Lynis is an open-source security auditing tool. It’s used by system administrators and auditors to evaluate the security defenses of their Linux and Unix-based systems. Lynis comes with hundreds of tests, including those for checking the system configuration, system processes, and the presence of malware.
Prerequisites
Before you start, ensure you have:
- A system running CentOS 6.2 or CentOS 6.3.
- Root access to the system.
Installation Steps
Follow these steps to install Lynis:
Step 1: Download the Latest Version of Lynis
Use the following command to download Lynis:
wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
Example:
[root@centos63 ~]# wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
--2012-10-06 12:18:13--  http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
Resolving www.rootkit.nl... 31.7.1.110
Connecting to www.rootkit.nl|31.7.1.110|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 119797 (117K) [application/x-gzip]
Saving to: lynis-1.3.0.tar.gz

100%[==========================================================>] 119,797     96.3K/s   in 1.2s

2012-10-06 12:18:15 (96.3 KB/s) - lynis-1.3.0.tar.gz
Step 2: Extract the Downloaded File
After downloading, extract the file using the command:
tar xzvf lynis-1.3.0.tar.gz
Example:
[root@centos63 lynis]# tar xzvf lynis-1.3.0.tar.gz
lynis-1.3.0/CHANGELOG
lynis-1.3.0/FAQ
lynis-1.3.0/INSTALL
lynis-1.3.0/LICENSE
lynis-1.3.0/README
lynis-1.3.0/db/
lynis-1.3.0/db/integrity.db
lynis-1.3.0/db/sbl.db
lynis-1.3.0/db/fileperms.db
lynis-1.3.0/db/malware-susp.db
lynis-1.3.0/db/malware.db
lynis-1.3.0/db/hints.db
lynis-1.3.0/default.prf
lynis-1.3.0/dev/
lynis-1.3.0/dev/README
lynis-1.3.0/dev/files.dat
lynis-1.3.0/dev/TODO
lynis-1.3.0/dev/openbsd/
lynis-1.3.0/dev/openbsd/+CONTENTS
lynis-1.3.0/dev/check-lynis.sh
lynis-1.3.0/dev/build-lynis.sh
lynis-1.3.0/include/
lynis-1.3.0/include/profiles
lynis-1.3.0/include/tests_malware
lynis-1.3.0/include/tests_accounting
lynis-1.3.0/include/parameters
lynis-1.3.0/include/tests_ssh
lynis-1.3.0/include/tests_time
lynis-1.3.0/include/tests_firewalls
lynis-1.3.0/include/tests_nameservices
lynis-1.3.0/include/binaries
lynis-1.3.0/include/tests_webservers
lynis-1.3.0/include/tests_squid
lynis-1.3.0/include/tests_storage_nfs
lynis-1.3.0/include/tests_insecure_services
lynis-1.3.0/include/tests_scheduling
lynis-1.3.0/include/tests_tooling
lynis-1.3.0/include/tests_hardening
lynis-1.3.0/include/tests_networking
lynis-1.3.0/include/report
lynis-1.3.0/include/tests_boot_services
lynis-1.3.0/include/functions
lynis-1.3.0/include/tests_memory_processes
lynis-1.3.0/include/tests_file_permissions
lynis-1.3.0/include/tests_file_integrity
lynis-1.3.0/include/tests_shells
lynis-1.3.0/include/tests_databases
lynis-1.3.0/include/tests_homedirs
lynis-1.3.0/include/osdetection
lynis-1.3.0/include/tests_ldap
lynis-1.3.0/include/tests_ports_packages
lynis-1.3.0/include/tests_hardening_tools
lynis-1.3.0/include/tests_logging
lynis-1.3.0/include/tests_mail_messaging
lynis-1.3.0/include/tests_banners
lynis-1.3.0/include/tests_crypto
lynis-1.3.0/include/tests_kernel
lynis-1.3.0/include/tests_mac_frameworks
lynis-1.3.0/include/tests_solaris
lynis-1.3.0/include/tests_virtualization
lynis-1.3.0/include/tests_kernel_hardening
lynis-1.3.0/include/tests_snmp
lynis-1.3.0/include/tests_authentication
lynis-1.3.0/include/tests_filesystems
lynis-1.3.0/include/tests_storage
lynis-1.3.0/include/tests_printers_spools
lynis-1.3.0/include/tests_php
lynis-1.3.0/include/consts
lynis-1.3.0/include/tests_tcpwrappers
lynis-1.3.0/lynis
lynis-1.3.0/lynis.8
lynis-1.3.0/plugins/
lynis-1.3.0/plugins/README
lynis-1.3.0/plugins/custom_plugin.template
Step 3: Navigate to the Lynis Directory
Change into the directory the archive created (lynis-1.3.0, as the extraction output above shows):
cd lynis-1.3.0
Step 4: Check if Lynis is up-to-date
./lynis --check-update
Example:
[root@centos63 lynis-1.3.0]# ./lynis --check-update

 == Lynis ==

  Version         : 1.3.0
  Release date    : 28 April 2011
  Update location : http://www.rootkit.nl/


 == Databases ==

                  Current     Latest      Status
  -----------------------------------------------------------------------------
  Malware       : 2008062700  2008062700  Up-to-date
  File perms    : 2008053000  2008053000  Up-to-date


Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/
Running ./lynis without any option prints the complete list of available parameters, which you can use as a reference:
Example:
[root@centos63 lynis-1.3.0]# ./lynis

[ Lynis 1.3.0 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See LICENSE file for details about using this software.

  Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/
################################################################################

[+] Initializing program
------------------------------------

  Scan options:
    --auditor ""                  : Auditor name
    --check-all (-c)              : Check system
    --no-log                      : Don't create a log file
    --profile                     : Scan the system with the given profile file
    --quick (-Q)                  : Quick mode, don't wait for user input
    --tests " "                   : Run only tests defined by
    --tests-category " "          : Run only tests defined by

  Layout options:
    --no-colors                   : Don't use colors in output
    --quiet (-q)                  : No output, except warnings
    --reverse-colors              : Optimize color display for light backgrounds

  Misc options:
    --check-update                : Check for updates
    --view-manpage (--man)        : View man page
    --version (-V)                : Display version number and quit

  Error: No parameters specified!
  See man page and documentation for all available options.

Exiting..
Step 5: Run Lynis
You can now run a full audit with the --check-all option (short form -c) that the help output above lists; the "audit system" syntax belongs to later Lynis releases and is not accepted by 1.3.0:
./lynis --check-all
Example:
[+] Software: PHP
------------------------------------
  - Checking PHP...                                             [ FOUND ]
  - Checking PHP disabled functions...                          [ FOUND ]
  - Checking register_globals option...                         [ OK ]
  - Checking expose_php option...                               [ ON ]
  - Checking enable_dl option...                                [ OFF ]
  - Checking allow_url_fopen option...                          [ ON ]
  - Checking allow_url_include option...                        [ OFF ]

[+] Squid Support
------------------------------------
  - Checking running Squid daemon...                            [ NOT FOUND ]

[+] Logging and files
------------------------------------
  - Checking for a running syslog daemon...                     [ OK ]
  - Checking Syslog-NG status                                   [ NOT FOUND ]
  - Checking Metalog status                                     [ NOT FOUND ]
  - Checking RSyslog status                                     [ FOUND ]
  - Checking RFC 3195 daemon status                             [ NOT FOUND ]
  - Checking minilogd instances                                 [ NONE ]
  - Checking logrotate presence                                 [ OK ]
  - Checking log directories (static list)                      [ DONE ]
  - Checking open log files                                     [ DONE ]
  - Checking deleted files in use                               [ FILES FOUND ]

[+] Insecure services
------------------------------------
  - Checking inetd status...                                    [ ACTIVE ]
  - Checking inetd.conf...                                      [ NOT FOUND ]

[+] Banners and identification
------------------------------------
  - /etc/motd...                                                [ FOUND ]
  - /etc/motd permissions...                                    [ OK ]
  - /etc/motd contents...                                       [ WEAK ]
  - /etc/issue...                                               [ FOUND ]
  - /etc/issue contents...                                      [ WEAK ]
  - /etc/issue.net...                                           [ FOUND ]
  - /etc/issue.net contents...                                  [ WEAK ]

[+] Scheduled tasks
------------------------------------
  - Checking crontab/cronjob                                    [ DONE ]
  - Checking atd status                                         [ NOT RUNNING ]

[+] Accounting
------------------------------------
  - Checking accounting information...                          [ NOT FOUND ]
  - Checking auditd                                             [ ENABLED ]
  - Checking audit rules                                        [ SUGGESTION ]
  - Checking audit configuration file                           [ OK ]
  - Checking auditd log file                                    [ FOUND ]

[+] Time and Synchronization
------------------------------------
  - Checking running NTP daemon...                              [ FOUND ]
  - Checking NTP client in crontab file...                      [ NOT FOUND ]
  - Checking NTP client in cron.d files...                      [ NOT FOUND ]
  - Checking for a running NTP daemon or client...              [ OK ]
  - Checking NTP daemon...                                      [ FOUND ]
  - Checking valid association ID's...                          [ FOUND ]
  - Checking high stratum ntp peers...                          [ OK ]
  - Checking unreliable ntp peers...                            [ FOUND ]
  - Checking selected time source...                            [ OK ]
  - Checking time source candidates...                          [ OK ]
  - Checking falsetickers...                                    [ OK ]
  - Checking NTP version...                                     [ FOUND ]

[+] Cryptography
------------------------------------
  - Checking SSL certificate expiration...                      [ OK ]

[+] Virtualization
------------------------------------

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                                  [ NOT FOUND ]
  - Checking presence SELinux                                   [ FOUND ]
  - Checking SELinux status                                     [ DISABLED ]
  - Checking presence grsecurity                                [ NOT FOUND ]

[+] Software: file integrity
------------------------------------
  - Checking AFICK...                                           [ NOT FOUND ]
  - Checking AIDE...                                            [ NOT FOUND ]
  - Checking Osiris...                                          [ NOT FOUND ]
  - Checking Samhain...                                         [ NOT FOUND ]
  - Checking Tripwire...                                        [ NOT FOUND ]
  - Checking presence integrity tool...                         [ NOT FOUND ]

[+] Software: Malware scanners
------------------------------------
  - Checking chkrootkit...                                      [ NOT FOUND ]
  - Checking Rootkit Hunter...                                  [ NOT FOUND ]
  - Checking ClamAV scanner...                                  [ FOUND ]
  - Checking ClamAV daemon...                                   [ NOT FOUND ]

[+] System Tools
------------------------------------
  - Starting file permissions check...
    /etc/lilo.conf                                              [ NOT FOUND ]
    /root/.ssh                                                  [ OK ]

[+] Home directories
------------------------------------
  - Checking shell history files...                             [ OK ]

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile...
    - kernel.core_uses_pid (exp: 1)                             [ OK ]
    - kernel.ctrl-alt-del (exp: 0)                              [ OK ]
    - kernel.exec-shield (exp: 1)                               [ OK ]
    - kernel.sysrq (exp: 0)                                     [ OK ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)               [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)            [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)                    [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)                     [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1)                   [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)                  [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)                      [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)                      [ DIFFERENT ]
    - net.ipv4.conf.all.send_redirects (exp: 0)                 [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0)           [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0)        [ OK ]
    - net.ipv4.conf.default.log_martians (exp: 1)               [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)             [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)       [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)                          [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0)                          [ DIFFERENT ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)               [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)            [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0)           [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0)        [ OK ]

[+] Hardening
------------------------------------
  - Installed compiler(s)...                                    [ FOUND ]
  - Installed malware scanner...                                [ FOUND ]

================================================================================

  -[ Lynis 1.3.0 Results ]-

  Tests performed: 164

  Warnings:
  ----------------------------
  - [12:34:29] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
  - [12:34:33] Warning: No password set for single mode [test:AUTH-9308] [impact:L]
  - [12:34:51] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [impact:L]
  - [12:34:52] Warning: Found mail_name in SMTP banner, and/or mail_name contains 'Postfix' [test:MAIL-8818] [impact:L]
  - [12:34:57] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]

  Suggestions:
  ----------------------------
  - [12:34:29] Suggestion: Run grub-md5-crypt and create a hashed password. Add a line below the line timeout=, add: password --md5 [test:BOOT-5121]
  - [12:34:33] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
  - [12:34:33] Suggestion: Set password for single user mode to minimize physical access attack surface [test:AUTH-9308]
  - [12:34:33] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
  - [12:34:33] Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310]
  - [12:34:33] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
  - [12:34:39] Suggestion: The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [test:FILE-6410]
  - [12:34:39] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
  - [12:34:39] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
  - [12:34:48] Suggestion: Install package 'yum-utils' for better consistency checking of the package database [test:PKGS-7384]
  - [12:34:51] Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705]
  - [12:34:52] Suggestion: You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [test:MAIL-8818]
  - [12:34:53] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
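The Kernel Hardening section above is the part of the report most directly turned into a fix. The following POSIX shell helper is an added example, not code from the tutorial or from Lynis: it reads lines in the format Lynis 1.3.0 prints, keeps only the keys marked [ DIFFERENT ], and emits a sysctl.conf fragment that sets each to the value Lynis expected. The sample scan lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original tutorial or of Lynis itself).
# Input: Lynis 1.3.0 "Comparing sysctl key pairs" lines, e.g.
#   - net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
# Output: one "key = expected" line per DIFFERENT key, ready for sysctl.conf.

# Constructed sample in the shape of the audit output (not a live scan).
SAMPLE_SCAN='- kernel.sysrq (exp: 0) [ OK ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]'

# Print "key = expected" for every DIFFERENT line; OK lines are dropped.
sysctl_fixes() {
    printf '%s\n' "$1" | awk '
        /\[ DIFFERENT \]/ {
            # $2 is the key; the expected value is $4 with its ")" removed
            want = $4; sub(/\)/, "", want)
            printf "%s = %s\n", $2, want
        }'
}

# Number of keys that differ from the profile (usable as a CI gate).
different_count() {
    sysctl_fixes "$1" | wc -l | tr -d ' '
}

# Show the live kernel value next to the expected one for each differing key,
# so the operator can review before touching /etc/sysctl.conf.
show_current() {
    sysctl_fixes "$1" | while read -r key _ want; do
        cur=$(sysctl -n "$key" 2>/dev/null || echo "n/a")
        printf '%-45s expected=%s current=%s\n' "$key" "$want" "$cur"
    done
}

sysctl_fixes "$SAMPLE_SCAN"
```

Review the fragment before appending it to /etc/sysctl.conf and loading it with sysctl -p; rp_filter and the redirect keys change routing behaviour on multi-homed hosts.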
Conclusion
Lynis is a powerful tool for auditing and hardening Unix and Linux systems. It’s easy to install and provides a comprehensive security audit. Regularly running Lynis on your system can help identify weaknesses and guide you in hardening your system’s defenses.