How to Setup Lynis Linux Auditing Tool on CentOS 6.2/CentOS 6.3

Lynis is an open-source security auditing tool. It’s used by system administrators and auditors to evaluate the security defenses of their Linux and Unix-based systems. Lynis comes with hundreds of tests, including those for checking the system configuration, system processes, and the presence of malware.

Prerequisites

Before you start, ensure you have:

  • A system running CentOS 6.2 or CentOS 6.3.
  • Root access to the system.

Installation Steps

Follow these steps to install Lynis:

Step 1: Download the Latest Version of Lynis

Use the following command to download Lynis:

wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz

For example:

# wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz

Example :

[root@centos63 ~]# wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
--2012-10-06 12:18:13--  http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
Resolving www.rootkit.nl... 31.7.1.110
Connecting to www.rootkit.nl|31.7.1.110|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 119797 (117K) [application/x-gzip]
Saving to: lynis-1.3.0.tar.gz

100%[==========================================================>] 119,797     96.3K/s   in 1.2s

2012-10-06 12:18:15 (96.3 KB/s) - lynis-1.3.0.tar.gz

Step 2: Extract the Downloaded File

After downloading, extract the file using the command:

tar xzvf lynis-1.3.0.tar.gz

Example:

[root@centos63 lynis]# tar xzvf lynis-1.3.0.tar.gz
lynis-1.3.0/CHANGELOG
lynis-1.3.0/FAQ
lynis-1.3.0/INSTALL
lynis-1.3.0/LICENSE
lynis-1.3.0/README
lynis-1.3.0/db/
lynis-1.3.0/db/integrity.db
lynis-1.3.0/db/sbl.db
lynis-1.3.0/db/fileperms.db
lynis-1.3.0/db/malware-susp.db
lynis-1.3.0/db/malware.db
lynis-1.3.0/db/hints.db
lynis-1.3.0/default.prf
lynis-1.3.0/dev/
lynis-1.3.0/dev/README
lynis-1.3.0/dev/files.dat
lynis-1.3.0/dev/TODO
lynis-1.3.0/dev/openbsd/
lynis-1.3.0/dev/openbsd/+CONTENTS
lynis-1.3.0/dev/check-lynis.sh
lynis-1.3.0/dev/build-lynis.sh
lynis-1.3.0/include/
lynis-1.3.0/include/profiles
lynis-1.3.0/include/tests_malware
lynis-1.3.0/include/tests_accounting
lynis-1.3.0/include/parameters
lynis-1.3.0/include/tests_ssh
lynis-1.3.0/include/tests_time
lynis-1.3.0/include/tests_firewalls
lynis-1.3.0/include/tests_nameservices
lynis-1.3.0/include/binaries
lynis-1.3.0/include/tests_webservers
lynis-1.3.0/include/tests_squid
lynis-1.3.0/include/tests_storage_nfs
lynis-1.3.0/include/tests_insecure_services
lynis-1.3.0/include/tests_scheduling
lynis-1.3.0/include/tests_tooling
lynis-1.3.0/include/tests_hardening
lynis-1.3.0/include/tests_networking
lynis-1.3.0/include/report
lynis-1.3.0/include/tests_boot_services
lynis-1.3.0/include/functions
lynis-1.3.0/include/tests_memory_processes
lynis-1.3.0/include/tests_file_permissions
lynis-1.3.0/include/tests_file_integrity
lynis-1.3.0/include/tests_shells
lynis-1.3.0/include/tests_databases
lynis-1.3.0/include/tests_homedirs
lynis-1.3.0/include/osdetection
lynis-1.3.0/include/tests_ldap
lynis-1.3.0/include/tests_ports_packages
lynis-1.3.0/include/tests_hardening_tools
lynis-1.3.0/include/tests_logging
lynis-1.3.0/include/tests_mail_messaging
lynis-1.3.0/include/tests_banners
lynis-1.3.0/include/tests_crypto
lynis-1.3.0/include/tests_kernel
lynis-1.3.0/include/tests_mac_frameworks
lynis-1.3.0/include/tests_solaris
lynis-1.3.0/include/tests_virtualization
lynis-1.3.0/include/tests_kernel_hardening
lynis-1.3.0/include/tests_snmp
lynis-1.3.0/include/tests_authentication
lynis-1.3.0/include/tests_filesystems
lynis-1.3.0/include/tests_storage
lynis-1.3.0/include/tests_printers_spools
lynis-1.3.0/include/tests_php
lynis-1.3.0/include/consts
lynis-1.3.0/include/tests_tcpwrappers
lynis-1.3.0/lynis
lynis-1.3.0/lynis.8
lynis-1.3.0/plugins/
lynis-1.3.0/plugins/README
lynis-1.3.0/plugins/custom_plugin.template

Step 3: Navigate to the Lynis Directory

Change to the Lynis directory with:

cd lynis

Step 4: Check if Lynis is up-to-date

# ./lynis --check-update

Example:

[root@centos63 lynis-1.3.0]# ./lynis --check-update

 == Lynis ==

  Version         :   1.3.0
  Release date    :   28 April 2011
  Update location :   http://www.rootkit.nl/

 == Databases ==
                      Current          Latest           Status
  -----------------------------------------------------------------------------
  Malware         :   2008062700       2008062700       Up-to-date
  File perms      :   2008053000       2008053000       Up-to-date


Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/

By running ./lynis without any option, it will provide you a complete list of available parameters and you can use this as a references:

Example:

[root@centos63 lynis-1.3.0]# ./lynis

[ Lynis 1.3.0 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See LICENSE file for details about using this software.

 Copyright 2007-2012 - Michael Boelen, http://www.rootkit.nl/
################################################################################

[+] Initializing program
------------------------------------
  Scan options:
    --auditor ""            : Auditor name
    --check-all (-c)              : Check system
    --no-log                      : Don't create a log file
    --profile            : Scan the system with the given profile file
    --quick (-Q)                  : Quick mode, don't wait for user input
    --tests ""             : Run only tests defined by 
    --tests-category "" : Run only tests defined by 

  Layout options:
    --no-colors                   : Don't use colors in output
    --quiet (-q)                  : No output, except warnings
    --reverse-colors              : Optimize color display for light backgrounds

  Misc options:
    --check-update                : Check for updates
    --view-manpage (--man)        : View man page
    --version (-V)                : Display version number and quit

  Error: No parameters specified!
  See man page and documentation for all available options.

Exiting..

Step 5: Run Lynis

You can now run Lynis with the command:

./lynis audit system

Example:


[+] Software: PHP
------------------------------------
  - Checking PHP...                                           [ FOUND ]
  - Checking PHP disabled functions...                        [ FOUND ]
    - Checking register_globals option...                     [ OK ]
    - Checking expose_php option...                           [ ON ]
    - Checking enable_dl option...                            [ OFF ]
    - Checking allow_url_fopen option...                      [ ON ]
    - Checking allow_url_include option...                    [ OFF ]

[+] Squid Support
------------------------------------
  - Checking running Squid daemon...                          [ NOT FOUND ]

[+] Logging and files
------------------------------------
  - Checking for a running syslog daemon...                   [ OK ]
    - Checking Syslog-NG status                               [ NOT FOUND ]
    - Checking Metalog status                                 [ NOT FOUND ]
    - Checking RSyslog status                                 [ FOUND ]
    - Checking RFC 3195 daemon status                         [ NOT FOUND ]
  - Checking minilogd instances                               [ NONE ]
  - Checking logrotate presence                               [ OK ]
  - Checking log directories (static list)                    [ DONE ]
  - Checking open log files                                   [ DONE ]
  - Checking deleted files in use                             [ FILES FOUND ]

[+] Insecure services
------------------------------------
  - Checking inetd status...                                  [ ACTIVE ]
    - Checking inetd.conf...                                  [ NOT FOUND ]

[+] Banners and identification
------------------------------------
  - /etc/motd...                                              [ FOUND ]
    - /etc/motd permissions...                                [ OK ]
    - /etc/motd contents...                                   [ WEAK ]
  - /etc/issue...                                             [ FOUND ]
    - /etc/issue contents...                                  [ WEAK ]
  - /etc/issue.net...                                         [ FOUND ]
    - /etc/issue.net contents...                              [ WEAK ]

[+] Scheduled tasks
------------------------------------
  - Checking crontab/cronjob                                  [ DONE ]
  - Checking atd status                                       [ NOT RUNNING ]

[+] Accounting
------------------------------------
  - Checking accounting information...                        [ NOT FOUND ]
  - Checking auditd                                           [ ENABLED ]
    - Checking audit rules                                    [ SUGGESTION ]
    - Checking audit configuration file                       [ OK ]
    - Checking auditd log file                                [ FOUND ]

[+] Time and Synchronization
------------------------------------
  - Checking running NTP daemon...                            [ FOUND ]
  - Checking NTP client in crontab file...                    [ NOT FOUND ]
  - Checking NTP client in cron.d files...                    [ NOT FOUND ]
  - Checking for a running NTP daemon or client...            [ OK ]
  - Checking NTP daemon...                                    [ FOUND ]
  - Checking valid association ID's...                        [ FOUND ]
  - Checking high stratum ntp peers...                        [ OK ]
  - Checking unreliable ntp peers...                          [ FOUND ]
  - Checking selected time source...                          [ OK ]
  - Checking time source candidates...                        [ OK ]
  - Checking falsetickers...                                  [ OK ]
  - Checking NTP version...                                   [ FOUND ]

[+] Cryptography
------------------------------------
  - Checking SSL certificate expiration...                    [ OK ]

[+] Virtualization
------------------------------------

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                                [ NOT FOUND ]
  - Checking presence SELinux                                 [ FOUND ]
    - Checking SELinux status                                 [ DISABLED ]
  - Checking presence grsecurity                              [ NOT FOUND ]

