Securing Linux hosts
While Windows hosts mostly run some kind of virus scanner for malicious software, UNIX hosts mostly do not have such software installed by default.
There are three software packages that scan UNIX hosts for rootkits and malicious software:
[I] app-forensics/chkrootkit
Available versions: [M]0.49 0.50{tbz2} {+cron}
Homepage: http://www.chkrootkit.org/
Description: Tool to locally check for signs of a rootkit
[I] app-forensics/rkhunter
Available versions: 1.4.2{tbz2}
Homepage: http://rkhunter.sf.net/
Description: Rootkit Hunter scans for known and unknown rootkits, backdoors, and sniffers
[I] app-forensics/lynis
Available versions: 1.6.4{tbz2} (~)2.1.0 (~)2.1.1{tbz2}
Homepage: http://cisofy.com/lynis/
Description: Security and system auditing tool
While chkrootkit only scans the local host for rootkits, the second tool in the list (rkhunter) additionally verifies the consistency of the configuration, checks for malicious symlinks in the file system and open TCP sockets on localhost, and checks the versions of installed crypto software such as OpenSSH, GnuPG or OpenSSL.
The report of a scan is stored in the local file system and looks like this:
...
Checking application versions...
Checking version of GnuPG [ OK ]
Checking version of OpenSSL [ OK ]
Checking version of OpenSSH [ OK ]
System checks summary
=====================
File properties checks...
Files checked: 149
Suspect files: 5
Rootkit checks...
Rootkits checked : 379
Possible rootkits: 0
Applications checks...
Applications checked: 3
Suspect applications: 0
The system checks took: 5 minutes and 26 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
The third application in the list (lynis) is a security auditing tool that scans the local host for:
- available system tools
- boot managers
- kernel configuration
- currently running processes
- users and groups
- shells and filesystems
- running services (daemons)
- installed packages, etc.
There are around 30 modules in lynis that verify the configuration of localhost. Lynis is available for:
- BSD
- OSX
- UNIX
- Linux
The final report with suggestions is stored in the local filesystem and might look like this:
================================================================================
-[ Lynis 2.1.1 Results ]-
Warnings:
----------------------------
- None found
Follow-up:
----------------------------
- Check the logfile for more details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 100 [####################]
Tests performed : 174
Plugins enabled : 0
Quick overview:
- Firewall [X] - Malware scanner [V]
Lynis Modules:
- Heuristics Check [NA] - Security Audit [V]
- Compliance Tests [X] - Vulnerability Scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Exceptions found
None exceptional events or information was found!
What to do:
You can help improving Lynis by providing your report file.
Go to https://cisofy.com/contact/ and send your file to the e-mail address listed
================================================================================
Tip: Disable all tests which are not relevant or are too strict for the
purpose of this particular machine. This will remove unwanted suggestions
and also boost the hardening index. Each test should be properly analyzed
to see if the related risks can be accepted, before disabling the test.
================================================================================
Lynis 2.1.1
Auditing, hardening and compliance for BSD, Linux, Mac OS and Unix
Copyright 2007-2015 - CISOfy, https://cisofy.com
Enterprise support and plugins available via CISOfy
================================================================================
lynis -c 10.62s user 2.77s system 6% cpu 3:14.07 total
These three tools might improve the security of the scanned Linux box. However, nothing can replace a sane configuration and a sharp eye. They will point out where to look, or which service configuration could be made more robust or simpler.
In the end nothing can replace a sane configuration of a *NIX host, which only you can verify. Continuous improvement of the configuration, using best current practices where they apply, patching security holes, keeping things simple and automating configuration tasks are only a few examples of how to minimise security risks.
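As an added example (not from the original post, nor from the rkhunter or lynis projects), the following POSIX shell turns the two report summaries quoted above into exit statuses that a cron job or monitoring check can act on, so that a scan with suspect files or a low hardening index does not go unnoticed in a mailbox. The sample texts are constructed from the reports shown above; the hardening threshold of 80 is an assumed local policy, not a lynis default.

```shell
# Added example (not from the original post): turn the rkhunter and lynis
# summaries quoted above into exit statuses that a cron job can act on.
# The 80-point hardening threshold is an assumed local policy, not a lynis default.

# Print the integer after "LABEL :" in the text on stdin, e.g. "Suspect files: 5"
# or "Hardening index : 100 [####]"; prints nothing when the label is absent.
report_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# rkhunter: return 0 only if every suspect counter in the summary is 0.
# A missing counter is treated as a finding, so a truncated log cannot pass.
rkhunter_clean() {
    text=$(cat)
    for label in "Suspect files" "Possible rootkits" "Suspect applications"; do
        n=$(printf '%s\n' "$text" | report_field "$label")
        case "$n" in
            0) ;;            # clean
            *) return 1 ;;   # non-zero count, or the counter was missing
        esac
    done
    return 0
}

# lynis: return 0 only if the hardening index reaches the threshold and the
# Warnings section lists nothing except "- None found".
lynis_acceptable() {
    threshold=$1
    text=$(cat)
    index=$(printf '%s\n' "$text" | report_field "Hardening index")
    [ "${index:-0}" -ge "$threshold" ] || return 1
    warnings=$(printf '%s\n' "$text" | sed -n '/^Warnings:/,/^Follow-up:/p' \
               | grep '^- ' | grep -v '^- None found' || true)
    [ -z "$warnings" ]
}

# Constructed samples, cut down from the two reports quoted in the post.
RKHUNTER_SAMPLE='Files checked: 149
Suspect files: 5
Possible rootkits: 0
Suspect applications: 0'
LYNIS_SAMPLE='Warnings:
----------------------------
- None found
Follow-up:
Hardening index : 100 [####################]'

if printf '%s\n' "$RKHUNTER_SAMPLE" | rkhunter_clean; then echo "rkhunter: clean"; else echo "rkhunter: findings, review /var/log/rkhunter.log"; fi
if printf '%s\n' "$LYNIS_SAMPLE" | lynis_acceptable 80; then echo "lynis: acceptable"; else echo "lynis: below policy, review /var/log/lynis.log"; fi
```

On a real host, feed the checks from the log files the reports name (`/var/log/rkhunter.log` and `/var/log/lynis.log`) instead of the constructed samples.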