Lynis - Security auditing tool for Linux

Lynis

Usage

Lynis is a security tool performing an extensive health scan of your systems to support system hardening and compliance testing.

Setup :

Although it may look more convenient (to Debian users) to install with apt install lynis, this is not the recommended installation method: because of packaging delays and frequent Lynis releases, you will permanently end up with an outdated version that asks to be updated :
	===============================================================================
	  Lynis update available
	===============================================================================

	  Current version is more than 4 months old

	  Current version : 240   Latest version : 266

	  Please update to the latest version.
	  New releases include additional features, bug fixes, tests and baselines.

	  Download the latest version:
	  Packages (DEB/RPM) -  https://packages.cisofy.com
	  Website            -  https://cisofy.com/downloads/
	  GitHub             -  https://github.com/CISOfy/lynis

	===============================================================================

Let's use the GitHub install method :

installDir='/run/shm/lynis'; mkdir -p "$installDir" && cd "$installDir" && git clone https://github.com/CISOfy/lynis . && alias lynis="$installDir/lynis"
Remarks :
  • advanced users can define extra settings in /etc/lynis/custom.prf (all settings are visible in /etc/lynis/default.prf)
  • install + scan can be performed by non-root users, but some tests will be skipped (as they require root permissions)

Scan :

  • lynis audit system : basic / default scan
  • lynis audit system -Q : quick scan, for interactive mode
  • lynis audit system -q : quiet scan, for non-interactive mode

View results :

Results are written to :

  • /var/log/lynis-report.dat : report data (key=value format, meant to be parsed)
  • /var/log/lynis.log : test and debug information (the same information as the report file, but with timestamps, spacers and a tabular layout, i.e. not meant to be parsed)

Points of attention :

  • Warnings :
    • grep warning /var/log/lynis-report.dat
    • grep Warning /var/log/lynis.log
    • grep --color=always Warning /var/log/lynis.log | less -R
  • Suggestions :
    • grep suggestion /var/log/lynis-report.dat
    • grep Suggestion /var/log/lynis.log
    • grep --color=always Suggestion /var/log/lynis.log | less -R
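The grep commands above work on the human-oriented log; the report file is the one meant for automation. As an added example (not part of the Lynis project or of the original commands on this page), the functions below pull warnings, suggestions and the hardening index out of a lynis-report.dat, where findings are array entries of the form warning[]=TEST-ID|message|details|solution| ; the sample report they run on is constructed, not a real scan.

```shell
#!/bin/sh
# Added example (not Lynis project code): parse a lynis-report.dat into
# "TEST-ID: message" lines. The report is a key=value file; findings are
# array entries such as
#   warning[]=TEST-ID|message|details|solution|
#   suggestion[]=TEST-ID|message|details|solution|

# Print the findings of one category ("warning" or "suggestion").
# Usage: lynis_findings <report-file> <category>
lynis_findings() {
    report="$1"; category="$2"
    # Keep only lines starting with the wanted array key, strip the key,
    # then print field 1 (test id) and field 2 (message) of the |-separated value.
    awk -F'|' -v key="${category}[]=" \
        'index($0, key) == 1 { sub(/^[^=]*=/, ""); printf "%s: %s\n", $1, $2 }' \
        "$report"
}

# Print the hardening index (0-100) recorded in the report, or "n/a" if absent.
# Usage: lynis_hardening_index <report-file>
lynis_hardening_index() {
    idx=$(sed -n 's/^hardening_index=//p' "$1")
    printf '%s\n' "${idx:-n/a}"
}

# Constructed sample report (illustrative values, not the output of a real scan).
SAMPLE_REPORT="${TMPDIR:-/tmp}/lynis-report.sample.dat"
cat > "$SAMPLE_REPORT" <<'EOF'
# Lynis Report (constructed sample)
report_version_major=1
hardening_index=67
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
EOF

lynis_findings "$SAMPLE_REPORT" warning
lynis_findings "$SAMPLE_REPORT" suggestion
lynis_hardening_index "$SAMPLE_REPORT"
```

On a real system, point the functions at /var/log/lynis-report.dat (readable by root, or by the user that ran the audit).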

Flags

  • -Q, --quick : do a quick scan (don't wait for user input)
  • -c, --checkall : perform a full check of the system, printing the result of each test to stdout. This option invokes the audit system scan mode; additional information is saved into a log file. If the outcome of a scan needs to be automated, use the report file instead. This option is deprecated, use audit system instead.
  • -h : show help
  • -q, --quiet : run quietly (don't output anything to the screen). Also enables quick mode
audit
  • audit system : perform local security scan
  • audit system remote host : remote security scan
    this actually outputs a list of commands you will have to execute yourself to re-"package" Lynis, send and extract the package on the host, perform the audit, retrieve the report and clean up. This works "not too bad" provided you have enabled ssh root@host (which is a bad idea).
show
  • show : show all commands
  • show options :

Example

Audit a remote host :

Lynis already offers the possibility to audit a remote host, but :
  • it relies on being able to ssh root@host, which is not a good idea (and one that Lynis itself should actually flag). Trying to work around this leads to a mess: you would have to copy the files as a non-root user, but, for security reasons, Lynis refuses to execute programs owned by non-root users.
  • it's a manual operation requiring you to copy-paste several command lines
  • I love big fat one-liners (it's shown split below for readability, but you can join all commands with some &&)
Requirements :
  • remoteUser must be able to ssh remoteUser@remoteHost
  • remoteUser must be a sudoer on remoteHost
  1. Set some variables :
    remoteHost='192.168.105.15'; remoteUser='kevin'; appName='lynis'; lynisGithubUrl='https://github.com/CISOfy/lynis'; baseInstallDir='/run/shm'; localInstallDir="$baseInstallDir/$appName"; remoteInstallDir="$localInstallDir"; archiveName="$appName.tgz"; resultDir="$baseInstallDir/${appName}_results"
  2. Get / update Lynis (the braces make sure git pull only runs inside the install directory, i.e. when the clone failed because the directory already exists) :
    mkdir -p "$localInstallDir" && cd "$localInstallDir" && { git clone "$lynisGithubUrl" . 2>/dev/null || git pull; }
  3. Pack + ship + run the audit (chmod o+r makes the report world-readable on the remote host until step 4 removes it, since scp runs as remoteUser) :
    cd "$baseInstallDir" && tar cfz "$archiveName" "$appName" && scp "$archiveName" "$remoteUser"@"$remoteHost":"$baseInstallDir" && ssh -t "$remoteUser"@"$remoteHost" "sudo bash -c \"cd $baseInstallDir && tar xfoz $archiveName && cd $appName && bash ./lynis audit system && chmod o+r /var/log/lynis* \"" && mkdir -p "$resultDir" && scp "$remoteUser"@"$remoteHost":"/var/log/lynis*" "$resultDir"
  4. Remove all traces on the remote host :
    ssh -t "$remoteUser"@"$remoteHost" "sudo bash -c \"[ -d '$remoteInstallDir' ] && mv /var/log/lynis* '$baseInstallDir/$archiveName' '$remoteInstallDir' && rm -rf '$remoteInstallDir'\"";