FreeBSD 14
Sponsored Link

Lynis : セキュリティ監査2024/09/09

 

セキュリティ監査ツール Lynis のインストールと設定です。

[1] Lynis をインストールします。
root@dlp:~ #
pkg install -y lynis
[2] Lynis の主な利用方法です。
# 初回実行時は以下のように指定してシステムをスキャン

root@dlp:~ #
lynis audit system


[ Lynis 3.1.1 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2021, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################


[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Checking profiles...                                      [ DONE ]

  ---------------------------------------------------
  Program version:           3.1.1
  Operating system:          FreeBSD
  Operating system name:     FreeBSD
  Operating system version:  14.1-RELEASE
  Kernel version:            GENERIC
  Hardware platform:         amd64
  Hostname:                  dlp
  ---------------------------------------------------
  Profiles:                  /usr/local/etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /usr/local/share/lynis/plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Language:                  en
  Test category:             all
  Test group:                all
  ---------------------------------------------------
  - Program update status...                                  [ NO UPDATE ]

[+] System tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
usage: grep [-abcDEFGHhIiLlmnOopqRSsUVvwxz] [-A num] [-B num] [-C num]
        [-e pattern] [-f file] [--binary-files=value] [--color=when]
        [--context=num] [--directories=action] [--label] [--line-buffered]
        [--null] [pattern] [file ...]

[+] Plugins (phase 1)
------------------------------------
 Note: plugins have more extensive tests and may take several minutes to complete

  - Plugins enabled                                           [ NONE ]

[+] Boot and services
------------------------------------
  - Service Manager                                           [ bsdrc ]
  - Checking presence FreeBSD loader                          [ FOUND ]
  - Checking services at startup (service/rc.conf)            [ DONE ]
      Result: found 30 services/options set

[+] Kernel
------------------------------------
  - Checking active kernel modules
    Found 9 kernel modules                                    [ DONE ]

.....
.....

================================================================================

  Lynis security scan details:

  Hardening index : 61 [############        ]
  Tests performed : 192
  Plugins enabled : 0

  Components:
  - Firewall               [X]
  - Malware scanner        [V]

  Scan mode:
  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

  Lynis 3.1.1

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2021, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

================================================================================

  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /usr/local/etc/lynis/default.prf for all settings)
[3] レポートはチェック結果の最後の方に示されている通り、[/var/log/lynis-report.dat[ に保存されています。
[warning] や [suggestion] で検索すると、推奨される対応が確認できますので、可能な限り対応しておいた方がよいでしょう。
root@dlp:~ #
grep -E "^warning|^suggestion" /var/log/lynis-report.dat

suggestion[]=LYNIS|This release is more than 4 months old. Check the website or GitHub to see if there is an update available.|-|-|
warning[]=AUTH-9204|Multiple users with UID 0 found in passwd file|-|-|
warning[]=AUTH-9208|Multiple accounts found with same UID|-|-|
suggestion[]=AUTH-9218|Determine if account is needed, as shell /usr/local/libexec/uucp/uucico does not exist|-|-|
suggestion[]=AUTH-9328|Umask in /etc/login.conf could be more strict like 027|-|-|
warning[]=SHLL-6202|Found unprotected console in /etc/ttys|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separate partition|-|-|
suggestion[]=NAME-4404|Add the IP name and FQDN to /etc/hosts for proper name resolving|-|-|
warning[]=PKGS-7381|No vulnerability database available|pkg audit|text:Run pkg audit -F|
suggestion[]=FIRE-4590|Configure a firewall/packet filter to filter incoming and outgoing traffic|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|ClientAliveCountMax (set 3 to 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|LogLevel (set INFO to VERBOSE)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxSessions (set 10 to 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (set 22 to )|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|TCPKeepAlive (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|UseDNS (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowAgentForwarding (set YES to NO)|-|
suggestion[]=LOGG-2154|Enable logging to an external logging host for archiving purposes and additional protection|-|-|
suggestion[]=ACCT-2754|Enable process accounting|-|-|
suggestion[]=TIME-3104|Use NTP daemon or NTP client to prevent time issues.|-|-|
warning[]=FINT-4316|No AIDE database was found, needed for AIDE functionality|-|-|
suggestion[]=FINT-4402|Use SHA256 or SHA512 to create checksums in AIDE|-|-|
suggestion[]=TOOL-5002|Determine if automation tools are present for system management|-|-|
suggestion[]=FILE-7524|Consider restricting file permissions|See screen output or log file|text:Use chmod to change file permissions|
suggestion[]=HOME-9304|Double check the permissions of home directories as some might be not strict enough.|-|-|
suggestion[]=HOME-9306|Double check the ownership of home directories as some might be incorrect.|-|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked||Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)|
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
関連コンテンツ