Awesome Linux Tools: Lynis from CISOfy

In this episode of Awesome Linux Tools, the spotlight is on Lynis, an open-source security auditing tool from CISOfy for Linux and other Unix-like systems. It runs a large set of tests against the running host and reports warnings and suggestions that together give you a picture of the server's overall security hygiene. In this video, Jay shows how to install it and how to run an audit.

Notable Replies

  1. Before anyone starts using Lynis to harden their servers, let me ask this question:

    How much do you want your server hardened?

    If you are using a VPS to host your website, do note that not all suggestions need to apply.

    Also, in Ubuntu-based distributions, removing any compilers such as GCC can break your system. For example, in Lynis:

    [+] Hardening
    ------------------------------------
        - Installed compiler(s)                                   [ FOUND ]
    

    In my case, the word FOUND is highlighted in red. Trying to remove gcc-10-base will result in the following:

    $ sudo apt purge gcc-10-base
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      ...
    Use 'sudo apt autoremove' to remove them.
    The following packages will be REMOVED:
      ...
    WARNING: The following essential packages will be removed.
    This should NOT be done unless you know exactly what you are doing!
      ...
    0 upgraded, 0 newly installed, 674 to remove and 0 not upgraded.
    After this operation, 1057 MB disk space will be freed.
    You are about to do something potentially harmful.
    To continue type in the phrase 'Yes, do as I say!'
     ?] ^C
    $
    

    So it’s best to ignore the warning and not break your server in the process. Anyone remember Linus from Linus Tech Tips?

    For SSH, it’s always better to create a unique username and password. Sure, public key authentication can improve the security of your server until you leak your private/public key, so for me, I simply use a strong password in addition to a unique username, disable root login, and change to a non-standard port number other than 22, 222, 2222, or 22222. The cybersecurity community’s mindset is that “security through obscurity” is bad; however, I would definitely choose obscurity whenever I have the chance in order to cut down on the amount of noise in the /var/log/auth.log file. Try to keep your port number to yourself, if you can. Of course, this will not stop a determined criminal hacker from trying to gain entry into your server, but every layer of security you can implement helps.

    Plus, Lynis will tell you to put /var, /var/log, etc. into separate partitions in a VPS. If you use Digital Ocean or Linode, that hardening may be impossible. A dedicated server will cost you a lot more money, but at least you can set up your partitions however you like.

    For my website, I had already hardened my web server even before trying out Lynis in my VPS.

    Lynis will suggest that you disable USB storage. I could blacklist a module, but is there a reason why I need to do so in a VPS?

    Here’s an example profile I have created for Lynis:

    profile-name=Grayson-Profile
    skip-test=SSH-7408
    skip-test=NETW-3015
    skip-test=NETW-3200
    skip-test=KRNL-6000
    skip-test=BOOT-5264
    skip-test=AUTH-9282
    skip-test=AUTH-9229
    skip-test=AUTH-9230
    skip-test=AUTH-9286
    skip-test=FILE-7524
    skip-test=HOME-9304
    skip-test=KRNL-5820
    skip-test=BOOT-5122
    skip-test=BOOT-5264
    skip-test=FILE-6310
    skip-test=NAME-4028
    skip-test=NAME-4404
    skip-test=LOGG-2154
    skip-test=LOGG-2190
    skip-test=USB-1000
    skip-test=FIRE-4512
    skip-test=ACCT-9626
    skip-test=CRYP-7902
    skip-test=FINT-4350
    skip-test=TOOL-5002
    skip-test=HRDN-7222
    

    Then, if you set up a Lynis repository as detailed in the video, you can execute as follows:

    sudo ./lynis audit system --profile custom.prf
    

    You might want to customize the profile in order to suit your use-case.

    The moral of the story is:

    • Know what you are getting into.
    • Know how much you want to harden your server.

    Oh yes, maybe I’m missing something, but I don’t think the video covers the dangers of using Lynis in order to harden a server. Again, just know what you are getting into before you harden your server.
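The SSH paragraph in the reply above changes the port and disables root login. One check worth doing after such an edit, as an added example that is not from the post and not part of Lynis: sshd takes the first value it reads for each keyword, so a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" changes nothing, and Lynis will keep reporting the old value. The script parses an sshd_config the way sshd resolves global directives (first match wins, parsing stops at the first Match block) and reports the effective values. Both config files, the port number and the user name are constructed for this example; the fallback defaults are the compiled-in OpenSSH defaults (7.0 and later).

```shell
#!/bin/sh
# Added example for this thread (not from the post, not Lynis code): show the
# values sshd will really use for a few directives in an sshd_config file.
# sshd takes the FIRST value it reads for each keyword, so a hardening line
# appended below an earlier setting of the same keyword is silently ignored.
# Both config files below are constructed for this example.

set -u

# Effective value of one keyword: first match wins, comments and blank lines
# are skipped, and parsing stops at the first "Match" block because directives
# inside a Match block only apply conditionally. Prints nothing if unset.
sshd_effective() {
    keyword=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$keyword" '
        /^[[:space:]]*#/          { next }
        NF == 0                   { next }
        tolower($1) == "match"    { exit }
        tolower($1) == kw         { print $2; exit }
    ' "$2"
}

# Same, but fall back to the compiled-in OpenSSH defaults (7.0 and later) for
# the keywords this thread cares about; anything else reports "unset".
sshd_setting() {
    value=$(sshd_effective "$1" "$2")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
        return
    fi
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        port)                   echo 22 ;;
        permitrootlogin)        echo prohibit-password ;;
        passwordauthentication) echo yes ;;
        *)                      echo unset ;;
    esac
}

# One-line summary of the settings the reply above changes.
sshd_summary() {
    printf 'Port=%s PermitRootLogin=%s PasswordAuthentication=%s\n' \
        "$(sshd_setting Port "$1")" \
        "$(sshd_setting PermitRootLogin "$1")" \
        "$(sshd_setting PasswordAuthentication "$1")"
}

# Returns 0 only when root login is really off in the effective config.
sshd_root_login_disabled() {
    [ "$(sshd_setting PermitRootLogin "$1")" = "no" ]
}

# --- constructed sample configs (not from any real host) -------------------
SSHD_SAMPLES=$(mktemp -d)
WEAK_SSHD_CONFIG="$SSHD_SAMPLES/sshd_config.weak"
HARDENED_SSHD_CONFIG="$SSHD_SAMPLES/sshd_config.hardened"

# Looks hardened at a glance because the last line says "no"; sshd disagrees.
cat > "$WEAK_SSHD_CONFIG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later, but the earlier value already won:
PermitRootLogin no
EOF

# What the reply describes: non-standard port (2275 is an arbitrary choice
# here), root login off, password auth kept globally, keys required for a
# hypothetical "deploy" user via a Match block.
cat > "$HARDENED_SSHD_CONFIG" <<'EOF'
Port 2275
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 3
Match User deploy
    PasswordAuthentication no
EOF

sshd_summary "$WEAK_SSHD_CONFIG"
sshd_summary "$HARDENED_SSHD_CONFIG"
```

On a real host, `sshd -T` prints the effective configuration the daemon would load and is the authoritative check; the parser above is only for reasoning about a file you have not deployed yet, and it deliberately ignores Match blocks rather than evaluating them.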

  2. For someone who is not a developer, how is anyone going to get rid of gcc-*-base package without breaking their server or desktop?

    As we humans are the weakest link, I think we need to keep educating ourselves so that we do not fall victim to security issues. I think the only way a threat actor can execute code is by logging in through SSH or maybe by exploiting vulnerabilities in websites.

    Unless anyone has any ideas regarding how to solve the warning regarding the compiler, I think we should just ignore it and hope that we keep our cybersecurity hygiene in good shape. Or should we not ignore the “compiler found” warning at all?

    @jay, not every YouTuber who subscribes to your channel visits the forum. I think you should discuss the pitfalls of Lynis and/or any other hardening tools on YouTube before they try out Lynis. Because if they do not understand what they are doing, there’s a chance they can break their system(s). What are your thoughts?

  3. jay says:

    Good thoughts in this thread for sure!

    I think context is important to keep in mind too, as not every suggestion should be actioned. You can advise Lynis to ignore a particular item if it doesn’t apply to you or your use-case. Also, many of the suggestions are going to align to certification requirements (such as SOC 2) but not everyone will be going after such a thing.

    I probably should’ve mentioned it in the video, but what I do is go through what’s relevant for me and then I ignore what doesn’t apply to me.

    To play devil’s advocate though, I think it is the case that a lot of people don’t seem to take vulnerability chains seriously. For example, you might think that if vim has a security issue, what’s the big deal? After all, it’s not like the average person typically forwards an external port to an internal installation of vim. But hypothetically, if someone was to obtain access to a server but were only able to commandeer a non-root account, an exploit in vim might be just what they needed to elevate their access to root. Of course, you can argue that the fact they were able to access a non-root account means that there was a bigger security failure, but whether or not the individual items that Lynis finds matters to you depends on context, and sometimes it’s good to look at the results from a different angle.
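Both the custom profile in the first reply and the remark above about advising Lynis to ignore an item come down to the skip-test list. As an added example, not from the thread and not part of Lynis, the script below cross-checks a profile against the report Lynis writes to /var/log/lynis-report.dat and answers three questions a reviewer would ask: which findings the profile still leaves active, which skip-test entries are actually doing something, and which are stale (no finding in this report, so either fixed or obsolete). The report format assumed is the one Lynis writes: one key=value per line, with findings as `suggestion[]=TEST-ID|text|details|solution|` or `warning[]=...`. The report lines and the profile here are constructed for the example and reuse test IDs from the first reply's profile; the finding texts are illustrative.

```shell
#!/bin/sh
# Added example for this thread (not from the posts, not Lynis code): compare a
# Lynis custom profile with the findings in a Lynis report file so that every
# skip-test entry can be justified against a concrete finding.
# Report lines follow the format Lynis writes to /var/log/lynis-report.dat:
#   suggestion[]=TEST-ID|text|details|solution|
#   warning[]=TEST-ID|text|details|solution|
# The report and the profile below are constructed for this example.

set -u
WORK=$(mktemp -d)

# Unique skip-test IDs from a profile, sorted. A duplicated skip-test line
# (the first reply's profile lists BOOT-5264 twice) is harmless and collapsed.
profile_skips() {
    grep -E '^skip-test=' "$1" | cut -d= -f2- | LC_ALL=C sort -u
}

# Unique test IDs that produced a suggestion or warning in a report.
report_ids() {
    grep -E '^(suggestion|warning)\[]=' "$1" \
        | cut -d= -f2- | cut -d'|' -f1 | LC_ALL=C sort -u
}

# Print "kind<TAB>ID<TAB>text" for every finding whose ID is not skipped,
# in report order. This is the list that still needs a decision.
active_findings() {
    report=$1; profile=$2
    skips=$(profile_skips "$profile")
    grep -E '^(suggestion|warning)\[]=' "$report" | while IFS= read -r line; do
        kind=${line%%"[]="*}          # suggestion or warning
        body=${line#*"[]="}           # TEST-ID|text|details|solution|
        id=${body%%|*}
        rest=${body#*|}
        text=${rest%%|*}
        if ! printf '%s\n' "$skips" | grep -qxF -- "$id"; then
            printf '%s\t%s\t%s\n' "$kind" "$id" "$text"
        fi
    done
}

# skip-test IDs that did fire in this report: each one is a finding you chose
# to live with, so this is the list to document.
justified_skips() {
    profile_skips "$2" > "$WORK/skips"
    report_ids "$1"    > "$WORK/ids"
    LC_ALL=C comm -12 "$WORK/skips" "$WORK/ids"
}

# skip-test IDs with no matching finding: already fixed, not applicable to
# this host, or an obsolete ID. Either way the entry can be removed.
stale_skips() {
    profile_skips "$2" > "$WORK/skips"
    report_ids "$1"    > "$WORK/ids"
    LC_ALL=C comm -23 "$WORK/skips" "$WORK/ids"
}

# --- constructed samples (not real Lynis output) ---------------------------
SAMPLE_PROFILE="$WORK/custom.prf"
SAMPLE_REPORT="$WORK/lynis-report.dat"

cat > "$SAMPLE_PROFILE" <<'EOF'
profile-name=Example-Profile
skip-test=SSH-7408
skip-test=BOOT-5264
skip-test=BOOT-5264
skip-test=USB-1000
skip-test=HRDN-7222
EOF

cat > "$SAMPLE_REPORT" <<'EOF'
report_version_major=1
suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (set 22 to )|-|
suggestion[]=USB-1000|Disable drivers like USB storage when not used|-|-|
suggestion[]=BOOT-5264|Consider hardening system services|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=LOGG-2154|Enable logging to an external logging host|-|-|
EOF

echo "still active:";  active_findings "$SAMPLE_REPORT" "$SAMPLE_PROFILE"
echo "justified skips:"; justified_skips "$SAMPLE_REPORT" "$SAMPLE_PROFILE"
echo "stale skips:";    stale_skips "$SAMPLE_REPORT" "$SAMPLE_PROFILE"
```

Run it against a real host by pointing SAMPLE_REPORT at /var/log/lynis-report.dat (readable by root) and SAMPLE_PROFILE at the file you pass to `--profile`; the only format assumption is the `kind[]=ID|text|details|solution|` layout of finding lines.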
