Auditing

Alternatives to Bastille Linux: system hardening with Lynis

Bastille Linux is a great tool for hardening Linux systems. With the project looking outdated (or even dead), there are new alternatives to Bastille. One example is hardening your system after...

Summary of Alternatives to Bastille Linux: system hardening with Lynis

Many people used Bastille Linux to harden their Linux systems. Unfortunately the website of Bastille seems very outdated, including the tool. This resulted in people searching for a great alternative to replace this tool. We found the alternative by combining different solutions, which is more powerful. Security automation is hot, so forget Bastille and do it the right way.
Automatic hardening makes sense
Most system administrators can’t keep up with the new technologies and security threats.

Read the full article…

Are security hardening guides still useful?

With Linux and other Unix systems being decently hardened by default, would it make sense to invest a lot of time in reading hardening guides to harden your system?

Summary of Are security hardening guides still useful?

This was the big question we asked ourselves recently, when reading a few of them. With Linux and other Unix systems being decently hardened by default, would it still make sense to invest a lot of time to harden your system?
Hardening guides
Years ago both Windows and Linux were easy targets. A lot of system software was installed by default and these services were often targeted by malicious people and scripts.

Read the full article…

Audit security events on Unix systems

Protecting computer networks consists of implementing preventative measures, including system auditing. A look at how to audit security events on Unix and how to deal with these events.

Summary of Audit security events on Unix systems

Protecting computer networks consists of implementing preventative measures, but especially of properly implementing detection methods. These digital tripwires can be used for intrusion detection, or for proper handling of security events on Unix systems.
Security events
First we have to define a few events which are, or can be, security related. To get started easily, we focus on 3 tips to implement security events on Unix systems.
1. File changes
Some files you don’t want to change that often, like your DNS resolvers (/etc/resolv.

Read the full article…

Audit SuSE with zypper: vulnerable packages

Staying up-to-date with security patching is part of a decent security management process. This article looks into vulnerable packages on OpenSuSE and how to detect them.

Summary of Audit SuSE with zypper: vulnerable packages

Proper software management is an important part of keeping your system secured. Acting on time is important, especially when security vulnerabilities are discovered in network services.
Vulnerable packages
Usually packages with known security vulnerabilities get priority and updates are soon available. The risk in installing these packages is fairly low, as they don’t introduce new features. Instead, they fix the related security hole, which sometimes is nothing more than 1 single character!

Read the full article…

Auditing Linux processes: The Deep Dive!

In-depth article about auditing Linux processes. Determination of running processes, memory and on-disk structure and the proper tools for analyzing them.

Summary of Auditing Linux processes: The Deep Dive!

From the initial start of the Linux operating system, the first processes are already born. In this article we have a look at dealing with processes. In particular we look at how to do process auditing. Whether you are an auditor, system administrator or just a Linux enthusiast, you can’t ignore processes and should know how to deal with them.
Process listing
For most people working on Linux systems, it might be obvious to display running processes with ps.

Read the full article…

Auditing Linux: what to audit?

When auditing a Linux system it might be hard to determine what to actually audit. This article provides the answers to the "what to audit?" question.

Summary of Auditing Linux: what to audit?

In this article we answer the big question on Linux systems: “what to audit?”. Where do you start and what is useful to audit? We apply our three C’s in this article to determine what we should look for when auditing a Linux system.
Current state
What is the current state of the system and how does it compare to a previous point in time? Ideal situation: compare the current state of the system with a predefined baseline or previous scan

Read the full article…

Become a Linux auditor: tips to start with auditing the Linux platform

Guide to become a Linux auditor in just a matter of minutes. Focus on how to determine running processes, installed software or possible vulnerabilities.

Summary of Become a Linux auditor: tips to start with auditing the Linux platform

This guide helps people new to the Linux platform to get a grasp on how the system works. Whether you are an IT auditor, or simply want to know more about the basics, this guide helps you in determining where to start an audit.
Processes
Each operating system consists of smaller running processes. This is true for Linux as well, and they can be displayed with the ps tool. Without parameters it will already show some processes, but the list is not complete.

Read the full article…

Become a Linux Auditor: What to know?

Tips for people who would like to perform audits on Linux and become a Linux auditor in particular. Including hints regarding certifications and tools.

Summary of Become a Linux Auditor: What to know?

