How to scan Linux for vulnerabilities with lynis

Last updated on December 7, 2020 by Dan Nanni

As a system administrator, Linux security technician or system auditor, your responsibility can involve any combination of these: software patch management, malware scanning, file integrity checks, security audit, configuration error checking, etc. If there is an automatic vulnerability scanning tool, it can save you a lot of time checking up on common security issues.

One such vulnerability scanner on Linux is lynis. This tool is open-source (GPLv3), and actually supported on multiple platforms including Linux, FreeBSD, and Mac OS.

Install lynis on Linux

lynis is available as a shell script. To install lynis on Linux, you can download it from the official source as follows.
$ wget https://downloads.cisofy.com/lynis/lynis-3.0.1.tar.gz
$ sudo tar xvfvz lynis-3.0.1.tar.gz -C /opt

Scan for Linux Vulnerability with lynis

To scan your Linux system for any vulnerabilities using lynis, run the following command.

$ cd /opt/lynis
$ sudo ./lynis --check-all -Q

Once lynis starts scanning your system, it will perform auditing in a number of categories:

The screenshot of lynis in action is shown below:

Once scanning is completed, the auditing report of your system is generated and stored in /var/log/lynis.log.

The audit report contains warnings for potential vulnerabilities detected by the tool. For example:

$ sudo grep Warning /var/log/lynis.log
[20:20:04] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
[20:20:04] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
[20:20:06] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

The audit report also contains a number of suggestions that can help harden your Linux system. For example:

$ sudo grep Suggestion /var/log/lynis.log
[20:19:41] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
[20:19:41] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
[20:19:41] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
[20:19:41] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
[20:19:42] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
[20:19:42] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
[20:19:42] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
[20:20:03] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]
. . . .

Scan Your System for Vulnerabilities as a Daily Cron Job

To get the most out of lynis, it is recommended to run it on a regular basis, for example, as a daily cron job. When run with --cronjob option, lynis runs in automatic, non-interactive scan mode.

The following is a daily cron job script that runs lynis in automatic mode to audit your system, and archives daily scan reports.

$ sudo vi /etc/cron.daily/scan.sh
#!/bin/sh

AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

cd /opt/lynis
./lynis -c --auditor "${AUDITOR}" --cronjob > ${REPORT}

mv /var/log/lynis-report.dat ${DATA}
$ sudo chmod 755 /etc/cron.daily/scan.sh

Support Xmodulo

This website is made possible by minimal ads and your gracious donation via PayPal (Credit Card) or Bitcoin (BTC Wallet: 1M161JGAkz3oaHNvTiPFjNYkeABox8rb4g).

Xmodulo © 2020 ‒ About ‒ Powered by DigitalOcean