
Audit Server With Lynis


Install

Download

wget https://cisofy.com/files/lynis-2.4.0.tar.gz


Extract

tar xvf lynis-2.4.0.tar.gz -C /opt

Change Owner to root

cd /opt/lynis
chown -R root:root /opt/lynis

Scan Audit

./lynis audit system
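The three install steps above fetch a tarball over the network and hand it to root without checking what was downloaded. The wrapper below is an added example, not code from the original post or from the Lynis project: it performs the same download, extract and chown, but only unpacks into /opt after the tarball's SHA-256 matches a digest you obtained out of band (EXPECTED_SHA256 is a placeholder argument; the page does not publish one). The URL and paths are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): the download/extract/chown steps
# wrapped so the tarball is unpacked under /opt and handed to root only after
# its SHA-256 matches a digest obtained out of band. EXPECTED_SHA256 is a
# placeholder you must supply yourself.
set -eu

LYNIS_VERSION="2.4.0"
LYNIS_URL="https://cisofy.com/files/lynis-${LYNIS_VERSION}.tar.gz"
INSTALL_DIR="/opt"

# sha256_of FILE -> hex digest of the file
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_tarball FILE EXPECTED -> returns 0 only when the digest matches
verify_tarball() {
    actual="$(sha256_of "$1")"
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "digest mismatch for $1: got $actual, expected $2" >&2
    return 1
}

# install_lynis EXPECTED_SHA256 -> download, verify, extract, chown to root
install_lynis() {
    expected="$1"
    tmp="$(mktemp -d)"
    tarball="$tmp/lynis-${LYNIS_VERSION}.tar.gz"
    wget -q -O "$tarball" "$LYNIS_URL"
    verify_tarball "$tarball" "$expected"   # set -e aborts here on a mismatch
    tar xf "$tarball" -C "$INSTALL_DIR"
    chown -R root:root "$INSTALL_DIR/lynis"
    rm -rf "$tmp"
    echo "installed to $INSTALL_DIR/lynis; run: $INSTALL_DIR/lynis/lynis audit system"
}

# Usage: sh install-lynis.sh <EXPECTED_SHA256>  (placeholder: fill in your digest)
if [ "${1:-}" != "" ]; then
    install_lynis "$1"
fi
```

The verification step is deliberately a separate function so the same check can be reused for any other root-installed archive; with `set -e` in effect, a mismatch aborts before `tar` or `chown` ever runs.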

After the audit completes, Lynis reports the status of each check, followed by warnings and suggestions for fixing the weaknesses it found.

Output:

[+] Networking
————————————
– Checking IPv6 configuration [ ENABLED ]
Configuration method [ AUTO ]
IPv6 only [ NO ]
– Checking configured nameservers
– Testing nameservers
Nameserver: 10.32.16.238 [ OK ]
Nameserver: 10.32.16.237 [ OK ]
– Minimal of 2 responsive nameservers [ OK ]
– Checking default gateway [ DONE ]
– Getting listening ports (TCP/UDP) [ DONE ]
* Found 9 ports
– Checking promiscuous interfaces [ OK ]
warning, got bogus unix line.
– Checking waiting connections [ OK ]
– Checking status DHCP client [ NOT ACTIVE ]
– Checking for ARP monitoring software [ NOT FOUND ]

[+] Printers and Spools
————————————
– Checking cups daemon [ NOT FOUND ]
– Checking lp daemon [ NOT RUNNING ]

[+] Software: e-mail and messaging
————————————
– Checking Exim status [ NOT FOUND ]
– Checking Postfix status [ NOT FOUND ]
– Checking Dovecot status [ NOT FOUND ]
– Checking Qmail status [ NOT FOUND ]
– Checking Sendmail status [ NOT FOUND ]

[+] Software: firewalls
————————————
– Checking iptables kernel module [ FOUND ]
– Checking iptables policies of chains [ FOUND ]
– Checking chain INPUT (table: filter) policy [ ACCEPT ]
– Checking for empty ruleset [ WARNING ]
– Checking for unused rules [ OK ]
– Checking host based firewall [ ACTIVE ]

[+] Software: webserver
————————————
– Checking Apache [ NOT FOUND ]
– Checking nginx [ NOT FOUND ]

[+] SSH Support
————————————
– Checking running SSH daemon [ FOUND ]
– Searching SSH configuration [ FOUND ]
– SSH option: AllowTcpForwarding [ OK ]
– SSH option: ClientAliveCountMax [ OK ]
– SSH option: ClientAliveInterval [ OK ]
– SSH option: Compression [ OK ]
– SSH option: FingerprintHash [ NOT FOUND ]
– SSH option: GatewayPorts [ OK ]
– SSH option: IgnoreRhosts [ OK ]
– SSH option: LoginGraceTime [ OK ]
– SSH option: LogLevel [ OK ]
– SSH option: MaxAuthTries [ SUGGESTION ]
– SSH option: MaxSessions [ OK ]
– SSH option: PermitRootLogin [ OK ]
– SSH option: PermitUserEnvironment [ OK ]
– SSH option: PermitTunnel [ OK ]
– SSH option: Port [ OK ]
– SSH option: PrintLastLog [ OK ]
– SSH option: Protocol [ OK ]
– SSH option: StrictModes [ OK ]
– SSH option: TCPKeepAlive [ OK ]
– SSH option: UseDNS [ SUGGESTION ]
– SSH option: UsePrivilegeSeparation [ SUGGESTION ]
– SSH option: VerifyReverseMapping [ NOT FOUND ]
– SSH option: X11Forwarding [ OK ]
– SSH option: AllowAgentForwarding [ NOT FOUND ]
– SSH option: AllowUsers [ NOT FOUND ]
– SSH option: AllowGroups [ NOT FOUND ]

[+] SNMP Support
————————————
– Checking running SNMP daemon [ NOT FOUND ]

[+] Databases
————————————
No database engines found

[+] LDAP Services
————————————
– Checking OpenLDAP instance [ NOT FOUND ]

[+] PHP
————————————
– Checking PHP [ FOUND ]
– Checking PHP disabled functions [ FOUND ]
– Checking expose_php option [ OFF ]
– Checking enable_dl option [ OFF ]
– Checking allow_url_fopen option [ ON ]
– Checking allow_url_include option [ OFF ]

[+] Squid Support
————————————
– Checking running Squid daemon [ NOT FOUND ]

[+] Logging and files
————————————
– Checking for a running log daemon [ OK ]
– Checking Syslog-NG status [ NOT FOUND ]
– Checking systemd journal status [ NOT FOUND ]
– Checking Metalog status [ NOT FOUND ]
– Checking RSyslog status [ FOUND ]
– Checking RFC 3195 daemon status [ NOT FOUND ]
– Checking minilogd instances [ NOT FOUND ]
– Checking logrotate presence [ OK ]
– Checking log directories (static list) [ DONE ]
– Checking open log files [ DONE ]
– Checking deleted files in use [ FILES FOUND ]

[+] Insecure services
————————————
– Checking inetd status [ NOT ACTIVE ]

[+] Banners and identification
————————————
– /etc/issue [ FOUND ]
– /etc/issue contents [ WEAK ]
– /etc/issue.net [ FOUND ]
– /etc/issue.net contents [ WEAK ]

[+] Scheduled tasks
————————————
– Checking crontab/cronjob [ DONE ]

[+] Accounting
————————————
– Checking accounting information [ NOT FOUND ]
– Checking sysstat accounting data [ DISABLED ]
– Checking auditd [ NOT FOUND ]

[+] Time and Synchronization
————————————
– Checking event based ntpdate (if-up) [ FOUND ]
– Checking for a running NTP daemon or client [ OK ]

[+] Cryptography
————————————
– Checking for expired SSL certificates [ NONE ]

[+] Virtualization
————————————

[+] Containers
————————————
– Docker info output (warnings) [ 1 ]

[+] Security frameworks
————————————
– Checking presence AppArmor [ FOUND ]
– Checking AppArmor status [ UNKNOWN ]
– Checking presence SELinux [ NOT FOUND ]
– Checking presence grsecurity [ NOT FOUND ]
– Checking for implemented MAC framework [ NONE ]

[+] Software: file integrity
————————————
– Checking file integrity tools
– Checking presence integrity tool [ NOT FOUND ]

[+] Software: System tooling
————————————
– Checking automation tooling
– Automation tooling [ NOT FOUND ]
– Checking for IDS/IPS tooling [ NONE ]

[+] Software: Malware
————————————
– Checking LMD (Linux Malware Detect) [ FOUND ]
– Checking ClamAV scanner [ FOUND ]
– Checking ClamAV daemon [ FOUND ]
– Checking freshclam [ FOUND ]

[+] File Permissions
————————————
– Starting file permissions check
/etc/lilo.conf [ NOT FOUND ]
/root/.ssh [ OK ]

[+] Home directories
————————————
– Checking shell history files [ OK ]

[+] Kernel Hardening
————————————
– Comparing sysctl key pairs with scan profile
– kernel.core_uses_pid (exp: 1) [ OK ]
– kernel.ctrl-alt-del (exp: 0) [ OK ]
– kernel.kptr_restrict (exp: 2) [ OK ]
– kernel.randomize_va_space (exp: 2) [ OK ]
– kernel.sysrq (exp: 0) [ OK ]
– net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ]
– net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
– net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
– net.ipv4.conf.all.forwarding (exp: 0) [ DIFFERENT ]
– net.ipv4.conf.all.log_martians (exp: 1) [ OK ]
– net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
– net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
– net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
– net.ipv4.conf.all.send_redirects (exp: 0) [ OK ]
– net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ]
– net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
– net.ipv4.conf.default.log_martians (exp: 1) [ OK ]
– net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
– net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
– net.ipv4.tcp_syncookies (exp: 1) [ OK ]
– net.ipv4.tcp_timestamps (exp: 0) [ OK ]
– net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ]
– net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
– net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ]
– net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
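The Kernel Hardening section above is a comparison of live sysctl values against expected ones; the one DIFFERENT line (net.ipv4.conf.all.forwarding) is what drives the KRNL-6000 suggestion in the results. The script below is an added example, not Lynis' own code: it re-runs that comparison stand-alone from a plain key=expected list (an assumed format, not Lynis' profile syntax) built from the keys and expected values printed above, so a change can be re-checked without a full audit.

```shell
#!/bin/sh
# Added example (not Lynis' own code): re-run the "sysctl key pairs vs. scan
# profile" comparison shown above as a stand-alone check, using a plain
# key=expected list (an assumed format, not Lynis' profile syntax).
set -eu

# Constructed profile: a subset of the keys Lynis compared above, with the
# expected values it printed.
SYSCTL_PROFILE='kernel.kptr_restrict=2
kernel.randomize_va_space=2
kernel.sysrq=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1'

# current_value KEY -> the live kernel value, or "(unset)" when the key is absent
current_value() {
    sysctl -n "$1" 2>/dev/null || echo "(unset)"
}

# compare_profile PROFILE_FILE -> prints one Lynis-style line per key and
# returns the number of keys whose live value differs from the expected one
compare_profile() {
    diffs=0
    while IFS='=' read -r key expected; do
        [ -n "$key" ] || continue
        actual="$(current_value "$key")"
        if [ "$actual" = "$expected" ]; then
            printf '%-48s (exp: %s) [ OK ]\n' "$key" "$expected"
        else
            printf '%-48s (exp: %s) [ DIFFERENT: %s ]\n' "$key" "$expected" "$actual"
            diffs=$((diffs + 1))
        fi
    done < "$1"
    return "$diffs"
}

# Usage: sh sysctl-check.sh check
if [ "${1:-}" = "check" ]; then
    tmp="$(mktemp)"
    printf '%s\n' "$SYSCTL_PROFILE" > "$tmp"
    compare_profile "$tmp" || echo "$? key(s) differ from the profile"
    rm -f "$tmp"
fi
```

Because the live read is isolated in `current_value`, the comparison logic can be exercised against recorded values (for instance a saved `sysctl -a` dump from another host) by redefining that one function.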

[+] Hardening
————————————
– Installed compiler(s) [ FOUND ]
– Installed malware scanner [ FOUND ]

[+] Custom Tests
————————————
– Running custom tests… [ NONE ]

[+] Plugins (phase 2)
————————————

================================================================================

-[ Lynis 2.4.0 Results ]-

Warnings (2):
—————————-
! grpck binary found errors in one or more group files [AUTH-9216]
https://cisofy.com/controls/AUTH-9216/

! iptables module(s) loaded, but no rules active [FIRE-4512]
https://cisofy.com/controls/FIRE-4512/

Suggestions (29):
—————————-
* Version of Lynis outdated, consider upgrading to the latest version [LYNIS]
https://cisofy.com/controls/LYNIS/

* Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
https://cisofy.com/controls/BOOT-5122/

* Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]
https://cisofy.com/controls/AUTH-9262/

* Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027) [AUTH-9328]
https://cisofy.com/controls/AUTH-9328/

* Default umask in /etc/init.d/rc could be more strict like 027 [AUTH-9328]
https://cisofy.com/controls/AUTH-9328/

* To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/

* Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
https://cisofy.com/controls/STRG-1840/

* Check DNS configuration for the dns domain name [NAME-4028]
https://cisofy.com/controls/NAME-4028/

* Check RPM database as RPM binary available but does not reveal any packages [PKGS-7308]
https://cisofy.com/controls/PKGS-7308/

* Purge old/removed packages (94 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [PKGS-7346]
https://cisofy.com/controls/PKGS-7346/

* Install debsums utility for the verification of packages with known good database. [PKGS-7370]
https://cisofy.com/controls/PKGS-7370/

* Install package apt-show-versions for patch management purposes [PKGS-7394]
https://cisofy.com/controls/PKGS-7394/

* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
https://cisofy.com/controls/NETW-3032/

* Consider hardening SSH configuration [SSH-7408]
– Details : MaxAuthTries (2 --> 1)
https://cisofy.com/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
– Details : UseDNS (YES --> NO)
https://cisofy.com/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
– Details : UsePrivilegeSeparation (YES --> SANDBOX)
https://cisofy.com/controls/SSH-7408/

* Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376]
https://cisofy.com/controls/PHP-2376/

* Check what deleted files are still in use and why. [LOGG-2190]
https://cisofy.com/controls/LOGG-2190/

* Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
https://cisofy.com/controls/BANN-7126/

* Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
https://cisofy.com/controls/BANN-7130/

* Enable process accounting [ACCT-9622]
https://cisofy.com/controls/ACCT-9622/

* Enable sysstat to collect accounting (disabled) [ACCT-9626]
https://cisofy.com/controls/ACCT-9626/

* Enable auditd to collect audit information [ACCT-9628]
https://cisofy.com/controls/ACCT-9628/

* Run ‘docker info’ to see warnings applicable to Docker daemon [CONT-8104]
https://cisofy.com/controls/CONT-8104/

* Check output of aa-status [MACF-6208]
– Details : /sys/kernel/security/apparmor/profiles
– Solution : Run aa-status
https://cisofy.com/controls/MACF-6208/

* Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
https://cisofy.com/controls/FINT-4350/

* Determine if automation tools are present for system management [TOOL-5002]
https://cisofy.com/controls/TOOL-5002/

* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
https://cisofy.com/controls/KRNL-6000/

* Harden compilers like restricting access to root user only [HRDN-7222]
https://cisofy.com/controls/HRDN-7222/

Follow-up:
—————————-
– Show details of a test (lynis show details TEST-ID)
– Check the logfile for all details (less /var/log/lynis.log)
– Read security controls texts (https://cisofy.com)
– Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

Lynis security scan details:

Hardening index : 81 [################ ]
Tests performed : 206
Plugins enabled : 0

Components:
– Firewall [V]
– Malware scanner [V]

Lynis Modules:
– Compliance Status [?]
– Security Audit [V]
– Vulnerability Scan [V]

Files:
– Test and debug information : /var/log/lynis.log
– Report data : /var/log/lynis-report.dat

================================================================================
Notice: Lynis update available
Current version : 240 Latest version : 242
================================================================================

Lynis 2.4.0

Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)

2007-2016, CISOfy – https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)

================================================================================

[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /opt/lynis/default.prf for all settings)
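The Files section of the results points at /var/log/lynis-report.dat, the machine-readable copy of everything printed above, which is what to consume when audits run on a schedule. The script below is an added example, not code from the post or from Lynis: it reads that file, extracts the hardening index and the warning and suggestion test IDs, and turns them into a pass/fail gate (index at or above a threshold and zero warnings). The key=value report layout with `warning[]=ID|text|details|solution|` entries is assumed from Lynis' report format, and the sample report embedded below is constructed from the results shown above.

```shell
#!/bin/sh
# Added example (not Lynis' own code): post-process /var/log/lynis-report.dat
# into a pass/fail gate. The key=value layout and the warning[]/suggestion[]
# field order are assumed from Lynis' report format; the sample is constructed
# from the results shown in the post.
set -eu

SAMPLE_REPORT='lynis_version=2.4.0
hardening_index=81
tests_executed=206
warning[]=AUTH-9216|grpck binary found errors in one or more group files|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (2 --> 1)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|UseDNS (YES --> NO)|-|
suggestion[]=PHP-2376|Change the allow_url_fopen line to: allow_url_fopen = Off|-|-|
suggestion[]=BANN-7126|Add a legal banner to /etc/issue|-|-|'

# report_value FILE KEY -> value of a scalar key such as hardening_index
report_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# report_ids FILE KIND -> sorted unique test IDs of warning[] or suggestion[] entries
report_ids() {
    sed -n "s/^$2\[\]=\([A-Z0-9-]*\)|.*/\1/p" "$1" | sort -u
}

# count_entries FILE KIND -> number of warning[] or suggestion[] lines
count_entries() {
    grep -c "^$2\[\]=" "$1" || true
}

# audit_gate FILE MIN_INDEX -> 0 when index >= MIN_INDEX and no warnings, else 1
audit_gate() {
    file="$1"; min="$2"
    idx="$(report_value "$file" hardening_index)"
    warns="$(count_entries "$file" warning)"
    status=0
    if [ "${idx:-0}" -lt "$min" ]; then
        echo "FAIL: hardening index ${idx:-?} is below the required $min"
        status=1
    fi
    if [ "$warns" -gt 0 ]; then
        echo "FAIL: $warns warning(s) must be resolved:"
        report_ids "$file" warning | sed 's/^/  /'
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "PASS: hardening index $idx, no warnings"
    fi
    return "$status"
}

# Usage: sh lynis-gate.sh /var/log/lynis-report.dat 80   (or: sh lynis-gate.sh demo)
if [ "${1:-}" = "demo" ]; then
    tmp="$(mktemp)"
    printf '%s\n' "$SAMPLE_REPORT" > "$tmp"
    echo "suggestions by control: $(report_ids "$tmp" suggestion | tr '\n' ' ')"
    audit_gate "$tmp" 80 || echo "gate failed"
    rm -f "$tmp"
elif [ "${1:-}" != "" ]; then
    audit_gate "$1" "${2:-80}"
fi
```

Collapsing suggestions to unique control IDs matters in practice: the three SSH-7408 entries above are one control with three details, so counting raw suggestion lines overstates the work, while warnings are treated as blocking regardless of the index.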
