Linux Auditing, Pentesting And Hardening With CISOFY’s Lynis

Linux penguin and lock for security.

Linux Dominates Performance-based Computing Market Share

Linux may be less susceptible to cyber-attacks because Windows presents such an attactive target by holding the majority of the desktop marketshare. However, Linux servers dominate the global market in some powerful ways. According to industry reports, Linux OSs comprise 100% of all supercomputers, and over 95% of the top 1 million web servers are running Linux. Linux runs on 90% of all cloud infrastructure and dominates the mobile phone market with > 80% of market share. Embedded operating systems, and RTOS for IoT devices? Again, Linux is by far the most popular OS of choice. If you want more interesting facts about Linux’s market presence, you can Read Nick Galov’s revealing 2021 comprehensive summary of Linux market penetration.

Knowing how to conduct a Security Audit of a Linux system and services is very important indeed.  This most often includes whitelisting required applications and removing anything that is not required to reduce the attack surface, and hardening the configuration for any applications and services that are required.  Trend Micro has produced a brief report that characterizes Linux security from the perspective of it’s market share.

Lynis – Linux Security Auditing Tool

Lynis is the defacto tool for Pentesting and Auditing a Linux OS installation and is owned and maintained by CISOFY and supports auditing on all *nix OS’s including AIX, OpenBSD, Solaris, Debian, RHEL, and MacOs. It can be run on a fresh installation of Linux to identify the security holes unique to a given Linux distribution’s install configuration, services, and applications, and Lynis should be run after system changes such as installing new services or applications, and updates to verify that critical configuration settings have not changed and look for new weaknesses that may have been introduced. Lynis can also provide intrusion detection by scanning Linux boot loading services and scripts, run-time settings, scheduled cron-jobs, and certificates so they can be audited.  If an attacker has installed a persistent  RAT on your system it will very likely show up in these scans.

Lynis can be used to meet compliance with industry standards such as NIST, (more), and regulatory compliance for ISO27001, PCI-DSS, HIPAA, and more. Lynis Enterprise has tests designed especially to meet compliance for:

Lynis can be used to run credentialed and non-credentialed scans, and can be scheduled to automate  remote attestation of systems on a regular basis. The worlds most critical infrastructure runs on Linux and Lynis is the most in-depth Open Source Tool available on the market to Audit Linux Security.

The rest of this article will cover:

  1. How to install Lynis
  2. How to run a scan
  3. Basic scan types
  4. Advanced configuration
  5. Reading and parsing reports
  6. How to run only a selected test
  7. How to perform a remote scan

1. How to Install Lynis

If you want to review Lynis’s source code or build and install Lynis from source you can visit the CISOFY Lynis GitHub repository, download, and run it.

2. How to Run a Scan

3. Scan Types

Lynis needs to be executed as root for a full scan and audit. If you don’t have root permissions, use a regular scan or the –pentest option to conduct a non-privileged scan.

4. Advanced Configuration

The lynis -h command will show the basic flags used to start a scan. However, the manual provides more details and can be viewed from the terminal with the man lynis or lynis –man command. You can also find the Linux man-page online and full documentation from the CISOFY. Some additional CLI options to note are:

  • –config (shows which profile files are loaded)
  • –profile specify an alternative profile for the scan
  • -report-file specify an alternative log output filename
  • –no-colors (do not use colors in stdout. This is better for parsing of the stdout, which is markedly easier than parsing the log file for automation of tasks or report building.)
  • –verbose (show more details in stdout output)

Profiles can be stored in scan profile configuration files and specified at run-time. These files have .prf extensions and the default template is stored in the /etc/lynis directory.

5. Reading and Parsing Reports

The result of a Lynis audit scan can be read manually and parsed using a script for automating actions or report building. The stdout is the most human readable output, and can be piped to a file to send and review later:

The lynis-report.dat file is the easiest output to parse by script. For example, suggestions are formatted as follows:

suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)|-|-|

The contents of the lynis-report.dat file can be parsed from the CLI using commands such as:


6. How to Perform a Remote Scan

To perform a remote scan, issue a command to the terminal. Lynis will output commands that are customized for a remote scan on the host you specify. These commands can be built into a bash script and scheduled to run at intervals.

Leave a comment

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.