Securing Linux hosts

While Windows hosts mostly have some kind of virus scanner for malicious software, UNIX hosts usually do not ship with such software by default.

There are three software packages that scan UNIX hosts for rootkits and malicious software:

[I] app-forensics/chkrootkit
     Available versions:  [M]0.49 0.50{tbz2} {+cron}
     Homepage:            http://www.chkrootkit.org/
     Description:         Tool to locally check for signs of a rootkit


[I] app-forensics/rkhunter
     Available versions:  1.4.2{tbz2}
     Homepage:            http://rkhunter.sf.net/
     Description:         Rootkit Hunter scans for known and unknown rootkits, backdoors, and sniffers


[I] app-forensics/lynis
     Available versions:  1.6.4{tbz2} (~)2.1.0 (~)2.1.1{tbz2}
     Homepage:            http://cisofy.com/lynis/
     Description:         Security and system auditing tool

chkrootkit only scans the local host for rootkits. The second package in the list, rkhunter, additionally verifies the consistency of the configuration, looks for malicious symlinks in the file system, lists open TCP sockets on the local host, and checks the versions of installed crypto software such as OpenSSH, GnuPG and OpenSSL.

The report of a scan is stored in the local file system and looks like this:

...
Checking application versions...

    Checking version of GnuPG                                [ OK ]
    Checking version of OpenSSL                              [ OK ]
    Checking version of OpenSSH                              [ OK ]


System checks summary
=====================

File properties checks...
    Files checked: 149
    Suspect files: 5

Rootkit checks...
    Rootkits checked : 379
    Possible rootkits: 0

Applications checks...
    Applications checked: 3
    Suspect applications: 0

The system checks took: 5 minutes and 26 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
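An added example, not part of the original post: the summary block above is easy to turn into an exit status that a cron job or monitoring agent can act on, so that a host with suspect files does not go unnoticed. The sample summary is constructed to mirror the report shown above; the real file would be /var/log/rkhunter.log after a run such as `rkhunter --check --skip-keypress`.

```shell
#!/bin/sh
# Added example: turn the "System checks summary" block at the end of an
# rkhunter run into an exit status that cron or a monitoring agent can act on.
# The sample summary below is constructed to mirror the page's report; it is
# not output from a real scan of any host.

RKHUNTER_SAMPLE=$(mktemp)
cat >"$RKHUNTER_SAMPLE" <<'EOF'
System checks summary
=====================

File properties checks...
    Files checked: 149
    Suspect files: 5

Rootkit checks...
    Rootkits checked : 379
    Possible rootkits: 0

Applications checks...
    Applications checked: 3
    Suspect applications: 0

The system checks took: 5 minutes and 26 seconds
EOF

# rkhunter_count FILE LABEL -> the integer after "LABEL:" (tolerates the
# space before the colon that some lines carry), or 0 if the label is absent
rkhunter_count() {
    n=$(sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1)
    printf '%s\n' "${n:-0}"
}

# rkhunter_summary_check FILE -> 0 when every "suspect"/"possible" counter is
# zero, 1 otherwise; prints the counters either way
rkhunter_summary_check() {
    files=$(rkhunter_count "$1" "Suspect files")
    rootkits=$(rkhunter_count "$1" "Possible rootkits")
    apps=$(rkhunter_count "$1" "Suspect applications")
    printf 'suspect files=%s possible rootkits=%s suspect applications=%s\n' \
        "$files" "$rootkits" "$apps"
    if [ "$files" -eq 0 ] && [ "$rootkits" -eq 0 ] && [ "$apps" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Stand-alone run on the constructed sample; against a real host the file
# would be /var/log/rkhunter.log after e.g. `rkhunter --check --skip-keypress`
if rkhunter_summary_check "$RKHUNTER_SAMPLE"; then
    echo "rkhunter: nothing suspicious in summary"
else
    echo "rkhunter: summary reports suspect items, review /var/log/rkhunter.log"
fi
```

A non-zero exit on the sample above (five suspect files) is the intended outcome; the counters alone do not say whether those files are a package upgrade or something worse, so the log still has to be read before the warning is cleared.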

The third application in the list, lynis, is a security auditing tool that scans the local host for:

- available system tools
- boot managers
- kernel configuration
- currently running processes
- users and groups
- shells and file systems
- running services (daemons)
- installed packages, and so on

There are around 30 modules in lynis that verify the configuration of the local host. Lynis is available for:

- BSD
- OSX
- UNIX
- Linux

The final report with suggestions is stored in the local file system and might look like this:

================================================================================

  -[ Lynis 2.1.1 Results ]-

  Warnings:
  ----------------------------
  - None found

  Follow-up:
  ----------------------------
  - Check the logfile for more details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data (Lynis Enterprise users)

================================================================================

  Lynis security scan details:

  Hardening index : 100 [####################]
  Tests performed : 174
  Plugins enabled : 0

  Quick overview:
  - Firewall [X] - Malware scanner [V]

  Lynis Modules:
  - Heuristics Check [NA] - Security Audit [V]
  - Compliance Tests [X] - Vulnerability Scan [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

  Exceptions found
  None exceptional events or information was found!

  What to do:
  You can help improving Lynis by providing your report file.
  Go to https://cisofy.com/contact/ and send your file to the e-mail address listed

================================================================================
  Tip: Disable all tests which are not relevant or are too strict for the
       purpose of this particular machine. This will remove unwanted suggestions
       and also boost the hardening index. Each test should be properly analyzed
       to see if the related risks can be accepted, before disabling the test.
================================================================================

  Lynis 2.1.1
  Auditing, hardening and compliance for BSD, Linux, Mac OS and Unix
  Copyright 2007-2015 - CISOfy, https://cisofy.com
  Enterprise support and plugins available via CISOfy
================================================================================

lynis -c 10.62s user 2.77s system 6% cpu 3:14.07 total
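An added example, not part of the original post: besides the human-readable summary above, Lynis writes /var/log/lynis-report.dat, and that file is the better input for a scripted policy check ("hardening index at least N, no open warnings"). The sample report is constructed; the key names `hardening_index`, `warning[]` and `suggestion[]` and the `|`-separated value layout are assumptions about the report format, not taken from this page.

```shell
#!/bin/sh
# Added example: evaluate the machine-readable report Lynis writes to
# /var/log/lynis-report.dat against a local policy (minimum hardening index,
# no open warnings). The sample report below is constructed; the key names
# hardening_index, warning[] and suggestion[] and the '|'-separated value
# layout are assumed from the report format, not taken from the page.

LYNIS_SAMPLE=$(mktemp)
cat >"$LYNIS_SAMPLE" <<'EOF'
# Lynis Report (constructed sample, not from a real scan)
report_version_major=1
report_version_minor=0
hardening_index=73
warning[]=TEST-0001|Example warning text|-|-|
suggestion[]=TEST-0002|Example suggestion text|-|-|
suggestion[]=TEST-0003|Another suggestion|-|-|
EOF

# lynis_hardening_index FILE -> the integer hardening index (0 if missing)
lynis_hardening_index() {
    n=$(sed -n 's/^hardening_index=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${n:-0}"
}

# lynis_key_count FILE KEY -> number of "KEY=" lines, e.g. KEY='warning[]'
lynis_key_count() {
    awk -F= -v key="$2" '$1 == key { n++ } END { print n + 0 }' "$1"
}

# lynis_warning_ids FILE -> the test id (first '|' field) of every warning
lynis_warning_ids() {
    awk -F'[=|]' '$1 == "warning[]" { print $2 }' "$1"
}

# lynis_report_check FILE MIN_INDEX -> 0 if index >= MIN_INDEX and there are
# no warnings, 1 otherwise; prints the figures and the offending test ids
lynis_report_check() {
    idx=$(lynis_hardening_index "$1")
    warnings=$(lynis_key_count "$1" 'warning[]')
    suggestions=$(lynis_key_count "$1" 'suggestion[]')
    printf 'hardening index=%s warnings=%s suggestions=%s\n' \
        "$idx" "$warnings" "$suggestions"
    status=0
    if [ "$idx" -lt "$2" ]; then
        echo "hardening index $idx is below the required $2"
        status=1
    fi
    if [ "$warnings" -gt 0 ]; then
        echo "open warnings:"
        lynis_warning_ids "$1" | sed 's/^/  /'
        status=1
    fi
    return "$status"
}

# Stand-alone run on the constructed sample; on a real host the file would be
# /var/log/lynis-report.dat after a run such as `lynis -c --cronjob`
if lynis_report_check "$LYNIS_SAMPLE" 80; then
    echo "lynis: policy satisfied"
else
    echo "lynis: policy NOT satisfied"
fi
```

Suggestions are counted but do not fail the check on purpose: the tip in the report above applies here too, each suggestion should be judged against the machine's purpose and either fixed or consciously accepted, and the threshold should only be raised once that has been done.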

These three tools can improve the security of the scanned Linux box. However, nothing replaces a sane configuration and a sharp eye. They point out where to look, or which service configuration could be made more robust, or simpler.

In the end nothing can replace a sane configuration of a *NIX host, and only you can verify that. Continuous improvement of the configuration, using best current practices where they apply, patching security holes, keeping things simple and automating configuration tasks are only a few examples of how to minimise security risks.