Lynis : Security Audit2026/02/03 |
|
Install Lynis which is the Security Audit Tool. |
|
| [1] | Install Lynis. |
|
root@dlp:~ # pkg install -y lynis
|
| [2] | This is the Basic usage of Lynis. |
|
# run like follows for initial scanning root@dlp:~ # lynis audit system [ Lynis 3.1.6 ] ################################################################################ Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under the terms of the GNU General Public License. See the LICENSE file for details about using this software. 2007-2025, CISOfy - https://cisofy.com/lynis/ Enterprise support available (compliance, plugins, interface and tools) ################################################################################ [+] Initializing program ------------------------------------ - Detecting OS... [ DONE ] - Checking profiles... [ DONE ] --------------------------------------------------- Program version: 3.1.6 Operating system: FreeBSD Operating system name: FreeBSD Operating system version: 15.0-RELEASE End-of-life: UNKNOWN Kernel version: GENERIC Hardware platform: amd64 Hostname: dlp --------------------------------------------------- Profiles: /usr/local/etc/lynis/default.prf Log file: /var/log/lynis.log Report file: /var/log/lynis-report.dat Report version: 1.0 Plugin directory: /usr/local/share/lynis/plugins --------------------------------------------------- Auditor: [Not Specified] Language: en Test category: all Test group: all --------------------------------------------------- - Program update status... [ NO UPDATE ] [+] System tools ------------------------------------ - Scanning available tools... - Checking system binaries... ..... ..... ================================================================================ Notice: No OS entry was found in the end-of-life database What to do: Please submit a pull request on GitHub to include your OS version and the end date of this OS version is being supported URL: https://github.com/CISOfy/lynis ================================================================================ Lynis 3.1.6 Auditing, system hardening, and compliance for UNIX-based systems (Linux, macOS, BSD, and others) 2007-2025, CISOfy - https://cisofy.com/lynis/ Enterprise support available (compliance, plugins, interface and tools) ================================================================================ [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /usr/local/etc/lynis/default.prf for all settings) |
| [3] | The report of scanning result is saved on [/var/log/lynis-report.dat]. Search the file with words [warning] or [suggestion], then it shows recommended settings like follows. |
|
root@dlp:~ # grep -E "^warning|^suggestion" /var/log/lynis-report.dat warning[]=AUTH-9204|Multiple users with UID 0 found in passwd file|-|-| warning[]=AUTH-9208|Multiple accounts found with same UID|-|-| suggestion[]=AUTH-9218|Determine if account is needed, as shell /usr/local/libexec/uucp/uucico does not exist|-|-| suggestion[]=AUTH-9328|Umask in /etc/login.conf could be more strict like 027|-|-| warning[]=SHLL-6202|Found unprotected console in /etc/ttys|-|-| suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separate partition|-|-| suggestion[]=NAME-4404|Add the IP name and FQDN to /etc/hosts for proper name resolving|-|-| warning[]=PKGS-7381|No vulnerability database available|pkg audit|text:Run pkg audit -F| suggestion[]=FIRE-4590|Configure a firewall/packet filter to filter incoming and outgoing traffic|-|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|ClientAliveCountMax (set 3 to 2)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|LogLevel (set INFO to VERBOSE)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxSessions (set 10 to 2)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (set 22 to )|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|TCPKeepAlive (set YES to NO)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|UseDNS (set YES to NO)|-| suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowAgentForwarding (set YES to NO)|-| suggestion[]=LOGG-2154|Enable logging to an external logging host for archiving purposes and additional protection|-|-| suggestion[]=ACCT-2754|Enable process accounting|-|-| suggestion[]=TIME-3128|Check ntpq peers output for time source candidates|-|-| suggestion[]=TOOL-5002|Determine if automation tools are present for system management|-|-| suggestion[]=FILE-7524|Consider restricting file permissions|See screen output or log file|text:Use chmod to change file permissions| suggestion[]=HOME-9304|Double check the permissions of home directories as some might be not strict enough.|-|-| suggestion[]=HOME-9306|Double check the ownership of home directories as some might be incorrect.|-|-| suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked||Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)| suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-| suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner, to perform periodic file system scans|-|Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh| |
|
|