Securing Linux: Audit with Lynis (an introduction into auditing)

Securing a Linux system can take a lot of time. For this purpose we have written Lynis, a quick and small audit tool. It’s an open source tool and freely available. You just need root permissions and a common shell and you’re ready to do your first audit. The main audience for this tool is auditors, security professionals, penetrating testers and system administrators.

First audit

Most Linux distributions already have Lynis in their software repository. If not, then download Lynis and extract it in a temporary directory. Start Lynis with the lynis command, or ./lynis. Run the first scan with just the -c parameter.

Lynis will now initialize itself and determine the operating system type and check what binaries are present. After this first step is done, tests from the first category will be executed. After each section you will be asked to press Enter to continue.

First time users are advised to read the text labels, especially if any warnings show up. At the end of the scan they will be summarized for your convenience. These will help you later in securing your Linux machine(s), by applying hardening measures.

Next steps

After the scan is done, the findings are listed in the scan report at the end of the screen output. Also a hardening index is displayed, giving an indication on how well the system has been secured already. Note that it’s just an informational indicator and does not tell how “safe” a system might be.

During the scan much information is collected and stored in the log file (by default /var/log/lynis.log) for further analysis. For example what files were tested, what discoveries were made or what additional information is available. Consider this log file as a debug treasure chest. The report file (/var/log/lynis-report.dat) is another valuable file which contains useful audit results, including the warnings and suggestions displayed before and additional data for automatic parsing.

Securing Linux

Linux systems can be easily secured by following each of the findings and determine if a related change is justified. For technical savvy users applying these changes might be simple, yet we do advise to be careful with making adjustments. As part of our Lynis Enterprise Suite we therefore have marked each finding in a so-called control, together with the effort needed to fix the finding and the related risk. Additionally users of the Enterprise version will get a personalized implementation plan, so they can start with hardening the right controls first. Securing Linux systems might be time consuming when not taking in account that each change should be carefully reviewed and tested.

Automation

Depending on your needs, you could schedule Lynis and run it every week (or daily) via means of a cronjob. If you have more than 10 machines, we suggest to have a look at the Lynis Enterprise Suite. This suite will help you a lot in automating Lynis scans, collect data and properly report about all findings. Now only will be informed about what has been discovered, but also how to fix it and preferable when (priority based). Securing Linux will be easier than ever before!

Lynis plugins

For people who want to do additional tests can use plugins, part of the Lynis Enterprise Suite. Besides the normal system audit, it also will be scanned for malware, possible intrusion(s) and a more in-depth scan is performed. See our other articles and the Lynis documentation for more tips.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon