Lynis: Howto
Intro
Lynis is a host-based, open-source security auditing application that can evaluate the security profile and posture of Linux and other UNIX-like operating systems.
In this tutorial, you will install Lynis and use it to perform a security audit of your Ubuntu 16.04 server. You will then explore the results of a sample audit, and configure Lynis to skip tests that do not apply to your needs.
Lynis will not perform any system hardening automatically. It will, however, offer suggestions that show you how you can harden the system yourself. It therefore helps if you have a basic knowledge of Linux system security. You should also be familiar with the services running on the machine you intend to audit, such as web servers, databases, and other services that Lynis may scan by default. This will help you identify results that you can safely ignore.
Note: Performing a security audit takes time and patience. You may want to take the time to read the entire article once before installing Lynis and using it to audit your server.
Prerequisites
To follow this article, you will need:
- One Ubuntu 16.04 server
- A user with sudo privileges
- A firewall
Step 1 — Install Lynis on the Server
There are several ways to install Lynis. You can compile it from source, download and copy the binary to an appropriate location on the system, or you can install it using the package manager. Using the package manager is the easiest way to install Lynis and keep it updated, so that is the method we will use.
However, on Ubuntu 16.04, the version available from the repositories is not the latest. To have access to the latest features, we will install Lynis from the project's repository.
The Lynis software repository uses the HTTPS protocol, so we have to make sure that HTTPS support for the package manager is installed. Use the following command to check:
dpkg -s apt-transport-https | grep -i status
If it is installed, the output is:
Status: install ok installed
If it is not installed, install it using:
sudo apt-get install apt-transport-https
Before installing Lynis, add the repository key if needed:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
Output
Executing: /tmp/tmp.AnVzwb6Mq8/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
gpg: requesting key 91CA5D5F from hkp server keyserver.ubuntu.com
gpg: key 91CA5D5F: public key "CISOfy Software (signed software packages) <software@cisofy.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
Add the Lynis repository:
sudo add-apt-repository "deb [arch=amd64] https://packages.cisofy.com/community/lynis/deb/ xenial main"
Install Lynis:
sudo apt-get update
sudo apt-get install lynis
Step 2 – Perform an Audit
To see the commands Lynis can run:
lynis show commands
Output
Commands:
 lynis audit
 lynis configure
 lynis show
 lynis update
 lynis upload-only
View the Lynis default profile:
lynis show settings
Output
# Colored screen output
colors=1
# Compressed uploads
compressed-uploads=0
# Use non-zero exit code if one or more warnings were found
error-on-warnings=0
...
# Upload server (ip or hostname)
upload-server=[not configured]
# Data upload after scanning
upload=no
# Verbose output
verbose=0
# Add --brief to hide descriptions, --configured-only to show configured items only, or --nocolors to remove colors
Check the version / update info:
lynis update info
Output
 == Lynis ==
  Version            : 2.4.8
  Status             : Up-to-date
  Release date       : 2017-03-29
  Update location    : https://cisofy.com/lynis/

2007-2017, CISOfy - https://cisofy.com/lynis/
Alternatively:
lynis update check
Output
status=up-to-date
To run an audit of your system, use the command lynis audit system. You can run Lynis in privileged or non-privileged (pentest) mode. In the latter mode, some tests that require root privileges are skipped. For that reason, it is best to run Lynis using sudo:
sudo lynis audit system
When Lynis performs an audit, it goes through a number of tests, divided into several categories. After each audit, test results, debug information, and suggestions for hardening the system are written to standard output (the screen). More detailed information is logged to /var/log/lynis.log, while report data is saved to /var/log/lynis-report.dat. The report data contains general information about the server and the application itself, so the file you should pay attention to is the log file. The log file is cleared (overwritten) on each audit, so results from the previous audit are not kept.
After the audit is complete, you will review the results, warnings, and suggestions, and then implement the relevant suggestions.
Let's look at the results of a Lynis audit performed on the machine used to write this tutorial. The results you see in your audit may differ, but you should still be able to follow along.
The first important part of the Lynis audit results is purely informational. It tells you the result of every test, grouped by category. The information takes the form of keywords, such as NONE, WEAK, DONE, FOUND, NOT_FOUND, OK, and WARNING.
Output
[+] Boot and services
------------------------------------
  - Service Manager                                           [ systemd ]
  - Checking UEFI boot                                        [ DISABLED ]
  - Checking presence GRUB                                    [ OK ]
  - Checking presence GRUB2                                   [ FOUND ]
    - Checking for password protection                        [ WARNING ]
..
[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point                              [ SUGGESTION ]
    - Checking /tmp mount point                               [ SUGGESTION ]
    - Checking /var mount point                               [ OK ]
  - Query swap partitions (fstab)                             [ NONE ]
  - Testing swap partitions                                   [ OK ]
  - Testing /proc mount (hidepid)                             [ SUGGESTION ]
  - Checking for old files in /tmp                            [ OK ]
  - Checking /tmp sticky bit                                  [ OK ]
  - ACL support root file system                              [ ENABLED ]
  - Mount options of /                                        [ OK ]
  - Checking Locate database                                  [ FOUND ]
  - Disable kernel support of some filesystems
    - Discovered kernel modules: udf
...
[+] Hardening
------------------------------------
    - Installed compiler(s)                                   [ FOUND ]
    - Installed malware scanner                               [ NOT FOUND ]
    - Installed malware scanner                               [ NOT FOUND ]
...
[+] Printers and Spools
------------------------------------
  - Checking cups daemon                                      [ NOT FOUND ]
  - Checking lp daemon                                        [ NOT RUNNING ]
Although Lynis performs more than 200 tests out of the box, not all of them are necessary for your server. How can you tell which tests are necessary and which are not? That is where some knowledge of what should or should not be running on the server comes into play. For example, if you check the results section of a Lynis audit, you will find two tests under the Printers and Spools category:
Output
[+] Printers and Spools
------------------------------------
  - Checking cups daemon                                      [ NOT FOUND ]
  - Checking lp daemon                                        [ NOT RUNNING ]
Are you really running a print server on your Ubuntu 16.04 server? Unless you are running a cloud-based print server, you do not need Lynis to run that test every time.
While that is an obvious example of a test you could skip, others are not so clear-cut. Take this partial results section, for example:
Output
[+] Insecure services
------------------------------------
  - Checking inetd status                                     [ NOT ACTIVE ]
This output says that inetd is not active, but that is expected on an Ubuntu 16.04 server, because Ubuntu replaced inetd with systemd. Knowing that, you can flag that test as one that Lynis should not perform as part of an audit on your server.
Step 3 – Fixing Lynis Audit Warnings
The results of a Lynis audit do not always include a warnings section, but when they do, you will know how to fix the issues raised after reading this section.
Warnings are listed after the results section. Each warning starts with the warning text itself, with the test that generated the warning on the same line in brackets. The next line contains a suggested solution, if one exists. The last line is a security control URL where you may find some guidance on the warning. Unfortunately, the URL does not always offer an explanation, so you may need to do further research.
Output
Warnings (3):
----------------------------
! Version of Lynis is very old and should be updated [LYNIS]
    https://cisofy.com/controls/LYNIS/

! Reboot of system is most likely needed [KRNL-5830]
  - Solution : reboot
    https://cisofy.com/controls/KRNL-5830/

! Found one or more vulnerable packages. [PKGS-7392]
    https://cisofy.com/controls/PKGS-7392/
The first warning says that Lynis needs to be updated. That also means this audit used an old version of Lynis, so the results may not be complete. This could have been avoided if we had performed the basic version check (lynis update info) before running the audit, as shown in Step 2. The fix for this one is easy: update Lynis.
The second warning indicates that the server needs to be rebooted. That is probably because a system update involving a kernel upgrade was performed recently. The solution here is to reboot the system.
When in doubt about any warning, or indeed about almost any test result, you can get more information about the test by querying Lynis for the test ID. The command to do so takes this form:
sudo lynis show details test-id
So for the second warning, which has test ID KRNL-5830, we can run this command:
sudo lynis show details KRNL-5830
The output for that particular test follows. It gives you an idea of the process Lynis goes through during each test it performs. From this output, Lynis even provides specific information about the item that raised the warning:
Output
2017-03-21 01:50:03 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)
2017-03-21 01:50:04 Test: Checking presence /var/run/reboot-required.pkgs
2017-03-21 01:50:04 Result: file /var/run/reboot-required.pkgs exists
2017-03-21 01:50:04 Result: reboot is needed, related to 5 packages
2017-03-21 01:50:04 Package: 5
2017-03-21 01:50:04 Result: /boot exists, performing more tests from here
2017-03-21 01:50:04 Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*
2017-03-21 01:50:04 Result: using 4.4.0.64 as my kernel version (stripped)
2017-03-21 01:50:04 Result: found /boot/vmlinuz-4.4.0-64-generic
2017-03-21 01:50:04 Result: found /boot/vmlinuz-4.4.0-65-generic
2017-03-21 01:50:04 Result: found /boot/vmlinuz-4.4.0-66-generic
2017-03-21 01:50:04 Action: checking relevant kernels
2017-03-21 01:50:04 Output: 4.4.0.64 4.4.0.65 4.4.0.66
2017-03-21 01:50:04 Result: Found 4.4.0.64 (= our kernel)
2017-03-21 01:50:04 Result: found a kernel (4.4.0.65) later than running one (4.4.0.64)
2017-03-21 01:50:04 Result: Found 4.4.0.65
2017-03-21 01:50:04 Result: found a kernel (4.4.0.66) later than running one (4.4.0.64)
2017-03-21 01:50:04 Result: Found 4.4.0.66
2017-03-21 01:50:04 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
2017-03-21 01:50:04 Hardening: assigned partial number of hardening points (0 of 5). Currently having 7 points (out of 14)
2017-03-21 01:50:04 Checking permissions of /usr/share/lynis/include/tests_memory_processes
2017-03-21 01:50:04 File permissions are OK
2017-03-21 01:50:04 ===---------------------------------------------------------------===
For the third warning, PKGS-7392, about vulnerable packages, we run this command:
sudo lynis show details PKGS-7392
The output gives us more information about the packages that need to be updated:
Output
2017-03-21 01:39:53 Performing test ID PKGS-7392 (Check for Debian/Ubuntu security updates)
2017-03-21 01:39:53 Action: updating repository with apt-get
2017-03-21 01:40:03 Result: apt-get finished
2017-03-21 01:40:03 Test: Checking if /usr/lib/update-notifier/apt-check exists
2017-03-21 01:40:03 Result: found /usr/lib/update-notifier/apt-check
2017-03-21 01:40:03 Test: checking if any of the updates contain security updates
2017-03-21 01:40:04 Result: found 7 security updates via apt-check
2017-03-21 01:40:04 Hardening: assigned partial number of hardening points (0 of 25). Currently having 96 points (out of 149)
2017-03-21 01:40:05 Result: found vulnerable package(s) via apt-get (-security channel)
2017-03-21 01:40:05 Found vulnerable package: libc-bin
2017-03-21 01:40:05 Found vulnerable package: libc-dev-bin
2017-03-21 01:40:05 Found vulnerable package: libc6
2017-03-21 01:40:05 Found vulnerable package: libc6-dev
2017-03-21 01:40:05 Found vulnerable package: libfreetype6
2017-03-21 01:40:05 Found vulnerable package: locales
2017-03-21 01:40:05 Found vulnerable package: multiarch-support
2017-03-21 01:40:05 Warning: Found one or more vulnerable packages. [test:PKGS-7392] [details:-] [solution:-]
2017-03-21 01:40:05 Suggestion: Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [test:PKGS-7392] [details:-] [solution:-]
2017-03-21 01:40:05 ===---------------------------------------------------------------===
The solution for this is to update the package database and then update the system.
After fixing the items that caused the warnings, you should run the audit again. Subsequent audits should be free of the same warnings, although new warnings may appear. In that case, repeat the process shown in this step and fix the warnings.
Now that you know how to read and fix the warnings generated by Lynis, let's look at how to implement the suggestions Lynis offers.
Step 4 — Implementing Lynis Audit Suggestions
After the warnings section, you'll see a series of suggestions that, if implemented, can make your server less vulnerable to attacks and malware. In this step, you'll learn how to implement some suggestions generated by Lynis after an audit of a test Ubuntu 16.04 server. The process to do this is identical to the steps in the previous section.
A specific suggestion starts with the suggestion itself, followed by the test ID. Then, depending on the test, the next line will tell you exactly what changes to make in the affected service's configuration file. The last line is a security control URL where you can find more information about the subject.
Here, for example, is a partial suggestion section from a Lynis audit, showing suggestions pertaining to the SSH service:
Output
Suggestions (36):
----------------------------
* Consider hardening SSH configuration [SSH-7408]
    - Details  : ClientAliveCountMax (3 --> 2)
      https://cisofy.com/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
    - Details  : PermitRootLogin (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
    - Details  : Port (22 --> )
      https://cisofy.com/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
    - Details  : TCPKeepAlive (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
    - Details  : UsePrivilegeSeparation (YES --> SANDBOX)
      https://cisofy.com/controls/SSH-7408/
...
Depending on your environment, all these suggestions are safe to implement. To make that determination, however, you have to know what each directive means. Because these pertain to the SSH server, all changes have to be made in the SSH daemon's configuration file, /etc/ssh/sshd_config. If you have any doubt about a suggestion regarding SSH given by Lynis, look up the directive with man sshd_config. That information is also available online.
One of the suggestions calls for changing the default SSH port from 22. If you make that change, and you have the firewall configured, be sure to insert a rule for SSH access through that new port.
As with the warnings section, you can get more detailed information about a suggestion by querying Lynis for the test id using sudo lynis show details test-id.
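One way to check an sshd_config against the SSH-7408 values listed above before editing it. This is an added example written for this tutorial, not code from Lynis or OpenSSH; the sample config is constructed, and the Port suggestion is left out because its target value is blank in the output above.

```shell
#!/bin/sh
# Added example (not from Lynis or OpenSSH): report which of the directives
# Lynis suggested above differ in an sshd_config. Like sshd, the first
# occurrence of a keyword wins and keywords are case-insensitive. A directive
# that is absent is reported as "(unset)" rather than assumed to be safe, and
# parsing stops at the first Match block, since settings there are conditional.

# "Keyword suggested-value" pairs taken from the SSH-7408 suggestions above.
SUGGESTED='ClientAliveCountMax 2
PermitRootLogin no
TCPKeepAlive no
UsePrivilegeSeparation sandbox'

# Constructed sample sshd_config standing in for /etc/ssh/sshd_config.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat >"$CFG" <<'EOF'
Port 22
PermitRootLogin yes
TCPKeepAlive no
UsePrivilegeSeparation sandbox
# ClientAliveCountMax is only set for one user below, so globally it is unset
Match User deploy
    ClientAliveCountMax 2
EOF

# sshd_value CONFIG Keyword: the effective global value of Keyword, or
# nothing if it is not set before the first Match block.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }   # conditional section: stop here
        tolower($1) == k       { print $2; exit }' "$1"
}

# ssh_mismatches CONFIG: one "Keyword current suggested" line per directive
# whose effective value differs from the Lynis suggestion.
ssh_mismatches() {
    printf '%s\n' "$SUGGESTED" | while read -r key want; do
        have=$(sshd_value "$1" "$key")
        [ -n "$have" ] || have='(unset)'
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "$key $have $want"
        fi
    done
}

ssh_mismatches "$CFG"
```

Run it against the real file with sudo and pass the path in place of "$CFG"; after editing, rerun it and then sudo lynis show details SSH-7408 to confirm Lynis agrees.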
Other suggestions require you to install additional software on your server. Take this one, for example:
Output
* Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      https://cisofy.com/controls/HRDN-7230/
The suggestion is to install rkhunter, chkrootkit, or OSSEC to satisfy a hardening test (HRDN-7230). OSSEC is a host-based intrusion detection system that can generate and send alerts. It is a very good security application that will help with some of the tests performed by Lynis. You can learn more about this tool in these DigitalOcean tutorials. However, installing OSSEC alone does not cause this particular test to pass. Installing chkrootkit finally gets it passing. This is another case where you will sometimes have to do additional research beyond what Lynis suggests.
Let's look at another example. Here's a suggestion displayed as a result of a file integrity test.
Output
* Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
    https://cisofy.com/controls/FINT-4350/
The suggestion given in the security control URL does not mention the OSSEC program mentioned in the previous suggestion, but installing it was enough to pass the test on a subsequent audit. That's because OSSEC is a pretty good file integrity monitoring tool.
You can ignore some suggestions that don't apply to you. Here's an example:
Output
* To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310]
    https://cisofy.com/controls/FILE-6310/

* To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
    https://cisofy.com/controls/FILE-6310/
Historically, core Linux file systems like /home, /tmp, /var, and /usr were mounted on a separate partition to minimize the impact on the whole server when they run out of disk space. This isn't something you'll see that often, especially on cloud servers. These file systems are now just mounted as a directory on the same root partition. But if you perform a Lynis audit on such a system, you'll get a couple of suggestions like the ones shown in the preceding output. Unless you're in a position to implement the suggestions, you'll probably want to ignore them and configure Lynis so the test that caused them to be generated is not performed on future audits.
Performing a security audit using Lynis involves more than just fixing warnings and implementing suggestions; it also involves identifying superfluous tests. In the next step, you will learn how to customize the default profile to ignore such tests.
Step 5 – Customizing Lynis Security Audits
In this section, you'll learn how to customize Lynis so that it runs only those tests that are necessary for your server. Profiles, which govern how audits run, are defined in files with the .prf extension in the /etc/lynis directory. The default profile is aptly named default.prf. You don't edit that default profile directly. Instead, you add any changes you want to a custom.prf file in the same directory as the profile definition.
Create a new file called /etc/lynis/custom.prf using your text editor:
sudo nano /etc/lynis/custom.prf
Let's use this file to tell Lynis to skip some tests. Here are the tests we want to skip:
- FILE-6310: Used to check for separation of partitions.
- HTTP-6622: Used to test for Nginx web server installation.
- HTTP-6702: Used to check for Apache web server installation. This test and the Nginx test above are performed by default. So if you have Nginx installed and not Apache, you'll want to skip the Apache test.
- PRNT-2307 and PRNT-2308: Used to check for a print server.
- TOOL-5002: Used to check for automation tools like Puppet and Salt. If you have no need for such tools on your server, it's OK to skip this test.
- SSH-7408:tcpkeepalive: Several Lynis tests can be grouped under a single test ID. If there's a test within that test ID that you wish to skip, this is how to specify it.
To ignore a test, you pass the skip-test directive the test ID you wish to ignore, one per line. Add the following code to your file: /etc/lynis/custom.prf
# Lines starting with "#" are comments
# Skip a test (one per line)

# This will ignore separation of partitions test
skip-test=FILE-6310

# Is Nginx installed?
skip-test=HTTP-6622

# Is Apache installed?
skip-test=HTTP-6702

# Skip checking print-related services
skip-test=PRNT-2307
skip-test=PRNT-2308

# If a test id includes more than one test use this form to ignore a particular test
skip-test=SSH-7408:tcpkeepalive
Save and close the file.
The next time you perform an audit, Lynis will skip the tests that match the test IDs you configured in the custom profile. The tests will be omitted from the results section of the audit output, as well as the suggestions section.
The /etc/lynis/custom.prf file also lets you modify any settings in a profile. To do that, copy the setting from /etc/lynis/default.prf into /etc/lynis/custom.prf and modify it there. You'll rarely need to modify these settings, so focus your effort on finding tests you can skip.
Next, let's take a look at what Lynis calls the hardening index.
Step 6 – Interpreting the Hardening Index
In the lower section of every Lynis audit output, just below the suggestions section, you'll find a section that looks like the following:
Output
Lynis security scan details:

  Hardening index : 64 [############        ]
  Tests performed : 206
  Plugins enabled : 0
This output tells you how many tests were performed, along with a hardening index, a number that Lynis provides to give you a sense of how secure your server is. This number is unique to Lynis. The hardening index will change in relation to the warnings that you fix and the suggestions that you implement. This output, which shows that the system has a hardening index of 64, is from the first Lynis audit on a new Ubuntu 16.04 server.
After fixing the warnings and implementing most of the suggestions, a new audit gave the following output. You can see that the hardening index is slightly higher:
Output
Lynis security scan details:

  Hardening index : 86 [#################   ]
  Tests performed : 205
  Plugins enabled : 0
The hardening index is not an accurate assessment of how secure a server is, but merely a measure of how well the server is securely configured (or hardened) based on the tests performed by Lynis. And as you've seen, the higher the index, the better. The objective of a Lynis security audit is not just to get a high hardening index, but to fix the warnings and suggestions it generates.
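Because the log and report files are overwritten on every audit, comparing two runs (the re-audit after fixing warnings in Step 3, and the index change in this step) needs a saved copy of /var/log/lynis-report.dat from each. The script below is an added example written for this tutorial, not part of Lynis: it diffs two such copies. The report is key=value text with repeated keys written as key[]=; the hardening_index key and the warning[] field layout (test-id|text|details|solution) are assumptions based on the audit output above, and the sample reports are constructed.

```shell
#!/bin/sh
# Added example (not part of Lynis): compare the report data of two audits.
# Assumed report format: key=value lines; repeated keys use key[]=; a warning
# line is warning[]=TEST-ID|text|details|solution. Sample data is constructed.

BEFORE=$(mktemp)
AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
# Constructed stand-in for the first audit's lynis-report.dat (index 64).
cat >"$BEFORE" <<'EOF'
lynis_version=2.4.8
hardening_index=64
warning[]=KRNL-5830|Reboot of system is most likely needed|-|reboot|
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
EOF
# Constructed stand-in for the audit after the fixes (index 86), with one
# placeholder warning that is new in the second run.
cat >"$AFTER" <<'EOF'
lynis_version=2.4.8
hardening_index=86
warning[]=TEST-0000|Constructed placeholder for a warning new in the second audit|-|-|
EOF

# report_value FILE KEY: value of a scalar key such as hardening_index.
report_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# warning_ids FILE: test IDs of all warning[] entries, sorted, one per line.
warning_ids() {
    sed -n 's/^warning\[\]=\([^|]*\)|.*/\1/p' "$1" | sort -u
}

# ids_only_in A B: warning IDs present in report A but absent from report B.
ids_only_in() {
    tmp=$(mktemp)
    warning_ids "$2" >"$tmp"
    warning_ids "$1" | grep -vxF -f "$tmp" || true   # grep exits 1 when none
    rm -f "$tmp"
}

# Warnings from the first audit that the second no longer reports.
resolved_warnings() { ids_only_in "$1" "$2"; }
# Warnings that appeared only in the second audit.
new_warnings()      { ids_only_in "$2" "$1"; }

# index_delta BEFORE AFTER: change in hardening index (after minus before).
index_delta() {
    echo $(( $(report_value "$2" hardening_index) - $(report_value "$1" hardening_index) ))
}

# compare_audits BEFORE AFTER: human-readable summary of the two runs.
compare_audits() {
    echo "Hardening index: $(report_value "$1" hardening_index) -> $(report_value "$2" hardening_index) (delta $(index_delta "$1" "$2"))"
    echo "Resolved warnings:"; resolved_warnings "$1" "$2" | sed 's/^/  /'
    echo "New warnings:";      new_warnings "$1" "$2" | sed 's/^/  /'
}

compare_audits "$BEFORE" "$AFTER"
```

On a real server, copy /var/log/lynis-report.dat to a dated file after each audit (with sudo) and pass the two copies to compare_audits in place of the constructed files.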
Conclusion
In this tutorial, you installed Lynis, used it to perform a security audit of an Ubuntu 16.04 server, explored how to fix the warnings and suggestions it generates, and how to customize the tests that Lynis performs.
It takes a little extra time and effort, but it's worth the investment to make your machine more secure, and Lynis makes that process much easier.
For more information on Lynis, take a look at Get Started with Lynis in the official documentation. Lynis is an open-source project, so if you are interested in contributing, visit the project's GitHub page.