How to use lynis for linux vulnerability scanning
- 2020-10-23 20:23:50
- OfStack
preface
lynis is a host-based, open-source security auditing tool for Unix/Linux systems that detects potential security weaknesses. It covers suspicious-file monitoring, vulnerability checks, malware scanning, configuration errors, and more. This article walks through using lynis for Linux vulnerability scanning.
Install lynis
On Arch Linux you can install it directly with pacman:
sudo pacman -S lynis --noconfirm
resolving dependencies...
looking for conflicting packages...
Packages (1) lynis-2.6.4-1
Total Installed Size: 1.35 MiB
Net Upgrade Size: 0.00 MiB
:: Proceed with installation? [Y/n]
(0/1) checking keys in keyring [----------------------] 0%
(1/1) checking keys in keyring [######################] 100%
(0/1) checking package integrity [----------------------] 0%
(1/1) checking package integrity [######################] 100%
(0/1) loading package files [----------------------] 0%
(1/1) loading package files [######################] 100%
(0/1) checking for file conflicts [----------------------] 0%
(1/1) checking for file conflicts [######################] 100%
(0/1) checking available disk space [----------------------] 0%
(1/1) checking available disk space [######################] 100%
:: Processing package changes...
(1/1) reinstalling lynis [----------------------] 0%
(1/1) reinstalling lynis [######################] 100%
:: Running post-transaction hooks...
(1/2) Reloading system manager configuration...
(2/2) Arming ConditionNeedsUpdate...
Use lynis for host scanning
First, let's run lynis without any arguments, which lists the commands and options it supports:
[lujun9972@T520 linux And his little friend ]$ lynis
[ Lynis 2.6.4 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2018, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
------------------------------------
Usage: lynis command [options]
Command:
audit
audit system : Perform local security scan
audit system remote <host> : Remote security scan
audit dockerfile <file> : Analyze Dockerfile
show
show : Show all commands
show version : Show Lynis version
show help : Show help
update
update info : Show update details
Options:
--no-log : Don't create a log file
--pentest : Non-privileged scan (useful for pentest)
--profile <profile> : Scan the system with the given profile file
--quick (-Q) : Quick mode, don't wait for user input
Layout options
--no-colors : Don't use colors in output
--quiet (-q) : No output
--reverse-colors : Optimize color display for light backgrounds
Misc options
--debug : Debug logging to screen
--view-manpage (--man) : View man page
--verbose : Show more details on screen
--version (-V) : Display version number and quit
Enterprise options
--plugindir <path> : Define path of available plugins
--upload : Upload data to central node
More options available. Run '/usr/bin/lynis show options', or use the man page.
No command provided. Exiting..
As you can see from the above, using lynis for host scanning is very simple: you only need the audit system command. Lynis runs a series of tests during the audit and writes the test results, debugging information, and hardening recommendations for the system to standard output. To skip past the test output and go straight to the final recommendations, run:
sudo lynis audit system | sed '1,/Results/d'
lynis divides the tests into several groups, which can be listed with the show groups command:
lynis show groups
accounting
authentication
banners
boot_services
containers
crypto
databases
dns
file_integrity
file_permissions
filesystems
firewalls
hardening
homedirs
insecure_services
kernel
kernel_hardening
ldap
logging
mac_frameworks
mail_messaging
malware
memory_processes
nameservices
networking
php
ports_packages
printers_spools
scheduling
shells
snmp
squid
ssh
storage
storage_nfs
system_integrity
time
tooling
usb
virtualization
webservers
The --tests-from-group parameter restricts the scan to the given groups.
For example, if I just want to scan the shells and networking groups, I can run:
sudo lynis --tests-from-group "shells networking" --no-colors
[ Lynis 2.6.4 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2018, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
------------------------------------
  - Detecting OS...                                        [ DONE ]
  - Checking profiles...                                   [ DONE ]
  - Detecting language and localization                    [ zh ]
    Notice: no language file found for 'zh' (tried: /usr/share/lynis/db/languages/zh)
---------------------------------------------------
Program version: 2.6.4
Operating system: Linux
Operating system name: Arch Linux
Operating system version: Rolling release
Kernel version: 4.16.13
Hardware platform: x86_64
Hostname: T520
---------------------------------------------------
Profiles: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/share/lynis/plugins
---------------------------------------------------
Auditor: [Not Specified]
Language: zh
Test category: all
Test group: shells networking
---------------------------------------------------
  - Program update status...                               [ NO UPDATE ]
[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete

  - Plugins enabled                                        [ NONE ]
[+] Shells
------------------------------------
  - Checking shells from /etc/shells
    Result: found 5 shells (valid shells: 5).
    - Session timeout settings/tools                       [ NONE ]
  - Checking default umask values
    - Checking default umask in /etc/bash.bashrc           [ NONE ]
    - Checking default umask in /etc/profile               [ WEAK ]
[+] Networking
------------------------------------
  - Checking IPv6 configuration                            [ ENABLED ]
      Configuration method                                 [ AUTO ]
      IPv6 only                                            [ NO ]
  - Checking configured nameservers
    - Testing nameservers
      Nameserver: 202.96.134.33                            [ SKIPPED ]
      Nameserver: 202.96.128.86                            [ SKIPPED ]
    - Minimal of 2 responsive nameservers                  [ SKIPPED ]
  - Getting listening ports (TCP/UDP)                      [ DONE ]
      * Found 11 ports
  - Checking status DHCP client                            [ RUNNING ]
  - Checking for ARP monitoring software                   [ NOT FOUND ]
[+] Custom Tests
------------------------------------
  - Running custom tests...                                [ NONE ]
[+] Plugins (phase 2)
------------------------------------
================================================================================
-[ Lynis 2.6.4 Results ]-
Great, no warnings
Suggestions (1):
----------------------------
* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
https://cisofy.com/controls/NETW-3032/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 33 [###### ]
Tests performed : 13
Plugins enabled : 0
Components:
- Firewall [X]
- Malware scanner [X]
Lynis Modules:
- Compliance Status [?]
- Security Audit [V]
- Vulnerability Scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Lynis 2.6.4
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2018, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
================================================================================
[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
View details
When reviewing the audit results, you can use the show details command to get a detailed description of a particular warning or suggestion. Its command form is:
lynis show details ${test_id}
For example, the scan above produced one suggestion:
* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
We can run the command:
sudo lynis show details NETW-3032
View log files
After the audit completes, lynis records detailed information in /var/log/lynis.log.
Meanwhile, the report data is saved in /var/log/lynis-report.dat:
sudo tail /var/log/lynis-report.dat
It is also important to note that the original log file is overwritten with each audit.
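As an added example (not from the article or from the Lynis project), the following POSIX shell script archives the report before the next audit overwrites it and pulls the hardening index, warnings and suggestions out of it for a cron or CI check. It assumes the key=value layout of lynis-report.dat, with hardening_index=, warning[]= and suggestion[]= entries whose fields are separated by |; the sample report it writes is constructed, and the script name and environment variables are my own.

```shell
#!/bin/sh
# Added example (not from the article): archive and triage a Lynis report.
# Assumes the key=value layout of lynis-report.dat, with scalar keys such as
# hardening_index=33 and list keys such as suggestion[]=TEST-ID|text|...|
set -u
# Print the value of a scalar key, e.g. report_value FILE hardening_index
report_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Print the test ID of every warning[] or suggestion[] entry, one per line.
report_ids() {
    sed -n "s/^$2\[]=\([^|]*\)|.*/\1/p" "$1"
}

# Lynis overwrites the report on every run, so keep a timestamped copy.
archive_report() {
    cp "$1" "$2/lynis-report.$(date +%Y%m%d-%H%M%S).dat"
}

# Return 0 when there are no warnings and the hardening index reaches the
# threshold, 1 otherwise. Findings are printed so a cron job can mail them;
# `lynis show details <ID>` explains any ID listed.
check_report() {
    status=0
    index=$(report_value "$1" hardening_index)
    warnings=$(report_ids "$1" warning | tr '\n' ' ')
    suggestions=$(report_ids "$1" suggestion | tr '\n' ' ')
    if [ -n "$warnings" ]; then echo "warnings: $warnings"; status=1; fi
    if [ "${index:-0}" -lt "$2" ]; then
        echo "hardening index ${index:-?} below $2"; status=1
    fi
    [ -z "$suggestions" ] || echo "suggestions: $suggestions"
    return $status
}

# Constructed sample mirroring the article's scan (index 33, one suggestion,
# no warnings); used below when no real report is available.
write_sample_report() {
    printf '%s\n' '# Lynis Report' 'hardening_index=33' 'lynis_tests_done=13' \
      'suggestion[]=NETW-3032|Consider running ARP monitoring software (arpwatch,arpon)|-|-|' > "$1"
}
# Stand-alone run: LYNIS_RUN=1 sh lynis-triage.sh (LYNIS_REPORT, MIN_INDEX optional).
if [ "${LYNIS_RUN:-0}" = 1 ]; then
    report="${LYNIS_REPORT:-/var/log/lynis-report.dat}"
    if [ -f "$report" ]; then archive_report "$report" "${LYNIS_ARCHIVE:-/var/log}"
    else report=$(mktemp) && write_sample_report "$report"; fi
    check_report "$report" "${MIN_INDEX:-50}"
fi
```

Run it from cron after lynis audit system; a non-zero exit means a warning appeared or the hardening index dropped below the threshold.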
Check the update
Audit software needs to be kept up to date to get the latest advice and information. We can check for updates with the update info command, i.e. lynis update info.
Custom lynis security audit policy
The configuration for lynis is kept in .prf files under the /etc/lynis directory; lynis ships with a default configuration file named default.prf.
Instead of modifying the default configuration file, we simply add a custom.prf file containing our own settings.
The meaning of each configuration item in the configuration file is explained in default.prf, which I will not elaborate on here.
To learn more about lynis, visit its website.
conclusion