Lynis – Security Auditing and Hardening Tool for Linux/Unix Systems

First i want to tell you about system security before going deeper about Lynis. Every system administrator should know/understand about system security, Hardening, etc,. So that we can make our system up and running smoothly without any issues otherwise we have to face so many issues.

Maintaining servers is not a easy task, that to in banking sector where payment transaction are happening. I know how hard it is because i have faced so many challenges/issues when i was part of data center administrator.

By default all the systems comes with plain system and we need to secure/tune the systems based on our environment. Security is one of the major part in IT infrastructure that we need to consider as a high risk.

If anyone gain the access to your system, they can steal all your data then it will be a big problem. If it’s don’t want to happen on your environment, make sure you must maintain your environment with high security.

If you have a checklist, you can do the hardening manually but it takes lot of time, Lynis comes with handy to audit the system in much easier way.

Also read below security related articles.

Follow the below steps for basic hardening

  • Install minimal OS
  • Install necessary applications.
  • Remove unnecessary applications.
  • Don’t use outdated applications which leads to open backdoor.
  • Make sure the system is upto date (Push the updates regularly)
  • Install necessary security patches
  • Verify the logs daily basics

What’s Lynis

Lynis is a open source security auditing tool for UNIX derivatives like Linux, macOS, BSD, and others, and providing guidance for system hardening and compliance testing. It performs an in-depth security scan on varies aspect and provide tips for further system hardening & security defenses. It will also scan for general system information, vulnerable software packages, and possible configuration issues. It’s very useful for System administrators, Auditors, Security officers & Security professionals. Nowadays, penetration testers also have Lynis in their toolkit.

Lynis audit below things.

  • Checking System Information
  • Checking system binaries
  • Boot loader & startup services
  • Kernel
  • Memory & Process
  • Users & Groups Authentication
  • Shells information
  • File Systems
  • Storage
  • NFS
  • Name services
  • Ports and packages
  • Networking Information
  • Printers and Spools
    • Software
    • e-mail and messaging services
    • firewalls
    • webserver
    • file integrity
    • System tooling
    • Malware
  • SSH Support
  • SNMP Support
  • Databases
  • LDAP Services
  • PHP
  • Squid Support
  • Logging and files
  • Insecure services
  • Banners and identification
  • Scheduled tasks
  • Accounting
  • Time and Synchronization
  • Cryptography
  • Virtualization
  • Containers
  • Security frameworks
  • File Permissions
  • Home directories
  • Kernel Hardening
  • Hardening
  • Custom Tests

How to install lynis on Linux

Most of the distribution (Debian, Ubuntu, Mint, Fedora, suse, openSUSE, Arch Linux, Manjaro, Mageia, etc.) has the lynis package by default, so we can easily install it from distribution official repository with help of package manager.

[Install lynis on Debian/Ubuntu/LinuxMint]
$ sudo apt-get install lynis

[Install lynis on RHEL/CentOS]
$ sudo yum install lynis

[Install lynis on Fedora]
$ sudo dnf install lynis

[Install lynis on openSUSE]
$ sudo zypper install lynis

[Install lynis on Mageia]
$ sudo urpmi lynis

[Install lynis on Arch Linux based system]
$ sudo pacman -S lynis

If the distribution doesn’t have the latest lynis package better you can add the lynis repository to install.

[Install lynis on RHEL/CentOS/Fedora]
$ sudo yum update ca-certificates curl nss openssl

$ sudo nano /etc/yum.repos.d/cisofy-lynis.repo
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1

[For RHEL/CentOS]
$ sudo yum install lynis

[For Fedora]
$ sudo dnf install lynis

Install lynis on Debian/Ubuntu/LinuxMint

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
$ sudo sh -c "echo 'deb https://packages.cisofy.com/community/lynis/deb/ stable main' >> /etc/apt/sources.list.d/lynis.list"
$ sudo apt install apt-transport-https
$ sudo apt update
$ sudo apt install lynis

Install lynis on openSUSE

$ sudo rpm --import https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
$ sudo zypper addrepo --gpgcheck --name "CISOfy Lynis repository" --priority 1 --refresh --type rpm-md https://packages.cisofy.com/community/lynis/rpm/ lynis
$ sudo zypper refresh
$ sudo zypper install lynis

Run lynis without any option

Make a note, you have to run lynis as a privilege users either root or sudo. When you running lynis without any option, it will provide the basic parameters available.