Now that open source software and platforms are very common, the need for knowledge in this area is increasing. Becoming a technical auditor with specialized knowledge about Linux might be a clever move.
Technical
When specializing in Linux, the auditing area is already more technically oriented, instead of focused on processes. A true Linux auditor knows more than the basics of Linux. In-depth knowledge is required, like which file systems are common, how permissions are arranged, and which applications are popular (at the presentation layer, middleware, backend).

Read the full article…

CAATTs for Linux: Lynis

Article about a tool within CAATTs for Linux: Lynis. Helping auditors with computer-assisted audit tools and techniques, with focus on Linux and Unix scans.

Summary of CAATTs for Linux: Lynis

Within the audit profession the usage of CAAT (computer-assisted audit techniques) or CAATTs (computer-assisted audit tools and techniques) is growing. Lynis is filling this gap for Linux and Unix based systems. It’s a well-known and stable tool in this area and improves the audit process by automation. Only a few items then still need to be checked manually. This saves time, makes the audit more predictable and increases the quality of the overall audit.

Read the full article…

Central audit logging: Configuration and collecting of Linux audit events

Guide to set up central audit logging for your Linux based systems, with the use of the powerful Linux audit framework. No single audit log should get lost!

Summary of Central audit logging: Configuration and collecting of Linux audit events

This guide helps users of the Lynis Enterprise Suite to configure a central node to receive Linux audit events. It provides some pointers on how to do a quick set-up, to store and forward events. This information is very valuable for forensic investigations and intrusion detection.
Configure the server
First start by configuring the server. Since this is a central log host, it should have enough disk capacity and enough bandwidth to sustain peaks.

Read the full article…

Conducting a Linux Server Security Audit

Performing a Linux server security audit can be a time-consuming process. In this article the most important parts are explained, including automation.

Summary of Conducting a Linux Server Security Audit

Auditing a system can be a time-consuming job, which is no different when conducting a Linux server security audit. Within this article, we give some highlights regarding the audit and tips to automate them by using Lynis.
The business goal
Before auditing any system, determine the business goal of the system. How critical is this system for doing business? What if the system goes down? Usually each system has a clear role or multiple roles, like being a web server.

Read the full article…

Configuring and auditing Linux systems with Audit daemon

Guide for auditing Linux systems by using the audit daemon and related utilities. This powerful audit framework has many possibilities for auditing Linux.

Summary of Configuring and auditing Linux systems with Audit daemon

The Linux Audit Daemon is a framework that allows auditing of events on a Linux system. Within this article we will have a look at installation, configuration and using the framework to perform Linux system and security auditing.
Auditing goals
By using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include:
- Audit file access and modification
- See who changed a particular file
- Detect unauthorized changes
- Monitoring of system calls and functions
- Detect anomalies like crashing processes
- Set tripwires for intrusion detection purposes
- Record commands used by individual users
Components
The framework itself has several components:

Read the full article…

Creating audit trails – Logging commands on Linux with Snoopy

Snoopy is a useful utility to log commands on Linux and create a related audit trail. If you need to be PCI compliant, audit trails are considered important for proper accounting.

Summary of Creating audit trails – Logging commands on Linux with Snoopy

Our customers often want to set up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it did and by whom. Defining an audit trail is also becoming mandatory for compliance, like PCI. One possible solution we cover is using Snoopy, a small library to log executed commands.
How it works
Snoopy is a wrapper around the execve() function.

Read the full article…

Do NOT use Linux hardening checklists for your servers

The solution to avoid using Linux hardening checklists for your servers is simple. With proper automation and regular checks, checklists can be avoided.

Summary of Do NOT use Linux hardening checklists for your servers

Quality is an interesting word. It describes, well, the quality of something. Quality is just another word for how well you can repeat something. The goal is to get exactly the same result each time. Whether it’s a physical product, or rolling out a new Linux system, you want great quality. One method to increase quality is using checklists. However, we strongly advise against using Linux hardening checklists.
But checklists are good, right?

Read the full article…

Find Differences Between Two Daily Lynis Audits

It can be useful to see the differences between scans of Lynis, especially when running it daily. Learn how to do this with just a few steps.

Summary of Find Differences Between Two Daily Lynis Audits

Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs.
Report
Lynis has two important files to which it logs data:

Read the full article…

Find the alternatives: CIS-CAT auditing tool

Sometimes time or money is limited. We hunt for great alternatives to commercial solutions. This time: alternatives for the CIS auditing tool CIS-CAT.

