Scan your Linux security with Lynis

Discussion in 'all things UNIX' started by guest, Aug 10, 2020.

  1. guest

    guest Guest

    How to read Lynis reports to improve Linux security
    Use Lynis' scans and reports to find and fix Linux security issues
    August 10, 2020
    https://opensource.com/article/20/8/linux-lynis-security
    Scan your Linux security with Lynis (May 12, 2020)
     
  2. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,938
    Location:
    North of the 38th parallel.
    Lynis for Linux, macOS, and Unix-based systems 3.0.7 Released (January 18, 2022)
    Homepage
    ## Lynis 3.0.7 ( 2022-01-18 )

    ### Added
    - MALW-3290 - Show status of malware components
    - OS detection for RHEL 6 and Funtoo Linux
    - Added service manager openrc

    ### Changed
    - DBS-1804 - Added alias for MariaDB
    - FINT-4316 - Support for newer Ubuntu versions
    - MALW-3280 - Added Trend Micro malware agent
    - NETW-3200 - Allow unknown number of spaces in modprobe blacklists
    - PKGS-7320 - Support for Garuda Linux and arch-audit
    - Several improvements for busybox shell
    - Russian translation of Lynis extended
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I hadn't seen this until today. Thanks @mood and @1PW !

    Installed and ran Audit option. This seems best suited for experienced IT personnel in an enterprise environment.

    I think for most home users of Linux, basic security measures such as enabling the firewall, requiring sudo elevation, a password to login to account, sticking to the recommended repositories and keeping everything up to date are probably adequate.
     
  4. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,938
    Location:
    North of the 38th parallel.
    Hello @wat0114

    I strongly agree with your assessment of Lynis. The tool can also find weak implementations of home user systems and application setups using the audit's notifications. In my own audit run, I may have found at least one security exposure that I'll need to investigate.

    Thank you @wat0114 for your post and to @mood for creating this topic.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I did follow the recommendation to strengthen file permissions on my home directory using the chmod command :thumb:
     
  6. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,938
    Location:
    North of the 38th parallel.
    I too likely have the same (HOME-9304) suggestion.
    Similarly, I also have a sensible suggestion in one of my computer's /opt directory. Excellent!

    Approximately twenty years ago, I first started using Michael Boelen's RKHunter when my then Red Hat Linux system had to "live" in a dangerous environment, and when his Lynis was released, I didn't need much convincing. Lynis has matured nicely.
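Added example, not part of any post in this thread and not Lynis code: a read-only check for the kind of home directory permission finding discussed in the two posts above, plus the chmod that tightens a flagged directory. The 750 baseline, the GNU/busybox `stat -c` syntax and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Lynis code): flag home directories looser than a baseline.
# Assumptions: GNU/busybox `stat -c %a`; baseline mode 750; function names are
# hypothetical.

# mode_is_loose MODE MAX: succeeds when MODE grants a permission bit MAX lacks.
# Only the rwx bits (0777) are compared; setuid/setgid/sticky are ignored.
mode_is_loose() {
    [ $(( 0$1 & ~0$2 & 0777 )) -ne 0 ]
}

# audit_home_dirs BASE [MAX]: print "MODE PATH" for each directory directly
# under BASE whose mode is looser than MAX (default 750).
audit_home_dirs() {
    base=$1
    max=${2:-750}
    for dir in "$base"/*/; do
        dir=${dir%/}
        # Skip unmatched globs and symlinks (never follow a link out of BASE).
        if [ ! -d "$dir" ] || [ -L "$dir" ]; then
            continue
        fi
        perms=$(stat -c '%a' "$dir") || continue
        if mode_is_loose "$perms" "$max"; then
            printf '%s %s\n' "$perms" "$dir"
        fi
    done
    return 0
}

# tighten_home_dir DIR: remove group write and all "other" access, leaving the
# owner bits untouched (755 -> 750, 711 -> 710, 700 stays 700).
tighten_home_dir() {
    chmod g-w,o-rwx -- "$1"
}

# Typical use on a Linux host (read-only report):
#   audit_home_dirs /home
```

Run the audit first and review its output before calling `tighten_home_dir`, since some service accounts rely on group or world access to their home directory.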
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Most suggestions on my non-standard install of Debian are not important for a non-shared home user, but I have also found something worth correcting. Thanks @mood
     
    Last edited: Jan 22, 2022
  8. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,938
    Location:
    North of the 38th parallel.
    Lynis for Linux, macOS, and Unix-based systems 3.0.8-100 (stable) was released. (17-May-2022)

    Homepage | Changelog | Download

    ### Added
    - MALW-3274 - Detect McAfee VirusScan Command Line Scanner
    - PKGS-7346 Check Alpine Package Keeper (apk)
    - PKGS-7395 Check Alpine upgradeable packages
    - EOL for Alpine Linux 3.14 and 3.15

    ### Changed
    - AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
    - FILE-7524 - Test enhanced to support symlinks
    - HTTP-6643 - Support ModSecurity version 2 and 3
    - KRNL-5788 - Only run relevant tests and improved logging
    - KRNL-5820 - Additional path for security/limits.conf
    - KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
    - KRNL-5830 - Add a presence check for /boot/vmlinuz
    - PRNT-2308 - Bug fix that prevented test from storing values correctly
    - Extended location of PAM files for AARCH64
    - Some messages in log improved

    I apologize to all for not noticing this update earlier.
     
    Last edited: Dec 27, 2022
  9. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,938
    Location:
    North of the 38th parallel.
    Lynis for Linux, macOS, and Unix-based systems 3.0.9 (stable) was released. (03-August-2023)

    Homepage | Changelog | Download | Installation

     
  10. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,938
    Location:
    North of the 38th parallel.
    Lynis for Linux, macOS, and Unix-based systems 3.1.0 (stable) has been released. (11-March-2024)

    Homepage | Changelog | Download | Installation | GitHub | Documentation

    SHA-256: ca192ac67411b07ec8421d579b1f16c038299ff727a53d739403b729817bc2e7

    ## Lynis 3.1.0 (2024-03-11)

    ### Added
    - Translation: Indonesian

    ### Changed
    - MALW-3280 - Correction to detect com.avast.daemon
    - OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP LSDK, OpenEmbedded “nodistro”, and The Yocto Projects distro “Poky”
    - Updated Amazon Linux EOL dates and addition of Amazon Linux 2023
    - STATUS_NOT_ACTIVE variable added to translation files
    - End-of-life dates updated
    - Fixing missing or erroneous test number comments
    - Detection of SentinelOne corrected
    - Wazuh for file integrity and tooling
    - Updated parsing output of arch-audit
    - Added support for SentinelOne detection
    - Replacing deprecated option -i for xargs
    - Path detection for PostgreSQL improved
     
    Last edited: Mar 11, 2024
  11. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
  12. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,938
    Location:
    North of the 38th parallel.
    Lynis for Linux, macOS, and Unix-based systems 3.1.1 (stable) has been released. (17-March-2024)

    Homepage | Changelog | Download | Installation | GitHub | Documentation

    SHA256 hash: d72f4ee7325816bb8dbfcf31eb104207b9fe58a2493c2a875373746a71284cc3

    ## Lynis 3.1.1 (2024-03-17)

    ### Added
    - Detection of ArcoLinux

    ### Changed
    - DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf)
    - DBS-1882 - Check /snap directory location for Redis configuration file
     