
How to scan Linux for security vulnerabilities with lynis?

XKER.COM (新客网)  Date: 2015-02-11 01:38:14  Source: compiled by 布加迪, 51CTO.com

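As a system administrator, Linux security engineer, or system auditor, your duties may include tasks such as software patch management, malware scanning, file integrity checking, security auditing, and checking for configuration errors. An automated vulnerability scanning tool can save you a great deal of time when checking for common security problems.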

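lynis is one such security vulnerability scanning tool for Linux. It is open source (licensed under GPLv3) and is in fact supported on multiple platforms, including Linux, FreeBSD, and Mac OS.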

To install lynis on Linux, simply run the following commands.

$ wget …

Once the scan is complete, an audit report for your system is generated automatically and saved in /var/log/lynis.log.

The audit report contains warnings about the potential security vulnerabilities the tool detected. For example:

$ sudo grep Warning /var/log/lynis.log

[20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
[20:20:04] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
[20:20:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

The audit report also contains many suggestions that help you harden your Linux system. For example:

$ sudo grep Suggestion /var/log/lynis.log

[20:19:41] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
[20:19:41] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
[20:19:41] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
[20:19:41] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
[20:19:42] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
[20:19:42] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
[20:20:03] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]
. . . .

Scanning your system for vulnerabilities as a daily scheduled task

To get the most out of lynis, run it regularly, for example as a daily scheduled task. When run with the "--cronjob" option, lynis runs in an automatic, non-interactive scan mode.

The following daily cron script runs lynis in automatic mode to audit your system and archives each day's scan report.

$ sudo vi /etc/cron.daily/scan.sh

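#!/bin/sh
# Daily lynis audit: run non-interactively and archive the dated report.

AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

# Create the archive directory if needed; stop if lynis is not in /opt/lynis.
mkdir -p "$LOG_DIR"
cd /opt/lynis || exit 1

# -c runs all checks; --cronjob selects the non-interactive mode.
./lynis -c --auditor "${AUDITOR}" --cronjob > "${REPORT}"

# Keep the report data file alongside the dated report.
mv /var/log/lynis-report.dat "${DATA}"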

$ sudo chmod 755 /etc/cron.daily/scan.sh
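
With daily scans, the useful signal is usually what changed since the last run. The following is an added example, not part of the original article or of lynis itself: it normalizes the Warning/Suggestion lines in the log format shown above and prints only the findings that are new compared with an earlier log. The function names are hypothetical, the sample log lines are constructed, and it assumes you keep a copy of the previous day's /var/log/lynis.log (the cron script above does not archive that file).

```sh
#!/bin/sh
# Added example (not from the original article): report only the findings that
# are new since the previous scan. Input is lynis.log in the format shown above.

# lynis_findings LOG -> one "KIND|TEST-ID|IMPACT|MESSAGE" record per finding.
# The timestamp is dropped so the same finding compares equal across days.
lynis_findings() {
    sed -n -E 's/^\[[0-9:]+\] (Warning|Suggestion): (.*) \[test:([^]]+)\]( \[impact:([A-Z])\])?[[:space:]]*$/\1|\3|\5|\2/p' "$1" |
        LC_ALL=C sort -u
}

# new_findings OLD_LOG NEW_LOG -> records present in NEW_LOG but not in OLD_LOG.
new_findings() {
    old=$(mktemp) || return 1
    new=$(mktemp) || { rm -f "$old"; return 1; }
    lynis_findings "$1" > "$old"
    lynis_findings "$2" > "$new"
    LC_ALL=C comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# make_sample_logs DIR: constructed sample data (lines follow the article's format).
make_sample_logs() {
    cat > "$1/old.log" <<'EOF'
[20:19:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
[20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
[20:20:05] Some other log line that is not a finding
EOF
    cat > "$1/new.log" <<'EOF'
[03:10:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
[03:11:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
[03:11:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]
[03:11:07] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]
EOF
}

# Demo: prints the two findings that appear only in the newer sample log.
demo=$(mktemp -d)
make_sample_logs "$demo"
new_findings "$demo/old.log" "$demo/new.log"
rm -rf "$demo"
```

An empty IMPACT field means the log line carried no [impact:…] tag, as with the Suggestion lines shown earlier.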

Original article: http://xmodulo.com/how-to-scan-linux-for-vulnerabilities.html

