How to Setup Lynis Linux Auditing Tool on CentOS 6.2/CentOS 6.3


Lynis is a free and open source auditing tool for Unix-based operating systems. It scans the system, collecting general system information, installed packages, configuration errors and security issues, and then produces a report with suggestions. Lynis is aimed at automated auditing, software patch management, and vulnerability and malware scanning of Unix-based systems. Follow these steps to set up the Lynis auditing tool on CentOS 6.3.

1. Create lynis directory under /usr/local/ :

[root@centos63 ~]# mkdir /usr/local/lynis

2. Download the lynis tarball from http://www.rootkit.nl/projects/lynis.html. The download is plain HTTP and the script will later be run as root, so compare the tarball against a checksum or signature obtained from the project before extracting it :

# wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz

Example :

[root@centos63 ~]# wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
--2012-10-06 12:18:13--  http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
Resolving www.rootkit.nl... 31.7.1.110
Connecting to www.rootkit.nl|31.7.1.110|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 119797 (117K) [application/x-gzip]
Saving to: 'lynis-1.3.0.tar.gz'

100%[==========================================================>] 119,797     96.3K/s   in 1.2s

2012-10-06 12:18:15 (96.3 KB/s) - 'lynis-1.3.0.tar.gz'

3. Copy lynis-1.3.0.tar.gz to the created directory :

[root@centos63 ~]# cp lynis-1.3.0.tar.gz /usr/local/lynis

Then go to the created lynis directory :

[root@centos63 ~]# cd /usr/local/lynis

4. Extract lynis-1.3.0.tar.gz into /usr/local/lynis :

# tar xzvf lynis-1.3.0.tar.gz

Example :

[root@centos63 lynis]# tar xzvf lynis-1.3.0.tar.gz
lynis-1.3.0/CHANGELOG
lynis-1.3.0/FAQ
lynis-1.3.0/INSTALL
lynis-1.3.0/LICENSE
lynis-1.3.0/README
lynis-1.3.0/db/
lynis-1.3.0/db/integrity.db
lynis-1.3.0/db/sbl.db
lynis-1.3.0/db/fileperms.db
lynis-1.3.0/db/malware-susp.db
lynis-1.3.0/db/malware.db
lynis-1.3.0/db/hints.db
lynis-1.3.0/default.prf
lynis-1.3.0/dev/
lynis-1.3.0/dev/README
lynis-1.3.0/dev/files.dat
lynis-1.3.0/dev/TODO
lynis-1.3.0/dev/openbsd/
lynis-1.3.0/dev/openbsd/+CONTENTS
lynis-1.3.0/dev/check-lynis.sh
lynis-1.3.0/dev/build-lynis.sh
lynis-1.3.0/include/
lynis-1.3.0/include/profiles
lynis-1.3.0/include/tests_malware
lynis-1.3.0/include/tests_accounting
lynis-1.3.0/include/parameters
lynis-1.3.0/include/tests_ssh
lynis-1.3.0/include/tests_time
lynis-1.3.0/include/tests_firewalls
lynis-1.3.0/include/tests_nameservices
lynis-1.3.0/include/binaries
lynis-1.3.0/include/tests_webservers
lynis-1.3.0/include/tests_squid
lynis-1.3.0/include/tests_storage_nfs
lynis-1.3.0/include/tests_insecure_services
lynis-1.3.0/include/tests_scheduling
lynis-1.3.0/include/tests_tooling
lynis-1.3.0/include/tests_hardening
lynis-1.3.0/include/tests_networking
lynis-1.3.0/include/report
lynis-1.3.0/include/tests_boot_services
lynis-1.3.0/include/functions
lynis-1.3.0/include/tests_memory_processes
lynis-1.3.0/include/tests_file_permissions
lynis-1.3.0/include/tests_file_integrity
lynis-1.3.0/include/tests_shells
lynis-1.3.0/include/tests_databases
lynis-1.3.0/include/tests_homedirs
lynis-1.3.0/include/osdetection
lynis-1.3.0/include/tests_ldap
lynis-1.3.0/include/tests_ports_packages
lynis-1.3.0/include/tests_hardening_tools
lynis-1.3.0/include/tests_logging
lynis-1.3.0/include/tests_mail_messaging
lynis-1.3.0/include/tests_banners
lynis-1.3.0/include/tests_crypto
lynis-1.3.0/include/tests_kernel
lynis-1.3.0/include/tests_mac_frameworks
lynis-1.3.0/include/tests_solaris
lynis-1.3.0/include/tests_virtualization
lynis-1.3.0/include/tests_kernel_hardening
lynis-1.3.0/include/tests_snmp
lynis-1.3.0/include/tests_authentication
lynis-1.3.0/include/tests_filesystems
lynis-1.3.0/include/tests_storage
lynis-1.3.0/include/tests_printers_spools
lynis-1.3.0/include/tests_php
lynis-1.3.0/include/consts
lynis-1.3.0/include/tests_tcpwrappers
lynis-1.3.0/lynis
lynis-1.3.0/lynis.8
lynis-1.3.0/plugins/
lynis-1.3.0/plugins/README
lynis-1.3.0/plugins/custom_plugin.template

5. Enter the extracted lynis directory, lynis-1.3.0 :

[root@centos63 lynis]# cd lynis-1.3.0
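Steps 1 to 5 as one script, with the integrity check that the manual procedure skips. This is an added example and not part of the original article or of Lynis itself; the function names are my own, and the expected SHA-256 digest must be supplied by the caller from an out-of-band source (the project's release notes or signed checksum file), since this page publishes none.

```bash
#!/bin/bash
# Added example (not from the original article): install a Lynis release tarball
# into a target directory only after its SHA-256 matches a digest obtained out of
# band. Function names are my own choice, not Lynis project code.
set -eu

# Print the SHA-256 hex digest of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Usage: install_lynis_tarball <tarball path or http(s) URL> <expected sha256> <dest dir>
# Downloads the tarball when given a URL, refuses to extract on a digest mismatch,
# and checks that the extracted release actually contains the lynis script.
# On success it prints the path of the extracted lynis script.
install_lynis_tarball() {
    local src="$1" expected="$2" dest="$3" tarball actual script
    mkdir -p "$dest"
    case "$src" in
        http://*|https://*)
            tarball="$dest/$(basename "$src")"
            wget -q -O "$tarball" "$src"
            ;;
        *)
            tarball="$src"
            ;;
    esac
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to extract $tarball: sha256 $actual != expected $expected" >&2
        return 1
    fi
    # -C keeps the archive's own top-level directory (lynis-1.3.0/) under $dest
    tar xzf "$tarball" -C "$dest"
    # A release without the main script means the wrong archive was fetched.
    script=$(find "$dest" -maxdepth 2 -type f -name lynis | head -n 1)
    if [ -z "$script" ]; then
        echo "extracted archive has no lynis script" >&2
        return 1
    fi
    echo "$script"
}

# Example call (the digest must come from the project, not from this page):
#   install_lynis_tarball http://www.rootkit.nl/files/lynis-1.3.0.tar.gz <sha256> /usr/local/lynis
```

Run as root so the result lands in /usr/local/lynis as in the steps above; a mismatching digest leaves the destination directory empty rather than half-populated.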

6. Check if Lynis is up-to-date :

# ./lynis --check-update

Example :

[root@centos63 lynis-1.3.0]# ./lynis --check-update

 == Lynis ==

  Version         :   1.3.0
  Release date    :   28 April 2011
  Update location :   http://www.rootkit.nl/

 == Databases ==
                      Current          Latest           Status
  -----------------------------------------------------------------------------
  Malware         :   2008062700       2008062700       Up-to-date
  File perms      :   2008053000       2008053000       Up-to-date


Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/

7. Running ./lynis without any option prints the complete list of available parameters, which you can use as a reference :

# ./lynis

Example :

[root@centos63 lynis-1.3.0]# ./lynis

[ Lynis 1.3.0 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See LICENSE file for details about using this software.

 Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/
################################################################################

[+] Initializing program
------------------------------------
  Scan options:
    --auditor "<name>"            : Auditor name
    --check-all (-c)              : Check system
    --no-log                      : Don't create a log file
    --profile <profile>           : Scan the system with the given profile file
    --quick (-Q)                  : Quick mode, don't wait for user input
    --tests "<tests>"             : Run only tests defined by <tests>
    --tests-category "<category>" : Run only tests defined by <category>

  Layout options:
    --no-colors                   : Don't use colors in output
    --quiet (-q)                  : No output, except warnings
    --reverse-colors              : Optimize color display for light backgrounds

  Misc options:
    --check-update                : Check for updates
    --view-manpage (--man)        : View man page
    --version (-V)                : Display version number and quit

  Error: No parameters specified!
  See man page and documentation for all available options.

Exiting..

8. To start a full system scan, run lynis with the --check-all or -c option. Without quick mode it pauses with "[ Press [ENTER] to continue, or [CTRL]+C to stop ]" after every section it scans.

# ./lynis -c

Example :

[root@centos63 lynis-1.3.0]# ./lynis -c

[ Lynis 1.3.0 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See LICENSE file for details about using this software.

 Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Clearing log file (/var/log/lynis.log)...                 [ DONE ]

  ---------------------------------------------------
  Program version:           1.3.0
  Operating system:          Linux
  Operating system name:     CentOS
  Operating system version:  CentOS release 6.3 (Final)
  Kernel version:            2.6.32-279.1.1.el6.i686
  Hardware platform:         i686
  Hostname:                  centos63
  Auditor:                   [Unknown]
  Profile:                   ./default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  ---------------------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

9. To run the same scan in quick mode, without waiting for user input, execute lynis with both the -c and -Q options as shown below :

# ./lynis -c -Q

Example :

[root@centos63 lynis-1.3.0]# ./lynis -c -Q

Example result (excerpt) :

[+] Software: PHP
------------------------------------
  - Checking PHP...                                           [ FOUND ]
  - Checking PHP disabled functions...                        [ FOUND ]
    - Checking register_globals option...                     [ OK ]
    - Checking expose_php option...                           [ ON ]
    - Checking enable_dl option...                            [ OFF ]
    - Checking allow_url_fopen option...                      [ ON ]
    - Checking allow_url_include option...                    [ OFF ]

[+] Squid Support
------------------------------------
  - Checking running Squid daemon...                          [ NOT FOUND ]

[+] Logging and files
------------------------------------
  - Checking for a running syslog daemon...                   [ OK ]
    - Checking Syslog-NG status                               [ NOT FOUND ]
    - Checking Metalog status                                 [ NOT FOUND ]
    - Checking RSyslog status                                 [ FOUND ]
    - Checking RFC 3195 daemon status                         [ NOT FOUND ]
  - Checking minilogd instances                               [ NONE ]
  - Checking logrotate presence                               [ OK ]
  - Checking log directories (static list)                    [ DONE ]
  - Checking open log files                                   [ DONE ]
  - Checking deleted files in use                             [ FILES FOUND ]

[+] Insecure services
------------------------------------
  - Checking inetd status...                                  [ ACTIVE ]
    - Checking inetd.conf...                                  [ NOT FOUND ]

[+] Banners and identification
------------------------------------
  - /etc/motd...                                              [ FOUND ]
    - /etc/motd permissions...                                [ OK ]
    - /etc/motd contents...                                   [ WEAK ]
  - /etc/issue...                                             [ FOUND ]
    - /etc/issue contents...                                  [ WEAK ]
  - /etc/issue.net...                                         [ FOUND ]
    - /etc/issue.net contents...                              [ WEAK ]

[+] Scheduled tasks
------------------------------------
  - Checking crontab/cronjob                                  [ DONE ]
  - Checking atd status                                       [ NOT RUNNING ]

[+] Accounting
------------------------------------
  - Checking accounting information...                        [ NOT FOUND ]
  - Checking auditd                                           [ ENABLED ]
    - Checking audit rules                                    [ SUGGESTION ]
    - Checking audit configuration file                       [ OK ]
    - Checking auditd log file                                [ FOUND ]

[+] Time and Synchronization
------------------------------------
  - Checking running NTP daemon...                            [ FOUND ]
  - Checking NTP client in crontab file...                    [ NOT FOUND ]
  - Checking NTP client in cron.d files...                    [ NOT FOUND ]
  - Checking for a running NTP daemon or client...            [ OK ]
  - Checking NTP daemon...                                    [ FOUND ]
  - Checking valid association ID's...                        [ FOUND ]
  - Checking high stratum ntp peers...                        [ OK ]
  - Checking unreliable ntp peers...                          [ FOUND ]
  - Checking selected time source...                          [ OK ]
  - Checking time source candidates...                        [ OK ]
  - Checking falsetickers...                                  [ OK ]
  - Checking NTP version...                                   [ FOUND ]

[+] Cryptography
------------------------------------
  - Checking SSL certificate expiration...                    [ OK ]

[+] Virtualization
------------------------------------

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                                [ NOT FOUND ]
  - Checking presence SELinux                                 [ FOUND ]
    - Checking SELinux status                                 [ DISABLED ]
  - Checking presence grsecurity                              [ NOT FOUND ]

[+] Software: file integrity
------------------------------------
  - Checking AFICK...                                         [ NOT FOUND ]
  - Checking AIDE...                                          [ NOT FOUND ]
  - Checking Osiris...                                        [ NOT FOUND ]
  - Checking Samhain...                                       [ NOT FOUND ]
  - Checking Tripwire...                                      [ NOT FOUND ]
  - Checking presence integrity tool...                       [ NOT FOUND ]

[+] Software: Malware scanners
------------------------------------
  - Checking chkrootkit...                                    [ NOT FOUND ]
  - Checking Rootkit Hunter...                                [ NOT FOUND ]
  - Checking ClamAV scanner...                                [ FOUND ]
  - Checking ClamAV daemon...                                 [ NOT FOUND ]

[+] System Tools
------------------------------------
  - Starting file permissions check...
    /etc/lilo.conf                                            [ NOT FOUND ]
    /root/.ssh                                                [ OK ]

[+] Home directories
------------------------------------
  - Checking shell history files...                           [ OK ]

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile...
      - kernel.core_uses_pid (exp: 1)                         [ OK ]
      - kernel.ctrl-alt-del (exp: 0)                          [ OK ]
      - kernel.exec-shield (exp: 1)                           [ OK ]
      - kernel.sysrq (exp: 0)                                 [ OK ]
      - net.ipv4.conf.all.accept_redirects (exp: 0)           [ DIFFERENT ]
      - net.ipv4.conf.all.accept_source_route (exp: 0)        [ OK ]
      - net.ipv4.conf.all.bootp_relay (exp: 0)                [ OK ]
      - net.ipv4.conf.all.forwarding (exp: 0)                 [ OK ]
      - net.ipv4.conf.all.log_martians (exp: 1)               [ DIFFERENT ]
      - net.ipv4.conf.all.mc_forwarding (exp: 0)              [ OK ]
      - net.ipv4.conf.all.proxy_arp (exp: 0)                  [ OK ]
      - net.ipv4.conf.all.rp_filter (exp: 1)                  [ DIFFERENT ]
      - net.ipv4.conf.all.send_redirects (exp: 0)             [ DIFFERENT ]
      - net.ipv4.conf.default.accept_redirects (exp: 0)       [ DIFFERENT ]
      - net.ipv4.conf.default.accept_source_route (exp: 0)    [ OK ]
      - net.ipv4.conf.default.log_martians (exp: 1)           [ DIFFERENT ]
      - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)         [ OK ]
      - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)   [ OK ]
      - net.ipv4.tcp_syncookies (exp: 1)                      [ OK ]
      - net.ipv4.tcp_timestamps (exp: 0)                      [ DIFFERENT ]
      - net.ipv6.conf.all.accept_redirects (exp: 0)           [ DIFFERENT ]
      - net.ipv6.conf.all.accept_source_route (exp: 0)        [ OK ]
      - net.ipv6.conf.default.accept_redirects (exp: 0)       [ DIFFERENT ]
      - net.ipv6.conf.default.accept_source_route (exp: 0)    [ OK ]

[+] Hardening
------------------------------------
    - Installed compiler(s)...                                [ FOUND ]
    - Installed malware scanner...                            [ FOUND ]

================================================================================

  -[ Lynis 1.3.0 Results ]-

  Tests performed: 164
  Warnings:
  ----------------------------
   - [12:34:29] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
   - [12:34:33] Warning: No password set for single mode [test:AUTH-9308] [impact:L]
   - [12:34:51] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [impact:L]
   - [12:34:52] Warning: Found mail_name in SMTP banner, and/or mail_name contains 'Postfix' [test:MAIL-8818] [impact:L]
   - [12:34:57] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]

  Suggestions:
  ----------------------------
   - [12:34:29] Suggestion: Run grub-md5-crypt and create a hashed password. Add a line below the line timeout=, add: password --md5 <hash> [test:BOOT-5121]
   - [12:34:33] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
   - [12:34:33] Suggestion: Set password for single user mode to minimize physical access attack surface [test:AUTH-9308]
   - [12:34:33] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
   - [12:34:33] Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310]
   - [12:34:33] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
   - [12:34:39] Suggestion: The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [test:FILE-6410]
   - [12:34:39] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
   - [12:34:39] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
   - [12:34:48] Suggestion: Install package 'yum-utils' for better consistency checking of the package database [test:PKGS-7384]
   - [12:34:51] Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705]
   - [12:34:52] Suggestion: You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [test:MAIL-8818]
   - [12:34:53] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
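Two things a practitioner usually does with output like the above are to turn the [ DIFFERENT ] lines of the Kernel Hardening section into a sysctl.conf fragment, and to fail a build or change window when warnings of a given impact appear. The script below does both over an excerpt of this page's own console output, embedded as sample input. It is an added example and not part of the article or of Lynis; it parses the console output rather than /var/log/lynis-report.dat because the page does not show that file's format, and the function names are my own.

```bash
#!/bin/bash
# Added example (not from the original article or from Lynis): post-process the
# console output of "./lynis -c -Q". Function names are my own choice.

# Sample input: an excerpt of the scan output shown on this page.
SAMPLE_LYNIS_OUTPUT=$(cat <<'EOF'
[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile...
      - kernel.sysrq (exp: 0)                                 [ OK ]
      - net.ipv4.conf.all.accept_redirects (exp: 0)           [ DIFFERENT ]
      - net.ipv4.conf.all.log_martians (exp: 1)               [ DIFFERENT ]
      - net.ipv4.conf.all.rp_filter (exp: 1)                  [ DIFFERENT ]
      - net.ipv4.conf.all.send_redirects (exp: 0)             [ DIFFERENT ]
      - net.ipv4.tcp_syncookies (exp: 1)                      [ OK ]
      - net.ipv4.tcp_timestamps (exp: 0)                      [ DIFFERENT ]

  Warnings:
  ----------------------------
   - [12:34:29] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
   - [12:34:33] Warning: No password set for single mode [test:AUTH-9308] [impact:L]
   - [12:34:57] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
EOF
)

# Read Lynis output on stdin; print "key = expected" in sysctl.conf syntax for
# every sysctl comparison flagged [ DIFFERENT ]. Fields on such a line are:
#   $1="-"  $2=key  $3="(exp:"  $4="<value>)"
sysctl_remediation() {
    awk '/\(exp: [0-9]+\)/ && /\[ DIFFERENT \]/ {
        val = $2 == "" ? "" : $4
        sub(/\)$/, "", val)
        print $2 " = " val
    }'
}

# Read Lynis output on stdin; print "TESTID IMPACT message" for each warning
# whose impact is at least $1 (L < M < H). Exit status is 1 when at least one
# warning qualifies, so the function can gate a deployment pipeline.
warnings_at_or_above() {
    awk -v min="$1" '
        BEGIN { rank["L"] = 1; rank["M"] = 2; rank["H"] = 3; hits = 0 }
        /Warning:/ && match($0, /\[impact:[LMH]\]/) {
            imp = substr($0, RSTART + 8, 1)          # letter after "[impact:"
            if (rank[imp] < rank[min]) next
            id = "?"
            if (match($0, /\[test:[A-Z]+-[0-9]+\]/))
                id = substr($0, RSTART + 6, RLENGTH - 7)   # strip "[test:" and "]"
            msg = $0
            sub(/.*Warning: /, "", msg)
            sub(/ \[test:.*$/, "", msg)
            print id, imp, msg
            hits++
        }
        END { if (hits > 0) exit 1; exit 0 }'
}

# Typical use on a real host (the scan itself needs root):
#   ./lynis -c -Q --no-colors | tee /var/tmp/lynis.out
#   sysctl_remediation   < /var/tmp/lynis.out > /etc/sysctl.d/90-lynis.conf
#   warnings_at_or_above M < /var/tmp/lynis.out || echo "medium or higher warnings present"
```

Review the generated sysctl lines before applying them with sysctl -p: rp_filter = 1 (strict reverse-path filtering) drops legitimate traffic on hosts with asymmetric routing, and log_martians = 1 can be noisy on busy networks.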

For more information visit the official Lynis page at http://www.rootkit.nl/projects/lynis.html.
