Complete Guide to Lynis
Lynis is an open-source security auditing tool for Unix-based systems, including Linux, macOS, and BSD. Its primary goal is to test security defenses and provide tips for further system hardening. It performs an in-depth security scan on the system itself, identifying vulnerabilities, misconfigurations, and areas for improvement. Written as a shell script, Lynis runs on virtually any Linux or Unix-based operating system, which makes it lightweight and highly portable.
Introduction to Lynis
First released in 2007 and available under the GPL license, Lynis has become a popular security tool for various purposes, including compliance testing (PCI, HIPAA, SOx), system hardening, and vulnerability assessments.
Key Features of Lynis
- Comprehensive Security Scanning: Lynis performs extensive health scans to support system hardening and compliance testing.
- Agentless Architecture: No additional installations or dependencies are required, allowing it to run on clean systems.
- Modular and Opportunistic: Tests are grouped into categories and run only for components that are actually discovered on the system.
- Extensive System Coverage: Lynis can audit printers, spools, messaging software, firewalls, insecure services, SSH support, SNMP support, databases, LDAP services, kernel, memory, processes, file systems, file permissions, and more.
- Detailed Reporting: Provides thorough reports with suggestions for improving security posture.
- Compliance Testing: Assists with compliance testing for various standards including ISO 27001, PCI DSS, and HIPAA.
Installation Options
Package Manager Installation
Lynis is available in most Linux distribution repositories, though these versions might not always be the latest:
# Debian/Ubuntu
sudo apt install lynis
# Red Hat/CentOS/Fedora
sudo yum install lynis
# Arch Linux
sudo pacman -S lynis
Manual Installation (Latest Version)
To get the latest version, you can download Lynis from the official repository or use Git:
# Clone the repository
git clone https://github.com/CISOfy/lynis
# Navigate to the Lynis directory
cd lynis
# Make the main file executable
chmod +x lynis
CISOfy Repository Installation
CISOfy provides repositories with the latest Lynis versions. Note that apt-key is deprecated on current Debian and Ubuntu releases; on those systems, store the key in a keyring file and reference it with a signed-by option in the sources entry instead.
# Add the repository and install (example for Debian/Ubuntu)
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
sudo apt update
sudo apt install lynis
Running Lynis
Basic System Audit
The most common way to start Lynis is the audit system command, which initiates a comprehensive security scan:
# If installed via package manager
sudo lynis audit system
# If using the manual installation
sudo ./lynis audit system
Non-Privileged Mode (Pentest)
Lynis can also run as an unprivileged user, but tests that require root privileges are skipped in this mode, so the results are less complete:
# Non-privileged mode (pentest)
lynis audit system --pentest
Quick Mode
Quick mode skips the pauses between test sections so the audit runs unattended while you work on other things:
sudo lynis audit system --quick
Understanding Lynis Output
Lynis provides multiple outputs after completing an audit:
Screen Output
The screen output shows test results in real-time with color-coded indicators:
- Green: Indicates good configuration or no issues found
- Yellow: Suggestions for improvement
- Red: Warnings that require attention
Result Indicators
Lynis uses various result indicators in its output:
- OK: Test passed successfully
- WARNING: Potential security issue detected
- FOUND/NOT FOUND: Feature or component presence
- NONE/DONE: Action status
Log File
The complete log file is saved to /var/log/lynis.log and contains detailed information including:
- Action and event times
- Reasons for test failures or skips
- Internal test output
- Configuration suggestions
- Threat impact scores
Report File
The report file is saved to /var/log/lynis-report.dat and contains structured data for further processing.
Key Areas Audited by Lynis
Lynis performs checks in numerous security-critical areas:
System Basics
- Kernel version, system tools, installed software, configuration files
- Boot and services
- System initialization
Authentication & Access Control
- User accounts (password policies, authorizations) and group configurations
- PAM configuration
- SSH configuration and hardening
Network Security
- Firewall configuration
- Network services
- Insecure services
Software & Services
- SSH daemon configuration
- SNMP daemon configuration
- Database security (MySQL, PostgreSQL, Oracle, DB2, Redis)
- LDAP services
File Systems
- File permissions
- File system configuration
- Sensitive files
Malware Detection
- Malware scanner presence and configuration
Logging & Auditing
- System logging configuration
- Audit daemon configuration
Interpreting Results and Hardening
Suggestions vs. Warnings
Lynis categorizes its findings into suggestions and warnings:
- Warnings: Issues that require immediate action
- Suggestions: Opportunities for improvement
Hardening Index
Lynis provides a unique Hardening Index score up to 100, giving auditors an idea of how well a system is hardened. A higher score indicates better security measures. Even a score in the 80s can indicate a solid security baseline.
Getting Detailed Information
To get detailed information about a specific finding, use the test ID provided in the results:
lynis show details TEST-ID
Replace TEST-ID with the actual test identifier (e.g., SSH-7408).
Implementing Security Recommendations
When implementing Lynis recommendations, consider the following approach:
- Prioritize warnings over suggestions
- Consider system role and environment (production, development, etc.)
- Test changes in non-production environments first
- Document changes for future reference
- Re-run Lynis after implementing changes to verify improvement
Common Hardening Areas
Based on Lynis findings, these are common areas requiring hardening:
- SSH Configuration: Disable root login, use key-based authentication
- Firewall Rules: Implement and verify proper firewall configuration
- File Permissions: Correct overly permissive file and directory permissions
- Service Hardening: Disable unnecessary services
- Password Policies: Implement strong password requirements
Automating Lynis Audits
To automate regular security audits, you can use cron jobs:
# Open root's crontab for editing (a full audit needs root privileges)
sudo crontab -e
# Add a job to run Lynis weekly (Sunday 02:00) and save output
0 2 * * 0 /usr/bin/lynis audit system --cronjob > /var/log/lynis-weekly.log 2>&1
For more comprehensive automation, consider:
- Running Lynis on multiple systems
- Collecting and centralizing reports
- Monitoring changes in security posture over time
- Integrating with other security tools
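The report file described above is plain key=value text, which makes it easy to compare runs and track the hardening index over time. The following is an added example, not Lynis code: it parses the lynis-report.dat format and diffs two runs. It assumes warning[] and suggestion[] entries follow a pipe-separated "id|message|detail|..." layout with a trailing pipe; SSH-7408 is the test ID quoted on this page, while TEST-0001 and TEST-0002 are placeholders and both sample reports are constructed.

```python
# Added example, not Lynis code: parse /var/log/lynis-report.dat and compare two
# runs. A report is key=value lines; a key ending in "[]" repeats once per item.
# PREVIOUS and CURRENT below are constructed samples, not real Lynis output.

def parse_report(text):
    """Return a dict; '[]' keys collect into lists, other keys are strings."""
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip comments and blank lines
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            data.setdefault(key[:-2], []).append(value)
        else:
            data[key] = value
    return data

def findings(report, kind):
    """Split warning[]/suggestion[] entries (assumed 'id|message|detail|...'
    layout with a trailing pipe) into (test_id, message, detail) tuples."""
    result = []
    for entry in report.get(kind, []):
        fields = entry.rstrip("|").split("|")
        fields += [""] * (3 - len(fields))  # pad entries with fewer fields
        result.append(tuple(fields[:3]))
    return result

def compare_runs(previous_text, current_text):
    """Hardening-index change plus findings resolved or newly introduced."""
    prev, cur = parse_report(previous_text), parse_report(current_text)
    def ids(rep):  # (kind, test id, detail) identifies one finding
        return {(k, t, d) for k in ("warning", "suggestion")
                for t, _msg, d in findings(rep, k)}
    before, after = ids(prev), ids(cur)
    return {"old_index": int(prev.get("hardening_index", 0)),
            "new_index": int(cur.get("hardening_index", 0)),
            "resolved": sorted(before - after), "new": sorted(after - before)}

PREVIOUS = """\
hardening_index=64
warning[]=TEST-0001|Placeholder warning: no active firewall rules|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
"""
CURRENT = """\
hardening_index=71
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=TEST-0002|Placeholder suggestion: enable automatic updates|-|-|
"""
```

Call compare_runs() with the contents of two saved report files from the cron job above; a drop in new_index or a non-empty new list is the signal to investigate.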
Advanced Usage
Custom Profiles
Lynis allows you to create custom profiles to tailor the audit to your environment:
# Create a custom profile
sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
# Edit the custom profile
sudo nano /etc/lynis/custom.prf
# Run Lynis with the custom profile
sudo lynis audit system --profile /etc/lynis/custom.prf
Plugins
Lynis plugins are extensions to the core functionality. While normal Lynis controls perform individual tests and share the outcome, plugins usually just gather information.
Enterprise Features
For enterprise environments, there’s the Lynis Enterprise Suite which uses Lynis as a core component. This provides additional features for large-scale deployments, centralized reporting, and compliance management.
Conclusion
Lynis is a powerful, flexible security auditing tool that should be part of every system administrator’s toolkit. By regularly running Lynis audits and implementing its recommendations, you can significantly improve your system’s security posture and maintain compliance with various security standards.
The tool’s agentless architecture, comprehensive scanning capabilities, and detailed reporting make it an excellent choice for both individual systems and enterprise environments.
Additional Resources
- Official Lynis Website
- Lynis GitHub Repository
- Lynis Documentation
- Linux Audit Blog - For in-depth articles about Linux security