Lynis - system security audit


Continuing the topic of checking system security, I decided to try the Lynis utility. While it runs, it audits the system, checking both the system itself and its configuration files. When the check finishes, it prints a report that also includes an overall score for the system, warnings and suggestions...

Time to put all this into practice. The test bench is the same:

# uname -v

FreeBSD 7.0-RELEASE-p3 #0: Mon Aug  4 13:49:40 EEST 2008     root@arey.local:/usr/obj/usr/src/sys/AREY

Let's install lynis from the ports system:

# cd /usr/ports/security/lynis && make install clean && rehash

The utility's capabilities are as follows (use the -h option to print a short help summary):

[+] Initializing program
------------------------------------
  Valid parameters:
    --auditor "<name>"            : Auditor name
    --check-all (-c)              : Check system
    --check-update                : Check for updates
    --no-colors                   : Don't use colors in output
    --no-log                      : Don't create a log file
    --profile <profile>           : Scan the system with the given profile file
    --quick (-Q)                  : Quick mode, don't wait for user input
    --quiet (-q)                  : No output, except warnings
    --reverse-colors              : Optimize color display for light backgrounds
    --tests "<tests>"             : Run only tests defined by <tests>
    --tests-category "<category>" : Run only tests defined by <category>
    --view-manpage (--man)        : View man page
    --version (-V)                : Display version number and quit
  See man page and documentation for all available options.

For a more detailed description of the available options, see man lynis.

Let's run a full system check in non-interactive mode (-Q; otherwise, after each block of checks you have to confirm the action from the keyboard):

# lynis -c -Q

When the scan finishes, study the report carefully. Ideally, fix all the Warnings first and, as far as possible, follow the recommendations in the Suggestions section. I was also pleased by the Hardening index value, which shows the server's level of protection as a number.

In my case the scan result was the following:

================================================================================
 
  -[ Lynis 1.2.9 Results ]-
 
  Tests performed: 136
  Warnings:
  ----------------------------
   - [00:25:16] Warning: Found one or more zombie processes (38686) [test:PROC-3612] [impact:L]
   - [00:25:16] Warning: Multiple users with UID 0 found in passwd file [test:AUTH-9204] [impact:H]
   - [00:25:16] Warning: Multiple accounts found with same UID [test:AUTH-9208] [impact:H]
   - [00:25:16] Warning: Possible harmful shell found (for passwordless account!) [test:AUTH-9218] [impact:H]
   - [00:25:16] Warning: Found unprotected console in /etc/ttys [test:SHLL-6202] [impact:M]
   - [00:25:33] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
   - [00:25:34] Warning: Found one or more stratum 16 peers [test:TIME-3116] [impact:L]
 
  Suggestions:
  ----------------------------
   - [00:25:14] Suggestion: update to the latest stable release.
   - [00:25:16] Suggestion: Check the output of ps for dead or zombie processes [test:PROC-3612]
   - [00:25:16] Suggestion: Use vipw to delete the 'toor' user if not used. [test:AUTH-9204]
   - [00:25:16] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
   - [00:25:16] Suggestion: Change the console line from 'secure' to 'insecure'. [test:SHLL-6202]
   - [00:25:16] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
   - [00:25:32] Suggestion: Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD. [test:PKGS-7348]
   - [00:25:32] Suggestion:  [test:Install portaudit from the ports collection to query outdated (vulnerable) packages.]
   - [00:25:32] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
   - [00:25:33] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
   - [00:25:33] Suggestion: Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP [test:PHP-2374]
   - [00:25:33] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376]
   - [00:25:33] Suggestion: Enable logging to an external logging host for archiving purposes and additional protection [test:LOGG-2154]
   - [00:25:33] Suggestion: Add legal banner to /etc/motd, to warn unauthorized users [test:BANN-7122]
   - [00:25:34] Suggestion: Check ntpq peers output [test:TIME-3116]
   - [00:25:34] Suggestion: Check ntpq peers output for time source candidates [test:TIME-3128]
   - [00:25:34] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
================================================================================
  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
================================================================================
  Notice: Lynis update available
  Current version : 129    Latest version : 130
================================================================================
  Hardening index : [54]     [##########          ]
================================================================================
 

Looks like it's time to work on the security of this server...
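Since the post recommends fixing Warnings before Suggestions, here is an added example (not from the post and not part of Lynis) that triages the plain-text report that `lynis -c -Q` prints: it pulls out the Warning lines, orders them High, Medium, Low by their `[impact:X]` tag, and reads the Hardening index. The sample input is constructed from the report above; the `[test:ID] [impact:X]` line layout is assumed to be the one Lynis 1.2.9 uses.

```shell
#!/bin/sh
# Added example, not Lynis code. Constructed sample built from the report shown
# above; the "[test:ID] [impact:X]" layout is assumed from that output.
SAMPLE_REPORT='   - [00:25:16] Warning: Found one or more zombie processes (38686) [test:PROC-3612] [impact:L]
   - [00:25:16] Warning: Multiple users with UID 0 found in passwd file [test:AUTH-9204] [impact:H]
   - [00:25:16] Warning: Found unprotected console in /etc/ttys [test:SHLL-6202] [impact:M]
   - [00:25:33] Warning: PHP option expose_php is possibly turned on [test:PHP-2372] [impact:M]
   - [00:25:16] Suggestion: Use vipw to delete the toor user if not used. [test:AUTH-9204]
  Hardening index : [54]     [##########          ]'

# Warnings only, rewritten as "IMPACT TEST-ID message", High first, then Medium, then Low.
# Suggestion lines carry no impact tag and are skipped by the sed pattern.
triage_warnings() {
    printf '%s\n' "$1" |
    sed -n 's/.*Warning: \(.*\) \[test:\([^]]*\)\] \[impact:\([HML]\)\].*/\3 \2 \1/p' |
    awk '{ rank = ($1 == "H") ? 0 : ($1 == "M") ? 1 : 2; print rank, $0 }' |
    sort -n | cut -d' ' -f2-
}

# Number of warnings with the given impact letter (H, M or L).
count_impact() {
    triage_warnings "$1" | awk -v want="$2" '$1 == want { n++ } END { print n + 0 }'
}

# The numeric Hardening index from the summary block (54 for the report above).
hardening_index() {
    printf '%s\n' "$1" | sed -n 's/.*Hardening index : \[\([0-9]*\)\].*/\1/p'
}

# Against a real run: lynis -c -Q --no-colors > /tmp/lynis.txt; triage_warnings "$(cat /tmp/lynis.txt)"
triage_warnings "$SAMPLE_REPORT"
printf 'Hardening index: %s\n' "$(hardening_index "$SAMPLE_REPORT")"
```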

In summary, I can say that lynis turned out to be a useful and interesting tool. It is definitely worth adopting and using in everyday work.
