Vulnerability Scanning With 'lynis' (discovery of specific vulnerabilities) Presented by Dave Mawdsley, DACS Member, Linux SIG May 15, 2013

What Does 'lynis' Do? 1 lynis is a computer/server scannning tool running at the root level to find potential security issues. It looks for holes in the ways that the computers are set up and makes recommendations for improvements. Each item checked is described with: OK, WARNING, FOUND, WEAK, etc. Kinds of things that lynis can study: System tools, Boot loaders, startup services, Kernel: run level, loaded modules, kernel configuration, core dumps, Memory and processes: zombie processes, IO waiting processes, Users, groups and authentication: group IDs, sudoers, PAM configuration, password aging, default mask, File systems: mount points, /tmp files, root file system, Storage: usb-storage, firewire ohci, NFS Software: name services: DNS search domain, BIND Ports and packages: vulnerable/upgradable packages, security repository, Software: firewalls: iptables, pf,Software: webserver: Apache, nginx. SSH support: SSH configuration, SNMP support Databases: MySQL root password LDAP services, Software: php: php options, Scheduled tasks: crontab/cronjob, atd, Time and synchronization: ntp daemon, Cryptography: SSL certificate expiration, Security frameworks: AppArmor, SELinux, grsecurity status, Software: file integrity, Software: malware scanners, Home directories: shell history files, and other items.

Installing and Running lynis 2 In terminal the utility can installed with: sudo apt-get install lynis then get updates with: sudo lynis –check-update and then run the tool with interactive continuing with: sudo lynis -c

The lynis Logs 3 Once the scan is complete, it's time to see the issues. The full log is at: sudo nano /var/log/lynis.log The list of warnings is at: sudo grep Warning /var/log/lynis.log The list of suggestions is at: sudo grep Suggestion /var/log/lynis.log

A Few Other lynis Options 4 Scan options: --auditor "<name>" : Auditor name --check-all (-c) : Check system --no-log : Don't create a log file --profile <profile> : Scan the system with the given profile file --quick (-Q) : Quick mode, don't wait for user input --tests "<tests>" : Run only tests defined by <tests> --tests-category "<category>" : Run only tests defined by <category> Layout options: --no-colors : Don't use colors in output --quiet (-q) : No output, except warnings --reverse-colors : Optimize color display for light backgrounds Misc options: --check-update : Check for updates --view-manpage (--man) : View man page --version (-V) : Display version number and quit

Final Thoughts on lynis 6 Final Thoughts on lynis While the utility can find vulnerabilities, decisions have to be made as to the seriousness of the particular situation. For example, a file server in a LAN doesn't need as many protections as an Internet facing webserver making use of databases, DNS and e-mail. The more programs that are running on a server and particularly those that face the Internet, the more protections that are needed. Turning off unneeded programs certainly helps and would be a good first step. Any computer or server making use of money transactions in any form need special protections. Credit card transactions have strict rules that must be followed. Decisions related to fixing the vulnerabilities involve people, costs, politics, etc. Each situation brings with it the good, the bad and the ugly. A safe balance is what's needed.

Vulnerability Scanning With 'lynis' (discovery of specific vulnerabilities) This OpenOffice.org Presentation 'lynis.odp' can be downloaded from http://madmod.com/freebies.html