Security audits with Lynis
Auditor
Running a security audit periodically on your system lets you spot unexpected changes and possible weak points.
Security is on everybody's mind these days, but where do you start? For that matter, how do you know when your precautions are complete? One answer to both of these questions is Lynis [1], which audits the security of a system by running more than 200 tests in a matter of a few minutes.
Lynis was created by Michael Boelen in 2007 and is now maintained by CISOfy [2], which uses Lynis as the back end for its commercial desktop application Lynis Enterprise [3]. It was inspired by Bastille Linux [4], which a decade ago was a standard Linux security tool but now is semi-moribund and no longer available in most distributions. The main difference between Bastille and Lynis is that Bastille included a system audit tool and a hardening wizard, which among other things could configure a firewall, whereas Lynis offers only an audit, leaving users to make changes for themselves. Another difference is that Bastille focused on specific releases of a few Linux distributions, whereas Lynis runs on most Unix-like systems without concern for the release number – a difference that is especially welcome with distributions that have rolling releases. In general, Lynis offers a more flexible and thorough audit than Bastille, reporting facts and leaving you to make the decisions.
Basic Syntax
Lynis is a shell script available as a package or tarball or as a GitHub clone [5]. Running it requires access to /tmp
. For a complete system audit, Lynis should be run as root, but it can also be run from an ordinary user account for penetration testing. Documentation is available online [6] or from the man page, but it is written to include Lynis Enterprise, which means that not all the options listed are available in the free version. At times, the only way to know which options are available is to try them; fortunately, the unavailable options simply will not run and cannot harm your system.
Lynis runs from a profile located in /etc/lynis/default.prf
that includes the tests to run (Figure 1). Other profiles for specific distributions like Debian or Red Hat Enterprise Linux will be run if Lynis detects that they are relevant. Users can also create their own profiles, although most will probably be content with the default.
Lynis's basic syntax is:
lynis AUDIT OPTIONS
The three major audit options are audit system
, audit system remote HOST
, and system dockerfile FILE
. However, Lynis also has what the documentation calls "helper options," which are entered in the same position as the audit options. In particular, the show helper
option displays information about the work directory and file locations. The tests (Figure 2) that Lynis runs are listed with the command:
lynis show tests
Most of Lynis' regular options affect how an audit is run. The option --test TEST-ID
can limit the audit to specified tests, whereas --pentest
runs a penetration test from a regular user account. For ease of reading, you might want to use --wait
, which pauses between sections of the audit, giving you more time to read. You can also add --quiet
(-Q
) to run an audit without any user input. Other options change the default components: --logfile PATH
, --plugin-dir PATH
, and --profile FILE
all being self-explanatory. For security reasons, you might prefer --no-log
to prevent sensitive information from being written to disk.
Other options format the report that is output to the screen. With --no-color
, the report uses only the foreground color set for the terminal, whereas --reverse-colors
is useful against a light background.
If you do not add any options, or a circumstance arises not covered by the options added to the basic command, the output will add brief help notices as needed.
Running an Audit
As you gain experience with Lynis, you might want to experiment with some of its options. However, you can make quick, practical use of Lynis with the bare command:
lynis audit system
The audit outputs to the screen, writing the information to /var/log/lynis-report.dat
. To get a more exhaustive view of the audit, view /var/log/lynis.log
(Figure 3). Both the report data and the logfile are overwritten when the next audit is run, so you need to rename these files if you regularly audit the system. You might also copy and paste the report directly from the screen into a file.
So far as possible, the report remains neutral. It reports whether useful resources are available or not and offers detailed warnings only at the end. So far as I can see, it recognizes Systemd as a service manager but does not check for its security particulars. Nor does it mention Firejail [7], which provides a measure of security by containerizing standard applications. The audit takes a classic architectural stance, focusing on the security built in to the system rather than features like antivirus software.
The report begins with general information about the system and the Lynis settings used and checks for key files and configurations, including those specific to Debian or another popular distribution. These resources are reported variously as FOUND, NOT INSTALLED, DISABLED, NONE, NON-DEFAULT, DIFFERENT, NOT RUNNING, or WARNING (Figure 4). Ordinarily, only WARNING is an immediate concern, since a file or setting may be not installed or disabled without necessarily being a security risk. Possibly, too, where there is a choice, as with the boot manager, only one is installed. Still, you might want to check these results, just to be sure, after you deal with the more urgent results.
For example, the maximum age for a password before it must be replaced is usually disabled in most major distributions without major consequences. However, if you are security conscious or the system is networked, enabling this feature adds security with minimal effort. Similarly, not having a default umask
– the default permissions for a new file or directory – might seem minor, but it is a bit of hardening generally worth implementing. By contrast, non-default mount
options for your partitions probably means nothing more than that you have customized them; in fact, altering them will probably reduce overall performance. In the same way, if a service like CUPS is not running, then you need to turn it on and rerun the audit so that it can be accessed.
The report finishes by summarizing warnings and suggestions (Figure 5). The warnings will include both lax configurations and vulnerable packages, whereas the suggestions spell out a concrete action that either you need to do only once or recommend the addition of a tool that will help with ongoing security. Both warnings and suggestions are accompanied by a link to more detailed information on a CISOfy page (Figure 6), worded in such a way as to help you decide whether you should implement it or not. However, in a few cases, you might want to search for more information; although this can be a tedious process, it at least organizes and makes sense of the complicated subject matter and reduces much of the uncertainty.
After the First Report
Lynis should be run as soon as it is installed and then acted on as necessary. It should also be run again after you have acted on the warnings and suggestions. However, that is just the start. Running Lynis regularly is a convenient way to spot unexpected changes in a system that might indicate intrusions. Moreover, your needs might change over time, and Lynis' report can help you decide what adjustments are necessary.
Those who once depended on Bastille are likely to find Lynis a less complete solution. If nothing else, Bastille did a more thorough job of explaining the pros and cons of possible actions. Yet, despite this shortcoming, Lynis remains a quick and convenient update of the Bastille concept and an education in itself. So long as you are willing to put in the time, you can benefit without being a security expert. If you have never run Lynis on a system that you administer, you owe yourself the favor of doing so immediately.
Infos
- Lynis: https://cisofy.com/lynis/
- CISOfy: https://cisofy.com/
- Lynis Enterprise pricing: https://cisofy.com/pricing/
- Bastille: http://bastille-linux.sourceforge.net/
- Lynis on GitHub: https://github.com/CISOfy/Lynis
- Documentation: https://cisofy.com/documentation/lynis/
- Firejail: https://firejail.wordpress.com/
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.