There are many tools capable of running hundreds of automated tests and checks to identify potential vulnerabilities and, in unfortunate cases, existing system compromises. However, not all of them are easy to use: most are highly specialized tools aimed at security experts or professional pen-testers rather than general system administrators. Nonetheless, there are still quite a few tools that are very powerful and yet quite accessible. One such tool is Lynis.

Lynis is an auditing and hardening tool for Unix/Linux; you might even call it a compliance tool. It scans the system and all the installed software, then performs many individual security control checks. It determines the hardening state of the machine, detects security issues, and provides suggestions to improve the security defenses of the system. To start using Lynis, all you need is to install the package and then run a few short but very handy commands that provide a lot of information about the security state of your system.
1. Installation via package
Installing Lynis via a package manager is one option to get started with Lynis. For most operating systems and distributions, a port or package is available.
Since Lynis is available from the official CentOS repositories, you can use yum to install the package. This applies to systems running YUM, including CentOS, Fedora and Red Hat Enterprise Linux (RHEL):
$ yum install lynis
The repository versions are not always the latest, so if you need the latest version you can either clone it from its official GitHub repository or download the tarball directly.
2. Installation via Git
The first step is cloning the project. Before doing so, select the parent directory. Git will create a 'lynis' subdirectory with the full program in it.
$ cd /usr/local
$ git clone https://github.com/CISOfy/lynis
Cloning into 'lynis'...
remote: Counting objects: 1733, done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 1733 (delta 3), reused 0 (delta 0), pack-reused 1725
Receiving objects: 100% (1733/1733), 886.18 KiB | 378.00 KiB/s, done.
Resolving deltas: 100% (1204/1204), done.
Checking connectivity... done.
$ cd lynis
That is it. Now you can run Lynis commands.
3. Installation via direct download
Step 1. Create a directory
Lynis can be started from any directory, so choose a directory where you want to store it. For our example we use /usr/local/lynis, as the /usr/local directory exists on most distributions.
$ mkdir -p /usr/local/lynis
$ cd /usr/local
Step 2. Download
The next step is downloading the latest version of Lynis into the /usr/local directory. In this method we use the compressed tarball, which is an archive of all the files that make up the package.
Go to the Lynis download page. Copy the link to the Lynis tarball (ends with lynis-<version>.tar.gz).
Use this link together with wget (usually installed by default):
$ wget https://cisofy.com/files/lynis-<version>.tar.gz
or
$ curl https://cisofy.com/files/lynis-<version>.tar.gz -o lynis.tar.gz
Step 3. Unpack the tarball
$ tar xfvz lynis-<version>.tar.gz
After unpacking, it is time to run Lynis for the first time.
Please refer to this link for more information on the installation processes.
Run Some Basic Audits:
Lynis can run without any preconfiguration. Configuration and fine-tuning are, of course, possible, but for basic security scanning they are usually not required. These three commands, for example, run some basic security scans on your system.
$ lynis audit system --forensics
Perform the audit on a running or mounted system.
$ lynis audit system --pentest
Run a non-privileged scan, usually used for penetration testing. Some of the tests will be skipped if they require root permissions.
$ lynis audit system --quick
Do a quick scan that does not wait for user input.
At the end of each scan, you will usually see a long list of results shown under different sections. While Lynis scans a system it performs single, targeted tests and outputs the result of every performed test to the screen. Every scan result has to be interpreted by the auditor and (re)checked to determine what it means.
After most tests, it will either output [OK] or [WARNING], where the first one is considered an expected (good) result, the second one unexpected. However, keep in mind that a result saying "[OK]" does NOT always mean the scanned target is correctly configured, safe (security wise) or a best practice.
Conversely, not every "[WARNING]" has to be 'bad', since systems (and their requirements) differ. However, as auditor, you are advised to pay attention to them and check what influence the test has on your system or policy.
There are other results like "[ FOUND ]", "[ NOT RUNNING ]", "[ ENABLED ]", "[ DISABLED ]", "[ NOT FOUND ]", "[ NONE ]", "[ DIFFERENT ]", "[ SUGGESTION ]" and others which are self-explanatory and mostly informational.
Actions you can take after getting a warning:
- Fix the problem
Read the log file about the technical background (often it contains a suggestion at the test), consult internet sources and documentation about what the impact of the change can be.
- Disable the test (whitelisting)
Within the scan profile, tests can be completely disabled (option test_skip_always). When a test gives a warning and you are not interested in the result of that particular test, you can ignore it.
For example: you have only one DNS server configured on your workstation. A test shows a warning and reveals that it expects at least two working name servers. In such a case, you can choose not to be informed about it and disable the test. Extend the option test_skip_always in your scanning profile with the test number (which can be found in the log file or at the end of the Lynis screen output). These options are mostly for advanced users and can be ignored for basic audits.
After every scan, you always have the option to consult the log file (/var/log/lynis.log) and interpret the results. If tests are displayed as a "[WARNING]", the log file will give the reason why a warning was displayed. In most cases a "Suggestion:" line will be present, to assist in resolving the issue or give more information on what was tested (or expected).
Suggestions and Warnings
The screen output, as outlined in the previous section, will provide the status of most tests on screen. During the audit process, Lynis will gather any possible suggestions or warnings. These results will be grouped and displayed at the bottom of the screen output. Usually, warnings are events that really need action.
Suggestions on the other hand could indicate room for improvement. It's common to find many more suggestions than warnings. This does not imply that because there are many suggestions (and no warnings) that a system is properly secured!
To determine what has been checked together with the related suggestion/warning, the test identifier is displayed on the same line (between brackets). Open the Lynis log file (/var/log/lynis.log) and search for this identifier.
Log file:
Although the most important results are displayed on the screen during the system scan, additional details are logged in a separate file (default: /var/log/lynis.log). This information is useful for advanced testers, to see what the program did in the background, or where anomalies showed up.
Information in the log file:
- Time of an action/event
- Reason(s) why a test failed or was skipped
- Output of (internal) tests
- Suggestions about configuration options or how to fix/improve things
- Threat/impact score
Remark: the log file is purged every scan. If you need debugging or logging information for previous scans, schedule log rotation or make a backup before running Lynis again.
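The advice above is to take the test identifier shown on screen and search the log file for it. The following added example (not part of the original guide or of Lynis itself) does that search programmatically over a constructed log excerpt. It assumes the lynis.log layout in which every line starts with a timestamp, a test begins with a "Performing test ID ..." line, and warning/suggestion lines carry a "[test:ID]" tag; the test IDs, timestamps and messages in the sample are placeholders, not real Lynis output.

```python
"""Pull everything Lynis logged about one test identifier out of lynis.log."""
import re

# Constructed sample approximating the lynis.log layout (assumption: timestamp
# prefix, "Performing test ID" start lines, [test:ID] tags on findings).
# Test IDs such as NAME-0000 are placeholders, not real Lynis test numbers.
LOG_SAMPLE = """\
2024-01-01 10:00:00 ===---------------------------------------------------------------===
2024-01-01 10:00:00 Performing test ID NAME-0000 (Check number of configured name servers)
2024-01-01 10:00:00 Test: checking /etc/resolv.conf
2024-01-01 10:00:00 Found nameserver: 192.0.2.53
2024-01-01 10:00:00 Result: only one name server configured
2024-01-01 10:00:00 Warning: Couldn't find 2 responsive nameservers [test:NAME-0000] [details:-] [solution:-]
2024-01-01 10:00:00 ===---------------------------------------------------------------===
2024-01-01 10:00:01 Performing test ID SSH-0000 (Check SSH daemon options)
2024-01-01 10:00:01 Result: PermitRootLogin is set to yes
2024-01-01 10:00:01 Suggestion: Consider disabling root login via SSH [test:SSH-0000] [details:PermitRootLogin] [solution:set to no]
2024-01-01 10:00:01 ===---------------------------------------------------------------===
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
TEST_START = re.compile(r"Performing test ID (\S+)")
SEPARATOR = "===-"  # the dashed line Lynis writes between tests


def entries_for_test(log_text, test_id):
    """Return the log lines (timestamps stripped) that belong to test_id.

    A block starts at 'Performing test ID <id>' and ends at the next separator
    or the next 'Performing test ID' line.
    """
    lines = []
    current = None
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw, count=1)
        match = TEST_START.search(line)
        if match:
            current = match.group(1)
        elif line.startswith(SEPARATOR):
            current = None
        if current == test_id:
            lines.append(line)
    return lines


def tagged_messages(log_text, kind):
    """Map test ID -> message for every 'Warning' or 'Suggestion' line."""
    pattern = re.compile(rf"{kind}: (.*?) \[test:([^\]]+)\]")
    found = {}
    for raw in log_text.splitlines():
        match = pattern.search(raw)
        if match:
            found[match.group(2)] = match.group(1)
    return found


if __name__ == "__main__":
    # Typical use: read the real file instead of the sample, e.g.
    # open("/var/log/lynis.log").read()
    for line in entries_for_test(LOG_SAMPLE, "NAME-0000"):
        print(line)
    print(tagged_messages(LOG_SAMPLE, "Warning"))
    print(tagged_messages(LOG_SAMPLE, "Suggestion"))
```

Because the log is purged on every run, point the script at a rotated copy if you want to look back at an earlier scan.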
During the audit process, Lynis will gather findings and other data points. This information is stored in the report file, which is by default /var/log/lynis-report.dat.
Lynis supports one report format, which can be used to gather results and display them in a custom or (more) friendly presentation. The report file can also be used to compare scan results from the past with a current scan. Lynis Enterprise has many more possibilities to display data, including extended reports in several formats.
Contents of report file:
- Remarks = #<remark>
- Section = [<section name>]
- Option/value = <option name>=<value of option>
When an option can have multiple values (like installed packages, for example), square brackets [] are appended to the option name. Example: installed_package[]=Package-1.0.0. These features are also targeted more toward advanced users and are naturally beyond the scope of this guide.
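The report file format described above (remarks, sections, single-valued and multi-valued options) is simple enough to parse in a few lines, and the text notes that the file can be used to compare an earlier scan with the current one. The following added example (written for this page, not code from the guide or from Lynis) parses two constructed report excerpts and lists which warnings were resolved, which are new and which persist. It assumes that warning and suggestion entries are stored as `warning[]=` and `suggestion[]=` values whose fields are separated by `|`, with the test identifier first; the hostnames, package names and test IDs in the samples are placeholders.

```python
"""Parse lynis-report.dat and compare the findings of two scans."""
from collections import defaultdict

# Constructed samples in the report format described above. Test IDs such as
# FIRE-0000 and the package names are placeholders, not real Lynis output.
REPORT_BEFORE = """\
# Lynis Report (constructed sample)
[generic]
report_version_major=1
hostname=web01
installed_package[]=openssh-server-8.9
installed_package[]=nginx-1.22
warning[]=KRNL-0000|Reboot of system is necessary|-|-|
warning[]=FIRE-0000|No firewall rules found|-|-|
suggestion[]=SSH-0000|Consider hardening the SSH configuration|PermitRootLogin|-|
"""

REPORT_AFTER = """\
# Lynis Report (constructed sample, later scan)
[generic]
report_version_major=1
hostname=web01
installed_package[]=openssh-server-8.9
installed_package[]=nginx-1.22
installed_package[]=nftables-1.0
warning[]=KRNL-0000|Reboot of system is necessary|-|-|
warning[]=BOOT-0000|Bootloader has no password set|-|-|
suggestion[]=SSH-0000|Consider hardening the SSH configuration|PermitRootLogin|-|
"""


def parse_report(text):
    """Return {section: {option: value or [values]}}.

    '#' lines are remarks, '[name]' lines open a section, 'key=value' is a
    single-valued option and 'key[]=value' appends to a multi-valued one.
    Options before any section header land in the 'global' section.
    """
    data = defaultdict(dict)
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line: skip rather than crash
        if key.endswith("[]"):
            data[section].setdefault(key[:-2], []).append(value)
        else:
            data[section][key] = value
    return dict(data)


def findings(report, kind, ignore=()):
    """Return {test_id: message} for 'warning' or 'suggestion' entries.

    'ignore' plays the role of test_skip_always: those test IDs are dropped.
    """
    result = {}
    for section in report.values():
        for entry in section.get(kind, []):
            fields = entry.split("|")
            test_id = fields[0]
            if test_id in ignore:
                continue
            result[test_id] = fields[1] if len(fields) > 1 else ""
    return result


def compare_scans(old_text, new_text, kind="warning", ignore=()):
    """Classify findings of one kind as resolved, new or persisting."""
    old = findings(parse_report(old_text), kind, ignore)
    new = findings(parse_report(new_text), kind, ignore)
    return {
        "resolved": sorted(set(old) - set(new)),
        "new": sorted(set(new) - set(old)),
        "persisting": sorted(set(old) & set(new)),
    }


if __name__ == "__main__":
    # Typical use: read /var/log/lynis-report.dat and a saved copy of a
    # previous one instead of the embedded samples.
    print(compare_scans(REPORT_BEFORE, REPORT_AFTER))
    print(compare_scans(REPORT_BEFORE, REPORT_AFTER, kind="suggestion"))
```

Keeping a dated copy of the report file after each scan is what makes this comparison possible, since Lynis overwrites the default file on every run.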
For more information on more advanced options, you can always refer to Lynis' official documentation: