How to scan Linux for vulnerabilities with lynis
Last updated on April 9, 2013 Authored by
Dan Nanni5 Comments
As a system administrator, Linux security technician or system
auditor, your responsibility can involve any combination of these:
software patch management, malware scanning, file integrity checks,
security audit, configuration error checking, etc. If there is an
automatic vulnerability scanning tool, it can save you a lot of
time checking up on common security issues.
One such vulnerability scanner on Linux is lynis. This tool is
open-source (GPLv3), and actually supported on multiple platforms
including Linux, FreeBSD, and Mac OS.
To install lynis on Linux, do the
following.
$ wget http://cisofy.com/files/lynis-1.6.3.tar.gz
$ sudo tar xvfvz lynis-1.6.3.tar.gz -C /opt
To scan Linux for vulnerabilities with lynis,
run the following.
$ cd /opt/lynis
$ sudo ./lynis --check-all -Q
Once lynis starts scanning your system, it will perform auditing
in a number of categories:
System tools: system binaries
Boot and services: boot loaders, startup
services
Kernel: run level, loaded modules, kernel
configuration, core dumps
Memory and processes: zombie processes, IO
waiting processes
Users, groups and authentication: group IDs,
sudoers, PAM configuration, password aging, default mask
Shells
File systems: mount points, /tmp files, root
file system
Storage: usb-storage, firewire ohci
NFS
Software: name services: DNS search domain,
BIND
Ports and packages: vulnerable/upgradable
packages, security repository
Networking: nameservers, promiscuous
interfaces, connections
Printers and spools: cups configuration
Software: e-mail and messaging
Software: firewalls: iptables, pf
Software: webserver: Apache, nginx
SSH support: SSH configuration
SNMP support
Databases: MySQL root password
LDAP services
Software: php: php options
Squid support
Logging and files: syslog daemon, log
directories
Insecure services: inetd
Banners and identification
Scheduled tasks: crontab/cronjob, atd
Accounting: sysstat data, auditd
Time and synchronization: ntp daemon
Cryptography: SSL certificate expiration
Virtualization
Security frameworks: AppArmor, SELinux,
grsecurity status
Software: file integrity
Software: malware scanners
Home directories: shell history files
The screenshot of lynis in action is shown below:
Once scanning is completed, the auditing report of your system
is generated and stored in /var/log/lynis.log.
The audit report contains warnings for potential vulnerabilities
detected by the tool. For example:
$ sudo grep Warning /var/log/lynis.log
[20:20:04] Warning: Root can directly login via SSH [test:SSH-7412]
[impact:M][20:20:04] Warning: PHP option expose_php is possibly
turned on, which can reveal useful information for attackers.
[test:PHP-2372] [impact:M][20:20:06] Warning: No running NTP daemon
or available client found [test:TIME-3104] [impact:M]
The audit report also contains a number of suggestions that can
help harden your Linux system. For example:
$ sudo grep Suggestion /var/log/lynis.log
[20:19:41] Suggestion: Install a PAM module for password strength
testing like pam_cracklib or pam_passwdqc
[test:AUTH-9262][20:19:41] Suggestion: When possible set expire
dates for all password protected accounts
[test:AUTH-9282][20:19:41] Suggestion: Configure password aging
limits to enforce password changing on a regular base
[test:AUTH-9286][20:19:41] Suggestion: Default umask in
/etc/profile could be more strict like 027
[test:AUTH-9328][20:19:42] Suggestion: Default umask in
/etc/login.defs could be more strict like 027
[test:AUTH-9328][20:19:42] Suggestion: Default umask in
/etc/init.d/rc could be more strict like 027
[test:AUTH-9328][20:19:42] Suggestion: To decrease the impact of a
full /tmp file system, place /tmp on a separated partition
[test:FILE-6310][20:19:42] Suggestion: Disable drivers like USB
storage when not used, to prevent unauthorized storage or data
theft [test:STRG-1840][20:19:42] Suggestion: Disable drivers like
firewire storage when not used, to prevent unauthorized storage or
data theft [test:STRG-1846][20:20:03] Suggestion: Install package
apt-show-versions for patch management purposes [test:PKGS-7394]. .
. .
Scan Your System for Vulnerabilities as a Daily Cron Job
To get the most out of lynis, it’s recommended to run it on a
regular basis, for example, as a daily cronjob. When run with
"--cronjob" option, lynis runs in automatic, non-interactive scan
mode.
The following is a daily cronjob script that runs lynis in
automatic mode to audit your system, and archives daily scan
reports.
$ sudo vi /etc/cron.daily/scan.sh
#!/bin/shAUDITOR="automated"DATE=$(date
%Y%m%d)HOST=$(hostname)LOG_DIR="/var/log/lynis"REPORT="$LOG_DIR/report-${HOST}.${DATE}"DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"cd
/opt/lynis./lynis -c --auditor "${AUDITOR}" --cronjob
> ${REPORT}mv /var/log/lynis-report.dat ${DATA}
$ sudo chmod 755 /etc/cron.daily/scan.sh