Harden your systems with Lynis
The Tester
The Lynis testing tool looks for potential security problems and even suggests possible remedies.
To safeguard your system from attack, you'll need to check many components and configuration files for vulnerabilities. This task is worthy of Sisyphus, but never fear – a small tool named Lynis can help you roll that rock. In addition to identifying problems, Lynis offers tips for how to resolve them.
When launched, Lynis [1] performs several hundred individual tests that together cover a wide range of components. Lynis takes a close look at the configuration files of the installed programs, checks the firewall rules, discovers expired SSL certificates, reports user accounts without a password, and more. According to CISOfy, the company behind Lynis, the tool follows generally accepted security guidelines and standards.
At the end of these tests, Lynis outputs a test report in which it points to the problems it has identified and gives the administrator tips on how to harden the system more effectively. Lynis thus identifies security problems, but it cannot resolve them autonomously; the interpretation of the results is left to the administrator. CISOfy sees the main applications for the tool as security audits, vulnerability scanning, and the first step toward system hardening.
You can launch Lynis directly; there is no need to install. Administrators can thus easily add it to a collection of tools on a rescue USB stick. Lynis also supports plugins to extend the feature scope. In addition to Linux, Lynis runs on other Unix-style systems, including OS X.
Choosing a License
Lynis is available under the GPLv3 and can thus be used without charge in the enterprise. CISOfy also offers a commercial version called Lynis Enterprise, which extends Lynis to include additional features and tools. The tools include a Lynis Collector component, which collects the test results from several computers and feeds the results to a central management console. Lynis Enterprise delivers more comprehensive reports. Among other things, administrators receive an assessment of the computers that are particularly endangered. Finally, CISOfy offers support – but not for the free variant. Lynis Enterprise is available under a subscription model with several levels. The simplest variant costs $1.50 per month and per system. If you need the full feature scope, you can expect to pay $3 per system per month. For more details on Lynis Enterprise, check out the website [2].
Installation
Many Linux distributions have the free Lynis version in their repositories – typically in the lynis package. In most cases, the repository will have an older version of the tool. For example, the package manager in Ubuntu 14.10 still offers version 1.5.5, although the latest version when this article was written was Lynis 1.6.4. Because newer versions may be able to discover additional issues, administrators will always want to use the latest version from the Lynis homepage. If you are thinking of using the tool in the long term, you need to keep it up to date yourself, because a downloaded archive does not receive updates through the package manager.
Once you have the .tar.gz archive with Lynis on your hard disk, it makes sense to validate the download by checking the SHA256 checksum (CISOfy also publishes SHA1 values, but prefer SHA256). To do so on Linux, for example, type:

sha256sum lynis-version.tar.gz

Now compare the generated hash with the values that CISOfy provides in the File Integrity Information box on the download page [3]. A matching checksum tells you that the archive arrived intact and is the one the download page describes; it does not prove that the archive is genuine, because an attacker who can tamper with the download can often tamper with the page that lists the hash as well. For that assurance, also download the digital signature, which is available from the same File Integrity Information box, import CISOfy's public key, and verify the signature using GnuPG:
wget https://cisofy.com/files/cisofy-software.pub
gpg --import cisofy-software.pub
gpg --list-keys --fingerprint
Instead of wget, users on Mac OS X can run curl:

curl https://cisofy.com/files/cisofy-software.pub -o cisofy-software.pub
The fingerprint that the last command prints for the CISOfy key must match the one printed in the official documentation [4]; a key fetched from the same website as the archive proves nothing on its own, so this comparison against a second source is the step that matters. With the key imported and checked, verify the archive against its detached signature:

gpg --verify lynis-1.6.4.tar.gz.asc lynis-1.6.4.tar.gz

You might need to change the version numbers. The output should report a good signature and name the key that made it; make sure that key is the one whose fingerprint you just checked, because gpg --verify only states that the signature is valid for some key in your keyring.
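The checksum and signature steps above, combined into one script, as an added example that is not code from the article or from CISOfy. It assumes GNU coreutils (or shasum on Mac OS X) and GnuPG on the path, and that cisofy-software.pub has already been imported as described. The expected hash and the key fingerprint are passed in by hand from the download page [3] and the documentation [4], so the check cannot be satisfied by a download page that was altered along with the archive. The fingerprint is read from GnuPG's machine-readable status output (the VALIDSIG line), which names the signing key rather than just reporting "Good signature".

```sh
#!/bin/sh
# Added example (not from the article or the Lynis project): verify a Lynis
# release archive against a pinned SHA256 and a pinned signing-key fingerprint.
# Usage: ./verify-lynis.sh lynis-1.6.4.tar.gz <sha256 from [3]> <fingerprint from [4]>

# Return 0 if FILE's SHA256 equals EXPECTED (hex), 1 otherwise.
verify_sha256() {
    file=$1; expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" 2>/dev/null | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" 2>/dev/null | awk '{print $1}')   # Mac OS X
    fi
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Print the fingerprint of the key that made a valid signature, and the
# fingerprint of its primary key, from gpg --status-fd output. Prints nothing
# if there is no VALIDSIG line (bad signature, unknown key, ...).
signing_fprs() {
    printf '%s\n' "$1" | awk '/^\[GNUPG:\] VALIDSIG/ {print $3; print $NF; exit}'
}

# Return 0 only if the VALIDSIG key (or its primary key) is EXPECTED.
fingerprint_matches() {
    gpgstatus=$1; expected=$2
    for f in $(signing_fprs "$gpgstatus"); do
        [ "$f" = "$expected" ] && return 0
    done
    return 1
}

# Return 0 only if SIGFILE is a good signature over FILE made by the key
# whose fingerprint is EXPECTED_FPR. "gpg --verify" succeeding is not enough:
# it only says the signature is valid for some key in the keyring.
verify_signature() {
    file=$1; sigfile=$2; expected_fpr=$3
    gpgstatus=$(gpg --batch --status-fd 1 --verify "$sigfile" "$file" 2>/dev/null) || return 1
    fingerprint_matches "$gpgstatus" "$expected_fpr"
}

verify_release() {
    tarball=$1; expected_sha=$2; expected_fpr=$3
    verify_sha256 "$tarball" "$expected_sha" \
        || { echo "error: SHA256 mismatch for $tarball" >&2; return 1; }
    verify_signature "$tarball" "$tarball.asc" "$expected_fpr" \
        || { echo "error: signature check failed for $tarball" >&2; return 1; }
    echo "ok: $tarball matches the pinned hash and is signed by $expected_fpr"
}

if [ "$#" -eq 3 ]; then
    verify_release "$1" "$2" "$3"
fi
```

Run it with the three values copied by hand; a mismatch in either the hash or the signing key makes the script exit non-zero, so it can gate an automated download.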
Checking Privileges Before Starting
If the checksum and the fingerprint are good, you can finally start up Lynis. To do so, simply unpack the archive and launch the lynis script with the -c parameter:

./lynis -c

The -c parameter tells Lynis to perform a full set of tests. Without it, Lynis would simply display the help. The command

./lynis --view-manpage

lets you view the fairly sparse man page. To check whether you have the latest version of Lynis, you can run:

./lynis --check-update
To inspect all the nooks and crannies of your system, Lynis needs root or administrative privileges. If you launch it as a normal user, the tool might not find all the problems. In any case, Lynis needs write privileges for the directories /tmp and /var/log. (Test reports will land in the /var/log directory.)
After launching, Lynis states the privileges with which it is running, whether or not it can perform all the tests, and whether it can write a logfile below /var/log (Figure 1). If you agree with all the settings, you can start the test run by pressing Enter.
Under certain circumstances, Lynis will complain about the file permissions or ownership of its own include files. Because Lynis typically runs as root and sources those files as shell code, it refuses to proceed if they could have been modified by an unprivileged user; you need to remedy this with the commands shown by Lynis before the tool will run. On Linux, the following command fixes all the ownership problems Lynis complains about in one step:

sudo chown root:root ./include/*
Once Lynis agrees with the ownership, it again summarizes the scenario. Among other things, Lynis states its program version, the operating system, and the storage location of the logfile and report file. If the logfile and report file end up in the black hole of /dev/null, you can assume that Lynis is unable to write to the /var/log directory. Currently, there is no option for defining a different storage location. Users can only suppress the logfile by stipulating the --no-log parameter.
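A pre-flight wrapper that performs the checks described above before invoking ./lynis -c, as an added example that is not part of the article or of Lynis. The script name preflight.sh and the additional chmod o-w advice are assumptions; the chown command is the one from the article. Lynis makes equivalent checks itself, but a wrapper of this kind lets a scheduled run fail with a clear exit status instead of producing a report that silently went to /dev/null.

```sh
#!/bin/sh
# Added example (not from the article or the Lynis project): check the
# prerequisites the article lists before starting a Lynis run.
# Usage: ./preflight.sh /path/to/lynis-1.6.4   (runs ./lynis -c on success)

# Return 0 if DIR exists and the current user can create a file in it.
dir_writable() {
    dir=$1
    [ -d "$dir" ] || return 1
    probe="$dir/.lynis-preflight.$$"
    if : > "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# Print the files below INCDIR that Lynis would reject: not owned by OWNER,
# or writable by other users. Return 0 only when nothing is printed.
bad_include_files() {
    incdir=$1; owner=$2
    found=$(find "$incdir" -type f \( ! -user "$owner" -o -perm -002 \) 2>/dev/null)
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# Run all checks; return non-zero if any hard requirement is missing.
preflight() {
    lynisdir=${1:-.}
    rc=0
    if [ "$(id -u)" -ne 0 ]; then
        # Not fatal: Lynis runs, but skips tests it has no privileges for.
        echo "warning: not running as root; Lynis will not find all problems" >&2
    fi
    for d in /tmp /var/log; do
        if ! dir_writable "$d"; then
            echo "error: $d is not writable; Lynis needs it (logs and reports go to /var/log)" >&2
            rc=1
        fi
    done
    if ! bad_include_files "$lynisdir/include" root >/dev/null; then
        echo "error: files in $lynisdir/include are not owned by root or are writable by others" >&2
        echo "       fix with: sudo chown root:root $lynisdir/include/* && sudo chmod o-w $lynisdir/include/*" >&2
        rc=1
    fi
    return $rc
}

if [ "$#" -ge 1 ]; then
    preflight "$1" && ( cd "$1" && ./lynis -c )
fi
```

The ownership test uses find -user and find -perm -002, both of which are POSIX, so the wrapper works on the other Unix-style systems Lynis supports, not only on Linux.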