Regularly using Lynis to check that the systems, apps, and services on your Macs are properly configured helps administrators harden devices by minimizing their attack surface.
The process of hardening your system takes many forms, as the whole is made up of several individual components that, when combined, form a profile for minimizing the attack surface of your devices. Like a defense-in-depth strategy, which forms the crux of cybersecurity best practices, hardening of computer systems is but one cog in the wheel of client security, which in turn is a portion of the overall security posture for the environment.
Among the many tasks IT can perform to keep client devices as secure as possible, a hardening scan is one method that helps IT pros verify whether those tasks are actually securing devices. Lynis provides just that type of verification by scanning supported devices--macOS & Linux clients and servers--to yield a plethora of actionable data, giving administrators the opportunity to course correct any issues that could potentially lead to a compromise.
What is Lynis?
Lynis differs from other, more popular security packages such as Nessus and OpenVAS. While the latter both focus on assessing vulnerabilities for the purposes of exploiting the findings, Lynis analyzes systems and compares the findings to a known, ever-expanding set of criteria. After a number of checks have been completed, it assigns the system an index, or score, that reflects how the device compares to the criteria of known best practices.
Lynis is open-source software that runs on macOS and multiple Unix/Linux distributions as a small, lightweight utility that runs locally on each device. No agent or root permissions are necessary for the scan to complete and the report to be printed. A few tests require admin privileges to run successfully, but root access is optional, not a requirement. Speaking of reporting, there are several options to export reports for review and mitigation.
Lastly, built directly into the reports is a line-by-line breakdown of what tests were performed and their results. For tests that result in positive findings, links to remediation information are provided within the report for each line item, making it dead simple for IT to address all issues found.
Before running our first report, we'll run through the installation process for Macs.
Lynis runs only on the following OSes:
- Raspberry Pi
- IoT devices
- QNAP storage appliances
Installing Lynis via Git
- After logging on to the system, launch the Terminal.
- Choose the working directory that Lynis will be cloned to by entering: cd /usr/loca
- Next, clone the project by entering: git clone https://github.com/cisofy/lynis
Installing Lynis on macOS using Homebrew
- Log in to macOS and launch the Terminal.
- Install Lynis using Homebrew by entering:
brew install lynis
Running a scan using Lynis
- From the Terminal, enter the following command to begin a full-system scan:
lynis audit system
There are also a number of commands and options that may be used to modify the default configuration and/or the way Lynis behaves. Entering lynis by itself prints a listing of choices on-screen, and entering lynis show options displays more options. Additionally, a man page that breaks down the many ways Lynis can be run is available by prefixing the command with man (Figure A).
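The score and findings a scan produces can also be checked from a script. The following is an added example, not code from the article or the Lynis project: it reads a Lynis report file and fails when the hardening index is below a minimum or any warning is present. It assumes the key=value report format with hardening_index= and warning[]=/suggestion[]= lines; the sample report, its DEMO- test IDs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize a Lynis report file and gate on its hardening index.
# Assumption: report lines look like "hardening_index=NN" and
# "warning[]=TEST-ID|message|details|solution|" (same layout for suggestion[]).

# Print the hardening index recorded in report file $1 (empty if absent).
lynis_index() {
    sed -n 's/^hardening_index=\([0-9][0-9]*\)$/\1/p' "$1" | tail -n 1
}

# Print "TEST-ID: message" for every finding of kind $1 (warning|suggestion) in $2.
lynis_findings() {
    awk -F'|' -v p="$1[]=" \
        'index($0, p) == 1 { print substr($1, length(p) + 1) ": " $2 }' "$2"
}

# Succeed only if the index in $1 is at least $2 and the report has no warnings.
# Returns 2 when the file carries no hardening index at all.
lynis_gate() {
    idx=$(lynis_index "$1")
    [ -n "$idx" ] || { echo "no hardening_index found in $1" >&2; return 2; }
    warns=$(lynis_findings warning "$1" | wc -l | tr -d ' ')
    echo "hardening index: $idx (minimum $2), warnings: $warns"
    [ "$idx" -ge "$2" ] && [ "$warns" -eq 0 ]
}

# Constructed sample report; on a real system pass the path of the report
# file written by "lynis audit system" instead.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Lynis Report (constructed sample)
os=macOS
hardening_index=61
warning[]=DEMO-0001|Application firewall is disabled|-|-|
suggestion[]=DEMO-0002|Require a password after screen lock|-|-|
suggestion[]=DEMO-0003|Restrict home directory permissions|-|-|
EOF

echo "Warnings:";    lynis_findings warning "$SAMPLE"
echo "Suggestions:"; lynis_findings suggestion "$SAMPLE"
lynis_gate "$SAMPLE" 70 || echo "device needs remediation before sign-off"
```

Because the gate treats any warning as a failure, a device with a high score still fails until its warnings are resolved.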