Install and Setup Lynis Security Auditing tool on CentOS 8

0
326

In this tutorial, you will learn how to install and setup Lynis security auditing tool on CentOS 8. Lynis is an open-source security tool that can perform an in-depth system security scan in order to evaluate the system’s security profile. Due to its simplicity and flexibility, Lynis can be used to achieve the following;

  • Automated Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Penetration testing
  • Vulnerability detection
  • System hardening
  • Configuration and asset management
  • Software patch management
  • Intrusion detection

Lynis, however, doesn’t provide system hardening automatically but instead provide tips on how to harden your system.

It is a cross platform tool and it was designed for systems running Linux, macOS, or Unix-based operating system.

Install and Setup Lynis Security Auditing tool on CentOS 8

Lynis can be installed on a CentOS system by cloning their Github repos, using the source tarball or by simply pulling it from the package repositories using the package manager.

Install Lynis on CentOS 8 from Software Repository

In this tutorial, we will install and setup Lynis security auditing tool on CentOS 8 from package repository.

You can use EPEL repos or Lynis Software community repos for CentOS to install Lynis on CentOS 8.

Installing Lynis from EPEL Repos on CentOS 8

Install EPEL repos by running the command below;

dnf install epel-release

Check what provides Lynis;

dnf provides lynis
lynis-3.0.0-1.el8.noarch : Security and system auditing tool
Repo        : epel
Matched from:
Provide    : lynis = 3.0.0-1.el8

Well, proceed to install Lynis on CentOS 8

dnf install lynis

Install Lynis on CentOS Lynis Software community repos for CentOS

Install Lynis Software community repos for Lynis on CentOS 8;

cat << 'EOL' > /etc/yum.repos.d/cisofy-lynis.repo
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2
EOL

Run package updates;

dnf update

Update the cURL, NSS, openssl, and CA-certificates  packages;

dnf update curl nss openssl ca-certificates

Install Lynis;

dnf install lynis
Dependencies resolved.
============================================================================================================================================================================
 Package                                 Architecture                             Version                                     Repository                               Size
============================================================================================================================================================================
Installing:
 lynis                                   noarch                                   3.0.0-100                                   lynis                                   312 k

Transaction Summary
============================================================================================================================================================================
Install  1 Package

Total download size: 312 k
Installed size: 1.5 M
Is this ok [y/N]: y

Check the version of installed Lynis;

lynis show version
3.0.0

Lynis Command Line Syntax and Options

The Lynis command syntax is

lynis [scan mode] [other options]

To show Lynis commands, run;

lynis show commands
Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only

To show Lynis Settings run;

lynis show settings

To show discovered audit profiles;

lynis show profiles
/etc/lynis/default.prf

Perform System Audit using Lynis on CentOS 8

Lynis security auditing tool checks the system and the software configuration, to see if there is any room for improvement the security defenses.

The Lynis test and debug information are logged in /var/log/lynis.log while the audit report data is stored in: /var/log/lynis-report.dat.

/var/log/lynis.log is the file an auditor has to check and interpret the results as it explains the reason for the issues identified as well suggestions on how to fix those issues.

The following system areas may be checked by Lynis:

  • Boot loader files
  • Configuration files
  • Software packages
  • Directories and files related to logging and auditing

Perform System Audit with Lynis on CentOS 8

Lynis can run interactively or as a cronjob. Root permissions (e.g. sudo) are not required, however they provide more details during the audit.

To run a basic system audit with Lynis execute the command below;

lynis audit system

When it runs, it display various checks and results to the standard output as well as writing to the log and reports file;

...
+] Software: e-mail and messaging
------------------------------------

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ FOUND ]
    - Checking iptables policies of chains                    [ FOUND ]
    - Checking for empty ruleset                              [ WARNING ]
    - Checking for unused rules                               [ OK ]
  - Checking host based firewall                              [ ACTIVE ]

[+] Software: webserver
------------------------------------
  - Checking Apache (binary /usr/sbin/httpd)                  [ FOUND ]
      Info: Configuration file found (/etc/httpd/conf/httpd.conf)
      Info: No virtual hosts found
    * Loadable modules                                        [ FOUND (106) ]
        - Found 106 loadable modules
          mod_evasive: anti-DoS/brute force                   [ NOT FOUND ]
          mod_reqtimeout/mod_qos                              [ FOUND ]
          ModSecurity: web application firewall               [ NOT FOUND ]
  - Checking nginx                                            [ NOT FOUND ]

[+] SSH Support
------------------------------------
  - Checking running SSH daemon                               [ FOUND ]
    - Searching SSH configuration                             [ FOUND ]
    - OpenSSH option: AllowTcpForwarding                      [ SUGGESTION ]
    - OpenSSH option: ClientAliveCountMax                     [ SUGGESTION ]
    - OpenSSH option: ClientAliveInterval                     [ OK ]
    - OpenSSH option: Compression                             [ SUGGESTION ]
    - OpenSSH option: FingerprintHash                         [ OK ]
...

The output of the Lynis may show OK or WARNING with OK meaning the checks are okay while WARNING shows an identified issue in the system that requires attention.

Summary of the system audit checks;

...
================================================================================

  -[ Lynis 3.0.0 Results ]-

  Warnings (2):
  ----------------------------
  ! Reboot of system is most likely needed [KRNL-5830] 
    - Solution : reboot
      https://cisofy.com/lynis/controls/KRNL-5830/

  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
      https://cisofy.com/lynis/controls/FIRE-4512/

  Suggestions (46):
  ----------------------------
  * This release is more than 4 months old. Consider upgrading [LYNIS] 
      https://cisofy.com/lynis/controls/LYNIS/

  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820] 
      https://cisofy.com/lynis/controls/KRNL-5820/
...

As you can see, we have two warnings and 46 other suggestions.

Go through the suggested solutions to find how to implement various system hardenings.

Lynis security scan details

From this section, you will see;

  • your system hardening percentage
  • number of tests run against the system
  • Lynis plugins enabled, if any
  • Lynis modules enabled
  • Log/Report files
================================================================================

  Lynis security scan details:

  Hardening index : 63 [############        ]
  Tests performed : 241
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Scan mode:
  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

Check Hardening Warnings and Suggestions from Lynis Audit report

Apart from being written to the stdout, the Lynis scan report is also written to /var/log/lynis-report.dat report.

From this report, you can read the warnings and suggestions given

grep -i "^warning" /var/log/lynis-report.dat
warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|

To check the suggestions;

grep -i "^suggestion" /var/log/lynis-report.dat
...
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|
suggestion[]=AUTH-9230|Configure minimum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9230|Configure maximum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
...

Showing Details of a Specific Test

Every Lynis system check has an associated test ID. To find more about an specific check, you can show the details using the command below.

lynis show details TEST-ID

Take for example, let us check more about the system reboot warning above;

lynis show details KRNL-5830
2020-08-05 22:28:05 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)
2020-08-05 22:28:05 Test: Checking presence /var/run/reboot-required.pkgs
2020-08-05 22:28:05 Result: file /var/run/reboot-required.pkgs not found
2020-08-05 22:28:05 Result: /boot exists, performing more tests from here
2020-08-05 22:28:05 Result: found /boot/vmlinuz-4.18.0-193.14.2.el8_2.x86_64
2020-08-05 22:28:05 Test: checking kernel version on disk
2020-08-05 22:28:05 Result: found version 4.18.0-193.14.2.el8_2.x86_64
2020-08-05 22:28:05 Result: active kernel version 4.18.0-193.6.3.el8_2.x86_64
2020-08-05 22:28:05 Result: reboot needed, as there is a difference between active kernel and the one on disk
2020-08-05 22:28:05 Result: /var/cache/apt/archives/ does not exist
2020-08-05 22:28:05 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
2020-08-05 22:28:05 Hardening: assigned partial number of hardening points (0 of 5). Currently having 12 points (out of 21)
2020-08-05 22:28:05 Security check: file is normal
2020-08-05 22:28:05 Checking permissions of /usr/share/lynis/include/tests_memory_processes
2020-08-05 22:28:05 File permissions are OK
2020-08-05 22:28:05 ====

Lynis Audit Scanning Profiles

Lynis uses profiles to have a set of predefined options for your operating system and preferences. The default profiles are stored under /etc/lynis directory.

ls /etc/lynis
default.prf

If you want to use a custom profile, use the –profile <name> option with lynis audit system command.

lynis audit system --profile /path/to/custom/profile.prf

To create your own custom profile, you can copy the default profile and edit it to define your custom test options.

When run with no further options defined, the default profile, /etc/lynis/default.prf will be used.

Disabling Specific Checks

If you consider some checks as false positives, you can create a custom profile where you can define the test ID that Lynis should skip while running the system scan

For instance, to skip the suggestion below;

suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|

Create a custom profile and put the following contents.

vim /etc/lynis/custom.prf
# Lynis - Custom Scan Profile to ignore some warnings
#
# Ignore Vulnerable packages Warnings
skip-test=KRNL-5820

When you run the Lynis audit scan next time, the specified checks will be skipped.

Lynis is a useful tool. Go through all the fixes and suggestions provided to harden your system.

That marks the end of our tutorial on how to install and setup Lynis Security Auditing tool on CentOS 8.

Further Reading

Get Started with Lynis

Lynis – Security auditing tool for Linux, macOS, and UNIX-based systems

Related Tutorials

Install and Setup Lynis Security Auditing tool on Ubuntu 20.04

How to Perform System Security Auditing with Lynis on Ubuntu 18.04

Restrict Access to WordPress Login Page to Specific IPs with libModSecurity

Install and use ClamAV on Ubuntu 20.04

How to Install and Configure Maltrail on Ubuntu 18.04

How to Install RKHunter (RootKit Hunter) On Ubuntu 18.04

LEAVE A REPLY

Please enter your comment!
Please enter your name here