Skip to main content Link Search Menu Expand Document (external link)
Lynis, auditando sistemas

Bloque 10 - LDAP, PHP, Squid y registros

Nuevamente no detecta LDAP porque no tenemos ese servicio corriendo en nuestra máquina y como salta el siguiente test relacionado con el archivo de configuración:

2022-11-29 09:23:11 ====
2022-11-29 09:23:11 Action: Performing tests from category: LDAP Services
2022-11-29 09:23:11 ====
2022-11-29 09:23:11 Performing test ID LDAP-2219 (Check running OpenLDAP instance)
2022-11-29 09:23:11 Performing pgrep scan without uid
2022-11-29 09:23:11 IsRunning: process 'slapd' not found
2022-11-29 09:23:11 Result: No running slapd process found.
2022-11-29 09:23:11 ====
2022-11-29 09:23:11 Skipped test LDAP-2224 (Check presence slapd.conf)
2022-11-29 09:23:11 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)

...

PHP

De la misma forma pasa con este, busca en varios directorios el archivo php.ini sin encontrarlo, por lo que salta test consecutivos sobre configuraciones:

2022-11-29 09:23:11 Checking permissions of /usr/local/lynis/include/tests_php
2022-11-29 09:23:11 File permissions are OK
2022-11-29 09:23:11 ====
2022-11-29 09:23:11 Action: Performing tests from category: PHP
2022-11-29 09:23:11 ====
2022-11-29 09:23:11 Performing test ID PHP-2211 (Check php.ini presence)
2022-11-29 09:23:11 Test: Checking for presence php.ini
2022-11-29 09:23:11 Test: checking presence /etc/php.ini
2022-11-29 09:23:11 Result: file /etc/php.ini not found
2022-11-29 09:23:11 Test: checking presence /etc/php.ini.default
2022-11-29 09:23:11 Result: file /etc/php.ini.default not found
2022-11-29 09:23:11 Test: checking presence /etc/php/php.ini
2022-11-29 09:23:11 Result: file /etc/php/php.ini not found
2022-11-29 09:23:11 Test: checking presence /etc/php5.5/php.ini
2022-11-29 09:23:11 Result: file /etc/php5.5/php.ini not found
2022-11-29 09:23:11 Test: checking presence /etc/php5.6/php.ini
2022-11-29 09:23:11 Result: file /etc/php5.6/php.ini not found
2022-11-29 09:23:11 Test: checking presence /etc/php7.0/php.ini
2022-11-29 09:23:11 Result: file /etc/php7.0/php.ini not found

...

2022-11-29 09:23:11 Test: checking presence /etc/php/apache2-php7.2/php.ini
2022-11-29 09:23:11 Result: file /etc/php/apache2-php7.2/php.ini not found
2022-11-29 09:23:11 Test: checking presence /etc/php/apache2-php7.3/php.ini
2022-11-29 09:23:11 Result: file /etc/php/apache2-php7.3/php.ini not found
2022-11-29 09:23:11 Test: checking presence /etc/php/apache2-php7.4/php.ini
2022-11-29 09:23:11 Result: file /etc/php/apache2-php7.4/php.ini not found
2022-11-29 09:23:11 Test: checking presence /etc/php/cgi-php5.5/php.ini

...

2022-11-29 09:23:11 Test: checking presence /usr/local/php71/lib/php.ini
2022-11-29 09:23:11 Result: file /usr/local/php71/lib/php.ini not found
2022-11-29 09:23:11 Test: checking presence /usr/local/php72/lib/php.ini
2022-11-29 09:23:11 Result: file /usr/local/php72/lib/php.ini not found
2022-11-29 09:23:11 Test: checking presence /usr/local/php73/lib/php.ini
2022-11-29 09:23:11 Result: file /usr/local/php73/lib/php.ini not found
2022-11-29 09:23:11 Test: checking presence /usr/local/php74/lib/php.ini
2022-11-29 09:23:11 Result: file /usr/local/php74/lib/php.ini not found

...

2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Skipped test PHP-2320 (Check PHP disabled functions)
2022-11-29 09:23:12 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)
2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Skipped test PHP-2368 (Check PHP register_globals option)
2022-11-29 09:23:12 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)
2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Skipped test PHP-2372 (Check PHP expose_php option)
2022-11-29 09:23:12 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)
2022-11-29 09:23:12 ====

...

Squid

Idéntico procedimiento con este servicio:

2022-11-29 09:23:12 Checking permissions of /usr/local/lynis/include/tests_squid
2022-11-29 09:23:12 File permissions are OK
2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Action: Performing tests from category: Squid Support
2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Performing test ID SQD-3602 (Check for running Squid daemon)
2022-11-29 09:23:12 Test: Searching for a Squid daemon
2022-11-29 09:23:12 Result: No running Squid daemon found
2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Skipped test SQD-3604 (Check Squid daemon file location)
2022-11-29 09:23:12 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)
2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Skipped test SQD-3606 (Check Squid version)
2022-11-29 09:23:12 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)
2022-11-29 09:23:12 ====

...

Registros

En esta parte difiere del Bloque 14 de Primera auditoría, ahora detecta journald:

2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Performing test ID LOGG-2132 (Check for running syslog-ng daemon)
2022-11-29 09:23:12 Test: Searching for syslog-ng daemon in process list
2022-11-29 09:23:12 Performing pgrep scan without uid
2022-11-29 09:23:12 IsRunning: process 'syslog-ng' not found
2022-11-29 09:23:12 Result: Syslog-ng NOT found in process list
2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Skipped test LOGG-2134 (Checking Syslog-NG configuration file consistency)
2022-11-29 09:23:12 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)
2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Performing test ID LOGG-2136 (Check for running systemd journal daemon)
2022-11-29 09:23:12 Test: Searching for systemd journal daemon in process list
2022-11-29 09:23:12 Performing pgrep scan without uid
2022-11-29 09:23:12 IsRunning: process 'systemd-journal' found (499 )
2022-11-29 09:23:12 ====

...

Al igual que en el otro, no detecta remote logging, veamos qué busca:

2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Performing test ID LOGG-2154 (Checking syslog configuration file)
2022-11-29 09:23:12 Test: analyzing file /etc/rsyslog.conf for remote target
2022-11-29 09:23:12 Result: no remote target found
2022-11-29 09:23:12 Test: analyzing file /etc/rsyslog.d/20-ufw.conf for remote target
2022-11-29 09:23:12 Result: no remote target found
2022-11-29 09:23:12 Test: analyzing file /etc/rsyslog.d/postfix.conf for remote target
2022-11-29 09:23:12 Result: no remote target found
2022-11-29 09:23:12 Test: analyzing file /etc/rsyslog.d/50-default.conf for remote target
2022-11-29 09:23:12 Result: no remote target found
2022-11-29 09:23:12 Result: no remote logging found
2022-11-29 09:23:12 Suggestion: Enable logging to an external logging host for archiving purposes and additional protection [test:LOGG-2154] [details:-] [solution:-]
2022-11-29 09:23:12 Hardening: assigned partial number of hardening points (1 of 3). Currently having 183 points (out of 259)

...

Vemos que busca archivos de configuración del protocolo de registro del sistema (rsyslog) y analiza su contenido en busca de un servidor donde se centralice el registro de estos eventos. Si tenemos un servidor externo que almacene estos registros, aumentaremos en la eficacia de analizar y depurar lo que ocurre en el servidor del cuál estamos recolectando datos. Para ello nos haría falta otro servidor o nuestra propia máquina, ir a los archivos de configuración pertinentes de rsyslog y configurar este (rsyslog.d/50-default.conf) para enviarlos al servidor con una línea así:

*.* @@[dirección_ip_servidor]:[puerto_habitualmente_514]


## Específico para cada servicio que queramos enviar

mail.* 						-/var/log/mail.log

Por último, al igual que entradas anteriores se habla de los archivos borrados que siguen en uso:

2022-11-29 09:23:12 ====
2022-11-29 09:23:12 Performing test ID LOGG-2190 (Checking for deleted files in use)
2022-11-29 09:23:12 Test: checking deleted files that are still in use
2022-11-29 09:23:12 Result: found one or more files which are deleted, but still in use
2022-11-29 09:23:12 Found deleted file: /run/lock/apache2/authdigest-client.1829(apache2)
2022-11-29 09:23:12 Found deleted file: /run/lock/apache2/authdigest-opaque.1829(apache2)
2022-11-29 09:23:12 Found deleted file: /run/lock/apache2/mpm-accept.1829(apache2)
2022-11-29 09:23:12 Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]
2022-11-29 09:23:12 ====


...

Como se comentó en Corrección 6 de Resultados e implementación de mejoras habría que listar con lsof, investigar los procesos e ir cerrándolos de manera manual o directamente reiniciar la máquina.