Use Lynis to scan Linux security

Have you ever thought about your Linux machine until safe? Linux distribution, each release has its own default settings, you run dozens of versions of each other, there are many services Run in the background, and we have hardly know or don’t care about it.

To determine security, you can run several commands to get some commands, but you need to resolve the amount of data, but you need to resolve the amount of data is huge.

If you can run a tool, generate a report on the machine security status, so much. Fortunately, there is such software: Lynis. It is a very popular open source security audit tool that can help strengthen Linux and UNIX systems. According to the introduction of the project:

“It runs in the system itself, can perform in-depth security scan. The main goal is to test security defense measures and provide a prompt to further strengthen the system. It will also scan general system information, susceptible packages and possible configuration issues. Lynis is often used by system administrators and auditors to assess the security defense of its system. “

Install Lynis

You may have Lynis in your Linux software warehouse. If so, you can install it with the following methods:

DNFINSTALLLYNIS

or

Aptinstalllynis

However, if the version in your warehouse is not the latest, you’d better install it from Github. (I am using the Red Hat Linux system, but you can run it on any Linux release). Just like all the tools, try a try on the virtual machine. To install it on Github:

$ Cat / etc / redhat-releaseRedHatEnterpriseLinuxServerrelease7.8 (Maipo) $$ uname-r3.10.0-1127.el7.x86_64 $$ gitclonehttps: //github.com/CISOfy/lynis.gitCloninginto’lynis’…remote: Enumeratingobjects : 30, DONE.REMOTE: CountingObjects: 100% (30/30), Done.Remote: CompressingObjects: 100% (30/30), DONE.Remote: Total12566 (Delta15), Reused8 (Delta0), pack-reused12536ReceivingObjects: 100 % (12566/12566), 6.36MIB | 911.00kib / s, Done.ResolvingDeltas: 100% (9264/9264), DONE. $

Once you cloned this version of the library, then enter the directory and see what it is available. The main tool is in a file called Lynis. It is actually a shell script, so you can open it to see what it is doing. In fact, Lynis is mainly implemented by shell scripts:

$ Cdlynis / $ lsCHANGELOG.mdCONTRIBUTING.mddbdeveloper.prfFAQincludeLICENSElynis.8READMESECURITY.mdCODE_OF_CONDUCT.mdCONTRIBUTORS.mddefault.prfextrasHAPPY_USERS.mdINSTALLlynispluginsREADME.md $$ filelynislynis: POSIXshellscript, ASCIItextexecutable, withverylonglines $

Runlynis

View the help section by giving the Lynis -h option, so you can have a probably:

$. / lynis-h

You will see a short message screen, then all subcommands supported by Lynis.

Next, try some test commands to be generally familiar. To view the Lynis version you are using, please run:

$. / LynisShowVersion3.0.0 $

To see all available commands in Lynis:

$. / lynisshowcommandscommands: lynisauditlynisconfigureLynisgeneratelynisshowlynisupdatelynisupload-only $

Audit Linux system

To audit your system’s security situation, run the following command: $. / Lynisauditsystem

This command runs very quickly and will return a detailed report, and the output may be frightened at the beginning, but I will guide you below to read it. The output of this command will also be saved in a log file, so you can check anything that may be interested in any time.

Lynis saves the log here:

Files: -testanddebuginformation: /var/log/lynis.log-reportdata: /var/log/lynis-report.dat

You can verify that the log file is created. It does create:

$ ls-l / var / log / lynis.log-rw-r —–. 1Rootroot341489apr3005: 52 / var / log / lynis.log $$ ls-l / var / log / lynis-report.dat-rw -r —–. 1 ROOTROOT638APR3005: 55 / VAR / log / lynis-report.dat $

Exploration report

Lynis provides a considerable full report, so I will introduce some important parts. As part of the initialization, the first thing of Lynis is to find the complete information of the operating system running on the machine. After that, check if system tools and plugins have been installed:

[+] InitializingProgram ———————————– DetectingS … [DONE] -CheckingProfiles … [DONE] —————————————————————————————————————————————————————————————— ——- Programversion: 3.0.0Operatingsystem: LinuxOperatingsystemname: RedHatEnterpriseLinuxServer7.8 (Maipo) operatingsystemversion: 7.8Kernelversion: 3.10.0Hardwareplatform: x86_64Hostname: example —————– ———————————- > [+] systemTools ——- —————————— Scanningavailabletools …- CheckingsystemBinaries … [+] Plugins (Phase1) —- —————————— NOTE: PluginshaveMoreextensiveTestSandmaytakeseveralminutestOComplete-plugin: Pam [.] – Plugin: Systemd [. …………..]

Next, the report is divided into different parts, each of which starts with the [+] symbol. Here you can see some chapters. (Wow, there are so many places to review, Lynis is the most suitable tool!)

[+] Bootandservices [+] Kernel [+] MemoryandProcesses [+] Users, GroupsandAuthentication [+] Shells [+] Filesystems [+] USBDevices [+] Storage [+] NFS [+] Nameservices [+] Portsandpackages [+] Networking [+] PrintersandSpools [+] Software: e-mailandmessaging [+] Software: firewalls [+] Software: webserver [+] SSHSupport [+] SNMPSupport [+] Databases [+] LDAPServices [+] PHP [+] SquidSupport [+ ] Loggingandfiles [+] Insecureservices [+] Bannersandidentification [+] Scheduledtasks [+] Accounting [+] TimeandSynchronization [+] Cryptography [+] Virtualization [+] Containers [+] Securityframeworks [+] Software: fileintegrity [+] Software: Systemtooling [+] Software: Malware [+] FILEPERMISSIONS [+] HOMEDIRECTORIES [+] kernelhandening [+] hardening [+] CustomtestslyNIS uses color coding to make reports easier to interpret.

green. Everything is normal yellow. Skip, no found, there may be a suggestion. You may need to take a closer look at this

In my case, most of the red tags are found in the “kernel hardening” section. The kernel has various adjustable settings that define the functions of the kernel, where some adjustable settings may have their security scenarios. The release may not be defaults for these, but you should check each item to see if you need to change its value according to your safety:

[+] Kernelhandening ———————————— ComparingsysctlKeypairswithscanprofile-fs.protected_hardlinks (exp: 1 [Ok] -fs.protected_symlinks (exp: 1) [OK] -fs.suid_dumpable (exp: 0) [OK] -kernel.core_uses_pid (exp: 1) [OK] -kernel.ctrl-alt-del (Exp) : 0) [OK] -kernel.dmesg_restrict (exp: 1) [Different] -kernel.kptr_restrict (exp: 2) [DIFFERENT] -kernel.randomize_va_space (exp: 2) [OK] -kernel.sysrq (EXP: 0 [Different] -kernel.yama.ptrace_scope (exp: 123) [DIFFERENT] -Net.ipv4.conf.all.accept_redirects (exp: 0) [DIFFERENT] -NET.IPV4.conf.Accept_source_route (exp: 0) ) [OK] -net.ipv4.conf.all.bootp_relay (exp: 0) [OK] -Net.ipv4.conf.all.Forwarding (exp: 0) [OK] -net.ipv4.conf.all.log_martians (EXP: 1) [DIFFERENT] -NET.IPV4.conf.all.mc_forwarding (exp: 0) [OK] -net.ipv4.conf.all.Proxy_arp (exp: 0) [OK] -Net.IPv4.conf .all.rp_filter (exp: 1) [OK] -net.ipv4.conf.all.send_redirects (exp: 0) [DIFFERENT] -NET.IPV4.Conf.default.accept_redirects (exp: 0) [Different] -NET .ipv4.conf.default.accept_source_route (exp: 0) [OK] -net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT] -net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [OK] -net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [OK] -net.ipv4.tcp_syncookies (exp: 1) [OK] -net.ipv4.tcp_timestamps (EXP: 01) [OK] -net.ipv6.conf.all.accept_redirects (exp: 0) [DIFFERENT] -Net.ipv6.conf.Accept_source_route (exp: 0) [OK] -Net.ipv6.conf .default.accept_redirects (exp: 0) [DIFFERENT] -Net.ipv6.conf.default.accept_source_route (exp: 0) [OK] See SSH example, because it is a key area that needs to ensure security. There is no red thing here, but Lynis gives me a lot of reinforcing SSH services:

