SHIFT

--- Sjoerd Hooft's InFormation Technology ---

User Tools

Site Tools


Sidebar

Sponsor:

Would you like to sponsor this site?
Or buy me a beer?:


Recently Changed Pages:

View All Pages
View All Q Pages


View All Tags


Sign up for Q to post comments.





WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any view or statement expressed anywhere on this site are strictly mine and not the opinions or views of my employer.


Terms And Conditions for Q users


Pages with comments

PageDateDiscussionTags
2019/05/01 14:08 2 Comments
2019/03/15 16:02 1 Comment
2019/03/15 16:02 1 Comment
2019/03/15 16:02 3 Comments
2017/04/20 15:28 1 Comment
2017/04/20 15:23 1 Comment
2017/04/19 14:44 1 Comment
2017/04/17 20:10 1 Comment
2017/04/17 20:07 1 Comment
2017/04/17 19:58 1 Comment
2017/04/17 19:52 1 Comment

View All Comments

lynis

Lynix Security Baseline with Lynis

Introduction

Securing a Linux system can take a lot of time. For this purpose there is a tool called Lynis, a quick and small audit tool. It’s an open source tool and freely available. You just need root permissions and a common shell and you’re ready to do your first audit. This page describes how to install and use it on a Red Hat system.

EPEL Repository

Lynis is part of the epel repository for Red Hat, so as long as you have the EPEL repository you can use yum to install the package.

In case you don't have EPEL (yet), follow these steps to add EPEL to your repositories:

  • Then install the package and import the key like this:
    • rpm -i epel-release-6-8.noarch.rpm
    • rpm –import RPM-GPG-KEY-EPEL-6
  • Configure yum to be able to use a proxy by adding this line to the /etc/yum.conf file:
    • proxy=http://proxy.getshifting.com:8080

Install

You can install lynis now using yum, currently this package is available:

[sjoerd@rhmgmtsrv ~]$ sudo yum info lynis
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Available Packages
Name        : lynis
Arch        : noarch
Version     : 1.6.4
Release     : 1.el6
Size        : 160 k
Repo        : epel
Summary     : Security and system auditing tool
URL         : http://cisofy.com/lynis/
License     : GPLv3
Description : Lynis is an auditing and hardening tool for Unix/Linux and you might even call
            : it a compliance tool. It scans the system and installed software. Then it
            : performs many individual security control checks. It determines the hardening
            : state of the machine, detects security issues and provides suggestions to
            : improve the security defense of the system.

Now install the package:

[sjoerd@rhmgmtsrv ~]$ sudo yum install lynis
Loaded plugins: product-id, refresh-packagekit, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
Setting up Install Process
rhel-6-server-eus-rpms                                                                                                                                 | 3.2 kB     00:00
rhel-6-server-optional-rpms                                                                                                                            | 3.5 kB     00:00
rhel-6-server-rpms                                                                                                                                     | 3.7 kB     00:00
rhel-server-dts-6-rpms                                                                                                                                 | 2.9 kB     00:00
rhel-server-dts2-6-rpms                                                                                                                                | 2.9 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package lynis.noarch 0:1.6.4-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================================
Package                                 Arch                                     Version                                        Repository                              Size
==============================================================================================================================================================================
Installing:
lynis                                   noarch                                   1.6.4-1.el6                                    epel                                   160 k

Transaction Summary
==============================================================================================================================================================================
Install       1 Package(s)

Total download size: 160 k
Installed size: 862 k
Is this ok [y/N]: y
Downloading Packages:
lynis-1.6.4-1.el6.noarch.rpm                                                                                                                           | 160 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : lynis-1.6.4-1.el6.noarch                                                                                                                                   1/1
rhel-6-server-eus-rpms/productid                                                                                                                       | 1.7 kB     00:00
rhel-6-server-rpms/productid                                                                                                                           | 1.7 kB     00:00
  Verifying  : lynis-1.6.4-1.el6.noarch                                                                                                                                   1/1

Installed:
  lynis.noarch 0:1.6.4-1.el6

Complete!

First Time Use

For the first time it is recommended to run Lynis manually. You can do this in two ways, with confirming every check or without:

  • Manually:
    • sudo lynis -c
  • Manually without confirming every check:
    • sudo lynis -c -Q

This will either way trigger an output like this (somewhat trimmed):

[sjoerd@rhmgmtsrv ~]$ sudo lynis -c

[ Lynis 1.6.4 ]

################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.

