Archivo

Archive for the ‘Seguridad’ Category

Lynis: Found one or more vulnerable packages. [PKGS-7392]

21 agosto, 2015 Deja un comentario

El primer problema que debemos resolver es actualizar todo nuestro sistema, debemos recordar que un sistema operativo no es mas que un conjunto de aplicaciones que hacen un todo, así cada aplicación puede presentar problemas de seguridad o de estabilidad, por lo tanto lo primero que siempre debemos resolver es este pequeño inconveniente.

Normalmente al ejecutar por primera vez lynis, tendrás advertencias de 2 tipos

  • Warnings.
  • Suggestions.

Los Warnings son acciones que debemos realizar lo mas pronto posible, las Suggestionsson solo sugerencias que nos ayudaran a mejorar nuestra seguridad y estabilidad de nuestro sistema integralmente, ojo, no todas las sugerencias son aplicables en todos los casos donde tendremos un servidor instalado, por ejemplo, casos como:


To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]

No son aplicables a nuestro caso de estudio, por que estaremos trabajando sobre una VM estándar de Ubuntu sobre ec2, asi  al momento de crear la imagen, no controlamos estas opciones, sin embargo, mas adelante explicaremos como realizar este proceso, aunque es algo que debe realizarse al momento de la instalación del Sistema Operativo, normalmente esto es útil para quien tiene servidores dedicados o físicos.

Siguiendo entonces con la vulnerabilidad que debemos atacar, hoy:


Fix: Found one or more vulnerable packages. [PKGS-7392]

Los repositorios de Ubuntu están separados en 4 áreas o componentes, estas de acuerdo al nivel de soporte ofrecido por Ubuntu y si este paquete en cuestión cumple con la filosofía de Software de Ubuntu.

Estos 4 componentes son:

  • Main – Soporte Oficial de ubuntu.
  • Restricted – Soporte oficial, pero no necesariamente este software esta bajo una licencia libre.
  • Universe – Paquetes mantenidos por la comunidad. No tienen soporte oficial.
  • Multiverse – Este software no es libre.

Cada componente tiende a ofrecernos 2 rutas, una de los paquetes listos para instalación y otros para descargar las fuentes, sin embargo en nuestro servidor muy rara vez necesitaremos descargar las fuentes de algún paquete, así que en este caso solo dejaremos los repositorios de paquetes no los de sources.

Ademas, es una muy buena practica tener el servidor de repositorios que nos ofrezca una conexión realmente rápida, por lo que en muchos casos recomiendo que usen:

mirror://mirrors.ubuntu.com/mirrors.txt

Con este repositorio tendran siempre el servidor mas cercano o de mejor ping a la ubicacion de su equipo, ya con todo esto
nuestro source.list debe verse algo asi:

deb mirror://mirrors.ubuntu.com/mirrors.txt trusty main universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-updates main universe multiverse
deb mirror://mirrors.ubuntu.com/mirrors.txt trusty-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main universe multiverse
deb http://archive.canonical.com/ubuntu trusty partner

Luego de esto, realizamos una actualizacion de todo nuestro sistema, podria tardar esto unos minutos.

Ya con esto tendremos solucionado el item: PKGS-7392 de lynis, sin embargo no debemos quedarnos solo con esto, hay un par de cosas que podremos hacer para mejorar el rendimiento de nuestro equipo.

#Actualizaciones automáticas de seguridad

Quizás quieras tener actualizaciones seguridad automáticas de sistema, En la mayoría de las distribuciones de Linux esto es posible.

Atención: Actualizaciones automáticas pueden ser una pesadilla si no se saben manejar bien, sin embargo no hablo de actualizar todo
el sistema operativo, solo las actualizaciones de seguridad, en ciertos casos donde manejas un numero alto de servidores, el mantenerlos
actualizados puede ser un gran dolor de cabeza, así dejamos pasar muchas actualizaciones de seguridad importantes. Al menos en mi
experiencia, tener SOLO las actualizaciones de seguridad de manera automática, puede ser una opción muy validad e importante.

