May 222015

All good things of life must end sooner rather than later given human imperfection.

Ditto with Linux.

Long considered one of the most secure operating systems thanks to its open source nature, Linux’s growing popularity is drawing the attention of hackers around the world.

In what must be extremely distressing news for system administrators, new malware does not spare even Linux systems.

Besides malware, configuration errors too can leave Linux system vulnerable.

Linux systems have grown so complex that even seasoned administrators can be befuddled by the various processes and options. Configuration errors can easily creep in during installation, updates and/or maintenance.

Here’s where the free security auditing software Lynis comes in.

While vulnerability scanners typically look into a Linux server from the outside, Lynis runs on the system itself, is faster and does more security scans than vulnerability scanners.

Besides Linux, Lynis runs on FreeBSD, MacOS, HP-UX and NetBSD.

Where to Download Lynis

You can get Lynis in multiple ways.

Lynis comes as part of the suite of security packages in the penetration testing distribution Kali Linux.

If you’re tinkering with Kali, just head to the command line and type lynis. Voila, the application initializes and you can try out various options of Lynis.

If you’re NOT running Kali, you can download Lynis from the Ubuntu or CentOS repositories.

1. Installing Lynis on Fedora, CentOS and RedHat

$ yum install lynis

2. Installing Lynis on Debian, Ubunutu, Linux Mint, Kubuntu

$ apt-get install lynis

Warning: Since the Lynis version on Kali and on the Ubuntu and CentOS repositories are very old, you might want to consider directly downloading the latest version of Lynis (2.1.0) and installing it on your Linux server or desktop.

3. Direct Download from Lynis developer Cisofy:

$ wget

(Install lynis in the usr/local folder.)

Unpack the Tarball

$ tar xfvz lynis-.tar.gz

Running Lynis

Getting lynis started on Kali or when it’s downloaded from a repository is easy (just type lynis audit system or lynis -Q).

But if you’ve downloaded the package and installed it yourself, then you must run it from the directory where it was installed. As we noted above, lynis is usually installed and run from the /usr/local directory.

If you’ve downloaded and installed it directly without using a package management system, go with the following command:

$ ./lynis audit system

Lynis does a huge bunch of security tests of your system and outputs them to the screen, a log file and a report file.

Technical details about the scan are stored in a log file while the findings including warnings, suggestions and data collection go into the report file.

Both the lynis-report.dat and lynis.log are stored in the /var/log folder.

Lynis Scan Steps

Here’s how a lynis scan proceeds.

* Determines operating system
* Searches for available tools and utilities
* Checks for Lynis update
* Runs tests from enabled plugins
* Runs security tests per category
* Reports status of security scan

Lynis’ developer Cisofy describes the tool’s scanning as “opportunistic”, meaning it will use what it can find to do more tests. If lynis finds Apache, it will perform an initial round of Apache related tests and depending on what it finds will do more tests. For instance, if it finds a SSL/TLS configuration during the Apache tests, it will perform additional auditing steps on that.

Examples of Lynis Output

Lynis makes several security related suggestions as part of its scanning process.

So what did lynis recommend for my Linux system?

Let me share some of the ‘suggestions’ made by Lynis in the report after it completed the scan of my system:

# Lynis Report
report_datetime_start=2015-05-15 23:35:09
ssuggestion[]=BOOT-5122|Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|
suggestion[]=AUTH-9286|Configure password aging limits to enforce password changing on a regular base|
suggestion[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|
suggestion[]=AUTH-9328|Default umask in /etc/init.d/rc could be more strict like 027|
suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separated partition|
suggestion[]=STRG-1840|Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft|
suggestion[]=PKGS-7346|Purge old/removed packages (6 found) with aptitude purge or dpkg –purge command. This will cleanup old configuration files, cron jobs and startup scripts.|
suggestion[]=PRNT-2307|Access to CUPS configuration could be more strict.|
suggestion[]=FIRE-4513|Check iptables rules to see which rules are currently not used|
suggestion[]=LOGG-2190|Check what deleted files are still in use and why.|
suggestion[]=BANN-7126|Add a legal banner to /etc/issue, to warn unauthorized users|
suggestion[]=BANN-7130|Add legal banner to /etc/, to warn unauthorized users|
suggestion[]=ACCT-9622|Enable process accounting|
suggestion[]=ACCT-9628|Enable auditd to collect audit information|
suggestion[]=FINT-4350|Install a file integrity tool|
suggestion[]=TOOL-5002|Determine if automation tools are present for system management|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked|
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only

If you’re in a rush and want to quickly look at the ‘suggestions’ from the lynis report, just grep it.

sudo cat /var/log/lynis-report.dat | grep suggestion

The lynis scan also outputs to a log file.

