Security Audit and Hardening
Prepare for a Security Audit or check your server for security hardening. All companies need to take an SA from time to time by an outside agency. Many corporations with ISO 9001/27001 certs have written protocols to follow vis-à-vis testing and setting up services. #security #hardening #audit #lynis
How to prepare for a System Security Audit (SSA) or check your Server for Security Hardening. Hardening is usually the process of securing a system by reducing its surface of vulnerability.
Attack Surface Analysis (ASA) is the process of identifying the attack surface. It typically includes the following points, and a discussion of what each means from a risk perspective:
- ASA of computer systems and applications maps out which parts of a system need to be reviewed and tested for security vulnerabilities. Both hardware and software risks need to be addressed.
- Which parts of the system are open to the public, the internet and/or internal users.
- What is the minimum exposure needed for the effective operation of the company.
- Understand the risk areas in an application or a machine and find ways of minimizing these risks
- How to notice and how to act when the Attack Surface changes
- How to secure updates to machines and software
- Attack Surface Analysis is usually done independently by security architects and pen testers.
Reducing the attack surface of systems and applications typically includes:
- use of keys and tokens instead of passwords
- changing passwords to long and complicated ones
- adding 2FA or MFA authentication
- removal of unnecessary software, usernames, and services
- denial of root and other unnecessary logins
- disabling or removal of unnecessary services
See my next blog on Hardening Servers
All companies need to take an SSA from time to time by an outside agency. It's a stressful time for IT managers and DevOps to prepare, fix all minor bugs and be ready in time. Many corporations with ISO 9001 and ISO 27001 certs have written protocols to follow vis-à-vis testing and setting up services. The problem is keeping them up to date. Enterprises use tools like Lynis to cope with it.
I will show you a way to do a DIY SSA for your servers with a tool called Lynis, which is Free and Open Source Software (FOSS). They also provide Lynis Enterprise, a SaaS offering at $3/system/month; SaaS Premium has many added features like a dashboard. For large enterprises (100+ systems) they provide special pricing.
Lynis by Cisofy
Auditing, system hardening, compliance testing
Lynis is a battle-tested security tool for systems running Linux, macOS, or other Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software under the GPL license and has been available since 2007. See the Lynis Enterprise page for more screenshots.
How it works
Lynis scanning is modular and opportunistic. This means it will only use and test the components that it can find, such as the available system tools and its libraries. The benefit is that no installation of other tools is needed, so you can keep your systems clean.
By using this scanning method, the tool can run with almost no dependencies. Also, the more components it discovers, the more extensive the audit will be. In other words: Lynis will always perform scans that are tailored to your system. No audit will be the same!
Installation of the Community version
You can install it from your OS repository or run it without installing from the GitHub repository. The Community version is CLI based, so there is no dashboard. It offers many of the benefits of the Enterprise version, but not all.
Proxmox node or any other Debian/Ubuntu server
First we need to install some apps and a key. We need to run with sudo, or as root with su -.
sudo apt update && sudo apt install apt-transport-https gnupg2 -y
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 013baa07180c50a7101097ef9de922f1c2fde6c4
For English speakers, configure APT to skip downloading translations. It will save bandwidth and prevent additional load on the repository servers.
echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations
Add the package repository and install Lynis
echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
sudo apt update && sudo apt install lynis -y
Confirm the installation
Run lynis show version. The current version is 3.0.8. If your version is not the latest, run sudo apt-cache policy lynis to see where your package came from.
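The same installation as a script, added here as an example and not taken from the post or from Cisofy: it pins the repository to a dedicated keyring with signed-by instead of the deprecated apt-key, and refuses to install the key unless the fingerprint fetched from the keyserver matches the one quoted above. The repository URL and fingerprint are the ones from the post; the keyring and list paths are assumptions, and the script assumes Debian/Ubuntu with gnupg installed and is run as root.

```shell
#!/bin/sh
# Added example (not from the post or Cisofy): install Lynis with a pinned, verified signing key.
set -eu

CISOFY_FPR="013BAA07180C50A7101097EF9DE922F1C2FDE6C4"   # fingerprint from the post's apt-key line, uppercased
CISOFY_REPO="https://packages.cisofy.com/community/lynis/deb/"
KEYRING="/etc/apt/keyrings/cisofy-lynis.gpg"            # assumed path for the dedicated keyring
LIST="/etc/apt/sources.list.d/cisofy-lynis.list"

# Build the sources.list entry that ties the repository to the dedicated keyring only.
lynis_sources_entry() {   # $1 keyring path
    printf 'deb [signed-by=%s] %s stable main\n' "$1" "$CISOFY_REPO"
}

# Compare two fingerprints regardless of case (gpg prints them uppercased, the post has them lowercased).
fingerprint_matches() {   # $1 expected, $2 actual
    [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Fetch the key into a throwaway GnuPG home, verify its fingerprint, then export it to the keyring.
fetch_signing_key() {     # $1 expected fingerprint, $2 keyring destination
    tmp=$(mktemp -d)
    GNUPGHOME="$tmp" gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$1"
    actual=$(GNUPGHOME="$tmp" gpg --batch --with-colons --fingerprint "$1" \
             | awk -F: '$1 == "fpr" { print $10; exit }')   # first fpr line = primary key fingerprint
    if ! fingerprint_matches "$1" "$actual"; then
        echo "refusing to trust key: fingerprint $actual does not match $1" >&2
        rm -rf "$tmp"
        return 1
    fi
    install -d -m 0755 "$(dirname "$2")"
    GNUPGHOME="$tmp" gpg --batch --export "$1" > "$2"     # binary keyring, as APT's signed-by expects
    rm -rf "$tmp"
}

install_lynis() {
    apt-get update
    apt-get install -y gnupg2 apt-transport-https
    fetch_signing_key "$CISOFY_FPR" "$KEYRING"
    lynis_sources_entry "$KEYRING" > "$LIST"
    apt-get update
    apt-get install -y lynis
    lynis show version
    apt-cache policy lynis        # confirm the package really came from packages.cisofy.com
}

# Only touch the system when invoked as "sh install-lynis.sh install"; the functions above can be sourced.
if [ "${1:-}" = "install" ]; then
    install_lynis
fi
```

If the fingerprint comparison fails the script stops before writing anything under /etc/apt, which is the point: a keyserver lookup by key ID alone is not a trust decision, the fingerprint check is.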
Running Lynis Community version
Lynis has a ton of features and ways to run it. You can run an open test or a pinpointed one. For the first run, an open test is best. You will see a very long list as output. See this link.
Audit steps
This is what happens during a typical scan with Lynis:
- Initialization
- Perform basic checks, such as file ownership
- Determine operating system and tools
- Search for available software components
- Check latest Lynis version
- Run enabled plugins
- Run security tests per category
- Perform execution of your custom tests (optional)
- Report status of security scan
Besides the report and information displayed on screen, all technical details about the scan are stored in a log file, /var/log/lynis.log. Findings like warnings and suggestions are stored in a separate report file, /var/log/lynis-report.dat.
You may enhance Lynis audits by adding your personal settings to /etc/lynis/custom.prf (for all settings, see the defaults in /etc/lynis/default.prf).
Run Lynis
Due to the nature of the audit, you need to run as root (su -) or use sudo. It's good practice to state your name and make a new file for each scan.
sudo lynis audit system --auditor "Full Name" --logfile ~/name_of_file.log
sudo lynis audit system
Or, if you cloned it: cd lynis && ./lynis audit system
After the initial scan, you are presented with a report on screen and in the logs. The report also includes several links to explanations of things you should consider doing to up your security score.
Lynis commands (see man or help for full list)
Usage: lynis command [options]
Audit
audit system : Perform local security scan
audit system remote <host> : Remote security scan
audit dockerfile <file> : Analyze Dockerfile
Options
--auditor "Full Name" or name : Use "quotes" for full name
--logfile /full/path/to/file : Create a dedicated file
Show
show : Show all commands
show version : Show Lynis version
show help : Show help
update info : Show update details
Other options
Alternative system audit modes
--forensics : Perform forensics on a running/mounted system
--pentest : Non-privileged, show points of interest for pen testing
Layout options
--no-colors (colours) : Don't use colors in output
--quiet (-q) : No output
--reverse-colors : Optimize color display for light backgrounds
Misc options
--debug : Debug logging to screen
--no-log : Don't create a log file
--profile <profile> : Scan the system with the given profile file
--view-manpage (--man) : View man page
--verbose : Show more details on screen
--version (-V) : Display version number and quit
--wait : Wait between a set of tests
--slow-warning <seconds> : Threshold for slow test warning in seconds (the default is 10)
For more options, run /usr/sbin/lynis show options or lynis show options, or use the man page: man lynis.
Examine Lynis Audit Reports
A newly installed server may get a score in the 60-65 range, meaning you should do something to improve your server's security according to your safety rules.
Send the report to your security team or start figuring out how to improve the score. Lynis helps you by identifying things and giving advice like links to articles.
For example, some of the important categories include:
- Boot and Services: In this category, Lynis gives you an overview of the boot process and the service manager in use on your system. Lynis flags services that pose a security threat to your system as unsafe or exposed.
- Users, Groups, and Authentication: Lynis scans your user and administrator accounts and checks for password strength and expiry. Lynis will also examine whether important files like /etc/passwd and the PAM config have the proper permissions.
- Ports and Packages: Lynis gives an overview of unsafe and open ports that infiltrators could use to attack your system. Lynis also informs you of outdated packages, which are a security risk.
- Logging and Files: Lynis checks if the logging daemon is up and running. It checks the availability and security of important log files.
Apart from these categories, Lynis also checks your kernel, memory and processes, shells, file systems, DNS stuff, networking, virtualization and other critical parts of your system.
It also creates "Warnings" and "Suggestions" sections, all with links to articles, and an executive summary called "Lynis security scan details".
A hardening index of 60-65 is to be expected before hardening the server for production usage. Be aware that a CEO may freak out from seeing that number.
The lynis.log contains the output in list form for future reference.
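Since the findings land in /var/log/lynis-report.dat as plain key=value lines (warnings and suggestions as warning[]= and suggestion[]= entries with |-separated fields), a short script can turn the report into the summary you send to the security team and fail a CI or deployment step when the hardening index is below your own threshold. The script below is an added example, not part of Lynis or of this post; the embedded report is a constructed sample in the Lynis report format (the test IDs and texts are modelled on real Lynis output), and the LYNIS_REPORT and MIN_INDEX variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from Lynis or the post): summarize a lynis-report.dat and gate on the hardening index.
# Usage on a real host, after "sudo lynis audit system":
#   LYNIS_REPORT=/var/log/lynis-report.dat MIN_INDEX=70 sh lynis-gate.sh

# Constructed sample report in the Lynis report format (not captured from a real system).
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
# Lynis Report (constructed sample for this example)
report_version_major=1
report_version_minor=0
lynis_version=3.0.8
hardening_index=62
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=BOOT-5264|Consider hardening system services|Run '/usr/bin/systemd-analyze security SERVICE' for each service|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
EOF

report_value() {   # $1 report file, $2 key -> value of the first "key=value" line
    awk -F= -v key="$2" '$1 == key { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

report_items() {   # $1 report file, $2 warning|suggestion -> "TEST-ID  description" per entry
    awk -F= -v key="$2[]" '$1 == key { sub(/^[^=]*=/, ""); split($0, f, "|"); printf "%s  %s\n", f[1], f[2] }' "$1"
}

report_count() {   # $1 report file, $2 warning|suggestion -> number of entries
    report_items "$1" "$2" | wc -l | tr -d ' '
}

gate_hardening() { # $1 report file, $2 minimum index -> succeeds only when the index is >= minimum
    idx=$(report_value "$1" hardening_index)
    [ -n "$idx" ] && [ "$idx" -ge "$2" ]
}

REPORT=${LYNIS_REPORT:-$SAMPLE_REPORT}   # real report when LYNIS_REPORT is set, else the sample
MIN=${MIN_INDEX:-60}                     # threshold is a policy decision; 60 matches the post's "new server" range
echo "Lynis $(report_value "$REPORT" lynis_version): hardening index $(report_value "$REPORT" hardening_index)"
echo "Warnings ($(report_count "$REPORT" warning)):";       report_items "$REPORT" warning
echo "Suggestions ($(report_count "$REPORT" suggestion)):"; report_items "$REPORT" suggestion
if gate_hardening "$REPORT" "$MIN"; then
    echo "GATE: pass (index >= $MIN)"
else
    echo "GATE: fail (index below $MIN) - send the report to the security team"
fi
```

Keeping the report file per scan (the post suggests a fresh log per scan; the same applies to the report) lets you diff the warning[] lines between two audits, which is a far better signal of a changed attack surface than the index alone.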
Final thoughts
I definitely prefer to use the Enterprise version over the Community version for a number of reasons: first, the number of tests (171/211); then a set of ready plugins, the ease of use with the Dashboard, and the extensive reporting (ISO 27001).
This is part 1 in a multi part series on Server Security and Hardening
General thoughts on Hardening Servers
Hardening servers is an interesting topic. It's a key task for IT professionals. There are some excellent guides on this subject on the net that I recommend you read, and then argue with yourself about what to do.
- Don't use passwords. If you do, use long and complicated ones.
- Use different passwords for everything
- Use a good password manager like Bitwarden
- Don't run as root - create superusers
- Block root on SSH
- Use keys and tokens
- Use 2FA as a minimum - even for the intranet
- Don't open ports if you can avoid it
- Don't run old software or firmware
- Kill unnecessary processes and servers
- Pay special attention to network security
- Treat the intranet as the web - Prepare for an intrusion
- Use VPN tunnels
- Use firewalls - not the ISP junk but a real one
- Add Malware and Virus protection to your servers
- Do SSAs frequently
- Read security blogs
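Three items of the checklist (block root on SSH, use keys instead of passwords, keep key logins enabled) can be checked mechanically against sshd_config. The script below is an added example, not from the post or from OpenSSH; it assumes OpenSSH semantics (keywords are case-insensitive, the first occurrence of a keyword wins, defaults of prohibit-password for PermitRootLogin and yes for PasswordAuthentication, KbdInteractiveAuthentication and PubkeyAuthentication) and ignores directives inside Match blocks, which are conditional. Both config files are constructed samples.

```shell
#!/bin/sh
# Added example (not from the post or OpenSSH): check an sshd_config against the hardening checklist.

sshd_effective() {   # $1 config file, $2 keyword (any case), $3 default when unset -> lowercased value
    value=$(awk -v key="$2" '
        /^[ \t]*#/ || NF < 2        { next }                    # skip comments and blank lines
        tolower($1) == "match"      { exit }                    # stop before conditional Match blocks
        tolower($1) == tolower(key) { print tolower($2); exit } # first occurrence wins, as in sshd
    ' "$1")
    printf '%s\n' "${value:-$3}"
}

check_sshd() {       # $1 config file -> prints one FINDING line per checklist violation
    n=0
    if [ "$(sshd_effective "$1" PermitRootLogin prohibit-password)" != "no" ]; then
        echo "FINDING: PermitRootLogin is not 'no' - block root on SSH"; n=$((n + 1))
    fi
    if [ "$(sshd_effective "$1" PasswordAuthentication yes)" = "yes" ]; then
        echo "FINDING: PasswordAuthentication is 'yes' - use keys, not passwords"; n=$((n + 1))
    fi
    # keyboard-interactive (PAM) can still prompt for a password even with PasswordAuthentication off;
    # older releases spell the keyword ChallengeResponseAuthentication, so fall back to it.
    legacy=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    if [ "$(sshd_effective "$1" KbdInteractiveAuthentication "$legacy")" = "yes" ]; then
        echo "FINDING: KbdInteractiveAuthentication is 'yes' - PAM password prompts remain possible"; n=$((n + 1))
    fi
    if [ "$(sshd_effective "$1" PubkeyAuthentication yes)" != "yes" ]; then
        echo "FINDING: PubkeyAuthentication is not 'yes' - key logins would be refused"; n=$((n + 1))
    fi
    echo "$n finding(s) in $1"
}

count_findings() {   # $1 config file -> number of FINDING lines (usable as a CI gate: non-zero means fail)
    check_sshd "$1" | awk '/^FINDING/ { c++ } END { print c + 0 }'
}

# Constructed sample configs: one weak, one hardened.
WEAK_CFG=$(mktemp); cat > "$WEAK_CFG" <<'EOF'
# constructed weak sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# this later line is ignored by sshd because the first value wins
PermitRootLogin no
EOF

HARD_CFG=$(mktemp); cat > "$HARD_CFG" <<'EOF'
# constructed hardened sshd_config
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF

check_sshd "$WEAK_CFG"
check_sshd "$HARD_CFG"
```

On a live host, feed the script the effective configuration rather than the raw file: sudo sshd -T prints every keyword with duplicates resolved and defaults filled in, so sudo sshd -T > /tmp/sshd-effective.conf followed by check_sshd /tmp/sshd-effective.conf evaluates what the daemon actually enforces.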
References
Lynis Auditing system [1], Installing the Community version [2], Lynis on GitHub [3]
Kali Linux [4] is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security.
Multi-factor authentication (MFA), including two-factor authentication (2FA), is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data, which may include personal identification or financial assets, from being accessed by an unauthorized third party that may have been able to discover, for example, a single password. [5]
Check Rootkit (chkrootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits. It is a shell script using common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures and for comparing a traversal of the /proc filesystem with the output of the ps (process status) command to look for discrepancies. [6]
Rootkit hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD. rkhunter is notable due to its inclusion in popular operating systems (Fedora, Debian, etc.) [7]
Clam Antivirus [8] (ClamAV) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses.
Other: Host-based intrusion detection systems comparison [9], Computer security on Wikipedia [10]
The Hardening Servers Series [11]
Lynis on GitHub; Lynis Development Guide for Lynis Plugins ↩︎
Clam AntiVirus by Cisco Systems on Wikipedia and the Home Page ↩︎
Host-based intrusion detection systems on Wikipedia and a long list of FOSS packages on this Wikipedia Page or this Page ↩︎
Security Audit and Hardening post, Hardening your Servers blog, Hardening Servers 3 blog, Proxmox Backup Server blog, Monitoring your Servers blog ↩︎