Auditor

Security is on everybody's mind these days, but where do you start? For that matter, how do you know when your precautions are complete? One answer to both of these questions is Lynis [1], which audits the security of a system by running more than 200 tests in a matter of a few minutes.

Lynis was created by Michael Boelen in 2007 and is now maintained by CISOfy [2], which uses Lynis as the back end for its commercial desktop application Lynis Enterprise [3]. It was inspired by Bastille Linux [4], which a decade ago was a standard Linux security tool but now is semi-moribund and no longer available in most distributions. The main difference between Bastille and Lynis is that Bastille included a system audit tool and a hardening wizard, which among other things could configure a firewall, whereas Lynis offers only an audit, leaving users to make changes for themselves. Another difference is that Bastille focused on specific releases of a few Linux distributions, whereas Lynis runs on most Unix-like systems without concern for the release number – a difference that is especially welcome with distributions that have rolling releases. In general, Lynis offers a more flexible and thorough audit than Bastille, reporting facts and leaving you to make the decisions.

Basic Syntax

Lynis is a shell script available as a package or tarball or as a GitHub clone [5]. Running it requires access to /tmp. For a complete system audit, Lynis should be run as root, but it can also be run from an ordinary user account for penetration testing. Documentation is available online [6] or from the man page, but it is written to include Lynis Enterprise, which means that not all the options listed are available in the free version. At times, the only way to know which options are available is to try them; fortunately, the unavailable options simply will not run and cannot harm your system.

Lynis runs from a profile located in /etc/lynis/default.prf that includes the tests to run (Figure 1). Other profiles for specific distributions like Debian or Red Hat Enterprise Linux will be run if Lynis detects that they are relevant. Users can also create their own profiles, although most will probably be content with the default.

Figure 1: Lynis runs from a detailed, customizable profile.

Lynis's basic syntax is:

lynis AUDIT OPTIONS

The three major audit options are audit system, audit system remote HOST, and system dockerfile FILE. However, Lynis also has what the documentation calls "helper options," which are entered in the same position as the audit options. In particular, the show helper option displays information about the work directory and file locations. The tests (Figure 2) that Lynis runs are listed with the command:

lynis show tests

Figure 2: Lynis runs more than 200 tests, including some specific to a distribution or operating system.

Most of Lynis' regular options affect how an audit is run. The option --test TEST-ID can limit the audit to specified tests, whereas --pentest runs a penetration test from a regular user account. For ease of reading, you might want to use --wait, which pauses between sections of the audit, giving you more time to read. You can also add --quiet (-Q) to run an audit without any user input. Other options change the default components: --logfile PATH, --plugin-dir PATH, and --profile FILE all being self-explanatory. For security reasons, you might prefer --no-log to prevent sensitive information from being written to disk.

Other options format the report that is output to the screen. With --no-color, the report uses only the foreground color set for the terminal, whereas --reverse-colors is useful against a light background.

If you do not add any options, or a circumstance arises not covered by the options added to the basic command, the output will add brief help notices as needed.

Running an Audit

As you gain experience with Lynis, you might want to experiment with some of its options. However, you can make quick, practical use of Lynis with the bare command:

lynis audit system

The audit outputs to the screen, writing the information to /var/log/lynis-report.dat. To get a more exhaustive view of the audit, view /var/log/lynis.log (Figure 3). Both the report data and the logfile are overwritten when the next audit is run, so you need to rename these files if you regularly audit the system. You might also copy and paste the report directly from the screen into a file.

Figure 3: The Lynis logfile gives a thorough description of each audit.

So far as possible, the report remains neutral. It reports whether useful resources are available or not and offers detailed warnings only at the end. So far as I can see, it recognizes Systemd as a service manager but does not check for its security particulars. Nor does it mention Firejail [7], which provides a measure of security by containerizing standard applications. The audit takes a classic architectural stance, focusing on the security built in to the system rather than features like antivirus software.

The report begins with general information about the system and the Lynis settings used and checks for key files and configurations, including those specific to Debian or another popular distribution. These resources are reported variously as FOUND, NOT INSTALLED, DISABLED, NONE, NON-DEFAULT, DIFFERENT, NOT RUNNING, or WARNING (Figure 4). Ordinarily, only WARNING is an immediate concern, since a file or setting may be not installed or disabled without necessarily being a security risk. Possibly, too, where there is a choice, as with the boot manager, only one is installed. Still, you might want to check these results, just to be sure, after you deal with the more urgent results.

Figure 4: Lynis reports on a system's resources in depth with various summaries.

For example, the maximum age for a password before it must be replaced is usually disabled in most major distributions without major consequences. However, if you are security conscious or the system is networked, enabling this feature adds security with minimal effort. Similarly, not having a default umask – the default permissions for a new file or directory – might seem minor, but it is a bit of hardening generally worth implementing. By contrast, non-default mount options for your partitions probably means nothing more than that you have customized them; in fact, altering them will probably reduce overall performance. In the same way, if a service like CUPS is not running, then you need to turn it on and rerun the audit so that it can be accessed.

The report finishes by summarizing warnings and suggestions (Figure 5). The warnings will include both lax configurations and vulnerable packages, whereas the suggestions spell out a concrete action that either you need to do only once or recommend the addition of a tool that will help with ongoing security. Both warnings and suggestions are accompanied by a link to more detailed information on a CISOfy page (Figure 6), worded in such a way as to help you decide whether you should implement it or not. However, in a few cases, you might want to search for more information; although this can be a tedious process, it at least organizes and makes sense of the complicated subject matter and reduces much of the uncertainty.

Figure 5: The suggestions and warnings in the report link to web pages with more detailed information.

Figure 6: The final payoff: Concrete suggestions about how to improve the system.

After the First Report

Lynis should be run as soon as it is installed and then acted on as necessary. It should also be run again after you have acted on the warnings and suggestions. However, that is just the start. Running Lynis regularly is a convenient way to spot unexpected changes in a system that might indicate intrusions. Moreover, your needs might change over time, and Lynis' report can help you decide what adjustments are necessary.

Those who once depended on Bastille are likely to find Lynis a less complete solution. If nothing else, Bastille did a more thorough job of explaining the pros and cons of possible actions. Yet, despite this shortcoming, Lynis remains a quick and convenient update of the Bastille concept and an education in itself. So long as you are willing to put in the time, you can benefit without being a security expert. If you have never run Lynis on a system that you administer, you owe yourself the favor of doing so immediately.