• B правой части каждого сообщения есть стрелки и . Не стесняйтесь оценивать ответы. Чтобы автору вопроса закрыть свой тикет, надо выбрать лучший ответ. Просто нажмите значок в правой части сообщения.

lynis audit system(кто паможет разабраться)у кого такие пробелмы давай решать в этой теме.

Z

zai4yk8867

Member
13.06.2021
8
0
BIT
0
Код: 
rogram version:           3.0.5
  Operating system:          Linux
  Operating system name:     Kali Linux
  Operating system version:  Rolling release
  Kernel version:            5.10.0
  Hardware platform:         x86_64

 Plugin: pam
    [..]
  - Plugin: systemd
    [................]

[+] Boot and services
------------------------------------
  - Service Manager                                           [ systemd ]
  - Checking UEFI boot                                        [ ВКЛЮЧЕНО ]
  - Checking Secure Boot                                      [ ОТКЛЮЧЕНО ]
  - Checking presence GRUB2                                   [ Найдено ]
    - Checking for password protection                        [ Отсутствует ]
  - Check running services (systemctl)                        [ Завершено ]
        Result: found 20 running services
  - Check enabled services at boot (systemctl)                [ Завершено ]
        Result: found 17 enabled services
  - Check startup files (permissions)                         [ ОК ]
  - Running 'systemd-analyze security'
        - ModemManager.service:                               [ MEDIUM ]
        - NetworkManager.service:                             [ EXPOSED ]
        - accounts-daemon.service:                            [ UNSAFE ]
        - colord.service:                                     [ EXPOSED ]
        - cron.service:                                       [ UNSAFE ]
        - dbus.service:                                       [ UNSAFE ]
        - emergency.service:                                  [ UNSAFE ]
        - gdm.service:                                        [ UNSAFE ]
        - getty@tty1.service:                                 [ UNSAFE ]
        - haveged.service:                                    [ PROTECTED ]
        - iio-sensor-proxy.service:                           [ EXPOSED ]
        - inetutils-inetd.service:                            [ UNSAFE ]
        - mlocate.service:                                    [ EXPOSED ]
        - packagekit.service:                                 [ UNSAFE ]
        - plymouth-start.service:                             [ UNSAFE ]
        - polkit.service:                                     [ UNSAFE ]
        - rc-local.service:                                   [ UNSAFE ]
        - rescue.service:                                     [ UNSAFE ]
        - rpc-gssd.service:                                   [ UNSAFE ]
        - rpc-svcgssd.service:                                [ UNSAFE ]
        - rsync.service:                                      [ EXPOSED ]
        - rsyslog.service:                                    [ UNSAFE ]
        - rtkit-daemon.service:                               [ MEDIUM ]
        - smartmontools.service:                              [ UNSAFE ]
        - systemd-ask-password-console.service:               [ UNSAFE ]
        - systemd-ask-password-plymouth.service:              [ UNSAFE ]
        - systemd-ask-password-wall.service:                  [ UNSAFE ]
        - systemd-fsckd.service:                              [ UNSAFE ]
        - systemd-initctl.service:                            [ UNSAFE ]
        - systemd-journald.service:                           [ PROTECTED ]
        - systemd-logind.service:                             [ PROTECTED ]
        - systemd-networkd.service:                           [ PROTECTED ]
        - systemd-rfkill.service:                             [ UNSAFE ]
        - systemd-udevd.service:                              [ EXPOSED ]
        - udisks2.service:                                    [ UNSAFE ]
        - upower.service:                                     [ PROTECTED ]
        - user@1000.service:                                  [ UNSAFE ]
        - wpa_supplicant.service:                             [ UNSAFE ]

