If you run production systems either on the cloud or even on-premise, there is a need for periodic review and auditing of security of the hosts and the infrastructure to meet compliance requirements. Lynis is an open source security auditing tool that can be run on hosts on periodic basis (as a cron job) and provide the necessary reports for compliance. This utility is a good addition to file integrity and IDS solution like OSSEC.
Lynis can be downloaded from - https://cisofy.com/lynis/
or can be obtained from github repository using steps below
1. Clone the repository
*************
$sudo git clone https://github.com/CISOfy/lynis
*************
2. To run the audit, simply cd into the directory and run the audit system command
*************
$cd lynis
$sudo ./lynis audit system -Q
*************
The tool outputs the below files for review later:-
- Test and debug information :
/var/log/lynis.log
- Report data :
/var/log/lynis-report.dat
You can also run the tool as a cron job using --cronjob switch and bash script as detailed in
https://cisofy.com/documentation/lynis/#installation
To check whether you are running the latest version of lynis, you can review the banner of lynis.log
************
[01:59:35] ===---------------------------------------------------------------===
[01:59:35] ### Copyright 2007-2015 - CISOfy, https://cisofy.com ###
[01:59:35] Program version: 2.1.1
[01:59:35] Operating system: Linux
[01:59:35] Operating system name: Red Hat
[01:59:35] Operating system version: Red Hat Enterprise Linux Server release 7.
1 (Maipo)
[01:59:35] Kernel version: 3.10.0
[01:59:35] Kernel version (full): 3.10.0-229.el7.x86_64
[01:59:35] Hardware platform: x86_64
[01:59:35] Hostname: ip-198-162-0-7
[01:59:35] Auditor: [Unknown]
[01:59:35] Profile: ./default.prf
[01:59:35] Log file: /var/log/lynis.log
[01:59:35] Report file: /var/log/lynis-report.dat
[01:59:35] Report version: 1.0
[01:59:35] -----------------------------------------------------
************
Some of the interesting parts of the report are if you are running Apache or Nginx and some kernel parameter recommendations as well
************
[+] Software: webserver
------------------------------------
- Checking Apache (binary /usr/sbin/httpd) [ FOUND ]
AH00557: httpd: apr_sockaddr_info_get() failed for <ip address>
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Info: Configuration file found (/etc/httpd/conf/httpd.conf)
Info: No virtual hosts found
* Loadable modules [ FOUND ]
- Found 100 loadable modules
mod_evasive: anti-DoS/brute force [ NOT FOUND ]
mod_qos: anti-Slowloris [ NOT FOUND ]
mod_spamhaus: anti-spam (spamhaus) [ NOT FOUND ]
ModSecurity: web application firewall [ NOT FOUND ]
- Checking nginx [ NOT FOUND ]
[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- AFICK [ NOT FOUND ]
- AIDE [ NOT FOUND ]
- Osiris [ NOT FOUND ]
- Samhain [ NOT FOUND ]
- Tripwire [ NOT FOUND ]
-
OSSEC (syscheck) [ FOUND ]
- mtree [ NOT FOUND ]
- Checking presence integrity tool [ FOUND ]
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- kernel.core_uses_pid (exp: 1) [ OK ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.kptr_restrict (exp: 1) [ DIFFERENT ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
************