Lynis (How to find vulnerabilities and harden a Linux system)

Introduction:

In the security industry, there is so much emphasis on Windows server and workstation security with thousands of security products dedicated to finding vulnerabilities and hardening servers. A few products that we have in the market are Nessus,  Nexpose, and OpenVAS, one may say they do support Linux and I agree entirely, but they are not that integrated for Linux systems.

To tackle that we have CISOFY’s Lynis project. It is an open-source security tool that performs system hardening and compliance testing on Linux, macOS, or Unix-based operating systems. As per their official website, the typical use case for the project is Security auditing, Compliance testing (eg. PCI, HIPAA, Sox), Penetration Testing, Vulnerability Detection, and System hardening

The workings of these tools are described as such, Lynis scans target system tools and their libraries installed on the system and its scanning method is described as modular and opportunistic. Some of the benefits described on the website are that there are no external dependencies required to run the scan and it also does not require installation.

 Let’s look at the working of the Lynis typical scan:

  1. Initialization
  2. Perform basic checks, such as file ownership
  3. Determine operating system and tools
  4. Search for available software components
  5. Check the latest Lynis version
  6. Run enabled plugins
  7. Run security tests per category
  8. Perform execution of your custom tests (optional)
  9. Report status of security scan

Installation:

Installation can be done by multiple methods but the recommended one is by using a git clone. Multiple methods for installation can be found in reference link 2. Now we should jump on the installation of Lynis:

  1. Go to /usr/local/ and do git clone

git clone https://github.com/CISOfy/lynis

  1. Change directory to lynis git folder
  1. To run a default scan run the following command

./lynis audit system

After running a default it will provide a very detailed result on warning and suggestions as follow:

Help Menu:

Some common parameters that are available are with Lynis are:

[ Lynis 3.0.8 ]

################################################################################

  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

  welcome to redistribute it under the terms of the GNU General Public License.

  See the LICENSE file for details about using this software.

  2007-2021, CISOfy – https://cisofy.com/lynis/

  Enterprise support available (compliance, plugins, interface and tools)

################################################################################

[+] Initializing program

————————————

  Usage: lynis command [options]

  Command:

    audit

        audit system                  : Perform local security scan

        audit system remote <host>    : Remote security scan

        audit dockerfile <file>       : Analyze Dockerfile

    show

        show                          : Show all commands

        show version                  : Show Lynis version

        show help                     : Show help

    update

        update info                   : Show update details

  Options:

    Alternative system audit modes

    –forensics                       : Perform forensics on a running or mounted system

    –pentest                         : Non-privileged, show points of interest for pentesting

    Layout options

    –no-colors                       : Don’t use colors in output

    –quiet (-q)                      : No output

    –reverse-colors                  : Optimize color display for light backgrounds

    –reverse-colours                 : Optimize colour display for light backgrounds

    Misc options

    –debug                           : Debug logging to screen

    –no-log                          : Don’t create a log file

    –profile <profile>               : Scan the system with the given profile file

    –view-manpage (–man)            : View man page

    –verbose                         : Show more details on screen

    –version (-V)                    : Display version number and quit

    –wait                            : Wait between a set of tests

    –slow-warning <seconds>  : Threshold for slow test warning in seconds (default 10)

    Enterprise options

    –plugindir <path>                : Define path of available plugins

    –upload                          : Upload data to central node

    More options available. Run ‘./lynis show options’, or use the man page.

References:

  1. https://cisofy.com/lynis/
  2. https://cisofy.com/documentation/lynis/get-started/
  3. https://github.com/CISOfy/lynis
  4. https://opensource.com/article/20/5/linux-security-lynis

Leave a Comment