Thursday, December 5, 2024
HomeVulnerabilityLynis – Open Source Security Auditing & Pentesting Tool - 2023

Lynis – Open Source Security Auditing & Pentesting Tool – 2023

Published on

SIEM as a Service

Lynis is an open-source security auditing tool. Its main goal is to audit and harden Unix and Linux-based systems.

It scans the system by performing many security control checks.

Examples include searching for installed software and determining possible configuration flaws.

- Advertisement - SIEM as a Service

Many tests are part of common security guidelines and standards, with top additional security tests. After the scan, a report will be displayed with all discovered findings.

To provide you with initial guidance, a link is shared with the related Lynis control.

Lynis is one of the most trusted automated auditing tools for software patch management, malware scanning, and vulnerability detecting in Unix/Linux-based systems.

This tool is useful for auditors, network and system administrators, security specialists, and penetration testers.

Intended audience:

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS, and SOX (Sarbanes-Oxley) compliance audits.

Security specialists, Penetration Testers, System auditors, System/network managers, and Security Engineers.

Lynis is compatible with many Operating Systems, such as:

  • AIX
  • Arch Linux
  • BackTrack Linux
  • CentOS
  • Debian, DragonFlyBSD
  • Fedora Core, FreeBSD
  • Gentoo
  • HPUX
  • Kali, Knoppix
  • Linux Mint
  • MacOS X, Mageia, Mandriva
  • NetBSD
  • OpenBSD, OpenSolaris, openSUSE, Oracle Linux
  • PcBSD, PCLinuxOS
  • Red Hat Enterprise Linux (RHEL) and derivatives
  • Sabayon, Scientific Linux, Slackware, Solaris 10, SuSE
  • TrueOS
  • Ubuntu and derivatives

Lynis can also be auditing software such as :

  • Database servers: MySQL, Oracle, PostgreSQL
  • Time daemons: dntpd, ntpd, timed
  • Web servers: Apache, Nginx

Once lynis starts scanning your system, it will perform auditing in a number of categories:

  • System tools: system binaries
  • Boot and services: boot loaders, startup services
  • Kernel: run level, loaded modules, kernel configuration, core dumps
  • Memory and processes: zombie processes, IO waiting processes
  • Users, groups, and authentication: group IDs, sudoers, PAM configuration, password aging, the default mask
  • Shells
  • File systems: mount points, /tmp files, root file system
  • Storage: USB-storage, firewire ohci
  • NFS
  • Software: name services: DNS search domain, BIND
  • Ports and packages: vulnerable/upgradable packages, security repository
  • Networking: nameservers, promiscuous interfaces, connections
  • Printers and spools: cups configuration
  • Software: e-mail and messaging
  • Software: firewalls: iptables, pf
  • Software: webserver: Apache, nginx
  • SSH support: SSH configuration
  • SNMP support
  • Databases: MySQL root password
  • LDAP services
  • Software: php: php options
  • Squid support
  • Logging and files: Syslog daemon, log directories
  • Insecure services: inetd
  • Banners and identification
  • Scheduled tasks: crontab/cronjob, atd
  • Accounting: sysstat data, auditd
  • Time and synchronization: ntp daemon
  • Cryptography: SSL certificate expiration
  • Virtualization
  • Security frameworks: AppArmor, SELinux, security status
  • Software: file integrity
  • Software: malware scanners
  • Home directories: shell history files

How Lynis works:

In this Kali Linux Tutorial, To run it for the first time, it is recommended to use the -c parameter. -c parameter means doing all tests to check the systems. If you want to put the Auditor name, just add the –auditor parameter there. Here’s some

Download and Install the Lynis from GitHub 

git clone https://github.com/CISOfy/lynis

$ cd lynis-2.7.3
# ./lynis

samples output :

Once Installed then Start with Auditor or Pentester name.

# lynis -c –auditor “BALAJI”

Figure 1. Initialize

Lynis – Open source security auditing tool

 

Figure 2. System Tools

Lynis – Open source security auditing tool

Figure 3. Boot & Services and Kernel

Lynis – Open source security auditing tool

Figure 4. Users and Group

Lynis – Open source security auditing tool

Figure 5. Shell and storage

Lynis – Open source security auditing tool

Figure 6. Software, Ports, and Packages

6

Figure 7. Networking and Printer

7

Figure 8. Email, Firewalls, and Web Server

8

Figure 9. SSH, SNMP, and Databases

Lynis – Open source security auditing tool

Figure 10. PHP, Squid Proxy, and Logging

10

Figure 11. Inetd, Banner and Cron

11

Figure 12. Accounting, NTP, and Cryptography

12

Figure 13. Virtualization, Security Frameworks, and File Integrity

13

Figure 14. Malware Scanners, System Tools, and Home directory

14

Figure 15. Kernel Hardening

15

Figure 16. Hardening, Custom Tests, and Result

lynis_16_hardening_customtests_result

Figure 17. Hardening Index

17

Run Lynis with Custom Tests

Your system may not need to run all the tests. If your server not running a web server, you don’t need to test it. For this purpose, we can use –tests parameter. The syntax is :

# lynis –tests “Test-IDs”

there are more than 100 tests that we can do. Here is a list of Lynis Tests-ID.

 

  • FILE-7502 (Check all system binaries)
  • BOOT-5121 (Check for GRUB boot loader presence).
  • BOOT-5139 (Check for LILO boot loader presence)
  • BOOT-5142 (Check SPARC Improved boot loader (SILO))
  • BOOT-5155 (Check for YABOOT boot loader configuration file)
  • BOOT-5159 (Check for OpenBSD i386 boot loader presence)
  • BOOT-5165 (Check for FreeBSD boot services)
  • BOOT-5177 (Check for Linux boot and running services)
  • BOOT-5180 (Check for Linux boot services (Debian style))
  • BOOT-5184 (Check permissions for boot files/scripts)
  • BOOT-5202 (Check uptime of system)
  • KRNL-5677 (Check CPU options and support)
  • KRNL-5695 (Determine Linux kernel version and release number)
  • KRNL-5723 (Determining if Linux kernel is monolithic)
  • KRNL-5726 (Checking Linux loaded kernel modules)
  • KRNL-5728 (Checking Linux kernel config)
  • KRNL-5745 (Checking FreeBSD loaded kernel modules)
  • [04:57:04] Reason to skip: Test not in the list of tests to perform
  • KRNL-5770 (Checking active kernel modules)
  • KRNL-5788 (Checking availability of new kernel)
  • KRNL-5820 (Checking core dumps configuration)

Below is a sample command to run Check uptime of the system and Checking core dumps configuration tests. If you want to add more tests, just add more Test-ID separated by space.

# ./lynis –tests “BOOT-5202 KRNL-5820”

 

111111

 

To get more Tests-IDs, you can find them inside /var/log/lynis.log. Here’s a trick on how to do it.

1. First, we need to run lynis with the -c (check-all) parameter.

# ./lynis -c -Q

2. Then look at the inside /var/log/lynis.log file. Use the cat command and combine it with grep. Let’s say you want to search Test-ID which is related to Kernel. Use the keyword KRNL to find it.

# cat /var/log/lynis.log | grep KRNL

2222

Below is a complete keyword of Test-IDs that are available in Lynis.

BOOT
KRNL (kernel)
PROC (processor)
AUTH (authentication)
SHLL (shell)
FILE
STRG (storage)
NAME (dns)
PKGS (packaging)
NETW (network)
PRNT (printer)
MAIL
FIRE (firewall)
HTTP (webserver)
SSH
SNMP
DBS (database)
PHP
LDAP
SQD (squid proxy)
LOGG (logging)
INSE (insecure services – inetd)
SCHD (scheduling – cron job)
ACCT (accounting)
TIME (time protocol – NTP)
CRYP (cryptography)
VIRT (virtualization)
MACF (AppArmor – SELINUX)
MALW (malware)
HOME
HRDN (hardening)

Run lynis with categories

If you feel that putting a lot of Test-IDs is painful, you can use the –test-category parameter.

With this option, Lynis will run Test-IDs which are included inside a specific category. For example, you want to run Firewall and Kernel tests. Then you can do this :

# ./lynis –tests-category “firewalls kernel”

3333

Run Lynis as Cronjob

Since security needs consistency, you can automate Lynis to run periodically.

Let’s say you want to run it every month to see if there is any improvement since the last Lynis run. To do this, we can run Lynis as a cronjob.

Here’s a sample cronjob to run it every month.

#!/bin/sh

AUDITOR=”automated”
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR=”/var/log/lynis”
REPORT=”$LOG_DIR/report-${HOST}.${DATE}”
DATA=”$LOG_DIR/report-data-${HOST}.${DATE}.txt”

cd /usr/local/lynis
./lynis -c –auditor “${AUDITOR}” –cronjob > ${REPORT}

mv /var/log/lynis-report.dat ${DATA}

# End

Save the script into /etc/cron.monthly/lynis. Don’t forget to add related paths (/usr/local/lynis and /var/log/lynis), otherwise, the script will not work properly.

You can follow us on Linkedin, Twitter, and Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself self-updated

Also, Read

Android vs iOS Development

Most Important Web Server Penetration Testing Checklist

Advanced Computer Hacker Professional Certification Course Bundle

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and...

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and...

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...