Auditing and hardening your own Debian/Linux system.
Lynis
Auditing, system hardening, compliance testing
A security tool for systems running Linux, macOS or other Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing.
Installation via
apt install lynis
or manually, from the CISOfy repository, which usually carries a newer version than Debian stable:
wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -
apt install apt-transport-https
echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
apt install lynis
Note that apt-key is deprecated on newer Debian releases: a key added with it is trusted for every configured repository. There the key belongs in its own keyring file (for example under /etc/apt/keyrings/) and is referenced from the sources entry with a [signed-by=...] option, so it can only sign this one repository.
Testing your own system
lynis audit system
The first analysis, right after setting up the desktop:
Great, no warnings
Suggestions (31)
Lynis security scan details:
Hardening index : 74 [############## ]
Tests performed : 238
Tested with Lynis v2.7.5, without plugins.
GRUB password
* Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] https://cisofy.com/lynis/controls/BOOT-5122/
[ x ] Ignored: on a laptop used as a desktop I do not want to type a password at every reboot. (Strictly speaking a GRUB superuser password only needs to protect editing of boot entries and the GRUB shell; entries marked --unrestricted still boot without a prompt, so the check can be satisfied without a password at every boot.)
Additional suggestions that appeared after many changes...
locate
* The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410] https://cisofy.com/lynis/controls/FILE-6410/
Run:
updatedb
password strength
* Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] https://cisofy.com/lynis/controls/AUTH-9262/
Install:
apt install libpam-cracklib
On Debian 10 this is enough. pam_cracklib has since been removed from Linux-PAM, so on newer releases install libpam-pwquality instead, which serves the same purpose.
password age
* Configure minimum password age in /etc/login.defs [AUTH-9286] https://cisofy.com/lynis/controls/AUTH-9286/
* Configure maximum password age in /etc/login.defs [AUTH-9286] https://cisofy.com/lynis/controls/AUTH-9286/
Edit:
nano /etc/login.defs
#PASS_MAX_DAYS 99999
PASS_MAX_DAYS 365
#PASS_MIN_DAYS 0
PASS_MIN_DAYS 7
PASS_WARN_AGE 14
Lynis only asks for a non-zero minimum age. Do not set PASS_MIN_DAYS to the same value as PASS_MAX_DAYS: a user could then not change a compromised password before it expires. A minimum of 1 to 7 days is enough to stop users from cycling straight back to an old password.
These values apply only to accounts created from now on. Check your own, existing account with:
chage -l <USERNAME>
Set the maximum number of days between password changes:
chage -M 365 <USERNAME>
Set the number of days of warning before the password expires:
chage -W 14 <USERNAME>
(chage -m sets the minimum age for an existing account in the same way.)
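Because login.defs governs only accounts created after the change, every existing human account has to be brought in line with chage. The script below is an added example, not part of the original post: it reads /etc/passwd-style lines and prints the chage call for each regular account, so the plan can be reviewed before it is run as root. The sample passwd lines, the UID 1000 threshold for "regular user" and the 365/7/14 values are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): turn the /etc/login.defs aging
# policy into chage calls for accounts that already exist, since login.defs
# only applies to users created after it was changed.
#
# plan_password_aging MAX_DAYS MIN_DAYS WARN_DAYS < passwd-lines
# Prints one "chage -M ... -m ... -W ... USER" line per regular account:
#   UID >= 1000 (Debian's first regular user), not "nobody", and a login shell
#   that is not nologin/false (service accounts are left alone).
# Nothing is executed; review the output, then pipe it into sh as root.
plan_password_aging() {
    awk -F: -v max="$1" -v min="$2" -v warn="$3" '
        # $1 = user name, $3 = UID, $7 = login shell
        $3 >= 1000 && $1 != "nobody" && $7 !~ /(nologin|false)$/ {
            printf "chage -M %s -m %s -W %s %s\n", max, min, warn, $1
        }'
}

# Constructed sample passwd lines for the demo (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
backup-svc:x:1001:1001::/srv/backup:/bin/false
bob:x:1002:1002::/home/bob:/bin/zsh'

# Dry run against the sample; on a real host: plan_password_aging 365 7 14 < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | plan_password_aging 365 7 14
```

The accounts it skips (system UIDs, nologin/false shells) are exactly those where password aging would only break services; for the sample input it emits chage lines for alice and bob only.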
umask
* Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] https://cisofy.com/lynis/controls/AUTH-9328/
Edit:
nano /etc/login.defs
... scroll down to:
#
# Login configuration initializations:
#
...
ERASECHAR 0177
KILLCHAR 025
#UMASK 022
UMASK 027
On Debian this value is applied through pam_umask to all logins, not just to login(1). With 027, new files are no longer world-readable by default, which can surprise shared-directory setups, so re-check anything that other users or services need to read.
firewire
* Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] https://cisofy.com/lynis/controls/STRG-1846/
Blacklist FireWire:
echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
A blacklist entry only stops the module from being loaded automatically on hardware detection; it can still be loaded explicitly with modprobe. To block that as well, add an `install firewire-core /bin/false` line to the same file, and treat the other FireWire modules (firewire-ohci, firewire-sbp2) the same way.
debsums
* Install debsums utility for the verification of packages with known good database. [PKGS-7370] https://cisofy.com/lynis/controls/PKGS-7370/
Install:
apt install debsums
Afterwards, debsums -s reports only the files whose checksums no longer match the package database; configuration files are expected to differ and are skipped unless explicitly requested.
unattended-upgrade
* Consider using a tool to automatically apply upgrades [PKGS-7420] https://cisofy.com/lynis/controls/PKGS-7420/
Install:
apt install unattended-upgrades
(The package name is plural; `apt install unattended-upgrade` fails.) Afterwards check /etc/apt/apt.conf.d/20auto-upgrades, or run dpkg-reconfigure -plow unattended-upgrades, to make sure APT::Periodic::Unattended-Upgrade is set to 1; otherwise the tool is installed but never runs.
ARP
* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] https://cisofy.com/lynis/controls/NETW-3032/
Install:
apt install arpwatch
[ x ] still open
iptables
* Check iptables rules to see which rules are currently not used [FIRE-4513] https://cisofy.com/lynis/controls/FIRE-4513/
[ x ] still open
SSH
* Consider hardening SSH configuration [SSH-7408] - Details : AllowTcpForwarding (YES --> NO) https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : ClientAliveCountMax (3 --> 2) https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : Compression (YES --> NO) https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : LogLevel (INFO --> VERBOSE) https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : MaxAuthTries (6 --> 3) https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : MaxSessions (10 --> 2) https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : Port (22 --> ) https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : TCPKeepAlive (YES --> NO) https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : X11Forwarding (YES --> NO) https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] - Details : AllowAgentForwarding (YES --> NO) https://cisofy.com/lynis/controls/SSH-7408/
Separate post: SSH configuration. Before changing anything, compare against the effective values printed by sshd -T rather than the commented-out defaults in sshd_config; Lynis reports against the effective configuration.
deleted files in use
* Check what deleted files are still in use and why. [LOGG-2190] https://cisofy.com/lynis/controls/LOGG-2190/
[ x ] still open (typically log files a daemon kept open after log rotation; lsof +L1 lists open files that have been unlinked)
Banner
* Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] https://cisofy.com/lynis/controls/BANN-7126/
* Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] https://cisofy.com/lynis/controls/BANN-7130/
Edit ...
nano /etc/ssh/sshd_config
Enable the banner:
# no default banner path
#Banner none
Banner /etc/issue.net
Lynis wants a banner in both files: /etc/issue is shown on the local console by getty, /etc/issue.net is meant for network logins. sshd prints the Banner file verbatim, so pointing it at /etc/issue.net avoids showing getty escape sequences such as \n \l to SSH clients.
Edit:
nano /etc/issue
Default content:
Debian GNU/Linux 10 \n \l
... simply appended:
********************************************************************
*                                                                  *
* This system is for the use of authorized users only. Usage of    *
* this system may be monitored and recorded by system personnel.   *
*                                                                  *
* Anyone using this system expressly consents to such monitoring   *
* and is advised that if such monitoring reveals possible          *
* evidence of criminal activity, system personnel may provide the  *
* evidence from such monitoring to law enforcement officials.      *
*                                                                  *
********************************************************************
Edit:
nano /etc/issue.net
Default content:
Debian GNU/Linux 10
... simply appended:
********************************************************************
*                                                                  *
* This system is for the use of authorized users only. Usage of    *
* this system may be monitored and recorded by system personnel.   *
*                                                                  *
* Anyone using this system expressly consents to such monitoring   *
* and is advised that if such monitoring reveals possible          *
* evidence of criminal activity, system personnel may provide the  *
* evidence from such monitoring to law enforcement officials.      *
*                                                                  *
********************************************************************
acct
* Enable process accounting [ACCT-9622] https://cisofy.com/lynis/controls/ACCT-9622/
Install:
apt install acct
(The package and service are called acct, not acc. It provides lastcomm, sa and ac for looking at the recorded commands and logins.)
sysstat
* Enable sysstat to collect accounting (disabled) [ACCT-9626] https://cisofy.com/lynis/controls/ACCT-9626/
Edit:
nano /etc/default/sysstat
#ENABLED="false"
ENABLED="true"
Optional:
nano /etc/cron.d/sysstat
Change the collection interval from every 10 minutes.
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
e.g. to every 2 minutes if needed
*/2 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
Enable sysstat:
systemctl enable sysstat
Restart sysstat:
service sysstat restart
or
/etc/init.d/sysstat restart
auditd
* Enable auditd to collect audit information [ACCT-9628] https://cisofy.com/lynis/controls/ACCT-9628/
Separate post: installing the audit daemon
ntpq
* Check ntpq peers output for unreliable ntp peers and correct/replace them [TIME-3120] https://cisofy.com/lynis/controls/TIME-3120/
[ x ] still open
certificates
* Check available certificates for expiration [CRYP-7902] https://cisofy.com/lynis/controls/CRYP-7902/
[ x ] still open (for a single file, openssl x509 -noout -enddate -in <cert> prints the expiry date)
ansible
* Determine if automation tools are present for system management [TOOL-5002] https://cisofy.com/lynis/controls/TOOL-5002/
Install:
apt install ansible
This test is informational: it only checks whether a configuration-management tool is present. Installing ansible raises the score, but the benefit only materialises if the configuration is actually managed with it.
sysctl
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>) https://cisofy.com/lynis/controls/KRNL-6000/
Edit:
nano /etc/sysctl.conf
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syncookies=1
Forwarding stays off. The Lynis default profile treats IP forwarding as something that should be disabled, and a desktop or laptop has no reason to route packets between interfaces. Following the file's comments and enabling forwarding would make the test fail, not pass; set the keys explicitly to 0 instead:
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
net.ipv4.ip_forward=0
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=0
Reload with
sysctl -p
(sysctl -p reads only /etc/sysctl.conf; sysctl --system also applies the drop-ins in /etc/sysctl.d/.)
[ x ] still open: the per-key results of KRNL-6000 are listed in /var/log/lynis.log.
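To see which keys KRNL-6000 actually complains about without re-running a full audit, the comparison Lynis makes can be reproduced with a few lines of awk. This is an added example, not code from the post or from Lynis: it reads expected values from a file in the sysctl=<key>:<expected>:... syntax used by the Lynis profiles (/etc/lynis/default.prf) and compares them with sysctl -a style output. The short profile excerpt and the "current" values below are constructed for the demo, and only the first two fields of a profile line are used.

```shell
#!/bin/sh
# Added example (not from the original post or from Lynis): re-do the KRNL-6000
# comparison by hand to see which sysctl keys differ from the profile and why.
#
# check_sysctl_profile PROFILE_FILE < current-values
#   PROFILE_FILE   lines like "sysctl=net.ipv4.ip_forward:0:1:" (Lynis profile
#                  syntax; only the key and the expected value are used here)
#   stdin          "sysctl -a" style output, one "key = value" per line
# Prints "key current expected" for each difference ("<missing>" if the kernel
# does not report the key at all) and returns the number of differences.
check_sysctl_profile() {
    awk -F'[ =]+' -v profile="$1" '
        BEGIN {
            while ((getline line < profile) > 0) {
                if (line ~ /^sysctl=/) {
                    sub(/^sysctl=/, "", line)
                    split(line, f, ":")
                    expected[f[1]] = f[2]
                }
            }
            close(profile)
        }
        # "net.ipv4.ip_forward = 1" splits into $1 = key, $2 = value
        NF >= 2 && ($1 in expected) {
            seen[$1] = 1
            if ($2 != expected[$1]) {
                printf "%s %s %s\n", $1, $2, expected[$1]
                mismatches++
            }
        }
        END {
            for (k in expected)
                if (!(k in seen)) {
                    printf "%s <missing> %s\n", k, expected[k]
                    mismatches++
                }
            exit mismatches + 0
        }'
}

# Constructed demo data (not taken from a real host): a profile excerpt and the
# "current" values of a host that has forwarding switched on.
SAMPLE_PROFILE="$(mktemp)"
cat > "$SAMPLE_PROFILE" <<'EOF'
# profile excerpt in Lynis default.prf syntax
sysctl=net.ipv4.ip_forward:0:1:
sysctl=net.ipv4.tcp_syncookies:1:1:
sysctl=net.ipv6.conf.all.forwarding:0:1:
sysctl=kernel.yama.ptrace_scope:1:1:
EOF
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.forwarding = 1
kernel.sysrq = 438'

# Demo run; on a real host: sysctl -a 2>/dev/null | check_sysctl_profile /etc/lynis/default.prf
rc=0
printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctl_profile "$SAMPLE_PROFILE" || rc=$?
echo "differences: $rc"
```

For the sample data this reports the two forwarding keys (current 1, expected 0) and kernel.yama.ptrace_scope as missing, i.e. three differences; a key the kernel does not expose at all is worth knowing about separately, because no sysctl setting will ever fix it.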
compilers
* Harden compilers like restricting access to root user only [HRDN-7222] https://cisofy.com/lynis/controls/HRDN-7222/
[ x ] still open (the usual approach is to restrict the compiler binaries such as gcc and cc to root with mode 0700, or to remove build-essential on hosts that never need to compile anything)
Apache
* Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
https://cisofy.com/lynis/controls/HTTP-6640/
apt install libapache2-mod-evasive
a2enmod evasive
apachectl -M | grep evasive
(The Apache module is called evasive, so a2enmod evasive rather than a2enmod mod-evasive; the last command confirms that evasive20_module is loaded.)
* Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
https://cisofy.com/lynis/controls/HTTP-6643/
apt install libapache2-mod-security2
/etc/init.d/apache2 restart
apt-cache show libapache2-mod-security2
Configure ModSecurity:
cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
The recommended configuration starts with SecRuleEngine DetectionOnly, so nothing is blocked yet; requests are only logged to /var/log/apache2/modsec_audit.log. Watch that log for false positives first, then switch to SecRuleEngine On and restart Apache. ModSecurity itself ships without rules; the OWASP Core Rule Set (package modsecurity-crs) supplies them.
# Start
Lynis security scan details:
Hardening index : 74 [############## ]
Tests performed : 238
- After installing:
- libpam-cracklib
- debsums
- unattended-upgrades
- arpwatch (not conclusively solved yet)
- ansible
- auditd
- acct
- and applying the settings for:
- SSH
- umask
- Banner
- sysstat (not conclusively solved yet)
- sysctl
- firewire
- updatedb
Suggestions (8):
Hardening index : 88 [################# ]
Tests performed : 245
To write the report to a file:
lynis audit system >> /home/<USERNAME>/<FOLDER>/lynis-results.txt
Add --no-colors when redirecting, otherwise the file is littered with terminal colour codes. Lynis also writes /var/log/lynis.log and the machine-readable /var/log/lynis-report.dat on every run.
Thanks to some of the many sources read:
- //cisofy.com/documentation/lynis/
- //outhereinthefield.wordpress.com/2019/02/13/fail2ban-ufw-and-sshd-with-custom-port-on-ubuntu/
- //www.cyberciti.biz/faq/securing-passwords-libpam-cracklib-on-debian-ubuntu-linux/
- //dev.to/lestephane/sanity-checking-debian-1-2f4g
- //serverfault.com/questions/922235/what-is-the-difference-between-etc-issue-net-and-etc-issue
- //www.leonardoborda.com/blog/how-to-configure-sysstatsar-on-ubuntudebian/
- //www.cyberciti.biz/tips/linux-security.html
- //www.howtoforge.com/linux-chage-command/
- //www.tecmint.com/how-to-monitor-user-activity-with-psacct-or-acct-tools/
- //elatov.github.io/2017/06/install-lynis-and-fix-some-suggestions/
- //www.digitalocean.com/community/tutorials/how-to-write-custom-system-audit-rules-on-centos-7
- //gist.github.com/Neo23x0/9fe88c0c5979e017a389b90fd19ddfee
- //linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/
- //help.ubuntu.com/community/OpenSSL
- //www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-debian-9
- //phoenixnap.com/kb/setup-configure-modsecurity-on-apache