Here is an excerpt from a lynis.log file:

[23:35:09] ### Starting Lynis 2.1.0 with PID 6585, build date 16 April 2015 ###
[23:35:09] ===—————————————————————===
[23:35:09] ### Copyright 2007-2015 – CISOfy, ###
[23:35:09] Program version: 2.1.0
[23:35:09] Operating system: Linux
[23:35:09] Operating system name: Debian
[23:35:09] Operating system version: jessie/sid
[23:35:09] Kernel version: 3.13.0
[23:35:09] Kernel version (full): 3.13.0-37-generic
[23:35:09] Hardware platform: x86_64
[23:35:09] Hostname: michael
[23:35:09] Auditor: [Unknown]
[23:35:09] Profile: ./default.prf
[23:35:09] Log file: /var/log/lynis.log
[23:35:09] Report file: /var/log/lynis-report.dat
[23:35:09] Report version: 1.0
[23:35:09] —————————————————–
[23:35:09] Include directory: ./include
[23:35:09] Plugin directory: ./plugins
[23:35:09] Database directory: ./db
[23:35:09] ===—————————————————————===
[23:35:09] Checking permissions of ./include/profiles
[23:35:09] File permissions are OK
[23:37:01] Performing test ID HRDN-7222 (Check compiler permissions)
[23:37:01] Test: Check if one or more compilers can be found on the system
[23:37:01] Test: Check file permissions for as (Assembler)
[23:37:01] Binary: found /usr/bin/as (world executable)
[23:37:01] Hardening: assigned 2 hardening points (max for this item: 3), current: 111, total: 153
[23:37:01] Test: Check file permissions for GCC compiler
[23:37:01] Result: symlink found, pointing to file /usr/bin/gcc-4.8
[23:37:01] Binary: found /usr/bin/gcc (world executable)
[23:37:01] Hardening: assigned 2 hardening points (max for this item: 3), current: 113, total: 156
[23:37:01] Result: at least one compiler could be better hardened by restricting executable access to root or group only
[23:37:01] Suggestion: Harden compilers like restricting access to root user only [HRDN-7222]
[23:37:01] ===—————————————————————===
[23:37:01] Performing test ID HRDN-7230 (Check for malware scanner)
[23:37:01] Test: Check if one or more compilers can be found on the system
[23:37:01] Result: found at least one malware scanner
[23:37:01] Hardening: assigned 3 hardening points (max for this item: 3), current: 116, total: 159
[23:37:04] File permissions are OK
[23:37:04] ===—————————————————————===
[23:37:04] Hardening index : [72] [############## ]
[23:37:04] Hardening strength: System has been hardened, but could use additional hardening
[23:37:04] ================================================================================
[23:37:04] Tests performed: 171
[23:37:04] Total tests: 316
[23:37:04] Active plugins: 0
[23:37:04] Total plugins: 0
[23:37:04] ================================================================================
[23:37:04] Lynis 2.1.0
[23:37:04] Copyright 2007-2015 – CISOfy,
[23:37:04] Enterprise support and plugins available via CISOfy
[23:37:04] Program ended successfully

At the end of the scan, lynis provides a Hardening Index of your system. Linux server administrators must strive to boost that Hardening Index based on the ‘suggestions’ in the scan report.

Lynis is a great security auditing tool for Linux and Unix systems.

The output provides the required tips to fix security issues and harden your Linux system.

I strongly encourage you to install Lynis today on your Linux system and take it for a test drive.

More Information on Lynis
Lynis Audit Tool

Sorry, the comment form is closed at this time.