Lynis: A Security Auditing Tool For Linux

Reading Time: 20 minutes

What is Lynis?

Lynis is a well-known, seasoned security tool for Linux-based systems (including macOS and other Unix-based operating systems). It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open-source software under the GPL license and has been available since 2007.

What is Lynis used for?

  • Security vetting
  • Compliance evaluation (e.g. HIPAA, PCI, SOx)
  • Penetration evaluation
  • Vulnerability diagnostics
  • System integrity

Who uses Lynis?

  • Auditors
  • Sysadmins
  • Developers
  • Pen Testers

Lynis Installation

Install Options

Operating Systems

CentOS/RedHat/Fedora

Prerequisites: Ensure that cURL, NSS, OpenSSL, and CA certificates are up-to-date.

root@host:~# yum update ca-certificates curl nss openssl

Next, we create the /etc/yum.repos.d/cisofy-lynis.repo file with the following contents.

[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2

Now, we can install lynis.

root@host:~# yum makecache fast && yum install lynis

To start Lynis, use the command below.

root@host:~# lynis audit system

Debian/Ubuntu

On an Ubuntu or Debian server, we start by downloading the key from a central keyserver.

root@host:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
Executing: /tmp/apt-key-gpghome.NZrCKJSpNR/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
gpg: key 366C67DE91CA5D5F: 2 signatures not checked due to missing keys
gpg: key 366C67DE91CA5D5F: public key "CISOfy Software (signed software packages) <software@cisofy.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
root@host:~# 

We can also manually import the key.

root@host:~# wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -
root@host:~# sudo apt install apt-transport-https
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1692 B of archives.
After this operation, 153 kB of additional disk space will be used.

Get:1 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 apt-transport-https all 1.6.12 [1692 B]
Fetched 1692 B in 0s (9909 B/s)
Selecting previously unselected package apt-transport-https.
(Reading database ... 102038 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_1.6.12_all.deb ...
Unpacking apt-transport-https (1.6.12) ...
Setting up apt-transport-https (1.6.12) ...
root@host:~# 

Next, we want to make sure Apt's "HTTPS Secure Transport" module is installed, because this repo serves its packages over HTTPS. To install the APT 'https' method if it is not already on your system, run the following command.

root@host:~# sudo apt install apt-transport-https
Reading package lists... Done
Building dependency tree       
Reading state information... Done
apt-transport-https is already the newest version (1.6.12).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@host:~#

Then, we can add the repo.

echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
deb https://packages.cisofy.com/community/lynis/deb/ stable main
root@host:~# 

Now, run an update and install Lynis.

root@host:~# apt update && apt install lynis

Let’s check the version.

root@host:~# lynis show version
2.7.5
root@host:~# 

To start Lynis, we run this command.

root@host:~# lynis audit system

Initial Run

Basic CentOS Server Audit

Listed below are all of the sections that are scanned by the base Lynis software on a new CentOS 7 server install (minus the paid compliance, plugins, interface, and other tool options).

root@host:~# lynis audit system
[ Lynis 2.7.5 ]
#####################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2019, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
#####################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                 [ DONE ]
  - Checking profiles...                            [ DONE ]
  ---------------------------------------------------
  Program version:           2.7.5
  Operating system:          Linux
  Operating system name:     Ubuntu Linux
  Operating system version:  18.04
  Kernel version:            4.15.0
  Hardware platform:         x86_64
  Hostname:                  host
  ---------------------------------------------------
  Profiles:                  /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /usr/share/lynis/plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Language:                  en
  Test category:             all
  Test group:                all
  ---------------------------------------------------
  - Program update status...                        [ NO UPDATE ]
=====================================================================
        Lynis update available
=====================================================================
        Current version is more than 4 months old
        Current version : 275   Latest version : 275
        Please update to the latest version.
        New releases include additional features, bug fixes, tests, and baselines.

        Download the latest version:
        Packages (DEB/RPM) -  https://packages.cisofy.com
        Website (TAR)      -  https://cisofy.com/downloads/
        GitHub (source)    -  https://github.com/CISOfy/lynis
=====================================================================

System Tools

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
 Note: plugins have more extensive tests and may take several minutes to complete
  
  - Plugins enabled                                 [ NONE ]

Boot and Services Options

[+] Boot and services
------------------------------------
  - Service Manager                                 [ systemd ]
  - Checking UEFI boot                              [ DISABLED ]
  - Checking presence GRUB                          [ OK ]
  - Checking presence GRUB2                         [ FOUND ]
  - Checking for password protection                [ NONE ]
  - Check running services (systemctl)              [ DONE ]
    Result: found 24 running services
  - Check enabled services at boot (systemctl)      [ DONE ]
    Result: found 43 enabled services
  - Check startup files (permissions)               [ OK ]

Kernel Check

[+] Kernel
------------------------------------
  - Checking default run level                      [ RUNLEVEL 5 ]
  - Checking CPU support (NX/PAE)
    CPU support: PAE and/or NoeXecute supported     [ FOUND ]
  - Checking kernel version and release             [ DONE ]
  - Checking kernel type                            [ DONE ]
  - Checking loaded kernel modules                  [ DONE ]
      Found 62 active modules   
  - Checking Linux kernel configuration file        [ FOUND ]
  - Checking default I/O kernel scheduler           [ FOUND ]
  - Checking for available kernel update            [ OK ]
  - Checking core dumps configuration               [ DISABLED ]
    - Checking setuid core dumps configuration      [ PROTECTED ]
  - Check if reboot is needed                       [ NO ]

Memory/Processes Check

[+] Memory and Processes
------------------------------------
  - Checking /proc/meminfo                          [ FOUND ]
  - Searching for dead/zombie processes             [ OK ]
  - Searching for IO waiting processes              [ OK ]

Users, Groups, and Authentication Review

[+] Users, Groups and Authentication
------------------------------------
  - Administrator accounts                          [ OK ]
  - Unique UIDs                                     [ OK ]
  - Consistency of group files (grpck)              [ OK ]
  - Unique group IDs                                [ OK ]
  - Unique group names                              [ OK ]
  - Password file consistency                       [ OK ]
  - Query system users (non daemons)                [ DONE ]
  - NIS+ authentication support                     [ NOT ENABLED ]
  - NIS authentication support                      [ NOT ENABLED ]
  - sudoers file                                    [ FOUND ]
    - Permissions for directory: /etc/sudoers.d     [ WARNING ]
    - Permissions for: /etc/sudoers                 [ OK ]
    - Permissions for: /etc/sudoers.d/README        [ OK ]
  - PAM password strength tools                     [ SUGGESTION ]
  - PAM configuration files (pam.conf)              [ FOUND ]
  - PAM configuration files (pam.d)                 [ FOUND ]
  - PAM modules                                     [ FOUND ]
  - LDAP module in PAM                              [ NOT FOUND ]
  - Accounts without expire date                    [ OK ]
  - Accounts without password                       [ OK ]
  - Checking user password aging (minimum)          [ DISABLED ]
  - User password aging (maximum)                   [ DISABLED ]
  - Checking expired passwords                      [ OK ]
  - Checking Linux single user mode authentication  [ OK ]
  - Determining default umask
    - umask (/etc/profile)                          [ NOT FOUND ]
    - umask (/etc/login.defs)                       [ SUGGESTION ]
  - LDAP authentication support                     [ NOT ENABLED ]
  - Logging failed login attempts                   [ ENABLED ]

Shell Evaluation

[+] Shells
------------------------------------
  - Checking shells from /etc/shells
    Result: found 6 shells (valid shells: 6).
    - Session timeout settings/tools                [ NONE ]
  - Checking default umask values
    - Checking default umask in /etc/bash.bashrc    [ NONE ]
    - Checking default umask in /etc/profile        [ NONE ]

File System Analysis

[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point                    [ SUGGESTION ]
    - Checking /tmp mount point                     [ SUGGESTION ]
    - Checking /var mount point                     [ SUGGESTION ]
  - Query swap partitions (fstab)                   [ OK ]
  - Testing swap partitions                         [ OK ]
  - Testing /proc mount (hidepid)                   [ SUGGESTION ]
  - Checking for old files in /tmp                  [ OK ]
  - Checking /tmp sticky bit                        [ OK ]
  - Checking /var/tmp sticky bit                    [ OK ]
  - ACL support root file system                    [ ENABLED ]
  - Mount options of /                              [ NON DEFAULT ]
  - Checking Locate database                        [ FOUND ]
  - Disable kernel support of some filesystems
    - Discovered kernel modules: udf 

USB

[+] USB Devices
------------------------------------
  - Checking usb-storage driver (modprobe config)   [ NOT DISABLED ]
  - Checking USB devices authorization              [ ENABLED ]
  - Checking USBGuard                               [ NOT FOUND ]

Storage Options

[+] Storage
------------------------------------
  - Checking firewire ohci driver (modprobe config) [ DISABLED ]

NFS

[+] NFS
------------------------------------
  - Check running NFS daemon                        [ NOT FOUND ]

DNS Review

[+] Name services
------------------------------------
  - Checking /etc/resolv.conf options               [ FOUND ]
  - Searching DNS domain name                       [ FOUND ]
      Domain name: lwkb.com
  - Checking /etc/hosts
    - Checking /etc/hosts (duplicates)              [ OK ]
    - Checking /etc/hosts (hostname)                [ OK ]
    - Checking /etc/hosts (localhost)               [ OK ]
    - Checking /etc/hosts (localhost to IP)         [ OK ]

Ports and Package Managers

[+] Ports and packages
------------------------------------
  - Searching package managers
    - Searching dpkg package manager                [ FOUND ]
      - Querying package manager
    - Query unpurged packages                       [ NONE ]
  - Checking security repository in sources.list file [ OK ]
  - Checking APT package database                   [ OK ]
  - Checking vulnerable packages                    [ OK ]
  - Checking upgradeable packages                   [ SKIPPED ]
  - Checking package audit tool                     [ INSTALLED ]
    Found: apt-check
 - Toolkit for automatic upgrades (unattended-upgrade)[ FOUND ] 

Networking

[+] Networking
------------------------------------
  - Checking IPv6 configuration                     [ ENABLED ]
      Configuration method                          [ AUTO ]
      IPv6 only                                     [ NO ]
  - Checking configured nameservers
    - Testing nameservers
        Nameserver: 127.0.0.53                      [ OK ]
  - Checking default gateway                        [ DONE ]
  - Getting listening ports (TCP/UDP)               [ DONE ]
  - Checking promiscuous interfaces                 [ OK ]
  - Checking waiting connections                    [ OK ]
  - Checking status DHCP client                     [ NOT ACTIVE ]
  - Checking for ARP monitoring software            [ NOT FOUND ]

Printers

[+] Printers and Spools
------------------------------------
  - Checking cups daemon                            [ NOT FOUND ]
  - Checking lp daemon                              [ NOT RUNNING ]

Email Software

[+] Software: e-mail and messaging
------------------------------------

Firewall Info

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                 [ FOUND ]
    - Checking iptables policies of chains          [ FOUND ]
    - Checking for empty ruleset                    [ WARNING ]
    - Checking for unused rules                     [ OK ]
  - Checking host based firewall                    [ ACTIVE ]

Webserver Software

[+] Software: webserver
------------------------------------
  - Checking Apache (binary /usr/sbin/apache2)      [ FOUND ]
      Info: Configuration file found (/etc/apache2/apache2.conf)
      Info: No virtual hosts found
    * Loadable modules                              [ FOUND (114) ]
        - Found 114 loadable modules
          mod_evasive: anti-DoS/brute force         [ NOT FOUND ]
          mod_reqtimeout/mod_qos                    [ FOUND ]
          ModSecurity: web application firewall     [ NOT FOUND ]
  - Checking nginx                                  [ NOT FOUND ]

SSH Inspection

[+] SSH Support
------------------------------------
  - Checking running SSH daemon                     [ FOUND ]
    - Searching SSH configuration                   [ FOUND ]
    - SSH option: AllowTcpForwarding                [ SUGGESTION ]
    - SSH option: ClientAliveCountMax               [ SUGGESTION ]
    - SSH option: ClientAliveInterval               [ OK ]
    - SSH option: Compression                       [ SUGGESTION ]
    - SSH option: FingerprintHash                   [ OK ]
    - SSH option: GatewayPorts                      [ OK ]
    - SSH option: IgnoreRhosts                      [ OK ]
    - SSH option: LoginGraceTime                    [ OK ]
    - SSH option: LogLevel                          [ SUGGESTION ]
    - SSH option: MaxAuthTries                      [ SUGGESTION ]
    - SSH option: MaxSessions                       [ SUGGESTION ]
    - SSH option: PermitRootLogin                   [ SUGGESTION ]
    - SSH option: PermitUserEnvironment             [ OK ]
    - SSH option: PermitTunnel                      [ OK ]
    - SSH option: Port                              [ SUGGESTION ]
    - SSH option: PrintLastLog                      [ OK ]
    - SSH option: StrictModes                       [ OK ]
    - SSH option: TCPKeepAlive                      [ SUGGESTION ]
    - SSH option: UseDNS                            [ OK ]
    - SSH option: VerifyReverseMapping              [ NOT FOUND ]
    - SSH option: X11Forwarding                     [ SUGGESTION ]
    - SSH option: AllowAgentForwarding              [ SUGGESTION ]
    - SSH option: AllowUsers                        [ NOT FOUND ]
    - SSH option: AllowGroups                       [ NOT FOUND ]

SNMP Check

[+] SNMP Support
------------------------------------
  - Checking running SNMP daemon                    [ NOT FOUND ]

Database Info

[+] Databases
------------------------------------
  - MySQL process status                            [ FOUND ]

LDAP Check

[+] LDAP Services
------------------------------------
  - Checking OpenLDAP instance                      [ NOT FOUND ]

PHP Review

[+] PHP
------------------------------------
  - Checking PHP                                    [ FOUND ]
    - Checking PHP disabled functions               [ FOUND ]
    - Checking expose_php option                    [ ON ]
    - Checking enable_dl option                     [ OFF ]
    - Checking allow_url_fopen option               [ ON ]
    - Checking allow_url_include option             [ OFF ]

Squid

[+] Squid Support
------------------------------------
  - Checking running Squid daemon                   [ NOT FOUND ]

Log Information


[+] Logging and files
------------------------------------
  - Checking for a running log daemon               [ OK ]
    - Checking Syslog-NG status                     [ NOT FOUND ]
    - Checking systemd journal status               [ FOUND ]
    - Checking Metalog status                       [ NOT FOUND ]
    - Checking RSyslog status                       [ FOUND ]
    - Checking RFC 3195 daemon status               [ NOT FOUND ]
    - Checking minilogd instances                   [ NOT FOUND ]
  - Checking logrotate presence                     [ OK ]
  - Checking log directories (static list)          [ DONE ]
  - Checking open log files                         [ DONE ]
  - Checking deleted files in use                   [ FILES FOUND ]

Insecure Services

[+] Insecure services
------------------------------------
  - Installed inetd package                         [ NOT FOUND ]
  - Installed xinetd package                        [ OK ]
    - xinetd status                                 [ NOT ACTIVE ]
  - Installed rsh client package                    [ OK ]
  - Installed rsh server package                    [ OK ]
  - Installed telnet client package                 [ OK ]
  - Installed telnet server package                 [ NOT FOUND ]

Banners

------------------------------------
  - /etc/issue                                      [ FOUND ]
    - /etc/issue contents                           [ WEAK ]
  - /etc/issue.net                                  [ FOUND ]
    - /etc/issue.net contents                       [ WEAK ]

Tasks

[+] Scheduled tasks
------------------------------------
  - Checking crontab and cronjob files              [ DONE ]
  - Checking atd status                             [ RUNNING ]
    - Checking at users                             [ DONE ]
    - Checking at jobs                              [ NONE ]

Auditing

[+] Accounting
------------------------------------
  - Checking accounting information                 [ NOT FOUND ]
  - Checking sysstat accounting data                [ NOT FOUND ]
  - Checking auditd                                 [ NOT FOUND ]

NTP

[+] Time and Synchronization
------------------------------------
  - NTP daemon found: systemd (timesyncd)           [ FOUND ]
  - Checking for a running NTP daemon or client     [ OK ]

Cryptography


[+] Cryptography
------------------------------------
  - Checking for expired SSL certificates [0/2]     [ NONE ]

Virtualization


[+] Virtualization
------------------------------------

Containers


[+] Containers
------------------------------------

Security frameworks

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                      [ FOUND ]
    - Checking AppArmor status                      [ ENABLED ]
  - Checking presence SELinux                       [ NOT FOUND ]
  - Checking presence TOMOYO Linux                  [ NOT FOUND ]
  - Checking presence grsecurity                    [ NOT FOUND ]
  - Checking for implemented MAC framework          [ OK ]

Software: File Integrity


[+] Software: file integrity
------------------------------------
  - Checking file integrity tools
  - Checking presence integrity tool                [ NOT FOUND ]

Software: System Tooling

[+] Software: System tooling
------------------------------------
  - Checking automation tooling
  - Automation tooling                              [ NOT FOUND ]
  - Checking for IDS/IPS tooling                    [ NONE ]

Software: Malware

[+] Software: Malware
------------------------------------

File Permissions

[+] File Permissions
------------------------------------
  - Starting file permissions check
    /root/.ssh                                      [ WARNING ]

Home Directories

[+] Home directories
------------------------------------
  - Checking shell history files                    [ OK ]

Kernel Hardening

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - fs.protected_hardlinks (exp: 1)               [ OK ]
    - fs.protected_symlinks (exp: 1)                [ OK ]
    - fs.suid_dumpable (exp: 0)                     [ DIFFERENT ]
    - kernel.core_uses_pid (exp: 1)                 [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0)                  [ OK ]
    - kernel.dmesg_restrict (exp: 1)                [ DIFFERENT ]
    - kernel.kptr_restrict (exp: 2)                 [ DIFFERENT ]
    - kernel.randomize_va_space (exp: 2)            [ OK ]
    - kernel.sysrq (exp: 0)                         [ DIFFERENT ]
    - kernel.yama.ptrace_scope (exp: 1 2 3)         [ OK ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)   [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)[ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)        [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)         [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1)       [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)      [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)          [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)          [ OK ]
    - net.ipv4.conf.all.send_redirects (exp: 0)     [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects        [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route     [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1)   [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses    [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)              [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0 1)            [ OK ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)   [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)[ OK ]
    - net.ipv6.conf.default.accept_redirects        [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route     [ OK ]
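
The sysctl comparison above is worth being able to re-run between audits and turn into a fix. The following Python is an added example, not Lynis's own code: EXPECTED holds the "(exp: ...)" values printed in the output above (keys whose expected value is cut off in the output are left out rather than guessed), SAMPLE_RUNNING is a constructed set of running values, and the result is rendered as a sysctl.d drop-in for the keys that differ.

```python
"""Re-check the sysctl keys Lynis compares in KRNL-6000 and render a sysctl.d drop-in for the
ones that differ. Added example, not Lynis code: EXPECTED holds the "(exp: ...)" values printed
in the Kernel Hardening output above, and SAMPLE_RUNNING is a constructed set of running values."""
from pathlib import Path

# key -> acceptable values; keys whose expected value was cut off in the output are left out
EXPECTED = {
    "fs.protected_hardlinks": {"1"},
    "fs.protected_symlinks": {"1"},
    "fs.suid_dumpable": {"0"},
    "kernel.core_uses_pid": {"1"},
    "kernel.ctrl-alt-del": {"0"},
    "kernel.dmesg_restrict": {"1"},
    "kernel.kptr_restrict": {"2"},
    "kernel.randomize_va_space": {"2"},
    "kernel.sysrq": {"0"},
    "kernel.yama.ptrace_scope": {"1", "2", "3"},
    "net.ipv4.conf.all.accept_redirects": {"0"},
    "net.ipv4.conf.all.accept_source_route": {"0"},
    "net.ipv4.conf.all.bootp_relay": {"0"},
    "net.ipv4.conf.all.forwarding": {"0"},
    "net.ipv4.conf.all.log_martians": {"1"},
    "net.ipv4.conf.all.mc_forwarding": {"0"},
    "net.ipv4.conf.all.proxy_arp": {"0"},
    "net.ipv4.conf.all.rp_filter": {"1"},
    "net.ipv4.conf.all.send_redirects": {"0"},
    "net.ipv4.conf.default.log_martians": {"1"},
    "net.ipv4.icmp_echo_ignore_broadcasts": {"1"},
    "net.ipv4.tcp_syncookies": {"1"},
    "net.ipv4.tcp_timestamps": {"0", "1"},
    "net.ipv6.conf.all.accept_redirects": {"0"},
    "net.ipv6.conf.all.accept_source_route": {"0"},
}
# constructed running values: start fully compliant, then give the keys the audit above reported
# as DIFFERENT a non-compliant value, and drop one key so NOT FOUND is exercised too
SAMPLE_RUNNING = {key: sorted(allowed)[0] for key, allowed in EXPECTED.items()}
SAMPLE_RUNNING.update({
    "fs.suid_dumpable": "2", "kernel.core_uses_pid": "0", "kernel.dmesg_restrict": "0",
    "kernel.kptr_restrict": "1", "kernel.sysrq": "176", "net.ipv4.conf.all.accept_redirects": "1",
    "net.ipv4.conf.all.log_martians": "0", "net.ipv4.conf.all.send_redirects": "1",
    "net.ipv4.conf.default.log_martians": "0", "net.ipv6.conf.all.accept_redirects": "1",
})
del SAMPLE_RUNNING["net.ipv4.conf.all.bootp_relay"]

def read_running_sysctl(keys, proc_root="/proc/sys"):
    """Read each key from /proc/sys (kernel.sysrq -> /proc/sys/kernel/sysrq); unreadable keys map to None."""
    values = {}
    for key in keys:
        try:
            values[key] = Path(proc_root, *key.split(".")).read_text().strip()
        except OSError:
            values[key] = None
    return values

def compare(expected, running):
    """Return {key: (status, running_value)} using Lynis's own OK / DIFFERENT / NOT FOUND wording;
    a multi-valued expectation such as "1 2 3" accepts any of the listed values."""
    result = {}
    for key, allowed in expected.items():
        value = running.get(key)
        if value is None:
            result[key] = ("NOT FOUND", None)
        else:
            result[key] = ("OK" if value in allowed else "DIFFERENT", value)
    return result

def sysctl_dropin(comparison, expected):
    """Render a sysctl.d fragment setting every DIFFERENT key to its first acceptable value (sorted).
    Comments go on their own lines: sysctl.conf has no inline comment syntax."""
    lines = ["# generated from Lynis KRNL-6000 differences; review before installing"]
    for key, (status, value) in sorted(comparison.items()):
        if status == "DIFFERENT":
            lines.append(f"# expected {' or '.join(sorted(expected[key]))}, running value was {value}")
            lines.append(f"{key} = {sorted(expected[key])[0]}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # on a real host: compare(EXPECTED, read_running_sysctl(EXPECTED))
    result = compare(EXPECTED, SAMPLE_RUNNING)
    for key, (status, value) in sorted(result.items()):
        print(f"{key:<45} {status:<10} {value}")
    print(sysctl_dropin(result, EXPECTED))
```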

Hardening

[+] Hardening
------------------------------------
    - Installed compiler(s)                         [ NOT FOUND ]
    - Installed malware scanner                     [ NOT FOUND ]

Custom Tests

[+] Custom Tests
------------------------------------
  - Running custom tests...                         [ NONE ]

Plugins

[+] Plugins (phase 2)
------------------------------------

Results

=====================================================================
  -[ Lynis 2.7.5 Results ]-
=====================================================================

 Warnings (2):

  ----------------------------
  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
      https://cisofy.com/lynis/controls/FIRE-4512/

  ! Incorrect permissions for file /root/.ssh [FILE-7524] 
      https://cisofy.com/lynis/controls/FILE-7524/

  Suggestions (38):

  ----------------------------
  * This release is more than 4 months old. Consider upgrading [LYNIS]
      https://cisofy.com/lynis/controls/LYNIS/

  * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
      https://cisofy.com/lynis/controls/BOOT-5122/

  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]
      https://cisofy.com/lynis/controls/AUTH-9262/

  * Configure minimum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286]
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
      https://cisofy.com/lynis/controls/AUTH-9328/

  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /tmp file system, place /tmp on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
      https://cisofy.com/lynis/controls/FILE-6310/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
      https://cisofy.com/lynis/controls/STRG-1840/

  * Install debsums utility for the verification of packages with known good database. [PKGS-7370]
      https://cisofy.com/lynis/controls/PKGS-7370/

  * Install package apt-show-versions for patch management purposes [PKGS-7394]
      https://cisofy.com/lynis/controls/PKGS-7394/

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
      https://cisofy.com/lynis/controls/NETW-3032/

  * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
      https://cisofy.com/lynis/controls/HTTP-6640/

  * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
      https://cisofy.com/lynis/controls/HTTP-6643/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowTcpForwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : ClientAliveCountMax (3 --> 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : LogLevel (INFO --> VERBOSE)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxAuthTries (6 --> 3)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxSessions (10 --> 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : PermitRootLogin (YES --> (NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Port (22 --> )
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : TCPKeepAlive (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : X11Forwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowAgentForwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Turn off PHP information exposure [PHP-2372]
    - Details  : expose_php = Off
      https://cisofy.com/lynis/controls/PHP-2372/

  * Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376]
      https://cisofy.com/lynis/controls/PHP-2376/

  * Check what deleted files are still in use and why. [LOGG-2190]
      https://cisofy.com/lynis/controls/LOGG-2190/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
      https://cisofy.com/lynis/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
      https://cisofy.com/lynis/controls/BANN-7130/

  * Enable process accounting [ACCT-9622]
      https://cisofy.com/lynis/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626]
      https://cisofy.com/lynis/controls/ACCT-9626/

  * Enable auditd to collect audit information [ACCT-9628]
      https://cisofy.com/lynis/controls/ACCT-9628/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
      https://cisofy.com/lynis/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002]
      https://cisofy.com/lynis/controls/TOOL-5002/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
      https://cisofy.com/lynis/controls/KRNL-6000/

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      https://cisofy.com/lynis/controls/HRDN-7230/

  Follow-up:

  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)
=====================================================================

  Lynis security scan details:

  Hardening index : 66 [#############       ]
  Tests performed : 233
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

=====================================================================

  Lynis 2.7.5

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2019, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

=====================================================================

  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)

root@host:~# 

As you can see, the output of these reports takes the form of keywords like:

  • [ NONE ] [ WEAK ] [ OK ] [ PROTECTED ]
  • [ NON DEFAULT ] [ DIFFERENT ] [ SUGGESTION ] [ WARNING ]
  • [ NOT ACTIVE ] [ ACTIVE ] [ RUNNING ]
  • [ NOT FOUND ] [ INSTALLED ] [ FOUND ]
  • [ DISABLED ] [ ENABLED ] [ NOT DISABLED ]
  • [ SKIPPED ] [ RUNLEVEL X ] [ DONE ]

This allows you to better define and act on the provided suggestions.

Command Examples

Here are a few command examples you can use right away to start getting the info you need quickly.

root@host:~# lynis --warnings-only
    - Permissions for directory: /etc/sudoers.d     [ WARNING ]
    - Checking for empty ruleset                    [ WARNING ]
    /root/.ssh                                      [ WARNING ]

This command lists all of the tests that Lynis runs.

lynis show tests

To show the details of a specific test run this command.

lynis show details TEST-ID

root@host:~# lynis show commands

Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only
root@host:~# lynis show logfile
/var/log/lynis.log
root@host:~#
root@host:~# lynis show report
/var/log/lynis-report.dat
root@host:~#

You can enhance Lynis audits by adding your settings to custom.prf
(see /etc/lynis/default.prf for all settings or run the following command).

lynis show settings
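
Both `lynis show report` and the follow-up hints in the results point at /var/log/lynis-report.dat, which is easier to act on programmatically than the screen output. The following Python is an added example, not part of Lynis or this article: it assumes the report's key=value layout with each finding stored as a `warning[]=TEST-ID|text|details|solution|` or `suggestion[]=...` line, applies the skip-test entries of a custom.prf (the `skip-test=KRNL-6000:<sysctl-key>` syntax quoted in the suggestions above), collapses the repeated SSH-7408 suggestions into one list of sshd_config changes, and fails when the hardening index or the warning count misses a threshold. The sample report and profile are constructed from the findings shown in the audit output above.

```python
"""Turn /var/log/lynis-report.dat into an actionable summary. Added example, not Lynis code.
It assumes the report's key=value layout, with each finding recorded on one line as
    warning[]=TEST-ID|text|details|solution|    or    suggestion[]=TEST-ID|text|details|solution|
The sample report and custom.prf fragment below are constructed from the audit output above."""
import re
from collections import Counter, namedtuple

SAMPLE_REPORT = """\
# constructed sample in lynis-report.dat layout
hardening_index=66
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
warning[]=FILE-7524|Incorrect permissions for file /root/.ssh|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 3)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> (NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (22 --> )|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked|-|Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)|
suggestion[]=PHP-2372|Turn off PHP information exposure|expose_php = Off|-|
"""
# constructed custom.prf fragment using the skip-test syntax quoted in the suggestions above
SAMPLE_PROFILE = """\
skip-test=PHP-2372
skip-test=KRNL-6000:kernel.sysrq
"""
SSH_DETAIL = re.compile(r"^(?P<option>\w+) \((?P<current>.*?) --> (?P<target>.*)\)$")
Finding = namedtuple("Finding", "level test_id text details solution")

def parse_report(report_text):
    """Return (scalars, findings); scalars hold plain entries such as hardening_index."""
    scalars, findings = {}, []
    for line in report_text.splitlines():
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key not in ("warning[]", "suggestion[]"):
            scalars[key] = value
            continue
        # details may itself contain '|' (see PermitRootLogin above): take the fixed fields
        # from both ends and re-join whatever is left in the middle; pad short records with "-"
        parts = value.rstrip("|").split("|")
        parts += ["-"] * (4 - len(parts))
        findings.append(Finding(key[:-2], parts[0], parts[1], "|".join(parts[2:-1]), parts[-1]))
    return scalars, findings

def parse_skips(profile_text):
    """Map test id -> None (skip the whole test) or the set of qualifiers from id:qualifier lines."""
    skips = {}
    for line in profile_text.splitlines():
        line = line.strip()
        if not line.startswith("skip-test="):
            continue
        test_id, _, qualifier = line[len("skip-test="):].partition(":")
        if not qualifier:
            skips[test_id] = None
        elif skips.get(test_id, set()) is not None:   # a bare skip already covers every qualifier
            skips.setdefault(test_id, set()).add(qualifier)
    return skips

def apply_skips(findings, skips):
    """Lynis honours skip-test while testing; this mirrors it after the fact: a bare id drops
    every finding of that test, id:qualifier only the findings whose details mention it."""
    kept = []
    for f in findings:
        if f.test_id in skips:
            quals = skips[f.test_id]
            if quals is None or any(q in f.details for q in quals):
                continue
        kept.append(f)
    return kept

def sshd_changes(findings):
    """Collapse the repeated SSH-7408 suggestions into {option: (current, recommended)}."""
    changes = {}
    for f in findings:
        m = SSH_DETAIL.match(f.details) if f.test_id == "SSH-7408" else None
        if m:
            changes[m["option"]] = (m["current"], m["target"])   # empty target: any non-default
    return changes

def summarize(report_text, profile_text="", min_index=70, max_warnings=0):
    """Build the summary and decide pass/fail the way a CI job or compliance check would."""
    scalars, findings = parse_report(report_text)
    findings = apply_skips(findings, parse_skips(profile_text))
    warnings = [f for f in findings if f.level == "warning"]
    index = int(scalars.get("hardening_index", 0))
    reasons = []
    if index < min_index:
        reasons.append(f"hardening index {index} is below {min_index}")
    if len(warnings) > max_warnings:
        reasons.append("warnings: " + ", ".join(sorted({w.test_id for w in warnings})))
    return {"hardening_index": index, "warnings": warnings, "reasons": reasons, "passed": not reasons,
            "suggestion_counts": Counter(f.test_id for f in findings if f.level == "suggestion"),
            "sshd_changes": sshd_changes(findings)}

if __name__ == "__main__":
    # on a real host read /var/log/lynis-report.dat and /etc/lynis/custom.prf instead of the samples
    summary = summarize(SAMPLE_REPORT, SAMPLE_PROFILE)
    print("passed" if summary["passed"] else "failed", summary["reasons"], dict(summary["suggestion_counts"]))
    print(summary["sshd_changes"])
```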

As you can see, Lynis is an excellent tool for reviewing your servers, especially if you are running HIPAA-compliant server hosting. For more information, visit the main Lynis page or the Lynis documentation page.

Give us a call at 800.580.4985, or open a chat or ticket with us to speak with one of our knowledgeable Solutions or Experienced Hosting advisors to learn how you can take advantage of this software today!

Author Bio

About the Author: David Singer

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....