[+] SSHSUPPORT ———————————— CheckingRunningsshdaemon [Found] -Searchingsshconfiguration [Found] -OpenSSHoption: AllowTcpForwarding [SUGGESTION] -OpenSSHoption: ClientAliveCountMax [SUGGESTION] -OpenSSHoption: ClientAliveInterval [OK] -OpenSSHoption: Compression [SUGGESTION] -OpenSSHoption: FingerprintHash [OK] -OpenSSHoption: GatewayPorts [OK] -OpenSSHoption: IgnoreRhosts [OK] – OpenSSHoption: LoginGraceTime [OK] -OpenSSHoption: LogLevel [SUGGESTION] -OpenSSHoption: MaxAuthTries [SUGGESTION] -OpenSSHoption: MaxSessions [SUGGESTION] -OpenSSHoption: PermitRootLogin [SUGGESTION] -OpenSSHoption: PermitUserEnvironment [OK] -OpenSSHoption: PermitTunnel [OK] -OpenSSHoption : Port [SUGGESTION] -OpenSSHoption: PrintLastLog [OK] -OpenSSHoption: StrictModes [OK] -OpenSSHoption: TCPKeepAlive [SUGGESTION] -OpenSSHoption: UseDNS [SUGGESTION] -OpenSSHoption: X11Forwarding [SUGGESTION] -OpenSSHoption: AllowAgentForwarding [SUGGESTION] -OpenSSHoption: Useprivilegeseparation [OK] -OpenSshoption: allowusers [notfound] -opensshoption: allowgroups [notfound] My There is no virtual machine or container on the system, so the result of these display is empty:

[+] Virtualization ———————————— [+] Containers —— ——————————

Lynis will check some file permissions for files from security perspectives:

[+] FILEPERMISSIONS ———————————– StartingFilePermissionsCheckfile: / boot / grub2 / grub. CFG [suggestion] file: /etc/cron.deyle [OK] file: / etc / crontab [suggest] file: / etc / group [ok] file: / etc / group- [ok] file: / etc / hosts. Allow [OK] file: /etc/hosts.deny [ok] file: / etc / ixxue [ok] file: /etc/issue.net [ok] file: / etc / motd [ok] file: / etc / passwd [OK] file: / etc / passwd- [ok] file: / etc / ssh / sshd_config [ok] Directory: /Root/.ssh [suggest] Directory: /etc/cron.d [suggestion] Directory: / ETC / cron.daily [suggestion] Directory: /etc/cron.Hourly [suggest] Directory: /etc/cron.Weekly [suggest] Directory: /etc/cron.monthly [suggest] In the bottom of the report, Lynis proposed based on the report Suggestions. There is a “test-id” after each suggestion (for the next part, please save it).

Suggestions (47): ————————— * ifnotrequired, consideXPlicitdisablingofcoredumpin / etc / security / limiteds.conffile [KRNL-5820] https://cisofy.com/lynis/controls/KRNL-5820/*CheckPAMconfiguration,addroundsifapplicableandexpirepasswordstoencryptwithnewvalues[AUTH-9229]https://cisofy.com/lynis/controls/AUTH-9229/

Lynis provides an option to find more information about each suggestion, you can use the show details command and Test-ID number:

./lynisshowdetailstest-ID

This will display additional information of the test. For example, I checked the details of SSH-7408:

: 23Suggestion: Considerhardeningsshconfiguration [Test: SSH-7408] [DETAILS: ALLOWTCPFORWARDING (SETYESTONO)] [Solution: -] Try it

If you want to know more about your Linux machine, try Lynis.If you want to know how Lynis work, you can study its shell script to see how it collects this information.

Uncategorized