In this tutorial, you will learn how to install and set up the Lynis security auditing tool on CentOS 8. Lynis is an open-source security tool that performs an in-depth system security scan in order to evaluate the system's security profile. Due to its simplicity and flexibility, Lynis can be used for the following:
- Automated security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Penetration testing
- Vulnerability detection
- System hardening
- Configuration and asset management
- Software patch management
- Intrusion detection
Lynis, however, does not harden the system automatically; instead it provides tips on how to harden your system.
It is a cross-platform tool designed for systems running Linux, macOS, or other Unix-based operating systems.
Install and Set Up Lynis Security Auditing Tool on CentOS 8
Lynis can be installed on a CentOS system by cloning its GitHub repository, by using the source tarball, or simply by pulling it from the package repositories with the package manager.
Install Lynis on CentOS 8 from Software Repository
In this tutorial, we will install and set up the Lynis security auditing tool on CentOS 8 from a package repository.
You can use either the EPEL repository or the Lynis Software community repository for CentOS to install Lynis on CentOS 8.
Installing Lynis from EPEL Repos on CentOS 8
Install the EPEL repository by running the command below:
dnf install epel-release
Check which package provides Lynis:
dnf provides lynis
lynis-3.0.0-1.el8.noarch : Security and system auditing tool
Repo        : epel
Matched from:
Provide    : lynis = 3.0.0-1.el8
Then proceed to install Lynis on CentOS 8:
dnf install lynis
Install Lynis on CentOS 8 from the Lynis Software Community Repository
Add the Lynis Software community repository on CentOS 8:
cat << 'EOL' > /etc/yum.repos.d/cisofy-lynis.repo
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2
EOL
Next, update the cURL, NSS, OpenSSL, and CA-certificates packages:
dnf update curl nss openssl ca-certificates
Then install Lynis:
dnf install lynis
Dependencies resolved.
================================================================================
 Package      Architecture   Version       Repository   Size
================================================================================
Installing:
 lynis        noarch         3.0.0-100     lynis        312 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 312 k
Installed size: 1.5 M
Is this ok [y/N]: y
Check the version of the installed Lynis:
lynis show version
Lynis Command Line Syntax and Options
The Lynis command syntax is:
lynis [scan mode] [other options]
To show the Lynis commands, run:
lynis show commands
Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only
To show the Lynis settings, run:
lynis show settings
To show the discovered audit profiles:
lynis show profiles
Perform System Audit using Lynis on CentOS 8
The Lynis security auditing tool checks the system and the software configuration to see whether there is any room to improve the security defenses.
The Lynis test and debug information is logged in /var/log/lynis.log, while the audit report data is stored in /var/log/lynis-report.dat.
/var/log/lynis.log is the file an auditor has to check to interpret the results, as it explains the reason for each identified issue as well as suggestions on how to fix it.
The following system areas may be checked by Lynis:
- Boot loader files
- Configuration files
- Software packages
- Directories and files related to logging and auditing
Perform System Audit with Lynis on CentOS 8
Lynis can run interactively or as a cron job. Root permissions (e.g. via sudo) are not required; however, they provide more details during the audit.
To run a basic system audit with Lynis, execute the command below:
lynis audit system
When it runs, it displays the various checks and their results on standard output, and also writes them to the log and report files:
...
[+] Software: e-mail and messaging
------------------------------------

[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                      [ FOUND ]
  - Checking iptables policies of chains                 [ FOUND ]
  - Checking for empty ruleset                           [ WARNING ]
  - Checking for unused rules                            [ OK ]
  - Checking host based firewall                         [ ACTIVE ]

[+] Software: webserver
------------------------------------
  - Checking Apache (binary /usr/sbin/httpd)             [ FOUND ]
      Info: Configuration file found (/etc/httpd/conf/httpd.conf)
      Info: No virtual hosts found
    * Loadable modules                                   [ FOUND (106) ]
      - Found 106 loadable modules
        mod_evasive: anti-DoS/brute force                [ NOT FOUND ]
        mod_reqtimeout/mod_qos                           [ FOUND ]
        ModSecurity: web application firewall            [ NOT FOUND ]
  - Checking nginx                                       [ NOT FOUND ]

[+] SSH Support
------------------------------------
  - Checking running SSH daemon                          [ FOUND ]
  - Searching SSH configuration                          [ FOUND ]
  - OpenSSH option: AllowTcpForwarding                   [ SUGGESTION ]
  - OpenSSH option: ClientAliveCountMax                  [ SUGGESTION ]
  - OpenSSH option: ClientAliveInterval                  [ OK ]
  - OpenSSH option: Compression                          [ SUGGESTION ]
  - OpenSSH option: FingerprintHash                      [ OK ]
...
Each check in the Lynis output is marked with a result such as OK or WARNING: OK means the check passed, while WARNING indicates an identified issue in the system that requires attention.
Summary of the system audit checks:
...
================================================================================

  -[ Lynis 3.0.0 Results ]-

  Warnings (2):
  ----------------------------
  ! Reboot of system is most likely needed [KRNL-5830]
    - Solution : reboot
      https://cisofy.com/lynis/controls/KRNL-5830/

  ! iptables module(s) loaded, but no rules active [FIRE-4512]
      https://cisofy.com/lynis/controls/FIRE-4512/

  Suggestions (46):
  ----------------------------
  * This release is more than 4 months old. Consider upgrading [LYNIS]
      https://cisofy.com/lynis/controls/LYNIS/

  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
      https://cisofy.com/lynis/controls/KRNL-5820/
...
As you can see, we have two warnings and 46 suggestions.
Go through the suggested solutions to find out how to implement the various system hardening measures.
Lynis security scan details
This section shows:
- your system hardening index
- number of tests run against the system
- Lynis plugins enabled, if any
- Lynis modules enabled
- Log/Report files
================================================================================

  Lynis security scan details:

  Hardening index : 63 [############        ]
  Tests performed : 241
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [X]

  Scan mode:
  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================
Check Hardening Warnings and Suggestions from the Lynis Audit Report
Apart from being written to stdout, the Lynis scan report is also written to /var/log/lynis-report.dat.
From this report, you can read the warnings and suggestions given:
grep -i "^warning" /var/log/lynis-report.dat
warning=KRNL-5830|Reboot of system is most likely needed||text:reboot|
warning=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
To check the suggestions:
grep -i "^suggestion" /var/log/lynis-report.dat
...
suggestion=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|
suggestion=AUTH-9230|Configure minimum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion=AUTH-9230|Configure maximum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
...
Showing Details of a Specific Test
Every Lynis system check has an associated test ID. To find out more about a specific check, you can show its details using the command below.
lynis show details TEST-ID
For example, let us find out more about the system reboot warning above:
lynis show details KRNL-5830
2020-08-05 22:28:05 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)
2020-08-05 22:28:05 Test: Checking presence /var/run/reboot-required.pkgs
2020-08-05 22:28:05 Result: file /var/run/reboot-required.pkgs not found
2020-08-05 22:28:05 Result: /boot exists, performing more tests from here
2020-08-05 22:28:05 Result: found /boot/vmlinuz-4.18.0-193.14.2.el8_2.x86_64
2020-08-05 22:28:05 Test: checking kernel version on disk
2020-08-05 22:28:05 Result: found version 4.18.0-193.14.2.el8_2.x86_64
2020-08-05 22:28:05 Result: active kernel version 4.18.0-193.6.3.el8_2.x86_64
2020-08-05 22:28:05 Result: reboot needed, as there is a difference between active kernel and the one on disk
2020-08-05 22:28:05 Result: /var/cache/apt/archives/ does not exist
2020-08-05 22:28:05 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
2020-08-05 22:28:05 Hardening: assigned partial number of hardening points (0 of 5). Currently having 12 points (out of 21)
2020-08-05 22:28:05 Security check: file is normal
2020-08-05 22:28:05 Checking permissions of /usr/share/lynis/include/tests_memory_processes
2020-08-05 22:28:05 File permissions are OK
2020-08-05 22:28:05 ====
Lynis Audit Scanning Profiles
Lynis uses profiles to hold a set of predefined options for your operating system and preferences. The default profiles are stored under /etc/lynis/.
If you want to use a custom profile, pass the --profile <name> option to the lynis audit system command:
lynis audit system --profile /path/to/custom/profile.prf
To create your own custom profile, you can copy the default profile and edit it to define your custom test options.
When run with no further options, the default profile, /etc/lynis/default.prf, is used.
Disabling Specific Checks
If you consider some checks to be false positives, you can create a custom profile that defines the test IDs Lynis should skip while running the system scan.
For instance, to skip the suggestion below:
suggestion=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
Create a custom profile with the following contents:
# Lynis - Custom Scan Profile to ignore some warnings
#
# Ignore the core dump suggestion (KRNL-5820)
skip-test=KRNL-5820
When you run the Lynis audit scan next time, the specified checks will be skipped.
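As an added example (not part of this article or of Lynis itself) that ties together the report-file grep above and the skip-test profile just described, the following Python script parses the warning=/suggestion= records of report.dat into structured findings and drops those that a custom profile marks with skip-test. The report and profile contents are constructed samples, and accepting the warning[]= key form is an assumption about other Lynis versions, not something shown on this page.

```python
import re
from typing import List, NamedTuple, Set

class Finding(NamedTuple):
    kind: str       # "warning" or "suggestion"
    test_id: str    # e.g. KRNL-5830
    message: str
    details: str    # "" or "-" when Lynis recorded none
    solution: str   # e.g. "text:reboot", or "-"

# Key form as in the grep output above; "warning[]=" (assumed for other Lynis versions) also accepted.
_FINDING_RE = re.compile(r"^(warning|suggestion)(?:\[\])?=(.*)$")

def parse_report(text: str) -> List[Finding]:
    """Turn warning=/suggestion= lines of report.dat into Finding records."""
    findings = []
    for line in text.splitlines():
        m = _FINDING_RE.match(line.strip())
        if not m:
            continue
        # Layout is ID|message|details|solution| (note the trailing '|').
        fields = m.group(2).split("|")
        fields += [""] * (4 - len(fields))      # tolerate short records
        findings.append(Finding(m.group(1), *fields[:4]))
    return findings

def skipped_tests(profile: str) -> Set[str]:
    """Collect test IDs from skip-test= lines; '#' comments are ignored."""
    ids = set()
    for line in profile.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "skip-test" and value.strip():
            ids.add(value.strip())
    return ids

def apply_profile(findings: List[Finding], profile: str) -> List[Finding]:
    # Drop findings whose test ID the custom profile tells Lynis to skip.
    skip = skipped_tests(profile)
    return [f for f in findings if f.test_id not in skip]

# Constructed samples mimicking the report lines and profile shown above.
SAMPLE_REPORT = """\
warning=KRNL-5830|Reboot of system is most likely needed||text:reboot|
warning=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
"""
SAMPLE_PROFILE = "# Custom profile: accepted finding\nskip-test=KRNL-5820\n"
```

Running apply_profile(parse_report(SAMPLE_REPORT), SAMPLE_PROFILE) leaves only the two warnings, which is what the next audit with this profile would report.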
Lynis is a useful tool. Go through all the fixes and suggestions it provides to harden your system.
That marks the end of our tutorial on how to install and set up the Lynis security auditing tool on CentOS 8.