Lynis：Unix系统安全审计与加固工具，具备多特征及目标，附安装试用方法

0x00概述

Lynis是一款Unix系统的安全审计以及加固工具，才能进行深层次的安全扫描，其目的是检查潜在的时间并对未来的系统加固提供建议。这款软件会扫描通常系统信息，脆弱软件包以及潜在的错误配置。

该软件面向系统admin，审计人员，安全官，安全专家。

特点：

漏洞扫描系统加固入侵监测中心管理自定义行为规划报告安全面板持续检测技术支持

目标：

手动安全审计符合性测试漏洞探测

有助于：

配置管理软件补丁管理系统加固渗透测试恶意软件扫描入侵检查0x01安装

详尽查看其操作指南:

形式1git下载使用

git clone https://github.com/CISOfy/lynis

形式2直接下载tar包，解压使用

wget https://github.com/CISOfy/lynis/archive/2.7.5.tar.gz
tar -zxvf 2.7.5.tar.gz

0x02试用

步入lynis的目录linux服务器系统漏洞扫描报告，输入./lynis即可

我们通常试用./lynisauditsystem来进行对系统的全盘扫描linux虚拟主机，这些扫描方法会形成一系列人机交互，难以手动化扫描。

故我们在其后加上参数-Q即快速扫描，因而手动化扫描。

以下是常用的lynis的参数：

ParameterAbbreviatedDescription

--auditor”GivennameSurname”

配发审计人员的名子

--checkall

-c

开始检测

--check-update

更新

--cronjob

计划任务(includes-c-Q)

--help

-h

帮助

--manpage

用户指南

--nocolors

无配色

--pentest

低权限渗透测试扫描

--quick

-Q

手动模式

--quiet

沉静且手动模式

--reverse-colors

黑色背景配色模式

--version

-V

版本号

假如要进行深层次的检测的话，可能须要让lynis处于root权限运行，这么我们只要

sudo cp -R /path/to/lynis /usr/local/lynis

即可将lynis放在root权限中，这么一来就可以进行深层次的检测了。

0x03审计报告&日志

lynis将会进行深层次的审计linux服务器系统漏洞扫描报告，并将报告呈现在标准输出、日志文件以及审计报告文件中。

标准输出

我们执行lynis时将会在屏幕上复印出本次审计的结果，测试的结果包括[OKorWARNING][FoundorNotFound][Value]。如右图：

日志文件

扫描完毕后我们会生成一个日志文件以及一个扫描报告。日志文件中对比标准输出，会有更多的信息，这种信息适用于更深层次的检测。

日志里会有风波操作的执行时间，测试失败或跳过的缘由，内部测试的输出，对于配置选项不恰当该怎么更改的建议，恐吓指数。

我们对该文件进行输出永久免费linux服务器，查看其中的告警（WARNING）以及建议（SUGGESTION）

# grep Warning /var/log/lynis.log
[11:12:37] Warning: apt-get check returned a non successful exit code. [test:PKGS-7390] [details:M] [solution:-]
[11:13:41] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [details:L] [solution:-]
[11:13:43] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [details:M] [solution:-]

