= Lynis Security Baseline with Lynis =
**Summary**: How to install and set up Lynis, a small, easy-to-use Linux security audit tool. \\
**Date**: Around 2015 \\
**Refactor**: 6 March 2025: Checked links and formatting. \\
{{tag>linux compliance}}
= Introduction =
Securing a Linux system can take a lot of time. For this purpose there is a tool called Lynis, a quick and small audit tool. It's an open source tool and freely available. You just need root permissions and a common shell and you're ready to do your first audit. This page describes how to install and use it on a Red Hat system.
= EPEL Repository =
Lynis is part of the EPEL repository for Red Hat, so as long as you have the EPEL repository enabled you can use yum to install the package.
In case you don't have EPEL (yet), follow these steps to add EPEL to your repositories:
* Download the EPEL repo package and key from http://mirror.serverbeheren.nl/epel/6/i386/repoview/epel-release.html
* Then install the package and import the key like this (the imported key is what lets yum verify the signatures of the packages it downloads from EPEL):
* {{{rpm -i epel-release-6-8.noarch.rpm}}}
* {{{rpm --import RPM-GPG-KEY-EPEL-6}}}
* Configure yum to be able to use a proxy by adding this line to the /etc/yum.conf file:
* {{{proxy=http://proxy.getshifting.com:8080}}}
= Install =
You can now install lynis using yum; currently this package is available:
[sjoerd@rhmgmtsrv ~]$ sudo yum info lynis
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Available Packages
Name : lynis
Arch : noarch
Version : 1.6.4
Release : 1.el6
Size : 160 k
Repo : epel
Summary : Security and system auditing tool
URL : http://cisofy.com/lynis/
License : GPLv3
Description : Lynis is an auditing and hardening tool for Unix/Linux and you might even call
: it a compliance tool. It scans the system and installed software. Then it
: performs many individual security control checks. It determines the hardening
: state of the machine, detects security issues and provides suggestions to
: improve the security defense of the system.
Now install the package:
[sjoerd@rhmgmtsrv ~]$ sudo yum install lynis
Loaded plugins: product-id, refresh-packagekit, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
Setting up Install Process
rhel-6-server-eus-rpms | 3.2 kB 00:00
rhel-6-server-optional-rpms | 3.5 kB 00:00
rhel-6-server-rpms | 3.7 kB 00:00
rhel-server-dts-6-rpms | 2.9 kB 00:00
rhel-server-dts2-6-rpms | 2.9 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package lynis.noarch 0:1.6.4-1.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================================
Installing:
lynis noarch 1.6.4-1.el6 epel 160 k
Transaction Summary
==============================================================================================================================================================================
Install 1 Package(s)
Total download size: 160 k
Installed size: 862 k
Is this ok [y/N]: y
Downloading Packages:
lynis-1.6.4-1.el6.noarch.rpm | 160 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : lynis-1.6.4-1.el6.noarch 1/1
rhel-6-server-eus-rpms/productid | 1.7 kB 00:00
rhel-6-server-rpms/productid | 1.7 kB 00:00
Verifying : lynis-1.6.4-1.el6.noarch 1/1
Installed:
lynis.noarch 0:1.6.4-1.el6
Complete!
= First Time Use =
For the first time it is recommended to run Lynis manually. You can do this in two ways: confirming every check as it runs, or without confirmation:
* Manually, confirming every check:
* {{{sudo lynis -c}}}
* Manually without confirming every check:
* {{{sudo lynis -c -Q}}}
Either way this produces output like this (somewhat trimmed):
[sjoerd@rhmgmtsrv ~]$ sudo lynis -c
[ Lynis 1.6.4 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
Copyright 2007-2014 - CISOfy & Michael Boelen, http://cisofy.com
Enterprise support and plugins available via CISOfy - http://cisofy.com
################################################################################
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Clearing log file (/var/log/lynis.log)... [ DONE ]
---------------------------------------------------
Program version: 1.6.4
Operating system: Linux
Operating system name: Red Hat
Operating system version: Red Hat Enterprise Linux Server release 6.5 (Santiago)
Kernel version: 2.6.32
Hardware platform: x86_64
Hostname: rhmgmtsrv
Auditor: [Unknown]
Profile: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/share/lynis/plugins
---------------------------------------------------
[ Press [ENTER] to continue, or [CTRL]+C to stop ]
- Checking profile file (/etc/lynis/default.prf)...
- Program update status... [ UNKNOWN ]
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
- /bin [ FOUND ]
- /sbin [ FOUND ]
- /usr/bin [ FOUND ]
- /usr/sbin [ FOUND ]
- /usr/local/bin [ FOUND ]
- /usr/local/sbin [ FOUND ]
- /usr/local/libexec [ FOUND ]
- /usr/libexec [ FOUND ]
......
================================================================================
-[ Lynis 1.6.4 Results ]-
Warnings:
----------------------------
- Nameserver 172.18.10.11 does not respond [NETW-2704]
http://cisofy.com/controls/NETW-2704/
- Nameserver 172.16.110.1 does not respond [NETW-2704]
http://cisofy.com/controls/NETW-2704/
- Couldn't find 2 responsive nameservers [NETW-2705]
http://cisofy.com/controls/NETW-2705/
Suggestions:
----------------------------
- Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
http://cisofy.com/controls/BOOT-5122/
......
- Harden the system by installing one or malware scanners to perform periodic file system scans [HRDN-7230]
http://cisofy.com/controls/HRDN-7230/
Follow-up:
----------------------------
- Check the logfile (less /var/log/lynis.log)
- Read security controls texts (http://cisofy.com)
- Use --upload to upload data (Lynis Enterprise users)
================================================================================
Lynis Scanner (details):
Hardening index : 54 [########## ]
Tests performed : 194
Plugins enabled : 0
Lynis Modules:
- Heuristics Check [NA] - Security Audit [V] - Vulnerability Scan [V]
Compliance Checks:
- HIPAA [NA] - PCI [NA] - SOx [NA]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Tip: Disable all tests which are not relevant or are too strict for the
purpose of this particular machine. This will remove unwanted suggestions
and also boost the hardening index. Each test should be properly analyzed
to see if the related risks can be accepted, before disabling the test.
================================================================================
Lynis 1.6.4
Copyright 2007-2014 - CISOfy & Michael Boelen, http://cisofy.com
Enterprise support and plugins available via CISOfy - http://cisofy.com
================================================================================
There are a few warnings and suggestions that will have to be solved, or excluded from testing. Either way, you should work with your security department to get it right.
= Run Lynis Periodically =
I want to run the Lynis test weekly so I can check each week what has changed over the week. I also want to create a monthly report of just the warnings to send to the security department.
In either case, the screen output must be usable as a report. For this I downloaded the ansi2html.sh script from [[http://www.pixelbeat.org/scripts/ansi2html.sh|here]] and placed it in /adminscripts. Don't forget to make it executable with {{{sudo chmod 750 ansi2html.sh}}}.
== Run Lynis Weekly ==
Then in /adminscripts create a script using {{{sudo vi lynisrun}}} with these lines:
{{{
#!/bin/bash
# Weekly Lynis run: capture the coloured screen output, convert it to HTML and mail it.
MAILTO="sjoerd_ @_ getshifting.com,it-department _@_ getshifting.com"
# Use a private temp directory: a predictable /tmp name is unsafe for a script cron runs as root.
WORKDIR=$(mktemp -d /tmp/lynisupdate.XXXXXX) || exit 1
trap 'rm -rf "${WORKDIR}"' 0 2 3 15
STAMP="$(hostname).$(date +%Y%m%d%H%M)"
LYNISFILE="${WORKDIR}/lynisupdate.${STAMP}.lynis"
HTMLFILE="${WORKDIR}/lynisupdate.${STAMP}.html"
# Non-interactive audit (-Q), tagged with an auditor name so the report shows who ran it
(cd /usr/bin; ./lynis -c -Q --auditor "automated") > "${LYNISFILE}"
# Convert the ANSI colour output to HTML for the mail attachment
/adminscripts/ansi2html.sh --bg=dark < "${LYNISFILE}" > "${HTMLFILE}"
# Mail report
echo "See attachment" | mailx -s "Weekly Lynis security check $(date) for $(hostname)" -a "${HTMLFILE}" $MAILTO
}}}
Then make the file executable using {{{sudo chmod 750 lynisrun}}} and schedule it using {{{sudo crontab -e}}}:
{{{
# Run lynis every Monday at 05:00
0 5 * * 1 /adminscripts/lynisrun
}}}
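For the monthly warnings-only summary mentioned above, the saved screen output of the weekly run can be filtered instead of being mailed whole. The script below is an added example, not a script from the original page or from the Lynis project: it strips the ANSI colour codes Lynis writes to the terminal (the reason ansi2html.sh is needed for the HTML report), prints only the items of the "Warnings:" block, counts them, and pulls out the hardening index. The sample report embedded in it is constructed from the trimmed output shown earlier, and the function names (strip_ansi, lynis_warnings, lynis_warning_count, lynis_hardening_index) are my own, not Lynis options.

```shell
#!/bin/bash
# Added example: filter a saved "lynis -c -Q" screen report down to its warnings.
# Not part of the original page or of Lynis; function names are this example's own.

ESC=$(printf '\033')

# Remove ANSI SGR escapes (ESC [ ... m) so the plain text can be matched.
strip_ansi() {
    sed "s/${ESC}\[[0-9;]*m//g"
}

# Print the items of the "Warnings:" section, one per line, without the
# leading "- ". Stops at the "Suggestions:" header or at a separator line.
lynis_warnings() {
    strip_ansi < "$1" | awk '
        /^[[:space:]]*Warnings:/      { in_block = 1; next }
        /^[[:space:]]*Suggestions:/   { in_block = 0 }
        /^=+$/                        { in_block = 0 }
        in_block && /^[[:space:]]*- / { sub(/^[[:space:]]*- /, ""); print }
    '
}

# Number of warnings, which is what a monthly mail to the security department needs.
lynis_warning_count() {
    lynis_warnings "$1" | wc -l | tr -d ' '
}

# The numeric part of "Hardening index : 54 [##########          ]".
lynis_hardening_index() {
    strip_ansi < "$1" |
        sed -n 's/^[[:space:]]*Hardening index[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Constructed sample: a fragment of the results shown on this page, with one
# colour escape added in front of a warning to mimic real terminal output.
SAMPLE_REPORT=$(mktemp)
trap 'rm -f "${SAMPLE_REPORT}"' EXIT
cat > "${SAMPLE_REPORT}" <<EOF
================================================================================
  -[ Lynis 1.6.4 Results ]-
  Warnings:
  ----------------------------
  - ${ESC}[1;31mNameserver 172.18.10.11 does not respond [NETW-2704]${ESC}[0m
      http://cisofy.com/controls/NETW-2704/
  - Nameserver 172.16.110.1 does not respond [NETW-2704]
      http://cisofy.com/controls/NETW-2704/
  - Couldn't find 2 responsive nameservers [NETW-2705]
      http://cisofy.com/controls/NETW-2705/
  Suggestions:
  ----------------------------
  - Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
      http://cisofy.com/controls/BOOT-5122/
================================================================================
  Lynis Scanner (details):
  Hardening index : 54 [##########          ]
  Tests performed : 194
EOF

# Stand-alone usage on the constructed sample.
lynis_warnings "${SAMPLE_REPORT}"
echo "warnings: $(lynis_warning_count "${SAMPLE_REPORT}"), hardening index: $(lynis_hardening_index "${SAMPLE_REPORT}")"
```

Point lynis_warnings at the .lynis file the weekly script produces (keep a copy outside the temporary directory for that) and it yields exactly the lines a monthly mail needs. An empty warnings list with a hardening index present means the run had no warnings; an empty hardening index means the file is not a complete Lynis report and the run itself should be checked.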
= Run Lynis Monthly with only a Summary for Multiple Servers =
....
= Useful Links =
* http://linux-audit.com/securing-linux-audit-lynis/
* http://cisofy.com