How to scan Linux for vulnerabilities with lynis

Last updated on December 7, 2020 by Dan Nanni

As a system administrator, Linux security technician or system auditor, your responsibility can involve any combination of these: software patch management, malware scanning, file integrity checks, security audit, configuration error checking, etc. If there is an automatic vulnerability scanning tool, it can save you a lot of time checking up on common security issues.

One such vulnerability scanner on Linux is lynis. This tool is open-source (GPLv3), and actually supported on multiple platforms including Linux, FreeBSD, and Mac OS.

Install lynis on Linux

lynis is available as a shell script. To install lynis on Linux, you can download it from the official source as follows.
$ wget https://downloads.cisofy.com/lynis/lynis-3.0.1.tar.gz
$ sudo tar xvfvz lynis-3.0.1.tar.gz -C /opt

Scan for Linux Vulnerability with lynis

To scan your Linux system for any vulnerabilities using lynis, run the following command.

$ cd /opt/lynis
$ sudo ./lynis --check-all -Q

Once lynis starts scanning your system, it will perform auditing in a number of categories:

The screenshot of lynis in action is shown below:

Once scanning is completed, the auditing report of your system is generated and stored in /var/log/lynis.log.

The audit report contains warnings for potential vulnerabilities detected by the tool. For example:

$ sudo grep Warning /var/log/lynis.log
[20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
[20:20:04] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
[20:20:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

The audit report also contains a number of suggestions that can help harden your Linux system. For example:

$ sudo grep Suggestion /var/log/lynis.log
[20:19:41] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
[20:19:41] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
[20:19:41] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
[20:19:41] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
[20:19:42] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
[20:19:42] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
[20:20:03] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]
. . . .

Scan Your System for Vulnerabilities as a Daily Cron Job

To get the most out of lynis, it is recommended to run it on a regular basis, for example, as a daily cron job. When run with --cronjob option, lynis runs in automatic, non-interactive scan mode.

The following is a daily cron job script that runs lynis in automatic mode to audit your system, and archives daily scan reports.

$ sudo vi /etc/cron.daily/scan.sh
#!/bin/sh

AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

cd /opt/lynis
./lynis -c --auditor "${AUDITOR}" --cronjob > ${REPORT}

mv /var/log/lynis-report.dat ${DATA}
$ sudo chmod 755 /etc/cron.daily/scan.sh

Support Xmodulo

This website is made possible by minimal ads and your gracious donation via PayPal or credit card

Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.

Xmodulo © 2021 ‒ AboutWrite for UsFeed ‒ Powered by DigitalOcean