[+] Kernel
------------------------------------
  - Checking default run level                                [ RUNLEVEL 5 ]
  - Checking CPU support (NX/PAE)
    CPU support: PAE and/or NoeXecute supported               [ Найдено ]
  - Checking kernel version and release                       [ Завершено ]
  - Checking kernel type                                      [ Завершено ]
  - Checking loaded kernel modules                            [ Завершено ]
      Found 135 active modules
  - Checking Linux kernel configuration file                  [ Найдено ]
  - Checking default I/O kernel scheduler                     [ НЕ НАЙДЕНО ]
  - Checking for available kernel update                      [ ОК ]
  - Checking core dumps configuration
    - configuration in systemd conf files                     [ DEFAULT ]
    - configuration in etc/profile                            [ DEFAULT ]
    - 'hard' configuration in security/limits.conf            [ DEFAULT ]
    - 'soft' configuration in security/limits.conf            [ DEFAULT ]
    - Checking setuid core dumps configuration                [ ОТКЛЮЧЕНО ]
  - Check if reboot is needed                                 [ НЕТ ]

[+] Память и процессы
------------------------------------
  - Checking /proc/meminfo                                    [ Найдено ]
  - Searching for dead/zombie processes                       [ Найдено ]
  - Searching for IO waiting processes                        [ Найдено ]
  - Search prelink tooling                                    [ НЕ НАЙДЕНО ]

[+] Users, Groups and Authentication
------------------------------------
  - Administrator accounts                                    [ ОК ]
  - Unique UIDs                                               [ ОК ]
  - Consistency of group files (grpck)                        [ ОК ]
  - Unique group IDs                                          [ ОК ]
  - Unique group names                                        [ ОК ]
  - Password file consistency                                 [ ОК ]
  - Password hashing methods                                  [ ОК ]
  - Checking password hashing rounds                          [ ОТКЛЮЧЕНО ]
  - Query system users (non daemons)                          [ Завершено ]
  - NIS+ authentication support                               [ NOT ENABLED ]
  - NIS authentication support                                [ NOT ENABLED ]
  - Sudoers file(s)                                           [ Найдено ]
    - Permissions for directory: /etc/sudoers.d               [ ПРЕДУПРЕЖДЕНИЕ ]
    - Permissions for: /etc/sudoers                           [ ОК ]
    - Permissions for: /etc/sudoers.d/kali-grant-root         [ ОК ]
    - Permissions for: /etc/sudoers.d/README                  [ ОК ]
  - PAM password strength tools                               [ ПРЕДЛОЖЕНИЕ ]
  - PAM configuration files (pam.conf)                        [ Найдено ]
  - PAM configuration files (pam.d)                           [ Найдено ]
  - PAM modules                                               [ Найдено ]
  - LDAP module in PAM                                        [ НЕ НАЙДЕНО ]
  - Accounts without expire date                              [ ПРЕДЛОЖЕНИЕ ]
  - Accounts without password                                 [ ОК ]
  - Locked accounts                                           [ ОК ]
  - Checking user password aging (minimum)                    [ ОТКЛЮЧЕНО ]
  - User password aging (maximum)                             [ ОТКЛЮЧЕНО ]
  - Checking expired passwords                                [ ОК ]
  - Checking Linux single user mode authentication            [ ОК ]
  - Determining default umask
    - umask (/etc/profile)                                    [ НЕ НАЙДЕНО ]
    - umask (/etc/login.defs)                                 [ ПРЕДЛОЖЕНИЕ ]
  - LDAP authentication support                               [ NOT ENABLED ]
  - Logging failed login attempts                             [ ВКЛЮЧЕНО ]

[+] Shells
------------------------------------
  - Checking shells from /etc/shells
    Result: found 13 shells (valid shells: 13).
    - Session timeout settings/tools                          [ Отсутствует ]
  - Checking default umask values
    - Checking default umask in /etc/bash.bashrc              [ Отсутствует ]
    - Checking default umask in /etc/profile                  [ Отсутствует ]

