CentOS 7
 

Lynis : Security Audit Tool
2016/09/27
 
This page covers installing and using the security audit tool Lynis.
[1] Install Lynis.
# install from the EPEL repository

[root@dlp ~]#
yum --enablerepo=epel -y install lynis
[2] Basic usage of Lynis.
# on the first run, scan the whole system as shown below

[root@dlp ~]#
lynis audit system

.....
.....
================================================================================

  Lynis security scan details:

  Hardening index : 65 [#############       ]
  Tests performed : 200
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Lynis Modules:
  - Compliance Status      [?]
  - Security Audit         [V]
  - Vulnerability Scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

  Lynis 2.3.2

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2016, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

================================================================================

  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
[3] As shown near the end of the scan output, the report data is saved to /var/log/lynis-report.dat. Searching it for warning and suggestion lines shows the recommended actions; it is a good idea to address as many of them as possible.
[root@dlp ~]#
grep -E "^warning|^suggestion" /var/log/lynis-report.dat

suggestion[]=BOOT-5122|Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot 
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 
suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separated partit
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separated partitio
suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separated partitio
suggestion[]=STRG-1840|Disable drivers like USB storage when not used, to prevent unauthorized storage or da
suggestion[]=STRG-1846|Disable drivers like firewire storage when not used, to prevent unauthorized storage 
suggestion[]=NAME-4404|Add the IP name and FQDN to /etc/hosts for proper name resolving|-|-|
suggestion[]=PKGS-7384|Install package 'yum-utils' for better consistency checking of the package database|-
suggestion[]=NETW-3032|Consider running ARP monitoring software (arpwatch)|-|-|
warning[]=MAIL-8818|Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'|-|-|
suggestion[]=MAIL-8818|You are advised to hide the mail_name (option: smtpd_banner) from your postfix config 
suggestion[]=FIRE-4513|Check iptables rules to see which rules are currently not used|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|ClientAliveCountMax (3 --> 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|Compression (DELAYED --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|LogLevel (INFO --> VERBOSE)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 1)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxSessions (10 --> 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (22 --> )|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|TCPKeepAlive (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|UseDNS (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowAgentForwarding (YES --> NO)|-|
suggestion[]=BANN-7126|Add a legal banner to /etc/issue, to warn unauthorized users|-|-|
suggestion[]=BANN-7130|Add legal banner to /etc/issue.net, to warn unauthorized users|-|-|
suggestion[]=ACCT-9622|Enable process accounting|-|-|
suggestion[]=ACCT-9626|Enable sysstat to collect accounting (no results)|-|-|
suggestion[]=ACCT-9630|Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules|-|-
suggestion[]=TIME-3160|Some time servers missing in step-tickers file|-|-|
suggestion[]=FINT-4350|Install a file integrity tool to monitor changes to critical and sensitive files|-|-|
suggestion[]=TOOL-5002|Determine if automation tools are present for system management|-|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked|-|-|
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner, to perform periodic fil
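Going beyond the grep above, a small parser makes the report easier to work through: it separates warnings from suggestions, counts findings per test ID, and turns the SSH-7408 details into concrete option changes. The script below is an added example, not part of the page or of Lynis itself. It assumes the line layout visible in the output above, kind[]=TEST-ID|description|details|solution|, where the third and fourth fields hold details and a solution hint and "-" marks an empty field; the sample report embedded in it is constructed from the untruncated lines shown above.

```python
"""Summarise findings from a Lynis report file (/var/log/lynis-report.dat).

Assumed line layout (matches the grep output on the page):
    kind[]=TEST-ID|description|details|solution|
where kind is "warning" or "suggestion" and "-" marks an empty field.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: untruncated warning/suggestion lines taken from the
# page's output, plus one non-finding key so the parser has to skip it.
SAMPLE_REPORT = """\
lynis_version=2.3.2
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=NAME-4404|Add the IP name and FQDN to /etc/hosts for proper name resolving|-|-|
warning[]=MAIL-8818|Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 1)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (22 --> )|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (YES --> NO)|-|
suggestion[]=BANN-7126|Add a legal banner to /etc/issue, to warn unauthorized users|-|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked|-|-|
"""

FINDING_RE = re.compile(r"^(warning|suggestion)\[\]=(.*)$")


def parse_findings(report_text):
    """Return one dict per warning/suggestion line; other keys are skipped."""
    findings = []
    for line in report_text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        kind, payload = m.groups()
        fields = payload.split("|")
        # Pad so a short or truncated line cannot raise IndexError.
        fields += [""] * (4 - len(fields))
        test_id, description, details, solution = fields[:4]
        findings.append({
            "kind": kind,
            "test_id": test_id,
            "description": description,
            "details": None if details in ("", "-") else details,
            "solution": None if solution in ("", "-") else solution,
        })
    return findings


def summarize(findings):
    """Count findings per kind and per test ID (review warnings first)."""
    by_kind = Counter(f["kind"] for f in findings)
    by_test = defaultdict(list)
    for f in findings:
        by_test[f["test_id"]].append(f)
    return {
        "warnings": by_kind["warning"],
        "suggestions": by_kind["suggestion"],
        "tests": {t: len(v) for t, v in by_test.items()},
    }


SSH_DETAIL_RE = re.compile(r"^(\w+) \((.*?) --> (.*?)\)$")


def ssh_changes(findings):
    """Turn SSH-7408 details such as 'PermitRootLogin (YES --> NO)' into
    (option, current, recommended) tuples. For Port the report leaves the
    recommended value empty (it only suggests moving off 22), so that
    becomes None and the administrator has to pick a value."""
    changes = []
    for f in findings:
        if f["test_id"] != "SSH-7408" or not f["details"]:
            continue
        m = SSH_DETAIL_RE.match(f["details"])
        if not m:
            continue
        option, current, recommended = m.groups()
        changes.append((option, current, recommended or None))
    return changes


if __name__ == "__main__":
    # Replace SAMPLE_REPORT with open("/var/log/lynis-report.dat").read()
    # to run this against a real scan.
    found = parse_findings(SAMPLE_REPORT)
    print(summarize(found))
    for opt, cur, rec in ssh_changes(found):
        print(f"{opt}: {cur} -> {rec or '(choose a value)'}")
```

The per-test counts are useful because one test ID (AUTH-9286, SSH-7408, FILE-6310) often produces several lines; fixing the underlying setting once usually clears all of them on the next `lynis audit system` run, which is the natural way to verify the change.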
 