$ sudo lynis

[ Lynis 2.4.0 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2016, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################

[+] Initializing program
------------------------------------
  Usage: lynis command [options]

  Command:

    audit
        audit system                  : Perform local security scan
        audit system remote     : Remote security scan
        audit dockerfile        : Analyze Dockerfile

    show
        show                          : Show all commands
        show version                  : Show Lynis version
        show help                     : Show help

    update
        update info                   : Show update details
        update release                : Update Lynis release

  Options:

    --no-log                          : Don't create a log file
    --pentest                         : Non-privileged scan (useful for pentest)
    --profile                : Scan the system with the given profile file
    --quick (-Q)                      : Quick mode, don't wait for user input

    Layout options
    --no-colors                       : Don't use colors in output
    --quiet (-q)                      : No output
    --reverse-colors                  : Optimize color display for light backgrounds

    Misc options
    --debug                           : Debug logging to screen
    --view-manpage (--man)            : View man page
    --verbose                         : Show more details on screen
    --version (-V)                    : Display version number and quit

    Enterprise options
    --plugin-dir ""             : Define path of available plugins
    --upload                          : Upload data to central node

    More options available. Run '/usr/sbin/lynis show options', or use the man page.

  No command provided. Exiting..

How to run lynis

If you new to lynis and want to check all the parameters, it is recommended to use audit system command which will scan entire system with all the defined parameters by lynis.

You can add the auditor name by including --auditor option with lynsi command followed by auditor name.

Checking System information :
It will detect system information such as OS Name, OS Version, Architecture, Kernel version & Hostname. Also show the lynis log file & report file locations.

$ sudo lynis audit system --auditor "Magi"

[ Lynis 2.4.0 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2016, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################


[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Checking profiles...                                      [ DONE ]

  ---------------------------------------------------
  Program version:           2.4.0
  Operating system:          Linux
  Operating system name:     Ubuntu Linux
  Operating system version:  16.10
  Kernel version:            4.8.0
  Hardware platform:         x86_64
  Hostname:                  daygeek
  ---------------------------------------------------
  Profiles:                  /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /usr/share/lynis/plugins
  ---------------------------------------------------
  Auditor:                   Magi
  Test category:             all
  Test group:                all
  ---------------------------------------------------
  - Program update status...                                  [ NO UPDATE ]

System Tools : Scan available system tools & system binaries, Checking binaries in directory /bin then rest of the command like awk, cut, egrep, find, etc,., The similar way, it will scan other binaries such as /sbin, /usr/bin, /usr/sbin & /usr/local/bin, etc,.

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...

Plugins (phase 1) : Scanning phase 1 plugins test based on the installed plugins. If you want to install plugin for lynis, add it at /etc/lynis/plugins directory.

[+] Plugins (phase 1)
------------------------------------
 Note: plugins have more extensive tests and may take several minutes to complete
  
  - Plugins enabled                                           [ NONE ]

Boot loader & startup services : Scanning Boot loader files (UEFI, GRUB2), running services (auditd, kdump, sshd, sysstat, etc) & startup services.

[+] Boot and services
------------------------------------
  - Service Manager                                           [ UNKNOWN ]
  - Checking UEFI boot                                        [ DISABLED ]
  - Checking presence GRUB2                                   [ FOUND ]
    - Checking for password protection                        [ WARNING ]
  - Check running services (systemctl)                        [ DONE ]
        Result: found 30 running services
  - Check enabled services at boot (systemctl)                [ DONE ]
        Result: found 51 enabled services
  - Check startup files (permissions)                         [ OK ]

Kernel : Scanning run level, CPU support, kernel version, kernel type, /etc/inittab & loaded kernel modules.

[+] Kernel
------------------------------------
  - Checking default run level                                [ RUNLEVEL 5 ]
  - Checking CPU support (NX/PAE)
    CPU support: PAE and/or NoeXecute supported               [ FOUND ]
  - Checking kernel version and release                       [ DONE ]
  - Checking kernel type                                      [ DONE ]
  - Checking loaded kernel modules                            [ DONE ]
      Found 67 active modules
  - Checking Linux kernel configuration file                  [ FOUND ]
  - Checking default I/O kernel scheduler                     [ FOUND ]
  - Checking for available kernel update                      [ OK ]
  - Checking core dumps configuration                         [ DISABLED ]
    - Checking setuid core dumps configuration                [ PROTECTED ]
  - Check if reboot is needed                                 [ YES ]

Memory and Processes : Scanning memory information from /proc/meminfo, dead processes & IO processes.

[+] Memory and Processes
------------------------------------
  - Checking /proc/meminfo                                    [ FOUND ]
  - Searching for dead/zombie processes                       [ OK ]
  - Searching for IO waiting processes                        [ OK ]

Users, Groups and Authentication : Scanning admin accounts, UIDs, GIDs, /etc/passwd, sudoers & PAM files, password aging, single user mode, failed login & umask.

[+] Users, Groups and Authentication
------------------------------------
  - Administrator accounts                                    [ OK ]
  - Unique UIDs                                               [ OK ]
  - Consistency of group files (grpck)                        [ OK ]
  - Unique group IDs                                          [ OK ]
  - Unique group names                                        [ OK ]
  - Password file consistency                                 [ OK ]
  - Query system users (non daemons)                          [ DONE ]
  - NIS+ authentication support                               [ NOT ENABLED ]
  - NIS authentication support                                [ NOT ENABLED ]
  - sudoers file                                              [ FOUND ]
    - Check sudoers file permissions                          [ OK ]
  - PAM password strength tools                               [ SUGGESTION ]
  - PAM configuration files (pam.conf)                        [ FOUND ]
  - PAM configuration files (pam.d)                           [ FOUND ]
  - PAM modules                                               [ FOUND ]
  - LDAP module in PAM                                        [ NOT FOUND ]
  - Accounts without expire date                              [ OK ]
  - Accounts without password                                 [ OK ]
  - Checking user password aging (minimum)                    [ DISABLED ]
  - User password aging (maximum)                             [ DISABLED ]
  - Checking expired passwords                                [ OK ]
  - Checking Linux single user mode authentication            [ OK ]
  - Determining default umask
    - umask (/etc/profile)                                    [ NOT FOUND ]
    - umask (/etc/login.defs)                                 [ SUGGESTION ]
  - LDAP authentication support                               [ NOT ENABLED ]
  - Logging failed login attempts                             [ ENABLED ]

Shells : Scanning available shells and checking whether its vulnerable.

[+] Shells
------------------------------------
  - Checking shells from /etc/shells
    Result: found 4 shells (valid shells: 4).
    - Session timeout settings/tools                          [ NONE ]
  - Checking default umask values
    - Checking default umask in /etc/bash.bashrc              [ NONE ]
    - Checking default umask in /etc/profile                  [ NONE ]

File systems : Scanning available mount points and check if it’s mounted separately or mounted on / file system. Also checking the mount point flags and added properly. fstab file, swap partition, /proc, /tmp and /tmp sticky bit.

[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point                              [ SUGGESTION ]
    - Checking /tmp mount point                               [ SUGGESTION ]
    - Checking /var mount point                               [ SUGGESTION ]
  - Query swap partitions (fstab)                             [ OK ]
  - Testing swap partitions                                   [ OK ]
  - Testing /proc mount (hidepid)                             [ SUGGESTION ]
  - Checking for old files in /tmp                            [ OK ]
  - Checking /tmp sticky bit                                  [ OK ]
  - ACL support root file system                              [ ENABLED ]
  - Mount options of /                                        [ NON DEFAULT ]
  - Checking Locate database                                  [ FOUND ]
  - Disable kernel support of some filesystems
    - Discovered kernel modules: cramfs freevxfs jffs2 udf 

Storage : Scanning, if USB storage is disabled, checking USB devices authorization. Also check if firewire storage is disabled.

[+] Storage
------------------------------------
  - Checking usb-storage driver (modprobe config)             [ NOT DISABLED ]
  - Checking USB devices authorization                        [ ENABLED ]
  - Checking firewire ohci driver (modprobe config)           [ DISABLED ]

NFS : Scanning NFS information like rpcinfo registered programs, NFS registered versions, NFS registered protocols and NFS daemon running.

[+] NFS
------------------------------------
  - Check running NFS daemon                                  [ NOT FOUND ]

Name Services : Scanning /etc/resolve.conf file for Name services information like, dnsdomainname command, nscd status, named status (BIND), Unbound daemon status and verify /etc/hosts have a hostname entry.

