Tips and Tricks 2017

Malware and Rootkit scanners

Servers connected to the internet are constantly attacked and scanned. A firewall and regular updates keep the server secure. It also does no harm to check regularly that no attacker has got in. For that you scan the system regularly for malware, viruses and rootkits. This can be done automatically, for example every night with a report sent by e-mail, and whenever there is suspicious activity such as increased load, suspicious processes, or the server suddenly starting to distribute malware.

To scan a system thoroughly, you obviously need root privileges.

chkrootkit - Linux rootkit scanner

Chkrootkit is a classic rootkit scanner. It checks a system for suspicious processes and against a list of known rootkit files. On openSUSE Leap 42.2 you install chkrootkit with the command:

dany@laptop:~> sudo /sbin/OCICLI https://software.opensuse.org/ymp/security/openSUSE_Leap_42.2/chkrootkit.ymp
root's password:
Als u verdergaat, dan worden de volgende installatiebronnen toegevoegd:
        * http://download.opensuse.org/repositories/security/openSUSE_Leap_42.2/
Als verdergaat, dan zullen de volgende softwarepakketten worden geïnstalleerd op uw systeem:
        * chkrootkit
Continue? y/N
y
Toevoegen van installatiebronnen...

You also have to trust the GnuPG key of the Security software repository (see image).

Scan a system with chkrootkit with the command:

dany@laptop:~> sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/perl5/5.18.2/x86_64-linux-thread-multi/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
Searching for 64-bit Linux Rootkit ... nothing found
Searching for 64-bit Linux Rootkit modules... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
vmnet1: not promisc and no PF_PACKET sockets
vmnet8: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         1567 tty7   /usr/bin/X -nolisten tcp -auth /run/sddm/{bf1f2a65-c576-4b22-81a8-be2fcd60a34d} -background none -noreset -displayfd 18 vt7
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected

Although the output is kept to a minimum per test, you can still overlook a warning. You solve this by filtering the output for infections with grep:

dany@laptop:~> sudo chkrootkit | grep INFECTED
Searching for Suckit rootkit... Warning: /sbin/init INFECTED

According to chkrootkit, /sbin/init is infected with the Suckit rootkit. Closer investigation showed, however, that chkrootkit assumed this only because /sbin/init is a link to /usr/lib/systemd/systemd. So we are dealing here with an unjustified warning (a false positive).
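A cron-friendly wrapper around the grep filter above, added here as an example and not part of the original page: it keeps only the INFECTED lines, drops the Suckit warning only when /sbin/init really is a symlink to systemd (the false positive just described), and mails whatever remains. The sample output, the `nightly_scan` name and the recipient address are constructed assumptions.

```shell
#!/bin/sh
# Added example: nightly chkrootkit run that mails only real findings.
# Not part of the original page. Assumes chkrootkit and a working `mail`
# command are installed; the recipient address is a placeholder.

# Constructed sample of chkrootkit output, including the systemd false
# positive from the page and one finding that must never be suppressed.
sample_chkrootkit_output() {
    cat <<'EOF'
Checking `ls'... not infected
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `sshd'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
EOF
}

# Succeeds when the given init binary is a symlink that resolves to
# systemd, the situation that triggers chkrootkit's Suckit warning.
init_is_systemd_link() {
    init_path="${1:-/sbin/init}"
    [ -L "$init_path" ] || return 1
    case "$(readlink -f "$init_path" 2>/dev/null)" in
        */systemd/systemd) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads chkrootkit output on stdin and prints the INFECTED lines that still
# deserve attention. $1 is "yes" when /sbin/init is known to be systemd,
# in which case the Suckit line is dropped; every other INFECTED line stays.
filter_infected() {
    systemd_init="${1:-no}"
    grep 'INFECTED' | while IFS= read -r line; do
        case "$line" in
            "Searching for Suckit rootkit... Warning: /sbin/init INFECTED")
                [ "$systemd_init" = "yes" ] && continue
                ;;
        esac
        printf '%s\n' "$line"
    done
}

# Runs the real scan and mails any remaining findings. Returns 1 when
# something was reported so a cron job can notice the failure.
nightly_scan() {
    mailto="${1:-root@localhost}"   # placeholder recipient
    if init_is_systemd_link /sbin/init; then flag=yes; else flag=no; fi
    findings="$(chkrootkit 2>/dev/null | filter_infected "$flag")"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | mail -s "chkrootkit: INFECTED on $(hostname)" "$mailto"
    return 1
}

# Only scan when invoked as: sudo ./chkrootkit-nightly.sh --run admin@example.org
if [ "${1:-}" = "--run" ]; then
    nightly_scan "${2:-root@localhost}"
fi
```

Put the `--run` invocation in root's crontab; because the Suckit line is suppressed only when the symlink check passes, a real replacement of /sbin/init is still reported.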

Lynis - Universal security auditing and rootkit tool

Lynis (formerly rkhunter) is a scanner for Linux and BSD systems. It performs a thorough system check and in doing so examines various security aspects and settings of your system. You install the most recent version of Lynis on openSUSE Leap 42.2 as follows:

dany@laptop:~> sudo rpm --import https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
root's password:
dany@laptop:~> sudo zypper addrepo --gpgcheck --name "CISOfy Lynis repository" --priority 1 --refresh --type rpm-md https://packages.cisofy.com/community/lynis/rpm/ lynis
Installatiebron 'CISOfy Lynis repository' wordt toegevoegd ..................................................................[gereed]
Opslagruimte 'CISOfy Lynis repository' is toegevoegd

URI                    : https://packages.cisofy.com/community/lynis/rpm/
Ingeschakeld           : Ja                                              
GPG-controle           : Ja                                              
Automatisch vernieuwen : Ja                                              
Prioriteit             : 1 (verhoogde prioriteit)                        

Prioriteiten van opslagruimten zijn van kracht:                                                     (Zie 'zypper lr -P' voor details)
       1 (verhoogde prioriteit) :  1 opslagruimte 
      99 (standaard prioriteit) :  8 opslagruimten
dany@laptop:~> sudo zypper refresh
Installatiebron 'Filesystems' is actueel.                                                                                            
Installatiebron 'VLC' is actueel.                                                                                                    
Installatiebron 'home:Krysanto' is actueel.                                                                                          
Installatiebron 'security' is actueel.                                                                                               
Ophalen van metagegevens uit installatiebron 'CISOfy Lynis repository' ......................................................[gereed]
Cache van installatiebron 'CISOfy Lynis repository' wordt gebouwd ...........................................................[gereed]
Installatiebron 'openSUSE-Leap-42.2-Non-Oss' is actueel.                                                                             
Installatiebron 'openSUSE-Leap-42.2-Oss' is actueel.                                                                                 
Installatiebron 'openSUSE-Leap-42.2-Update' is actueel.                                                                              
Installatiebron 'openSUSE-Leap-42.2-Update-Non-Oss' is actueel.                                                                      
Alle opslagruimten zijn vernieuwd.
dany@laptop:~> sudo zypper install lynis
Gegevens van installatiebron laden...
Lezen van geïnstalleerde pakketten...
Pakketafhankelijkheden oplossen...

Het volgende NIEUWE pakket zal worden geïnstalleerd:
  lynis

1 nieuw te installeren pakket.
Totale downloadgrootte: 257,5 KiB. Reeds in de cache: 0 B. Na de bewerking zal aanvullend 1,3 MiB worden gebruikt.
Doorgaan? [j/n/...? alle opties tonen] (j): 
pakket lynis-2.5.0-1.noarch wordt opgehaald                                                    (1/1), 257,5 KiB (  1,3 MiB uitgepakt)
Ophalen: lynis-2.5.0-1.noarch.rpm ...........................................................................................[gereed]
Controleren op conflicten tussen bestanden: .................................................................................[gereed]
(1/1) Installeert: lynis-2.5.0-1.noarch .....................................................................................[gereed]

With scanners it is important to always use the most recent version, because only then will you also detect recent malware. With the following command you check whether you are working with the most recent version of Lynis:

dany@laptop:~> sudo lynis update info
root's password:

 == Lynis ==

  Version            : 2.5.0
  Status             : Up-to-date
  Release date       : 2017-05-03
  Update location    : https://cisofy.com/lynis/


2007-2017, CISOfy - https://cisofy.com/lynis/

Scan your system with Lynis with the following command:

dany@laptop:~> sudo lynis audit system

[ Lynis 2.5.0 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2017, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################


[+] Initializing program
------------------------------------
- Detecting OS...  [ DONE ]
- Checking profiles... [ DONE ]
- Detecting language and localization [ nl ]

  ---------------------------------------------------
  Program version:           2.5.0
  Operating system:          Linux
  Operating system name:     SuSE
  Operating system version:  openSUSE 42.2 (x86_64)
  Kernel version:            4.4.62
  Hardware platform:         x86_64
  Hostname:                  laptop.pindanet.home
  ---------------------------------------------------
  Profiles:                  /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /usr/share/lynis/plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Test category:             all
  Test group:                all
  ---------------------------------------------------
- Program update status...  [ NO UPDATE ]

[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...

[+] Plugins (fase 1)
------------------------------------
Plugins hebben uitgebreidere testen en kunnen derhalve enkele minuten duren
 
- Plugins geactiveerd [ NONE ]

[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ INGESCHAKELD ]
- Checking Secure Boot [ UITGESCHAKELD ]
- Checking presence GRUB2 [ GEVONDEN ]
- Checking for password protection [ WAARSCHUWING ]
- Check running services (systemctl) [ KLAAR ]
Result: found 32 running services
- Check enabled services at boot (systemctl) [ KLAAR ]
Result: found 39 enabled services
- Check startup files (permissions) [ OK ]

[+] Kernel
------------------------------------
- Checking default runlevel [ runlevel 5 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ GEVONDEN ]
- Checking kernel version and release [ KLAAR ]
- Checking kernel type [ KLAAR ]
- Checking loaded kernel modules [ KLAAR ]
Found 169 active modules
- Checking Linux kernel configuration file [ GEVONDEN ]
- Checking default I/O kernel scheduler [ GEVONDEN ]
- Checking core dumps configuration [ UITGESCHAKELD ]
- Checking setuid core dumps configuration [ DEFAULT ]
- Check if reboot is needed [ NEE ]

[+] Geheugen en Processen
------------------------------------
- Checking /proc/meminfo [ GEVONDEN ]
- Searching for dead/zombie processes [ OK ]
- Searching for IO waiting processes [ OK ]

[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ OK ]
- Unique UIDs [ OK ]
- Consistency of group files (grpck) [ OK ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password file consistency [ OK ]
- Query system users (non daemons) [ KLAAR ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ NOT ENABLED ]
- sudoers file [ GEVONDEN ]
- Check sudoers file permissions [ OK ]
- PAM password strength tools [ OK ]
- PAM configuration file (pam.conf) [ NIET GEVONDEN ]
- PAM configuration files (pam.d) [ GEVONDEN ]
- PAM modules [ GEVONDEN ]
- LDAP module in PAM [ NIET GEVONDEN ]
- Accounts without expire date [ OK ]
- Accounts without password [ OK ]
- Checking user password aging (minimum) [ UITGESCHAKELD ]
- User password aging (maximum) [ UITGESCHAKELD ]
- Checking expired passwords [ OK ]
- Determining default umask
- umask (/etc/profile) [ NIET GEVONDEN ]
- umask (/etc/login.defs) [ SUGGESTIE ]
- LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ UITGESCHAKELD ]

[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 23 shells (valid shells: 14).
- Session timeout settings/tools [ GEEN ]
- Checking default umask values
- Checking default umask in /etc/bash.bashrc [ GEEN ]
- Checking default umask in /etc/csh.cshrc [ GEEN ]
- Checking default umask in /etc/profile [ GEEN ]

[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ OK ]
- Checking /tmp mount point [ SUGGESTIE ]
- Checking /var mount point [ SUGGESTIE ]
- Query swap partitions (fstab) [ OK ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTIE ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- ACL support root file system [ INGESCHAKELD ]
- Mount options of / [ NON DEFAULT ]
- Disable kernel support of some filesystems
- Discovered kernel modules: cramfs freevxfs hfs hfsplus jffs2 squashfs udf 

[+] Storage
------------------------------------
- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
- Checking USB devices authorization [ INGESCHAKELD ]
- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ]

[+] NFS
------------------------------------
- Query rpc registered programs [ KLAAR ]
- Query NFS versions [ KLAAR ]
- Query NFS protocols [ KLAAR ]
- Check running NFS daemon [ NIET GEVONDEN ]

[+] Name services
------------------------------------
- Checking search domains [ GEVONDEN ]
- Searching DNS domain name [ ONBEKEND ]
- Checking nscd status [ ACTIEF ]
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ SUGGESTIE ]
- Checking /etc/hosts (localhost) [ OK ]
- Checking /etc/hosts (localhost to IP) [ OK ]

[+] Ports and packages
------------------------------------
- Searching package managers
- Searching RPM package manager [ GEVONDEN ]
- Querying RPM package manager
- Using Zypper to find vulnerable packages [ GEEN ]
Repository 'Filesystems' is up to date.
Repository 'VLC' is up to date.
Repository 'home:Krysanto' is up to date.
Repository 'security' is up to date.
Repository 'CISOfy Lynis repository' is up to date.
Repository 'openSUSE-Leap-42.2-Non-Oss' is up to date.
Repository 'openSUSE-Leap-42.2-Oss' is up to date.
Repository 'openSUSE-Leap-42.2-Update' is up to date.
Repository 'openSUSE-Leap-42.2-Update-Non-Oss' is up to date.
All repositories have been refreshed.
- Checking vulnerable packages (apt-get only) [ KLAAR ]
- Checking package audit tool [ INSTALLED ]
Found: apt-get

[+] Networking
------------------------------------
- Checking IPv6 configuration [ INGESCHAKELD ]
Configuration method [ AUTO ]
IPv6 only [ NO ]
- Checking configured nameservers
- Testing nameservers
Nameserver: 192.168.1.1 [ OK ]
- Minimal of 2 responsive nameservers [ WAARSCHUWING ]
- Checking default gateway [ KLAAR ]
- Getting listening ports (TCP/UDP) [ KLAAR ]
* Found 32 ports
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ ACTIEF ]
- Checking for ARP monitoring software [ NIET GEVONDEN ]

[+] Printers and Spools
------------------------------------
- Checking cups daemon [ ACTIEF ]
- Checking CUPS configuration file [ OK ]
- File permissions [ OK ]
- Checking CUPS addresses/sockets [ GEVONDEN ]
- Checking lp daemon [ NIET ACTIEF ]

[+] Software: e-mail and messaging
------------------------------------
- Exim status [ ACTIEF ]
- Dovecot status [ ACTIEF ]

[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ GEVONDEN ]
- Checking iptables policies of chains [ GEVONDEN ]
- Checking chain INPUT (table: nfilter) policy [ DROP ]
- Checking for empty ruleset [ OK ]
- Checking for unused rules [ GEVONDEN ]
- Checking host based firewall [ ACTIVE ]

[+] Software: webserver
------------------------------------
- Checking Apache (binary /usr/sbin/httpd2-prefork) [ GEVONDEN ]
Info: Configuration file found (/etc/apache2/httpd.conf)
Info: Found 1 virtual hosts
* Loadable modules [ GEVONDEN (115) ]
- Found 115 loadable modules
mod_evasive: anti-DoS/brute force [ NIET GEVONDEN ]
mod_reqtimeout/mod_qos [ GEVONDEN ]
ModSecurity: web application firewall [ NIET GEVONDEN ]
- Checking nginx [ NIET GEVONDEN ]

[+] SSH Support
------------------------------------
- Checking running SSH daemon [ GEVONDEN ]
- Searching SSH configuration [ GEVONDEN ]
- SSH option: AllowTcpForwarding [ SUGGESTIE ]
- SSH option: ClientAliveCountMax [ SUGGESTIE ]
- SSH option: ClientAliveInterval [ OK ]
- SSH option: Compression [ SUGGESTIE ]
- SSH option: FingerprintHash [ OK ]
- SSH option: GatewayPorts [ OK ]
- SSH option: IgnoreRhosts [ OK ]
- SSH option: LoginGraceTime [ OK ]
- SSH option: LogLevel [ SUGGESTIE ]
- SSH option: MaxAuthTries [ SUGGESTIE ]
- SSH option: MaxSessions [ SUGGESTIE ]
- SSH option: PermitRootLogin [ SUGGESTIE ]
- SSH option: PermitUserEnvironment [ OK ]
- SSH option: PermitTunnel [ OK ]
- SSH option: Port [ SUGGESTIE ]
- SSH option: PrintLastLog [ OK ]
- SSH option: Protocol [ OK ]
- SSH option: StrictModes [ OK ]
- SSH option: TCPKeepAlive [ SUGGESTIE ]
- SSH option: UseDNS [ OK ]
- SSH option: UsePrivilegeSeparation [ OK ]
- SSH option: VerifyReverseMapping [ NIET GEVONDEN ]
- SSH option: X11Forwarding [ SUGGESTIE ]
- SSH option: AllowAgentForwarding [ SUGGESTIE ]
- SSH option: AllowUsers [ NIET GEVONDEN ]
- SSH option: AllowGroups [ NIET GEVONDEN ]

[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NIET GEVONDEN ]

[+] Databases
------------------------------------
- MySQL process status [ GEVONDEN ]

[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NIET GEVONDEN ]

[+] PHP
------------------------------------
- Checking PHP [ GEVONDEN ]
- Checking PHP disabled functions [ GEVONDEN ]
- Checking expose_php option [ UIT ]
- Checking enable_dl option [ UIT ]
- Checking allow_url_fopen option [ AAN ]
- Checking allow_url_include option [ UIT ]

[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NIET GEVONDEN ]

[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NIET GEVONDEN ]
- Checking systemd journal status [ GEVONDEN ]
- Checking Metalog status [ NIET GEVONDEN ]
- Checking RSyslog status [ NIET GEVONDEN ]
- Checking RFC 3195 daemon status [ NIET GEVONDEN ]
- Checking minilogd instances [ NIET GEVONDEN ]
- Checking logrotate presence [ OK ]
- Checking log directories (static list) [ KLAAR ]
- Checking open log files [ KLAAR ]
- Checking deleted files in use [ FILES FOUND ]

[+] Insecure services
------------------------------------
- Checking inetd status [ NOT ACTIVE ]

[+] Banners and identification
------------------------------------
- /etc/issue [ GEVONDEN ]
- /etc/issue contents [ WEAK ]
- /etc/issue.net [ GEVONDEN ]
- /etc/issue.net contents [ WEAK ]

[+] Scheduled tasks
------------------------------------
- Checking crontab/cronjob [ KLAAR ]

[+] Accounting
------------------------------------
- Checking accounting information [ NIET GEVONDEN ]
- Checking sysstat accounting data [ NIET GEVONDEN ]
- Checking auditd [ INGESCHAKELD ]
- Checking audit rules [ SUGGESTIE ]
- Checking audit configuration file [ OK ]
- Checking auditd log file [ GEVONDEN ]

[+] Time and Synchronization
------------------------------------
- NTP daemon found: ntpd [ GEVONDEN ]
- NTP daemon found: systemd (timesyncd) [ GEVONDEN ]
- Checking for a running NTP daemon or client [ OK ]
- Checking valid association ID's [ GEVONDEN ]
- Checking high stratum ntp peers [ OK ]
- Checking unreliable ntp peers [ GEVONDEN ]
- Checking selected time source [ OK ]
- Checking time source candidates [ OK ]
- Checking falsetickers [ OK ]
- Checking NTP version [ GEVONDEN ]

[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [ GEEN ]

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ GEVONDEN ]
- Checking AppArmor status [ INGESCHAKELD ]
- Checking presence SELinux [ NIET GEVONDEN ]
- Checking presence grsecurity [ NIET GEVONDEN ]
- Checking for implemented MAC framework [ OK ]

[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- Checking presence integrity tool [ NIET GEVONDEN ]

[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NIET GEVONDEN ]
- Checking for IDS/IPS tooling [ GEEN ]

[+] Software: Kwaadaardige software (malware)
------------------------------------
- Zoeken naar chkrootkit [ GEVONDEN ]
- Checking ClamAV scanner [ GEVONDEN ]

[+] File Permissions
------------------------------------
- Starting file permissions check

[+] Home directories
------------------------------------
- Checking shell history files [ OK ]

[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ OK ]
- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.suid_dumpable (exp: 0) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ OK ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ OK ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

[+] Hardening
------------------------------------
- Installed compiler(s) [ GEVONDEN ]
- Installed malware scanner [ GEVONDEN ]

[+] Eigen Testen
------------------------------------
- Running custom tests...  [ NONE ]

[+] Plugins (fase 2)
------------------------------------

================================================================================

  -[ Lynis 2.5.0 Results ]-

  Warnings (1):
  ----------------------------
  ! Couldn't find 2 responsive nameservers [NETW-2705] 
      https://cisofy.com/controls/NETW-2705/

  Suggestions (38):
  ----------------------------
  * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
      https://cisofy.com/controls/BOOT-5122/

  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/controls/AUTH-9286/

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] 
      https://cisofy.com/controls/AUTH-9328/

  * To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] 
      https://cisofy.com/controls/STRG-1840/

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
      https://cisofy.com/controls/STRG-1846/

  * Check DNS configuration for the dns domain name [NAME-4028] 
      https://cisofy.com/controls/NAME-4028/

  * Add the IP name and FQDN to /etc/hosts for proper name resolving [NAME-4404] 
      https://cisofy.com/controls/NAME-4404/

  * Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705] 
      https://cisofy.com/controls/NETW-2705/

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] 
      https://cisofy.com/controls/NETW-3032/

  * Check iptables rules to see which rules are currently not used [FIRE-4513] 
      https://cisofy.com/controls/FIRE-4513/

  * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] 
      https://cisofy.com/controls/HTTP-6640/

  * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] 
      https://cisofy.com/controls/HTTP-6643/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowTcpForwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : ClientAliveCountMax (3 --> 2)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : LogLevel (INFO --> VERBOSE)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxAuthTries (6 --> 2)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxSessions (10 --> 2)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : PermitRootLogin (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Port (22 --> )
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : TCPKeepAlive (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : X11Forwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowAgentForwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376] 
      https://cisofy.com/controls/PHP-2376/

  * Check what deleted files are still in use and why. [LOGG-2190] 
      https://cisofy.com/controls/LOGG-2190/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
      https://cisofy.com/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
      https://cisofy.com/controls/BANN-7130/

  * Enable process accounting [ACCT-9622] 
      https://cisofy.com/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626] 
      https://cisofy.com/controls/ACCT-9626/

  * Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630] 
      https://cisofy.com/controls/ACCT-9630/

  * Check ntpq peers output for unreliable ntp peers and correct/replace them [TIME-3120] 
      https://cisofy.com/controls/TIME-3120/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] 
      https://cisofy.com/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002] 
      https://cisofy.com/controls/TOOL-5002/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
      https://cisofy.com/controls/KRNL-6000/

  * Harden compilers like restricting access to root user only [HRDN-7222] 
      https://cisofy.com/controls/HRDN-7222/

  Follow-up:
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

  Lynis security scan details:

  Hardening index : 69 [#############       ]
  Tests performed : 229
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [V]

  Lynis Modules:
  - Compliance Status      [?]
  - Security Audit         [V]
  - Vulnerability Scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

  Lynis 2.5.0

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2017, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

================================================================================

  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
Lynis summary
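To turn the audit above into the nightly e-mail mentioned at the start, here is an added example that is not part of the original page or of Lynis itself: it reads the warnings, suggestions and hardening index from the report file Lynis lists above (/var/log/lynis-report.dat) and fails when warnings remain. The sample report is constructed in the key=value layout Lynis 2.x writes (an assumption about the format), with values taken from the scan above; the `--cronjob` run, the function names and the recipient address are assumptions too.

```shell
#!/bin/sh
# Added example: summarise a Lynis report file for a nightly e-mail.
# Not part of the original page or of Lynis. Assumes the key=value layout
# Lynis 2.x writes to /var/log/lynis-report.dat, where each warning or
# suggestion line reads "kind[]=TEST-ID|text|details|solution|".

# Constructed sample report; the values are taken from the audit above.
sample_lynis_report() {
    cat <<'EOF'
# Lynis Report
report_version_major=1
report_version_minor=0
hostname=laptop.pindanet.home
hardening_index=69
warning[]=NETW-2705|Couldn't find 2 responsive nameservers|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB bootloader to prevent altering boot configuration|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 2)|-|
EOF
}

# Prints the hardening index found in a report read from stdin.
hardening_index() {
    sed -n 's/^hardening_index=//p'
}

# Prints "TEST-ID: text (details)" for every line of the requested kind
# ("warning" or "suggestion") in a report read from stdin.
report_items() {
    kind="$1"
    while IFS= read -r line; do
        case "$line" in
            "${kind}[]="*) ;;
            *) continue ;;
        esac
        rest="${line#*=}"
        id="${rest%%|*}";   rest="${rest#*|}"
        text="${rest%%|*}"; rest="${rest#*|}"
        details="${rest%%|*}"
        if [ -n "$details" ] && [ "$details" != "-" ]; then
            printf '%s: %s (%s)\n' "$id" "$text" "$details"
        else
            printf '%s: %s\n' "$id" "$text"
        fi
    done
}

# Builds the e-mail body from a report file; returns 1 when warnings exist.
lynis_summary() {
    report="${1:-/var/log/lynis-report.dat}"
    warnings="$(report_items warning < "$report")"
    printf 'Hardening index: %s\n\n' "$(hardening_index < "$report")"
    printf 'Warnings:\n%s\n\nSuggestions:\n' "${warnings:-none}"
    report_items suggestion < "$report"
    [ -z "$warnings" ]
}

# Real run: audit in cron mode, then mail the summary. Recipient is a placeholder.
lynis_nightly() {
    mailto="${1:-root@localhost}"
    lynis audit system --cronjob > /dev/null 2>&1
    body="$(mktemp)"
    if lynis_summary /var/log/lynis-report.dat > "$body"; then status="ok"; else status="WARNINGS"; fi
    mail -s "Lynis $status on $(hostname)" "$mailto" < "$body"
    rm -f "$body"
}

# Only audit when invoked as: sudo ./lynis-nightly.sh --run admin@example.org
if [ "${1:-}" = "--run" ]; then
    lynis_nightly "${2:-root@localhost}"
fi
```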