Security audits with Lynis
Auditor
Running a security audit periodically on your system lets you spot unexpected changes and possible weak points.
Security is on everybody's mind these days, but where do you start? For that matter, how do you know when your precautions are complete? One answer to both of these questions is Lynis [1], which audits the security of a system by running more than 200 tests in a matter of a few minutes.
Lynis was created by Michael Boelen in 2007 and is now maintained by CISOfy [2], which uses Lynis as the back end for its commercial desktop application Lynis Enterprise [3]. It was inspired by Bastille Linux [4], which a decade ago was a standard Linux security tool but now is semi-moribund and no longer available in most distributions. The main difference between Bastille and Lynis is that Bastille included a system audit tool and a hardening wizard, which among other things could configure a firewall, whereas Lynis offers only an audit, leaving users to make changes for themselves. Another difference is that Bastille focused on specific releases of a few Linux distributions, whereas Lynis runs on most Unix-like systems without concern for the release number – a difference that is especially welcome with distributions that have rolling releases. In general, Lynis offers a more flexible and thorough audit than Bastille, reporting facts and leaving you to make the decisions.
Basic Syntax
Lynis is a shell script available as a package or tarball or as a GitHub clone [5]. Running it requires write access to /tmp. For a complete system audit, Lynis should be run as root, but it can also be run from an ordinary user account for penetration testing (see the --pentest option below). Documentation is available online [6] or from the man page, but it is written to cover Lynis Enterprise as well, which means that not all the options listed are available in the free version. At times, the only way to know which options are available is to try them; fortunately, an unavailable option simply fails to run and cannot harm your system.
Lynis runs from a profile located in /etc/lynis/default.prf that includes the tests to run (Figure 1). Other profiles for specific distributions like Debian or Red Hat Enterprise Linux will be run if Lynis detects that they are relevant. Users can also create their own profiles, although most will probably be content with the default.
Lynis's basic syntax is:
lynis AUDIT OPTIONS
The three major audit options are audit system, audit system remote HOST, and audit dockerfile FILE. However, Lynis also has what the documentation calls "helper options," which are entered in the same position as the audit options. In particular, the show helper (lynis show followed by a keyword such as settings or workdir) displays information about the work directory, file locations, and current settings. The tests (Figure 2) that Lynis runs are listed with the command:
lynis show tests
Most of Lynis' regular options affect how an audit is run. The option --tests TEST-ID can limit the audit to the specified tests, whereas --pentest runs the non-privileged scan used in a penetration test from a regular user account. For ease of reading, you might want to use --wait, which pauses between sections of the audit, giving you more time to read. Conversely, --quick (-Q) runs the audit without pausing for user input, and --quiet (-q) suppresses all output except warnings. Other options change the default components: --logfile PATH, --plugin-dir PATH, and --profile FILE all being self-explanatory. For security reasons, you might prefer --no-log to prevent sensitive information from being written to disk; note that this suppresses only the logfile, while the report data file described below is still written and deserves the same care.
Other options format the report that is output to the screen. With --no-colors, the report uses only the foreground color set for the terminal, whereas --reverse-colors is useful against a light background.
If you add no options, or a circumstance arises that the options you gave do not cover, the output includes brief help notices as needed.
Running an Audit
As you gain experience with Lynis, you might want to experiment with some of its options. However, you can make quick, practical use of Lynis with the bare command:
lynis audit system
The audit outputs to the screen and writes its machine-readable results to /var/log/lynis-report.dat. To get a more exhaustive view of the audit, view /var/log/lynis.log (Figure 3). Both the report data and the logfile are overwritten when the next audit is run, so you need to copy or rename these files if you regularly audit the system and want to compare results over time. You might also copy and paste the report directly from the screen into a file.
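Because both files are overwritten on every run, the practical way to use Lynis for spotting changes is to archive each report and compare it with the previous one. The script below is an added example written for this article, not code from the Lynis project. It assumes that lynis-report.dat is plain "key=value" text in which findings appear as warning[]=TEST-ID|message|details|solution| and suggestion[]=TEST-ID|message|details|solution| lines; the archive directory, the sample report contents and their test IDs are constructed for illustration.

```shell
#!/bin/sh
# Keep a dated copy of each Lynis report and show which warnings and
# suggestions appeared or disappeared since the previous run.
# Example code written for this article, not part of Lynis.
# Assumed report format (key=value lines, findings as shown):
#   warning[]=TEST-ID|message|details|solution|
#   suggestion[]=TEST-ID|message|details|solution|
# The archive directory is an arbitrary choice for this example.

ARCHIVE_DIR="${LYNIS_ARCHIVE_DIR:-/var/lib/lynis-history}"

# Reduce a report to sorted, unique "warning|TEST-ID" / "suggestion|TEST-ID"
# lines so that two runs can be compared with comm(1).
extract_findings() {
    grep -E '^(warning|suggestion)\[]=' "$1" | sed 's/\[]=/|/' | cut -d'|' -f1,2 | sort -u
}

# Value of the hardening_index key, if the report carries one.
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1" | tail -n 1
}

# comm over the two reduced reports: -13 keeps lines only in the new report
# ($3), -23 keeps lines only in the old report ($2).
compare_findings() {
    old=$(mktemp) && new=$(mktemp) || return 1
    extract_findings "$2" > "$old"
    extract_findings "$3" > "$new"
    comm "$1" "$old" "$new"
    rm -f "$old" "$new"
}
new_findings()      { compare_findings -13 "$1" "$2"; }
resolved_findings() { compare_findings -23 "$1" "$2"; }

# Copy the current report under a timestamped name and diff it against the
# most recently archived one. Intended to be run right after "lynis audit system".
archive_and_compare() {
    report="${1:-/var/log/lynis-report.dat}"
    mkdir -p "$ARCHIVE_DIR"
    prev=$(ls -1 "$ARCHIVE_DIR"/lynis-report-*.dat 2>/dev/null | tail -n 1)
    dest="$ARCHIVE_DIR/lynis-report-$(date +%Y%m%d-%H%M%S).dat"
    cp "$report" "$dest"
    if [ -n "$prev" ]; then
        echo "New findings since $prev:";      new_findings "$prev" "$dest"
        echo "Resolved findings since $prev:"; resolved_findings "$prev" "$dest"
    else
        echo "First archived report: $dest"
    fi
}

# Demonstration on two constructed reports (not real Lynis output; the test
# IDs and messages are illustrative only).
SAMPLE_DIR=$(mktemp -d)
OLD_REPORT="$SAMPLE_DIR/report-old.dat"
NEW_REPORT="$SAMPLE_DIR/report-new.dat"

cat > "$OLD_REPORT" <<'EOF'
hardening_index=66
warning[]=AUTH-9282|Found one or more accounts without password|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=FILE-6310|Place /tmp on a separate partition|-|-|
EOF

cat > "$NEW_REPORT" <<'EOF'
hardening_index=64
warning[]=AUTH-9282|Found one or more accounts without password|-|-|
warning[]=PKGS-7392|Found one or more vulnerable packages|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=PKGS-7392|Update your system with apt-get update and upgrade|-|-|
EOF

echo "Hardening index: $(hardening_index "$OLD_REPORT") -> $(hardening_index "$NEW_REPORT")"
echo "New since previous audit:";      new_findings "$OLD_REPORT" "$NEW_REPORT"
echo "Resolved since previous audit:"; resolved_findings "$OLD_REPORT" "$NEW_REPORT"
```

Comparing only the test IDs rather than the full message text keeps the diff stable when a message contains changing details such as package versions; a new warning ID after a routine update is exactly the kind of unexpected change worth investigating.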
So far as possible, the report remains neutral. It reports whether useful resources are available or not and offers detailed warnings only at the end. So far as I can see, it recognizes Systemd as a service manager but does not check for its security particulars. Nor does it mention Firejail [7], which provides a measure of security by containerizing standard applications. The audit takes a classic architectural stance, focusing on the security built in to the system rather than features like antivirus software.
The report begins with general information about the system and the Lynis settings used and checks for key files and configurations, including those specific to Debian or another popular distribution. These resources are reported variously as FOUND, NOT INSTALLED, DISABLED, NONE, NON-DEFAULT, DIFFERENT, NOT RUNNING, or WARNING (Figure 4). Ordinarily, only WARNING is an immediate concern, since a file or setting may be not installed or disabled without necessarily being a security risk. Possibly, too, where there is a choice, as with the boot manager, only one is installed. Still, you might want to check these results, just to be sure, after you deal with the more urgent results.
For example, password aging – the maximum age a password may reach before it must be changed – is disabled by default in most major distributions without major consequences. However, if you are security conscious or the system is networked, enabling it adds security with minimal effort. Similarly, a missing or permissive default umask – the setting that determines the permissions of a new file or directory – might seem minor, but it is a bit of hardening generally worth implementing. By contrast, NON-DEFAULT mount options for your partitions probably mean nothing more than that you have customized them; reverting them is unlikely to gain you anything, though it is worth confirming that the customization does not loosen anything. In the same way, if a service like CUPS is reported as not running, its configuration tests are simply skipped: if you actually use the service, start it and rerun the audit so that its configuration can be checked, and if you do not, leaving it stopped is the safer state.
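The two settings singled out above, password aging and the default umask, both live in /etc/login.defs on most distributions. The script below is an added example written for this article, not Lynis code and not a reproduction of its tests; it reads a login.defs-style file, classifies each of the two settings as weak or ok, and runs on two constructed fragments, one resembling a permissive distribution default and one hardened.

```shell
#!/bin/sh
# Inspect the two /etc/login.defs settings discussed above: password aging
# (PASS_MAX_DAYS) and the default umask (UMASK). Example code written for
# this article, not part of Lynis; it shows what a permissive and a hardened
# configuration look like and how to tell them apart.

# Print the last uncommented value of KEY from a login.defs-style file
# ("KEY value" lines, '#' comments). Prints nothing if the key is not set.
get_def() {
    awk -v key="$2" '$1 == key { print $2 }' "$1" | tail -n 1
}

# One line per setting, starting with "ok" or "weak".
check_login_defs() {
    max_days=$(get_def "$1" PASS_MAX_DAYS)
    umask_val=$(get_def "$1" UMASK)

    # 99999 is the shadow-utils default and means passwords never expire.
    case "$max_days" in
        "")        echo "weak PASS_MAX_DAYS unset (password aging disabled)" ;;
        *[!0-9]*)  echo "weak PASS_MAX_DAYS=$max_days (not a number)" ;;
        *) if [ "$max_days" -ge 99999 ]; then
               echo "weak PASS_MAX_DAYS=$max_days (password aging disabled)"
           else
               echo "ok PASS_MAX_DAYS=$max_days"
           fi ;;
    esac

    # The low three bits of an octal umask are the permissions removed for
    # "others"; all three set (7) means new files are hidden from other users.
    case "$umask_val" in
        "")        echo "weak UMASK unset" ;;
        *[!0-7]*)  echo "weak UMASK=$umask_val (not octal)" ;;
        *) if [ $(( 0$umask_val & 7 )) -eq 7 ]; then
               echo "ok UMASK=$umask_val"
           else
               echo "weak UMASK=$umask_val (new files readable by others)"
           fi ;;
    esac
}

# Constructed fragments for demonstration, not copied from any real system.
SAMPLE_DIR=$(mktemp -d)
WEAK_DEFS="$SAMPLE_DIR/login.defs.weak"
HARD_DEFS="$SAMPLE_DIR/login.defs.hardened"

cat > "$WEAK_DEFS" <<'EOF'
# Typical distribution defaults: no password expiry, world-readable new files
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           022
EOF

cat > "$HARD_DEFS" <<'EOF'
# Hardened: passwords expire after 90 days, new files hidden from others
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   14
UMASK           027
EOF

echo "== $WEAK_DEFS"; check_login_defs "$WEAK_DEFS"
echo "== $HARD_DEFS"; check_login_defs "$HARD_DEFS"
```

Pointing check_login_defs at the real /etc/login.defs gives a quick way to confirm that a change made in response to a Lynis suggestion actually took effect before rerunning the full audit.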
The report finishes by summarizing warnings and suggestions (Figure 5). The warnings cover both lax configurations and vulnerable packages, whereas each suggestion spells out a concrete action, either a one-time change or the addition of a tool that helps with ongoing security. Both warnings and suggestions are accompanied by a link to more detailed information on a CISOfy page (Figure 6), worded to help you decide whether or not to implement the change. In a few cases, you will still want to search for more information; this can be tedious, but the report at least organizes the complicated subject matter and removes much of the uncertainty.
After the First Report
Lynis should be run as soon as it is installed and then acted on as necessary. It should also be run again after you have acted on the warnings and suggestions. However, that is just the start. Running Lynis regularly is a convenient way to spot unexpected changes in a system that might indicate intrusions. Moreover, your needs might change over time, and Lynis' report can help you decide what adjustments are necessary.
Those who once depended on Bastille are likely to find Lynis a less complete solution. If nothing else, Bastille did a more thorough job of explaining the pros and cons of possible actions. Yet, despite this shortcoming, Lynis remains a quick and convenient update of the Bastille concept and an education in itself. So long as you are willing to put in the time, you can benefit without being a security expert. If you have never run Lynis on a system that you administer, you owe yourself the favor of doing so immediately.
Infos
[1] Lynis: https://cisofy.com/lynis/
[2] CISOfy: https://cisofy.com/
[3] Lynis Enterprise pricing: https://cisofy.com/pricing/
[4] Bastille: http://bastille-linux.sourceforge.net/
[5] Lynis on GitHub: https://github.com/CISOfy/Lynis
[6] Documentation: https://cisofy.com/documentation/lynis/
[7] Firejail: https://firejail.wordpress.com/