Summary of Find the alternatives: CIS-CAT auditing tool

The Center for Internet Security, CIS for short, is the organization behind several in-depth hardening guides. The quality of these hardening guides is outstanding, with a high level of detail. This high level of detail has one downside: it costs a lot of time to read, try and test the recommendations. Sometimes we simply don’t have the time to do an extensive audit by hand. Let alone the time to actually repeat the auditing and hardening steps on a regular basis.

Read the full article…

Finding setuid binaries on Linux and BSD

To perform a basic audit of the binaries on your system, we can search for setuid binaries. Finding these setuid binaries is easy with the find command.

Summary of Finding setuid binaries on Linux and BSD

Why setuid?
Binaries with the setuid bit enabled are executed as if they were running in the context of the root user. This enables normal (non-privileged) users to use special privileges, like opening sockets. While this seems unnecessary for a normal user, it is actually needed for simple commands like ping.
Finding files with setuid bit
To discover all files with the setuid bit, we can use the find command.

Read the full article…

Forget Linux Vulnerability Scanning: Get Better Defenses

Vulnerability scanning focuses on weaknesses, or negative aspects of information security. Wouldn't it be better if we focus on the positive, the actual defenses?

Summary of Forget Linux Vulnerability Scanning: Get Better Defenses

Every month or so, I get a few questions about the vulnerability capabilities Lynis has to offer. It made me think about this subject and I realized something: Many security professionals are still focusing too much on vulnerabilities. They want to know their security gaps, so they can know where they stand. While this isn’t a bad approach, there might be a better solution. The solution I will discuss today is to focus on (permanent) processes, instead of vulnerability scanning.

Read the full article…

FreeBSD hardening with Lynis

This article provides tips for FreeBSD hardening by using a powerful tool named Lynis. This script will perform an extensive audit to secure your systems.

Summary of FreeBSD hardening with Lynis

Lynis development has its roots on a FreeBSD system, therefore FreeBSD hardening is also easy and supported when using Lynis. People who want to audit and harden their FreeBSD system will discover Lynis to be a powerful tool for this purpose. In this article we will focus on how to audit your system with Lynis.
Ports
Lynis is available from the ports tree and usually the version there is close to or at the latest version.

Read the full article…

Hardening Guides and Tools for Red Hat Linux (RHEL)

Overview of tools and hardening guides to implement system hardening for Red Hat Linux. Also applies to Fedora, CentOS and Scientific Linux systems.

Summary of Hardening Guides and Tools for Red Hat Linux (RHEL)

System hardening is an important part of securing computer networks. Each system should get the appropriate security measures to provide a minimum level of trust. In this post we have a look at some of the options when securing a Red Hat based system. This information applies to Red Hat Linux (RHEL), Fedora, CentOS, Scientific Linux and others.
Red Hat
Red Hat itself has a hardening guide for RHEL 4, which is freely available.

Read the full article…

How and why Linux daemons drop privileges

We have a look at how to drop privileges for Linux daemons. By dropping privileges a process can be safeguarded against attacks and a successful compromise of the system.

Summary of How and why Linux daemons drop privileges

In this article we have a look at the privileges of Linux daemons and dropping privileges in particular. The samples provided are in C.
Why drop privileges?
Some daemons need root permissions to start. This happens for example when a daemon wants to bind to a low port (<1024). However, running network-based daemons with root permissions is considered to be a serious risk. In case of compromise of the process, an attacker has full access to the system.

Read the full article…

How to audit AIX Unix systems with Lynis

The term audit may sound more official than it is. This article shows how to perform a security scan of your AIX systems and apply hardening measures.

Summary of How to audit AIX Unix systems with Lynis

Each system is as strong as its weakest link. This rule also applies to systems running AIX. Therefore a regular audit can help find the weakest links. The next step is the fortification of these weak areas and implementing system hardening measures.
What to audit?
There is a lot to look for when auditing a system running AIX. Let’s have a look at the most important areas.

Read the full article…

How to deal with Lynis suggestions?

The auditing tool Lynis guides Linux administrators in discovering weaknesses. This article helps in dealing with the Lynis suggestions displayed on screen.

Summary of How to deal with Lynis suggestions?

