In this tutorial, you will learn how to install and set up the Lynis security auditing tool on Ubuntu 20.04. Lynis is an open-source security tool that performs an in-depth security scan of a system in order to evaluate its security profile. Due to its simplicity and flexibility, Lynis can be used for the following;
- Automated Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Penetration testing
- Vulnerability detection
- System hardening
- Configuration and asset management
- Software patch management
- Intrusion detection
Lynis, however, doesn’t harden the system automatically; instead it provides tips on how to harden your system.
It is a cross-platform tool designed for systems running Linux, macOS, or other Unix-based operating systems.
Installing Lynis Security Auditing tool on Ubuntu 20.04
Install Lynis on Ubuntu 20.04
There are various methods by which Lynis can be installed on an Ubuntu 20.04 system or on any other system. These include;
- Cloning their GitHub repository
- Via a source tarball
- Via the package manager, using their software repos
In this tutorial, we will install the free version of Lynis from their official community software repository.
Although Lynis is available in the default Ubuntu 20.04 universe repos, the packaged version is not up-to-date.
apt-cache policy lynis
lynis:
Installed: (none)
Candidate: 2.6.2-1
Version table:
2.6.2-1 500
500 http://ke.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
As you can see, Lynis v2.6.2 is provided by the universe repos. As of this writing, Lynis 3.0.0 is the current stable release.
You can obtain the latest version by using the Lynis community software repos.
Install Lynis Community Software Repository on Ubuntu 20.04
Download and install the Lynis repository PGP signing key from a central keyserver;
wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -
Install the repository itself;
echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
To download only the English version of the software, disable translations from being downloaded to save bandwidth.
echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations
Next, resynchronize the package repositories to their latest versions;
apt install apt-transport-https
apt update
Install Lynis Security Auditing tool
Once the repos are in place, you can proceed to install Lynis security auditing tool.
apt install lynis
Check the version of installed Lynis;
lynis show version
3.0.0
Check if there is an update available;
lynis update info
Check the output status.
== Lynis ==
Version : 3.0.0
Status : Up-to-date
Release date : 2020-03-20
Project page : https://cisofy.com/lynis/
Source code : https://github.com/CISOfy/lynis
Latest package : https://packages.cisofy.com/
2007-2020, CISOfy - https://cisofy.com/lynis/
Lynis Command Line Syntax and Options
The Lynis command syntax is
lynis [scan mode] [other options]
To show Lynis commands, run;
lynis show commands
Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only
To show Lynis settings, run;
lynis show settings
To show discovered audit profiles;
lynis show profiles
/etc/lynis/default.prf
For a comprehensive list of options, check;
man lynis
Perform System Audit using Lynis on Ubuntu 20.04
When run, Lynis checks the system and software configuration for any would-be security loopholes. Lynis logs the audit details in a log file as well as in a report file. The report files can be used to compare differences between audits.
The test and debug information are logged in /var/log/lynis.log, while the audit report data is stored in /var/log/lynis-report.dat.
/var/log/lynis.log is the file an auditor has to check to interpret the results, as it explains the reason for each issue identified as well as suggestions on how to fix it.
The following system areas may be checked by Lynis:
- Boot loader files
- Configuration files
- Software packages
- Directories and files related to logging and auditing
Running Lynis for the First time
Lynis can run interactively or as a cron job. Root permissions (e.g. via sudo) are not required; however, they provide more details during the audit.
To run a basic system audit with Lynis for the first time, execute the command below;
lynis audit system
When it runs, it displays the various checks and results on the standard output, as well as writing them to the log and report files;
The Lynis output marks each check as OK or WARNING, with OK meaning good while WARNING indicates an identified issue in the system that requires attention. Note that a check flagged as OK may still fall short of best practice, and something flagged as WARNING may be harmless in your environment and can be ignored.
Sample checks;
...
[+] Printers and Spools
------------------------------------
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]
[+] Software: e-mail and messaging
------------------------------------
[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ FOUND ]
- Checking iptables policies of chains [ FOUND ]
- Checking for empty ruleset [ OK ]
- Checking for unused rules [ FOUND ]
- Checking host based firewall [ ACTIVE ]
[+] Software: webserver
------------------------------------
- Checking Apache (binary /usr/sbin/apache2) [ FOUND ]
Info: Configuration file found (/etc/apache2/apache2.conf)
Info: No virtual hosts found
* Loadable modules [ FOUND (119) ]
- Found 119 loadable modules
mod_evasive: anti-DoS/brute force [ NOT FOUND ]
mod_reqtimeout/mod_qos [ FOUND ]
ModSecurity: web application firewall [ NOT FOUND ]
- Checking nginx [ NOT FOUND ]
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- OpenSSH option: AllowTcpForwarding [ SUGGESTION ]
- OpenSSH option: ClientAliveCountMax [ SUGGESTION ]
...
[+] Home directories
------------------------------------
- Permissions of home directories [ WARNING ]
- Ownership of home directories [ OK ]
- Checking shell history files [ OK ]
...
The summary of the results;
...
================================================================================
-[ Lynis 3.0.0 Results ]-
Warnings (1):
----------------------------
! Found one or more vulnerable packages. [PKGS-7392]
https://cisofy.com/lynis/controls/PKGS-7392/
Suggestions (56):
----------------------------
* This release is more than 4 months old. Consider upgrading [LYNIS]
https://cisofy.com/lynis/controls/LYNIS/
* Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
https://cisofy.com/lynis/controls/BOOT-5122/
* Consider hardening system services [BOOT-5264]
- Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service
https://cisofy.com/lynis/controls/BOOT-5264/
...
Lynis Security scan details;
From the scan details, you will see the percentage score of your current system hardening, number of tests performed, plugins enabled, scan mode activated and enabled Lynis modules.
...
================================================================================
Lynis security scan details:
Hardening index : 60 [############ ]
Tests performed : 250
Plugins enabled : 0
Components:
- Firewall [V]
- Malware scanner [X]
Scan mode:
Normal [V] Forensics [ ] Integration [ ] Pentest [ ]
Lynis modules:
- Compliance status [?]
- Security audit [V]
- Vulnerability scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Check Hardening Warnings and Suggestions from Lynis Audit report
You can check the warnings or suggestions of the Lynis audit scan from the /var/log/lynis-report.dat report.
grep -i "^warning" /var/log/lynis-report.dat
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
To check the suggestions;
grep -i "^suggestion" /var/log/lynis-report.dat
suggestion[]=LYNIS|This release is more than 4 months old. Consider upgrading|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)|-|-|
suggestion[]=BOOT-5264|Consider hardening system services|Run '/usr/bin/systemd-analyze security SERVICE' for each service|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|
suggestion[]=AUTH-9230|Configure minimum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9230|Configure maximum encryption algorithm rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
..
Show Details of a Specific Test
Every system check has an associated test ID. If you need to find more details about a specific test, you can grab its ID and display more information using the command below;
lynis show details TEST-ID
For example, let us check more about the vulnerable packages warning above;
lynis show details PKGS-7392
2020-08-05 15:43:47 Performing test ID PKGS-7392 (Check for Debian/Ubuntu security updates)
2020-08-05 15:43:47 Action: updating package repository with apt-get
2020-08-05 15:44:01 Result: apt-get finished
2020-08-05 15:44:01 Test: Checking if /usr/lib/update-notifier/apt-check exists
2020-08-05 15:44:01 Result: found /usr/lib/update-notifier/apt-check
2020-08-05 15:44:01 Test: checking if any of the updates contain security updates
2020-08-05 15:44:03 Result: found 9 security updates via apt-check
2020-08-05 15:44:03 Hardening: assigned partial number of hardening points (0 of 25). Currently having 109 points (out of 180)
2020-08-05 15:44:04 Result: found vulnerable package(s) via apt-get (-security channel)
2020-08-05 15:44:04 Found vulnerable package: apport
2020-08-05 15:44:04 Found vulnerable package: grub-common
2020-08-05 15:44:04 Found vulnerable package: grub-pc
2020-08-05 15:44:04 Found vulnerable package: grub-pc-bin
2020-08-05 15:44:04 Found vulnerable package: grub2-common
2020-08-05 15:44:04 Found vulnerable package: libmysqlclient21
2020-08-05 15:44:04 Found vulnerable package: libssh-4
2020-08-05 15:44:04 Found vulnerable package: python3-apport
2020-08-05 15:44:04 Found vulnerable package: python3-problem-report
2020-08-05 15:44:04 Warning: Found one or more vulnerable packages. [test:PKGS-7392] [details:-] [solution:-]
2020-08-05 15:44:04 Suggestion: Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [test:PKGS-7392] [details:-] [solution:-]
2020-08-05 15:44:04 ====
Disabling Specific Checks
If some checks are throwing warnings that you consider false positives, you can create a custom profile where you specify the check IDs and tell Lynis to skip those specific checks.
Lynis uses profiles to hold a set of predefined options for your operating system and preferences. The default profiles are stored under the /etc/lynis directory.
ls /etc/lynis
default.prf developer.prf
You can tell Lynis to use a specific profile using the --profile <name> option.
If you don’t specify a profile, then the default profile, /etc/lynis/default.prf, will be used. You can open this file and read what it contains; doing so is highly recommended.
To create your own custom profile, you can copy the default profile and edit it to define your custom test options.
For instance, to skip the warning about vulnerable packages shown in the Lynis audit report above, create a custom profile with the following contents.
vim /etc/lynis/custom.prf
# Lynis - Custom Scan Profile to ignore some warnings
#
# Ignore Vulnerable packages Warnings
skip-test=PKGS-7392
Save and exit the file. When you re-run the audit scan, the specified checks will be skipped;
lynis audit system
================================================================================
-[ Lynis 3.0.0 Results ]-
Great, no warnings
Suggestions (56):
...
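As an added example (not part of this tutorial or of Lynis itself), the Python script below parses the key[]=value records of lynis-report.dat shown above, drops the findings that a custom profile's skip-test lines would suppress, and diffs two audits to list resolved and new findings; the two reports and the profile are constructed samples that reuse the test IDs appearing on this page.

```python
# Constructed sample reports (not real Lynis output) in the key=value and
# key[]=TESTID|message|details|solution| format of /var/log/lynis-report.dat;
# the test IDs are the ones shown in this tutorial.
REPORT_BEFORE = """\
lynis_version=3.0.0
hardening_index=60
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
"""
REPORT_AFTER = """\
lynis_version=3.0.0
hardening_index=64
suggestion[]=BOOT-5122|Set a password on GRUB boot loader|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump in /etc/security/limits.conf file|-|-|
"""
CUSTOM_PROFILE = "# constructed custom.prf\nskip-test=PKGS-7392\n"

def parse_report(text):
    """Return (scalars, findings): scalars maps plain keys to values; findings maps
    'warning' / 'suggestion' to lists of (test_id, message, details, solution)."""
    scalars, findings = {}, {"warning": [], "suggestion": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):  # array-style key such as warning[]=...
            if key[:-2] in findings:
                fields = value.split("|") + ["-"] * 4  # pad short records
                findings[key[:-2]].append(tuple(fields[:4]))
        else:
            scalars[key] = value
    return scalars, findings

def apply_profile(findings, profile_text):
    """Drop findings whose test ID a profile's skip-test= lines would skip."""
    skipped = {ln.split("=", 1)[1].strip() for ln in profile_text.splitlines()
               if ln.strip().startswith("skip-test=")}
    return {k: [f for f in v if f[0] not in skipped] for k, v in findings.items()}

def diff_findings(before, after, kind):
    """Compare one kind of finding between two audits, keyed by (test ID, message).
    Returns (resolved, new): only in the earlier audit / only in the later one."""
    old = {f[:2] for f in before[kind]}
    new = {f[:2] for f in after[kind]}
    return sorted(old - new), sorted(new - old)
```

Point parse_report at the text of two saved copies of /var/log/lynis-report.dat to see which findings a hardening change actually removed or introduced.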
Auditing a Dockerfile with the Lynis Auditing tool
It is also possible to audit your Dockerfile using Lynis.
lynis audit dockerfile Dockerfile
Sample output;
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Helper: audit_dockerfile
------------------------------------
File to audit = Dockerfile
[+] Image
------------------------------------
Found image: [ nginx:alpine ]
[+] Basics
------------------------------------
[+] Software
------------------------------------
[+] Downloads
------------------------------------
No files seems to be downloaded in this Dockerfile
[+] Permissions
------------------------------------
================================================================================
-[ Lynis 3.0.0 Results ]-
Warnings (4):
----------------------------
! No maintainer found. Unclear who created this file. [dockerfile]
https://cisofy.com/lynis/controls/dockerfile/
! No ENTRYPOINT defined in Dockerfile. [dockerfile]
https://cisofy.com/lynis/controls/dockerfile/
! No CMD defines in Dockerfile. [dockerfile]
https://cisofy.com/lynis/controls/dockerfile/
! No user declared in Dockerfile. Container will execute command as root [dockerfile]
https://cisofy.com/lynis/controls/dockerfile/
Auditing Remote Linux hosts using Lynis
To audit a remote host, use the command;
lynis audit system remote <host>
The command basically gives you the steps you need to take to scan a remote host.
Thanks for a great tutorial.
I followed the exact steps to install the repository to get the latest version on Ubuntu 20.04, but still ended up with 2.6.2, which is strange. Not sure why.