Diagnosing security issues to address with Squeeze's "lynis"

■Diagnosing security issues to address with Squeeze's "lynis"
 It cannot be called "up to date", but I think it is a good tool for diagnosing known issues.

$ apt-cache show lynis | grep -A 7 ^Desc
Description-ja: Unix ベースのシステム向けのセキュリティ診断ツール
 Lynis は Unix 向け診断ツールです。システムの設定を走査して
 プロの検証者が利用可能なシステム情報やセキュリティ問題の概観を作成
 します。自動診断の補助も可能です。
 .
 Lynis はセキュリティスキャナ、システムベンチマーキングツールや
 設定微調整ツールといった他のソフトウェアとの併用も可能です。
Homepage: http://www.rootkit.nl/projects/lynis.html


$ sudo apt-get install -y lynis

■Run it right away.
 This is not a cron run, but the option avoids being prompted for Enter or Ctrl+C at every step.
 "-Q" also works.

$ sudo lynis -c --auditor "automated" --cronjob | tee lynis.log
...

$ cat lynis.log | grep -A 100 "\[ Lynis 1.2.9 Results \]" | sed s/"\]\|)\|\,\|\. "/"&\n"/g
  -[ Lynis 1.2.9 Results ]
-

  Tests performed: 141
  Warnings:
  ----------------------------
   - [04:12:37]
 Warning: No password set for single mode [test:AUTH-9308]
 [impact:L]

   - [04:13:01]
 Warning: Couldn’t find 2 responsive nameservers [test:NETW-2705]
 [impact:L]

   - [04:13:03]
 Warning: Root can directly login via SSH [test:SSH-7412]
 [impact:M]

   - [04:13:06]
 Warning: No running NTP daemon or available client found [test:TIME-3104]
 [impact:M]

   - [04:13:06]
 Warning: Found SSL certificate expiration (/etc/ssl/certs/ca-certificates.crt)
 [test:CRYP-7902]
 [impact:M]


  Suggestions:
  ----------------------------
   - [04:12:21]
 Suggestion: update to the latest stable release.
   - [04:12:37]
 Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]

   - [04:12:37]
 Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]

   - [04:12:37]
 Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]

   - [04:12:37]
 Suggestion: Set password for single user mode to minimize physical access attack surface [test:AUTH-9308]

   - [04:12:37]
 Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]

   - [04:12:37]
 Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]

   - [04:12:37]
 Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]

   - [04:12:38]
 Suggestion: Disable drivers like USB storage when not used,
 to prevent unauthorized storage or data theft [test:STRG-1840]

   - [04:12:39]
 Suggestion: Disable drivers like firewire storage when not used,
 to prevent unauthorized storage or data theft [test:STRG-1846]

   - [04:13:00]
 Suggestion: Install package 'yum-utils' for better consistency checking of the package database [test:PKGS-7384]

   - [04:13:01]
 Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705]

   - [04:13:05]
 Suggestion: Add legal banner to /etc/issue,
 to warn unauthorized users [test:BANN-7126]

   - [04:13:05]
 Suggestion: Add legal banner to /etc/issue.net,
 to warn unauthorized users [test:BANN-7130]

   - [04:13:06]
 Suggestion: Enable auditd to collect audit information [test:ACCT-9628]

   - [04:13:06]
 Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily,
 to prevent big time differences and avoid problems with services like kerberos,
 authentication or logging differences.
[test:TIME-3104]

   - [04:13:06]
 Suggestion: Renew SSL expired certificates.
[test:CRYP-7902]

   - [04:13:07]
 Suggestion: Install a file integrity tool [test:FINT-4350]

   - [04:13:09]
 Suggestion: Harden the system by removing unneeded compilers.
This can decrease the chance of customized trojans,
 backdoors and rootkits to be compiled and installed [test:HRDN-7220]

================================================================================
  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
================================================================================
  Notice: Lynis update available
  Current version : 129    Latest version : 130
================================================================================
  Hardening index : [53]
     [##########          ]

================================================================================
  Lynis 1.2.9
  Copyright 2007-2009 - Michael Boelen,
 http://www.rootkit.nl/
================================================================================
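The grep/sed pipeline above only makes the results readable. As an added example (not from the original post), the shell functions below pull the test IDs and impact levels out of a "--cronjob" log in the 1.2.x format shown above, so warnings can be counted and diffed between runs. The log text embedded in SAMPLE_LOG is constructed from that format, not a real capture; pass the tee'd lynis.log as the argument, or pipe it on stdin.

```shell
#!/bin/sh
# Added example, not lynis's own code. SAMPLE_LOG is a constructed excerpt
# in the raw (pre-sed) layout of the "Lynis 1.2.9 Results" block above.
SAMPLE_LOG='  Warnings:
  ----------------------------
   - [04:12:37] Warning: No password set for single mode [test:AUTH-9308] [impact:L]
   - [04:13:03] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
   - [04:13:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

  Suggestions:
  ----------------------------
   - [04:12:37] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
   - [04:13:05] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]'

# Print one "IMPACT TESTID" pair per Warning line, e.g. "M SSH-7412".
# Reads the file(s) given as arguments, or stdin when none are given.
lynis_warnings() {
  awk '/Warning:/ {
         test = ""; impact = "?"
         # [test:AUTH-9308] -> strip the 6-char "[test:" prefix and the "]"
         if (match($0, /\[test:[A-Z]+-[0-9]+\]/))
           test = substr($0, RSTART + 6, RLENGTH - 7)
         # [impact:L] -> the single letter after the 8-char "[impact:" prefix
         if (match($0, /\[impact:[A-Z]\]/))
           impact = substr($0, RSTART + 8, RLENGTH - 9)
         if (test != "") print impact, test
       }' "$@"
}

# Count warnings at a given impact level (H, M or L), e.g. count_impact M.
count_impact() {
  lvl=$1; shift
  lynis_warnings "$@" | awk -v lvl="$lvl" '$1 == lvl { n++ } END { print n + 0 }'
}

# Sorted, unique list of every test ID (warnings and suggestions), suitable
# for "diff" against the list saved from the previous run.
lynis_test_ids() {
  grep -o '\[test:[A-Z]*-[0-9]*\]' "$@" | sed 's/\[test://; s/]//' | sort -u
}
```

A run on the page's own output looks like `./lynis-summary.sh lynis.log`; keep each run's ID list so a new ID stands out the next time.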

■lynis 1.3.0 has been released.
 At present the databases are up to date, but they date from 2008.

$ sudo lynis --check-update

 == Lynis ==
  Version       :   1.2.9 [ Outdated ]
  Release date  :   15 December 2009

 == Databases ==
                    Current          Latest            Status
  -----------------------------------------------------------------------------
  Malware       :   2008062700       2008062700       Up-to-date
  File perms    :   2008053000       2008053000       Up-to-date


Copyright 2007-2009 - Michael Boelen, http://www.rootkit.nl/

■The wheezy/sid chroot environments have the latest "1.3.0".

$ sudo chroot /home/labunix/cifs/wheezy/ apt-cache show lynis | grep Version
Version: 1.3.0-1

$ sudo chroot /home/labunix/cifs/sid/ apt-cache show lynis | grep Version
Version: 1.3.0-1

$ sudo chroot /home/labunix/cifs/wheezy/ apt-get install -y lynis

■The results changed slightly,
 but scanning inside a chroot environment does not mean much, so treat them as reference only.

$ sudo chroot /home/labunix/cifs/wheezy/ lynis -c --auditor "automated" --cronjob | tee lynis.log
$ cat lynis.log | grep -A 100 "\[ Lynis 1.3.0 Results \]" | sed s/"\]\|)\|\,\|\. "/"&\n"/g
  -[ Lynis 1.3.0 Results ]
-

  Tests performed: 133
  Warnings:
  ----------------------------
   - [19:41:05]
 Warning: No running NTP daemon or available client found [test:TIME-3104]
 [impact:M]


  Suggestions:
  ----------------------------
   - [19:40:56]
 Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]

   - [19:40:56]
 Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]

   - [19:40:56]
 Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]

   - [19:40:56]
 Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]

   - [19:40:56]
 Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]

   - [19:40:56]
 Suggestion: To decrease the impact of a full /home file system,
 place /home on a separated partition [test:FILE-6310]

   - [19:40:57]
 Suggestion: The database required for 'locate' could not be found.
Run 'updatedb' or 'locate.updatedb' to create this file.
[test:FILE-6410]

   - [19:40:57]
 Suggestion: Disable drivers like USB storage when not used,
 to prevent unauthorized storage or data theft [test:STRG-1840]

   - [19:40:57]
 Suggestion: Disable drivers like firewire storage when not used,
 to prevent unauthorized storage or data theft [test:STRG-1846]

   - [19:41:04]
 Suggestion: Add legal banner to /etc/motd,
 to warn unauthorized users [test:BANN-7122]

   - [19:41:04]
 Suggestion: Add legal banner to /etc/issue,
 to warn unauthorized users [test:BANN-7126]

   - [19:41:04]
 Suggestion: Add legal banner to /etc/issue.net,
 to warn unauthorized users [test:BANN-7130]

   - [19:41:05]
 Suggestion: Enable auditd to collect audit information [test:ACCT-9628]

   - [19:41:05]
 Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily,
 to prevent big time differences and avoid problems with services like kerberos,
 authentication or logging differences.
[test:TIME-3104]

   - [19:41:06]
 Suggestion: Install a file integrity tool [test:FINT-4350]

   - [19:41:08]
 Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]

================================================================================
  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
================================================================================
  Hardening index : [49]
     [#########           ]

================================================================================
  Tip: Disable all tests which are not relevant or are too strict for the
       purpose of the particular machine.
This will remove unwanted suggestions
       and also boost the hardening index.
Each test should be properly analyzed
       to see if the related risks can be accepted,
 before disabling the test.
================================================================================
  Lynis 1.3.0
  Copyright 2007-2012 - Michael Boelen,
 http://www.rootkit.nl/
================================================================================

$ sudo chroot /home/labunix/cifs/wheezy/ lynis --check-update

 == Lynis ==

  Version         :   1.3.0
  Release date    :   28 April 2011
  Update location :   http://www.rootkit.nl/

 == Databases ==
                      Current          Latest           Status
  -----------------------------------------------------------------------------
  Malware         :   0       0       Up-to-date
  File perms      :   0       0       Up-to-date


Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/