Last week we passed along some information on a Unix audit tool called Lynis, maintained by Michael Boelen (http://www.rootkit.nl/projects/lynis.html). The value of this tool is that it is an open script that auditors can give to system administrators to run on their Unix servers in order to assess specific technical security controls on the system.
If an auditor chose to use this tool to gather data, likely the process would look something like this:
- The auditor gives a copy of the script to the data custodian (system administrator).
- The system administrator runs the script on the target machine (note, it does not work across the network).
- Lynis produces an output file: /var/log/lynis-report.dat (location can be customized).
- The system administrator gives the auditor a copy of this output file.
- The auditor parses the file for relevant information to include in their findings report.
At a minimum, an auditor will want to extract the list of all warnings and suggestions the tool makes automatically. Built-in commands such as the Linux cat, grep, and sed commands are enough for this. The following one-line command gives an auditor only the warnings from the report file:
cat /var/log/lynis-report.dat | grep '^warning\[\]=' | sed -e 's/^warning\[\]=//'
The same can be done for the suggestions with the following command:
cat /var/log/lynis-report.dat | grep '^suggestion\[\]=' | sed -e 's/^suggestion\[\]=//'
A couple of other commands are worth trying when parsing this file. The following gathers a list of all installed software packages on the system:
cat /var/log/lynis-report.dat | grep '^installed_package\[\]=' | sed -e 's/^installed_package\[\]=//'
The following command gathers a list of all the installed shells on the system from the report:
cat /var/log/lynis-report.dat | grep '^available_shell\[\]=' | sed -e 's/^available_shell\[\]=//'
You get the idea. The system administrator can provide the auditor one output file, and the auditor could easily write a parsing script based on this syntax to completely parse the file into a manageable output that is a little more friendly to read.
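One way to write the parsing script described above, as an added example rather than code from the original post or the Lynis project. The helper names lynis_values and lynis_summary are hypothetical, the script assumes only the key[]=value line format seen in the commands above, and it runs on a constructed sample report. It matches the key exactly, so a suggestion whose text happens to contain the word "warning" is not reported as a warning.

```shell
#!/bin/sh
# Added example: split a Lynis report into readable sections.
# Assumes only the key[]=value line format used by the commands above.

# Print the values recorded under one array key. The key is compared
# exactly, so text inside another entry's value can never match.
lynis_values() {  # usage: lynis_values REPORT KEY
    awk -v key="$2" '
        /^#/ { next }                        # skip comment lines
        {
            eq = index($0, "=")              # split on the first "=" only
            if (eq && substr($0, 1, eq - 1) == (key "[]"))
                print substr($0, eq + 1)
        }' "$1"
}

# Print each requested section with a count of its entries.
lynis_summary() {  # usage: lynis_summary REPORT KEY...
    report=$1; shift
    for key in "$@"; do
        count=$(lynis_values "$report" "$key" | wc -l | tr -d ' ')
        printf '== %s (%s) ==\n' "$key" "$count"
        lynis_values "$report" "$key" | sed 's/^/  - /'
    done
}

# Constructed sample report (not real Lynis output).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Lynis Report
hostname=web01
warning[]=No password set on boot loader
suggestion[]=Log every kernel warning to a remote host
suggestion[]=Install a file integrity tool
installed_package[]=openssh-server
available_shell[]=/bin/sh
available_shell[]=/bin/bash
EOF

lynis_summary "$sample" warning suggestion installed_package available_shell
```

To use it on a real report, replace the sample file with the copy of lynis-report.dat received from the system administrator.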
We hope this inspires you to continue writing your own scripts to automate the audit process. The more we can automate, the faster our audit analysis. The faster our audit analysis, the more technical audits we can perform and the more likely our systems will be properly secured. Until next time...

Posted October 19, 2011 at 12:43 PM
fjavier2ja
This information would have helped me a few weeks ago! :-)
In our organization we have created some scripts to:
- Copy Lynis to all servers and run linux.
- Generate a custom report and upload it along with the reports generated by Lynis (Lynis-report.dat, etc.) to a centralized server. A folder for each server running Lynis. The name of each report contains the server name, date and time.
- Compare the custom report with the previous report and send the differences that exist.
- Send a short email including servers that have been analyzed with Lynis, indicating the level of hardening and the differences detected.
Our intention is to create a cron job to run the scripts every two months, for example.
Just my two cents.