Si deseas habilitar las actualizaciones automáticas, lo primero es asegurarte que tienes instalado unattended-upgrades:

sudo apt-get install -y unattended-upgrades

Luego Actualizar /etc/apt/apt.conf.d/50unattended-upgrades . El numero que esta delante de “unattended-upgrades” puede variar.
Justo aqui asegurate que ${distro_id}:${distro_codename}-security”; este habilitado. Debemos tener algo como esto:

Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};

En este archivo existen muchas opciones de configuración, desde enviar un correo de notificación cada al ejecutar una actualización, realizar reinicios
automáticos si la actualización así lo requiere. Tras realizar esto, debemos reiniciar nuestro servidor ya que nos aparece un nuevo warning

- Reboot of system is most likely needed [KRNL-5830]

Tras realizar un reboot tenemos ya un indice de linys de 66

[ Lynis 2.1.1 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See the LICENSE file for details about using this software.

 Copyright 2007-2015 - CISOfy, https://cisofy.com
 Enterprise support and plugins available via CISOfy
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]

  ---------------------------------------------------
  Program version:           2.1.1
  Operating system:          Linux
  Operating system name:     Ubuntu
  Operating system version:  14.04
  Kernel version:            3.13.0
  Hardware platform:         x86_64
  Hostname:                  ip-172-31-51-20
  Auditor:                   [Unknown]
  Profile:                   ./default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          ./plugins
  ---------------------------------------------------
  - Checking profile file (./default.prf)...
  - Program update status...                                  [ NO UPDATE ]

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
 Note: plugins have more extensive tests, which may take a few minutes to complete

  - Plugins enabled                                           [ NONE ]

[+] Boot and services
------------------------------------
  - Service Manager                                           [ UNKNOWN ]
    - Checking presence GRUB                                  [ OK ]
    - Checking presence GRUB2                                 [ FOUND ]
    - Checking for password protection                        [ WARNING ]
  - Check services at startup (rc2.d)                         [ DONE ]
    Result: found 9 services
  - Check startup files (permissions)                         [ OK ]

[+] Kernel
------------------------------------
  - Checking default run level                                [ RUNLEVEL 2 ]
  - Checking CPU support (NX/PAE)
    CPU support: PAE and/or NoeXecute supported               [ FOUND ]
  - Checking kernel version and release                       [ DONE ]
  - Checking kernel type                                      [ DONE ]
  - Checking loaded kernel modules                            [ DONE ]
      Found 19 active modules
  - Checking Linux kernel configuration file                  [ FOUND ]
  - Checking default I/O kernel scheduler                     [ FOUND ]
  - Checking for available kernel update                      [ OK ]
  - Checking core dumps configuration                         [ DISABLED ]
    - Checking setuid core dumps configuration                [ PROTECTED ]
  - Check if reboot is needed                                 [ NO ]

[+] Memory and processes
------------------------------------
  - Checking /proc/meminfo                                    [ FOUND ]
  - Searching for dead/zombie processes                       [ OK ]
  - Searching for IO waiting processes                        [ OK ]

[+] Users, Groups and Authentication
------------------------------------
  - Search administrator accounts                             [ OK ]
  - Checking for non-unique UIDs                              [ OK ]
  - Checking consistency of group files (grpck)               [ OK ]
  - Checking non unique group ID's                            [ OK ]
  - Checking non unique group names                           [ OK ]
  - Checking password file consistency                        [ OK ]
  - Query system users (non daemons)                          [ DONE ]
  - Checking NIS+ authentication support                      [ NOT ENABLED ]
  - Checking NIS authentication support                       [ NOT ENABLED ]
  - Checking sudoers file                                     [ FOUND ]
    - Check sudoers file permissions                          [ OK ]
  - Checking PAM password strength tools                      [ SUGGESTION ]
  - Checking PAM configuration files (pam.conf)               [ FOUND ]
  - Checking PAM configuration files (pam.d)                  [ FOUND ]
  - Checking PAM modules                                      [ FOUND ]
  - Checking LDAP module in PAM                               [ NOT FOUND ]
  - Checking accounts without expire date                     [ OK ]
  - Checking accounts without password                        [ OK ]
  - Checking user password aging                              [ DISABLED ]
  - Determining default umask
    - Checking umask (/etc/profile)                           [ OK ]
    - Checking umask (/etc/login.defs)                        [ SUGGESTION ]
    - Checking umask (/etc/init.d/rc)                         [ SUGGESTION ]
  - Checking LDAP authentication support                      [ NOT ENABLED ]

