Lynis a 5 min entertainment break from studying for V.T.


abarbarian

Studying can be a real drag if you never take a break. So I found this little gem which should provide some relief from the drudgery. :laugh:

 

http://www.unixmen.com/audit-the-security-of-your-unixlinux-systems-using-lynis/

 

 

Lynis is an auditing tool for Unix/Linux-like systems. It scans the whole system for security issues, installed software information, general system information, configuration issues or mistakes, software patch management, malware and vulnerabilities, firewall auditing, user accounts without passwords, invalid file permissions and much more.

 

 

This tool is quite often used by novice system administrators, system auditors, and network and security specialists. Its notable feature is that it is easy to use: it tests and gathers the Linux system's security information in a few minutes. Sounds good, why don't you give it a try?

 

 

http://www.rootkit.nl/files/lynis-documentation.html

 

https://aur.archlinux.org/packages/lynis/

 

Well I gave the program a run through on my home pc. Worked just fine and gave these warnings,

 

# grep Warning /var/log/lynis.log
[11:07:04] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
[11:07:23] Warning: pwck found one or more errors/warnings in the password file [test:AUTH-9228] [impact:M]
[11:09:17] Warning: No syslog daemon found [test:LOGG-2130] [impact:H]
[11:09:18] Warning: klogd is not running, which could lead to missing kernel messages in log files [test:LOGG-2138] [impact:L]

 

and these suggestions,


# grep Suggestion /var/log/lynis.log
[11:07:04] Suggestion: Run grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> [test:BOOT-5121]
[11:07:23] Suggestion: Run pwck manually and correct found issues. [test:AUTH-9228]
[11:07:25] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
[11:07:25] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
[11:07:25] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[11:08:21] Suggestion: The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [test:FILE-6410]
[11:08:21] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
[11:08:21] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
[11:09:02] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
[11:09:17] Suggestion: Check if any syslog daemon is running and correctly configured. [test:LOGG-2130]
[11:09:18] Suggestion: Check why klogd is not running [test:LOGG-2138]
[11:10:38] Suggestion: Add legal banner to /etc/motd, to warn unauthorized users [test:BANN-7122]
[11:10:38] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
[11:10:55] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]
[11:11:14] Suggestion: Install a file integrity tool [test:FINT-4350]
[11:11:31] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]
[11:11:36] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
[11:11:36] Suggestion: Harden compilers and restrict access to world [test:HRDN-7222]
[11:11:36] Suggestion: Harden the system by installing one or malware scanners to perform periodic file system scans [test:HRDN-7230]

 

There is tons of stuff in the suggestions list and I am not sure how to do everything it suggests, or even if I need to act on everything.

 

Can someone suggest a decent, simple to use "file integrity tool"?

Can a network expert help me to "Configure a firewall/packet filter to filter incoming and outgoing traffic"?

Can someone give a very brief explanation of this: "Default umask in /etc/profile could be more strict like 027"?

 

Thanks in advance :breakfast: and happy playing Eric. :harhar:

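Rather than grepping Warning and Suggestion lines separately, the two can be paired by test ID and ordered by impact so the "H" items are dealt with first. This is an added example, not code from the thread or from Lynis itself; the log lines are a constructed sample in the same format as the /var/log/lynis.log excerpt above.

```python
import re

# Constructed sample in the format of the /var/log/lynis.log excerpt above (not a real scan).
SAMPLE_LOG = """\
[11:07:04] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
[11:07:04] Suggestion: Run grub-md5-crypt and create a hashed password [test:BOOT-5121]
[11:07:23] Warning: pwck found one or more errors/warnings in the password file [test:AUTH-9228] [impact:M]
[11:07:23] Suggestion: Run pwck manually and correct found issues. [test:AUTH-9228]
[11:09:02] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
[11:09:17] Warning: No syslog daemon found [test:LOGG-2130] [impact:H]
[11:09:18] Warning: klogd is not running, which could lead to missing kernel messages in log files [test:LOGG-2138] [impact:L]
[11:11:14] Suggestion: Install a file integrity tool [test:FINT-4350]
"""

# One finding per line: time, kind, free text, test id, and (for warnings) an impact letter.
LINE_RE = re.compile(
    r"^\[(?P<time>\d\d:\d\d:\d\d)\] (?P<kind>Warning|Suggestion): (?P<msg>.*?) "
    r"\[test:(?P<test>[A-Z]{3,4}-\d{4})\](?: \[impact:(?P<impact>[HML])\])?\s*$"
)
IMPACT_RANK = {"H": 0, "M": 1, "L": 2}

def parse_lynis_log(text):
    """Return a dict per Warning/Suggestion line; other log chatter is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def warnings_by_impact(findings):
    """Warnings ordered high impact first, as (impact, test id, message) tuples."""
    warns = [f for f in findings if f["kind"] == "Warning"]
    warns.sort(key=lambda f: (IMPACT_RANK[f["impact"]], f["test"]))
    return [(f["impact"], f["test"], f["msg"]) for f in warns]

def suggestions_for(findings, test_id):
    """Suggestion texts sharing a test id with a warning, i.e. the fix Lynis proposes."""
    return [f["msg"] for f in findings if f["kind"] == "Suggestion" and f["test"] == test_id]

def triage(text):
    """Pair each warning with its suggestion so the high-impact items can be worked first."""
    findings = parse_lynis_log(text)
    return [
        {"impact": imp, "test": tid, "warning": msg, "fixes": suggestions_for(findings, tid)}
        for imp, tid, msg in warnings_by_impact(findings)
    ]

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"[{item['impact']}] {item['test']}: {item['warning']}")
        for fix in item["fixes"]:
            print(f"      -> {fix}")
```

Feed it the real file with `triage(open("/var/log/lynis.log").read())`; suggestions with no matching warning (like FIRE-4590 above) are informational and can be listed separately.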

V.T. Eric Layton


Cool, but no time to build from source for Slackware... too lazy, actually. :)

 

Umask help --> http://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html

 

IPtables --> https://en.wikipedia.org/wiki/Iptables

 

fsck --> http://linux.about.com/od/lsa_guide/a/gdelsa35t08.htm (a very powerful file integrity checker that you already have on your system)

 

Have funzies! :)

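For the umask question: an added example, not from this thread or from the linked guide, that computes and then verifies on a real filesystem what a umask of 027 leaves on new files (640) and directories (750) compared with the 022 default. It assumes POSIX semantics (Linux): the kernel clears every permission bit set in the umask from the mode a program asks for, and the setting only affects files created after it takes effect, never existing ones.

```python
import os
import stat
import tempfile

# Modes that open(2)/mkdir(2) are asked for by most programs before the umask is applied.
FILE_REQUEST = 0o666
DIR_REQUEST = 0o777

def effective_mode(requested, umask):
    """The kernel clears every permission bit that is set in the umask."""
    return requested & ~umask & 0o777

def explain(umask):
    """Human-readable summary of what a umask leaves for new files and directories."""
    fmode = effective_mode(FILE_REQUEST, umask)
    return {
        "umask": f"{umask:03o}",
        "file": f"{fmode:03o}",
        "dir": f"{effective_mode(DIR_REQUEST, umask):03o}",
        "group_can_write": bool(fmode & stat.S_IWGRP),   # 027 and 022 both clear this
        "others_can_read": bool(fmode & stat.S_IROTH),   # 027 clears this, 022 does not
    }

def observe(umask):
    """Create a real file and directory under the umask and read back the modes the kernel set."""
    previous = os.umask(umask)            # umask is process-wide, so remember the old value
    try:
        with tempfile.TemporaryDirectory() as tmp:
            fpath, dpath = os.path.join(tmp, "f"), os.path.join(tmp, "d")
            with open(fpath, "w") as fh:  # Python's open() requests 0o666
                fh.write("x")
            os.mkdir(dpath)               # os.mkdir() requests 0o777 by default
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(previous)

if __name__ == "__main__":
    for mask in (0o022, 0o027):
        print(explain(mask), "observed:", tuple(f"{m:03o}" for m in observe(mask)))
```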

securitybreach

These two are pointless on Arch:

[11:09:17] Warning: No syslog daemon found [test:LOGG-2130] [impact:H]

[11:09:18] Warning: klogd is not running, which could lead to missing

 

Arch does not use syslog as systemd's journal system replaces it.

 

Also, klogd was replaced by syslog on systems running systemd.


Ok ta.

 

Eric ta fer the links though only one was useful. I think that

 

http://afick.sourceforge.net/

 

https://help.ubuntu.com/community/FileIntegrityAIDE

 

Afick or AIDE are the type of file integrity tools I was looking for, rather than fsck.

 

IPtables just makes me shudder and go weak at the knees, so I'll leave that exploration for another day.

 

I could understand umask so I had a twiddle around with it.

Seems my Arch has 022 for root and user. So I changed it to 027 as per the guide an me system crashed. No probs I thought, change it back again from a tty, which I did. Still have a crashed system.

E17, Window Maker and TWM all refuse to play; it seems something has borked me X (X11 or xorg-server or whatever it is called), so I am now posting from W7. At first I thought E17 was to blame, but it looks like me fiddling with umask has done something, or it could just be coincidental. Anyways, I can still access Arch via the cli and mostly it seems ok, apart from me kb seems to have a different layout.

So have I got a nuked system or will it live to ride another day ?

Time will tell.

:whistling:


V.T. Eric Layton
Install ARCH

You'll never need to install it again

"I did and I'm really happy"

 

As long as you don't p*ss around with it too much. ;)


As long as you don't p*ss around with it too much. ;)

 

Or follow any guides on the internet. :228823:

 

Thanks for the link which I have read through before. Still makes me shudder. I think I'll leave iptables for another day after reading through this follow up guide.

 

https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall#Example_rules_file

 

I have me Arch back again. The problem it would seem was not with X but is related to E17 I think. I managed to fiddle a little and now am back with Window Maker. Funnily enough I have been reading up on WM lately with a view to running it again.

 

Oh an just to give you all a good laugh. I badgered loads of folk to do regular backups. I read all about how to do backups several different ways. Did I do even one backup never mind regular ones. Answers on a pin head please to the usual addy. :cool:


I can't say I'm worried about any of those warnings or suggestions for my home system. Maybe different for an enterprise system or if you had sensitive information stored.


securitybreach

I can't say I'm worried about any of those warnings or suggestions for my home system. Maybe different for an enterprise system or if you had sensitive information stored.

 

Same here


Well it was a post aimed at Eric, thought it might be useful for him in his new career as a network geek.

 

So you more experienced folk don't think it is worth doing any of these then,

 

Default umask in /etc/profile could be more strict like 027

Configure a firewall/packet filter to filter incoming and outgoing traffic

Install a file integrity tool (Like AIDE)

Harden the system by installing one or malware scanners to perform periodic file system scans

 

:shifty:


umask - only for enterprise

firewall - netfilter filters incoming by default on most Linux systems, and is doubly safe if you're behind a NAT router

file integrity tool - just run regular backups

malware scanner - only if you interact with Windows files, eg. mail server

abarbarian

I wonder how many badgers there are in the backyard now. 🤩

 

I came across a recent article on lynis and thought I had come across this program before so I am posting here in this old thread as opposed to starting a new thread.

 

Scan your Linux security with Lynis

Lynis home site - documentation

 

https://www.archlinux.org/packages/community/any/lynis/

 

This article is out of date as lynis is now in the Arch Community repository. The article gives some examples of how to use it though.

 

How To Check The Security Of A Linux PC With Lynis

 

Lynis is mentioned here way back in 2009,

 

https://forums.scotsnewsletter.com/index.php?/topic/24608-using-cronsendmailthunderird/&tab=comments#comment-267535

 

Running lynis on my Arch set up gives me a Hardening Index score of 69,

 

 Lynis security scan details:

  Hardening index : 69 [#############       ]
  Tests performed : 216
  Plugins enabled : 0

Lynis threw up several items I could look into changing, nothing major but useful nonetheless.

 

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
      https://cisofy.com/lynis/controls/STRG-1840/

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
      https://cisofy.com/lynis/controls/STRG-1846/

  * Turn off PHP information exposure [PHP-2372]
    - Details  : expose_php = Off
      https://cisofy.com/lynis/controls/PHP-2372/

  * Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376]
      https://cisofy.com/lynis/controls/PHP-2376/

  * Check what deleted files are still in use and why. [LOGG-2190]
      https://cisofy.com/lynis/controls/LOGG-2190/

  * Use NTP daemon or NTP client to prevent time issues. [TIME-3104]
      https://cisofy.com/lynis/controls/TIME-3104/

  * Harden compilers like restricting access to root user only [HRDN-7222]
      https://cisofy.com/lynis/controls/HRDN-7222/

I'll look into the above and see what's what; none of them seem like serious security breaches though.

 

One aspect of lynis that may be of interest is that you can do an audit of any Docker instances you have on your system.

 

I would be interested to see what Hardening Index score other folk get on their systems.

 

😎

 

 


abarbarian
37 minutes ago, abarbarian said:

* Use NTP daemon or NTP client to prevent time issues. [TIME-3104] https://cisofy.com/lynis/controls/TIME-3104/

 

Lynis threw up the above and I was curious as to why, so off I went to investigate. I thought I had set up time synchronisation as per the Arch install guide.

 

It seems I had, by using a systemd service:

 

[longship@09:40:35 ~]$ timedatectl status
               Local time: Thu 2020-05-14 09:41:01 BST
           Universal time: Thu 2020-05-14 08:41:01 UTC
                 RTC time: Thu 2020-05-14 08:41:14    
                Time zone: Europe/London (BST, +0100) 
System clock synchronized: no                         
              NTP service: inactive                   
          RTC in local TZ: no   

 

This showed that my time was set correctly. However, it looks like the system clock was not synchronised and the NTP service was inactive. I was not sure what that meant, so I had a look at the Arch wiki and followed this instruction

 

$ sudo timedatectl set-ntp true

 

which gave me this result

 

[longship@09:41:59 ~]$ timedatectl status
               Local time: Thu 2020-05-14 09:44:09 BST
           Universal time: Thu 2020-05-14 08:44:09 UTC
                 RTC time: Thu 2020-05-14 08:44:09    
                Time zone: Europe/London (BST, +0100) 
System clock synchronized: yes                        
              NTP service: active                     
          RTC in local TZ: no      

Am a bit puzzled as my pc time showed the correct time before doing the above. So how did the pc get the correct time? And was the systemd service running correctly before I made the change? Did I even need to make the change? Did I ever have the systemd service running? If not, how did the pc know the time?

 

Am baffled.

 

🧐


V.T. Eric Layton

Hmm... too much systemd in this thread. It's all Geek to me. ;)

 

2013. Wow. That seems forever-ago. I remember playing network geek back then. It was mostly time wasted, sadly. Never earned me a cent... the Cisco Cert, that is. Seems certs, knowledge, and vast amounts of experience are no longer things that are considered by employers these days; particularly if the applicant is over 45 years of age.

 

Just one more thing on the long list of things that's wrong with our modern world.

 

/mini-rant


securitybreach

Most large companies still need people with a CCNA (Cisco Certified Network Associate) cert. If you work in networking or telecom, it's a requirement.

 

Quote

Seems certs, knowledge, and vast amounts of experience are no longer things that are considered by employers these days

 

Of course they are considered. The ones coming out of college are mostly still morons; the experienced guys mentor them, otherwise they would fail miserably. I would hire a self-taught person any day over someone with multiple degrees and such. The self-taught guy learned because he was interested and not just for a career. You want smart people, and college degrees don't always mean smart people. I have had high-level engineers making 200k a year not realize that their monitor needed power to turn on. I had one guy tell me that he thought it was wireless, like we have wireless electricity.

 

I have a couple of coworkers who didn't go to college or went for something completely unrelated who can run circles around some of the younger guys out of school.
