What’s New in Lynis 2: Features
Lynis 2.x Features
Lynis 2.x will bring security auditing of Linux and Unix systems to a new level. In this blog post we share some exciting new features.
Release of Lynis 2 is planned for February 2015.
- Lynis 2.x
- Systemd Support
- File Integrity Monitoring
- Containers & Virtualization
- Operating Systems
- Focus on Simplicity
- Free and Commercial Support
Lynis has been created in 2007, as a follow-up on the well-known tool Rootkit Hunter (rkhunter). Both tools are now used by companies all over the world, from individuals up to big companies, military and governments.
Where Rootkit Hunter only searched for malware, Lynis was about scanning systems broader and deeper. The goal was simply measuring the security defenses of a particular system and assisting with hardening.
Since 2013, Lynis under the support of CISOfy, to ensure ongoing development and keep up with new trends. With the author still being involved in development and promotion, the tool gained much traction over the last years. This resulted in more downloads and reaching even more users than ever before. The tool has been covered on many blogs, magazines and recently ended 3rd in ToolsWatch’s hunt for the best security tool of 2014.
Now seven years later, the goal is much higher. Instead of just hardening, the new Lynis wants to help you preventing break-ins, detecting intruders and provide continuously security monitoring. In this post we share some of the upcoming developments.
The biggest change in Lynis 2.x might the usage of plugins. It implies a difference in thinking about how individual tests are performed. In the past different types of tests where placed in the category file (e.g. include/tests_firewalls). From now on, they are split into two different types:
- Information gathering
- Configuration checks
The first type of tests simply gather information on the system, or in other words system discovery. Examples include a process listing, files in a directory, or the status of a particular program.
Configuration checks on the other hand, are the ones who you might recognize from the screen output. They actually make an informed decision on what has been found and tell the user the result. This may include actual advice or a suggestion.
Most plugins will focus on the information gathering. Where appropriate, it might be an input for configuration checks and provide a suggestion here and there. With this new separation, the scan process will be more efficient, resulting in quicker scans.
The plan is to release both community plugins and commercial plugins. The last group will focus on the Enterprise functionality, like compliance and file integrity monitoring.
While there are many strong opinions about systemd, and its strengths and weaknesses, the truth is that it is out there. Since systemd is still under (heavy) development, we will be the first auditing tool to do a deep analysis of systemd, and keep up with its development. Each related Lynis test will determine what systemd options are available and process the related output, helping you to understand systemd more easily.
Auditing is underrated?
We believe that auditing is still underrated by companies. After all, even with a lot of auditing in place, systems get compromised. That does not mean auditing is useless. Too often simple basic details are being overlooked, which later then turn out to be cause for a break-in.
While Systemd enhances the boot process, it might complicate things. Proper auditing is needed to keep it well configured. Analyzing systemd is something which is of great value to maintain a healthy system. Our goal with Lynis 2.x is to audit it inside out and tell you when things can be improved.
- Determine available units
- Checked for failed units
- Analyze coredump configuration
- Determine timers
- Check journal and its configuration
File Integrity Monitoring
Being a host based auditing utility, also indicates that the files on the system can be analyzed. During the audit much information can be gathered about what security defenses are applied, and how many. One interesting area is that of determining the integrity of files, packages and data. Lynis 2.x will focus even more on these areas.
Some examples which will be tested in the newer Lynis versions:
- GPG signing
- Vulnerability database
- Aging of files
- Presence of file integrity monitoring tools
Additionally a plugin will be released which will do more data collection, so this data can be stored and compared.
Containers & Virtualization
The upcoming releases of Lynis have improved detection for both virtualization and container technology. By better determination of the environment a machine is running it, the better advice can be provided.
Control groups (cgroups) and Namespaces
Not new, but definitely more used in the last years are cgroups and namespaces. Both combined they prioritize, control and restrict processes. When used properly, powerful protection against limited resources. From a security point of view they are both very interesting options.
A few posts have already been dedicated to this subject. What is new is following how container technology and the role of Docker will develop. Lynis will be tracking these developments to ensure the security aspects. With containers still not being able to fully contain, companies and individuals might be sharing way too much they intended. Lynis will help detecting possible gaps.
One of the first areas to secure Docker is building your images securely. With the new command lynis audit dockerfile, you can test your Dockerfile for security best practices.
Another company, known for its Linux distribution Ubuntu, is Canonical with its product Snappy. Definitely something which will be used by Ubuntu users in the (near) future. Enough reason to ensure those areas are audited.
Lynis has been tested on many different platforms and versions. From Solaris to lesser known Linux distributions, the tool runs on all of them.
The big difference with benchmarks and other tools, is that it uses a “discover on the go” method. So it actually learns per machine what can be tested, how much is needed and what tools are available. This method has proven to be successful and one of the reasons why tools like OpenSCAP simply don’t take off. Most of you do not want to run binaries, have to compile things manually or have to read hundreds of unclear findings.
To ensure portability of our code, we regularly test it on different platforms and perform an extensive analysis on the related log file. Within Lynis 2.x we will continue this effort and focus on the key differences of each operating system.
One of the great benefits of Linux is that it is open source and new features in software are quickly shared. Arch Linux being a “rolling release” distribution, means it is always up-to-date and using new great features. With the Lynis 2 releases, Arch Linux will be better supported. As they are one of the pioneers when it comes to new features, Lynis will keep an eye on them.
Gentoo and clones are still being used a lot. With the great support of Gentoo to include Lynis, we will keep on supporting this Linux distribution in the best possible way.
One of the giants in open source is Red Hat and their commercial product line. For those using clones like CentOs, Scientific Linux or Red Hat’s playground distribution Fedora, Lynis will leverage common used technologies. One of best known parts might be that of the Linux Audit framework.
Commercially available operating systems are interesting for corporate users. With the upcoming Lynis releases we will add additional support for commercial platforms like those of SuSE. This will include the detection of specific tools not found on other distributions.
Originally Ubuntu was seen as a desktop distribution. During the last years it has become clear Ubuntu is also suitable for servers. With upcoming container technologies, Ubuntu will implement Snappy. Lynis will aim for including as many technologies as possible. By proper segmentation, audits will remain quick and at the same time the code base will be as simple as before.
Free and Commercial Support
Too many open source projects became closed source or abandoned after an organization got involved with its development. We are so passionate about our software and the community of users, that we want to keep Lynis open source and available to the community.
This means that the Lynis remains free and can be used as a standalone tool. At the same time it is part of the Lynis Enterprise solution, being the client which collects data and brings it to the central node.
Good software needs the right support. If your business is relying on security tools like Lynis, you will benefit from having an up-to-date tool. To ensure you have the best possible tools in your toolbox, we continue to release often. Free users will benefit from the development efforts by the supporting company, while customers will benefit from a well-known tool, which is well-known and peer reviewed by the community.
With Lynis version 2, we want to finish the transformation from a hobby project, to a well-known and rock-solid solution for system administrator and security professionals.
- License: Open Source, GPLv3
- Pricing: Free
- Primary goal: Security auditing and system hardening
- Developer: CISOfy
- Project URL: https://cisofy.com/lynis/
Lynis Enterprise Features:
- Additional plugins (e.g. file integrity, compliance)
- Central management interface
- Reporting possibilities
- Automation, snippets and defensive hardening tools
- Project URL: https://cisofy.com/lynis-enterprise/
Do you believe in open source and security auditing? Share this post in your social network and get the internet a safer place.