Install Lynis (Linux Auditing Tool) in RHEL/CentOS 6.3/5.6, Fedora 17-12

Lynis is an open source and powerful auditing tool for Unix-like operating systems. It scans the system for security information, general system information, installed and available software, configuration mistakes, security issues, user accounts without a password, wrong file permissions, firewall auditing, etc.

Lynis is one of the most trusted automated auditing tools for software patch management, malware scanning and vulnerability detection on Unix-based systems. This tool is useful for auditors, network and system administrators, security specialists and penetration testers.

[Figure: Install Lynis in RHEL / CentOS / Fedora]

In this article we are going to see how to install Lynis (Linux Auditing Tool) in RHEL 6.3/6.2/6.1/6/5.8/5.6/4.0, CentOS 6.3/6.2/6.1/6/5.8/5.6/4.0 and Fedora 17,16,15,14,13,12 using source tarball files.

Installation of Lynis

Lynis doesn’t require any installation; it can be used directly from any directory. So it’s a good idea to create a custom directory for Lynis under /usr/local/lynis.

# mkdir /usr/local/lynis

Download the stable version of the Lynis source files from the trusted website using the wget command and unpack it using the tar command, as shown below.

# cd /usr/local/lynis
# wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
# tar -xvf lynis-1.3.0.tar.gz
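
The download above arrives over plain HTTP and is unpacked as root, so it is worth checking the archive before extracting it. The following is an added example, not part of the original article or of the Lynis project: it compares the tarball's SHA-256 with a value obtained separately from the publisher and refuses archives whose members are not all under one top-level directory. The function names and EXPECTED_SHA256 are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example (not from the article): check a tarball before unpacking as root.

# verify_sha256 FILE EXPECTED -> 0 only if FILE's SHA-256 equals EXPECTED
verify_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# archive_is_contained FILE -> 0 only if every member sits under a single
# top-level directory and no member is absolute or has a ".." component
archive_is_contained() {
    tar -tf "$1" | awk '
        {
            if ($0 ~ /^\//) bad = 1
            line = $0
            sub(/^\.\//, "", line)
            n = split(line, part, "/")
            for (i = 1; i <= n; i++) if (part[i] == "..") bad = 1
            if (part[1] != "") top[part[1]] = 1
        }
        END {
            count = 0
            for (t in top) count++
            if (bad || count != 1) exit 1
        }'
}

# unpack_verified FILE EXPECTED DESTDIR -> extracts only if both checks pass
unpack_verified() {
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    archive_is_contained "$1" || { echo "unexpected paths in $1" >&2; return 1; }
    # --no-same-owner: files end up owned by the extracting user, not by
    # whatever uid/gid the archive recorded
    tar -xf "$1" -C "$3" --no-same-owner
}

# Usage with the article's file name; EXPECTED_SHA256 is a placeholder for the
# value the publisher lists, fetched over a channel other than the download:
#   unpack_verified lynis-1.3.0.tar.gz "$EXPECTED_SHA256" /usr/local/lynis
```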

Running and Using Lynis Basics

You must be the root user to run Lynis, because it creates and writes its output to the /var/log/lynis.log file. To run Lynis, execute the following commands.

# cd lynis-1.3.0
# ./lynis

Running ./lynis without any option prints a complete list of the available parameters and returns to the shell prompt. See the figure below.

[Figure: Lynis Parameters]

To start the Lynis process, you must pass the --check-all parameter to begin scanning your entire Linux system. Use the following command to start the scan with this parameter.

# ./lynis --check-all

Once you execute the above command, it starts scanning your system and asks you to press [Enter] to continue, or [CTRL]+C to stop, after every section it scans and completes. See the figure below.

[Figure: Lynis Scan Progress]

To avoid this acknowledgment (i.e. “press enter to continue”) while scanning, use the -c and -Q parameters as shown below.

# ./lynis -c -Q

It will do a complete scan without waiting for any user acknowledgment. See the following figure.

[Figure: Lynis Complete Scan]

Creating Lynis Cronjobs

If you would like to create a daily scan report of your system, then you need to set a cron job for it. Run the following command at the shell.

# crontab -e

Add the following cron job with the --cronjob option, so that all special characters are left out of the output and the scan runs completely automated. Entries added with crontab -e take no user field, so the command follows the five time fields directly.

30	22	*	*	*	/path/to/lynis -c -Q --auditor "automated" --cronjob

The above example cron job runs daily at 10:30pm and creates a daily report in the /var/log/lynis.log file.

Lynis Scanning Results

While scanning you will see results shown as [OK] or [WARNING]. [OK] is generally considered a good result and [WARNING] a bad one, but an [OK] does not guarantee that the item is correctly configured, and a [WARNING] is not necessarily bad. Read the log at /var/log/lynis.log and then take corrective steps to fix the issues it reports.

In most cases, the scan provides suggestions to fix problems at the end of the scan. See the figure below, which shows a list of suggestions.

[Figure: Lynis Suggestions]
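
With --cronjob the scan output is plain text, so the [WARNING] lines of a saved run can be pulled out and grouped by section for review. This is an added example, not part of the original article or of Lynis; it assumes section headers begin with "[+]" and each result line ends in a bracketed status, and the sample scan text and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): list the [WARNING] results of a saved
# scan, prefixed with the section they belong to.

# sample_scan -> prints constructed scan output (not real Lynis results)
sample_scan() {
    cat <<'EOF'
[+] Users, Groups and Authentication
  - Checking accounts without password                        [ OK ]
  - Checking password file consistency                        [ WARNING ]
[+] File Permissions
  - Checking /etc/example.conf permissions                    [WARNING]
[+] Firewalls
  - Checking iptables kernel module                           [ FOUND ]
EOF
}

# lynis_warnings FILE -> prints "section: check" for each warning and
# returns 1 if at least one was found, 0 otherwise (useful as a cron status)
lynis_warnings() {
    awk '
        /^\[\+\]/ {
            section = $0
            sub(/^\[\+\] */, "", section)
            next
        }
        /\[ *WARNING *\][ \t]*$/ {
            item = $0
            sub(/[ \t]*\[ *WARNING *\][ \t]*$/, "", item)   # drop the status
            sub(/^[ \t]*-? */, "", item)                    # drop the bullet
            print section ": " item
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Usage, where scan.txt is a hypothetical file holding redirected scan output:
#   lynis_warnings scan.txt || echo "review the warnings above"
```

An [OK] that is absent from this list still needs the judgement described above; the summary only narrows down where to start reading in /var/log/lynis.log.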

Updating Lynis

If you want to update or upgrade the current Lynis version, simply type the following command; it will download and install the latest version of Lynis.

# ./lynis --check-update

See the output of the above command in the figure below. It says our Lynis version is up-to-date.

[Figure: Lynis Update Check]

Lynis Parameters

Some of the Lynis parameters for your reference.

  1. --check-all or -c : Start the scan.
  2. --check-update : Checks for Lynis update.
  3. --cronjob : Runs Lynis as cronjob (includes -c -Q).
  4. --help or -h : Shows valid parameters.
  5. --quick or -Q : Don’t wait for user input, except on errors.
  6. --version or -V : Shows Lynis version.

That’s it. We hope this article helps you figure out security issues on running systems. For more information, visit the official Lynis page at http://www.rootkit.nl/projects/lynis.html.

Ravi Saive

Owner at TecMint.com

6 Responses

  1. John says:

    I tried to download lynis but it failed to download after hitting save and clicking twice on option to open.

  2. Young man says:

    Am I wrong? What I do is the following:

    1. mkdir /usr/local/lynis
    2. cd /usr/local/lynis
    3. wget http://cisofy.com/files/lynis-1.6.3.tar.gz
    4. tar -xvf lynis-1.6.3.tar.gz
    5. cd /lynis-1.6.3 i got this message (-bash: cd: /lynis-1.6.3: No such file or directory)

    What is wrong with me
    Hope to help

    • Ravi Saive says:

      Step 5 is wrong: you extracted the contents of lynis-1.6.3.tar.gz in the current working directory, so the command is:

      # cd lynis-1.6.3
      
  3. Young man says:

    Hello,
    Is Lynis only used to scan the server, or can I also scan one user (one website)?

    Thanks

This work is licensed under a (cc) BY-NC.
© 2012-2014 All Rights Reserved.