issue81:securite_ubuntu
Differences
Below are the differences between two revisions of the page.
issue81:securite_ubuntu [2014/05/09 21:22] – lecastillan | issue81:securite_ubuntu [2014/05/14 14:53] (current version) – andre_domenech | ||
Ligne 1: | Ligne 1: | ||
Systems based on Linux are relatively secure by default. Not only is the amount of malware just a fraction compared with Microsoft Windows, but the architecture of the operating system helps in defending against common attacks. Still, whatever operating system is in use, weaknesses are introduced quickly. In this article we look at some common practices to improve the security of an Ubuntu system and how we can check it ourselves. | Systems based on Linux are relatively secure by default. Not only is the amount of malware just a fraction compared with Microsoft Windows, but the architecture of the operating system helps in defending against common attacks. Still, whatever operating system is in use, weaknesses are introduced quickly. In this article we look at some common practices to improve the security of an Ubuntu system and how we can check it ourselves. | ||
- | **Les systèmes basés sur Linux sont, par défaut, relativement sécurisés. Non seulement par la quantité très minime de logiciels malveillants qui touche ce système d' | + | **Les systèmes basés sur Linux sont, par défaut, relativement sécurisés. Non seulement par la quantité, très minime, de logiciels malveillants qui touche ce système d' |
It all starts with data | It all starts with data | ||
Ligne 9: | Ligne 9: | ||
Usually it's not the operating system nor the application software which is vital to us as users of the system. What really matters to us is the data we create. Photos, written documents, or simply some notes we put into a text file. Security professionals have their holy CIA triad, with Confidentiality, | Usually it's not the operating system nor the application software which is vital to us as users of the system. What really matters to us is the data we create. Photos, written documents, or simply some notes we put into a text file. Security professionals have their holy CIA triad, with Confidentiality, | ||
- | **Habituellement ce n'est pas le système d' | + | **Habituellement ce n'est pas le système d' |
** | ** | ||
Who is Lynis and what does she do? | Who is Lynis and what does she do? | ||
- | **Qu'est ce que Lynis et comment ça marche | + | **Qui est Lynis et que fait-elle |
Lynis is six years old, and helps us by performing a security scan of our system. With all the magic involved, we might almost call her a sorcerer. For now, let's call it an audit and hardening tool. The software is open source, free to use and consists of a set of shell scripts. Each script has a specific goal to fulfill, like scanning the available software, performing tests, or providing specific functions to main Lynis script. | Lynis is six years old, and helps us by performing a security scan of our system. With all the magic involved, we might almost call her a sorcerer. For now, let's call it an audit and hardening tool. The software is open source, free to use and consists of a set of shell scripts. Each script has a specific goal to fulfill, like scanning the available software, performing tests, or providing specific functions to main Lynis script. | ||
- | **Lynis est un projet qui a six ans et qui nous aide en effectuant une analyse de la sécurité de notre système. On pourrait presque l' | + | **Lynis est un projet qui a six ans et qui nous aide en effectuant une analyse de la sécurité de notre système. On pourrait presque l' |
Installation | Installation | ||
+ | |||
+ | **Installation** | ||
When it comes to installation, | When it comes to installation, | ||
+ | |||
+ | **La plupart des utilisateurs d' | ||
+ | ** | ||
To find the latest version, visit to the project website http:// | To find the latest version, visit to the project website http:// | ||
+ | |||
+ | **Pour trouver la dernière version, visitez le site Web du projet http:// | ||
Commands: | Commands: | ||
+ | |||
+ | **Commandes | ||
wget http:// | wget http:// | ||
Ligne 33: | Ligne 42: | ||
sha1sum lynis-1.3.7.tar.gz | sha1sum lynis-1.3.7.tar.gz | ||
- | tar xfvz lynis-1.3.7.tar.gz | + | tar xfvz lynis-1.3.7.tar.gz** |
First run | First run | ||
+ | |||
+ | **Premier lancement** | ||
It is time for our first Lynis run and to determine how well this particular system is secured. Move into the directory (cd lynis-1.3.7) and run it from the local directory (./lynis). Lynis will provide the available parameters. The most common ones are -c (check) and -Q (quick). The first one instructs Lynis to run all tests, and the latter is used to skip waiting after each section. If you prefer to check section by section, then use only -c. | It is time for our first Lynis run and to determine how well this particular system is secured. Move into the directory (cd lynis-1.3.7) and run it from the local directory (./lynis). Lynis will provide the available parameters. The most common ones are -c (check) and -Q (quick). The first one instructs Lynis to run all tests, and the latter is used to skip waiting after each section. If you prefer to check section by section, then use only -c. | ||
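Review bot: the closing `**` appended to `tar xfvz lynis-1.3.7.tar.gz**` pairs with the `**Commandes` opened in the previous hunk, so the wget, sha1sum and tar lines render as part of a bold prose span instead of as a command listing; close the bold right after the "Commandes" heading and leave the three command lines unformatted, as the English column does, so they stay copy-pasteable.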
Ligne 42: | Ligne 53: | ||
lynis -c -Q | lynis -c -Q | ||
+ | |||
+ | **Il est temps de faire un premier lancement de Lynis pour découvrir jusqu' | ||
+ | |||
+ | **Pour nous lancer, nous allons utiliser les paramètres « tous les contrôles » et « rapide », | ||
+ | |||
+ | **lynis -c -Q** | ||
Depending on the software installed and the related configurations, | Depending on the software installed and the related configurations, | ||
+ | |||
+ | **Selon les logiciels installés et leur configuration, | ||
Hardening the system | Hardening the system | ||
+ | |||
+ | **La sécurisation du système** | ||
Now that we have a first impression on how well our system is hardened (or the lack of) the next step is to determine what actions are suitable for our system. As with all changes to a system, there is some risk involved that it may break something, expected or unexpected. So don't try to fix everything in one go, but apply changes in small steps. As usual, start with the quick wins and then move towards the ones which take more time to implement. | Now that we have a first impression on how well our system is hardened (or the lack of) the next step is to determine what actions are suitable for our system. As with all changes to a system, there is some risk involved that it may break something, expected or unexpected. So don't try to fix everything in one go, but apply changes in small steps. As usual, start with the quick wins and then move towards the ones which take more time to implement. | ||
+ | |||
+ | **Maintenant que nous avons une première estimation sur la sécurisation (ou pas) de notre système, la prochaine étape consiste à déterminer les actions qui pourront lui être appliquées. Comme c'est le cas pour toute modification apportée à un système, il y a un certain risque de casser quelque chose, attendu ou inattendu. Ainsi, il ne faut pas essayer de tout corriger en une seule fois, mais plutôt d' | ||
In this case the system seems to be missing security patches, as Lynis found vulnerable packages. As it is a warning, and usually easy to fix, we start with that. When clicking on the Software updater, it notifies us that security patches are available (as expected). That's already something easy to fix, yet very important. | In this case the system seems to be missing security patches, as Lynis found vulnerable packages. As it is a warning, and usually easy to fix, we start with that. When clicking on the Software updater, it notifies us that security patches are available (as expected). That's already something easy to fix, yet very important. | ||
+ | |||
+ | **Dans notre cas, Lynis nous indique que que certains correctifs de sécurité manquent dans notre système, Lynis ayant trouvé des paquets vulnérables. Comme il s'agit d'un avertissement et que c'est généralement facile à résoudre, nous commençons par cela. Un clic sur le gestionnaire de mises à jour et il nous informe que des correctifs de sécurité sont disponibles (comme prévu). Voilà quelque chose de facile à corriger et qui est quand même très important.** | ||
+ | |||
The second warning indicates that Lynis found only one nameserver (or DNS server) configured, or just one that actually works. These servers are used for DNS, which is the engine behind resolving domain names to IP addresses for network communication. While this might be a more serious risk on a server, for our simple desktop one DNS server is fine. If that one stops working, we quickly find out anyways, as we won't be able to browse the web anymore. Servers on the other hand might act in an unexpected way, while we won't always be able to see it. So depending on the role of the system, the warning may be something to seriously consider fixing. In this case we don't mind, and to avoid this warning showing up each time, we can ignore the test in the scan profile. | The second warning indicates that Lynis found only one nameserver (or DNS server) configured, or just one that actually works. These servers are used for DNS, which is the engine behind resolving domain names to IP addresses for network communication. While this might be a more serious risk on a server, for our simple desktop one DNS server is fine. If that one stops working, we quickly find out anyways, as we won't be able to browse the web anymore. Servers on the other hand might act in an unexpected way, while we won't always be able to see it. So depending on the role of the system, the warning may be something to seriously consider fixing. In this case we don't mind, and to avoid this warning showing up each time, we can ignore the test in the scan profile. | ||
+ | |||
+ | **Le deuxième avertissement de Lynis indique qu'un seul serveur de noms (ou serveur DNS) est configuré, ou tout simplement qu'il n'y en a qu'un qui fonctionne réellement. Ces serveurs sont utilisés pour la résolution des noms de domaine en adresses IP pour les communications réseau. Cela représente sans doute un risque plus grave pour un serveur, mais, pour notre simple machine de bureau, cela ira comme ça. Si cet unique serveur DNS s' | ||
We edit default.prf and tell Lynis to skip test NETW-2705, which is the ID found at the end of each warning or suggestion line. | We edit default.prf and tell Lynis to skip test NETW-2705, which is the ID found at the end of each warning or suggestion line. | ||
+ | |||
+ | **Nous éditons Default.prf et nous disons à Lynis de sauter le test NETW-2705, ce qui est l'ID trouvée à la fin de chaque avertissement ou d'une ligne de suggestion.** | ||
default.prf: | default.prf: | ||
- | # ** Skip one or more specific tests ** | + | # Skip one or more specific tests |
# (always ignores scan mode and will make sure the test is skipped) | # (always ignores scan mode and will make sure the test is skipped) | ||
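Review bot: two small fixes in the added translation lines of this hunk: "Lynis nous indique que que certains correctifs" duplicates the word `que`, and "Nous éditons Default.prf" should use lowercase `default.prf`, matching the English text and the `default.prf:` label that follows, since the file name is case-sensitive on Linux.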
Ligne 63: | Ligne 93: | ||
config: | config: | ||
+ | |||
+ | **default.prf : | ||
+ | # Sauter un ou plusieurs tests précis | ||
+ | |||
+ | # (ignore toujours le mode scan et fera en sorte que le test n'est jamais fait) | ||
+ | |||
+ | # config: | ||
+ | |||
+ | config: | ||
So now we installed our security updates and told Lynis that we are fine with only one working DNS server, let's do another run. | So now we installed our security updates and told Lynis that we are fine with only one working DNS server, let's do another run. | ||
+ | |||
+ | **Maintenant que nous avons installé nos mises à jour de sécurité et avons dit à Lynis qu'un seul serveur DNS nous convient, lançons un nouvel audit.** | ||
That is already looking much better! The index not only turned yellow instead of red, it also provided us with additional security due to installing the patches. Since software is usually the weakest link, staying up-to-date with patches from the security repository is important. Ignoring tests won't make a system more secure, but at least it helps us to focus on the things we can really improve. | That is already looking much better! The index not only turned yellow instead of red, it also provided us with additional security due to installing the patches. Since software is usually the weakest link, staying up-to-date with patches from the security repository is important. Ignoring tests won't make a system more secure, but at least it helps us to focus on the things we can really improve. | ||
+ | |||
+ | **C' | ||
+ | ** | ||
As dealing with each individual result would make this a very long article, it is more useful to have a look at dealing with suggestions in general. With each suggestion, the primary focus should be on understanding the meaning behind each suggestion. Secondly, the impact and risk of changing pieces of the configuration. Last, but not least, proper testing and making sure the adjustment has no bad influence on the goal of the machine. For example, blocking access to a web server may result in possibly a more secure system, but it won't be able to handle web requests. | As dealing with each individual result would make this a very long article, it is more useful to have a look at dealing with suggestions in general. With each suggestion, the primary focus should be on understanding the meaning behind each suggestion. Secondly, the impact and risk of changing pieces of the configuration. Last, but not least, proper testing and making sure the adjustment has no bad influence on the goal of the machine. For example, blocking access to a web server may result in possibly a more secure system, but it won't be able to handle web requests. | ||
+ | |||
+ | **Analyser le traitement de chaque résultat individuel rendrait cet article extrêmement long et il est donc plus utile de s' | ||
Since each system has a completely different purpose, some suggestions might be more suitable for servers, while others apply both to desktops and servers. It is up to you, the user, to decide what suggestions are worth investigating. Others can be ignored in the scanning profile, as shown above. | Since each system has a completely different purpose, some suggestions might be more suitable for servers, while others apply both to desktops and servers. It is up to you, the user, to decide what suggestions are worth investigating. Others can be ignored in the scanning profile, as shown above. | ||
+ | |||
+ | **Étant donné que chaque système a un rôle distinct, certaines suggestions pourraient être plus appropriées pour les serveurs, tandis que d' | ||
+ | ** | ||
Useful hints behind each test can be found in the log file (/ | Useful hints behind each test can be found in the log file (/ | ||
+ | |||
+ | **Toutes les suggestions liées à chaque test se trouvent dans le fichier de log (/ | ||
+ | ** | ||
Happy hardening and stay secure! | Happy hardening and stay secure! | ||
+ | **Alors bonne « sécurisation » et restez protégés !** | ||
+ | For more security advice, check out Michael' | ||
- | For more security advice, check out Michaels new monthly security column for FCM. | + | **Pour plus de conseils sur la sécurité, consultez la nouvelle rubrique mensuelle de Michael dans le FCM.** |
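Review bot: the translated profile excerpt starting at `**default.prf :` opens a bold span around the comment lines and the `config:` line, which the English column keeps as plain text; this reintroduces `**` markers into the profile block even though the `# ** Skip one or more specific tests **` markers were deliberately dropped from the untranslated excerpt in the previous hunk. Suggest keeping the profile lines outside any `**` span. Also, the final translated line `**Alors bonne « sécurisation » et restez protégés !**` is the only paragraph not preceded by a blank `+ |` separator line like the others in this revision.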
issue81/securite_ubuntu.1399663374.txt.gz · Last modified: 2014/05/09 21:22 by lecastillan