Security Audit and Hardening

Prepare for a Security Audit or check your Server for Security Hardening. All Companies need to take an SA from time to time by an outside Agency. Many corporations with ISO 9001/27001 certs have written protocols to follow vis-à-vis testing and setting up services. #security #hardening #audit #lynis


How to prepare for a System Security Audit (SSA) or check your Server for Security Hardening. Hardening is the process of securing a system by reducing its attack surface, i.e. the set of places where it is exposed to attack.

Attack Surface Analysis (ASA) is the process of identifying the attack surface and discussing what it means from a risk perspective. It typically includes:

  • ASA of computer systems and applications maps out which parts of a system need to be reviewed and tested for security vulnerabilities. Both hardware and software risks need to be addressed.
  • Which parts of the system are open to the public internet and/or to internal users.
  • What the minimum exposure is that the company needs for effective operation.
  • Understanding the risk areas in an application or a machine and finding ways to minimize these risks.
  • How to notice, and how to act, when the attack surface changes.
  • How to secure updates to machines and software.
  • Attack Surface Analysis is usually done independently by security architects and pen testers.

Reducing the attack surface of systems and applications typically includes:

  • use of keys and tokens instead of passwords,
  • changing passwords to long and complicated ones,
  • adding 2FA or MFA authentication,
  • removal of unnecessary software, usernames, and services,
  • denial of root and other unnecessary logins,
  • disabling or removal of unnecessary services.

See my next blog on Hardening Servers

All Companies need to take an SSA from time to time by an outside Agency. It's a stressful time for IT Managers and DevOps to prepare, fix all minor bugs and be ready in time. Many corporations with ISO 9001 and ISO 27001 certs have written protocols to follow vis-à-vis testing and setting up services. The problem is keeping them up to date. Enterprises use tools like Lynis to cope with it.

I will show you a way to do a DIY SSA for your Servers with a tool called Lynis, which is Free and Open Source Software (FOSS). They also provide Lynis Enterprise, a SaaS offering at $3/system/month; SaaS Premium has many added features like a dashboard. For large Enterprises (100+ systems) they provide special pricing.


Lynis by Cisofy

Auditing, system hardening, compliance testing

Lynis is a battle-tested security tool for systems running Linux, macOS, or other Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software under the GPL license and has been available since 2007. See the Lynis Enterprise page for more screenshots.

How it works

Lynis scanning is modular and opportunistic. This means it will only use and test the components that it can find, such as the available system tools and their libraries. The benefit is that no installation of other tools is needed, so you can keep your systems clean.

By using this scanning method, the tool can run with almost no dependencies. Also, the more components it discovers, the more extensive the audit will be. In other words: Lynis will always perform scans that are tailored to your system. No audit will be the same!

Installation of the Community version

You can install it from your OS repository or run it without installing from a GitHub clone. The Community version is CLI based, so there is no Dashboard. It offers many of the benefits of the Enterprise version, but not all.

Proxmox node or any other Debian/Ubuntu server

First we need to install some packages and the repository signing key.
All commands need to run as root: use sudo, or become root with su -

sudo apt update && sudo apt install apt-transport-https gnupg2 -y

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 013baa07180c50a7101097ef9de922f1c2fde6c4

Note that apt-key is deprecated on recent Debian and Ubuntu releases; there the preferred way is to store the key under /etc/apt/keyrings and reference it with a signed-by option in the sources entry.

For English speakers, configure APT to skip downloading translations. It saves bandwidth and prevents additional load on the repository servers.

echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations

Add the repository and install Lynis

echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
sudo apt update && sudo apt install lynis -y

Confirm the installation

Run lynis show version; the current version is 3.0.8. If your version is not the latest, run sudo apt-cache policy lynis to see where your package came from.

Running Lynis Community version


Lynis has a ton of features and ways to run it. You can run a full (open) audit or pinpoint specific tests. For the first run, a full audit is best. You will see a very long list as output. See this link.

Audit steps

This is what happens during a typical scan with Lynis:

  1. Initialization
  2. Perform basic checks, such as file ownership
  3. Determine operating system and tools
  4. Search for available software components
  5. Check latest Lynis version
  6. Run enabled plugins
  7. Run security tests per category
  8. Perform execution of your custom tests (optional)
  9. Report status of security scan

Besides the report and information displayed on screen, all technical details about the scan are stored in a log file, /var/log/lynis.log. Findings like warnings and suggestions are stored in a separate report file, /var/log/lynis-report.dat.

You may enhance Lynis audits by adding your personal settings to /etc/lynis/custom.prf (for all settings, see the defaults in /etc/lynis/default.prf).

Run Lynis

Due to the nature of the audit, you need to run as root (su -) or use sudo. It's good practice to state your name as auditor and write a new log file for each scan.

sudo lynis audit system --auditor "Full Name" --logfile ~/name_of_file.log
sudo lynis audit system

Or, if you cloned it from GitHub: cd lynis && ./lynis audit system

After the initial scan, you are presented with a report on screen and in the logs. The report also includes several links to explanations of things you should consider doing to raise your security score.

Lynis commands (see man or help for full list)

Usage: lynis command [options]

Audit

audit system                  : Perform local security scan
audit system remote <host>    : Remote security scan
audit dockerfile <file>       : Analyze Dockerfile

Options

--auditor "Full Name" or name : Use "quotes" for full name
--logfile /full/path/to/file  : Create a dedicated file

Show

show                          : Show all commands
show version                  : Show Lynis version
show help                     : Show help
update info                   : Show update details

Other options

Alternative system audit modes
--forensics                   : Perform forensics on a running/mounted system
--pentest                     : Non-privileged, show points of interest for pen testing

Layout options
--no-colors (colours)         : Don't use colors in output
--quiet (-q)                  : No output
--reverse-colors              : Optimize color display for light backgrounds

Misc options
--debug                       : Debug logging to screen
--no-log                      : Don't create a log file
--profile <profile>           : Scan the system with the given profile file
--view-manpage (--man)        : View man page
--verbose                     : Show more details on screen
--version (-V)                : Display version number and quit
--wait                        : Wait between a set of tests
--slow-warning <seconds>      : Threshold for slow test warning in seconds (the default is 10)

For more options, run lynis show options (or /usr/sbin/lynis show options if it is not on your PATH), or use the man page: man lynis.

Examine Lynis Audit Reports

A newly installed server may get a score of around 60-65, meaning you should improve the server's security according to your own security rules.

Send the report to your security team or start figuring out how to improve the score. Lynis helps you by identifying issues and giving advice, including links to articles.

For example, some of the important categories include:

  • Boot and Services: In this category, Lynis gives you an overview of the boot process and the service manager in use on your system. Lynis marks services that pose a security threat to your system as unsafe or exposed.
  • Users, Groups, and Authentication: Lynis scans your user and administrator accounts and checks password strength and expiry. Lynis examines whether important files like /etc/passwd and the PAM config have the proper permissions.
  • Ports and Packages: Lynis gives an overview of unsafe and open ports that intruders could use to get into your system. Lynis also informs you of outdated packages, which are a security risk.
  • Logging and Files: Lynis checks whether the logging daemon is up and running. It checks the availability and security of important log files.

Apart from these categories, Lynis also checks your kernel, memory and processes, shells, file systems, DNS, networking, virtualization and other critical parts of your system.

It also creates a "Warnings" and a "Suggestions" section, each entry with links to articles, and an executive summary called "Lynis security scan details".


A hardening index of 60-65 is to be expected before hardening the server for production usage. Be aware that a CEO may freak out on seeing that number.

The lynis.log contains the output in list form for future reference.
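To make the report file named above easier to work with, here is an added example (not part of this post or of the Lynis project): a small Python script that parses the key=value layout of /var/log/lynis-report.dat, groups warnings and suggestions by test id, and flags a run whose hardening index is below a target you set. The sample report is constructed, and the field order inside each pipe-separated finding (test id|description|details|solution) is an assumption.

```python
from collections import defaultdict

# Constructed sample mimicking /var/log/lynis-report.dat; the field order in the
# pipe-separated entries (test id|description|details|solution|) is assumed.
SAMPLE_REPORT = """\
# Lynis Report
lynis_version=3.0.8
hardening_index=63
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
suggestion[]=BOOT-5264|Consider hardening system services|Run systemd-analyze security|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
"""


def parse_report(text):
    """Split the report into scalar keys (key=value) and list keys (key[]=value)."""
    scalars, lists = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comments and blank lines carry no findings
        key, _, value = line.partition("=")
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            scalars[key] = value
    return scalars, dict(lists)


def group_findings(entries):
    """Group pipe-separated findings by test id: {test_id: (description, [details, ...])}."""
    grouped = {}
    for entry in entries:
        test_id, description, details = (entry.split("|") + ["", "", ""])[:3]
        grouped.setdefault(test_id, (description, []))
        if details and details != "-":  # Lynis writes "-" for an empty field
            grouped[test_id][1].append(details)
    return grouped


def evaluate(text, minimum_index=70):
    """Summarise a report; 'passed' is False when the hardening index is below minimum_index."""
    scalars, lists = parse_report(text)
    index = int(scalars.get("hardening_index", 0))
    return {
        "lynis_version": scalars.get("lynis_version", "unknown"),
        "hardening_index": index,
        "passed": index >= minimum_index,
        "warnings": group_findings(lists.get("warning", [])),
        "suggestions": group_findings(lists.get("suggestion", [])),
    }
```

On a real server, pass the contents of /var/log/lynis-report.dat to evaluate() and use the returned "passed" flag to fail a scheduled check before the next SSA.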



Final thoughts

I definitely prefer to use the Enterprise version over the Community version for a number of reasons. First, the number of tests (171/211), a set of ready plugins, the ease of use with the Dashboard and the extensive reporting (ISO 27001).

This is part 1 in a multi part series on Server Security and Hardening

General thoughts on Hardening Servers

Hardening servers is an interesting topic. It's a key task for IT professionals. There are some excellent guides on this subject on the net that I recommend you read, and then argue with yourself about what to do.

  • Don't use passwords. If you do, use long and complicated ones.
  • Use different passwords for everything
  • Use a good password manager like Bitwarden
  • Don't run as root - create superusers
  • Block root on SSH
  • Use keys and tokens
  • Use 2FA as a minimum - even for the intranet
  • Don't open ports if you can avoid it
  • Don't run old software or firmware
  • Kill unnecessary processes and servers
  • Pay special attention to network security
  • Treat the intranet as the web - Prepare for an intrusion
  • Use VPN tunnels
  • Use firewalls - not the ISP junk but a real one
  • Add Malware and Virus protection to your servers
  • Do SSAs frequently
  • Read security blogs

References

Lynis Auditing system [1]
Installing the Community version [2]
Lynis on GitHub [3]
Kali Linux [4] is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security.
Multi-factor authentication (MFA), including two-factor authentication (2FA), is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password. [5]
Check Rootkit (chkrootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits. It is a shell script using common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures and for comparing a traversal of the /proc filesystem with the output of the ps (process status) command to look for discrepancies. [6]
Rootkit hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD. rkhunter is notable due to its inclusion in popular operating systems (Fedora, Debian, etc.) [7]
Clam Antivirus [8] (ClamAV) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses.
Other Host-based intrusion detection systems comparison [9]
Computer security on Wikipedia [10]
The Hardening Servers Series [11]


  1. Cisofy the Lynis Home Page ↩︎

  2. Install the Community version page and this page ↩︎

  3. Lynis on GitHub and the Lynis Development Guide for Lynis Plugins ↩︎

  4. Kali Linux on Wikipedia and the Home page ↩︎

  5. Authentication security, see this page ↩︎

  6. Check Rootkit on Wikipedia and the Home Page ↩︎

  7. Rootkit hunter on Wikipedia and the Home page ↩︎

  8. Clam AntiVirus by Cisco Systems on Wikipedia and the Home Page ↩︎

  9. Host-based intrusion detection systems on Wikipedia and a long list of FOSS packages on this Wikipedia Page or this Page ↩︎

  10. Information security on Wikipedia Page ↩︎

  11. Security Audit and Hardening post, Hardening your Servers blog, Hardening Servers 3 blog, Proxmox Backup Server blog, Monitoring your Servers blog ↩︎