2

I'm looking for a tool that scans Unix operating systems for configuration issues, e.g. a script that finds

PermitRootLogin yes

in the SSH config file, or in other words: a script that automates compliance checks. Since there are quite a few configuration files with security-relevant configurations, which lie in all sorts of different places that already differ from Linux distribution to Linux distribution, I'd rather check if that exists before I start writing my own script. :)

What I was able to find so far is:

  • The vulnerability scanner Nessus supports UNIX Configuration Auditing. As far as I could see, it reads only the list of installed packages and then checks if there are vulnerabilities in those.

  • eEye has a tool called Retina; I'm not sure whether it's for Windows only, or what exactly it checks.

  • BastilleLinux, BastilleMac, which test and harden. It is still shipped with the current Ubuntu version, and it says on their website that they'll be restarting development, but I can't see any updates.

Do you know of a tool (preferably open source so I can edit/contribute) that might match better?

user857990
  • If you know what you want to look for, why not write your own scripts? –  Aug 09 '12 at 08:06
  • That example isn't even worth a script. Just `find` or `grep`. – Polynomial Aug 09 '12 at 08:16
  • @TerryChia This script is supposed to look for configuration issueS. There are quite a lot of configuration files to look at (Network, Kernel, Applications, ...). The files already change depending on the distribution. I don't mind writing such a script, but it's a lot of work, and if such a script already exists, it'd be reinventing the wheel. That's why I first want to see if it already exists :) Polynomial, it's only an example. Look at the comment to TerryChia please. – user857990 Aug 09 '12 at 08:21
  • @user857990 Why would it not be a smart choice? –  Aug 09 '12 at 08:22
  • I edited the question, I hope the motivation for the question is better explained. – user857990 Aug 09 '12 at 08:51
  • Nessus uses the CIS benchmarks, which you can use to create your own scripts to grep and regex configuration files: https://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.1.pdf – schroeder Aug 09 '12 at 14:49

4 Answers

4

You might want to look at Nessus Compliance checks. They provide an interface which allows you to check files for specific items and settings.

Also there are quite a few pre-defined templates available through the support portal which cover a wide range of Unix/Linux flavours and check against the Center for Internet Security standards, amongst others.

Rory McCune
2

There's also a tool called Security Blanket that may be of interest to you (not sure of your budget), which I've heard is easy to configure and run as per here.

Regarding CIS (Center for Internet Security) standards, although still very valid, I had heard that they weren't being actively worked on :(

The Tripwire Enterprise solutions (if within your budget) might also help but to be honest, I haven't played with any Tripwire stuff in a very long time so you'd have to check it out yourself.

Mark Hillick
1

I'm not very talented at coding but used the basics of creating a shell script and printing out outputs to check for configuration standards and write them to a text file. I've tried to show expected/desired output and then what the output is.

You can get the document from CIS here or you may need to fill in a form to get it https://benchmarks.cisecurity.org/downloads/multiform/index.cfm?do=download&download=/ubuntu/CIS_Ubuntu_12.04_LTS_Server_Benchmark_v1.0.0.pdf

I've used this on Ubuntu 14.04, as server benchmarks are not published for this yet, but it will be pretty close.

Create the shell script on the server with `nano hardeningtests.sh`, paste in the content from the link below, and run it with `sh hardeningtests.sh`.

Then read the output file `hardeningtests.txt`.

The tests are based on CIS Ubuntu Hardening Standards and a few other output items. Some further clean up to make it clearer is necessary but it's pretty comprehensive.

http://www.gtp.com.au/serverscripts/ubuntu-hardening-tests.sh

Hope it helps.
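The expected-versus-actual approach described in this answer, sketched for the `PermitRootLogin` case from the question (an added example, not the linked script and not the answerer's code). It shows why a plain `grep` for the desired line is not enough: the constructed sample below contains that line both commented out and as a later duplicate, while the first uncommented occurrence is the one that takes effect. Function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed sshd_config-style syntax: "Keyword value", keywords
# case-insensitive, lines starting with '#' are comments, first occurrence of
# a keyword wins. Only global settings are read (parsing stops at the first
# Match block); an absent keyword is a failure, no built-in default is guessed.

# effective_value FILE KEYWORD -> prints the lowercased value, or nothing
effective_value() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }                      # comment line
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# check_directive FILE KEYWORD EXPECTED -> one result line, returns 0 on PASS
check_directive() {
    actual=$(effective_value "$1" "$2")
    [ -n "$actual" ] || actual="(not set)"
    if [ "$actual" = "$3" ]; then status=PASS; else status=FAIL; fi
    printf '%s %s expected=%s actual=%s\n' "$status" "$2" "$3" "$actual"
    [ "$status" = PASS ]
}

# Constructed sample input; on a real host use /etc/ssh/sshd_config instead.
write_sample() {
    cat > "$1" <<'EOF'
# PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
X11Forwarding no
Match User backup
    PasswordAuthentication no
EOF
}

# run_demo DIR -> writes DIR/report.txt, prints the number of failed checks
run_demo() {
    cfg="$1/sshd_config.sample"; report="$1/report.txt"; fails=0
    write_sample "$cfg"; : > "$report"
    while read -r key want; do
        check_directive "$cfg" "$key" "$want" >> "$report" || fails=$((fails + 1))
    done <<'EOF'
PermitRootLogin no
X11Forwarding no
PasswordAuthentication no
EOF
    echo "$fails"
}
```

Calling `run_demo "$(mktemp -d)"` writes `report.txt` into that directory; the list of keyword and expected-value pairs in `run_demo` is where further benchmark items would go.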

1

I would look at Nessus, OpenSCAP and Lynis. Lynis is the best tool that I have encountered thus far. Nessus and OpenSCAP both have more dependencies than Lynis. For example, Red Hat releases OVAL patch definitions, but they may not be compatible with Nessus / OpenSCAP. Lynis does an excellent job at being cross compatible.

Lynis is also free and open source, so that is an added benefit. https://cisofy.com/lynis/ https://github.com/CISOfy/Lynis

Lynis can easily be extended by writing plugins.

cybergirl