[+] Name services
------------------------------------
  - Searching DNS domain name                                 [ UNKNOWN ]
  - Checking /etc/hosts
    - Checking /etc/hosts (duplicates)                        [ OK ]
    - Checking /etc/hosts (hostname)                          [ OK ]
    - Checking /etc/hosts (localhost)                         [ OK ]

Ports and packages : First scanning package manager, if its found the package manager (rpm, deb, etc) then it will query the list of installed packages and check package vulnerability, package updates. Finally checks GPG signature for package security.

[+] Ports and packages
------------------------------------
  - Searching package managers
    - Searching dpkg package manager                          [ FOUND ]
      - Querying package manager
    - Query unpurged packages                                 [ NONE ]
  - Checking security repository in sources.list file         [ OK ]
  - Checking APT package database                             [ OK ]
  - Checking vulnerable packages                              [ WARNING ]
  - Checking upgradeable packages                             [ SKIPPED ]
  - Checking package audit tool                               [ INSTALLED ]
    Found: apt-get

Networking : Scan IPv6 enabled or not, name server configuration test, search available network interfaces, MAC addresses, network IP addresses, DHCP status.

[+] Networking
------------------------------------
  - Checking IPv6 configuration                               [ ENABLED ]
      Configuration method                                    [ AUTO ]
      IPv6 only                                               [ NO ]
  - Checking configured nameservers
    - Testing nameservers
        Nameserver: 127.0.1.1                                 [ OK ]
    - Minimal of 2 responsive nameservers                     [ WARNING ]
  - Checking default gateway                                  [ DONE ]
  - Getting listening ports (TCP/UDP)                         [ DONE ]
      * Found 18 ports
  - Checking promiscuous interfaces                           [ OK ]
  - Checking waiting connections                              [ OK ]
  - Checking status DHCP client                               [ RUNNING ]
  - Checking for ARP monitoring software                      [ NOT FOUND ]

Printers and Spools : Check cupsd status and related configuration files. lpd status, qdaemon printer spooler status & old print jobs.

[+] Printers and Spools
------------------------------------
  - Checking cups daemon                                      [ RUNNING ]
  - Checking CUPS configuration file                          [ OK ]
    - File permissions                                        [ WARNING ]
  - Checking CUPS addresses/sockets                           [ FOUND ]
  - Checking lp daemon                                        [ NOT RUNNING ]

Software: e-mail and messaging : Scanning available mail server status and related configuration files.

[+] Software: e-mail and messaging
------------------------------------
  - Checking Exim status                                      [ NOT FOUND ]
  - Checking Postfix status                                   [ NOT FOUND ]
  - Checking Dovecot status                                   [ NOT FOUND ]
  - Checking Qmail status                                     [ NOT FOUND ]
  - Checking Sendmail status                                  [ NOT FOUND ]

Software: firewalls : Checking iptables kernel module, used policies of iptables chains. Also verify software firewalls like CSF, UCF, etc.

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ FOUND ]
    - Checking iptables policies of chains                    [ FOUND ]
    - Checking for empty ruleset                              [ WARNING ]
    - Checking for unused rules                               [ OK ]
  - Checking host based firewall                              [ ACTIVE ]

Software: webserver : Scanning installed webservers (apache or enginx), virtual hosts, loaded modules, mod_evasive, mod_qos & ModSecurity.

[+] Software: webserver
------------------------------------
  - Checking Apache (binary /usr/sbin/apache2)                [ FOUND ]
      Info: No virtual hosts found
    * Loadable modules                                        [ FOUND ]
        - Found 106 loadable modules
          mod_evasive: anti-DoS/brute force                   [ NOT FOUND ]
          mod_qos: anti-Slowloris                             [ NOT FOUND ]
          ModSecurity: web application firewall               [ NOT FOUND ]
  - Checking nginx                                            [ NOT FOUND ]

SSH Support : Scanning SSH daemon status and other tweaks of SSH on /etc/ssh/sshd_config for secure login.

[+] SSH Support
------------------------------------
  - Checking running SSH daemon                               [ FOUND ]
    - Searching SSH configuration                             [ FOUND ]
    - SSH option: AllowTcpForwarding                          [ SUGGESTION ]
    - SSH option: ClientAliveCountMax                         [ SUGGESTION ]
    - SSH option: ClientAliveInterval                         [ OK ]
    - SSH option: Compression                                 [ SUGGESTION ]
    - SSH option: FingerprintHash                             [ NOT FOUND ]
    - SSH option: GatewayPorts                                [ OK ]
    - SSH option: IgnoreRhosts                                [ OK ]
    - SSH option: LoginGraceTime                              [ OK ]
    - SSH option: LogLevel                                    [ SUGGESTION ]
    - SSH option: MaxAuthTries                                [ SUGGESTION ]
    - SSH option: MaxSessions                                 [ SUGGESTION ]
    - SSH option: PermitRootLogin                             [ SUGGESTION ]
    - SSH option: PermitUserEnvironment                       [ OK ]
    - SSH option: PermitTunnel                                [ OK ]
    - SSH option: Port                                        [ SUGGESTION ]
--Mo- SSH option: PrintLastLog                                [ OK ]
    - SSH option: Protocol                                    [ OK ]
    - SSH option: StrictModes                                 [ OK ]
    - SSH option: TCPKeepAlive                                [ SUGGESTION ]
    - SSH option: UseDNS                                      [ SUGGESTION ]
    - SSH option: UsePrivilegeSeparation                      [ SUGGESTION ]
    - SSH option: VerifyReverseMapping                        [ NOT FOUND ]
    - SSH option: X11Forwarding                               [ SUGGESTION ]
    - SSH option: AllowAgentForwarding                        [ SUGGESTION ]
    - SSH option: AllowUsers                                  [ NOT FOUND ]
    - SSH option: AllowGroups                                 [ NOT FOUND ]

SNMP Support : Checking SNMP daemon is running, daemon file location, SNMP communications.

[+] SNMP Support
------------------------------------
  - Checking running SNMP daemon                              [ NOT FOUND ]

Databases : Checking installed databases like MySQL, PostgreSQL, Oracle, DB2 & Redis and related processes, configuration files.

[+] Databases
------------------------------------
    No database engines found

LDAP Services : Checking OpenLDAP instance is running or not and its configuration file.

[+] LDAP Services
------------------------------------
  - Checking OpenLDAP instance                                [ NOT FOUND ]

PHP : Checking whether PHP installed or not, php.ini file and other php related files. PHP disabled function, PHP register_globals option, PHP enable_dl option, PHP allow_url_fopen option.

[+] PHP
------------------------------------
  - Checking PHP                                              [ NOT FOUND ]

Squid Support : Scanning squid daemon status, squid version, squild daemon file location, authentication methods, squid acl & safe ports.

[+] Squid Support
------------------------------------
  - Checking running Squid daemon                             [ NOT FOUND ]

Logging and files : Scan whether syslog daemon is running or not and its configuration files.

[+] Logging and files
------------------------------------
  - Checking for a running log daemon                         [ OK ]
    - Checking Syslog-NG status                               [ NOT FOUND ]
    - Checking systemd journal status                         [ FOUND ]
    - Checking Metalog status                                 [ NOT FOUND ]
    - Checking RSyslog status                                 [ FOUND ]
    - Checking RFC 3195 daemon status                         [ NOT FOUND ]
    - Checking minilogd instances                             [ NOT FOUND ]
  - Checking logrotate presence                               [ OK ]
  - Checking log directories (static list)                    [ DONE ]
  - Checking open log files                                   [ DONE ]
  - Checking deleted files in use                             [ FILES FOUND ]

Insecure services : Scanning inet daemon status and checks configuration file when it’s disabled.

[+] Insecure services
------------------------------------
  - Checking inetd status                                     [ NOT ACTIVE ]

Banners and identification : Scanning copyright banner files, check issue banner file & contents & check issue.net banner file & its contents.

[+] Banners and identification
------------------------------------
  - /etc/issue                                                [ FOUND ]
    - /etc/issue contents                                     [ WEAK ]
  - /etc/issue.net                                            [ FOUND ]
    - /etc/issue.net contents                                 [ WEAK ]

Scheduled tasks : Scanning cron daemon stats then it will check cronjob/crontab lists.

[+] Scheduled tasks
------------------------------------
  - Checking crontab/cronjob                                  [ DONE ]

Accounting : Scanning accounting software information and it’s configuration files.

[+] Accounting
------------------------------------
  - Checking accounting information                           [ NOT FOUND ]
  - Checking sysstat accounting data                          [ NOT FOUND ]
  - Checking auditd                                           [ NOT FOUND ]

Time and Synchronization : Scanning NTP daemon or client status and checks NTP time synchronization status.

[+] Time and Synchronization
------------------------------------
  - NTP daemon found: systemd (timesyncd)                     [ FOUND ]
  - Checking for a running NTP daemon or client               [ OK ]

Cryptography: Check expire date of SSL certificates.

