In this tutorial, you will learn how to install and set up the Lynis security auditing tool on CentOS 8. Lynis is an open-source security tool that performs an in-depth system security scan in order to evaluate the system's security profile. Due to its simplicity and flexibility, Lynis can be used for the following:
- Automated Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Penetration testing
- Vulnerability detection
- System hardening
- Configuration and asset management
- Software patch management
- Intrusion detection
Lynis, however, does not harden the system automatically; instead it provides tips on how to harden your system.
It is a cross-platform tool designed for systems running Linux, macOS, or other Unix-based operating systems.
Installing Lynis Security Auditing tool on CentOS 8
Lynis can be installed on a CentOS system by cloning its GitHub repository, by using the source tarball, or simply by pulling it from the package repositories with the package manager.
Install Lynis from Software Repository
You can use EPEL repos or Lynis Software community repos for CentOS to install Lynis on CentOS 8.
Installing Lynis from EPEL Repos
Install EPEL repos by running the command below;
dnf install epel-release
Check what provides Lynis;
dnf provides lynis
lynis-3.0.0-1.el8.noarch : Security and system auditing tool
Repo        : epel
Matched from:
Provide    : lynis = 3.0.0-1.el8
Well, proceed to install Lynis on CentOS 8;
dnf install lynis
Install Lynis Community repos for CentOS
Install Lynis Software community repos for Lynis on CentOS 8;
cat << 'EOL' > /etc/yum.repos.d/cisofy-lynis.repo
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2
EOL
Run package updates;
dnf update
Update the cURL, NSS, openssl, and CA-certificates packages;
dnf update curl nss openssl ca-certificates
Install Lynis;
dnf install lynis
Dependencies resolved.
============================================================================================================================================================================
 Package                                 Architecture                             Version                                     Repository                               Size
============================================================================================================================================================================
Installing:
 lynis                                   noarch                                   3.0.0-100                                   lynis                                   312 k
Transaction Summary
============================================================================================================================================================================
Install  1 Package
Total download size: 312 k
Installed size: 1.5 M
Is this ok [y/N]: y
Check the version of installed Lynis;
lynis show version
3.0.0
Lynis Command Line Syntax and Options
The Lynis command syntax is
lynis [scan mode] [other options]
To show Lynis commands, run;
lynis show commands
Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only
To show Lynis settings, run;
lynis show settings
To show discovered audit profiles;
lynis show profiles
/etc/lynis/default.prf
Perform System Audit using Lynis on CentOS 8
The Lynis security auditing tool checks the system and the software configuration to see if there is any room to improve the security defences.
Lynis test and debug information is logged in /var/log/lynis.log, while the audit report data is stored in /var/log/lynis-report.dat.
/var/log/lynis.log is the file an auditor has to check to interpret the results, as it explains the reason for each identified issue as well as suggestions on how to fix it.
The following system areas may be checked by Lynis:
- Boot loader files
- Configuration files
- Software packages
- Directories and files related to logging and auditing
Perform System Audit with Lynis on CentOS 8
Lynis can run interactively or as a cron job. Root permissions (e.g. via sudo) are not required, but they allow more detailed checks during the audit.
To run a basic system audit with Lynis execute the command below;
lynis audit system
When it runs, it displays the various checks and results on the standard output as well as writing to the log and report files;
...
[+] Software: e-mail and messaging
------------------------------------
[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ FOUND ]
    - Checking iptables policies of chains                    [ FOUND ]
    - Checking for empty ruleset                              [ WARNING ]
    - Checking for unused rules                               [ OK ]
  - Checking host based firewall                              [ ACTIVE ]
[+] Software: webserver
------------------------------------
  - Checking Apache (binary /usr/sbin/httpd)                  [ FOUND ]
      Info: Configuration file found (/etc/httpd/conf/httpd.conf)
      Info: No virtual hosts found
    * Loadable modules                                        [ FOUND (106) ]
        - Found 106 loadable modules
          mod_evasive: anti-DoS/brute force                   [ NOT FOUND ]
          mod_reqtimeout/mod_qos                              [ FOUND ]
          ModSecurity: web application firewall               [ NOT FOUND ]
  - Checking nginx                                            [ NOT FOUND ]
[+] SSH Support
------------------------------------
  - Checking running SSH daemon                               [ FOUND ]
    - Searching SSH configuration                             [ FOUND ]
    - OpenSSH option: AllowTcpForwarding                      [ SUGGESTION ]
    - OpenSSH option: ClientAliveCountMax                     [ SUGGESTION ]
    - OpenSSH option: ClientAliveInterval                     [ OK ]
    - OpenSSH option: Compression                             [ SUGGESTION ]
    - OpenSSH option: FingerprintHash                         [ OK ]
...
The output of Lynis shows OK or WARNING for each check: OK means the check passed, while WARNING marks an identified issue in the system that requires attention.
Summary of the system audit checks;
...
================================================================================
  -[ Lynis 3.0.0 Results ]-
  Warnings (2):
  ----------------------------
  ! Reboot of system is most likely needed [KRNL-5830] 
    - Solution : reboot
      https://cisofy.com/lynis/controls/KRNL-5830/
  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
      https://cisofy.com/lynis/controls/FIRE-4512/
  Suggestions (46):
  ----------------------------
  * This release is more than 4 months old. Consider upgrading [LYNIS] 
      https://cisofy.com/lynis/controls/LYNIS/
  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820] 
      https://cisofy.com/lynis/controls/KRNL-5820/
...
As you can see, we have two warnings and 46 other suggestions.
Go through the suggested solutions to find how to implement various system hardenings.
Lynis security scan details
From this section, you will see;
- your system hardening percentage
- number of tests run against the system
- Lynis plugins enabled, if any
- Lynis modules enabled
- Log/Report files
================================================================================
  Lynis security scan details:
  Hardening index : 63 [############        ]
  Tests performed : 241
  Plugins enabled : 0
  Components:
  - Firewall               [V]
  - Malware scanner        [X]
  Scan mode:
  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]
  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]
  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
================================================================================
Check Hardening Warnings and Suggestions from the Lynis Audit Report
Apart from being written to stdout, the Lynis scan report is also written to the /var/log/lynis-report.dat report file.
From this report, you can read the warnings and suggestions given;
grep -i "^warning" /var/log/lynis-report.dat
warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
To check the suggestions;
grep -i "^suggestion" /var/log/lynis-report.dat
...
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|
suggestion[]=AUTH-9230|Configure minimum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9230|Configure maximum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
...
Showing Details of a Specific Test
Every Lynis system check has an associated test ID. To find out more about a specific check, you can show its details using the command below.
lynis show details TEST-ID
Take for example the system reboot warning above;
lynis show details KRNL-5830
2020-08-05 22:28:05 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)
2020-08-05 22:28:05 Test: Checking presence /var/run/reboot-required.pkgs
2020-08-05 22:28:05 Result: file /var/run/reboot-required.pkgs not found
2020-08-05 22:28:05 Result: /boot exists, performing more tests from here
2020-08-05 22:28:05 Result: found /boot/vmlinuz-4.18.0-193.14.2.el8_2.x86_64
2020-08-05 22:28:05 Test: checking kernel version on disk
2020-08-05 22:28:05 Result: found version 4.18.0-193.14.2.el8_2.x86_64
2020-08-05 22:28:05 Result: active kernel version 4.18.0-193.6.3.el8_2.x86_64
2020-08-05 22:28:05 Result: reboot needed, as there is a difference between active kernel and the one on disk
2020-08-05 22:28:05 Result: /var/cache/apt/archives/ does not exist
2020-08-05 22:28:05 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
2020-08-05 22:28:05 Hardening: assigned partial number of hardening points (0 of 5). Currently having 12 points (out of 21)
2020-08-05 22:28:05 Security check: file is normal
2020-08-05 22:28:05 Checking permissions of /usr/share/lynis/include/tests_memory_processes
2020-08-05 22:28:05 File permissions are OK
2020-08-05 22:28:05 ====
Lynis Audit Scanning Profiles
Lynis uses profiles to have a set of predefined options for your operating system and preferences. The default profiles are stored under /etc/lynis directory.
ls /etc/lynis
default.prf
If you want to use a custom profile, use the --profile <name> option with the lynis audit system command.
lynis audit system --profile /path/to/custom/profile.prf
To create your own custom profile, you can copy the default profile and edit it to define your custom test options.
When run with no further options defined, the default profile, /etc/lynis/default.prf will be used.
Disabling Specific Checks
If you consider some checks to be false positives, you can create a custom profile in which you define the test IDs that Lynis should skip while running the system scan.
For instance, to skip the suggestion below;
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
Create a custom profile and put the following contents in it.
vim /etc/lynis/custom.prf
# Lynis - Custom Scan Profile to ignore some warnings
#
# Ignore Vulnerable packages Warnings
skip-test=KRNL-5820
When you run the Lynis audit scan next time, the specified checks will be skipped.
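The warning[]/suggestion[] records grepped from /var/log/lynis-report.dat above and the skip-test entries of a custom profile can be combined into a small triage script, for example for a cron-driven audit. The following is an added example, not code from the tutorial or from the Lynis project; the report and profile contents are constructed from the lines shown above, and the functions (findings, count_findings, skipped_tests, unskipped) are hypothetical names.

```shell
#!/bin/sh
# Added example: parse Lynis report records and compare them with a profile's
# skip-test list. Constructed sample report, modelled on the lines shown above.
SAMPLE_REPORT="$(mktemp)"
cat > "$SAMPLE_REPORT" << 'EOF'
warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
EOF

# Constructed custom profile, modelled on /etc/lynis/custom.prf above.
SAMPLE_PROFILE="$(mktemp)"
printf '# accepted findings\nskip-test=KRNL-5820\n' > "$SAMPLE_PROFILE"
trap 'rm -f "$SAMPLE_REPORT" "$SAMPLE_PROFILE"' EXIT

# findings KIND REPORT: print "TEST-ID<TAB>description<TAB>solution" for every
# warning or suggestion. Record layout: KIND[]=ID|description|details|solution|
# where "-" or an empty field means none and solutions carry a "text:" prefix.
findings() {
  grep "^$1\[\]=" "$2" | sed "s/^$1\[\]=//" |
    awk -F'|' '{ sol = ($4 == "-") ? "" : $4; sub(/^text:/, "", sol);
                 printf "%s\t%s\t%s\n", $1, $2, sol }'
}

# count_findings KIND REPORT: number of records of that kind.
count_findings() { findings "$1" "$2" | wc -l | tr -d ' '; }

# skipped_tests PROFILE: test IDs listed as skip-test= in a Lynis profile.
skipped_tests() { sed -n 's/^skip-test=//p' "$1"; }

# unskipped KIND REPORT PROFILE: test IDs of findings the profile does not
# skip, i.e. the ones that still need a decision (fix, or accept and skip).
unskipped() {
  skips=" $(skipped_tests "$3" | tr '\n' ' ')"
  findings "$1" "$2" | while IFS="$(printf '\t')" read -r id desc sol; do
    case "$skips" in *" $id "*) ;; *) echo "$id" ;; esac
  done
}

echo "warnings: $(count_findings warning "$SAMPLE_REPORT")"
echo "suggestions not yet skipped: $(unskipped suggestion "$SAMPLE_REPORT" "$SAMPLE_PROFILE")"
```

Point the script at the real /var/log/lynis-report.dat and /etc/lynis/custom.prf to list only the findings you have not yet accepted.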
Lynis is a useful tool. Go through all the fixes and suggestions it provides to harden your system.
Further Reading
Lynis – Security auditing tool for Linux, macOS, and UNIX-based systems