Lynis works on a variety of UNIX-based systems such as:
FreeBSD Linux MacOS OpenBSD NetBSD AIX HP-UX Solaris Raspberry Pi Backtrack Linux Kali Linux CentOS Linux Mint Debian Arch Linux Fedora Ubuntu Red Hat Enterprise Linux
Lynis can also be used to audit additional services such as:
Apache Nginx Oracle Database MySQL PostgreSQL
Lynis can be downloaded from https://cisofy.com/download/lynis/ An important feature of Lynis is its Opportunistic Scanning which means that it only scans for what it comes across. Say the system you are scanning has an Apache server running on it. Lynis will scan for only the vulnerabilities related to Apache. While doing so, if it comes across an SSL/TLS configuration, only then it will scan for additional vulnerabilities thus saving time. In short, it will always perform a customized scan depending on the system. Once downloaded, simply go into the folder and start by typing: $ ./lyins This will show us the various commands and options we can do with it:
To get further information, we can type: $ ./lynis show options
Mainly, Lynis is used for the following purposes:
System hardening Vulnerability detection and scanning Security auditing Compliance testing (PCI, HIPPA, SOx)
Additional plugins can be used to perform additional tests. To run a basic scan on your system with Lynis, simply type: $ ./lynis audit system Note: By adding the parameter –quick will enable Lynis to run without any pauses and would enable us to work on other things while it scans.
Lynis will show us any important warnings that we might need to be aware of
as well as the location of the log files generated along with the report data.
It starts off by detecting the Operating System It will then search for the available tools and utilities It will check whether Lynis needs to be updated It will run tests from enabled plugins It will run relevant tests for each category Finally, it will end by reporting the status of the scan
As you can see, Lynis includes impacts and suggestions (highlighted in blue) for anything that might be harmful to the system. Lynis also gives us the option to run specific tests on specific modules. However, we need to know the TEST ID of that tests. To do that, we do need to have a log file of the complete scan so that we can fetch the TEST ID’s from. Here’s a list of TEST ID’s available in Lynis:
BOOT KRNL (Kernel) PROC (Processor) AUTH (Authentication) SHELL FILE STRG (Storage) NAME (DNS) PKGC (Packages) NETW (Network) PRNT (Printer) MAIL FIRE (Firewall) HTTP (Web Server) SSH SNMP DBS (Database) PHP LDAP SQD (Squid Proxy) LOGG (Logging) INSE (Insecure Services – Inetd) SCHD (Scheduling – Cron Jobs) ACCT (Accounting) TIME (Time Protocol – NTP) CRYP (Cryptography) VIRT (Virtualization) HOME HRDN (Hardening) MALW (Malware) MACF (AppArmour – SELINUX)
By using a simple GREP command, we can fetch the relevant TEST ID from the log file and perform specific tests: $ cat /var/log/lynis.log | grep MALW
Moreover, as we can see, it shows us all the TEST ID’s associated with Malware scanning along with that they do. Now if we want to check for Rootkit Hunter, we will simply run: $ ./lynis –tests “MALW-3276” We can also run multiple specific tests say for Rootkit Hunter and LMD by: $ ./lynis –tests “MALW-3276 MALW-3278” We can do this with different test modules as well. We can also use the GREP command to filter out the Warnings and Suggestions from that long log file. It is always recommended to keep your scanners up-to-date, and Lynis is not an exception to that. A simple command can help us to do the same: $ ./lynis update info
We can create a simple bash script and make it run Lynis on a daily basis and save its report so as to be extra careful: #!/bin/sh AUDITOR=”automated” DATE=$(date +%Y%m%d) HOST=$(hostname) LOG_DIR=”/var/log/lynis” REPORT=”$LOG_DIR/report-${HOST}.${DATE}” DATA=”$LOG_DIR/report-data-${HOST}.${DATE}.txt” cd /opt/lynis ./lynis -c –auditor “${AUDITOR}” –cronjob > ${REPORT} mv /var/log/lynis-report.dat ${DATA} Just save the above code in: $ vi /etc/cron.daily/lynis-scan.sh and give it the proper permissions by: $ sudo chmod 755 /etc/cron.daily/lynis-scan.sh
