abarbarian

Lynis a 5 min entertainment break from studying for V.T.

Recommended Posts

Studying can be a real drag if you never take a break. So I found this little gem which should provide some relief from the drudgery. :laugh:

 

http://www.unixmen.com/audit-the-security-of-your-unixlinux-systems-using-lynis/

 

 

Lynis is an auditing tool for unix/linux like systems which is used to scan the entire unix/linux system for security issues, installed software information, general system information, configuration issues or mistakes, software patch management, malware and vulnerability, firewall auditing, user accounts without passwords, invalid file permissions and many more.

 

 

This tool is quite often used by novice system administrators, system auditors, network and security specialists. The notable feature of this tool is that it is easy to use and it tests and gathers the linux system's security information in a few minutes. Sounds good, why don’t you give it a try?

 

 

http://www.rootkit.nl/files/lynis-documentation.html

 

https://aur.archlinux.org/packages/lynis/

 

Well I gave the program a run through on my home pc. Worked just fine and gave these warnings,

 

# grep Warning /var/log/lynis.log

[11:07:04] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]

[11:07:23] Warning: pwck found one or more errors/warnings in the password file [test:AUTH-9228] [impact:M]

[11:09:17] Warning: No syslog daemon found [test:LOGG-2130] [impact:H]

[11:09:18] Warning: klogd is not running, which could lead to missing kernel messages in log files [test:LOGG-2138] [impact:L]

 

and these suggestions,

 

 

 

# grep Suggestion /var/log/lynis.log

[11:07:04] Suggestion: Run grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> [test:BOOT-5121]

[11:07:23] Suggestion: Run pwck manually and correct found issues. [test:AUTH-9228]

[11:07:25] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]

[11:07:25] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]

[11:07:25] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]

[11:08:21] Suggestion: The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [test:FILE-6410]

[11:08:21] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]

[11:08:21] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]

[11:09:02] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]

[11:09:17] Suggestion: Check if any syslog daemon is running and correctly configured. [test:LOGG-2130]

[11:09:18] Suggestion: Check why klogd is not running [test:LOGG-2138]

[11:10:38] Suggestion: Add legal banner to /etc/motd, to warn unauthorized users [test:BANN-7122]

[11:10:38] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]

[11:10:55] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]

[11:11:14] Suggestion: Install a file integrity tool [test:FINT-4350]

[11:11:31] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]

[11:11:36] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]

[11:11:36] Suggestion: Harden compilers and restrict access to world [test:HRDN-7222]

[11:11:36] Suggestion: Harden the system by installing one or malware scanners to perform periodic file system scans [test:HRDN-7230]

 

There is tons of stuff in the suggestions list an I am not sure about how to do everything it suggests or even if I need to act on everything.

 

Can someone suggest a decent simple to use "file integrity tool"

Can a network expert help me to "Configure a firewall/packet filter to filter incoming and outgoing traffic"

Can someone give a very brief explanation of this "Default umask in /etc/profile could be more strict like 027"

 

Thanks in advance :breakfast: and happy playing Eric. :harhar:
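The pasted grep output above is a lot to read through by hand. As an added example (not part of the thread, and not Lynis's own tooling), here is a small POSIX shell script that pulls the test ids out of such a log and orders warnings by impact and suggestions by test area; the sample log is constructed from the lines above, and since a pasted line sometimes loses its closing bracket the patterns do not require it.

```shell
# Added example, not from the thread: summarise Lynis log lines like the
# ones pasted above. Warnings carry "[test:ID] [impact:H|M|L]", suggestions
# only "[test:ID]". The sample below is constructed from those lines; the
# last bracket is sometimes missing in pasted output, so the patterns do
# not require it.
SAMPLE_LOG='[11:07:04] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
[11:07:04] Suggestion: Run grub-md5-crypt and create a hashed password. [test:BOOT-5121]
[11:07:23] Warning: pwck found one or more errors/warnings in the password file [test:AUTH-9228] [impact:M]
[11:07:23] Suggestion: Run pwck manually and correct found issues. [test:AUTH-9228]
[11:07:25] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[11:09:17] Warning: No syslog daemon found [test:LOGG-2130] [impact:H
[11:09:18] Warning: klogd is not running [test:LOGG-2138] [impact:L]
[11:11:36] Suggestion: Harden the system by removing unneeded compilers. [test:HRDN-7220]
[11:11:36] Suggestion: Harden compilers and restrict access to world [test:HRDN-7222]'

# Read a Lynis log on stdin and print "<impact> <test-id>" for each warning,
# highest impact first (H, then M, then L), so the worst findings come first.
warnings_by_impact() {
    grep ' Warning: ' \
    | sed -n 's/.*\[test:\([A-Z0-9-]*\).*\[impact:\([HML]\).*/\2 \1/p' \
    | awk '{ rank = ($1 == "H") ? 0 : (($1 == "M") ? 1 : 2); print rank, $0 }' \
    | sort -k1,1n -k3,3 \
    | cut -d' ' -f2-
}

# Read a Lynis log on stdin and count suggestions per test area (the letters
# before the dash in the test id, e.g. AUTH), most suggestions first.
suggestions_by_area() {
    grep ' Suggestion: ' \
    | sed -n 's/.*\[test:\([A-Z]*\)-[0-9]*.*/\1/p' \
    | awk '{ n[$1]++ } END { for (a in n) print a, n[a] }' \
    | sort -k2,2nr -k1,1
}

printf '%s\n' "$SAMPLE_LOG" | warnings_by_impact
printf '%s\n' "$SAMPLE_LOG" | suggestions_by_area
```

On a real system replace the sample with `warnings_by_impact < /var/log/lynis.log`.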


 

Can someone suggest a decent simple to use "file integrity tool"

Can a network expert help me to "Configure a firewall/packet filter to filter incoming and outgoing traffic"

Can someone give a very brief explanation of this "Default umask in /etc/profile could be more strict like 027"

 

Thanks in advance :breakfast: and happy playing Eric. :harhar:

 

Cool, but no time to build from source for Slackware... too lazy, actually. :)

 

Umask help --> http://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html

 

IPtables --> https://en.wikipedia.org/wiki/Iptables

 

fsck --> http://linux.about.com/od/lsa_guide/a/gdelsa35t08.htm (a very powerful file integrity checker that you already have on your system)

 

Have funzies! :)
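To put numbers to the umask link above, here is an added example (not from the thread) that works out what 022 and 027 do to a new file and directory, and then checks it against the filesystem in a scratch directory; 027 drops all permissions for "others" on everything you create, which is what makes it stricter.

```shell
# Added example, not from the thread: what the umask actually does to new
# files and directories. New files start from mode 666 and new directories
# from 777; the bits set in the umask are cleared. 022 only removes write
# access for group and others; 027 also removes every permission for
# "others", so files you create are no longer readable by other accounts.

# Print the mode a new file and a new directory would get under a umask
# given in octal, e.g. effective_modes 027 -> "file=640 dir=750".
effective_modes() {
    mask=$(( 0$1 ))                 # leading 0 makes the shell read it as octal
    printf 'file=%03o dir=%03o\n' $(( 0666 & ~mask )) $(( 0777 & ~mask ))
}

# Same thing observed on a real filesystem: create a file and a directory
# in a scratch directory under the given umask and report the permission
# strings ls shows for them. The umask is set in a subshell so the caller's
# umask is left untouched.
demo_umask() {
    scratch=$(mktemp -d) || return 1
    ( umask "$1" && : > "$scratch/f" && mkdir "$scratch/d" ) || return 1
    f=$(ls -ld "$scratch/f" | cut -c1-10)
    d=$(ls -ld "$scratch/d" | cut -c1-10)
    rm -rf "$scratch"
    printf 'file=%s dir=%s\n' "$f" "$d"
}

# Compare the setting the thread starts from (022) with the suggested 027.
for m in 022 027; do
    printf 'umask %s: ' "$m"; effective_modes "$m"
    printf 'umask %s: ' "$m"; demo_umask "$m"
done
```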


These two are pointless on Arch:

[11:09:17] Warning: No syslog daemon found [test:LOGG-2130] [impact:H]

[11:09:18] Warning: klogd is not running, which could lead to missing

 

Arch does not use syslog as systemd's journal system replaces it.

 

Also, klogd was replaced by syslog on systems running systemd.


These two are pointless on Arch:


 

Arch does not use syslog as systemd's journal system replaces it.

 

Also, klogd was replaced by syslog on systems running systemd.

 

Ok ta.

 

Eric ta fer the links though only one was useful. I think that

 

http://afick.sourceforge.net/

 

https://help.ubuntu.com/community/FileIntegrityAIDE

 

Afick or Aide are the type of file integrity tools looked for rather than fsck.

 

IPtables just make me shudder and go weak at the knees so I'll leave that explore for another day.

 

I could understand umask so I had a twiddle around with it.

Seems my Arch has 022 for root and user. So I changed it to 027 as per guide an me system crashed. No probs I thought, change it back again from a tty, which I did. Still have a crashed system.

E17, Window Maker and TWM all refuse to play, it seems something has borked me X (X11 or xorg-server or whatever it is called). So I am now posting from W7. At first I thought E17 was to blame but it looks like me fiddling with umask has done something, or it could just be coincidental. Anyways I can still access Arch via the cli and mostly it seems ok apart from me kb seems to have a different layout.

So have I got a nuked system or will it live to ride another day ?

Time will tell.

:whistling:


As long as you don't p*ss around with it too much. ;)

 

Or follow any guides on the internet. :228823:

 

Thanks for the link which I have read through before. Still makes me shudder. I think I'll leave iptables for another day after reading through this follow up guide.

 

https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall#Example_rules_file

 

I have me Arch back again. The problem it would seem was not with X but is related to E17 I think. I managed to fiddle a little and now am back with Window Maker. Funnily enough I have been reading up on WM lately with a view to running it again.

 

Oh an just to give you all a good laugh. I badgered loads of folk to do regular backups. I read all about how to do backups several different ways. Did I do even one backup never mind regular ones. Answers on a pin head please to the usual addy. :cool:


I can't say I'm worried about any of those warnings or suggestions for my home system. Maybe different for an enterprise system or if you had sensitive information stored.


I can't say I'm worried about any of those warnings or suggestions for my home system. Maybe different for an enterprise system or if you had sensitive information stored.

 

Same here


Well it was a post aimed at Eric, thought it might be useful for him in his new career as a network geek.

 

So you more experienced folk don't think it is worth doing any of these then,

 

Default umask in /etc/profile could be more strict like 027

Configure a firewall/packet filter to filter incoming and outgoing traffic

Install a file integrity tool (Like AIDE)

Harden the system by installing one or malware scanners to perform periodic file system scans

 

:shifty:

So you more experienced folk don't think it is worth doing any of these then,

 

Default umask in /etc/profile could be more strict like 027

Configure a firewall/packet filter to filter incoming and outgoing traffic

Install a file integrity tool (Like AIDE)

Harden the system by installing one or malware scanners to perform periodic file system scans

 

umask - only for enterprise

firewall - netfilter filters incoming by default on most Linux systems, and is doubly safe if you're behind a NAT router

file integrity tool - just run regular backups

malware scanner - only if you interact with Windows files, eg. mail server


Thanks. It's the thought that counts. :)

 

It was a level four type of badgering. Thought you might like to know that. :Laughing:
