Security audits with Lynis

Professional Hardening

© Photo by FLY:D on Unsplash

The complexity of modern distributions offers many potential attack vectors for malware. Lynis lets you find these vulnerabilities before an attacker does.

Virtually nobody uses a computer without Internet access. Unfortunately, the network of networks is teeming with malicious programs that exploit vulnerabilities in operating systems, firmware, and application programs looking to inject malware or steal personal data.

Sys admins protect their systems against these attacks as part of their daily grind. Home users also need to protect their systems by keeping their computers up to date and running an occasional security scan to detect any vulnerabilities. Lynis [1], a free software tool from CISOfy, covers a wide range of problem scenarios and lets you perform regular system checks in no time at all.

First Launch

Lynis, a command-line program, comes with a collection of scripts for Unix-style systems. These scripts check various vulnerable system components for insecure settings and display color-coded results.

You will find Lynis in the repositories of many distributions and can install it using any of the popular package management tools. You can also download Lynis from the CISOfy website. I recommend this approach because you will always find the latest version there [2]. CISOfy (located in Vlijmen, Netherlands) offers the community variant of Lynis free of charge. The download contains the actual application but lacks some additional programs and the Collector. Lynis does, however, ship with some community plugins out of the box.

Lynis Enterprise

For companies that need to monitor more than 10 workstations, CISOfy offers Lynis Enterprise, which is available as a software as a service (SaaS, a licensing and sales model where the provider operates software on their own infrastructure and offers a subscription model for use). Lynis Enterprise comes with numerous plugins and additionally generates web-based reports in line with various standards. The Enterprise variant also lets you check Docker files in container environments and monitor remote computer systems.

CISOfy offers the SaaS version of Lynis Enterprise as a subscription for $3 per month. For larger organizations that require monitoring of more than 100 workstations, a self-hosted package is available for setting up a local Lynis instance on the intranet. The self-hosted Enterprise variant also includes all of the additional packages and is suitable for services that provide security audits for other companies [3].

At Your Command

You will find detailed instructions for installing the Lynis community variant on various distributions [4] on the CISOfy website. You then execute the program by typing lynis <parameter> in a terminal window. To access the available command parameters, type lynis show.

The central command for auditing the local system is lynis audit system. The application now runs over 200 test parameters and displays the results in a simple table after a short wait (Figure 1). To the right of each test category, the results appear in green, yellow, or red. If the results are displayed in yellow, you need to check the setting, but if the text color is red, you will want to reconfigure the service in question. Lynis grays out components that are not available on the system, provided that their absence does not affect the security of the system as a whole.

Figure 1: Lynis displays the color-coded test results in groups on the terminal.

The individual tests are divided into categories. If you launch the software as a normal user, Lynis skips some checks that can only be executed if you are root. The program outputs messages to point out the skipped test routines. After the test results, Lynis also displays a hardening index and shows potential for improvement. Lynis makes suggestions based on the individual test categories on how you can upgrade problematic settings to improve your system's security. You can open these tips by following the links in your web browser (Figure 2).

Figure 2: Lynis suggests potential improvements to the configuration in the form of URLs (shown in gray).

Logger

Lynis generates multiple files. Besides a profile containing the respective test scenario, it generates a logfile and a report. Lynis shows you the paths of the individual files after starting the tests.

The report is the most important of these files. It not only contains a detailed list of all loaded kernel modules, data on the network interfaces, and the directory structures, but it also includes all of the installed packages, cron jobs, and the tests that have been run. The tests do not appear under their plain-text names, as in the program output, but under their internal test identifiers. Lynis also outputs detailed information about the services loaded by the init system.

The report also contains several suggestions on how to harden the current system against attacks. However, these suggestions are somewhat cluttered and unstructured in the report. The suggestion tag at the beginning of each line marks the individual suggestions.

Profiles

Lynis supports the use of different profiles. You can view a list of all existing profiles with lynis show profiles. The default profile uses all available options. If you only want to test certain components or services, you can create an additional profile for this purpose. There are no restrictions on the number of profiles.

The profiles are simple text files, which you can edit with any text editor. However, be careful not to modify the original profile. To use a specific profile during a test run, specify its name as an option when calling Lynis. To perform a test run with a specific profile, type the following at the prompt:

lynis audit --profile <profile>

When you assign names to new profiles that you generate from the default profile as a template, you should include the components to be tested in the name. For example, you can create specific profiles for different installations, but also group different server services, such as web or mail servers, into separate profiles. The security level can also be taken into account in individual profiles.

Regular Scanning

Especially in a corporate environment, you will want to run security scans regularly. A cron job gives you the ability to run Lynis at fixed intervals. To do this, the application offers the --cronjob call parameter, which does a complete scan of the system. You also need to generate a matching script and create the associated paths to be able to save the report.

Automated tests will then run at regular intervals without any user interaction. The software also removes all special characters from the report to facilitate processing downstream. Users of the Enterprise variant also have the option to use the --upload parameter to send the report to their own Lynis instance for auditing and documentation purposes [5].

Color Scheme

When you run Lynis, depending on the background color selected, the contrast of the console output can be too low, making the results difficult to read. To avoid this, start the application using the --reverse-colors parameter. This tells the tool to adapt the output to light terminal backgrounds. Color highlighting can also be turned off completely with the parameter --no-colors (Figure 3).

Figure 3: Lynis lets you customize the colors in the text output, including turning off the color highlighting.

Problems

By default, Lynis always saves the reports it generates in the /var/log/ directory, creating the lynis.log and lynis-report.dat files. If you need the test reports for documentation purposes over the long term, you should copy them to a separate storage medium or to another directory immediately after the test run. Otherwise, Lynis overwrites the existing logs on each new run without prompting.
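The following wrapper is an added example (not part of the article or of Lynis itself) that ties together the cron-based scanning described under "Regular Scanning" and the overwrite problem described above: it runs the audit in --cronjob mode, keeps a timestamped copy of /var/log/lynis-report.dat, and pulls the hardening index plus the suggestion and warning tag lines out of the copy for a quick summary. The archive directory, the key=value layout of the report (hardening_index=, suggestion[]=, warning[]= with |-separated fields) and the "run" argument are assumptions for this example.

```shell
#!/bin/sh
# Wrapper for "lynis audit system --cronjob" that archives the report before the
# next run overwrites it and summarises the result for a cron mail.
# ARCHIVE_DIR and the report path are assumptions, not Lynis defaults.
set -eu

LYNIS_REPORT="${LYNIS_REPORT:-/var/log/lynis-report.dat}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/lib/lynis-archive}"

# Copy the report to <dir>/lynis-report-<stamp>.dat and print the new path.
archive_report() {
    src="$1"; dir="$2"; stamp="$3"
    mkdir -p "$dir"
    dest="$dir/lynis-report-$stamp.dat"
    cp "$src" "$dest"
    chmod 600 "$dest"   # the report lists packages, cron jobs and kernel modules
    printf '%s\n' "$dest"
}

# Print the value of the hardening_index= line (assumed report key).
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# Print suggestion[] lines as "TEST-ID: text" (assumed |-separated payload).
list_suggestions() {
    grep '^suggestion\[\]=' "$1" | cut -d= -f2- | awk -F'|' '{ print $1 ": " $2 }'
}

# Count warning[] lines; grep -c exits 1 when there are none, so force success.
count_warnings() {
    grep -c '^warning\[\]=' "$1" || true
}

run_audit() {
    lynis audit system --cronjob >/dev/null   # --cronjob: no colors, no prompts
    stamp=$(date +%Y%m%d-%H%M%S)
    dest=$(archive_report "$LYNIS_REPORT" "$ARCHIVE_DIR" "$stamp")
    echo "archived report: $dest"
    echo "hardening index: $(hardening_index "$dest")"
    echo "warnings: $(count_warnings "$dest")"
    list_suggestions "$dest"
}

# Only start the audit when called with "run", so the functions can be sourced.
if [ "${1:-}" = run ]; then
    run_audit
fi
```

Install it as a root cron job with the "run" argument, for example once a week, and point ARCHIVE_DIR at a directory that your backup covers.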

Add-Ons

Thanks to its modular structure, Lynis can easily be extended with plugins to help you retrieve additional data from the systems you scan. Because Lynis's check routines consist of shell scripts, savvy administrators have the option of writing any plugins they need themselves. The developers provide detailed instructions for this [6].

Provided the plugins are explicitly enabled in the individual profiles, Lynis automatically processes any plugins you add during scans. By default, these extensions reside in the /usr/share/lynis/plugins/ directory. During a test run, they can be called at two phases; the results are displayed on the standard output and stored in the report file.

CISOfy also maintains a database of plugins that can be individually downloaded and integrated into a Lynis installation. However, to access these extensions, you first need to register with the provider and be an Enterprise customer.

Conclusions

Lynis is a powerful tool for finding vulnerabilities on computer systems. The Community version is suitable for home users and admins with a manageable number of computers, while the Enterprise version is recommended for larger installations. The Enterprise version also comes with additional features, such as a web-based control panel and plugins that let you check file integrity. With the help of an extension for pentesting, Lynis is also suitable for playing out attack scenarios like the ones that occur in real life. Every security-conscious user should have Lynis in their toolbox.