How To Audit with Lynis on Ubuntu Server
Steps to audit Ubuntu Systems with the Lynis tool.
What is Lynis?
Lynis is an application responsible for performing security audits in Linux environments.
Lynis is open source which evaluates the security profile of each team and will give us suggestions on how to increase and improve security levels in the company.
Analyzes UNIX and Linux environments much more closely than a vulnerability analysis application. Lynis supports the following environments:
- Linux – Most Distros
This application is use in cases such as:
- Analysis and detection of vulnerabilities.
- Security audits
- Compliance tests such as PCI or HIPAA.
- Improvements in system security.
- Administrative management.
How to install Lynis in Ubuntu Server
Although there are several ways to install Lynis, for this case, we will install from the most recent repository.
It is important to emphasize that this repository uses the HTTPS protocol for its access, so we must confirm that our server has HTTPS support, to validate this we will execute the following line:
dpkg -s apt-transport-https | grep -i status
In case of not having this support we will run the next line for its installation:
sudo apt-get install apt-transport-https
Once we are sure that we have HTTPS support, we proceed to install the official repository key by executing the following:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
Now we will add the official Lynis repository so that it is available in the package manager, for this we run the following:
sudo add-apt-repository "deb [arch=amd64] https://packages.cisofy.com/community/lynis/deb/ xenial main"
Update the packages:
sudo apt-get update
Once the packages are updated, we proceed with the installation of Lynis in Ubuntu Server executing the following command:
sudo apt-get install lynis
Security Audit with Lynis on Ubuntu Server
Once the application is installed we can see the available Lynis commands by running the next line:
lynis show commands
Each security audit in Lynis is performed through profiles that are nothing more than configuration files with various parameters to control the way in which the audit is carried out.
We can check, before performing the audit, if there is a more recent Lynis version that can include improvements to verify this, we will use the following line:
lynis update info
This indicates that we have the most current version of Lynis. We can also check this result by executing the line:
lynis update check
To perform our first audit of the system, we proceed to run the following command as root users:
sudo lynis audit system
We can see that the audit process starts on Ubuntu Server:
This process takes between one to two minutes maximum. At the end of the audit we will see the following:
The detailed information of this result is stored in the path /var/log/lynis.log and the report data, where we have all the information associated with the server, will be stored in the path /var/log/lynis-report.dat.
The interesting thing about Lynis is that in the previous report he shows us warnings and the own safety suggestions to take into account to have a stable and reliable system.
Fix Warnings Generated by Lynis
A warning (Warning) allows us to be alert to vulnerabilities that may arise in the operating system. In general, the warning includes the solution to it.
One of the ways we have in Lynis to analyze a warning in more detail is to use the following syntax:
sudo lynis show details (Code)
For example, if we want to know in detail the warning of code FIRE-4512 we will execute the following:
sudo lynis show details FIRE-4512
Implement the Lynis Suggestions
We can see that within the respective audit analysis we have various suggestions (suggestions) offered by the tool in order to improve server security levels.
The suggestion is composed as follows:
- Suggestion information.
- ID of the suggestion.
- Finally a solution.
As with the warnings, we can use the sudo lynis show details line to get more information:
Customize Lynis Audits
As we mentioned at the beginning, Lynis relies on profiles to carry out the audits and this has a predefined profile.
These profiles have the extension .prf and are housed in the route:
To create a new profile and tell Lynis to only audit what we need and not the whole system we will create a new file called solvetic by executing the following:
sudo nano /etc/lynis/solvetic.prf
In this file we will add the tests that we want to omit which are:
- FILE-6310: It is used to check the state of the partitions.
- HTTP-6622: It is used to validate Nginx in a web server installation.
- HTTP-6702: Used to check Apache.
- PRNT-2307 and PRNT-2308: Used to check print servers.
- TOOL-5002: Used to check automatic tools such as Puppet and Salt.
- SSH-7408: tcpkeepalive: It is used to perform basic test checks.
In this file we will add the following:
# Lines starting with "#" are comments # Skip a test (one per line) # This will ignore separation of partitions test skip-test = FILE-6310 # Is Nginx installed? skip-test = HTTP-6622 # Is Apache installed? skip-test = HTTP-6702 # Skip checking print-related services skip-test = PRNT-2307 skip-test = PRNT-2308 # If a test id includes more than one test use this form to ignore a particular test skip-test = SSH-7408: tcpkeepalive
We save the changes using the key combination Ctrl + O, and we exit the editor using Ctrl + X.
We have learned how Lynis becomes a great ally for all administrators and personnel who want to keep track of the security levels of the various Linux distros.