Regularly checking your devices or corporate infrastructure is an integral part of securing them. This process is called auditing, where it is necessary to assess, using appropriate criteria, whether the security of the device meets the stated requirements.
In order not to manually evaluate each machine, a script was developed that allows you to automate the OS check. In this article we will consider one of such utilities, which will allow you to assess the security of your device and give an estimate in a few minutes.
What is Lynis?
Lynis is an OS audit or security compliance utility that can be thought of as a system scanner. Its task is to identify the front end OS and perform a profile-based scan and then provide an assessment of how secure the device is.
At the moment the utility is an Open-Source solution, there is a similar commercial version with a large pool of features.
This solution can be found in almost all repositories of popular Linux distributions, so downloading it should not cause any problems. For this purpose we will use any package manager:
sudo apt install lynis -y
Screenshot №2 — Installation
The syntax is quite simple, you need to specify the command to run the lynis utility, additional sub-commands and options to it:
lynis show commands
This command allows you to view a list of available sub-commands that can be executed:
- audit is directly a module for scanning the system, as well as virtual environment vorkers, more specifically Dockerfile.
- configuration command allows you to configure the tests and modes to be used when scanning the profile;
- generate allows you to generate the configs for the service to be brought up as a lynis that will periodically test the system;
- show command allows you to view navigation through the utility, as well as brief information about the device;
- update command allows you to check the software for new versions and in case the current one is outdated it will mark it.
The default set of tests and profiles is sufficient for basic scanning. The main difference from typical scanners is that Lynis first determines what software is currently running, on which OS, etc. And only then starts scanning with modules related to the detected software.
Lynis utility audit
To perform a basic check on pre-prepared modules, the command must be written:
sudo lynis audit system
After OS scanning, profiles are initialised and additional information about where to look for scanning results is displayed. And also from which directory plug-ins will be pulled. This is followed by a detailed report, in order to run it in the background you can use the -q option:
sudo lynis audit system -q
Or if this report is not enough, a more detailed one can be run with the --verbose option:
sudo lynis audit system --verbose
.
The report will show the main categories related to software, file system, shells, etc. For each of them, the survey criteria will be described:
Green indicates requirements that matched the settings on the machine. Yellow indicates changes to improve safety, which will be suggested below. And red indicates a complete mismatch that needs to be corrected. You can also run pentest and forensics scans with the appropriate options:
sudo lynis audit system --pentest
In the results, we will see an assessment of the security of our device in relation to best practices, which will allow us to understand what measures we need to take to protect ourselves.
Each of them will either directly, or with a reference to help, describe how the device should be hardened. But not all settings may fit your tech processes, for example, the maximum number of login attempts is mentioned from 3 to 6. But usually the acceptable value can be 10 quite, so rely on these recommendations more as a hint. Critical issues will be highlighted separately:
In this context, there is a mailer banner sticking out, which gives the version of either the OS or the software itself and allows the attacker to try to find an exploit for it. It also presents a couple of vulnerable packages that can be found from the report and patched.
If you don't have sufficient resources than you can perform actions on powerful cloud servers. Serverspace provides isolated VPS / VDS servers for common and virtualize usage.
Then you can connect to the server via remote control protocols such as SSH and work with the machine!