[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point                              [ ПРЕДЛОЖЕНИЕ ]
    - Checking /tmp mount point                               [ ПРЕДЛОЖЕНИЕ ]
    - Checking /var mount point                               [ ПРЕДЛОЖЕНИЕ ]
  - Query swap partitions (fstab)                             [ ОК ]
  - Testing swap partitions                                   [ ОК ]
  - Testing /proc mount (hidepid)                             [ ПРЕДЛОЖЕНИЕ ]
  - Checking for old files in /tmp                            [ ОК ]
  - Checking /tmp sticky bit                                  [ ОК ]
  - Checking /var/tmp sticky bit                              [ ОК ]
  - ACL support root file system                              [ ВКЛЮЧЕНО ]
  - Mount options of /                                        [ NON DEFAULT ]
  - Mount options of /dev                                     [ PARTIALLY HARDENED ]
  - Mount options of /dev/shm                                 [ PARTIALLY HARDENED ]
  - Mount options of /run                                     [ HARDENED ]
  - Total without nodev:7 noexec:9 nosuid:5 ro or noexec (W^X): 9 of total 25
  - Checking Locate database                                  [ Найдено ]
  - Disable kernel support of some filesystems

[+] USB Devices
------------------------------------
  - Checking usb-storage driver (modprobe config)             [ NOT DISABLED ]
  - Checking USB devices authorization                        [ ВКЛЮЧЕНО ]
  - Checking USBGuard                                         [ НЕ НАЙДЕНО ]

[+] Storage
------------------------------------
  - Checking firewire ohci driver (modprobe config)           [ NOT DISABLED ]

[+] NFS
------------------------------------
  - Query rpc registered programs                             [ Завершено ]
  - Query NFS versions                                        [ Завершено ]
  - Query NFS protocols                                       [ Завершено ]
  - Check running NFS daemon                                  [ НЕ НАЙДЕНО ]

[+] Name services
------------------------------------
  - Searching DNS domain name                                 [ НЕИЗВЕСТНО ]
  - Checking /etc/hosts
    - Duplicate entries in hosts file                         [ Отсутствует ]
    - Presence of configured hostname in /etc/hosts           [ Найдено ]
    - Hostname mapped to localhost                            [ НЕ НАЙДЕНО ]
    - Localhost mapping to IP address                         [ ОК ]

[+] Ports and packages
------------------------------------
  - Searching package managers
    - Searching dpkg package manager                          [ Найдено ]
      - Querying package manager
    - Query unpurged packages                                 [ Найдено ]
  - Checking APT package database                             [ ПРЕДУПРЕЖДЕНИЕ ]
  - Checking vulnerable packages (apt-get only)               [ Завершено ]
  - Checking upgradeable packages                             [ ПРОПУЩЕНО ]
  - Checking package audit tool                               [ INSTALLED ]
    Found: apt-get
  - Toolkit for automatic upgrades (unattended-upgrade)       [ Найдено ]

[+] Networking
------------------------------------
  - Checking IPv6 configuration                               [ ВКЛЮЧЕНО ]
      Configuration method                                    [ AUTO ]
      IPv6 only                                               [ НЕТ ]
  - Checking configured nameservers
    - Testing nameservers
        Nameserver: 10.82.0.1                                 [ ОК ]
        Nameserver: 10.7.7.1                                  [ ОК ]
        Nameserver: 78.30.254.70                              [ ОК ]
    - Minimal of 2 responsive nameservers                     [ ОК ]
    - DNSSEC supported (systemd-resolved)                     [ НЕИЗВЕСТНО ]
  - Checking default gateway                                  [ Завершено ]
  - Getting listening ports (TCP/UDP)                         [ ПРОПУЩЕНО ]
  - Checking promiscuous interfaces                           [ ПРЕДУПРЕЖДЕНИЕ ]
  - Checking waiting connections                              [ ОК ]
  - Checking status DHCP client
  - Checking for ARP monitoring software                      [ НЕ НАЙДЕНО ]
  - Uncommon network protocols                                [ 0 ]

[+] Printers and Spools
------------------------------------
  - Checking cups daemon                                      [ НЕ НАЙДЕНО ]
  - Checking lp daemon                                        [ НЕ ЗАПУЩЕНО ]