After finishing an audit with Lynis, the screen is usually filled with a lot of suggestions. Most users don’t know where to start with hardening and how to deal with these Lynis suggestions in particular. We provide you with some tips! Before we start, we strongly suggest using the latest version of Lynis. If you are using an outdated version from the software repositories, the output could be slightly different.

Read the full article…

How to secure a Linux system

Looking to secure your Linux system? This security guide shows you how to perform system hardening and run technical audits to keep it in optimal condition.

Summary of How to secure a Linux system

Every Linux system will benefit from more security, especially if it contains sensitive data. With so many resources available on the internet, one might think that securing Linux has become easy. We know it is not. Linux system hardening takes a good amount of understanding about how the Linux kernel works. It also requires a good understanding of the operating system principles. In this guide, we will help you to get this understanding and provide you with tips and tools.

Read the full article…

How to use Lynis

Article about how to use Lynis, a security auditing and hardening tool to test Unix and Linux based systems for vulnerabilities.

Summary of How to use Lynis

This article explains in a few quick steps how to start using Lynis. A more extensive explanation can be found in the documentation of Lynis.
Download Lynis
wget http://cisofy.com/files/lynis-version.tar.gz
Unpack tarball
tar xfvz lynis-version.tar.gz
This will unpack the tarball into a Lynis directory.
Run Lynis
Go to the newly created directory named lynis.
cd lynis
When running Lynis for the very first time, use the audit system command. It will start the audit process and pause after every batch of tests.

Read the full article…

Linux Audit Framework 101 – Basic Rules for Configuration

The Linux audit framework is a very powerful tool to monitor files, directories and system calls. It helps with troubleshooting, accounting and intrusion detection.

Summary of Linux Audit Framework 101 – Basic Rules for Configuration

Starting with Linux auditing can be overwhelming. Fortunately, there is a great feature in the Linux kernel to watch events and log them for us. To give you a quick start with the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules.
Main Configuration
By default the configuration values in /etc/audit/auditd.conf are suitable for most systems. If you know your system is very low or very high (e.

Read the full article…

Linux Audit Framework: using aureport

Guide regarding the aureport utility, including some aureport examples. Aureport helps with audit reports and is part of the Linux audit framework.

Summary of Linux Audit Framework: using aureport

The Linux audit framework logs events, as specified by the configured watches. To extract particular events we can use the ausearch or aureport tools. The latter is the one we will focus on in this article, to get the most out of the tool.
Aureport
The aureport utility can be executed without any parameters. It will then extract all audit events available from the log. Since the audit log can be very big, it might be better to use the -start parameter, together with a time interval (e.

Read the full article…

Linux audit log: dealing with audit.log file

Article on dealing with the Linux audit log file and how to use it. Including tips to search events and to safeguard it against unintended alteration of the log.

Summary of Linux audit log: dealing with audit.log file

The Linux kernel audit framework consists of several components, including a daemon, a control client, audit rules and the Linux audit log. In this article we take additional measures to protect the audit.log file.
Aureport
The first useful utility to parse the audit.log is aureport. Without parameters it will give a summary of all events. This includes the files, users, audit keys and also items like suspicious events (anomalies). Each sub item can be read independently by using the related parameter.

Read the full article…

Linux Audit: Auditing the Network Configuration

This article describes how to audit the network configuration of Unix and Linux based systems, with useful tips for auditors and system administrators.

Summary of Linux Audit: Auditing the Network Configuration

Within this article we have a look at how to audit and check the network configuration of Linux and other systems. The main focus is on gathering information and discovering how systems are configured. By taking these steps we will do a manual audit. For efficiency reasons we suggest using an automated tool like Lynis.
Where to start?
Each Linux distribution has its own way and files to configure the network.

Read the full article…

Linux audit: Log files in /var/log/audit

This article describes the purpose of the audit.log file in /var/log/audit and the relationship with the Linux audit framework.

Summary of Linux audit: Log files in /var/log/audit

By default the Linux audit framework logs all data in the /var/log/audit directory. Usually the related file is named audit.log and contains audit related information such as events.
/var/log/audit/audit.log
This file is the default log file for the Linux audit daemon. It has all related audit events and is configured using the configuration file of auditd (auditd.conf).
# cat /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Usually there is no reason to alter this location, unless a different storage location is preferred.

Read the full article…

Linux Security Scanning for Dummies

Security scanning can be boring and time-consuming. In this "for dummies" article we have a look at how simple it can be, when it comes to security scans.