[+] Cryptography
------------------------------------
  - Checking for expired SSL certificates                     [ NONE ]

Virtualization : Checking virtualization technology.

[+] Virtualization
------------------------------------

Containers : Checking Docker status and information, checks docker info for any warnings & checking no of docker containers.

[+] Containers
------------------------------------

Security frameworks : Scanning AppArmor, SELinux, grsecurity are enabled. if yes, it will check the daemon status & presence.

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                                [ FOUND ]
    - Checking AppArmor status                                [ UNKNOWN ]
  - Checking presence SELinux                                 [ NOT FOUND ]
  - Checking presence grsecurity                              [ NOT FOUND ]
  - Checking for implemented MAC framework                    [ NONE ]

file integrity : Checking file integrity to all the files.

[+] Software: file integrity
------------------------------------
  - Checking file integrity tools
  - Checking presence integrity tool                          [ NOT FOUND ]

System tooling : Checking system automation tools, fail2ban, IDS/IPS, etc.

[+] Software: System tooling
------------------------------------
  - Checking automation tooling
  - Automation tooling                                        [ NOT FOUND ]
  - Checking for IDS/IPS tooling                              [ NONE ]

Malware : Scanning malware related tools like chkrootkit, Rootkit Hunter, LMD & clamscan.

[+] Software: Malware
------------------------------------

File Permissions : Scanning all kind of file permission.

[+] File Permissions
------------------------------------
  - Starting file permissions check
    /etc/lilo.conf                                            [ NOT FOUND ]
    /root/.ssh                                                [ NOT FOUND ]

Home directories : Checking home directory files & directory information.

[+] Home directories
------------------------------------
  - Checking shell history files                              [ OK ]

Kernel Hardening : Scan sysctl key pairs with profile to verify the kernel parameters hardening.

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - kernel.core_uses_pid (exp: 1)                           [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0)                            [ OK ]
    - kernel.kptr_restrict (exp: 2)                           [ DIFFERENT ]
    - kernel.randomize_va_space (exp: 2)                      [ OK ]
    - kernel.sysrq (exp: 0)                                   [ DIFFERENT ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)                  [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)                   [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1)                 [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)                [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)                    [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)                    [ OK ]
    - net.ipv4.conf.all.send_redirects (exp: 0)               [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0)      [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1)             [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)           [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)     [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)                        [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0)                        [ DIFFERENT ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0)      [ OK ]

Hardening : Checking kernel hardening parameters, if it’s week then giving tips for hardening. Scan kernel compilers are installed properly, checks compiler permission, malware scan & custom test.

[+] Hardening
------------------------------------
    - Installed compiler(s)                                   [ FOUND ]
    - Installed malware scanner                               [ NOT FOUND ]
    - Installed malware scanner                               [ NOT FOUND ]

Custom Tests : Performing some custom tests to check system security.

[+] Custom Tests
------------------------------------
  - Running custom tests...                                   [ NONE ]

Plugins (phase 2) : Scanning phase 2 plugins test based on the installed plugins. If you want to install plugin for lynis, add it at /etc/lynis/plugins directory.

[+] Plugins (phase 2)
------------------------------------

Lynis results Warnings : After successfully completed scanning, it will shows the Warnings & Suggestions details.

  -[ Lynis 2.4.0 Results ]-

  Warnings (4):
  ----------------------------
  ! Reboot of system is most likely needed [KRNL-5830] 
      https://cisofy.com/controls/KRNL-5830/

  ! Found one or more vulnerable packages. [PKGS-7392] 
      https://cisofy.com/controls/PKGS-7392/

  ! Couldn't find 2 responsive nameservers [NETW-2705] 
      https://cisofy.com/controls/NETW-2705/

  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
      https://cisofy.com/controls/FIRE-4512/

Lynis results Suggestions : Suggestions details.

  Suggestions (31):
  ----------------------------
  * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
      https://cisofy.com/controls/BOOT-5122/

  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] 
      https://cisofy.com/controls/AUTH-9262/

  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/controls/AUTH-9286/

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] 
      https://cisofy.com/controls/AUTH-9328/

  * To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/
.
.

  Follow-up:
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)

Lynis security scan details : See below for Lynis security scan details (Hardening index, Tests performed, plugins enabled, firewall, malware scanner & lynis modules).

