A colleague of mine pointed me out to Lynis, a system’s configuration audit tool which checks the hardening of any running UNIX or UNIX-like system, including the BSDs. This tool has a built in check list and a set of sane and safe configurations and compares them to the target system. As output we find several topics, from system discovery to suggestions for some configs.
This tool is useful for system administrators, auditors and security analysts. It serves as a first step in an audit and it’s a quick way to get real information from running systems. It also includes some suggestions and useful warnings which will allow novice and old system administrators in the tedious, never-ending task of system’s hardening.
If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.
Use this link to get $200 credit at DigitalOcean and support Adminbyaccident.com costs.
Get $100 credit for free at Vultr using this link and support Adminbyaccident.com costs.
Mind Vultr supports FreeBSD on their VPS offer.
Although every step is pretty self explanatory these are a few of the topic’s list Lynis checks with a few comments on some remarkable aspects after launching an audit to a couple of random systems.
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
- Detecting language and localization [ en ]
---------------------------------------------------
Program version: 2.7.4
Operating system: FreeBSD
Operating system name: FreeBSD
Operating system version: 11.2-RELEASE-p9
Kernel version: GENERIC
Hardware platform: amd64
Hostname: DefConDos
---------------------------------------------------
Profiles: /usr/local/etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/local/share/lynis/plugins
---------------------------------------------------
Auditor: [Not Specified]
Language: en
Test category: all
Test group: all
---------------------------------------------------
- Program update status... [ NO UPDATE ]
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugins enabled [ NONE ]
[+] Boot and services
------------------------------------
- Service Manager [ bsdrc ]
- Checking presence FreeBSD loader [ FOUND ]
- Checking services at startup (service/rc.conf) [ DONE ]
Result: found 28 services/options set
[+] Kernel
------------------------------------
- Checking active kernel modules
Found 8 kernel modules [ DONE ]
[+] Memory and Processes
------------------------------------
- Searching for dead/zombie processes [ OK ]
- Searching for IO waiting processes [ OK ]
A useful check falls onto the users, groups and authentication configurations.
[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ WARNING ]
- Unique UIDs [ WARNING ]
- Checking chkgrp tool [ FOUND ]
- Checking consistency of /etc/group file [ OK ]
- Login shells [ WARNING ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ ENABLED ]
- sudoers file [ FOUND ]
- Permissions for directory: /usr/local/etc/sudoers.d [ WARNING ]
- Permissions for: /usr/local/etc/sudoers [ WARNING ]
- Permissions for: /usr/local/etc/sudoers.d/90-cloud-init-users [ WARNING ]
- PAM password strength tools [ OK ]
- PAM configuration file (pam.conf) [ NOT FOUND ]
- PAM configuration files (pam.d) [ FOUND ]
- LDAP module in PAM [ NOT FOUND ]
- Determining default umask
- umask (/etc/profile and /etc/profile.d) [ OK ]
- umask (/etc/login.conf) [ WEAK ]
- LDAP authentication support [ NOT ENABLED ]
At the bottom of this scan we can find the warnings and the basis on which they are based. For example, for the Unique UIDs parameter, the warning includes an URL so anyone can follow some good and decent advice on this particular.
https://cisofy.com/lynis/controls/AUTH-9204/
On a Debian system scan we can find specific checks for Linux like the following.
[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ DISABLED ]
- Checking presence GRUB2 [ FOUND ]
- Checking for password protection [ WARNING ]
- Check running services (systemctl) [ DONE ]
Result: found 25 running services
- Check enabled services at boot (systemctl) [ DONE ]
Result: found 36 enabled services
- Check startup files (permissions) [ OK ]
[+] Kernel
------------------------------------
- Checking default run level [ RUNLEVEL 5 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
Found 113 active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ FOUND ]
- Checking for available kernel update [ OK ]
- Checking core dumps configuration [ DISABLED ]
- Checking setuid core dumps configuration [ DEFAULT ]
- Check if reboot is needed [ NO ]
But there are even more specific checks for Debian like the following ones:
[+] Debian Tests
------------------------------------
- Checking for system binaries that are required by Debian Tests...
- Checking /bin... [ FOUND ]
- Checking /sbin... [ FOUND ]
- Checking /usr/bin... [ FOUND ]
- Checking /usr/sbin... [ FOUND ]
- Checking /usr/local/bin... [ FOUND ]
- Checking /usr/local/sbin... [ FOUND ]
- Authentication:
- PAM (Pluggable Authentication Modules):
- libpam-tmpdir [ Not Installed ]
- libpam-usb [ Not Installed ]
- File System Checks:
- DM-Crypt, Cryptsetup & Cryptmount:
- Software:
- apt-listbugs [ Not Installed ]
- apt-listchanges [ Installed and enabled for apt ]
- checkrestart [ Not Installed ]
- needrestart [ Not Installed ]
- debsecan [ Not Installed ]
- debsums [ Not Installed ]
- fail2ban [ Not Installed ]
]
There are some other interesting checks, this time for applications. Be them SSH, LDAP, PHP and others.
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- SSH option: AllowTcpForwarding [ SUGGESTION ]
- SSH option: ClientAliveCountMax [ SUGGESTION ]
- SSH option: ClientAliveInterval [ OK ]
- SSH option: Compression [ SUGGESTION ]
- SSH option: FingerprintHash [ OK ]
- SSH option: GatewayPorts [ OK ]
- SSH option: IgnoreRhosts [ OK ]
- SSH option: LoginGraceTime [ OK ]
- SSH option: LogLevel [ SUGGESTION ]
- SSH option: MaxAuthTries [ SUGGESTION ]
- SSH option: MaxSessions [ SUGGESTION ]
- SSH option: PermitRootLogin [ SUGGESTION ]
- SSH option: PermitUserEnvironment [ OK ]
- SSH option: PermitTunnel [ OK ]
- SSH option: Port [ SUGGESTION ]
- SSH option: PrintLastLog [ OK ]
- SSH option: Protocol [ NOT FOUND ]
- SSH option: StrictModes [ OK ]
- SSH option: TCPKeepAlive [ SUGGESTION ]
- SSH option: UseDNS [ OK ]
- SSH option: UsePrivilegeSeparation [ OK ]
- SSH option: VerifyReverseMapping [ NOT FOUND ]
- SSH option: X11Forwarding [ SUGGESTION ]
- SSH option: AllowAgentForwarding [ SUGGESTION ]
- SSH option: AllowUsers [ NOT FOUND ]
- SSH option: AllowGroups [ NOT FOUND ]
[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]
[+] Databases
------------------------------------
- MySQL process status [ FOUND ]
- Checking empty MySQL root password [ WARNING ]
[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]
[+] PHP
------------------------------------
- Checking PHP [ NOT FOUND ]
[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]
Interesting to read are the suggestions. For example we’ll grab one configuration suggestion for SSH. Like this:
* Consider hardening SSH configuration [SSH-7408]
- Details : AllowTcpForwarding (YES --> NO)
https://cisofy.com/controls/SSH-7408/
This is relative to allowing SSH connections to be forwarded. Setting this to no will help in the system’s hardening. As their advice URL tells, it is wise to know users with shell access can install their own SSH forwarders so… take care of that as well.
Many of the suggestions are just having tighter or stronger policies on settings. Some are interesting to implement and some are not that much.
Installing Lynis is very simple and is documented on the official website. At the end of every scan you will find the warnings, the suggestions and all the useful information to start working on your system’s hardening.
If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.
Use this link to get $200 credit at DigitalOcean and support Adminbyaccident.com costs.
Get $100 credit for free at Vultr using this link and support Adminbyaccident.com costs.
Mind Vultr supports FreeBSD on their VPS offer.