Summary of Linux Security Scanning for Dummies

Every system needs some level of protection. Still, many people simply forget to do it, or cannot find the time to do it properly. To be as efficient and effective as possible, let’s take a look at a structured way of security scanning your Linux machines. The 5 dummy steps are:
1. Focus on risk
Just as not every company is a bank, our systems are not all part of a top secret mission.

Read the full article…

Linux security: Reviewing log files

Log files are the precious collection of system events. Still many people don’t use them, until it is really needed. Let’s go from the reactive use of log files to a proactive stance.

Summary of Linux security: Reviewing log files

Log files are the precious collection of system events. Still many people don’t use them, until it is really needed. Let’s go from the reactive use of log files to a proactive stance.
The Logging Dilemma
Capturing events helps in troubleshooting. By defining which events are ignored and which ones are logged, we get a quick overview of the status of a system. The dilemma is usually how much logging is enough to get a fair picture, and when it is too much.

Read the full article…

Linux server security: Three steps to secure each system

Article about Linux server security and guidance for securing your Linux systems. Focus on auditing, hardening and compliance, to improve security defenses.

Summary of Linux server security: Three steps to secure each system

Determining the level of Linux server security can only be done by measuring the actually implemented security safeguards. This process is called auditing and focuses on comparing common security measures with the ones implemented. While there is almost no system with all possible safeguards implemented, we can still determine how well (or badly) the system is protected. Security is about finding the weakest link(s) and associating risk with each weakness. Depending on the role of the system, the sensitivity of data and possible threats, we can then select which security safeguards are appropriate.

Read the full article…

Linux System Integrity Explained: Ensure Data, Logging and Kernel Integrity

Linux system integrity can be achieved with security measures which focus on kernel integrity, file integrity and hardware integrity. With many software solutions available, we have a look at the options and some common tools to use.

Summary of Linux System Integrity Explained: Ensure Data, Logging and Kernel Integrity

From Data and Logging, up to Kernel Integrity
Systems exist for one primary goal, which is processing data. Information security helps protect this valuable data, by ensuring its availability, integrity, and confidentiality. In other words, data should be available when we need it. Then it should be properly transmitted and stored, without errors. Our last goal ensures that it is only available to those with a need to know. Many open source software components are available to help with these goals.

Read the full article…

Logging root actions by capturing execve system calls

Logging all actions performed by root might be needed for compliance or security. With the help of Linux audit we can easily log all root actions in an audit log.

Summary of Logging root actions by capturing execve system calls

Capturing execve system calls and storing them in the audit log
For compliance or security reasons you might want to capture all commands executed by the root user. Fortunately the Linux audit framework helps with capturing the right system calls and logging them to the audit file.
Configure audit
To enable auditing, use the following commands:
# auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands
# auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands
These commands will enable monitoring for the execve system call and log it when the effective user ID is 0, equal to the root user.

Read the full article…

Lynis for Auditors: Linux and Unix auditing

Article about Linux / Unix auditing with a focus on the usage of Lynis for auditors. Simplifying the work of the auditor and increasing the quality of work.

Summary of Lynis for Auditors: Linux and Unix auditing

Auditing on Linux
Although Unix and Linux based systems are not new, getting extensive knowledge of the operating system takes years of practice. Even then, with all the changes it might be hard to keep up, especially when being an auditor. Examples of these are the differences between package managers, the way services are started and where binaries or configuration files are located. But no worries, there is help!
Why Lynis?

Read the full article…

Monitor file access by Linux processes

Linux is powerful with the help of small utilities like lsof and strace. They help with monitoring disk and file activity, of new and running processes.

Summary of Monitor file access by Linux processes

Processes are the running workforce on a Linux system. Each process has a particular goal, like forking child processes, handling incoming user requests or monitoring other processes. As a system administrator or IT auditor, you might want to know at some point what disk activity occurs in a process. In this article, we have a look at a few options to quickly reveal what is occurring in a process, including disk and file activity.

Read the full article…

Monitoring Linux File access, Changes and Data Modifications

Linux has several methods available to protect your valuable data. With the right tool we can audit file access, changes and data modifications, including meta-data.

Summary of Monitoring Linux File access, Changes and Data Modifications

Linux has several solutions to monitor what happens with your data: from changing contents to who accessed particular information, and at what time. For our auditing toolkit Lynis, we researched and tested several solutions over the last few years. In this article we have a look at these solutions to monitor file access, changes and modifications to the data and beyond.
What is Data?
Data is a collection of bits, ordered in such a way that it gives meaning to humans.

