To safeguard your system from attack, you'll need to check many components and configuration files for vulnerabilities. This task is worthy of Sisyphus, but never fear – a small tool named Lynis can help you roll that rock. In addition to identifying problems, Lynis offers tips for how to resolve them.

When launched, Lynis [1] performs several hundred individual tests. In each test, the software checks the security of many components. Lynis takes a close look at the configuration files of the installed programs, checks the firewall rules, discovers expired SSL certificates, reports user accounts without a password, and more. According to the company behind Lynis, CISOfy, the tool follows generally accepted security guidelines and standards.

At the end of these tests, Lynis outputs a test report in which it points to the problems it has identified and gives the administrator tips on how to harden the system more effectively. Lynis thus identifies security problems, but it cannot resolve them autonomously; the interpretation of the results is left to the administrator. CISOfy sees the main applications for the tool as security audits, vulnerability scanning, and the first step toward system hardening.

You can launch Lynis directly; there is no need to install. Administrators can thus easily add it to a collection of tools on a rescue USB stick. Lynis also supports plugins to extend the feature scope. In addition to Linux, Lynis runs on other Unix-style systems, including OS X.

Choosing a License

Lynis is available under the GPLv3 and can thus be used without charge in the enterprise. CISOfy also offers a commercial version called Lynis Enterprise, which extends Lynis to include additional features and tools. The tools include a Lynis Collector component, which collects the test results from several computers and feeds the results to a central management console. Lynis Enterprise delivers more comprehensive reports. Among other things, administrators receive an assessment of the computers that are particularly endangered. Finally, CISOfy offers support – but not for the free variant. Lynis Enterprise is available under a subscription model with several levels. The simplest variant costs $1.50 per month and per system. If you need the full feature scope, you can expect to pay $3 per system per month. For more details on Lynis Enterprise, check out the website [2].

Installation

Many Linux distributions have the free Lynis version in their repositories – typically in the lynis package. In most cases, the repository will have an older version of the tool. For example, the package manager in Ubuntu 14.10 still offers version 1.5.5, although the latest version when this article was written was Lynis 1.6.4. Because newer versions may be able to discover additional issues, administrators will want always to use the latest version from the Lynis homepage. If you are thinking of using the tool in the long term, you need to keep it up to date yourself.

Once you have the .tar.gz archive with Lynis on your hard disk, it makes sense to validate the download by checking the SHA1 or SHA256 checksum. To do so on Linux, for example, type:

sha256sum lynis-version.tar.gz

Now compare the generated hash with the values that CISOfy provides in the File Integrity Information box on the download page [3]. You can only be sure that the archive has not been manipulated if the checksums match. If you want to be double sure, you can also download the digital signature, which is also available from the File Integrity Information box. You can then verify the source using GnuPG:

wget https://cisofy.com/files/ cisofy-software.pub
gpg --import cisofy-software.pub
gpg --list-keys --fingerprint

Instead of wget, users on Mac OS X can run curl:

curl https://cisofy.com/files/ cisofy-software.pub \
  -o cisofy-software.pub

The fingerprint for CISOfy output with the last command should now be identical to the one returned by the following command:

gpg --verify lynis-1.6.4.tar.gz.asc lynis-1.6.4.tar.gz

You might need to change the version numbers. Also, the fingerprint must match the one printed in the official documentation [4].

Checking Privileges Before Starting

If the checksum and the fingerprint are good, you can finally start up Lynis. To do so, simply unpack the archive and launch the lynis script with the -c parameter:

./lynis -c

The -c parameter tells Lynis to perform a full set of tests. Without it, Lynis would simply display the help. The command

./lynis --view-manpage

lets you view the fairly sparse man page. To check whether you have the latest version of Lynis, you can run:

./lynis --check-update

To inspect all the nooks and crannies of your system, Lynis needs root or administrative privileges. If you launch it as a normal user, the tool might not find all the problems. In any case, Lynis needs write privileges for the directories /tmp and /var/log. (Test reports will land in the /var/log directory.)

After launching, Lynis states the privileges with which it is running, whether or not it can perform all the tests, and whether it can write a logfile below /var/log (Figure 1). If you agree with all the settings, you can start the test run by pressing Enter.

Figure 1: When a normal user launches Lynis, the tool cannot perform some tests and cannot write a log file below /var/log.

Under certain circumstances, Lynis will complain about not having the right file permissions or ownership. You need to remedy this with the commands shown by Lynis; only then can you run the tool. On Linux, the following command will remedy all the ownership problems Lynis complains about with one action:

sudo chown root:root ./include/*

Once Lynis agrees with the ownership, it again summarizes the scenario. Among other things, Lynis states its program version, the operating system, and the storage location of the logfile and report file. If the logfile and report file end up in the black hole of /dev/null, you can assume that Lynis is unable to write to the /var/log directory. Currently, there is no option for defining a different storage location. Users can only suppress the logfile by stipulating the --no-log parameter.