什么是林尼斯?
Lynis 是一个众所周知的、经验丰富的安全工具,适用于基于 Linux 的系统(包括 macOS 和/或其他基于 Unix 的操作系统。它对您的系统执行广泛的健康扫描,以支持系统强化和合规性测试。该项目是开源软件使用 GPL 许可证,自 2007 年起可用。
莱尼斯是做什么用的?
- 安全审查
- 合规性评估(例如 HIPAA、PCI、SOx)
- 渗透评估
- 漏洞诊断
- 系统完整性
谁使用Lynis?
- 审计师
- 系统管理员
- 开发者
- 笔测试员
莱尼斯安装
安装选项
操作系统
CentOS/红帽/Fedora
先决条件:确保 cURL、NSS、OpenSSL 和 CA 证书是最新的。
root@host:~# yum update ca-certificates curl nss openssl接下来,我们创建 /etc/yum.repos.d/cisofy-lynis.repo 文件。
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2现在,我们可以安装lynis了。
root@host:~# yum makecache fast && yum install lynis要启动 Lynis,请使用以下命令。
root@host:~# lynis audit systemDebian/Ubuntu
在 Ubuntu 或 Debian 服务器上,我们首先从中央密钥服务器下载密钥。
root@host:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
Executing: /tmp/apt-key-gpghome.NZrCKJSpNR/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
gpg: key 366C67DE91CA5D5F: 2 signatures not checked due to missing keys
gpg: key 366C67DE91CA5D5F: public key "CISOfy Software (signed software packages) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
root@host:~# 我们也可以手动导入密钥。
root@host:~# wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -
root@host:~# sudo apt install apt-transport-https
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1692 B of archives.
After this operation, 153 kB of additional disk space will be used.
Get:1 https://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 apt-transport-https all 1.6.12 [1692 B]
Fetched 1692 B in 0s (9909 B/s)
Selecting previously unselected package apt-transport-https.
(Reading database ... 102038 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_1.6.12_all.deb ...
Unpacking apt-transport-https (1.6.12) ...
Setting up apt-transport-https (1.6.12) ...
root@host:~# 接下来,我们要确保安装 Apt 的“HTTPS 安全传输”模块。 此 repo 使用 HTTPS 进行数据的安全传输。 如果系统上尚未安装 APT ‘https’ 方法,请运行以下命令。
root@host:~# apt install apt-transport-https
root@host:~# sudo apt install apt-transport-https
Reading package lists... Done
Building dependency tree
Reading state information... Done
apt-transport-https is already the newest version (1.6.12).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@host:~#然后,我们可以添加 repo。
echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
deb https://packages.cisofy.com/community/lynis/deb/ stable main
root@host:~# 现在,运行更新并安装 Lynis。
root@host:~# apt update && apt install lynis让我们检查一下版本。
root@host:~# lynis show version
2.7.5
root@host:~# 要启动 Lynis,我们运行这个命令。
root@host:~# lynis audit system初始运行
基本 CentOS 服务器审计
下面列出了在新的 CentOS 7 服务器安装上使用基本 Lynis 软件扫描的所有部分(减去付费合规性、插件、界面和其他工具选项)。
root@host:~# lynis audit system
[ Lynis 2.7.5 ]
#####################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2019, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
#####################################################################
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
---------------------------------------------------
Program version: 2.7.5
Operating system: Linux
Operating system name: Ubuntu Linux
Operating system version: 18.04
Kernel version: 4.15.0
Hardware platform: x86_64
Hostname: host
---------------------------------------------------
Profiles: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/share/lynis/plugins
---------------------------------------------------
Auditor: [Not Specified]
Language: en
Test category: all
Test group: all
---------------------------------------------------
- Program update status... [ NO UPDATE ]
=====================================================================
Lynis update available
=====================================================================
Current version is more than 4 months old
Current version : 275 Latest version : 275
Please update to the latest version.
New releases include additional features, bug fixes, tests, and baselines.