Read the full article…

Open source vulnerability scanner for Linux systems – Lynis

Within this article we discuss the possibilities of using an open source vulnerability scanner for Linux based systems.

Summary of Open source vulnerability scanner for Linux systems – Lynis

There are several open source vulnerability scanners for Linux, like OpenVAS. While tools like these are powerful as well, we will have a look at Lynis, our auditing tool to detect vulnerabilities on Linux and Unix systems. Why is it different from others and how can it help you in securing your systems?
Vulnerabilities
Every piece of software will sooner or later have a vulnerability, a minor or major weakness which can be abused by evildoers.

Read the full article…

Password Security with Linux /etc/shadow file

Learn the structure of the /etc/shadow file and what the underlying fields mean in this article. After reading, the file should be less cryptic than it was before.

Summary of Password Security with Linux /etc/shadow file

Linux systems use a password file to store accounts, commonly available as /etc/passwd. For additional safety measures, a shadow copy of this file is used which includes the passwords of your users. Or actually the hashed passwords, for maximum security. An example of a password entry in /etc/shadow may look like this:
user1:$6$6Y/fI1nx$zQJj6AH9asTNfhxV7NoVgxByJyE.rVKK6tKXiOGNCfWBsrTGY7wtC6Cep6co9eVNkRFrpK6koXs1NU3AZQF8v/:16092:0:99999:7:::
For proper display, let’s split this up into several fields:
user1
$6$6Y/fI1nx$zQJj6AH9asTNfhxV7NoVgxByJyE.rVKK6tK
16092
0
99999
7
Field explanations
Time to have a look at what all these strings mean:

Read the full article…

PCI DSS (v3) for Linux: Auditing application processes (A.1.2.a)

PCI DSS v3 compliance (A.1.2.a) requires you to verify that no application processes are running as root. We audit these application processes and check the status of each.

Summary of PCI DSS (v3) for Linux: Auditing application processes (A.1.2.a)

A.1.2.a Verify the user ID of any application process is not a privileged user (root/admin).
For Unix and Linux based systems, processes should run as a non-privileged user where possible. However, to be able to start, a process is usually started with root permissions (uid 0). This is required to open the required sockets (e.g. bind to port 80). After the initial start, the process drops its privileges by switching to another user.

Read the full article…

PCI DSS (v3) Linux: Creation and deletion of system-level objects (10.2.7)

The PCI DSS standard defines "Creation and deletion of system-level objects" in control 10.2.7. For Linux systems this might be handled with the Linux audit framework.

Summary of PCI DSS (v3) Linux: Creation and deletion of system-level objects (10.2.7)

Some areas within the PCI standard are definitely not directly clear when reading the description. Section 10.2.7 is one of them. It talks about the creation and deletion of system-level objects and specifically the ability to log them.
System-level objects?
The guidance in 10.2.7 speaks about malware and mentions database related items. That does not make auditing very obvious, as malware usually targets binaries. Therefore we first have to look at what a system-level object is.

Read the full article…

PCI DSS (v3) Linux: No write access to shared system binaries (A.1.2.c)

PCI compliance (A.1.2.c) demands that no write access is allowed to shared system binaries. To test this, we can use several tools to determine if write access is allowed.

Summary of PCI DSS (v3) Linux: No write access to shared system binaries (A.1.2.c)

A.1.2.c Verify that an entity’s users do not have write access to shared system binaries Shared system binaries should be protected, as they form the basis of your system. PCI compliance (A.1.2.c) demands that users do not have write access to shared system binaries. The only exception is of course the root user, so software upgrades are still possible. Paths for system binaries Depending on the distribution used, there are several directories which hold shared system binaries.

Read the full article…

PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

Linux users who want to be compliant with PCI DSS have to restrict log file viewing to only the owner. We have a look at how to discover log files which can be viewed by others.

Summary of PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

A.1.2.d Verify that viewing of log entries is restricted to the owning entity. To limit exposure of information, PCI DSS requires that access to logging is restricted to the entity owning that log file. In other words, we have to search for those entries which can be seen by others. Search related log files By default, most log files on Linux based systems will be stored in /var/log. We can do a quick check for any files which are world readable by using find.

Read the full article…

Perform NetBSD security audit with pkg_admin

NetBSD can perform a security audit on its packages with the pkg_admin tool. With the check and audit parameters it can perform a security check in seconds.

Summary of Perform NetBSD security audit with pkg_admin

Security audit of NetBSD software packages with pkg_admin NetBSD is especially known for the diverse platforms it can run on. What is less known is the ability to audit the installed packages. In this article we have a look at how to audit NetBSD and ensure the file integrity of your packages. Performing a security audit is easy, as long as you use the right tool! Packages When using packages, their metadata will be installed in a directory within /var/db/pkg.

Read the full article…

Plus sign in ls output

When file access control lists, or ACLs are being used, the output of ls will change. An additional character shows up (plus sign) to indicate the usage of these access control lists.

Summary of Plus sign in ls output

Ever wondered what the plus (+) sign is when showing a directory listing? It is part of a POSIX standard to support access control lists (ACL) on files. Normal files on a file system will have only 10 characters displayed, with the last 9 used for file permissions. However, when file access control lists are used, an 11th character shows up. This plus sign indicates the usage of a file ACL.

Read the full article…

Securing Linux: Audit with Lynis (an introduction into auditing)

An introductory article on securing Linux based systems by performing a scan with Lynis. After this first audit it will be much easier to harden the system!

Summary of Securing Linux: Audit with Lynis (an introduction into auditing)

Securing a Linux system can take a lot of time. For this purpose we have written Lynis, a quick and small audit tool. It’s an open source tool and freely available. You just need root permissions and a common shell and you’re ready to do your first audit. The main audience for this tool is auditors, security professionals, penetration testers and system administrators. First audit Most Linux distributions already have Lynis in their software repository.

Read the full article…

Security Audits – How to Prioritize Audit Findings

After extensive auditing and analysis of the results, the time has come to prioritize audit findings. One way to achieve this is by looking at impact, urgency and effort.

Summary of Security Audits – How to Prioritize Audit Findings

Technical audits or vulnerability scans will reveal a lot of findings. They can be overwhelming, forcing the reviewer to freeze, not knowing where to start. To overcome this issue, we should prioritize the findings and determine the consequences of each finding for our company. While an open directory listing on a web server might not be desirable in one situation, it would make sense in others. It is the context which makes a finding “serious” or completely harmless.

Read the full article…

Security Integration: Configuration Management and Auditing

Configuration Management and Auditing. Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid...

Summary of Security Integration: Configuration Management and Auditing

Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid deployment and keeping systems properly configured. These tools in themselves are great for ensuring consistency across your systems. So what is Configuration Management? Configuration management is the art of keeping systems properly configured. Usually companies start small, which means manual configuration. Each time a new system is deployed, it is configured manually.

Read the full article…

The Difference Between Auditing and Vulnerability Scanning

Technical Auditing and Vulnerability Scanning. Why both look the same, yet have subtle differences When talking about auditing, I see that most technical people immediately think about...

Summary of The Difference Between Auditing and Vulnerability Scanning

Why both look the same, yet have subtle differences When talking about auditing, I see that most technical people immediately think about vulnerability scanning. While they definitely have things in common, there are also a lot of minor differences. In this blog post I will show them, and also share how technical auditing and vulnerability scanning can work together. Similarities and Differences Let’s first determine what makes technical auditing and vulnerability scanning look similar.

Read the full article…

The ultimate strace cheat sheet

The strace utility is diverse and helpful in performance tuning, troubleshooting and monitoring process activity. This cheat sheet helps with getting the most out of strace.

Summary of The ultimate strace cheat sheet

The strace utility is a very powerful way to learn what a new or running process is doing. Due to its diversity of monitoring options, the tool is less accessible at first. This strace cheat sheet helps with getting the best out of this tool. Normally cheat sheets come as a single 1 page PDF. In this case, we combined it all within a blog post. The first section shows an explanation per area; the bottom of the post contains all useful commands for quick reference.

Read the full article…

Tiger is History, Long Live Modern Alternatives!

The tiger tool was known for a long time to help with auditing Unix-based systems. Fortunately there are new tools that are better maintained.

Summary of Tiger is History, Long Live Modern Alternatives!

Recently I saw some tweets showing up from an old friend: Tiger. I was surprised to see it being promoted, as I have known the tool for years, but have never seen any new releases in recent years. Both are actually a shame. An outdated tool is usually of lower value. Promoting old tools might actually disappoint others and harm the initial trust in the software. History of Tiger In its day, the tool was quite good.

