简易linux主机安全测试

  

临到下班，突然冒出来一个任务，说是甲方验收需要提供主机安全测试报告，我滴娘呀，这东西从来都没有做过呀，唉，苦逼的乙方呀。就像《辣手神探》中梁朝伟跟发哥说的台词一样：“枪在你手上，你就是要我抓头牛过来挤奶给你喝我也得照做啊。”真还不如去抓头奶牛呢。得，牢骚发完了，想法子吧。

 

         最初搜到一个方法：OpenVAS。看看介绍：OpenVAS是开放式漏洞评估系统，也可以说它是一个包含着相关工具的网络扫描器。其核心部件是一个服务器，包括一套网络漏洞测试程序，可以检测远程系统和应用程序中的安全问题

 

用户需要一种自动测试的方法，并确保正在运行一种最恰当的最新测试。OpenVAS包括一个中央服务器和一个图形化的前端。这个服务器准许用户运行几种不同的网络漏洞测试（以Nessus攻击脚本语言编写），而且OpenVAS可以经常对其进行更新。OpenVAS所有的代码都符合GPL规范。

 

下载：http://www.openvas.org/install-packages.html#openvas_windows_gb

 

再仔细看看，需要客户端和服务器端，最省事的方案是先装一个backtrack5，然后apt-get install一个openvas，然后再去做那堆配置，但是现在没硬件没backtrack5，配置看起来也很折腾人，搞完都不知道啥时候了。两天后就要出报告，这个方法不行，光是走流程申请硬件就不知道什么时候能够到位。

 

立刻搜索其他方法，找到了一个简易的法子。

 

看简介：

Project information

Rootkit scanner is scanning tool to ensureyou for about 99.9%* you're clean of nasty tools. This tool scans for rootkits,backdoors and local exploits by running tests like:

 

- MD5 hash compare

- Look for default files used by rootkits

- Wrong file permissions for binaries

- Look for suspected strings in LKM and KLDmodules

- Look for hidden files

- Optional scan within plaintext and binaryfiles

 

Rootkit Hunter is released as GPL licensedproject and free for everyone to use.

* No, not really 99.9%.. It's just anothersecurity layer

 

 

解释：简单的说就是安全扫描的，做系统中重要文件的MD5值比对、检查rootkit经常攻击的档案、检查可执行文件的权限是否正常、检查隐藏档案、检查可疑的核心模组(LKM/KLD)、作业系统的特殊检测、检查已启动的监听埠号和特定分析等等功能。

 

 

 

System requirements:

- Compatible operating system (see'Supported operating systems')

- Bourne Again Shell (BASH)

 

Supported operating systems

Supported:

- Most Linux distributions

- Most *BSD distributions

 

Currently unsupported:

- NetBSD

 

Tested on:

- AIX 4.1.5 / 4.3.3

- ALT Linux

- Aurora Linux

- CentOS 3.1 / 4.0

- Conectiva Linux 6.0

- Debian 3.x

- FreeBSD 4.3 / 4.4 / 4.7 / 4.8 / 4.9 /4.10

- FreeBSD 5.0 / 5.1 / 5.2 / 5.2.1 / 5.3

- Fedora Core 1 / Core 2 / Core 3

- Gentoo 1.4, 2004.0, 2004.1

- Macintosh OS 10.3.4-10.3.8

- Mandrake 8.1 / 8.2 / 9.0-9.2 / 10.0 /10.1

- OpenBSD 3.4 / 3.5

- Red Hat Linux 7.0-7.3 / 8 / 9

- Red Hat Enterprise Linux 2.1 / 3.0

- Slackware 9.0 / 9.1 / 10.0 / 10.1

- SME 6.0

- Solaris (SunOS)

- SuSE 7.3 / 8.0-8.2 / 9.0-9.2

- Ubuntu

- Yellow Dog Linux 3.0 / 3.01

 

Confirmed to work also on:

- CLFS

- DaNix (Debian clone)

- PCLinuxOS

- VectorLinux SOHO 3.2 / 4.0

- CPUBuilders Linux

- Virtuozzo (VPS)

 

看看系统需求，还好我这次是测试的ubuntu系统的主机，bash？当然有啦。嘿嘿，那看来可以开工了。

 

rkhunter 下载点：

http://download.csdn.net/detail/testingba/5102767

 

安装和使用示例：

安装步骤：

mkdir hostscan

cd /home/myname/hostscan

sudo tar -zxvf rkhunter-1.4.0.tar.gz

cd rkhunter-1.4.0

#看看/usr/local是否存在，通常都有的

ls -l /usr/local

sudo ./installer.sh --layout /usr/local –install

 

使用方法示例：

sudo /usr/local/bin/rkhunter --check --logfile /home/myname/hostscan/rkhunter-1.4.0/logfile.txt

 

 

 

 

参考信息：

安装参考：

Usage: ./installer.sh <parameters>

 

Ordered valid parameters:

  --help (-h)      : Show this help.

  --examples       : Show layout examples.

  --layout <value> : Choose installation template.

