Installation and Configuration of Lynis

This training module is sponsored by CISOfy

Overview

Lab machines

During this guide, the following machines are used:
web01

Related Tools

» Lynis

1. Introduction

Lynis is a system auditing tool with the focus on Linux, macOS, BSD, and other Unix-derivatives. The tool is written in shell script, which makes it easy to deploy. Another benefit is that it requires almost no other software components. The Lynis project is created by Michael Boelen, who is also known as the author of Rootkit Hunter (or rkhunter). Lynis was first released in 2007 under the GPL license.

2. Deployment

Most software packages need to be installed. Lynis is an exception here, as installation is optional. In this section, we look at several options on how to deploy the software.

Suggestion
When possible, use the official software packages for installation

Tarball

Via the website of CISOfy, download the tarball. Create a specific directory and extract the tarball.

tar xvzf tarball.tar.gz

Extract a tarball by using extract verbosely and using gzipped support

Git

Another way to deploy Lynis is by using GitHub. With the 'git clone' command, you typically get a more recent version than using a tarball or package. If you are familiar with shell scripting, you can even chime in and provide improvements in the form of a pull request.

git clone https://github.com/CISOfy/lynis

Clone the Lynis project with the 'git clone' command

Package

Using a package is the most common method of installing Lynis. Simply use your package manager and tell it to install the latest version of Lynis.

Suggestion
When a vendor provides a repository, the packages are usually newer than the ones provided by the Linux distribution.

Automation

Automation is a great way to save time and do repeating tasks. The deployment of a software package like Lynis may be automated with tools like Ansible, Chef, Puppet, or Salt Stack.

3. First security scan

When Lynis is installed on the system, it is time to learn more about how the tool works. We will first look at the directory structure, its components, and important files. If you are using tmux, consider splitting the screen vertically. With the left pane look into the files, while having the structure at the right pane. Otherwise use two terminal windows, each at 50% width.

Directory and files

lynis
The 'lynis' command is the main software component. It is responsible for initializing the program and to guide the security scan. When using a package, this file is stored in a 'bin' directory, like /usr/bin.

include
The Lynis program has modular design. It retrieves the required components from the 'include' directory. This directory contains the required logic to test which operating system is being used. The generic program functions are being included as well, together with the collection of security tests.

plugins
To make Lynis even more modular, plugins can be added to the program. These are custom tests to be performed during the execution of the program.

Running a basic security scan

Even without any configuration, Lynis can be started directly after its installation.

lynis audit system

Running a security scan with Lynis just requires the 'audit system' parameters.

Output types

During the execution of Lynis, the system is analyzed extensively. Most of the system parts will be tested, including the boot loader, software packages, and running processes. This means that a lot of information will be available. Lynis will separate this information into multiple levels of detail.

High-level information will be displayed on the screen output. This is what is visible when running Lynis with the basic parameters in an interactive shell.

More specific data is available in the report file, which contains interesting details on the system itself, like installed packages. This file is typically stored in the /var/log directory and has the name lynis-report.dat. When running Lynis as a normal user, then this file might be stored in /tmp.

Then finally there is the log file, stored in the same directory as the report. It goes by the name lynis.log and has the most detailed information available. This file is useful for diving into the details of the tests performed by Lynis.

Definitions and Terms

Below are the relevant definitions and terms for this training guide.

Auditing

Auditing is the process of testing security policies, processes, and procedures. Typically an IT auditor will ask tailored questions. The goal is to ensure that the defined security policies are being adhered to and find room for improvement. During an audit, it is common that the auditor also requests samples to use as a proof that processes are in place and the right procedures are used.