Do you need in your cybersecurity program a tool for assessing the security and hardening status of your organisation Linux systems without cumbersome deployments or setups? If so, then the tool you are looking for is Lynis which is a tool that absolutely provides these needs and, amazingly, it’s open source.
Lynis streamlines the security assessment of a system with an all in one tool, that doesn’t needs too much tweaking before running it. It is simple as, getting it from the official repository or install it with the Linux package manager and it is ready for use. When you run Lynis, it checks what is present in the system like services or libraries and automatically scopes the assessment to run the required checks. Moreover, it doesn’t requires any other component and after using it, you can just remove it from the systems easily.
In the following sections of this post, I will show you how to deploy Lynis and run it to obtain the reports from the system assessment, and how to interpret the results.
How to install Lynis
Let’s explore first the deployment through git.
$ git clone --depth 1 https://github.com/CISOfy/lynis
$ cd lynis
$ ./lynis
An alternate way to install Lynis is through Linux package manager like yum, dnf, apt, zypper and so on. In this case, we’ll use yum:
$ sudo yum install lynis -y
$ lynisAnother way to do it is by downloading the tarball file which is the most clean way to deploy Lynis:
$ wget https://downloads.cisofy.com/lynis/lynis-3.0.8.tar.gz
$ tar xzvf lynis-3.0.8.tar.gz
$ cd lynis
$ ./lynisAfter any of the above steps, you’re ready to do the first steps with Lynis to obtain the assessment of your systems. Simple as that.
Run assessment with Lynis
Let’s start with an assessment of the system itself:
$ sudo lynis audit systemRecommendation is to run Lynis with sudo privileges since some checks would need elevated privileges and, as a cybersecurity professional, you really don’t want to miss any details that would be relevant for your assessment.
Lynis will show in the standard output the outcome of the assessment and it will look like what the following picture shows:
However, it is possible to convert it in a more convenient format like html with ansi2html. For CentOS 7, the converter tool needs to be run through python3 so you can install the converter tool by executing:
$ sudo yum install python3 -y
$ pip3 install --user ansi2htmlThen run Lynis combining the ansi2html tool:
$ sudo lynis audit system 2>/dev/null | python3 -c "import sys; from ansi2html import Ansi2HTMLConverter; print(Ansi2HTMLConverter().convert(''.join(sys.stdin.readlines())))" > lynis_report.htmlAfter running the above command, you may open the html report with a browser and will look like:
Working with Lynis assessment results
Once you have obtained a Lynis report, you can have the chance to analyse it and check what are the aspects of the system to be fixed with more priority. Another goal that could be followed, it’s the hardening index increase of the system assessment until it is on the acceptable levels or above.
In any case, let’s check some of the sections of the assessment and let’s fix some of them and see how the hardening index improves.
In previous executions, Lynis showed a 63 hardening index level:
One of the components of the systems to be improved, it’s the SSH service which is a typical service present in most of the Linux systems:
There are a bunch of suggestions for the system assessed, but let’s fix those 2 marked in red.
The “AllowTcpForwarding” setting on the ssh configuration is recommended to be set to “no”, since this will impede an attacker to leverage this system to use ssh forwarding, making lateral movement more difficult.
Regarding “PermitRootLogin”, it is a best practice to set it to “no” in order to avoid an attacker to connect directly to the system with root privileges remotely through ssh. The usage of root should be limited to only sudo and even su to root should not be allowed.
The following commands will make the fix for both settings, however, I recommend to check how is your ssh configuration file and see whether it will work or not, before executing any of the below commands:
$ sudo sed -i 's/^[#].*PermitRootLogin .*$//g' /etc/ssh/sshd_config && echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config
$ sudo sed -i 's/^[#].*AllowTcpForwarding .*$//g' /etc/ssh/sshd_config && echo "AllowTcpForwarding no" | sudo tee -a /etc/ssh/sshd_config
$ sudo systemctl restart sshdAfter changing the sshd configuration and restarting the service, on Lynis we should see that both settings turned into “OK” from “SUGGESTION”:
Jumping to another interesting section, the “Hardening” section, we could find 2 additional checks that can be improved:
Lynis concerns about these 2 items, because compilers could provide to the attacker the necessary tools to build in the system malicious code to further compromise or exploit the system, and the lack of malware scanner it’s normally a weakness on a system.
So, in order to fix both, we will restrict the permissions for root only of any compiler in the system (normally gcc) and install clamAV to satisfy the malware scanner check.
$ sudo yum install clamav -y
$ sudo chmod 700 /bin/gcc /bin/as /bin/g++
$ sudo rm /usr/bin/gcc /usr/bin/as /usr/bin/cc /usr/bin/g++Then, running again Lynis to see the previous fixes, both issues turned into green:
Continuing with the report, in the following section, you can see different kernel parameters not complying with what Lynis is expecting:
With the following 2 commands, we will fix the issues with “kernel.dmesg_restrict” and “kernel.kptr_restrict”:
$ echo "kernel.dmesg_restrict = 1" | sudo tee -a /etc/sysctl.conf
$ echo "kernel.kptr_restrict = 2" | sudo tee -a /etc/sysctl.conf
$ sudo sysctl -pAfter applying both kernel parameters too what Lynis is expecting, the assessment turns both to “OK” from “DIFFERENT”:
Finally, we can appreciate these actions done on the system in the hardening index which currently has been increased to 66:
Just continue with the rest of the issues found in the assessment, elaborate the fixes and, if it is possible, automate the actions in a bash script, ansible playbook or, after completing the hardening manually, make a VM template of the system so new deployments coming from this template will bring all the actions you’ve done previously.
To summarise, Lynis it’s a helpful tool to obtain easily a security status report of the system without any complex deployment. Just deploy it as described in this post and you can start to execute.