Lynis is an open source and very powerful auditing tool for Unix-like operating systems. It scans the system for security information, general system information, installed and available software, configuration mistakes, security issues, user accounts without a password, wrong file permissions, firewall auditing etc.

Lynis is one of the most trusted automated auditing tools for software patch management, malware scanning and vulnerability detection on Unix-based systems. This tool is useful for auditors, network and system administrators, security specialists and penetration testers.

Installation of Lynis

Lynis doesn't require any installation; it can be used directly from any directory. So it is a good idea to create a custom directory for Lynis under /usr/local/lynis.
# mkdir /usr/local/lynis
# cd /usr/local/lynis
# wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
# tar -xvf lynis-1.3.0.tar.gz
Running and Using Lynis

# cd lynis-1.3.0
# ./lynis
By running ./lynis without any option, it prints the complete list of available parameters and returns to the shell prompt.
[+] Initializing program
------------------------------------
Scan options:
--auditor "<name>" : Auditor name
--check-all (-c) : Check system
--no-log : Don't create a log file
--profile <profile> : Scan the system with the given profile file
--quick (-Q) : Quick mode, don't wait for user input
--tests "<tests>" : Run only tests defined by <tests>
--tests-category "<category>" : Run only tests defined by <category>
Layout options:
--no-colors : Don't use colors in output
--quiet (-q) : No output, except warnings
--reverse-colors : Optimize color display for light backgrounds
Misc options:
--check-update : Check for updates
--view-manpage (--man) : View man page
--version (-V) : Display version number and quit
Error: No parameters specified!
See man page and documentation for all available options.
Exiting..
To start a Lynis scan, you must pass the --check-all parameter to audit your entire Linux system. Use the following command to start the scan with the parameters shown below.
# ./lynis --check-all
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Clearing log file (/var/log/lynis.log)... [ DONE ]
---------------------------------------------------
Program version: 1.3.0
Operating system: Linux
Operating system name: CentOS
Operating system version: CentOS release 6.5 (Final)
Kernel version: 2.6.32-042stab078.26
Hardware platform: x86_64
Hostname: vps-1124654-14950
Auditor: [Unknown]
Profile: ./default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
---------------------------------------------------
[ Press [ENTER] to continue, or [CTRL]+C to stop ]
To avoid the interactive prompt (i.e. "press enter to continue") while scanning, use the -c and -Q parameters as shown below.
# ./lynis -c -Q
Lynis Scanning Results

While scanning you will see output marked [OK] or [WARNING], where [OK] is considered a good result and [WARNING] a bad one. But this doesn't mean that an [OK] result is correctly configured, or that a [WARNING] has to be bad. You should take corrective steps to fix those issues after reading the logs at /var/log/lynis.log. See the snippet below that provides a list of suggestions to fix problems.
Suggestions:
----------------------------
- [12:52:12] Suggestion: update to the latest stable release.
- [12:52:21] Suggestion: Run grpck manually and check your group files [test:AUTH-9216]
- [12:52:22] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
- [12:52:22] Suggestion: Set password for single user mode to minimize physical access attack surface [test:AUTH-9308]
- [12:52:22] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
- [12:52:23] Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310]
- [12:52:23] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
- [12:52:23] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
- [12:52:23] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
- [12:52:29] Suggestion: Install package 'yum-utils' for better consistency checking of the package database [test:PKGS-7384]
- [12:52:33] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
- [12:52:37] Suggestion: Change the register_globals line to: register_globals = Off [test:PHP-2368]
- [12:52:37] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
- [12:52:37] Suggestion: Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP [test:PHP-2374]
- [12:52:37] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376]
- [12:52:37] Suggestion: Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP [test:PHP-2378]
- [12:52:39] Suggestion: Add legal banner to /etc/motd, to warn unauthorized users [test:BANN-7122]
- [12:52:40] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
- [12:52:40] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130]
- [12:52:40] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]
- [12:52:41] Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily, to prevent big time differences and avoid problems with services like kerberos, authentication or logging differences. [test:TIME-3104]
- [12:52:41] Suggestion: Install a file integrity tool [test:FINT-4350]
- [12:52:44] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]
- [12:52:45] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
- [12:52:45] Suggestion: Harden compilers and restrict access to world [test:HRDN-7222]
================================================================================
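As an added example, not code from the article or from the Lynis project, the following POSIX shell script covers both the unattended -c -Q run described earlier and the triage of a suggestion list like the one above: it wraps the non-interactive audit in a function and parses the "Suggestion:" lines of lynis.log into a per-test-category count. The install directory /usr/local/lynis/lynis-1.3.0 and the auditor name are assumed placeholders, and the sample log it writes is constructed from the line format shown in the article; the first suggestion in that output carries no [test:ID] tag, so the parser keeps such lines under a NOTEST pseudo-ID instead of silently dropping them.

```shell
#!/bin/sh
# Added example, not code from the article or from the Lynis project.
# Wraps an unattended Lynis run (the -c -Q invocation from the article) and
# turns the "Suggestion:" lines of lynis.log into a per-category summary.
# Assumptions: LYNIS_DIR is a placeholder install path; the log lines follow
# the "- [HH:MM:SS] Suggestion: <text> [test:ID]" layout shown in the article.

LYNIS_DIR="${LYNIS_DIR:-/usr/local/lynis/lynis-1.3.0}"   # assumed location of ./lynis
LYNIS_LOG="${LYNIS_LOG:-/var/log/lynis.log}"             # default log path from the scan banner

# Run the complete audit non-interactively (-c = --check-all, -Q = --quick),
# without colour codes so the output is safe to capture, and record who ran it.
run_lynis_audit() {
    auditor="${1:-unattended}"                 # placeholder auditor name
    if [ ! -x "$LYNIS_DIR/lynis" ]; then
        echo "lynis not found in $LYNIS_DIR" >&2
        return 2
    fi
    ( cd "$LYNIS_DIR" && ./lynis -c -Q --no-colors --auditor "$auditor" )
}

# Print one "TESTID<TAB>message" line per suggestion found in a Lynis log.
# Suggestions without a [test:ID] tag (e.g. the "update to the latest stable
# release" line) are reported under the pseudo-ID NOTEST instead of being dropped.
lynis_suggestions() {
    awk '/Suggestion:/ {
        line = $0
        sub(/^.*Suggestion: */, "", line)            # drop the "- [time] Suggestion: " prefix
        id = "NOTEST"
        if (match(line, /\[test:[A-Z]+-[0-9]+\]/)) {
            id = substr(line, RSTART + 6, RLENGTH - 7) # text between "[test:" and "]"
            line = substr(line, 1, RSTART - 1)
            sub(/ +$/, "", line)
        }
        printf "%s\t%s\n", id, line
    }' "$1"
}

# Count suggestions per test category (AUTH, FILE, PHP, ...) so the audit
# can be triaged by area rather than read as one long list.
lynis_category_counts() {
    lynis_suggestions "$1" | awk -F'\t' '{
        split($1, parts, "-")
        n[parts[1]]++
    } END { for (c in n) printf "%s %d\n", c, n[c] }' | sort
}

# Constructed sample log (a few lines in the format shown in the article),
# written to the path given as $1; used to demonstrate the parser offline.
make_sample_log() {
    cat > "$1" <<'EOF'
Suggestions:
----------------------------
- [12:52:12] Suggestion: update to the latest stable release.
- [12:52:21] Suggestion: Run grpck manually and check your group files [test:AUTH-9216]
- [12:52:22] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
- [12:52:37] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
- [12:52:37] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376]
EOF
}

# Summarise a real log if one is present; otherwise nothing runs at load time.
if [ -r "$LYNIS_LOG" ]; then
    lynis_category_counts "$LYNIS_LOG"
fi
```

Typical use is `run_lynis_audit "your name"` followed by `lynis_category_counts /var/log/lynis.log`; on the sample log the counts come out as AUTH 2, NOTEST 1, PHP 2. Sorting the per-category output matters because awk's `for (c in n)` iteration order is not defined, so without it two runs over the same log could print the categories in different orders.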
That's all. Now give it a try.