Lynis - Linux Server Auditing

So you’ve got your system up and running the way you like it, but your wondering what else can I do to harden my server?

Lynis to the rescue!

Lynis is an open-source auditing tool that will run through a ton a of vulnerability checks and general best practice type checks and give you a thorough summary of your system at the end.
The best part is, its super easy to run and even automate with a cronjob 1/week or 1/month.

So lets get started!

I like to run it out of /opt, so we’ll cd there.

cd /opt

Then we’ll download the tool. Please check the lynis download page for the newest version

sudo wget https://cisofy.com/files/lynis-2.6.2.tar.gz

and extract it

 tar -xvf lynis-2.6.2.tar.gz
cd lynis

And that was actually all there is to it!

You can run ./lynis now to run a scan.

Now of course this isn’t the end of your journey. I want to run this as a cronjob and email me the output.

So to run lynis as a cron job we’ll define the lynis command with the following options:

./lynis audit system --cronjob

Unfortunately that will only run lynis and dump a report file on our system. In order to have it email us the results we’ll have to write a little script.

I whipped up the following:

#!/bin/bash

###################
\# VARIABLES
###################

CURDATE=$(date '+%d-%m-%Y %H:%M')
FILEDATE=$(date '+%d%m%Y')
LYNIS_PATH=/opt/lynis

cd $LYNIS_PATH

./lynis audit system --cronjob > $LYNIS_PATH/scan_$FILEDATE.txt

MAILCONTENT=$(cat $LYNIS_PATH/scan_$FILEDATE)

echo "From: [from Name]
To: [to Address]
Subject: Lynis Scan - $CURDATE

$MAILCONTENT"
| /usr/sbin/sendmail [to Address]

This gets saved in, for example, lynis_mail.sh

Don’t forget to mark this as executable:

sudo chmod +x /path/to/your/script/lynis_mail.sh

And finally, set your cronjob like this for example to run every Monday morning at 5:30 so you can browse it on your commute to work in the train 😉

sudo crontab -e

30 5 * * MON /path/to/your/script/lynis_mail.sh