How to audit the security of your Linux system with Lynis

A terminal prompt on a Linux system.

Performing a security audit on your Linux computer with Lynis will ensure that your machine is as protected as possible. Security is everything for Internet-connected devices, so here’s how to make sure yours are securely locked.

How secure is your Linux computer?

Lynis performs a series of automated tests They thoroughly inspect many system components and configurations of your Linux operating system. Present your findings in a color code. ASCII report as a list of warnings, suggestions, and graded actions to be taken.

Cybersecurity is a balancing act. Absolute paranoia is of no use to anyone, so how worried should I be? If you only visit reputable websites, don’t open attachments or follow links in unsolicited emails, and use different and strong passwords for all the systems you log into, what danger still exists? Especially when you use Linux?

Let’s approach them the other way around. Linux is not immune to malware. In fact, the first computer worm was designed to target Unix computers in 1988. Rootkits they were named by the Unix superuser (root) and the collection of software (kits) with which they are installed to evade detection. This gives the superuser access to the threat actor (that is, the bad guy).

Why are they named after root? Because the first rootkit was released in 1990 and was aimed at Solar microsystems running the SunOS Unix.

So the malware started on Unix. He jumped over the fence when Windows took off and grabbed the spotlight. But now that Linux runs the world, it’s back. Linux and Unix-like operating systems, such as macOS, are getting the full attention of threat actors.

What danger is left if you are careful, sensible and attentive when using your computer? The answer is long and detailed. To condense it a bit, cyberattacks are many and varied. They are capable of doing things that were recently considered impossible.

Rootkits, like Ryuk, it can infect computers when they are turned off by compromising the waking up the LAN tracking functions. Proof of Concept Code it has also developed. A successful “attack” was demonstrated by researchers in Ben-Gurion University of the Negev that would allow threat actors to exfiltrate data from a air gap computer.

It is impossible to predict what cyber threats will be capable of in the future. However, we understand which points in a computer’s defenses are vulnerable. Regardless of the nature of present or future attacks, it only makes sense to close those gaps in advance.

Of the total number of cyberattacks, only a small percentage consciously target specific organizations or individuals. Most threats are indiscriminate because malware doesn’t care who you are. Automated port scanning and other techniques only look for vulnerable systems and attack them. You nominate yourself as a victim for being vulnerable.

And that’s where Lynis comes in.

Lynis installation

To install Lynis on Ubuntu, run the following command:

sudo apt-get install lynis

In Fedora, type:

sudo dnf install lynis

In Manjaro, you use pacman:

sudo pacman -Sy lynis

Conducting an audit

Lynis is terminal based, so there is no GUI. To start an audit, open a terminal window. Click and drag it to the edge of your monitor to fit its maximum height or stretch it as high as possible. There are a lot of Lynis results, so the higher the terminal window, the easier it will be to review.

It is also more convenient if you open a terminal window specifically for Lynis. It will scroll up and down a lot, so not having to deal with the clutter of the above commands will make navigating the Lynis output easier.

To start the audit, type this refreshing and simple command:

sudo lynis audit system

Category names, test titles, and results will scroll in the terminal window as each test category is completed. An audit only takes a few minutes at most. When done, you will be returned to the command prompt. To review the findings, simply scroll through the terminal window.

The first section of the audit detects the Linux version, kernel version, and other system details.

Areas to be examined are highlighted in amber (tips) and red (warnings to be addressed).

Below is an example of a warning. Lynis has analyzed the postfix mail server settings and checked something related to the banner. We can get more details on what exactly you found and why it might be a problem later.

Next, Lynis warns us that the firewall is not configured in the Ubuntu virtual machine that we are using.

Scroll through your results to see what Lynis scored. At the bottom of the audit report, you will see a summary screen.

The “Hardening Index” is your exam score. We got 56 out of 100, which is not great. 222 tests were performed and a Lynis plugin was enabled. If you go to the Lynis Community Edition plugin download page and subscribe to the newsletter, you will get links to more plugins.

There are many plugins, including some for auditing against the standards, such as GDPR, ISO27001, and PCI-DSS.

A green V represents a check mark. You may also see amber question marks and red X’s.

We have green check marks because we have a firewall and a malware scanner. For testing purposes, we also install rkhunter, a rootkit detector, to see if Lynis would discover it. As you can see above, it did; we have a green check mark next to “Malware Scanner”.

Compliance status is unknown because the audit did not use a compliance plugin. The security and vulnerability modules were used in this test.

Two files are generated: a log file and a data file. The data file, located in “/var/log/lynis-report.dat”, is the one that interests us. It will contain a copy of the results (without the highlighted color) that we can see in the terminal window. These are useful to see how your cure rate improves over time.

If you scroll back in the terminal window, you will see a list of suggestions and a list of warnings. The caveats are the “expensive” items, so we’ll look at those.

These are the five caveats:

  • “The Lynis version is very old and should be updated”: This is actually the newest version of Lynis in the Ubuntu repositories. Although it is only 4 months old, Lynis considers it very old. The versions of the Manjaro and Fedora packages were more recent. Updates in the package managers are always likely to lag a bit. If you really want the latest version, you can clone the project from GitHub and keep it in sync.
  • “No password has been set for single mode”: Unique is a maintenance and recovery mode in which only the root user is operational. No password is set for this mode by default.
  • “Could not find 2 responsive nameservers”: Lynis tried to communicate with two DNS servers, but was unsuccessful. This is a warning that if the current DNS server fails, there will be no automatic transfer to another.
  • “Found information disclosure on SMTP banner”: Information disclosure occurs when applications or network equipment reveal your make and model number (or other information) in standard responses. This can provide threat actors or automated malware with information on the types of vulnerabilities to look for. Once they have identified the software or device they have connected to, a simple search will find the vulnerabilities that they can try to exploit.
  • “Iptables module (s) loaded, but no active rules”: The Linux firewall is up and running, but there are no set rules for it.

Clear warnings

Each warning has a link to a web page that describes the problem and what you can do to fix it. Just hover your mouse over one of the links, then Ctrl-click it. Your default browser will open to the web page for that message or warning.

The page below opened for us when we Ctrl + clicked on the fourth warning link that we covered in the previous section.

A Lynis audit warning web page.

You can review each of these and decide which caveats to address.

The web page above explains that the default piece of information (the “banner”) sent to a remote system when connecting to the postfix mail server configured on our Ubuntu computer is too verbose. There is no benefit in offering too much information; in fact, it is often used against them.

The web page also tells us that the banner resides in “/etc/postfix/”. It warns us that it should be trimmed to only show “$ myhostname ESMTP”.

We write the following to edit the file as Lynis recommends:

sudo gedit /etc/postfix/

We locate in the file the line that defines the banner.

We edit it to show only the text recommended by Lynis.

We save our changes and close gedit. Now we need to restart the postfix mail server for the changes to take effect:

sudo systemctl restart postfix

Now let’s run Lynis one more time and see if our changes have taken effect.

The “Warnings” section now only shows four. The one that refers to postfix It is gone.

One less, and only four more warnings and 50 tips to complete!

How far must you go?

If you’ve never hardened the system on your computer, you likely have roughly the same number of warnings and suggestions. You should review them all and, guided by the Lynis web pages for each one, make a decision on whether to address it.

The textbook method, of course, would be to try to erase them all. However, that might be easier said than done. Also, some of the suggestions may be overkill for the average home computer.

Blacklist USB kernel drivers to disable USB access when you are not using it? For a mission critical computer providing a sensitive business service, this may be necessary. But for a home PC running Ubuntu? Probably not.

Leave a Reply