[+] Software: file integrity
------------------------------------
  - Checking AFICK...                                         [ NOT FOUND ]
  - Checking AIDE...                                          [ NOT FOUND ]
  - Checking Osiris...                                        [ NOT FOUND ]
  - Checking Samhain...                                       [ NOT FOUND ]
  - Checking Tripwire...                                      [ NOT FOUND ]
  - Checking presence integrity tool...                       [ NOT FOUND ]

[+] Software: Malware scanners
------------------------------------
  - Checking chkrootkit...                                    [ NOT FOUND ]
  - Checking Rootkit Hunter...                                [ NOT FOUND ]
  - Checking ClamAV scanner...                                [ FOUND ]
  - Checking ClamAV daemon...                                 [ NOT FOUND ]

[+] System Tools
------------------------------------
  - Starting file permissions check...
    /etc/lilo.conf                                            [ NOT FOUND ]
    /root/.ssh                                                [ OK ]

[+] Home directories
------------------------------------
  - Checking shell history files...                           [ OK ]

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile...
      - kernel.core_uses_pid (exp: 1)                         [ OK ]
      - kernel.ctrl-alt-del (exp: 0)                          [ OK ]
      - kernel.exec-shield (exp: 1)                           [ OK ]
      - kernel.sysrq (exp: 0)                                 [ OK ]
      - net.ipv4.conf.all.accept_redirects (exp: 0)           [ DIFFERENT ]
      - net.ipv4.conf.all.accept_source_route (exp: 0)        [ OK ]
      - net.ipv4.conf.all.bootp_relay (exp: 0)                [ OK ]
      - net.ipv4.conf.all.forwarding (exp: 0)                 [ OK ]
      - net.ipv4.conf.all.log_martians (exp: 1)               [ DIFFERENT ]
      - net.ipv4.conf.all.mc_forwarding (exp: 0)              [ OK ]
      - net.ipv4.conf.all.proxy_arp (exp: 0)                  [ OK ]
      - net.ipv4.conf.all.rp_filter (exp: 1)                  [ DIFFERENT ]
      - net.ipv4.conf.all.send_redirects (exp: 0)             [ DIFFERENT ]
      - net.ipv4.conf.default.accept_redirects (exp: 0)       [ DIFFERENT ]
      - net.ipv4.conf.default.accept_source_route (exp: 0)    [ OK ]
      - net.ipv4.conf.default.log_martians (exp: 1)           [ DIFFERENT ]
      - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)         [ OK ]
      - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)   [ OK ]
      - net.ipv4.tcp_syncookies (exp: 1)                      [ OK ]
      - net.ipv4.tcp_timestamps (exp: 0)                      [ DIFFERENT ]
      - net.ipv6.conf.all.accept_redirects (exp: 0)           [ DIFFERENT ]
      - net.ipv6.conf.all.accept_source_route (exp: 0)        [ OK ]
      - net.ipv6.conf.default.accept_redirects (exp: 0)       [ DIFFERENT ]
      - net.ipv6.conf.default.accept_source_route (exp: 0)    [ OK ]

[+] Hardening
------------------------------------
    - Installed compiler(s)...                                [ FOUND ]
    - Installed malware scanner...                            [ FOUND ]

================================================================================

  -[ Lynis 1.3.0 Results ]-

  Tests performed: 164
  Warnings:
  ----------------------------
   - [12:34:29] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
   - [12:34:33] Warning: No password set for single mode [test:AUTH-9308] [impact:L]
   - [12:34:51] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [impact:L]
   - [12:34:52] Warning: Found mail_name in SMTP banner, and/or mail_name contains 'Postfix' [test:MAIL-8818] [impact:L]
   - [12:34:57] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]

  Suggestions:
  ----------------------------
   - [12:34:29] Suggestion: Run grub-md5-crypt and create a hashed password. Add a line below the line timeout=, add: password --md5  [test:BOOT-5121]
   - [12:34:33] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
   - [12:34:33] Suggestion: Set password for single user mode to minimize physical access attack surface [test:AUTH-9308]
   - [12:34:33] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
   - [12:34:33] Suggestion: To decrease the impact of a full /home file system, place /home on a separated partition [test:FILE-6310]
   - [12:34:33] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
   - [12:34:39] Suggestion: The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file. [test:FILE-6410]
   - [12:34:39] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
   - [12:34:39] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
   - [12:34:48] Suggestion: Install package 'yum-utils' for better consistency checking of the package database [test:PKGS-7384]
   - [12:34:51] Suggestion: Check your resolv.conf file and fill in a backup nameserver if possible [test:NETW-2705]
   - [12:34:52] Suggestion: You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [test:MAIL-8818]
   - [12:34:53] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]

Conclusion

Lynis is a powerful tool for auditing and hardening Unix and Linux systems. It’s easy to install and provides a comprehensive security audit. Regularly running Lynis on your system can help identify weaknesses and guide you in hardening your system’s defenses.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *