Lynis : Security Audit
2026/06/12

Install Lynis, a security audit tool.

[1] Install Lynis.

root@dlp:~# apt -y install lynis

[2] Basic usage of Lynis.

# run as follows for an initial scan
root@dlp:~# lynis audit system
[ Lynis 3.1.6 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2025, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
---------------------------------------------------
Program version: 3.1.6
Operating system: Linux
Operating system name: Ubuntu
Operating system version: 26.04
End-of-life: UNKNOWN
Kernel version: 7.0.0
Hardware platform: x86_64
Hostname: dlp
---------------------------------------------------
Profiles: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /etc/lynis/plugins
---------------------------------------------------
Auditor: [Not Specified]
Language: en
Test category: all
Test group: all
---------------------------------------------------
- Program update status... [ NO UPDATE ]
===============================================================================
Lynis might be outdated
===============================================================================
Current version is more than 6 months old
This version might be outdated. Please check if there is a more recent version available.
Download locations:
Packages (DEB/RPM) - https://packages.cisofy.com/
Website (TAR) - https://cisofy.com/downloads/
GitHub - https://github.com/CISOfy/lynis
===============================================================================
[+] System tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugin: debian
[
[+] Debian Tests
------------------------------------
- Checking for system binaries that are required by Debian Tests...
- Checking /bin... [ FOUND ]
- Checking /sbin... [ FOUND ]
- Checking /usr/bin... [ FOUND ]
- Checking /usr/sbin... [ FOUND ]
- Checking /usr/local/bin... [ FOUND ]
- Checking /usr/local/sbin... [ FOUND ]
- Authentication:
- PAM (Pluggable Authentication Modules):
[WARNING]: Test DEB-0001 had a long execution: 16.492365 seconds
- libpam-tmpdir [ Not Installed ]
.....
.....
================================================================================
Lynis security scan details:
Scan mode:
Normal [ ] Forensics [ ] Integration [ ] Pentest [ ]
Lynis modules:
- Compliance status [?]
- Security audit [V]
- Vulnerability scan [V]
Details:
Hardening index : 68 [############# ]
Tests performed : 273
Plugins enabled : 1
Software components:
- Firewall [V]
- Intrusion software [V]
- Malware scanner [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Notice: This version of Lynis is older than 6 months and might be outdated. Check the project page if a newer version is available.
================================================================================
Notice: No OS entry was found in the end-of-life database
What to do:
Please submit a pull request on GitHub to include your OS version and the end date of this OS version is being supported
URL: https://github.com/CISOfy/lynis
================================================================================
Lynis 3.1.6
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2025, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
================================================================================
[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)

[3] The scan results are saved in /var/log/lynis-report.dat. Search that file for lines beginning with [warning] or [suggestion] to list the findings and their recommended settings, as shown below.

root@dlp:~# grep -E "^warning|^suggestion" /var/log/lynis-report.dat
suggestion[]=DEB-0280|Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions|-|-|
suggestion[]=DEB-0810|Install apt-listbugs to display a list of critical bugs prior to each APT installation.|-|-|
suggestion[]=DEB-0811|Install apt-listchanges to display any significant changes prior to any upgrade via APT.|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)|-|-|
suggestion[]=BOOT-5180|Determine runlevel and services at startup|-|-|
suggestion[]=BOOT-5264|Consider hardening system services|Run '/usr/bin/systemd-analyze security SERVICE' for each service|-|
warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|
suggestion[]=AUTH-9229|Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values|-|-|
suggestion[]=AUTH-9230|Configure password hashing rounds in /etc/login.defs|-|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separate partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separate partition|-|-|
suggestion[]=USB-1000|Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft|-|-|
suggestion[]=NAME-4404|Add the IP name and FQDN to /etc/hosts for proper name resolving|-|-|
suggestion[]=PKGS-7346|Purge old/removed packages (3 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts.|-|-|
suggestion[]=PKGS-7370|Install debsums utility for the verification of packages with known good database.|-|-|
suggestion[]=PKGS-7394|Install package apt-show-versions for patch management purposes|-|-|
suggestion[]=NETW-3200|Determine if protocol 'dccp' is really needed on this system|-|-|
suggestion[]=NETW-3200|Determine if protocol 'sctp' is really needed on this system|-|-|
suggestion[]=NETW-3200|Determine if protocol 'rds' is really needed on this system|-|-|
suggestion[]=NETW-3200|Determine if protocol 'tipc' is really needed on this system|-|-|
warning[]=MAIL-8818|Found some information disclosure in SMTP banner (OS or software name)|-|-|
suggestion[]=MAIL-8818|You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf)|-|-|
suggestion[]=MAIL-8820:disable_vrfy_command|Disable the 'VRFY' command|disable_vrfy_command=no|text:run postconf -e disable_vrfy_command=yes to change the value|
suggestion[]=HTTP-6640|Install Apache mod_evasive to guard webserver against DoS/brute force attempts|-|-|
suggestion[]=HTTP-6643|Install Apache modsecurity to guard webserver against web application attacks|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|ClientAliveCountMax (set 3 to 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|LogLevel (set INFO to VERBOSE)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxSessions (set 10 to 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (set 22 to )|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|TCPKeepAlive (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowAgentForwarding (set YES to NO)|-|
suggestion[]=LOGG-2154|Enable logging to an external logging host for archiving purposes and additional protection|-|-|
suggestion[]=LOGG-2190|Check what deleted files are still in use and why.|-|-|
suggestion[]=BANN-7126|Add a legal banner to /etc/issue, to warn unauthorized users|-|-|
suggestion[]=BANN-7130|Add legal banner to /etc/issue.net, to warn unauthorized users|-|-|
suggestion[]=ACCT-9622|Enable process accounting|-|-|
suggestion[]=ACCT-9628|Enable auditd to collect audit information|-|-|
suggestion[]=FINT-4402|Use SHA256 or SHA512 to create checksums in AIDE|-|-|
suggestion[]=TOOL-5002|Determine if automation tools are present for system management|-|-|
suggestion[]=FILE-7524|Consider restricting file permissions|See screen output or log file|text:Use chmod to change file permissions|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked||Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)|
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
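To work with that report as structured data rather than reading grep output, here is an added example (not part of Lynis or of this tutorial) that parses the TEST-ID|description|details|solution| entries of lynis-report.dat and groups tests that fire several times, such as SSH-7408; the sample lines are constructed from the output above.

```python
# Added example (not Lynis project code): parse warning/suggestion entries out
# of /var/log/lynis-report.dat.  The file is flat key=value; array keys end in
# "[]" and each finding value is  TEST-ID|description|details|solution|
from collections import defaultdict

# Constructed sample: entries copied from the grep output above plus one scalar key.
SAMPLE_REPORT = """\
# Lynis Report
hardening_index=68
warning[]=KRNL-5830|Reboot of system is most likely needed||text:reboot|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (set YES to NO)|-|
suggestion[]=MAIL-8820:disable_vrfy_command|Disable the 'VRFY' command|disable_vrfy_command=no|text:run postconf -e disable_vrfy_command=yes to change the value|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
"""

def parse_report(text):
    """Return (scalars, findings): scalars holds plain key=value lines, findings
    is a list of dicts with kind, test, desc, details and solution."""
    scalars, findings = {}, []
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key in ("warning[]", "suggestion[]"):
            fields = value.split("|")
            fields += [""] * (4 - len(fields))  # tolerate a truncated entry
            findings.append({
                "kind": key[:-2],               # "warning" or "suggestion"
                "test": fields[0],
                "desc": fields[1],
                "details": "" if fields[2] == "-" else fields[2],  # "-" means none
                "solution": "" if fields[3] == "-" else fields[3],
            })
        elif not key.endswith("[]"):
            scalars[key] = value
    return scalars, findings

def group_by_test(findings):
    """Map a test id (SSH-7408) to its details strings, so a test that fires
    several times is listed once with every setting it flagged."""
    grouped = defaultdict(list)
    for f in findings:
        test = f["test"].split(":")[0]  # MAIL-8820:disable_vrfy_command -> MAIL-8820
        grouped[test].append(f["details"] or f["desc"])
    return dict(grouped)

if __name__ == "__main__":
    for test, items in sorted(group_by_test(parse_report(SAMPLE_REPORT)[1]).items()):
        print(test, "->", "; ".join(items))
```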