Apr 122013
 

Article by Dan Nanni first published on xmodulo.com

As a system administrator, Linux security technician or system auditor, your responsibility can involve any combination of these: software patch management, malware scanning, file integrity checks, security audit, configuration error checking, etc. If there is an automatic vulnerability scanning tool, it can save you a lot of time checking up on common security issues.

One such vulnerability scanner on Linux is lynis. This tool is actually supported on multiple platforms including CentOS, Debian, Fedora, FreeBSD, Mac OS and Ubuntu.




To install lynis on Linux, open a terminal and run the following commands:

$ wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
$ sudo tar xvfvz lynis-1.3.0.tar.gz -C /opt

To scan Linux for vulnerabilities with lynis, run the following.

$ cd /opt/lynis-1.3.0/
$ sudo /opt/lynis-1.3.0/lynis --check-all -Q

Once lynis starts scanning your system, it will perform auditing in a number of categories:

  • System tools: system binaries
  • Boot and services: boot loaders, startup services
  • Kernel: run level, loaded modules, kernel configuration, core dumps
  • Memory and processes: zombie processes, IO waiting processes
  • Users, groups and authentication: group IDs, sudoers, PAM configuration, password aging, default mask
  • Shells
  • File systems: mount points, /tmp files, root file system
  • Storage: usb-storage, firewire ohci
  • NFS
  • Software: name services: DNS search domain, BIND
  • Ports and packages: vulnerable/upgradable packages, security repository
  • Networking: nameservers, promiscuous interfaces, connections
  • Printers and spools: cups configuration
  • Software: e-mail and messaging
  • Software: firewalls: iptables, pf
  • Software: webserver: Apache, nginx
  • SSH support: SSH configuration
  • SNMP support
  • Databases: MySQL root password
  • LDAP services
  • Software: php: php options
  • Squid support
  • Logging and files: syslog daemon, log directories
  • Insecure services: inetd
  • Banners and identification
  • Scheduled tasks: crontab/cronjob, atd
  • Accounting: sysstat data, auditd
  • Time and synchronization: ntp daemon
  • Cryptography: SSL certificate expiration
  • Virtualization
  • Security frameworks: AppArmor, SELinux, grsecurity status
  • Software: file integrity
  • Software: malware scanners
  • Home directories: shell history files

The screenshot of lynis in action is shown below:

lynis

 

Once scanning is completed, the auditing report of your system is generated and stored in /var/log/lynis.log.

The audit report contains warnings for potential vulnerabilities detected by the tool. For example:

$ sudo grep Warning /var/log/lynis.log
[20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
[20:20:04] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
[20:20:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

The audit report also contains a number of suggestions that can help harden your Linux system. For example:

$ sudo grep Suggestion /var/log/lynis.log
[20:19:41] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
[20:19:41] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
[20:19:41] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
[20:19:41] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
[20:19:42] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
[20:19:42] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
[20:20:03] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]
. . . .

So what are you waiting for ?
One run can give you some good suggestion on how to improve the security of your system, a regular scan can help you in notice changes and malware.


Popular Posts:

flattr this!

  26 Responses to “How to scan Linux for vulnerabilities with lynis”

  1. I tried to run it on Ubuntu 13.04 (beta). Got this error:

    $ sudo /opt/lynis-1.3.0/lynis –check-all -Q

    Fatal error: can’t find include directory
    Make sure to execute Lynis from untarred directory or check installation

    • It’s in the Ubuntu archives already, just use apt-get install lynis. It’s far safer than just downloading a file over the net without cryptographic verification.

  2. Copied and pasted your instructions. Execution comes back with

    ~$ sudo /opt/lynis-1.3.0/lynis –check-all -Q

    Fatal error: can’t find include directory
    Make sure to execute Lynis from untarred directory or check installation

    • Thanks for the feedback, it needs a cd :

      ~$ cd /opt/lynis-1.3.0/
      ~$ sudo /opt/lynis-1.3.0/lynis --check-all -Q

  3. Heya, great article. the commands given will never work however as you need to be in the directory before running. Just add a “cd /opt/lynis-1.3.0/” before running the command “sudo /opt/lynis-1.3.0/lynis –check-all -Q”

    • Thanks Liz,
      I noticed this and posted an update in the same minute of your comment.

  4. sounds like you should skip the step:

    cd /opt/lynis-1.3.0/

    Haven’t tried it yet, but that’s what it sounds like from

    ‘Fatal error: can’t find include directory
    Make sure to execute Lynis from untarred directory or check installation’

    • In the first release of the article, the command cd was missing, this was the error.
      Now it’s fixed.

      Thanks

      • yeah… posted while you were in the middle of fixing it, lol!

        “Rico…. smoke bomb!”
        Poooofffffff!!!!!!!!!!!!!!!!

  5. Thank you.
    Works fine after :
    cd /opt/lynis-1.3.0/

  6. Perhaps install from the Repo’s. I did (Kubuntu 13.04) and all went well.

  7. both you guys need to run

    /opt/lynis-1.3.0/lynis –check-all -Q

    not

    /opt/lynis-1.3.0/lynis –check-all -Q

    debian doesn’t have sudo enabled by default, so I take it your running ubuntu so use sudo

  8. Pretty epic, thank you very much for this. Do you think it is okay to use this on a web hosting server? Especially cPanel empowered servers?

