lynis—*nix安全审计工具

一、介绍

Lynis是一款*nix（我在mac os x10.8.3，ubuntu 10.04, Debian 2.6上都测试过，能正常运行）上的开源的系统安全审计功能工具，该工具由一系列的shell脚本构成，可以在移动硬盘上运行（但运行需要root权限）。可以审计如下内容:

1. 系统上安装的二进制文件（例如/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin目录下的）2.启动服务（例如GRUB是否有密码保护)3.系统内核信息（例如默认运行级别，内核加载模块，内核配置文件）4.内存与进程信息（例如是否有僵尸进程，是否有等待中的I/O操作）5.账户，群组与身份验证（例如sudoers文件，PAM配置等密码策略，unmask设置等）6.Shell（/etc/shells）7.文件系统（例如tmp目录下是否有90天前的文件，root文件系统是否有ACL策略8.是否禁止外设（usb，fireware）9.NFS10.DNS域名服务（/etc/resolv.conf，BIND，PowerDNS， ypbind，nscd）11.软件包管理（dpkg，rpm）12.网络信息（网卡，网关，ip，处于waiting状态的连接）13.打印机（cups）14.邮件系统（e.g.Postfix，Exim ，Qmail smtpd）15.防火墙（iptable）16、web服务器（apache，nignx）安全配置17.SSH安全配置（例如不运行root远程登录）18.SNMP安全配置19.数据库安全配置（MySQL，PostgreSQL，Oracle）20.LDAP安全配置21.PHP安全配置22.Squid安全配置23.日志文件管理（syslog，logrotate）24.危险服务 （inetd.conf)25.系统指纹（/etc/motd /etc/issue /etc/issue.net）26.定时任务（crontab/cronjob）27.审计模块是否开启（auditd）28. 时间同步服务（NTP）29.加密（例如SSL证书有效期）30.是否应用安全框架（SELinux，AppArmor ，grsecurity）31.是否有文件系统完整性检测工具（AFICK，AIDE， Osiris，Samhain，Tripwire32.是否有恶意程序检测工具（chkrootkit，Rootkit Hunter，ClamAV scanner）33.特定文件的权限是否合理（例如/root/.ssh是否为rwx------）34.home目录下是否有敏感文件（例如shell history文件内容是否可疑）35.是否做过内核加固（扫描sysctl内容）

二、安装及运行

很简单，如下所示：

安装

wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gztar zxvf lynis-1.3.0.tar.gzcd lynis-1.3.0/

查看帮助

sudo ./lynis --man

全部检查（最常用）

sudo ./lynis --check-all -Q

采用crontab自动检查

sudo ./lynis -c --auditor "automated" --cronjob > /var/log/lynis/report.txt

三、查看日志中的敏感信息

grep Warning /var/log/lynis.log
grep Suggestingon /var/log/lynis.log

结果如下（以一台debian操作系统为例）

dani@10:~/lynis-1.3.0$ sudo grep Warning /var/log/lynis.log[sudo] password for dani: [14:40:54] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M][14:42:33] Warning: Found 8 files in /tmp which are older than 90 days [test:FILE-6354] [impact:L][14:42:41] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [impact:L][14:42:41] Warning: Found promiscuous interface (peth0) [test:NETW-3015] [impact:H][14:52:27] Warning: iptables module(s) loaded, but no rules active [test:FIRE-4512] [impact:L][14:52:49] Warning: Found SSL certificate expiration (/etc/ssl/certs/ca-certificates.crt) [test:CRYP-7902] [impact:M]dani@10:~/lynis-1.3.0$ sudo grep Suggestion /var/log/lynis.log[14:40:54] Suggestion: Run grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> [test:BOOT-5121][14:42:29] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282][14:42:29] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328][14:42:29] Suggestion: Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027 [test:AUTH-9328][14:42:29] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328][14:42:33] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310][14:42:33] Suggestion: Clean up unused files in /tmp [test:FILE-6354][14:42:34] Suggestion: The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [test:FILE-6410][14:42:34] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840][14:42:34] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846][14:42:40] Suggestion: Purge removed packages (2 found) with aptitude purge command, to cleanup old configuration files, cron jobs and startup scripts. [test:PKGS-7346][14:42:41] Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705][14:52:27] Suggestion: Disable iptables kernel module if not used or make sure rules are being used [test:FIRE-4512][14:52:27] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590][14:52:42] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126][14:52:42] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130][14:52:48] Suggestion: Enable auditd to collect audit information [test:ACCT-9628][14:52:51] Suggestion: Renew SSL expired certificates. [test:CRYP-7902][14:52:53] Suggestion: Install a file integrity tool [test:FINT-4350][14:53:03] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000][14:53:03] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220][14:53:03] Suggestion: Harden compilers and restrict access to world [test:HRDN-7222][14:53:03] Suggestion: Harden the system by installing one or malware scanners to perform periodic 

结果如下（以一台debian操作系统为例）

四、小结
该款工具比较全面的涵盖了系统安全的审计内容，但每个审计项都不深入，需要具体的扩展，例如PHP、Apache，MySQL的安全配置，就需要细化。

五、附录
安全加固列表
（1）OS加固：debian（真机/虚拟机）
（2）DB加固：mysql3306，PostgreSQL5432，Oracle2483-2484，SQLServer1433-1434
（3）web服务器加固：apache，nignx，lighthttpd
（4）应用程序服务器加固：php
（5）LDAP服务器：OpenLDAP(ldap 389)
（6）DNS服务器，BIND (dns 53)
（7）电子邮件服务器，SendMail(Postfix)：SMTP (smtp 25）
（8）FTP服务器：VSFTPD，Server-U （ftp 21 tftp 69)
（9）Samba服务器：smb协议 (smb445)
（10）NFS服务器(nfs 2049)
（11）Squid服务器
（12）SSH服务器：OpenSSH (ssh 22 telnet23)
（13）Linux防火墙：iptables
（14）VPN服务：OpenVPN (ipsec 500, PPTP 1723, L2TP 1701)
（15）IDS：snort
（16）网络监控：Nagios
（17）网络监控策略：snmp服务 (snmp 161)
（18）SVN服务
（19）RTX
（20）kerberos
（21）SSL：OpenSSL
（22）PAM
（23）DHCP服务器
（24）数据备份
（25）远程桌面VNC (VNC 5900)
（26）NTP(network time protocol) 123
参考：

http://xmodulo.com/2013/04/how-to-scan-linux-for-vulnerabilities.html