Arriving at work this morning I saw that FreeBuf had published a new article, http://www.freebuf.com/tools/43185.html, announcing the release of Lynis 1.6.1. It reportedly adds a new test option, --pentest, which allows a safe scan under low privileges. Compared with traditional scanners this one is quite handy, so here is a brief introduction to using it.

First, install the tool. FreeBuf gives a download link, but on Linux there is an easier way: apt-get install lynis is all it takes.

[screenshot 1]

Then we can start scanning right away with: lynis --check-all -Q. The tool scans quickly, so I always run the full scan (I strongly recommend adding the -Q flag, which is the quick-scan option); the whole run takes about 3 minutes, which is very convenient.

[screenshot 2]

When the scan finishes it produces a report for you.

[screenshot 3]

Since screenshots can only show so much, here is the complete scan report:

root@MyServer:~# lynis --check-all -Q

[ Lynis 1.4.1 ]

################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.

Copyright 2007-2014 – Michael Boelen, http://cisofy.com
Enterprise support and plugins available via CISOfy – http://cisofy.com
################################################################################

[+] Initializing program
————————————
– Detecting OS… [ DONE ]
– Clearing log file (/var/log/lynis.log)… [ DONE ]

—————————————————
Program version: 1.4.1
Operating system: Linux
Operating system name: Debian
Operating system version: Kali Linux 1.0.9
Kernel version: 2.6.32-5-686-bigmem
Hardware platform: i686
Hostname: MyServer
Auditor: [Unknown]
Profile: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /etc/lynis/plugins
—————————————————
– Checking profile file (/etc/lynis/default.prf)…
– Program update status… [ WARNING ]

===============================================================================
Notice: Lynis update available
Current version : 141 Latest version : 161
Please update to the latest version for new features, bug fixes, tests
and baselines.
===============================================================================
[+] Plugins
————————————
– Plugins enabled [ NONE ]

[+] System Tools
————————————
– Scanning available tools…
– Checking system binaries…
– Checking /bin… [ FOUND ]
– Checking /sbin… [ FOUND ]
– Checking /usr/bin… [ FOUND ]
– Checking /usr/sbin… [ FOUND ]
– Checking /usr/local/bin… [ FOUND ]
– Checking /usr/local/sbin… [ FOUND ]
– Checking /usr/local/libexec… [ NOT FOUND ]
– Checking /usr/libexec… [ NOT FOUND ]
– Checking /usr/sfw/bin… [ NOT FOUND ]
– Checking /usr/sfw/sbin… [ NOT FOUND ]
– Checking /usr/sfw/libexec… [ NOT FOUND ]
– Checking /opt/sfw/bin… [ NOT FOUND ]
– Checking /opt/sfw/sbin… [ NOT FOUND ]
– Checking /opt/sfw/libexec… [ NOT FOUND ]
– Checking /usr/xpg4/bin… [ NOT FOUND ]
– Checking /usr/css/bin… [ NOT FOUND ]
– Checking /usr/ucb… [ NOT FOUND ]
– Checking /usr/X11R6/bin… [ NOT FOUND ]

[+] Boot and services
————————————
– Checking boot loaders
– Checking presence GRUB2… [ FOUND ]
– Checking presence LILO… [ NOT FOUND ]
– Checking boot loader SILO [ NOT FOUND ]
– Checking boot loader YABOOT [ NOT FOUND ]
– Check services at startup (rc2.d)… [ DONE ]
Result: found 33 services
– Check startup files (permissions)… [ OK ]

[+] Kernel
————————————
– Checking default run level… [ 2 ]
– Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ FOUND ]
– Checking kernel version and release [ DONE ]
– Checking kernel type [ DONE ]
– Checking loaded kernel modules [ DONE ]
Found 17 active modules
– Checking Linux kernel configuration file… [ FOUND ]
– Checking for available kernel update… [ OK ]
– Checking core dumps configuration… [ DISABLED ]
– Checking setuid core dumps configuration… [ DEFAULT ]

[+] Memory and processes
————————————
– Checking /proc/meminfo… [ FOUND ]
– Searching for dead/zombie processes… [ OK ]
– Searching for IO waiting processes… [ OK ]

[+] Users, Groups and Authentication
————————————
– Search administrator accounts… [ OK ]
– Checking consistency of group files (grpck)… [ WARNING ]
– Checking non unique group ID's… [ OK ]
– Checking non unique group names… [ OK ]
– Checking password file consistency… [ WARNING ]
– Query system users (non daemons)… [ DONE ]
– Checking NIS+ authentication support [ NOT ENABLED ]
– Checking NIS authentication support [ NOT ENABLED ]
– Checking sudoers file [ FOUND ]
– Check sudoers file permissions [ OK ]
– Checking PAM password strength tools [ SUGGESTION ]
– Checking PAM configuration files (pam.conf) [ FOUND ]
– Checking PAM configuration files (pam.d) [ FOUND ]
– Checking PAM modules [ FOUND ]
– Checking LDAP module in PAM [ NOT FOUND ]
– Checking accounts without expire date [ OK ]
– Checking accounts without password [ OK ]
– Checking user password aging [ DISABLED ]
– Checking Linux single user mode authentication [ OK ]
– Determining default umask
– Checking umask (/etc/profile) [ UNKNOWN ]
– Checking umask (/etc/login.defs) [ SUGGESTION ]
– Checking umask (/etc/init.d/rc) [ SUGGESTION ]
– Checking LDAP authentication support [ NOT ENABLED ]

[+] Shells
————————————
– Checking shells from /etc/shells…
Result: found 14 shells (valid shells: 6).

[+] File systems
————————————
– Checking mount points
– Checking /home mount point… [ SUGGESTION ]
– Checking /tmp mount point… [ SUGGESTION ]
– Checking LVM volume groups… [ FOUND ]
Couldn't find device with uuid fKF6I3-JItW-QBTb-GzNn-qahC-gomL-mLROEI.
– Checking LVM volumes… [ FOUND ]
– Checking for old files in /tmp… [ OK ]
– Checking /tmp sticky bit… [ OK ]
– ACL support root file system… [ DISABLED ]
– Checking Locate database… [ FOUND ]

[+] Storage
————————————
– Checking usb-storage driver (modprobe config)… [ NOT DISABLED ]
– Checking firewire ohci driver (modprobe config)… [ NOT DISABLED ]

[+] NFS
————————————
– Query rpc registered programs… [ DONE ]
– Query NFS versions… [ DONE ]
– Query NFS protocols… [ DONE ]
– Check running NFS daemon… [ NOT FOUND ]

[+] Software: name services
————————————
– Checking default DNS search domain… [ NONE ]
– Checking search domains… [ FOUND ]
– Checking /etc/resolv.conf options… [ NONE ]
– Searching DNS domain name… [ UNKNOWN ]
– Checking nscd status… [ NOT FOUND ]
– Checking BIND status… [ NOT FOUND ]
– Checking PowerDNS status… [ NOT FOUND ]
– Checking ypbind status… [ NOT FOUND ]
– Checking /etc/hosts
– Checking /etc/hosts (duplicates) [ OK ]
– Checking /etc/hosts (hostname) [ SUGGESTION ]
– Checking /etc/hosts (localhost) [ OK ]

[+] Ports and packages
————————————
– Searching package managers…
– Searching dpkg package manager… [ FOUND ]
– Querying package manager…
– Query unpurged packages… [ FOUND ]
– Checking security repository in sources.list file… [ OK ]
– Checking vulnerable packages… [ WARNING ]
– Checking vulnerable packages… [ WARNING ]
– Checking package audit tool… [ INSTALLED ]
Found: apt-get

[+] Networking
————————————
– Checking configured nameservers…
– Testing nameservers…
Nameserver: 8.8.8.8… [ OK ]
– Minimal of 2 responsive nameservers… [ WARNING ]
– Checking default gateway… [ DONE ]
– Getting listening ports (TCP/TCP)… [ DONE ]
* Found 16 ports
– Checking promiscuous interfaces… [ OK ]
– Checking waiting connections… [ OK ]
– Checking status DHCP client… [ NOT ACTIVE ]

[+] Printers and Spools
————————————
– Checking cups daemon… [ NOT FOUND ]

[+] Software: e-mail and messaging
————————————
– Checking Exim status… [ RUNNING ]
– Checking Postfix status… [ NOT FOUND ]
– Checking Qmail smtpd status… [ NOT FOUND ]

[+] Software: firewalls
————————————
– Checking iptables kernel module [ NOT FOUND ]
Status pf [ NOT FOUND ]
– Checking host based firewall [ NOT ACTIVE ]

[+] Software: webserver
————————————
– Checking Apache (binary /usr/sbin/apache2)… [ FOUND ]
Info: Configuration file found (/etc/apache2/apache2.conf)
Info: No virtual hosts found
* Loadable modules [ FOUND ]
– Found 67 loadable modules
mod_evasive: anti-DoS/brute force [ NOT FOUND ]
mod_qos: anti-Slowloris [ NOT FOUND ]
mod_spamhaus: anti-spam (spamhaus) [ NOT FOUND ]
ModSecurity: web application firewall [ NOT FOUND ]
– Checking nginx… [ NOT FOUND ]

[+] SSH Support
————————————
– Checking running SSH daemon… [ FOUND ]
– Searching SSH configuration… [ FOUND ]
– Checking defined SSH options… [ DONE ]
– SSH option: PermitRootLogin… [ WARNING ]
– SSH option: Protocol… [ OK ]
– SSH option: StrictModes… [ OK ]
– SSH option: AllowUsers… [ NOT FOUND ]
– SSH option: AllowGroups… [ NOT FOUND ]

[+] SNMP Support
————————————
– Checking running SNMP daemon… [ FOUND ]
– Checking SNMP configuration… [ FOUND ]
– Checking SNMP community strings… [ OK ]

[+] Databases
————————————
– MySQL process status… [ FOUND ]
– Checking empty MySQL root password [ WARNING ]
– PostgreSQL processes status… [ FOUND ]
– Oracle processes status… [ NOT FOUND ]

[+] LDAP Services
————————————
– Checking OpenLDAP instance… [ NOT FOUND ]

[+] Software: PHP
————————————
– Checking PHP… [ FOUND ]
– Checking PHP disabled functions… [ NONE ]
– Checking register_globals option… [ OK ]
– Checking expose_php option… [ ON ]
– Checking enable_dl option… [ OFF ]
– Checking allow_url_fopen option… [ ON ]
– Checking allow_url_include option… [ OFF ]

[+] Squid Support
————————————
– Checking running Squid daemon… [ NOT FOUND ]

[+] Logging and files
————————————
– Checking for a running log daemon… [ OK ]
– Checking Syslog-NG status [ NOT FOUND ]
– Checking Metalog status [ NOT FOUND ]
– Checking RSyslog status [ FOUND ]
– Checking RFC 3195 daemon status [ NOT FOUND ]
– Checking minilogd instances [ NONE ]
– Checking logrotate presence [ OK ]
– Checking log directories (static list) [ DONE ]
– Checking open log files [ DONE ]
– Checking deleted files in use [ FILES FOUND ]

[+] Insecure services
————————————
– Checking inetd status… [ ACTIVE ]
– Checking inetd.conf… [ FOUND ]
– Checking inetd (telnet)… [ FOUND ]

[+] Banners and identification
————————————
– /etc/motd… [ FOUND ]
– /etc/motd permissions… [ OK ]
– /etc/motd contents… [ WEAK ]
– /etc/issue… [ FOUND ]
– /etc/issue contents… [ WEAK ]
– /etc/issue.net… [ FOUND ]
– /etc/issue.net contents… [ WEAK ]

[+] Scheduled tasks
————————————
– Checking crontab/cronjob [ DONE ]
– Checking atd status [ RUNNING ]
– Checking at users [ DONE ]
– Checking at jobs [ NONE ]

[+] Accounting
————————————
– Checking accounting information… [ NOT FOUND ]
– Checking sysstat accounting data [ DISABLED ]
– Checking auditd [ NOT FOUND ]

[+] Time and Synchronization
————————————

[+] Cryptography
————————————
– Checking SSL certificate expiration… [ OK ]

[+] Virtualization
————————————

[+] Security frameworks
————————————
– Checking presence AppArmor [ NOT FOUND ]
– Checking presence SELinux [ NOT FOUND ]
– Checking presence grsecurity [ NOT FOUND ]
– Checking for implemented MAC framework [ NONE ]

[+] Software: file integrity
————————————
– Checking file integrity tools…
– AFICK… [ NOT FOUND ]
– AIDE… [ NOT FOUND ]
– Osiris… [ NOT FOUND ]
– Samhain… [ NOT FOUND ]
– Tripwire… [ NOT FOUND ]
– OSSEC (syscheck)… [ NOT FOUND ]
– Checking presence integrity tool… [ NOT FOUND ]

[+] Software: Malware scanners
————————————
– Checking chkrootkit… [ NOT FOUND ]
– Checking Rootkit Hunter… [ NOT FOUND ]
– Checking ClamAV scanner… [ NOT FOUND ]
– Checking ClamAV daemon… [ NOT FOUND ]

[+] System Tools
————————————
– Starting file permissions check…
/etc/lilo.conf [ NOT FOUND ]
/root/.ssh [ OK ]

[+] Home directories
————————————
– Checking shell history files… [ OK ]

[+] Kernel Hardening
————————————
– Comparing sysctl key pairs with scan profile…
– kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
– kernel.ctrl-alt-del (exp: 0) [ OK ]
– kernel.sysrq (exp: 0) [ DIFFERENT ]
– net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
– net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
– net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
– net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
– net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
– net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
– net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
– net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
– net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
– net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
– net.ipv4.conf.default.accept_source_route (exp: 0) [ DIFFERENT ]
– net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
– net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
– net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
– net.ipv4.tcp_syncookies (exp: 1) [ DIFFERENT ]
– net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]
– net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
– net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
– net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
– net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

[+] Hardening
————————————
– Installed compiler(s)… [ FOUND ]
– Installed malware scanner… [ NOT FOUND ]

[+] Custom Tests
————————————
– Running custom tests… [ NONE ]

================================================================================

-[ Lynis 1.4.1 Results ]-

Tests performed: 176

Warnings:
—————————-
– Version of Lynis very outdated [test:NONE]
– grpck binary found errors in one or more group files [test:AUTH-9216]
– pwck found one or more errors/warnings in the password file [test:AUTH-9228]
– Found one or more vulnerable packages. [test:PKGS-7392]
– Couldn't find 2 responsive nameservers [test:NETW-2705]
– Root can directly login via SSH [test:SSH-7412]
– No MySQL root password set [test:DBS-1816]
– PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372]

Suggestions:
—————————-
– update to the latest stable release.
– Run grpck manually and check your group files [test:AUTH-9216]
– Run pwck manually and correct found issues. [test:AUTH-9228]
– Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
– Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
– Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
– Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
– To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310]
– To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
– Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
– Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
– Add the IP name and FQDN to /etc/hosts for proper name resolving [test:NAME-4404]
– Purge old/removed packages (4 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [test:PKGS-7346]
– Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [test:PKGS-7392]
– Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705]
– Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
– Install Apache mod_evasive to guard webserver against DoS/brute force attempts [test:HTTP-6640]
– Install Apache mod_qos to guard webserver against Slowloris attacks [test:HTTP-6641]
– Install Apache mod_spamhaus to guard webserver against spammers [test:HTTP-6642]
– Install Apache modsecurity to guard webserver against web application attacks [test:HTTP-6643]
– Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD) [test:DBS-1816]
– Harden PHP by disabling riskful functions (functions of interest: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file(), max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit(), shell_exec, show_source(), system) [test:PHP-2320]
– Change the expose_php line to: expose_php = Off [test:PHP-2372]
– Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376]
– Check what deleted files are still in use and why. [test:LOGG-2190]
– Add legal banner to /etc/motd, to warn unauthorized users [test:BANN-7122]
– Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
– Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130]
– Enable sysstat to collect accounting (disabled) [test:ACCT-9626]
– Enable auditd to collect audit information [test:ACCT-9628]
– Install a file integrity tool [test:FINT-4350]
– One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]
– Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
– Harden compilers and restrict access to world [test:HRDN-7222]
– Harden the system by installing one or malware scanners to perform periodic file system scans [test:HRDN-7230]
================================================================================
Files:
– Test and debug information : /var/log/lynis.log
– Report data : /var/log/lynis-report.dat
================================================================================
Notice: Lynis update available
Current version : 141 Latest version : 161
================================================================================
Hardening index : [51] [########## ]

Enterprise support and plugins available via CISOfy – http://cisofy.com
================================================================================
Tip: Disable all tests which are not relevant or are too strict for the
purpose of this particular machine. This will remove unwanted suggestions
and also boost the hardening index. Each test should be properly analyzed
to see if the related risks can be accepted, before disabling the test.
================================================================================
Lynis 1.4.1
Copyright 2007-2014 – Michael Boelen, http://cisofy.com
================================================================================
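As an added example (not part of the original post or of Lynis itself), the following Python script triages a saved console run like the one above: it pulls the Warnings and Suggestions out as (test id, message) pairs, reads the hardening index, and turns every sysctl key reported DIFFERENT in the Kernel Hardening section into a key = value line ready for /etc/sysctl.d/. SAMPLE_REPORT is a constructed excerpt modelled on the report above.

```python
import re

# Constructed excerpt modelled on the report above (not the full run). Bullets here
# are plain hyphens; the regexes also accept the en dash that WordPress turned them into.
SAMPLE_REPORT = """\
- Comparing sysctl key pairs with scan profile...
- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- net.ipv4.tcp_syncookies (exp: 1) [ DIFFERENT ]

Warnings:
----------------------------
- Root can directly login via SSH [test:SSH-7412]
- No MySQL root password set [test:DBS-1816]

Suggestions:
----------------------------
- update to the latest stable release.
- Install a file integrity tool [test:FINT-4350]
================================================================================
Hardening index : [51] [##########          ]
"""

# "- message [test:ID]"; the [test:...] tag is optional (some suggestions lack one).
FINDING_RE = re.compile(r"^\s*[-\u2013]\s*(.*?)\s*(?:\[test:([A-Z0-9-]+)\])?\s*$")
# "- key (exp: value) [ DIFFERENT ]" lines from the Kernel Hardening section.
SYSCTL_RE = re.compile(r"^\s*[-\u2013]\s*([a-z0-9_.\-]+)\s*\(exp:\s*(\S+)\)\s*\[\s*DIFFERENT\s*\]")
INDEX_RE = re.compile(r"Hardening index\s*:\s*\[(\d+)\]")


def parse_results(text):
    """Return warnings and suggestions as (test_id, message) pairs plus the hardening index."""
    out = {"warnings": [], "suggestions": [], "hardening_index": None}
    section = None
    for line in text.splitlines():
        if line.startswith("Warnings:"):
            section = "warnings"
        elif line.startswith("Suggestions:"):
            section = "suggestions"
        elif line.startswith("="):                 # the '=' rule closes the findings lists
            section = None
        elif (m := INDEX_RE.search(line)):
            out["hardening_index"] = int(m.group(1))
        elif section:
            m = FINDING_RE.match(line)
            if m and m.group(1).strip("-\u2013\u2014"):   # skip the dashed rule under the header
                out[section].append((m.group(2), m.group(1)))
    return out


def sysctl_remediation(text):
    """Turn every sysctl key reported DIFFERENT into a 'key = expected' line for /etc/sysctl.d/."""
    return [f"{m.group(1)} = {m.group(2)}"
            for m in map(SYSCTL_RE.match, text.splitlines()) if m]
```

Feed it a full run saved with something like lynis --check-all -Q | tee lynis-run.txt in place of SAMPLE_REPORT; review each generated sysctl line against the host's role before dropping it into /etc/sysctl.d/.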
