] Logging and files
------------------------------------
    - Checking for a running log daemon [ OK ]
      - Checking Syslog-NG status [ NOT FOUND ]
      - Checking systemd journal status [ FOUND ]
      - Checking Metalog status [ NOT FOUND ]
      - Checking RSyslog status [ FOUND ]
      - Checking RFC 3195 daemon status [ NOT FOUND ]
      - Checking minilogd instances [ NOT FOUND ]
    - Checking logrotate presence [ OK ]
    - Checking log directories (static list) [ DONE ]
    - Checking open log files [ SKIPPED ]

[+] Insecure services
------------------------------------
    - Checking inetd status [ NOT ACTIVE ]

[+] Banners and identification
------------------------------------
    - /etc/issue [ FOUND ]
      - /etc/issue contents [ WEAK ]
    - /etc/issue.net [ FOUND ]
      - /etc/issue.net contents [ WEAK ]

[+] Scheduled tasks
------------------------------------
    - Checking crontab/cronjob [ DONE ]

[+] Accounting
------------------------------------
    - Checking accounting information [ NOT FOUND ]
    - Checking sysstat accounting data [ NOT FOUND ]
    - Checking auditd [ NOT FOUND ]

[+] Time and Synchronization
------------------------------------
    - NTP daemon found: systemd (timesyncd) [ FOUND ]
    - Checking for a running NTP daemon or client [ OK ]

[+] Cryptography
------------------------------------
    - Checking for expired SSL certificates [ NONE ]

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

[+] Security frameworks
------------------------------------
    - Checking presence AppArmor [ NOT FOUND ]
    - Checking presence SELinux [ NOT FOUND ]
    - Checking presence grsecurity [ NOT FOUND ]
    - Checking for implemented MAC framework [ NONE ]

[+] Software: file integrity
------------------------------------
    - Checking file integrity tools
    - Checking presence integrity tool [ NOT FOUND ]

[+] Software: System tooling
------------------------------------
    - Checking automation tooling
    - Automation tooling [ NOT FOUND ]
    - Checking for IDS/IPS tooling [ NONE ]

[+] Software: Malware
------------------------------------

[+] File Permissions
------------------------------------
    - Starting file permissions check
      /etc/lilo.conf [ NOT FOUND ]
      /root/.ssh [ NOT FOUND ]

[+] Home directories
------------------------------------
    - Checking shell history files [ OK ]

[+] Kernel Hardening
------------------------------------
    - Comparing sysctl key pairs with scan profile
      - kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
      - kernel.ctrl-alt-del (exp: 0) [ OK ]
      - kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
      - kernel.randomize_va_space (exp: 2) [ OK ]
      - kernel.sysrq (exp: 0) [ DIFFERENT ]
      - net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
      - net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
      - net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
      - net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
      - net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
      - net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
      - net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
      - net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
      - net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
      - net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
      - net.ipv4.conf.default.accept_source_route (exp: 0) [ DIFFERENT ]
      - net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
      - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
      - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
      - net.ipv4.tcp_syncookies (exp: 1) [ OK ]
      - net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]
      - net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
      - net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
      - net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
      - net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

[+] Hardening
------------------------------------
      - Installed compiler(s) [ FOUND ]
      - Installed malware scanner [ NOT FOUND ]
      - Installed malware scanner [ NOT FOUND ]

[+] Custom Tests
------------------------------------
    - Running custom tests...  [ NONE ]

[+] Plugins (phase 2)
------------------------------------

================================================================================

  -[ Lynis 2.4.0 Results ]-

  Warnings (3):
  ----------------------------
  ! Version of Lynis is very old and should be updated [LYNIS]
      //cisofy.com/controls/LYNIS/

  ! Can't find any security repository in /etc/apt/sources.list or sources.list.d directory [PKGS-7388]
      //cisofy.com/controls/PKGS-7388/

  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
      //cisofy.com/controls/FIRE-4512/

  Suggestions (43):
  ----------------------------
  * Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [CUST-0280] 
      //your-domain.example.org/controls/CUST-0280/

  * Install libpam-usb to enable multi-factor authentication for PAM sessions [CUST-0285] 
      //your-domain.example.org/controls/CUST-0285/

  * Install apt-listbugs to display a list of critical bugs prior to each APT installation. [CUST-0810] 
      //your-domain.example.org/controls/CUST-0810/

  * Install debian-goodies so that you can run checkrestart after upgrades to determine which services are using old versions of libraries and need restarting. [CUST-0830]
      //your-domain.example.org/controls/CUST-0830/

  * Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [CUST-0831]
      //your-domain.example.org/controls/CUST-0831/

  * Install debsecan to generate lists of vulnerabilities which affect this installation. [CUST-0870] 
      //your-domain.example.org/controls/CUST-0870/

  * Install debsums for the verification of installed package files against MD5 checksums. [CUST-0875] 
      //your-domain.example.org/controls/CUST-0875/

  * Install fail2ban to automatically ban hosts that commit multiple authentication errors. [DEB-0880] 
      //cisofy.com/controls/DEB-0880/

  * Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support [KRNL-5677]
      //cisofy.com/controls/KRNL-5677/

  * Discover why /vmlinuz is missing. Consider manually re-linking. [KRNL-5788] 
      //cisofy.com/controls/KRNL-5788/

  * Check the output of apt-cache policy manually to determine why output is empty [KRNL-5788] 
      //cisofy.com/controls/KRNL-5788/

  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] 
      //cisofy.com/controls/AUTH-9262/

  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
      //cisofy.com/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
      //cisofy.com/controls/AUTH-9286/

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] 
      //cisofy.com/controls/AUTH-9328/

  * To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310] 
      //cisofy.com/controls/FILE-6310/

  * To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310] 
      //cisofy.com/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310] 
      //cisofy.com/controls/FILE-6310/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] 
      //cisofy.com/controls/STRG-1840/

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
      //cisofy.com/controls/STRG-1846/

  * Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
      //cisofy.com/controls/PKGS-7370/

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
      //cisofy.com/controls/NETW-3032/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowTcpForwarding (YES --> NO)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : ClientAliveCountMax (3 --> 2)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (YES --> NO)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : LogLevel (INFO --> VERBOSE)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxAuthTries (6 --> 1)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxSessions (10 --> 2)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : PermitRootLogin (WITHOUT-PASSWORD --> NO)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Port (22 --> )
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : TCPKeepAlive (YES --> NO)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : X11Forwarding (YES --> NO)
      //cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowAgentForwarding (YES --> NO)
      //cisofy.com/controls/SSH-7408/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
      //cisofy.com/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
      //cisofy.com/controls/BANN-7130/

  * Enable process accounting [ACCT-9622] 
      //cisofy.com/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626] 
      //cisofy.com/controls/ACCT-9626/

  * Enable auditd to collect audit information [ACCT-9628] 
      //cisofy.com/controls/ACCT-9628/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] 
      //cisofy.com/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002] 
      //cisofy.com/controls/TOOL-5002/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
      //cisofy.com/controls/KRNL-6000/

  * Harden compilers like restricting access to root user only [HRDN-7222] 
      //cisofy.com/controls/HRDN-7222/

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      //cisofy.com/controls/HRDN-7230/

  Follow-up:
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (//cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

  Lynis security scan details:

  Hardening index : 57 [###########         ]
  Tests performed : 203
  Plugins enabled : 1

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Lynis Modules:
  - Compliance Status      [?]
  - Security Audit         [V]
  - Vulnerability Scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================
  Notice: Lynis update available
  Current version : 240    Latest version : 257
================================================================================

  Lynis 2.4.0

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2016, CISOfy - //cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

================================================================================

  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)

We can see that we were given a total score of 57. We should take this number with a grain of salt, but as a rule of thumb higher is better, and a score around 80 is quite good.

We can also see that some of these warnings are aimed at fat x86 servers and may not make sense for a home ARM setup, where we do not have as many resources and we have different constraints and use cases.

As with anything else in security, I compromise between security and convenience. Therefore, I add these rules to my custom profile

# Won't install apt-listbugs and all its ruby dependencies
skip-test=CUST-0810

# Won't install puppet or similar
skip-test=TOOL-5002

# Raspbian doesn't have security sources ( //www.raspberrypi.org/forums/viewtopic.php?t=98006&p=680175 )
skip-test=PKGS-7388

# We have a preset partition scheme in the SD card
skip-test=FILE-6310

# We don't use firewire
skip-test=STRG-1846

# We use USB in NCP
skip-test=STRG-1840

# Won't recompile kernel to support auditd
skip-test=ACCT-9628

# Won't be protected against DDOS in self-hosting, will save the resources
skip-test=HTTP-6640
skip-test=HTTP-6641

# vmlinuz missing at least in Raspbian
skip-test=KRNL-5788

# won't recompile kernels for PAE NX
skip-test=KRNL-5677
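As an added example (not code from the original post or from the Lynis project), the following script reads a report in the /var/log/lynis-report.dat key=value layout, drops every warning and suggestion whose test ID appears as skip-test in a custom.prf, and prints what is still open together with the hardening index, so the residual findings can be tracked between audits. The report excerpt and the profile are constructed samples, and the "warning[]=" / "suggestion[]=" field layout TEST-ID|text|details|solution| is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: list the Lynis findings that are
# still open after applying the skip-test lines of a custom.prf.
# Assumptions (both inputs below are constructed samples): the report follows
# the key=value layout of /var/log/lynis-report.dat, with findings written as
#   warning[]=TEST-ID|text|details|solution|
#   suggestion[]=TEST-ID|text|details|solution|
# and the profile uses one "skip-test=TEST-ID" per line.

REPORT=$(mktemp)
PROFILE=$(mktemp)
trap 'rm -f "$REPORT" "$PROFILE"' EXIT

# Constructed excerpt of a report after a plain Raspbian audit
cat > "$REPORT" <<'EOF'
report_version_major=1
hardening_index=57
warning[]=PKGS-7388|Can't find any security repository in /etc/apt/sources.list or sources.list.d directory|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=CUST-0810|Install apt-listbugs to display a list of critical bugs prior to each APT installation.|-|-|
suggestion[]=ACCT-9628|Enable auditd to collect audit information|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (WITHOUT-PASSWORD --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (YES --> NO)|-|
EOF

# Constructed custom.prf with two of the skips discussed above
cat > "$PROFILE" <<'EOF'
# Won't install apt-listbugs and all its ruby dependencies
skip-test=CUST-0810
# Won't recompile kernel to support auditd
skip-test=ACCT-9628
EOF

# Hardening index recorded in the report
hardening_index() {
    sed -n 's/^hardening_index=\([0-9]*\).*/\1/p' "$1"
}

# Test IDs skipped by the profile, one per line; comment lines are ignored
skipped_tests() {
    sed -n 's/^[[:space:]]*skip-test=\([A-Z]*-[0-9]*\).*/\1/p' "$1" | sort -u
}

# Warnings and suggestions whose test ID is not skipped, printed as
# "kind TEST-ID text" or "kind TEST-ID text: details" when details are present
open_findings() {
    awk -F'|' -v skips="$(skipped_tests "$2")" '
    BEGIN { n = split(skips, a, "\n"); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    /^(warning|suggestion)\[\]=/ {
        split($1, kv, "=")            # kv[1] = "warning[]", kv[2] = TEST-ID
        kind = kv[1]; sub(/\[\]$/, "", kind); id = kv[2]
        if (id in skip) next
        line = kind " " id " " $2
        if ($3 != "" && $3 != "-") line = line ": " $3
        print line
    }' "$1"
}

# Number of open findings, a handy metric to compare between audits
open_count() {
    open_findings "$1" "$2" | wc -l | tr -d ' '
}

printf 'Hardening index: %s\n' "$(hardening_index "$REPORT")"
printf 'Open findings: %s\n' "$(open_count "$REPORT" "$PROFILE")"
open_findings "$REPORT" "$PROFILE"
```

Point REPORT and PROFILE at the real /var/log/lynis-report.dat and /etc/lynis/custom.prf to use it on a live system.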

For NextCloudPi, the system differs somewhat from plain Raspbian, so you can check out its more customized profile here.

Currently, NextCloudPi scores 79.


Author: nachoparker

Humbly sharing things that I find useful [ github docker hub ]
