Auditing Linux system security using lynis

Lynis is a security auditing tool for UNIX and Linux based systems. It performs a security scan on the system and provides suggestions for best practices for system hardening. The report from lynis shows a lot of suggestions to harden the system and requires some adaptation to fit the setup of the scanned system.

Lynis is available via the CISOfy website as well as on theirĀ Guthub repository. To install lynis on RedHat or CentOS, enable the EPEL repository as described in How to Enable EPEL Repository for RHEL/CentOS 7.x/6.x/5.x. After the EPEL repository is enabled, install lynis via yum.

$ yum install lynis

To install the latest version on Ubuntu based systems, use the package repository directly from CISOfy.com. If the package from the Ubuntu package repository is installed, it might be outdated. At the time of writing, the latest version of lynis is 2.4.0 (released 2016-10-27) while the Ubuntu repositories provided only version 2.1.1 (released 2015-07-22).

Directly after the installation, the first audit run can be started. To do this, execute the following with root privileges.

$ sudo lynis --quick audit system

The output of the command is quite long. The first part shows which checks have been performed and their result. The second part of the output is where warnings and suggestions are shown. This section might look similar to this.

================================================================================
-[ Lynis 2.4.0 Results ]-
Warnings (2):
----------------------------
! No password set for single mode [AUTH-9308] 
https://cisofy.com/controls/AUTH-9308/
! PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [PHP-2372] 
https://cisofy.com/controls/PHP-2372/
Suggestions (29):
----------------------------
* Configure minimum password age in /etc/login.defs [AUTH-9286] 
https://cisofy.com/controls/AUTH-9286/
* Configure maximum password age in /etc/login.defs [AUTH-9286] 
https://cisofy.com/controls/AUTH-9286/
* Set password for single user mode to minimize physical access attack surface [AUTH-9308] 
https://cisofy.com/controls/AUTH-9308/
* Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027) [AUTH-9328] 
https://cisofy.com/controls/AUTH-9328/
* To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310] 
https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310] 
https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310] 
https://cisofy.com/controls/FILE-6310/
* Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] 
https://cisofy.com/controls/STRG-1840/
* Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
https://cisofy.com/controls/STRG-1846/
* Check DNS configuration for the dns domain name [NAME-4028] 
https://cisofy.com/controls/NAME-4028/
* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] 
https://cisofy.com/controls/NETW-3032/
* Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590] 
https://cisofy.com/controls/FIRE-4590/
* Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] 
https://cisofy.com/controls/HTTP-6640/
* Install Apache mod_qos to guard webserver against Slowloris attacks [HTTP-6641] 
https://cisofy.com/controls/HTTP-6641/
* Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] 
https://cisofy.com/controls/HTTP-6643/
* Consider hardening SSH configuration [SSH-7408] 
- Details  : AllowTcpForwarding (YES --> NO)
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
- Details  : LogLevel (INFO --> VERBOSE)
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
- Details  : TCPKeepAlive (YES --> NO)
https://cisofy.com/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408] 
- Details  : UsePrivilegeSeparation (YES --> SANDBOX)
https://cisofy.com/controls/SSH-7408/
* Change the expose_php line to: expose_php = Off [PHP-2372] 
https://cisofy.com/controls/PHP-2372/
* Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376] 
https://cisofy.com/controls/PHP-2376/
* Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
https://cisofy.com/controls/BANN-7126/
* Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
https://cisofy.com/controls/BANN-7130/
* Enable process accounting [ACCT-9622] 
https://cisofy.com/controls/ACCT-9622/
* Enable auditd to collect audit information [ACCT-9628] 
https://cisofy.com/controls/ACCT-9628/
* Use NTP daemon or NTP client to prevent time issues. [TIME-3104] 
https://cisofy.com/controls/TIME-3104/
* Determine if automation tools are present for system management [TOOL-5002] 
https://cisofy.com/controls/TOOL-5002/
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
https://cisofy.com/controls/KRNL-6000/
* Harden compilers like restricting access to root user only [HRDN-7222] 
https://cisofy.com/controls/HRDN-7222/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
================================================================================

The “findings” is shown in the related section as “Warnings” or “Suggestions”. Each “finding” is shown with a short explanation of the check including a unique identification like “[TOOL-5002]” and a link to the developer’s website with details about the finding and the mitigation.

Customize the profile

The auditing profile is configured at “/etc/lynis/default.prf” which should not be edited. Instead copy / add the necessary settings to custom.prf and put it in the same directory as default.prf (by default this would be “/etc/lynis/”).

$ vim /etc/lynis/custom.prf

In this file all settings from the default.prf can be overridden. This custom.prf file allows for customizing the audit profile to the needs and setup of the system. It allows you, for example, to disable the tests not fitting your system setup using the “skip-test=” setting.

# Skip a test (one per line)
skip-test=SSH-7408
# Skip a particular option within a test (when applicable)
skip-test=SSH-7408:loglevel

The first skips the complete check with the identifier “SSH-7408” while the second will only disable one sub-check of that called “loglevel”. This information can be collected from the logfile shown in the report.

Check the logfile for all details (less /var/log/lynis.log)

The log file contains lines like the following for each test. The output shows the suggestion with a little more details.

Performing test ID SSH-7408 (Check SSH specific defined options)
...
Test: Checking LogLevel in /tmp/lynis.HItKlbfDeU
Result: Option LogLevel found
Result: Option LogLevel value is INFO
Result: SSH option LogLevel is configured reasonably
Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:LogLevel (INFO --> VERBOSE)] [solution:-]

The “test” and “details” labels indicate the information needed to skip this particular check inside the test SSH-7408.


Read more of my posts on my blog at https://blog.tinned-software.net/.

This entry was posted in Security and tagged , , . Bookmark the permalink.