We figure out how to use one of the most powerful freeware utilities for auditing Linux systems.Have you ever wondered how secure your Linux system is? There are many Linux distributions (each with its own default settings) on which you run dozens of software packages with different version numbers. In addition, on your OS in the background there are many services that you sometimes do not know or think about.To get information about the system, that is, check the general status of the software, network and services running on your computer with Linux installed, just run a few commands. But now what to do with the information received? How to understand it? After all, the amount of data that you need to analyze is huge.It would be much better if you could just run a tool that generates a structured report on the level of security of the system. Lynis is a popular open source tool that audits Linux and Unix based systems.“It performs a comprehensive scan of security settings and runs on the system itself. The main goal is to test security features and issue recommendations for further improving the level of system security. It also scans system-wide information, information about installed packages, and possible configuration errors. Lynis [usually] is used by system administrators and security experts to assess the level of system security, ” the project’s website says.Install Lynis
You can use package managers to install Lynis. Provided that your Linux system with the relevance of the versions in the repository is in order, the utility can be installed like this:dnf install lynis
or so:apt install lynis
However, if the utility version in your repository is not the latest, it is better to install Lynis with GitHub (I use the Red Hat Linux system, but similar commands work on any Linux distribution):$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.8 (Maipo)
$
$ uname -r
3.10.0-1127.el7.x86_64
$
$ git clone https://github.com/CISOfy/lynis.git
Cloning into 'lynis'...
remote: Enumerating objects: 30, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (30/30), done.
remote: Total 12566 (delta 15), reused 8 (delta 0), pack-reused 12536
Receiving objects: 100% (12566/12566), 6.36 MiB | 911.00 KiB/s, done.
Resolving deltas: 100% (9264/9264), done.
$
As soon as you clone the repository, go into it and see what is available to you, find the file named lynis. This is actually a shell script, so you can open it and read what it does. In fact, Lynis is mainly implemented using scripts:$ cd lynis/
$ ls
CHANGELOG.md CONTRIBUTING.md db developer.prf FAQ include LICENSE lynis.8 README SECURITY.md
CODE_OF_CONDUCT.md CONTRIBUTORS.md default.prf extras HAPPY_USERS.md INSTALL lynis plugins README.md
$
$ file lynis
lynis: POSIX shell script, ASCII text executable, with very long lines
$
Launch Lynis
Let's get started with Lynis by running help using the -h flag :$ ./lynis -h
So you can familiarize yourself with the main utility commands. For example, let's find out its version:$ ./lynis show version
3.0.0
$
For a complete list of Lynis commands, type:$ ./lynis show commands
Commands:
lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only
$
Running an audit of a Linux system
It all starts with the following command:$ ./lynis audit system
After starting the team we will receive a detailed report. Do not be alarmed, we will figure it out a bit later. Other team work results are also saved, so you can return to them later.Here Lynis stores the logs: Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
You can check if all the necessary files were actually created:$ ls -l /var/log/lynis.log
-rw-r-----. 1 root root 341489 Apr 30 05:52 /var/log/lynis.log
$
$ ls -l /var/log/lynis-report.dat
-rw-r-----. 1 root root 638 Apr 30 05:55 /var/log/lynis-report.dat
$
We study reports
Lynis provides fairly detailed reports, so I’ll only cover some important topics. The very first thing that Lynis does during initialization is to find out complete information about the operating system that is running on the computer. Then the utility checks which system tools and plugins you have installed:[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
---------------------------------------------------
Program version: 3.0.0
Operating system: Linux
Operating system name: Red Hat Enterprise Linux Server 7.8 (Maipo)
Operating system version: 7.8
Kernel version: 3.10.0
Hardware platform: x86_64
Hostname: example
---------------------------------------------------
<<snip>>
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugin: pam
[..]
- Plugin: systemd
[................]
The report is divided into different sections, and each section begins with [+] . Some of the sections can be seen below.[+] Boot and services
[+] Kernel
[+] Memory and Processes
[+] Users, Groups and Authentication
[+] Shells
[+] File systems
[+] USB Devices
[+] Storage
[+] NFS
[+] Name services
[+] Ports and packages
[+] Networking
[+] Printers and Spools
[+] Software: e-mail and messaging
[+] Software: firewalls
[+] Software: webserver
[+] SSH Support
[+] SNMP Support
[+] Databases
[+] LDAP Services
[+] PHP
[+] Squid Support
[+] Logging and files
[+] Insecure services
[+] Banners and identification
[+] Scheduled tasks
[+] Accounting
[+] Time and Synchronization
[+] Cryptography
[+] Virtualization
[+] Containers
[+] Security frameworks
[+] Software: file integrity
[+] Software: System tooling
[+] Software: Malware
[+] File Permissions
[+] Home directories
[+] Kernel Hardening
[+] Hardening
[+] Custom tests
For greater clarity, Lynis uses color conventions:- green: all is well
- yellow: did not find everything necessary, or a controversial situation arose
- red: this is a problem, it’s worth dealing with it
In my case, most of the problems (red marks) were found in the Kernel Hardening section. The kernel has various configurable parameters that determine its operation, and some of these parameters are responsible for security. The distribution may not install them by default for various reasons, but you should examine each of them and see if you need to change its value depending on your security requirements:[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ OK ]
- kernel.core_uses_pid (exp: 1) [ OK ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
Look at SSH for example. This is an important part of the system and it must be protected. Nothing is highlighted in red here, but Lynis has many suggestions for improving the security of the SSH service:[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- OpenSSH option: AllowTcpForwarding [ SUGGESTION ]
- OpenSSH option: ClientAliveCountMax [ SUGGESTION ]
- OpenSSH option: ClientAliveInterval [ OK ]
- OpenSSH option: Compression [ SUGGESTION ]
- OpenSSH option: FingerprintHash [ OK ]
- OpenSSH option: GatewayPorts [ OK ]
- OpenSSH option: IgnoreRhosts [ OK ]
- OpenSSH option: LoginGraceTime [ OK ]
- OpenSSH option: LogLevel [ SUGGESTION ]
- OpenSSH option: MaxAuthTries [ SUGGESTION ]
- OpenSSH option: MaxSessions [ SUGGESTION ]
- OpenSSH option: PermitRootLogin [ SUGGESTION ]
- OpenSSH option: PermitUserEnvironment [ OK ]
- OpenSSH option: PermitTunnel [ OK ]
- OpenSSH option: Port [ SUGGESTION ]
- OpenSSH option: PrintLastLog [ OK ]
- OpenSSH option: StrictModes [ OK ]
- OpenSSH option: TCPKeepAlive [ SUGGESTION ]
- OpenSSH option: UseDNS [ SUGGESTION ]
- OpenSSH option: X11Forwarding [ SUGGESTION ]
- OpenSSH option: AllowAgentForwarding [ SUGGESTION ]
- OpenSSH option: UsePrivilegeSeparation [ OK ]
- OpenSSH option: AllowUsers [ NOT FOUND ]
- OpenSSH option: AllowGroups [ NOT FOUND ]
Not a single container or virtual machine is running on my system. So, alas, there will be nothing to read here.[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
Lynis checks the privileges of some files, as this is important from a security point of view.[+] File Permissions
------------------------------------
- Starting file permissions check
File: /boot/grub2/grub.cfg [ SUGGESTION ]
File: /etc/cron.deny [ OK ]
File: /etc/crontab [ SUGGESTION ]
File: /etc/group [ OK ]
File: /etc/group- [ OK ]
File: /etc/hosts.allow [ OK ]
File: /etc/hosts.deny [ OK ]
File: /etc/issue [ OK ]
File: /etc/issue.net [ OK ]
File: /etc/motd [ OK ]
File: /etc/passwd [ OK ]
File: /etc/passwd- [ OK ]
File: /etc/ssh/sshd_config [ OK ]
Directory: /root/.ssh [ SUGGESTION ]
Directory: /etc/cron.d [ SUGGESTION ]
Directory: /etc/cron.daily [ SUGGESTION ]
Directory: /etc/cron.hourly [ SUGGESTION ]
Directory: /etc/cron.weekly [ SUGGESTION ]
Directory: /etc/cron.monthly [ SUGGESTION ]
At the end of the report, Lynis makes corrections based on the audit results. Each sentence begins with a description, and the test ( TEST-ID ) that generated it is indicated in parentheses next to it. The next line suggests a solution to the problem, if it exists:Suggestions (47):
----------------------------
* If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
https://cisofy.com/lynis/controls/KRNL-5820/
* Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]
https://cisofy.com/lynis/controls/AUTH-9229/
Lynis provides the ability to find additional information about each correction proposal using the show details command , followed by the TEST-ID test number :./lynis show details TEST-ID
For example, to find out more information for the SSH-7408 test, I enter $ ./lynis show details SSH-7408 and get:$ ./lynis show details SSH-7408
2020-04-30 05:52:23 Performing test ID SSH-7408 (Check SSH specific defined options)
2020-04-30 05:52:23 Test: Checking specific defined options in /tmp/lynis.k8JwazmKc6
2020-04-30 05:52:23 Result: added additional options for OpenSSH < 7.5
2020-04-30 05:52:23 Test: Checking AllowTcpForwarding in /tmp/lynis.k8JwazmKc6
2020-04-30 05:52:23 Result: Option AllowTcpForwarding found
2020-04-30 05:52:23 Result: Option AllowTcpForwarding value is YES
2020-04-30 05:52:23 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed
2020-04-30 05:52:23 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]
Try not torture
So if you want to know more about the security of your Linux system, check out Lynis. And, if you want to learn more about how this utility works, how it collects all this information, dig in its shell scripts. As with other utilities, it makes sense to first try it out on a virtual machine.What tools do you use? Share in the comments.
As an advertisement
VDSina offers servers on any operating system - choose one of the pre-installed OS, or install from your image. Daily payment servers or a unique offer on the market - eternal servers!