[+] Shells
------------------------------------
  - Checking shells from /etc/shells
    Result: found 6 shells (valid shells: 6).
    - Session timeout settings/tools                          [ NONE ]

[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point                              [ SUGGESTION ]
    - Checking /tmp mount point                               [ SUGGESTION ]
    - Checking /var mount point                               [ SUGGESTION ]
  - Querying FFS/UFS mount points (fstab)                     [ NONE ]
  - Query swap partitions (fstab)                             [ NONE ]
  - Testing swap partitions                                   [ CHECK NEEDED ]
  - Checking for old files in /tmp                            [ OK ]
  - Checking /tmp sticky bit                                  [ OK ]
  - ACL support root file system                              [ ENABLED ]
  - Checking Locate database                                  [ NOT FOUND ]

[+] Storage
------------------------------------
  - Checking usb-storage driver (modprobe config)             [ NOT DISABLED ]
  - Checking firewire ohci driver (modprobe config)           [ DISABLED ]

[+] NFS
------------------------------------
  - Check running NFS daemon                                  [ NOT FOUND ]

[+] Name services
------------------------------------
  - Checking default DNS search domain                        [ NONE ]
  - Checking search domains                                   [ FOUND ]
  - Checking /etc/resolv.conf options                         [ NONE ]
  - Searching DNS domain name                                 [ FOUND ]
      Domain name: ec2.internal
  - Checking nscd status                                      [ NOT FOUND ]
  - Checking BIND status                                      [ NOT FOUND ]
  - Checking PowerDNS status                                  [ NOT FOUND ]
  - Checking ypbind status                                    [ NOT FOUND ]
  - Checking /etc/hosts
    - Checking /etc/hosts (duplicates)                        [ OK ]
    - Checking /etc/hosts (hostname)                          [ SUGGESTION ]
    - Checking /etc/hosts (localhost)                         [ OK ]

[+] Ports and packages
------------------------------------
  - Searching package managers
    - Searching dpkg package manager                          [ FOUND ]
      - Querying package manager
    - Query unpurged packages                                 [ NONE ]
  - Checking security repository in sources.list file         [ OK ]
  - Checking APT package database                             [ OK ]
  - Checking vulnerable packages                              [ OK ]
  - Checking upgradeable packages                             [ SKIPPED ]
  - Checking package audit tool                               [ INSTALLED ]
    Found: apt-check

[+] Networking
------------------------------------
  - Checking configured nameservers
    - Testing nameservers
        Nameserver: 172.31.0.2                                [ OK ]
    - Minimal of 2 responsive nameservers                     [ WARNING ]
  - Checking default gateway                                  [ DONE ]
  - Getting listening ports (TCP/UDP)                         [ DONE ]
      * Found 5 ports
  - Checking promiscuous interfaces                           [ OK ]
  - Checking waiting connections                              [ OK ]
  - Checking status DHCP client                               [ RUNNING ]

[+] Printers and Spools
------------------------------------
  - Checking cups daemon                                      [ NOT FOUND ]
  - Checking lp daemon                                        [ NOT RUNNING ]

[+] Software: e-mail and messaging
------------------------------------
  - Checking Exim status                                      [ NOT FOUND ]
  - Checking Postfix status                                   [ NOT FOUND ]
  - Checking Qmail status                                     [ NOT FOUND ]
  - Checking Sendmail status                                  [ NOT FOUND ]

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ NOT FOUND ]
    - Checking pflogd status                                  [ NOT FOUND ]
  - Checking pf                                               [ NOT FOUND ]
  - Checking host based firewall                              [ NOT ACTIVE ]

[+] Software: webserver
------------------------------------
  - Checking Apache                                           [ NOT FOUND ]
  - Checking nginx                                            [ NOT FOUND ]

[+] SSH Support
------------------------------------
  - Checking running SSH daemon                               [ FOUND ]
    - Searching SSH configuration                             [ FOUND ]
    - Checking defined SSH options                            [ DONE ]
    - SSH option: PermitRootLogin (without-password)          [ OK ]
    - SSH option: Protocol                                    [ OK ]
    - SSH option: StrictModes                                 [ OK ]
    - SSH option: AllowUsers                                  [ NOT FOUND ]
    - SSH option: AllowGroups                                 [ NOT FOUND ]

[+] SNMP Support
------------------------------------
  - Checking running SNMP daemon                              [ NOT FOUND ]

[+] Databases
------------------------------------
  - MySQL process status                                      [ NOT FOUND ]
  - PostgreSQL processes status                               [ NOT FOUND ]
  - Oracle processes status                                   [ NOT FOUND ]

[+] LDAP Services
------------------------------------
  - Checking OpenLDAP instance                                [ NOT FOUND ]

[+] PHP
------------------------------------
  - Checking PHP                                              [ NOT FOUND ]

[+] Squid Support
------------------------------------
  - Checking running Squid daemon                             [ NOT FOUND ]

[+] Logging and files
------------------------------------
  - Checking for a running log daemon                         [ OK ]
    - Checking Syslog-NG status                               [ NOT FOUND ]
    - Checking systemd journal status                         [ NOT FOUND ]
    - Checking Metalog status                                 [ NOT FOUND ]
    - Checking RSyslog status                                 [ FOUND ]
    - Checking RFC 3195 daemon status                         [ NOT FOUND ]
    - Checking minilogd instances                             [ NOT FOUND ]
  - Checking logrotate presence                               [ OK ]
  - Checking log directories (static list)                    [ DONE ]
  - Checking open log files                                   [ DONE ]
  - Checking deleted files in use                             [ DONE ]

[+] Insecure services
------------------------------------
  - Checking inetd status                                     [ NOT ACTIVE ]

[+] Banners and identification
------------------------------------
  - /etc/motd                                                 [ NOT FOUND ]
  - /etc/issue                                                [ FOUND ]
    - /etc/issue contents                                     [ WEAK ]
  - /etc/issue.net                                            [ FOUND ]
    - /etc/issue.net contents                                 [ WEAK ]

[+] Scheduled tasks
------------------------------------
  - Checking crontab/cronjob                                  [ DONE ]
  - Checking atd status                                       [ NOT RUNNING ]

[+] Accounting
------------------------------------
  - Checking accounting information                           [ NOT FOUND ]
  - Checking sysstat accounting data                          [ NOT FOUND ]
  - Checking auditd                                           [ NOT FOUND ]

[+] Time and Synchronization
------------------------------------

[+] Cryptography
------------------------------------
  - Checking SSL certificate expiration                       [ WARNING ]

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                                [ FOUND ]
    - Checking AppArmor status                                [ ENABLED ]
  - Checking presence SELinux                                 [ NOT FOUND ]
  - Checking presence grsecurity                              [ NOT FOUND ]
  - Checking for implemented MAC framework                    [ OK ]

[+] Software: file integrity
------------------------------------
  - Checking file integrity tools
  - Checking presence integrity tool                          [ NOT FOUND ]

[+] Software: System tooling
------------------------------------
  - Checking automation tooling
  - Automation tooling                                        [ NOT FOUND ]

[+] Software: Malware scanners
------------------------------------

[+] File Permissions
------------------------------------
  - Starting file permissions check
    /etc/lilo.conf                                            [ NOT FOUND ]
    /root/.ssh                                                [ OK ]

[+] Home directories
------------------------------------
  - Checking shell history files                              [ OK ]

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - kernel.core_uses_pid (exp: 1)                           [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0)                            [ OK ]
    - kernel.kptr_restrict (exp: 1)                           [ OK ]
    - kernel.sysrq (exp: 0)                                   [ DIFFERENT ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)                  [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)                   [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1)                 [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)                [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)                    [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)                    [ OK ]
    - net.ipv4.conf.all.send_redirects (exp: 0)               [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0)      [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1)             [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)           [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)     [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)                        [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0)                        [ DIFFERENT ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0)      [ OK ]

[+] Hardening
------------------------------------
    - Installed compiler(s)                                   [ NOT FOUND ]
    - Installed malware scanner                               [ NOT FOUND ]

[+] Custom Tests
------------------------------------
  - Running custom tests...                                   [ NONE ]

================================================================================

  -[ Lynis 2.1.1 Results ]-

  Warnings:
  ----------------------------
  - Couldn't find 2 responsive nameservers [NETW-2705]
      https://cisofy.com/controls/NETW-2705/

  Suggestions:
  ----------------------------
  - Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
      https://cisofy.com/controls/BOOT-5122/
  - Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]
      https://cisofy.com/controls/AUTH-9262/
  - Configure password aging limits to enforce password changing on a regular base [AUTH-9286]
      https://cisofy.com/controls/AUTH-9286/
  - Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
      https://cisofy.com/controls/AUTH-9328/
  - Default umask in /etc/init.d/rc could be more strict like 027 [AUTH-9328]
      https://cisofy.com/controls/AUTH-9328/
  - To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310]
      https://cisofy.com/controls/FILE-6310/
  - To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
      https://cisofy.com/controls/FILE-6310/
  - To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310]
      https://cisofy.com/controls/FILE-6310/
  - Check your /etc/fstab file for swap partition mount options [FILE-6336]
      https://cisofy.com/controls/FILE-6336/
  - The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410]
      https://cisofy.com/controls/FILE-6410/
  - Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
      https://cisofy.com/controls/STRG-1840/
  - Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404]
      https://cisofy.com/controls/NAME-4404/
  - Install debsums utility for the verification of packages with known good database. [PKGS-7370]
      https://cisofy.com/controls/PKGS-7370/
  - Install package apt-show-versions for patch management purposes [PKGS-7394]
      https://cisofy.com/controls/PKGS-7394/
  - Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705]
      https://cisofy.com/controls/NETW-2705/
  - Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590]
      https://cisofy.com/controls/FIRE-4590/
  - Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
      https://cisofy.com/controls/BANN-7126/
  - Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
      https://cisofy.com/controls/BANN-7130/
  - Enable process accounting [ACCT-9622]
      https://cisofy.com/controls/ACCT-9622/
  - Enable sysstat to collect accounting (no results) [ACCT-9626]
      https://cisofy.com/controls/ACCT-9626/
  - Enable auditd to collect audit information [ACCT-9628]
      https://cisofy.com/controls/ACCT-9628/
  - Check available certificates for expiration [CRYP-7902]
      https://cisofy.com/controls/CRYP-7902/
  - Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
      https://cisofy.com/controls/FINT-4350/
  - Determine if automation tools are present for system management [TOOL-5002]
      https://cisofy.com/controls/TOOL-5002/
  - One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
      https://cisofy.com/controls/KRNL-6000/
  - Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
      https://cisofy.com/controls/HRDN-7230/

  Follow-up:
  ----------------------------
  - Check the logfile for more details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data (Lynis Enterprise users)

================================================================================

  Lynis security scan details:

  Hardening index : 66 [#############       ]
  Tests performed : 175
  Plugins enabled : 0

  Quick overview:
  - Firewall [X] - Malware scanner [X]

  Lynis Modules:
  - Heuristics Check [NA] - Security Audit [V]
  - Compliance Tests [X] - Vulnerability Scan [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================
  Tip: Disable all tests which are not relevant or are too strict for the
       purpose of this particular machine. This will remove unwanted suggestions
       and also boost the hardening index. Each test should be properly analyzed
       to see if the related risks can be accepted, before disabling the test.
================================================================================

  Lynis 2.1.1
  Auditing, hardening and compliance for BSD, Linux, Mac OS and Unix
  Copyright 2007-2015 - CISOfy, https://cisofy.com
  Enterprise support and plugins available via CISOfy
================================================================================
Anuncios

Auditando nuestros servidores con Linux

12 agosto, 2015 1 comentario

Desde hace un tiempo, me ha tocado convertirme en sysadmin, no es el tipo de trabajo que normalmente me gusta hacer, considero que los conocimientos de un sysadmin van mucho mas allá de los que yo poseo, sin embargo hago mi mejor esfuerzo y no he resultado tan malo.

