{"id":6636,"date":"2020-08-05T22:59:56","date_gmt":"2020-08-05T19:59:56","guid":{"rendered":"https:\/\/kifarunix.com\/?p=6636"},"modified":"2024-03-14T22:42:03","modified_gmt":"2024-03-14T19:42:03","slug":"install-and-setup-lynis-security-auditing-tool-on-centos-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-lynis-security-auditing-tool-on-centos-8\/","title":{"rendered":"Install and Setup Lynis Security Auditing tool on CentOS 8"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install and setup Lynis security auditing tool on CentOS 8.&nbsp;<a href=\"https:\/\/cisofy.com\/lynis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Lynis<\/a>&nbsp;is an open-source security tool that can perform an in-depth system security scan in order to evaluate the system\u2019s security profile. Due to its simplicity and flexibility, Lynis can be used to achieve the following;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automated Security auditing<\/li>\n\n\n\n<li>Compliance testing (e.g. 
PCI, HIPAA, SOx)<\/li>\n\n\n\n<li>Penetration testing<\/li>\n\n\n\n<li>Vulnerability detection<\/li>\n\n\n\n<li>System hardening<\/li>\n\n\n\n<li>Configuration and asset management<\/li>\n\n\n\n<li>Software patch management<\/li>\n\n\n\n<li>Intrusion detection<\/li>\n<\/ul>\n\n\n\n<p>Lynis, however, doesn\u2019t harden the system automatically; instead it provides tips on how to harden your system.<\/p>\n\n\n\n<p>It is a cross-platform tool designed for systems running Linux, macOS, or other Unix-based operating systems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Lynis Security Auditing tool on CentOS 8<\/h2>\n\n\n\n<p>Lynis can be installed on a CentOS system by cloning the project\u2019s GitHub repository, using the source tarball, or by simply pulling it from the package repositories using the package manager.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install Lynis from Software Repository<\/h3>\n\n\n\n<p>You can use the EPEL repos or the Lynis Software community repos for CentOS to install Lynis on CentOS 8. The community repository is maintained by CISOfy, the Lynis developers, and usually carries a more recent release than EPEL.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Installing Lynis from EPEL Repos<\/h4>\n\n\n\n<p>Install EPEL repos by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install epel-release<\/code><\/pre>\n\n\n\n<p>Check what provides Lynis;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf provides lynis<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lynis-3.0.0-1.el8.noarch : Security and system auditing tool\nRepo        : epel\nMatched from:\nProvide    : lynis = 3.0.0-1.el8<\/code><\/pre>\n\n\n\n<p>Proceed to install Lynis on CentOS 8;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install lynis<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Install Lynis Community repos for CentOS<\/h4>\n\n\n\n<p>Install the Lynis Software community repos for Lynis on CentOS 8;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cat &lt;&lt; 'EOL' &gt; 
\/etc\/yum.repos.d\/cisofy-lynis.repo\n[lynis]\nname=CISOfy Software - Lynis package\nbaseurl=https:\/\/packages.cisofy.com\/community\/lynis\/rpm\/\nenabled=1\ngpgkey=https:\/\/packages.cisofy.com\/keys\/cisofy-software-rpms-public.key\ngpgcheck=1\npriority=2\nEOL<\/code><\/pre>\n\n\n\n<p>Keep <code>gpgcheck=1<\/code> so that dnf verifies every package signature against the CISOfy key before installing it.<\/p>\n\n\n\n<p>Run package updates;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf update<\/code><\/pre>\n\n\n\n<p>Update the cURL, NSS, OpenSSL and CA-certificates packages so that the repository and its signing key can be fetched over HTTPS with up-to-date trust roots;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf update curl nss openssl ca-certificates<\/code><\/pre>\n\n\n\n<p>Install Lynis;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install lynis<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Dependencies resolved.\n============================================================================================================================================================================\n Package                                 Architecture                             Version                                     Repository                               Size\n============================================================================================================================================================================\nInstalling:\n lynis                                   noarch                                   3.0.0-100                                   lynis                                   312 k\n\nTransaction Summary\n============================================================================================================================================================================\nInstall  1 Package\n\nTotal download size: 312 k\nInstalled size: 1.5 M\nIs this ok &#91;y\/N]: y<\/code><\/pre>\n\n\n\n<p>Check the version of installed Lynis;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lynis show version<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>3.0.0<\/code><\/pre>\n\n\n\n<h3 
class=\"wp-block-heading\">Lynis Command Line Syntax and Options<\/h3>\n\n\n\n<p>The Lynis command syntax is<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lynis [scan mode] [other options]<\/code><\/pre>\n\n\n\n<p>To show Lynis commands, run;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lynis show commands<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Commands:\nlynis audit\nlynis configure\nlynis generate\nlynis show\nlynis update\nlynis upload-only<\/code><\/pre>\n\n\n\n<p>To show Lynis Settings run;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lynis show settings<\/code><\/pre>\n\n\n\n<p>To show discovered audit profiles;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lynis show profiles<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>\/etc\/lynis\/default.prf<\/strong><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Perform System Audit using Lynis on CentOS 8<\/h3>\n\n\n\n<p>Lynis security auditing tool checks the system and the software configuration, to see if there is any room for improvement the security defenses.<\/p>\n\n\n\n<p>The Lynis test and debug information are logged in&nbsp;<strong><code>\/var\/log\/lynis.log<\/code>&nbsp;<\/strong>while the audit report data is stored in:&nbsp;<strong><code>\/var\/log\/lynis-report.dat<\/code><\/strong>.<\/p>\n\n\n\n<p><strong><code>\/var\/log\/lynis.log<\/code><\/strong>&nbsp;is the file an auditor has to check and interpret the results as it explains the reason for the issues identified as well suggestions on how to fix those issues.<\/p>\n\n\n\n<p>The following system areas may be checked by Lynis:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Boot loader files<\/li>\n\n\n\n<li>Configuration files<\/li>\n\n\n\n<li>Software packages<\/li>\n\n\n\n<li>Directories and files related to logging and auditing<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Perform System Audit with Lynis on CentOS 8<\/h4>\n\n\n\n<p>Lynis can run 
interactively or as a cron job. Root permissions (e.g. via sudo) are not required, but running as root lets Lynis perform more tests and gives more detail during the audit.<\/p>\n\n\n\n<p>To run a basic system audit with Lynis, execute the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lynis audit system<\/code><\/pre>\n\n\n\n<p>As it runs, it displays the various checks and their results on standard output, and also writes them to the log and report files;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n&#91;+] Software: e-mail and messaging\n------------------------------------\n\n&#91;+] Software: firewalls\n------------------------------------\n  - Checking iptables kernel module                           &#91; FOUND ]\n    - Checking iptables policies of chains                    &#91; FOUND ]\n    - Checking for empty ruleset                              &#91; WARNING ]\n    - Checking for unused rules                               &#91; OK ]\n  - Checking host based firewall                              &#91; ACTIVE ]\n\n&#91;+] Software: webserver\n------------------------------------\n  - Checking Apache (binary \/usr\/sbin\/httpd)                  &#91; FOUND ]\n      Info: Configuration file found (\/etc\/httpd\/conf\/httpd.conf)\n      Info: No virtual hosts found\n    * Loadable modules                                        &#91; FOUND (106) ]\n        - Found 106 loadable modules\n          mod_evasive: anti-DoS\/brute force                   &#91; NOT FOUND ]\n          mod_reqtimeout\/mod_qos                              &#91; FOUND ]\n          ModSecurity: web application firewall               &#91; NOT FOUND ]\n  - Checking nginx                                            &#91; NOT FOUND ]\n\n&#91;+] SSH Support\n------------------------------------\n  - Checking running SSH daemon                               &#91; FOUND ]\n    - Searching SSH configuration                             &#91; FOUND ]\n    - OpenSSH option: AllowTcpForwarding                      &#91; 
SUGGESTION ]\n    - OpenSSH option: ClientAliveCountMax                     &#91; SUGGESTION ]\n    - OpenSSH option: ClientAliveInterval                     &#91; OK ]\n    - OpenSSH option: Compression                             &#91; SUGGESTION ]\n    - OpenSSH option: FingerprintHash                         &#91; OK ]\n...<\/code><\/pre>\n\n\n\n<p>Each check in the output carries a status. OK means the check passed, WARNING marks an identified issue that requires attention, and SUGGESTION marks a recommended hardening improvement; FOUND and NOT FOUND simply record whether a component or setting is present.<\/p>\n\n\n\n<p>Summary of the system audit checks;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n================================================================================\n\n  -&#91; Lynis 3.0.0 Results ]-\n\n  Warnings (2):\n  ----------------------------\n  ! Reboot of system is most likely needed &#91;KRNL-5830] \n    - Solution : reboot\n      https:\/\/cisofy.com\/lynis\/controls\/KRNL-5830\/\n\n  ! iptables module(s) loaded, but no rules active &#91;FIRE-4512] \n      https:\/\/cisofy.com\/lynis\/controls\/FIRE-4512\/\n\n  Suggestions (46):\n  ----------------------------\n  * This release is more than 4 months old. 
Consider upgrading &#91;LYNIS] \n      https:\/\/cisofy.com\/lynis\/controls\/LYNIS\/\n\n  * If not required, consider explicit disabling of core dump in \/etc\/security\/limits.conf file &#91;KRNL-5820] \n      https:\/\/cisofy.com\/lynis\/controls\/KRNL-5820\/\n...<\/code><\/pre>\n\n\n\n<p>In this run there are two warnings and 46 suggestions. Warnings are the items to address first; the FIRE-4512 one, for example, means the iptables modules are loaded but carry no rules, so that ruleset is filtering nothing.<\/p>\n\n\n\n<p>Work through the suggested solutions to implement the recommended hardening; each entry links to its control page on cisofy.com, which describes the check and the fix in more detail.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lynis security scan details<\/h3>\n\n\n\n<p>In this section, you will see;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>your hardening index (0 to 100)<\/li>\n\n\n\n<li>the number of tests run against the system<\/li>\n\n\n\n<li>Lynis plugins enabled, if any<\/li>\n\n\n\n<li>Lynis modules enabled<\/li>\n\n\n\n<li>log\/report files<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>================================================================================\n\n  Lynis security scan details:\n\n  Hardening index : 63 &#91;############        ]\n  Tests performed : 241\n  Plugins enabled : 0\n\n  Components:\n  - Firewall               &#91;V]\n  - Malware scanner        &#91;X]\n\n  Scan mode:\n  Normal &#91;V]  Forensics &#91; ]  Integration &#91; ]  Pentest &#91; ]\n\n  Lynis modules:\n  - Compliance status      &#91;?]\n  - Security audit         &#91;V]\n  - Vulnerability scan     &#91;V]\n\n  Files:\n  - Test and debug information      : \/var\/log\/lynis.log\n  - Report data                     : \/var\/log\/lynis-report.dat\n\n================================================================================<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Check Hardening Warnings and Suggestions from Lynis Audit report<\/h4>\n\n\n\n<p>Apart from being printed to stdout, the scan results are also written to <code><strong>\/var\/log\/lynis-report.dat<\/strong><\/code>, a machine-readable file of <code>key=value<\/code> lines that is convenient for scripting.<\/p>\n\n\n\n<p>From this report, you can read the warnings and 
suggestions given;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>grep -i \"^warning\" \/var\/log\/lynis-report.dat<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|\nwarning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|<\/code><\/pre>\n\n\n\n<p>To check the suggestions;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>grep -i \"^suggestion\" \/var\/log\/lynis-report.dat<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>...\nsuggestion&#91;]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|\nsuggestion&#91;]=KRNL-5820|If not required, consider explicit disabling of core dump in \/etc\/security\/limits.conf file|-|-|\nsuggestion&#91;]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|\nsuggestion&#91;]=AUTH-9230|Configure minimum encryption algorithm rounds in \/etc\/login.defs|-|-|\nsuggestion&#91;]=AUTH-9230|Configure maximum encryption algorithm rounds in \/etc\/login.defs|-|-|\nsuggestion&#91;]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|\n...<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Showing Details of a Specific Test<\/h4>\n\n\n\n<p>Every Lynis system check has an associated test ID, such as KRNL-5830 or FIRE-4512 above; the same ID appears in the report file, in the log and in the control URLs. 
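<p>Those test IDs are also what you key on when scripting against the report file. As an added example that is not part of this tutorial or of the Lynis project, the POSIX shell functions below parse a <code>lynis-report.dat<\/code>-style file (the sample is constructed here from the fields shown above), extract the hardening index, count and list warnings and suggestions, and provide a gate that fails when warnings remain or the index is below a threshold, which is how you would make an unattended <code>lynis audit system --cronjob<\/code> run fail a job or a pipeline. The threshold of 70 and the function names are arbitrary choices for the example.<\/p>

```sh
#!/bin/sh
# Added example (not part of the tutorial or of Lynis itself): parse a
# lynis-report.dat style file and gate on its findings.
#
# Real report lines are "key=value"; list-valued keys use a "[]" suffix and
# "|"-separated fields, e.g.
#   warning[]=<TEST-ID>|<text>|<details>|<solution>|
# The sample below is CONSTRUCTED from the fields shown in the article.

SAMPLE_REPORT=$(mktemp)
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
lynis_version=3.0.0
hardening_index=63
warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
EOF

# Hardening index (0-100) recorded in the report; empty if the key is absent.
report_hardening_index() {
    awk -F= '$1 == "hardening_index" { print $2; exit }' "$1"
}

# Number of entries of a kind ("warning" or "suggestion"). Always prints a
# number, unlike `grep -c`, which exits non-zero when nothing matches and
# would abort a script running under `set -e`.
report_count() {
    awk -v kind="$2" 'index($0, kind "[]=") == 1 { n++ } END { print n + 0 }' "$1"
}

# Test IDs of a kind, one per line (e.g. KRNL-5830), ready for follow-up
# with `lynis show details <ID>`.
report_ids() {
    awk -F'|' -v kind="$2" 'index($0, kind "[]=") == 1 { sub(/^[^=]*=/, "", $1); print $1 }' "$1"
}

# One-line summary suitable for a cron mail or a log line.
report_summary() {
    printf 'hardening index %s, %s warning(s), %s suggestion(s)\n' \
        "$(report_hardening_index "$1")" \
        "$(report_count "$1" warning)" \
        "$(report_count "$1" suggestion)"
}

# Gate: succeed only when no warnings remain and the hardening index is at
# least $2. A missing index counts as 0, so a truncated report fails closed.
report_gate() {
    gate_idx=$(report_hardening_index "$1")
    gate_warns=$(report_count "$1" warning)
    [ "${gate_warns:-0}" -eq 0 ] && [ "${gate_idx:-0}" -ge "$2" ]
}

# Intended use after an unattended run (70 is an arbitrary threshold):
#   lynis audit system --cronjob --quiet
#   report_summary /var/log/lynis-report.dat
#   report_gate /var/log/lynis-report.dat 70 || report_ids /var/log/lynis-report.dat warning
report_summary "$SAMPLE_REPORT"
```

<p>On the constructed sample the summary line reads <code>hardening index 63, 2 warning(s), 3 suggestion(s)<\/code> and the gate fails because two warnings remain; against the real file, point the functions at <code>\/var\/log\/lynis-report.dat<\/code> after <code>lynis audit system --cronjob --quiet<\/code> has run.<\/p>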
To find more about a specific check, you can show the details using the command below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lynis show details TEST-ID<\/code><\/pre>\n\n\n\n<p>For example, to see more about the system reboot warning above;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lynis show details KRNL-5830<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>2020-08-05 22:28:05 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)\n2020-08-05 22:28:05 Test: Checking presence \/var\/run\/reboot-required.pkgs\n2020-08-05 22:28:05 Result: file \/var\/run\/reboot-required.pkgs not found\n2020-08-05 22:28:05 Result: \/boot exists, performing more tests from here\n2020-08-05 22:28:05 Result: found \/boot\/vmlinuz-4.18.0-193.14.2.el8_2.x86_64\n2020-08-05 22:28:05 Test: checking kernel version on disk\n2020-08-05 22:28:05 Result: found version 4.18.0-193.14.2.el8_2.x86_64\n2020-08-05 22:28:05 Result: active kernel version 4.18.0-193.6.3.el8_2.x86_64\n2020-08-05 22:28:05 Result: reboot needed, as there is a difference between active kernel and the one on disk\n2020-08-05 22:28:05 Result: \/var\/cache\/apt\/archives\/ does not exist\n2020-08-05 22:28:05 Warning: Reboot of system is most likely needed &#91;test:KRNL-5830] &#91;details:] &#91;solution:text:reboot]\n2020-08-05 22:28:05 Hardening: assigned partial number of hardening points (0 of 5). Currently having 12 points (out of 21)\n2020-08-05 22:28:05 Security check: file is normal\n2020-08-05 22:28:05 Checking permissions of \/usr\/share\/lynis\/include\/tests_memory_processes\n2020-08-05 22:28:05 File permissions are OK\n2020-08-05 22:28:05 ====<\/code><\/pre>\n\n\n\n<p>The log makes the reason explicit: the newest kernel on disk is 4.18.0-193.14.2.el8_2 while the running kernel is 4.18.0-193.6.3.el8_2, so the updated kernel, and whatever fixes it carries, is not in effect until the system is rebooted. The test also records that it awarded 0 of its 5 hardening points, which is how such findings lower the hardening index.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Lynis Audit Scanning Profiles<\/h4>\n\n\n\n<p>Lynis uses profiles to hold a set of predefined options for your operating system and preferences. 
The default profile is stored under the&nbsp;<code><strong>\/etc\/lynis<\/strong><\/code>&nbsp;directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls \/etc\/lynis<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>default.prf<\/code><\/pre>\n\n\n\n<p>If you want to use a custom profile, use the&nbsp;<code><strong>--profile &lt;path&gt;&nbsp;<\/strong><\/code>option with the <code><strong>lynis audit system<\/strong><\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lynis audit system --profile \/path\/to\/custom\/profile.prf<\/code><\/pre>\n\n\n\n<p>To create your own custom profile, copy the default profile and edit it to define your custom test options.<\/p>\n\n\n\n<p>When run with no further options, the default profile,&nbsp;<code>\/etc\/lynis\/default.prf<\/code>, will be used.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Disabling Specific Checks<\/h4>\n\n\n\n<p>If you consider some checks to be false positives, or have consciously accepted the risk they flag, you can create a custom profile listing the test IDs that Lynis should skip while running the system scan.<\/p>\n\n\n\n<p>For instance, to skip the suggestion below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in \/etc\/security\/limits.conf file|-|-|<\/code><\/pre>\n\n\n\n<p>Create a custom profile and put the following contents in it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/lynis\/custom.prf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code># Lynis - Custom Scan Profile to ignore some findings\n#\n# Skip the core dump suggestion (KRNL-5820); record the reason here so the\n# exception is documented\nskip-test=KRNL-5820<\/code><\/pre>\n\n\n\n<p>Lynis reads <code>\/etc\/lynis\/custom.prf<\/code> automatically after <code>default.prf<\/code>, so the next time you run the audit the specified checks will be skipped. Use <code>skip-test<\/code> sparingly: a skipped check is a gap in the audit, not a fixed issue.<\/p>\n\n\n\n<p>Lynis is a useful tool. 
Go through all the fixes and suggestions provided to harden your system.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Further Reading<\/h3>\n\n\n\n<p><a href=\"https:\/\/cisofy.com\/documentation\/lynis\/get-started\/\" target=\"_blank\" rel=\"noreferrer noopener\">Get Started with Lynis<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/CISOfy\/lynis\" target=\"_blank\" rel=\"noreferrer noopener\">Lynis \u2013 Security auditing tool for Linux, macOS, and UNIX-based systems<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-lynis-security-auditing-tool-on-ubuntu-20-04\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Install and Setup Lynis Security Auditing tool on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-perform-system-security-auditing-with-lynis-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Perform System Security Auditing with Lynis on Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/restrict-access-to-wordpress-login-page-to-specific-ips-with-libmodsecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\">Restrict Access to WordPress Login Page to Specific IPs with libModSecurity<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-use-clamav-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and use ClamAV on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-and-configure-maltrail-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Install and Configure Maltrail on Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-rkhunter-rootkit-hunter-on-ubuntu-18-04\/\">How to Install RKHunter (RootKit Hunter) On Ubuntu 18.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install and setup 
Lynis security auditing tool on CentOS 8.&nbsp;Lynis&nbsp;is an open-source security tool that can perform<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,34],"tags":[1142,1880,1878,1882,1883,220,1879,1881],"class_list":["post-6636","post","type-post","status-publish","format-standard","hentry","category-howtos","category-security","tag-centos-8","tag-hardening-centos-8-with-lynis","tag-install-lynis-auditing-tool-on-centos-8","tag-linux-security-hardening","tag-linux-system-auditing","tag-lynis","tag-setup-lynis-on-centos-8","tag-system-hardening","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6636"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=6636"}],"version-history":[{"count":3,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6636\/revisions"}],"predecessor-version":[{"id":21496,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6636\/revisions\/21496"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=6636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=6636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=6636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}