ARM, security

Security audit your ARM board with Lynis

Be it a powerful production server or a humble home-hosted ARM board, an internet-facing system requires that we take security very seriously.

But security is hard. No matter how much we try to secure our systems, any small detail we overlook can ruin all our efforts.

In the same way that intruders make use of automated scanning tools to detect vulnerabilities, we also have some tools at hand to help secure our systems and to validate that we are not missing anything.

Lynis is an open source security auditing tool. It is really simple to use and allows us to perform a thorough security analysis.

Installation

Install not only the lynis package, but also some other helpful tools

Probably too much for an ARM board, but in a production server we can also afford to include

We will cover those other tools in another post.

Usage

Just

You can run a non-privileged scan for pentesting

These examples run with the default profile, which you can find in /etc/lynis/default.prf. It is recommended that you add your modifications to custom.prf instead of modifying default.prf directly.

Your modifications to custom.prf will be picked up automatically. If we want to run with another custom profile, we can indicate it with

Warnings will have an explanation and a code, such as ACCT-9628. We will also receive suggestions on how to solve them, and a link to their extensive documentation, in our example this link.

As we try to fix issues, it is handy to see exactly what Lynis checks before issuing a particular warning. We can do this by inspecting the log /var/log/lynis.log, or with the command

Lynis in ARM boards

The output of the above commands will provide us with very valuable information to improve our security and the configuration of our system.

For instance, this is the output after installing on plain Raspbian

We can see that we are granted a score of 57. We should take this score with a grain of salt, but as a rule of thumb, the higher the better, and a score of around 80 is very decent.

We can see that some of these warnings are tailored towards fat x86 servers and might not make sense in our home ARM setups, where we don't have resources to spare and we have different constraints and use cases.

As with anything else in security, there are compromises to be made between security and convenience. For this reason, I add these rules to my custom profile
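The audit, inspect and tune cycle from the Usage section above (run the audit, read the score and warnings, look at what a test checked, then skip in custom.prf the checks that do not apply to the board) as one added shell script. This is an added example, not code from the original post or from Lynis. It assumes lynis is in PATH, that the custom profile lives in /etc/lynis/custom.prf and that the machine-readable report is written to /var/log/lynis-report.dat (both Lynis defaults), and that the report uses the `hardening_index=` and `warning[]=TEST-ID|...` line format; FILE-6310 is only an illustrative test to skip, pick the IDs from your own warnings. The constructed report in the comments is sample data, not real output.

```shell
#!/bin/sh
# Added example (not from the original post): the audit-inspect-tune cycle
# described above, scripted for an ARM board.
# Assumptions not on the page: lynis is in PATH, the custom profile lives in
# /etc/lynis/custom.prf and the machine-readable report is written to
# /var/log/lynis-report.dat (both Lynis defaults). FILE-6310 is only an
# illustrative test to skip; choose IDs from your own warnings.

PROFILE="${LYNIS_PROFILE:-/etc/lynis/custom.prf}"
REPORT="${LYNIS_REPORT:-/var/log/lynis-report.dat}"

# Compose the audit command line. Returned as a string so it can be shown
# (dry run) or executed.
audit_cmd() {
    profile="$1"   # path to a .prf file, or empty to use the defaults only
    mode="$2"      # "pentest" for a non-privileged scan, anything else = full
    cmd="lynis audit system"
    [ -n "$profile" ] && cmd="$cmd --profile $profile"
    [ "$mode" = "pentest" ] && cmd="$cmd --pentest"
    printf '%s\n' "$cmd"
}

# Write a custom profile. Only skip-test lines are used, so default.prf stays
# untouched and survives package upgrades.
write_profile() {
    cat > "$1" <<'EOF'
# custom.prf for a home ARM board (constructed example)
# Single SD-card root: the separate-partition check cannot be satisfied here.
skip-test=FILE-6310
EOF
}

# Test IDs listed as skip-test in a profile, one per line.
skipped_tests() {
    grep -v '^#' "$1" | grep '^skip-test=' | cut -d= -f2
}

# Hardening index from a report file (line: hardening_index=NN).
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# Warning test IDs from a report file (lines: warning[]=TEST-ID|message|...).
warning_ids() {
    grep '^warning\[]=' "$1" | cut -d= -f2 | cut -d'|' -f1
}

# Warnings in the report that the profile does NOT already skip: the list that
# still needs a fix (or a conscious decision to add another skip-test).
open_warnings() {
    report="$1"; prof="$2"
    for id in $(warning_ids "$report"); do
        skipped_tests "$prof" | grep -qx "$id" || echo "$id"
    done
}

# Usage: ./lynis-arm.sh run [pentest]
if [ "${1:-}" = "run" ]; then
    [ -f "$PROFILE" ] || write_profile "$PROFILE"
    sh -c "$(audit_cmd "$PROFILE" "${2:-}")"
    echo "Hardening index: $(hardening_index "$REPORT")"
    for id in $(open_warnings "$REPORT" "$PROFILE"); do
        echo "=== $id ==="
        lynis show details "$id"    # what the test actually looked at
    done
fi
```

Run it as root for the full audit, or with `run pentest` for the non-privileged scan; rerun after each change to custom.prf and watch the open warning list shrink and the hardening index climb. Keeping the skips in custom.prf rather than editing default.prf means the decisions survive package upgrades and are easy to review later.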

For NextCloudPi, the system is a bit different from plain Raspbian, so you can check a more customized profile here.

Currently, NextCloudPi has a 79 hardening score.


Author: nachoparker

Humbly sharing things that I find useful [ github dockerhub ]
