How to scan Linux for vulnerabilities with lynis

Authored by Dan Nanni

As a system administrator, Linux security technician or system auditor, your responsibility can involve any combination of these: software patch management, malware scanning, file integrity checks, security audit, configuration error checking, etc. If there is an automatic vulnerability scanning tool, it can save you a lot of time checking up on common security issues.

One such vulnerability scanner for Linux is __"lynis"__. The tool is open source (GPLv3) and runs on multiple platforms, including Linux, FreeBSD and Mac OS.

To install lynis on Linux, do the following.

$ wget http://cisofy.com/files/lynis-1.6.3.tar.gz
$ sudo tar xvfz lynis-1.6.3.tar.gz -C /opt

To scan Linux for vulnerabilities with lynis, run the following.

$ cd /opt/lynis-1.6.3/
$ sudo ./lynis --check-all -Q

Once ”lynis” starts scanning your system, it will perform auditing in a number of categories:

  • System tools: system binaries
  • Boot and services: boot loaders, startup services
  • Kernel: run level, loaded modules, kernel configuration, core dumps
  • Memory and processes: zombie processes, IO waiting processes
  • Users, groups and authentication: group IDs, sudoers, PAM configuration, password aging, default mask
  • Shells
  • File systems: mount points, /tmp files, root file system
  • Storage: usb-storage, firewire ohci
  • NFS
  • Software: name services: DNS search domain, BIND
  • Ports and packages: vulnerable/upgradable packages, security repository
  • Networking: nameservers, promiscuous interfaces, connections
  • Printers and spools: cups configuration
  • Software: e-mail and messaging
  • Software: firewalls: iptables, pf
  • Software: webserver: Apache, nginx
  • SSH support: SSH configuration
  • SNMP support
  • Databases: MySQL root password
  • LDAP services
  • Software: php: php options
  • Squid support
  • Logging and files: syslog daemon, log directories
  • Insecure services: inetd
  • Banners and identification
  • Scheduled tasks: crontab/cronjob, atd
  • Accounting: sysstat data, auditd
  • Time and synchronization: ntp daemon
  • Cryptography: SSL certificate expiration
  • Virtualization
  • Security frameworks: AppArmor, SELinux, grsecurity status
  • Software: file integrity
  • Software: malware scanners
  • Home directories: shell history files

[Screenshot: lynis in action (image not included on this page)]

Once scanning is completed, the auditing report of your system is generated and stored in /var/log/lynis.log.

The audit report contains warnings for potential vulnerabilities detected by the tool. For example:

$ sudo grep Warning /var/log/lynis.log

[20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
[20:20:04] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
[20:20:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

The audit report also contains a number of suggestions that can help harden your Linux system. For example:

$ sudo grep Suggestion /var/log/lynis.log

[20:19:41] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
[20:19:41] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
[20:19:41] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
[20:19:41] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
[20:19:42] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
[20:19:42] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
[20:20:03] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]
...

**Scan Your System for Vulnerabilities as a Daily Cron Job**

To get the most out of “lynis”, it is recommended to run it on a regular basis, for example as a daily cron job. When run with the --cronjob option, “lynis” runs in automatic, non-interactive scan mode.

The following is a daily cronjob script that runs “lynis” in automatic mode to audit your system, and archives daily scan reports.

$ sudo vi /etc/cron.daily/scan.sh

#!/bin/sh
# Daily lynis audit: run in non-interactive cronjob mode and archive the reports.

AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

# Make sure the archive directory exists before redirecting output into it.
mkdir -p "$LOG_DIR"

cd /opt/lynis-1.6.3 || exit 1
./lynis -c --auditor "${AUDITOR}" --cronjob > "${REPORT}"

# lynis writes its machine-readable report to /var/log/lynis-report.dat; keep a dated copy.
mv /var/log/lynis-report.dat "${DATA}"

$ sudo chmod 755 /etc/cron.daily/scan.sh
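Archiving a report every day is only useful if someone looks at what changed. The script below is an added example (not code from the article or from the lynis project) that turns the grep-based review shown earlier into two small functions: one summarises a log's warnings per impact level, the other compares two archived logs and prints the findings that are new in the later one. It assumes input files in the line format the article's grep output shows (`[HH:MM:SS] Warning: ... [test:ID] [impact:X]` and `[HH:MM:SS] Suggestion: ... [test:ID]`), for example daily copies of /var/log/lynis.log; whether the stdout captured by the cron job above uses the same line format is not shown on this page, so that is an assumption. The two sample logs are constructed from the article's own warning and suggestion lines.

```shell
#!/bin/sh
# Added example, not code from the article or from the lynis project.
# Summarises the findings in a lynis log and compares two archived logs so
# that findings which appeared since the previous run stand out.
# Assumed input format (the line shapes the article's grep output shows):
#   [HH:MM:SS] Warning: <text> [test:TEST-ID] [impact:L|M|H]
#   [HH:MM:SS] Suggestion: <text> [test:TEST-ID]

# Print one finding per line as: TYPE<TAB>TEST-ID<TAB>IMPACT
# (IMPACT is "-" for suggestions, which carry no impact tag).
# Log lines without a [test:...] tag are ignored.
lynis_findings() {
    awk '
        /^\[[0-9:]+\] (Warning|Suggestion): / && /\[test:[A-Za-z0-9-]+\]/ {
            type = $2; sub(/:$/, "", type)
            id = $0; sub(/.*\[test:/, "", id); sub(/\].*/, "", id)
            impact = "-"
            if ($0 ~ /\[impact:[A-Za-z]\]/) {
                impact = $0; sub(/.*\[impact:/, "", impact); sub(/\].*/, "", impact)
            }
            print type "\t" id "\t" impact
        }' "$1"
}

# Count warnings per impact level, printed as "IMPACT COUNT" lines.
lynis_warning_counts() {
    lynis_findings "$1" \
        | awk -F'\t' '$1 == "Warning" { n[$3]++ } END { for (k in n) print k, n[k] }' \
        | LC_ALL=C sort
}

# Findings present in the newer log ($2) but absent from the older one ($1),
# printed as TYPE<TAB>TEST-ID per line. Temp files are used because
# process substitution is not available in POSIX sh.
lynis_new_findings() {
    old_ids=$(mktemp); new_ids=$(mktemp)
    lynis_findings "$1" | cut -f1,2 | LC_ALL=C sort -u > "$old_ids"
    lynis_findings "$2" | cut -f1,2 | LC_ALL=C sort -u > "$new_ids"
    LC_ALL=C comm -13 "$old_ids" "$new_ids"
    rm -f "$old_ids" "$new_ids"
}

# Constructed sample logs for two consecutive days, in the assumed format.
# The first line of the older log is a constructed non-finding line that
# the parser must ignore.
write_sample_logs() {
    printf '%s\n' \
        '[20:19:41] Test AUTH-9262 started (constructed non-finding line)' \
        '[20:19:41] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]' \
        '[20:19:42] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]' \
        '[20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]' \
        '[20:20:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]' \
        > "$1/yesterday.log"
    printf '%s\n' \
        '[20:19:41] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]' \
        '[20:19:42] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]' \
        '[20:19:42] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]' \
        '[20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]' \
        '[20:20:04] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]' \
        '[20:20:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]' \
        > "$1/today.log"
}

# Demo run against the constructed logs.
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
echo "Warnings by impact (today):"
lynis_warning_counts "$demo_dir/today.log"
echo "Findings new since yesterday:"
lynis_new_findings "$demo_dir/yesterday.log" "$demo_dir/today.log"
rm -rf "$demo_dir"
```

Against real archives you would call `lynis_new_findings /var/log/lynis/<yesterday> /var/log/lynis/<today>` from a second daily job and mail or alert on non-empty output, which is what makes a regression such as a newly enabled root SSH login visible the day it appears. One caveat on the cron job itself: on Debian-based systems run-parts skips /etc/cron.daily entries whose file names contain a dot, so a name like `scan.sh` is never executed there and a dot-free name such as `lynis-scan` is needed for the archives to be produced at all.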


projects/security/lynis.txt · Last modified: 2017/06/27 15:41 by 127.0.0.1