====== How to scan Linux for vulnerabilities with lynis ====== Last updated on  Authored by [[http://xmodulo.com/author/nanni|Dan Nanni]] [[http://xmodulo.com/how-to-scan-linux-for-vulnerabilities.html#comments|1 Comment]] As a system administrator, Linux security technician or system auditor, your responsibility can involve any combination of these: software patch management, malware scanning, file integrity checks, security audit, configuration error checking, etc. If there is an automatic vulnerability scanning tool, it can save you a lot of time checking up on common security issues. One such vulnerability scanner on Linux is [[http://cisofy.com/lynis/|__"lynis"__]]. This tool is open-source (GPLv3), and actually supported on multiple platforms including Linux, FreeBSD, and Mac OS. To ****install ****"**lynis**"**** on Linux****, do the following. $ wget http://cisofy.com/files/lynis-1.6.3.tar.gz\\ $ sudo tar xvfvz lynis-1.6.3.tar.gz -C /opt To ****scan Linux for vulnerabilities with ****"**lynis**", run the following. $ cd /opt/lynis-1.6.3/\\ $ sudo ./lynis --check-all -Q Once "lynis" starts scanning your system, it will perform auditing in a number of categories: * ****System tools:**** system binaries * ****Boot and services:**** boot loaders, startup services * ****Kernel:**** run level, loaded modules, kernel configuration, core dumps * ****Memory and processes:**** zombie processes, IO waiting processes * ****Users, groups and authentication:**** group IDs, sudoers, PAM configuration, password aging, default mask * ****Shells**** * ****File systems:**** mount points, /tmp files, root file system * ****Storage:**** usb-storage, firewire ohci * ****NFS**** * ****Software: name services:**** DNS search domain, BIND * ****Ports and packages:**** vulnerable/upgradable packages, security repository * ****Networking:**** nameservers, promiscuous interfaces, connections * ****Printers and spools:**** cups configuration * ****Software: e-mail and messaging**** * ****Software: firewalls:**** iptables, pf * ****Software: webserver:**** Apache, nginx * ****SSH support:**** SSH configuration * ****SNMP support**** * ****Databases:**** MySQL root password * ****LDAP services**** * ****Software: php:**** php options * ****Squid support**** * ****Logging and files:**** syslog daemon, log directories * ****Insecure services:**** inetd * ****Banners and identification**** * ****Scheduled tasks:**** crontab/cronjob, atd * ****Accounting:**** sysstat data, auditd * ****Time and synchronization:**** ntp daemon * ****Cryptography:**** SSL certificate expiration * ****Virtualization**** * ****Security frameworks:**** AppArmor, SELinux, grsecurity status * ****Software: file integrity**** * ****Software: malware scanners**** * ****Home directories:**** shell history files The screenshot of "lynis" in action is shown below: Once scanning is completed, the auditing report of your system is generated and stored in /var/log/lynis.log. The audit report contains warnings for potential vulnerabilities detected by the tool. For example: $ sudo grep Warning /var/log/lynis.log [20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M] [20:20:04] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M] [20:20:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M] The audit report also contains a number of suggestions that can help harden your Linux system. For example: $ sudo grep Suggestion /var/log/lynis.log [20:19:41] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262] [20:19:41] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282] [20:19:41] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286] [20:19:41] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328] [20:19:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [20:19:42] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328] [20:19:42] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310] [20:19:42] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840] [20:19:42] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846] [20:20:03] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394] . . . . ==== **Scan Your System for Vulnerabilities as a Daily Cron Job** ==== To get the most out of "lynis", it’s recommended to run it on a regular basis, for example, as a daily cronjob. When run with "--cronjob" option, "lynis" runs in automatic, non-interactive scan mode. The following is a daily cronjob script that runs "lynis" in automatic mode to audit your system, and archives daily scan reports. $ sudo vi /etc/cron.daily/scan.sh #!/bin/sh \\ \\ AUDITOR="automated" DATE=$(date +%Y%m%d) HOST=$(hostname) LOG_DIR="/var/log/lynis" REPORT="$LOG_DIR/report-${HOST}.${DATE}" DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt" \\ \\ cd /opt/lynis-1.6.3 ./lynis -c --auditor "${AUDITOR}" --cronjob > ${REPORT} \\ \\ mv /var/log/lynis-report.dat ${DATA} $ sudo chmod 755 /etc/cron.daily/scan.sh \\