Download the latest version:
Packages (DEB/RPM) - https://packages.cisofy.com
Website (TAR) - https://cisofy.com/downloads/
GitHub (source) - https://github.com/CISOfy/lynis
=====================================================================系统工具
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugins enabled [ NONE ]引导和服务选项
[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ DISABLED ]
- Checking presence GRUB [ OK ]
- Checking presence GRUB2 [ FOUND ]
- Checking for password protection [ NONE ]
- Check running services (systemctl) [ DONE ]
Result: found 24 running services Check enabled services at boot (systemctl) [ DONE ]
Result: found 43 enabled services
- Check startup files (permissions) [ OK ]内核检查
[+] Kernel
------------------------------------
- Checking default run level [ RUNLEVEL 5 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
Found 62 active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ FOUND ]
- Checking for available kernel update [ OK ]
- Checking core dumps configuration [ DISABLED ]
- Checking setuid core dumps configuration [ PROTECTED ]
- Check if reboot is needed [ NO ]内存/进程检查
[+] Memory and Processes
------------------------------------
- Checking /proc/meminfo [ FOUND ]
- Searching for dead/zombie processes [ OK ]
- Searching for IO waiting processes [ OK ]用户、组和身份验证审核
[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ OK ]
- Unique UIDs [ OK ]
- Consistency of group files (grpck) [ OK ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password file consistency [ OK ]
- Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ NOT ENABLED ]
- sudoers file [ FOUND ]
- Permissions for directory: /etc/sudoers.d [ WARNING ]
- Permissions for: /etc/sudoers [ OK ]
- Permissions for: /etc/sudoers.d/README [ OK ]
- PAM password strength tools [ SUGGESTION ]
- PAM configuration files (pam.conf) [ FOUND ]
- PAM configuration files (pam.d) [ FOUND ]
- PAM modules [ FOUND ]
- LDAP module in PAM [ NOT FOUND ]
- Accounts without expire date [ OK ]
- Accounts without password [ OK ]
- Checking user password aging (minimum) [ DISABLED ]
- User password aging (maximum) [ DISABLED ]
- Checking expired passwords [ OK ]
- Checking Linux single user mode authentication [ OK ]
- Determining default umask
- umask (/etc/profile) [ NOT FOUND ]
- umask (/etc/login.defs) [ SUGGESTION ]
- LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ ENABLED ]壳牌评估
[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 6 shells (valid shells: 6).
- Session timeout settings/tools [ NONE ]
- Checking default umask values
- Checking default umask in /etc/bash.bashrc [ NONE ]
- Checking default umask in /etc/profile [ NONE ]壳牌评论
[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 6 shells (valid shells: 6).
- Session timeout settings/tools [ NONE ]
- Checking default umask values
- Checking default umask in /etc/bash.bashrc [ NONE ]
- Checking default umask in /etc/profile [ NONE ]文件系统分析
[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Query swap partitions (fstab) [ OK ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- Checking /var/tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Mount options of / [ NON DEFAULT ]
- Checking Locate database [ FOUND ]
- Disable kernel support of some filesystems
- Discovered kernel modules: udf USB
[+] USB Devices
------------------------------------
- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
- Checking USB devices authorization [ ENABLED ]
- Checking USBGuard [ NOT FOUND ]存储选项
[+] Storage
------------------------------------
- Checking firewire ohci driver (modprobe config) [ DISABLED ]NFS
NFS
[+] NFS
------------------------------------
- Check running NFS daemon [ NOT FOUND ]DNS 审查
[+] Name services
------------------------------------
- Checking /etc/resolv.conf options [ FOUND ]
- Searching DNS domain name [ FOUND ]
Domain name: lwkb.com
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ OK ]
- Checking /etc/hosts (localhost) [ OK ]
- Checking /etc/hosts (localhost to IP) [ OK ]端口和包管理器
[+] Ports and packages
------------------------------------