# grep Suggestion /var/log/lynis.log
[11:12:26] Suggestion: Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [test:BOOT-5122] [details:-] [solution:-]
[11:12:27] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262] [details:-] [solution:-]
[11:12:27] Suggestion: Configure minimum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
[11:12:27] Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
[11:12:28] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]
[11:12:28] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]
[11:12:28] Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310] [details:-] [solution:-]
[11:12:28] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310] [details:-] [solution:-]
[11:12:28] Suggestion: To decrease the impact of a full /var file system, place /var on a separated partition [test:FILE-6310] [details:-] [solution:-]
[11:12:28] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840] [details:-] [solution:-]
[11:12:28] Suggestion: Disable USB devices authorization, to prevent unauthorized storage or data theft [test:STRG-1840] [details:-] [solution:-]
[11:12:36] Suggestion: Purge old/removed packages (5 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [test:PKGS-7346] [details:-] [solution:-]
[11:12:36] Suggestion: Install debsums utility for the verification of packages with known good database. [test:PKGS-7370] [details:-] [solution:-]
[11:12:37] Suggestion: Run apt-get to perform a manual package database consistency check. [test:PKGS-7390] [details:-] [solution:-]
[11:13:40] Suggestion: Check if system is up-to-date, security updates test (apt-check) gives an unexpected result [test:PKGS-7392] [details:-] [solution:-]
[11:13:40] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394] [details:-] [solution:-]
[11:13:41] Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705] [details:-] [solution:-]
[11:13:41] Suggestion: Install ARP monitoring software like arpwatch [test:NETW-3032] [details:-] [solution:-]
[11:13:41] Suggestion: Access to CUPS configuration could be more strict. [test:PRNT-2307] [details:-] [solution:-]
[11:13:41] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590] [details:-] [solution:-]
[11:13:42] Suggestion: Install Apache mod_evasive to guard webserver against DoS/brute force attempts [test:HTTP-6640] [details:-] [solution:-]
[11:13:42] Suggestion: Install Apache mod_qos to guard webserver against Slowloris attacks [test:HTTP-6641] [details:-] [solution:-]
[11:13:42] Suggestion: Install Apache mod_spamhaus to guard webserver against spammers [test:HTTP-6642] [details:-] [solution:-]
[11:13:42] Suggestion: Install Apache modsecurity to guard webserver against web application attacks [test:HTTP-6643] [details:-] [solution:-]
[11:13:43] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372] [details:-] [solution:-]
[11:13:43] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376] [details:-] [solution:-]
[11:13:44] Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]
[11:13:44] Suggestion: Although inetd is not running, make sure no services are enabled in /etc/inetd.conf [test:INSE-8006] [details:-] [solution:-]
[11:13:44] Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
[11:13:44] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130] [details:-] [solution:-]
[11:13:44] Suggestion: Enable process accounting [test:ACCT-9622] [details:-] [solution:-]
[11:13:44] Suggestion: Enable sysstat to collect accounting (no results) [test:ACCT-9626] [details:-] [solution:-]
[11:13:44] Suggestion: Enable auditd to collect audit information [test:ACCT-9628] [details:-] [solution:-]
[11:13:45] Suggestion: Determine if automation tools are present for system management [test:TOOL-5002] [details:-] [solution:-]
[11:13:45] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000] [details:-] [solution:-]

[11:13:45] Suggestion: Harden compilers like restricting access to root user only [test:HRDN-7222] [details:-] [solution:-]

审计报告

执行审计程序以后，lynis会对其发觉进行搜集并获得其他数据点，数据会被储存在报告文件中。不过这个文件读上去比较费力，采用的是数据名=值的方法，要是一个数据有多个值，则在其后加个[]。如右图：

若是使用lynis企业版，可以形成更多的报告格式。

0x04配置文件

我们可以针对不同的操作系统、系统定位以及安全等级订制不同的配置文件。若果不通过--profile来指定配置文件的话，还会使用默认的配置文件default.prf。我们可以通过更改这个默认配置文件来满足我们的需求。

0x05插件

正常lynis控制器进行独立测试并共享输出时，插件会获取信息。随即信息会被搜集和处理，随即安全智能才能适用于数据搜集并与中心节点相关联。

lynis才能使用插件模块化支持拓展其功能。

阶段1：

阶段1是插件初始化，该插件能hook进已有的测试，搜集信息。

阶段2：

测试结束后，插件才能获取最后一次机会去完成其工作。插件也能独立使用，仅仅在阶段1执行。

启用插件

在profile里启用插件，plugin=

0x06Lynis企业版

须要订购Key。用了企业版以后可以拥有其他功能了，如插件功能，中心系统功能，订制报告功能以及安全面板功能。其用户界面是基于web的。

0x07好坏优势开源多平台才能形成告警和建议整合大量审计模块，对操作系统进行多元化审计支持模块，可以进行自定义扫描企业版有web界面劣势每位审计项都不深入，须要具体的扩充许多功能须要使用企业版，收费暂时未能体验