Scanning with Lynis

Lynis commands work the same, regardless of which operating system you want to scan. The only difference is that if you're running it from the archive file that you downloaded from the website, you would cd into the lynis directory and precede the lynis commands with ./ (that's because, for security reasons, your own home directory isn't in the PATH setting that allows the shell to automatically find executable files).

To scan your system that has Lynis installed, execute the following command:

sudo lynis audit system

To scan a system that you just downloaded the archive file on, execute the following command:

cd lynis
sudo ./lynis audit system

Running Lynis from the shell script in your home directory presents you with the following message:

donnie@ubuntu:~/lynis$ sudo ./lynis audit system
. . .
[X] Security check failed

Why do I see this error?
-------------------------------
This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script.

. . .

[ Press ENTER to continue, or CTRL+C to cancel ]

This isn't hurting anything, so you can just hit Enter to continue. Alternatively, if seeing this message really bothers you, you can change ownership of the Lynis files to the root user, as the message tells you. For now, I'll just press Enter.

Running a Lynis scan in this manner is similar to running an OpenSCAP scan against a generic security profile. The major difference is that OpenSCAP has an automatic remediation feature, while Lynis doesn't. Lynis tells you what it finds and suggests how to fix what it perceives to be a problem, but it doesn't fix anything for you.

Space doesn't permit me to show the entire scan output, but I can show you a couple of example snippets:

[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ DISABLED ]
- Checking presence GRUB [ OK ]
- Checking presence GRUB2 [ FOUND ]
- Checking for password protection [ WARNING ]
- Check running services (systemctl) [ DONE ]
Result: found 21 running services
- Check enabled services at boot (systemctl) [ DONE ]
Result: found 28 enabled services
- Check startup files (permissions) [ OK ]

This warning message shows that I don't have password protection for my GRUB2 bootloader. That may or may not be a big deal because the only way someone can exploit it is to gain physical access to the machine. If it's a server that's locked away in a room that only a few trusted individuals can access, then I'm not going to worry about it, unless rules from an applicable regulatory agency dictate that I do. If it's a desktop machine that's out in an open cubicle, then I would definitely fix that. (We'll look at GRUB password protection in Chapter 14, Security Tips and Tricks for the Busy Bee.)

In the File systems section, we can see some items with the SUGGESTION flag next to them:

[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Query swap partitions (fstab) [ OK ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Mount options of / [ NON DEFAULT ]

Exactly what Lynis suggests comes near the end of the output:

. . .
. . .

* To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/

* To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/

* To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310]
https://cisofy.com/controls/FILE-6310/
. . .
. . .

The last thing we'll look at is the scan details section at the end of the output:

Lynis security scan details:
Hardening index : 67 [############# ]
Tests performed : 218
Plugins enabled : 0
Components:
- Firewall [V]
- Malware scanner [X]
Lynis Modules:
- Compliance Status [?]
- Security Audit [V]
- Vulnerability Scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat

For Components, there's a red X by Malware Scanner. That's because I don't have ClamAV or maldet installed on this machine, so Lynis couldn't do a virus scan.

For Lynis Modules, we can see a question mark by Compliance Status. That's because this feature is reserved for the Enterprise version of Lynis, which requires a paid subscription. As we saw in the previous chapter, you have OpenSCAP profiles to make a system compliant with several different security standards, and it doesn't cost you anything. With Lynis, you have to pay for the compliance profiles, but you have a wider range to choose from. In addition to the compliance profiles that OpenSCAP offers, Lynis also offers profiles for HIPAA and Sarbanes-Oxley compliance.

If you're based in the United States, you most surely know what HIPAA and Sarbanes-Oxley are and whether they apply to you. If you're not in the United States, then you probably don't need to worry about them.

Having said that, if you work in the healthcare industry, even if you're not in the United States, the HIPAA profile can give you guidance on how to protect private data for patients.
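The Report data file listed under Files in the scan details is a plain key=value file, which makes it straightforward to turn the suggestions into a ticket list or a pass/fail gate for a build pipeline. The following is an added example, not code from the book or from Lynis itself; it assumes the report layout described in the comments (repeated warning[] and suggestion[] entries with pipe-separated fields, hardening_index as a plain number) and reads a constructed sample instead of /var/log/lynis-report.dat.

```python
from collections import defaultdict

# Constructed sample in the key=value layout Lynis writes to
# /var/log/lynis-report.dat (assumed: warning[]/suggestion[] values are
# pipe-separated test id|message|details|solution). BOOT-0000 is a placeholder id.
SAMPLE_REPORT = """\
# Lynis Report
hardening_index=67
warning[]=BOOT-0000|No password set for GRUB bootloader|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separated partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separated partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separated partition|-|-|
"""

def parse_report(text):
    """Return (scalar values, repeated 'key[]' values) from report lines."""
    scalars, lists = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            scalars[key] = value
    return scalars, dict(lists)

def findings(lists, kind):
    """Group warning[] or suggestion[] entries by test id -> [messages]."""
    grouped = defaultdict(list)
    for entry in lists.get(kind, []):
        fields = entry.split("|")
        grouped[fields[0]].append(fields[1] if len(fields) > 1 else "")
    return dict(grouped)

def gate(scalars, lists, minimum_index=70):
    """Pass only if the hardening index meets the bar and no warnings remain."""
    index = int(scalars.get("hardening_index", 0))
    return index >= minimum_index and not lists.get("warning")

if __name__ == "__main__":
    scalars, lists = parse_report(SAMPLE_REPORT)
    print("hardening index:", scalars["hardening_index"])
    for kind in ("warning", "suggestion"):
        for test_id, msgs in findings(lists, kind).items():
            print(f"{kind} {test_id} ({len(msgs)}): https://cisofy.com/controls/{test_id}/")
            for msg in msgs:
                print("   -", msg)
    print("PASS" if gate(scalars, lists) else "FAIL")
```

Pointing parse_report at the real file lets you diff two scans of the same host, which is the simplest way to confirm a fix actually cleared the suggestion.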

The last thing I want to say about Lynis is in regard to the Enterprise version. In the following screenshot, which is from their website, you can see the current pricing and the differences between the different subscription plans:

As you can see, you have choices.

You'll find information about pricing on the following website: https://cisofy.com/pricing/

That pretty much wraps things up as regards our discussion of Lynis. Next, we'll look at an external vulnerability scanner.