                     The templates are:

                      - default: (FHS compliant; the default)

                      - /usr

                      - /usr/local

                      - oldschool: old version file locations

                      - custom: supply your own installation directory

                      - RPM: for building RPM's. Requires $RPM_BUILD_ROOT.

                      - DEB: for building DEB's. Requires $DEB_BUILD_ROOT.

                      - TGZ: for building Slackware TGZ's. Requires $TGZ_BUILD_ROOT.

                      - TXZ: for building Slackware TXZ's. Requires $TXZ_BUILD_ROOT.

  --striproot      : Strip path from custom layout (for package maintainers).

  --install        : Install according to chosen layout.

  --overwrite      : Overwrite the existing configuration file.

                     (Default is to create a separate configuration file.)

  --show           : Show chosen layout.

  --remove         : Uninstall according to chosen layout.

  --version        : Show the installer version.

安装和卸载的示例：

sudo ./installer.sh --examples

Rootkit Hunter installer

 

Examples:

1. Show layout, files in /usr:

        installer.sh --layout /usr --show

 

2. Install in /usr/local:

        installer.sh --layout /usr/local --install

 

3. Install in chosen (custom) directory /opt:

        installer.sh --layout custom /opt --install

 

4. Install in temporary directory /tmp/rkhunter/usr/local,

   with files in /usr/local (for package maintainers):

        mkdir -p /tmp/rkhunter/usr/local

        installer.sh --layout custom /tmp/rkhunter/usr/local \

                     --striproot /tmp/rkhunter --install

 

5. Remove files, layout /usr/local:

        installer.sh --layout /usr/local –remove

 

 

扫描工具参考：

 

Usage: rkhunter {--check | --unlock | --update | --versioncheck |

                 --propupd [{filename | directory | package name},...] |

                 --list [{tests | {lang | languages} | rootkits | perl | propfiles}] |

                 --config-check | --version | --help} [options]

 

Current options are:

         --append-log                  Append to the logfile, do not overwrite

         --bindir <directory>...       Use the specified command directories

     -c, --check                       Check the local system

     -C, --config-check                Check the configuration file(s), then exit

  --cs2, --color-set2                  Use the second color set for output

         --configfile <file>           Use the specified configuration file

         --cronjob                     Run as a cron job

                                       (implies -c, --sk and --nocolors options)

         --dbdir <directory>           Use the specified database directory

         --debug                       Debug mode

                                       (Do not use unless asked to do so)

         --disable <test>[,<test>...]  Disable specific tests

                                       (Default is to disable no tests)

         --display-logfile             Display the logfile at the end

         --enable  <test>[,<test>...]  Enable specific tests

                                       (Default is to enable all tests)

         --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |

                 NONE | <command>}     Use the specified file hash function

                                       (Default is SHA1, then MD5)

     -h, --help                        Display this help menu, then exit

 --lang, --language <language>         Specify the language to use

                                       (Default is English)

         --list [tests | languages |   List the available test names, languages,

                 rootkits | perl |     rootkit names, perl module status

                 propfiles]            or file properties database, then exit

     -l, --logfile [file]              Write to a logfile

                                       (Default is /var/log/rkhunter.log)

         --noappend-log                Do not append to the logfile, overwrite it

         --nocf                        Do not use the configuration file entries

                                       for disabled tests (only valid with --disable)

         --nocolors                    Use black and white output

         --nolog                       Do not write to a logfile

--nomow, --no-mail-on-warning          Do not send a message if warnings occur

   --ns, --nosummary                   Do not show the summary of check results

 --novl, --no-verbose-logging          No verbose logging

         --pkgmgr {RPM | DPKG | BSD |  Use the specified package manager to obtain or

                   SOLARIS | NONE}     verify file property values. (Default is NONE)

         --propupd [file | directory | Update the entire file properties database,

                    package]...        or just for the specified entries

     -q, --quiet                       Quiet mode (no output at all)

  --rwo, --report-warnings-only        Show only warning messages

   --sk, --skip-keypress               Don't wait for a keypress after each test

         --summary                     Show the summary of system check results

                                       (This is the default)

         --syslog [facility.priority]  Log the check start and finish times to syslog

                                       (Default level is authpriv.notice)

         --tmpdir <directory>          Use the specified temporary directory

         --unlock                      Unlock (remove) the lock file

         --update                      Check for updates to database files

   --vl, --verbose-logging             Use verbose logging (on by default)

     -V, --version                     Display the version number, then exit

         --versioncheck                Check for latest version of program

     -x, --autox                       Automatically detect if X is in use

     -X, --no-autox                    Do not automatically detect if X is in use

 

 

非常简单吧，至于那些警告，就慢慢翻资料吧。先对付过去再说，下次有空搭建一个openvas环境。

 

安全测试绝对是个吃力不讨好的活，防守始终被动，而且说不定对方是个大牛，你就算学了两年也未必扛得住。且不说要学习的东西特别多，就算你真做好了安全防御，不出事的话领导就觉得你是不是整天在玩呢，你要真那么强，领导说不定还怕你万一不爽了黑公司呢，出了事你铁定要背锅。所以同学们，可以多学，但是一定要少show，一定要低调。这个领域最好找个专业公司来背锅才是王道，离远点，安全第一。