Security Analysis of GNU/Linux Ubuntu 22.04 with Lynis
Lynis is an open-source auditing tool for UNIX-based systems, Ubuntu included. It runs a battery of tests against the live system and reports misconfigurations, missing hardening and concrete suggestions for improving the host. It is a configuration and hardening audit rather than a CVE scanner: apart from checking for pending package updates, it tells you where the system deviates from hardening practice, and its report is a prioritised to-do list rather than a list of exploitable holes.
Installation
Installing Lynis on Ubuntu 22.04 is straightforward, though the distribution package (3.0.7) is behind the upstream release, as the scan itself points out:
nathaniel@morais:~$ sudo apt -y install lynis
Basic Usage
Run the audit as root (via sudo) so that every test can execute; an unprivileged run silently skips the checks that need root.
nathaniel@morais:~$ sudo lynis audit system
[ Lynis 3.0.7 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2021, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
- Detecting language and localization [ pt ]
/usr/sbin/lynis: 612: [: -lt: unexpected operator
---------------------------------------------------
Program version: 3.0.7
Operating system: Linux
Operating system name: Ubuntu
Operating system version: 22.04
Kernel version: 6.5.0
Hardware platform: x86_64
Hostname: r2d2
---------------------------------------------------
Profiles: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /etc/lynis/plugins
---------------------------------------------------
Auditor: [Not Specified]
Language: pt
Test category: all
Test group: all
---------------------------------------------------
- Program update status... [ NO UPDATE ]
[+] System tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (Phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugin: debian
[
[+] Debian Tests
------------------------------------
- Checking for system binaries that are required by Debian Tests...
- Checking /bin... [ FOUND ]
- Checking /sbin... [ FOUND ]
- Checking /usr/bin... [ FOUND ]
- Checking /usr/sbin... [ FOUND ]
- Checking /usr/local/bin... [ FOUND ]
- Checking /usr/local/sbin... [ FOUND ]
- Authentication:
- PAM (Pluggable Authentication Modules):
- libpam-tmpdir [ Not Installed ]
- File System Checks:
- DM-Crypt, Cryptsetup & Cryptmount:
- Checking / on /dev/nvme0n1p3 [ NOT ENCRYPTED ]
- Checking /snap/bare/5 on /var/lib/snapd/snaps/bare_5.snap [ NOT ENCRYPTED ]
- Checking /snap/chromium-ffmpeg/47 on /var/lib/snapd/snaps/chromium-ffmpeg_47.snap [ NOT ENCRYPTED ]
- Checking /snap/chromium-ffmpeg/55 on /var/lib/snapd/snaps/chromium-ffmpeg_55.snap [ NOT ENCRYPTED ]
- Checking /snap/code/165 on /var/lib/snapd/snaps/code_165.snap [ NOT ENCRYPTED ]
- Checking /snap/code/164 on /var/lib/snapd/snaps/code_164.snap [ NOT ENCRYPTED ]
- Checking /snap/core/16928 on /var/lib/snapd/snaps/core_16928.snap [ NOT ENCRYPTED ]
- Checking /snap/core/17200 on /var/lib/snapd/snaps/core_17200.snap [ NOT ENCRYPTED ]
- Checking /snap/core18/2823 on /var/lib/snapd/snaps/core18_2823.snap [ NOT ENCRYPTED ]
- Checking /snap/core18/2829 on /var/lib/snapd/snaps/core18_2829.snap [ NOT ENCRYPTED ]
- Checking /snap/core20/2318 on /var/lib/snapd/snaps/core20_2318.snap [ NOT ENCRYPTED ]
- Checking /snap/core20/2264 on /var/lib/snapd/snaps/core20_2264.snap [ NOT ENCRYPTED ]
- Checking /snap/core22/1380 on /var/lib/snapd/snaps/core22_1380.snap [ NOT ENCRYPTED ]
- Checking /snap/core24/423 on /var/lib/snapd/snaps/core24_423.snap [ NOT ENCRYPTED ]
- Checking /snap/dgen/1 on /var/lib/snapd/snaps/dgen_1.snap [ NOT ENCRYPTED ]
- Checking /snap/firefox/4539 on /var/lib/snapd/snaps/firefox_4539.snap [ NOT ENCRYPTED ]
- Checking /snap/firefox/4650 on /var/lib/snapd/snaps/firefox_4650.snap [ NOT ENCRYPTED ]
- Checking /snap/gnome-3-28-1804/198 on /var/lib/snapd/snaps/gnome-3-28-1804_198.snap [ NOT ENCRYPTED ]
- Checking /snap/gnome-3-38-2004/112 on /var/lib/snapd/snaps/gnome-3-38-2004_112.snap [ NOT ENCRYPTED ]
- Checking /snap/gnome-3-38-2004/143 on /var/lib/snapd/snaps/gnome-3-38-2004_143.snap [ NOT ENCRYPTED ]
- Checking /snap/gnome-42-2204/172 on /var/lib/snapd/snaps/gnome-42-2204_172.snap [ NOT ENCRYPTED ]
- Checking /snap/gnome-42-2204/176 on /var/lib/snapd/snaps/gnome-42-2204_176.snap [ NOT ENCRYPTED ]
- Checking /snap/gtk-common-themes/1535 on /var/lib/snapd/snaps/gtk-common-themes_1535.snap [ NOT ENCRYPTED ]
- Checking /snap/kf5-5-110-qt-5-15-11-core22/3 on /var/lib/snapd/snaps/kf5-5-110-qt-5-15-11-core22_3.snap [ NOT ENCRYPTED ]
- Checking /snap/kpat/87 on /var/lib/snapd/snaps/kpat_87.snap [ NOT ENCRYPTED ]
- Checking /snap/marktext/9 on /var/lib/snapd/snaps/marktext_9.snap [ NOT ENCRYPTED ]
- Checking /snap/opera/321 on /var/lib/snapd/snaps/opera_321.snap [ NOT ENCRYPTED ]
- Checking /snap/skype/351 on /var/lib/snapd/snaps/skype_351.snap [ NOT ENCRYPTED ]
- Checking /snap/skype/353 on /var/lib/snapd/snaps/skype_353.snap [ NOT ENCRYPTED ]
- Checking /snap/snap-store/1113 on /var/lib/snapd/snaps/snap-store_1113.snap [ NOT ENCRYPTED ]
- Checking /snap/snap-store/959 on /var/lib/snapd/snaps/snap-store_959.snap [ NOT ENCRYPTED ]
- Checking /snap/snapd/21465 on /var/lib/snapd/snaps/snapd_21465.snap [ NOT ENCRYPTED ]
- Checking /snap/snapd/21759 on /var/lib/snapd/snaps/snapd_21759.snap [ NOT ENCRYPTED ]
- Checking /snap/snapd-desktop-integration/157 on /var/lib/snapd/snaps/snapd-desktop-integration_157.snap [ NOT ENCRYPTED ]
- Checking /snap/snapd-desktop-integration/83 on /var/lib/snapd/snaps/snapd-desktop-integration_83.snap [ NOT ENCRYPTED ]
- Checking /snap/telegram-desktop/6055 on /var/lib/snapd/snaps/telegram-desktop_605
...........
...........
...........
...........
* Enable sysstat to collect accounting (no results) [ACCT-9626]
https://cisofy.com/lynis/controls/ACCT-9626/
* Enable auditd to collect audit information [ACCT-9628]
https://cisofy.com/lynis/controls/ACCT-9628/
* Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
https://cisofy.com/lynis/controls/FINT-4350/
* Determine if automation tools are present for system management [TOOL-5002]
https://cisofy.com/lynis/controls/TOOL-5002/
* Consider restricting file permissions [FILE-7524]
- Details : See screen output or log file
- Solution : Use chmod to change file permissions
https://cisofy.com/lynis/controls/FILE-7524/
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
- Solution : Change sysctl value or disable test (skip-test=KRNL-6000:)
https://cisofy.com/lynis/controls/KRNL-6000/
* Harden compilers like restricting access to root user only [HRDN-7222]
https://cisofy.com/lynis/controls/HRDN-7222/
* Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
- Solution : Install a tool like rkhunter, chkrootkit, OSSEC
https://cisofy.com/lynis/controls/HRDN-7230/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 51 [########## ]
Tests performed : 267
Plugins enabled : 1
Components:
- Firewall [V]
- Malware scanner [X]
Scan mode:
Normal [V] Forensics [ ] Integration [ ] Pentest [ ]
Lynis modules:
- Compliance status [?]
- Security audit [V]
- Vulnerability scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Lynis 3.0.7
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2021, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
================================================================================
[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
After the run, Lynis writes a machine-readable report to /var/log/lynis-report.dat (the human-readable log with per-test details is /var/log/lynis.log). Both files are readable by root only, hence the sudo. To focus on warnings and suggestions:
nathaniel@morais:~$ sudo grep -E "^warning|^suggestion" /var/log/lynis-report.dat
suggestion[]=LYNIS|This release is more than 4 months old. Check the website or GitHub to see if there is an update available.|-|-|
suggestion[]=DEB-0280|Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions|-|-|
suggestion[]=DEB-0810|Install apt-listbugs to display a list of critical bugs prior to each APT installation.|-|-|
suggestion[]=DEB-0811|Install apt-listchanges to display any significant changes prior to any upgrade via APT.|-|-|
suggestion[]=DEB-0831|Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting.|-|-|
suggestion[]=DEB-0880|Install fail2ban to automatically ban hosts that commit multiple authentication errors.|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)|-|-|
suggestion[]=BOOT-5264|Consider hardening system services|Run '/usr/bin/systemd-analyze security SERVICE' for each service|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9230|Configure password hashing rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separate partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separate partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separate partition|-|-|
suggestion[]=FILE-6410|The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file.|-|-|
suggestion[]=USB-1000|Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft|-|-|
suggestion[]=STRG-1928|/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system|-|-|
warning[]=NAME-4018|Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration|-|-|
suggestion[]=NAME-4028|Check DNS configuration for the dns domain name|-|-|
suggestion[]=PKGS-7346|Purge old/removed packages (50 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts.|-|-|
suggestion[]=PKGS-7370|Install debsums utility for the verification of packages with known good database.|-|-|
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=PKGS-7392|Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades|-|-|
suggestion[]=PKGS-7394|Install package apt-show-versions for patch management purposes|-|-|
suggestion[]=PKGS-7410|Remove any unneeded kernel packages|17 kernels|text:validate dpkg -l output and perform cleanup with apt autoremove|
suggestion[]=NETW-3200|Determine if protocol 'dccp' is really needed on this system|-|-|
suggestion[]=NETW-3200|Determine if protocol 'sctp' is really needed on this system|-|-|
suggestion[]=NETW-3200|Determine if protocol 'rds' is really needed on this system|-|-|
suggestion[]=NETW-3200|Determine if protocol 'tipc' is really needed on this system|-|-|
suggestion[]=PRNT-2307|Access to CUPS configuration could be more strict.|-|-|
suggestion[]=PRNT-2308|Check CUPS configuration if it really needs to listen on the network|-|-|
suggestion[]=FIRE-4513|Check iptables rules to see which rules are currently not used|-|-|
suggestion[]=HTTP-6640|Install Apache mod_evasive to guard webserver against DoS/brute force attempts|-|-|
suggestion[]=HTTP-6643|Install Apache modsecurity to guard webserver against web application attacks|-|-|
suggestion[]=LOGG-2154|Enable logging to an external logging host for archiving purposes and additional protection|-|-|
suggestion[]=LOGG-2190|Check what deleted files are still in use and why.|-|-|
suggestion[]=BANN-7126|Add a legal banner to /etc/issue, to warn unauthorized users|-|-|
suggestion[]=BANN-7130|Add legal banner to /etc/issue.net, to warn unauthorized users|-|-|
suggestion[]=ACCT-9622|Enable process accounting|-|-|
suggestion[]=ACCT-9626|Enable sysstat to collect accounting (no results)|-|-|
suggestion[]=ACCT-9628|Enable auditd to collect audit information|-|-|
suggestion[]=FINT-4350|Install a file integrity tool to monitor changes to critical and sensitive files|-|-|
suggestion[]=TOOL-5002|Determine if automation tools are present for system management|-|-|
suggestion[]=FILE-7524|Consider restricting file permissions|See screen output or log file|text:Use chmod to change file permissions|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked||Change sysctl value or disable test (skip-test=KRNL-6000:)|
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner, to perform periodic file system scans|-|Install a tool like rkhunter, chkrootkit, OSSEC|
Each line has the form:
type[]=TEST-ID|Message|Details|Solution|
where type is either warning or suggestion, a bare - marks an empty field, and solutions are sometimes prefixed with text:. Warnings are the findings to address first; suggestions are hardening recommendations that may or may not apply to your role for the machine.
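The format above is regular enough to parse with awk. The script below is an added example, not part of the original post and not code from the Lynis project: it reads report lines from an embedded, constructed sample (entries copied from the scan above, plus the FILE-7524 entry to show the text: prefix being stripped) and extracts the test ID, message and solution for each warning or suggestion.

```shell
#!/usr/bin/env bash
# Added example: parse lynis-report.dat lines of the form
#   type[]=TEST-ID|message|details|solution|
# and summarise them. Runs offline against the constructed sample below.

# Constructed sample (lines taken from the scan above, plus FILE-7524).
SAMPLE_REPORT=$(cat <<'EOF'
report_version_major=1
suggestion[]=DEB-0280|Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
warning[]=NAME-4018|Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration|-|-|
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=PKGS-7392|Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades|-|-|
suggestion[]=FILE-7524|Consider restricting file permissions|See screen output or log file|text:Use chmod to change file permissions|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked||Change sysctl value or disable test (skip-test=KRNL-6000:)|
hardening_index=51
EOF
)

# lynis_findings TYPE  (TYPE = warning | suggestion)
# Reads report lines on stdin and prints "TEST-ID<TAB>message<TAB>solution"
# for every line of that type. The "-" placeholder and the "text:" prefix
# Lynis uses in the solution field are normalised.
lynis_findings() {
  awk -F'|' -v type="$1" '
    index($0, type "[]=") == 1 {
      id  = substr($1, length(type) + 4)   # drop the leading "type[]="
      sol = $4
      sub(/^text:/, "", sol)
      if (sol == "-" || sol == "") sol = "(none given)"
      printf "%s\t%s\t%s\n", id, $2, sol
    }'
}

# count_findings TYPE -> number of findings of that type in the sample
count_findings() {
  printf '%s\n' "$SAMPLE_REPORT" | lynis_findings "$1" | wc -l | tr -d ' '
}

# tests_with_warning -> space-separated unique TEST-IDs that raised a warning
tests_with_warning() {
  printf '%s\n' "$SAMPLE_REPORT" | lynis_findings warning \
    | cut -f1 | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# solution_for TEST-ID -> the solution recorded for that suggestion
solution_for() {
  printf '%s\n' "$SAMPLE_REPORT" | lynis_findings suggestion \
    | awk -F'\t' -v id="$1" '$1 == id { print $3; exit }'
}

# Stand-alone run: summarise the embedded sample.
printf 'warnings: %s  suggestions: %s\n' "$(count_findings warning)" "$(count_findings suggestion)"
printf 'tests with warnings: %s\n' "$(tests_with_warning)"
printf '%s\n' "$SAMPLE_REPORT" | lynis_findings suggestion
```

To use it on a real host, feed the actual report in instead of the sample: sudo cat /var/log/lynis-report.dat | lynis_findings warning. Splitting on | is safe because Lynis does not use that character inside the message fields.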
Resolving Common Findings
- Outdated Lynis: the Ubuntu 22.04 package is 3.0.7, and the scan itself warns that the release is more than four months old. Newer releases are available from CISOfy's package repository or by cloning https://github.com/CISOfy/lynis and running ./lynis audit system from the checkout.
- PAM (Pluggable Authentication Modules): install libpam-tmpdir (sudo apt install libpam-tmpdir) so every PAM session gets a private $TMPDIR instead of sharing /tmp.
- Disk encryption: decide whether full-disk encryption (LUKS via dm-crypt) is needed for your partitions. The many /snap/... entries are read-only squashfs images and will always show as NOT ENCRYPTED; the finding that matters is the root filesystem on /dev/nvme0n1p3.
- File integrity monitoring: install a tool such as AIDE or Tripwire (FINT-4350) to detect unauthorised changes to critical files. Initialise its database from a known-good state and keep a copy off the host, otherwise an attacker with root can simply re-baseline it.
- System management automation: use a tool such as Ansible to automate configuration and patching (TOOL-5002), so that the fixes below are applied consistently and re-applied after rebuilds.
- File permissions: run sudo lynis show details FILE-7524 to see exactly which files were flagged, then tighten them with chmod (and chown where ownership is the problem) so that only authorised users have access.
- sysctl values: run sudo lynis show details KRNL-6000 to list the keys that differ from the scan profile, set them in a drop-in such as /etc/sysctl.d/99-hardening.conf (or /etc/sysctl.conf) and apply them with sudo sysctl --system.
- Compilers: restrict gcc, g++ and friends to root if no other user needs them (HRDN-7222). Use dpkg-statoverride rather than a bare chmod so the change survives package upgrades, and apply it to the real binaries the /usr/bin/gcc and /usr/bin/g++ symlinks resolve to (readlink -f /usr/bin/gcc), not to the symlinks.
- Malware scanner: install and configure a scanner and schedule periodic scans (HRDN-7230). The report suggests rkhunter, chkrootkit or OSSEC; ClamAV is another option.
- Partitioning: consider separate partitions for /home, /tmp and /var (FILE-6310) so that a filled-up filesystem cannot take down the whole system and so that mount options such as nodev, nosuid and noexec can be applied per mount point. This is practical mainly at install time or with spare LVM space.
- locate database: run sudo updatedb (FILE-6410) to create the database for the locate tool.
- USB drivers: disable USB mass storage if it is not used (USB-1000), for example with an install usb-storage /bin/true line in a file under /etc/modprobe.d/, to prevent unauthorised storage devices and data theft.
- NFS (Network File System): the report shows the NFS daemon running with nothing exported in /etc/exports (STRG-1928). If NFS is not needed, disable it: sudo systemctl disable --now nfs-kernel-server.
- DNS configuration: fix the duplicate search lines (NAME-4018). On Ubuntu 22.04 /etc/resolv.conf is generated by systemd-resolved, so correct the netplan or systemd-resolved configuration rather than editing the file directly, or the change will be overwritten.
- Old packages: purge the leftover configuration of removed packages (PKGS-7346) with sudo apt purge, for example sudo apt purge $(dpkg -l | awk '/^rc/ {print $2}'), and remove unneeded kernels (PKGS-7410, 17 found here) with sudo apt autoremove. Keep at least one known-good kernel besides the running one.
- Vulnerable packages: keep the system updated with sudo apt update && sudo apt upgrade, and consider enabling unattended-upgrades for security updates (PKGS-7392).
- Network protocols: disable unneeded protocols such as DCCP, SCTP, RDS and TIPC (NETW-3200) with modprobe rules in /etc/modprobe.d/ to reduce the kernel attack surface.
- CUPS (printing system): tighten the permissions on the CUPS configuration (PRNT-2307) and, if network printing is not needed, make it listen on localhost only (Listen localhost:631 in /etc/cups/cupsd.conf) (PRNT-2308).
- iptables rules: review the firewall rules and remove or adjust those that are not in use (FIRE-4513).
- Accounting and auditing: enable process accounting and install auditd (ACCT-9622, ACCT-9628) so that privileged activity is logged; without it, the forensic trail after an incident is limited to syslog.
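Several of the items above are plain file checks, and it is worth being able to verify them without re-running the full audit. The script below is an added example, not part of the original post and not Lynis code: it checks the password-ageing and umask settings in a login.defs file (the AUTH-9286 and AUTH-9328 items) and whether a set of kernel modules is disabled under a modprobe.d directory (the NETW-3200 and USB-1000 items). It runs offline against constructed sample files; the weak sample mirrors Ubuntu's stock login.defs values, and the thresholds (365-day maximum, 1-day minimum, umask 027) are this example's own, not Lynis's exact ones. Point the functions at /etc/login.defs and /etc/modprobe.d to check a live host.

```shell
#!/usr/bin/env bash
# Added example: file-level pre-checks for a few Lynis findings.
# Thresholds are the example's own (assumption), not Lynis's internal values.

# login_defs_value FILE KEY -> effective value of KEY in a login.defs file
# (last uncommented assignment wins); empty string if unset.
login_defs_value() {
  awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# check_login_defs FILE -> prints one line per failing setting,
# returns 0 only if every setting passes.
check_login_defs() {
  local f="$1" rc=0 v
  v=$(login_defs_value "$f" PASS_MAX_DAYS)
  if [ -z "$v" ] || [ "$v" -gt 365 ]; then
    echo "AUTH-9286 PASS_MAX_DAYS is '${v:-unset}', want <= 365"; rc=1
  fi
  v=$(login_defs_value "$f" PASS_MIN_DAYS)
  if [ -z "$v" ] || [ "$v" -lt 1 ]; then
    echo "AUTH-9286 PASS_MIN_DAYS is '${v:-unset}', want >= 1"; rc=1
  fi
  v=$(login_defs_value "$f" UMASK)
  if [ "$v" != "027" ] && [ "$v" != "077" ]; then
    echo "AUTH-9328 UMASK is '${v:-unset}', want 027 or stricter"; rc=1
  fi
  return $rc
}

# check_modprobe_blacklist DIR MODULE... -> lists modules that are neither
# "install MODULE /bin/true|false" nor "blacklist MODULE" in DIR/*.conf,
# returns 0 only if all are disabled.
check_modprobe_blacklist() {
  local dir="$1" p rc=0
  shift
  for p in "$@"; do
    if ! grep -Eqs "^(install[[:space:]]+$p[[:space:]]+/bin/(true|false)|blacklist[[:space:]]+$p)([[:space:]]|$)" \
         "$dir"/*.conf 2>/dev/null; then
      echo "NETW-3200/USB-1000 module '$p' is not disabled in $dir"; rc=1
    fi
  done
  return $rc
}

# Constructed samples. The weak file mirrors Ubuntu 22.04's stock values.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat >"$WORK/login.defs.weak" <<'EOF'
# stock-style /etc/login.defs excerpt
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           022
EOF
cat >"$WORK/login.defs.hardened" <<'EOF'
PASS_MAX_DAYS   365
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
UMASK           027
EOF
mkdir -p "$WORK/modprobe.d"
cat >"$WORK/modprobe.d/lynis-hardening.conf" <<'EOF'
# Disable rarely used network protocols and USB mass storage
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install usb-storage /bin/true
EOF

# Stand-alone run: the weak file fails, the hardened file and module list pass.
echo "== weak login.defs";     check_login_defs "$WORK/login.defs.weak" || true
echo "== hardened login.defs"; check_login_defs "$WORK/login.defs.hardened" && echo ok
echo "== modprobe.d";          check_modprobe_blacklist "$WORK/modprobe.d" dccp sctp rds tipc usb-storage && echo ok
```

The hardened login.defs and modprobe fragments in the samples are the shape of the fix for those findings; after copying them into place, re-run sudo lynis audit system and confirm the corresponding suggestions disappear rather than trusting this pre-check alone.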
Conclusion
Lynis is a practical tool for keeping an Ubuntu system hardened. Working through the warnings and suggestions in its report reduces the attack surface and limits the damage a compromise can do; it does not by itself guarantee anything. Re-run the audit after each change and track the hardening index over time: the 51 scored here is a reasonable desktop baseline but leaves plenty of room for improvement.