What is Lynis?

Lynis is a security auditing tool developed for Linux, macOS and other UNIX-based systems. It is used for an in-depth security scan of a host. You can download it from https://packages.cisofy.com.


Prerequisites:

1. Basic knowledge of Linux security.

2. How to use a Linux terminal.

3. Root access is preferable.

4. Working internet connection.


Installing Lynis on Kali Linux

It can be installed via the package manager:

$ sudo apt install lynis

This way Lynis can be started from anywhere, but the packaged version may not be the latest one.

Alternatively, clone the git version to your system and run it from inside the cloned directory. It can then only be started from that directory, but the version will be the latest available one:

$ git clone https://github.com/CISOfy/lynis

Now go to the lynis folder you just cloned from git:

$ cd lynis

Check the version of Lynis with the command:

$ ./lynis show version

Running a Lynis Audit

Running a Lynis audit is very straightforward: a single command does all the work. How you launch the scan, however, depends on how Lynis was installed. If it was installed via a package manager such as apt on Ubuntu, it can be started from anywhere on the system. Just open a terminal and run the command below:

$ lynis audit system -Q

If it was installed via git, start it from its own directory using the command below:

$ ./lynis audit system -Q

Running the above command starts the scan in non-privileged mode, in which some automated tests will not be performed. To get an in-depth scan result, run it with root privileges. To avoid entering sudo every time, enter:

$ sudo su

Lynis refuses to run as root from a directory whose files are not owned by root, so for the git clone first hand the cloned directory over to root (the commands below assume you are still inside the lynis directory), then start the audit:

# cd ..

# chown -R 0:0 lynis

# cd lynis

# ./lynis audit system -Q

The last command starts Lynis in privileged mode. Now wait for the scan to complete.

Interpreting the audit results

The scan results are very descriptive and most of them are easy to interpret. If you cannot make sense of a particular result, use the following command, replacing test-id with the test ID printed next to that result:

$ sudo lynis show details test-id

This gives you in-depth information on that specific warning. Alternatively, each suggestion comes with a link to the CISOfy website that contains the description for that particular suggestion.

Let us now take a closer look at the audit results. The program begins with a general system audit: detecting the OS name, its type and version, the CPU architecture, the hostname and so on. It also displays the locations where different files will be stored: profiles, log files, the report file and the plugin directory. It also mentions the auditor's name, the language of the audit and Lynis update information. As you can see, there are several sections on which Lynis performs its audit. Some of the important sections are:

Lynis provides extra plugins in its enterprise edition for more extensive audits. Each plugin contains one or more tests.

Debian tests include checks for system binaries, authentication via PAM, file system checks and required software.

The Boot and services section is a very important one. It shows the type of service manager on the system (systemd or SysV init), how many services are running, how many of them are enabled, and their security status, that is whether they are unsafe, exposed, protected or moderately secure. It also shows whether GRUB is protected or not.

The kernel is another critical element to care about. Lynis checks the run level of the system, the kernel version, its type and other kernel-related settings.

The Memory and Processes section is where Lynis looks for processes that are dead or hung in a waiting state.

There is much more to a Lynis audit; the few sections described above are just an overview of the huge amount of information Lynis leaves you with. Now we turn our attention to the last vital section: warnings and suggestions. A Lynis audit concludes with zero or more warnings and a number of suggestions to harden your system. At the end it gives a hardening index to evaluate your system's security.
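The warnings, suggestions and hardening index are also written to the report file whose location Lynis prints at the start of the audit (/var/log/lynis-report.dat by default), one key=value line each. The script below is an added example, not part of the article or of Lynis itself: it parses that file, lists the findings with the test IDs you can pass to "lynis show details", and applies an assumed minimum hardening index as a pass/fail gate. The report contents are a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example: summarise a Lynis report file and gate on its results.
# Lynis writes the report as key=value lines; each finding is one
# "warning[]=" or "suggestion[]=" line with '|'-separated fields:
#   TEST-ID|message|details|solution|
# The report below is a CONSTRUCTED sample, not output of a real audit.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
lynis_version=3.0.8
hostname=kali-lab
hardening_index=64
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration|-|-|
suggestion[]=DEB-0831|Install debsums utility for the verification of packages with known good database.|-|-|
EOF

# Print the value of a scalar key such as hardening_index.
report_value() {            # $1 = key, $2 = report file
    sed -n "s/^$1=//p" "$2"
}

# List findings of one kind ("warning" or "suggestion") as "TEST-ID: message".
report_findings() {         # $1 = kind, $2 = report file
    sed -n "s/^$1\[\]=//p" "$2" | awk -F'|' '{ print $1 ": " $2 }'
}

# Count findings of one kind (0 when the report has none).
count_findings() {          # $1 = kind, $2 = report file
    report_findings "$1" "$2" | wc -l | tr -d ' '
}

# Gate: succeed only if there are no warnings and the hardening index
# meets the minimum given in $2 (the threshold is an assumption, tune it).
audit_passes() {            # $1 = report file, $2 = minimum hardening index
    idx="$(report_value hardening_index "$1")"
    [ "$(count_findings warning "$1")" -eq 0 ] && [ "${idx:-0}" -ge "$2" ]
}

echo "Hardening index: $(report_value hardening_index "$SAMPLE")"
echo "Warnings ($(count_findings warning "$SAMPLE")):"
report_findings warning "$SAMPLE"
echo "Suggestions ($(count_findings suggestion "$SAMPLE")):"
report_findings suggestion "$SAMPLE"
if audit_passes "$SAMPLE" 70; then
    echo "PASS"
else
    echo "FAIL: review each TEST-ID with 'lynis show details TEST-ID'"
fi
```

Point SAMPLE at the real report file after an audit to run the same summary on your own host.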

Concluding the story

A Lynis audit shows a lot of suggestions the very first time you run it. Instead of panicking, try to figure out what each warning or suggestion wants you to resolve. For example, while exploring them you will find that some only need a package to be installed. If you are not able to decode a test result, use its test ID in the command below; for example, for the test ID DEB-0831 the command is:

$ sudo lynis show details DEB-0831
