Security

How to quickly audit a Linux system from the command line

For a deep penetrating scan of your Linux servers and desktops, turn to the Lynis auditing tool. Check out how to install and use Lynis.

Image: Jack Wallen

Every system on your business network needs auditing at some point. Why? Because you never know when you've missed some obscure or even glaring issue that could leave your system wide open for prying, spying eyes. When that happens, company data could be compromised. That, my friends, is never a good thing.

To avoid that, run a security audit on every system. Even though you firmly believe your Linux systems are hardened as tempered steel, you should never leave anything to chance—so add those boxes to the audit.

But what do you use to audit those Linux systems? You're in luck—there's a command line tool created by CISOfy that handles the job with ease. The tool is called Lynis, and it will scan almost all UNIX-based systems (even Raspberry Pi and QNAP storage devices). Lynis runs hundreds of security tests on your system and reports back any issues so you can fix them.

You can run Lynis without installation—you simply download the latest version, extract it, and run the executable (with the proper options). If you're running a Ubuntu system, there's a repository you can add to install the latest tool. Let's install and run Lynis on a machine running Ubuntu 16.04.

SEE: Ubuntu Core 16: Linux for a secure Internet of Things (ZDNet)

Installing Lynis

In order to install Lynis on your Ubuntu system, you must follow these steps.

    1. Open a terminal window.
    2. Create the file /etc/apt/sources.d/lynis.list with the following content (RELEASE is the release of Ubuntu...aka xenial):

    deb https://packages.cisofy.com/community/lynis/deb RELEASE main

    3. Save and close the file.
    4. Update apt with the command sudo apt-get update.
    5. Install Lynis with the command sudo apt-get install lynis.
    6. Okay the installation when prompted (you will be warned that the package cannot be authenticated).
    7. Allow the installation to complete.

    You can now run the Lynis auditor.

    Using Lynis

    The command to kick off an audit is:

    sudo lynis audit system

    As the command runs, it will output the results to stdout (Figure A), so you can see what's happening as it occurs.

    Figure A

    Figure A

    A Lynis audition in action.

    Once the scan completes, you'll find that Lynis has also written the results to the log file /var/log/lynis.log; you can then comb through the results to see what the tool says about your system. The log file will take some time to go through (it's fairly lengthy), but what you get from reading through the file is worth every minute.

    After running Lynis on my Ubuntu 16.04 server, I found nothing that needed my attention. Lynis did find that the default umask in /etc/init.d/rc could be more strict and even suggested a umask of 027, as opposed to the discovered 022. The 027 umask setting would mean that the owning group would be allowed to read any newly-created files. This moves the permission granting model somewhat away from permission bits and more toward group ownership. That could effectively create issues down the road, so I opted to leave that particular umask at 022.

    A must-use tool

    If you're a system administrator, a good auditing tool can make your life exponentially easier (or harder...depending upon the results of the audit). Lynis is a must-use tool for any Linux system administrator who takes the security of their systems and network seriously.

    Give this tool a try, and see if it detects holes in the armor of your Linux systems.

    Also see

    About Jack Wallen

    Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

    Editor's Picks