Tuesday, 29 October 2013

System auditing with Lynis

After installing a server, whatever the operating system, it is advisable to run a security audit. There are several tools for this. On Linux we have a simple one that helps a lot, called Lynis.

To install it, type, as root:

# apt-get install lynis

Before using it, check whether the program and its databases are up to date. Note that this command only reports the status (as the output below shows); it does not download or install anything.

# lynis --check-update

 == Lynis ==

  Version         :   1.3.0 [ Outdated ]
  Release date    :   28 April 2011
  Update location :   http://www.rootkit.nl/

 == Databases ==
                      Current          Latest           Status
  -----------------------------------------------------------------------------
  Malware         :   2008062700       2008062700       Up-to-date
  File perms      :   2008053000       2008053000       Up-to-date


Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/

Now let's run it (-c is short for --check-all). At each screen, or phase, the program pauses so you can see what is being done. At the end, a summary of what was found and suggestions about what can be done are listed.

# lynis -c

[ Lynis 1.3.0 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See LICENSE file for details about using this software.

 Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Clearing log file (/var/log/lynis.log)...                 [ DONE ]

  ---------------------------------------------------
  Program version:           1.3.0
  Operating system:          Linux
  Operating system name:     Linux
  Operating system version:  3.2.0-4-686-pae
  Kernel version:            3.2.0-4-686-pae
  Hardware platform:         i686
  Hostname:                  fpawks0703
  Auditor:                   [Unknown]
  Profile:                   /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  ---------------------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

  - Checking profile file (/etc/lynis/default.prf)...
  - Program update status...                                  [ UPDATE AVAILABLE ]

      ===============================================================================
        Notice: Lynis update available
          Current version : 130   Latest version : 131
          Please update to the latest version for new features, bug fixes, tests
          and baselines.
      ===============================================================================


[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
    - Checking /bin...                                        [ FOUND ]
    - Checking /sbin...                                       [ FOUND ]
    - Checking /usr/bin...                                    [ FOUND ]
    - Checking /usr/sbin...                                   [ FOUND ]
    - Checking /usr/local/bin...                              [ FOUND ]
    - Checking /usr/local/sbin...                             [ FOUND ]
    - Checking /usr/local/libexec...                          [ NOT FOUND ]
    - Checking /usr/libexec...                                [ NOT FOUND ]
    - Checking /usr/sfw/bin...                                [ NOT FOUND ]
    - Checking /usr/sfw/sbin...                               [ NOT FOUND ]
    - Checking /usr/sfw/libexec...                            [ NOT FOUND ]
    - Checking /opt/sfw/bin...                                [ NOT FOUND ]
    - Checking /opt/sfw/sbin...                               [ NOT FOUND ]
    - Checking /opt/sfw/libexec...                            [ NOT FOUND ]
    - Checking /usr/xpg4/bin...                               [ NOT FOUND ]
    - Checking /usr/css/bin...                                [ NOT FOUND ]
    - Checking /usr/ucb...                                    [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

================================================================================

  -[ Lynis 1.3.0 Results ]-

  Tests performed: 181
  Warnings:
  ----------------------------
   - [15:17:02] Warning: Found one or more zombie processes (16988 16990 16992) [test:PROC-3612] [impact:L]
   - [15:19:27] Warning: Found BIND version in banner [test:NAME-4210] [impact:M]
   - [15:20:44] Warning: Found possible unused iptables rules (1 1 2 1 2 3 4 5 6 7 8 2 3 4 6 8) [test:FIRE-4513] [impact:L]
   - [15:21:06] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
   - [15:21:28] Warning: PHP option register_globals option is turned on, which can be a risk for variable value overwriting [test:PHP-2368] [impact:M]
   - [15:21:28] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
   - [15:21:58] Warning: klogd is not running, which could lead to missing kernel messages in log files [test:LOGG-2138] [impact:L]
   - [15:22:37] Warning: Found one or more stratum 16 peers [test:TIME-3116] [impact:L]

  Suggestions:
  ----------------------------
   - [15:15:42] Suggestion: update to the latest stable release.
   - [15:17:02] Suggestion: Check the output of ps for dead or zombie processes [test:PROC-3612]
   - [15:17:21] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
   - [15:17:21] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
   - [15:17:21] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
   - [15:17:21] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
   - [15:17:21] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
   - [15:17:21] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
   - [15:19:10] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
   - [15:19:10] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
   - [15:20:14] Suggestion: Purge removed packages (225 found) with aptitude purge command, to cleanup old configuration files, cron jobs and startup scripts. [test:PKGS-7346]
   - [15:20:44] Suggestion: Check iptables rules to see which rules are currently not used (iptables --list --numeric --verbose) [test:FIRE-4513]
   - [15:21:28] Suggestion: Change the register_globals line to: register_globals = Off [test:PHP-2368]
   - [15:21:28] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
   - [15:21:28] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376]
   - [15:21:38] Suggestion: Check if Squid has been configured to restrict access to all safe ports [test:SQD-3624]
   - [15:21:38] Suggestion: Configure Squid option reply_body_max_size to limit the upper size of requests. [test:SQD-3630]
   - [15:21:58] Suggestion: Check why klogd is not running [test:LOGG-2138]
   - [15:22:18] Suggestion: Add legal banner to /etc/motd, to warn unauthorized users [test:BANN-7122]
   - [15:22:18] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
   - [15:22:18] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130]
   - [15:22:34] Suggestion: Enable sysstat to collect accounting [test:ACCT-9626]
   - [15:22:34] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]
   - [15:22:37] Suggestion: Check ntpq peers output [test:TIME-3116]
   - [15:22:37] Suggestion: Check ntpq peers output for time source candidates [test:TIME-3128]
   - [15:23:26] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]
   - [15:23:41] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
   - [15:23:41] Suggestion: Harden compilers and restrict access to world [test:HRDN-7222]
================================================================================
  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
================================================================================
  Notice: Lynis update available
  Current version : 130    Latest version : 131
================================================================================
  Hardening index : [64]     [############        ]
================================================================================
  Tip: Disable all tests which are not relevant or are too strict for the
       purpose of the particular machine. This will remove unwanted suggestions
       and also boost the hardening index. Each test should be properly analyzed
       to see if the related risks can be accepted, before disabling the test.
================================================================================
  Lynis 1.3.0
  Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/
================================================================================


* I trimmed the output of the command above

Look how many things I can do to improve my server's security.
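The summary is a to-do list, and after editing sshd_config and php.ini it is worth confirming that the fixes actually took. The script below is an added example, not part of the original post or of Lynis itself: it extracts the test IDs from warning lines in the format printed by lynis -c above, then checks, on sample configuration fragments constructed inside the script, whether the fixes for SSH-7412 (PermitRootLogin), PHP-2368 (register_globals) and PHP-2372 (expose_php) are in place. The summary lines, the sshd_config and php.ini fragments, and the temporary paths are all constructed for the example; it assumes the usual "Key value" syntax of sshd_config and "key = value" syntax of php.ini.

```shell
#!/bin/sh
# Added example, not part of the original post or of Lynis: pull the test IDs
# out of a Lynis 1.3 summary and verify, on sample config files, that the
# fixes Lynis suggested (SSH-7412, PHP-2368, PHP-2372) were actually applied.
# All inputs below are constructed here so the script runs without a server.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Warning lines in the shape of the summary printed by "lynis -c" above.
cat > "$WORK/summary.txt" <<'EOF'
   - [15:17:02] Warning: Found one or more zombie processes (16988 16990 16992) [test:PROC-3612] [impact:L]
   - [15:21:06] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
   - [15:21:28] Warning: PHP option register_globals option is turned on, which can be a risk for variable value overwriting [test:PHP-2368] [impact:M]
   - [15:21:28] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
EOF

# sshd_config as Lynis found it (root login allowed) and after the fix.
printf 'Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n' > "$WORK/sshd_config.weak"
printf 'Port 22\nPermitRootLogin no\n'                       > "$WORK/sshd_config.fixed"

# php.ini with the two options Lynis warned about, weak and corrected.
printf '[PHP]\n; comment\nregister_globals = On\nexpose_php = On\n'   > "$WORK/php.ini.weak"
printf '[PHP]\n; comment\nregister_globals = Off\nexpose_php = Off\n' > "$WORK/php.ini.fixed"

# Print the test IDs of all warnings with the given impact (L, M or H),
# one per line, in the order they appear in the summary.
warnings_with_impact() {
    impact=$1; summary=$2
    sed -n 's/.*\[test:\([A-Z]*-[0-9]*\)] \[impact:'"$impact"'].*/\1/p' "$summary"
}

# SSH-7412: the last uncommented PermitRootLogin wins. If the directive is
# absent, OpenSSH of that era defaults to "yes", so absence is a failure too.
sshd_root_login_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { v = tolower($2) } END { print v }' "$1")
    [ "$val" = "no" ]
}

# PHP-2368 / PHP-2372: option "$1" must be Off (or 0) in php.ini "$2";
# lines starting with ";" are comments and are ignored, last setting wins.
php_option_off() {
    val=$(awk -F'=' -v k="$1" '
        $0 !~ /^[ \t]*;/ {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) == tolower(k)) { v = $2; gsub(/[ \t]/, "", v) }
        }
        END { print tolower(v) }' "$2")
    [ "$val" = "off" ] || [ "$val" = "0" ]
}

# Walk the medium-impact findings and report, for the weak and the fixed
# copy of each file, whether the finding is closed.
for id in $(warnings_with_impact M "$WORK/summary.txt"); do
    for state in weak fixed; do
        case $id in
            SSH-7412) sshd_root_login_disabled "$WORK/sshd_config.$state" ;;
            PHP-2368) php_option_off register_globals "$WORK/php.ini.$state" ;;
            PHP-2372) php_option_off expose_php "$WORK/php.ini.$state" ;;
        esac && echo "$id ($state config): fixed" || echo "$id ($state config): STILL OPEN"
    done
done
```

To use it on a real host, save the Results section of lynis -c to a file and point the checks at /etc/ssh/sshd_config and the php.ini your web server actually loads (PHP can read a different php.ini for the CLI and for Apache, so check the one Lynis reported on). Remember to reload sshd after changing PermitRootLogin; the file check passes as soon as the line is edited, but the running daemon keeps the old setting until it is restarted.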