Hosting Websites on Bare Minimum VPS/Dedicated Servers

Lynis Overview & Installation

Tags: , , Date/Time: April 8, 2019 @ 9:29 am, by Frank Williams

Once a server is installed, you will want to keep a regular watch for points of vulnerability. Having a security auditing application will make this an easier task. Lynis is open source, server-based application that evaluates it for vulnerabilities and generates a report with the suggestions. You can then evaluate this and make necessary changes.

Before we get started, I must point out that security auditing takes a bit of time to review, revise and fine-tune before you get to the Goldilocks zone (neither too permissive nor too restrictive).

Why Lynis (Or Any Security Auditor for That Matter)?

One of the prime reasons you will need Lynis is to get compliance certified. By running a security audit you can prove to auditors that all necessary steps required for compliance are met. Other use cases for running Lynis are

  • Security auditing
  • Penetration testing
  • Vulnerability detection
  • System hardening

Lynis works on almost all UNIX based systems (including systems such as Raspberry Pi).

How It Works

Lynis works by identifying current components, applications and services and digging in further. This means that no additional installation of components. For e.g., if it detects the presence of MySQL, it will try to check if root user has an empty password. If yes, reports it. Likewise, each application or service has a list of tests that are performed against.

Some of the key controls validated include Authentication (checking for empty passwords, multiple root user IDs), certificate expiry, web services (missing error logs for nginx, for e.g.) and so on.

A typical scan involves the following

  • Initialization
  • Perform basic checks, such as file ownership
  • Determine operating system and tools
  • Search for available software components
  • Check latest Lynis version
  • Run enabled plugins
  • Run security tests per category
  • Perform execution of your custom tests (optional)
  • Report status of security scan

The report is displayed online and the scan log is also reported in a log file (lynis.log). Throughout the test process, Lynis runs hundreds of tests (mainly shell scripts) and is based on a given set of controls. Each test has a unique identifier. For e.g., the empty root password is control DBS-1816 Lynis is extensible, which means you can write your own controls.

It also means that the controls can be enabled or disabled based on your system needs. Tests run are defined based on profiles found in the folder /etc/lynis. The default is /etc/lynis/default.prf. If you want to skip a test create a custom.prf file. If you want to bypass the checks for HTTP servers nginx and apache, add the following entries

# contents of /etc/lynis/custom.prf

# Check if nginx is installed

skip-test=HTTP-6622

# Check if apache is installed

skip-test=HTTP-6702

Installation & Execution

Lynis is available as a package for most linux distributions and installation is a single command

# yum install lynis       # CentOS/RHEL

# apt-get install lynis   # Ubuntu/Debian

Running Lynis is as easy as running

# lynis audit system

Or

# lynis audit system --quick

(use the second one if you want to run a quick scan)

Other commands available are

Command Description
audit system Perform a system audit
show commands Show available Lynis commands
show help Provide a help screen
show profiles Display discovered profiles
show settings List all active settings from profiles
show version Display current Lynis version

The output from Lynis can be investigated further using the test ID

For e.g., if the output shows this

! Reboot of system is most likely needed [KRNL-5830]

- Solution : reboot

https://cisofy.com/controls/KRNL-5830/

You can find more about KRNL-5830 by

# lynis show details KRNL-5830

Conclusion

Lynis by default starts with running a lot of tests, as I mentioned earlier, you can skip some of them based on the custom profile. I would also advice to run this as a cronjob (daily/weekly) and review the audit logs on a regular basis.

No Comments

Leave a Reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Quoting webhostingtalk.com URL seems to get binned consistently here, but I do peek into the spam box frequently to publish those comments.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *