Linux Auditing Tool

[Vinil]

Lynis is an open source and much powerful auditing tool for Unix like operating systems. It scans system for security information, general system information, installed and available software information, configuration mistakes, security issues, user accounts without password, wrong file permissions, firewall auditing etc.

Lynis is one of the most trusted automated auditing tool for software patch management, malware scanning and vulnerability detecting in Unix based systems. This tool is useful for auditors, network and system administrators, security specialists and penetration testers.


Installation of Lynis

Lynis doesn’t required any installation, it can be used directly from any directory. So, its good idea to create a custom directory for Lynis under /usr/local/lynis.

Code: [Select]

# mkdir /usr/local/lynis

# cd /usr/local/lynis
# wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
# tar -xvf lynis-1.3.0.tar.gz

Running and Using Lynis

# cd lynis-1.3.0
# ./lynis

By running ./lynis without any option, it will provide you a complete list of available parameters and goes back to the shell promt.

Code: [Select]

[+] Initializing program
------------------------------------
  Scan options:
    --auditor "<name>"            : Auditor name
    --check-all (-c)              : Check system
    --no-log                      : Don't create a log file
    --profile <profile>           : Scan the system with the given profile file
    --quick (-Q)                  : Quick mode, don't wait for user input
    --tests "<tests>"             : Run only tests defined by <tests>
    --tests-category "<category>" : Run only tests defined by <category>

  Layout options:
    --no-colors                   : Don't use colors in output
    --quiet (-q)                  : No output, except warnings
    --reverse-colors              : Optimize color display for light backgrounds

  Misc options:
    --check-update                : Check for updates
    --view-manpage (--man)        : View man page
    --version (-V)                : Display version number and quit

  Error: No parameters specified!
  See man page and documentation for all available options.

Exiting..
To start Lynis process, you must define a –check-all parameter to begin scanning of your entire Linux system. Use the following command to start scan with paramerts as shown below.

# ./lynis --check-all

Code: [Select]

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Clearing log file (/var/log/lynis.log)...                 [ DONE ]

  ---------------------------------------------------
  Program version:           1.3.0
  Operating system:          Linux
  Operating system name:     CentOS
  Operating system version:  CentOS release 6.5 (Final)
  Kernel version:            2.6.32-042stab078.26
  Hardware platform:         x86_64
  Hostname:                  vps-1124654-14950
  Auditor:                   [Unknown]
  Profile:                   ./default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  ---------------------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

To prevent user acknowledgment (i.e. "press enter to continue") from user while scanning, you need use -c and -Q parameters as shown below.

# ./lynis -c -Q

Lynis Scanning Results


While scanning you will see output as [OK] or [WARNING]. Where [OK] considered as good result and [WARNING] as bad. But it doesn’t mean that [OK] result is correctly configured and [WARNING] doesn’t have to be bad. You should take corrective steps to fix those issues after reading logs at /var/log/lynis.log. See the snippet below that provides a list of suggestion to fix problems.

Suggestions:
  ----------------------------
   - [12:52:12] Suggestion: update to the latest stable release.
   - [12:52:21] Suggestion: Run grpck manually and check your group files [test:AUTH-9216]
   - [12:52:22] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
   - [12:52:22] Suggestion: Set password for single user mode to minimize physical access attack surface [test:AUTH-9308]
   - [12:52:22] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
   - [12:52:23] Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310]
   - [12:52:23] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
   - [12:52:23] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
   - [12:52:23] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
   - [12:52:29] Suggestion: Install package 'yum-utils' for better consistency checking of the package database [test:PKGS-7384]
   - [12:52:33] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
   - [12:52:37] Suggestion: Change the register_globals line to: register_globals = Off [test:PHP-2368]
   - [12:52:37] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
   - [12:52:37] Suggestion: Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP [test:PHP-2374]
   - [12:52:37] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376]
   - [12:52:37] Suggestion: Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP [test:PHP-2378]
   - [12:52:39] Suggestion: Add legal banner to /etc/motd, to warn unauthorized users [test:BANN-7122]
   - [12:52:40] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
   - [12:52:40] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130]
   - [12:52:40] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]
   - [12:52:41] Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily, to prevent big time differences and avoid problems with services like kerberos, authentication or logging differences. [test:TIME-3104]
   - [12:52:41] Suggestion: Install a file integrity tool [test:FINT-4350]
   - [12:52:44] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]
   - [12:52:45] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
   - [12:52:45] Suggestion: Harden compilers and restrict access to world [test:HRDN-7222]
================================================================================

That's all. Now give it a try