Article by Dan Nanni first published on xmodulo.com

As a system administrator, Linux security technician or system auditor, your responsibility can involve any combination of these: software patch management, malware scanning, file integrity checks, security audit, configuration error checking, etc. If there is an automatic vulnerability scanning tool, it can save you a lot of time checking up on common security issues.

One such vulnerability scanner on Linux is lynis. This tool is actually supported on multiple platforms including CentOS, Debian, Fedora, FreeBSD, Mac OS and Ubuntu.

To install lynis on Linux, open a terminal and run the following commands:

$ wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
$ sudo tar xvzf lynis-1.3.0.tar.gz -C /opt

To scan Linux for vulnerabilities with lynis , run the following.

$ cd /opt/lynis-1.3.0/
$ sudo /opt/lynis-1.3.0/lynis --check-all -Q

Once lynis starts scanning your system, it will perform auditing in a number of categories:

- System tools: system binaries
- Boot and services: boot loaders, startup services
- Kernel: run level, loaded modules, kernel configuration, core dumps
- Memory and processes: zombie processes, IO waiting processes
- Users, groups and authentication: group IDs, sudoers, PAM configuration, password aging, default mask
- Shells
- File systems: mount points, /tmp files, root file system
- Storage: usb-storage, firewire ohci
- NFS
- Software: name services: DNS search domain, BIND
- Ports and packages: vulnerable/upgradable packages, security repository
- Networking: nameservers, promiscuous interfaces, connections
- Printers and spools: cups configuration
- Software: e-mail and messaging
- Software: firewalls: iptables, pf
- Software: webserver: Apache, nginx
- SSH support: SSH configuration
- SNMP support
- Databases: MySQL root password
- LDAP services
- Software: php: php options
- Squid support
- Logging and files: syslog daemon, log directories
- Insecure services: inetd
- Banners and identification
- Scheduled tasks: crontab/cronjob, atd
- Accounting: sysstat data, auditd
- Time and synchronization: ntp daemon
- Cryptography: SSL certificate expiration
- Virtualization
- Security frameworks: AppArmor, SELinux, grsecurity status
- Software: file integrity
- Software: malware scanners
- Home directories: shell history files

The screenshot of lynis in action is shown below:

Once scanning is completed, the auditing report of your system is generated and stored in /var/log/lynis.log.

The audit report contains warnings for potential vulnerabilities detected by the tool. For example:

$ sudo grep Warning /var/log/lynis.log

[20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
[20:20:04] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
[20:20:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

The audit report also contains a number of suggestions that can help harden your Linux system. For example:

$ sudo grep Suggestion /var/log/lynis.log

[20:19:41] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
[20:19:41] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
[20:19:41] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
[20:19:41] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
[20:19:42] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
[20:19:42] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
[20:20:03] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]
...
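Grepping for "Warning" and "Suggestion" works, but a regular scan is easier to track if the log is reduced to one line per finding with its test ID. The script below is an added example, not part of the original article or of lynis itself; it parses the "[time] Kind: text [test:ID] [impact:X]" line format shown above from a constructed sample log (a real run would read /var/log/lynis.log) and counts findings and test IDs that fire more than once.

```shell
#!/bin/sh
# Added example, not from the original article: summarise a lynis.log into
# findings per test ID, using the line format the article shows, e.g.
#   [20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
#   [20:19:41] Suggestion: Install a PAM module ... [test:AUTH-9262]

# Constructed sample log (same format as the excerpts above); a real run
# would point the functions at /var/log/lynis.log instead.
SAMPLE_LOG='[20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
[20:20:04] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
[20:20:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]
[20:19:41] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
[20:19:41] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]'

# Print one "KIND TEST-ID IMPACT" line per Warning/Suggestion; impact is
# "-" for suggestions, which carry no [impact:] tag in this format.
lynis_findings() {  # $1: path to a lynis log
    awk '
        /^\[[0-9:]+\] (Warning|Suggestion): / && match($0, /\[test:[A-Za-z]+-[0-9]+\]/) {
            kind = ($2 == "Warning:") ? "WARNING" : "SUGGESTION"
            id = substr($0, RSTART + 6, RLENGTH - 7)   # strip "[test:" and "]"
            impact = "-"
            if (match($0, /\[impact:[A-Z]\]/)) impact = substr($0, RSTART + 8, 1)
            print kind, id, impact
        }' "$1"
}

# Number of findings of one kind (WARNING or SUGGESTION).
lynis_count() {  # $1: log path, $2: kind
    lynis_findings "$1" | awk -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}

# Test IDs that fired more than once, e.g. AUTH-9328 once per umask file.
lynis_repeated_ids() {  # $1: log path
    lynis_findings "$1" | awk '{ c[$2]++ } END { for (i in c) if (c[i] > 1) print i, c[i] }' | sort
}

# Stand-alone demo on the constructed sample.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
echo "warnings:    $(lynis_count "$demo_log" WARNING)"
echo "suggestions: $(lynis_count "$demo_log" SUGGESTION)"
echo "repeated:    $(lynis_repeated_ids "$demo_log")"
rm -f "$demo_log"
```

Saving the output of lynis_findings after each scan and diffing it against the previous run shows exactly which test IDs appeared or disappeared between scans.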

So what are you waiting for?

One run can give you some good suggestions on how to improve the security of your system, and a regular scan can help you notice changes and malware.
