Lynis: Run a Security Audit on Linux for Free

When developing for cloud or containers, you know you’re probably going to be working with Linux, UNIX, or some similar operating system. When that’s the case, you should also know how imperative it is that the OS be as secure as possible. After all, with the numerous moving parts of containers and the cloud, if your foundation is weak, everything could crumble.
That means you need to know the ins and outs and minutia of those platforms, especially regarding security.
The problem is that you may be coming from a macOS or Windows background and be unfamiliar with Linux. That’s when a tool like Lynis comes in handy.
Lynis simplifies the security audits for operating systems such as:
- AIX
- FreeBSD
- HP-UX
- Linux
- macOS
- NetBSD
- NixOS
- OpenBSD
- Solaris
With Lynis, you can perform tasks like:
- Security auditing
- Compliance testing
- Penetration testing
- Vulnerability detection
- System hardening
Lynis is also opportunistic, which means it will only use and test components within an OS that it discovers. In other words, if a component isn’t installed on your OS, Lynis won’t test for it. Lynis is also quite easy to install and use for system auditing, which is something you should be doing for every OS you use for cloud and container development and/or deployment.
I’m going to walk you through the steps of installing Lynis on both Ubuntu Server and Rocky Linux 9. Once installed, we’ll run security audits to see what’s what. The good news is that the auditing process is the same, regardless of the OS.
What You Need
To install and use Lynis, you’ll need either a running instance of Ubuntu Server (I’m using v22.04) or Rocky Linux (v9). You’ll also need a user with sudo privileges.
That’s all you need. Let’s get to the installation.
Installing Lynis
The installation of Lynis on both Ubuntu Server and Rocky Linux is similar.
To install Lynis on Ubuntu Server, the command is:
sudo apt-get install lynis -y
To install Lynis on Rocky Linux (or another RHEL clone), the command is:
sudo dnf install lynis -y
If you don’t want to fully install Lynis, you can do the following:
- Download the source from the official Lynis download page.
- Extract the downloaded file with the command tar xvzf lynis-XXX.tar.gz (where XXX is the release number).
- Change into the newly created directory with the command cd lynis.
Running a Security Audit with Lynis
We can now run our first security audit with Lynis. The basic command for the audit is:
sudo lynis audit system
You need to run the lynis command with sudo, otherwise you miss out on a number of checks. If you are using Lynis from source, the same command would be (run from within the lynis directory):
sudo ./lynis audit system
The command will execute all of the checks (based on what’s installed on the system) and will report (in most cases) considerable output, which will look something like this:
* Determine if protocol ‘tipc’ is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
https://cisofy.com/lynis/controls/HTTP-6640/
* Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
https://cisofy.com/lynis/controls/HTTP-6643/
* Consider hardening SSH configuration [SSH-7408]
– Details : AllowTcpForwarding (set YES to NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
– Details : ClientAliveCountMax (set 3 to 2)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
– Details : Compression (set YES to NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
– Details : LogLevel (set INFO to VERBOSE)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
– Details : MaxAuthTries (set 6 to 3)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
– Details : MaxSessions (set 10 to 2)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
– Details : Port (set 22 to )
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
– Details : TCPKeepAlive (set YES to NO)
https://cisofy.com/lynis/controls/SSH-7408/
As you can see, when Lynis finds a possible issue, it will offer a suggestion by way of a link. Open any one of those links to read a description of how to mitigate the issue.
One caveat to using Lynis is the output can be fairly lengthy. If you’re on a headless server (or using it via a remote cloud host), you might not have the ability to scroll through the output. Fortunately, Lynis also writes to a log file at /var/log/lynis.log. You can view the log file with the command:
sudo less /var/log/lynis.log
Scroll through the file to see if you find anything that must be taken care of immediately.
Keep in mind, however, that each time you run Lynis it will overwrite the log file. So make sure you either rename the previous log file (if you’ve not read through it) or move it. You can rename it with a command like:
sudo mv /var/log/lynis.log /var/log/lynis.log.old
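As an added example (not from the article or the Lynis project), here are a few shell helpers that turn the suggestion output shown above into one tab-separated record per finding, count findings per control ID, and archive the previous log under a timestamped name instead of letting the next run overwrite it. The function names are my own; the parser assumes the layout shown above (a line starting with `* text [CONTROL-ID]`, an optional `Details :` line, then the cisofy.com link).

```shell
#!/bin/sh
# Added example, not part of the article or of Lynis itself.
# Assumed suggestion layout (as printed by "lynis audit system"):
#   * <suggestion text> [<CONTROL-ID>]
#     - Details : <detail>            (optional)
#     https://cisofy.com/lynis/controls/<CONTROL-ID>/

# Print one record per finding: CONTROL-ID<TAB>suggestion<TAB>detail
# ("-" when the finding has no Details line). Reads files given as
# arguments, or stdin (e.g. "sudo lynis audit system | lynis_suggestions").
lynis_suggestions() {
    awk '
        /^[ \t]*\* .*\[[A-Z]+-[0-9]+\]/ {
            if (id != "") print id "\t" text "\t" detail   # flush previous
            line = $0
            sub(/^[ \t]*\* /, "", line)
            id = line;   sub(/.*\[/, "", id);  sub(/\].*/, "", id)
            text = line; sub(/ \[[A-Z]+-[0-9]+\].*/, "", text)
            detail = "-"
            next
        }
        /Details :/ {                        # works for "-" and en-dash bullets
            detail = $0
            sub(/.*Details : /, "", detail)
        }
        END { if (id != "") print id "\t" text "\t" detail }
    ' "$@"
}

# How many findings each control produced, most frequent first, so the
# repeated SSH-7408 entries above collapse into a single count.
lynis_control_counts() {
    lynis_suggestions "$@" | cut -f1 | sort | uniq -c | sort -rn
}

# Move the previous log aside under a timestamped name before the next
# audit overwrites it. Usage: archive_lynis_log [logfile]
# Prints the archived path; does nothing if there is no log yet.
archive_lynis_log() {
    log="${1:-/var/log/lynis.log}"
    [ -f "$log" ] || return 0
    stamp="$(date +%Y%m%d-%H%M%S)"
    mv "$log" "$log.$stamp" && printf '%s\n' "$log.$stamp"
}
```

Run `sudo sh -c '. ./lynis-helpers.sh; archive_lynis_log; lynis audit system >/dev/null; lynis_control_counts /var/log/lynis.log'` (assuming you saved the block as lynis-helpers.sh) to keep every audit's log and get a per-control summary of the latest one.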
You’ll probably find that Lynis reports that a lot needs to be done to harden your server, which can be rather daunting. Go through the Lynis log file, line by line, and mitigate anything you deem necessary, and your server will thank you by being considerably more secure than it was prior to using this tool.
Just remember, Lynis doesn’t fix things for you, it simply lets you know what needs to be addressed.