Read the full article…

Tuning auditd: high-performance Linux Auditing

To achieve better performance with an auditd configuration, it needs to be tuned. See performance boosters like event exclusion, rule ordering, and more.

Summary of Tuning auditd: high-performance Linux Auditing

The Linux Audit framework is a powerful tool to audit system events. From running executables up to system calls, everything can be logged. However, all this audit logging comes at the price of decreased system performance. Let’s have a look at how we can optimize our audit rules. Performance tips Good auditd performance will reduce stress on the Linux kernel and lower its impact. Before changing anything on your system, we suggest benchmarking your system performance before and after.

Read the full article…

Unix security audit: Perform an audit in 3 minutes

Quick guide for performing a Unix security audit on a Unix or Linux based system. In under three minutes you have the results and have finished the first audit!

Summary of Unix security audit: Perform an audit in 3 minutes

Want to know what the vulnerabilities of a Unix/Linux system are in just 3 minutes? How? Perform a scan with Lynis, the open source Unix security audit tool! Lynis Lynis is open source software (GPLv3), released in 2007 and a popular choice among many security professionals and system administrators. With hundreds of downloads in the first week of each release and a lot of community feedback, Lynis is the right tool for the job.

Read the full article…

Using Open Source Auditing Tools as alternative to CIS Benchmarks

Hardening guides, and the CIS benchmarks in particular, are a great resource to check your system for possible weaknesses and conduct system hardening. But who has the time to read it cover to...

Summary of Using Open Source Auditing Tools as alternative to CIS Benchmarks

An alternative to CIS Benchmarks and hardening guides Hardening guides, and the CIS benchmarks in particular, are a great resource to check your system for possible weaknesses and conduct system hardening. But who has the time to read it cover to cover, and apply every single step? In this article, we have a look at the alternative: open source auditing tools. Time.. Hardening is a time-consuming task. As security specialists, we know that.

Read the full article…

Viewing available test categories in Lynis

Lynis has all tests categorized and lets the user select which tests to run. Using the --tests-category and --view-categories parameters, the selection can be made.

Summary of Viewing available test categories in Lynis

When auditing a server, it may be useful to only run a particular category of tests, like firewall related tests. In that case the --tests-category parameter can be used, together with the category name. Available categories To determine what categories are available, Lynis has a built-in parameter --view-categories which lists all available files. Most of the names are self-explanatory about what kind of tests they include. For more information about the included tests, have a look in the .

Read the full article…

What is a security audit?

This article describes what a security audit is and why or when to use it. System audits also apply to Linux systems as part of technical auditing.

Summary of What is a security audit?

In the world of compliance, reported break-ins on the news and many security incidents, it’s common to see a security audit showing up sooner or later. Still, many people in our field don’t like them. But what is a security audit and why should we actually embrace them? Why audit? Auditing has a simple goal: check if something is configured according to best practices, a baseline or a preferred state. In an ideal situation these values are all the same and part of a properly taken decision.

Read the full article…

What’s New in Lynis 2: Features

The upcoming Lynis 2 release will bring many new features. Focus is on simplicity, speed and supporting newer technologies like Docker and systemd.

Summary of What’s New in Lynis 2: Features

Lynis 2.x will bring security auditing of Linux and Unix systems to a new level. In this blog post we share some exciting new features. Release of Lynis 2 is planned for February 2015. Overview: History Lynis 2.x Plugins Systemd Support File Integrity Monitoring Containers & Virtualization Operating Systems Focus on Simplicity Free and Commercial Support History Lynis was created in 2007, as a follow-up to the well-known tool Rootkit Hunter (rkhunter).

Read the full article…

Yum plugins: Available plugins and built-in security support

To determine the available yum plugins, we analyze them for our goal: discovering if security support is in the yum plugins itself or built-in by default.

Summary of Yum plugins: Available plugins and built-in security support

Enhancing yum Determine available plugins and built-in security support To enhance the support in our auditing tool Lynis, we wanted to know if yum supports security related functions by using a plugin or has them as built-in functionality. Yum Yum, or Yellowdog Updater Modified, is a software management tool for Linux based systems. Usually it is used on SuSE or Red Hat based systems (like RHEL, Fedora or CentOS). Plugins extend yum to improve its functionality.

Read the full article…