Awesome Linux Tools: Lynis from CISOfy

Before anyone starts using Lynis to harden their servers, let me ask this question:

How much do you want your server hardened?

If you are using a VPS to host your website, do note that not all suggestions need apply.

Also, in Ubuntu-based distributions, removing any compilers such as GCC can break your system. For example, in Lynis:

[+] Hardening
------------------------------------
    - Installed compiler(s)                                   [ FOUND ]

In my case, the word FOUND is highlighted in red. Trying to remove gcc-10-base will result in the following:

$ sudo apt purge gcc-10-base
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  ...
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  ...
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  ...
0 upgraded, 0 newly installed, 674 to remove and 0 not upgraded.
After this operation, 1057 MB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
 ?] ^C
$

So it’s best to ignore the warning and not break your server in the process. Anyone remember Linus from Linux Tech Tips?

For SSH, it’s always better to create a unique username and password. Sure, a public key authentication can improve the security of your server until you leak your private/public key, so for me, I simply use a strong password in addition to unique username, disable root login, and change to a non-standard port number other than 22, 222, 2222, or 22222. The cybersecurity community’s mindset is that “security through obscurity” is bad; however, I would definitely choose obscurity whenever I have the chance in order to cut down on amount of noise in /var/log/auth.log file. Try to keep your port number secret to yourself, if you can. Of course, this will not stop a determined criminal hacker from trying to gain entry into your server, but every layer of security you can implement helps.

Plus, Lynis will tell you to put /var, /var/log, etc. into separate partitions in VPS. If you use Digital Ocean or Linode, that hardening may be impossible. A dedicated server will cost you a lot more money, but at least you can setup your partitions however you like.

For my website, I have already hardened my web server even before I try out Lynis in my VPS.

Lynis will suggest that you disable USB storage. I could blacklist a module, but is there a reason why I need to do so in a VPS?

Here’s an example profile I have created for Lynis:

profile-name=Grayson-Profile
skip-test=SSH-7408
skip-test=NETW-3015
skip-test=NETW-3200
skip-test=KRNL-6000
skip-test=BOOT-5264
skip-test=AUTH-9282
skip-test=AUTH-9229
skip-test=AUTH-9230
skip-test=AUTH-9286
skip-test=FILE-7524
skip-test=HOME-9304
skip-test=KRNL-5820
skip-test=BOOT-5122
skip-test=BOOT-5264
skip-test=FILE-6310
skip-test=NAME-4028
skip-test=NAME-4404
skip-test=LOGG-2154
skip-test=LOGG-2190
skip-test=USB-1000
skip-test=FIRE-4512
skip-test=ACCT-9626
skip-test=CRYP-7902
skip-test=FINT-4350
skip-test=TOOL-5002
skip-test=HRDN-7222

Then, if you setup a Lynis repository as detailed in the video, you can execute as follows:

sudo ./lynis audit system --profile custom.prf

You might want to customize the profile in order to suit your use-case.

The moral of the story is:

• Know what you are getting into.
• Know how much you want to harden your server.

Oh yes, maybe I’m missing something, but I don’t think the video covers the dangers of using Lynis in order to harden a server. Again, just know what you are getting into before you harden your server.

For someone who is not a developer, how is anyone going to get rid of gcc-*-base package without breaking their server or desktop?

As we humans are the weakest link, I think we need to keep educating ourselves so that we do not fall victim to security issues. I think the only way a threat actor can execute code is by logging in through SSH or maybe exploit any vulnerabilities in websites.

Unless if anyone does have any ideas regarding how to solve the warning regarding the compiler, I think we should just ignore it and hope that we keep cybersecurity hygiene in good shape. Or should we not ignore the “compiler found” warning at all?

@jay, not every YouTuber who subscribes to your channel visits the forum. I think you should discuss the pitfalls of Lynis and/or any other hardening tools on YouTube before they try out Lynis. Because if they do not understand what they are doing, there’s a chance they can break their system(s). What are your thoughts?