Lynis 2.3.3 - Security Auditing Tool for Unix/Linux Systems
We are excited to announce this major release of auditing tool Lynis. Several big
changes have been made to core functions of Lynis. These changes are the next of
simplification improvements we made. There is a risk of breaking your existing
configuration.
Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.
Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.
Supported operating systems
The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:
- AIX
- FreeBSD
- HP-UX
- Linux
- Mac OS
- NetBSD
- OpenBSD
- Solaris
- and others
It even runs on systems like the Raspberry Pi and several storage devices!
Installation optional
Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).
Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).
How it works
Lynis performs hundreds of individual tests, to determine the
security state of the system. The security scan itself consists of
performing a set of steps, from initialization the program, up to the
report.
Steps
- Determine operating system
- Search for available tools and utilities
- Check for Lynis update
- Run tests from enabled plugins
- Run security tests per category
- Report status of security scan
Besides the data displayed on screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.
Opportunistic scanning
Lynis scanning is opportunistic: it uses what it can find.
For example if it sees you are running Apache, it will perform an
initial round of Apache related tests. When during the Apache scan it
also discovers a SSL/TLS configuration,
it will perform additional auditing steps on that. While doing that,
it then will collect discovered certificates, so they can be scanned
later as well.
In-depth security scans
By performing opportunistic scanning, the tool can run with almost
no dependencies. The more it finds, the deeper the audit will be. In
other words, Lynis will always perform scans which are customized to
your system. No audit will be the same!
Use cases
Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Vulnerability detection and scanning
- System hardening
Resources used for testing
Many other tools use the same data files for performing tests.
Since Lynis is not limited to a few common Linux distributions, it uses
tests from standards and many custom ones not found
in any other tool.
- Best practices
- CIS
- NIST
- NSA
- OpenSCAP data
- Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)
Lynis Plugins
lugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.
Changelog
Upgrade notelugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.
Changelog
----------------------
Customized profiles that included sysctl settings need to be altered. See default.prf for the correct format of the lines.
Additions
----------------------
OpenStack detection
Option to disable automatic refresh of software repository
Japanese translation added, contributed by Yukio Takahara
Some tests did not show a warning text
Typo in man page for tests-from-group
New --bin-dirs to define binary directories to scan
New option --root-dir to specify a different file system to scan
Rewrite of nginx configuration parsing
Support for PHP 5.6
Redis test to detect configuration files
Test Redis configuration for several best practices
Perform permission check on Redis configuration files
Experimental features (in development)
----------------------
--bin-dirs - set what directories should be scanned for binaries
--root-dir - define the root of the file system, to allow forensics
Settings
Many settings have a new alias (with dashes instead underscores)
New setting 'show-report-solution' to show solution in report
Functions
----------------------
ExitFatal can now exit program with optional text
IsNotebook can detect if system is a notebook (or not)
ShowSymlinkPath and FileIsReadable test for at least one argument
StoreNginxSettings will save parsed nginx configuration
Tests
----------------------
BOOT-5108 - Support for Syslinux bootloader
DBS-1882 - Redis configuration detection
DBS-1884 - Redis 'requirepass' check
DBS-1886 - Redis 'rename-command CONFIG' check
DBS-1888 - Redis 'bind localhost' check
FILE-6374 - Improved logging
KRNL-5830 - Improved logging for detected Linux kernels
KRNL-6000 - Support for multiple profiles and new format style
LOGG-2190 - Ignore MySQL files in /tmp from early MySQL 5.x releases
LOGG-2192 - New test to check opened log files that are empty
Lynis Enterprise integration
----------------------
Tag 'redis-server' is added for systems running Redis
Lynis 2.3.3 - Security Auditing Tool for Unix/Linux Systems
Reviewed by Zion3R
on
11:27 AM
Rating: