Once a server is installed, you will want to keep a regular watch for points of vulnerability. A security auditing application makes this an easier task. Lynis is an open source application that runs on the server itself, evaluates it for vulnerabilities and generates a report with suggestions. You can then review the report and make the necessary changes.
Before we get started, I must point out that security auditing takes a bit of time to review, revise and fine-tune before you reach the Goldilocks zone (neither too permissive nor too restrictive).
Why Lynis (Or Any Security Auditor for That Matter)?
One of the prime reasons you will need Lynis is to get certified for compliance. By running a security audit you can prove to auditors that all the steps required for compliance have been taken. Other use cases for running Lynis are
Lynis works on almost all UNIX-based systems (including small systems such as the Raspberry Pi).
How It Works
Lynis works by identifying the components, applications and services present on the system and then digging into each of them. This means no additional components need to be installed. For example, if it detects MySQL, it will check whether the root user has an empty password and, if so, report it. Likewise, each application or service has a list of tests that are performed against it.
Some of the key controls validated include authentication (checking for empty passwords, multiple root user IDs), certificate expiry, web services (missing error logs for nginx, for example) and so on.
A typical scan involves the following:
Perform basic checks, such as file ownership
Determine operating system and tools
Search for available software components
Check latest Lynis version
Run enabled plugins
Run security tests per category
Run your custom tests (optional)
Report status of security scan
The report is displayed on screen and the scan log is also written to a log file (lynis.log). Throughout the test process, Lynis runs hundreds of tests (mainly shell scripts) based on a given set of controls. Each test has a unique identifier; for example, the empty root password check is control DBS-1816. Lynis is extensible, which means you can write your own controls.
It also means that controls can be enabled or disabled based on your system's needs. The tests that run are defined by profiles found in the folder /etc/lynis. The default is /etc/lynis/default.prf. If you want to skip a test, create a custom.prf file. If you want to bypass the checks for the HTTP servers nginx and apache, add the following entries:
# contents of /etc/lynis/custom.prf
# Check if nginx is installed
# Check if apache is installed
Installation & Execution
Lynis is available as a package for most Linux distributions and installation is a single command:
# yum install lynis # CentOS/RHEL
# apt-get install lynis # Ubuntu/Debian
Running Lynis is as easy as running:
# lynis audit system
# lynis audit system --quick
(use the second one if you want to run a quick scan)
Other commands available are
Perform a system audit
Show available Lynis commands
Provide a help screen
Display discovered profiles
List all active settings from profiles
Display current Lynis version
The output from Lynis can be investigated further using the test ID. For example, if the output shows this:
! Reboot of system is most likely needed [KRNL-5830]
- Solution : reboot
You can find out more about KRNL-5830 by running:
# lynis show details KRNL-5830
By default Lynis runs a lot of tests; as mentioned earlier, you can skip some of them with a custom profile. I would also advise running it as a cron job (daily or weekly) and reviewing the audit logs on a regular basis.
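As an added example that is not part of the original article, a cron wrapper along these lines runs the audit non-interactively, pulls every warning and suggestion with its test ID out of the report file and prints only the ones that were not present on the previous run, so the regular review focuses on what changed. It assumes Lynis writes its report to /var/log/lynis-report.dat as warning[]= and suggestion[]= lines of pipe-separated fields and that the --cronjob flag is available; the sample report inside the block is constructed.

```sh
#!/bin/sh
# Added example, not from the original article: a cron wrapper that runs a
# Lynis audit, lists findings by test ID, and flags those new since the last run.
# Assumptions: Lynis writes its report to /var/log/lynis-report.dat with lines
# "warning[]=TEST-ID|message|details|solution|" and the same for suggestion[]=.
REPORT="${LYNIS_REPORT:-/var/log/lynis-report.dat}"
STATE="${LYNIS_STATE:-/var/lib/lynis-audit/last-findings.txt}"

# Read a report on stdin; print "kind TEST-ID message" for each warning and
# suggestion, sorted by test ID so that two runs can be compared line by line.
findings_from_report() {
    awk -F'|' '/^(warning|suggestion)\[]=/ {
        split($1, kv, "=")                # kv[1]="warning[]", kv[2]=test ID
        kind = kv[1]; sub(/\[]$/, "", kind)
        print kind, kv[2], $2
    }' | sort -k2,2
}

# new_findings PREV CUR: print lines of CUR whose test ID (field 2) is absent
# from PREV. FILENAME is compared instead of NR==FNR so an empty PREV works.
new_findings() {
    awk 'FILENAME == ARGV[1] { seen[$2] = 1; next } !($2 in seen)' "$1" "$2"
}

# Run the audit non-interactively and print what changed since the last run.
run_audit() {
    command -v lynis >/dev/null 2>&1 || { echo "lynis is not installed" >&2; return 1; }
    lynis audit system --quick --cronjob >/dev/null   # --cronjob: no colours/pauses
    mkdir -p "$(dirname "$STATE")"
    [ -f "$STATE" ] || : > "$STATE"
    findings_from_report < "$REPORT" > "$STATE.new"
    echo "New findings since last audit (run 'lynis show details TEST-ID' on each):"
    new_findings "$STATE" "$STATE.new"
    mv "$STATE.new" "$STATE"
}

# Constructed sample report (not real Lynis output) to exercise the parser offline.
SAMPLE_REPORT='os=Linux
warning[]=DBS-1816|MySQL root user has no password|-|-|
suggestion[]=KRNL-5830|Reboot of system is most likely needed|-|reboot|
suggestion[]=AUTH-9286|Configure password aging limits|-|-|'

# Parse the sample; callers get the sorted finding lines on stdout.
demo_findings() { printf '%s\n' "$SAMPLE_REPORT" | findings_from_report; }

# Invoke as "lynis-cron.sh run" from cron; without "run" only the functions load.
if [ "${1:-}" = "run" ]; then run_audit; fi
```

Keeping the state file under /var/lib means a second run on an unchanged host prints an empty list, and any line that does appear is a finding worth looking up with lynis show details.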