How to Install Lynis (Linux Auditing Tool) in CentOS
Lynis is a powerful open source auditing tool for Unix-like operating systems. It scans the system for security information, general system information, installed software and available information, configuration mistakes, security issues, user accounts without a password, wrong file permissions, firewall auditing and so forth.
Understanding Lynis
Lynis performs individual tests to help secure your Linux system. To produce the test report, it goes through the following steps –
Determine operating system
Search for available tools and utilities
Check for Lynis update
Run tests from enabled plugins
Run security tests per category
Report status of security scan
During the tests, all scan details are stored in a log file, and all warnings and errors are stored in a report file.
Installing Lynis
To install Lynis, use the following command –
# yum install lynis
Sample output should be like this –
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00
elrepo | 2.9 kB 00:00
epel/x86_64/metalink | 3.2 kB 00:00
epel | 4.3 kB 00:00
extras | 3.4 kB 00:00
google-chrome | 951 B 00:00
updates | 3.4 kB 00:00
(1/2): epel/x86_64/updateinfo | 501 kB 00:02
(2/2): epel/x86_64/primary_db | 3.9 MB 00:02
Loading mirror speeds from cached hostfile
* base: ftp.iitm.ac.in
* elrepo: mirrors.ircam.fr
* epel: mirrors.hustunique.com
* extras: ftp.iitm.ac.in
* updates: ftp.iitm.ac.in
Resolving Dependencies
--> Running transaction check
---> Package lynis.noarch 0:2.1.0-1.el7 will be installed
.......
Note that Lynis needs root privileges to run.
Run Lynis Commands
Before running Lynis, you should know the following parameters –
--checkall or -c − Starts scanning
--check-update − Checks for a Lynis update
--cronjob − Runs Lynis as a cron job (includes -c -Q)
--help or -h − Shows valid parameters
--quick or -Q − Don't wait for user input, except on errors
--version or -V − Shows the Lynis version
To run Lynis, use the following command –
# lynis -c --auditor "tutorialspoint"
Using the -c parameter is recommended; it runs all tests to check the system. If you want to record the auditor name, add the --auditor parameter.
In the above example, tutorialspoint is an auditor name. The sample output of the above command should be as below –
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
---------------------------------------------------
Program version: 2.1.0
Operating system: Linux
Operating system name: CentOS
Operating system version: CentOS Linux release 7.2.1511 (Core)
Kernel version: 3.10.0
Hardware platform: x86_64
Hostname: linux
Auditor: “tutorialspoint”
Profile: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/share/lynis/plugins
---------------------------------------------------
- Checking profile file (/etc/lynis/default.prf)...
- Program update status... [ UPDATE AVAILABLE ]
.......
The above output shows Lynis initializing.
[+] Users, Groups and Authentication
------------------------------------
- Search administrator accounts [ OK ]
- Checking for non-unique UIDs [ OK ]
- Checking consistency of group files (grpck) [ OK ]
- Checking non unique group ID's [ OK ]
- Checking non unique group names [ OK ]
- Checking password file consistency [ OK ]
- Query system users (non daemons) [ DONE ]
- Checking NIS+ authentication support [ NOT ENABLED ]
- Checking NIS authentication support [ NOT ENABLED ]
- Checking sudoers file [ FOUND ]
- Check sudoers file permissions [ OK ]
- Checking PAM password strength tools [ OK ]
- Checking PAM configuration file (pam.conf) [ NOT FOUND ]
- Checking PAM configuration files (pam.d) [ FOUND ]
- Checking PAM modules [ FOUND ]
- Checking user password aging [ DISABLED ]
- Checking Linux single user mode authentication [ WARNING ]
- Determining default umask
- Checking umask (/etc/profile) [ SUGGESTION ]
- Checking umask (/etc/login.defs) [ OK ]
- Checking umask (/etc/init.d/functions) [ SUGGESTION ]
- Checking LDAP authentication support [ NOT ENABLED ]
......
The above output shows the Users, Groups and Authentication checks.
[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ OK ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ OK ]
- Checking LVM volume groups [ FOUND ]
- Checking LVM volumes [ FOUND ]
- Querying FFS/UFS mount points (fstab) [ NONE ]
- Query swap partitions (fstab) [ OK ]
- Testing swap partitions [ WARNING ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- ACL support root file system [ DISABLED ]
- Checking Locate database [ FOUND ]
........
The above output shows the file system checks.
[+] Ports and packages
------------------------------------
- Searching package managers
- Searching RPM package manager [ FOUND ]
- Querying RPM package manager
- Checking YUM package management consistency [ OK ]
- Checking package database duplicates [ OK ]
- Checking package database for problems [ OK ]
- Checking missing security packages [ OK ]
- Checking GPG checks (yum.conf) [ OK ]
- Checking package audit tool [ INSTALLED ]
Found: yum-security
.......
The above output shows the ports and packages checks for the Linux system.
[+] Networking
------------------------------------
- Checking configured nameservers
- Testing nameservers
Nameserver: 192.168.1.1 [ OK ]
- Minimal of 2 responsive nameservers [ WARNING ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
* Found 22 ports
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client
.....
The above output shows the networking checks.
[+] Printers and Spools
------------------------------------
- Checking cups daemon [ RUNNING ]
- Checking CUPS configuration file [ OK ]
- File permissions [ OK ]
- Checking CUPS addresses/sockets [ FOUND ]
- Checking lp daemon
......
The above output shows the printers and spools checks.
Creating Lynis Cronjobs
To create a daily scan of the system, use the following command –
# crontab -e
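Add the following cron job in the editor that crontab -e opens. Entries in root's own crontab already run as root, so the line has no user field; a user field belongs only in /etc/crontab and /etc/cron.d files. With the --cronjob option, all the special characters will be left out of the output and the scan will run automatically.
30 22 * * * /path/to/lynis -c -Q --auditor "automated" --cronjob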
The above example cron job runs daily at 10:30 PM and creates a daily report under the /var/log/lynis.log file.
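Once the scan runs unattended, the warnings it stores in the report file need to be read by something. The script below is an added example, not part of the original tutorial or of Lynis itself: it lists and counts warnings and suggestions in a report file and can fail a job when there are too many warnings. It assumes findings appear as lines starting with warning[]= or suggestion[]= whose pipe-separated value begins with the test ID followed by the description; check this against a report from your own Lynis version. The function names and the sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise a Lynis report file after a scheduled scan.
# Assumed report format: findings are lines "warning[]=..." / "suggestion[]=..."
# whose value is pipe-separated, test ID first, description second.

# lynis_findings KIND FILE -> one "TEST-ID<TAB>description" line per finding
lynis_findings() {
    awk -v key="${1}[]=" 'index($0, key) == 1 {
        n = split(substr($0, length(key) + 1), f, "|")
        printf "%s\t%s\n", f[1], (n > 1 ? f[2] : "")
    }' "$2"
}

# lynis_count KIND FILE -> number of findings of that kind
lynis_count() {
    lynis_findings "$1" "$2" | wc -l | tr -d ' '
}

# lynis_gate FILE MAX -> succeeds only if the warning count is <= MAX
lynis_gate() {
    [ "$(lynis_count warning "$1")" -le "$2" ]
}

# Constructed sample report (placeholder test IDs, not real Lynis IDs)
write_sample_report() {
    cat > "$1" <<'EOF'
# Lynis Report
hostname=linux
auditor=automated
warning[]=SAMPLE-0001|No password set for single user mode|-|-|
suggestion[]=SAMPLE-0002|Default umask in /etc/profile could be stricter|-|-|
warning[]=SAMPLE-0003|Swap partition test failed|-|-|
suggestion[]=SAMPLE-0004|Place /tmp on a separate partition|-|-|
note=warning[]=mentioned mid-line, must not be counted
EOF
}

# Usage: sh lynis-summary.sh [report-file]; without an argument the
# constructed sample is summarised instead of a real report.
report=${1:-}
if [ -z "$report" ]; then
    report=$(mktemp) && write_sample_report "$report"
    trap 'rm -f "$report"' EXIT
fi
echo "warnings: $(lynis_count warning "$report"), suggestions: $(lynis_count suggestion "$report")"
lynis_findings warning "$report"
lynis_gate "$report" 0 || echo "warning threshold exceeded"
```

On the system from this tutorial the script would be pointed at /var/log/lynis-report.dat, the report file shown in the initialization output.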
Updating Lynis
To update Lynis, use the following command –
# lynis --check-update
Congratulations! Now you know “How to Install Lynis (Linux Auditing Tool) in CentOS”. We’ll learn more about these types of commands in our next Linux post. Keep reading!