Lynis : Install (2019/12/17)
Install Lynis, a security auditing and hardening tool for Linux and other UNIX-like systems. It runs a series of local checks (no agent, no network access required) and reports warnings and suggestions per test.
[1] Install Lynis.

# install from EPEL
[root@dlp ~]# dnf --enablerepo=epel -y install lynis
[2] Basic usage of Lynis.
# run like follows for initial scanning
[root@dlp ~]# lynis audit system

[ Lynis 2.7.5 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2019, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Checking profiles...                                      [ DONE ]

  ---------------------------------------------------
  Program version:           2.7.5
  Operating system:          Linux
  Operating system name:     CentOS
  Operating system version:  CentOS Linux release 8.0.1905 (Core)
  Kernel version:            4.18.0
  Hardware platform:         x86_64
  Hostname:                  dlp
  ---------------------------------------------------
  Profiles:                  /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /usr/share/lynis/plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Language:                  en
  Test category:             all
  Test group:                all
.....
.....
  Lynis security scan details:

  Hardening index : 64 [############        ]
  Tests performed : 215
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

  Lynis 2.7.5

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2019, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

================================================================================

  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
[3] The machine-readable scan result is saved in [/var/log/lynis-report.dat] (the human-readable log with per-test debug output is /var/log/lynis.log). Each finding is one line of the form [warning[]=TEST-ID|text|details|solution|] or [suggestion[]=TEST-ID|...], so searching the file for lines starting with [warning] or [suggestion] lists the recommended settings as follows. The test ID at the start of each line (for example SSH-7408) can be looked up with [lynis show details SSH-7408] to see what the test checked and why. Warnings are findings Lynis considers a real weakness (here: iptables loaded with no active rules); suggestions are hardening opportunities to review against the role of the host rather than apply blindly.
[root@dlp ~]# grep -E "^warning|^suggestion" /var/log/lynis-report.dat

suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separate partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separate partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separate partition|-|-|
suggestion[]=STRG-1840|Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft|-|-|
suggestion[]=STRG-1846|Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft|-|-|
suggestion[]=NAME-4404|Add the IP name and FQDN to /etc/hosts for proper name resolving|-|-|
suggestion[]=PKGS-7420|Consider using a tool to automatically apply upgrades|-|-|
suggestion[]=NETW-3032|Consider running ARP monitoring software (arpwatch,arpon)|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|ClientAliveCountMax (3 --> 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|Compression (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|LogLevel (INFO --> VERBOSE)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 3)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxSessions (10 --> 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> (NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (22 --> )|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|TCPKeepAlive (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowAgentForwarding (YES --> NO)|-|
suggestion[]=BANN-7126|Add a legal banner to /etc/issue, to warn unauthorized users|-|-|
suggestion[]=BANN-7130|Add legal banner to /etc/issue.net, to warn unauthorized users|-|-|
suggestion[]=ACCT-9622|Enable process accounting|-|-|
suggestion[]=ACCT-9626|Enable sysstat to collect accounting (no results)|-|-|
suggestion[]=ACCT-9630|Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules|-|-|
suggestion[]=FINT-4350|Install a file integrity tool to monitor changes to critical and sensitive files|-|-|
suggestion[]=TOOL-5002|Determine if automation tools are present for system management|-|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked||Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)|
suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner, to perform periodic file system scans|-|Install a tool like rkhunter, chkrootkit, OSSEC|
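The report lines above follow a fixed layout, kind[]=TEST-ID|text|details|solution|, with "-" for an empty field. The POSIX shell script below is an added example, not part of the original page and not Lynis's own code: it parses a report file in that layout into a findings list sorted by test ID, reads the hardening_index line, and exits non-zero when any warning is present or the index is below a threshold, which is what you would hang off a cron job or a CI step after [lynis audit system --quiet]. The sample report it writes is constructed for the example; the function names (lynis_count, lynis_findings, lynis_gate) and the threshold of 70 are the example's own choices. Note the PermitRootLogin suggestion above, whose details field itself contains "|" characters: the parser takes the details as everything between the text field and the solution field instead of assuming exactly four fields, so that line is not mangled.

```shell
#!/bin/sh
# Added example (not from the original page, not Lynis's own code):
# triage /var/log/lynis-report.dat and gate on warnings / hardening index.

# Count findings of one kind ("warning" or "suggestion") in a report file.
lynis_count() {
    kind=$1; report=$2
    grep -c "^${kind}\[\]=" "$report" || true   # grep -c exits 1 on zero matches
}

# Print the hardening index (0-100) recorded in the report, or 0 if absent.
lynis_hardening_index() {
    idx=$(sed -n 's/^hardening_index=//p' "$1" | head -n 1)
    echo "${idx:-0}"
}

# Print "ID<TAB>text[<TAB>details][<TAB>solution]" for each finding of a kind,
# sorted by test ID so related findings (all SSH-7408 lines) sit together.
lynis_findings() {
    awk -F'|' -v kind="$1" '
        index($0, kind "[]=") == 1 {
            id   = substr($1, length(kind) + 4)   # skip the "kind[]=" key
            text = $2
            # details may contain "|" (PermitRootLogin alternatives), so join
            # every field between the text and the solution field back together
            details = $3
            for (i = 4; i <= NF - 2; i++) details = details "|" $i
            solution = (NF >= 5) ? $(NF - 1) : "-"
            out = id "\t" text
            if (details  != "-" && details  != "") out = out "\t" details
            if (solution != "-" && solution != "") out = out "\t" solution
            print out
        }' "$2" | sort
}

# Gate: succeed only if the report has no warnings and the hardening index
# is at least the threshold (default 70, an arbitrary choice for this example).
lynis_gate() {
    report=$1; threshold=${2:-70}
    warnings=$(lynis_count warning "$report")
    idx=$(lynis_hardening_index "$report")
    [ "$warnings" -eq 0 ] && [ "$idx" -ge "$threshold" ]
}

# Constructed sample report in the layout shown on the page (not a real scan).
LYNIS_SAMPLE=$(mktemp)
cat > "$LYNIS_SAMPLE" <<'EOF'
# Lynis Report
report_version_major=1
hardening_index=64
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 3)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> (NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))|-|
suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner, to perform periodic file system scans|-|Install a tool like rkhunter, chkrootkit, OSSEC|
EOF

echo "hardening index : $(lynis_hardening_index "$LYNIS_SAMPLE")"
echo "warnings        : $(lynis_count warning "$LYNIS_SAMPLE")"
echo "suggestions     : $(lynis_count suggestion "$LYNIS_SAMPLE")"
echo "--- warnings ---";    lynis_findings warning    "$LYNIS_SAMPLE"
echo "--- suggestions ---"; lynis_findings suggestion "$LYNIS_SAMPLE"
if lynis_gate "$LYNIS_SAMPLE" 70; then
    echo "GATE: pass"
else
    echo "GATE: fail (warnings present or hardening index below threshold)"
fi
```

On a real host replace the constructed sample with /var/log/lynis-report.dat (readable only by root by default). The gate treats any warning as a failure; suggestions are reported but not gated on, because several of them (separate partitions, changing the SSH port, disabling USB storage) are judgement calls that depend on the host's role.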