So you’ve got your system up and running the way you like it, but you’re wondering: what else can I do to harden my server?
Lynis to the rescue!
Lynis is an open-source auditing tool that will run through a suite of common vulnerability checks and general best practices and give you a summary of your system's status and a list of recommendations.
You're interested? Let's get started.
I like to run it out of /opt, so we’ll cd there.
cd /opt
Next, download the tool by checking the Lynis download page for the newest version. In my case that was 2.6.2.
sudo wget https://cisofy.com/files/lynis-2.6.2.tar.gz
and extract it:
tar -xvf lynis-2.6.2.tar.gz
cd lynis
And that's all there is to it!
You can execute ./lynis now to run a scan.
This isn’t the end of the journey, though: what if I want to run this as a cron job and have it email me the output?
To run Lynis as a cron job we’ll call it with the following options:
./lynis audit system --cronjob
Unfortunately that will only run Lynis and dump a report file on the local file system. To have it email us the results, we’ll have to write a little script.
I've whipped up the following:
#!/usr/bin/env bash
# Abort on unset variables so a typo in a path can't silently mail an empty report.
set -u

CURDATE=$(date '+%d-%m-%Y %H:%M')   # human-readable timestamp for the subject line
FILEDATE=$(date '+%d%m%Y')          # compact date used in the report file name
LYNIS_PATH=/opt/lynis
REPORT="$LYNIS_PATH/scan_$FILEDATE.txt"

cd "$LYNIS_PATH"
# --cronjob runs non-interactively and without colours, which is what we want unattended.
./lynis audit system --cronjob > "$REPORT"

# Read back the same file the scan just wrote (the name must include the .txt suffix).
MAILCONTENT=$(cat "$REPORT")
# A blank line separates the mail headers from the body.
echo "From: [from Name]
To: [to Address]
Subject: Lynis Scan - $CURDATE

$MAILCONTENT" | /usr/sbin/sendmail [to Address]
Save this script as lynis_mail.sh and don’t forget to mark it as executable:
sudo chmod +x /path/to/your/script/lynis_mail.sh
Finally, set up your cron job to run, for example, every Monday morning at 5:30 so it's ready for you to browse on your commute to work 😂
sudo crontab -e
30 5 * * MON /path/to/your/script/lynis_mail.sh
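As an added example (not code from the original post or from the Lynis project), here is a version of the mail-building step that refuses to send when the report file is missing or empty, which is exactly what a wrong file name in the script above would otherwise do silently every Monday, and that puts a finding count in the subject line. It assumes Lynis's machine-readable report (by default /var/log/lynis-report.dat) uses key=value lines with warning[]= and suggestion[]= entries; the sample report is constructed in that layout, and the addresses are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. It builds the report e-mail
# for a cron run without sending it, so the mail body can be checked first.
# Assumption: Lynis also writes a key=value report (lynis-report.dat); the
# sample below is constructed in that layout and is not real scan output.
set -u

# write_sample_report: create a constructed report file and print its path.
write_sample_report() {
  local f
  f=$(mktemp "${TMPDIR:-/tmp}/lynis-sample.XXXXXX")
  cat > "$f" <<'EOF'
report_version_major=1
hostname=example-host
warning[]=SAMPLE-0001|Sample warning one|-|-|
warning[]=SAMPLE-0002|Sample warning two|-|-|
suggestion[]=SAMPLE-0003|Sample suggestion|-|-|
EOF
  echo "$f"
}

# count_findings KIND REPORT: number of "KIND[]=" lines (warning or suggestion).
# Prints 0 and returns 1 when the report cannot be read.
count_findings() {
  local kind="$1" report="$2"
  [ -r "$report" ] || { echo 0; return 1; }
  grep -c "^${kind}\[\]=" "$report" || true
}

# build_lynis_mail REPORT FROM TO: print a complete message to stdout.
# Returns 1 if the report is missing or empty so cron never mails a blank scan.
build_lynis_mail() {
  local report="$1" from="$2" to="$3"
  if [ ! -s "$report" ]; then
    echo "lynis report '$report' is missing or empty" >&2
    return 1
  fi
  local warnings suggestions
  warnings=$(count_findings warning "$report")
  suggestions=$(count_findings suggestion "$report")
  # Blank line after the headers separates them from the body.
  printf 'From: %s\nTo: %s\nSubject: Lynis Scan - %s [warnings=%s suggestions=%s]\n\n' \
    "$from" "$to" "$(date '+%d-%m-%Y %H:%M')" "$warnings" "$suggestions"
  cat "$report"
}

# Demo on the constructed sample. In a real cron job you would pipe the output
# into /usr/sbin/sendmail "$TO" exactly as the script in the post does.
SAMPLE=$(write_sample_report)
build_lynis_mail "$SAMPLE" "lynis@example.invalid" "admin@example.invalid"
rm -f "$SAMPLE"
```

Because build_lynis_mail returns non-zero on a missing or empty report, a cron wrapper can log that condition (or mail a short failure notice) instead of delivering an empty scan that nobody notices.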