[+] Software: e-mail and messaging
------------------------------------

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ Найдено ]
    - Checking iptables policies of chains                    [ Найдено ]
    - Checking for empty ruleset                              [ ПРЕДУПРЕЖДЕНИЕ ]
    - Checking for unused rules                               [ ОК ]
  - Checking host based firewall                              [ ACTIVE ]

[+] Software: webserver
------------------------------------
  - Checking Apache (binary /usr/sbin/apache2)                [ Найдено ]
      Info: Configuration file found (/etc/apache2/apache2.conf)
      Info: No virtual hosts found
    * Loadable modules                                        [ Найдено (119) ]
        - Found 119 loadable modules
          mod_evasive: anti-DoS/brute force                   [ НЕ НАЙДЕНО ]
          mod_reqtimeout/mod_qos                              [ Найдено ]
          ModSecurity: web application firewall               [ НЕ НАЙДЕНО ]
  - Checking nginx                                            [ НЕ НАЙДЕНО ]

[+] SSH Support
------------------------------------
  - Checking running SSH daemon                               [ НЕ НАЙДЕНО ]

[+] SNMP Support
------------------------------------
  - Checking running SNMP daemon                              [ НЕ НАЙДЕНО ]

[+] Databases
------------------------------------
    No database engines found

[+] LDAP Services
------------------------------------
  - Checking OpenLDAP instance                                [ НЕ НАЙДЕНО ]

[+] PHP
------------------------------------
  - Checking PHP                                              [ Найдено ]
    - Checking PHP disabled functions                         [ Найдено ]
    - Checking expose_php option                              [ Выключено ]
    - Checking enable_dl option                               [ Выключено ]
    - Checking allow_url_fopen option                         [ Включено ]
    - Checking allow_url_include option                       [ Выключено ]
    - Checking listen option                                  [ ОК ]

[+] Squid Support
------------------------------------
  - Checking running Squid daemon                             [ НЕ НАЙДЕНО ]

[+] Logging and files
------------------------------------
  - Checking for a running log daemon                         [ ОК ]
    - Checking Syslog-NG status                               [ НЕ НАЙДЕНО ]
    - Checking systemd journal status                         [ Найдено ]
    - Checking Metalog status                                 [ НЕ НАЙДЕНО ]
    - Checking RSyslog status                                 [ Найдено ]
    - Checking RFC 3195 daemon status                         [ НЕ НАЙДЕНО ]
    - Checking minilogd instances                             [ НЕ НАЙДЕНО ]
  - Checking logrotate presence                               [ ОК ]
  - Checking remote logging                                   [ NOT ENABLED ]
  - Checking log directories (static list)                    [ Завершено ]
  - Checking open log files                                   [ Завершено ]
  - Checking deleted files in use                             [ FILES FOUND ]

[+] Insecure services
------------------------------------
  - Installed inetd package                                   [ НЕ НАЙДЕНО ]
    - Checking enabled inetd services                         [ ОК ]
  - Installed xinetd package                                  [ ОК ]
    - xinetd status
  - Installed rsh client package                              [ ОК ]
  - Installed rsh server package                              [ ОК ]
  - Installed telnet client package                           [ ОК ]
  - Installed telnet server package                           [ НЕ НАЙДЕНО ]
  - Checking NIS client installation                          [ ОК ]
  - Checking NIS server installation                          [ ОК ]
  - Checking TFTP client installation                         [ ПРЕДЛОЖЕНИЕ ]
  - Checking TFTP server installation                         [ ПРЕДЛОЖЕНИЕ ]

[+] Banners and identification
------------------------------------
  - /etc/issue                                                [ Найдено ]
    - /etc/issue contents                                     [ WEAK ]
  - /etc/issue.net                                            [ Найдено ]
    - /etc/issue.net contents                                 [ WEAK ]

[+] Scheduled tasks
------------------------------------
  - Checking crontab and cronjob files                        [ Завершено ]