- Searching package managers
- Searching dpkg package manager [ FOUND ]
- Querying package manager
- Query unpurged packages [ NONE ]
- Checking security repository in sources.list file [ OK ]
- Checking APT package database [ OK ]
- Checking vulnerable packages [ OK ]
- Checking upgradeable packages [ SKIPPED ]
- Checking package audit tool [ INSTALLED ]
Found: apt-check
- Toolkit for automatic upgrades (unattended-upgrade)[ FOUND ] 联网
[+] Networking
------------------------------------
- Checking IPv6 configuration [ ENABLED ]
Configuration method [ AUTO ]
IPv6 only [ NO ]
- Checking configured nameservers
- Testing nameservers
Nameserver: 127.0.0.53 [ OK ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ NOT ACTIVE ]
- Checking for ARP monitoring software [ NOT FOUND ]打印机
[+] Printers and Spools
------------------------------------
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]电子邮件软件
[+] Software: e-mail and messaging
------------------------------------防火墙信息
[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ FOUND ]
- Checking iptables policies of chains [ FOUND ]
- Checking for empty ruleset [ WARNING ]
- Checking for unused rules [ OK ]
- Checking host based firewall [ ACTIVE ]网络服务器软件
[+] Software: webserver
------------------------------------
- Checking Apache (binary /usr/sbin/apache2) [ FOUND ]
Info: Configuration file found (/etc/apache2/apache2.conf)
Info: No virtual hosts found
* Loadable modules [ FOUND (114) ]
- Found 114 loadable modules
mod_evasive: anti-DoS/brute force [ NOT FOUND ]
mod_reqtimeout/mod_qos [ FOUND ]
ModSecurity: web application firewall [ NOT FOUND ]
- Checking nginx [ NOT FOUND ]SSH 检查
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- SSH option: AllowTcpForwarding [ SUGGESTION ]
- SSH option: ClientAliveCountMax [ SUGGESTION ]
- SSH option: ClientAliveInterval [ OK ]
- SSH option: Compression [ SUGGESTION ]
- SSH option: FingerprintHash [ OK ]
- SSH option: GatewayPorts [ OK ]
- SSH option: IgnoreRhosts [ OK ]
- SSH option: LoginGraceTime [ OK ]
- SSH option: LogLevel [ SUGGESTION ]
- SSH option: MaxAuthTries [ SUGGESTION ]
- SSH option: MaxSessions [ SUGGESTION ]
- SSH option: PermitRootLogin [ SUGGESTION ]
- SSH option: PermitUserEnvironment [ OK ]
- SSH option: PermitTunnel [ OK ]
- SSH option: Port [ SUGGESTION ]
- SSH option: PrintLastLog [ OK ]
- SSH option: StrictModes [ OK ]
- SSH option: TCPKeepAlive [ SUGGESTION ]
- SSH option: UseDNS [ OK ]
- SSH option: VerifyReverseMapping [ NOT FOUND ]
- SSH option: X11Forwarding [ SUGGESTION ]
- SSH option: AllowAgentForwarding [ SUGGESTION ]
- SSH option: AllowUsers [ NOT FOUND ]
- SSH option: AllowGroups [ NOT FOUND ]SNMP 检查
[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]数据库信息
[+] Databases
------------------------------------
- MySQL process status [ FOUND ]LDAP 检查
[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]PHP 评论
[+] PHP
------------------------------------
- Checking PHP [ FOUND ]
- Checking PHP disabled functions [ FOUND ]
- Checking expose_php option [ ON ]
- Checking enable_dl option [ OFF ]
- Checking allow_url_fopen option [ ON ]
- Checking allow_url_include option [ OFF ]乌贼
[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]日志信息
[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking minilogd instances [ NOT FOUND ]
- Checking logrotate presence [ OK ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ FILES FOUND ]不安全
[+] Insecure services
------------------------------------
- Installed inetd package [ NOT FOUND ]
- Installed xinetd package [ OK ]
- xinetd status [ NOT ACTIVE ]
- Installed rsh client package [ OK ]
- Installed rsh server package [ OK ]
- Installed telnet client package [ OK ]
- Installed telnet server package [ NOT FOUND ]横幅
------------------------------------
- /etc/issue [ FOUND ]
- /etc/issue contents [ WEAK ]
- /etc/issue.net [ FOUND ]
- /etc/issue.net contents [ WEAK ]任务
[+] Scheduled tasks
------------------------------------
- Checking crontab and cronjob files [ DONE ]
- Checking atd status [ RUNNING ]
- Checking at users [ DONE ]
- Checking at jobs [ NONE ]审计
[+] Accounting
------------------------------------
- Checking accounting information [ NOT FOUND ]
- Checking sysstat accounting data [ NOT FOUND ]
- Checking auditd [ NOT FOUND ]NTP
[+] Time and Synchronization
------------------------------------
- NTP daemon found: systemd (timesyncd) [ FOUND ]
- Checking for a running NTP daemon or client [ OK ]密码学
[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [0/2] [ NONE ]虚拟化
[+] Virtualization
------------------------------------容器
[+] Containers
------------------------------------安全框架
[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ FOUND ]
- Checking AppArmor status [ ENABLED ]
- Checking presence SELinux [ NOT FOUND ]
- Checking presence TOMOYO Linux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ OK ]软件:文件完整性
[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- Checking presence integrity tool [ NOT FOUND ]软件:系统工具
[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NOT FOUND ]
- Checking for IDS/IPS tooling [ NONE ]软件:恶意软件
[+] Software: Malware
------------------------------------文件权限
[+] File Permissions
------------------------------------
- Starting file permissions check
/root/.ssh [ WARNING ]主目录
[+] Home directories
------------------------------------
- Checking shell history files [ OK ]内核强化
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ DIFFERENT ]
- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0)[ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route [ DIFFERENT ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0)[ OK ]
- net.ipv6.conf.default.accept_redirects [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route [ OK ]硬化
[+] Hardening
------------------------------------
- Installed compiler(s) [ NOT FOUND ]
- Installed malware scanner [ NOT FOUND ]自定义测试
[+] Custom Tests
------------------------------------
- Running custom tests... [ NONE ]插件
[+] Plugins (phase 2)
------------------------------------结果
=====================================================================
-[ Lynis 2.7.5 Results ]-
=====================================================================警告(2):
----------------------------
! iptables module(s) loaded, but no rules active [FIRE-4512]
https://cisofy.com/lynis/controls/FIRE-4512/
! Incorrect permissions for file /root/.ssh [FILE-7524]
https://cisofy.com/lynis/controls/FILE-7524/建议(38):
----------------------------
* This release is more than 4 months old. Consider upgrading [LYNIS]
https://cisofy.com/lynis/controls/LYNIS/
* Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] https://cisofy.com/lynis/controls/BOOT-5122/
* Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] https://cisofy.com/lynis/controls/AUTH-9262/
* Configure minimum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/lynis/controls/AUTH-9286/
* Configure maximum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/lynis/controls/AUTH-9286/
* Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] https://cisofy.com/lynis/controls/AUTH-9328/
* To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310] https://cisofy.com/lynis/controls/FILE-6310/
* To decrease the impact of a full /tmp file system, place /tmp on a separate partition [FILE-6310]
https://cisofy.com/lynis/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
https://cisofy.com/lynis/controls/FILE-6310/
* Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
https://cisofy.com/lynis/controls/STRG-1840/
* Install debsums utility for the verification of packages with known good database. [PKGS-7370]
https://cisofy.com/lynis/controls/PKGS-7370/
* Install package apt-show-versions for patch management purposes [PKGS-7394] https://cisofy.com/lynis/controls/PKGS-7394/
* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] https://cisofy.com/lynis/controls/NETW-3032/
* Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] https://cisofy.com/lynis/controls/HTTP-6640/
* Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
https://cisofy.com/lynis/controls/HTTP-6643/
* Consider hardening SSH configuration [SSH-7408]
