Lynis : Security Audit 2024/06/19
Installation and configuration of the security audit tool Lynis.
[1] Install Lynis.
root@dlp:~# apt -y install lynis
[2] Basic usage of Lynis.
# On the first run, scan the system with the following command
root@dlp:~# lynis audit system

[ Lynis 3.0.9 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2021, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Checking profiles...                                      [ DONE ]

  ---------------------------------------------------
  Program version:           3.0.9
  Operating system:          Linux
  Operating system name:     Ubuntu
  Operating system version:  24.04
  Kernel version:            6.8.0
  Hardware platform:         x86_64
  Hostname:                  dlp
  ---------------------------------------------------
  Profiles:                  /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /etc/lynis/plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Language:                  en
  Test category:             all
  Test group:                all
  ---------------------------------------------------
  - Program update status...                                  [ NO UPDATE ]

[+] System tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
 Note: plugins have more extensive tests and may take several minutes to complete

  - Plugin: debian
    [
[+] Debian Tests
------------------------------------
  - Checking for system binaries that are required by Debian Tests...
    - Checking /bin...                                        [ FOUND ]
    - Checking /sbin...                                       [ FOUND ]
    - Checking /usr/bin...                                    [ FOUND ]
    - Checking /usr/sbin...                                   [ FOUND ]
    - Checking /usr/local/bin...                              [ FOUND ]
    - Checking /usr/local/sbin...                             [ FOUND ]
  - Authentication:
    - PAM (Pluggable Authentication Modules):
      - libpam-tmpdir                                         [ Not Installed ]
  - File System Checks:
    - DM-Crypt, Cryptsetup & Cryptmount:
      - Checking / on /dev/vda3                               [ NOT ENCRYPTED ]
      - Checking /boot on /dev/vda2                           [ NOT ENCRYPTED ]
  - Software:
    - apt-listbugs                                            [ Not Installed ]
    - apt-listchanges                                         [ Not Installed ]
    - needrestart                                             [ Installed ]
    - fail2ban                                                [ Not Installed ]
    ]

.....
.....

================================================================================

  Lynis security scan details:

  Hardening index : 63 [############        ]
  Tests performed : 257
  Plugins enabled : 1

  Components:
  - Firewall               [V]
  - Malware scanner        [V]

  Scan mode:
  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

  Lynis 3.0.9
  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2021, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

================================================================================

  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
[3] As shown near the end of the scan output, the report is saved in [/var/log/lynis-report.dat]. Searching it for [warning] and [suggestion] lists the recommended actions, so it is a good idea to address them as far as possible.
root@dlp:~# grep -E "^warning|^suggestion" /var/log/lynis-report.dat
suggestion[]=LYNIS|This release is more than 4 months old. Check the website or GitHub to see if there is an update available.|-|-|
suggestion[]=DEB-0280|Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions|-|-|
suggestion[]=DEB-0810|Install apt-listbugs to display a list of critical bugs prior to each APT installation.|-|-|
suggestion[]=DEB-0811|Install apt-listchanges to display any significant changes prior to any upgrade via APT.|-|-|
suggestion[]=DEB-0880|Install fail2ban to automatically ban hosts that commit multiple authentication errors.|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)|-|-|
suggestion[]=BOOT-5264|Consider hardening system services|Run '/usr/bin/systemd-analyze security SERVICE' for each service|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|
suggestion[]=AUTH-9230|Configure password hashing rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separate partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separate partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separate partition|-|-|
suggestion[]=USB-1000|Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft|-|-|
suggestion[]=NAME-4404|Add the IP name and FQDN to /etc/hosts for proper name resolving|-|-|
suggestion[]=PKGS-7370|Install debsums utility for the verification of packages with known good database.|-|-|
suggestion[]=PKGS-7394|Install package apt-show-versions for patch management purposes|-|-|
suggestion[]=NETW-3200|Determine if protocol 'dccp' is really needed on this system|-|-|
suggestion[]=NETW-3200|Determine if protocol 'sctp' is really needed on this system|-|-|
suggestion[]=NETW-3200|Determine if protocol 'rds' is really needed on this system|-|-|
suggestion[]=NETW-3200|Determine if protocol 'tipc' is really needed on this system|-|-|
warning[]=MAIL-8818|Found some information disclosure in SMTP banner (OS or software name)|-|-|
suggestion[]=MAIL-8818|You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf)|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=LOGG-2154|Enable logging to an external logging host for archiving purposes and additional protection|-|-|
suggestion[]=BANN-7126|Add a legal banner to /etc/issue, to warn unauthorized users|-|-|
suggestion[]=BANN-7130|Add legal banner to /etc/issue.net, to warn unauthorized users|-|-|
suggestion[]=ACCT-9622|Enable process accounting|-|-|
suggestion[]=ACCT-9626|Enable sysstat to collect accounting (disabled)|-|-|
suggestion[]=ACCT-9628|Enable auditd to collect audit information|-|-|
suggestion[]=FINT-4350|Install a file integrity tool to monitor changes to critical and sensitive files|-|-|
suggestion[]=TOOL-5002|Determine if automation tools are present for system management|-|-|
suggestion[]=FILE-7524|Consider restricting file permissions|See screen output or log file|text:Use chmod to change file permissions|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked||Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)|
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
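The grep above only lists the raw records. As an added example that is not part of the original page or of Lynis itself, the POSIX shell helper below splits the warning[]/suggestion[] records of lynis-report.dat into their pipe-separated fields (test ID, description, details, solution) and prints the warnings before the suggestions; the sample report it runs on is constructed from records shown above.

```shell
#!/bin/sh
# Added example, not from the original page: summarise lynis-report.dat by
# splitting its warning[]/suggestion[] records into pipe-separated fields.
# Record layout as shown in the report above:
#   kind[]=TEST-ID|description|details|solution|

# Print "TEST-ID<TAB>description<TAB>details" for each record of one kind.
# $1 = warning or suggestion, $2 = path of the report file.
lynis_findings() {
    kind="$1"; report="$2"
    grep "^${kind}\[\]=" "$report" | awk -F'|' '{
        id = substr($1, index($1, "=") + 1)       # drop the "kind[]=" prefix
        detail = ($3 == "-") ? "" : $3            # "-" means "no details"
        printf "%s\t%s\t%s\n", id, $2, detail
    }'
}

# Number of records of one kind (0 when the report has none).
lynis_count() {
    lynis_findings "$1" "$2" | wc -l | tr -d ' '
}

# Warnings first, then suggestions, each group preceded by its count.
lynis_summary() {
    printf 'warnings: %s\n' "$(lynis_count warning "$1")"
    lynis_findings warning "$1"
    printf 'suggestions: %s\n' "$(lynis_count suggestion "$1")"
    lynis_findings suggestion "$1"
}

# Constructed sample report, built from records shown in the article above.
SAMPLE_REPORT="$(mktemp)"
cat > "$SAMPLE_REPORT" <<'EOF'
lynis_version=3.0.9
warning[]=MAIL-8818|Found some information disclosure in SMTP banner (OS or software name)|-|-|
suggestion[]=MAIL-8818|You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration.|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=BOOT-5264|Consider hardening system services|Run '/usr/bin/systemd-analyze security SERVICE' for each service|-|
suggestion[]=FILE-7524|Consider restricting file permissions|See screen output or log file|text:Use chmod to change file permissions|
EOF

lynis_summary "$SAMPLE_REPORT"
```

On a real host run `lynis_summary /var/log/lynis-report.dat`; each test ID can then be looked up with `lynis show details TEST-ID`.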