How to Audit Your Linux System’s Security with Lynis


If you perform a security audit on your Linux computer with Lynis, it will ensure your machine is as protected as it can be. Security is everything for internet-connected devices, so here’s how to make sure yours are safely locked down.

How Secure Is Your Linux Computer?

Lynis performs a suite of automated tests that thoroughly inspect many system components and settings of your Linux operating system. It presents its findings in a color-coded ASCII report as a list of graded warnings, suggestions, and actions that should be taken.

Cybersecurity is a balancing act. Outright paranoia isn’t useful to anyone, so how concerned should you be? If you only visit reputable web sites, don’t open attachments or follow links in unsolicited emails, and use different, robust passwords for all the systems you log in to, what danger remains? Especially when you’re using Linux?

Let’s address those in reverse. Linux isn’t immune to malware. In fact, the very first computer worm was designed to target Unix computers in 1988. Rootkits were named after the Unix superuser (root) and the collection of software (kits) with which they install themselves to evade detection. A rootkit gives the threat actor (i.e., the bad guy) superuser access to the machine.

Why are they named after root? Because the first rootkit was released in 1990 and targeted Sun Microsystems machines running the SunOS flavor of Unix.

So, malware got its start on Unix. It jumped the fence when Windows took off and hogged the limelight. But now that Linux runs the world, it’s back. Linux and Unix-like operating systems, like macOS, are getting the full attention of threat actors.

What danger remains if you’re careful, sensible, and mindful when you use your computer? The answer is long and detailed. To condense it somewhat, cyberattacks are many and varied. They’re capable of doing things that, just a short while ago, were considered impossible.

Rootkits, like Ryuk, can infect computers when they’re turned off by compromising the wake-on-LAN monitoring functions. Proof-of-concept code has also been developed. A successful “attack” was demonstrated by researchers at Ben-Gurion University of the Negev that would allow threat actors to exfiltrate data from an air-gapped computer.

It’s impossible to predict what cyberthreats will be capable of in the future. However, we do understand which points in a computer’s defenses are vulnerable. Regardless of the nature of present or future attacks, it only makes sense to plug those gaps in advance.

Of the total number of cyberattacks, only a small percentage are consciously targeted at specific organizations or individuals. Most threats are indiscriminate because malware doesn’t care who you are. Automated port-scanning and other techniques just seek out vulnerable systems and attack them. You nominate yourself as a victim by being vulnerable.

And that’s where Lynis comes in.

Installing Lynis

To install Lynis on Ubuntu, run the following command:

sudo apt-get install lynis


On Fedora, type:

sudo dnf install lynis


On Manjaro, you use pacman:

sudo pacman -Sy lynis


Conducting an Audit

Lynis is terminal-based, so there’s no GUI. To start an audit, open a terminal window. Click and drag it to the edge of your monitor to make it snap to full height or stretch it as tall as it can go. There’s a lot of output from Lynis, so the taller the terminal window is, the easier it will be to review.

It’s also more convenient if you open a terminal window specifically for Lynis. You’ll be scrolling up and down a lot, so not having to deal with the clutter of previous commands will make navigating the Lynis output easier.

To start the audit, type this refreshingly straightforward command:

sudo lynis audit system


Category names, test titles, and results will scroll in the terminal window as each category of tests is completed. An audit only takes a few minutes at most. When it’s finished, you’ll be returned to the command prompt. To review the findings, just scroll the terminal window.

The first section of the audit detects the version of Linux, kernel release, and other system details.

System detection section of a Lynis audit report in a terminal window.

Areas that need to be looked at are highlighted in amber (suggestions) and red (warnings that should be addressed).

Below is an example of a warning. Lynis has analyzed the postfix mail server configuration and flagged something to do with the banner. We can get more details of exactly what it found and why it might be an issue later.

Email and messaging category results in a Lynis audit report in a terminal window.

Below, Lynis warns us that the firewall isn’t configured on the Ubuntu virtual machine we’re using.

Firewalls category results in a Lynis audit report in a terminal window.

Scroll through your results to see what Lynis flagged. At the bottom of the audit report, you’ll see a summary screen.

Lynis audit report summary screen in a terminal window.

The “Hardening Index” is your exam score. We got 56 out of 100, which isn’t great. There were 222 tests performed and one Lynis plugin is enabled. If you go to the Lynis Community Edition plugin download page and subscribe to the newsletter, you’ll get links to more plugins.

There are many plugins, including some for auditing against standards, such as GDPR, ISO27001, and PCI-DSS.

A green V represents a check mark. You might also see amber question marks and red X’s.

We have green check marks because we have a firewall and malware scanner. For test purposes, we also installed rkhunter, a rootkit detector, to see whether Lynis would discover it. As you can see above, it did; we got a green check mark next to “Malware Scanner.”

The compliance status is unknown because the audit didn’t use a compliance plugin. The security and vulnerability modules were used in this test.

Two files are generated: a log file and a data file. The data file, located at “/var/log/lynis-report.dat,” is the one we’re interested in. It contains a copy of the results (without the color highlighting) that we can see in the terminal window. Keeping these files from each run comes in handy for seeing how your hardening index improves over time.
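To track the hardening index across runs, here is a small added script (not part of the article or of Lynis itself) that summarises a report data file and compares two runs. It assumes the data file is a list of key=value lines using the keys hardening_index, lynis_tests_done, warning[] and suggestion[]; the function names and the cut-down sample reports are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article. Summarise a Lynis report data file and
# compare the hardening index between two runs. The key=value layout assumed
# here should be checked against your own /var/log/lynis-report.dat.
# Print the value of a single key (empty if the key is missing).
lynis_value() {        # usage: lynis_value FILE KEY
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}
# Count list entries such as warning[] or suggestion[] (prints 0 if none).
lynis_count() {        # usage: lynis_count FILE KEY
    grep -c "^$2\[]=" "$1" || true
}
# One-line summary of a run.
lynis_summary() {      # usage: lynis_summary FILE
    printf 'index=%s tests=%s warnings=%s suggestions=%s\n' \
        "$(lynis_value "$1" hardening_index)" \
        "$(lynis_value "$1" lynis_tests_done)" \
        "$(lynis_count "$1" warning)" \
        "$(lynis_count "$1" suggestion)"
}
# Report whether the hardening index improved, regressed or stayed flat.
lynis_trend() {        # usage: lynis_trend OLD_FILE NEW_FILE
    old=$(lynis_value "$1" hardening_index)
    new=$(lynis_value "$2" hardening_index)
    if [ "$new" -gt "$old" ]; then echo "improved ($old -> $new)"
    elif [ "$new" -lt "$old" ]; then echo "regressed ($old -> $new)"
    else echo "unchanged ($old)"; fi
}
# Constructed, cut-down sample reports (test IDs are placeholders) so the
# script runs offline; point the functions at the real file on your system.
LYNIS_BEFORE=$(mktemp); LYNIS_AFTER=$(mktemp)
cat > "$LYNIS_BEFORE" <<'EOF'
hardening_index=56
lynis_tests_done=222
warning[]=TEST-0001|Version of Lynis is very old and should be updated|-|-|
warning[]=TEST-0002|Found some information disclosure in SMTP banner|-|-|
suggestion[]=TEST-0003|Consider hardening the USB kernel drivers|-|-|
EOF
cat > "$LYNIS_AFTER" <<'EOF'
hardening_index=58
lynis_tests_done=222
warning[]=TEST-0001|Version of Lynis is very old and should be updated|-|-|
suggestion[]=TEST-0003|Consider hardening the USB kernel drivers|-|-|
EOF
lynis_summary "$LYNIS_BEFORE"; lynis_summary "$LYNIS_AFTER"
lynis_trend "$LYNIS_BEFORE" "$LYNIS_AFTER"
```

Copy /var/log/lynis-report.dat to a dated file after each audit and feed two of those copies to lynis_trend to see the direction of travel.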

If you scroll backward in the terminal window, you’ll see a list of suggestions and another of warnings. The warnings are the “big ticket” items, so we’ll look at those.

A warnings section in a Lynis audit report in a terminal window.

These are the five warnings:

  • “Version of Lynis is very old and should be updated”: This is actually the newest version of Lynis in the Ubuntu repositories. Although it’s only 4 months old, Lynis considers this very old. The versions in the Manjaro and Fedora packages were newer. Updates in package managers are always likely to be slightly behind. If you really want the latest version, you can clone the project from GitHub and keep it synchronized.
  • “No password set for single mode”: Single-user mode is a recovery and maintenance mode in which only the root user is active. No password is set for this mode by default.
  • “Couldn’t find 2 responsive nameservers”: Lynis tried to communicate with two DNS servers, but was unsuccessful. This is a warning that if the current DNS server failed, there’d be no automatic failover to another.
  • “Found some information disclosure in SMTP banner”: Information disclosure happens when applications or network equipment give away their make and model numbers (or other info) in standard replies. This can give threat actors or automated malware insight into the types of vulnerability to check for. Once they’ve identified the software or device they’ve connected to, a simple lookup will find the vulnerabilities they can try to exploit.
  • “iptables module(s) loaded, but no rules active”: The Linux firewall is up and running, but there are no rules set for it.

Clearing Warnings

Each warning has a link to a webpage that describes the issue and what you can do to remedy it. Just hover your mouse pointer over one of the links, and then press Ctrl and click it. Your default browser will open on the webpage for that message or warning.

The page below opened for us when we Ctrl+clicked on the link for the fourth warning we covered in the previous section.

A Lynis audit warning web page.

You can review each of these and decide which warnings to address.

The web page above explains that the default snippet of information (the “banner”) sent to a remote system when it connects to the postfix mail server configured on our Ubuntu computer is too verbose. There’s no benefit to offering too much information—in fact, that’s often used against you.

The web page also tells us the banner resides in “/etc/postfix/main.cf.” It advises us that it should be trimmed back to only show “$myhostname ESMTP.”

We type the following to edit the file as Lynis recommends:

sudo gedit /etc/postfix/main.cf


We locate the line in the file that defines the banner.

postfix main.cf file in a gedit editor with the smtp_banner line highlighted.

We edit it to show only the text Lynis recommended.

postfix main.cf file in a gedit editor with the edited smtp_banner line highlighted.

We save our changes and close gedit. We now need to restart the postfix mail server for the changes to take effect:

sudo systemctl restart postfix
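The same edit can be scripted and checked rather than made by hand in gedit. The following is an added example (not from the article, and not part of Postfix or Lynis): it rewrites the smtp_banner line in a main.cf-style file to the “$myhostname ESMTP” value the Lynis page recommends and verifies the result. The function names and the sample config excerpt are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article. Trims the Postfix smtp_banner to the
# value Lynis recommends by editing a main.cf-style file directly, so the fix
# can be scripted and verified instead of done by hand in gedit.
# Print the current smtp_banner value (empty if the file does not set one).
postfix_banner() {        # usage: postfix_banner FILE
    sed -n 's/^[[:space:]]*smtp_banner[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}
# Rewrite (or add) the smtp_banner line. A .bak copy is kept beside the file;
# sed writes to a temp file rather than using -i so it works with any sed.
postfix_trim_banner() {   # usage: postfix_trim_banner FILE
    cp "$1" "$1.bak"
    if grep -q '^[[:space:]]*smtp_banner[[:space:]]*=' "$1"; then
        sed 's/^[[:space:]]*smtp_banner[[:space:]]*=.*/smtp_banner = $myhostname ESMTP/' \
            "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'smtp_banner = $myhostname ESMTP\n' >> "$1"
    fi
}
# Return 0 when the banner reveals nothing beyond the hostname and ESMTP.
postfix_banner_ok() {     # usage: postfix_banner_ok FILE
    [ "$(postfix_banner "$1")" = '$myhostname ESMTP' ]
}
# Constructed main.cf excerpt (not a real config); the verbose banner line is
# the default shipped by Ubuntu's postfix package, which reveals the product.
MAIN_CF=$(mktemp)
cat > "$MAIN_CF" <<'EOF'
myhostname = mail.example.test
smtp_banner = $myhostname ESMTP $mail_name (Ubuntu)
inet_interfaces = all
EOF
BANNER_BEFORE=$(postfix_banner "$MAIN_CF")
postfix_trim_banner "$MAIN_CF"
BANNER_AFTER=$(postfix_banner "$MAIN_CF")
echo "before: $BANNER_BEFORE"; echo "after:  $BANNER_AFTER"
# On a live system the equivalent edit is: postconf -e 'smtp_banner = $myhostname ESMTP'
# followed by: systemctl restart postfix (run both with sudo).
```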


Now, let’s run Lynis once more and see if our changes have had an effect.

sudo lynis audit system

The “Warnings” section now only shows four. The one referring to postfix is gone.

warnings section of a Lynis audit report, in a terminal window.

One down, and just four more warnings and 50 suggestions to go!

How Far Should You Go?

If you’ve never done any system hardening on your computer, you’ll likely have roughly the same number of warnings and suggestions. You should review them all and, guided by the Lynis webpages for each, make a judgment call about whether to address it.

The textbook method, of course, would be to try to clear them all. That might be easier said than done, though. Plus, some of the suggestions might be overkill for the average home computer.

Blacklist the USB kernel drivers to disable USB access when you’re not using it? For a mission-critical computer that provides a sensitive business service, this might be necessary. But for an Ubuntu home PC? Probably not.

Author: admin
