Friday, June 8, 2018

Lynis – Automated Security Auditing tool for Linux Servers

https://www.linuxtechi.com/lynis-security-auditing-tool-linux-servers

Today we all know how important security is for servers and networks. We spend most of our time implementing security policy for our infrastructure, so the question arises: is there an automated tool that can find vulnerabilities for us? For that purpose I would like to introduce a free and open source tool called Lynis.
Lynis is one of the most popular security auditing tools for Unix and Linux-like systems; it can detect malware and security-related vulnerabilities on Linux-based systems.
Normally we run many services on a Linux server, such as a web server, database server, email server, FTP server and so on. Lynis can make a Linux administrator's life easier by performing automated security auditing and penetration testing on all of their Linux boxes.
Lynis is a free and open source all-in-one network and server auditing tool. Once the audit is complete, we can review the results, warnings and suggestions, and then implement our security policy accordingly. It produces a report of the system that is broken into sections.

Why we should use Lynis

There are a number of reasons to use Lynis in our environment; the prominent ones are listed below:
  • Network and Servers Security Audit
  • Vulnerability detection and scanning
  • System hardening
  • Penetration Testing
To date, Lynis supports multiple operating systems, including:
  • RPM-based distributions such as Red Hat, CentOS and Fedora
  • Debian-based distributions such as Ubuntu and Linux Mint
  • FreeBSD
  • macOS
  • NetBSD
  • OpenBSD
  • Solaris
In this article, we will demonstrate how to install Lynis on a Linux server and how to perform a security audit of that server.

Installation of Lynis on Linux Server

Lynis is lightweight software; it will not break your system or affect any applications or services hosted on your Linux box.
First of all, we create a directory for the Lynis installation:
[root@linuxtechi ~]# mkdir /usr/local/lynis
[root@linuxtechi ~]#
Now go to that directory and download the latest Lynis source code with the wget command:
[root@linuxtechi ~]# cd /usr/local/lynis/
[root@linuxtechi lynis]# wget https://downloads.cisofy.com/lynis/lynis-2.6.4.tar.gz
Extract the downloaded Lynis tar.gz file using the command below:
[root@linuxtechi lynis]# ll
total 268
-rw-r--r--. 1 root root 273031 May  2 07:45 lynis-2.6.4.tar.gz
[root@linuxtechi lynis]# tar zxpvf lynis-2.6.4.tar.gz
[root@linuxtechi lynis]# ll
total 272
drwxr-xr-x. 6 root root   4096 Jun  1 23:17 lynis
-rw-r--r--. 1 root root 273031 May  2 07:45 lynis-2.6.4.tar.gz
[root@linuxtechi lynis]#
Now go to the lynis directory and run the lynis script to see which options are available. The root user or a user with admin privileges can run the script; all logs and output are saved in the file /var/log/lynis.log.
[root@linuxtechi lynis]# cd lynis
[root@linuxtechi lynis]# ./lynis
The output of the above command lists the available Lynis commands and options.

Start auditing and find Vulnerabilities

To audit the whole system, we start Lynis with the ‘audit system’ command.
Run either of the commands below to start the audit of the whole system:
[root@linuxtechi lynis]# ./lynis audit system
Or
[root@linuxtechi lynis]# ./lynis audit system --wait --> (the --wait option pauses after each section until you press Enter to display the next one)
The output of the above command, section by section, will be something like the following:
1) Initialize Lynis tool
2) System Tools and Boot & Services
3) Kernel and Memory & Processes audit
4) Users and Groups & Authentication
5) Shells and File Systems audit
6) USB, Storage, NFS and Name Services audit
7) Ports, Packages, Networking and Printers & Spools audit
8) Installed Software audit
9) SSH Server and SNMP audit
10) LDAP Service, PHP, Squid and Logging audit
11) Insecure Services, Banners, Cron jobs and Accounting audit
12) Time Synchronization, Cryptography, Virtualization, Containers and Security Frameworks audit
13) File Permissions, Malware detection and Home Directories audit
14) Kernel Hardening audit
15) Warnings and suggestions
16) Lynis scan and audit results
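As an added example that is not part of the article, the POSIX shell script below summarises the machine-readable report Lynis writes to /var/log/lynis-report.dat next to the log file, so the warnings and suggestions from the last two sections can be counted and gated in a cron job or CI pipeline. The report path and the key=value line format (warning[]=TEST-ID|text|details|solution, suggestion[]=..., hardening_index=N) are Lynis's own; the sample entries and the threshold are constructed.

```shell
#!/bin/sh
# Added example, not from the article: summarise a Lynis report file.
# Lynis writes its results to /var/log/lynis-report.dat as key=value lines.
# A constructed sample report stands in for a real one so this runs offline;
# set REPORT=/var/log/lynis-report.dat to read the real file instead.
REPORT="${REPORT:-${TMPDIR:-/tmp}/lynis-report.sample.dat}"
if [ ! -f "$REPORT" ]; then
  cat > "$REPORT" <<'EOF'
report_version_major=1
hardening_index=64
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
EOF
fi

# Number of entries of one kind ("warning" or "suggestion"); 0 when none.
count_entries() {  # $1 = kind, $2 = report file
  grep -c "^$1\[\]=" "$2" || true
}

# Test IDs (first pipe-separated field) of one kind, one per line.
list_ids() {  # $1 = kind, $2 = report file
  grep "^$1\[\]=" "$2" | cut -d= -f2 | cut -d'|' -f1
}

# The hardening index Lynis computed (0-100).
hardening_index() {  # $1 = report file
  sed -n 's/^hardening_index=//p' "$1"
}

# Succeed only when the index reaches a minimum; usable as a pass/fail gate.
check_threshold() {  # $1 = report file, $2 = minimum acceptable index
  idx=$(hardening_index "$1")
  [ "${idx:-0}" -ge "$2" ]
}

echo "Warnings:        $(count_entries warning "$REPORT")"
echo "Suggestions:     $(count_entries suggestion "$REPORT")"
echo "Hardening index: $(hardening_index "$REPORT")"
list_ids warning "$REPORT" | sed 's/^/  warning raised by test /'
check_threshold "$REPORT" 70 || echo "hardening index below the required 70"
```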
Sometimes we don't want to audit the full system; instead we can audit specific applications or services by category. Let's have a look at how to do that, starting with the list of available groups:
[root@linuxtechi lynis]# ./lynis show groups
accounting
authentication
banners
boot_services
containers
crypto
databases
dns
file_integrity
file_permissions
filesystems
firewalls
hardening
homedirs
insecure_services
kernel
kernel_hardening
ldap
logging
mac_frameworks
mail_messaging
malware
memory_processes
nameservices
networking
php
ports_packages
printers_spools
scheduling
shells
snmp
squid
ssh
storage
storage_nfs
system_integrity
time
tooling
usb
virtualization
webservers
[root@linuxtechi lynis]#
Now we will run a simple audit of only the Linux kernel and database tests, using the command below:
[root@linuxtechi lynis]# ./lynis  --tests-from-group "databases kernel"
To see more options of the lynis command, refer to its man page:
[root@linuxtechi lynis]# ./lynis --man
That’s all from this article, please do share your feedback & comments.

MySQL without the MySQL: An introduction to the MySQL Document Store

https://opensource.com/article/18/6/mysql-document-store

The MySQL Document Store enables storing data without having to create an underlying schema, normalize data, or do other tasks normally required to use a database.

MySQL can act as a NoSQL JSON Document Store so programmers can save data without having to normalize data, set up schemas, or even have a clue what their data looks like before starting to code. Since MySQL version 5.7 and in MySQL 8.0, developers can store JSON documents in a column of a table. By adding the new X DevAPI, you can stop embedding nasty strings of structured query language in your code and replace them with API calls that support modern programming design.
Very few developers have any formal training in structured query language (SQL), relational theory, sets, or other foundations of relational databases. But they need a secure, reliable data store. Add in a dearth of available database administrators, and things can get very messy quickly.
The MySQL Document Store allows programmers to store data without having to create an underlying schema, normalize data, or any of the other tasks normally required to use a database. A JSON document collection is created and can then be used.

JSON data type

This is all based on the JSON data type introduced a few years ago in MySQL 5.7. This provides a roughly 1GB column in a row of a table. The data has to be valid JSON or the server will return an error, but developers are free to use that space as they want.

X DevAPI

The old MySQL protocol is showing its age after almost a quarter-century, so a new protocol was developed called X DevAPI. It includes a new high-level session concept that allows code to scale from one server to many with non-blocking, asynchronous I/O that follows common host-language programming patterns. The focus is put on using CRUD (create, replace, update, delete) patterns while following modern practices and coding styles. Or, to put it another way, you no longer have to embed ugly strings of SQL statements in your beautiful, pristine code.
A new shell, creatively called the MySQL Shell, supports this new protocol. It can be used to set up high-availability clusters, check servers for upgrade readiness, and interact with MySQL servers. This interaction can be done in three modes: JavaScript, Python, and SQL.

Coding examples

The coding examples that follow are in the JavaScript mode of the MySQL Shell; it has a JS> prompt.
Here, we will log in as dstokes with the password password to the local system and a schema named demo. There is a pointer to the schema demo that is named db.
$ mysqlsh dstokes:password@localhost/demo
JS> db.createCollection("example")
JS> db.example.add(
      {
        Name: "Dave",
        State:  "Texas",
        foo : "bar"
      }
     )
JS>
Above we logged into the server, connected to the demo schema, created a collection named example, and added a record, all without creating a table definition or using SQL. We can use or abuse this data as our whims desire. This is not an object-relational mapper, as there is no mapping the code to the SQL because the new protocol “speaks” at the server layer.

Node.js supported

The new shell is pretty sweet; you can do a lot with it, but you will probably want to use your programming language of choice. The following example uses the world_x demo database to search for a record with the _id field matching "CAN." We point to the desired collection in the schema and issue a find command with the desired parameters. Again, there’s no SQL involved.
var mysqlx = require('@mysql/xdevapi');
mysqlx.getSession({             // Auth to server
        host: 'localhost',
        port: '33060',
        dbUser: 'root',
        dbPassword: 'password'
}).then(function (session) {    // use world_x.countryinfo
    var schema = session.getSchema('world_x');
    var collection = schema.getCollection('countryinfo');
    return collection           // Get row for 'CAN'
      .find("$._id == 'CAN'")
      .limit(1)
      .execute(doc => console.log(doc))
      .then(() => console.log("\n\nAll done"))
      .then(() => session.close()); // close only after the query has completed
}).catch(err => console.error(err));
Here is another example in PHP that looks for "USA":
#!/usr/bin/php
<?php
// Connection parameters
  $user = 'root';
  $passwd = 'S3cret#';
  $host = 'localhost';
  $port = '33060';
  $connection_uri = 'mysqlx://'.$user.':'.$passwd.'@'.$host.':'.$port;
  echo $connection_uri . "\n";
// Connect as a Node Session
  $nodeSession = mysql_xdevapi\getNodeSession($connection_uri);
// "USE world_x" schema
  $schema = $nodeSession->getSchema("world_x");
// Specify collection to use
  $collection = $schema->getCollection("countryinfo");
// SELECT * FROM world_x WHERE _id = "USA"
  $result = $collection->find('_id = "USA"')->execute();
// Fetch/Display data
  $data = $result->fetchAll();
  var_dump($data);
?>
Note that the find operator used in both examples looks pretty much the same between the two different languages. This consistency should help developers who hop between programming languages or those looking to reduce the learning curve with a new language.
Other supported languages include C, Java, Python, and JavaScript, and more are planned.

Best of both worlds

Did I mention that the data entered in this NoSQL fashion is also available from the SQL side of MySQL? Or that the new NoSQL method can access relational data in old-fashioned relational tables? You now have the option to use your MySQL server as a SQL server, a NoSQL server, or both.

How to use autofs to mount NFS shares

https://opensource.com/article/18/6/using-autofs-mount-nfs-shares

Configure a basic automount function on your network file system.

Most Linux file systems are mounted at boot and remain mounted while the system is running. This is also true of any remote file systems that have been configured in the fstab file. However, there may be times when you prefer to have a remote file system mount only on demand—for example, to boost performance by reducing network bandwidth usage, or to hide or obfuscate certain directories for security reasons. The package autofs provides this feature. In this article, I'll describe how to get a basic automount configuration up and running.
First, a few assumptions: Assume the NFS server named tree.mydatacenter.net is up and running. Also assume a data directory named ourfiles and two user directories, for Carl and Sarah, are being shared by this server. A few best practices will make things work a bit better: It is a good idea to use the same user ID for your users on the server and any client workstations where they have an account. Also, your workstations and server should have the same domain name. Checking the relevant configuration files should confirm this:
alan@workstation1:~$ sudo getent passwd carl sarah
[sudo] password for alan:
carl:x:1020:1020:Carl,,,:/home/carl:/bin/bash
sarah:x:1021:1021:Sarah,,,:/home/sarah:/bin/bash
alan@workstation1:~$ sudo getent hosts
127.0.0.1       localhost
127.0.1.1       workstation1.mydatacenter.net workstation1
10.10.1.5       tree.mydatacenter.net tree
As you can see, both the client workstation and the NFS server are configured in the hosts file. I’m assuming a basic home or even small office network that might lack proper internal domain name service (i.e., DNS).

Install the packages

You need to install only two packages: nfs-common for NFS client functions, and autofs to provide the automount function.
alan@workstation1:~$ sudo apt-get install nfs-common autofs
You can verify that the autofs files have been placed in the etc directory:
alan@workstation1:~$ cd /etc; ll auto*
-rw-r--r-- 1 root root 12596 Nov 19  2015 autofs.conf
-rw-r--r-- 1 root root   857 Mar 10  2017 auto.master
-rw-r--r-- 1 root root   708 Jul  6  2017 auto.misc
-rwxr-xr-x 1 root root  1039 Nov 19  2015 auto.net*
-rwxr-xr-x 1 root root  2191 Nov 19  2015 auto.smb*
alan@workstation1:/etc$

Configure autofs

Now you need to edit several of these files and add the file auto.home. First, add the following two lines to the file auto.master:
/mnt/tree  /etc/auto.misc
/home/tree  /etc/auto.home
Each line begins with the directory where the NFS shares will be mounted. Go ahead and create those directories:
alan@workstation1:/etc$ sudo mkdir /mnt/tree /home/tree
Second, add the following line to the file auto.misc:
ourfiles        -fstype=nfs     tree:/share/ourfiles
This line instructs autofs to mount the ourfiles share at the location matched in the auto.master file for auto.misc. As shown above, these files will be available in the directory /mnt/tree/ourfiles.
Third, create the file auto.home with the following line:
*               -fstype=nfs     tree:/home/&
This line instructs autofs to mount the users share at the location matched in the auto.master file for auto.home. In this case, Carl and Sarah's files will be available in the directories /home/tree/carl or /home/tree/sarah, respectively. The asterisk (referred to as a wildcard) makes it possible for each user's share to be automatically mounted when they log in. The ampersand also works as a wildcard representing the user's directory on the server side. Their home directory should be mapped accordingly in the passwd file. This doesn’t have to be done if you prefer a local home directory; instead, the user could use this as simple remote storage for specific files.
Finally, restart the autofs daemon so it will recognize and load these configuration file changes.
alan@workstation1:/etc$ sudo service autofs restart
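As an added example that is not part of the article, the POSIX shell script below checks an autofs configuration of the kind built in the steps above before the daemon is restarted: it walks auto.master, follows each map file and prints one line per malformed entry (missing location, options not starting with '-', location not in host:/path form, wildcard key without & on the server side). It writes a constructed copy of the article's three files to a temporary directory so it runs offline; setting ETC=/etc points it at a real system.

```shell
#!/bin/sh
# Added example, not from the article: sanity-check an autofs configuration.
# A constructed copy of the article's auto.master, auto.misc and auto.home is
# written to a temp dir so the script runs offline; set ETC=/etc to check a
# real system (map paths under /etc are then resolved as they are).
ETC="${ETC:-$(mktemp -d)}"
if [ ! -f "$ETC/auto.master" ]; then
  printf '%s\n' '/mnt/tree  /etc/auto.misc' '/home/tree  /etc/auto.home' > "$ETC/auto.master"
  printf '%s\n' 'ourfiles        -fstype=nfs     tree:/share/ourfiles' > "$ETC/auto.misc"
  printf '%s\n' '*               -fstype=nfs     tree:/home/&' > "$ETC/auto.home"
fi

# Check one indirect map file. Each entry is:  key  [-options]  location
check_map() {  # $1 = map file
  while read -r key opts location; do
    case "$key" in ''|'#'*) continue ;; esac
    if [ -z "$location" ]; then location=$opts; opts=''; fi   # entry without options
    [ -z "$location" ] && echo "$1: entry '$key' has no location"
    case "$opts" in ''|-*) ;; *) echo "$1: options for '$key' must start with '-'" ;; esac
    case "$location" in *:/*) ;; *) echo "$1: '$key' location is not host:/path" ;; esac
    # With a wildcard key, & must appear in the location; otherwise every
    # user would be handed the same server directory.
    if [ "$key" = '*' ]; then
      case "$location" in *'&'*) ;; *) echo "$1: wildcard key without & in location" ;; esac
    fi
  done < "$1"
}

# Walk auto.master. Each entry is:  mount-point  map-file  [options]
check_master() {  # $1 = auto.master, $2 = directory that stands in for /etc
  while read -r mountpoint mapfile rest; do
    case "$mountpoint" in ''|'#'*|'+'*) continue ;; esac      # comments and +includes
    case "$mountpoint" in /*) ;; *) echo "$1: mount point '$mountpoint' is not absolute" ;; esac
    map="$2${mapfile#/etc}"
    if [ -f "$map" ]; then check_map "$map"; else echo "$1: map file $mapfile not found"; fi
  done < "$1"
}

# Number of problems reported; 0 means the configuration is consistent.
count_problems() {  # $1 = auto.master, $2 = directory that stands in for /etc
  check_master "$1" "$2" | awk 'END { print NR }'
}

check_master "$ETC/auto.master" "$ETC"
echo "problems found: $(count_problems "$ETC/auto.master" "$ETC")"
```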

Testing autofs

If you change to one of the directories listed in the file auto.master and run the ls command, you won’t see anything immediately. For example, change directory (cd) to /mnt/tree. At first, the output of ls won’t show anything, but after running cd ourfiles, the ourfiles share directory will be automatically mounted. The cd command will also be executed and you will be placed into the newly mounted directory.
carl@workstation1:~$ cd /mnt/tree
carl@workstation1:/mnt/tree$ ls
carl@workstation1:/mnt/tree$ cd ourfiles
carl@workstation1:/mnt/tree/ourfiles$
To further confirm that things are working, the mount command will display the details of the mounted share.
carl@workstation1:~$ mount
tree:/mnt/share/ourfiles on /mnt/tree/ourfiles type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.10.1.22,local_lock=none,addr=10.10.1.5)
The /home/tree directory will work the same way for Carl and Sarah.
I find it useful to bookmark these directories in my file manager for quicker access.