How To Check The Security Of A Linux PC With Lynis
If your Linux security is lacking, a good idea is to audit your system. A great way to run an audit is to use a program that tests security and offers concrete solutions. One such auditing tool is Lynis. It scans any Linux PC, tests its security, and prints out a list of possible issues and fixes. The best part of this tool is that it's very simple to use, so anyone can run it.
Ubuntu/Debian
Lynis has excellent support for Debian and Ubuntu through its own software repository. Enabling this software repository is a little different from other software sources, as it's a traditional software repository. There are no PPAs or anything. This is so that Lynis works on both Debian and Ubuntu without issue.
To start the installation, launch a terminal window and download the correct GPG key.
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
With the key working, add the new Lynis software source to the system.
sudo -s
echo '#Lynis repo ' >> /etc/apt/sources.list
echo 'deb https://packages.cisofy.com/community/lynis/deb/ stable main' >> /etc/apt/sources.list
The Lynis software repo needs a special package. This package will allow Ubuntu (or Debian) to interact with HTTPS software sources.
sudo apt install apt-transport-https
or
sudo apt-get install apt-transport-https
With the apt-transport-https package installed on your system, it's safe to refresh the software sources. Run update in the terminal.
sudo apt update
or
sudo apt-get update
Finally, install Lynis.
sudo apt install lynis
or
sudo apt-get install lynis
Arch Linux
As with most programs, the Lynis security tool is available for Arch in the AUR. To install it, launch a terminal and install Git and the Base-devel packages. Then pull the code down and generate a new Arch package.
Note: please understand that installing software directly from the Arch AUR, rather than the official software sources, means that sometimes dependencies do not install. You may need to install these packages manually if this happens during the Lynis installation process. Dependencies can be found at the bottom of this page here.
sudo pacman -S git base-devel
git clone https://aur.archlinux.org/lynis-git.git
cd lynis-git
makepkg -si
Fedora
Lynis has support for Fedora, though it requires a third-party software source to install it. Enable the software source by launching a terminal and using the touch and echo commands.
sudo -s
touch /etc/yum.repos.d/cisofy-lynis.repo
echo '[lynis]' >> /etc/yum.repos.d/cisofy-lynis.repo
echo 'name=CISOfy Software - Lynis package' >> /etc/yum.repos.d/cisofy-lynis.repo
echo 'baseurl=https://packages.cisofy.com/community/lynis/rpm/' >> /etc/yum.repos.d/cisofy-lynis.repo
echo 'enabled=1' >> /etc/yum.repos.d/cisofy-lynis.repo
echo 'gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key' >> /etc/yum.repos.d/cisofy-lynis.repo
echo 'gpgcheck=1' >> /etc/yum.repos.d/cisofy-lynis.repo
Next, update the following packages on your system:
sudo dnf update ca-certificates curl nss openssl -y
Finally, install Lynis with dnf install.
sudo dnf install lynis -y
OpenSUSE
The Lynis tool has a software repository available for all versions of OpenSUSE. Turn it on with the following commands in a terminal window.
sudo rpm --import https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
sudo zypper addrepo --gpgcheck --name "CISOfy Lynis repository" --priority 1 --refresh --type rpm-md https://packages.cisofy.com/community/lynis/rpm/ lynis
With the repo added on OpenSUSE, it's time to refresh the system.
sudo zypper refresh
Finish up the setup process by using Zypper to install Lynis.
sudo zypper install lynis
Generic Linux
The Lynis auditing tool has a generic Tarball for those on Linux distributions that don’t have direct support from the developer. Thankfully, this downloadable Tar archive requires no compilation of any kind. Instead, users just download it and run the program as is.
To install Lynis via a downloadable Tar archive, use the wget tool and download the package, then extract it.
wget https://downloads.cisofy.com/lynis/lynis-2.6.8.tar.gz
tar -zxvf lynis-2.6.8.tar.gz
cd lynis
Run the Lynis tool with:
./lynis
Using Lynis
Lynis is a simple tool with a lot of options. For the average user, basic options will do. The most basic (yet comprehensive) operation the program offers is a complete audit of the system. To run the audit, open up a terminal and enter the following command into it.
lynis audit system
Running the above command without any Sudoer privileges will scan many aspects of the system. However, it won’t get everything. Running a full scan requires sudo.
sudo lynis audit system --pentest
Need to save the results for later? Redirect them to a text file (>> appends to the file if it already exists).
sudo lynis audit system >> /home/username/Documents/lynis-results.txt
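Once results are saved, the next job is triage. The script below is an added example, not part of the original article or of Lynis itself: it pulls warnings, suggestions and the hardening index out of a Lynis report file and turns them into a pass/fail check. It assumes the key=value report Lynis writes by default to /var/log/lynis-report.dat, which this page does not describe; the function names and the sample report are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage a Lynis report file instead of reading raw screen output.
# Assumption: report lines look like "warning[]=TEST-ID|text|details|solution|".

# Print "TEST-ID<TAB>text" for every finding of one kind (warning or suggestion).
lynis_findings() {  # usage: lynis_findings <report> <warning|suggestion>
    awk -v key="$2[]=" 'index($0, key) == 1 {
        split(substr($0, length(key) + 1), f, "|")
        printf "%s\t%s\n", f[1], f[2]
    }' "$1"
}

# Print the hardening index (0-100), or nothing if the report lacks it.
lynis_index() {  # usage: lynis_index <report>
    sed -n 's/^hardening_index=\([0-9][0-9]*\)$/\1/p' "$1" | tail -n 1
}

# Return 0 only if there are no warnings and the index meets the minimum.
lynis_gate() {  # usage: lynis_gate <report> <min_index>
    local warnings index
    warnings=$(lynis_findings "$1" warning | wc -l | tr -d ' ')
    index=$(lynis_index "$1")
    [ -n "$index" ] || { echo "no hardening_index in $1" >&2; return 2; }
    [ "$warnings" -eq 0 ] && [ "$index" -ge "$2" ]
}

# Constructed sample report (not real scan output) so the script runs offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
lynis_version=2.6.8
suggestion[]=BOOT-5122|Set a password on GRUB bootloader|-|-|
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|-|-|
hardening_index=62
EOF

lynis_findings "$SAMPLE" warning
echo "hardening index: $(lynis_index "$SAMPLE")"
lynis_gate "$SAMPLE" 70 || echo "gate failed: fix warnings or raise the index"
```

After a real scan run with sudo, point the functions at /var/log/lynis-report.dat instead of the sample file; the gate's exit status makes it usable from cron or a provisioning script.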
Scan Docker File
Docker is becoming increasingly popular on Linux systems. With all of the pre-made Docker images out there, security breaches are bound to happen. Thankfully, Lynis allows users to scan Docker files and test them for issues. To run a test, try the following command.
lynis audit dockerfile /home/username/path/to/dockerfile
Quick Scan
Lynis can do many different types of scans. A scan that may be useful if you're in a hurry is the "quick" scan mode. This mode tests basic areas of the system, for fast results.
Run a quick system audit with:
lynis audit system -Q