Lynis is a powerful open-source auditing tool for Unix-like operating systems. It scans the system and reports on its hardening state, general system information, installed software, configuration errors, security weaknesses, user accounts without passwords, inappropriate file permissions, firewall configuration, and more.
Understanding Lynis
Lynis runs individual test cases to help you harden your Linux system. Each run goes through the following phases before the report is shown:
Determine the operating system
Search for available tools and utilities
Check for Lynis updates
Run tests from enabled plugins
Run security tests by category
Report the status of the security scan
During a run, the details of every test are written to the log file (/var/log/lynis.log), while the findings, that is all warnings and suggestions, are written to the report file (/var/log/lynis-report.dat).
Installing Lynis
To install Lynis, use the following command (on CentOS the package comes from the EPEL repository, which must be enabled):
# yum install lynis
The output should look like this:
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00
elrepo | 2.9 kB 00:00
epel/x86_64/metalink | 3.2 kB 00:00
epel | 4.3 kB 00:00
extras | 3.4 kB 00:00
google-chrome | 951 B 00:00
updates | 3.4 kB 00:00
(1/2): epel/x86_64/updateinfo | 501 kB 00:02
(2/2): epel/x86_64/primary_db | 3.9 MB 00:02
Loading mirror speeds from cached hostfile
* base: ftp.iitm.ac.in
* elrepo: mirrors.ircam.fr
* epel: mirrors.hustunique.com
* extras: ftp.iitm.ac.in
* updates: ftp.iitm.ac.in
Resolving Dependencies
--> Running transaction check
---> Package lynis.noarch 0:2.1.0-1.el7 will be installed
.......
Note that Lynis needs root privileges for a complete audit; run as an unprivileged user it still works, but skips the tests that have to read protected files.
Running Lynis
Before running Lynis, you should know the following parameters:
--check-all or -c: start the scan
--check-update: check for a Lynis update
--cronjob: run Lynis as a cron job (includes -c -Q)
--help or -h: show the valid parameters
--quick or -Q: do not wait for user input, except on errors
--version or -V: show the Lynis version
To run Lynis, use the following command:
# lynis -c --auditor "nhooo"
The -c parameter is recommended; it tells Lynis to run all tests against the system. To record who performed the audit, add the --auditor parameter.
In the example above, nhooo is the auditor's name. The output of the command should look like this:
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
---------------------------------------------------
Program version: 2.1.0
Operating system: Linux
Operating system name: CentOS
Operating system version: CentOS Linux release 7.2.1511 (Core)
Kernel version: 3.10.0
Hardware platform: x86_64
Hostname: linux
Auditor: "nhooo"
Profile: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/share/lynis/plugins
---------------------------------------------------
- Checking profile file (/etc/lynis/default.prf)...
- Program update status... [ UPDATE AVAILABLE ]
.......
The output above shows Lynis initializing.
[+] Users, Groups and Authentication
------------------------------------
- Search administrator accounts [ OK ]
- Checking for non-unique UIDs [ OK ]
- Checking consistency of group files (grpck) [ OK ]
- Checking non unique group ID's [ OK ]
- Checking non unique group names [ OK ]
- Checking password file consistency [ OK ]
- Query system users (non daemons) [ DONE ]
- Checking NIS+ authentication support [ NOT ENABLED ]
- Checking NIS authentication support [ NOT ENABLED ]
- Checking sudoers file [ FOUND ]
- Check sudoers file permissions [ OK ]
- Checking PAM password strength tools [ OK ]
- Checking PAM configuration file (pam.conf) [ NOT FOUND ]
- Checking PAM configuration files (pam.d) [ FOUND ]
- Checking PAM modules [ FOUND ]
- Checking user password aging [ DISABLED ]
- Checking Linux single user mode authentication [ WARNING ]
- Determining default umask
- Checking umask (/etc/profile) [ SUGGESTION ]
- Checking umask (/etc/login.defs) [ OK ]
- Checking umask (/etc/init.d/functions) [ SUGGESTION ]
- Checking LDAP authentication support [ NOT ENABLED ]
......
The output above covers users, groups and authentication.
[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ OK ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ OK ]
- Checking LVM volume groups [ FOUND ]
- Checking LVM volumes [ FOUND ]
- Querying FFS/UFS mount points (fstab) [ NONE ]
- Query swap partitions (fstab) [ OK ]
- Testing swap partitions [ WARNING ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- ACL support root file system [ DISABLED ]
- Checking Locate database [ FOUND ]
........
The output above covers the file systems.
[+] Ports and packages
------------------------------------
- Searching package managers
- Searching RPM package manager [ FOUND ]
- Querying RPM package manager
- Checking YUM package management consistency [ OK ]
- Checking package database duplicates [ OK ]
- Checking package database for problems [ OK ]
- Checking missing security packages [ OK ]
- Checking GPG checks (yum.conf) [ OK ]
- Checking package audit tool [ INSTALLED ]
Found: yum-security
.......
The output above covers the ports and packages of the Linux system.
[+] Networking
------------------------------------
- Checking configured nameservers
- Testing nameservers
Nameserver: 192.168.1.1 [ OK ]
- Minimal of 2 responsive nameservers [ WARNING ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
* Found 22 ports
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client
.....
The output above covers networking information.
[+] Printers and Spools
------------------------------------
- Checking cups daemon [ RUNNING ]
- Checking CUPS configuration file [ OK ]
- File permissions [ OK ]
- Checking CUPS addresses/sockets [ FOUND ]
- Checking lp daemon
......
The output above covers printers and print spoolers.
Creating a Lynis cron job
To scan the system every day, open the crontab of the root user with:
# crontab -e
and add the following job. The --cronjob option removes all special characters (colour codes) from the output and lets the scan run without any interaction; it already implies -c -Q, so those two are optional here:
30 22 * * * /path/to/lynis -c -Q --auditor "automated" --cronjob
The example above runs every night at 22:30. Note that there is no user field: crontab -e edits the crontab of the invoking user (root), so the line has only the five time fields before the command. The six-field form with a user name, 30 22 * * * root /path/to/lynis ..., is valid only in /etc/crontab or in a file under /etc/cron.d/. Each run writes its log to /var/log/lynis.log and its findings to /var/log/lynis-report.dat.
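As an added example (not code from the article or from the Lynis project), the following POSIX shell script shows what a practitioner does with the two files described above: it parses the report file that the nightly job leaves behind, turns its warning and suggestion entries into a pass/fail verdict, and installs the job as a /etc/cron.d file, where the user field is valid. It assumes the key=value layout of lynis-report.dat, with warning[] and suggestion[] entries and a hardening_index line; the sample report embedded in it is constructed for the example (the test IDs and messages are illustrative), and the path to the lynis binary is passed in as an argument because it depends on how Lynis was installed.

```shell
#!/bin/sh
# Added example for this article; it is not part of Lynis. Lynis writes its
# machine-readable report as key=value lines; findings appear as
#   warning[]=TEST-ID|message|details|solution|
#   suggestion[]=TEST-ID|message|details|solution|
# and a single hardening_index=NN line summarises the run. The sample report
# below is constructed (IDs and messages illustrative); the lynis path is an
# argument rather than an assumption.

# Write a constructed sample report to the given path.
write_sample_report() {
    cat >"$1" <<'EOF'
# Lynis Report
report_version_major=1
report_version_minor=0
lynis_version=2.1.0
os_name=CentOS
hardening_index=62
warning[]=AUTH-9308|No password set for single mode|-|-|
warning[]=NETW-2705|Minimal of 2 responsive nameservers|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=FILE-6310|Place /tmp on a separate partition|-|-|
EOF
}

# Print the value of a scalar key (e.g. hardening_index); empty if absent.
report_value() {  # $1=key $2=report file
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# Count the entries of one kind: warning or suggestion.
count_findings() {  # $1=warning|suggestion $2=report file
    grep -c "^$1\[\]=" "$2" || true   # grep -c exits 1 on zero matches
}

# Print "TEST-ID: message" for each entry of one kind.
list_findings() {  # $1=warning|suggestion $2=report file
    grep "^$1\[\]=" "$2" | cut -d= -f2- | awk -F'|' '{ printf "%s: %s\n", $1, $2 }'
}

# Succeed only when the run produced no warnings and the hardening index
# reached the minimum; a cron wrapper can turn a failure into an alert.
audit_passes() {  # $1=report file $2=minimum hardening index
    warnings=$(count_findings warning "$1")
    index=$(report_value hardening_index "$1")
    if [ "${warnings:-0}" -eq 0 ] && [ "${index:-0}" -ge "$2" ]; then
        return 0
    fi
    return 1
}

# Write a /etc/cron.d entry. Unlike 'crontab -e', cron.d files take a user
# field, hence 'root' after the five time fields. --cronjob implies -c -Q
# and strips colour codes, so the output is safe to log.
write_cron_job() {  # $1=target file (e.g. /etc/cron.d/lynis) $2=path to lynis
    cat >"$1" <<EOF
# Daily Lynis audit at 22:30; log in /var/log/lynis.log, report in /var/log/lynis-report.dat
30 22 * * * root $2 --cronjob --auditor "automated" >/dev/null 2>&1
EOF
}

# Demo on the constructed sample. A real cron wrapper would run
# 'lynis --cronjob' first and then call audit_passes on the real report.
demo() {
    tmp=$(mktemp)
    write_sample_report "$tmp"
    echo "hardening index: $(report_value hardening_index "$tmp")"
    echo "warnings: $(count_findings warning "$tmp"), suggestions: $(count_findings suggestion "$tmp")"
    list_findings warning "$tmp"
    if audit_passes "$tmp" 70; then echo "audit PASSED"; else echo "audit FAILED"; fi
    rm -f "$tmp"
}

demo
```

The point of audit_passes is that a nightly scan should fail loudly: a wrapper that runs lynis --cronjob, then audit_passes on /var/log/lynis-report.dat, and calls logger or mail when it returns non-zero, tells someone when a new WARNING appears instead of appending it to a log nobody reads.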
Updating Lynis
To check whether a newer Lynis release is available, use:
# lynis --check-update
This only reports the version status; if an update is available, install it with yum update lynis.
Congratulations! You now know how to install Lynis, the Linux auditing tool, on CentOS. In our next Linux article we will look at more commands of this kind in detail. Keep reading!