Harden your systems with Lynis
The Tester
The Lynis testing tool looks for potential security problems and even suggests possible remedies.
To safeguard your system from attack, you'll need to check many components and configuration files for vulnerabilities. This task is worthy of Sisyphus, but never fear – a small tool named Lynis can help you roll that rock. In addition to identifying problems, Lynis offers tips for how to resolve them.
When launched, Lynis [1] performs several hundred individual tests. In each test, the software checks the security of many components. Lynis takes a close look at the configuration files of the installed programs, checks the firewall rules, discovers expired SSL certificates, reports user accounts without a password, and more. According to the company behind Lynis, CISOfy, the tool follows generally accepted security guidelines and standards.
At the end of these tests, Lynis outputs a test report in which it points to the problems it has identified and gives the administrator tips on how to harden the system more effectively. Lynis thus identifies security problems, but it cannot resolve them autonomously; the interpretation of the results is left to the administrator. CISOfy sees the main applications for the tool as security audits, vulnerability scanning, and the first step toward system hardening.
You can launch Lynis directly; there is no need to install. Administrators can thus easily add it to a collection of tools on a rescue USB stick. Lynis also supports plugins to extend the feature scope. In addition to Linux, Lynis runs on other Unix-style systems, including OS X.
Choosing a License
Lynis is available under the GPLv3 and can thus be used without charge in the enterprise. CISOfy also offers a commercial version called Lynis Enterprise, which extends Lynis to include additional features and tools. The tools include a Lynis Collector component, which collects the test results from several computers and feeds the results to a central management console. Lynis Enterprise delivers more comprehensive reports. Among other things, administrators receive an assessment of the computers that are particularly endangered. Finally, CISOfy offers support – but not for the free variant. Lynis Enterprise is available under a subscription model with several levels. The simplest variant costs $1.50 per month and per system. If you need the full feature scope, you can expect to pay $3 per system per month. For more details on Lynis Enterprise, check out the website [2].
Installation
Many Linux distributions have the free Lynis version in their repositories – typically in the lynis package. In most cases, the repository will have an older version of the tool. For example, the package manager in Ubuntu 14.10 still offers version 1.5.5, although the latest version when this article was written was Lynis 1.6.4. Because newer versions may be able to discover additional issues, administrators will always want to use the latest version from the Lynis homepage. If you are thinking of using the tool in the long term, you need to keep it up to date yourself.
Once you have the .tar.gz archive with Lynis on your hard disk, it makes sense to validate the download by checking the SHA1 or SHA256 checksum. To do so on Linux, for example, type:
sha256sum lynis-version.tar.gz
Now compare the generated hash with the values that CISOfy provides in the File Integrity Information box on the download page [3]. You can only be sure that the archive has not been manipulated if the checksums match. If you want to be double sure, you can also download the digital signature, which is also available from the File Integrity Information box. You can then verify the source using GnuPG:
wget https://cisofy.com/files/cisofy-software.pub
gpg --import cisofy-software.pub
gpg --list-keys --fingerprint
Instead of wget, users on Mac OS X can run curl:
curl https://cisofy.com/files/cisofy-software.pub -o cisofy-software.pub
The fingerprint for CISOfy output with the last command should now be identical to the one returned by the following command:
gpg --verify lynis-1.6.4.tar.gz.asc lynis-1.6.4.tar.gz
You might need to change the version numbers. Also, the fingerprint must match the one printed in the official documentation [4].
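The two checks above can be scripted so that unpacking only happens when both pass. The following is an added example, not code from the article or from CISOfy; the function names are hypothetical, and the expected checksum and fingerprint are placeholders to be copied from the download page and the official documentation. It pins the fingerprint because `gpg --verify` alone succeeds for a valid signature from any key in the local keyring.

```shell
#!/bin/sh
# Added example, not CISOfy's code: fail closed unless both the SHA256
# checksum and the signing key's fingerprint match the published values.
# All function names are hypothetical.

# Print a file's SHA256 hex digest (sha256sum on Linux, shasum on OS X).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: 0 = match, 1 = mismatch, 2 = unusable input.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # Require exactly 64 hex digits; a pasted 40-digit SHA1 is rejected.
    case $expected in *[!0-9a-f]*|'') return 2 ;; esac
    [ "${#expected}" -eq 64 ] || return 2
    [ "$(sha256_of "$1")" = "$expected" ] || return 1
}

# Read `gpg --status-fd 1 --verify` output on stdin; print the primary key
# fingerprint of a valid signature (field 12, or field 3 on older GnuPG).
validsig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# verify_signature SIG FILE FPR: 0 only if the signature is valid AND was made
# by the pinned key, not merely by some key in the local keyring.
verify_signature() {
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | validsig_fingerprint)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage (quoted values are placeholders, not real data):
#   verify_sha256 lynis-1.6.4.tar.gz "<sha256 from the download page>" &&
#   verify_signature lynis-1.6.4.tar.gz.asc lynis-1.6.4.tar.gz \
#       "<fingerprint from the official documentation>" &&
#   tar xzf lynis-1.6.4.tar.gz
```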
Checking Privileges Before Starting
If the checksum and the fingerprint are good, you can finally start up Lynis. To do so, simply unpack the archive and launch the lynis script with the -c parameter:
./lynis -c
The -c parameter tells Lynis to perform a full set of tests. Without it, Lynis would simply display the help. The command
./lynis --view-manpage
lets you view the fairly sparse man page. To check whether you have the latest version of Lynis, you can run:
./lynis --check-update
To inspect all the nooks and crannies of your system, Lynis needs root or administrative privileges. If you launch it as a normal user, the tool might not find all the problems. In any case, Lynis needs write privileges for the directories /tmp and /var/log. (Test reports will land in the /var/log directory.)
After launching, Lynis states the privileges with which it is running, whether or not it can perform all the tests, and whether it can write a logfile below /var/log (Figure 1). If you agree with all the settings, you can start the test run by pressing Enter.
Under certain circumstances, Lynis will complain about not having the right file permissions or ownership. You need to remedy this with the commands shown by Lynis; only then can you run the tool. On Linux, the following command will remedy all the ownership problems Lynis complains about with one action:
sudo chown root:root ./include/*
Once Lynis agrees with the ownership, it again summarizes the scenario. Among other things, Lynis states its program version, the operating system, and the storage location of the logfile and report file. If the logfile and report file end up in the black hole of /dev/null, you can assume that Lynis is unable to write to the /var/log directory. Currently, there is no option for defining a different storage location. Users can only suppress the logfile by stipulating the --no-log parameter.
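The conditions described in this section (root privileges, ownership of the files under include/, and write access to /tmp and /var/log) can be checked before launching a scan, for example from a scheduled job. This is an added example, not part of Lynis or the article; the function names are hypothetical, and treating group- or world-writable files as unsafe is an assumption that may differ from Lynis's own rule.

```shell
#!/bin/sh
# Added example (not Lynis code): preflight checks before `./lynis -c`.
# Function names are hypothetical.

# unsafe_files DIR UID: list files in DIR that are not owned by UID or that
# group/others can write to. Assumption: writable-by-others counts as unsafe
# here; Lynis's own permission rule may differ.
unsafe_files() {
    find "$1" -type f \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# log_destination DIR: print DIR if it is a writable directory, else
# /dev/null, mirroring where the article says the logfile and report end up.
log_destination() {
    if [ -d "$1" ] && [ -w "$1" ]; then echo "$1"; else echo /dev/null; fi
}

# preflight LYNIS_DIR: 0 if a full, logged run can proceed, 1 otherwise.
preflight() {
    rc=0
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: Lynis might not find all the problems" >&2
        rc=1
    fi
    bad=$(unsafe_files "$1/include" 0)
    if [ -n "$bad" ]; then
        echo "fix ownership/permissions before running:" >&2
        echo "$bad" >&2
        rc=1
    fi
    for d in /tmp /var/log; do
        if [ "$(log_destination "$d")" != "$d" ]; then
            echo "$d is not writable" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: preflight . && ./lynis -c
```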