Lynis - Security Tool for Auditing and Hardening Linux / Unix Systems

Every system administrator knows that security matters. Maintaining a server is not just a matter of keeping it up and running; it has to be secure as well. Security does not come by default: we need to tune our systems to fit our needs. Since security covers a wide area, it is easy to miss something. That is why a security tool that reminds system administrators what they should do to secure and harden their systems is useful.

What is Lynis

Lynis is a security tool for auditing and hardening Linux / Unix systems. It scans the system, runs a series of tests and gathers information about it. At the end, Lynis provides a report with suggestions and security-related warnings that help increase the security of the system. The tests are technical by nature, so Lynis is intended for system administrators, auditors and security professionals.

Lynis runs on many operating systems, such as:

  • AIX
  • Arch Linux
  • BackTrack Linux
  • CentOS
  • Debian, DragonFlyBSD
  • Fedora Core, FreeBSD
  • Gentoo
  • HPUX
  • Kali, Knoppix
  • Linux Mint
  • MacOS X, Mageia, Mandriva
  • NetBSD
  • OpenBSD, OpenSolaris, openSUSE, Oracle Linux
  • PcBSD, PCLinuxOS
  • Red Hat Enterprise Linux (RHEL) and derivatives
  • Sabayon, Scientific Linux, Slackware, Solaris 10, SuSE
  • TrueOS
  • Ubuntu and derivatives

Lynis can also audit software such as:

  • Database servers: MySQL, Oracle, PostgreSQL
  • Time daemons: dntpd, ntpd, timed
  • Web servers: Apache, Nginx

Installation

There are two ways to install Lynis, and both are equally easy.

Method 1 : Install from package

Lynis is available as a .deb and an .rpm package, so we can install it from your distribution's repository.

On Debian / Ubuntu and their derivatives:

$ sudo apt-get install lynis

On Red Hat / CentOS and Fedora:

$ sudo yum install lynis

Once Lynis is installed, you can run it by typing lynis in your console. Note that Lynis needs root privileges (or equivalent) to run.

Method 2 : Install from source

With this method, we download the source manually from the Lynis download page. At the time this article was written, the latest version of Lynis was 1.3.8.

Lynis does not actually need to be installed: you just download the source archive, extract it and run it. Here are the steps:

Download the source. You can use wget to download it.

$ wget http://cisofy.com/files/lynis-1.3.8.tar.gz

Because the download is served over plain HTTP, verify the archive against the checksum or signature published on the download page before running anything from it.

Extract it:

$ tar zxfv lynis-1.3.8.tar.gz

Go to the Lynis folder and run it:

$ cd lynis-1.3.8
# ./lynis

Note that Lynis needs root privileges (or equivalent) to run.

How to run Lynis

When running Lynis for the first time, it is recommended to use the -c parameter, which tells Lynis to perform all tests on the system. If you want to record the auditor's name, add the --auditor parameter. Here is some sample output:

# lynis -c --auditor "Pungki Arianto"

Figure 1. Initialize
Figure 2. System Tools
Figure 3. Boot & Services and Kernel
Figure 4. Users and Group
Figure 5. Shell and Storage
Figure 6. Software, Ports and Packages
Figure 7. Networking and Printer
Figure 8. Email, Firewalls and Web Server
Figure 9. SSH, SNMP and Databases
Figure 10. PHP, Squid Proxy and Logging
Figure 11. Inetd, Banner and Cron
Figure 12. Accounting, NTP and Cryptography
Figure 13. Virtualization, Security Frameworks and File Integrity
Figure 14. Malware Scanners, System Tool and Home Directory
Figure 15. Kernel Hardening
Figure 16. Hardening, Custom Tests and Result
Figure 17. Hardening Index

Run Lynis with Custom Tests

Your system may not need every test. If your server is not running a web server, there is no need to test for one. For this purpose we can use the --tests parameter. The syntax is:

# lynis --tests "Test-IDs"

For version 1.3.8 there are more than 100 tests available. Here is a partial list of Lynis Test-IDs:

FILE-7502 (Check all system binaries)

BOOT-5121 (Check for GRUB boot loader presence)
BOOT-5124 (Check for FreeBSD boot loader presence)
BOOT-5139 (Check for LILO boot loader presence)
BOOT-5142 (Check SPARC Improved boot loader (SILO))
BOOT-5155 (Check for YABOOT boot loader configuration file)
BOOT-5159 (Check for OpenBSD i386 boot loader presence)
BOOT-5165 (Check for FreeBSD boot services)
BOOT-5177 (Check for Linux boot and running services)
BOOT-5180 (Check for Linux boot services (Debian style))
BOOT-5184 (Check permissions for boot files/scripts)
BOOT-5202 (Check uptime of system)

KRNL-5622 (Determine Linux default run level)
KRNL-5677 (Check CPU options and support)
KRNL-5695 (Determine Linux kernel version and release number)
KRNL-5723 (Determining if Linux kernel is monolithic)
KRNL-5726 (Checking Linux loaded kernel modules)
KRNL-5728 (Checking Linux kernel config)
KRNL-5745 (Checking FreeBSD loaded kernel modules)
KRNL-5770 (Checking active kernel modules)
KRNL-5788 (Checking availability new kernel)
KRNL-5820 (Checking core dumps configuration)

Below is a sample command that runs the "Check uptime of system" and "Checking core dumps configuration" tests. To add more tests, add more Test-IDs separated by spaces.

# ./lynis --tests "BOOT-5202 KRNL-5820"

To find more Test-IDs, look inside /var/log/lynis.log. Here is a trick to do it.

1. First, run lynis with the -c (check-all) parameter.

# ./lynis -c -Q

2. Then look inside the /var/log/lynis.log file with grep. Say you want to search for Test-IDs related to the kernel; use the keyword KRNL to find them.

# grep KRNL /var/log/lynis.log

Below is the complete list of Test-ID prefixes available in Lynis.

BOOT
KRNL (kernel)
PROC (processor)
AUTH (authentication)
SHLL (shell)
FILE
STRG (storage)
NAME (dns)
PKGS (packaging)
NETW (network)
PRNT (printer)
MAIL
FIRE (firewall)
HTTP (webserver)
SSH
SNMP
DBS (database)
PHP
LDAP
SQD (squid proxy)
LOGG (logging)
INSE (insecure services - inetd)
SCHD (scheduling - cron job)
ACCT (accounting)
TIME (time protocol - NTP)
CRYP (cryptography)
VIRT (virtualization)
MACF (mandatory access control frameworks - AppArmor, SELinux)
MALW (malware)
HOME
HRDN (hardening)
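Rather than reading the grep output by hand, the Test-IDs can be pulled out of the log and assembled into the argument that --tests expects. The script below is an added example, not code from the article or from Lynis itself; it assumes lynis.log records each executed test as "Performing test ID <ID> (<description>)" on its own line, and it works on a small log constructed here for illustration instead of a real run.

```shell
#!/bin/sh
# Added example (not from the article): collect Lynis Test-IDs from lynis.log
# by prefix and turn them into a ready-made --tests argument.
#
# Assumption: lynis.log records each executed test as
#   [HH:MM:SS] Performing test ID <PREFIX>-<NNNN> (<description>)
# and notes skipped tests on a separate "Reason to skip" line.
# The sample log below is constructed for this example, not taken from a real run.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[04:57:01] Performing test ID KRNL-5622 (Determine Linux default run level)
[04:57:01] Result: found default run level '3'
[04:57:02] Performing test ID KRNL-5677 (Check CPU options and support)
[04:57:03] Performing test ID KRNL-5745 (Checking FreeBSD loaded kernel modules)
[04:57:04] Reason to skip: Test not in list of tests to perform
[04:57:04] Performing test ID BOOT-5202 (Check uptime of system)
[04:57:05] Performing test ID KRNL-5622 (Determine Linux default run level)
EOF

# lynis_test_ids LOGFILE PREFIX
# Prints each Test-ID with the given prefix once, sorted, one per line.
lynis_test_ids() {
    grep -o "Performing test ID ${2}-[0-9][0-9]*" "$1" \
        | sed 's/.*Performing test ID //' \
        | sort -u
}

# lynis_test_descriptions LOGFILE PREFIX
# Prints "ID (description)" for each distinct test, the way the article lists them.
lynis_test_descriptions() {
    sed -n "s/.*Performing test ID \(${2}-[0-9][0-9]*\) (\(.*\))\$/\1 (\2)/p" "$1" \
        | sort -u
}

# lynis_tests_arg LOGFILE PREFIX...
# Builds the space-separated list that "lynis --tests" expects from one or
# more prefixes, so the result can be passed straight to Lynis.
lynis_tests_arg() {
    log=$1
    shift
    for prefix in "$@"; do
        lynis_test_ids "$log" "$prefix"
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

lynis_test_descriptions "$SAMPLE_LOG" KRNL
echo "# ./lynis --tests \"$(lynis_tests_arg "$SAMPLE_LOG" BOOT KRNL)\""
```

Point it at the real /var/log/lynis.log after a -c run and the printed command is ready to paste; the repeated KRNL-5622 entry in the sample shows why the de-duplication matters when the log spans several runs.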

Run Lynis with categories

If entering a lot of Test-IDs is painful, you can use the --tests-category parameter. With this option, Lynis runs the Test-IDs that belong to a specific category. For example, to run the firewall and kernel tests:

# ./lynis --tests-category "firewalls kernel"

To see the full list of available categories, run:

# ./lynis --view-categories

Run Lynis as a Cronjob

Since security needs to be consistent, you can automate Lynis to run periodically. Say you want to run it every month to see whether there has been any improvement since the last Lynis run.

To do this, we can run Lynis as a cronjob. Here is a sample cronjob that runs it every month.

#!/bin/sh
# Monthly Lynis audit: keeps a dated copy of the report and of the report data.

AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

# Make sure the output directory exists and that Lynis is where we expect it.
mkdir -p "${LOG_DIR}" || exit 1
cd /usr/local/lynis || exit 1

# --cronjob runs Lynis non-interactively, suitable for unattended runs.
./lynis -c --auditor "${AUDITOR}" --cronjob > "${REPORT}"

# Lynis writes its machine-readable data here; keep a dated copy per run.
mv /var/log/lynis-report.dat "${DATA}"

# End

Save the script as /etc/cron.monthly/lynis and make it executable. The paths used above (/usr/local/lynis and /var/log/lynis) must match your installation, otherwise the script will not work properly.
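To see whether the system actually improved between two monthly runs, the dated report-data files the cronjob saves can be compared. The script below is an added example, not part of the article or of Lynis; it assumes lynis-report.dat is a key=value file with a hardening_index line and one warning[]= or suggestion[]= line per finding (Test-ID first, fields separated by |), and it runs against two small report files constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the article): compare two dated copies of
# lynis-report.dat, as saved by the cronjob above, to see whether the
# system improved between runs.
#
# Assumption: lynis-report.dat is a key=value file containing a line
#   hardening_index=<number>
# and one  warning[]=<TEST-ID>|<text>|...  or  suggestion[]=<TEST-ID>|<text>|...
# line per finding. Both sample files below are constructed for this example;
# the Test-IDs are ones named in the article, the texts are made up.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/old.dat" <<'EOF'
report_version_major=1
hardening_index=58
warning[]=BOOT-5184|Boot files and scripts have loose permissions|-|
warning[]=KRNL-5820|Core dumps are not restricted|-|
suggestion[]=KRNL-5788|A newer kernel is available|-|
suggestion[]=FILE-7502|Some expected system binaries are missing|-|
EOF

cat > "$WORK/new.dat" <<'EOF'
report_version_major=1
hardening_index=71
warning[]=BOOT-5184|Boot files and scripts have loose permissions|-|
suggestion[]=KRNL-5788|A newer kernel is available|-|
suggestion[]=KRNL-5728|Kernel configuration file not found|-|
EOF

# report_value FILE KEY: print the value of a plain key (e.g. hardening_index).
report_value() {
    sed -n "s/^${2}=//p" "$1" | head -n 1
}

# report_ids FILE KIND: Test-IDs of all warning[] or suggestion[] entries,
# one per line, sorted so they can be compared with comm(1).
report_ids() {
    sed -n "s/^${2}\[\]=\([^|]*\)|.*/\1/p" "$1" | sort -u
}

# report_count FILE KIND: number of distinct warning/suggestion Test-IDs.
report_count() {
    report_ids "$1" "$2" | wc -l | tr -d ' '
}

# finding_diff OLD NEW KIND FLAG: with FLAG=-23 prints Test-IDs resolved since
# OLD; with FLAG=-13 the ones that appeared in NEW (see comm(1)).
finding_diff() {
    report_ids "$1" "$3" > "$WORK/old.ids"
    report_ids "$2" "$3" > "$WORK/new.ids"
    comm "$4" "$WORK/old.ids" "$WORK/new.ids"
}

# index_delta OLD NEW: change in hardening index; positive means improvement.
index_delta() {
    echo $(( $(report_value "$2" hardening_index) - $(report_value "$1" hardening_index) ))
}

# compare_reports OLD NEW: human-readable summary, the kind of text to mail
# from the cronjob so regressions are noticed, not just the score.
compare_reports() {
    echo "Hardening index: $(report_value "$1" hardening_index) -> $(report_value "$2" hardening_index) (delta $(index_delta "$1" "$2"))"
    for kind in warning suggestion; do
        echo "${kind}s: $(report_count "$1" "$kind") -> $(report_count "$2" "$kind")"
        finding_diff "$1" "$2" "$kind" -23 | sed "s/^/  resolved ${kind}: /"
        finding_diff "$1" "$2" "$kind" -13 | sed "s/^/  new ${kind}: /"
    done
}

compare_reports "$WORK/old.dat" "$WORK/new.dat"
```

Listing new findings separately from resolved ones is the point: a rising hardening index can hide a new warning that a package update introduced, and the per-Test-ID diff makes that visible in the monthly summary.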

Check the latest version of Lynis

We can use the --check-update parameter to do this.

# lynis --check-update

If Lynis is outdated, it only tells us so; we have to download the update manually. Once the latest version is installed, the same command reports that Lynis is up to date.

Conclusion

Security needs to be consistent, and Lynis can remind us to stay consistent. Lynis scans your system and warns you about security weaknesses. Don't forget to keep Lynis at the latest version to get new updates and test routines. As usual, you can type man lynis or lynis --view-manpage to display the Lynis manual page and explore it in more detail. Or, if you are connected to the Internet, you can also visit the Lynis documentation page.

About Pungki Arianto

Pungki currently works as a Linux / Unix administrator for a banking company. He loves working with Linux / Unix because it is fun for him. He is also interested in information technology, information security and writing.


3 Comments

1. Hi
   I noticed the output had a mention of PCI comfortability. I can find no mention of it in the Doc.
   Can you please tell me how to use it.
   Regards
   Paul
   Great tool.

2. Hi, is there any current way you're aware of to summarize and correlate multiple Lynis reports into one report?

   Thanks

   Arsene