If you administer Linux servers, you know that malicious code and vulnerabilities can find their way onto the system. This could be from an attack, from a user saving an infected file, from a malicious payload in a vulnerable package or a misconfigured service. Although finding out how the malicious code made it onto your system is important, the immediate issue is detecting and mitigating it.


And, yes, even though you're using Linux, this is a task you need to know how to take care of. One such route to success is using the Lynis auditing scanner. For those who've been around for a while, you might know Lynis's author, Michael Boelen, from his earlier tool rkhunter; Lynis is a separate project, not a renamed rkhunter.

Lynis isn't a rootkit detector at all. It runs a detailed audit of your Linux servers (and desktops) for numerous security issues and misconfigurations, and one of the things it checks is whether a malware or rootkit scanner is installed on the system.

I want to walk you through the process of installing Lynis and running a scan on AlmaLinux.

What you’ll need

To get Lynis installed and working, you'll need a running instance of AlmaLinux and a user with sudo privileges. That's it. Let's get to scanning.

How to install Lynis

The first thing we’ll do is install the necessary dependencies. Log into your server and issue the command:

sudo dnf install ca-certificates curl nss openssl -y

Once that completes, we’ll create a new repository with the command:

sudo nano /etc/yum.repos.d/cisofy-lynis.repo

In that file, paste the following:

[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2

Save and close the file. The gpgcheck=1 line matters: dnf will refuse any package from this repository that isn't signed with the CISOfy key it downloads from the gpgkey URL. With -y, dnf imports that key automatically on the first install; drop -y if you want to inspect the key before accepting it.

Install Lynis with the command:

sudo dnf install lynis -y

The installation should go off without a hitch.

How to scan with Lynis

We can now run a security audit on our AlmaLinux machine with the command:

sudo lynis audit system

The scan will take some time (depending on the speed of your hardware and the number of installed packages). You'll see plenty of output scroll past (Figure A).

Figure A

The output of the Lynis system audit.

You can sit back and watch the output, as the scan shouldn't take more than 2 to 5 minutes. Besides, you'll probably want to watch the "magic" happen. Lynis prints each test as it runs: results in green are fine, suggestions are shown in yellow and warnings in red, and anything red is a problem you'll most likely need to resolve. At the end of the run Lynis lists every warning and suggestion with its test ID and prints a hardening index (a score from 0 to 100). Like me, you might find that Lynis has flagged the server for lacking a malware scanner (Figure B).

Figure B

Lynis has audited the system and one big issue is the lack of a malware scanner.

You can scroll back through the output of the scan (if your terminal's scrollback allows), but you don't have to re-run the scan just to capture it: Lynis writes a log of every run to /var/log/lynis.log and a machine-readable summary (key=value lines, including every warning and suggestion with its test ID) to /var/log/lynis-report.dat. If you do want the screen output in a file, turn off the colors so the file isn't littered with terminal escape sequences:

sudo lynis audit system --no-colors > audit_results

To find out what a particular finding means and how to fix it, ask Lynis about the test by the ID shown in the report:

sudo lynis show details TEST-ID

Even so, a flat text dump isn't the most pleasant thing to read every day. Fortunately, there's a better way.

How to add a Lynis cron job

You might also want to create a cron job to run the Lynis scanner daily. Create a new daily script with the command:

sudo nano /etc/cron.daily/lynis

In that script paste the following:

#!/bin/sh
set -u

DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

# Make sure the output directory exists; the reports describe the host's weak spots,
# so keep it readable by root only
mkdir -p "$LOG_DIR"
chmod 0700 "$LOG_DIR"

# Run Lynis non-interactively: --cronjob disables colors and all prompts
lynis audit system --cronjob > "${REPORT}"

# Keep a dated copy of the machine-readable report Lynis writes on every run
if [ -f /var/log/lynis-report.dat ]; then
    mv /var/log/lynis-report.dat "${DATA}"
fi
# The End

Save and close the file. Create the log directory and make the script executable (cron's run-parts silently skips files in /etc/cron.daily that aren't executable):

sudo mkdir -p /var/log/lynis
sudo chmod 0755 /etc/cron.daily/lynis

You can check that it works right away with sudo /etc/cron.daily/lynis. From then on the job runs with the other daily jobs and leaves a dated report (plus the dated copy of lynis-report.dat) in /var/log/lynis.

And that’s all there is to running a security audit on AlmaLinux, with the help of Lynis. Add this to your daily cron job and then make a habit of checking the log file every morning.
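Reading a report-data file by hand is tedious, and comparing today's against yesterday's by eye is worse. The script below is an added example, not code from this article or from the Lynis project: it takes two of the dated report-data files the cron job above leaves in /var/log/lynis, pulls out the hardening index and the warnings and suggestions, and prints what is new and what was resolved since the previous run. It assumes the key=value layout of lynis-report.dat (warning[]= and suggestion[]= lines with pipe-separated fields) and uses two constructed sample reports with Lynis-style test IDs so it runs offline; the function names (findings, new_warnings, morning_report and so on) are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or the Lynis project: summarise one
# report-data file and show what changed since the previous day's run.
# Assumes the key=value layout of lynis-report.dat, where each finding is
#   warning[]=TEST-ID|message|details|solution|
#   suggestion[]=TEST-ID|message|details|solution|
# The two reports below are constructed sample data (IDs and messages written
# in the Lynis style), not output of a real scan.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
YESTERDAY="$WORK/report-data-web01.20240101.txt"
TODAY="$WORK/report-data-web01.20240102.txt"

cat > "$YESTERDAY" <<'EOF'
# Lynis Report (constructed sample)
lynis_version=3.0.9
hardening_index=61
warning[]=MALW-3280|No malware scanner found|-|Install a malware scanner|
warning[]=PKGS-7392|Found one or more vulnerable packages|-|Update the system|
suggestion[]=AUTH-9286|Configure minimum and maximum password age|-|-|
EOF

cat > "$TODAY" <<'EOF'
# Lynis Report (constructed sample)
lynis_version=3.0.9
hardening_index=68
warning[]=MALW-3280|No malware scanner found|-|Install a malware scanner|
warning[]=SSH-7408|PermitRootLogin is enabled|-|Disable root login over SSH|
suggestion[]=AUTH-9286|Configure minimum and maximum password age|-|-|
EOF

# findings KIND FILE: print "TEST-ID<TAB>message" for each warning or suggestion, sorted
findings() {
    grep "^$1\[\]=" "$2" | cut -d= -f2- | awk -F'|' '{ print $1 "\t" $2 }' | sort
}

# hardening_index FILE: the 0-100 score Lynis prints at the end of a scan
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# count_findings KIND FILE: number of warnings or suggestions in the report
count_findings() {
    findings "$1" "$2" | wc -l | tr -d ' '
}

# new_warnings OLD NEW: warnings present in NEW but not in OLD (comm needs sorted input)
new_warnings() {
    findings warning "$1" > "$WORK/old.txt"
    findings warning "$2" > "$WORK/new.txt"
    comm -13 "$WORK/old.txt" "$WORK/new.txt"
}

# resolved_warnings OLD NEW: warnings that were in OLD and are gone from NEW
resolved_warnings() {
    findings warning "$1" > "$WORK/old.txt"
    findings warning "$2" > "$WORK/new.txt"
    comm -23 "$WORK/old.txt" "$WORK/new.txt"
}

# morning_report OLD NEW: the few lines worth reading over the first coffee
morning_report() {
    printf 'Hardening index: %s -> %s\n' "$(hardening_index "$1")" "$(hardening_index "$2")"
    printf 'Today: %s warning(s), %s suggestion(s)\n' \
        "$(count_findings warning "$2")" "$(count_findings suggestion "$2")"
    printf '\nNew warnings (look at these first):\n'
    new_warnings "$1" "$2"
    printf '\nResolved since yesterday:\n'
    resolved_warnings "$1" "$2"
}

morning_report "$YESTERDAY" "$TODAY"
```

On a real server, point YESTERDAY and TODAY at two consecutive report-data files in /var/log/lynis (or have the cron script call morning_report itself and mail the result). Diffing by test ID rather than by message keeps the output stable when Lynis rewords a finding between versions, and a warning that appears in the "New" list is the one to run `lynis show details` on first.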
