
Auditing tools are used to provide information about a system. These tools look at file systems, file permissions, running processes, configuration files, and more, to determine the security posture of the system. Auditing tools can help identify areas on the system where security can be improved and provide information on how to improve it.

Lynis is an open-source auditing tool for Unix-based operating systems such as Linux. It performs extensive health scans of systems that support system hardening and compliance testing. Lynis scans for general system information, vulnerable software packages, and configuration issues.

Lynis can detect vulnerabilities and configuration flaws. What differentiates Lynis from other auditing tools is that rather than just pointing out vulnerabilities, it aims for an in-depth audit and continuous improvement. This does mean that the audit has to be executed on the host system itself, but in return it can provide more detailed information than an average auditing tool.

While Lynis's main goals are automated security auditing, compliance testing, and vulnerability detection, it also assists with other tasks such as configuration and asset management, software patch management, system hardening, pentesting, and intrusion detection. Its main target audience is system administrators, auditors, security officers, pentesters, and security professionals: it helps with hardening for web application deployment, runs daily scans to discover new weaknesses, shows what can be done to improve security, and discovers security weaknesses that could be exploited.

This article will explain how Lynis can be installed and run to audit Linux systems and generate reports. It will also discuss other Lynis options available, including running custom tests and category tests.

Auditing

Steps

Lynis scans systems in a modular and opportunistic way, meaning that it will use and test the components it can find. The more it discovers, the more extensive the scan and audit is. Moreover, it does not require installation of other tools. An audit with Lynis goes through 9 steps:

1. Initialization
2. Performing basic checks
3. Determining the operating system and tools
4. Searching for available software components
5. Checking the latest Lynis version
6. Running enabled plugins, if there are any
7. Running security tests per category
8. Running your custom tests (optional)
9. Reporting the status of the security scan

Additionally, all information found in the scan is stored in a log file called lynis.log. There is also a separate file containing suggestions and warnings called lynis-report.dat.

Installation & Running

To start with Lynis the first step would be to install it. Start with:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F

Then run:

sudo apt install apt-transport-https

Followed by:

echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list

Followed by:

sudo apt update

And finally:

sudo apt install lynis

Once that is complete, run lynis show version to make sure it is installed and up to date. You can then run Lynis on the system. First run:

cd lynis

followed by:

./lynis

The second command will display a list of available options. To run an audit on the whole system, run:

lynis audit system

Once the audit starts, Lynis will ask the user to press Enter to continue or Ctrl+C to stop after each section that is audited.

Some of the other available options are:

lynis audit system remote <host>

for a remote security scan,

lynis audit dockerfile <file>

for analyzing a Dockerfile,

lynis --forensics

for performing forensics on either a running or mounted system,

lynis --pentest

for showing points of interest for pen testing, and more.

Furthermore, cron jobs can be set up to run daily scans on the system. To do that, open root's crontab with:

sudo crontab -e

and add the line:

30 22 * * * /path/to/lynis -c -Q --auditor "automated" --cronjob

This example will have the cron job running at 10:30pm daily and outputting results to the log file lynis.log. A user crontab edited with crontab -e has no user column; the extra "root" field belongs only in /etc/crontab or files under /etc/cron.d, where it would otherwise be read as the start of the command.


About the Reports

Once an audit is complete, there are multiple types of output that Lynis produces. The first is the result shown on screen: depending on the test, each line ends in OK or WARNING, FOUND or NOT FOUND, WEAK, NONE or DONE. The second is the log file. Information in this file includes the time of each action or event, why a test failed or was skipped, the output of internal tests, suggestions about configuration options, and the threat/impact score. Lynis also writes report files containing the information it gathered and other data points. The report file is used to compare past scans with the current scan; its contents consist of remarks, sections, and option/value pairs. Additionally, Debian plugins are run, and Lynis generates details on package installations as well as running Debian-specific tests for more information on the system installation. Furthermore, system boot and services are scanned, and Lynis shows whether there are issues present in the system.
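The report file is a plain key=value text file (by default /var/log/lynis-report.dat). List-valued keys such as warning[] and suggestion[] are written once per entry, and each entry is pipe-separated into test ID, message, details and solution. The following script is an added example, not part of this article and not Lynis's own code: it parses two reports and shows which warnings are new, which were resolved, and how the hardening index moved, which is the comparison of past and current scans that the daily cron job above makes possible. The two embedded reports are constructed samples modelled on that format; their test IDs and messages are illustrative, and the file paths in the usage note are assumptions.

```python
# Added example (not Lynis's own code): parse lynis-report.dat and
# compare two scans so that new and resolved warnings stand out.
from collections import defaultdict

# Constructed sample reports in the lynis-report.dat format. The test IDs,
# messages and hardening_index values are illustrative, not real scan output.
OLD_REPORT = """# Lynis Report (constructed sample, not real scan output)
report_version_major=1
report_version_minor=0
hostname=example-host
hardening_index=58
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
"""

NEW_REPORT = """# Lynis Report (constructed sample, not real scan output)
report_version_major=1
report_version_minor=0
hostname=example-host
hardening_index=64
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
warning[]=PKGS-7392|Found one or more vulnerable packages|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
"""


def parse_report(text):
    """Parse report text into a dict.

    Plain keys map to their (last) string value. Keys ending in '[]'
    collect every occurrence into a list under the key without '[]'.
    Blank lines and '#' comment lines are ignored.
    """
    lists = defaultdict(list)
    scalars = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            scalars[key] = value
    scalars.update(lists)
    return scalars


def findings(report, kind):
    """Return {test_id: message} for the 'warning' or 'suggestion' entries.

    Each entry is 'TEST-ID|message|details|solution|'; only the first two
    fields are kept here.
    """
    out = {}
    for entry in report.get(kind, []):
        fields = entry.split("|")
        out[fields[0]] = fields[1] if len(fields) > 1 else ""
    return out


def compare_reports(old_text, new_text):
    """Return (new_warnings, resolved_warnings, hardening_index_delta)."""
    old = parse_report(old_text)
    new = parse_report(new_text)
    old_w = findings(old, "warning")
    new_w = findings(new, "warning")
    added = {k: v for k, v in new_w.items() if k not in old_w}
    resolved = {k: v for k, v in old_w.items() if k not in new_w}
    delta = int(new.get("hardening_index", 0)) - int(old.get("hardening_index", 0))
    return added, resolved, delta


def summary_lines(old_text, new_text):
    """Human-readable summary of the comparison, one line per item."""
    added, resolved, delta = compare_reports(old_text, new_text)
    lines = ["hardening index change: %+d" % delta]
    lines += ["new warning: %s %s" % (k, v) for k, v in added.items()]
    lines += ["resolved warning: %s %s" % (k, v) for k, v in resolved.items()]
    return lines


if __name__ == "__main__":
    # Stand-alone run on the constructed samples. Against a real host you
    # would read two archived copies of /var/log/lynis-report.dat instead.
    for line in summary_lines(OLD_REPORT, NEW_REPORT):
        print(line)
```

To use this against real scans, copy /var/log/lynis-report.dat to a dated archive after each cron run (an assumed layout, not something Lynis does by itself) and pass the previous and current copies to compare_reports. Keying on the test ID rather than the full message keeps the comparison stable when a warning's details field changes between scans.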

There are many other test results that Lynis shows, such as printers and spools, a few options within software such as e-mail and messaging or firewalls, insecure services, SSH support, SNMP support, databases, LDAP services, kernel, memory and processes, kernel hardening, users, groups and authentication, shells, file systems, file permissions, and more. This shows how thorough Lynis auditing is.

Lynis color codes its results so that the screen output is easier to understand. Green means that something is either fine or disabled, yellow refers to skipped, not found, or a suggestion, and red means that it is unsafe or needs attention. This makes it simple to see what is not secure, what needs attention, and what is fine.

The Lynis reports are very comprehensive and are split into the sections mentioned above, along with the rest that are not mentioned. Each section has a + symbol that expands it so that you can look at the results and see what is green, what is yellow, and what is red.

Moreover, Lynis does not just tell users that something is wrong; it also gives suggestions on how to secure it. Additionally, Lynis has a show details command that can be used to give additional information on any of the suggestions.

Other Lynis Options

Custom Tests

Lynis also allows particular tests to be run. Start with running:

lynis show tests

This command lists all the tests, with the OS where each is available and a description. The test ID can then be used to show the details of that test:

lynis show details <test ID>

Then, users can run:

./lynis update info

to see update information for Lynis. More test IDs can also be found in the log file, /var/log/lynis.log. If users still cannot find the desired test ID, they can run either:

grep KRNL /var/log/lynis.log

or

./lynis -c -Q

Particular tests, such as checking the uptime of the system, can be run by test ID with:

./lynis --tests "<test ID> <test ID>"

Users can also pass more than two test IDs.

Lynis with Categories

If users do not want to use test IDs, they can run all the tests in a category, such as firewalls, by running:

./lynis --tests-from-category "firewalls"

Our Thoughts on Lynis

It is important to always keep your system secure and up to date. As mentioned above, auditing tools are a great way to know whether a system is healthy or not, and Lynis is one of the best auditing tools available. It offers comprehensive and thorough auditing, with suggestions on how to improve as well. The reports are very detailed and cover everything in the system, making it easier to know where the system stands in terms of health and how to improve the necessary categories.

Lynis is also easy to install, and even the very detailed reports are easy to understand thanks to the color coding and the other options that Lynis offers. Lynis can even be run with plugins, making it somewhat customizable. Moreover, it is easy to set up cron jobs to automatically scan the system daily, keeping users up to date on any vulnerabilities or security flaws.

Do you use an auditing tool to maintain the health of your systems? If not, try out Lynis! We’d love to hear your thoughts in the Comments below.