Security Baseline with Lynis
Summary: How to install and set up Lynis, a small, easy-to-use Linux security audit tool.
Date: Around 2015
Refactor: 6 March 2025: Checked links and formatting.
Introduction
Securing a Linux system can take a lot of time. Lynis, a quick and small audit tool, helps with that. It is open source and freely available. You only need root permissions and a common shell to run your first audit. This page describes how to install and use it on a Red Hat system.
EPEL Repository
Lynis is part of the EPEL repository for Red Hat, so as long as you have the EPEL repository enabled you can use yum to install the package.
In case you don't have EPEL (yet), follow these steps to add EPEL to your repositories:
- Download the EPEL repo package and key from http://mirror.serverbeheren.nl/epel/6/i386/repoview/epel-release.html
- Then install the package and import the key like this:
  rpm -i epel-release-6-8.noarch.rpm
  rpm --import RPM-GPG-KEY-EPEL-6
- Configure yum to be able to use a proxy by adding this line to the /etc/yum.conf file:
  proxy=http://proxy.getshifting.com:8080
Install
You can now install Lynis using yum; at the time of writing this package was available:
[sjoerd@rhmgmtsrv ~]$ sudo yum info lynis
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Available Packages
Name        : lynis
Arch        : noarch
Version     : 1.6.4
Release     : 1.el6
Size        : 160 k
Repo        : epel
Summary     : Security and system auditing tool
URL         : http://cisofy.com/lynis/
License     : GPLv3
Description : Lynis is an auditing and hardening tool for Unix/Linux and you might even call
            : it a compliance tool. It scans the system and installed software. Then it
            : performs many individual security control checks. It determines the hardening
            : state of the machine, detects security issues and provides suggestions to
            : improve the security defense of the system.
Now install the package:
[sjoerd@rhmgmtsrv ~]$ sudo yum install lynis
Loaded plugins: product-id, refresh-packagekit, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
Setting up Install Process
rhel-6-server-eus-rpms                                   | 3.2 kB     00:00
rhel-6-server-optional-rpms                              | 3.5 kB     00:00
rhel-6-server-rpms                                       | 3.7 kB     00:00
rhel-server-dts-6-rpms                                   | 2.9 kB     00:00
rhel-server-dts2-6-rpms                                  | 2.9 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package lynis.noarch 0:1.6.4-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch            Version                Repository       Size
================================================================================
Installing:
 lynis            noarch          1.6.4-1.el6            epel            160 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 160 k
Installed size: 862 k
Is this ok [y/N]: y
Downloading Packages:
lynis-1.6.4-1.el6.noarch.rpm                             | 160 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : lynis-1.6.4-1.el6.noarch                                    1/1
rhel-6-server-eus-rpms/productid                         | 1.7 kB     00:00
rhel-6-server-rpms/productid                             | 1.7 kB     00:00
  Verifying  : lynis-1.6.4-1.el6.noarch                                    1/1

Installed:
  lynis.noarch 0:1.6.4-1.el6

Complete!
First Time Use
For the first run it is recommended to start Lynis manually. You can do this in two ways, confirming every check or not:
- Manually, confirming every check:
  sudo lynis -c
- Manually, without confirming every check:
  sudo lynis -c -Q
Either way this produces output like the following (somewhat trimmed):
[sjoerd@rhmgmtsrv ~]$ sudo lynis -c

[ Lynis 1.6.4 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  Copyright 2007-2014 - CISOfy & Michael Boelen, http://cisofy.com
  Enterprise support and plugins available via CISOfy - http://cisofy.com
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Clearing log file (/var/log/lynis.log)...                 [ DONE ]

  ---------------------------------------------------
  Program version:           1.6.4
  Operating system:          Linux
  Operating system name:     Red Hat
  Operating system version:  Red Hat Enterprise Linux Server release 6.5 (Santiago)
  Kernel version:            2.6.32
  Hardware platform:         x86_64
  Hostname:                  rhmgmtsrv
  Auditor:                   [Unknown]
  Profile:                   /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /usr/share/lynis/plugins
  ---------------------------------------------------
[ Press [ENTER] to continue, or [CTRL]+C to stop ]

  - Checking profile file (/etc/lynis/default.prf)...
  - Program update status...                                  [ UNKNOWN ]

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
    - /bin                                                    [ FOUND ]
    - /sbin                                                   [ FOUND ]
    - /usr/bin                                                [ FOUND ]
    - /usr/sbin                                               [ FOUND ]
    - /usr/local/bin                                          [ FOUND ]
    - /usr/local/sbin                                         [ FOUND ]
    - /usr/local/libexec                                      [ FOUND ]
    - /usr/libexec                                            [ FOUND ]

...<cut>...

================================================================================

  -[ Lynis 1.6.4 Results ]-

  Warnings:
  ----------------------------
  - Nameserver 172.18.10.11 does not respond [NETW-2704]
      http://cisofy.com/controls/NETW-2704/
  - Nameserver 172.16.110.1 does not respond [NETW-2704]
      http://cisofy.com/controls/NETW-2704/
  - Couldn't find 2 responsive nameservers [NETW-2705]
      http://cisofy.com/controls/NETW-2705/

  Suggestions:
  ----------------------------
  - Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
      http://cisofy.com/controls/BOOT-5122/
  ...<cut>...
  - Harden the system by installing one or malware scanners to perform periodic file system scans [HRDN-7230]
      http://cisofy.com/controls/HRDN-7230/

  Follow-up:
  ----------------------------
  - Check the logfile (less /var/log/lynis.log)
  - Read security controls texts (http://cisofy.com)
  - Use --upload to upload data (Lynis Enterprise users)

================================================================================

  Lynis Scanner (details):

  Hardening index : 54 [##########          ]
  Tests performed : 194
  Plugins enabled : 0

  Lynis Modules:
  - Heuristics Check   [NA]
  - Security Audit     [V]
  - Vulnerability Scan [V]

  Compliance Checks:
  - HIPAA              [NA]
  - PCI                [NA]
  - SOx                [NA]

  Files:
  - Test and debug information : /var/log/lynis.log
  - Report data                : /var/log/lynis-report.dat

================================================================================

  Tip: Disable all tests which are not relevant or are too strict for the purpose
  of this particular machine. This will remove unwanted suggestions and also boost
  the hardening index. Each test should be properly analyzed to see if the related
  risks can be accepted, before disabling the test.

================================================================================
  Lynis 1.6.4
  Copyright 2007-2014 - CISOfy & Michael Boelen, http://cisofy.com
  Enterprise support and plugins available via CISOfy - http://cisofy.com
================================================================================
There are a few warnings and suggestions that will have to be resolved, or excluded from testing. Either way, work with your security department to get it right.
Run Lynis Periodically
I want to run the Lynis test weekly so I can check for things that have changed over the week. Also, I want to create a monthly report of just the warnings to send to the security department.
One requirement either way is to be able to use the screen output as a report. For this I downloaded the ansi2html.sh script from here and placed it in /adminscripts. Don't forget to make it executable with sudo chmod 750 ansi2html.sh.
Run Lynis Weekly
Then in /adminscripts create a script using sudo vi lynisrun with these lines:
#!/bin/bash
MAILTO="sjoerd_ @_ getshifting.com,it-department _@_ getshifting.com"
TMPFILE=/tmp/lynisupdate.`hostname`.`date +%Y%m%d%H%M`
LYNISFILE=${TMPFILE}.lynis
HTMLFILE=${TMPFILE}.html

# Remove the temporary files on exit, interrupt or termination
trap "rm -f /tmp/lynisupdate.*" 0 2 3 15

# Run a full, non-interactive audit and capture the (coloured) screen output
(cd /usr/bin; ./lynis -c -Q --auditor "automated" ) > ${LYNISFILE}

# Convert the ANSI coloured output to HTML
/adminscripts/ansi2html.sh --bg=dark < ${LYNISFILE} > ${HTMLFILE}

# Mail report
echo "See attachment" | mailx -s "Weekly Lynis security check `date` for `hostname`" -a ${HTMLFILE} $MAILTO
Then make the file executable using sudo chmod 750 lynisrun and schedule it using sudo crontab -e:
# Run lynis every monday at 05:00
0 5 * * 1 /adminscripts/lynisrun
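The monthly report mentioned above only needs the warnings. As an added example (not from the original page and not part of Lynis), this POSIX shell script extracts the Warnings section from a saved lynis output file such as the ${LYNISFILE} written by lynisrun; the sample output file is constructed inline and the result layout is assumed to match the run shown earlier.

```shell
#!/bin/sh
# Added example, not part of the original page or of Lynis: pull only the Warnings
# section out of a captured "lynis -c -Q" output file. Assumes the result layout
# shown above: a "Warnings:" header, "- <message> [TEST-ID]" lines, then a
# "Suggestions:" header.

# Lynis colours its output, so a captured file contains ANSI escape sequences;
# remove them before matching. Reads stdin, writes stdout.
strip_ansi() {
    sed "s/$(printf '\033')\[[0-9;]*[A-Za-z]//g"
}

# Print one line per warning as "TEST-ID<TAB>message", reading lynis output from stdin.
lynis_warnings() {
    strip_ansi | awk '
        /^ *Warnings:/    { in_w = 1; next }
        /^ *Suggestions:/ { in_w = 0 }
        in_w && /^ *- / {
            line = $0
            sub(/^ *- /, "", line)
            # the control id sits in brackets at the end of the warning line
            if (match(line, /\[[A-Z]+-[0-9]+\]/)) {
                id  = substr(line, RSTART + 1, RLENGTH - 2)
                msg = substr(line, 1, RSTART - 1)
                sub(/ +$/, "", msg)
                print id "\t" msg
            }
        }'
}

# Number of warnings in one saved output file (argument: path).
lynis_warning_count() {
    lynis_warnings < "$1" | wc -l | tr -d ' '
}

# Constructed sample of a captured run, with colour codes as lynis emits them.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' 0
{
    printf '  \033[1;33mWarnings:\033[0m\n  ----------------------------\n'
    printf '  - \033[1;31mNameserver 172.18.10.11 does not respond\033[0m [NETW-2704]\n'
    printf '      http://cisofy.com/controls/NETW-2704/\n'
    printf "  - \033[1;31mCouldn't find 2 responsive nameservers\033[0m [NETW-2705]\n"
    printf '      http://cisofy.com/controls/NETW-2705/\n\n'
    printf '  \033[1;33mSuggestions:\033[0m\n  ----------------------------\n'
    printf '  - Set a password on GRUB bootloader [BOOT-5122]\n'
} > "$SAMPLE"

lynis_warnings < "$SAMPLE"
```

Feeding several saved files from different hosts through lynis_warning_count gives the per-server totals for the monthly mail.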
Run Lynis Monthly with only a Summary for Multiple Servers
….