Lynis is an open-source security tool that can perform an in-depth system security scan in order to evaluate the system’s security profile. Due to its simplicity and flexibility, Lynis can be used to achieve the following;<\/p>\n\n\n\n
Lynis was designed for systems running Linux, macOS, or Unix-based operating system. It, however, doesn’t provide system hardening automatically but instead provide tips on how to harden your system.<\/p>\n\n\n\n
In this tutorial, we are going to learn how to install and setup Lynis on Ubuntu 18.04 for system auditing.<\/p>\n\n\n\n
There are several ways in which Lynis can be installed;<\/p>\n\n\n\n
In this tutorial, we are going to install Lynis via the package manager.<\/p>\n\n\n\n
Lynis is usually available by default on Ubuntu repositories. However, to get the latest version of it, you need to add the software repositories.<\/p>\n\n\n\n
Run either of the commands below to download the Lynis repository signing key from the central key server.<\/p>\n\n\n\n
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F<\/pre>\n\n\n\nor<\/p>\n\n\n\n
# wget -O - https:\/\/packages.cisofy.com\/keys\/cisofy-software-public.key | sudo apt-key add -<\/pre>\n\n\n\nAdd software repository<\/h4>\n\n\n\n
The Lynis software repository uses HTTPS for secure transport.Therefore you need to enable https transport method for APT as shown below if it is not already enabled.<\/p>\n\n\n\n
# apt install apt-transport-https<\/pre>\n\n\n\nConfigure APT to skip downloading software translations if you are using your software in English.<\/p>\n\n\n\n
# echo 'Acquire::Languages \"none\";' > \/etc\/apt\/apt.conf.d\/99disable-translations<\/pre>\n\n\n\nOnce that is done, run the command below to add the software repository.<\/p>\n\n\n\n
# echo \"deb https:\/\/packages.cisofy.com\/community\/lynis\/deb\/ stable main\" > \/etc\/apt\/sources.list.d\/cisofy-lynis.list<\/pre>\n\n\n\nOnce you have the software repository set, update you system to re-synchronize the package index files from their sources.<\/p>\n\n\n\n
# apt update<\/pre>\n\n\n\nInstall Lynis<\/h4>\n\n\n\n
Now that we have the software repositories and the local package database has been refreshed, run the command below to install Lynis.<\/p>\n\n\n\n
# apt install lynis -y<\/pre>\n\n\n\nOnce the installation is done, you can verify the version using the command below;<\/p>\n\n\n\n
# lynis show version\n2.7.0<\/pre>\n\n\n\nYou can also run the command below verify whether a new version is available.<\/p>\n\n\n\n
# lynis update info\n\n == Lynis ==\n\n Version : 2.7.0\n Status : Up-to-date<\/strong>\n Release date : 2018-10-26\n Update location : https:\/\/cisofy.com\/lynis\/\n\n\n2007-2018, CISOfy - https:\/\/cisofy.com\/lynis\/<\/pre>\n\n\n\nSo you got the latest version of Lynis program.<\/p>\n\n\n\n
Lynis Commands<\/h3>\n\n\n\n
The Lynis command syntax is
lynis [scan mode] [other options]<\/code><\/strong><\/p>\n\n\n\n\n
- To show Lynis command, run
lynis show commands<\/code><\/strong><\/li>\n\n\n\n- To show Lynis Settings run;
lynis show settings<\/code><\/strong><\/li>\n\n\n\n- To show discovered audit profiles;
lynis show profiles<\/code><\/strong><\/li>\n<\/ul>\n\n\n\nFor a comprehensive list of options, check
man lynis<\/code><\/strong><\/p>\n\n\n\nRun System Audit<\/h2>\n\n\n\n
To run system audit, execute;
lynis audit system<\/code><\/strong><\/p>\n\n\n\nWhen Lynis run, it audits various parts of the system including;<\/p>\n\n\n\n
\n
- Boot loader files<\/li>\n\n\n\n
- Configuration files<\/li>\n\n\n\n
- Software packages<\/li>\n\n\n\n
- Directories and files related to logging and auditing<\/li>\n<\/ul>\n\n\n\n
The test and debug information is found in:
\/var\/log\/lynis.log<\/code> <\/strong>while the audit report data is found on:\/var\/log\/lynis-report.dat<\/code><\/strong>.<\/p>\n\n\n\n
\/var\/log\/lynis.log<\/code><\/strong> is the file an auditor has to check and intepret the results as it explains the reason for the issues identified as well suggestions on how to fix those issues.<\/p>\n\n\n\nLynis Warnings<\/h3>\n\n\n\n
The output of the Lynis may show OK or WARNING with OK meaning good while WARNING shows an identified issue in the system that requires attention. Sometimes what may be flagged as OK may not actually be good to the best practice and what is flagged as WARNING may actually be nothing and can be ignored.<\/p>\n\n\n\n
Sample output of the warnings;<\/p>\n\n\n\n
================================================================================\n...output-cut...<\/strong>\n -[ Lynis 2.7.0 Results ]-\n\n Warnings (2):\n ----------------------------\n ! Found BIND version in banner [NAME-4210] \n https:\/\/cisofy.com\/lynis\/controls\/NAME-4210\/\n\n ! Found some information disclosure in SMTP banner (OS or software name) [MAIL-8818] \n https:\/\/cisofy.com\/lynis\/controls\/MAIL-8818\/\n...output-cut...<\/strong><\/pre>\n\n\n\nTo get more information about a warning, you can use the command;
lynis show details TEST-ID<\/code> <\/strong>for example to show more details about BIND warning, run the command;<\/p>\n\n\n\n# lynis show details NAME-4210\n2018-10-28 20:07:58 Performing test ID NAME-4210 (Check DNS banner)\n2018-10-28 20:07:58 Test: Trying to determine version from banner\n2018-10-28 20:07:58 Result: possible BIND version available in version banner\n2018-10-28 20:07:58 Warning: Found BIND version in banner [test:NAME-4210] [details:-] [solution:-]\n2018-10-28 20:07:58 Suggestion: The version in BIND can be masked by defining 'version none' in the configuration file [test:NAME-4210] [details:-] [solution:-]\n2018-10-28 20:07:58 Hardening: assigned partial number of hardening points (0 of 2). Currently having 92 points (out of 128)\n2018-10-28 20:07:58 ===---------------------------------------------------------------===<\/pre>\n\n\n\nThis at least shades light on the identified warnings.<\/p>\n\n\n\n
Disable the test (whitelisting)<\/h3>\n\n\n\n
If for some reasons you have a test which gives a warning and you are not interested in the result of that particular test, you can set it to be ignored. To achieve this, you need create a custom profile where you can define your test options.<\/p>\n\n\n\n
Lynis uses profiles to have a set of predefined options for your operating system and preferences. If you don’t provide a profile (–profile <name>), the default profile (default.prf) will be used. You can copy the default profile and edit it to define your custom test options.<\/p>\n\n\n\n
For instance, to skip the warnings shown above, create a custom profile and put the following contents.<\/p>\n\n\n\n
# vim \/etc\/lynis\/custom.prf<\/pre>\n\n\n\n#################################################################################\n#\n#\n# Lynis - Custom Scan Profile to ignore some warnings\n#\n# Ignore BIND version in the banner\nskip-test=NAME-4210<\/strong>\n\n# Ignore SMTP banner information disclosure\nskip-test=MAIL-8818<\/strong><\/pre>\n\n\n\nWhen you run system audit next time, these warnings will be ignored. See the output below;<\/p>\n\n\n\n
...<\/strong>\n================================================================================\n\n -[ Lynis 2.7.0 Results ]-\n\n Great, no warnings<\/strong>\n\n Suggestions (40):\n ----------------------------\n * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] \n https:\/\/cisofy.com\/lynis\/controls\/AUTH-9262\/\n\n * Configure minimum password age in \/etc\/login.defs [AUTH-9286] \n https:\/\/cisofy.com\/lynis\/controls\/AUTH-9286\/\n\n * Configure maximum password age in \/etc\/login.defs [AUTH-9286] \n https:\/\/cisofy.com\/lynis\/controls\/AUTH-9286\/\n...<\/strong><\/pre>\n\n\n\nLynis Suggestions<\/h3>\n\n\n\n
Apart from WARNINGS, there are also suggestions in the Lynis audit output. Basically, suggestions tells you how to go about fixing an identified issue. Take for example, the SSH hardening suggestions shown. It is made of the suggestion and the specific changes to make.<\/p>\n\n\n\n
Suggestions (42):<\/strong>\n ----------------------------\n * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] \n https:\/\/cisofy.com\/lynis\/controls\/HTTP-6643\/\n\n * Consider hardening SSH configuration [SSH-7408] <\/strong>\n - Details : AllowTcpForwarding (YES --> NO)<\/strong>\n https:\/\/cisofy.com\/lynis\/controls\/SSH-7408\/<\/strong>\n\n * Consider hardening SSH configuration [SSH-7408] \n - Details : ClientAliveCountMax (3 --> 2)<\/strong>\n https:\/\/cisofy.com\/lynis\/controls\/SSH-7408\/\n\n * Consider hardening SSH configuration [SSH-7408] \n - Details : Compression (YES --> NO)<\/strong>\n https:\/\/cisofy.com\/lynis\/controls\/SSH-7408\/\n\n * Consider hardening SSH configuration [SSH-7408] \n - Details : LogLevel (INFO --> VERBOSE)<\/strong>\n https:\/\/cisofy.com\/lynis\/controls\/SSH-7408\/\n\n * Consider hardening SSH configuration [SSH-7408] \n - Details : MaxAuthTries (6 --> 2)<\/strong>\n https:\/\/cisofy.com\/lynis\/controls\/SSH-7408\/\n\n * Consider hardening SSH configuration [SSH-7408] \n - Details : MaxSessions (10 --> 2)<\/strong>\n https:\/\/cisofy.com\/lynis\/controls\/SSH-7408\/\n\n * Consider hardening SSH configuration [SSH-7408] \n - Details : PermitRootLogin (YES --> (NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))<\/strong>\n https:\/\/cisofy.com\/lynis\/controls\/SSH-7408\/\n\n * Consider hardening SSH configuration [SSH-7408] \n - Details : Port (22 --> )\n https:\/\/cisofy.com\/lynis\/controls\/SSH-7408\/\n\n * Consider hardening SSH configuration [SSH-7408] \n - Details : TCPKeepAlive (YES --> NO)\n https:\/\/cisofy.com\/lynis\/controls\/SSH-7408\/\n\n * Consider hardening SSH configuration [SSH-7408] \n - Details : X11Forwarding (YES --> NO)\n https:\/\/cisofy.com\/lynis\/controls\/SSH-7408\/\n\n * Consider hardening SSH configuration [SSH-7408] \n - Details : AllowAgentForwarding (YES --> NO)\n https:\/\/cisofy.com\/lynis\/controls\/SSH-7408\/\n...<\/strong><\/pre>\n\n\n\nLynis Hardening Index<\/h3>\n\n\n\n
Lynis system audit output also show the system hardening index. See part of the output below with a hardening index of 65%.<\/p>\n\n\n\n
...<\/strong>\n================================================================================\n\n Lynis security scan details:\n\n Hardening index : 65<\/strong> [############# ]\n Tests performed : 238\n Plugins enabled : 0\n...<\/strong><\/pre>\n\n\n\nThis basically shows the hardening index in percentage, the number of tests performed and the number of plugins enabled.<\/p>\n\n\n\n
The hardening index shows how secure your system is based on the Lynis tests. The more you carry out the fixes of the identified issues, the hardening index percentage will increase.<\/p>\n\n\n\n
Well, so far so good, we have seen and learnt how to install and perform system auditing with Lynis on Ubuntu 18.04. We hope you enjoyed.<\/p>\n\n\n\n
Reference;<\/p>\n\n\n\n
\n
- Get Started with Lynis<\/a><\/li>\n\n\n\n
- Lynis – Security auditing tool for Linux, macOS, and UNIX-based systems<\/span><\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Lynis is an open-source security tool that can perform an in-depth system security scan in order to evaluate the system’s security profile. Due to its<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,34,218],"tags":[219,220],"class_list":["post-1129","post","type-post","status-publish","format-standard","hentry","category-howtos","category-security","category-system-auditing","tag-audit","tag-lynis","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1129"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=1129"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1129\/revisions"}],"predecessor-version":[{"id":21018,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1129\/revisions\/21018"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=1129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=1129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=1129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}