How to Install Lynis 2.2.0 – Linux Security Auditing Tool


Lynis is a security auditing tool for Unix and Linux systems. It helps auditors scan a system and its security defenses, and supports system hardening. The software gathers system information specific to the operating system type, the installed packages, and the system and network configuration. It also checks the system for configuration errors and security issues. This article describes how to install Lynis on Ubuntu.

Features

  • Open source
  • Written as a shell script
  • No dependencies
  • Easy to understand
  • Dynamic operating system detection
  • More than 300 built-in tests
  • Support for custom tests
  • Plugin support
  • Support for compliance checks
  • Extensive software support

Installing Lynis

Lynis does not require any installation and can be run directly from any directory. As a good practice, create a directory for Lynis under /usr/local/lynis, as shown below:

# mkdir /usr/local/lynis

Download the stable release of the Lynis source tarball as follows:

# cd /usr/local/lynis
# wget https://cisofy.com/files/lynis-2.2.0.tar.gz

Sample output:

--2016-05-05 10:27:09-- https://cisofy.com/files/lynis-2.2.0.tar.gz
Resolving cisofy.com (cisofy.com)... 149.210.134.182, 2a01:7c8:aab2:209::1
Connecting to cisofy.com (cisofy.com)|149.210.134.182|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 202825 (198K) [application/octet-stream]
Saving to: ‘lynis-2.2.0.tar.gz’

lynis-2.2.0.tar.gz 100%[===================>] 198.07K 209KB/s in 0.9s

2016-05-05 10:27:11 (209 KB/s) - ‘lynis-2.2.0.tar.gz’ saved [202825/202825]

Now extract the package as follows:

# tar -xvf lynis-2.2.0.tar.gz

Sample output:

lynis/CHANGELOG
lynis/CONTRIBUTIONS.md
lynis/CONTRIBUTORS
lynis/FAQ
lynis/INSTALL
lynis/LICENSE
lynis/README
lynis/db/
lynis/db/integrity.db
lynis/db/sbl.db
lynis/db/fileperms.db
lynis/db/malware-susp.db
lynis/db/malware.db
lynis/db/hints.db
lynis/default.prf
lynis/extras/
lynis/extras/README
lynis/extras/files.dat
lynis/extras/lynis.spec
lynis/extras/systemd/
lynis/extras/systemd/lynis.service
lynis/extras/systemd/lynis.timer
lynis/extras/openbsd/
lynis/extras/openbsd/+CONTENTS
lynis/extras/check-lynis.sh
lynis/extras/bash_completion.d/
lynis/extras/bash_completion.d/lynis
lynis/extras/.bzrignore
lynis/extras/build-lynis.sh
lynis/include/
lynis/include/helper_audit_dockerfile
lynis/include/profiles
lynis/include/tests_malware
lynis/include/tests_containers
lynis/include/tests_accounting
lynis/include/parameters
lynis/include/tests_ssh
lynis/include/tool_tips
lynis/include/tests_time
lynis/include/tests_firewalls
lynis/include/tests_nameservices
lynis/include/binaries
lynis/include/tests_webservers
lynis/include/tests_squid
lynis/include/tests_storage_nfs
lynis/include/tests_insecure_services
lynis/include/tests_scheduling
lynis/include/tests_tooling
lynis/include/tests_hardening
lynis/include/tests_networking
lynis/include/tests_custom.template

......................................

Running and using Lynis: the basics

Running Lynis requires root privileges, and its output is written to the /var/log/lynis.log file. Run Lynis with the following commands:

# cd lynis
# ./lynis

Run without arguments, the command prints the full list of available parameters, as shown below:

[ Lynis 2.2.0 ]

################################################################################
   comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
   welcome to redistribute it under the terms of the GNU General Public License.
   See the LICENSE file for details about using this software.

   Copyright 2007-2016 - CISOfy, https://cisofy.com/lynis/
   Enterprise support and plugins available via CISOfy
################################################################################

[+] Initializing program
------------------------------------

   Usage: lynis [options] mode


   Mode:

      audit
         audit system          : Perform security scan
         audit dockerfile      : Analyze Dockerfile

      update
         update info           : Show update details
         update release        : Update Lynis release


   Scan options:
      --auditor ""             : Auditor name
      --dump-options           : See all available options
      --no-log                 : Don't create a log file
      --pentest                : Non-privileged scan (useful for pentest)
      --profile                : Scan the system with the given profile file
      --quick (-Q)             : Quick mode, don't wait for user input
      --tests ""               : Run only tests defined by
      --tests-category ""      : Run only tests defined by

   Layout options:
      --no-colors              : Don't use colors in output
      --quiet (-q)             : No output, except warnings
      --reverse-colors         : Optimize color display for light backgrounds

...............................................................................................

To start a Lynis scan of your entire Linux system, pass the --check-all parameter as follows:

# ./lynis --check-all

Sample output:

[+] Initializing program
------------------------------------
   - Detecting OS...                         [ DONE ]

---------------------------------------------------
   Program version:               2.2.0
   Operating system:              Linux
   Operating system name:         Ubuntu
   Operating system version:      16.04
   Kernel version:                4.4.0
   Hardware platform:             x86_64
   Hostname:                      linux
   Auditor:                       [Unknown]
   Profile:                       ./default.prf
   Log file:                      /var/log/lynis.log
   Report file:                   /var/log/lynis-report.dat
   Report version:                1.0
   Plugin directory:              ./plugins
   ---------------------------------------------------
   - Checking profile file (./default.prf)...
   - Program update status...                [ NO UPDATE ]

[+] System Tools
------------------------------------
   - Scanning available tools...
   - Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
   Note: plugins have more extensive tests, which may take a few minutes to complete

      - Plugins enabled                      [ NONE ]

[+] Boot and services
------------------------------------
   - Service Manager                            [ systemd ]
   - Checking UEFI boot                         [ ENABLED ]
   - Checking Secure Boot                       [ DISABLED ]
   - Checking presence GRUB2                    [ FOUND ]
      - Checking for password protection        [ WARNING ]
   - Check running services (systemctl)         [ DONE ]
         Result: found 31 running services
   - Check enabled services at boot (systemctl) [ DONE ]
         Result: found 38 enabled services
   - Check startup files (permissions)          [ OK ]

Creating a Lynis cron job

To create a Lynis cron job that produces a daily scan report of the system, open the crontab with the following command:

# crontab -e

Sample output:

# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/

Add the following line to run the cron job every night at 10:30 PM, replacing /path/to/lynis with the actual path of the Lynis script. Note that the user field (root) is part of the system crontab format used by /etc/crontab and files under /etc/cron.d; a per-user crontab opened with crontab -e has no user field, so omit it there:

30 22 * * * root /path/to/lynis -c -Q --auditor "automated" --cronjob
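As an added example (not from the article or the Lynis project), the following POSIX shell script could run after the cron job above to summarize the report file the article points to, /var/log/lynis-report.dat, and turn warnings or a low hardening index into a non-empty output that cron mails out. The report key names it reads (hardening_index, warning[], suggestion[]) and the LYNIS_REPORT override variable are assumptions, and the sample report it falls back to is constructed.

```shell
#!/bin/sh
# Added example: summarize a Lynis report file after a cron run. Report keys
# (hardening_index, warning[], suggestion[]) are assumed from Lynis report
# conventions; LYNIS_REPORT is a hypothetical override for the report path.
REPORT="${LYNIS_REPORT:-/var/log/lynis-report.dat}"

# Constructed sample report, used so the script also runs without a real scan.
make_sample_report() {
    cat > "$1" <<'EOF'
lynis_version=2.2.0
os_name=Ubuntu
hardening_index=62
warning[]=BOOT-5122|No GRUB2 password set|-|
warning[]=FIRE-4512|No iptables rules found|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin|
EOF
}

# Value of a scalar key, e.g. hardening_index (empty if the key is missing).
report_value() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# Number of entries for a list key such as warning or suggestion.
report_count() { grep -c "^$2\[]=" "$1" || true; }

# "TEST-ID: description" for every entry of a list key.
report_list() { sed -n "s/^$2\[]=//p" "$1" | awk -F'|' '{ print $1 ": " $2 }'; }

# Print a summary; succeed only if the index meets the threshold and there are
# no warnings. Cron mails any output, so this doubles as a simple alert.
summarize() {
    idx="$(report_value "$1" hardening_index)"; idx="${idx:-0}"
    warns="$(report_count "$1" warning)"
    echo "Hardening index: $idx (threshold $2); warnings: $warns"
    report_list "$1" warning
    [ "$idx" -ge "$2" ] && [ "$warns" -eq 0 ]
}

main() {
    if [ ! -r "$REPORT" ]; then
        REPORT="$(mktemp)"; make_sample_report "$REPORT"
    fi
    summarize "$REPORT" 70 || echo "ACTION NEEDED: review the warnings above"
}
main
```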

Updating Lynis

To update Lynis, use the following commands:

# ./lynis update info       [Show update details]
# ./lynis update release    [Update Lynis release]

After reading this article, you should understand how to install Lynis 2.2.0. In our next article we will provide more Linux-based tips and tricks. Stay tuned!

Updated on: January 22, 2020
