Resolving Lynis suggestions

Checking and hardening your own Debian/Linux system.

Lynis

Auditing, system hardening, compliance testing

A security tool for systems running Linux, macOS or Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing.

https://cisofy.com/lynis/

Installation via

apt install lynis

or manually:

wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -

apt install apt-transport-https

echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list

apt install lynis

Testing your own system

lynis audit system


The first analysis after setting up the desktop

  Great, no warnings

  Suggestions (31)
  Lynis security scan details:

  Hardening index : 74 [##############      ]
  Tests performed : 238

Tested with Lynis v2.7.5, without plugins (Download)

-

GRUB password

  * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
      https://cisofy.com/lynis/controls/BOOT-5122/

[ x ] Ignored if you do not want to enter a password after every reboot on a laptop used as a desktop.


Additional suggestions that appeared after many changes...

locate

  * The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410] 
      https://cisofy.com/lynis/controls/FILE-6410/

Run:

updatedb


password strength

  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] 
      https://cisofy.com/lynis/controls/AUTH-9262/

Install:

apt install libpam-cracklib


password age

  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/
  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/

Edit:

nano /etc/login.defs
#PASS_MAX_DAYS 99999
PASS_MAX_DAYS 365
#PASS_MIN_DAYS 0
PASS_MIN_DAYS 365
# Note: PASS_MIN_DAYS is the minimum number of days between two password changes.
# A value equal to PASS_MAX_DAYS blocks every earlier change (for example after a
# suspected compromise); a small value such as 1 is the usual choice.
PASS_WARN_AGE 14

Check your own account with:

chage -l <USERNAME>

Set the maximum number of days between password changes

chage -M 365 <USERNAME>

Set the number of days of warning before the password expires

chage -W 14 <USERNAME>


umask

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] 
      https://cisofy.com/lynis/controls/AUTH-9328/

Edit:

nano /etc/login.defs

... scroll down to:

#
# Login configuration initializations:
#
...
...
...
#
ERASECHAR 0177
KILLCHAR 025
#UMASK 022
UMASK 027
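An added check for the two login.defs edits above (password age and umask); this is example code written for this post, not part of the original, and it assumes a login.defs-style file path as its argument. It reads values the way login/useradd do (last uncommented line wins) and flags a minimum age that is not below the maximum, which would stop users from ever changing a password early.

```shell
#!/bin/sh
# Added example (not from the original post): read effective /etc/login.defs
# values and sanity-check the AUTH-9286 (password age) and AUTH-9328 (umask)
# settings. Assumes POSIX sh and awk.

# logindefs_get FILE KEY -> prints the effective value, empty if unset
logindefs_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || NF < 2 { next }         # skip comments and blank lines
        toupper($1) == toupper(k) { v = $2 }  # later lines override earlier ones
        END { print v }
    ' "$1"
}

# check_logindefs FILE -> exit 0 if sane, 1 otherwise; one finding per line
check_logindefs() {
    f=$1 rc=0
    max=$(logindefs_get "$f" PASS_MAX_DAYS)
    min=$(logindefs_get "$f" PASS_MIN_DAYS)
    warn=$(logindefs_get "$f" PASS_WARN_AGE)
    um=$(logindefs_get "$f" UMASK)
    # AUTH-9286: a maximum age must be set; 99999 means the password never expires
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo "PASS_MAX_DAYS not set or 99999: passwords never expire"; rc=1
    fi
    # a minimum age at or above the maximum blocks every voluntary change
    if [ -n "$min" ] && [ -n "$max" ] && [ "$min" -ge "$max" ]; then
        echo "PASS_MIN_DAYS ($min) >= PASS_MAX_DAYS ($max): no early password change possible"; rc=1
    fi
    if [ -n "$warn" ] && [ -n "$max" ] && [ "$warn" -ge "$max" ]; then
        echo "PASS_WARN_AGE ($warn) >= PASS_MAX_DAYS ($max): warning window is meaningless"; rc=1
    fi
    # AUTH-9328: 027 removes write for group and all access for others
    case "$um" in
        027|077) ;;
        *) echo "UMASK is '${um:-unset}', expected 027 (or 077)"; rc=1 ;;
    esac
    return $rc
}

# usage: check_logindefs /etc/login.defs
```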


firewire

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
      https://cisofy.com/lynis/controls/STRG-1846/

Blacklist FireWire

echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf


debsums

  * Install debsums utility for the verification of packages with known good database. [PKGS-7370]
      https://cisofy.com/lynis/controls/PKGS-7370/

Install:

apt install debsums


unattended-upgrades

  * Consider using a tool to automatically apply upgrades [PKGS-7420]
      https://cisofy.com/lynis/controls/PKGS-7420/

Install (the Debian package is called unattended-upgrades):

apt install unattended-upgrades


ARP

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
      https://cisofy.com/lynis/controls/NETW-3032/

Install:

apt install arpwatch

[ x ] still open


iptables

  * Check iptables rules to see which rules are currently not used [FIRE-4513] 
      https://cisofy.com/lynis/controls/FIRE-4513/

[ x ] still open


SSH

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowTcpForwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : ClientAliveCountMax (3 --> 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : LogLevel (INFO --> VERBOSE)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxAuthTries (6 --> 3)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxSessions (10 --> 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Port (22 --> )
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : TCPKeepAlive (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : X11Forwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowAgentForwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

Separate post for: SSH configuration
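The SSH-7408 details above map directly onto sshd_config directives. The following is an added example (not code from the original post or from Lynis) that sets each directive in place, replacing an active or commented-out line or appending one, and keeps new lines above any "Match" block, since sshd applies directives after the first "Match" only conditionally. It assumes POSIX sh and awk and is run as root on /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the SSH-7408 values from
# the Lynis report to an sshd_config file and read them back. Assumes POSIX sh/awk.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        function emit() { if (!done) { print k " " v; done = 1 } }
        tolower($1) == "match" && !in_match { emit(); in_match = 1 }
        in_match { print; next }                      # leave Match blocks untouched
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t]+/) }
        tolower(f[1]) == tolower(k) { emit(); next }  # active or commented copy: replace once
        { print }
        END { emit() }                                # not present at all: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file"        # cat keeps the file owner and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY -> effective global value (last active line before any Match)
get_sshd_option() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { v = $2 }
        END { print v }
    ' "$1"
}

# harden_sshd FILE: the SSH-7408 details from the Lynis report above
harden_sshd() {
    f=$1
    set_sshd_option "$f" AllowTcpForwarding no
    set_sshd_option "$f" ClientAliveCountMax 2
    set_sshd_option "$f" Compression no
    set_sshd_option "$f" LogLevel VERBOSE
    set_sshd_option "$f" MaxAuthTries 3
    set_sshd_option "$f" MaxSessions 2
    set_sshd_option "$f" TCPKeepAlive no
    set_sshd_option "$f" X11Forwarding no
    set_sshd_option "$f" AllowAgentForwarding no
}

# usage (as root): harden_sshd /etc/ssh/sshd_config && sshd -t && systemctl reload ssh
```

Always run `sshd -t` before reloading, and keep an existing session open until a fresh login has been confirmed.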


  * Check what deleted files are still in use and why. [LOGG-2190] 
      https://cisofy.com/lynis/controls/LOGG-2190/

[ x ] still open


Banner

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
      https://cisofy.com/lynis/controls/BANN-7126/
  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
      https://cisofy.com/lynis/controls/BANN-7130/

edit ...

nano /etc/ssh/sshd_config

Enable the banner

# no default banner path
#Banner none
Banner /etc/issue

edit:

nano /etc/issue

Default content:

Debian GNU/Linux 10 \n \l

... simply appended:

********************************************************************
*                                                                  *
* This system is for the use of authorized users only.  Usage of   *
* this system may be monitored and recorded by system personnel.   *
*                                                                  *
* Anyone using this system expressly consents to such monitoring   *
* and is advised that if such monitoring reveals possible          *
* evidence of criminal activity, system personnel may provide the  *
* evidence from such monitoring to law enforcement officials.      *
*                                                                  *
********************************************************************

edit:

nano /etc/issue.net

Default content:

Debian GNU/Linux 10

... simply appended:

********************************************************************
*                                                                  *
* This system is for the use of authorized users only.  Usage of   *
* this system may be monitored and recorded by system personnel.   *
*                                                                  *
* Anyone using this system expressly consents to such monitoring   *
* and is advised that if such monitoring reveals possible          *
* evidence of criminal activity, system personnel may provide the  *
* evidence from such monitoring to law enforcement officials.      *
*                                                                  *
********************************************************************

https://wiki.centos.org/TipsAndTricks/BannerFiles


acct

  * Enable process accounting [ACCT-9622] 
      https://cisofy.com/lynis/controls/ACCT-9622/

Install (the process accounting package is called acct):

apt install acct


sysstat

  * Enable sysstat to collect accounting (disabled) [ACCT-9626] 
      https://cisofy.com/lynis/controls/ACCT-9626/

edit:

nano /etc/default/sysstat
#ENABLED="false"
ENABLED="true"

Optional:

nano /etc/cron.d/sysstat

Change the collection interval from every 10 minutes.

5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1

e.g. to every 2 minutes if needed

*/2 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1

Enable sysstat at boot

systemctl enable sysstat

Restart sysstat

service sysstat restart

or

/etc/init.d/sysstat restart


auditd

  * Enable auditd to collect audit information [ACCT-9628] 
      https://cisofy.com/lynis/controls/ACCT-9628/

Separate post for: installing the audit daemon


ntpq

  * Check ntpq peers output for unreliable ntp peers and correct/replace them [TIME-3120] 
      https://cisofy.com/lynis/controls/TIME-3120/

[ x ] still open


certificates

  * Check available certificates for expiration [CRYP-7902] 
      https://cisofy.com/lynis/controls/CRYP-7902/

[ x ] still open


ansible

  * Determine if automation tools are present for system management [TOOL-5002] 
      https://cisofy.com/lynis/controls/TOOL-5002/

Install:

apt install ansible


sysctl

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
      https://cisofy.com/lynis/controls/KRNL-6000/

edit:

nano /etc/sysctl.conf
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
# Note: forwarding turns the host into a router; the Lynis default profile
# expects 0 here unless the machine really routes traffic for others
#net.ipv4.ip_forward=1
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
# (same caveat as for IPv4: only needed on a router)
#net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1

reload with

sysctl -p

[ x ] still open


compilers

  * Harden compilers like restricting access to root user only [HRDN-7222]
      https://cisofy.com/lynis/controls/HRDN-7222/

[ x ] still open


Apache

  * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
      https://cisofy.com/lynis/controls/HTTP-6640/
  • apt install libapache2-mod-evasive
  • a2enmod evasive    (the module is registered as "evasive", not "mod-evasive")
  • apachectl -M | grep evasive

  * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
      https://cisofy.com/lynis/controls/HTTP-6643/
  • apt install libapache2-mod-security2
  • /etc/init.d/apache2 restart
  • apt-cache show libapache2-mod-security2

Configure ModSecurity

cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf


# Start

  Lynis security scan details:
  Hardening index : 74 [##############      ]
  Tests performed : 238

  • After installing:
    • libpam-cracklib
    • debsums
    • unattended-upgrades
    • arpwatch (not fully resolved yet)
    • ansible
    • auditd
    • acct
  • and applying the settings for:
    • SSH
    • UMASK
    • Banner
    • sysstat (not fully resolved yet)
    • sysctl
    • firewire
    • updatedb
  Suggestions (8):
  Hardening index : 88 [#################   ]
  Tests performed : 245

To write the report to a file:

lynis audit system >> /home/<USERNAME>/<FOLDER>/lynis-results.txt


Thanks to some of the many sources read:
