A simple Linux host security test


  

Right at quitting time a task suddenly landed on me: the client needs a host security test report for acceptance. Good grief, I have never done one of these before; such is the lot of the poor vendor. It is like Tony Leung's line to Chow Yun-fat in Hard Boiled: "You've got the gun, so even if you told me to go fetch a cow and milk it for you, I'd have to do it." Honestly, fetching a cow would be easier. Right, grumbling over, let's find a way.

 


The first method I found was OpenVAS. From its description: OpenVAS is the Open Vulnerability Assessment System; it can also be described as a network scanner bundled with related tools. Its core component is a server that includes a set of network vulnerability tests and can detect security problems in remote systems and applications.

 


Users need an automated way to test and a guarantee that they are running the most appropriate, up-to-date tests. OpenVAS consists of a central server and a graphical front end. The server lets the user run several different network vulnerability tests (written in the Nessus Attack Scripting Language), and OpenVAS can update them regularly. All OpenVAS code is released under the GPL.

 


Download: http://www.openvas.org/install-packages.html#openvas_windows_gb

 

Looking more closely, it needs both a client and a server. The least painful route would be to install BackTrack 5 first, apt-get install openvas, and then work through the pile of configuration. But right now I have no spare hardware and no BackTrack 5, and the configuration looks like a lot of hassle; who knows when I would be done. The report is due in two days, so this approach is out: just the paperwork to request hardware would take who knows how long.

 

I immediately searched for other methods and found a simple one.

 

The project description:

Project information

Rootkit scanner is scanning tool to ensure you for about 99.9%* you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:

 

- MD5 hash compare

- Look for default files used by rootkits

- Wrong file permissions for binaries

- Look for suspected strings in LKM and KLD modules

- Look for hidden files

- Optional scan within plaintext and binary files

 

Rootkit Hunter is released as GPL licensed project and free for everyone to use.

* No, not really 99.9%.. It's just another security layer

 

 

Explanation: put simply, it is a security scanner. It compares the MD5 hashes of important system files, checks the files that rootkits commonly tamper with, checks whether executables have the expected permissions, looks for hidden files, checks for suspicious kernel modules (LKM/KLD), runs OS-specific tests, checks which ports are listening, and performs other targeted analyses.
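To make the "hash compare" and "wrong file permissions" tests concrete, here is a small file-properties baseline of my own (an added example, not rkhunter's code; rkhunter keeps its own properties database, updated with --propupd). It records the mode and SHA-256 of every regular file under a directory, and later reports files whose hash or mode changed, files that disappeared, and files that were not in the baseline. It assumes GNU coreutils on Linux (sha256sum, stat -c) and paths without whitespace; the names make_baseline, baseline_warnings and check_baseline are my own.

```shell
#!/bin/sh
# Added example: a minimal file-properties baseline in the spirit of
# rkhunter's hash / permission checks. Not rkhunter's own code.
# Assumes GNU coreutils (sha256sum, stat -c) and paths without whitespace.

# make_baseline DIR OUTFILE: one line per regular file: "<octal mode> <sha256> <path>"
make_baseline() {
    dir=$1; out=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(stat -c '%a' "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done > "$out"
}

# baseline_warnings DIR BASELINE: print one "Warning:" line per difference
baseline_warnings() {
    dir=$1; base=$2
    # files recorded in the baseline: missing, mode changed, content changed
    while read -r mode hash path; do
        if [ ! -f "$path" ]; then
            echo "Warning: $path: file missing"
            continue
        fi
        cur_mode=$(stat -c '%a' "$path")
        cur_hash=$(sha256sum "$path" | cut -d' ' -f1)
        [ "$cur_mode" = "$mode" ] || echo "Warning: $path: mode changed $mode -> $cur_mode"
        [ "$cur_hash" = "$hash" ] || echo "Warning: $path: hash changed"
    done < "$base"
    # files present now that the baseline never saw (third field is the path)
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        awk -v p="$f" '$3 == p { found = 1 } END { exit !found }' "$base" \
            || echo "Warning: $f: not in baseline"
    done
}

# check_baseline DIR BASELINE: exit 0 when nothing differs, 1 otherwise
check_baseline() {
    [ -z "$(baseline_warnings "$1" "$2")" ]
}

# Usage: sh baseline.sh make DIR BASELINE  (after a clean install)
#        sh baseline.sh check DIR BASELINE (before writing the report)
case "${1:-}" in
    make)  make_baseline "$2" "$3" ;;
    check) baseline_warnings "$2" "$3"; check_baseline "$2" "$3" ;;
esac
```

Take the baseline right after installation, store it somewhere the host cannot write to, and re-run the check before each report; a setuid bit that appears on a previously plain binary shows up as a mode change without any hash change, which is exactly the kind of thing a plain checksum comparison misses.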

 

 

 

System requirements:

- Compatible operating system (see 'Supported operating systems')

- Bourne Again Shell (BASH)

 

Supported operating systems

Supported:

- Most Linux distributions

- Most *BSD distributions

 

Currently unsupported:

- NetBSD

 

Tested on:

- AIX 4.1.5 / 4.3.3

- ALT Linux

- Aurora Linux

- CentOS 3.1 / 4.0

- Conectiva Linux 6.0

- Debian 3.x

- FreeBSD 4.3 / 4.4 / 4.7 / 4.8 / 4.9 / 4.10

- FreeBSD 5.0 / 5.1 / 5.2 / 5.2.1 / 5.3

- Fedora Core 1 / Core 2 / Core 3

- Gentoo 1.4, 2004.0, 2004.1

- Macintosh OS 10.3.4-10.3.8

- Mandrake 8.1 / 8.2 / 9.0-9.2 / 10.0 / 10.1

- OpenBSD 3.4 / 3.5

- Red Hat Linux 7.0-7.3 / 8 / 9

- Red Hat Enterprise Linux 2.1 / 3.0

- Slackware 9.0 / 9.1 / 10.0 / 10.1

- SME 6.0

- Solaris (SunOS)

- SuSE 7.3 / 8.0-8.2 / 9.0-9.2

- Ubuntu

- Yellow Dog Linux 3.0 / 3.01

 

Confirmed to work also on:

- CLFS

- DaNix (Debian clone)

- PCLinuxOS

- VectorLinux SOHO 3.2 / 4.0

- CPUBuilders Linux

- Virtuozzo (VPS)

 

Looking at the system requirements: luckily the host I am testing this time runs Ubuntu, and bash? Of course it has bash. So it looks like we can get to work.

 

rkhunter download:

http://download.csdn.net/detail/testingba/5102767

 

Installation and usage example:

Installation steps:

mkdir hostscan

cd /home/myname/hostscan

sudo tar -zxvf rkhunter-1.4.0.tar.gz

cd rkhunter-1.4.0

# check that /usr/local exists; it usually does

ls -l /usr/local

sudo ./installer.sh --layout /usr/local --install

 

Usage example:

sudo /usr/local/bin/rkhunter --check --logfile /home/myname/hostscan/rkhunter-1.4.0/logfile.txt
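Running the scan is only half of the job; the acceptance report needs the warnings pulled out of the logfile. The wrapper below is an added example of mine, not part of the post or of rkhunter. It runs the scan command from the post non-interactively (--sk skips the keypress after each test, --nocolors keeps escape codes out of the log; both are in the option list further down) and then summarises the logfile. The function names run_scan, count_warnings, list_warnings and report are my own, the install path under /usr/local is the one used above, and the sample log is constructed to match the "[HH:MM:SS] Warning: text" line format of rkhunter's logfile rather than taken from a real scan.

```shell
#!/bin/sh
# Added example, not part of the original post or of rkhunter itself:
# run the scan unattended, then turn the logfile into a warning summary
# for the test report. Assumes rkhunter installed under /usr/local as in
# the post and "[HH:MM:SS] Warning: text" log lines.

LOGFILE=${LOGFILE:-/home/myname/hostscan/rkhunter-1.4.0/logfile.txt}

# run_scan LOGFILE: the post's command, made non-interactive
run_scan() {
    sudo /usr/local/bin/rkhunter --check --sk --nocolors --logfile "$1"
}

# count_warnings LOGFILE: number of warning lines (grep -c exits 1 on zero matches,
# so force success and keep the printed 0)
count_warnings() {
    grep -c 'Warning: ' "$1" || true
}

# list_warnings LOGFILE: warning text without the timestamp, duplicates removed
list_warnings() {
    sed -n 's/^\[[0-9:]*] *Warning: //p' "$1" | sort -u
}

# report LOGFILE: short summary; exit status 1 when any warning is present
report() {
    n=$(count_warnings "$1")
    echo "rkhunter log: $1"
    echo "warnings: $n"
    list_warnings "$1" | sed 's/^/  - /'
    [ "$n" -eq 0 ]
}

# sample_log: constructed log (not a real scan) so the summary can be tried offline
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[10:01:02] Info: Start date is Mon Mar  4 10:01:02 CST 2013
[10:01:03] Checking file /usr/bin/ls [ OK ]
[10:01:03] Warning: The file properties have changed:
[10:01:03]          File: /usr/bin/ls
[10:01:04] Warning: Hidden directory found: /dev/.udev
[10:01:04] Warning: Hidden directory found: /dev/.udev
[10:01:05] Info: End date is Mon Mar  4 10:01:05 CST 2013
EOF
    echo "$f"
}

# Usage: sh scan-report.sh scan    (run rkhunter, then summarise)
#        sh scan-report.sh report  (summarise an existing logfile)
#        sh scan-report.sh demo    (summarise the constructed sample)
case "${1:-}" in
    scan)   run_scan "$LOGFILE"; report "$LOGFILE" ;;
    report) report "$LOGFILE" ;;
    demo)   f=$(sample_log); report "$f"; rm -f "$f" ;;
esac
```

The non-zero exit status from report is the useful part: it lets the scan sit in a cron job or a CI step and fail loudly when a new warning appears, instead of burying it in a logfile nobody reads. Each distinct warning still has to be looked up and either fixed or explicitly accepted in the report.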

 

 

 

 

Reference information:

Installer reference:

Usage: ./installer.sh <parameters>

 

Ordered valid parameters:

  --help (-h)      : Show this help.

  --examples       : Show layout examples.

  --layout <value> : Choose installation template.

                     The templates are:

                      - default: (FHS compliant; the default)

                      - /usr

                      - /usr/local

                      - oldschool: old version file locations

                      - custom: supply your own installation directory

                      - RPM: for building RPM's. Requires $RPM_BUILD_ROOT.

                      - DEB: for building DEB's. Requires $DEB_BUILD_ROOT.

                      - TGZ: for building Slackware TGZ's. Requires $TGZ_BUILD_ROOT.

                      - TXZ: for building Slackware TXZ's. Requires $TXZ_BUILD_ROOT.

  --striproot      : Strip path from custom layout (for package maintainers).

  --install        : Install according to chosen layout.

  --overwrite      : Overwrite the existing configuration file.

                     (Default is to create a separate configuration file.)

  --show           : Show chosen layout.

  --remove         : Uninstall according to chosen layout.

  --version        : Show the installer version.

Installation and removal examples:

sudo ./installer.sh --examples

Rootkit Hunter installer

 

Examples:

1. Show layout, files in /usr:

        installer.sh --layout /usr --show

 

2. Install in /usr/local:

        installer.sh --layout /usr/local --install

 

3. Install in chosen (custom) directory /opt:

        installer.sh --layout custom /opt --install

 

4. Install in temporary directory /tmp/rkhunter/usr/local,

   with files in /usr/local (for package maintainers):

        mkdir -p /tmp/rkhunter/usr/local

        installer.sh --layout custom /tmp/rkhunter/usr/local \

                     --striproot /tmp/rkhunter --install

 

5. Remove files, layout /usr/local:

        installer.sh --layout /usr/local --remove

 

 

Scanner reference:

 

Usage: rkhunter {--check | --unlock | --update | --versioncheck |

                 --propupd [{filename | directory | package name},...] |

                 --list [{tests | {lang | languages} | rootkits | perl | propfiles}] |

                 --config-check | --version | --help} [options]

 

Current options are:

         --append-log                  Append to the logfile, do not overwrite

         --bindir <directory>...       Use the specified command directories

     -c, --check                       Check the local system

     -C, --config-check                Check the configuration file(s), then exit

  --cs2, --color-set2                  Use the second color set for output

         --configfile <file>           Use the specified configuration file

         --cronjob                     Run as a cron job

                                       (implies -c, --sk and --nocolors options)

         --dbdir <directory>           Use the specified database directory

         --debug                       Debug mode

                                       (Do not use unless asked to do so)

         --disable <test>[,<test>...]  Disable specific tests

                                       (Default is to disable no tests)

         --display-logfile             Display the logfile at the end

         --enable  <test>[,<test>...]  Enable specific tests

                                       (Default is to enable all tests)

         --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |

                 NONE | <command>}     Use the specified file hash function

                                       (Default is SHA1, then MD5)

     -h, --help                        Display this help menu, then exit

 --lang, --language <language>         Specify the language to use

                                       (Default is English)

         --list [tests | languages |   List the available test names, languages,

                 rootkits | perl |     rootkit names, perl module status

                 propfiles]            or file properties database, then exit

     -l, --logfile [file]              Write to a logfile

                                       (Default is /var/log/rkhunter.log)

         --noappend-log                Do not append to the logfile, overwrite it

         --nocf                        Do not use the configuration file entries

                                       for disabled tests (only valid with --disable)

         --nocolors                    Use black and white output

         --nolog                       Do not write to a logfile

--nomow, --no-mail-on-warning          Do not send a message if warnings occur

   --ns, --nosummary                   Do not show the summary of check results

 --novl, --no-verbose-logging          No verbose logging

         --pkgmgr {RPM | DPKG | BSD |  Use the specified package manager to obtain or

                   SOLARIS | NONE}     verify file property values. (Default is NONE)

         --propupd [file | directory | Update the entire file properties database,

                    package]...        or just for the specified entries

     -q, --quiet                       Quiet mode (no output at all)

  --rwo, --report-warnings-only        Show only warning messages

   --sk, --skip-keypress               Don't wait for a keypress after each test

         --summary                     Show the summary of system check results

                                       (This is the default)

         --syslog [facility.priority]  Log the check start and finish times to syslog

                                       (Default level is authpriv.notice)

         --tmpdir <directory>          Use the specified temporary directory

         --unlock                      Unlock (remove) the lock file

         --update                      Check for updates to database files

   --vl, --verbose-logging             Use verbose logging (on by default)

     -V, --version                     Display the version number, then exit

         --versioncheck                Check for latest version of program

     -x, --autox                       Automatically detect if X is in use

     -X, --no-autox                    Do not automatically detect if X is in use

 

 

Pretty simple, right? As for the warnings, I will work through the documentation bit by bit. Get this one out of the way first; next time I have a moment I will set up an OpenVAS environment.

 

Security testing is definitely a thankless job. Defence is always reactive, and the other side might be a real expert, so even after two years of study you may not hold up. Leaving aside the huge amount there is to learn, even if you do get your defences right, when nothing goes wrong management wonders whether you are just playing around all day; if you really are that good, management may even worry that you will hack the company one day when you are unhappy; and when something does go wrong, you are certain to take the blame. So, classmates: learn as much as you like, but show off as little as possible and keep a low profile. In this field the best policy is to bring in a specialist firm to take the blame; keep your distance, safety first.

 

 

 

 

 

 
