
Lynis: Linux audit and hardening
March 6th, 2022
Strong security begins with strong foundations.
That is why CISOfy created Lynis, an automated tool that performs a Linux health check on your server or computer.
What is Lynis?
Lynis is Free and Open Source Software (FOSS). There is also a paid version named Lynis Enterprise, available as SaaS or self-hosted. I am only going to focus on the Lynis FOSS version here.
Lynis will scan, assess and report on the following:
- Boot and services
- Kernel
- Kernel Hardening
- Memory and Processes
- Users, Groups and Authentication
- Shells
- File systems
- USB Devices
- Storage
- NFS
- Name services
- Ports and packages
- Networking
- Printers and Spools
- Software: e-mail and messaging
- Software: firewalls
- Software: webserver
- SSH Support
- SNMP Support
- Databases
- LDAP Services
- PHP
- Squid Support
- Logging and files
- Insecure services
- Scheduled tasks
- Time and synchronization
- Accounting
- Cryptography
- Virtualization
- Containers
- Security frameworks
- File permissions
- Home directories
- Vulnerable packages
- and even more...!
For each category, Lynis will report one of the following statuses:
- OK: Expected good result.
- WARNING: Pay attention and review this control. It might be desired or not. Basically, you can fix or ignore it based on what you know about your server / computer and the services it is running.
- FAIL: The test failed and Lynis was unable to retrieve or check the information. Review why (lack of privileges?).
- FOUND / NOT FOUND: A standard message to inform you that it has found something, such as a zombie process. It can be good news or bad news depending on the control.
- SUGGESTION: Lynis suggests some changes to enhance your security posture. It's up to you to decide.
- DONE: Standard output message to inform that a task has been done. Querying some controls for example.
All this for the incredible price of:
Install Lynis
Deploying Lynis is a bit tricky...or not.
$ git clone https://github.com/CISOfy/lynis
Cloning into 'lynis'...
remote: Counting objects: 1733, done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 1733 (delta 3), reused 0 (delta 0), pack-reused 1725
Receiving objects: 100% (1733/1733), 886.18 KiB | 378.00 KiB/s, done.
Resolving deltas: 100% (1204/1204), done.
Checking connectivity... done.
Audit your system with Lynis
Here again it's very complicated.
sudo lynis audit system
Wait 1 min for it to run.
Enjoy your first raw report
Fixing your findings with Lynis
First, look at the details with the following command and the Lynis ID:
sudo lynis show details PKGS-7346
You will even find online help for the findings: https://cisofy.com/lynis/controls/PKGS-7346
More friendly report
Lynis is great, but when it comes to reporting and sharing results with your colleagues, or simply for convenient analysis, the shell report might not be the best option for long-term use.
I have found two easy ways to improve user friendliness of these reports.
Method 1: Output shell report into HTML file
A very cheap and easy way, using ansi2html:
sudo apt install colorized-logs
sudo lynis audit system | ansi2html -l > report.html
Use your favorite browser to review the audit report.
Method 2: Lynis report converter
This great piece of code on GitHub lets you convert your Lynis report into HTML, PDF, Excel, JSON and XML!
https://github.com/d4t4king/lynis-report-converter
The whole installation and usage is explained on the GitHub README page.
Here is a picture of the HTML produced:
As Lynis supports plug-ins, look online for existing plug-ins or develop your own.
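For analysis and tracking over time, the findings can also be read directly from Lynis's machine-readable report file. The following is an added example, not code from Lynis or from lynis-report-converter. It assumes the default report path /var/log/lynis-report.dat and the key=value layout with pipe-separated finding fields; the sample data is constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the key=value layout of the Lynis report file
# (assumed default path: /var/log/lynis-report.dat). Not real scan output.
SAMPLE_REPORT = """\
# Lynis Report
report_version_major=1
lynis_version=3.0.7
hardening_index=63
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=PKGS-7346|Purge old/removed packages (2 found)|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
"""

FINDING_KEYS = {"warning[]": "warnings", "suggestion[]": "suggestions"}


def parse_report(text):
    """Split a Lynis report into scalar settings and structured findings."""
    report = {"settings": {}, "warnings": [], "suggestions": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # only the first '=' separates key and value
        if key in FINDING_KEYS:
            # Finding fields are pipe-separated: id|message|details|solution|
            fields = (value.split("|") + ["", "", "", ""])[:4]
            test_id, message, details, solution = (
                "" if f == "-" else f for f in fields)  # "-" marks an empty field
            report[FINDING_KEYS[key]].append({
                "id": test_id, "message": message,
                "details": details, "solution": solution})
        elif not key.endswith("[]"):
            report["settings"][key] = value  # other list-type keys are skipped
    return report


def summarize(report):
    """Return a compact summary suitable for sharing or diffing between runs."""
    return {
        "lynis_version": report["settings"].get("lynis_version"),
        "hardening_index": int(report["settings"].get("hardening_index", 0)),
        "warning_ids": [w["id"] for w in report["warnings"]],
        "suggestion_ids": [s["id"] for s in report["suggestions"]],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_report(SAMPLE_REPORT)), indent=2))
```

To run it against a real scan, read the report file (root privileges are usually needed) and pass its contents to parse_report; each returned ID can then be fed to lynis show details.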
Conclusion
Lynis is powerful free software that can help you create a customized hardened image, which can then be used as a template to deploy across your whole environment. This gives you the possibility to start from a baseline where everything you want blocked is blocked from the beginning and then, based on the needs of the different IT projects, relax what needs to be relaxed. A whitelisting approach is always more powerful because it demonstrates a higher level of maturity and deeper knowledge of your environments.
I hope that you will give Lynis a try because it's only 10 min work to try. Give it a chance!