Lynis : セキュリティ監査ツール2016/09/27 |
セキュリティ監査ツール Lynis のインストールと設定です。
|
|
[1] | Lynis をインストールします。 |
# EPEL からインストール [root@dlp ~]# yum --enablerepo=epel -y install lynis
|
[2] | Lynis の主な利用方法です。 |
# 初回実行時は以下のように指定してシステムをスキャン [root@dlp ~]# lynis audit system ..... ..... ================================================================================ Lynis security scan details: Hardening index : 65 [############# ] Tests performed : 200 Plugins enabled : 0 Components: - Firewall [V] - Malware scanner [X] Lynis Modules: - Compliance Status [?] - Security Audit [V] - Vulnerability Scan [V] Files: - Test and debug information : /var/log/lynis.log - Report data : /var/log/lynis-report.dat ================================================================================ Lynis 2.3.2 Auditing, system hardening, and compliance for UNIX-based systems (Linux, macOS, BSD, and others) 2007-2016, CISOfy - https://cisofy.com/lynis/ Enterprise support available (compliance, plugins, interface and tools) ================================================================================ [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings) |
[3] | レポートはチェック結果の最後の方に示されている通り、/var/log/lynis-report.dat に保存されています。warning や suggestion で検索すると、推奨される対応が確認できますので、可能な限り対応しておいた方がよいでしょう。 |
[root@dlp ~]# grep -E "^warning|^suggestion" /var/log/lynis-report.dat suggestion[]=BOOT-5122|Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-| suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-| suggestion[]=AUTH-9328|Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separated partit suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separated partitio suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separated partitio suggestion[]=STRG-1840|Disable drivers like USB storage when not used, to prevent unauthorized storage or da suggestion[]=STRG-1846|Disable drivers like firewire storage when not used, to prevent unauthorized storage suggestion[]=NAME-4404|Add the IP name and FQDN to /etc/hosts for proper name resolving|-|-| suggestion[]=PKGS-7384|Install package 'yum-utils' for better consistency checking of the package database|- suggestion[]=NETW-3032|Consider running ARP monitoring software (arpwatch)|-|-| warning[]=MAIL-8818|Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'|-|-| suggestion[]=MAIL-8818|You are advised to hide the mail_name (option: smtpd_banner) from your postfix config suggestion[]=FIRE-4513|Check iptables rules to see which rules are currently not used|-|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (YES --> NO)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|ClientAliveCountMax (3 --> 2)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|Compression (DELAYED --> NO)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|LogLevel (INFO --> VERBOSE)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 1)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxSessions (10 --> 2)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (22 --> )|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|TCPKeepAlive (YES --> NO)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|UseDNS (YES --> NO)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (YES --> NO)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowAgentForwarding (YES --> NO)|-| suggestion[]=BANN-7126|Add a legal banner to /etc/issue, to warn unauthorized users|-|-| suggestion[]=BANN-7130|Add legal banner to /etc/issue.net, to warn unauthorized users|-|-| suggestion[]=ACCT-9622|Enable process accounting|-|-| suggestion[]=ACCT-9626|Enable sysstat to collect accounting (no results)|-|-| suggestion[]=ACCT-9630|Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules|-|- suggestion[]=TIME-3160|Some time servers missing in step-tickers file|-|-| suggestion[]=FINT-4350|Install a file integrity tool to monitor changes to critical and sensitive files|-|-| suggestion[]=TOOL-5002|Determine if automation tools are present for system management|-|-| suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked|-|-| suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-| suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner, to perform periodic fil |
Sponsored Link |
|