How to use Lynis Linux Security Audit Tool on Ubuntu

Lynis is an open-source security auditing tool that scans a system in depth and reports on the state of its defenses, which makes it useful for compliance testing and system hardening. It is distributed under the GPL (version 3). It supports server hardening guidelines, software patch management and fully automated audits. Note that Lynis does not harden the server by itself: it reports the weaknesses it finds and suggests ways to harden the affected software.

This article shows how to install Lynis from its official package repository and audit system security on Ubuntu 20.04 LTS.

Lynis usage:

lynis command [options]

You can list all available commands with:

$ lynis show commands


Installing Lynis via Package

Lynis can be installed in several ways, but a package manager is the easiest route to both install and later update it. Ubuntu 20.04 ships a lynis package in its own repositories, but it is not the most recent release, so we will use the official Lynis package repository to install the latest one.

The Lynis repository is served over HTTPS. apt on Ubuntu 20.04 speaks HTTPS natively, so apt-transport-https is only a transitional package there, but installing it is harmless and keeps the steps the same on older releases:

$ sudo apt update
$ sudo apt install apt-transport-https

Before adding the repository, import its signing key. wget itself does not need root; only apt-key does.

$ wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -

Two caveats: a key added with apt-key is trusted for every repository on the system, not just this one, and apt-key is deprecated on newer Ubuntu releases. Before trusting the key, compare its fingerprint with the one published on the CISOfy packages page.

If you only need English package descriptions, you can stop apt from downloading translations. This is a system-wide apt setting, not a Lynis one, and saves a little bandwidth on every update:

$ echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations

Now add the Lynis repository to the package sources:

$ echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list

Refresh the package index and install Lynis:

$ sudo apt update
$ sudo apt install lynis

Once the installation completes, check that the latest version was installed:

$ lynis show version
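The steps above work, but apt-key puts the key into the system-wide trust store and is deprecated on newer Ubuntu releases. The script below is an added example (not code from the article or from the Lynis project) that performs the same installation with the key stored in its own keyring under /etc/apt/keyrings and bound to the repository via signed-by, refusing the key unless its fingerprint matches the one you pass in. The keyring and list file names, and the expectation that gpg and wget are installed, are assumptions; the fingerprint to pass comes from the CISOfy packages page and is deliberately not reproduced here.

```shell
#!/bin/sh
# Added example, not from the article or the Lynis project: the same
# repository and key as above, but the key is stored in its own keyring and
# bound to the repository with signed-by= instead of going into the
# system-wide apt-key store (apt-key is deprecated on newer Ubuntu releases,
# and a key added with it can sign any repository). The expected fingerprint
# is an input you take from the CISOfy packages page; none is hard-coded here.
set -eu

KEY_URL=https://packages.cisofy.com/keys/cisofy-software-public.key
REPO_URL=https://packages.cisofy.com/community/lynis/deb/
KEYRING=/etc/apt/keyrings/cisofy-lynis.gpg      # assumed name
LIST=/etc/apt/sources.list.d/cisofy-lynis.list  # assumed name

# The sources.list line, built from the keyring path and repository URL.
sources_entry() {   # usage: sources_entry KEYRING_PATH REPO_URL
    printf 'deb [signed-by=%s] %s stable main\n' "$1" "$2"
}

# Full fingerprints of all keys in a key file (armored or binary), one per
# line, read from gpg's machine-readable "fpr" records.
key_fingerprints() {   # usage: key_fingerprints KEY_FILE
    gpg --batch --with-colons --with-fingerprint --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Download the key, refuse it unless its fingerprint matches, then install
# the keyring, the sources entry and the lynis package.
install_lynis_repo() {   # usage: install_lynis_repo EXPECTED_FINGERPRINT
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    work=$(mktemp -d)
    wget -qO "$work/cisofy.asc" "$KEY_URL"
    if ! key_fingerprints "$work/cisofy.asc" | grep -qx "$expected"; then
        echo "key fingerprint does not match '$expected', not installing" >&2
        key_fingerprints "$work/cisofy.asc" >&2
        rm -rf "$work"
        return 1
    fi
    gpg --batch --dearmor --output "$work/cisofy.gpg" "$work/cisofy.asc"
    sudo install -d -m 0755 /etc/apt/keyrings
    sudo install -m 0644 "$work/cisofy.gpg" "$KEYRING"
    sources_entry "$KEYRING" "$REPO_URL" | sudo tee "$LIST" >/dev/null
    rm -rf "$work"
    sudo apt update
    sudo apt install -y lynis
    lynis show version
}

# Run as:  sh lynis-repo.sh install "<fingerprint from packages.cisofy.com>"
case "${1:-}" in
    install) install_lynis_repo "${2:?expected key fingerprint required}" ;;
esac
```

Because the key is referenced through signed-by= rather than apt-key, apt will only accept it as a signer for this one repository, and a mismatched fingerprint aborts before anything is written under /etc/apt.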

Auditing a Linux System Using Lynis

The following command performs a basic system audit. Root privileges are not strictly required, but an unprivileged run cannot read files that only root can read and skips the tests that depend on them, so the results are incomplete; run it with sudo to get the full audit.

$ sudo lynis audit system

During the audit Lynis runs its tests one after another and streams the results to standard output, grouped into sections such as boot, kernel, file systems, networking and software. All test and debug output is logged to /var/log/lynis.log, and the audit report is written to /var/log/lynis-report.dat; the report contains general information about the system, the installed software, vulnerable packages, and the warnings and suggestions found. Both files are overwritten on each run, so copy the report elsewhere (or pass --report-file with a different path) if you want to keep a history of audits.

In the audit output below, each result is labelled with a keyword such as OK, FOUND, NOT FOUND, SUGGESTION or WARNING. Anything labelled WARNING needs attention and should be fixed following Lynis's advice.

[Figure: system audit output, including the port check]

At the end of the audit output Lynis prints the scan details: the hardening index it computed for the system, the number of tests performed, and other summary data about the scan.

[Figure: Lynis security scan details]

Evaluating Lynis Audit Warnings & Suggestions

The results section lists the warnings, if any. The first line of each entry names the issue together with its test ID; the second line gives the suggested solution, if Lynis has one (otherwise it is omitted); the last line is a URL pointing to guidance on that warning.

[Figure: security warnings]

In the warning shown above no solution is given. You can get more information on a warning by passing its test ID to the following command:

$ sudo lynis show details PKGS-7392

The output shows what the test checked, why it triggered and, at the end, a suggested fix for the warning.

[Figure: detailed output of lynis show details for a warning]

Next comes the suggestions section, which in this run lists 37 suggestions for hardening the system. As with warnings, you can view more information on each suggestion using its test ID.

[Figure: system hardening suggestions]

Create a Custom Lynis Profile

Lynis uses profiles to hold a predefined set of options for an audit. Besides the default profile, it automatically reads /etc/lynis/custom.prf if that file exists, so a custom profile is the place to keep site-specific settings. A test can be excluded by its test ID with the skip-test directive, one line per test (skip-test=TEST-ID). In the example below I created custom.prf with a skip-test line for each test to exclude. Only skip a test whose warning you have reviewed and judged acceptable for this system: skipping it hides the finding from the report, it does not fix the underlying issue.

$ sudo vim /etc/lynis/custom.prf

[Figure: custom.prf with one skip-test line per test ID]

Save the file and run the audit again; two of the previous warnings are now skipped by Lynis.

[Figure: audit result after skipping the two warnings]
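To make the report file described earlier usable from scripts, and to verify that the skip-test entries in custom.prf actually took effect, here is an added example in POSIX shell (not code from the article or from Lynis). It assumes that /var/log/lynis-report.dat consists of key=value lines, with findings stored as pipe-separated warning[]= and suggestion[]= entries whose first two fields are the test ID and the message, and that the profile uses skip-test=TEST-ID lines. The sample report and profile embedded at the bottom are constructed for the example and come from no real audit.

```shell
#!/bin/sh
# Added example: a small POSIX shell helper for /var/log/lynis-report.dat and
# custom.prf. It is not part of Lynis or of the original article. Assumed
# report layout (key=value lines, findings as pipe-separated fields):
#   warning[]=TEST-ID|message|details|solution|
#   suggestion[]=TEST-ID|message|details|solution|
#   hardening_index=NN
# Real use: report_entries /var/log/lynis-report.dat warning
#           skips_still_reported /var/log/lynis-report.dat /etc/lynis/custom.prf

# Print "TEST-ID<TAB>message" for every warning[] or suggestion[] entry.
report_entries() {   # usage: report_entries REPORT_FILE warning|suggestion
    awk -v kind="$2[]=" '
        index($0, kind) == 1 {
            val = substr($0, length(kind) + 1)   # text after "warning[]="
            split(val, f, "|")                   # f[1]=test id, f[2]=message
            print f[1] "\t" f[2]
        }' "$1"
}

# The hardening index Lynis computed for this run (0-100).
report_hardening_index() {   # usage: report_hardening_index REPORT_FILE
    sed -n 's/^hardening_index=//p' "$1"
}

# Test IDs excluded by skip-test= lines in a profile; comments are ignored.
profile_skipped_tests() {   # usage: profile_skipped_tests PROFILE_FILE
    sed -n 's/^[[:space:]]*skip-test=\([A-Z][A-Z0-9]*-[0-9][0-9]*\).*/\1/p' "$1"
}

# Skipped test IDs that still appear as a warning or suggestion in the report.
# After re-running the audit this should print nothing; any output means the
# profile was not picked up (wrong path, typo in the ID, or another --profile).
skips_still_reported() {   # usage: skips_still_reported REPORT_FILE PROFILE_FILE
    found=$( { report_entries "$1" warning; report_entries "$1" suggestion; } | cut -f1 )
    for id in $(profile_skipped_tests "$2"); do
        if echo "$found" | grep -qx "$id"; then
            echo "$id"
        fi
    done
}

# For each remaining warning, show what Lynis has to say about it (needs lynis).
explain_warnings() {   # usage: explain_warnings REPORT_FILE
    report_entries "$1" warning | cut -f1 | while read -r id; do
        sudo lynis show details "$id"
    done
}

# ---- constructed sample data (not a real audit) so this runs offline ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_REPORT="$SAMPLE_DIR/lynis-report.dat"
SAMPLE_PROFILE="$SAMPLE_DIR/custom.prf"

cat > "$SAMPLE_REPORT" <<'EOF'
# Lynis Report (constructed sample, taken from no real system)
report_version_major=1
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
warning[]=NETW-2705|Nameserver in /etc/resolv.conf is pointing to a non-responsive server|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separate partition|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
hardening_index=65
EOF

cat > "$SAMPLE_PROFILE" <<'EOF'
# Constructed custom.prf: one skip-test line per test ID
skip-test=PKGS-7392
skip-test=FILE-6310
EOF

echo "hardening index: $(report_hardening_index "$SAMPLE_REPORT")"
echo "warnings:";    report_entries "$SAMPLE_REPORT" warning
echo "suggestions:"; report_entries "$SAMPLE_REPORT" suggestion
echo "skipped tests still reported (profile not applied yet):"
skips_still_reported "$SAMPLE_REPORT" "$SAMPLE_PROFILE"
```

On a real system, run skips_still_reported /var/log/lynis-report.dat /etc/lynis/custom.prf after re-auditing: empty output means every skipped test has disappeared from the report, while any ID printed is one Lynis still evaluated, which usually means the profile was not loaded or the ID is misspelled. explain_warnings loops the remaining warnings through lynis show details so you can review each one the way the previous section did by hand.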

Conclusion

In this article we installed Lynis, audited the system, reviewed the details behind each warning and looked at the suggestions for hardening the system. The official Lynis site has further documentation. Thank you for reading.