Learning Objectives
After completing this lab, students will be able to:
- Understand the concepts and methodology of a system security audit
- Use security audit tools such as Lynis, chkrootkit, and rkhunter
- Perform vulnerability scanning with OpenVAS and Nikto
- Analyze system logs to detect anomalies
- Produce a comprehensive security audit report
Supporting Theory
Security Scanning
Identifying known vulnerabilities in systems and applications
Penetration Testing
Simulating attacks to actively test a system's defenses
Compliance Audit
Verifying a system against security standards (CIS, NIST, ISO 27001)
Log Analysis
Analyzing system logs to detect anomalies and suspicious activity
OWASP Top 10
The most critical web application security risks
CIS Benchmarks
Security configuration benchmarks for a wide range of platforms
NIST Cybersecurity Framework
Cybersecurity framework published by the US National Institute of Standards and Technology
ISO 27001
International standard for information security management
Security Audit Methodology
Phases of a security audit:
- Planning - scope definition and authorization
- Discovery - information gathering and vulnerability scanning
- Assessment - penetration testing and risk analysis
- Reporting - documentation and recommendations
- Remediation - fix implementation and verification
System Hardening Assessment with Lynis
1. Install Lynis
sudo apt update && sudo apt upgrade -y
sudo apt install git -y
cd /opt
sudo git clone https://github.com/CISOfy/lynis
cd lynis
2. Run a Full System Audit
sudo mkdir -p /audit/{reports,logs,tools}
sudo chmod 755 /audit
sudo ./lynis audit system --verbose --logfile /audit/logs/lynis.log
sudo ./lynis audit system --tests-from-category "authentication"
sudo ./lynis audit system --tests-from-category "networking"
3. Analyze the Audit Results
Lynis writes a human-readable log to the file given with --logfile and its machine-readable results to /var/log/lynis-report.dat (one key=value line per item; warnings and suggestions are stored as warning[]=... and suggestion[]=... and the score as hardening_index=...). An individual test id from that file can be explained with lynis show details <TEST-ID>.
sudo grep -iE "(warning|suggestion)" /audit/logs/lynis.log
sudo ./lynis show report | sudo tee /audit/reports/lynis_report.txt > /dev/null
sudo grep -E "^(warning|suggestion)\[\]=" /var/log/lynis-report.dat
sudo grep "^hardening_index=" /var/log/lynis-report.dat
4. Interpreting Lynis Results
| Level | Meaning | Action |
| --- | --- | --- |
| Warnings | Critical security issues that must be addressed immediately | Immediate action required |
| Suggestions | Recommendations for improving security | Schedule for implementation |
| Hardening Index | System security score (0-100) | Benchmark against standards |
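The shell functions below turn a Lynis report file into the three numbers the table above asks for (warnings, suggestions, hardening index) plus a prioritized findings list. This is an added example, not code from Lynis or from this handout; it assumes the key=value layout of /var/log/lynis-report.dat described above, and the report it reads is a constructed sample embedded in the script (test ids modelled on real Lynis output, values made up).

```shell
#!/bin/sh
# Added example (not part of Lynis or this handout): summarize a Lynis report.
# Lynis writes key=value lines to /var/log/lynis-report.dat; warnings and
# suggestions have the form  warning[]=TEST-ID|message|details|-|  and the
# score is stored as  hardening_index=NN.

# Constructed sample report standing in for /var/log/lynis-report.dat.
SAMPLE_REPORT="$(mktemp)"
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
report_version_major=1
hostname=lab-vm
hardening_index=64
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
EOF

# Number of findings of one kind ("warning" or "suggestion"); prints 0 when none.
lynis_count() {  # $1 = report file, $2 = kind
    grep -c "^$2\[\]=" "$1" || true
}

# The hardening index (0-100) recorded in the report.
lynis_hardening_index() {  # $1 = report file
    sed -n 's/^hardening_index=//p' "$1"
}

# Test ids of one kind, sorted, one per line.
lynis_ids() {  # $1 = report file, $2 = kind
    sed -n "s/^$2\[\]=\([^|]*\)|.*/\1/p" "$1" | sort
}

# All findings as "kind TEST-ID message", warnings first so that the
# "immediate action" items lead the report.
lynis_findings() {  # $1 = report file
    for kind in warning suggestion; do
        sed -n "s/^$kind\[\]=\([^|]*\)|\([^|]*\)|.*/$kind \1 \2/p" "$1"
    done
}

echo "Hardening index: $(lynis_hardening_index "$SAMPLE_REPORT")/100"
echo "Warnings: $(lynis_count "$SAMPLE_REPORT" warning), suggestions: $(lynis_count "$SAMPLE_REPORT" suggestion)"
lynis_findings "$SAMPLE_REPORT"
```

On a real system replace the heredoc with the path /var/log/lynis-report.dat (readable as root); the functions do not depend on the sample.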
Malware Detection with chkrootkit and rkhunter
1. Install and Run chkrootkit
sudo apt install chkrootkit -y
sudo chkrootkit -q | sudo tee /audit/logs/chkrootkit.log
sudo grep -i "infected" /audit/logs/chkrootkit.log
sudo grep -i "warning" /audit/logs/chkrootkit.log
sudo grep -i "suspicious" /audit/logs/chkrootkit.log
2. Install and Run rkhunter
sudo apt install rkhunter -y
sudo rkhunter --update
sudo rkhunter --check --sk --vl | sudo tee /audit/logs/rkhunter.log
sudo grep -i "warning" /audit/logs/rkhunter.log
sudo grep -i "suspicious" /audit/logs/rkhunter.log
(The output is written through sudo tee because /audit is owned by root; a plain > redirection is performed by the unprivileged shell and fails with permission denied.)
3. Automated Monitoring with rkhunter
Edit /etc/default/rkhunter (sudo nano /etc/default/rkhunter) and set:
CRON_DAILY_RUN="true"
APT_AUTOGEN="true"
Then refresh the file-properties database and add a weekly check to the system crontab. Run --propupd only on a system you have reason to believe is clean: it records the current file properties as the baseline that later checks are compared against.
sudo rkhunter --propupd
echo "0 2 * * 0 root /usr/bin/rkhunter --cronjob --update --quiet" | sudo tee -a /etc/crontab
Vulnerability Scanning with OpenVAS
1. Install OpenVAS (Greenbone Vulnerability Management)
sudo apt install redis-server -y
sudo add-apt-repository ppa:mrazavi/gvm
sudo apt update
sudo apt install gvm -y
sudo gvm-setup
sudo apt install gvm-tools -y
2. Run a Vulnerability Scan
Scans are driven over the Greenbone Management Protocol (GMP). The commands below use gvm-cli from gvm-tools on the local gvmd socket (add --socketpath if your socket is not at the default location). <ADMIN_PASSWORD> is the admin password set during installation; the other <...> placeholders are ids returned in the response of the previous command: <get_configs/> lists the scan configurations (use the id of "Full and fast"), <get_scanners/> lists the OpenVAS scanner, <create_target> and <create_task> return the new object's id, <start_task> returns the report id, and <get_tasks> shows progress until the status is Done.
sudo gvm-cli socket --gmp-username admin --gmp-password '<ADMIN_PASSWORD>' --xml '<get_configs/>'
sudo gvm-cli socket --gmp-username admin --gmp-password '<ADMIN_PASSWORD>' --xml '<get_scanners/>'
sudo gvm-cli socket --gmp-username admin --gmp-password '<ADMIN_PASSWORD>' --xml '<create_target><name>Local Host</name><hosts>127.0.0.1</hosts></create_target>'
sudo gvm-cli socket --gmp-username admin --gmp-password '<ADMIN_PASSWORD>' --xml '<create_task><name>Local Scan</name><config id="<CONFIG_ID>"/><target id="<TARGET_ID>"/><scanner id="<SCANNER_ID>"/></create_task>'
sudo gvm-cli socket --gmp-username admin --gmp-password '<ADMIN_PASSWORD>' --xml '<start_task task_id="<TASK_ID>"/>'
sudo gvm-cli socket --gmp-username admin --gmp-password '<ADMIN_PASSWORD>' --xml '<get_tasks task_id="<TASK_ID>"/>'
3. Analyze the Vulnerability Scan Results
Report formats are also identified by id (<get_report_formats/> lists them). The XML format is the easiest to process from the shell; the PDF and HTML formats come back base64-encoded inside the <get_reports> response and must be decoded before saving. OpenVAS labels results High, Medium, Low and Log; the "Critical" band in the table below corresponds to High results with a severity of 9.0 or more.
sudo gvm-cli socket --gmp-username admin --gmp-password '<ADMIN_PASSWORD>' --xml '<get_report_formats/>'
sudo gvm-cli socket --gmp-username admin --gmp-password '<ADMIN_PASSWORD>' --xml '<get_reports report_id="<REPORT_ID>" format_id="<XML_FORMAT_ID>" details="1"/>' | sudo tee /audit/reports/openvas_scan.xml > /dev/null
sudo grep -c "<threat>High</threat>" /audit/reports/openvas_scan.xml
sudo grep -c "<threat>Medium</threat>" /audit/reports/openvas_scan.xml
sudo grep -o "<severity>[0-9.]*</severity>" /audit/reports/openvas_scan.xml | sort | uniq -c | sort -rn
4. Vulnerability Severity Levels
| Severity | CVSS Score | Response Time | Example |
| --- | --- | --- | --- |
| Critical | 9.0 - 10.0 | 24-48 hours | Remote Code Execution |
| High | 7.0 - 8.9 | 3-7 days | Privilege Escalation |
| Medium | 4.0 - 6.9 | 30 days | Information Disclosure |
| Low | 0.1 - 3.9 | 90 days | Version Disclosure |
Web Application Scanning with Nikto
1. Install and Configure Nikto
sudo apt install nikto -y
sudo apt install apache2 -y
sudo systemctl start apache2
sudo systemctl enable apache2
2. Run a Web Vulnerability Scan
The scans below target the Apache instance installed in the previous step on the lab machine itself.
sudo nikto -h http://localhost -o /audit/reports/nikto_scan.html -Format htm
sudo nikto -h http://localhost -C all -o /audit/reports/nikto_detailed.html -Format htm
sudo nikto -h http://localhost -plugins "apache_expect_xss" -o /audit/reports/nikto_xss.html -Format htm
sudo nikto -h http://localhost -id admin:password -o /audit/reports/nikto_auth.html -Format htm
3. Analyze the Nikto Scan Results
sudo grep -i "high" /audit/reports/nikto_scan.html
sudo grep -i "risk" /audit/reports/nikto_scan.html
sudo grep -E "(injection|XSS|cross-site|security)" /audit/reports/nikto_scan.html
Log Analysis and Intrusion Detection
1. Configure auditd for Monitoring
On Debian and Ubuntu, /etc/audit/audit.rules is regenerated from the files in /etc/audit/rules.d/ by augenrules, so rules are placed there and then loaded.
sudo apt install auditd -y
sudo nano /etc/audit/rules.d/audit.rules
# Monitor file changes in critical directories
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /var/log/auth.log -p wa -k authentication
# Record every program execution and every outbound connect() (64-bit syscalls)
-a always,exit -F arch=b64 -S execve -k execution
-a always,exit -F arch=b64 -S connect -k network
sudo augenrules --load
2. Analyze System Logs
sudo grep "Failed password" /var/log/auth.log
sudo grep "authentication failure" /var/log/auth.log
sudo grep -i "error\|warning\|critical" /var/log/syslog
sudo grep "sshd" /var/log/auth.log | grep -i "invalid\|failed"
sudo grep "Failed password" /var/log/auth.log | grep -oE "from [0-9.]+" | awk '{print $2}' | sort | uniq -c | sort -nr
(The source address is taken from the word after "from" rather than from a fixed field number: lines for non-existent accounts contain the extra words "invalid user", which shift the field positions and make a fixed awk column miss them.)
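The one-liners above answer "which addresses are failing to log in", but the "invalid user" lines are easy to miscount and there is no threshold for deciding what is worth escalating. The script below is an added example, not part of the handout: it parses a constructed auth.log sample (hostnames, users and addresses are made up) with awk, counts failed SSH password attempts per source address in both line forms sshd writes, counts attempts against non-existent accounts, and flags addresses above a threshold.

```shell
#!/bin/sh
# Added example (not from the handout): aggregate failed SSH logins from
# auth.log lines by source address. sshd writes two line forms:
#   "Failed password for <user> from <ip> port <n> ssh2"
#   "Failed password for invalid user <user> from <ip> port <n> ssh2"
# The second form shifts the field positions, which is why the source
# address is located by the "from" keyword rather than a fixed field index.

AUTH_LOG="$(mktemp)"
trap 'rm -f "$AUTH_LOG"' EXIT
# Constructed sample lines standing in for /var/log/auth.log.
cat > "$AUTH_LOG" <<'EOF'
Mar  3 10:01:12 lab-vm sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 lab-vm sshd[2101]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:20 lab-vm sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:01 lab-vm sshd[2110]: Failed password for invalid user oracle from 198.51.100.23 port 40002 ssh2
Mar  3 10:02:30 lab-vm sshd[2114]: Accepted publickey for deploy from 192.0.2.10 port 33001 ssh2
Mar  3 10:03:05 lab-vm sshd[2120]: Failed password for deploy from 192.0.2.10 port 33010 ssh2
Mar  3 10:03:07 lab-vm CRON[2125]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Failed-password attempts per source address, most frequent first: "count ip".
failed_by_ip() {  # $1 = log file
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Attempts against accounts that do not exist: the classic brute-force signature.
invalid_user_attempts() {  # $1 = log file -> count
    grep -c 'Failed password for invalid user' "$1" || true
}

# Addresses with at least $2 failures (default 3), one per line.
flag_sources() {  # $1 = log file, $2 = threshold
    failed_by_ip "$1" | awk -v t="${2:-3}" '$1 >= t {print $2}'
}

echo "Failed SSH logins by source:"
failed_by_ip "$AUTH_LOG"
echo "Attempts against invalid users: $(invalid_user_attempts "$AUTH_LOG")"
echo "Sources over threshold (3):"
flag_sources "$AUTH_LOG" 3
```

On hosts where /var/log/auth.log is not present because sshd logs only to the journal, feed the functions with the output of journalctl -u ssh saved to a file; the line format after the timestamp is the same.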
3. Set Up Log Monitoring with logwatch
sudo apt install logwatch -y
sudo logwatch --output mail --format html --mailto admin@localhost
sudo logwatch --range Today --output stdout
sudo logwatch --range "between -7 days and -1 days" --output stdout
File Integrity Checking with AIDE
1. Install and Configure AIDE
sudo apt install aide -y
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo nano /etc/aide/aide.conf
aideinit builds the baseline database from the current file system, so it must be run on a system that is still trusted. If you change /etc/aide/aide.conf afterwards, re-run aideinit and copy the new database again so the baseline matches the configuration.
2. Run an Integrity Check
sudo aide --check
sudo aide --update
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
echo "0 2 * * * root /usr/bin/aide --check" | sudo tee -a /etc/crontab
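To make the baseline-then-verify cycle that aideinit and aide --check perform concrete, the script below reproduces it by hand with sha256sum over a small constructed directory tree. It is an added example and not AIDE's code: it records a hash per file, simulates a changed config, a new file and a deleted file, and reports each as CHANGED, ADDED or REMOVED, which is the same classification an AIDE report gives.

```shell
#!/bin/sh
# Added example (not AIDE's code): the baseline-then-verify cycle that AIDE
# automates, done by hand with sha256sum so the logic is visible. A baseline
# stores one hash per file; a later check reports files whose content changed,
# files that appeared, and files that disappeared.

WATCH_DIR="$(mktemp -d)"      # constructed tree standing in for /etc
BASELINE="$(mktemp)"          # kept outside the watched tree
trap 'rm -rf "$WATCH_DIR" "$BASELINE"' EXIT

mkdir -p "$WATCH_DIR/etc/ssh"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$WATCH_DIR/etc/passwd"
printf 'PermitRootLogin no\n' > "$WATCH_DIR/etc/ssh/sshd_config"
printf 'Defaults env_reset\n' > "$WATCH_DIR/etc/sudoers"

# Hash every regular file under a directory; paths relative and sorted so
# that baseline and check lines are comparable.
hash_tree() {  # $1 = directory
    (cd "$1" && find . -type f | sort | xargs sha256sum)
}

# Record the baseline (AIDE: aideinit).
integrity_init() {  # $1 = directory, $2 = baseline file
    hash_tree "$1" > "$2"
}

# Compare the tree with the baseline (AIDE: aide --check). Prints one line
# "CHANGED path", "REMOVED path" or "ADDED path" per finding and returns 1
# when anything differs, 0 when the tree matches the baseline.
integrity_check() {  # $1 = directory, $2 = baseline file
    current="$(mktemp)"
    hash_tree "$1" > "$current"
    findings=0
    # Every baseline entry: still present with the same hash, changed, or gone.
    while read -r hash path; do
        cur_hash="$(awk -v p="$path" '$2 == p {print $1}' "$current")"
        if [ -z "$cur_hash" ]; then
            echo "REMOVED $path"; findings=1
        elif [ "$cur_hash" != "$hash" ]; then
            echo "CHANGED $path"; findings=1
        fi
    done < "$2"
    # Files present now that the baseline never saw.
    added="$(awk 'NR == FNR {seen[$2] = 1; next} !($2 in seen) {print "ADDED", $2}' "$2" "$current")"
    if [ -n "$added" ]; then echo "$added"; findings=1; fi
    rm -f "$current"
    return "$findings"
}

integrity_init "$WATCH_DIR" "$BASELINE"
# Simulate the kind of changes an integrity check exists to catch.
printf 'PermitRootLogin yes\n' > "$WATCH_DIR/etc/ssh/sshd_config"
printf '#!/bin/sh\n' > "$WATCH_DIR/etc/unexpected.sh"
rm "$WATCH_DIR/etc/sudoers"
if integrity_check "$WATCH_DIR" "$BASELINE"; then
    echo "No changes since baseline"
else
    echo "Integrity check FAILED: review the findings above"
fi
```

AIDE adds what this sketch omits: permissions, ownership, inode and timestamp attributes per file, include/exclude rules from aide.conf, and a database that should itself be stored read-only or off-host so an intruder cannot re-baseline it.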
Network Security Monitoring
1. Analyze Network Traffic
The tshark command line tool is packaged as tshark on Debian and Ubuntu. Replace ens33 with the interface name shown by ip link; the -c option stops the capture after a fixed number of packets instead of running until interrupted.
sudo apt install tcpdump tshark -y
sudo tcpdump -i ens33 -c 1000 -w /audit/logs/network_capture.pcap
sudo tshark -r /audit/logs/network_capture.pcap -Y "http"
sudo tshark -r /audit/logs/network_capture.pcap -Y "dns"
2. Check for Open Ports and Services
sudo netstat -tulnp
sudo ss -tulnp
sudo nmap -sS -sV -O localhost
sudo nmap -p- --min-rate 1000 localhost
sudo nmap --script vuln localhost
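Listing open ports with ss only helps if the list is compared with what the host is supposed to run. The script below is an added example, not from the handout: it parses a constructed sample in the column layout of ss -tulnp (without the header line, as ss -tulnpH prints it), normalizes each listener to protocol, port and process name, and reports every listener that is not on an allowlist of expected services. The allowlist and the sample are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the handout): compare listening sockets against an
# allowlist of expected services. Input is a constructed sample in the layout
# of `ss -tulnpH` (no header); on a live host feed it the real command output.

SS_OUTPUT="$(mktemp)"
trap 'rm -f "$SS_OUTPUT"' EXIT
# Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
cat > "$SS_OUTPUT" <<'EOF'
udp   UNCONN 0 0      127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=512,fd=12))
tcp   LISTEN 0 128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0 511    *:80               *:*        users:(("apache2",pid=1203,fd=4))
tcp   LISTEN 0 128    0.0.0.0:4444       0.0.0.0:*  users:(("nc",pid=3120,fd=3))
tcp   LISTEN 0 128    [::]:22            [::]:*     users:(("sshd",pid=801,fd=4))
EOF

# Services this host is expected to expose, as "proto:port" (constructed).
ALLOWLIST="tcp:22 tcp:80 udp:53"

# Normalize each line to "proto port process". The port is the last ":"-separated
# field of the local address (works for 0.0.0.0:22, *:80 and [::]:22 alike);
# the process name is the first quoted string in the Process column, "-" if absent.
listeners() {  # $1 = ss output file
    awk '{
        n = split($5, a, ":"); port = a[n]
        proc = "-"
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        print $1, port, proc
    }' "$1" | sort -u
}

# Listeners whose proto:port is not in the allowlist: "proto port process".
unexpected_listeners() {  # $1 = ss output file, $2 = allowlist
    listeners "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, l, " "); for (i = 1; i <= n; i++) ok[l[i]] = 1 }
        !(($1 ":" $2) in ok) { print }'
}

echo "All listeners:"
listeners "$SS_OUTPUT"
echo "Not on the allowlist:"
unexpected_listeners "$SS_OUTPUT" "$ALLOWLIST"
```

The same comparison is worth running after every nmap -p- scan: a port that nmap reports open but that no expected service owns is a finding for the report, whatever the process behind it calls itself.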
Compliance Checking with OpenSCAP
1. Install OpenSCAP
sudo apt install openscap-scanner scap-security-guide -y
2. Run a Compliance Scan
The content file must match your distribution release; the available files are listed with ls /usr/share/xml/scap/ssg/content/. The example uses the Ubuntu 16.04 content. The second command turns the results into a remediation script; the --result-id value follows the form xccdf_org.open-scap_testresult_<profile id> that oscap assigns.
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \
    --results /audit/reports/openscap-report.xml \
    --report /audit/reports/openscap-report.html \
    /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml
sudo oscap xccdf generate fix \
    --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis \
    /audit/reports/openscap-report.xml > /audit/reports/remediation.sh
Review remediation.sh before running it: it applies every failed rule's fix, and some of those change service configuration.
Incident Response and Forensic Analysis
The following script collects a first snapshot of a system during incident response. Run it as root; the most volatile data (processes, network connections) is collected first, and the file search over / comes last because it is slow.
#!/bin/bash
set -u
echo "Starting incident response procedures..."
INCIDENT_DIR="/audit/incident_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$INCIDENT_DIR"
SNAPSHOT="$INCIDENT_DIR/system_snapshot.txt"
{
    echo "=== SYSTEM SNAPSHOT ==="
    date
    uname -a
    echo "=== RUNNING PROCESSES ==="
    ps aux
    echo "=== NETWORK CONNECTIONS ==="
    ss -tulnp
    echo "=== RECENT LOGINS ==="
    last
    echo "=== SUSPICIOUS FILES ==="
    # PHP files modified in the last 24 hours (web shells are a common finding)
    find / -name "*.php" -mtime -1 2>/dev/null
} > "$SNAPSHOT"
echo "Incident response data collected to $INCIDENT_DIR"
Assignments and Evaluation
- Explain the difference between a vulnerability assessment and penetration testing.
- What are the advantages and disadvantages of Lynis compared with OpenVAS?
- How do you distinguish a false positive from a true positive in audit results?
- Why is file integrity checking important in a security audit?
- Scenario: a company needs a comprehensive security audit of its web server. Write a complete audit plan, including tools and methodology.
Security Audit Report Template
1. Executive Summary
Summary of critical findings and main recommendations
2. Methodology
Tools and techniques used in the audit
3. Findings
Detailed findings grouped by severity level
4. Risk Assessment
Analysis of the impact and risk of each finding
5. Recommendations
Remediation recommendations with a timeline
6. Conclusion
Overall conclusion and follow-up actions
Template Findings Table
| Severity | Vulnerability | Location | Impact | Recommendation |
| --- | --- | --- | --- | --- |
| Critical | SSH Weak Encryption | /etc/ssh/sshd_config | Remote compromise | Upgrade to stronger ciphers |
| High | Unpatched Software | Apache 2.4.29 | RCE vulnerability | Update to latest version |
| Medium | Weak File Permissions | /etc/passwd | Privilege escalation | Set proper permissions |