Lynis Enterprise - CISOfy

Post on 20-Aug-2020

Lynis Enterprise Technical Training: Product and Deployment

2017 edition (V001) - Sponsored by CISOfy

Trainer: Michael Boelen (michael.boelen@cisofy.com)

Classification: public

Training

Topics
● Lynis
● Lynis Enterprise
● Additional resources

Lynis (client)
● Installation
● Usage
● Advanced
● Deployment

Installation

Options
● Tarball
● GitHub
● Package
  ○ RPM
  ○ DPKG
  ○ Brew

Installation: Package
Distributions may have an old version.
CISOfy repository: https://packages.cisofy.com

Structure

lynis
├── include
│   ├── helpers
│   └── tests
└── plugins
    └── plugin

Structure
lynis          Main program
db             Database files
extras         Supporting files
include        Scripts, helpers, tests
plugins        Any available plugins
default.prf    Default configuration
custom.prf     Your customizations

Running Lynis

Commands
Run Lynis without arguments to see the most common commands.
All options: man page, or use ‘lynis show commands’

Command: Audit
lynis audit system
Performs an in-depth security scan

Test data
● On screen
● Log file
● Report

Command: Audit System
What is it?
The command ‘audit system’ runs many small tests written in shell script.

Why use it?
The tests form the basis of a security audit to detect room for improvement, such as possible weaknesses in the configuration of the system.

Background
Tip: learn how tests work by looking at include/functions and the tests_* files.

Command: Show
lynis show

Options
Many options™
lynis show options

Options
What is it?
Options are flags that can be specified while running Lynis; they start with two minus signs (--).

Why use it?
By providing additional options you can alter the behavior of the scan.

Background
Tip: try all options to see how each one influences the output of a scan.

Commands
lynis show options

Lynis Controls

Controls
Lynis Control = test
Grouped by ‘group’

Custom tests
include/tests_custom
Tests can be written in shell script, or use data from other tools and scripts (e.g. the output of a Python script).

Controls
What is it?
Controls are individual tests within Lynis.

Why use it?
Each test has a unique identifier and is referenced on screen, in the log file, in the report, and on the website. This allows the tool to provide a next step to take.

Background
Test identifiers start with 3 or 4 characters, followed by a dash and four digits (e.g. TEST-1234).

Commands
lynis show details KRNL-6000

Custom tests should go into include/tests_custom. The ID should be CUST-xxxx (xxxx = number).

Controls
Test flags include:
● ID
● Operating system
● Description
● Category

Operating System
include/osdetection

Functions
include/functions

Functions
Register
  --test-no
  --preqs-met
  --category

Screen, Logging, Report

Screen output
Results
● Warnings
● Suggestions

Screen output
What is it?
Screen output is the outcome of an audit and displays the related details.

Why use it?
The screen output is useful for interactive scans when scanning a system for the first time. It can help with testing and confirming the effectiveness of implemented security measures.

Background
Options
--debug
--verbose

Logging
Log file

Logging
What is it?
Logging is detailed information about the scan.

Why use it?
Technical users of Lynis can quickly determine what a test did and what it found. It is also a great source for troubleshooting.

Background
Locations
Non-privileged: /tmp
Privileged (root): /var/log

Commands
lynis show logfile
lynis show report

Report
Scan results
● Compare
● Store
● Upload

Report
What is it?
A file containing all scan results.

Why use it?
Use the report file to compare with previous scans, or share the data with a central management interface like Lynis Enterprise. It can also be used together with a Security Information and Event Management (SIEM) system.

Background
Key and value are separated with the equals (=) sign.

Locations
Non-privileged: /tmp
Privileged (root): /var/log

Commands
lynis show report
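Reading the report file and comparing two scans, as described on the Report slide, as an added example that is not part of the training material or the Lynis code base. It relies only on what the slide states about the format (one key=value pair per line) plus the public layout of list entries (warning[] and suggestion[] values start with the test ID, fields separated by |). The two reports written by write_sample_reports are constructed sample data, not output of a real scan, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: read Lynis report files (key=value lines, comments start
# with #, list keys end in []) and compare two scans of the same host.
# The sample reports below are constructed, not produced by a real scan.

# Print the value(s) of KEY from report FILE, one per line.
report_get() {   # usage: report_get FILE KEY
    awk -F= -v key="$2" '!/^#/ && $1 == key { sub(/^[^=]*=/, ""); print }' "$1"
}

# Test identifiers carried by a list key such as warning[] or suggestion[].
# Each entry has the form ID|text|details|solution|; the first field is the ID.
report_ids() {   # usage: report_ids FILE KEY
    report_get "$1" "$2" | cut -d'|' -f1 | sort -u
}

# Difference between two scans for one list key.
# MODE "added" prints IDs only present in NEW, "resolved" IDs only in OLD.
findings_diff() {   # usage: findings_diff OLD NEW KEY MODE
    _old=$(mktemp); _new=$(mktemp)
    report_ids "$1" "$3" > "${_old}"
    report_ids "$2" "$3" > "${_new}"
    case "$4" in
        added)    comm -13 "${_old}" "${_new}" ;;
        resolved) comm -23 "${_old}" "${_new}" ;;
        *)        echo "unknown mode: $4" >&2; rm -f "${_old}" "${_new}"; return 1 ;;
    esac
    rm -f "${_old}" "${_new}"
}

# Change in hardening index between two scans (positive means improved).
hardening_delta() {   # usage: hardening_delta OLD NEW
    echo $(( $(report_get "$2" hardening_index) - $(report_get "$1" hardening_index) ))
}

# Constructed sample reports for an earlier and a later scan of one host.
write_sample_reports() {   # usage: write_sample_reports DIR
    cat > "$1/scan-old.dat" <<'EOF'
# Lynis Report (constructed sample, not a real scan)
report_version_major=1
hostname=web01
hardening_index=58
warning[]=SSH-7408|SSH option PermitRootLogin is set to yes|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
EOF
    cat > "$1/scan-new.dat" <<'EOF'
# Lynis Report (constructed sample, not a real scan)
report_version_major=1
hostname=web01
hardening_index=71
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
suggestion[]=CUST-0001|Create the local policy file|-|-|
EOF
}

# Summarize the two sample scans on screen.
main() {
    dir=$(mktemp -d)
    write_sample_reports "${dir}"
    old="${dir}/scan-old.dat"; new="${dir}/scan-new.dat"
    echo "host: $(report_get "${new}" hostname)"
    echo "hardening index change: $(hardening_delta "${old}" "${new}")"
    echo "new suggestions: $(findings_diff "${old}" "${new}" 'suggestion[]' added | tr '\n' ' ')"
    echo "resolved suggestions: $(findings_diff "${old}" "${new}" 'suggestion[]' resolved | tr '\n' ' ')"
    echo "resolved warnings: $(findings_diff "${old}" "${new}" 'warning[]' resolved | tr '\n' ' ')"
    rm -rf "${dir}"
}

main
```

The same key lookup works on the real report in /var/log (root) or /tmp (non-privileged) once a scan has run; emitting the added and resolved IDs per host is the form most SIEM collectors can ingest directly.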

Hardening Index
Measure security

Hardening Index
What is it?
A number displayed on screen near the bottom of the output.

Why use it?
The index value is a calculated number that quickly gives an idea of the hardening level of the system. Good for comparing systems, or for striving to increase the defense level.

Background
The hardening index is calculated based on the performed tests. Each test has a specific number of points to achieve.

The value is between 1 and a maximum of 100. It is also stored in the log and report files.
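The custom-test structure described under Controls and Functions (Register with --test-no, --preqs-met and --category; IDs of the form CUST-xxxx in include/tests_custom; the Report function used for custom policy events) together with the point-based hardening index described above, as an added example that is not part of the training material or the Lynis code base. The framework functions (Register, Display, LogText, Report, ReportSuggestion, ReportWarning, AddHP) are minimal stand-ins written here so the file runs without Lynis: their names and argument order follow the Lynis helpers, but their bodies, the CUST_CHECK_FILE parameter, the SKIP_TESTS variable and the index formula (achieved points over possible points, scaled to 100) are assumptions. A real custom test would drop the stand-ins and keep only the test function body in include/tests_custom.

```shell
#!/bin/sh
# Added example: the shape of a custom Lynis test plus a point-based
# hardening index. The helpers below are stand-ins for what Lynis provides
# in include/functions; only their names and argument order follow Lynis,
# their bodies are assumptions so that this file runs on its own.

LOGFILE="${LOGFILE:-/tmp/lynis-custom-demo.log}"
REPORTFILE="${REPORTFILE:-/tmp/lynis-custom-demo.dat}"
HPPOINTS=0        # points achieved so far
HPTOTAL=0         # points that could have been achieved so far
SKIPTEST=0        # set to 1 by Register when a test must not run
TEST_NO=""        # identifier of the test being registered

# Stand-in for Register: record the test ID, log the description and decide
# whether the test is skipped (prerequisites not met, or listed in SKIP_TESTS).
Register() {
    SKIPTEST=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --test-no)     TEST_NO="$2"; shift ;;
            --preqs-met)   if [ "$2" = "NO" ]; then SKIPTEST=1; fi; shift ;;
            --description) LogText "Test ${TEST_NO}: $2"; shift ;;
            --category|--weight|--network) shift ;;
        esac
        shift
    done
    for skip in ${SKIP_TESTS:-}; do
        if [ "${skip}" = "${TEST_NO}" ]; then SKIPTEST=1; fi
    done
}

LogText()          { printf '%s\n' "$1" >> "${LOGFILE}"; }
Report()           { printf '%s\n' "$1" >> "${REPORTFILE}"; }   # one key=value line
ReportSuggestion() { Report "suggestion[]=$1|$2|-|-|"; }
ReportWarning()    { Report "warning[]=$1|$2|-|-|"; }
AddHP()            { HPPOINTS=$((HPPOINTS + $1)); HPTOTAL=$((HPTOTAL + $2)); }  # achieved, maximum

# Stand-in for Display: print the test line as "  - text  [ RESULT ]".
Display() {
    _text=""; _result=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --text)   _text="$2"; shift ;;
            --result) _result="$2"; shift ;;
            --indent|--color) shift ;;
        esac
        shift
    done
    printf '  %-48s [ %s ]\n' "${_text}" "${_result}"
}

# CUST-0001: a custom control that checks for a local policy file.
# CUST_CHECK_FILE and its default path are constructed for this example.
custom_test_0001() {
    Register --test-no CUST-0001 --preqs-met YES --weight L --network NO \
             --category security --description "Check presence of a local policy file"
    if [ "${SKIPTEST}" -eq 0 ]; then
        _file="${CUST_CHECK_FILE:-/etc/example-policy.conf}"
        LogText "Test: checking ${_file}"
        if [ -f "${_file}" ]; then
            Display --indent 2 --text "- Local policy file" --result "FOUND" --color GREEN
            AddHP 3 3                     # full points for this control
            Report "has_my_event=1"       # key a custom compliance rule can match on
        else
            Display --indent 2 --text "- Local policy file" --result "NOT FOUND" --color RED
            ReportSuggestion "${TEST_NO}" "Create ${_file} with the site policy"
            AddHP 0 3                     # control counted, no points achieved
            Report "has_my_event=0"
        fi
    fi
}

# Hardening index as achieved points over possible points, scaled to 100
# (assumed formula, derived from "each test has a number of points").
hardening_index() {
    if [ "${HPTOTAL}" -eq 0 ]; then echo 0; return; fi
    echo $(( HPPOINTS * 100 / HPTOTAL ))
}

# Run the custom test from a clean state and append the index to the report.
run_demo() {
    : > "${LOGFILE}"; : > "${REPORTFILE}"
    HPPOINTS=0; HPTOTAL=0
    custom_test_0001
    Report "hardening_index=$(hardening_index)"
}
```

Running run_demo twice, once with CUST_CHECK_FILE pointing at an existing file and once at a missing one, shows how the same control produces either has_my_event=1 with full points or a suggestion[] entry with zero points; a skipped test (SKIP_TESTS="CUST-0001") writes neither, so it also does not affect the index.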

Configuration

Configuration
Profiles
● default.prf
● custom.prf
● [your-profile.prf]
Custom settings overrule default settings

Profiles
What is it?
A configuration file for Lynis.

Why use it?
Tune how Lynis runs and the actions it should take or skip. The default profile is always used. The custom profile overrules the default. A temporary profile can also be specified to overrule the previous two.

Background
Files
default.prf, [custom.prf], [xxxxxx.prf]

Options
--profile <profile-name.prf>

Commands
lynis configure settings
lynis show profiles
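How the three profile layers resolve, as an added example that is not the Lynis project's own code or configuration: default.prf is always read, custom.prf overrules it, and a file passed with --profile overrules both. The profile files are constructed samples (upload-options=--insecure is the setting the deck names for self-signed certificates on the collection server). Treating skip-test as an accumulating key while every other key is last-definition-wins, and ignoring empty values, are assumptions about Lynis' behaviour, not something the slides state; the function names are this example's own.

```shell
#!/bin/sh
# Added example: how Lynis profiles layer. Settings are key=value lines;
# default.prf is always read, custom.prf overrides it, and a profile given
# with --profile overrides both. The sample profiles are constructed; the
# rule that skip-test accumulates while other keys are replaced is an
# assumption about the semantics described on the slides.

# Effective value of a scalar KEY across PROFILES in order: the last profile
# that defines the key with a non-empty value wins. Comments (#) and blank
# lines are ignored; profiles that do not exist are skipped.
profile_setting() {   # usage: profile_setting KEY PROFILE...
    _key="$1"; shift
    _value=""
    for _prf in "$@"; do
        [ -f "${_prf}" ] || continue           # custom.prf and --profile are optional
        _found=$(awk -F= -v key="${_key}" \
            '!/^[[:space:]]*#/ && $1 == key { sub(/^[^=]*=/, ""); v=$0 } END { print v }' "${_prf}")
        if [ -n "${_found}" ]; then _value="${_found}"; fi
    done
    printf '%s\n' "${_value}"
}

# Accumulating KEY (such as skip-test): collect every value from every profile.
profile_list() {   # usage: profile_list KEY PROFILE...
    _key="$1"; shift
    for _prf in "$@"; do
        [ -f "${_prf}" ] || continue
        awk -F= -v key="${_key}" '!/^[[:space:]]*#/ && $1 == key { sub(/^[^=]*=/, ""); print }' "${_prf}"
    done | sort -u
}

# Constructed sample profiles for the three layers.
write_sample_profiles() {   # usage: write_sample_profiles DIR
    cat > "$1/default.prf" <<'EOF'
# constructed sample of default.prf (shipped with Lynis, not edited)
colors=yes
upload=no
EOF
    cat > "$1/custom.prf" <<'EOF'
# constructed sample of custom.prf (site settings, shipped by configuration management)
upload=yes
# the collection server uses a self-signed certificate; this disables
# certificate verification, so prefer installing the server CA where possible
upload-options=--insecure
skip-test=KRNL-6000
EOF
    cat > "$1/quick-scan.prf" <<'EOF'
# constructed sample of a temporary profile passed with --profile
colors=no
skip-test=CUST-0001
EOF
}

# Show the effective settings for the full chain of three profiles.
main() {
    dir=$(mktemp -d)
    write_sample_profiles "${dir}"
    chain="${dir}/default.prf ${dir}/custom.prf ${dir}/quick-scan.prf"
    for key in colors upload upload-options; do
        echo "${key}=$(profile_setting "${key}" ${chain})"
    done
    echo "skip-test: $(profile_list skip-test ${chain} | tr '\n' ' ')"
    rm -rf "${dir}"
}

main
```

With the chain above the effective settings are colors=no (temporary profile wins), upload=yes and upload-options=--insecure (custom.prf wins over default.prf), and both skip-test entries apply; dropping the temporary profile from the chain restores colors=yes.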

Basics: Plugins
Primary goal: collecting data
Two phases
1. “Pre”
2. “Post”

Plugins
What is it?
Plugins are little extensions to Lynis.

Why use it?
Plugins help to collect more data than the plain version of Lynis does.

Background
Tips
Each dot represents a test. This provides a visual cue when a test takes a while to execute.

System Upload
--upload
Configure
● License code
● Server

System Upload
Option: --upload
HTTPS protocol
Using self-signed certificates? upload-options=--insecure

System Upload
What is it?
The option to upload data with --upload.

Why use it?
By using --upload the data will be uploaded to the data collection server. This is useful for storing the data on a central system where the data is processed.

Background
Tips
Use lynis upload-only to perform just the upload of data.

Lynis Enterprise
● Lynis Collector
● Installation
● Configuration
● Data uploads
● Modules

Lynis Collector
Upload in batches
● Offline deployments
● Networked environments

Lynis Collector
What is it?
Utility to upload data reports.

Why use it?
Lynis Collector overcomes any barrier with segmented networks. It also helps when you only have the reports, but no access to the systems (e.g. security assessments).

Background
Tips
Use this utility when systems cannot directly reach the central system.

Lynis Enterprise: Framework
Open Source
● Django
● Nginx
● PostgreSQL

Requirements
Operating System: CentOS, Debian, OEL, openSUSE, RHEL, Ubuntu
Memory: 1 GB or more
See https://cisofy.com/support/ for the self-hosted guide

Lynis Enterprise: Framework
Django
● Security
● Quick iterations
● Many modules

Lynis Enterprise: Installation
Lynis Updater
● Installation
● Packages
● Database migrations
● Configuration
● Monitoring
Note: this applies only to self-hosted installations

Lynis Updater
What is it?
Installation and update utility for self-hosted Lynis Enterprise installations.

Why use it?
Run the utility regularly to keep your Enterprise installation up-to-date.

Background
Commands
lynis-updater check
lynis-updater status
lynis-updater update
lynis-updater upgrade

Lynis Enterprise: Configuration
Multi-tenancy
● Companies
● Licenses
● Accounts

Admin Panel
Reporting: additional reports
Internals: database synchronization
Status: system monitoring
Note: these options are only visible when running a self-hosted installation.

Uploads

Data Upload
Client
Run Lynis: lynis audit system --upload
Repeat upload: complete uploads can be uploaded again with lynis upload-only. Otherwise you will see an error:

Server
Phase 1 - Collect:
● Retrieve data uploads
Phase 2 - Import data:
● Host IDs
● Ownership
● License check
● Previous scans
● Compliance

Host IDs
Identifier
Allow multiple uploads
● MAC address
● SSH public key

Host IDs
What is it?
Identification strings that Lynis generates for a system.

Why use it?
To allow repeated uploads, each system needs to be unique. The identifiers are created automatically.

Background
Commands
lynis show hostids

Ownership
License key
Existing owner

Background
When a system is uploaded, a check is performed to see if the system is already known. If the owner of the license does not match the system owner, the data upload will be cancelled.

License Key
What is it?
Unique identifier for a company.

Why use it?
Typically the license key is used when uploading a system.

Background
Master license key
Used for setting up Lynis Enterprise as a self-hosted installation and for retrieving updates.

Sub license key
Key linked to a company in Lynis Enterprise, to prove ownership of a system. Also used on the software repository.

Modules

Lynis Enterprise

System Details

System Overview
Available systems
● Hostname
● Version
● Compliance
● Warnings / Suggestions
● Updated
● Client version

System Details

Tags
Quickly find systems with a tag (or without)

Compliance

Compliance
● PCI DSS
● HIPAA
● Sarbanes-Oxley Act (SOx)
● General Data Protection Regulation (GDPR)
● CIS benchmarks
● Your policies?

Compliance: Policies
(diagram: a policy contains one or more rule sets; each rule set contains one or more rules)

Compliance: Policies
Rulesets: one or more rules

Compliance

Compliance: Explain
What is it?
The ‘explain’ utility shows the details of rule sets.

Why use it?
Use ‘explain’ to see what Lynis Enterprise does in the background. It provides the steps, data from the database, and guidance.

Background
Create custom policy rules with your own Lynis tests. Example: if some event is true, use the Report function.
Report “has_my_event=1”

Compliance
Policies

Customization: Policy Editor

Compliance: Policy Editor
What is it?
The policy editor imports rule sets from other policies.

Why use it?
Quickly create custom policies by using rule sets from other security policies and standards.

Background
Tips
Start out with the available policies before creating your own.
First test a policy against a few systems to see what kind of issues show up. Otherwise you will end up with all systems being non-compliant.

Solve findings: Snippets

Hardening Snippets
What is it?
Small scripts to solve findings.

Why use it?
Use the snippets to implement system hardening measures, or to disable/enable components. Combine these snippets with a configuration management solution.

Background
Snippets for configuration management: Ansible, CFEngine, Chef, or Puppet.
Usually there is also a generic shell script available.

Improvement Plan

Improvement Plan
Prioritize your work
● Quick wins
● Impact
● Control count
● System risk

Improvement Plan
What is it?
The improvement plan shows a small list of controls or systems, sorted by count or priority.

Why use it?
It may be hard to start with system hardening as there is so much to do. Get started by solving some quick wins, or items that affect many systems.

Background
The improvement plan is an ideal step to use the very first few times when using Lynis Enterprise.
Have junior system administrators pick easier tasks from the quick wins category.
Select controls that show up in multiple categories (quick wins, count).

Reporting and API

Reporting
Formats
● CSV
● PDF
● JSON

Reporting
Grouping data: use available fields
Security tip: quickly detect vulnerable systems

API
Connect your data
● CMDB
● Monitoring system
● Reporting
● SIEM
https://hostname/api/

Resources

Support
Documentation
● Installation
● Plugins
● Controls
URL: https://cisofy.com/support/

Configuration
Deployment tip
Use lynis configure settings
Ship custom.prf with Ansible, Puppet, etc.

Deployment

Tasks
Client
● Install Lynis
● Configure
● Upload data
Interface
● See system details
● Define policy
● Test compliance
Server
● Run lynis-updater