If you think that only computers running Microsoft Windows are targeted by attackers, you're wrong! UNIX (used here as a generic term, not focusing on a specific distribution or brand) is a key operating system on the Internet. Many websites and other public services are relying on it (Netcraft is compiling interesting stats on this topic).

Therefore it is mandatory to keep an eye on your servers by using proactive and reactive controls. Besides the classic monitoring of log files, reactive security controls may include a deeper check at the operating system level to look for suspicious activity like processes, files, ... On the proactive side, misconfigurations must also be tracked.

A few days ago, Daniel Cid published an interesting article about the tool rootcheck. It is a component of the well known OSSEC suite but a stand alone version exists. To use it, just follow
# wget http://dcid.me/ossec-packages/rootcheck-latest.tar.gz
# tar xzvf rootcheck-latest.tar.gz
# cd rootcheck*
# ./install.sh
# ls -1 db
cis_debian_linux_rcl.txt
cis_rhel5_linux_rcl.txt
cis_rhel_linux_rcl.txt
rootkit_files.txt
rootkit_trojans.txt
system_audit_rcl.txt
win_applications_rcl.txt
win_audit_rcl.txt

The provided files are good enough to write your own custom rules. rootcheck works quite well but does not test the hardening level of your UNIX host. It's also a binary. There are two ways to use it: you must pre-compile all versions depending on your UNIX flavors (*BSD, Linux, Solaris,

But there is another tool that I like: Lynis. It is an auditing tool which is compatible with many UNIX flavors and it does not require
# wget https://cisofy.com/files/lynis-2.1.1.tar.gz
# tar xzvf lynis-2.1.1.tar.gz

or (to get the latest code):

# git clone https://github.com/CISOfy/lynis
# cd lynis
# ./lynis audit system

By default, the scan runs in interactive mode and displays colored output. But you can automate stuff and customize the tests performed. Here is a (brief) summary of the

File
Standard daemons settings

Here are small extracts of a generated report:
[08:57:29] Test: Checking PermitRootLogin in /etc/ssh/sshd_config
[08:57:29] Result: Option PermitRootLogin found in /etc/ssh/sshd_config
[08:57:29] Result: Option PermitRootLogin value is WITHOUT-PASSWORD
[08:57:29] Result: SSH option PermitRootLogin is configured reasonably
[08:57:29] Suggestion: Consider hardening of SSH configuration [test:SSH-7408] [details:PermitRootLogin (WITHOUT-PASSWORD -- NO)] [solution:-]
[08:57:29] Hardening: assigned 1 hardening points (max for this item: 3), current: 98, total: 154
...
[08:57:30] Performing test ID LOGG-2190 (Checking deleted files in file table)
[08:57:30] Test: checking deleted files but are still in use
[08:57:30] Result: found one or more files which are deleted, but still in use
[08:57:30] Found deleted file: /tmp/tmpfHXNnZp
[08:57:30] Found deleted file: /var/log/upstart/docker.log.1
[08:57:30] Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]
...
[08:57:31] Performing test ID BANN-7126 (Check issue banner file contents)
[08:57:31] Test: Checking file /etc/issue contents for legal key words
[08:57:31] Result: Found only 0 key words (5 or more suggested), to warn unauthorized users and could be increased
[08:57:31] Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
...
[08:57:31] Performing test ID CONT-8104 (Checking Docker info for any warnings)
[08:57:31] Test: Check for any warnings
[08:57:46] Result: found warning(s) in output
[08:57:46] Output: No swap limit support
[08:57:46] Suggestion: Run docker info to see warnings applicable to Docker daemon [test:CONT-8104] [details:-] [solution:-]
...
[08:57:47] Binary: found /usr/bin/gcc (world executable)
[08:57:47] Hardening: assigned 2 hardening points (max for this item: 3), current: 151, total: 244
[08:57:47] Result: at least one compiler could be better hardened by restricting executable access to root or group only

The generated report is complete and, as you can see, also contains suggestions to improve the host security. Other features can be added via plugins. Profiles can be created to test specific environments: per operating system, per network zone (PCI, DMZ) or per security level. I also like the pentest

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key
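The report extract above shows the log format Lynis writes: every Suggestion line carries a test ID ([test:SSH-7408]) and Hardening lines carry the points awarded and the running totals. As an added example (not part of the original diary and not Lynis's own code), the Python parser below pulls those fields out of such a log so suggestions can be grouped by area and the score trended between runs; the sample lines are constructed from the extract, the function names (parse_suggestions, suggestions_by_category, points_ratio) are my own, and the points ratio is a simple derived metric, not Lynis's own hardening index.

```python
import re

# Constructed sample modelled on the lynis.log extract above (not a real audit run).
SAMPLE_LOG = """\
[08:57:29] Test: Checking PermitRootLogin in /etc/ssh/sshd_config
[08:57:29] Suggestion: Consider hardening of SSH configuration [test:SSH-7408] [details:PermitRootLogin (WITHOUT-PASSWORD -- NO)] [solution:-]
[08:57:29] Hardening: assigned 1 hardening points (max for this item: 3), current: 98, total: 154
[08:57:30] Performing test ID LOGG-2190 (Checking deleted files in file table)
[08:57:30] Found deleted file: /tmp/tmpfHXNnZp
[08:57:30] Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]
[08:57:31] Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
[08:57:47] Hardening: assigned 2 hardening points (max for this item: 3), current: 151, total: 244
"""

# Suggestion lines carry the test ID plus details/solution fields ("-" when empty).
SUGGESTION_RE = re.compile(
    r"^\[\d\d:\d\d:\d\d\] Suggestion: (?P<text>.+?) \[test:(?P<test>[A-Z]+-\d+)\]"
    r" \[details:(?P<details>.*?)\] \[solution:(?P<solution>.*?)\]$"
)
# Hardening lines give the points awarded for one item plus the running totals.
HARDENING_RE = re.compile(
    r"^\[\d\d:\d\d:\d\d\] Hardening: assigned (?P<got>\d+) hardening points"
    r" \(max for this item: (?P<max>\d+)\), current: (?P<current>\d+), total: (?P<total>\d+)$"
)

def parse_suggestions(log_text):
    """Return one dict (text, test, details, solution) per Suggestion line, in log order."""
    found = []
    for line in log_text.splitlines():
        m = SUGGESTION_RE.match(line)
        if m:
            # Lynis writes "-" for an empty field; normalise that to None.
            found.append({k: (None if v == "-" else v) for k, v in m.groupdict().items()})
    return found

def suggestions_by_category(log_text):
    """Group test IDs by prefix (SSH, LOGG, BANN, ...) to show which areas need attention."""
    groups = {}
    for entry in parse_suggestions(log_text):
        groups.setdefault(entry["test"].split("-")[0], []).append(entry["test"])
    return groups

def points_ratio(log_text):
    """Awarded/maximum hardening points in percent, taken from the last Hardening line.
    A simple metric for trending between runs; it is not Lynis's own hardening index."""
    matches = [m for m in map(HARDENING_RE.match, log_text.splitlines()) if m]
    if not matches:
        return None  # no Hardening lines, e.g. a log cut short
    last = matches[-1]
    return round(100 * int(last["current"]) / int(last["total"]), 1)
```

Feeding the real lynis.log to parse_suggestions instead of SAMPLE_LOG gives a ticketable list of test IDs per host, and points_ratio lets you spot a regression when a later run scores lower.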
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.