So today I bring you an interview with the father of both creatures: Michael Boelen. Dutch and a genuine Linux expert. Without doubt someone to learn from, both technically and for developing Lynis, his personal project, and growing it to the point of dedicating himself to it professionally, body and soul.
The interview is in English. I thought about translating it into Spanish, but I think that, as has happened with others I have done, the result would lose its essence. I think it is better to leave it in the original language and, unless you ask me to in the comments, we will leave it that way.
SbD - Michael, you are the developer of Lynis, one of the main automated internal auditing tools for GNU/Linux systems. What made you start developing this useful tool?
Michael Boelen - The best tools or apps are usually created because of a specific need. I needed a quick way to replace hardening guides (like the CIS benchmarks) during my years as a system administrator. Reading the documents simply takes too much time. And instead of just checking the boxes, I wanted a tool that could test systems on a daily basis and tell me what could be improved.
- I guess you use the CIS Benchmarks guides to adjust the checks they recommend to improve your tool. What other sources do you have in mind?
That is the beauty of a tool like Lynis. It is not limited to one single standard or a set of best practices. Instead, we take the most important best practices and combine them into a set of smaller tests. We group them by their focus area, like cryptography, database, mail, web, etc.
- Lynis also has plugins developed by the community, can you tell us about them?
The plugin system of Lynis extends the normal set of tests. Where normal tests have a clear outcome (good, bad, or could be better), plugins are mainly focused on collecting data. This data could then be used during the tests later on, or their output could be stored in a data report. This data report could then be fed into a SIEM, or a management interface.
- Have you ever thought about creating profiles to be able to measure a system's security level depending on the checks that standards like PCI-DSS require?
We definitely have. In 2013 we actually started a company (CISOfy) to put more development into Lynis. For companies that have specific requirements (like being compliant with PCI-DSS, HIPAA, or ISO27001), we offer a management interface. It leverages the Lynis client tool and adds a web-based interface where all data is stored. And when you have all data in one place, the sum and value of all data from all individual systems become much higher. For example, finding the answers to questions such as: how do systems compare? Are similar systems also similarly configured? And for those with a need for compliance checking, the Enterprise version can do a quick scan in this area. Simply add a machine and add a compliance standard, and it will be checked.
- Although Lynis is free, you have this Enterprise version you mentioned. Do you make your living with this project, or do you work somewhere else and Lynis is a hobby or a complementary job for you?
Lynis started as a hobby project in 2007. With the business support from CISOfy in 2013, the project has seen a great increase in the number of users and contributors. I'm full-time involved with business and software development, and that is for us our main stream of income.
- There are other tools that claim to do the same as Lynis, like Linux Check list or LSAT. Why is Lynis better than the rest?
During the last 10 years, several tools have seen the light. The big problem with all the tools: they are badly maintained. Still, I occasionally see new projects show up and, after 6-12 months, stop. With Lynis celebrating its 10th anniversary, you can be assured that it is well-known and still being maintained. Compared to commercial solutions, Lynis is open-source and vendor-neutral. That is another important aspect of our tool. The last one might be surprising, but Lynis is written in shell script. Not in bash, but Bourne shell (/bin/sh). This makes it perfect for people to create their own tests, even if you would use something like Python. Simply fetch the output of your script and embed it into your own test. Another benefit is that Lynis runs on AIX, FreeBSD, OpenBSD, Linux, macOS, and others. As long as you have that basic /bin/sh shell available.
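The pattern Michael describes (a Bourne-shell test that fetches another program's output and turns it into a good / could-be-better verdict) as an added example; this is not Lynis' own code. The Lynis helper names (Register, Display, LogText, ReportWarning), the CUST- test-id prefix and the find(1)-based "external script" are assumptions; the stand-ins at the top let the file run on its own outside Lynis.

```shell
#!/bin/sh
# Added example (not Lynis' own code): a custom test in plain /bin/sh that
# wraps the output of an external program, as described in the interview.
# Register/Display/LogText/ReportWarning are assumed Lynis helper names;
# when this file runs outside Lynis, minimal stand-ins are defined so it
# still executes end to end.

command -v Register >/dev/null 2>&1      || Register() { SKIPTEST=0; }
command -v Display >/dev/null 2>&1       || Display() { printf '%s\n' "$*"; }
command -v LogText >/dev/null 2>&1       || LogText() { :; }
command -v ReportWarning >/dev/null 2>&1 || ReportWarning() { printf 'Warning[%s]: %s\n' "$1" "$2"; }

# The "external script": any program that prints one finding per line.
# Here a constructed inline find(1) call listing world-writable regular files;
# in practice this could be a Python script whose output is fetched the same way.
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# Fetch the script output and reduce it to a number the test can reason about.
count_findings() {
    out=$(find_world_writable "$1")
    [ -z "$out" ] && { echo 0; return 0; }
    printf '%s\n' "$out" | wc -l | tr -d ' '
}

# Map a finding count to a Lynis-style outcome, independent of how the
# data was gathered (this is the "clear outcome" a normal test gives).
verdict() {
    if [ "$1" -eq 0 ]; then echo OK; else echo WARNING; fi
}

# The custom test itself, shaped like a Lynis test block (CUST- id assumed).
custom_test_world_writable() {
    dir="${1:-/tmp}"
    Register --test-no CUST-0010 --weight L --network NO \
        --description "World-writable files in ${dir}"
    if [ "${SKIPTEST:-0}" -eq 0 ]; then
        n=$(count_findings "$dir")
        r=$(verdict "$n")
        LogText "Result: ${n} world-writable file(s) under ${dir}"
        Display --indent 2 --text "- World-writable files in ${dir}" --result "$r"
        [ "$r" = WARNING ] && ReportWarning CUST-0010 "${n} world-writable file(s) in ${dir}"
    fi
}
```

Run it directly to see the stand-in output, or drop the test function into the custom tests file of a Lynis checkout (the assumed location is include/tests_custom) to let Lynis call it with the real helpers.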
- Do you have any tips for people who would like to contribute to open source projects?
Maybe the most important tip is that your involvement with a project could result in the most unbelievable things. Think of finding a job, a mentor, or a friendship. Even if you can't program, you can help make any project better by contributing to the documentation or by sharing areas that could be improved. Even if you find a small typo, that is already worth sharing.
- For those who can do programming, any tips?
If you have the gift of being a developer, then I suggest valuing your time. In my opinion, it is better to make one very good tool than three mediocre tools. Focus on ease of use, documentation, design, sane defaults, contributor guidelines and regular program updates. Last but not least, learn the skill of marketing. Even the best open source tools need marketing.
- Besides Lynis, are there any projects that you are involved in?
People might know me from my first big project in the past, named rkhunter (Rootkit Hunter). While I still read about malware, I don't do as much research nowadays. The time of dissecting rootkits is over. Instead, I put in a lot of time to share knowledge regarding Linux security (like 'The state of Linux security' --> https://linux-audit.com/the-state-of-linux-security/). The blog Linux Audit is one of these places where I share such knowledge. As a technical founder, I find it important to help make the digital world a little bit more secure. By sharing tips and ideas, we can inspire others to take action. Another area includes giving presentations at meetups and conferences. Last year I gave about 10 presentations, most of which are available online. Speaking about conferences, I help to organize one in The Netherlands. It is a Dutch UNIX user group (NLUUG), focused on open standards like open source and GNU/Linux. Besides being a board member, I provide my guidance in the program committee to select the right speakers. And another small side project I'm running is the Twitter handle @infosec_cfp. It helps security specialists to get involved in the call for papers/proposals of any security conference at which they would like to speak.
- If we like to know more about you, what is a good place to look?