Tuesday, 29 October 2013

System auditing with Lynis

After installing a server, whatever the operating system, it is advisable to run a security audit. There are several tools for this. On Linux there is a simple one that helps a lot, called Lynis.

To install it, type, as root:

# apt-get install lynis

Before using it, check whether the program and its databases are current. Note that this option only reports the status; it does not update anything, so an outdated package has to be updated through the package manager:

# lynis --check-update

 == Lynis ==

  Version         :   1.3.0 [ Outdated ]
  Release date    :   28 April 2011
  Update location :   http://www.rootkit.nl/

 == Databases ==
                      Current          Latest           Status
  -----------------------------------------------------------------------------
  Malware         :   2008062700       2008062700       Up-to-date
  File perms      :   2008053000       2008053000       Up-to-date


Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/

Now run it (-c is short for --check-all). At each screen, or phase, the program pauses so that you can see what is being done; use -Q (--quick) to skip the pauses in unattended runs. At the end it lists a summary of what was found and suggestions for what can be done about it.

# lynis -c

[ Lynis 1.3.0 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See LICENSE file for details about using this software.

 Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Clearing log file (/var/log/lynis.log)...                 [ DONE ]

  ---------------------------------------------------
  Program version:           1.3.0
  Operating system:          Linux
  Operating system name:     Linux
  Operating system version:  3.2.0-4-686-pae
  Kernel version:            3.2.0-4-686-pae
  Hardware platform:         i686
  Hostname:                  fpawks0703
  Auditor:                   [Unknown]
  Profile:                   /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  ---------------------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

  - Checking profile file (/etc/lynis/default.prf)...
  - Program update status...                                  [ UPDATE AVAILABLE ]

      ===============================================================================
        Notice: Lynis update available
          Current version : 130   Latest version : 131
          Please update to the latest version for new features, bug fixes, tests
          and baselines.
      ===============================================================================


[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
    - Checking /bin...                                        [ FOUND ]
    - Checking /sbin...                                       [ FOUND ]
    - Checking /usr/bin...                                    [ FOUND ]
    - Checking /usr/sbin...                                   [ FOUND ]
    - Checking /usr/local/bin...                              [ FOUND ]
    - Checking /usr/local/sbin...                             [ FOUND ]
    - Checking /usr/local/libexec...                          [ NOT FOUND ]
    - Checking /usr/libexec...                                [ NOT FOUND ]
    - Checking /usr/sfw/bin...                                [ NOT FOUND ]
    - Checking /usr/sfw/sbin...                               [ NOT FOUND ]
    - Checking /usr/sfw/libexec...                            [ NOT FOUND ]
    - Checking /opt/sfw/bin...                                [ NOT FOUND ]
    - Checking /opt/sfw/sbin...                               [ NOT FOUND ]
    - Checking /opt/sfw/libexec...                            [ NOT FOUND ]
    - Checking /usr/xpg4/bin...                               [ NOT FOUND ]
    - Checking /usr/css/bin...                                [ NOT FOUND ]
    - Checking /usr/ucb...                                    [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

================================================================================

  -[ Lynis 1.3.0 Results ]-

  Tests performed: 181
  Warnings:
  ----------------------------
   - [15:17:02] Warning: Found one or more zombie processes (16988 16990 16992) [test:PROC-3612] [impact:L]
   - [15:19:27] Warning: Found BIND version in banner [test:NAME-4210] [impact:M]
   - [15:20:44] Warning: Found possible unused iptables rules (1 1 2 1 2 3 4 5 6 7 8 2 3 4 6 8) [test:FIRE-4513] [impact:L]
   - [15:21:06] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
   - [15:21:28] Warning: PHP option register_globals option is turned on, which can be a risk for variable value overwriting [test:PHP-2368] [impact:M]
   - [15:21:28] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
   - [15:21:58] Warning: klogd is not running, which could lead to missing kernel messages in log files [test:LOGG-2138] [impact:L]
   - [15:22:37] Warning: Found one or more stratum 16 peers [test:TIME-3116] [impact:L]

  Suggestions:
  ----------------------------
   - [15:15:42] Suggestion: update to the latest stable release.
   - [15:17:02] Suggestion: Check the output of ps for dead or zombie processes [test:PROC-3612]
   - [15:17:21] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
   - [15:17:21] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
   - [15:17:21] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
   - [15:17:21] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
   - [15:17:21] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
   - [15:17:21] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
   - [15:19:10] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
   - [15:19:10] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
   - [15:20:14] Suggestion: Purge removed packages (225 found) with aptitude purge command, to cleanup old configuration files, cron jobs and startup scripts. [test:PKGS-7346]
   - [15:20:44] Suggestion: Check iptables rules to see which rules are currently not used (iptables --list --numeric --verbose) [test:FIRE-4513]
   - [15:21:28] Suggestion: Change the register_globals line to: register_globals = Off [test:PHP-2368]
   - [15:21:28] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
   - [15:21:28] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376]
   - [15:21:38] Suggestion: Check if Squid has been configured to restrict access to all safe ports [test:SQD-3624]
   - [15:21:38] Suggestion: Configure Squid option reply_body_max_size to limit the upper size of requests. [test:SQD-3630]
   - [15:21:58] Suggestion: Check why klogd is not running [test:LOGG-2138]
   - [15:22:18] Suggestion: Add legal banner to /etc/motd, to warn unauthorized users [test:BANN-7122]
   - [15:22:18] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
   - [15:22:18] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130]
   - [15:22:34] Suggestion: Enable sysstat to collect accounting [test:ACCT-9626]
   - [15:22:34] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]
   - [15:22:37] Suggestion: Check ntpq peers output [test:TIME-3116]
   - [15:22:37] Suggestion: Check ntpq peers output for time source candidates [test:TIME-3128]
   - [15:23:26] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]
   - [15:23:41] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
   - [15:23:41] Suggestion: Harden compilers and restrict access to world [test:HRDN-7222]
================================================================================
  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
================================================================================
  Notice: Lynis update available
  Current version : 130    Latest version : 131
================================================================================
  Hardening index : [64]     [############        ]
================================================================================
  Tip: Disable all tests which are not relevant or are too strict for the
       purpose of the particular machine. This will remove unwanted suggestions
       and also boost the hardening index. Each test should be properly analyzed
       to see if the related risks can be accepted, before disabling the test.
================================================================================
  Lynis 1.3.0
  Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/
================================================================================


#

* I have abridged the output of the command above

See how many things I can do to improve the security of my server.
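Fixing a finding is only half the job; the other half is verifying that the fix actually took effect. As an added example (not part of the original post and not Lynis code), the script below re-checks three of the warnings listed above, SSH-7412 (root login via SSH), PHP-2368 (register_globals) and PHP-2372 (expose_php), by reading the configuration files directly. It assumes the files are passed in as arguments (on this Debian system they would be /etc/ssh/sshd_config and /etc/php5/apache2/php.ini, but the paths vary by distribution) and that the defaults for an absent directive are PermitRootLogin yes (OpenSSH of that era), register_globals Off and expose_php On. The sample files in the demo section are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post: re-check three Lynis findings
# (SSH-7412, PHP-2368, PHP-2372) straight from the configuration files so that
# a fix can be verified without a full re-scan. POSIX sh + awk only.

# Effective value of KEY in an sshd_config-style file ("Key value", key is
# case-insensitive, first match wins, comments and blank lines ignored).
# DEFAULT is printed when the key is absent (assumption: "yes" for
# PermitRootLogin on the OpenSSH releases of the time).
sshd_value() {   # sshd_value FILE KEY DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Value of a php.ini directive ("name = value"), ignoring ";" comments.
php_value() {    # php_value FILE DIRECTIVE DEFAULT
    awk -F'=' -v key="$2" -v def="$3" '
        /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == key { v = $2; gsub(/[[:space:]]/, "", v); print v; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Run the three checks; print one line per remaining problem and return the
# number of failing checks (0 means all three are hardened).
check_hardening() {   # check_hardening SSHD_CONFIG PHP_INI
    fails=0
    # Only "no" counts as fixed here: key-only variants (without-password /
    # prohibit-password) still let root log in directly, which is what
    # SSH-7412 warned about.
    v=$(sshd_value "$1" PermitRootLogin yes)
    case "$v" in
        no) ;;
        *) echo "SSH-7412: PermitRootLogin is '$v', set it to 'no'"; fails=$((fails + 1)) ;;
    esac
    v=$(php_value "$2" register_globals Off)
    case "$v" in
        [Oo]ff|0|"") ;;
        *) echo "PHP-2368: register_globals = $v, set it to Off"; fails=$((fails + 1)) ;;
    esac
    v=$(php_value "$2" expose_php On)
    case "$v" in
        [Oo]ff|0) ;;
        *) echo "PHP-2372: expose_php = $v, set it to Off"; fails=$((fails + 1)) ;;
    esac
    return $fails
}

# Demo on constructed files (not real system configuration).
demo=$(mktemp -d)
printf 'Port 22\n# PermitRootLogin no\nPermitRootLogin yes\n' > "$demo/sshd_config"
printf '[PHP]\nregister_globals = On\nexpose_php = On\n' > "$demo/php.ini"
check_hardening "$demo/sshd_config" "$demo/php.ini" || echo "$? check(s) still failing"
rm -rf "$demo"
```

Run it against the real files after editing them and restarting sshd and Apache; a clean run prints nothing and exits 0, which makes it easy to wire into a cron job or a configuration-management post-check.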


Monday, 7 October 2013

Creating partitions with fdisk

One of the best-known tools for manipulating the partition table on Linux is fdisk.

To list the partition table of a disk, use the "-l" option:

# fdisk -l /dev/sda

Disk /dev/sda: 500 GB, 500105249280 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       12158    97659103   83  Linux
Warning: Partition 1 does not end on cylinder boundary.
/dev/sda2           12158       36473   195310237   83  Linux
Warning: Partition 2 does not end on cylinder boundary.
/dev/sda3           36473       60801   195414660    f  Extended LBA
/dev/sda5           36473       60801   195414660   83  Linux
Warning: Partition 5 does not end on cylinder boundary.
#


Here we have a 500 GB disk with two primary partitions (1 and 2), one extended partition (3) and one logical partition (5).

To change the partitions, call fdisk with the disk as its parameter (in our example, /dev/sda).

# fdisk /dev/sda
GNU Fdisk 1.2.4
Copyright (C) 1998 - 2006 Free Software Foundation, Inc.
This program is free software, covered by the GNU General Public License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

Using /dev/sda
Command (m for help):


For help, press "m".

Command (m for help): m
Command action
   a   toggle bootable flag
   b   edit bsd disklabel
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)
Command (m for help):  


fdisk can be intimidating at first, but it has very useful options, and its help really does help. For example, to list the partitions, press "p".

Command (m for help): p                                                  

Disk /dev/sda: 500 GB, 500105249280 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       12158    97659103   83  Linux
Warning: Partition 1 does not end on cylinder boundary.                  
/dev/sda2           12158       36473   195310237   83  Linux
Warning: Partition 2 does not end on cylinder boundary.                  
/dev/sda3           36473       60801   195414660    f  Extended LBA
/dev/sda5           36473       60801   195414660   83  Linux
Warning: Partition 5 does not end on cylinder boundary.                  
Command (m for help):                                                    


Use "n" to create a new partition, "d" to delete one, "p" to list the partitions, "l" to list the partition types fdisk knows, "w" to write the changes and "q" to quit. Nothing is written to the disk until you press "w"; "q" discards everything done in the session, so it is the safe exit if you are unsure about a change.
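Because "w" is the one irreversible step, two habits are worth adopting: dump the current table before touching it, and rehearse the keystroke sequence on an image file rather than on a real disk. The script below is an added example, not from the original post. It assumes util-linux fdisk and its scriptable companion sfdisk (the page shows GNU Fdisk 1.2.4, whose prompts differ slightly), and it never writes to a block device: the image file is created in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the original post: make "w" less dangerous.
# Assumes util-linux fdisk/sfdisk; the scripted answers follow its prompts.

# 1. Save the partition table of DEV to OUT. If a wrong table is ever written,
#    it can be put back with: sfdisk DEV < OUT
backup_table() {   # backup_table /dev/sda sda.parts
    sfdisk -d "$1" > "$2"
}

# 2. Create a sparse SIZE_MB image and write a DOS label with one primary
#    Linux partition of PART_MB, using exactly the keystrokes discussed above:
#    n (new), p (primary), 1 (partition number), <Enter> (default first
#    sector), +PART_MB M (last sector), w (write and exit).
make_practice_image() {   # make_practice_image FILE SIZE_MB PART_MB
    dd if=/dev/zero of="$1" bs=1M count=0 seek="$2" 2>/dev/null
    # Older fdisk releases exit non-zero because a plain file cannot be
    # re-read as a block device; the table is written anyway, so ignore it.
    printf 'n\np\n1\n\n+%sM\nw\n' "$3" | fdisk "$1" >/dev/null 2>&1 || true
}

# 3. Count the partitions "fdisk -l" reports for FILE (lines like "FILE1 ...").
count_partitions() {   # count_partitions FILE
    fdisk -l "$1" 2>/dev/null | grep -c "^$1[0-9]"
}

# 4. Check for the MBR boot signature (bytes 0x55 0xAA at offset 510), the
#    minimal proof that a DOS partition table was actually written.
has_mbr_signature() {   # has_mbr_signature FILE
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Demo on a 64 MB image in a temporary directory (skipped if fdisk is absent).
if command -v fdisk >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_practice_image "$demo/disk.img" 64 16
    fdisk -l "$demo/disk.img"
    echo "partitions created: $(count_partitions "$demo/disk.img")"
    has_mbr_signature "$demo/disk.img" && echo "MBR signature present"
    rm -rf "$demo"
fi
```

Once the sequence behaves as expected on the image, the same keystrokes can be typed into fdisk /dev/sda, with the backup from backup_table kept somewhere off that disk.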


Friday, 4 October 2013

A Linux user, but Windows came pre-installed on the PC? You can ask for a refund!

If you bought a computer with Windows but prefer to use Linux, know that you can uninstall Windows and request a refund of the price of the software.

The video below explains this in more detail.



Wednesday, 2 October 2013

File sharing via NFS

The usual way to share files between Unix/Linux machines is NFS. Unlike SMB, access in NFS is granted by default to hosts (listed in /etc/exports) rather than to authenticated users: with the default AUTH_SYS security the server trusts the numeric user and group IDs sent by the client, so an export should be limited to specific, trusted hosts. NFS can run over either UDP or TCP; current Linux clients mount over TCP by default, and NFSv4 requires it.

To install the NFS server, just install the nfs-kernel-server package.

# apt-get install nfs-kernel-server

After the installation, edit the file /etc/exports to configure the shares.

/home/ricardo/tmp    172.20.120.4(rw,no_subtree_check)

This line shares the directory /home/ricardo/tmp with the host 172.20.120.4 in read-write mode (no_subtree_check turns off the subtree check, which exportfs would otherwise warn about). Note that there is no space between the host and the options in parentheses; with a space, the options would apply to every host. To activate the exports, type (after later edits to the file, exportfs -ra re-exports everything):

# exportfs -a

On the client machine (which needs the NFS client tools, the nfs-common package on Debian), run:

# mount -t nfs 172.20.1.127:/home/ricardo/tmp /mnt/tmp

For the share to be mounted at boot, create an entry in /etc/fstab like the following:

172.20.1.127:/home/ricardo/tmp /mnt/tmp nfs defaults 0 0

NFS has many parameters that can be tuned. For an overview, consult the manual pages: nfs for the mount options and exports for the server-side options.

$ man nfs
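Since access is decided per host in /etc/exports, that file deserves the same kind of review the Lynis post above gives the rest of the system. The script below is an added example, not from the original post or from the nfs-utils project: it parses an exports file and flags the three mistakes that most often turn an NFS export into a remote file-access hole, namely exporting to every host (an empty host, a bare "*", or options separated from the host by a space), no_root_squash, and read-write exports to a whole network or wildcard instead of a named client. The sample file is constructed for the demonstration; only its first line is the one from the post.

```sh
#!/bin/sh
# Added example, not from the original post: audit /etc/exports for the
# usual mistakes. POSIX sh + awk only.

# Print one line per risky clause and return the number of findings
# (0 means nothing was flagged).
audit_exports() {   # audit_exports /etc/exports
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            path = $1
            # Every remaining field is a "host(options)" clause. A clause with
            # no host, e.g. "(rw)" after a stray space, applies to all hosts.
            for (i = 2; i <= NF; i++) {
                clause = $i; host = clause; opts = ""
                if (match(clause, /\(.*\)/)) {
                    host = substr(clause, 1, RSTART - 1)
                    opts = substr(clause, RSTART + 1, RLENGTH - 2)
                }
                if (host == "" || host == "*") {
                    printf "%s: exported to every host (%s)\n", path, clause; n++
                } else if (opts ~ /(^|,)rw(,|$)/ && host ~ /\/|\*/) {
                    printf "%s: read-write export to a whole network or wildcard (%s)\n", path, clause; n++
                }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    printf "%s: no_root_squash lets client root act as root on the server (%s)\n", path, clause; n++
                }
            }
        }
        END { exit n }' "$1"
}

# Demo on a constructed exports file; only the first entry is from the post.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample for the demonstration
/home/ricardo/tmp    172.20.120.4(rw,no_subtree_check)
/srv/backup          172.20.0.0/16(rw,no_root_squash)
/srv/pub             *(ro)
/srv/data            172.20.120.4 (rw,sync)
EOF
audit_exports "$demo" || echo "$? risky clause(s) found"
rm -f "$demo"
```

On the constructed sample the post's own line passes, while the other three entries produce four findings; the last one is the classic "host (options)" typo, which exports the directory read-write to the world and read-only to the intended client.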