Lynis Enterprise Technical Training: Product and Deployment
2017 edition (V001) - Sponsored by CISOfy
Trainer: Michael Boelen
Classification: public

Training

Topics
● Lynis
● Lynis Enterprise
● Additional resources

Lynis

Lynis (client)
● Installation
● Usage
● Advanced
● Deployment
Installation

Options
● Tarball
● GitHub
● Package
  ○ RPM
  ○ DPKG
  ○ Brew

Installation: Package
Distributions may have an old version.
CISOfy repository: https://packages.cisofy.com
Structure

lynis
  include: helpers, tests
  plugins: plugin

Structure: directories and files
lynis          Main program
db             Database files
extras         Supporting files
include        Scripts, helpers, tests
plugins        Any available plugins
default.prf    Default configuration
custom.prf     Your customizations
Running Lynis

Commands
Run Lynis to see the most common commands.
All options: man page, or use ‘lynis show commands’.

Command: Audit
lynis audit system
Performs an in-depth security scan.

Test data
● On screen
● Log file
● Report

Command: Audit System
What is it?
The command ‘audit system’ runs many small tests written in shell script.
Why use it?
The tests form the basis of a security audit to detect room for improvement, such as possible weaknesses in the configuration of the system.
Background
Tip: learn how tests work by looking at include/functions and the tests_* files.

Command: Show
lynis show

Options
Many options™
lynis show options

Options
What is it?
Options are flags that can be specified while running Lynis; they start with two minus signs (--).
Why use it?
By providing additional options you can alter the behavior of the scan.
Background
Tip: try all options to see how they influence the output of a scan.
Commands
lynis show options
Lynis Controls

Controls
Lynis control = test
Grouped by ‘group’

Custom tests
include/tests_custom
Tests can be written in shell script or use data from other tools and scripts (e.g. the output of a Python script).

Controls
What is it?
Controls are the individual tests within Lynis.
Why use it?
Each test has a unique identifier and is referenced on screen, in the log file, in the report, and on the website. It allows the tool to provide a next step to take.
Background
Test identifiers start with 3 or 4 characters, followed by a dash and four numbers (e.g. TEST-1234).
Commands
lynis show details KRNL-6000
Custom tests should go into include/tests_custom. The ID should be CUST-xxxx (xxxx = number).

Controls
Test flags include:
● ID
● Operating system
● Description
● Category
Operating System
include/osdetection

Functions
include/functions

Functions
Register
--test-no
--preqs-met
--category
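The custom-test mechanism from the Custom tests and Functions slides, as an added example that is not part of the training deck or of the Lynis project: an include/tests_custom file with one CUST test that calls Register with --test-no, --preqs-met and --category (the --weight, --network and --description flags are further Register options Lynis provides). The checked path /etc/mycorp/baseline, the CUST_BASELINE_FILE override variable, the test number CUST-0010 and the custom_baseline_* report keys are hypothetical. Inside a real run Lynis has already defined Register, Display, LogText, ReportSuggestion and Report when it sources this file; the shim at the top only exists so the file can be dry-run on its own and mirrors just the part of those functions used here.

```shell
#!/bin/sh
# include/tests_custom -- added example custom test, not from the training deck or Lynis itself.
# Lynis sources this file during 'lynis audit system', so Register, Display, LogText,
# ReportSuggestion and Report already exist there. The shim below is only defined when the
# file is executed on its own (dry run) and mimics the small part of those functions used here.

if ! command -v Register >/dev/null 2>&1; then
    NL='
'
    InsertSection() { printf '[+] %s\n' "$1"; }
    LogText() { printf 'log: %s\n' "$1"; }
    Display() {
        TEXT=""; RESULT=""
        while [ $# -gt 0 ]; do
            case "$1" in
                --text) TEXT="$2"; shift ;;
                --result) RESULT="$2"; shift ;;
            esac
            shift
        done
        printf '  %s [ %s ]\n' "${TEXT}" "${RESULT}"
    }
    # Register records TEST_NO and decides through SKIPTEST whether the test body runs
    Register() {
        SKIPTEST=0; PREQS_MET="YES"
        while [ $# -gt 0 ]; do
            case "$1" in
                --test-no) TEST_NO="$2"; shift ;;
                --preqs-met) PREQS_MET="$2"; shift ;;
            esac
            shift
        done
        [ "${PREQS_MET}" = "YES" ] || SKIPTEST=1
    }
    ReportSuggestion() { printf 'suggestion: %s %s\n' "$1" "$2"; }
    # Report appends a key=value line to the report data (lynis-report.dat in a real run)
    Report() { REPORT_DATA="${REPORT_DATA}${1}${NL}"; }
fi

RunCustomTests() {
    InsertSection "Custom Tests"
    # Hypothetical corporate marker file; CUST_BASELINE_FILE overrides the path for testing
    BASELINE_FILE="${CUST_BASELINE_FILE:-/etc/mycorp/baseline}"
    #
    # Test        : CUST-0010
    # Description : Corporate baseline marker present and not world-writable
    # Prerequisite: the parent directory exists, otherwise the test is skipped
    PREQS_MET="NO"
    if [ -d "$(dirname "${BASELINE_FILE}")" ]; then PREQS_MET="YES"; fi
    Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO \
        --category security --description "Check corporate baseline marker"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -f "${BASELINE_FILE}" ]; then
            LogText "Result: found ${BASELINE_FILE}"
            Report "custom_baseline_present=1"
            Report "custom_baseline_version=$(head -n 1 "${BASELINE_FILE}")"
            # -perm -002: the world-write bit is set (POSIX find)
            if [ -n "$(find "${BASELINE_FILE}" -perm -002 2>/dev/null)" ]; then
                Display --indent 2 --text "- Checking corporate baseline marker" --result "WARNING" --color RED
                ReportSuggestion "${TEST_NO}" "Remove world-write permission from ${BASELINE_FILE}"
                Report "custom_baseline_world_writable=1"
            else
                Display --indent 2 --text "- Checking corporate baseline marker" --result "OK" --color GREEN
                Report "custom_baseline_world_writable=0"
            fi
        else
            LogText "Result: ${BASELINE_FILE} not found"
            Display --indent 2 --text "- Checking corporate baseline marker" --result "NOT FOUND" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Create ${BASELINE_FILE} with the baseline version on its first line"
            Report "custom_baseline_present=0"
        fi
    fi
}

RunCustomTests
```

The Report lines are what makes the test usable beyond the screen: the custom_baseline_* keys end up in the report file, where a compliance policy rule can pick them up, the same way the deck's "Report has_my_event=1" example is meant to work.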
Screen, Logging, Report

Screen output
Results
● Warnings
● Suggestions

Screen output
What is it?
Screen output is the outcome of an audit and displays the related details.
Why use it?
The screen output is useful for interactive scans when scanning a system for the first time. It can help with testing and confirming the effectiveness of implemented security measures.
Background
Options
--debug
--verbose

Logging
Log file

Logging
What is it?
Logging is detailed information about the scan.
Why use it?
Technical users of Lynis can quickly determine what a test did and what it found. It is also a great source for troubleshooting.
Background
Locations
Non-privileged: /tmp
Privileged (root): /var/log
Commands
lynis show logfile
lynis show report

Report
Scan results
● Compare
● Store
● Upload

Report
What is it?
A file containing all scan results.
Why use it?
Use the report file to compare with previous scans, or share the data with a central management interface like Lynis Enterprise. It can also be used together with a Security Information and Event Management (SIEM) system.
Background
Key and value are separated with the equals sign (=).
Locations
Non-privileged: /tmp
Privileged (root): /var/log
Commands
lynis show report
Hardening Index
Measure security

Hardening Index
What is it?
A number displayed on screen near the bottom of the output.
Why use it?
The index value provides a calculated number to quickly get an idea of the hardening level of the system. Good for comparing systems, or striving to increase the defense level.
Background
The hardening index is calculated based on the performed tests. Each test has a specific number of points to achieve.
The value is between 1 and a maximum of 100. It is also stored in the log and report files.
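Comparing two report files, as the Report slide suggests, and reading the hardening index that the Hardening Index slide says is stored there, as an added example that is not from the deck or from Lynis: the script treats the report as key=value lines, lists warning[] and suggestion[] test IDs, reports which findings are new since the previous scan, and computes the change of hardening_index. The two sample reports are constructed inline (the test IDs and messages are illustrative, not real scan output); the pipe-separated field layout of warning[] and suggestion[] entries, with the test ID as the first field, is assumed from Lynis 2.x report files and should be checked against your own lynis-report.dat.

```shell
#!/bin/sh
# Added example: compare two Lynis report files (key=value lines). Not from the deck or Lynis.
# Assumed layout (Lynis 2.x): warning[]=TEST-ID|message|details|solution|  (same for suggestion[]).
NL='
'

# Value of a single-valued key, e.g. hardening_index or hostname
report_value() {   # $1 = report file, $2 = key
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Test IDs of a list key (warning or suggestion), one per line, deduplicated
report_ids() {     # $1 = report file, $2 = warning|suggestion
    sed -n "s/^$2\[\]=//p" "$1" | cut -d'|' -f1 | sort -u
}

# IDs present in the new report but absent from the old one (regressions or newly detected items)
new_findings() {   # $1 = old report, $2 = new report, $3 = warning|suggestion
    OLD_IDS=$(report_ids "$1" "$3")
    for ID in $(report_ids "$2" "$3"); do
        case "${NL}${OLD_IDS}${NL}" in
            *"${NL}${ID}${NL}"*) ;;                 # already known
            *) printf '%s\n' "${ID}" ;;
        esac
    done
}

# hardening_index of the new report minus the old one; negative means the system got worse
index_delta() {    # $1 = old report, $2 = new report
    OLD=$(report_value "$1" hardening_index); NEW=$(report_value "$2" hardening_index)
    echo $(( ${NEW:-0} - ${OLD:-0} ))
}

compare_reports() {   # $1 = old report, $2 = new report
    printf 'host %s: hardening index %s -> %s (delta %s)\n' "$(report_value "$2" hostname)" \
        "$(report_value "$1" hardening_index)" "$(report_value "$2" hardening_index)" "$(index_delta "$1" "$2")"
    for KIND in warning suggestion; do
        for ID in $(new_findings "$1" "$2" "${KIND}"); do
            printf 'new %s: %s\n' "${KIND}" "${ID}"
        done
    done
}

# Constructed sample reports for two scans of the same host (not real Lynis output)
write_samples() {   # $1 = directory to write old.dat and new.dat into
    cat > "$1/old.dat" <<'EOF'
report_version_major=1
report_version_minor=0
hostname=web01
hardening_index=62
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=BANN-7126|Add a legal banner to /etc/issue|-|-|
EOF
    cat > "$1/new.dat" <<'EOF'
report_version_major=1
report_version_minor=0
hostname=web01
hardening_index=70
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
EOF
}

# Demo run: the banner suggestion was solved, the index went up, but a new warning appeared
DEMO_DIR=$(mktemp -d)
write_samples "${DEMO_DIR}"
compare_reports "${DEMO_DIR}/old.dat" "${DEMO_DIR}/new.dat"
rm -rf "${DEMO_DIR}"
```

Feeding the same per-line parsing to a SIEM is a matter of emitting one event per warning[] entry with the hostname and test ID as fields; the index delta is the quick check to alert on when a system drops after a change.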
Configuration

Configuration
Profiles
● default.prf
● custom.prf
● [your-profile.prf]
Custom settings overrule default settings.

Profiles
What is it?
A configuration file for Lynis.
Why use it?
Tune how Lynis runs and the actions it should take, or skip. The default profile will always be used. The custom profile overrules the default. A temporary profile can also be specified to overrule the previous two.
Background
Files: default.prf, [custom.prf], [xxxxxx.prf]
Options
--profile <profile-name.prf>
Commands
lynis configure settings
lynis show profiles
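The precedence rule on the Profiles slide (default.prf, then custom.prf, then a profile given with --profile) as an added example, not from the deck and not Lynis' own profile parser: it reads key=value lines from each profile in order, lets later files overrule earlier ones for single-valued keys, and accumulates skip-test entries across all of them. The three profile files are constructed inline; skip-test, license-key, upload, upload-server and upload-options are key names Lynis accepts, but compare against the output of lynis show profiles on your version. The last function is the defender's check that the slide on self-signed certificates invites: it tells you whether the effective configuration has turned off certificate verification for uploads.

```shell
#!/bin/sh
# Added example: resolve the effective Lynis setting across profiles. Not Lynis' own code;
# Lynis reads default.prf, then custom.prf, then a --profile file, and later files overrule.

# Effective value of a single-valued key. Arguments after the key are profile files in
# precedence order, lowest first; the last file that sets the key wins. Comment lines
# starting with # are ignored, as in a .prf file; absent (optional) profiles are skipped.
effective_setting() {   # $1 = key, $2.. = profile files
    KEY="$1"; shift
    VALUE=""
    for PROFILE in "$@"; do
        if [ -f "${PROFILE}" ]; then
            FOUND=$(grep -v '^[[:space:]]*#' "${PROFILE}" | sed -n "s/^${KEY}=//p" | tail -n 1)
            if [ -n "${FOUND}" ]; then VALUE="${FOUND}"; fi
        fi
    done
    printf '%s\n' "${VALUE}"
}

# skip-test is multi-valued: every entry from every profile applies, so collect them all
skipped_tests() {   # $1.. = profile files
    for PROFILE in "$@"; do
        if [ -f "${PROFILE}" ]; then
            grep -v '^[[:space:]]*#' "${PROFILE}" | sed -n 's/^skip-test=//p'
        fi
    done | sort -u
}

# Returns 0 when uploads still verify the server certificate, 1 when some profile in the
# chain set upload-options=--insecure (the self-signed certificate workaround from the deck)
upload_tls_verified() {   # $1.. = profile files
    case "$(effective_setting upload-options "$@")" in
        *--insecure*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample profiles (not the files shipped with Lynis)
write_sample_profiles() {   # $1 = directory
    cat > "$1/default.prf" <<'EOF'
# default.prf (constructed sample): uploads off
upload=no
upload-server=
EOF
    cat > "$1/custom.prf" <<'EOF'
# custom.prf: organisation-wide settings, shipped with configuration management
upload=yes
upload-server=lynis.example.internal
license-key=LICENSE-KEY-PLACEHOLDER
skip-test=BANN-7126
EOF
    cat > "$1/lab.prf" <<'EOF'
# lab.prf: temporary profile passed with --profile lab.prf
upload-server=lab-collector.example.internal
upload-options=--insecure
skip-test=SSH-7408
EOF
}

# Demo: show the effective upload target with and without the temporary lab profile
DEMO_DIR=$(mktemp -d)
write_sample_profiles "${DEMO_DIR}"
printf 'upload-server (default+custom):     %s\n' \
    "$(effective_setting upload-server "${DEMO_DIR}/default.prf" "${DEMO_DIR}/custom.prf")"
printf 'upload-server (default+custom+lab): %s\n' \
    "$(effective_setting upload-server "${DEMO_DIR}/default.prf" "${DEMO_DIR}/custom.prf" "${DEMO_DIR}/lab.prf")"
printf 'skipped tests: %s\n' "$(skipped_tests "${DEMO_DIR}"/*.prf | tr '\n' ' ')"
if upload_tls_verified "${DEMO_DIR}/default.prf" "${DEMO_DIR}/custom.prf" "${DEMO_DIR}/lab.prf"; then
    echo 'uploads verify the server certificate'
else
    echo 'WARNING: a profile disables certificate verification for uploads'
fi
rm -rf "${DEMO_DIR}"
```

The check on upload-options is the kind of thing worth running over the custom.prf you ship with Ansible or Puppet: a --insecure added for a lab collector must not travel with the profile into production.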
Basics: Plugins
Primary goal: collecting data
Two phases
1. “Pre”
2. “Post”

Plugins
What is it?
Plugins are little extensions to Lynis.
Why use it?
Plugins help collect more data than the plain version of Lynis does.
Background
Tips
Each dot represents a test. This provides a visual cue when a test takes a while to execute.
System Upload
--upload
Configure
● License code
● Server

System Upload
Option: --upload
HTTPS protocol
Using self-signed certificates? upload-options=--insecure

System Upload
What is it?
The option to upload data with --upload.
Why use it?
By using --upload the data will be uploaded to the data collection server. This is useful for storing the data on a central system where the data is processed.
Background
Tips
Use lynis upload-only to perform just the upload of data.

Lynis Enterprise
● Lynis Collector
● Installation
● Configuration
● Data uploads
● Modules
Lynis Collector

Lynis Collector
Upload in batches
● Offline deployments
● Networked environments

Lynis Collector
What is it?
Utility to upload data reports.
Why use it?
Lynis Collector overcomes any barrier with segmented networks. It also helps when you only have the reports, but no access to the systems (e.g. security assessments).
Background
Tips
Use this utility when systems cannot directly reach the central system.

Lynis Enterprise: Framework
Open Source
● Django
● Nginx
● PostgreSQL

Requirements
Operating System: CentOS, Debian, OEL, openSUSE, RHEL, Ubuntu
Memory: 1 GB or more
See https://cisofy.com/support/ for the self-hosted guide.

Lynis Enterprise: Framework
Django
● Security
● Quick iterations
● Many modules
Lynis Enterprise: Installation
Lynis Updater
● Installation
● Packages
● Database migrations
● Configuration
● Monitoring
Note: this applies only to self-hosted installations.

Lynis Updater
What is it?
Installation and update utility for self-hosted Lynis Enterprise installations.
Why use it?
Run the utility regularly to keep your Enterprise installation up to date.
Background
Commands
lynis-updater check
lynis-updater status
lynis-updater update
lynis-updater upgrade

Lynis Enterprise: Configuration
Multi-tenancy
● Companies
● Licenses
● Accounts

Admin Panel
Reporting: additional reports
Internals: database synchronization
Status: system monitoring
Note: these options are only visible when running a self-hosted installation.
Uploads

Data Upload
Client
Run Lynis: lynis audit system --upload
Repeat upload: complete uploads can be uploaded again with lynis upload-only. Otherwise you will see an error:

Server
Phase 1 - Collect:
● Retrieve data uploads
Phase 2 - Import data:
● Host IDs
● Ownership
● License check
● Previous scans
● Compliance

Host IDs
Identifier
Allow multiple uploads
● MAC address
● SSH public key

Host IDs
What is it?
Identification strings that Lynis generates for a system.
Why use it?
To allow repeated uploads, each system needs to be unique. The identifiers are created automatically.
Background
Commands
lynis show hostids

Ownership
License key
Existing owner
Background
When a system is uploaded, a check is performed to see if the system is already known. If the owner of the license does not match the system owner, the data upload will be cancelled.

License Key
What is it?
Unique identifier for a company.
Why use it?
Typically the license key is used when uploading a system.
Background
Master license key: used for setting up Lynis Enterprise as a self-hosted installation and for retrieving updates.
Sub license key: key linked to a company in Lynis Enterprise, to prove ownership of a system. Also used for the software repository.
Modules

Lynis Enterprise

System Details

System Overview
Available systems
● Hostname
● Version
● Compliance
● Warnings / Suggestions
● Updated
● Client version

System Details

Tags
Quickly find systems with a tag (or without).

Compliance

Compliance
● PCI DSS
● HIPAA
● Sarbanes-Oxley Act (SOx)
● General Data Protection Regulation (GDPR)
● CIS benchmarks
● Your policies?
Compliance: Policies
Policies contain rule sets; each rule set contains rules.
  Policy  Policy  Policy
    Rule set
      Rule
      Rule
    Rule set
      Rule

Compliance: Policies
Rulesets: one or more rules

Compliance: Explain
What is it?
The ‘explain’ utility shows the details of rule sets.
Why use it?
Use ‘explain’ to see what Lynis Enterprise does in the background. It provides the steps, data from the database, and guidance.
Background
Create custom policy rules with your own Lynis tests. Example: if some event is true, use the Report function.
Report “has_my_event=1”

Compliance: Policies

Customization: Policy Editor

Compliance: Policy Editor
What is it?
The policy editor imports rule sets from other policies.
Why use it?
Quickly create custom policies by using rule sets from other security policies and standards.
Background
Tips
Start out with the available policies before creating your own.
First test a policy against a few systems to see what kind of issues show up. Otherwise you will end up with all systems being non-compliant.
Solve findings: Snippets

Hardening Snippets

Hardening Snippets
What is it?
Small scripts to solve findings.
Why use it?
Use the snippets to implement system hardening measures, or to disable/enable components. Combine these snippets with a configuration management solution.
Background
Snippets for configuration management tools: Ansible, Cfengine, Chef, or Puppet.
Usually there is also a generic shell script available.

Improvement Plan

Improvement Plan
Prioritize your work
● Quick wins
● Impact
● Control count
● System risk

Improvement Plan
What is it?
The improvement plan shows a small list of controls or systems, sorted by count or priority.
Why use it?
It may be hard to start with system hardening as there is so much to do. Get started by solving some quick wins, or items that affect many systems.
Background
The improvement plan is an ideal step to use the very first few times when using Lynis Enterprise.
Have junior system administrators pick easier tasks from the quick wins category.
Select controls that show up in multiple categories (quick wins, count).
Reporting and API

Reporting
Formats
● CSV
● PDF
● JSON

Reporting
Grouping data: use available fields
Security tip: quickly detect vulnerable systems

API
Connect your data
● CMDB
● Monitoring system
● Reporting
● SIEM
https://hostname/api/

Resources

Support
Documentation
● Installation
● Plugins
● Controls
URL: https://cisofy.com/support/

Configuration
Deployment tip
Use lynis configure settings
Ship custom.prf with Ansible, Puppet, etc.

Deployment

Tasks
Client
● Install Lynis
● Configure
● Upload data

Interface
● See system details
● Define policy
● Test compliance

Server
● Run lynis-updater