vulnerability-management

OpenSCAP

The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with the assessment, measurement, and enforcement of security baselines. The tooling is characterized by its flexibility and interoperability, which reduce the cost of performing security audits.

References

  • Latest compiled SCAP packages: https://github.com/ComplianceAsCode/content/releases/tag/v0.1.50
  • GitHub repo: https://github.com/ComplianceAsCode/content
  • oscap cmdline tool user manual: http://static.open-scap.org/openscap-1.2/oscap_user_manual.html
  • Great Red Hat Documentation on OpenSCAP: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-scanning_the_system_in_oscap

Install on OpenSUSE

zypper install spacewalk-oscap

Lynis

Lynis is a battle-tested security tool for systems running Linux, macOS, or other Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software released under the GPL license and has been available since 2007. Documentation can be found here.

Installing Lynis via a package manager is one option to get started with Lynis. For most operating systems and distributions, a port or package is available.

First add the Lynis project's software repository. This way the latest version will be available to your system.

Install Lynis

Red Hat

This applies to systems running YUM, including CentOS, Fedora, and Red Hat Enterprise Linux (RHEL).

yum install lynis

Debian

This applies to systems running Debian, Linux Mint, Ubuntu, or a distribution based on one of these.

apt-get install lynis

openSUSE

zypper install lynis

After the installation, it is time to run Lynis for the first time:

lynis audit system

Convert Lynis report file to HTML or JSON

Once Lynis has run, it saves the final report to /var/log/lynis-report.dat. This file, however, is not very friendly for us humans. The good news is that there is a Lynis conversion tool that lets us convert the results to JSON or HTML.

Install Lynis Report Converter

I know… it’s a PERL script, I would like to complain (well, I kinda am ha) but there’s no other alternative out there at the moment so… let’s eat this bowl of cereals

# *** Install Pre-Requisites ***
# versions prior to Ubuntu 16.04 LTS should use apt-get
apt update
apt -y install htmldoc libxml-writer-perl libarchive-zip-perl libjson-perl
pushd /tmp/
wget http://search.cpan.org/CPAN/authors/id/M/MF/MFRANKL/HTML-HTMLDoc-0.10.tar.gz
tar xvf HTML-HTMLDoc-0.10.tar.gz
pushd HTML-HTMLDoc-0.10
perl Makefile.PL
make && make install
popd
# *** Clone the repo with the perl script ***
git clone https://github.com/d4t4king/lynis-report-converter.git

Use Docker Image

There also seems to be a Docker image that runs the converter, see https://hub.docker.com/r/kuznetsovv/lynis-report-converter/

To convert those nasty Linux hardening reports to juicy JSON for the amusement of Elasticsearch and Splunk users alike, simply run:

docker run -v /path/to/lynis-reports:/lynis-reports kuznetsovv/lynis-report-converter ./opt/lynis-report-converter-master/lynis-report-converter.pl "-i" "/lynis-reports/report-HOST1-20200125.dat" "-j" "-o" "/lynis-reports/report-HOST1-20200125.json"

Alternatively, to convert multiple reports in a folder, pass a small bash script to Docker. Create the following script:

# A quoted heredoc keeps the embedded single quotes intact and prevents local expansion
# of $i (the original echo '...' form broke on the nested quotes around the sed expressions).
cat > lynis-convert.sh <<'EOF'
for i in $(find /lynis-reports/ -name "*.dat"); do
    # strip the directory and the .dat extension to build the output name
    lynis_output_file=$(echo "$i" | sed 's/.*\///' | sed 's/\.dat//')
    /opt/lynis-report-converter-master/lynis-report-converter.pl -i "$i" -j -o "/lynis-reports/$lynis_output_file.json"
done
EOF

Save the file in the directory that is passed to the docker container as a mount volume and execute with bash.

docker run -v /path/to/lynis-reports:/lynis-reports kuznetsovv/lynis-report-converter /bin/bash "/lynis-reports/lynis-convert.sh"
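If you would rather not depend on the Perl converter or the Docker image, the report format is simple enough to parse directly. The following is an added example (not code from this page or from the lynis-report-converter project): the .dat file is a list of key=value lines, keys ending in [] repeat and form lists, and warning[]/suggestion[] values are pipe-delimited as test id, description, details and solution. The sample report is constructed, not the output of a real scan.

```python
import json

# Constructed sample of /var/log/lynis-report.dat (not output of a real scan).
SAMPLE_REPORT = """\
# Lynis Report
report_version_major=1
report_version_minor=0
hostname=host1
os=Linux
hardening_index=64
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
warning[]=SSH-7408|Consider hardening SSH configuration.|PermitRootLogin (set YES to NO)|-|
suggestion[]=FILE-6310|To protect access, consider a separate partition|/var|-|
installed_packages_array[]=bash,5.0,amd64
installed_packages_array[]=openssh-server,8.2,amd64
"""

# warning[] and suggestion[] values are pipe-delimited: id|description|details|solution
FINDING_FIELDS = ("test_id", "description", "details", "solution")


def parse_lynis_report(text):
    """Parse the key=value report into a dict; '[]' keys become lists and
    warning/suggestion entries are split into named fields so a SIEM can
    filter on test_id or details."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comments and blank lines carry no data
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            key = key[:-2]
            if key in ("warning", "suggestion"):
                parts = value.rstrip("|").split("|")
                parts += ["-"] * (len(FINDING_FIELDS) - len(parts))  # pad short entries
                value = dict(zip(FINDING_FIELDS, parts))
            report.setdefault(key, []).append(value)
        else:
            report[key] = int(value) if value.isdigit() else value
    return report


def to_json(text):
    """JSON document ready for Elasticsearch or Splunk ingestion."""
    return json.dumps(parse_lynis_report(text), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(SAMPLE_REPORT))
```

To convert a real report, pass the contents of /var/log/lynis-report.dat to to_json() instead of the sample.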

Run unattended or on multiple targets

You can also run Lynis unattended with its “cronjob” mode. The same approach can be leveraged to run Lynis remotely on multiple systems using a bash script such as the following:

#!/bin/bash
# NOTE: Don't run the script with SUDO, credentials will be prompted for when running commands on the target system via SSH

HOSTSLIST=(
    "HOST1"
    "HOST2"
    "HOST3"
)

# ENVIRONMENT VARS
AUDITOR="your_user_name"
GROUP="$AUDITOR"                      # group that will own the fetched reports on the target
DATE=$(date +%Y%m%d)
REPORT_RECEIVER="recipient@example.com"   # placeholder: mailbox that receives the reports
LYNIS_FILES_DIR="lynis-files"
LYNIS_VERSION="2.7.5"
LYNIS_PACKAGE="lynis-${LYNIS_VERSION}.tar.gz"

# Preparation
## Create a new RSA Key to login via SSH: ssh-keygen -t rsa
## The script will add the key to each host with: ssh-copy-id $AUDITOR@$LYNIS_HOST

for LYNIS_HOST in "${HOSTSLIST[@]}"
do
    # Setup ENV
    echo "[Lynis Scan] - Target: $LYNIS_HOST"
    NON_SUDO_HOME_DIR="/home/$AUDITOR"
    LOG_DIR="/home/$AUDITOR/lynis-reports"
    REPORT="$LOG_DIR/report-$LYNIS_HOST-${DATE}.dat"
    REPORT_LOG="$LOG_DIR/log-$LYNIS_HOST-${DATE}.log"
    DATA="$LOG_DIR/report-data-$LYNIS_HOST.${DATE}.txt"

    # Copy Public RSA Key for SSH Access
    echo "[Lynis Scan] - Copying SSH Public Key to $LYNIS_HOST"
    ssh-copy-id -o StrictHostKeyChecking=no -i "$NON_SUDO_HOME_DIR/.ssh/id_rsa" "$AUDITOR@$LYNIS_HOST"

    # Run Lynis Remote
    # Step 1: Get Lynis tarball
    mkdir -p "$LYNIS_FILES_DIR"
    mkdir -p "$LOG_DIR"
    if [ ! -f "$LYNIS_FILES_DIR/$LYNIS_PACKAGE" ]; then
        wget -P "$LYNIS_FILES_DIR" "https://cisofy.com/files/$LYNIS_PACKAGE"
    fi

    # Step 2: Copy tarball to target $LYNIS_HOST
    scp -q "./$LYNIS_FILES_DIR/$LYNIS_PACKAGE" "$AUDITOR@$LYNIS_HOST:$NON_SUDO_HOME_DIR/tmp-lynis-remote.tgz"

    # Step 3: Execute audit command
    # $AUDITOR and $GROUP are expanded locally (double quotes) before the command is sent;
    # ~ is not expanded locally inside double quotes, so the remote shell resolves it.
    ssh -t "$AUDITOR@$LYNIS_HOST" "mkdir -p ~/tmp-lynis \
        && cd ~/tmp-lynis \
        && tar xzf ../tmp-lynis-remote.tgz \
        && rm ../tmp-lynis-remote.tgz \
        && sudo chown -R 0:0 lynis \
        && cd lynis \
        && sudo ./lynis audit system \
        && sudo rm -rf ~/tmp-lynis \
        && sudo mv /var/log/lynis.log /tmp/lynis.log \
        && sudo mv /var/log/lynis-report.dat /tmp/lynis-report.dat \
        && sudo chown $AUDITOR:$GROUP /tmp/lynis.log \
        && sudo chown $AUDITOR:$GROUP /tmp/lynis-report.dat"

    # Step 4: Fetch report files
    scp -q "$AUDITOR@$LYNIS_HOST:/tmp/lynis.log" "$REPORT_LOG"
    scp -q "$AUDITOR@$LYNIS_HOST:/tmp/lynis-report.dat" "$REPORT"

    # Step 5: Clean up tmp files (when using non-privileged account)
    ssh "$AUDITOR@$LYNIS_HOST" "rm /tmp/lynis.log /tmp/lynis-report.dat"

    # Step 6: Send Report
    mailx -s "lynis-report_$LYNIS_HOST" "$REPORT_RECEIVER" < "$REPORT"
done