Serious auditing with Lynis
If you want to do a thorough system security audit on a Linux machine what do you use? Cobble together a few of the pre-installed tools? Search through the numerous locations for a tool that might give you enough information to determine if your system is safe? Or, do you open up a terminal window and use the Lynis security auditing tool? If you are of the former category, you get a gold star!
The Lynis project is from the same team that brought us Rootkit Hunter, so you know you can trust this tool. Lynis will not only scan your system for security issues, it will also scan and report installed software, general system information, and even configuration mistakes. You can't afford to not use Lynis. In this article I will show you how to install and make use of Lynis.
Lynis works on the following distributions:
- Arch Linux
- Fedora Core 4 and higher
- Mac OS X
- Mandriva 2007
- OpenBSD 4.x
- Red Hat, RHEL 5.x
- Slackware 12.1
- Solaris 10
Installation will be done from the command line. You will want to download the required binary, for your system, from the main Lynis page under the download section. You will either download an .rpm, a .deb, or source. If you download the source you will find an executable binary, lynis, within the archive. You can copy that binary to a removable drive (for Lynis on the go), or just issue the command ./lynis from within the archive directory. If you want to keep Lynis on the system copy the lynis file to /usr/sbin/.
To install one of the packages you will do with like so:
sudo dpkg -i lynis-XXX.deb
rpm -ivh lynis-XXX.deb
Where XXX is the release number. NOTE: If installing with rpm you will need to do so as the root user.
If you just want to dive into things you can issue the command sudo lynis --check-all which will run a thorough examination of your system. Figure 1 shows a scan in progress. At certain points in the scan you will need to press the Enter key to continue on with the scan. You can also hit <Ctrl>C to stop the scan.
As the scan runs you will notice various output:
- NOT FOUND
- NOT DISABLED
And more. When the report completes Lynis will inform you of two log files to view:
The latter file is where you will want to look first, as it will contain suggestions that can help improve the security of your system. For example, after a running lynis --check-all I was given the suggestion:
suggestion=AUTH-9282|When possible set expire dates for all password protected accounts.
Of course that is a fairly generic suggestion. Â You will be surprised at the depth and amount of suggestions given by Lynis. You will also notice, mid-way through the log, that every package installed on your system is listed. This does make for a lengthy log file, but it is worth going through.
If you have been searching for a solid Linux auditing program, search no more. Use this in combination with a good network auditing application, and a good Windows auditing application and you are as good as gold.Advertisement