Linux Hardening with Lynis
Lynis is a powerful open source auditing tool for Unix/Linux-like operating systems. It scans the system for security information, general system information, installed software information, configuration mistakes, security issues, user accounts without passwords, wrong file permissions, firewall configuration, etc.
Lynis is also one of the most trusted automated auditing tools for software patch management, malware scanning and vulnerability detection in Unix/Linux-based systems. This tool is useful for auditors, network and system administrators, security specialists and penetration testers.
Installing Lynis in Ubuntu
This application doesn’t require any installation; it can be used directly from any directory. So, it’s a good idea to create a custom directory for Lynis:
sudo mkdir /usr/local/lynis
Download the stable version of Lynis from the website and unpack it:
cd /usr/local/lynis
sudo wget https://cisofy.com/files/lynis-2.4.0.tar.gz
Unpack the tarball:
sudo tar -xvf lynis-2.4.0.tar.gz
Running Lynis
You must be the root user to run Lynis, because it creates and writes output to the /var/log/lynis.log file. Therefore, to run Lynis, execute the following commands:
cd lynis
./lynis
Running ./lynis without any option prints a complete list of available parameters and returns to the shell prompt.
To start the Lynis analysis, you must pass the proper parameter to begin scanning your entire Linux system. Use the following command to start scanning:
sudo ./lynis audit system --quick
The "quick" option runs the scanner without any pauses between sections, which lets you run Lynis while you are doing other things.
Lynis Scanning Results
While scanning, you will see output as [OK] or [WARNING], where the first is considered a good result and the latter a bad one. You should take corrective steps to fix those issues after reading the logs at /var/log/lynis.log.
Ubuntu 16.04 LTS results:
Fedora Workstation 25 results:
CentOS 7-1611 Core results:
In most cases, the application provides suggestions to fix problems.
However, you should follow the provided links to get more info:
- https://cisofy.com/controls/AUTH-XXXX
- https://cisofy.com/controls/FILE-XXXX
- …
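To turn the log into a worklist, the findings can be pulled out of /var/log/lynis.log and paired with their control links. The script below is an added example, not part of Lynis or of the original post; the function names, the sample log lines and the assumed "Warning: ... [test:ID]" line format are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Lynis warnings and suggestions with their control URLs.
# Assumption: findings are logged as
#   "<date> <time> Warning: <text> [test:ID] [details:..] [solution:..]"
# (and the same with "Suggestion:"). Adjust the patterns if your log differs.

lynis_findings() {
    # $1 = path to the Lynis log (on a real host: /var/log/lynis.log)
    awk '
    / (Warning|Suggestion): / && /\[test:[A-Z]+-[0-9]+\]/ {
        kind = ($0 ~ / Warning: /) ? "WARNING" : "SUGGESTION"
        # Control ID from the [test:...] tag
        id = $0
        sub(/^.*\[test:/, "", id)
        sub(/\].*$/, "", id)
        # Message text between the label and the [test:...] tag
        msg = $0
        sub(/^.* (Warning|Suggestion): /, "", msg)
        sub(/ *\[test:.*$/, "", msg)
        # Report each finding once even if it is logged repeatedly
        key = kind "\t" id "\t" msg
        if (!(key in seen)) {
            seen[key] = 1
            printf "%s\t%s\t%s\thttps://cisofy.com/controls/%s\n", kind, id, msg, id
        }
    }' "$1" | LC_ALL=C sort -t "$(printf '\t')" -k1,1r -k2,2   # warnings first
}

sample_log() {
    # Constructed sample lines, not output captured from a real scan
    cat <<'EOF'
2017-01-10 09:00:01 Performing test ID AUTH-9308 (Check single user mode)
2017-01-10 09:00:03 Suggestion: Install a file integrity tool [test:FINT-4350] [details:-] [solution:-]
2017-01-10 09:00:04 Warning: No password set for single mode [test:AUTH-9308] [details:-] [solution:-]
2017-01-10 09:00:05 Result: file permissions OK
2017-01-10 09:00:06 Suggestion: Set a password on GRUB bootloader [test:BOOT-5122] [details:-] [solution:-]
2017-01-10 09:00:07 Suggestion: Install a file integrity tool [test:FINT-4350] [details:-] [solution:-]
EOF
}

# Demo on the constructed sample; the output is tab-separated:
# kind, control ID, message, control URL.
demo=$(mktemp) && sample_log > "$demo" && lynis_findings "$demo"
rm -f "$demo"
```

On a scanned host, run `lynis_findings /var/log/lynis.log` as root and work through the WARNING lines first.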
Updating Lynis
Lynis is often updated, so you should check the status of your version on a regular basis:
./lynis update info
If outdated, go to the Cisofy downloads page and get the latest version.