    • Why not, you need a root account to do this but you’ll have a nice report and some useful things to check to start to check your security.

  9. Amazing! I should get myself inspired using his scripts ;)

  10. Worked like a charm the first run. lots of useful info. Thanks

  11. To make it easier to view output I had added a simple menu to ease the output of logs under ubuntu.

    !#/bin/bash
    cd /opt/lynis-1.3.0/
    sudo /opt/lynis-1.3.0/lynis –check-all -Q
    clear
    echo ” Select required lynis audit view: ”
    echo ” 1) Check Warnings ”
    echo ” 2) Check Suggestions ”
    read n
    case $n in
    1) sudo grep Warning /var/log/lynis.log >> lynis.log;;
    2) sudo grep Suggestion /var/log/lynis.log >> lynis.log;;
    *) invalid option;;
    esac

    hope this helps.

  12. I ran it on Sabayon and worked flawlessly, thanks for the tip man.

  13. changelog

    * 1.3.0 (2011-12-25)

    are you kidding? you recommend security tool that is no longer maintained?

    • I agree, and well done for at least CHECKING … How many people copied and pasted the instructions as root without even checking on the source!!

    • What’s the definition of being “maintained”? Every day a release?
      The software is stable and even without updates for a year, that doesn’t mean the software is bad.

      For readers who got scared after the remark above: new releases are available, it’s still maintained.

  14. Inspired by script from AlanT, I made some changes in this script:

    #!/bin/bash
    #
    # use $ sudo bash lynis.sh [quiet]
    # where quiet does not produce detailed output
    #
    cd /opt/lynis-1.3.0/
    if [ $1 = “quiet” ]
    then
    /opt/lynis-1.3.0/lynis –check-all -Q > /dev/null
    else
    /opt/lynis-1.3.0/lynis –check-all -Q
    fi
    echo
    echo ” *** Check Warnings ***”
    grep Warning /var/log/lynis.log
    echo
    echo ” *** Check Suggestions ***”
    grep Suggestion /var/log/lynis.log

  15. Great tool ;)

  16. Be carrefully with this Suggestion :

    [18:37:23] Performing test ID AUTH-9328 (Default umask values)

    [18:37:23] Test: Checking /etc/init.d/rc
    [18:37:23] Result: file /etc/init.d/rc exists
    [18:37:23] Test: Checking UMASK value in /etc/init.d/rc
    [18:37:23] Result: found umask 022, which could be improved
    [18:37:23] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027

    If you modify this default umask given by rc to 027, dbus-daemon may become unaccessible to some daemons, like on these extracts of my syslog, and you ll lose access to graphical session :-(
    Tested for you on Debian-amd64

    May 1 15:29:30 localhost bluetoothd[2422]: Bluetooth daemon 4.99
    May 1 15:29:30 localhost bluetoothd[2422]: Unable to get on D-Bus
    May 1 15:29:31 localhost avahi-daemon[2823]: Found user ‘avahi’ (UID 107) and group ‘avahi’ (GID 117).
    May 1 15:29:31 localhost avahi-daemon[2823]: Successfully dropped root privileges.
    May 1 15:29:31 localhost avahi-daemon[2823]: avahi-daemon 0.6.31 starting up.
    May 1 15:29:31 localhost avahi-daemon[2823]: dbus_bus_get_private(): Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
    May 1 15:29:31 localhost avahi-daemon[2823]: WARNING: Failed to contact D-Bus daemon.
    May 1 15:29:31 localhost avahi-daemon[2823]: avahi-daemon 0.6.31 exiting.

    May 1 15:29:46 localhost gnome-session[3427]: libupower-glib-WARNING: Couldn’t connect to system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission non accordée

    ay 1 15:29:46 localhost gnome-session[3427]: WARNING: Impossible de se connecter : Permission non accordée

    May 1 15:30:21 localhost pulseaudio[4721]: [pulseaudio] core-util.c: Failed to connect to system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission non accordée

    May 1 15:30:22 localhost pulseaudio[4790]: [pulseaudio] core-util.c: Failed to connect to system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission non accordée
    May 1 15:30:22 localhost pulseaudio[4790]: [pulseaudio] module-console-kit.c: Unable to contact D-Bus system bus: org.freedesktop.DBus.Error.AccessDenied: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission non accordée
    May 1 15:30:22 localhost pulseaudio[4790]: [pulseaudio] module.c: Failed to load module “module-console-kit” (argument: “”): initialization failed.
    May 1 15:30:22 localhost pulseaudio[4790]: [pulseaudio] main.c: Module load failed.
    May 1 15:30:22 localhost pulseaudio[4790]: [pulseaudio] main.c: Échec lors de l’initialisation du démon
    May 1 15:30:22 localhost pulseaudio[4772]: [pulseaudio] main.c: Échec lors du démarrage du démon.
    May 1 15:30:22 localhost pulseaudio[5021]: [pulseaudio] core-util.c: Failed to connect to system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission non accordée

    and so on

    Otherwise, it’s a very nice and usefull audit tool!

    • for the same error, this solve my conf

      $sudo vi /etc/group
      ../..
      messagebus:x:106:avahi
      ../..
      $sudo /etc/init.d/avahi-daemon restart

  17. Excellent article.18 Suggestions and 4 Warnings! Now if I could only figure out how to implement them!

 Leave a Reply

(required)

(required)


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>