Security Audit and Lynis
Prepare for a security audit or check your server for security hardening. All companies need to undergo a security audit from time to time by an outside agency. Many corporations with ISO 9001/27001 certificates have written protocols to follow regarding testing and setting up services. #security #hardening #audit #lynis
How to prepare for a System Security Audit (SSA) or check your server for security hardening. Hardening is the process of securing a system by reducing its attack surface: the set of points where an attacker can try to get in or get data out.
Attack Surface Analysis (ASA) is the process of identifying the attack surface and discussing what it means from a risk perspective. It typically includes:
- Mapping out which parts of a system need to be reviewed and tested for security vulnerabilities. Both hardware and software risks need to be addressed.
- Which parts of the system are exposed to the public internet and/or to internal users.
- What the minimum exposure is that the company needs for effective operation.
- Understanding the risk areas in an application or a machine and finding ways of minimizing these risks.
- How to notice, and how to act, when the attack surface changes.
- How to secure updates to machines and software.
- Attack Surface Analysis is usually done independently by security architects and penetration testers.
Reducing the attack surface of systems and applications typically includes:
- using keys and tokens instead of passwords
- changing the remaining passwords to long and complicated ones
- adding 2FA or MFA authentication
- removing unnecessary software and user accounts
- denying root login and other unnecessary logins
- disabling or removing unnecessary services
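Before removing things it helps to know what is there. The following is an added example, not code from the original post: a small inventory script that lists the accounts that can log in, any extra UID 0 accounts, and the TCP services bound to every interface, three of the items from the list above. The /etc/passwd and ss -Hltn data embedded in it are constructed samples for illustration; run it with --live to inspect the host it is on.

```shell
#!/bin/sh
# Added example (not from the original post): a quick attack-surface inventory.
# Each check reads its input from stdin, so it works on live command output
# or on output saved from another host.

# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
deploy:x:1001:1001::/home/deploy:/bin/bash'

# Constructed sample in the format of `ss -Hltn` (State Recv-Q Send-Q Local Peer).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'

# Accounts whose shell is not nologin/false: these can log in if they have a
# password or an SSH key, so every one of them needs a reason to exist.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 " -> " $7 }'
}

# Every UID 0 account is root, whatever it is called; anything besides "root"
# is either a mistake or a backdoor.
uid_zero_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# TCP listeners bound to all interfaces (0.0.0.0, * or [::]). A service on
# 127.0.0.1 is not reachable from the network and is left out.
public_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        sub(/:[0-9]+$/, "", addr)       # drop the port, keep the bind address
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") print $4
    }'
}

MODE=${1:-sample}   # pass --live to inspect this host instead of the sample data
passwd_src() { if [ "$MODE" = "--live" ]; then cat /etc/passwd; else printf '%s\n' "$SAMPLE_PASSWD"; fi; }
ss_src()     { if [ "$MODE" = "--live" ]; then ss -Hltn;        else printf '%s\n' "$SAMPLE_SS";     fi; }

echo "== accounts with an interactive shell"; passwd_src | interactive_accounts
echo "== UID 0 accounts";                     passwd_src | uid_zero_accounts
echo "== TCP listeners on all interfaces";    ss_src     | public_listeners
```

On the sample data the script reports root, toor and deploy as accounts with a shell, toor as a second UID 0 account, and sshd (on IPv4 and IPv6) plus the web server on port 80 as network-exposed; the printer daemon and MySQL on 127.0.0.1 are not listed. Each line is a candidate for the "remove, disable or restrict" decision described above.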
See my next blog on Hardening Servers
All companies need to undergo an SSA from time to time by an outside agency. It's a stressful time for IT managers and DevOps to prepare, fix all the minor issues and be ready in time. Many corporations with ISO 9001 and ISO 27001 certificates have written protocols to follow regarding testing and setting up services. The problem is keeping them up to date. Enterprises use tools like Lynis to cope with it.
I will demonstrate a method for performing a DIY SSA of your servers using Lynis, a tool that is Free and Open Source Software (FOSS). Cisofy also provides Lynis Enterprise as SaaS for $3/system/month; the SaaS Premium tier has many added features like a dashboard. For large enterprises (100+ systems) they provide special pricing.
Lynis by Cisofy
Auditing, system hardening, compliance testing
Lynis is a battle-tested security tool for systems running Linux, macOS, or another Unix-based operating system. It conducts a comprehensive health scan of your systems to facilitate system hardening and compliance testing. The project is free software licensed under the GPL and has been available since 2007. See the Lynis Enterprise page for more screenshots.
How it works
Lynis scanning is modular and opportunistic. This means it will only use and test the components that it can find, such as the available system tools and its libraries. The benefit is that no installation of other tools is needed, so you can keep your systems clean.
By using this scanning method, the tool can run with almost no dependencies. Also, the more components it discovers, the more extensive the audit will be. In other words: Lynis will always perform scans that are tailored to your system. No audit will be the same!
Installation of the Community version
You can install it from your OS repository (or from Cisofy's own repository), or run it without installing by cloning the GitHub repository. Since the Community version is CLI-only, there is no dashboard. It offers many of the advantages of the Enterprise version, but not all of them.
I have a ready-made script for installing Lynis from apt (download link). Download it with wget from https://github.com/nallej/MyJourney/raw/main/scripts/, read the code and make your choice, then chmod 700 the script and run ./LynisInstall.sh.
As the script uses sudo, you need to edit that out before using it on a Proxmox node.
Proxmox node or any other Debian/Ubuntu server
First we need to install a few packages and the Cisofy signing key. Run the commands with sudo, or as root after su - (drop the sudo prefix in that case).
sudo apt update && sudo apt install apt-transport-https gnupg2 -y
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
For English speakers, configure APT to skip downloading translations. It saves bandwidth and avoids additional load on the repository servers. (The sudo belongs on tee, which writes the file; echo does not need it.)
echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations
Set the packages and install Lynis
echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
sudo apt update && sudo apt install lynis -y
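As an added example (not from the original post or from Cisofy's own instructions), here is the same installation as a script that puts the repository key under /etc/apt/keyrings and binds it to the Cisofy repository with APT's signed-by option. A key dropped into /etc/apt/trusted.gpg.d/, as in the commands above, is trusted for every repository on the system; with signed-by it can only sign this one. The script is written to run as root without sudo, which also suits a Proxmox node. The keyring path is our choice, not a Cisofy convention.

```shell
#!/bin/sh
# Added example (not from the original post or from Cisofy): install Lynis from
# the Cisofy repository with the signing key scoped to that repository only.
set -eu

KEYRING=/etc/apt/keyrings/cisofy-software-public.gpg   # our choice of path
KEY_URL=https://packages.cisofy.com/keys/cisofy-software-public.key
REPO_URL=https://packages.cisofy.com/community/lynis/deb/

# The sources.list entry, kept in a function so it can be checked without
# touching the system. signed-by restricts which key may sign this repo.
cisofy_sources_line() {
    printf 'deb [signed-by=%s] %s stable main\n' "$1" "$REPO_URL"
}

# APT setting that skips translation downloads.
apt_no_translations() {
    printf 'Acquire::Languages "none";\n'
}

install_lynis() {
    apt-get update
    apt-get install -y apt-transport-https gnupg2 curl ca-certificates
    install -d -m 0755 /etc/apt/keyrings
    # --dearmor turns the ASCII-armored key into the binary form APT reads;
    # --batch --yes lets it overwrite an old copy without prompting.
    curl -fsSL "$KEY_URL" | gpg --batch --yes --dearmor -o "$KEYRING"
    chmod 0644 "$KEYRING"
    cisofy_sources_line "$KEYRING" > /etc/apt/sources.list.d/cisofy-lynis.list
    apt_no_translations > /etc/apt/apt.conf.d/99disable-translations
    apt-get update
    apt-get install -y lynis
    # Confirm the package came from packages.cisofy.com rather than a distro
    # mirror (which may carry an older release), then print the version.
    apt-cache policy lynis
    lynis show version
}

# Only install when asked explicitly and running as root.
if [ "${1:-}" = "--install" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root: $0 --install" >&2; exit 1; }
    install_lynis
fi
```

Run it as root with --install. If apt-cache policy shows the candidate version coming from a distribution mirror instead of packages.cisofy.com, the Cisofy repository is not being used and the version check at the end will most likely lag behind the current release.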
Confirm the installation
Run lynis show version. At the time of writing the current version is 3.0.8. If your version is not the latest, run sudo apt-cache policy lynis to see which repository your package came from.
Install Lynis plugins (community)
If you want to enhance Lynis' functionality, you can install Lynis plugins (community) from https://github.com/CISOfy/lynis/tree/master/plugins
- Download what you need using wget or curl.
- Plugin file permissions should be restrictive: 600, 640 or, most restrictive, 400.
- Each plugin must be enabled in the profile before it is activated.
- Custom tests should use test IDs with the CUST- prefix.
Setup proper permissions:
sudo chown root:root /usr/share/lynis/plugins/plugin_*
sudo chmod 600 /usr/share/lynis/plugins/plugin_*
Finally, check the Lynis profile to confirm that newly added plugins are enabled:
sudo grep plugin= /etc/lynis/default.prf
Running Lynis Community version
Lynis has a ton of features and ways to run it. You can run a full audit or target specific tests. For a first run, a full audit is best. The output is very long, so keep the log file for reading afterwards.
Audit steps
This is what happens during a typical scan with Lynis:
- Initialization
- Perform basic checks, such as file ownership
- Determine operating system and tools
- Search for available software components
- Check latest Lynis version
- Run enabled plugins
- Run security tests per category
- Perform execution of your custom tests (optional)
- Report status of security scan
Besides the report and information displayed on screen, all technical details about the scan are stored in a log file, ~/lynis.log or /var/log/lynis.log.
Findings like warnings and suggestions are stored in a separate report file, ~/lynis-report.dat or /var/log/lynis-report.dat.
You may enhance Lynis audits by adding your personal settings to /etc/lynis/custom.prf (for all settings, see the defaults in /etc/lynis/default.prf).
Run Lynis
Due to the nature of the audit, you need to run as root (su -) or use sudo. It's good practice to state your name as the auditor and write a new log file for each scan (see the --auditor and --logfile options below).
Run lynis audit system, or, if you cloned the repository: cd lynis && ./lynis audit system
Reports
After the initial scan, you are presented with a report on screen and in the logs. The report also includes several links to explanations of things you should consider doing to raise your hardening index.
Lynis commands (see man or help for full list)
Usage: sudo lynis command [options]
Audit
lynis audit system : Perform local security scan
lynis audit system remote <host> : Remote security scan
lynis audit dockerfile <file> : Analyze Dockerfile
Options
--auditor "Full Name" : Use "quotes" for a full name
--logfile /full/path/to/file : Create a dedicated log file
Show
lynis show : Show all commands
lynis show version : Show Lynis version
lynis show help : Show help
lynis update info : Show update details
Other options
Alternative system audit modes:
--forensics : Perform forensics on a running/mounted system
--pentest : Non-privileged, show points of interest for pen testing
Layout options
--no-colors (colours) : Don't use colors in output
--quiet (-q) : No output
--reverse-colors : Optimize color display for light backgrounds
Misc options
--debug : Debug logging to screen
--no-log : Don't create a log file
--profile <profile> : Scan the system with the given profile file
--view-manpage (--man) : View man page
--verbose : Show more details on screen
--version (-V) : Display version number and quit
--wait : Wait between a set of tests
--slow-warning <seconds> : Threshold for slow test warning in seconds (the default is 10)
For more options, run lynis show options (or /usr/sbin/lynis show options) or use the man page: man lynis.
Quick Guide
Run lynis without any installation.
git clone https://github.com/CISOfy/lynis
cd lynis
How to Run
We can now use Lynis to perform security audits on our system. To view what we can do, use the show command.
./lynis show
./lynis show commands
Lynis can be run without pre-configuration, but you can also configure it for your audit needs. Lynis can run in both privileged and non-privileged (pentest) mode; in non-privileged mode the tests that require root privileges are skipped, so the audit is less complete.
./lynis audit system
sudo ./lynis audit system
Adding the --quick parameter makes Lynis run without pauses between test groups, so we can work on other things while it scans.
./lynis audit system --quick
sudo ./lynis audit system --quick
Lynis performs a number of tests divided into categories. After every test, results, debug information and suggestions for hardening the system are provided.
More detailed information is stored in /var/log/lynis.log, while the data report is stored in /var/log/lynis-report.dat (when run as a non-root user, both end up in your home directory instead).
Examine Lynis Audit Reports
A newly installed server may get a hardening index of 60-65, meaning you should do something to improve your server's security according to your own security rules.
Send the report to your security team or start figuring out how to improve the score. Lynis helps you by identifying things and giving advice like links to articles.
For example, some of the important categories include:
- Boot and Services: Lynis gives you an overview of the boot process and the service manager in use on your system, and flags services it considers unsafe or exposed.
- Users, Groups, and Authentication: Lynis scans your user accounts and checks password strength and expiry settings. It examines whether important files like /etc/passwd and the PAM configuration have proper permissions.
- Ports and Packages: Lynis gives an overview of open ports that an attacker could use to reach your system, and informs you of outdated packages, which are a security risk.
- Logging and Files: Lynis checks that the logging daemon is up and running, and checks the availability and permissions of important log files.
Apart from these categories, Lynis also checks your kernel, memory and processes, shells, file systems, DNS, networking, virtualization and other critical parts of your system.
It also produces a Warnings and Suggestions section, each entry with a link to an explanation, and an executive summary called "Lynis security scan details".
A hardening index of 60-65 is to be expected before hardening the server for production usage. Be aware that a CEO may freak out from seeing that number.
The lynis.log file contains the full output for future reference.
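The following is an added example (not from the original post or from Lynis itself) that ties the Run Lynis step above to reading the results: it runs the audit with the auditor's name and a dated log file, then pulls the hardening index, warnings and suggestions out of lynis-report.dat and fails when the index is below a threshold you choose, so the same check can run from cron or a pipeline before the external audit. The report format relied on is the one Lynis writes (hardening_index=, warning[]= and suggestion[]= lines, the latter two as TEST-ID|text|details|solution|). The sample report inside the script is constructed for illustration, and the output directory /var/log/lynis-runs is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not part of the original post or of Lynis): run an audit with
# a named auditor and per-run log, then read the findings back from the report.
set -eu

# Constructed sample of a lynis-report.dat so the parsing can be exercised
# without running Lynis. Test IDs and texts are illustrative only.
SAMPLE_REPORT='lynis_version=3.0.8
report_datetime_start=2023-01-01 10:00:00
hardening_index=62
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=PKGS-7420|Consider using a tool to automatically apply upgrades|-|-|
tests_executed=237'

# Run the audit (as root or via sudo), naming the auditor and keeping one log
# and one dated copy of the report per run. Prints the path of that copy.
run_audit() {            # usage: run_audit "Full Name" [outdir]
    auditor=$1; outdir=${2:-/var/log/lynis-runs}     # outdir is our choice
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$outdir"
    # --quick: no pauses between test groups, so the run can be left unattended.
    lynis audit system --quick --auditor "$auditor" --logfile "$outdir/lynis-$stamp.log"
    cp /var/log/lynis-report.dat "$outdir/lynis-report-$stamp.dat"
    echo "$outdir/lynis-report-$stamp.dat"
}

# Hardening index (0-100) from a report file.
hardening_index() { awk -F= '$1 == "hardening_index" { print $2 }' "$1"; }

# Findings of one kind ("warning" or "suggestion") as "TEST-ID  text [details]".
# Split on the first "=" only, since a finding's text may itself contain "=".
findings() {             # usage: findings warning|suggestion report.dat
    awk -v k="$1[]=" '
        index($0, k) == 1 {
            rest = substr($0, length(k) + 1)
            split(rest, f, "|")
            line = f[1] "  " f[2]
            if (f[3] != "-" && f[3] != "") line = line " [" f[3] "]"
            print line
        }' "$2"
}

count_findings() { findings "$1" "$2" | awk 'END { print NR }'; }

summary() {              # usage: summary report.dat
    echo "Hardening index: $(hardening_index "$1")"
    echo "Warnings ($(count_findings warning "$1")):";       findings warning "$1"
    echo "Suggestions ($(count_findings suggestion "$1")):"; findings suggestion "$1"
}

# Non-zero exit when the index is below the threshold: a gate for cron or CI.
hardening_gate() {       # usage: hardening_gate report.dat MIN
    idx=$(hardening_index "$1"); idx=${idx:-0}
    if [ "$idx" -lt "$2" ]; then
        echo "hardening index $idx is below $2" >&2
        return 1
    fi
    echo "hardening index $idx meets $2"
}

# Stand-alone: summarize a real report given as argument, or the sample.
if [ -n "${1:-}" ]; then
    summary "$1"; hardening_gate "$1" 70
else
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_REPORT" > "$tmp"
    summary "$tmp"; hardening_gate "$tmp" 70 || true
    rm -f "$tmp"
fi
```

Typical use is a cron entry that calls run_audit "Your Name" and then hardening_gate on the file it prints; the exit status tells you whether the server has slipped below the level you set. On the sample report the gate fails at 70 (index 62) and passes at 60, which matches the 60-65 range described above for an unhardened server.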
Final thoughts
I definitely prefer the Enterprise version over the Community version for a number of reasons: the number of tests (171 vs. 211), a set of ready-made plugins, the ease of use of the dashboard and the extensive reporting (ISO 27001).
This is part 1 in a multi part series on Server Security and Hardening
General thoughts on Hardening Servers
Hardening servers is an interesting topic and a key task for IT professionals. There are several excellent guides on this subject on the internet that I recommend you read and think through. There are also a number of hardening scripts you can use.
- Don't use passwords. If you do, use long and complicated ones.
- Use different passwords for everything
- Use a good password manager like Bitwarden
- Don't run as root - create administrative users instead
- Block root login over SSH
- Use keys and tokens
- Use 2FA as a minimum - even on the intranet
- Don't open ports if you can avoid it
- Don't run old software or firmware
- Kill unnecessary processes and services
- Pay special attention to network security
- Treat the intranet as the web - prepare for an intrusion
- Use VPN tunnels
- Use firewalls - not the ISP junk but a real one
- Add malware and virus protection to your servers
- Do your SSA frequently
- Read security blogs
References
Lynis Auditing system [1], Installing the Community version [2], Lynis on GitHub [3]
Kali Linux [4] is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security.
Multi-factor authentication (MFA), including two-factor authentication (2FA), is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data, which may include personal identification or financial assets, from being accessed by an unauthorized third party that may have been able to discover, for example, a single password. [5]
Check Rootkit (chkrootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits. It is a shell script using common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures and for comparing a traversal of the /proc filesystem with the output of the ps (process status) command to look for discrepancies. [6]
Rootkit hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD. rkhunter is notable due to its inclusion in popular operating systems (Fedora, Debian, etc.) [7]
Clam Antivirus [8] (ClamAV) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses.
Other host-based intrusion detection systems: comparison [9]; Computer security on Wikipedia [10]
The Hardening Servers series [11]
Lynis on GitHub; Lynis Development Guide for Lynis plugins
Clam AntiVirus by Cisco Systems on Wikipedia and the home page
Host-based intrusion detection systems on Wikipedia and a long list of FOSS packages on this Wikipedia page or this page
Security Audit and Hardening post; Hardening your Servers blog; Hardening Servers 3 blog; Proxmox Backup Server blog; Monitoring your Servers blog