首页问答社区 linux 正文

怎么利用lynis进行linux漏洞扫描

2021-02-23 07:38:44 185 0

这篇文章给大家分享的是有关怎么利用lynis进行linux漏洞扫描的内容。小编觉得挺实用的，因此分享给大家做个参考，一起跟随小编过来看看吧。

前言

lynis 是一款运行在 Unix/Linux 平台上的基于主机的、开源的安全审计软件。Lynis是针对Unix/Linux的安全检查工具，可以发现潜在的安全威胁。这个工具覆盖可疑文件监测、漏洞、恶意程序扫描、配置错误等。下面一起来看看使用lynis进行linux漏洞扫描的相关内容吧

安装lynis

在 archlinux 上可以直接通过 pacman 来安装

sudopacman-Slynis--noconfirm

resolvingdependencies...
lookingforconflictingpackages...

Packages(1)lynis-2.6.4-1

TotalInstalledSize:1.35MiB
NetUpgradeSize:0.00MiB

::Proceedwithinstallation?[Y/n]
(0/1)checkingkeysinkeyring[----------------------]0%
(1/1)checkingkeysinkeyring[######################]100%
(0/1)checkingpackageintegrity[----------------------]0%
(1/1)checkingpackageintegrity[######################]100%
(0/1)loadingpackagefiles[----------------------]0%
(1/1)loadingpackagefiles[######################]100%
(0/1)checkingforfileconflicts[----------------------]0%
(1/1)checkingforfileconflicts[######################]100%
(0/1)checkingavailablediskspace[----------------------]0%
(1/1)checkingavailablediskspace[######################]100%
::Processingpackagechanges...
(1/1)reinstallinglynis[----------------------]0%
(1/1)reinstallinglynis[######################]100%
::Runningpost-transactionhooks...
(1/2)Reloadingsystemmanagerconfiguration...
(2/2)ArmingConditionNeedsUpdate...

使用lynis进行主机扫描

首先让我们不带任何参数运行 lynis, 这会列出 lynis 支持的那些参数

[lujun9972@T520linux和它的小伙伴]$lynis

[Lynis2.6.4]

################################################################################
LyniscomeswithABSOLUTELYNOWARRANTY.Thisisfreesoftware,andyouare
welcometoredistributeitunderthetermsoftheGNUGeneralPublicLicense.
SeetheLICENSEfilefordetailsaboutusingthissoftware.

2007-2018,CISOfy-https://cisofy.com/lynis/
Enterprisesupportavailable(compliance,plugins,interfaceandtools)
################################################################################


[+]Initializingprogram
------------------------------------


Usage:lyniscommand[options]


Command:

audit
auditsystem:Performlocalsecurityscan
auditsystemremote<host>:Remotesecurityscan
auditdockerfile<file>:AnalyzeDockerfile

show
show:Showallcommands
showversion:ShowLynisversion
showhelp:Showhelp

update
updateinfo:Showupdatedetails


Options:

--no-log:Don'tcreatealogfile
--pentest:Non-privilegedscan(usefulforpentest)
--profile<profile>:Scanthesystemwiththegivenprofilefile
--quick(-Q):Quickmode,don'twaitforuserinput

Layoutoptions
--no-colors:Don'tusecolorsinoutput
--quiet(-q):Nooutput
--reverse-colors:Optimizecolordisplayforlightbackgrounds

Miscoptions
--debug:Debugloggingtoscreen
--view-manpage(--man):Viewmanpage
--verbose:Showmoredetailsonscreen
--version(-V):Displayversionnumberandquit

Enterpriseoptions
--plugindir<path>:Definepathofavailableplugins
--upload:Uploaddatatocentralnode

Moreoptionsavailable.Run'/usr/bin/lynisshowoptions',orusethemanpage.

Nocommandprovided.Exiting..

