CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0
13.46k stars 1.49k forks

Consider to add MFA checking on Lynis #1476

Open Constacalm opened 7 months ago

Constacalm commented 7 months ago

Is your feature request related to a problem? Please describe.

All users may have a problem with ranking when using MFA. For example, if a system already has a strong password policy (via pam_pwquality, for example), but the admin also adds TOTP MFA support (via the Google Authenticator PAM module) or even strong MFA (a FIDO2/U2F YubiKey PAM module), like Yubico YubiKey/Google Titan/Rutoken MFA, etc., the Lynis security scanner doesn't check such functionality. And that's why Lynis doesn't rank these MFA capabilities at all.

Describe the solution you'd like

Maybe a solution would be to write some checks on Linux (maybe not only Linux) PAM module configuration. To check in those PAM configurations for something like:

auth required pam_googleauthenticator.so (for the Google Authenticator PAM module)

or

auth required pamu2f.so (for PAM modules related to strong hardware MFA based on YubiKey)

and rating them after all

Required changes

Probably consider developing new tests in

https://github.com/CISOfy/lynis/blob/master/include/tests_authentication

to check these MFA additions. Or even to develop a completely new script? I.e.:

https://github.com/CISOfy/lynis/blob/master/include/tests_mfa

Additional context

On one hand, these checks may take a lot of variants for each operating system and its PAM module config. On the other hand, it may also vary between a system-wide PAM module and, for example, TTY login only. But it can also be ranked differently for system-wide MFA and non-system-wide MFA configurations.

mboelen commented 6 months ago

Thanks for your suggestion. We do have some PAM checks in a plugin, but that does not provide suggestions to enable it.

Although I see the benefit of adding it and encourage users to enable MFA, there is as you also noticed a wide range of options. One could even argue that time is better spent on securing your SSH configuration and making that part MFA.

What I will do is mark this suggestion and see if there are more people who want to help drafting up a set of tests.

Constacalm commented 5 months ago

Ok, Mark, I'll try to write some checks on ssh with mfa, as soon as I have some more time.

Do you think that ssh hardening with MFA is more important for some people, or more universal in case of developing?

mboelen commented 5 months ago

Sure, sounds good.

Hard to say as a general statement. It strongly depends on the risk involved. After all, systems can be protected via different security measures.

Constacalm commented 5 months ago

I'm starting to make some first drafts for checking sshd+MFA.

I'm sure enough that without MFA it's impossible to get a secure Linux system at all. In the case of X11 xinput leaks, or escapes from su/sudo with shell function capabilities, for example.

And checking and enabling ssh+TOTP seems to be a very first step. At least for all privileged accounts.

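One shape such a test could take, covering both the PAM-module check from the opening request and the sshd+MFA check discussed above. This is an added example written for this page; it is not Lynis code and not the drafts the commenter mentions. It assumes the module file names shipped by the respective projects (pam_google_authenticator.so from google-authenticator-libpam, pam_u2f.so from Yubico pam-u2f; the other names in MFA_MODULES are likewise assumptions) and reads everything from a constructed sample tree under a temporary directory, so nothing on the real host is touched. The reason the sshd half exists: sshd only runs the PAM "auth" stack for keyboard-interactive (or password) logins, so a TOTP line in /etc/pam.d/sshd is silently bypassed by key-only logins unless AuthenticationMethods requires keyboard-interactive as a second factor, which is what the weak and hardened sshd_config samples contrast.

```shell
#!/bin/sh
# Added example, not Lynis code: a Lynis-style MFA check that lists known MFA
# modules on "auth" lines of PAM service files, then checks whether sshd is
# configured so that the PAM factor is actually enforced on every login.

# Module file names as shipped by their projects (assumed list; extend it).
MFA_MODULES="pam_google_authenticator.so pam_u2f.so pam_oath.so pam_yubico.so pam_duo.so"

# Constructed sample configuration tree so the script runs offline.
SAMPLE_ROOT="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/etc/pam.d" "$SAMPLE_ROOT/etc/ssh"
cat > "$SAMPLE_ROOT/etc/pam.d/sshd" <<'EOF'
# PAM configuration for the Secure Shell service
auth       required     pam_google_authenticator.so nullok
@include common-auth
account    required     pam_nologin.so
EOF
cat > "$SAMPLE_ROOT/etc/pam.d/sudo" <<'EOF'
auth       required     pam_u2f.so cue
EOF
cat > "$SAMPLE_ROOT/etc/pam.d/login" <<'EOF'
auth       [success=1 default=ignore]  pam_unix.so nullok
auth       requisite    pam_deny.so
EOF
# Weak: a key alone satisfies sshd, so the TOTP line in pam.d/sshd never runs.
cat > "$SAMPLE_ROOT/etc/ssh/sshd_config" <<'EOF'
UsePAM yes
KbdInteractiveAuthentication yes
#AuthenticationMethods publickey,keyboard-interactive
EOF
# Hardened: every login needs a key plus the PAM (keyboard-interactive) factor.
cat > "$SAMPLE_ROOT/etc/ssh/sshd_config.hardened" <<'EOF'
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF

# pam_mfa_modules FILE -> prints each known MFA module found on an "auth" line.
# Handles "auth required mod.so" and "auth [success=1 default=ignore] mod.so";
# files pulled in via @include are not followed (a real test should recurse).
pam_mfa_modules() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' "$1" |
    awk '$1 == "auth" {
            i = 3
            if ($2 ~ /^\[/) while (i <= NF && $(i-1) !~ /\]$/) i++
            print $i
         }' |
    while read -r mod; do
        base=$(basename "$mod")
        for m in $MFA_MODULES; do
            if [ "$base" = "$m" ]; then echo "$base"; fi
        done
    done
}

# sshd_option CONFIG KEYWORD -> effective value: sshd honours the first
# occurrence of a keyword, later duplicates are ignored (Match blocks not handled).
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# sshd_requires_mfa CONFIG -> exit 0 only if PAM is in use and every allowed
# method list in AuthenticationMethods pairs keyboard-interactive with another method.
sshd_requires_mfa() {
    [ "$(sshd_option "$1" UsePAM)" = "yes" ] || return 1
    kbd=$(sshd_option "$1" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_option "$1" ChallengeResponseAuthentication)
    [ -n "$kbd" ] || kbd=yes      # sshd_config(5) default
    [ "$kbd" = "yes" ] || return 1
    methods=$(sshd_option "$1" AuthenticationMethods)
    [ -n "$methods" ] || return 1
    for alt in $methods; do
        case "$alt" in
            *keyboard-interactive*,*|*,*keyboard-interactive*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# report ROOT -> Lynis-style findings for a configuration tree rooted at ROOT.
report() {
    for svc in sshd sudo login; do
        found=$(pam_mfa_modules "$1/etc/pam.d/$svc")
        if [ -n "$found" ]; then
            echo "[ OK ] PAM service $svc uses MFA module(s):" $found
        else
            echo "[ WARNING ] PAM service $svc has no MFA module in its auth stack"
        fi
    done
    if sshd_requires_mfa "$1/etc/ssh/sshd_config"; then
        echo "[ OK ] sshd requires a second factor on every login"
    else
        echo "[ SUGGESTION ] set AuthenticationMethods publickey,keyboard-interactive (with UsePAM yes) so the PAM factor is enforced"
    fi
}

report "$SAMPLE_ROOT"
```

Run it as-is and it reports on the sample tree; pointed at a real host it would need `/` as ROOT, include-following for `@include`/`include` lines, and `sshd -T` instead of parsing sshd_config by hand so that Match blocks and defaults are resolved the way sshd resolves them. A module appearing in the auth stack is only half the finding; the sshd part is what tells you whether the factor is ever asked for.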
vk6xebec commented 2 days ago

+1, strong support to see this implemented. Having such a check in place allows system admins and newbies to investigate the possibility of hardening a system as best they can, and a test will trigger a check they can look into. If they choose not to implement them, that's their call, but at least the trigger is there. I would suggest that having the YubiKey option generate higher hardening points than TOTP, as even the best proponents of network security (David Bombal) have fallen victim to TOTP.