Serious auditing with Lynis

Jack Wallen
Feb 9, 2010
Updated • Dec 2, 2012
Linux

If you want to do a thorough system security audit on a Linux machine, what do you use? Cobble together a few of the pre-installed tools? Search through the numerous locations for a tool that might give you enough information to determine whether your system is safe? Or do you open up a terminal window and use the Lynis security auditing tool? If you chose the last option, you get a gold star!

The Lynis project is from the same team that brought us Rootkit Hunter, so you know you can trust this tool. Lynis will not only scan your system for security issues, it will also scan and report installed software, general system information, and even configuration mistakes. You can't afford not to use Lynis. In this article I will show you how to install and make use of Lynis.

Installation

Lynis works on the following distributions:

  • Arch Linux
  • CentOS
  • Debian
  • Fedora Core 4 and higher
  • FreeBSD
  • Gentoo
  • Knoppix
  • Mac OS X
  • Mandriva 2007
  • OpenBSD 4.x
  • OpenSolaris
  • OpenSuSE
  • PcBSD
  • PCLinuxOS
  • Red Hat, RHEL 5.x
  • Slackware 12.1
  • Solaris 10
  • Ubuntu

Installation is done from the command line. Download the package for your system from the download section of the main Lynis page: an .rpm, a .deb, or the source tarball. Lynis is a shell script, not a compiled binary, so the source tarball already contains the executable lynis script together with the include directory and default profile it needs. You can copy the whole extracted tree to a removable drive (for Lynis on the go), or just issue the command ./lynis from within the extracted directory. If you want to keep Lynis on the system, install the complete tree (for example under /usr/local/lynis) rather than copying the lynis file alone to /usr/sbin/: the script looks for its include directory at startup and stops with an error if it cannot find one. Whichever form you download, check the checksum or signature published alongside it before running it, because an auditing tool runs as root over the very system it is examining.

To install one of the packages, run:

sudo dpkg -i lynis-XXX.deb

or

rpm -ivh lynis-XXX.rpm

where XXX is the release number. NOTE: if installing with rpm you will need to do so as the root user (or prefix the command with sudo).

Usage

Figure 1

If you just want to dive in, issue the command sudo lynis --check-all, which runs a thorough examination of your system (Lynis needs root privileges to read the configuration files and system areas it checks). Figure 1 shows a scan in progress. Between sections of the scan Lynis pauses and waits for you to press the Enter key; add --quick (-Q) to the command if you want it to run straight through, which is what you will want when running it from cron. You can also hit Ctrl+C to stop the scan.

As the scan runs you will notice various output:

  • OK
  • SUGGESTION
  • NONE
  • FOUND
  • NOT FOUND
  • NOT DISABLED
  • WARNING
  • UNKNOWN
  • SKIPPED
  • DONE
  • RUNNING
  • ACTIVE
  • ON
  • OFF
  • WEAK

And more. When the scan completes Lynis will inform you of two files to view:

/var/log/lynis.log

/var/log/lynis-report.dat

The latter file is where you will want to look first: it is a machine-readable key=value file that holds, among other things, the warnings and suggestions that can help improve the security of your system, whereas lynis.log is the verbose trace of everything the scan did. For example, after running lynis --check-all I was given the suggestion:

suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts.

Of course that is a fairly generic suggestion. You will be surprised at the depth and number of suggestions Lynis gives. You will also notice, mid-way through the file, that every package installed on your system is listed. This makes for a lengthy file, but it is worth going through.
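Because the report file mixes warnings, suggestions and the package inventory in one long key=value list, it helps to pull the warnings out first. The script below is an added example, not code from this article or from the Lynis project. It assumes the key=value layout shown above, with warning[] and suggestion[] values written as TEST-ID|message|... (the separator in the AUTH-9282 line), and it treats the hardening_index line as optional, since only newer Lynis releases write it. The sample report it writes is constructed for the demonstration; the test IDs in it other than AUTH-9282 are made up and do not correspond to real Lynis tests.

```shell
#!/bin/sh
# Added example (not from the article or the Lynis project): summarise a
# lynis-report.dat file so warnings are read before the long suggestion list.
# Assumption: entries look like  warning[]=TEST-ID|message|...  and
# suggestion[]=TEST-ID|message|...  ; hardening_index= may be absent.

# Print "TEST-ID: message" for every entry of the given kind (warning or suggestion).
lynis_entries() {
    kind=$1; report=$2
    grep "^${kind}\[\]=" "$report" | cut -d= -f2- | awk -F'|' '{ print $1 ": " $2 }'
}

# Count entries of the given kind; prints 0 (instead of failing) when there are none.
lynis_count() {
    kind=$1; report=$2
    grep -c "^${kind}\[\]=" "$report" || true
}

# Hardening index from newer reports; prints n/a when the line is missing.
lynis_hardening_index() {
    idx=$(grep '^hardening_index=' "$1" | cut -d= -f2)
    printf '%s\n' "${idx:-n/a}"
}

# Warnings first, then suggestions, then the size of the package inventory.
lynis_summary() {
    report=$1
    printf 'Hardening index: %s\n' "$(lynis_hardening_index "$report")"
    printf 'Installed packages listed: %s\n' "$(lynis_count installed_package "$report")"
    printf '== %s warning(s) ==\n' "$(lynis_count warning "$report")"
    lynis_entries warning "$report"
    printf '== %s suggestion(s) ==\n' "$(lynis_count suggestion "$report")"
    lynis_entries suggestion "$report"
}

# Constructed sample report (not captured from a real scan); SAMP-* IDs are made up.
write_sample_report() {
    cat > "$1" <<'EOF'
lynis_version=1.3.0
hostname=auditbox
hardening_index=64
installed_package[]=openssh-server,5.5p1
installed_package[]=sudo,1.8.5
warning[]=SAMP-0001|Root login is enabled in the SSH configuration|-|-|
warning[]=SAMP-0002|Firewall module loaded, but no rules are active|-|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
suggestion[]=SAMP-0003|Consider hardening the SSH configuration|-|-|
EOF
}

SAMPLE=$(mktemp)
write_sample_report "$SAMPLE"
lynis_summary "$SAMPLE"   # on a real host: lynis_summary /var/log/lynis-report.dat
```

On a real system replace the sample path with /var/log/lynis-report.dat (you need root, or read access to /var/log, to open it). Keeping the report files from successive runs and diffing their warning[] lines is a cheap way to spot regressions after a configuration change.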

Final thoughts

If you have been searching for a solid Linux auditing program, search no more. Use this in combination with a good network auditing application and a good Windows auditing application, and you are as good as gold.
