Audit the security of your Linux system with LSAT – Linux Security Auditing Tool

Linux Security Auditing Tool (commonly called LSAT) is a security auditing tool for Linux/Unix. It analyses the system and network configuration of your platform in order to detect possible security weaknesses. In addition, it can list unused modules.

It runs on Linux (x86: Gentoo, RedHat, Debian, Mandrake; Sparc: SunOS (2.x), RedHat sparc, Mandrake Sparc; Apple OS X).

You can download LSAT directly from the author's site or from the LSAT Sourceforge page.

Installing LSAT

Simply follow the author's installation instructions; LSAT now ships with an installation file, so it is very straightforward.

Using LSAT

To run LSAT, enter:

./lsat [OPTIONS]

To display the OPTIONS, type:

./lsat -a

The available options are the following:

-d diff current and old md5, output in lsatmd5.diff
-f Force a specific distribution test.
   Distro names are:
   If no -f option, lsat will guess. If lsat can
   not guess the distribution, default is redhat.
-a Show this (advanced) help page
-o Output file name -- default is lsat.out
-r Check rpm integrity -- redhat or mandrake only
-s Silent mode
-v Verbose output
-w Output file in html format
-x eXclude module(s) in filelist from checks...
   modules listed in filename will be excluded
   from checks. Valid module names are the module
   names themselves without the check.
   (e.g. set not checkset)

List of modules shipped with the package (descriptions reproduced from the tool, in English)

- Checks for boot loader password.
- Currently only for grub and lilo.

- This module is performed last
- RedHat specific. Just prints out /sbin/chkconfig --list so that
the user can perform a visual inspection.

- Looks for .forward, .exrc, .rhosts and .netrc files on the system.
- Does not span "other" filesystems.

- checks that /tmp and /var/tmp have sticky bit set
- checks utmp, wtmp, motd, mtab for chmod 644.
- checks /usr, /var dirs/files for root ownership.

- checks that all accounts in /etc/passwd are in /etc/ftpusers.

- Reads /etc/hosts.allow and /etc/hosts.deny files
- Checks deny for ALL:ALL statement.
- Checks allow for any ALL statements.

- Checks either /etc/inetd.conf or /etc/xinetd.d/*
- If inetd.conf, it checks for entries not hashed out.
(All entries should be commented out :)
- If xinetd.d it checks all files in that dir for disable = yes.

- Checks to see if default runlevel is 5. If it is, give the user a warning.

- Checks to see that common forwarding and ignoring are off/on in ipv4.

- checks to make sure that /etc/motd, /etc/issue and /etc/
do not exist, or if they do, warn the user.

- checks that ctrlaltdel function is disabled under linux.
- checks for KEYBOARD_DISABLE to be enabled under Solaris.

- performs simple check of limits.conf file

- performs a simple check to see if auth and authpriv logging facilities are on.
This is really for older linux versions/distros as I know that RedHat and
others now have this on by default.

- performs md5sum on all regular files on the system and saves in lsatmd5.out
- Only runs when -m switch is used
- if run more than once, old output is copied to lsatmd5.old

- checks to see if loadable kernel modules are enabled

- checks what ports the system is listening to.
- (may not check _all_ ports. I have to RTFM on this one)

- checks that ipv4 forwarding is disabled under linux
- checks that ipforwarding & source routing are disabled under Solaris
- checks that norouter & defaultrouter exist under Solaris

- checks to see if any interface is in promiscuous mode

- checks all open files on the system using lsof (if installed)

- checks /etc/passwd for unneeded accounts.
- checks that only root is SUID=0.

- checks /etc/passwd for user accounts
- prints out list of password expiration information on those accounts

- Checks list of packages (rpms, debs) installed on the system.
- Checks against a list of "should not have" rpms.
- (this list quite possibly needs to be expanded)

- checks system for available updates and prints out the list of updates
- does not work on Solaris or Mac OS X
- will also print out error (such as gentoo blocks, etc)

- checks /etc/rcn.d or /etc/rc.d/init.d and reports unneeded scripts.

checkrpm: (redhat specific)
- check to see if we are on redhat, and if we are...
- use the built in rpm -Va to verify rpms on the system.

- check to see if ttys other than tty[1-6] are in /etc/securetty

- Checks system for all setuid/setgid files.
- Also checks for block or char files in /dev/ that do not belong.

- check some security features of ssh for instance:
root logins, X11 forwarding and the like.

- checks that the default umask on the system is sensible.

- Checks system for world writable files.

- check to see if ExecCGIs are enabled.
- check to see who is running httpd/apache.

- checks for common security settings in the X window setup.

- checks for applications listening. This is an "extra" test
used in conjunction with ifconfig / ip testing.
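As an added illustration (not LSAT's own code), the script below reimplements four of the checks described in the module list above, namely the sticky bit on /tmp, the ALL: ALL line in hosts.deny, "disable = yes" in every xinetd.d file, and PermitRootLogin / X11Forwarding in sshd_config, as shell functions that take the path to inspect as an argument. The fixture tree it builds is constructed for the demonstration and does not reflect any real host.

```shell
#!/bin/sh
# Added example (not LSAT's code): four checks from the module list as functions taking a path.

# Sticky bit on a shared temp directory (LSAT: /tmp and /var/tmp).
check_sticky() {
    [ -k "$1" ]    # status 0 when the sticky bit is set
}

# hosts.deny must carry a catch-all "ALL: ALL" line (comments ignored).
check_hosts_deny() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'
}

# Every service file in an xinetd.d directory should say "disable = yes".
# Prints services still enabled; status 0 only if none are.
check_xinetd_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" \
            || { echo "enabled service: $(basename "$f")"; bad=1; }
    done
    return $bad
}

# sshd_config: report root logins and X11 forwarding when they are enabled.
check_sshd_config() {
    bad=0
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$1" && { echo "PermitRootLogin yes"; bad=1; }
    grep -Eiq '^[[:space:]]*X11Forwarding[[:space:]]+yes' "$1" && { echo "X11Forwarding yes"; bad=1; }
    return $bad
}

# Constructed fixture tree (not a real host) so the checks run offline;
# prints its path. telnet is left enabled and root login allowed on purpose.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp" "$d/xinetd.d" && chmod 1777 "$d/tmp"
    printf '# deny everything by default\nALL: ALL\n' > "$d/hosts.deny"
    printf 'service telnet\n{\n\tdisable = no\n}\n' > "$d/xinetd.d/telnet"
    printf 'service echo\n{\n\tdisable = yes\n}\n' > "$d/xinetd.d/echo"
    printf 'PermitRootLogin yes\nX11Forwarding no\n' > "$d/sshd_config"
    echo "$d"
}

FIX=$(build_fixture)
check_sticky "$FIX/tmp" && echo "OK: sticky bit set on $FIX/tmp"
check_hosts_deny "$FIX/hosts.deny" && echo "OK: hosts.deny denies ALL: ALL"
check_xinetd_dir "$FIX/xinetd.d" || echo "WARN: xinetd service(s) still enabled"
check_sshd_config "$FIX/sshd_config" || echo "WARN: weak sshd settings"
```

To audit a live host, point the functions at the real paths (/tmp, /etc/hosts.deny, /etc/xinetd.d, /etc/ssh/sshd_config) instead of the fixture.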
