How to Perform System Security Auditing with Lynis on Ubuntu 18.04

1
4191

Lynis is an open-source security tool that can perform an in-depth system security scan in order to evaluate the system’s security profile. Due to its simplicity and flexibility, Lynis can be used to achieve the following;

  • Automated Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Penetration testing
  • Vulnerability detection
  • System hardening
  • Configuration and asset management
  • Software patch management
  • Intrusion detection

Lynis was designed for systems running Linux, macOS, or Unix-based operating system. It, however, doesn’t provide system hardening automatically but instead provide tips on how to harden your system.

In this tutorial, we are going to learn how to install and setup Lynis on Ubuntu 18.04 for system auditing.

Installing Lynis on Ubuntu 18.04

There are several ways in which Lynis can be installed;

  • Installing via package manager
  • Installation via Git by cloning the project to some parent directory on the local system
  • Downloading the binary to specific directory on your system

In this tutorial, we are going to install Lynis via the package manager.

Add Lynis Software Repository

Lynis is usually available by default on Ubuntu repositories. However, to get the latest version of it, you need to add the software repositories.

Import the repository signing key

Run either of the commands below to download the Lynis repository signing key from the central key server.

# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F

or

# wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -

Add software repository

The Lynis software repository uses HTTPS for secure transport.Therefore you need to enable https transport method for APT as shown below if it is not already enabled.

# apt install apt-transport-https

Configure APT to skip downloading software translations if you are using your software in English.

# echo 'Acquire::Languages "none";' > /etc/apt/apt.conf.d/99disable-translations

Once that is done, run the command below to add the software repository.

# echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" > /etc/apt/sources.list.d/cisofy-lynis.list

Once you have the software repository set, update you system to re-synchronize the package index files from their sources.

# apt update

Install Lynis

Now that we have the software repositories and the local package database has been refreshed, run the command below to install Lynis.

# apt install lynis -y

Once the installation is done, you can verify the version using the command below;

# lynis show version
2.7.0

You can also run the command below verify whether a new version is available.

# lynis update info

 == Lynis ==

  Version            : 2.7.0
  Status             : Up-to-date
  Release date       : 2018-10-26
  Update location    : https://cisofy.com/lynis/


2007-2018, CISOfy - https://cisofy.com/lynis/

So you got the latest version of Lynis program.

Lynis Commands

The Lynis command syntax is lynis [scan mode] [other options]

  • To show Lynis command, run lynis show commands
  • To show Lynis Settings run; lynis show settings
  • To show discovered audit profiles; lynis show profiles

For a comprehensive list of options, check man lynis

Run System Audit

To run system audit, execute; lynis audit system

When Lynis run, it audits various parts of the system including;

  • Boot loader files
  • Configuration files
  • Software packages
  • Directories and files related to logging and auditing

The test and debug information is found in: /var/log/lynis.log while the audit report data is found on: /var/log/lynis-report.dat.

/var/log/lynis.log is the file an auditor has to check and intepret the results as it explains the reason for the issues identified as well suggestions on how to fix those issues.

Lynis Warnings

The output of the Lynis may show OK or WARNING with OK meaning good while WARNING shows an identified issue in the system that requires attention. Sometimes what may be flagged as OK may not actually be good to the best practice and what is flagged as WARNING may actually be nothing and can be ignored.

Sample output of the warnings;

================================================================================
...output-cut...
  -[ Lynis 2.7.0 Results ]-

  Warnings (2):
  ----------------------------
  ! Found BIND version in banner [NAME-4210] 
      https://cisofy.com/lynis/controls/NAME-4210/

  ! Found some information disclosure in SMTP banner (OS or software name) [MAIL-8818] 
      https://cisofy.com/lynis/controls/MAIL-8818/
...output-cut...

To get more information about a warning, you can use the command; lynis show details TEST-ID for example to show more details about BIND warning, run the command;

# lynis show details NAME-4210
2018-10-28 20:07:58 Performing test ID NAME-4210 (Check DNS banner)
2018-10-28 20:07:58 Test: Trying to determine version from banner
2018-10-28 20:07:58 Result: possible BIND version available in version banner
2018-10-28 20:07:58 Warning: Found BIND version in banner [test:NAME-4210] [details:-] [solution:-]
2018-10-28 20:07:58 Suggestion: The version in BIND can be masked by defining 'version none' in the configuration file [test:NAME-4210] [details:-] [solution:-]
2018-10-28 20:07:58 Hardening: assigned partial number of hardening points (0 of 2). Currently having 92 points (out of 128)
2018-10-28 20:07:58 ===---------------------------------------------------------------===

This at least shades light on the identified warnings.

Disable the test (whitelisting)

If for some reasons you have a test which gives a warning and you are not interested in the result of that particular test, you can set it to be ignored. To achieve this, you need create a custom profile where you can define your test options.

Lynis uses profiles to have a set of predefined options for your operating system and preferences. If you don’t provide a profile (–profile <name>), the default profile (default.prf) will be used. You can copy the default profile and edit it to define your custom test options.

For instance, to skip the warnings shown above, create a custom profile and put the following contents.

# vim /etc/lynis/custom.prf
#################################################################################
#
#
# Lynis - Custom Scan Profile to ignore some warnings
#
# Ignore BIND version in the banner
skip-test=NAME-4210

# Ignore SMTP banner information disclosure
skip-test=MAIL-8818

When you run system audit next time, these warnings will be ignored. See the output below;

...
================================================================================

  -[ Lynis 2.7.0 Results ]-

  Great, no warnings

  Suggestions (40):
  ----------------------------
  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] 
      https://cisofy.com/lynis/controls/AUTH-9262/

  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/
...

Lynis Suggestions

Apart from WARNINGS, there are also suggestions in the Lynis audit output. Basically, suggestions tells you how to go about fixing an identified issue. Take for example, the SSH hardening suggestions shown. It is made of the suggestion and the specific changes to make.

 Suggestions (42):
  ----------------------------
  * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] 
      https://cisofy.com/lynis/controls/HTTP-6643/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowTcpForwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : ClientAliveCountMax (3 --> 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : LogLevel (INFO --> VERBOSE)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxAuthTries (6 --> 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxSessions (10 --> 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : PermitRootLogin (YES --> (NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Port (22 --> )
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : TCPKeepAlive (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : X11Forwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowAgentForwarding (YES --> NO)
      https://cisofy.com/lynis/controls/SSH-7408/
...

Lynis Hardening Index

Lynis system audit output also show the system hardening index. See part of the output below with a hardening index of 65%.

...
================================================================================

  Lynis security scan details:

  Hardening index : 65 [#############       ]
  Tests performed : 238
  Plugins enabled : 0
...

This basically shows the hardening index in percentage, the number of tests performed and the number of plugins enabled.

The hardening index shows how secure your system is based on the Lynis tests. The more you carry out the fixes of the identified issues, the hardening index percentage will increase.

Well, so far so good, we have seen and learnt how to install and perform system auditing with Lynis on Ubuntu 18.04. We hope you enjoyed.

Reference;

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here