While scanning you will see in each parameters output OK or WARNING, where OK is considered an expected (good) result and WARNING is unexpected. However, keep in mind that a result saying OK does NOT always mean the scanned target is correctly configured, safe (security wise) or a best practice. On the opposite, every WARNING doesn’t have to be ‘bad’. So pay attention to WARNING to avoid potential damage on server.

  Lynis security scan details:

  Hardening index : 58 [###########         ]
  Tests performed : 204
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Lynis Modules:
  - Compliance Status      [?]
  - Security Audit         [V]
  - Vulnerability Scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

  Exceptions found
  Some exceptional events or information was found!

  What to do:
  You can help by providing your log file (/var/log/lynis.log).
  Go to https://cisofy.com/contact/ and send your file to the e-mail address listed

================================================================================

  Lynis 2.4.0

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2016, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

================================================================================

  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)

Run lynis show to get a additional argument.

$ sudo lynis show

  Provide an additional argument

    lynis show categories
    lynis show changelog
    lynis show commands
    lynis show dbdir
    lynis show details
    lynis show environment
    lynis show groups
    lynis show help
    lynis show hostids
    lynis show includedir
    lynis show language
    lynis show license
    lynis show logfile
    lynis show man
    lynis show options
    lynis show os
    lynis show pidfile
    lynis show plugindir
    lynis show profiles
    lynis show release
    lynis show releasedate
    lynis show report
    lynis show settings
    lynis show tests
    lynis show version
    lynis show workdir

If you want to scan any particular test, first check the Test ID by running below command.

$ lynis show tests | more 

# Test       OS         Description
# ======================================================================================
ACCT-2754  FreeBSD    Check for available FreeBSD accounting information (security)
ACCT-2760  OpenBSD    Check for available OpenBSD accounting information (security)
ACCT-9622  Linux      Check for available Linux accounting information (security)
ACCT-9626  Linux      Check for sysstat accounting data (security)
ACCT-9628  Linux      Check for auditd (security)
ACCT-9630  Linux      Check for auditd rules (security)
ACCT-9632  Linux      Check for auditd configuration file (security)
ACCT-9634  Linux      Check for auditd log file (security)
ACCT-9636  Linux      Check for Snoopy wrapper and logger (security)
ACCT-9650  Solaris    Check Solaris audit daemon (security)
ACCT-9652  Solaris    Check auditd SMF status (security)
ACCT-9654  Solaris    Check BSM auditing in /etc/system (security)
ACCT-9656  Solaris    Check BSM auditing in module list (security)
ACCT-9660  Solaris    Check location of audit events (security)
ACCT-9662  Solaris    Check Solaris auditing stats (security)
AUTH-9204             Check users with an UID of zero (security)
AUTH-9208             Check non-unique accounts in passwd file (security)
AUTH-9212             Test group file (security)
AUTH-9216             Check group and shadow group files (security)
AUTH-9218  FreeBSD    Check harmful login shells (security)
AUTH-9222             Check for non unique groups (security)
AUTH-9226             Check non unique group names (security)
AUTH-9228             Check password file consistency with pwck (security)
AUTH-9234             Query user accounts (security)
AUTH-9240             Query NIS+ authentication support (security)
AUTH-9242             Query NIS authentication support (security)
AUTH-9250             Checking sudoers file (security)
AUTH-9252             Check sudoers file (security)
AUTH-9254  Solaris    Solaris passwordless accounts (security)
--More--

To check the particular tests, use the below command followed by the test ID.

$ sudo lynis --tests "AUTH-9222"

To know more option about lynis, just fire the following command.

$ lynis show help

Check lynis update info, if its available then run the update release command to update.

$ sudo lynis update info

 == Lynis ==

  Version         : 2.4.0
  Status          : Up-to-date
  Release date    : 2016-10-27
  Update location : https://cisofy.com/lynis/

2007-2016, CISOfy - https://cisofy.com/lynis/

Automating Lynis with cronjob

This is not a daily or weekly task, So better to run once in a month. Junst open the below file and add the below content to run the lynis audit once in a month. Create the related paths in the script (/usr/local/lynis and /var/log/lynis).

$ sudo nano /etc/cron.monthly/lynis

#!/bin/sh
AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

# Run Lynis
lynis audit system --auditor "${AUDITOR}" --cronjob > ${REPORT}

# Optional step: Move report file if it exists
if [ -f /var/log/lynis-report.dat ]; then
    mv /var/log/lynis-report.dat ${DATA}
fi

Magesh Maruthamuthu

Love to play with all Linux distribution

You may also like...