Fli
03-22-2015, 11:02 AM
*** Lynis ***
It is a Linux security auditing tool. Website: https://cisofy.com/lynis/
On a Red Hat system I installed Lynis with: yum install lynis
It is in the EPEL repository (you may need to install the EPEL repo first).
Then run the command # lynis
to see:
Usage: lynis command [options]
Command:
audit
audit system : Perform local security scan
audit system remote <host> : Remote security scan
audit dockerfile <file> : Analyze Dockerfile
show
show : Show all commands
show version : Show Lynis version
show help : Show help
update
update info : Show update details
update release : Update Lynis release
Options:
--no-log : Don't create a log file
--pentest : Non-privileged scan (useful for pentest)
--profile <profile> : Scan the system with the given profile file
--quick (-Q) : Quick mode, don't wait for user input
Layout options
--no-colors : Don't use colors in output
--quiet (-q) : No output
--reverse-colors : Optimize color display for light backgrounds
Misc options
--debug : Debug logging to screen
--view-manpage (--man) : View man page
--verbose : Show more details on screen
--version (-V) : Display version number and quit
Enterprise options
--plugin-dir "<path>" : Define path of available plugins
--upload : Upload data to central node
More options available. Run '/usr/bin/lynis show options', or use the man page.
Scan the system:
# lynis audit system --quick
outdated command: # lynis -c -q
- Checking for password protection [ WARNING ]
- Checking Linux single user mode authentication [ WARNING ]
- Shellshock: CVE-2014-6277 (segfault, lcamtuf bug #1) [ WARNING ]
- Testing swap partitions [ WARNING ]
- Checking waiting connections [ WARNING ]
- Checking Postfix banner [ WARNING ]
- Checking for empty ruleset [ WARNING ]
- Checking empty MySQL root password [ WARNING ]
So there are Lynis warnings. What do they mean?
Lynis log file: /var/log/lynis.log
Grep all suggestions and warnings, with the log line number at the beginning:
# grep -nE "Suggestion:|Warning:" /var/log/lynis.log
example output:
1465:[10:11:46] Suggestion: Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)
1518:[10:11:46] Suggestion: Run chkconfig --list to see all services and disable unneeded services
1997:[10:11:48] Suggestion: Configure password aging limits to enforce password changing on a regular base [AUTH-9286]
2015:[10:11:48] Suggestion: Set password for single user mode to minimize physical access attack surface [AUTH-9308]
2026:[10:11:48] Suggestion: Default umask in /etc/profile could be more strict like 027 [AUTH-9328]
2109:[10:11:48] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
2144:[10:11:48] Suggestion: Check your /etc/fstab file for swap partition mount options [FILE-6336]
2179:[10:11:49] Suggestion: The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410]
2186:[10:11:49] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
2192:[10:11:49] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
2297:[10:11:49] Suggestion: Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404]
2748:[10:11:58] Suggestion: Install package 'yum-utils' for better consistency checking of the package database [PKGS-7384]
2759:[10:11:58] Suggestion: Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security) [PKGS-7386]
2788:[10:11:59] Suggestion: Install a package audit tool to determine vulnerable packages [PKGS-7398]
2914:[10:11:59] Suggestion: You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [MAIL-8818]
2943:[10:11:59] Suggestion: Disable iptables kernel module if not used or make sure rules are being used [FIRE-4512]
3075:[10:12:00] Suggestion: Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
3081:[10:12:00] Suggestion: Install Apache mod_qos to guard webserver against Slowloris attacks [HTTP-6641]
3087:[10:12:00] Suggestion: Install Apache mod_spamhaus to guard webserver against spammers [HTTP-6642]
3093:[10:12:00] Suggestion: Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
3195:[10:12:00] Suggestion: Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD) [DBS-1816]
3270:[10:12:01] Suggestion: Change the expose_php line to: expose_php = Off [PHP-2372]
3280:[10:12:01] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376]
3433:[10:12:01] Suggestion: Check what deleted files are still in use and why. [LOGG-2190]
3464:[10:12:02] Suggestion: Add legal banner to /etc/motd, to warn unauthorized users [BANN-7122]
3473:[10:12:02] Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
3483:[10:12:02] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
3547:[10:12:02] Suggestion: Enable process accounting [ACCT-9622]
3564:[10:12:02] Suggestion: Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630]
3635:[10:12:02] Suggestion: Check ntpq peers output for unreliable ntp peers and correct/replace them [TIME-3120]
3661:[10:12:02] Suggestion: Some time servers missing in step-tickers file [TIME-3160]
3762:[10:12:03] Suggestion: Install a file integrity tool [FINT-4350]
3770:[10:12:03] Suggestion: Determine if automation tools are present for system management [TOOL-5002]
3922:[10:12:04] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
3929:[10:12:04] Suggestion: Harden the system by removing unneeded compilers. This might decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [HRDN-7220]
3941:[10:12:04] Suggestion: Harden compilers like restricting access to root user only [HRDN-7222]
For example, the last entry is "Harden compilers like restricting access to root user only [HRDN-7222]" and is at line 3941.
To get more info, open the log file /var/log/lynis.log and go to that line number (vi /var/log/lynis.log, then type ":3941" and press Enter).
*** RkHunter ***
It is a Linux security auditing tool. It scans for rootkits and backdoors. Website: http://rkhunter.sourceforge.net/
On Red Hat Linux I installed it with: yum install rkhunter
The EPEL repository should probably be installed.
Show rkhunter commands:
# rkhunter
Usage: rkhunter {--check | --unlock | --update | --versioncheck |
--propupd [{filename | directory | package name},...] |
--list [{tests | {lang | languages} | rootkits | perl | propfiles}] |
--config-check | --version | --help} [options]
Current options are:
--append-log Append to the logfile, do not overwrite
--bindir <directory>... Use the specified command directories
-c, --check Check the local system
-C, --config-check Check the configuration file(s), then exit
--cs2, --color-set2 Use the second color set for output
--configfile <file> Use the specified configuration file
--cronjob Run as a cron job
(implies -c, --sk and --nocolors options)
--dbdir <directory> Use the specified database directory
--debug Debug mode
(Do not use unless asked to do so)
--disable <test>[,<test>...] Disable specific tests
(Default is to disable no tests)
--display-logfile Display the logfile at the end
--enable <test>[,<test>...] Enable specific tests
(Default is to enable all tests)
--hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
NONE | <command>} Use the specified file hash function
(Default is SHA1, then MD5)
-h, --help Display this help menu, then exit
--lang, --language <language> Specify the language to use
(Default is English)
--list [tests | languages | List the available test names, languages,
rootkits | perl | rootkit names, perl module status
propfiles] or file properties database, then exit
-l, --logfile [file] Write to a logfile
(Default is /var/log/rkhunter.log)
--noappend-log Do not append to the logfile, overwrite it
--nocf Do not use the configuration file entries
for disabled tests (only valid with --disable)
--nocolors Use black and white output
--nolog Do not write to a logfile
--nomow, --no-mail-on-warning Do not send a message if warnings occur
--ns, --nosummary Do not show the summary of check results
--novl, --no-verbose-logging No verbose logging
--pkgmgr {RPM | DPKG | BSD | Use the specified package manager to obtain or
SOLARIS | NONE} verify file property values. (Default is NONE)
--propupd [file | directory | Update the entire file properties database,
package]... or just for the specified entries
-q, --quiet Quiet mode (no output at all)
--rwo, --report-warnings-only Show only warning messages
--sk, --skip-keypress Don't wait for a keypress after each test
--summary Show the summary of system check results
(This is the default)
--syslog [facility.priority] Log the check start and finish times to syslog
(Default level is authpriv.notice)
--tmpdir <directory> Use the specified temporary directory
--unlock Unlock (remove) the lock file
--update Check for updates to database files
--vl, --verbose-logging Use verbose logging (on by default)
-V, --version Display the version number, then exit
--versioncheck Check for latest version of program
-x, --autox Automatically detect if X is in use
-X, --no-autox Do not automatically detect if X is in use
Run the check:
# rkhunter -c
RkHunter logfile:
a) # vi /var/log/rkhunter/rkhunter.log
b) # vi /var/log/rkhunter.log
List only warnings:
# find /var/log -name rkhunter.log -exec cat {} \; | grep Warning | grep -vE "the group file|the passwd file"
*** Chkrootkit ***
What is it? A security auditing tool that scans the system for rootkits.
Website: http://www.chkrootkit.org/
Installation on Red Hat based Linux:
# yum install chkrootkit
If not found: yum install epel-release
then enable it (enabled=1) in /etc/yum.repos.d/epel-bootstrap.repo
yum update?
Run all tests (takes just a minute or a couple of them):
# chkrootkit
*** Maldet ***
What is it? A malware detection system with real-time scanning. Website: https://www.rfxn.com/projects/linux-malware-detect/
My installation tutorial and how to run the check: http://internetlifeforum.com/security-protection/2155-maldet-linux-malware-detector-how-install-use/
*** AIDE ***
AIDE - Advanced Intrusion Detection Environment. Monitors the system for newly changed system files and folders.
Website: http://aide.sourceforge.net/
My installation and usage tutorial: http://internetlifeforum.com/security-protection/1754-aide-setup-usage-centos/
--------
What do you think? Do you have ideas regarding security auditing software?
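As an added example (not part of the original post, and not code from the Lynis or rkhunter projects), the script below turns the two greps from the post into reusable functions: it pulls every Suggestion/Warning out of a Lynis log together with its log line number and test ID, filters rkhunter warnings the way the post does, and with --run first invokes both tools non-interactively using flags from the help output quoted above. The log paths are the defaults named in the post, the Lynis line format is assumed to match the post's sample output (a trailing [TEST-ID] tag; newer Lynis versions may format the tag differently), and the sample log lines are constructed here so the parsing runs without either tool installed.

```shell
#!/bin/sh
# Added example, not code from the original post nor from the Lynis/rkhunter
# projects. Assumptions: default log paths as named in the post; Lynis log
# lines carry a trailing [TEST-ID] tag as in the post's sample output; the
# sample log lines below are made up.
set -eu

LYNIS_LOG="${LYNIS_LOG:-/var/log/lynis.log}"
RKHUNTER_LOG="${RKHUNTER_LOG:-/var/log/rkhunter.log}"

# Print every Suggestion:/Warning: line of a Lynis log as
#   <log line number>|<Suggestion|Warning>|<TEST-ID or ->|<message>
# so the line number can be jumped to in vi with ":<number>".
lynis_findings() {
    grep -nE 'Suggestion:|Warning:' "$1" | awk '
    {
        n = $1; sub(/:.*/, "", n)                        # line number from grep -n
        rest = $0; sub(/^[0-9]+:\[[0-9:]+\] /, "", rest) # strip "NNN:[hh:mm:ss] "
        type = rest; sub(/:.*/, "", type)                # Suggestion or Warning
        msg = rest; sub(/^[A-Za-z]+: /, "", msg)
        id = "-"                                         # some entries carry no test ID
        if (match(msg, / \[[A-Z]+-[0-9]+\]$/)) {
            id = substr(msg, RSTART + 2, RLENGTH - 3)
            msg = substr(msg, 1, RSTART - 1)
        }
        print n "|" type "|" id "|" msg
    }'
}

# Number of findings in a Lynis log (prints 0 when there are none).
lynis_count() { lynis_findings "$1" | grep -c . || true; }

# Test IDs of one finding type, e.g.: lynis_ids Warning /var/log/lynis.log
lynis_ids() {
    lynis_findings "$2" | awk -F'|' -v t="$1" '$2 == t && $3 != "-" { print $3 }'
}

# rkhunter warnings, dropping the passwd/group change notices the post filters
# out. Confirm those changes were expected before treating them as noise.
rkhunter_warnings() {
    grep 'Warning:' "$1" | grep -vE 'the group file|the passwd file' || true
}

# Non-interactive runs using flags from the help output quoted in the post.
run_tools() {
    if command -v lynis >/dev/null 2>&1; then
        lynis audit system --quick --no-colors
    fi
    if command -v rkhunter >/dev/null 2>&1; then
        rkhunter --check --sk --rwo
    fi
}

# Constructed sample logs (made-up lines in the format of the post's output).
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
LYNIS_SAMPLE="$TMPD/lynis.log"
RKHUNTER_SAMPLE="$TMPD/rkhunter.log"
cat > "$LYNIS_SAMPLE" <<'EOF'
[10:11:46] Suggestion: Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)
[10:11:48] Suggestion: Default umask in /etc/profile could be more strict like 027 [AUTH-9328]
[10:11:48] Warning: No password set for single user mode [AUTH-9308]
[10:12:00] Performing test ID ACCT-9630 (Check for auditd rules)
[10:12:00] Suggestion: Use mysqladmin to set a MySQL root password [DBS-1816]
EOF
cat > "$RKHUNTER_SAMPLE" <<'EOF'
[10:20:01] Info: Starting system check
[10:20:05] Warning: The command '/usr/bin/lwp-request' has been replaced by a script
[10:20:09] Warning: Changes found in the passwd file:
[10:20:09]          User 'fli' has been added to the passwd file.
[10:20:09] Warning: Changes found in the group file:
[10:20:12] Warning: Hidden directory found: /etc/.java
EOF

# Default: report on the samples. With --run: run the tools, report on real logs.
LYNIS_FILE="$LYNIS_SAMPLE"; RKHUNTER_FILE="$RKHUNTER_SAMPLE"
if [ "${1:-}" = "--run" ]; then
    run_tools
    LYNIS_FILE="$LYNIS_LOG"; RKHUNTER_FILE="$RKHUNTER_LOG"
fi

printf 'Lynis findings (%s total), as line|type|id|message:\n' "$(lynis_count "$LYNIS_FILE")"
lynis_findings "$LYNIS_FILE"
printf 'Lynis warning IDs: %s\n' "$(lynis_ids Warning "$LYNIS_FILE" | tr '\n' ' ')"
printf 'rkhunter warnings after filtering:\n'
rkhunter_warnings "$RKHUNTER_FILE"
```

Run it with no arguments to see the parsers on the sample lines, or as root with --run after both tools are installed. Two caveats for real use: run rkhunter --propupd only on a host you believe is clean, since it records the current file properties as the baseline that later checks compare against, and treat the Lynis log line number only as a pointer into the log; the test ID in brackets is the stable handle for looking a finding up in the Lynis documentation.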