En la búsqueda de herramientas que ayuden a mejorar el mantenimiento, seguridad y administración de los servidores que tengo bajo mi responsabilidad, me he encontrado con Lynis, es una herramienta de auditoria de Seguridad de Código Libre desarrollada y mantenida por CISOfy, su principal objetivo es ayudar a los Administradores de Sistemas, Auditores y profesionales de Seguridad auditar y asegurar sus sistemas basados en Linux o Unix, Es bastante flexible y corre en casi todas las distribuciones.

Instalación:

La instalación es realmente simple, solo hay que descargar el archivo que esta en el sitio web, descomprimirlo y ejecutarlo.


$ curl https://cisofy.com/files/lynis-2.1.1.tar.gz -o lynis.tar.gz
# tar xvfz lynis.tar.gz -C /opt/

No hay mucho mas que hacer, para tener lynis instalado en nuestro equipo.

Ejecución:

#./lynis -c -Q

Resultado:

[ Lynis 2.1.1 ]

################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.

Copyright 2007-2015 - CISOfy, https://cisofy.com
Enterprise support and plugins available via CISOfy
################################################################################

[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]

---------------------------------------------------
Program version: 2.1.1
Operating system: Linux
Operating system name: Ubuntu
Operating system version: 14.04
Kernel version: 3.13.0
Hardware platform: x86_64
Hostname: ip-172-31-54-190
Auditor: [Unknown]
Profile: ./default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: ./plugins
---------------------------------------------------
- Checking profile file (./default.prf)...
- Program update status... [ NO UPDATE ]

[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests, which may take a few minutes to complete

- Plugins enabled [ NONE ]

[+] Boot and services
------------------------------------
- Service Manager [ UNKNOWN ]
- Checking presence GRUB [ OK ]
- Checking presence GRUB2 [ FOUND ]
- Checking for password protection [ WARNING ]
- Check services at startup (rc2.d) [ DONE ]
Result: found 9 services
- Check startup files (permissions) [ OK ]

[+] Kernel
------------------------------------
- Checking default run level [ RUNLEVEL 2 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
Found 19 active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ FOUND ]
- Checking for available kernel update [ OK ]
- Checking core dumps configuration [ DISABLED ]
- Checking setuid core dumps configuration [ PROTECTED ]
- Check if reboot is needed [ NO ]

[+] Memory and processes
------------------------------------
- Checking /proc/meminfo [ FOUND ]
- Searching for dead/zombie processes [ OK ]
- Searching for IO waiting processes [ OK ]

[+] Users, Groups and Authentication
------------------------------------
- Search administrator accounts [ OK ]
- Checking for non-unique UIDs [ OK ]
- Checking consistency of group files (grpck) [ OK ]
- Checking non unique group ID's [ OK ]
- Checking non unique group names [ OK ]
- Checking password file consistency [ OK ]
- Query system users (non daemons) [ DONE ]
- Checking NIS+ authentication support [ NOT ENABLED ]
- Checking NIS authentication support [ NOT ENABLED ]
- Checking sudoers file [ FOUND ]
- Check sudoers file permissions [ OK ]
- Checking PAM password strength tools [ SUGGESTION ]
- Checking PAM configuration files (pam.conf) [ FOUND ]
- Checking PAM configuration files (pam.d) [ FOUND ]
- Checking PAM modules [ FOUND ]
- Checking LDAP module in PAM [ NOT FOUND ]
- Checking accounts without expire date [ OK ]
- Checking accounts without password [ OK ]
- Checking user password aging [ DISABLED ]
- Determining default umask
- Checking umask (/etc/profile) [ OK ]
- Checking umask (/etc/login.defs) [ SUGGESTION ]
- Checking umask (/etc/init.d/rc) [ SUGGESTION ]
- Checking LDAP authentication support [ NOT ENABLED ]

[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 6 shells (valid shells: 6).
- Session timeout settings/tools [ NONE ]

[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Querying FFS/UFS mount points (fstab) [ NONE ]
- Query swap partitions (fstab) [ NONE ]
- Testing swap partitions [ CHECK NEEDED ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Checking Locate database [ NOT FOUND ]

[+] Storage
------------------------------------
- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
- Checking firewire ohci driver (modprobe config) [ DISABLED ]

[+] NFS
------------------------------------
- Check running NFS daemon [ NOT FOUND ]

[+] Name services
------------------------------------
- Checking default DNS search domain [ NONE ]
- Checking search domains [ FOUND ]
- Checking /etc/resolv.conf options [ NONE ]
- Searching DNS domain name [ FOUND ]
Domain name: ec2.internal
- Checking nscd status [ NOT FOUND ]
- Checking BIND status [ NOT FOUND ]
- Checking PowerDNS status [ NOT FOUND ]
- Checking ypbind status [ NOT FOUND ]
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ SUGGESTION ]
- Checking /etc/hosts (localhost) [ OK ]

[+] Ports and packages
------------------------------------
- Searching package managers
- Searching dpkg package manager [ FOUND ]
- Querying package manager
- Query unpurged packages [ NONE ]
- Checking security repository in sources.list file [ OK ]
- Checking APT package database [ OK ]
- Checking vulnerable packages [ WARNING ]
- Checking upgradeable packages [ SKIPPED ]
- Checking package audit tool [ INSTALLED ]
Found: apt-check

[+] Networking
------------------------------------
- Checking configured nameservers
- Testing nameservers
Nameserver: 172.31.0.2 [ OK ]
- Minimal of 2 responsive nameservers [ WARNING ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
* Found 5 ports
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ RUNNING ]

[+] Printers and Spools
------------------------------------
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]

[+] Software: e-mail and messaging
------------------------------------
- Checking Exim status [ NOT FOUND ]
- Checking Postfix status [ NOT FOUND ]
- Checking Qmail status [ NOT FOUND ]
- Checking Sendmail status [ NOT FOUND ]

[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ NOT FOUND ]
- Checking pflogd status [ NOT FOUND ]
- Checking pf [ NOT FOUND ]
- Checking host based firewall [ NOT ACTIVE ]

[+] Software: webserver
------------------------------------
- Checking Apache [ NOT FOUND ]
- Checking nginx [ NOT FOUND ]

[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- Checking defined SSH options [ DONE ]
- SSH option: PermitRootLogin (without-password) [ OK ]
- SSH option: Protocol [ OK ]
- SSH option: StrictModes [ OK ]
- SSH option: AllowUsers [ NOT FOUND ]
- SSH option: AllowGroups [ NOT FOUND ]

[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]

[+] Databases
------------------------------------
- MySQL process status [ NOT FOUND ]
- PostgreSQL processes status [ NOT FOUND ]
- Oracle processes status [ NOT FOUND ]

[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]

[+] PHP
------------------------------------
- Checking PHP [ NOT FOUND ]

[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]

[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ NOT FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking minilogd instances [ NOT FOUND ]
- Checking logrotate presence [ OK ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ DONE ]

[+] Insecure services
------------------------------------
- Checking inetd status [ NOT ACTIVE ]

[+] Banners and identification
------------------------------------
- /etc/motd [ NOT FOUND ]
- /etc/issue [ FOUND ]
- /etc/issue contents [ WEAK ]
- /etc/issue.net [ FOUND ]
- /etc/issue.net contents [ WEAK ]

[+] Scheduled tasks
------------------------------------
- Checking crontab/cronjob [ DONE ]
- Checking atd status [ NOT RUNNING ]

[+] Accounting
------------------------------------
- Checking accounting information [ NOT FOUND ]
- Checking sysstat accounting data [ NOT FOUND ]
- Checking auditd [ NOT FOUND ]

[+] Time and Synchronization
------------------------------------

[+] Cryptography
------------------------------------
- Checking SSL certificate expiration [ OK ]

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ FOUND ]
- Checking AppArmor status [ ENABLED ]
- Checking presence SELinux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ OK ]

[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- Checking presence integrity tool [ NOT FOUND ]

[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NOT FOUND ]

[+] Software: Malware scanners
------------------------------------

[+] File Permissions
------------------------------------
- Starting file permissions check
/etc/lilo.conf [ NOT FOUND ]
/root/.ssh [ OK ]

