24 January 2017

Interview with Michael Boelen, the creator of Lynis and rkhunter

Surely those of you who have had to administer and harden Linux machines have Lynis as one of your go-to tools for checking whether you have left any hole open. In fact, in the early days of SbD we were already talking about this fantastic tool. But Michael is not only known for Lynis; some time ago he also developed another tool that cannot be missing when a Linux security incident involving a compromised machine is analysed: RKHunter.

So today I bring you an interview with the father of both creations: Michael Boelen. Dutch, and a true Linux expert. Without doubt someone to learn from, both technically and for having developed Lynis, his personal project, and pushed it to the point of devoting himself to it professionally, body and soul.

The interview is in English. I thought about translating it into Spanish, but I think that, as has happened when I did so with others, the result would lose its essence. I think it is better to leave it in the original language and, unless you ask me to in the comments, we will leave it that way.

SbD - Michael, you are the developer of Lynis, one of the main automated internal auditing tools for GNU/Linux systems. What made you start developing this useful tool?

Michael Boelen - The best tools or apps are usually created because of a specific need. I needed a quick way to replace hardening guides (like the CIS benchmarks) during my years as a system administrator. Reading the documents simply takes too much time. And instead of just checking the boxes, I wanted a tool that could test systems on a daily basis and tell me what could be improved.

- I guess you use the CIS Benchmarks guides to adapt the checks they recommend in order to improve your tool. Which other sources do you have in mind?

That is the beauty of a tool like Lynis. It is not limited to one single standard or a set of best practices. Instead, we take the most important best practices and combine them into a set of smaller tests. We group them by their focus area, like cryptography, database, mail, web, etc.

- Lynis also has plugins developed by the community. Can you tell us about them?

The plugin system of Lynis extends the normal set of tests. Where normal tests have a clear outcome (good, bad, or could be better), plugins are mainly focused on collecting data. This data could then be used during the tests later on, or their output could be stored in a data report. This data report could then be fed into a SIEM, or a management interface.

- Have you ever thought about creating profiles to be able to measure a system's security level depending on the checks that standards like PCI-DSS require?

We definitely have. In 2013 we actually started a company (CISOfy) to put more development into Lynis. For companies that have specific requirements (like being compliant with PCI-DSS, HIPAA, or ISO27001), we offer a management interface. It leverages the Lynis client tool and adds a web-based interface where all data is stored. And when you have all data in one place, the sum and value of all data from all individual systems becomes much higher. For example, finding the answers to questions like: how do systems compare? Are similar systems also similarly configured? And for those with a need for compliance checking, the Enterprise version can do a quick scan in this area. Simply add a machine and add a compliance standard, and it will be checked.

- Although Lynis is free, you have the Enterprise version you mentioned. Do you make a living from this project, or do you work somewhere else and Lynis is a hobby or a complementary job for you?

Lynis started as a hobby project in 2007. With the business support from CISOfy in 2013, the project has seen a great increase in the number of users and contributors. I'm full-time involved with business and software development, and that is our main stream of income.

- There are other tools that claim to do the same as Lynis, like Linux Check list or LSAT. Why is Lynis better than the rest?

During the last 10 years, several tools have seen the light. The big problem with all the tools: they are badly maintained. Still, I occasionally see new projects show up and stop after 6-12 months. With Lynis celebrating its 10th anniversary, you can be assured that it is well-known and still being maintained. Compared to commercial solutions, Lynis is open-source and vendor-neutral. That is another important aspect of our tool. The last one might be surprising, but Lynis is written in shell script. Not in bash, but Bourne shell (/bin/sh). This makes it perfect for people to create their own tests, even if you would use something like Python. Simply fetch the output of your script and embed it into your own test. Another benefit is that Lynis runs on AIX, FreeBSD, OpenBSD, Linux, macOS, and others. As long as you have that basic /bin/sh shell available.
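The pattern Michael describes above (a test in plain /bin/sh that fetches the output of your own script and embeds it in a Lynis-style test), as an added example that is not code from the interview or from the Lynis project. It assumes the helper names Register, LogText, Display and ReportSuggestion that Lynis's custom-test template uses; the stubs at the top exist only so the file runs outside Lynis, and the world-writable-file checker and the sample directory are constructed for the demonstration.

```shell
#!/bin/sh
# Assumption: Register/LogText/Display/ReportSuggestion are the Lynis helpers used
# by its custom-test template. The stubs below are defined only when the helpers
# are absent, so this file also runs stand-alone outside Lynis.
command -v Register >/dev/null 2>&1 || {
  Register()         { SKIPTEST=0; }
  LogText()          { :; }
  Display()          { echo "$*"; }
  ReportSuggestion() { echo "SUGGESTION $*"; }
}

# The "external script": prints world-writable regular files under $1, one per
# line. In practice this could be any program (Python, Go, ...) whose output you
# parse; a find(1) one-liner keeps the example self-contained.
ww_checker() {
  find "$1" -type f -perm -0002 2>/dev/null
}

# Fetch the checker output, count findings, return 0 (clean) or 1 (findings).
# WW_FOUND / WW_COUNT are left set so the reporting step can use them.
check_world_writable() {
  WW_FOUND=$(ww_checker "$1")
  WW_COUNT=$(printf '%s\n' "$WW_FOUND" | grep -c .) || true
  [ "$WW_COUNT" -eq 0 ]
}

# Lynis-style custom test (CUST-xxxx is the naming convention for custom tests).
custom_test_world_writable() {
  Register --test-no CUST-0010 --weight L --network NO --category security \
    --description "Check for world-writable files"
  if [ "${SKIPTEST}" -eq 0 ]; then
    if check_world_writable "$1"; then
      Display --indent 2 --text "- World-writable files in $1" --result "OK" --color GREEN
    else
      LogText "Result: ${WW_COUNT} world-writable file(s) found: ${WW_FOUND}"
      Display --indent 2 --text "- World-writable files in $1" --result "WARNING" --color RED
      ReportSuggestion "CUST-0010" "Remove the world-writable bit from files in $1"
    fi
  fi
}

# Constructed sample input: one 0666 file and one 0644 file in a temp directory.
make_sample_dir() {
  d=$(mktemp -d)
  touch "$d/open.txt" "$d/safe.txt"
  chmod 0666 "$d/open.txt"
  chmod 0644 "$d/safe.txt"
  echo "$d"
}
```

Dropped into Lynis's custom tests file, the same function body runs under the real helpers; the stubs are skipped because `command -v Register` then succeeds.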

- Do you have any tips for people that like to contribute to open source projects?

Maybe the most important tip is that your involvement with a project could result in the most unbelievable things. Think of finding a job, a mentor, or a friendship. Even if you can't program, you can help make any project better by contributing to the documentation or by sharing areas that could be improved. Even if you find a small typo, that is already worth sharing.

- For those who can do programming, any tips?

If you have the gift of being a developer, then I suggest valuing your time. In my opinion, it is better to make one very good tool than three mediocre tools. Focus on ease of use, documentation, design, sane defaults, contributor guidelines and regular program updates. Last but not least, learn the skill of marketing. Even the best open source tools need marketing.

- Besides Lynis, are there any projects that you are involved in?

People might know me from my first big project in the past, named rkhunter (Rootkit Hunter). While I still read about malware, I don't do as much research nowadays. The time of dissecting rootkits is over. Instead, I put a lot of time into sharing knowledge regarding Linux security (like 'The state of Linux security' --> https://linux-audit.com/the-state-of-linux-security/). The blog Linux Audit is one of the places where I share such knowledge. As a technical founder, I find it important to help make the digital world a little bit more secure. By sharing tips and ideas, we can inspire others to take action. Another area includes giving presentations at meetups and conferences. Last year I gave about 10 presentations, most of which are available online. Speaking about conferences, I help to organize one in The Netherlands. It is a Dutch UNIX user group (NLUUG), focused on open standards like open source and GNU/Linux. Besides being a board member, I provide guidance in the program committee to select the right speakers. And another small side project I'm running is the Twitter handle @infosec_cfp. It helps security specialists to get involved in the call for papers/proposals of any security conference they would like to speak at.

- If we would like to know more about you, what is a good place to look?

Searching my name would be a good start. You will find I'm on Twitter (@mboelen) and LinkedIn, and I have a personal website (michaelboelen.com). And don't forget to read the blog [https://linux-audit.com] :)