Lynis – Security Auditing and Hardening Tool for Linux/Unix Systems

First, I want to talk about system security before going deeper into Lynis. Every system administrator should understand system security, hardening, and related topics, so that systems stay up and running smoothly; otherwise we have to face many issues.

Maintaining servers is not an easy task, especially in the banking sector, where payment transactions are happening. I know how hard it is because I faced many challenges and issues when I was working as a data center administrator.

By default, every system comes in a plain state, and we need to secure and tune it for our environment. Security is one of the major parts of IT infrastructure, and we need to treat it as a high risk.

If anyone gains access to your system, they can steal all your data, which is a big problem. If you don't want that to happen in your environment, make sure you maintain it with a high level of security.

If you have a checklist, you can do the hardening manually, but it takes a lot of time. Lynis comes in handy for auditing the system in a much easier way.

Follow the steps below for basic hardening:

  • Install minimal OS
  • Install necessary applications.
  • Remove unnecessary applications.
  • Don't use outdated applications, which can open a backdoor.
  • Make sure the system is up to date (push updates regularly).
  • Install necessary security patches
  • Verify the logs on a daily basis

What’s Lynis

Lynis is an open source security auditing tool for UNIX derivatives such as Linux, macOS, BSD, and others. It provides guidance for system hardening and compliance testing. It performs an in-depth security scan of various aspects of the system and gives tips for further system hardening and security defenses. It also scans for general system information, vulnerable software packages, and possible configuration issues. It is very useful for system administrators, auditors, security officers, and security professionals. Nowadays, penetration testers also have Lynis in their toolkit.

Lynis audits the following areas:

  • Checking System Information
  • Checking system binaries
  • Boot loader & startup services
  • Kernel
  • Memory & Process
  • Users & Groups Authentication
  • Shells information
  • File Systems
  • Storage
  • NFS
  • Name services
  • Ports and packages
  • Networking Information
  • Printers and Spools
  • Software
    • e-mail and messaging services
    • firewalls
    • webserver
    • file integrity
    • System tooling
    • Malware
  • SSH Support
  • SNMP Support
  • Databases
  • LDAP Services
  • PHP
  • Squid Support
  • Logging and files
  • Insecure services
  • Banners and identification
  • Scheduled tasks
  • Accounting
  • Time and Synchronization
  • Cryptography
  • Virtualization
  • Containers
  • Security frameworks
  • File Permissions
  • Home directories
  • Kernel Hardening
  • Hardening
  • Custom Tests

How to install lynis on Linux

Most distributions (Debian, Ubuntu, Mint, Fedora, SUSE, openSUSE, Arch Linux, Manjaro, Mageia, etc.) ship the lynis package by default, so we can easily install it from the distribution's official repository with the help of the package manager.

[Install lynis on Debian/Ubuntu/LinuxMint]
$ sudo apt-get install lynis

[Install lynis on RHEL/CentOS]
$ sudo yum install lynis

[Install lynis on Fedora]
$ sudo dnf install lynis

[Install lynis on openSUSE]
$ sudo zypper install lynis

[Install lynis on Mageia]
$ sudo urpmi lynis

[Install lynis on Arch Linux based system]
$ sudo pacman -S lynis

If the distribution doesn't have the latest lynis package, you can add the lynis repository and install from it.

[Install lynis on RHEL/CentOS/Fedora]
$ sudo yum update ca-certificates curl nss openssl

$ sudo nano /etc/yum.repos.d/cisofy-lynis.repo
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1

[For RHEL/CentOS]
$ sudo yum install lynis

[For Fedora]
$ sudo dnf install lynis
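
A check for the repository definition created above, as an added example that is not part of the original article or of Lynis: it reads a .repo file and reports stanzas where signature checking is disabled or unset, the key is missing, or the transport is unencrypted. The helper names check_repo_file and sample_weak_repo and the sample stanza are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag weak package-trust settings in yum/dnf .repo files.
# check_repo_file and sample_weak_repo are hypothetical helper names.

check_repo_file() {
    # Prints one "<repo-id>: <problem>" line per finding; nothing when clean.
    awk '
        function is_off(v) { v = tolower(v); return v == "0" || v == "no" || v == "false" || v == "off" }
        function flush_repo() {
            if (id == "" || is_off(enabled)) return     # skip preamble and disabled repos
            if (is_off(gpgcheck))    print id ": gpgcheck is disabled, packages install unverified"
            else if (gpgcheck == "") print id ": gpgcheck unset, inherits the [main] default"
            if (gpgkey == "")                    print id ": no gpgkey configured"
            else if (gpgkey !~ /^(https|file):/) print id ": gpgkey is not fetched over https or file"
            if (baseurl ~ /^(http|ftp):/)        print id ": baseurl uses an unencrypted transport"
        }
        /^[ \t]*([#;]|$)/ { next }                      # comments and blank lines
        /^[ \t]*\[.+\]/ {                               # start of a new [repo-id] section
            flush_repo()
            id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
            enabled = "1"; gpgcheck = ""; gpgkey = ""; baseurl = ""
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled")  enabled  = val
            if (key == "gpgcheck") gpgcheck = val
            if (key == "gpgkey")   gpgkey   = val
            if (key == "baseurl")  baseurl  = val
        }
        END { flush_repo() }
    ' "$@"
}

sample_weak_repo() {   # constructed input, not a real repository
    cat <<'EOF'
[example-weak]
name=Constructed example
baseurl=http://repo.example.invalid/rpm/
enabled=1
gpgcheck=0
EOF
}

sample_weak_repo | check_repo_file
```

Run it as `check_repo_file /etc/yum.repos.d/cisofy-lynis.repo`; no output means the stanza matches the settings shown above.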

Install lynis on Debian/Ubuntu/LinuxMint

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
$ sudo sh -c "echo 'deb https://packages.cisofy.com/community/lynis/deb/ stable main' >> /etc/apt/sources.list.d/lynis.list"
$ sudo apt install apt-transport-https
$ sudo apt update
$ sudo apt install lynis

Install lynis on openSUSE

$ sudo rpm --import https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
$ sudo zypper addrepo --gpgcheck --name "CISOfy Lynis repository" --priority 1 --refresh --type rpm-md https://packages.cisofy.com/community/lynis/rpm/ lynis
$ sudo zypper refresh
$ sudo zypper install lynis

Run lynis without any option

Note that you have to run lynis as a privileged user, either as root or through sudo. When you run lynis without any option, it lists the basic parameters available.

$ sudo lynis

[ Lynis 2.4.0 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2016, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################

[+] Initializing program
------------------------------------
  Usage: lynis command [options]

  Command:

    audit
        audit system                  : Perform local security scan
        audit system remote     : Remote security scan
        audit dockerfile        : Analyze Dockerfile

    show
        show                          : Show all commands
        show version                  : Show Lynis version
        show help                     : Show help

    update
        update info                   : Show update details
        update release                : Update Lynis release

  Options:

    --no-log                          : Don't create a log file
    --pentest                         : Non-privileged scan (useful for pentest)
    --profile                : Scan the system with the given profile file
    --quick (-Q)                      : Quick mode, don't wait for user input

    Layout options
    --no-colors                       : Don't use colors in output
    --quiet (-q)                      : No output
    --reverse-colors                  : Optimize color display for light backgrounds

    Misc options
    --debug                           : Debug logging to screen
    --view-manpage (--man)            : View man page
    --verbose                         : Show more details on screen
    --version (-V)                    : Display version number and quit

    Enterprise options
    --plugin-dir ""             : Define path of available plugins
    --upload                          : Upload data to central node

    More options available. Run '/usr/sbin/lynis show options', or use the man page.

  No command provided. Exiting..

Magesh Maruthamuthu
