Last week we passed along some information on a Unix audit tool called Lynis, maintained by Michael Boelen (https://cisofy.com/lynis/). The value of this tool is that it is an open script that auditors can give to system administrators to run on their Unix servers in order to assess specific technical security controls on the system.
If an auditor chose to use this tool to gather data, likely the process would look something like this:
- The auditor gives a copy of the script to the data custodian (system administrator).
- The system administrator runs the script on the target machine (note, it does not work across the network).
- Lynis produces an output file: /var/log/lynis-report.dat (location can be customized).
- The system administrator gives the auditor a copy of this output file.
- The auditor parses the file for relevant information to include in their findings report.
Unfortunately the output report isn’t quite as pretty as you might hope. The auditor will need to plan on spending some time parsing the outputs of the report file in order to gather useful information that can be included in their audit report. The data can most certainly be copy and pasted and manually edited, but why not use a little command line scripting to make our lives easier.
At a minimum, an auditor will want to parse a list of all the warnings and suggestions automatically made by the tool. Let’s use built in commands, like the Linux cat, grep, and sed commands. A simple command line command that will give an auditor the ability to parse out only the warnings made in the report file is the following:
cat /var/log/lynis-report.dat | grep warning | sed –e ‘s/warning\[\]\=//g’
The same can be done with the suggestions as well using the following command line syntax:
cat /var/log/lynis-report.dat | grep suggestion | sed –e ‘s/suggestion\[\]\=//g’
A couple other commands that you might want to play with to parse this file are the following commands as well. The following gathers a list of all installed software packages on the system:
cat /var/log/lynis-report.dat | grep installed_package | sed –e ‘s/installed_package\[\]\=//g’
The following command gathers a list of all the installed shells on the system from the report:
cat /var/log/lynis-report.dat | grep available_shell | sed –e ‘s/available_shell\[\]\=//g’
You get the idea. The system administrator can provide the auditor one output file, and the auditor could easily write a parsing script based on this syntax to completely parse the file into a manageable output that is a little more friendly to read.
We hope this inspires you to continue writing your own scripts to automate the audit process. The more we can automate, the faster our audit analysis. The faster our audit analysis, the more technical audits we can perform and the more likely our systems will be properly secured. Until next time…