Lynis: Walkthrough
Lynis is an open-source security audit tool used to check the security of Linux and UNIX based systems. Since it is self-hosted, it performs extensive security scans when compared to other vulnerability scanners. Lynis is a tool released by CISOFY.
Lynis works on a variety of UNIX-based systems such as:
11 courses, 8+ hours of training
Lynis can also be used to audit additional services such as:
- Apache
- Nginx
- Oracle Database
- MySQL
- PostgreSQL
Lynis can be downloaded from https://cisofy.com/download/lynis/
An important feature of Lynis is its Opportunistic Scanning which means that it only scans for what it comes across. Say the system you are scanning has an Apache server running on it. Lynis will scan for only the vulnerabilities related to Apache. While doing so, if it comes across an SSL/TLS configuration, only then it will scan for additional vulnerabilities thus saving time. In short, it will always perform a customized scan depending on the system.
Installation
Once downloaded, simply go into the folder and start by typing:
$ ./lyins
This will show us the various commands and options we can do with it:
To get further information, we can type:
$ ./lynis show options
Mainly, Lynis is used for the following purposes:
- System hardening
- Vulnerability detection and scanning
- Security auditing
- Compliance testing (PCI, HIPPA, SOx)
Additional plugins can be used to perform additional tests.
Running a Basic Scan
To run a basic scan on your system with Lynis, simply type:
$ ./lynis audit system
Note: By adding the parameter --quick will enable Lynis to run without any pauses and would enable us to work on other things while it scans.
Lynis will show us any important warnings that we might need to be aware of
as well as the location of the log files generated along with the report data.
How it works
- It starts off by detecting the Operating System
- It will then search for the available tools and utilities
- It will check whether Lynis needs to be updated
- It will run tests from enabled plugins
- It will run relevant tests for each category
- Finally, it will end by reporting the status of the scan
Sample of Log File
Sample of Report File
As you can see, Lynis includes impacts and suggestions (highlighted in blue) for anything that might be harmful to the system.
Running Specific Tests
Lynis also gives us the option to run specific tests on specific modules. However, we need to know the TEST ID of that tests. To do that, we do need to have a log file of the complete scan so that we can fetch the TEST ID's from.
Here's a list of TEST ID's available in Lynis:
- BOOT
- KRNL (Kernel)
- PROC (Processor)
- AUTH (Authentication)
- SHELL
- FILE
- STRG (Storage)
- NAME (DNS)
- PKGC (Packages)
- NETW (Network)
- PRNT (Printer)
- FIRE (Firewall)
- HTTP (Web Server)
- SSH
- SNMP
- DBS (Database)
- PHP
- LDAP
- SQD (Squid Proxy)
- LOGG (Logging)
- INSE (Insecure Services - Inetd)
- SCHD (Scheduling - Cron Jobs)
- ACCT (Accounting)
- TIME (Time Protocol - NTP)
- CRYP (Cryptography)
- VIRT (Virtualization)
- HOME
- HRDN (Hardening)
- MALW (Malware)
- MACF (AppArmour - SELINUX)
By using a simple GREP command, we can fetch the relevant TEST ID from the log file and perform specific tests:
$ cat /var/log/lynis.log | grep MALW
Moreover, as we can see, it shows us all the TEST ID's associated with Malware scanning along with that they do. Now if we want to check for Rootkit Hunter, we will simply run:
$ ./lynis --tests "MALW-3276"
We can also run multiple specific tests say for Rootkit Hunter and LMD by:
$ ./lynis --tests "MALW-3276 MALW-3278"
We can do this with different test modules as well.
We can also use the GREP command to filter out the Warnings and Suggestions from that long log file.
Updating Lynis
It is always recommended to keep your scanners up-to-date, and Lynis is not an exception to that. A simple command can help us to do the same:
$ ./lynis update info
Making a Cron Job
We can create a simple bash script and make it run Lynis on a daily basis and save its report so as to be extra careful:
#!/bin/sh
AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"
cd /opt/lynis
./lynis -c --auditor "${AUDITOR}" --cronjob > ${REPORT}
mv /var/log/lynis-report.dat ${DATA}
Just save the above code in:
$ vi /etc/cron.daily/lynis-scan.sh
and give it the proper permissions by:
11 courses, 8+ hours of training
$ sudo chmod 755 /etc/cron.daily/lynis-scan.sh
Learn how to secure systems with 11 courses from Infosec Skills instructor and #1 best-selling author Ted Harrington.
- Hack your system
- Establish your threat model
- Spend wisely
- And more
In this Series
- Lynis: Walkthrough
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security