Objective
Install Lynis and use it to scan for vulnerabilities.

Distributions
Lynis is available for most major distributions.

Requirements
A working Linux install with root privileges.

- # - requires given linux commands to be executed with root privileges either directly as a root user or by use of
- $ - requires given linux commands to be executed as a regular non-privileged user

Introduction
Lynis is a tool for performing an automated audit of your system. It's not a virus scanner or an antivirus. Instead, it checks certain criteria on your system to see how it's configured. By evaluating the system configuration, Lynis can give you an idea what areas are reasonably secure, and which ones need additional hardening.

Install Lynis
Lynis is packaged for just about every distribution. It's fairly simple to get installed.

Ubuntu 17.10/Debian Testing and Sid
Ubuntu Artful and the testing releases of Debian have the latest version already available. Just install it.
$ sudo apt install lynis

Ubuntu 16.04/Debian Stable
Debian Stable and Ubuntu 16.04 both have Lynis in their repositories, but it's old. To install the latest version, add the repository from the Lynis developers. First, import the repository's signing key.
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
Add Apt transport over HTTPS.
$ sudo apt install apt-transport-https
Create a file at /etc/apt/sources.list.d/lynis.list. Add in the following line.
Ubuntu 16.04
deb https://packages.cisofy.com/community/lynis/deb/ xenial main
Debian Stretch
deb https://packages.cisofy.com/community/lynis/deb/ stretch main
Then, update and install Lynis.
$ sudo apt update
$ sudo apt install lynis

CentOS/RHEL and Fedora
First, install all of the dependencies. Where a command reads yum/dnf, use whichever of the two your release provides.
# yum/dnf install ca-certificates curl nss openssl
Next, create a file at /etc/yum.repos.d/lynis.repo. Place the following configuration in the file.
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
Update and install Lynis.
# yum/dnf update
# yum/dnf install lynis

Scan
Scanning with Lynis is very simple. You really just tell Lynis to audit the system, and it runs with it.
# lynis audit system
Lynis will run through and scan your system. As it runs, it prints its results in the terminal. For a more detailed scan, you can tell Lynis to check the entire system with the -c flag.
# lynis audit system -c
The report that Lynis generates might be a little confusing at first. The entire report is broken down into sections. The sections break down potential vulnerabilities by service or logical grouping to make the report easier to read.
Next, the results use a color code from green to red to denote the severity of the issue. The results will also tell you the basic status of different things. The results are usually basic, and let you know if something is present or on.
Ultimately, it's up to you to determine whether the results of the report concern you or not. The purpose is to make you aware of potential issues. It's your call on whether or not to act.
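
To help with that triage, the following is an added example, not part of the original article or of Lynis itself. It assumes Lynis also wrote its machine-readable report data file (by default /var/log/lynis-report.dat when run as root), whose lines are key=value pairs with findings stored as pipe-separated fields. The function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example: triage a Lynis report data file (key=value lines).
# Assumption: Lynis run as root writes it to /var/log/lynis-report.dat.

# Print the hardening index and the number of warnings and suggestions.
lynis_counts() {
    awk -F= '
        $1 == "hardening_index" { idx = $2 }
        $1 == "warning[]"       { w++ }
        $1 == "suggestion[]"    { s++ }
        END { printf "index=%s warnings=%d suggestions=%d\n",
                     (idx == "" ? "unknown" : idx), w, s }
    ' "$1"
}

# List findings of one kind (warning or suggestion) as "TEST-ID: message".
lynis_findings() {
    awk -v key="${1}[]=" '
        index($0, key) == 1 {
            split(substr($0, length(key) + 1), f, "|")
            printf "%s: %s\n", f[1], f[2]
        }
    ' "$2"
}

# Constructed sample data, not taken from a real host.
write_sample() {
    cat > "$1" <<'EOF'
# Lynis Report
hardening_index=63
warning[]=AUTH-9308|No password set for single mode|-|-|
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
EOF
}

# Use the report given as $1 if readable, else the constructed sample.
if [ -r "${1:-}" ]; then
    report=$1
else
    report=$(mktemp) && write_sample "$report"
fi
lynis_counts "$report"
lynis_findings warning "$report"
lynis_findings suggestion "$report"
```

Pass the path to a real report file as the first argument to summarize an actual scan; warnings are the findings to review first, and the test ID in front of each message identifies the check that raised it.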