[+] Accounting
------------------------------------
  - Checking accounting information                           [ НЕ НАЙДЕНО ]
  - Checking sysstat accounting data                          [ ОТКЛЮЧЕНО ]
  - Checking auditd                                           [ НЕ НАЙДЕНО ]

[+] Time and Synchronization
------------------------------------
  - Checking for a running NTP daemon or client               [ ПРЕДУПРЕЖДЕНИЕ ]

[+] Cryptography
------------------------------------
  - Checking for expired SSL certificates [0/134]             [ Отсутствует ]

  [WARNING]: Test CRYP-7902 had a long execution: 27.734958 seconds

  - Found 0 encrypted and 1 unencrypted swap devices in use.  [ OK ]
  - Kernel entropy is sufficient                              [ ДА ]
  - HW RNG & rngd                                             [ НЕТ ]
  - SW prng                                                   [ ДА ]
  MOR-bit set                                                 [ НЕТ ]

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                                [ Найдено ]
    - Checking AppArmor status                                [ ОТКЛЮЧЕНО ]
  - Checking presence SELinux                                 [ НЕ НАЙДЕНО ]
  - Checking presence TOMOYO Linux                            [ НЕ НАЙДЕНО ]
  - Checking presence grsecurity                              [ НЕ НАЙДЕНО ]
  - Checking for implemented MAC framework                    [ Отсутствует ]

[+] Software: file integrity
------------------------------------
  - Checking file integrity tools
  - dm-integrity (status)                                     [ ОТКЛЮЧЕНО ]
  - dm-verity (status)                                        [ ОТКЛЮЧЕНО ]
  - Checking presence integrity tool                          [ НЕ НАЙДЕНО ]

[+] Software: System tooling
------------------------------------
  - Checking automation tooling
  - Automation tooling                                        [ НЕ НАЙДЕНО ]
  - Checking for IDS/IPS tooling                              [ Отсутствует ]

[+] Вредоносное ПО
------------------------------------

[+] File Permissions
------------------------------------
  - Starting file permissions check
    File: /boot/grub/grub.cfg                                 [ ОК ]
    File: /etc/crontab                                        [ ПРЕДЛОЖЕНИЕ ]
    File: /etc/group                                          [ ОК ]
    File: /etc/group-                                         [ ОК ]
    File: /etc/hosts.allow                                    [ ОК ]
    File: /etc/hosts.deny                                     [ ОК ]
    File: /etc/issue                                          [ ОК ]
    File: /etc/issue.net                                      [ ОК ]
    File: /etc/motd                                           [ ОК ]
    File: /etc/passwd                                         [ ОК ]
    File: /etc/passwd-                                        [ ОК ]
    File: /etc/ssh/sshd_config                                [ ПРЕДЛОЖЕНИЕ ]
    Directory: /etc/cron.d                                    [ ПРЕДЛОЖЕНИЕ ]
    Directory: /etc/cron.daily                                [ ПРЕДЛОЖЕНИЕ ]
    Directory: /etc/cron.hourly                               [ ПРЕДЛОЖЕНИЕ ]
    Directory: /etc/cron.weekly                               [ ПРЕДЛОЖЕНИЕ ]
    Directory: /etc/cron.monthly                              [ ПРЕДЛОЖЕНИЕ ]

[+] Home directories
------------------------------------
  - Permissions of home directories                           [ ПРЕДУПРЕЖДЕНИЕ ]
  - Ownership of home directories                             [ ОК ]
  - Checking shell history files                              [ ОК ]

