OpenSCAP
The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with the assessment, measurement, and enforcement of security baselines. The tooling is characterized by its flexibility and interoperability, which reduces the cost of performing security audits.
References
- Latest compiled SCAP packages: https://github.com/ComplianceAsCode/content/releases/tag/v0.1.50
- Github Repo: https://github.com/ComplianceAsCode/content
oscap
- cmdline tool user manual: http://static.open-scap.org/openscap-1.2/oscap_user_manual.html
- Great Red Hat documentation on OpenSCAP: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-scanning_the_system_in_oscap
Install on OpenSUSE
zypper install spacewalk-oscap
Lynis
Lynis is a battle-tested security tool for systems running Linux, macOS, or another Unix-based operating system. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software under the GPL license and has been available since 2007. Documentation can be found here.
Installing Lynis via a package manager is one option to get started with Lynis. For most operating systems and distributions, a port or package is available.
First add the Lynis software repository, so that the latest version is available to your system.
Install Lynis
Red Hat
This applies to systems running YUM, including CentOS, Fedora, Red Hat Enterprise Linux (RHEL).
yum install lynis
Debian
Systems running Debian, Linux Mint, Ubuntu, or a distribution based on one of these.
apt-get install lynis
openSUSE
zypper install lynis
After the installation, it is time to run Lynis for the first time:
lynis audit system
Convert Lynis report file to HTML or JSON
Once Lynis has run, it saves the final report to /var/log/lynis-report.dat. This file, however, is not very friendly for us humans. The good news is that there is a Lynis conversion tool that converts the results to JSON or HTML.
Install Lynis Report Converter
I know… it’s a Perl script, I would like to complain (well, I kinda am ha) but there’s no other alternative out there at the moment so… let’s eat this bowl of cereals
# *** Install Pre-Requisites ***
# versions prior to Ubuntu 16.04 LTS should use apt-get
apt update
apt -y install htmldoc libxml-writer-perl libarchive-zip-perl libjson-perl
pushd /tmp/
wget http://search.cpan.org/CPAN/authors/id/M/MF/MFRANKL/HTML-HTMLDoc-0.10.tar.gz
tar xvf HTML-HTMLDoc-0.10.tar.gz
pushd HTML-HTMLDoc-0.10
perl Makefile.PL
make && make install
popd
# *** Clone the repo with the perl script *** (we are back in /tmp, so the clone lands there)
git clone https://github.com/d4t4king/lynis-report-converter.git
Use Docker Image
There also seems to be a Docker image that runs the converter; see https://hub.docker.com/r/kuznetsovv/lynis-report-converter/
To convert those nasty Linux hardening reports to juicy JSON for the amusement of Elasticsearch and Splunk users alike, simply run:
docker run -v /path/to/lynis-reports:/lynis-reports kuznetsovv/lynis-report-converter ./opt/lynis-report-converter-master/lynis-report-converter.pl "-i" "/lynis-reports/report-HOST1-20200125.dat" "-j" "-o" "/lynis-reports/report-HOST1-20200125.json"
Alternatively, to convert multiple reports in a folder, pass a small bash script to Docker. Create the following script (a quoted here-document, so the sed/basename expressions are written to the file untouched):
cat > lynis-convert.sh <<'EOF'
#!/bin/bash
# Convert every Lynis .dat report in the mounted folder to a JSON file next to it
for i in $(find /lynis-reports/ -name "*.dat"); do
    lynis_output_file=$(basename "$i" .dat)
    /opt/lynis-report-converter-master/lynis-report-converter.pl -i "$i" -j -o "/lynis-reports/$lynis_output_file.json"
done
EOF
Save the file in the directory that is passed to the Docker container as a mount volume and execute it with bash:
docker run -v /path/to/lynis-reports:/lynis-reports kuznetsovv/lynis-report-converter /bin/bash "/lynis-reports/lynis-convert.sh"
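As an added example (not part of the original page or of the lynis-report-converter project), the same conversion can be done without Perl or Docker: the report is a flat file of key=value lines, where keys ending in [] repeat to form lists and warning[]/suggestion[] values are '|'-delimited. The script below parses that format into JSON and splits findings into fields so they can be queried in Elasticsearch or Splunk; the embedded sample report is constructed.

```python
#!/usr/bin/env python3
import json
import sys
from collections import defaultdict

# Constructed sample of /var/log/lynis-report.dat (real reports carry far more keys)
SAMPLE_REPORT = """\
# Lynis Report
lynis_version=2.7.5
hostname=HOST1
hardening_index=64
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
warning[]=SSH-7408|Setting in ssh config: PermitRootLogin|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
installed_packages_array[]=openssh-server,1:7.6p1
installed_packages_array[]=sudo,1.8.21p2
"""

def parse_report(text):
    """Plain keys map to strings; keys ending in '[]' collect into lists."""
    lists, scalars = defaultdict(list), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and the header comment
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # tolerate a malformed line instead of aborting
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            scalars[key] = value
    scalars.update(lists)
    return scalars

def split_findings(entries):
    """warning[]/suggestion[] values are '|'-delimited: test id, message, details, solution."""
    out = []
    for entry in entries:
        fields = entry.rstrip("|").split("|")
        fields += [""] * (4 - len(fields))   # pad short entries so every key exists
        out.append(dict(zip(("test", "message", "details", "solution"), fields)))
    return out

def to_json(text):
    data = parse_report(text)
    for key in ("warning", "suggestion"):
        if key in data:
            data[key] = split_findings(data[key])
    return json.dumps(data, indent=2, sort_keys=True)

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(to_json(source))
```

Run it as `python3 lynis2json.py /var/log/lynis-report.dat > report.json`; without an argument it converts the embedded sample.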
Run unattended or on multiple targets
You can also run Lynis unattended with its “cronjob” option. The same approach can be leveraged to run Lynis remotely on multiple systems with a bash script such as the following:
#!/bin/bash
# NOTE: Don't run the script with SUDO, credentials will be prompted for when running commands on the target system via SSH

HOSTSLIST=( "HOST1" "HOST2" "HOST3" )

# ENVIRONMENT VARS
AUDITOR="your_user_name"
GROUP="$AUDITOR"                          # primary group of the auditor on the targets (assumed to match the user name)
DATE=$(date +%Y%m%d)
REPORT_RECEIVER="recipient@example.com"   # placeholder: mail address that receives the reports
LYNIS_FILES_DIR="lynis-files"
LYNIS_VERSION="2.7.5"
LYNIS_PACKAGE="lynis-${LYNIS_VERSION}.tar.gz"
NON_SUDO_HOME_DIR="/home/$AUDITOR"
LOG_DIR="/home/$AUDITOR/lynis-reports"

# Preparation
## Create a new RSA Key to login via SSH: ssh-keygen -t rsa
## The script will add the key to each host with: ssh-copy-id $AUDITOR@$LYNIS_HOST

for LYNIS_HOST in "${HOSTSLIST[@]}"
do
    # Setup ENV
    echo "[Lynis Scan] - Target: $LYNIS_HOST"
    REPORT="$LOG_DIR/report-$LYNIS_HOST-${DATE}.dat"
    REPORT_LOG="$LOG_DIR/log-$LYNIS_HOST-${DATE}.log"
    DATA="$LOG_DIR/report-data-$LYNIS_HOST.${DATE}.txt"

    # Copy Public RSA Key for SSH Access
    echo "[Lynis Scan] - Copying SSH Public Key to $LYNIS_HOST"
    ssh-copy-id -o StrictHostKeyChecking=no -i "$NON_SUDO_HOME_DIR/.ssh/id_rsa" "$AUDITOR@$LYNIS_HOST"

    # Run Lynis Remote
    # Step 1: Get Lynis tarball (downloaded once, reused for every host)
    mkdir -p "$LYNIS_FILES_DIR"
    mkdir -p "$LOG_DIR"
    if [ ! -f "$LYNIS_FILES_DIR/$LYNIS_PACKAGE" ]; then
        wget -P "$LYNIS_FILES_DIR" "https://cisofy.com/files/$LYNIS_PACKAGE"
    fi

    # Step 2: Copy tarball to target $LYNIS_HOST
    scp -q "./$LYNIS_FILES_DIR/$LYNIS_PACKAGE" "$AUDITOR@$LYNIS_HOST:$NON_SUDO_HOME_DIR/tmp-lynis-remote.tgz"

    # Step 3: Execute audit command (-t allocates a tty so sudo can prompt for a password)
    # $AUDITOR and $GROUP are expanded locally before the command string is sent to the target
    ssh -t "$AUDITOR@$LYNIS_HOST" "mkdir -p ~/tmp-lynis \
        && cd ~/tmp-lynis \
        && tar xzf ../tmp-lynis-remote.tgz \
        && rm ../tmp-lynis-remote.tgz \
        && sudo chown -R 0:0 lynis \
        && cd lynis \
        && sudo ./lynis audit system \
        && sudo rm -rf ~/tmp-lynis \
        && sudo mv /var/log/lynis.log /tmp/lynis.log \
        && sudo mv /var/log/lynis-report.dat /tmp/lynis-report.dat \
        && sudo chown $AUDITOR:$GROUP /tmp/lynis.log \
        && sudo chown $AUDITOR:$GROUP /tmp/lynis-report.dat"

    # Step 4: Fetch report files
    scp -q "$AUDITOR@$LYNIS_HOST:/tmp/lynis.log" "$REPORT_LOG"
    scp -q "$AUDITOR@$LYNIS_HOST:/tmp/lynis-report.dat" "$REPORT"

    # Step 5: Clean up tmp files (when using non-privileged account)
    ssh "$AUDITOR@$LYNIS_HOST" "rm /tmp/lynis.log /tmp/lynis-report.dat"

    # Step 6: Send Report
    mailx -s "lynis-report_$LYNIS_HOST" "$REPORT_RECEIVER" < "$REPORT"
done