Copyright 2007-2014 - CISOfy & Michael Boelen, http://cisofy.com
Enterprise support and plugins available via CISOfy - http://cisofy.com
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Clearing log file (/var/log/lynis.log)...                 [ DONE ]

  ---------------------------------------------------
  Program version:           1.6.4
  Operating system:          Linux
  Operating system name:     Red Hat
  Operating system version:  Red Hat Enterprise Linux Server release 6.5 (Santiago)
  Kernel version:            2.6.32
  Hardware platform:         x86_64
  Hostname:                  rhmgmtsrv
  Auditor:                   [Unknown]
  Profile:                   /etc/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          /usr/share/lynis/plugins
  ---------------------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

  - Checking profile file (/etc/lynis/default.prf)...
  - Program update status...                                  [ UNKNOWN ]

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
    - /bin                                                    [ FOUND ]
    - /sbin                                                   [ FOUND ]
    - /usr/bin                                                [ FOUND ]
    - /usr/sbin                                               [ FOUND ]
    - /usr/local/bin                                          [ FOUND ]
    - /usr/local/sbin                                         [ FOUND ]
    - /usr/local/libexec                                      [ FOUND ]
    - /usr/libexec                                            [ FOUND ]

...<cut>...

================================================================================

  -[ Lynis 1.6.4 Results ]-

  Warnings:
  ----------------------------
  - Nameserver 172.18.10.11 does not respond [NETW-2704]
      http://cisofy.com/controls/NETW-2704/

  - Nameserver 172.16.110.1 does not respond [NETW-2704]
      http://cisofy.com/controls/NETW-2704/

  - Couldn't find 2 responsive nameservers [NETW-2705]
      http://cisofy.com/controls/NETW-2705/

  Suggestions:
  ----------------------------
  - Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
      http://cisofy.com/controls/BOOT-5122/
...<cut>...
  - Harden the system by installing one or malware scanners to perform periodic file system scans [HRDN-7230]
      http://cisofy.com/controls/HRDN-7230/

  Follow-up:
  ----------------------------
  - Check the logfile (less /var/log/lynis.log)
  - Read security controls texts (http://cisofy.com)
  - Use --upload to upload data (Lynis Enterprise users)

================================================================================
  Lynis Scanner (details):

  Hardening index : 54 [##########          ]
  Tests performed : 194
  Plugins enabled : 0

  Lynis Modules:
  - Heuristics Check [NA] - Security Audit [V] - Vulnerability Scan [V]

  Compliance Checks:
  - HIPAA [NA] - PCI [NA] - SOx [NA]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
================================================================================
  Tip: Disable all tests which are not relevant or are too strict for the
       purpose of this particular machine. This will remove unwanted suggestions
       and also boost the hardening index. Each test should be properly analyzed
       to see if the related risks can be accepted, before disabling the test.
================================================================================
  Lynis 1.6.4
  Copyright 2007-2014 - CISOfy & Michael Boelen, http://cisofy.com
  Enterprise support and plugins available via CISOfy - http://cisofy.com
================================================================================

There are a few warnings and suggestions that will have to be solved, or excluded from testing. Either way, you should work with your security department to get it right. Solving the issues is out of scope of this page, but for excluding test see below.

How to Exclude a Test

Run Lynis Periodically

I want to run the Lynis test weekly so I can check weekly for things that have been changed over the week. Also, I want to create a monthly report of just the warnings to sent to the security department.

One requirement anyway is to be able to use the screen output as an report. For this I downloaded the ansi2html.sh script from here and placed it in /adminscripts. Don't forget to make it executable with sudo chmod 750 ansi2html.sh.

Run Lynis Weekly

Then in /adminscripts create a script using sudo vi lynisrun with these lines:

#!/bin/bash
MAILTO="sjoerd_ @_ getshifting.com,it-department _@_ getshifting.com"
 
TMPFILE=/tmp/lynisupdate.`hostname`.`date +%Y%m%d%H%M`
LYNISFILE=${TMPFILE}.lynis
HTMLFILE=${TMPFILE}.html
 
trap "rm -f /tmp/lynisupdate.*" 0 2 3 15
 
(cd /usr/bin; ./lynis -c -Q --auditor "automated" ) > ${LYNISFILE}
/adminscripts/ansi2html.sh --bg=dark < ${LYNISFILE} > ${HTMLFILE}
 
# Mail report
echo "See attachment" | mailx -s "Weekly Lynis security check `date` for `hostname`" -a ${HTMLFILE} $MAILTO

Then make the file executable using sudo chmod 750 lynisrun and schedule it using sudo crontab -e:

# Run lynis every monday on 05:00
0 5 * * 1 /adminscripts/lynisrun

Run Lynis Monthly with only a Summary for Multiple Servers

….

Resources

You could leave a comment if you were logged in.
lynis.txt · Last modified: 2015/01/28 16:52 by sjoerd