从上面可以看出，使用 lynis 进行主机扫描很简单，只需要带上参数 audit system 即可。 Lynis在审计的过程中,会进行多种类似的测试,在审计过程中会将各种测试结果、调试信息、和对系统的加固建议都被写到 stdin 。我们可以执行下面命令来跳过检查过程,直接截取最后的扫描建议来看。

sudolynisauditsystem|sed'1,/Results/d'

lynis将扫描的内容分成几大类，可以通过 show groups 参数来获取类别

lynisshowgroups

accountingauthenticationbannersboot_servicescontainerscryptodatabasesdnsfile_integrityfile_permissionsfilesystemsfirewallshardeninghomedirsinsecure_serviceskernelkernel_hardeningldaploggingmac_frameworksmail_messagingmalwarememory_processesnameservicesnetworkingphpports_packagesprinters_spoolsschedulingshellssnmpsquidsshstoragestorage_nfssystem_integritytimetoolingusbvirtualizationwebservers

若指向扫描某几类的内容，则可以通过 –tests-from-group 参数来指定。

比如我只想扫描 shells 和 networking 方面的内容，则可以执行

sudolynis--tests-from-group"shellsnetworking"--no-colors

[Lynis2.6.4]

################################################################################
LyniscomeswithABSOLUTELYNOWARRANTY.Thisisfreesoftware,andyouare
welcometoredistributeitunderthetermsoftheGNUGeneralPublicLicense.
SeetheLICENSEfilefordetailsaboutusingthissoftware.

2007-2018,CISOfy-https://cisofy.com/lynis/
Enterprisesupportavailable(compliance,plugins,interfaceandtools)
################################################################################


[+]Initializingprogram
------------------------------------
[2C-DetectingOS...[41C[DONE]
[2C-Checkingprofiles...[37C[DONE]
[2C-Detectinglanguageandlocalization[22C[zh]
[4CNotice:nolanguagefilefoundfor'zh'(tried:/usr/share/lynis/db/languages/zh)[0C

---------------------------------------------------
Programversion:2.6.4
Operatingsystem:Linux
Operatingsystemname:ArchLinux
Operatingsystemversion:Rollingrelease
Kernelversion:4.16.13
Hardwareplatform:x86_64
Hostname:T520
---------------------------------------------------
Profiles:/etc/lynis/default.prf
Logfile:/var/log/lynis.log
Reportfile:/var/log/lynis-report.dat
Reportversion:1.0
Plugindirectory:/usr/share/lynis/plugins
---------------------------------------------------
Auditor:[NotSpecified]
Language:zh
Testcategory:all
Testgroup:shellsnetworking
---------------------------------------------------
[2C-Programupdatestatus...[32C[NOUPDATE]

[+]SystemTools
------------------------------------
[2C-Scanningavailabletools...[30C
[2C-Checkingsystembinaries...[30C

[+]Plugins(phase1)
------------------------------------
[0CNote:pluginshavemoreextensivetestsandmaytakeseveralminutestocomplete[0C
[0C[0C
[2C-Pluginsenabled[42C[NONE]

[+]Shells
------------------------------------
[2C-Checkingshellsfrom/etc/shells[25C
[4CResult:found5shells(validshells:5).[16C
[4C-Sessiontimeoutsettings/tools[25C[NONE]
[2C-Checkingdefaultumaskvalues[28C
[4C-Checkingdefaultumaskin/etc/bash.bashrc[13C[NONE]
[4C-Checkingdefaultumaskin/etc/profile[17C[WEAK]

[+]Networking
------------------------------------
[2C-CheckingIPv6configuration[30C[ENABLED]
[6CConfigurationmethod[35C[AUTO]
[6CIPv6only[46C[NO]
[2C-Checkingconfigurednameservers[26C
[4C-Testingnameservers[36C
[6CNameserver:202.96.134.33[30C[SKIPPED]
[6CNameserver:202.96.128.86[30C[SKIPPED]
[4C-Minimalof2responsivenameservers[20C[SKIPPED]
[2C-Gettinglisteningports(TCP/UDP)[24C[DONE]
[6C*Found11ports[39C
[2C-CheckingstatusDHCPclient[30C[RUNNING]
[2C-CheckingforARPmonitoringsoftware[21C[NOTFOUND]

[+]CustomTests
------------------------------------
[2C-Runningcustomtests...[33C[NONE]

[+]Plugins(phase2)
------------------------------------

================================================================================

-[Lynis2.6.4Results]-

Great,nowarnings

Suggestions(1):
----------------------------
*ConsiderrunningARPmonitoringsoftware(arpwatch,arpon)[NETW-3032]

https://cisofy.com/controls/NETW-3032/

Follow-up:
----------------------------
-Showdetailsofatest(lynisshowdetailsTEST-ID)
-Checkthelogfileforalldetails(less/var/log/lynis.log)
-Readsecuritycontrolstexts(https://cisofy.com)
-Use--uploadtouploaddatatocentralsystem(LynisEnterpriseusers)

================================================================================

Lynissecurityscandetails:

Hardeningindex:33[######]
Testsperformed:13
Pluginsenabled:0

Components:
-Firewall[X]
-Malwarescanner[X]

LynisModules:
-ComplianceStatus[?]
-SecurityAudit[V]
-VulnerabilityScan[V]

Files:
-Testanddebuginformation:/var/log/lynis.log
-Reportdata:/var/log/lynis-report.dat

================================================================================

Lynis2.6.4

Auditing,systemhardening,andcomplianceforUNIX-basedsystems
(Linux,macOS,BSD,andothers)

2007-2018,CISOfy-https://cisofy.com/lynis/
Enterprisesupportavailable(compliance,plugins,interfaceandtools)

================================================================================

[TIP]:EnhanceLynisauditsbyaddingyoursettingstocustom.prf(see/etc/lynis/default.prfforallsettings)

查看详细说明

在查看审计结果时,你可以通过 show details 参数来获取关于某条警告/建议的详细说明。其对应的命令形式为:

lynisshowdetails${test_id}

比如，上面图中有一个建议

*ConsiderrunningARPmonitoringsoftware(arpwatch,arpon)[NETW-3032]

我们可以运行命令：

sudolynisshowdetailsNETW-3032

2018-06-0818:18:01PerformingtestIDNETW-3032(CheckingforARPmonitoringsoftware)
2018-06-0818:18:01IsRunning:process'arpwatch'notfound
2018-06-0818:18:01IsRunning:process'arpon'notfound
2018-06-0818:18:01Suggestion:ConsiderrunningARPmonitoringsoftware(arpwatch,arpon)[test:NETW-3032][details:-][solution:-]
2018-06-0818:18:01Checkingpermissionsof/usr/share/lynis/include/tests_printers_spools
2018-06-0818:18:01FilepermissionsareOK
2018-06-0818:18:01===---------------------------------------------------------------===

查看日志文件

lynis在审计完成后会将详细的信息记录在 /var/log/lynis.log 中.

sudotail/var/log/lynis.log

2018-06-0817:59:46================================================================================
2018-06-0817:59:46Lynis2.6.4
2018-06-0817:59:462007-2018,CISOfy-https://cisofy.com/lynis/
2018-06-0817:59:46Enterprisesupportavailable(compliance,plugins,interfaceandtools)
2018-06-0817:59:46Programendedsuccessfully
2018-06-0817:59:46================================================================================
2018-06-0817:59:46PIDfileremoved(/var/run/lynis.pid)
2018-06-0817:59:46Temporaryfiles:/tmp/lynis.sGxCR0hSPz
2018-06-0817:59:46Action:removingtemporaryfile/tmp/lynis.sGxCR0hSPz
2018-06-0817:59:46Lynisendedsuccessfully.

同时将报告数据被保存到 /var/log/lynis-report.dat 中.

sudotail/var/log/lynis-report.dat

另外需要注意的是，每次审计都会覆盖原日志文件.

检查更新

审计软件需要随时进行更新从而得到最新的建议和信息，我们可以使用 update info 参数来检查更新:

lynisupdateinfo--no-colors

==[1;37mLynis[0m==

Version:2.6.4
Status:[1;32mUp-to-date[0m
Releasedate:2018-05-02
Updatelocation:https://cisofy.com/lynis/


2007-2018,CISOfy-https://cisofy.com/lynis/

自定义lynis安全审计策略

lynis的配置信息以 .prf 文件的格式保存在 /etc/lynis 目录中。其中，默认lynis自带一个名为 default.prf 的默认配置文件。

不过我们无需直接修改这个默认的配置文件，只需要新增一个 custom.prf 文件将自定义的信息加入其中就可以了。

关于配置文件中各配置项的意义，在 default.prf 中都有相应的注释说明,这里就不详述了。

想了解lynis的更多信息，可以访问它的官网.

感谢各位的阅读！关于“怎么利用lynis进行linux漏洞扫描”这篇文章就分享到这里了，希望以上内容可以对大家有一定的帮助，让大家可以学到更多知识，如果觉得文章不错，可以把它分享出去让更多的人看到吧！

linux