Lynis is an open-source security auditing tool for Linux and UNIX-based systems. Because it runs on the host it audits rather than probing it over the network, it can perform more extensive checks than remote vulnerability scanners. Lynis is released by CISOFY.

Lynis works on a variety of UNIX-based systems such as:

  • FreeBSD
  • Linux
  • MacOS
  • OpenBSD
  • NetBSD
  • AIX
  • HP-UX
  • Solaris
  • Raspberry Pi
  • Backtrack Linux
  • Kali Linux
  • CentOS
  • Linux Mint
  • Debian
  • Arch Linux
  • Fedora
  • Ubuntu
  • Red Hat Enterprise Linux

Lynis can also be used to audit additional services such as:

  • Apache
  • Nginx
  • Oracle Database
  • MySQL
  • PostgreSQL

Lynis can be downloaded from https://cisofy.com/download/lynis/

An important feature of Lynis is opportunistic scanning: it only tests what it actually finds on the system. Say the system you are scanning has an Apache server running on it; Lynis will then run only the tests related to Apache, and if it comes across an SSL/TLS configuration while doing so, only then will it run the additional TLS-related tests, which saves time. In short, it always performs a scan tailored to the system.

Installation

Once downloaded, simply go into the folder and start by typing:

$ ./lynis

This will show us the available commands and options.

To get further information, we can type:

$ ./lynis show options

Mainly, Lynis is used for the following purposes:

  • System hardening
  • Vulnerability detection and scanning
  • Security auditing
  • Compliance testing (PCI, HIPAA, SOx)

Additional plugins can be used to perform additional tests.

Running a Basic Scan

To run a basic scan on your system with Lynis, simply type:

$ ./lynis audit system

Note: adding the parameter --quick makes Lynis run without pausing between sections, so we can work on other things while it scans.

Lynis will show us any important warnings that we need to be aware of, as well as the location of the generated log file and the report data file.

How it works

  • It starts off by detecting the Operating System
  • It will then search for the available tools and utilities
  • It will check whether Lynis needs to be updated
  • It will run tests from enabled plugins
  • It will run relevant tests for each category
  • Finally, it will end by reporting the status of the scan

Sample of Log File

Sample of Report File


As you can see, Lynis includes impacts and suggestions (highlighted in blue) for anything that might be harmful to the system.

Running Specific Tests

Lynis also gives us the option to run specific tests on specific modules. However, we need to know the test ID of those tests, so we first need the log file of a complete scan from which we can fetch the test IDs.

Here’s a list of the test categories (the prefix of each test ID) available in Lynis:

  • BOOT
  • KRNL (Kernel)
  • PROC (Processor)
  • AUTH (Authentication)
  • SHELL
  • FILE
  • STRG (Storage)
  • NAME (DNS)
  • PKGC (Packages)
  • NETW (Network)
  • PRNT (Printer)
  • MAIL
  • FIRE (Firewall)
  • HTTP (Web Server)
  • SSH
  • SNMP
  • DBS (Database)
  • PHP
  • LDAP
  • SQD (Squid Proxy)
  • LOGG (Logging)
  • INSE (Insecure Services – Inetd)
  • SCHD (Scheduling – Cron Jobs)
  • ACCT (Accounting)
  • TIME (Time Protocol – NTP)
  • CRYP (Cryptography)
  • VIRT (Virtualization)
  • HOME
  • HRDN (Hardening)
  • MALW (Malware)
  • MACF (AppArmor – SELinux)

By using a simple grep command, we can fetch the relevant test IDs from the log file and then run only those tests:

$ grep MALW /var/log/lynis.log

As we can see, this shows us all the test IDs associated with malware scanning, along with what each of them does. Now, if we want to check only for Rootkit Hunter, we simply run:

$ ./lynis --tests "MALW-3276"

We can also run several specific tests at once, say for Rootkit Hunter and LMD, by:

$ ./lynis --tests "MALW-3276 MALW-3278"

We can do the same with the other test categories.

We can also use grep to filter the warnings and suggestions out of that long log file.
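The two grep steps above, fetching the test IDs of one category from lynis.log and filtering the warnings and suggestions out of the scan results, as a small POSIX shell script. This is an added example, not code from the original article or from Lynis itself; it assumes the "Performing test ID" wording of lynis.log lines and the warning[]=ID|message|details|solution| key=value layout of lynis-report.dat, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the original article or of Lynis itself).
# Constructed sample lines in the format of lynis.log "Performing test ID" entries.
SAMPLE_LOG='2016-03-10 10:00:01 Performing test ID MALW-3274 (Check for chkrootkit presence)
2016-03-10 10:00:01 Performing test ID MALW-3276 (Checking Rootkit Hunter presence)
2016-03-10 10:00:02 Performing test ID MALW-3278 (Checking LMD presence)
2016-03-10 10:00:02 Performing test ID SSH-7408 (Check SSH specific defined options)'

# Constructed sample lines in the assumed key=value format of /var/log/lynis-report.dat.
SAMPLE_REPORT='hardening_index=64
warning[]=MALW-3276|No malware scanner installed|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=MALW-3278|Install a malware scanner such as rkhunter or LMD|-|-|'

# Print the test IDs of one category (e.g. MALW) found in log text on stdin,
# space separated, which is exactly the form the --tests option expects.
test_ids_for() {
    grep "Performing test ID $1-" \
        | sed 's/.*Performing test ID \([A-Z]*-[0-9]*\).*/\1/' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Reduce report data on stdin to one "kind TEST-ID message" line per finding,
# dropping every other key (hardening_index and the like) from the file.
findings() {
    sed -E -n 's/^(warning|suggestion)\[\]=([A-Z]+-[0-9]+)[|]([^|]*)[|].*/\1 \2 \3/p'
}

# Usage: build the --tests argument for the whole MALW category, then list the findings.
MALW_TESTS=$(printf '%s\n' "$SAMPLE_LOG" | test_ids_for MALW)
echo "./lynis --tests \"$MALW_TESTS\""
printf '%s\n' "$SAMPLE_REPORT" | findings
```

On a real host, replace the two constructed samples with `cat /var/log/lynis.log` and `cat /var/log/lynis-report.dat` piped into the same functions.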

Updating Lynis

It is always recommended to keep your scanners up to date, and Lynis is no exception. A simple command shows us whether a newer version is available:

$ ./lynis update info

Making a Cron Job

We can create a simple shell script that runs Lynis daily and saves its report, so that we stay on the safe side:

#!/bin/sh

AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

# Make sure the destination directory exists, and abort if Lynis is not where we expect it
mkdir -p "${LOG_DIR}"
cd /opt/lynis || exit 1

# Run the full audit non-interactively and keep the human-readable output
./lynis -c --auditor "${AUDITOR}" --cronjob > "${REPORT}"

# Keep the machine-readable report data under a dated name as well
mv /var/log/lynis-report.dat "${DATA}"

Just save the above code in:

$ vi /etc/cron.daily/lynis-scan.sh

and give it the proper permissions by:

$ sudo chmod 755 /etc/cron.daily/lynis-scan.sh

Note that on Debian-based systems run-parts ignores files in /etc/cron.daily whose names contain a dot, so there the script must be saved without the .sh extension for cron to pick it up.