Audit the security of your Unix/Linux systems using lynis

by
Share this Article: Facebook45Google+58Twitter64LinkedIn5Reddit8StumbleUpon1

Lynis is an auditing tool for unix/linux like systems which is used to scan the entire unix/linux systems for security issues, installed software informations, general system information, configuration issues or mistakes, software patch management, malware and vulnerability, firewall auditing, user accounts without passwords, invalid file permissions and many more.

This tool is quite often used for novice system administrators, system auditors, network and security specialists. The notable feature of this tool is easy to use and it tests and gathers the linux systems security informations in few minutes. Sounds good, why don’t you give it a try?

Install lynis in Ubuntu / Debian Distros

Installation is quite easy in ubuntu/debian like systems. You can install it either from synaptic manager or from terminal. For other distros plaese check offical homepage.

unixmen@server:~$ sudo apt-get install lynis

Usage and Run lynis

The running and using of lynis is faily simple. All you need to do is just open the terminal and type following command.

unixmen@server:~$ sudo lynis -c

or

unixmen@server:~$ sudo lynis --check-all

Now lynis will begin to audit the entire system including the following:

  • Boot loaders and startup services.
  • kernel configuration, core dumps, run level and loaded modules.
  • Memory and processes.
  • Users and groups.
  • mount points, /tmp files and root file system
  • NFS and BIND services.
  • Update/upgradeable packages and software repositories.
  • Iptables and SElinux issues/configurations.
  • Apache and nginx web servers.
  • SSH configurations and Issues.
  • MySQL root password and LDAP services.
  • php options.
  • crontab/cronjob and atd.
  • ntp daemon.
  • SSL certificate expiration and Issues.
  • malwares.
  • Home directories.

The following output will open when you type above commands.

Now pressing enter will lead you through the next screens.

To stop asking “Press Enter” every time, use the parameters ‘-c and -Q’ as shown below.

unixmen@server:~$ sudo lynis -c -Q
unixmen@server: ~_003

After completing the scanning, it will generate a output report in ‘/var/log/lynis.log’ file.

unixmen@server:~$ sudo vi /var/log/lynis.log 
[13:13:13] ### Starting Lynis 1.3.0 with PID 4356, build date 28 April 2011 ###
[13:13:13] ### Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/ ###
[13:13:13] Program version:           1.3.0
[13:13:13] Operating system:          Linux
[13:13:13] Operating system name:     Ubuntu
[13:13:13] Operating system version:  12.10
[13:13:13] Kernel version:            3.5.0-17-generic
[13:13:13] Hardware platform:         i686
[13:13:13] Hostname:                  server
[13:13:13] Auditor:                   [Unknown]
[13:13:13] Profile:                   /etc/lynis/default.prf
[13:13:13] Log file:                  /var/log/lynis.log
[13:13:13] Report file:               /var/log/lynis-report.dat
[13:13:13] Report version:            1.0
[13:13:13] -----------------------------------------------------
[13:13:13] Include directory:         /usr/share/lynis/include
[13:13:13] Plugin directory:          /etc/lynis/plugins
[13:13:13] Database directory:        /usr/share/lynis/db
[13:13:13] ===---------------------------------------------------------------===
[13:13:13] Reading profile/configuration /etc/lynis/default.prf
[13:13:13] Profile option set: profile_name (with value Default Audit Template)
[13:13:13] Profile option set: pause_between_tests (with value 0)
[13:13:14] Profile option set: show_tool_tips (with value 1)

You can scroll down through the log file for any Warnings or Suggestions or use the following commands to view the ‘Warnings’ and ‘Suggestions’ found in the log file.

To list out the ‘Warnings’, use the following command:

unixmen@server:~$ sudo grep Warning /var/log/lynis.log 
[13:14:10] Warning: Found BIND version in banner [test:NAME-4210] [impact:M]
[13:18:43] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [impact:L]
[13:18:47] Warning: Found mail_name in SMTP banner, and/or mail_name contains 'Postfix' [test:MAIL-8818] [impact:L]
[13:19:02] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
[13:19:06] Warning: PHP option register_globals option is turned on, which can be a risk for variable value overwriting [test:PHP-2368] [impact:M]
[13:19:06] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
[13:19:30] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

To list out the ‘Suggestions’, use the following command:

unixmen@server:~$ sudo grep Suggestion /var/log/lynis.log 
[13:13:57] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
[13:13:59] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
[13:13:59] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
[13:14:00] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[13:14:00] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
[13:14:00] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
[13:14:02] Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310]
[13:14:02] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
[13:14:05] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
[13:14:06] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
[13:18:42] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]
[13:18:43] Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705]
[13:18:47] Suggestion: You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [test:MAIL-8818]
[13:18:50] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
[13:19:06] Suggestion: Change the register_globals line to: register_globals = Off [test:PHP-2368]
[13:19:07] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
[13:19:07] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [test:PHP-2376]
[13:19:26] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
[13:19:27] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130]
[13:19:29] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]
[13:19:30] Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily, to prevent big time differences and avoid problems with services like kerberos, authentication or logging differences. [test:TIME-3104]
[13:19:36] Suggestion: Install a file integrity tool [test:FINT-4350]
[13:19:51] Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [test:KRNL-6000]
[13:19:52] Suggestion: Harden the system by installing one or malware scanners to perform periodic file system scans [test:HRDN-7230]

Thats it. Now you can rectify the security loopholes even if you are unexperienced system administrator in your Unix/Linux systems.

For questions please refer to our Q/A forum at : http://ask.unixmen.com/

Share this Article: Facebook45Google+58Twitter64LinkedIn5Reddit8StumbleUpon1