[+] Home directories
------------------------------------
- Checking shell history files [ OK ]

[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.kptr_restrict (exp: 1) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

[+] Hardening
------------------------------------
- Installed compiler(s) [ NOT FOUND ]
- Installed malware scanner [ NOT FOUND ]

[+] Custom Tests
------------------------------------
- Running custom tests... [ NONE ]

================================================================================

-[ Lynis 2.1.1 Results ]-

Warnings:
----------------------------
- Found one or more vulnerable packages. [PKGS-7392]
https://cisofy.com/controls/PKGS-7392/

- Couldn't find 2 responsive nameservers [NETW-2705]
https://cisofy.com/controls/NETW-2705/

Suggestions:
----------------------------
- Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
https://cisofy.com/controls/BOOT-5122/
- Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]
https://cisofy.com/controls/AUTH-9262/
- Configure password aging limits to enforce password changing on a regular base [AUTH-9286]
https://cisofy.com/controls/AUTH-9286/
- Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
https://cisofy.com/controls/AUTH-9328/
- Default umask in /etc/init.d/rc could be more strict like 027 [AUTH-9328]
https://cisofy.com/controls/AUTH-9328/
- To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
- To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
- To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
- Check your /etc/fstab file for swap partition mount options [FILE-6336]
https://cisofy.com/controls/FILE-6336/
- The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [FILE-6410]
https://cisofy.com/controls/FILE-6410/
- Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
https://cisofy.com/controls/STRG-1840/
- Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404]
https://cisofy.com/controls/NAME-4404/
- Install debsums utility for the verification of packages with known good database. [PKGS-7370]
https://cisofy.com/controls/PKGS-7370/
- Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392]
https://cisofy.com/controls/PKGS-7392/
- Install package apt-show-versions for patch management purposes [PKGS-7394]
https://cisofy.com/controls/PKGS-7394/
- Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705]
https://cisofy.com/controls/NETW-2705/
- Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590]
https://cisofy.com/controls/FIRE-4590/
- Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
https://cisofy.com/controls/BANN-7126/
- Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
https://cisofy.com/controls/BANN-7130/
- Enable process accounting [ACCT-9622]
https://cisofy.com/controls/ACCT-9622/
- Enable sysstat to collect accounting (no results) [ACCT-9626]
https://cisofy.com/controls/ACCT-9626/
- Enable auditd to collect audit information [ACCT-9628]
https://cisofy.com/controls/ACCT-9628/
- Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
https://cisofy.com/controls/FINT-4350/
- Determine if automation tools are present for system management [TOOL-5002]
https://cisofy.com/controls/TOOL-5002/
- One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
https://cisofy.com/controls/KRNL-6000/
- Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
https://cisofy.com/controls/HRDN-7230/

Follow-up:
----------------------------
- Check the logfile for more details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data (Lynis Enterprise users)

================================================================================

Lynis security scan details:

Hardening index : 57 [########### ]
Tests performed : 175
Plugins enabled : 0

Quick overview:
- Firewall [X] - Malware scanner [X]

Lynis Modules:
- Heuristics Check [NA] - Security Audit [V]
- Compliance Tests [X] - Vulnerability Scan [V]

Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat

================================================================================
Tip: Disable all tests which are not relevant or are too strict for the
purpose of this particular machine. This will remove unwanted suggestions
and also boost the hardening index. Each test should be properly analyzed
to see if the related risks can be accepted, before disabling the test.
================================================================================

Lynis 2.1.1
Auditing, hardening and compliance for BSD, Linux, Mac OS and Unix
Copyright 2007-2015 - CISOfy, https://cisofy.com
Enterprise support and plugins available via CISOfy
================================================================================

Esta es la ejecución tras la inmediata iniciación de una instancia de AWS Ubuntu 14.04, vemos que tenemos un indice de seguridad de 57/100, lo que es realmente bajo, sin embargo el mismo reporte nos realiza las sugerencias para mejorar nuestra seguridad, cada uno de estos items los iremos abordando poco a poco a lo largo de una serie de artículos.

Auditen sus sistemas y comencemos a mejorar la seguridad.