Linux Hardening: selecting tools for a comprehensive security audit

Ivan Piskunov
14 min read · Jul 1, 2022


In this article, we will get acquainted with the main utilities for Linux hardening. In Russian, this is called something like “checking the level of security of Linux systems and assessing the correctness of configs from the point of view of information security.” Of course, we will not only review the programs, but also give examples of their use.

Your own auditor, or security on your own

Administrators, and even more so auditors, are often faced with the task of checking the security of a large number of hosts in a very short time. Of course, there are specialized tools in the Enterprise segment for this, such as network security scanners. I am sure all of them, from the open-source OpenVAS engine to commercial products like Nessus or Nexpose, are known to our reader. However, this software is usually used to look for outdated and therefore vulnerable software and then drive patch management. In addition, not all scanners take into account the specific features of the built-in protection mechanisms of Linux and other open source products. And last but not least, the price matters, because only companies that allocate a budget for this can afford commercial products.

That is why today we will talk about a specialized set of freely distributed utilities that can diagnose the current level of system security, assess potential risks (for example, "extra" services exposed to the Internet, or an unsafe default config), and even suggest options for correcting the deficiencies found. Another advantage of these tools is the ability to replicate the same set of test scripts across any number of Linux systems in a farm and build a documented evidence base in the form of logs and separate reports.

Practical Aspects of Security Auditing

If you look through the eyes of the auditor, then the approach to testing can be divided into two types.

The first is compliance with so-called compliance requirements: here the presence of mandatory security elements prescribed in some international standard or "best practice" is checked. Classic examples are the PCI DSS requirements for payment IT systems, SOX404, the NIST 800 series, and MITRE.

The second is a purely rational approach based on the question "What else can be done to increase security?". There are no mandatory requirements, only your knowledge, a bright head and skillful hands. Examples are updating the kernel version and/or application packages, enabling volume encryption, enforcing SELinux, and setting up the iptables firewall.

Everything related to the second approach is usually called by the special term Hardening, which can also be defined as "actions aimed at strengthening the initial security level of the operating system (or program), mainly by standard means."

Compliance requirements are usually checked in preparation for a mandatory audit such as PCI DSS or another certification audit. We will pay more attention to the Hardening component. All major vendors offer Hardening Guidelines for their products: guides containing tips and recommendations on how to strengthen security, taking into account the standard security mechanisms and the specifics of the software. Red Hat, Debian, Oracle and Cisco all have such manuals.

Tool overview

1. Lynis — auditing, system hardening, compliance testing

Lynis is the first on our list of tools and perhaps the most sophisticated tool for auditing Linux systems. At the same time, it is very easy to use and very visual: all tests and their results are displayed on the screen. The utility scans the current security settings and determines the hardening state of the machine. Detected issues and important security alerts are output to the terminal console and separately to a log file, grouped by section. In addition to security information, Lynis will also help you collect system-wide information, information about installed packages and possible configuration errors, and kernel updates.

The developers announced support for a huge number of operating systems: from Arch, BackTrack, Kali to Debian / Ubuntu, RHEL / CentOS, SuSE, BSD families (FreeBSD, NetBSD, OpenBSD, DragonFly BSD), as well as more exotic HPUX, Solaris 10+, TrueOS and macOS.

All documentation, with a more detailed description and examples of use, is available in the Lynis Documentation section on the official CISOfy website. If you do not want to be limited to the supplied tests, it is possible to develop your own; more about this is written in the Lynis Software Development Kit section. And for those who still doubt whether or not to install the utility, the developers have prepared a small demo showing how the installation and initial launch take place.

In addition to the free version, which we will use below, the developers offer an Enterprise-level solution. In this case, a web interface for administration, optional dashboards, additional documentation (hardening snippets) and a detailed plan for correcting the identified violations are added to the standard delivery. And that's not all: this solution can also be obtained as a cloud service (Software-as-a-Service).

Lynis runs hundreds of individual tests to determine the security status of a system. The security check itself consists of a set of steps from program initialization to report generation.

Since Lynis is a very flexible and versatile tool, it is used for a variety of purposes. For example, typical use cases for Lynis include:

  • security audit (typical user-defined scenario);
  • compliance testing (e.g. PCI DSS, HIPAA, SOX404, OpenSCAP, NSA);
  • vulnerability detection (outdated software);
  • penetration testing mode (an attempt to escalate privileges);
  • system improvement (unused tweaks of the kernel, daemons, etc.).

There are several ways to install the utility, for example by cloning the GitHub repository:

git clone https://github.com/CISOfy/lynis
cd lynis
./lynis

or by installing from the Debian/Ubuntu repository:

sudo apt-get update
sudo apt-get install lynis

And for RPM-oriented distributions (after adding the appropriate repositories):

yum install lynis -y

Installation on macOS:

$ brew search lynis
$ brew install lynis

To start Lynis, it is enough to specify at least one command. For example, to run all available tests, add the key -c (--check-all):

# Standard set of tests
sudo lynis audit system
# Full set of tests
sudo lynis audit system -c
# Scan a remote host
sudo lynis audit system remote <host>

It’s always a good idea to check if a new version of Lynis is available before an audit:

lynis update info && lynis update check

The Lynis utility, in addition to the standard mode, has another one: unprivileged launch (pentest mode), which runs only the tests that do not need root:

lynis audit system --pentest

If you want to record the name of the auditor who started the test, just add the parameter --auditor <name>:

sudo lynis audit system -c --auditor Daddy

At any stage of the audit, the verification process can be continued (Enter) or forcibly terminated (Ctrl+C). The results of the tests performed will be written to the Lynis log in /var/log/lynis.log. Please note that the log will be overwritten each time the utility is launched.

To test on a systematic basis in automatic mode, you can hand the job to the Cron scheduler using the key --cronjob. In this case, the utility runs according to the specified profile (config) and does not display any interactive messages, questions, or warnings. All results are saved to the log. For example, here is a launch script with the default config, run once a month:

#!/bin/sh
# Unattended monthly Lynis run; one dated report and one data file per host.
AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"
mkdir -p "$LOG_DIR"
cd /usr/local/lynis || exit 1
./lynis audit system --auditor "${AUDITOR}" --cronjob > "${REPORT}"
# --cronjob leaves the machine-readable results in lynis-report.dat; keep a dated copy
mv /var/log/lynis-report.dat "${DATA}"
# End

Save this script as /etc/cron.monthly/lynis and make it executable. And don't forget to create the directories it relies on (/usr/local/lynis and /var/log/lynis), otherwise the job will not work correctly.

You can see a list of all commands available for calling:

lynis show commands

The particularly curious can look at the settings of the default config:

lynis show settings

Brief instruction on working with the utility:

man lynis

The options for possible statuses based on the results of the check are limited to the following list: NONE, WEAK, DONE, FOUND, NOT_FOUND, OK, WARNING .

Running Individual Tests in Lynis

In practice, it may be necessary to run only a few tests, for example if your server performs only the functions of a mail server or Apache. The --tests parameter is used for this. The command syntax is as follows:

lynis audit system --tests "Test-IDs"

If it is hard to pick from the large number of test IDs, you can use the group parameter --tests-from-category. With this option, Lynis only runs the test IDs that fall into a specific category. For example, to run the firewall and kernel tests:

sudo lynis audit system --tests-from-category "firewalls kernel"

A list of all available tests can be viewed in the Controls section of the documentation.

In addition, the functionality of Lynis is extended by various plugins that you can add on your own, or you can put new ones in an existing directory.

Correction Suggestions

All Warnings will be listed after the results. Each one starts with the warning text, then the test that generated it is indicated in brackets next to it. The next line suggests a solution to the problem, if one exists. In fact, the last line is a URL where you can see the details and find additional recommendations on how to fix the problem.

Profiles

The profiles that control the audit are defined in .prf files located in /etc/lynis. The default profile is named, predictably, default.prf. The developers do not recommend editing it directly: any changes you want to make to the audit are best added to a custom.prf file located in the same directory.

Create and edit a custom profile:

sudo touch /etc/lynis/custom.prf
sudo nano /etc/lynis/custom.prf

In this file, you can define a list of tests to be excluded from the Lynis audit. For example:

  • FILE-6310: checking partitions;
  • HTTP-6622: nginx installation test;
  • HTTP-6702: Apache installation test.

To exclude a specific test, use the skip-test directive and specify the test ID. For example, like this:

# Is nginx installed?
skip-test=HTTP-6622
# Is Apache installed?
skip-test=HTTP-6702

Hardening state score

Based on the results of all tests, at the end of each utility audit output (just below the suggestions section), you will find a section that looks something like this:

Lynis security scan details:
Hardening index : 57 [############.........]
Tests performed : 216
Plugins enabled : 0

This result shows how many tests were performed and the system security index: the hardening index is the final figure by which Lynis rates the overall security level of the server. It is important to remember that the index changes as warnings are fixed and Lynis suggestions are implemented, so a re-audit after the fixes may show a completely different number!
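The cron job above leaves a machine-readable lynis-report.dat per host; the following added example (not Lynis project code) parses those files for a whole farm and flags hosts under a chosen hardening index. It assumes the key=value layout of lynis-report.dat with the keys hardening_index, lynis_tests_done, warning[] and suggestion[], and the host reports embedded here are constructed.

```python
# Added example (not Lynis project code): aggregate the report-data files that
# the cron job above produces for many hosts. Assumes the key=value layout of
# lynis-report.dat: hardening_index=NN, lynis_tests_done=NN and
# warning[]=ID|text|details|solution|, suggestion[]=ID|text|details|solution|.
from dataclasses import dataclass, field

@dataclass
class HostReport:
    host: str
    hardening_index: int = 0
    tests_performed: int = 0
    warnings: list = field(default_factory=list)     # (test id, text)
    suggestions: list = field(default_factory=list)  # (test id, text)

def parse_report(host, text):
    """Parse one lynis-report.dat body into a HostReport."""
    rep = HostReport(host)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "hardening_index":
            rep.hardening_index = int(value)
        elif key == "lynis_tests_done":
            rep.tests_performed = int(value)
        elif key in ("warning[]", "suggestion[]"):
            fields = value.split("|")  # ID|text|details|solution|
            entry = (fields[0], fields[1] if len(fields) > 1 else "")
            (rep.warnings if key == "warning[]" else rep.suggestions).append(entry)
    return rep

def load_all(samples):
    """{host: report text} -> {host: HostReport}."""
    return {h: parse_report(h, t) for h, t in samples.items()}

def hosts_below(reports, min_index):
    """Hosts whose hardening index is under the fleet threshold, sorted."""
    return sorted(h for h, r in reports.items() if r.hardening_index < min_index)

def warning_rows(reports):
    """Flatten every warning to (host, test id, text) for a fleet summary."""
    return [(h, tid, txt) for h, r in sorted(reports.items()) for tid, txt in r.warnings]

# Constructed sample data standing in for two report-data-<host>.<date>.txt files.
SAMPLE_REPORTS = {
    "web01": "# Lynis report (constructed)\nhardening_index=57\nlynis_tests_done=216\n"
             "warning[]=FILE-6310|Constructed warning about partition layout|-|-|\n"
             "warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin|-|\n"
             "suggestion[]=BOOT-5122|Set a password on GRUB boot loader|-|-|\n",
    "db01": "hardening_index=81\nlynis_tests_done=230\n"
            "suggestion[]=HTTP-6702|Constructed suggestion|-|-|\n",
}

if __name__ == "__main__":
    reps = load_all(SAMPLE_REPORTS)
    for h, r in sorted(reps.items()):
        print(f"{h:6} index={r.hardening_index:3} tests={r.tests_performed} "
              f"warnings={len(r.warnings)} suggestions={len(r.suggestions)}")
    print("hosts below index 70:", hosts_below(reps, 70))
```

On a real farm, replace SAMPLE_REPORTS with the contents of each host's report-data file read from /var/log/lynis.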

2. Lunar — a UNIX security auditing tool based on several security frameworks

Lunar is a set of native scripts written in bash that test a target Linux machine and generate a security audit report from the results. The tool is based on the CIS standards and other global security frameworks. Support for all popular systems is declared: Linux (RHEL and CentOS since version 5, SLES since version 10, Debian/Ubuntu, Amazon Linux), Solaris since version 6, macOS (latest builds), FreeBSD (partially), AIX (partially) and even ESXi.

Among other things, this utility supports the Amazon Web Services (AWS) cloud platform and Docker containers. A detailed description of all features, as well as examples of running the utility and initiating tests, is given in the Wiki documentation on GitHub.

Run in audit mode, that is, without making changes to the system:

./lunar.sh -a

Run in audit mode and provide more information:

./lunar.sh -a -v

List tests:

./lunar.sh -S

Run only shell-based tests:

./lunar.sh -s audit_shell_services

Run in repair mode, that is, with changes to the system:

./lunar.sh -l

Viewing proposed changes (tweaks) to the system before they are added to the configs:

./lunar.sh -d

3. Nix Auditor — a CIS Audit made easier

Nix Auditor is another script for checking whether the security of Linux systems meets the requirements of the CIS benchmark. It is aimed at RHEL, CentOS and other RPM-based distributions.

The developers claim the following advantages of Nix Auditor:

  • scanning speed — you can conduct a basic OS check in less than 120 seconds and immediately get a report;
  • verification accuracy — the utility has been tested on different versions of CentOS and Red Hat distributions;
  • customizability — the source code with the documentation for the program is on GitHub, so the code is easily configured in accordance with the type of OS and the set of system elements that need to be checked;
  • ease of use — just make the start script executable, and it is ready for testing.

An example of executing commands to download the utility from the GitHub repository and then run the script:

git clone https://github.com/XalfiE/Nix-Auditor.git
cd Nix-Auditor
chmod +x nixauditor
./nixauditor

4. Loki — Simple IOC and Incident Response Scanner

The Loki utility is not quite a classic tool for conducting an information security audit, but it is great for finding traces of hacking, which can partly be attributed to audit practice.

According to the assurances of the developers, these are the possibilities that their tool gives us:

I. Four ways to detect hacking:

  • filenames (compliance with the regular expression of the full path of the file);
  • verification in accordance with Yara rules (search for compliance with Yara signatures on the contents of files and process memory);
  • hash check (comparison of scanned files with hashes (MD5, SHA-1, SHA-256) of known malicious files);
  • C2 feedback test (compares process connection endpoints with C2 IOC).

II. Additional checks:

  • checking for the Regin file system (via --reginfs);
  • check of anomalies of system and user processes;
  • scanning unpacked SWF;
  • checking the SAM dump;
  • DoublePulsar check — an attempt to detect the DoublePulsar backdoor listening on ports 445/tcp and 3389/tcp.

Let’s briefly touch on how Loki determines the fact of a compromise. Typical signs (Indicators of Compromise) indicating that the computer has been compromised (that is, hacked) can be:

  • the appearance on the computer of malware (viruses, backdoors, trojans, keyloggers, cryptors, miners, and so on), as well as hacker utilities (for example, to explore the network, exploit vulnerabilities, collect credentials);
  • the appearance of unknown new executable and other files, even if they are not detected by the anti-virus engine as malware code;
  • abnormal network activity (connecting to remote hosts, opening ports for listening by unknown programs, etc.);
  • abnormal activity on disk devices (I / O) and increased consumption of system resources (CPU, RAM, Swap).
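To make the first two of Loki's four detection methods concrete, here is an added example (not Loki's code) of a miniature IOC scanner that applies filename regexes and a SHA-256 hash list to a directory tree. The IOC patterns, the hash and the files it scans are all constructed in the block itself; Loki takes its real ones from its signature-base.

```python
# Added example (not Loki's code): a miniature of two of the four detection
# methods listed above, filename regex and file-hash IOC match. The IOC values
# and the scanned files are constructed here; Loki takes its real ones from
# its signature-base.
import hashlib
import os
import re
import tempfile

# Constructed filename IOCs: hidden shell scripts in tmpfs locations.
FILENAME_IOCS = [r"/tmp/\.[^/]+\.sh$", r"/dev/shm/[^/]+\.(sh|elf)$"]

def sha256_of(path):
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root, name_rules, hash_set):
    """Walk root; return [(path, reason)] for every file matching an IOC."""
    patterns = [re.compile(p) for p in name_rules]
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files, as a scanner should
            for p in patterns:
                if p.search(path):
                    hits.append((path, f"filename matches {p.pattern}"))
            digest = sha256_of(path)
            if digest in hash_set:
                hits.append((path, f"sha256 {digest[:12]}... is a known IOC"))
    return hits

def build_demo_tree():
    """Constructed sample tree: a hidden script under tmp/, a benign file and
    one file whose hash the demo registers as an IOC. Returns (root, hash)."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "opt"))
    files = {
        os.path.join(root, "tmp", ".cache.sh"): b"#!/bin/sh\necho constructed\n",
        os.path.join(root, "opt", "README"): b"benign text\n",
        os.path.join(root, "opt", "agent.bin"): b"CONSTRUCTED SAMPLE BYTES\n",
    }
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)
    return root, sha256_of(os.path.join(root, "opt", "agent.bin"))

def demo():
    """Scan the constructed tree with the constructed IOCs; returns the hits."""
    root, bad_hash = build_demo_tree()
    return scan(root, FILENAME_IOCS, {bad_hash})

if __name__ == "__main__":
    for path, reason in demo():
        print(f"ALERT {path}: {reason}")
```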

Before starting the installation, you need to install several dependent packages. These are colorama (gives colorization of lines in the console), psutil (a process checking utility) and, if not already installed, the Yara package.

So let’s get started. Installation in Kali Linux (the Yara package must first be installed, which is already installed by default in Kali Linux):

sudo pip2 install psutil netaddr pylzma colorama
git clone https://github.com/Neo23x0/Loki
cd Loki/
python2 loki-upgrader.py
python2 loki.py -h

Installation on Ubuntu/Debian:

sudo apt-get install yara python-yara python-pip python-setuptools python-dev git
sudo pip2 install --upgrade pip
sudo pip2 install -U setuptools
sudo pip2 install psutil netaddr pylzma colorama
git clone https://github.com/Neo23x0/Loki
cd Loki/
python2 loki-upgrader.py
python2 loki.py -h

Installation in BlackArch:

sudo pacman -S yara python2-pip python2-yara
sudo pip2 install psutil netaddr pylzma colorama
git clone https://github.com/Neo23x0/Loki
cd Loki/
python2 loki-upgrader.py
python2 loki.py -h

Usage example

Some launch options:

optional arguments:
-h, --help show this help message and exit
-p path Path to scan
-l log-file Log file
--printAll Print all files that are scanned
--noprocscan Skip the process scan
--nofilescan Skip the file scan
--noindicator Do not show a progress indicator
--reginfs Do check for Regin virtual file system
--onlyrelevant Only print warnings or alerts
--nolog Don't write a local log file

By the way, after installing the utility it is worth checking the local IoC database for updates; you can do this with the Upgrader (loki-upgrader.py), whose options are:

Loki - Upgrader
optional arguments:
-h, --help show this help message and exit
--sigsonly Update the signatures only
--progonly Update the program files only
--nolog Don’t write a local log file
--debug Debug output

First of all, pay close attention to the messages highlighted in red. The DESCRIPTION field contains a description of the file and reasons for its suspicion. Usually these are viruses, backdoors and other similar programs.

5. Linux Security Auditing Tool (LSAT)

LSAT is the final Linux security audit tool in our selection. Its peculiarity is a modular design, which, according to the developer, allows new checks to be added very quickly. To date, the utility claims to support the most common operating systems: Linux (Gentoo, Red Hat, Debian, Mandrake) on the x86 architecture; SunOS (2.x), Red Hat and Mandrake on the Sparc architecture; as well as Apple macOS.

LSAT is built from source and ships with a ready autoconf configure script. If you are not going to edit it to your taste, you can start compiling right away:

./configure
make
# LSAT can also be installed into the system; it goes to /usr/local/bin
make install
# and the build files cleaned up afterwards
make clean

Or, for Debian/Ubuntu distributions, you can install the package directly from the repository:

sudo apt-get install lsat

The utility is launched with the ./lsat command plus options:

./lsat [OPTIONS]
Options:
-d diff current and old md5, output in lsatmd5.diff
-f Force a specific distribution test. Distro names are:
redhat
debian
mandrake
solaris
gentoo
macosx
If no -f option, lsat will guess. If lsat can
not guess the distribution, default is redhat.
-a Show this (advanced) help page
-o Output file name -- default is lsat.out
-r Check rpm integrity -- redhat or mandrake only
-s Silent mode
-v Verbose output
-w Output file in html format
-x eXclude module(s) in filelist from checks..

Conclusion

We have reviewed with you the most popular and at the same time very cool and functional tools for auditing the security of Linux servers. Now you can prepare well for a certification or any other compliance audit. It will also allow you to objectively assess the current level of security and automatically or semi-automatically tune your Linux machine farm to the maximum hardening index!


Ivan Piskunov

DevSecOps expert, Security Evangelist, Researcher, Speaker, Book’s author