- Details : AllowTcpForwarding (YES --> NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : ClientAliveCountMax (3 --> 2)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : Compression (YES --> NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : LogLevel (INFO --> VERBOSE)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : MaxAuthTries (6 --> 3)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : MaxSessions (10 --> 2)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : PermitRootLogin (YES --> (NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : Port (22 --> )
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : TCPKeepAlive (YES --> NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : X11Forwarding (YES --> NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : AllowAgentForwarding (YES --> NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Turn off PHP information exposure [PHP-2372]
- Details : expose_php = Off
https://cisofy.com/lynis/controls/PHP-2372/
* Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376] https://cisofy.com/lynis/controls/PHP-2376/
* Check what deleted files are still in use and why. [LOGG-2190]
https://cisofy.com/lynis/controls/LOGG-2190/
* Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] https://cisofy.com/lynis/controls/BANN-7126/
* Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] https://cisofy.com/lynis/controls/BANN-7130/
* Enable process accounting [ACCT-9622]
https://cisofy.com/lynis/controls/ACCT-9622/
* Enable sysstat to collect accounting (no results) [ACCT-9626]
https://cisofy.com/lynis/controls/ACCT-9626/
* Enable auditd to collect audit information [ACCT-9628]
https://cisofy.com/lynis/controls/ACCT-9628/
* Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] https://cisofy.com/lynis/controls/FINT-4350/
* Determine if automation tools are present for system management [TOOL-5002] https://cisofy.com/lynis/controls/TOOL-5002/
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
- Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)https://cisofy.com/lynis/controls/KRNL-6000/
* Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
- Solution : Install a tool like rkhunter, chkrootkit, OSSEC
https://cisofy.com/lynis/controls/HRDN-7230/跟进:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
=====================================================================
Lynis security scan details:
Hardening index : 66 [############# ]
Tests performed : 233
Plugins enabled : 0
Components:
- Firewall [V]
- Malware scanner [X]
Lynis modules:
- Compliance status [?]
- Security audit [V]
- Vulnerability scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
=====================================================================
Lynis 2.7.5
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2019, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
=====================================================================
[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
root@host:~# 如您所见,这些报告的输出采用关键字的形式,例如:
- [ NONE ] [ WEAK ] [ OK ] [ PROTECTED ]
- [ NON DEFAULT ] [ DIFFERENT ] [ SUGGESTION ] [ WARNING ]
- [ NOT ACTIVE ] [ ACTIVE ] [ RUNNING ]
- [ NOT FOUND ] [ INSTALLED ] [ FOUND ]
- [ DISABLED ] [ ENABLED ] [ NOT DISABLED ]
- [ SKIPPED ] [ RUNLEVEL X ] [ DONE ]
这使您可以更好地定义并根据提供的建议采取行动。
命令示例
以下是一些命令示例,您可以立即使用这些示例来开始快速获取所需信息。
root@host:~# lynis --warnings-only
- Permissions for directory: /etc/sudoers.d [ WARNING ]
- Checking for empty ruleset [ WARNING ]
/root/.ssh [ WARNING ]此命令列出了 Lynis 运行的所有测试。
lynis show tests要显示特定测试的详细信息,请运行此命令。
lynis show details TEST-IDroot@host:~# lynis show commands
Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-onlyroot@host:~# lynis show logfile
/var/log/lynis.log
root@host:~#root@host:~# lynis show report
/var/log/lynis-report.dat
root@host:~#您可以通过将设置添加到 custom.prf 来增强 Lynis 审核
(有关所有设置,请参见 /etc/lynis/default.prf 或运行以下命令)。
lynis show settings如您所见,Lynis 是一个出色的工具,可用于审查您的服务器系统,尤其是在您运行符合 HIPAA 的服务器托管时。 欲了解更多信息,请访问 Lynis 主页 或者 Lynis 文档页面.
给我们打电话 800.580.4985,或打开 聊天 或与我们联系,与我们知识渊博的解决方案或经验丰富的托管顾问之一交谈,了解您今天如何利用此软件!
