Security Audit and Lynis

Prepare for a security audit, or check your server for security hardening. All companies need to undergo a security audit from time to time by an outside agency. Many corporations with ISO 9001/27001 certifications have written protocols to follow vis-à-vis testing and setting up services. #security #hardening #audit #lynis


How to prepare for a System Security Audit (SSA), or check your server for security hardening. Hardening is the process of securing a system by reducing its attack surface: the set of points where an attacker can try to get in or get data out.

Attack Surface Analysis (ASA) is the process of identifying the attack surface and discussing what it means from a risk perspective. It typically includes:

  • mapping out which parts of a system need to be reviewed and tested for security vulnerabilities; both hardware and software risks need to be addressed
  • which parts of the system are open to the public internet and/or to internal users
  • what the minimum exposure is that the company needs in order to operate effectively
  • understanding the risk areas in an application or a machine and finding ways of minimising those risks
  • how to notice when the attack surface changes, and how to act on it
  • how to secure updates to machines and software

Attack Surface Analysis is usually done independently by security architects and pen testers.

Reducing the attack surface of systems and applications typically includes:

  • use of keys and tokens instead of passwords
  • changing passwords to long, complex ones
  • adding 2FA or MFA
  • removal of unnecessary software and user accounts
  • denying root login and other unnecessary logins
  • disabling or removing unnecessary services

See my next blog on Hardening Servers

All companies need to undergo an SSA from time to time by an outside agency. It is a stressful time for IT managers and DevOps, who have to prepare, fix all the minor issues and be ready on time. Many corporations with ISO 9001 and ISO 27001 certifications have written protocols to follow vis-à-vis testing and setting up services. The problem is keeping them up to date. Enterprises use tools like Lynis to cope with it.

I will demonstrate a method for performing a DIY SSA of your servers using Lynis, a tool that is Free and Open Source Software (FOSS). Cisofy also sells Lynis Enterprise as SaaS for $3/system/month; the SaaS Premium tier adds features such as a dashboard. For large enterprises (100+ systems) they offer special pricing.

[Screenshots: the dashboard in Lynis Enterprise SaaS, and the Lynis Enterprise improvement plan]

Lynis by Cisofy

Auditing, system hardening, compliance testing

Lynis is a battle-tested security tool for systems running Linux, macOS, or other Unix-based operating systems. It conducts a comprehensive health scan of your systems to facilitate system hardening and compliance testing. The project is free software licensed under the GPL and has been available since 2007. See the Lynis Enterprise page for more screenshots.

How it works

Lynis scanning is modular and opportunistic. This means it will only use and test the components that it can find, such as the available system tools and their libraries. The benefit is that no installation of other tools is needed, so you can keep your systems clean.

By using this scanning method, the tool can run with almost no dependencies. Also, the more components it discovers, the more extensive the audit will be. In other words: Lynis will always perform scans that are tailored to your system. No audit will be the same!

Installation of the Community version

You can install it from a package repository (your distribution's, or Cisofy's own), or run it without installing anything by cloning the GitHub repository. The Community version is CLI-only, so there is no dashboard. It offers many of the Enterprise version's features, but not all of them.

I have a ready-made script for installing Lynis from apt; see the download link.

Download it with wget from https://github.com/nallej/MyJourney/raw/main/scripts/, read the code before you run it and make your choice, then chmod 700 LynisInstall.sh and ./LynisInstall.sh.
The script uses sudo, so edit that out before using it on Proxmox, where you already run as root.

Proxmox node or any other Debian/Ubuntu server

First we need to install a few packages and the Cisofy repository signing key.
Run the commands with sudo, or as root after su - (on a Proxmox node you are root already, so drop the sudo).

sudo apt update && sudo apt install apt-transport-https gnupg2 curl -y
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg

For English speakers, configure APT to skip downloading translations. It saves bandwidth and avoids extra load on the repository servers.

echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations

Add the Cisofy repository and install Lynis (sudo on the echo does nothing useful; the privileged part is the tee that writes the file):

echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
sudo apt update && sudo apt install lynis -y
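The same installation as a script, added here as an example (it is not the author's LynisInstall.sh and not code from Cisofy or the Lynis project). It differs from the commands above in two security-relevant ways: the key is stored under /etc/apt/keyrings and bound to the Cisofy repository with [signed-by=...], so it cannot vouch for packages from any other repository the way a key dropped into /etc/apt/trusted.gpg.d/ can, and the key's fingerprint is compared against the value you put in EXPECTED_FPR (copy it from the key information Cisofy publishes; the script deliberately contains no fingerprint of its own) before APT is allowed to trust it. Package names and paths are assumptions for Debian/Ubuntu.

```shell
#!/bin/sh
# Added example (not the author's LynisInstall.sh, not Cisofy's code):
# install Lynis from the Cisofy Debian repository with the signing key
# bound to that one repository via [signed-by=...] and its fingerprint
# checked against EXPECTED_FPR before APT is allowed to trust it.
# Assumptions: Debian/Ubuntu with apt, gpg and curl available or
# installable; EXPECTED_FPR is set by you from the fingerprint Cisofy
# publishes (no fingerprint is hard-coded here on purpose).
set -eu

KEY_URL="https://packages.cisofy.com/keys/cisofy-software-public.key"
KEYRING="/etc/apt/keyrings/cisofy-software-public.gpg"
LIST="/etc/apt/sources.list.d/cisofy-lynis.list"
REPO_URL="https://packages.cisofy.com/community/lynis/deb/"

# Build the APT source entry. signed-by limits this key to this repository,
# unlike a key in /etc/apt/trusted.gpg.d/, which may sign any repository.
sources_entry() {            # sources_entry <keyring> <repo-url>
    printf 'deb [signed-by=%s] %s stable main\n' "$1" "$2"
}

# Print the primary fingerprint of an ASCII-armoured key without importing it.
key_fingerprint() {          # key_fingerprint <key-file>
    gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalise (drop spaces, upper-case) and compare two fingerprints.
# Returns 0 only on a non-empty exact match.
fingerprint_matches() {      # fingerprint_matches <actual> <expected>
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

install_lynis() {
    expected="${EXPECTED_FPR:?set EXPECTED_FPR to the fingerprint Cisofy publishes}"
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    apt-get update
    apt-get install -y apt-transport-https ca-certificates curl gnupg
    curl -fsSL "$KEY_URL" -o "$tmp"
    actual=$(key_fingerprint "$tmp")
    if ! fingerprint_matches "$actual" "$expected"; then
        echo "key fingerprint mismatch: got '$actual', expected '$expected'" >&2
        exit 1
    fi
    install -d -m 0755 /etc/apt/keyrings
    gpg --dearmor < "$tmp" > "$KEYRING"
    chmod 0644 "$KEYRING"
    sources_entry "$KEYRING" "$REPO_URL" > "$LIST"
    printf 'Acquire::Languages "none";\n' > /etc/apt/apt.conf.d/99disable-translations
    apt-get update
    apt-get install -y lynis
    lynis show version
}

# Only install when explicitly asked, so the file can also be sourced:
#   sudo EXPECTED_FPR='<fingerprint>' sh ./lynis-install.sh install
if [ "${1:-}" = "install" ]; then
    install_lynis
fi
```

Run it as root (on a Proxmox node you already are; elsewhere prefix sudo) with the install argument; without it the file only defines the functions. If the fingerprint does not match, nothing is written to /etc/apt and the script exits non-zero, which is the behaviour you want from anything that adds a trust anchor to a server.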

Confirm the installation

Run lynis show version; at the time of writing the current version is 3.0.8. If yours is not the latest, run apt-cache policy lynis to see which repository your package came from (a distribution repository usually lags behind Cisofy's).

Install Lynis plugins (community)

If you want to enhance Lynis' functionality, you can install Lynis plugins (community) from https://github.com/CISOfy/lynis/tree/master/plugins

  1. Download what you need using wget or curl.
  2. Plugin files should be owned by root with permissions 600 or 640, or 400 (the most restrictive).
  3. Each plugin must be enabled in the profile before it is activated.
  4. Custom plugins should use test IDs with a "CUS-" prefix.

Setup proper permissions:

sudo chown root:root /usr/share/lynis/plugins/plugin_*
sudo chmod 600 /usr/share/lynis/plugins/plugin_*

Finally, check the Lynis profile (default.prf, or custom.prf if you keep your own settings there) to confirm that the newly added plugins are enabled:

sudo grep plugin= /etc/lynis/default.prf
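Those four steps, automated as an added example (not the author's script and not code from the Lynis project). It assumes the plugin directory /usr/share/lynis/plugins and the plugin=<name> profile line used on this page, and keeps the profile edit idempotent so it can run from configuration management; the plugin URL and name are supplied by you.

```shell
#!/bin/sh
# Added example (not from the post or the Lynis project): put a downloaded
# community plugin in place with the permissions the post asks for and
# enable it in the profile without duplicating lines on re-runs.
# Assumptions: plugins live in /usr/share/lynis/plugins, the profile line
# is "plugin=<name>", and you supply the URL and name. Run as root.
set -eu

PLUGIN_DIR="/usr/share/lynis/plugins"
PROFILE="/etc/lynis/custom.prf"

# Append plugin=<name> unless an identical active line already exists.
# Prints "enabled" or "already enabled" so callers can tell what happened.
enable_plugin() {            # enable_plugin <profile> <name>
    if grep -q "^plugin=$2\$" "$1" 2>/dev/null; then
        echo "already enabled"
    else
        printf 'plugin=%s\n' "$2" >> "$1"
        echo "enabled"
    fi
}

# List the plugins a profile enables; commented-out lines are ignored.
enabled_plugins() {          # enabled_plugins <profile>
    sed -n 's/^plugin=//p' "$1" 2>/dev/null
}

# Fetch a plugin file and apply root:root 0600 as the post recommends.
install_plugin_file() {      # install_plugin_file <url> <destination>
    curl -fsSL "$1" -o "$2"
    chown root:root "$2"
    chmod 0600 "$2"
}

# Usage:  sudo sh ./lynis-plugin.sh install <plugin-url> <plugin-name>
if [ "${1:-}" = "install" ]; then
    url="${2:?plugin url}"; name="${3:?plugin name}"
    install_plugin_file "$url" "$PLUGIN_DIR/$(basename "$url")"
    enable_plugin "$PROFILE" "$name"
    echo "plugins enabled in $PROFILE:"; enabled_plugins "$PROFILE"
fi
```

Writing to custom.prf rather than default.prf keeps the change across package upgrades; the grep anchors (^ and $) make sure a commented-out #plugin=name line does not count as enabled.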

Running Lynis Community version

[Screenshot: part of a Lynis Community Edition run]

Lynis has a ton of features and ways to run it. You can run a full, open audit or pinpoint specific tests; for a first run, the open audit is best. Expect very long output (several thousand lines on screen and in the log).

Audit steps

This is what happens during a typical scan with Lynis:

  1. Initialization
  2. Perform basic checks, such as file ownership
  3. Determine operating system and tools
  4. Search for available software components
  5. Check latest Lynis version
  6. Run enabled plugins
  7. Run security tests per category
  8. Perform execution of your custom tests (optional)
  9. Report status of security scan

Besides the report shown on screen, all technical details about the scan are stored in a log file, /var/log/lynis.log when run as root or ~/lynis.log otherwise.
Findings such as warnings and suggestions are stored in a separate, machine-readable report file, /var/log/lynis-report.dat or ~/lynis-report.dat.

You may tailor Lynis audits by adding your own settings to /etc/lynis/custom.prf (for all settings, see the defaults in /etc/lynis/default.prf; default.prf is replaced on upgrade, custom.prf is not).

Run Lynis

Due to the nature of the audit, you need to run as root (su -) or use sudo. It is good practice to record who ran the audit and to write a new log file for each scan.

A plain scan:

sudo lynis audit system

A scan with the auditor recorded and a dedicated log file:

sudo lynis audit system --auditor "<user's full name>" --logfile ~/name_of_file.log

--auditor can be either a username for internal use or the user's full name for official reports.

Or, if you cloned the repository instead of installing the package: cd lynis && sudo ./lynis audit system

After the initial scan, you are presented with a report on screen and in the logs. The report also includes links to explanations of what you should consider doing to raise your hardening index.

Lynis commands (see man lynis or lynis show help for the full list)

Usage: sudo lynis command [options]

Audit

lynis audit system                   : Perform local security scan 
lynis audit system remote <host>     : Remote security scan 
lynis audit dockerfile <file>        : Analyze Dockerfile Options 

--auditor "Full Name" or name  : Use "quotes" for full name 
--logfile /full/path/to/file   : Create a dedicated file

Show

lynis show               : Show all commands 
lynis show version       : Show Lynis version 
lynis show help          : Show help 
lynis update info        : Show update details

Other options

Alternative system audit modes:

--forensics       : Perform forensics on a running/mounted system
--pentest         : Non-privileged, show points of interest for pen testing 

Layout options

--no-colors (colours)    : Don't use colors in output 
--quiet (-q)             : No output 
--reverse-colors         : Optimize color display for light backgrounds 

Misc options

--debug                  : Debug logging to screen 
--no-log                 : Don't create a log file 
--profile <profile>      : Scan the system with the given profile file 
--view-manpage (--man)   : View man page 
--verbose                : Show more details on screen 
--version (-V)           : Display version number and quit 
--wait                   : Wait between a set of tests 
--slow-warning <seconds> : Threshold for slow test warning in seconds
                           (the default is 10)

For more options, run lynis show options (or /usr/sbin/lynis show options) or read the man page with man lynis.

Quick Guide

Run lynis without any installation.

git clone https://github.com/CISOfy/lynis
cd lynis

How to Run

We can now use Lynis to audit the system; to see what it can do, use the show command.

./lynis show
./lynis show commands

Lynis can be run without any configuration, but you can also configure it for your audit needs. It runs in both privileged and non-privileged (pentest) mode; in non-privileged mode the tests that require root privileges are skipped, so the result is less complete.

./lynis audit system
sudo ./lynis audit system

The --quick (-Q) parameter makes Lynis run without pausing between groups of tests, so it can run unattended while you work on something else. Note that current Lynis 3.x already behaves this way by default and offers --wait to restore the pauses, so the flag is accepted for compatibility but no longer needed.

./lynis audit system --quick
sudo ./lynis audit system --quick

Lynis runs a number of tests, divided into categories. After every test, the result, debug information and suggestions for hardening the system are recorded.
The detailed log is stored in /var/log/lynis.log and the machine-readable report in /var/log/lynis-report.dat (when run as root).

Examine Lynis Audit Reports

A newly installed server typically scores 60-65. That means you should do something to improve the server's security, according to your own security rules.

Send the report to your security team or start figuring out how to improve the score. Lynis helps you by identifying things and giving advice like links to articles.

For example, some of the important categories include:

  • Boot and Services: Lynis gives an overview of the boot process and the service manager in use, and flags services that are unsafe or exposed.
  • Users, Groups, and Authentication: Lynis scans the user accounts and checks password strength and expiry settings. It also examines whether important files such as /etc/passwd and the PAM configuration have proper permissions.
  • Ports and Packages: Lynis lists open and unsafe ports that attackers could use against your system, and reports outdated packages, which are a security risk.
  • Logging and Files: Lynis checks that the logging daemon is running, and checks the availability and permissions of important log files.

Apart from these categories, Lynis also checks your kernel, memory and processes, shells, file systems, DNS stuff, networking, virtualization and other critical parts of your system.

It also produces a "Warnings" and a "Suggestions" section, each item with a link to an explanation, and an executive summary headed "Lynis security scan details".

[Screenshot: executive summary for a fresh install of Ubuntu]

A hardening index of 60-65 is to be expected before the server is hardened for production use. Be aware that a CEO may freak out on seeing that number.

The lynis.log contains the output in list form for future reference.
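The report file is the thing to automate on, because warnings and suggestions are stored there one per line in key=value form (see the "Run Lynis" section above for where Lynis writes it). The script below is an added example, not from the post and not part of Lynis: it reads lynis-report.dat, prints the hardening index and the findings, and fails when the index is below a minimum or any warning is present, which is how you would gate a build or a nightly cron job on a scan. It assumes the key names hardening_index, warning[] and suggestion[] and the |-separated fields inside them, as Lynis 3.x writes them; the sample report embedded in it is constructed for this example, not real scan output.

```shell
#!/bin/sh
# Added example (not from the post or the Lynis project): read the
# machine-readable report Lynis writes (lynis-report.dat: key=value lines,
# repeatable keys end in [], fields inside a value are separated by |)
# and gate on it. Assumptions: the key names hardening_index, warning[]
# and suggestion[] as written by Lynis 3.x. The sample report below is
# constructed for this example and is not output from a real scan.
set -eu

# Value of a single key, e.g. hardening_index or lynis_version.
report_value() {             # report_value <file> <key>
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Findings of one kind, one per line as "TEST-ID: message".
report_findings() {          # report_findings <file> warning|suggestion
    sed -n "s/^$2\[\]=//p" "$1" | awk -F'|' '{ print $1 ": " $2 }'
}

report_warning_count() {     # report_warning_count <file>
    report_findings "$1" warning | wc -l | tr -d ' '
}

# Exit 0 when the report passes: hardening index >= minimum and no
# warnings. Reasons for failing are printed on stderr; 2 means no index.
gate_report() {              # gate_report <file> <minimum_index>
    index=$(report_value "$1" hardening_index)
    warnings=$(report_warning_count "$1")
    status=0
    if [ -z "$index" ]; then
        echo "no hardening_index in $1 (did the scan finish?)" >&2
        return 2
    fi
    if [ "$index" -lt "$2" ]; then
        echo "hardening index $index is below the required $2" >&2
        status=1
    fi
    if [ "$warnings" -gt 0 ]; then
        echo "$warnings warning(s) present:" >&2
        report_findings "$1" warning >&2
        status=1
    fi
    return $status
}

# Constructed sample in the report format (not a real scan).
write_sample_report() {      # write_sample_report <file>
    cat > "$1" <<'EOF'
lynis_version=3.0.8
hardening_index=62
warning[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
EOF
}

# Demonstration on the sample. Against a real scan:
#   sudo lynis audit system --quiet && gate_report /var/log/lynis-report.dat 70
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); write_sample_report "$f"
    echo "hardening index: $(report_value "$f" hardening_index)"
    echo "warnings: $(report_warning_count "$f")"
    gate_report "$f" 70 || echo "gate failed with status $?"
    rm -f "$f"
fi
```

On the sample the gate fails twice over (index 62 below 70, and two warnings), and the SSH-7408 test shows up as both a warning and a suggestion, which is the usual hint of what to fix first. Pick the minimum index to match your own baseline rather than the 60-65 a fresh install scores.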



Final thoughts

I definitely prefer the Enterprise version over the Community version, for a number of reasons: first, the number of tests (171 versus 211); a set of ready-made plugins; the ease of use of the dashboard; and the extensive reporting (ISO 27001).

This is part 1 in a multi part series on Server Security and Hardening

General thoughts on Hardening Servers

Hardening servers is an interesting topic, and a key task for IT professionals. There are several excellent guides on the subject on the internet that I recommend you read and think over, and a number of hardening scripts you can use.

  • Don't use passwords. If you must, use long and complex ones
  • Use a different password for everything
  • Use a good password manager such as Bitwarden
  • Don't work as root; create separate privileged (sudo) users
  • Block root login over SSH
  • Use keys and tokens
  • Use 2FA as a minimum, even on the intranet
  • Don't open ports if you can avoid it
  • Don't run old software or firmware
  • Kill unnecessary processes and servers
  • Pay special attention to network security
  • Treat the intranet as the internet: prepare for an intrusion
  • Use VPN tunnels
  • Use firewalls, not the ISP junk but a real one
  • Add malware and virus protection to your servers
  • Do your SSA frequently
  • Read security blogs

References

Lynis auditing system [1]; installing the Community version [2]; Lynis on GitHub [3].
Kali Linux [4] is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security.
Multi-factor authentication (MFA), including two-factor authentication (2FA), is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data, which may include personal identification or financial assets, from being accessed by an unauthorized third party that may have been able to discover, for example, a single password. [5]
Check Rootkit (chkrootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits. It is a shell script using common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures, and it compares a traversal of the /proc filesystem with the output of the ps (process status) command to look for discrepancies. [6]
Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD. rkhunter is notable for its inclusion in popular operating systems (Fedora, Debian, etc.). [7]
Clam AntiVirus [8] (ClamAV) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses.
Other host-based intrusion detection systems, compared [9]; computer security on Wikipedia [10].
The Hardening Servers series [11]


  1. Cisofy, the Lynis home page
  2. The Install the Community version page, and this page
  3. Lynis on GitHub; the Lynis Development Guide for Lynis plugins
  4. Kali Linux on Wikipedia, and the home page
  5. Authentication security: see this page
  6. Check Rootkit on Wikipedia, and the home page
  7. Rootkit Hunter on Wikipedia, and the home page
  8. Clam AntiVirus by Cisco Systems on Wikipedia, and the home page
  9. Host-based intrusion detection systems on Wikipedia, and a long list of FOSS packages on this Wikipedia page or this page
  10. Information security on Wikipedia
  11. The Security Audit and Hardening post; the Hardening your Servers blog; the Hardening Servers 3 blog; the Proxmox Backup Server blog; the Monitoring your Servers blog