How to scan Linux security with Lynis

Published: 2025-01-19 Author: 千家信息网 editor

This article describes how to use Lynis to scan the security of a Linux system in considerable detail; interested readers can use it as a reference, and I hope it helps.

Lynis is a very popular open-source security auditing tool that can harden Linux- and Unix-based systems and automatically generates a report on the machine's security.

Install Lynis

Your Linux software repository probably carries Lynis. If so, you can install it with one of the following:

    dnf install lynis

    apt install lynis

However, if the version in your repository is not the latest, you are better off installing it from GitHub. (I am using a Red Hat Linux system, but you can run it on any Linux distribution.) As with any tool, it makes sense to try it on a virtual machine first. To install it from GitHub:

    $ cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 7.8 (Maipo)
    $
    $ uname -r
    3.10.0-1127.el7.x86_64
    $
    $ git clone https://github.com/CISOfy/lynis.git
    Cloning into 'lynis'...
    remote: Enumerating objects: 30, done.
    remote: Counting objects: 100% (30/30), done.
    remote: Compressing objects: 100% (30/30), done.
    remote: Total 12566 (delta 15), reused 8 (delta 0), pack-reused 12536
    Receiving objects: 100% (12566/12566), 6.36 MiB | 911.00 KiB/s, done.
    Resolving deltas: 100% (9264/9264), done.
    $

Once you have cloned the repository, change into that directory and see what is available. The main tool is in a file called lynis. It is actually a shell script, so you can open it and read what it does. In fact, Lynis is implemented mostly in shell script:

    $ cd lynis/
    $ ls
    CHANGELOG.md CONTRIBUTING.md db developer.prf FAQ include LICENSE lynis.8 README SECURITY.md
    CODE_OF_CONDUCT.md CONTRIBUTORS.md default.prf extras HAPPY_USERS.md INSTALL lynis plugins README.md
    $
    $ file lynis
    lynis: POSIX shell script, ASCII text executable, with very long lines
    $

Run Lynis

Pass Lynis the -h option to view the help section and get an overview:

    $ ./lynis -h

You will see a short information screen, followed by all the subcommands Lynis supports.

Next, try a few test commands to get a general feel for it. To see which version of Lynis you are using, run:

    $ ./lynis show version
    3.0.0
    $

To see all the commands available in Lynis:

    $ ./lynis show commands

    Commands:
    lynis audit
    lynis configure
    lynis generate
    lynis show
    lynis update
    lynis upload-only

    $

Audit a Linux system

To audit your system's security posture, run:

    $ ./lynis audit system

This command runs quickly and returns a detailed report. The output may look intimidating at first, but I will walk you through reading it below. The command's output is also saved to a log file, so you can go back at any time and check anything that catches your interest.

Lynis saves its logs here:

    Files:
    - Test and debug information : /var/log/lynis.log
    - Report data : /var/log/lynis-report.dat

You can verify that the log files were created. They were:

    $ ls -l /var/log/lynis.log
    -rw-r-----. 1 root root 341489 Apr 30 05:52 /var/log/lynis.log
    $
    $ ls -l /var/log/lynis-report.dat
    -rw-r-----. 1 root root 638 Apr 30 05:55 /var/log/lynis-report.dat
    $

Explore the report

Lynis produces a fairly comprehensive report, so I will cover some of the important sections. As part of its initialization, the first thing Lynis does is gather complete information about the operating system running on the machine. It then checks which system tools and plugins are installed:

    [+] Initializing program
    ------------------------------------
    - Detecting OS... [ DONE ]
    - Checking profiles... [ DONE ]

    ---------------------------------------------------
    Program version: 3.0.0
    Operating system: Linux
    Operating system name: Red Hat Enterprise Linux Server 7.8 (Maipo)
    Operating system version: 7.8
    Kernel version: 3.10.0
    Hardware platform: x86_64
    Hostname: example
    ---------------------------------------------------

    [+] System Tools
    ------------------------------------
    - Scanning available tools...
    - Checking system binaries...

    [+] Plugins (phase 1)
    ------------------------------------
    Note: plugins have more extensive tests and may take several minutes to complete

    - Plugin: pam
    [..]
    - Plugin: systemd
    [................]

Next, the report is divided into sections, each beginning with a [+] symbol. Some of the sections are shown below. (Wow, there is so much to audit; Lynis is the right tool for the job!)

    [+] Boot and services
    [+] Kernel
    [+] Memory and Processes
    [+] Users, Groups and Authentication
    [+] Shells
    [+] File systems
    [+] USB Devices
    [+] Storage
    [+] NFS
    [+] Name services
    [+] Ports and packages
    [+] Networking
    [+] Printers and Spools
    [+] Software: e-mail and messaging
    [+] Software: firewalls
    [+] Software: webserver
    [+] SSH Support
    [+] SNMP Support
    [+] Databases
    [+] LDAP Services
    [+] PHP
    [+] Squid Support
    [+] Logging and files
    [+] Insecure services
    [+] Banners and identification
    [+] Scheduled tasks
    [+] Accounting
    [+] Time and Synchronization
    [+] Cryptography
    [+] Virtualization
    [+] Containers
    [+] Security frameworks
    [+] Software: file integrity
    [+] Software: System tooling
    [+] Software: Malware
    [+] File Permissions
    [+] Home directories
    [+] Kernel Hardening
    [+] Hardening
    [+] Custom tests

Lynis uses color coding to make the report easier to interpret.

  • Green: everything is fine

  • Yellow: skipped, not found, or there may be a suggestion

  • Red: you may need to look at this closely

In my case, most of the red marks were in the "Kernel Hardening" section. The kernel has many tunable settings that define how it behaves, and some of those tunables have security implications. Distributions may leave them unset by default for various reasons, but you should check each one and decide whether to change its value according to your security posture:

    [+] Kernel Hardening
    ------------------------------------
    - Comparing sysctl key pairs with scan profile
    - fs.protected_hardlinks (exp: 1) [ OK ]
    - fs.protected_symlinks (exp: 1) [ OK ]
    - fs.suid_dumpable (exp: 0) [ OK ]
    - kernel.core_uses_pid (exp: 1) [ OK ]
    - kernel.ctrl-alt-del (exp: 0) [ OK ]
    - kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
    - kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
    - kernel.randomize_va_space (exp: 2) [ OK ]
    - kernel.sysrq (exp: 0) [ DIFFERENT ]
    - kernel.yama.ptrace_scope (exp: 1 2 3) [ DIFFERENT ]
    - net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
    - net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
    - net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1) [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
    - net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
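The "Comparing sysctl key pairs with scan profile" step above is easy to reproduce for a baseline of your own, which helps when you want to understand exactly why a key came back DIFFERENT. The following POSIX shell script is an added example, not the article's or Lynis's own code: it compares a constructed profile of some of the keys listed above (a key followed by the accepted values, several values separated by spaces as in "kernel.yama.ptrace_scope (exp: 1 2 3)") against the running kernel's values read from /proc/sys and prints each key in the report's OK / DIFFERENT style. The PROFILE contents and the function names sysctl_matches, read_sysctl and audit_sysctl are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article or from Lynis): a minimal version of the
# "Comparing sysctl key pairs with scan profile" check.

# Return 0 (OK) when CURRENT equals one of the space-separated values in
# EXPECTED, 1 (DIFFERENT) otherwise.  Usage: sysctl_matches "EXPECTED..." CURRENT
sysctl_matches() {
    expected=$1
    current=$2
    for want in $expected; do
        [ "$current" = "$want" ] && return 0
    done
    return 1
}

# Read the live value of a sysctl key from /proc/sys (dots become slashes).
# Prints "-" when the key does not exist on this kernel, so a missing key is
# reported as DIFFERENT rather than silently passing.
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        printf '%s\n' -
    fi
}

# Constructed profile: a subset of the keys in the article's Kernel Hardening
# output, with the values Lynis expected for them.
PROFILE='
fs.protected_hardlinks 1
fs.protected_symlinks 1
fs.suid_dumpable 0
kernel.dmesg_restrict 1
kernel.kptr_restrict 2
kernel.randomize_va_space 2
kernel.yama.ptrace_scope 1 2 3
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_timestamps 0 1
'

# Walk the profile and print one line per key in the report's style.
audit_sysctl() {
    printf '%s\n' "$PROFILE" | while read -r key expected; do
        [ -n "$key" ] || continue
        current=$(read_sysctl "$key")
        if sysctl_matches "$expected" "$current"; then
            status=OK
        else
            status=DIFFERENT
        fi
        printf '  - %s (exp: %s) [ %s ]  (current: %s)\n' "$key" "$expected" "$status" "$current"
    done
}

audit_sysctl
```

Run it as an unprivileged user: /proc/sys is world-readable for these keys, so no root is needed to compare. Changing a value is a separate decision (sysctl -w, or a drop-in under /etc/sysctl.d/ to make it persistent) and should follow the review the article recommends for each key.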

Take SSH as an example, since it is a critical area to keep secure. There is nothing red here, but Lynis makes many suggestions for hardening the SSH service in my environment:

    [+] SSH Support
    ------------------------------------
    - Checking running SSH daemon [ FOUND ]
    - Searching SSH configuration [ FOUND ]
    - OpenSSH option: AllowTcpForwarding [ SUGGESTION ]
    - OpenSSH option: ClientAliveCountMax [ SUGGESTION ]
    - OpenSSH option: ClientAliveInterval [ OK ]
    - OpenSSH option: Compression [ SUGGESTION ]
    - OpenSSH option: FingerprintHash [ OK ]
    - OpenSSH option: GatewayPorts [ OK ]
    - OpenSSH option: IgnoreRhosts [ OK ]
    - OpenSSH option: LoginGraceTime [ OK ]
    - OpenSSH option: LogLevel [ SUGGESTION ]
    - OpenSSH option: MaxAuthTries [ SUGGESTION ]
    - OpenSSH option: MaxSessions [ SUGGESTION ]
    - OpenSSH option: PermitRootLogin [ SUGGESTION ]
    - OpenSSH option: PermitUserEnvironment [ OK ]
    - OpenSSH option: PermitTunnel [ OK ]
    - OpenSSH option: Port [ SUGGESTION ]
    - OpenSSH option: PrintLastLog [ OK ]
    - OpenSSH option: StrictModes [ OK ]
    - OpenSSH option: TCPKeepAlive [ SUGGESTION ]
    - OpenSSH option: UseDNS [ SUGGESTION ]
    - OpenSSH option: X11Forwarding [ SUGGESTION ]
    - OpenSSH option: AllowAgentForwarding [ SUGGESTION ]
    - OpenSSH option: UsePrivilegeSeparation [ OK ]
    - OpenSSH option: AllowUsers [ NOT FOUND ]
    - OpenSSH option: AllowGroups [ NOT FOUND ]

I have no virtual machines or containers running on my system, so these sections come back empty:

    [+] Virtualization
    ------------------------------------

    [+] Containers
    ------------------------------------

Lynis checks the file permissions of a number of files that matter from a security standpoint:

    [+] File Permissions
    ------------------------------------
    - Starting file permissions check
    File: /boot/grub2/grub.cfg [ SUGGESTION ]
    File: /etc/cron.deny [ OK ]
    File: /etc/crontab [ SUGGESTION ]
    File: /etc/group [ OK ]
    File: /etc/group- [ OK ]
    File: /etc/hosts.allow [ OK ]
    File: /etc/hosts.deny [ OK ]
    File: /etc/issue [ OK ]
    File: /etc/issue.net [ OK ]
    File: /etc/motd [ OK ]
    File: /etc/passwd [ OK ]
    File: /etc/passwd- [ OK ]
    File: /etc/ssh/sshd_config [ OK ]
    Directory: /root/.ssh [ SUGGESTION ]
    Directory: /etc/cron.d [ SUGGESTION ]
    Directory: /etc/cron.daily [ SUGGESTION ]
    Directory: /etc/cron.hourly [ SUGGESTION ]
    Directory: /etc/cron.weekly [ SUGGESTION ]
    Directory: /etc/cron.monthly [ SUGGESTION ]
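To see what a file-permission check like the one above actually decides, here is an added example in POSIX shell; it is not code from the article or from Lynis. mode_within tests whether an octal mode grants any permission bit beyond a baseline (so 640 is within 644, but 644 is not within 600), and check_perm applies it to a path, reading the live mode with stat -c %a (GNU coreutils or BusyBox stat, an assumption). The demo creates a file and a directory under a temporary directory with constructed modes, so it runs without touching /etc; the baseline modes in it are this example's own choices, not values taken from Lynis.

```shell
#!/bin/sh
# Added example (not from the article or from Lynis): a permission check in the
# spirit of the report's "File Permissions" section.

# Return 0 when octal MODE grants no permission bit beyond octal MAXMODE,
# 1 otherwise.  The leading 0 makes the shell treat both as octal.
# Usage: mode_within MODE MAXMODE   (e.g. mode_within 600 640 -> 0)
mode_within() {
    excess=$(( 0$1 & ~0$2 ))
    [ "$excess" -eq 0 ]
}

# Print one report-style line for PATH against MAXMODE.  Returns 1 when the
# path is more permissive than the baseline, 0 when it is fine or absent.
check_perm() {
    path=$1
    maxmode=$2
    if [ ! -e "$path" ]; then
        printf '  %s [ NOT FOUND ]\n' "$path"
        return 0
    fi
    if [ -d "$path" ]; then kind=Directory; else kind=File; fi
    mode=$(stat -c %a "$path")   # assumption: GNU/BusyBox stat
    if mode_within "$mode" "$maxmode"; then
        printf '  %s: %s (%s, max %s) [ OK ]\n' "$kind" "$path" "$mode" "$maxmode"
        return 0
    fi
    printf '  %s: %s (%s, max %s) [ SUGGESTION ]\n' "$kind" "$path" "$mode" "$maxmode"
    return 1
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
touch "$demo_dir/crontab"
mkdir "$demo_dir/cron.d"
chmod 644 "$demo_dir/crontab"   # constructed: world-readable, exceeds a 600 baseline
chmod 700 "$demo_dir/cron.d"    # constructed: within a 700 baseline

# Baseline list: "path maxmode" per line (constructed for the demo).
while read -r path maxmode; do
    if [ -n "$path" ]; then
        check_perm "$path" "$maxmode" || :
    fi
done <<EOF
$demo_dir/crontab 600
$demo_dir/cron.d 700
$demo_dir/missing 600
EOF

rm -rf "$demo_dir"
```

Pointed at real paths such as /etc/crontab or /etc/cron.d, the loop needs only read access to the directory entries (stat does not open the file), so it can run unprivileged; the decision about which baseline each file should meet is yours, which is why the example takes the baseline as data rather than hard-coding it.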

At the bottom of the report, Lynis makes suggestions based on its findings. Each suggestion is followed by a TEST-ID (keep these handy for the next section).

    Suggestions (47):
    ----------------------------
    * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
    https://cisofy.com/lynis/controls/KRNL-5820/

    * Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]
    https://cisofy.com/lynis/controls/AUTH-9229/

Lynis provides a way to look up more information about each suggestion, which you reach with the show details command and the TEST-ID:

    ./lynis show details TEST-ID

This shows the additional information for that test. For example, I looked at the details of SSH-7408:

    $ ./lynis show details SSH-7408
    2020-04-30 05:52:23 Performing test ID SSH-7408 (Check SSH specific defined options)
    2020-04-30 05:52:23 Test: Checking specific defined options in /tmp/lynis.k8JwazmKc6
    2020-04-30 05:52:23 Result: added additional options for OpenSSH < 7.5
    2020-04-30 05:52:23 Test: Checking AllowTcpForwarding in /tmp/lynis.k8JwazmKc6
    2020-04-30 05:52:23 Result: Option AllowTcpForwarding found
    2020-04-30 05:52:23 Result: Option AllowTcpForwarding value is YES
    2020-04-30 05:52:23 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed
    2020-04-30 05:52:23 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]
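Because every Suggestion line in /var/log/lynis.log carries its TEST-ID and details in the bracketed form shown above, the log can be turned into a triage list without running the audit again. The script below is an added example, not part of the article or of Lynis: suggestions_to_tsv extracts TEST-ID, details and message from such lines, and count_by_area totals them per TEST-ID prefix (SSH, KRNL and so on) so you can see where the findings cluster. The SAMPLE_LOG lines are constructed in the format shown above; only the first Suggestion line is taken verbatim from the article, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or from Lynis): parse the "Suggestion:"
# lines Lynis writes to its log into a tab-separated triage list.

# Read log lines on stdin.  For each "Suggestion:" line print
#   TEST-ID <TAB> details <TAB> message
# Lines without a [test:...] tag are skipped; a missing [details:...] becomes "-".
suggestions_to_tsv() {
    awk '
        /Suggestion: / {
            line = $0
            sub(/^.*Suggestion: /, "", line)
            # [test:SSH-7408] -> SSH-7408 (strip "[test:" and the closing bracket)
            if (match(line, /\[test:[^]]*\]/)) {
                id = substr(line, RSTART + 6, RLENGTH - 7)
            } else next
            # [details:AllowTcpForwarding (set YES to NO)] -> the text inside
            if (match(line, /\[details:[^]]*\]/)) {
                det = substr(line, RSTART + 9, RLENGTH - 10)
            } else det = "-"
            msg = line
            sub(/ \[test:.*$/, "", msg)
            printf "%s\t%s\t%s\n", id, det, msg
        }'
}

# Read the TSV on stdin and print "AREA count" per TEST-ID prefix, sorted.
count_by_area() {
    awk -F '\t' '{ split($1, p, "-"); n[p[1]]++ }
                 END { for (a in n) printf "%s %d\n", a, n[a] }' | sort
}

# Constructed sample log: the first Suggestion line is the one shown in the
# article for SSH-7408; the others follow the same format but are made up.
SAMPLE_LOG='2020-04-30 05:52:23 Result: Option AllowTcpForwarding value is YES
2020-04-30 05:52:23 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]
2020-04-30 05:52:23 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:X11Forwarding (set YES to NO)] [solution:-]
2020-04-30 05:52:24 Suggestion: If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [test:KRNL-5820] [details:-] [solution:-]'

printf '%s\n' "$SAMPLE_LOG" | suggestions_to_tsv
printf '%s\n' "$SAMPLE_LOG" | suggestions_to_tsv | count_by_area
```

On a real host the log is mode 640 and owned by root (see the ls -l output earlier), so run it as root, for example suggestions_to_tsv < /var/log/lynis.log; the TEST-ID in the first column is exactly what ./lynis show details expects.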

What is a Linux system

Linux is a free and freely distributable Unix-like operating system: a POSIX-based multi-user, multitasking system that supports multithreading and multiple CPUs, on which you can run the main Unix tools, applications and network protocols.

That is all on how to scan Linux security with Lynis. I hope the above is of some help and that you learned something from it. If you found the article useful, share it so that more people can see it.