Security auditing your Linux OS with Lynis

System hardening is a hard (hah!) thing to do: every freshly installed system ships with plenty of weak spots that can compromise its security, from an SSH daemon exposed to brute-force attacks to weak passwords and plain misconfigurations. Keeping track of every one of them by hand is a difficult job, unless we use a tool like Lynis.

Table of contents
Introduction: What is hardening?
What is Lynis?
Downloading and running our first test
Fixing our vulnerabilities
Testing our system after fixing it
Final thoughts
Resources

Introduction: What is hardening?

Systems hardening is the process of securing a computer system or network by reducing its vulnerabilities and minimizing potential attack surfaces. The goal of systems hardening is to improve the overall security of a system, making it more resistant to various cyber threats and attacks. This involves configuring and managing the hardware, software, and network components in a way that minimizes security risks.

Lynis does not do the hardening for us, but it makes the first step easy: finding out what is weak and what to change.

What is Lynis?

Lynis is an open-source security auditing tool for Linux, macOS and other Unix-based systems. It runs a series of tests on the system and its configuration (kernel, boot, authentication, services, file permissions and so on), then reports a hardening index, a score from 0 to 100, that reflects how many of its checks passed.

Lynis first scan

Alongside the score it lists warnings and suggestions, each tagged with the ID of the test that produced it, so you can look up what to change to improve it further.

Let’s give it a try! First, we will download Lynis, run a first audit, follow its recommendations, and then run another audit to see whether our hardening index improved.

Downloading and running our first test

First, we will clone the GitHub repo:

git clone https://github.com/CISOfy/lynis.git

Then, we will move into the lynis folder and run our first test. Run it as root (through sudo): an unprivileged run skips many tests, so its score is not comparable with later runs. If Lynis refuses to start because the checkout is owned by your user rather than root, follow its own message and chown the directory to root first:

./lynis audit system --quick

We ran our test on a fresh Ubuntu Server 22.04.3 LTS install where the only thing done so far was sudo apt update && sudo apt upgrade -y, so no configuration or hardening has been applied to it yet.

Lynis scan starting

After a minute or two, we get a hardening index and a list of warnings and suggestions about how to improve it.

Lynis first scan

As you can see, our score is only 63/100. That’s too low; we need to pump those numbers up. If we scroll up, or read the newly created /var/log/lynis-report.dat report file (the detailed test log is /var/log/lynis.log), we get the warnings and suggestions together with the test ID each one belongs to, and lynis show details TEST-ID prints what a given test looked at, which is what we need to know to fix them.
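The run described above, done the way a baseline should be taken, as an added example that is not part of the original post: the checkout is handed to root (Lynis refuses to run as root from files owned by another user), the audit runs non-interactively, and a copy of the report is kept for later comparison. The parsing functions read the key=value format of /var/log/lynis-report.dat; the sample report they are tried on below is constructed for this example, trimmed to a handful of keys.

```shell
#!/bin/sh
# Added example, not from the original post: take the first audit as a
# baseline (root, root-owned checkout, report saved aside) and read the
# results back out of /var/log/lynis-report.dat. run_lynis_baseline needs a
# real host; the parsing functions are exercised on a constructed report.

# Lynis refuses to run as root from files owned by another user, so hand the
# checkout to root first, run the quick (non-interactive) audit and keep the
# report so the second run can be compared against it.
run_lynis_baseline() {
    sudo chown -R 0:0 ./lynis
    (cd lynis && sudo ./lynis audit system --quick)
    sudo cp /var/log/lynis-report.dat "$HOME/lynis-baseline.dat"
    sudo chown "$(id -u)" "$HOME/lynis-baseline.dat"
}

# Hardening index (0-100) of a report file.
lynis_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# "TEST-ID: text" for every suggestion[] line of a report. Lines look like
#   suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
# and one test can contribute several lines, so identical ones are collapsed.
lynis_suggestions() {
    sed -n 's/^suggestion\[\]=\([^|]*\)|\([^|]*\)|.*/\1: \2/p' "$1" | sort -u
}

# Same for warning[] lines.
lynis_warnings() {
    sed -n 's/^warning\[\]=\([^|]*\)|\([^|]*\)|.*/\1: \2/p' "$1" | sort -u
}

# Constructed sample report (a real one has hundreds of keys) so the
# functions can be tried without running Lynis.
SAMPLE_REPORT="$(mktemp)"
cat > "$SAMPLE_REPORT" <<'EOF'
# Lynis Report
hardening_index=63
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=PKGS-7394|Install package apt-show-versions for patch management purposes|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
EOF

# On a real host, after run_lynis_baseline:
#   lynis_index "$HOME/lynis-baseline.dat"
#   lynis_warnings "$HOME/lynis-baseline.dat"; lynis_suggestions "$HOME/lynis-baseline.dat"
```

Warnings are the findings Lynis considers more serious than suggestions, so they are the ones to read first; the suggestion list is what drives the score.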

Lynis warnings and suggestions

Fixing our vulnerabilities

So, let’s fix them!

Let’s pick a few misconfigurations and fix them. For example, test SSH-7408 tells us which sshd settings to tighten, as a list of "set X to Y" pairs, to reduce the exposure of the SSH daemon:

Lynis SSH suggestions

Let’s edit /etc/ssh/sshd_config (or, cleaner on Ubuntu 22.04, a drop-in file under /etc/ssh/sshd_config.d/, which the main file includes) with the values Lynis suggests:

Fixing  /etc/ssh/sshd_config
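One way to make that change verifiable, as an added example that is not part of the original post: a checker that compares the daemon's effective settings (the "key value" lines sshd -T prints) with a target list, and a writer that puts the same targets in a drop-in file. The target values are this example's assumption of what SSH-7408 asks for on a stock Ubuntu 22.04 install; use the pairs from your own Lynis output if they differ. The sample sshd -T output is constructed here.

```shell
#!/bin/sh
# Added example, not from the original post. Lynis test SSH-7408 compares the
# daemon's effective settings (what `sshd -T` prints) against stricter values.
# SSH_TARGETS is this example's assumption of that list for a stock Ubuntu
# 22.04 install; replace it with the "set X to Y" pairs from your own report.

# key=value pairs to enforce. sshd keywords are case-insensitive, so the
# lowercase keys are valid in sshd_config as well. permitrootlogin=no also
# blocks key-based root logins; Ubuntu ships "without-password" (key only),
# which is the middle ground if root keys are how you administer the box.
SSH_TARGETS="allowtcpforwarding=no
allowagentforwarding=no
clientalivecountmax=2
compression=no
loglevel=VERBOSE
maxauthtries=3
maxsessions=2
tcpkeepalive=no
x11forwarding=no
permitrootlogin=no"

# Print "key current -> wanted" for every setting in CONF (a file in
# `sshd -T` format: lowercase key, space, value) that differs from the
# target, comparing case-insensitively. Empty output means compliant.
ssh_check() {
    conf="$1"
    printf '%s\n' "$SSH_TARGETS" | while IFS='=' read -r key want; do
        have=$(awk -v k="$key" 'tolower($1)==k {print $2; exit}' "$conf")
        [ -n "$have" ] || have="(unset)"
        if [ "$(printf '%s' "$have" | tr '[:upper:]' '[:lower:]')" != \
             "$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')" ]; then
            printf '%s %s -> %s\n' "$key" "$have" "$want"
        fi
    done
}

# Write the targets to a drop-in file. Ubuntu 22.04's sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the first value it
# sees for a keyword, so the drop-in wins without editing the main file.
ssh_write_dropin() {
    {
        echo "# SSH-7408 hardening, see the Lynis report"
        printf '%s\n' "$SSH_TARGETS" | tr '=' ' '
    } > "$1"
}

# Constructed sample in `sshd -T` format with the defaults this example
# assumes for a stock Ubuntu 22.04 sshd (check your own `sshd -T` output).
SAMPLE_SSHD_T="$(mktemp)"
cat > "$SAMPLE_SSHD_T" <<'EOF'
port 22
allowtcpforwarding yes
allowagentforwarding yes
clientalivecountmax 3
compression yes
loglevel INFO
maxauthtries 6
maxsessions 10
tcpkeepalive yes
x11forwarding yes
permitrootlogin without-password
EOF

# Real use (as root, not run here): write the drop-in, syntax-check, restart,
# then verify the effective configuration rather than the file you edited.
#   ssh_write_dropin /etc/ssh/sshd_config.d/60-lynis.conf
#   sshd -t && systemctl restart ssh
#   sshd -T > /tmp/effective.conf && ssh_check /tmp/effective.conf
```

Keep the SSH session you are working in open until a second login succeeds with the new settings: MaxSessions 2 and AllowTcpForwarding no in particular break workflows (multiplexed connections, port forwarding) that people rely on, and the score does not know that.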

Nice. That will raise our hardening index. But, as we remember, there were other findings:

Lynis package suggestion

This is an easy one, but note what it actually does. apt-show-versions lists the installed packages next to the versions available in the configured repositories, and Lynis (test PKGS-7394) uses it to check for pending updates. Installing it does not change the system’s exposure by itself; it makes the patch status auditable, which is what the score rewards. The real security work is still applying the updates it reports (apt-show-versions -u lists the upgradeable ones).

Let’s go for another one:

Lynis password's age suggestions

It seems we have neither a minimum nor a maximum password age. Without a maximum, users can keep the same password for years, so a compromised password stays valid indefinitely; without a minimum, a user forced to change a password can immediately change it back. One caveat: current guidance such as NIST SP 800-63B recommends forcing a change only on evidence of compromise, so treat the maximum as a policy choice, knowing that Lynis will still flag an unset one. Let’s also make the default umask (the permissions newly created files get) stricter.

Let’s fix this by setting a minimum and maximum password age, and a stricter UMASK, in the /etc/login.defs file. Keep in mind that login.defs only applies to accounts created afterwards; existing users keep their ageing fields in /etc/shadow and need chage:

Fixing minimum and maximum password age errors in /etc/login.defs
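The login.defs edit done in a repeatable way, as an added example that is not part of the original post: each key is replaced in place rather than appended, so running it twice does not leave duplicate lines. The limits (1 day minimum, 365 days maximum, umask 027) are this example's choice, not values Lynis prescribes; the sample login.defs excerpt is constructed here with the defaults the example assumes for Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original post: apply the login.defs changes
# Lynis asks for (AUTH-9286 password ageing, AUTH-9328 default umask)
# idempotently, replacing the active line instead of appending a duplicate.
# The values are this example's choice, not a Lynis requirement: 1 day
# minimum, 365 days maximum, umask 027 (group may read new files, others get
# nothing).

# Active (uncommented) value of KEY in FILE; empty if not set.
login_def_get() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Set KEY to VALUE in FILE, replacing an existing active line or appending.
# The rewrite goes through a temp file and back into the original so the
# file keeps its mode and inode.
login_def_set() {
    f="$1" k="$2" v="$3"
    if grep -q "^${k}[[:space:]]" "$f"; then
        sed "s/^${k}[[:space:]].*/${k} ${v}/" "$f" > "$f.tmp" \
            && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    else
        printf '%s %s\n' "$k" "$v" >> "$f"
    fi
}

# Apply the policy to FILE (default /etc/login.defs; needs root there).
harden_login_defs() {
    target="${1:-/etc/login.defs}"
    login_def_set "$target" PASS_MIN_DAYS 1
    login_def_set "$target" PASS_MAX_DAYS 365
    login_def_set "$target" UMASK 027
}

# Constructed excerpt of a stock /etc/login.defs (defaults as assumed by this
# example) to try the functions on without touching the real file.
SAMPLE_LOGIN_DEFS="$(mktemp)"
cat > "$SAMPLE_LOGIN_DEFS" <<'EOF'
# /etc/login.defs (excerpt)
#PASS_MIN_DAYS   3
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           022
EOF

# login.defs only affects accounts created from now on. Existing users keep
# their current ageing fields in /etc/shadow, so give them the same limits
# explicitly and check the result (not run here):
#   sudo chage --mindays 1 --maxdays 365 alice && chage -l alice
```

UMASK in login.defs is the default for login sessions; services started by systemd and users with a umask set in their shell profile are not covered by it, so check the umask where files are actually created before assuming the tightened default applies.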

That would do it!

Testing our system after fixing it

We have hardened our SSH daemon, installed a package, improved the password ageing controls and tightened the default umask.

Could this have improved our starting 63/100 score?

Lynis final text

It did! The hardening index went up by 10 points with just 5 minutes of hard work.
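A re-audit is only half a check unless you see which findings went away, so here is the comparison as an added example that is not part of the original post: it takes the saved baseline report and the new /var/log/lynis-report.dat, prints the index change, and lists the test IDs that were resolved and the ones that appeared. Both reports below are constructed for this example; the numbers mirror the post's 63 to 73.

```shell
#!/bin/sh
# Added example, not from the original post: compare the baseline report with
# the one from the re-run. Both files use the /var/log/lynis-report.dat
# format: hardening_index=N plus suggestion[]=TEST-ID|text|details|solution|.

# Sorted, unique test IDs that still carry a suggestion in a report.
suggestion_ids() {
    sed -n 's/^suggestion\[\]=\([^|]*\)|.*/\1/p' "$1" | sort -u
}

# Difference in hardening index between BEFORE and AFTER.
index_delta() {
    b=$(sed -n 's/^hardening_index=//p' "$1")
    a=$(sed -n 's/^hardening_index=//p' "$2")
    echo $((a - b))
}

# comm over the two ID lists; "$1" is the comm flag selecting which side.
id_diff() {
    t1=$(mktemp); t2=$(mktemp)
    suggestion_ids "$2" > "$t1"; suggestion_ids "$3" > "$t2"
    comm "$1" "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# IDs present in BEFORE but gone in AFTER: what the fixes actually cleared.
resolved_ids() { id_diff -23 "$1" "$2"; }

# IDs only in AFTER: new findings, or tests that only run once an earlier
# one passes, so a re-audit can add work as well as remove it.
new_ids() { id_diff -13 "$1" "$2"; }

compare_reports() {
    b=$(sed -n 's/^hardening_index=//p' "$1")
    a=$(sed -n 's/^hardening_index=//p' "$2")
    echo "hardening index: $b -> $a ($(index_delta "$1" "$2"))"
    echo "resolved: $(resolved_ids "$1" "$2" | tr '\n' ' ')"
    echo "new:      $(new_ids "$1" "$2" | tr '\n' ' ')"
}

# Constructed before/after reports, trimmed to the keys used here.
BEFORE="$(mktemp)"; AFTER="$(mktemp)"
cat > "$BEFORE" <<'EOF'
hardening_index=63
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=PKGS-7394|Install package apt-show-versions for patch management purposes|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separate partition|-|-|
EOF
cat > "$AFTER" <<'EOF'
hardening_index=73
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separate partition|-|-|
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
EOF

# On a real host, with the baseline saved after the first run:
#   compare_reports "$HOME/lynis-baseline.dat" /var/log/lynis-report.dat
```

The "new" list is worth a look every time: a finding that appears only after another one is fixed is not a regression, but it is the next thing on the list.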

Yes, there is still work to do (or less work, if you script the hardening steps), but our computer is now measurably better hardened. Keep in mind that the index counts how many of Lynis’s checks pass, not how exploitable the host is: a high score with an unpatched, exposed service is still a weak machine, so read the warnings, not just the number.

Final thoughts

Lynis and systems hardening are crucial elements in improving cybersecurity. Lynis, as a security auditing tool, identifies weak spots and misconfigurations and offers concrete recommendations; fixing them is our job. By running Lynis audits regularly (after updates, after configuration changes, before exposing a new service) we can catch regressions before someone else does.

Working through its findings minimizes a system’s attack surface, removing common security weaknesses and known-bad defaults, improving the overall security of your operating system, and reducing the risk of a breach.

And, as you saw, it is pretty addicting, as you want to keep increasing your score more and more!

Resources

GitHub: Lynis (https://github.com/CISOfy/lynis)

GitHub: Hardening

Linux File System