Lynis is a hardening and security auditing tool for Unix/Linux-based systems. It performs an in-depth scan of your system to detect security issues, misconfigurations, and potential vulnerabilities. It does not fix the issues itself, but provides suggestions and links to help you harden your system.
Why use Lynis?
- Comprehensive Audit: Checks hundreds of control points (kernel, authentication, firewall, services, etc.).
- Hardening-Oriented: Helps you harden your system by following security best practices.
- Compliance: Can help verify compliance with standards such as PCI-DSS or HIPAA.
- Open-Source: Free and transparent, with an active community.
Prerequisites
- A Linux system (Ubuntu/Debian, CentOS/RHEL, etc.).
- Root access or sudo privileges.
Installation
There are two main methods to install Lynis:
Method 1: Via the repositories (recommended for ease of updates)
# On Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y lynis
# On CentOS / RHEL
sudo yum install -y epel-release
sudo yum install -y lynis
Method 2: Via Git (to get the latest version)
cd /opt/
sudo git clone https://github.com/CISOfy/lynis.git
cd lynis
With this method, you will run lynis from the /opt/lynis/ directory.
Running an audit
The main command is simple:
sudo lynis audit system
Lynis will scan your system. The audit can take a few minutes. During the scan, it displays the tests performed in real time. At the end of the audit, two important things are shown on screen:
- The scan report: A summary of the Warnings and Suggestions.
- The paths to the log and report files:
  - /var/log/lynis.log: The full audit log.
  - /var/log/lynis-report.dat: A data file containing the results, for automated processing.
At the end of the report, Lynis calculates a "Hardening Index", a score out of 100 that gives you a general idea of your system's security level. It is a good indicator for tracking your progress.
Understanding and using the report
The most important part is the "Suggestions" section at the end of the output. Each suggestion is listed with a test ID (e.g. `[TEST-1234]`).
Suggestions
----------------------------
* Harden the system by installing a file integrity tool. [TEST-7708]
- Solution : Install a file integrity tool like AIDE, Tripwire, or Samhain.
- Details : https://cisofy.com/lynis/controls/TEST-7708/
* Consider tweaking permissions for umask in /etc/login.defs. [AUTH-9328]
- Solution : Set the umask value to 027.
- Details : https://cisofy.com/lynis/controls/AUTH-9328/
For each suggestion, Lynis gives you:
- A description of the issue.
- A suggested solution.
- A link to the CISOfy website (the creators of Lynis) with details about the control and how to fix it.
Your job is to review these suggestions, understand their impact, and apply them if they are relevant to your environment.
Automating audits with Cron
It is recommended to run Lynis regularly to detect new vulnerabilities or configuration changes. You can use cron for this.
# Create a cron script for Lynis
sudo nano /etc/cron.daily/lynis-audit
Add the following content:
#!/bin/sh
# Run a cronjob audit (less verbose) and send the report by email
# Replace admin@example.com (placeholder) with the address that should receive the report
lynis audit system --cronjob | mail -s "Lynis audit report for $(hostname)" admin@example.com
Make the script executable:
sudo chmod +x /etc/cron.daily/lynis-audit
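The cron script above mails the whole output every day, whether or not anything changed. Since /var/log/lynis-report.dat is written for automated processing, a scheduled job can instead read that file and only raise an alert when the hardening index drops below a threshold or a warning appears. The script below is an added example, not part of the Lynis project: it reads the `hardening_index`, `warning[]` and `suggestion[]` keys that Lynis writes to the report file, and uses a constructed sample report (the `TEST-0001` ID and the values are made up; `AUTH-9328` and `TEST-7708` are the IDs shown in the report excerpt above) so it runs offline. The threshold of 70 is an assumed local policy value.

```shell
#!/bin/sh
# Added example: summarise a Lynis report file and decide whether to alert.
# REPORT defaults to a constructed sample so the script runs offline;
# in a real cron job set REPORT=/var/log/lynis-report.dat.
REPORT="${REPORT:-${TMPDIR:-/tmp}/lynis-report.sample.dat}"
MIN_INDEX="${MIN_INDEX:-70}"   # assumed local policy threshold

# Write a constructed sample in the key=value format Lynis uses.
# Report lines for findings look like: key[]=TEST-ID|description|details|solution|
write_sample_report() {
    cat > "$REPORT" <<'EOF'
# Lynis Report (constructed sample, not real audit output)
report_version_major=1
hardening_index=65
warning[]=TEST-0001|Constructed warning entry|-|-|
suggestion[]=AUTH-9328|Consider tweaking permissions for umask in /etc/login.defs|-|-|
suggestion[]=TEST-7708|Harden the system by installing a file integrity tool|-|-|
EOF
}

# Numeric hardening index from the report, or 0 if the key is missing
hardening_index() {
    idx=$(sed -n 's/^hardening_index=//p' "$REPORT" | head -n 1)
    echo "${idx:-0}"
}

# Number of entries for a list key such as "warning" or "suggestion"
# (grep -c exits 1 when the count is 0, so force a success status)
count_key() {
    grep -c "^$1\[]=" "$REPORT" || true
}

# Test IDs for a list key, one per line (first pipe-separated field)
ids_for_key() {
    sed -n "s/^$1\[]=//p" "$REPORT" | cut -d'|' -f1
}

# Succeeds (exit 0) when the result needs attention: index below the
# threshold, or at least one warning present
needs_alert() {
    [ "$(hardening_index)" -lt "$MIN_INDEX" ] || [ "$(count_key warning)" -gt 0 ]
}

# Human-readable summary suitable for piping into mail
report_summary() {
    printf 'Hardening index: %s (threshold %s)\n' "$(hardening_index)" "$MIN_INDEX"
    printf 'Warnings (%s):\n' "$(count_key warning)"
    ids_for_key warning | sed 's/^/  /'
    printf 'Suggestions (%s):\n' "$(count_key suggestion)"
    ids_for_key suggestion | sed 's/^/  /'
}

# Stand-alone run: create the sample if no report is present, then summarise
[ -f "$REPORT" ] || write_sample_report
report_summary
if needs_alert; then
    echo "ALERT: review the findings above"
fi
```

In a cron job the sequence is `lynis audit system --cronjob >/dev/null` followed by `REPORT=/var/log/lynis-report.dat sh /usr/local/bin/lynis-summary.sh` (an assumed install path for this script), and the summary is piped to `mail` only when `needs_alert` succeeds. With the Git installation method, the audit command must be run from /opt/lynis/ as the page notes.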
Not all of Lynis's suggestions are necessarily applicable to your use case. For example, it may suggest disabling USB drives, which is not relevant for a virtual server in a datacenter. Analyze each suggestion before applying it.
Conclusion
Lynis is a fantastic tool for getting a health check of your Linux system's security. It guides you through the hardening process and helps you identify weaknesses you might have missed. Running an audit with Lynis should be one of the first steps after installing a new server, and its regular audits are an essential part of good security hygiene.