System hardening is a hard (hah!) thing to do: every computer has loads of weak points that can compromise our security, from services exposed to SSH brute-force attacks to weak passwords and plain misconfigurations. Keeping track of each potential weakness by hand is difficult, unless we use a tool like Lynis.
Table of contents
Introduction: What is hardening?
What is Lynis?
Downloading and running our first test
Fixing our vulnerabilities
Testing our system after fixing it
Final thoughts
Resources
Introduction: What is hardening?
Systems hardening is the process of securing a computer system or network by reducing its vulnerabilities and minimizing potential attack surfaces. The goal of systems hardening is to improve the overall security of a system, making it more resistant to various cyber threats and attacks. This involves configuring and managing the hardware, software, and network components in a way that minimizes security risks.
And Lynis makes it much easier to know where to start.
What is Lynis?
Lynis is an open-source security auditing tool for Unix-based systems. It runs a series of tests against your system and its configuration, then gives you a hardening index (a score from 0 to 100) that reflects how hardened the system is.
It also gives you a list of warnings and suggestions to improve that score further. Keep in mind that Lynis only audits: applying the fixes is up to you.
Let’s give it a try! First, we will download Lynis, run a first test, follow its recommendations, and then run another test to see if our hardening index improved.
Downloading and running our first test
First, we will clone the GitHub repo:
git clone https://github.com/CISOfy/lynis.git
Then, we will move into the lynis folder and run our first test. Run it as root (with sudo) so that every test can execute: as a normal user, Lynis skips checks that need privileged access and writes its log and report to your home directory instead of /var/log.
./lynis audit system --quick
We ran our test on a new Ubuntu Server 22.04.3 LTS machine. It is a fresh install where we only ran sudo apt update && sudo apt upgrade -y, so no configuration or hardening has been applied to it yet.
After a minute or two, we get a hardening index and a list of suggestions about how to improve it.
As you can see, our score is only 63/100. That’s too low! We need to pump those numbers up. If we scroll up, or read the newly created /var/log/lynis-report.dat report file (the human-readable log is /var/log/lynis.log), we find the suggestions and tips about how to fix each finding.
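Reading the suggestions back out of the report file is handy when you want to track findings over time or feed them into a ticket. The script below is an added example (it is not code from the post or from the Lynis project): it pulls the hardening index and the suggestion list out of a lynis-report.dat file. Lynis writes that file as key=value lines, with suggestions of the form suggestion[]=TEST-ID|text|details|-|. The sample report embedded in the script is constructed for this example; the test IDs in it other than SSH-7408 are illustrative.

```shell
#!/bin/sh
# Added example (not from the post, not Lynis code): read the hardening index
# and the suggestion list straight out of lynis-report.dat. Lynis writes the
# report as key=value lines; suggestions look like
#   suggestion[]=TEST-ID|text|details|-|
# The sample report below is constructed for this example.

make_sample_report() {
  cat <<'EOF'
# Lynis Report (constructed sample)
report_version_major=1
hostname=ubuntu-fresh
os_name=Linux
hardening_index=63
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=PKGS-7394|Install package apt-show-versions for patch management purposes|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|-|-|
EOF
}

# Hardening index (0-100) as written by Lynis.
report_index() {  # file
  awk -F= '$1 == "hardening_index" { print $2; exit }' "$1"
}

# How many suggestions the run produced (grep -c prints 0 and exits 1 on no match).
report_suggestion_count() {  # file
  grep -c '^suggestion\[\]=' "$1" || true
}

# Distinct test IDs with at least one suggestion, sorted.
report_suggestion_ids() {  # file
  awk -F'[=|]' '/^suggestion\[\]=/ { print $2 }' "$1" | sort -u
}

# Detail field of every suggestion for one test ID, one per line.
report_suggestion_details() {  # file test-id
  awk -F'|' -v id="$2" 'index($0, "suggestion[]=" id "|") == 1 { print $3 }' "$1"
}

# Use the report given on the command line if it is readable, else the sample.
report="${1:-}"
if [ -z "$report" ] || [ ! -r "$report" ]; then
  report="${TMPDIR:-/tmp}/lynis-report.sample.$$"
  make_sample_report > "$report"
fi
echo "hardening index: $(report_index "$report")/100"
echo "suggestions:     $(report_suggestion_count "$report")"
for id in $(report_suggestion_ids "$report"); do
  echo "  $id"
  report_suggestion_details "$report" "$id" | sed 's/^/    /'
done
```

Run it as sh lynis-report.sh /var/log/lynis-report.dat (as root, or with a copy of the file) to summarise a real run; without an argument it works on the constructed sample. Warnings use the same layout under the warning[] key, so the same awk pattern applies to them.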
Fixing our vulnerabilities
Then, let’s fix them!
Let’s pick a few misconfigurations and fix them. For example, SSH-7408 tells us how to configure the SSH daemon more strictly, directive by directive, to reduce its exposure:
Let’s edit /etc/ssh/sshd_config with the following values:
Nice. This will improve our hardening score for sure. But if we remember, we had other findings:
This is an easy one. apt-show-versions is a package that lists the installed and available versions of every package, per distribution. Lynis uses it to check whether security updates are pending, so installing it does not harden anything by itself, but it lets Lynis (and you) see patch status at a glance, and the finding goes away.
Let’s go for another one:
Seems like we don’t have a minimum or a maximum password age: this lets users keep the same password for years without changing it. If a password gets compromised and is never rotated, an attacker can keep using it indefinitely. Let’s also make the default umask (which controls the permissions of newly created files) more strict.
Let’s fix this by setting a minimum and maximum password age, and by restricting UMASK, in the /etc/login.defs file. Note that the PASS_MAX_DAYS and PASS_MIN_DAYS values in login.defs only apply to accounts created afterwards; existing users keep their current ageing settings in /etc/shadow until you change them with chage (for example chage -M 365 -m 1 username):
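The post’s screenshots of the sshd_config values and the login.defs values did not survive, so here is an added example (not code from the post or from Lynis) that serves both fixes: it audits an sshd_config and a login.defs against a list of target values, rewrites the files with those values set, and audits again. The target values are an assumption, typical of what SSH-7408 and the login.defs checks flag; the post does not list its exact numbers, so adjust them to your environment. The two sample files are constructed to mimic a fresh Ubuntu 22.04 install.

```shell
#!/bin/sh
# Added example (not from the post, not Lynis code): audit an sshd_config and a
# login.defs against target values, then rewrite them with those values set.
# ASSUMPTION: the target values below are typical of what Lynis SSH-7408 and its
# login.defs checks recommend; the post does not list its exact values.

# Constructed sample files that mimic a fresh Ubuntu 22.04 install.
make_weak_sshd_config() {
  cat <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#MaxAuthTries 6
#MaxSessions 10
X11Forwarding yes
AllowTcpForwarding yes
LogLevel INFO
EOF
}

make_weak_login_defs() {
  cat <<'EOF'
MAIL_DIR        /var/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           022
ENCRYPT_METHOD  SHA512
EOF
}

# Target values, "KEY value" per line (assumed, see above).
SSH_WANTS='PermitRootLogin no
MaxAuthTries 3
MaxSessions 2
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
TCPKeepAlive no
LogLevel VERBOSE
ClientAliveCountMax 2'

LOGIN_WANTS='PASS_MAX_DAYS 365
PASS_MIN_DAYS 1
UMASK 027'

# Value of a directive: comments skipped, keyword matched case-insensitively,
# first match wins (sshd's rule; login.defs is not expected to repeat keys).
# Include lines are not followed; `sshd -T` shows the effective sshd config.
cfg_get() {  # file key
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }' "$1"
}

# Compare one directive to its target. A missing directive counts as weak: the
# goal is to set every target explicitly rather than rely on compiled-in defaults.
check_setting() {  # file key want
  have=$(cfg_get "$1" "$2")
  if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
    printf 'ok    %-22s %s\n' "$2" "$have"
  else
    printf 'WEAK  %-22s have=%s want=%s\n' "$2" "${have:-<unset>}" "$3"
    return 1
  fi
}

# One line per target directive.
audit_file() {  # file wants
  while read -r key want; do
    [ -n "$key" ] || continue
    check_setting "$1" "$key" "$want" || true
  done <<EOF
$2
EOF
}

# Number of WEAK lines; 0 means every target is in place.
weak_count() {  # file wants
  audit_file "$1" "$2" | grep -c '^WEAK' || true
}

# Rewrite a file to stdout: active lines for a target key are replaced, keys
# that were absent or only commented out are appended at the end.
apply_wants() {  # file wants
  awk -v wants="$2" '
    BEGIN {
      n = split(wants, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[tolower(kv[1])] = lines[i] }
    }
    {
      k = tolower($1)
      if ($0 !~ /^[[:space:]]*#/ && NF >= 2 && (k in want)) { print want[k]; seen[k] = 1; next }
      print
    }
    END { for (k in want) if (!(k in seen)) print want[k] }' "$1"
}

# Demo on the constructed files: audit, rewrite, audit again.
demo_dir="${TMPDIR:-/tmp}/harden-demo.$$"
mkdir -p "$demo_dir"
make_weak_sshd_config > "$demo_dir/sshd_config"
make_weak_login_defs  > "$demo_dir/login.defs"
for f in sshd_config login.defs; do
  case $f in sshd_config) wants=$SSH_WANTS ;; *) wants=$LOGIN_WANTS ;; esac
  echo "== $f before =="; audit_file "$demo_dir/$f" "$wants"
  apply_wants "$demo_dir/$f" "$wants" > "$demo_dir/$f.hardened"
  echo "== $f after  =="; audit_file "$demo_dir/$f.hardened" "$wants"
done
```

Before copying a rewritten sshd_config into place, validate it with sshd -t and keep your current SSH session open while you restart the service, so a typo cannot lock you out. On Ubuntu, the Include line at the top of sshd_config means a drop-in under /etc/ssh/sshd_config.d/ wins over later directives in the main file, so putting the SSH_WANTS lines in a drop-in is an equally valid way to apply them.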
That would do it!
Testing our system after fixing it
We have hardened our SSH daemon, installed a package, improved the password ageing controls and tightened the default umask.
Could this have improved our starting 63/100 score?
It did! The hardening index went up by 10 points with just 5 minutes of hard work!
Yes, there is still work to do (or less work, if you use scripts to automate the hardening process), but now our computer is more secure and harder to crack!
Final thoughts
Lynis and systems hardening are crucial elements in improving cybersecurity. Lynis, as a security auditing tool, identifies weaknesses and offers recommendations for fortifying the system; the actual fixing is still our job. By running Lynis audits regularly we can catch configuration drift and spot missing patches before someone else does.
Hardening minimizes a system’s attack surface: by mitigating or removing known weaknesses and common misconfigurations, it improves the overall security of your operating system and reduces the risk of a breach. Lynis is the checklist that tells us where we stand.
And, as you saw, it is pretty addictive, as you want to keep increasing your score more and more! Just remember that the score is a measure of how many checks you pass, not a guarantee: a change that raises it should also make sense for your environment.