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - dev.tty.ldisc_autoload (exp: 0)                         [ DIFFERENT ]
    - fs.protected_fifos (exp: 2)                             [ DIFFERENT ]
    - fs.protected_hardlinks (exp: 1)                         [ ОК ]
    - fs.protected_regular (exp: 2)                           [ ОК ]
    - fs.protected_symlinks (exp: 1)                          [ ОК ]
    - fs.suid_dumpable (exp: 0)                               [ ОК ]
    - kernel.core_uses_pid (exp: 1)                           [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0)                            [ ОК ]
    - kernel.dmesg_restrict (exp: 1)                          [ ОК ]
    - kernel.kptr_restrict (exp: 2)                           [ DIFFERENT ]
    - kernel.modules_disabled (exp: 1)                        [ DIFFERENT ]
    - kernel.perf_event_paranoid (exp: 3)                     [ ОК ]
    - kernel.randomize_va_space (exp: 2)                      [ ОК ]
    - kernel.sysrq (exp: 0)                                   [ DIFFERENT ]
    - kernel.unprivileged_bpf_disabled (exp: 1)               [ DIFFERENT ]
    - kernel.yama.ptrace_scope (exp: 1 2 3)                   [ DIFFERENT ]
    - net.core.bpf_jit_harden (exp: 2)                        [ DIFFERENT ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)          [ ОК ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)                  [ ОК ]
    - net.ipv4.conf.all.forwarding (exp: 0)                   [ ОК ]
    - net.ipv4.conf.all.log_martians (exp: 1)                 [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)                [ ОК ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)                    [ ОК ]
    - net.ipv4.conf.all.rp_filter (exp: 1)                    [ DIFFERENT ]
    - net.ipv4.conf.all.send_redirects (exp: 0)               [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0)      [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1)             [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)           [ ОК ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)     [ ОК ]
    - net.ipv4.tcp_syncookies (exp: 1)                        [ ОК ]
    - net.ipv4.tcp_timestamps (exp: 0 1)                      [ ОК ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)          [ ОК ]
    - net.ipv6.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0)      [ ОК ]

[+] Hardening
------------------------------------
    - Installed compiler(s)                                   [ Найдено ]
    - Installed malware scanner                               [ НЕ НАЙДЕНО ]
    - Non-native binary formats                               [ Найдено ]

[+] Пользовательские тесты
------------------------------------
  - Running custom tests...                                   [ Отсутствует ]

[+] Plugins (Стадия 2)
------------------------------------
  - Plugins (phase 2)                                         [ Завершено ]

================================================================================

  -[ Lynis 3.0.5 Results ]-

  Warnings (3):
  ----------------------------
  ! apt-get check returned a non successful exit code. [PKGS-7390]
      Lynis control :  - CISOfy

 ! Found promiscuous interface [NETW-3015]
 
    - Solution : Determine if this mode is required or whitelist interface in profile
      Lynis control NETW-3015: Promiscuous network interface (Linux) - CISOfy

  ! iptables module(s) loaded, but no rules active [FIRE-4512]
      Lynis control FIRE-4512: Empty iptables ruleset - CISOfy
вот что я получил,кто может указать в 2 словах на серьезные дырки тыкните хотябы я почитаю.
 
Сортировать по дате Сортировать по голосам
Pernat1y

Pernat1y

Well-known member
05.04.2018
1 443
135
BIT
0
Зависит от использования.
Для среднестатистического пользователя достаточно нормального пароля и не сидеть под рутом.
Если чуть заморочиться, то добавить шифрование диска + selinux/apparmor.
Ну а дальше
Ссылка скрыта от гостей
 
За 0 Против
Pernat1y

Pernat1y

Well-known member
05.04.2018
1 443
135
BIT
0
zai4yk8867 сказал(а):
пытаюсь получить максимум защиты.
Нажмите, чтобы раскрыть...
Для начала примите как аксиому, что вы не получите "максимум защиты". Это иллюзия, которая может в очень неподходящий момент дать по яйцам (или ещё куда).
Также учтите, что чем ближе приближение к "хорошей защите", тем неудобнее будет использование системы в целом.
Второй шаг - начинать читать про hardened-дистрибутивы и сносить Kali.
 
За 0 Против
Для ответа нужно войти/зарегистрироваться
Мы в соцсетях:

Обучение наступательной кибербезопасности в игровой форме. Начать игру!

Верх Низ