Article / 2018

Lynis - Linux Server Auditing

So you’ve got your system up and running the way you like it, but you're wondering: what else can I do to harden my server?


Lynis to the rescue!

Lynis is an open-source auditing tool that will run through a suite of common vulnerability checks and general best practices and give you a summary of your system's status and a list of recommendations.

You're interested? Let's get started.

I like to run it out of /opt, so we’ll cd there.

bash
cd /opt

Next, download the tool by checking the Lynis download page for the newest version. In my case, that's 2.6.2.

bash
sudo wget https://cisofy.com/files/lynis-2.6.2.tar.gz

Then extract it (sudo again, since the archive was downloaded into /opt as root):

bash
sudo tar -xvf lynis-2.6.2.tar.gz
cd lynis

And that's all there is to it!

You can now run ./lynis audit system to start a scan.

This isn’t the end of the journey, though. What if I want to run this as a cron job and have the output emailed to me?

To run lynis as a cron job we’ll define the lynis command with the following options:

bash
./lynis audit system --cronjob

Unfortunately that will only run lynis and dump a report file on our local file system. In order to have it email us the results we’ll have to write a little script.

I've whipped up the following:

bash
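#!/usr/bin/env bash

# Timestamp for the subject line and a date stamp for the output file name
CURDATE=$(date '+%d-%m-%Y %H:%M')
FILEDATE=$(date '+%d%m%Y')
LYNIS_PATH=/opt/lynis
SCAN_FILE="$LYNIS_PATH/scan_$FILEDATE.txt"

# Lynis is run from its own directory; stop if that directory is missing
cd "$LYNIS_PATH" || exit 1

./lynis audit system --cronjob > "$SCAN_FILE"

MAILCONTENT=$(cat "$SCAN_FILE")

# Replace the [from Name] and [to Address] placeholders before use.
# The empty line after Subject separates the headers from the body.
echo "From: [from Name]
To: [to Address]
Subject: Lynis Scan - $CURDATE

$MAILCONTENT" | /usr/sbin/sendmail [to Address]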

Save this script as lynis_mail.sh and don’t forget to mark it as executable:

bash
sudo chmod +x /path/to/your/script/lynis_mail.sh

Finally, set up your cron job to run, for example, every Monday morning at 5:30 so it's ready for you to browse on your commute to work 😂

bash
sudo crontab -e
 
30 5 * * MON /path/to/your/script/lynis_mail.sh
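
If the full scan output is more than you want in your inbox, the report file that Lynis dumps on the local file system can be condensed into a short mail body first. The following is an added example, not part of the original script or the Lynis project; it assumes the report is at the default location /var/log/lynis-report.dat and uses the key=value layout described in the comments, and the sample report in it is constructed.

```shell
#!/usr/bin/env bash
# Added example: condense a Lynis report file into a short e-mail body.
# Assumed format: key=value lines; findings are warning[]=ID|text|...| and
# suggestion[]=ID|text|...| entries; the score is in hardening_index.

# Print the value of a single-valued key (nothing if the key is absent).
report_value() {    # $1 = key, $2 = report file
    awk -v k="$1=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }' "$2"
}

# Print "ID: description" for each warning[] or suggestion[] entry.
report_findings() { # $1 = warning|suggestion, $2 = report file
    awk -v k="${1}[]=" 'index($0, k) == 1 {
        split(substr($0, length(k) + 1), f, "|")
        printf "%s: %s\n", f[1], f[2]
    }' "$2"
}

# Score first, then every warning, then only a count of suggestions.
summarize_report() {
    local report=$1 warnings suggestions
    [ -r "$report" ] || { echo "cannot read $report" >&2; return 1; }
    warnings=$(report_findings warning "$report")
    suggestions=$(report_findings suggestion "$report")
    echo "Hardening index: $(report_value hardening_index "$report")"
    echo "Warnings: $(printf '%s' "$warnings" | grep -c . || true)"
    if [ -n "$warnings" ]; then printf '%s\n' "$warnings" | sed 's/^/  /'; fi
    echo "Suggestions: $(printf '%s' "$suggestions" | grep -c . || true)"
}

# Constructed sample report (not output from a real scan).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
report_version_major=1
hardening_index=62
warning[]=AUTH-9308|No password set for single mode|-|-|
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|-|-|
EOF

summarize_report "$SAMPLE"
```

In lynis_mail.sh, the functions could be pasted above the scan command and `MAILCONTENT=$(summarize_report /var/log/lynis-report.dat)` used in place of the `cat` line.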