
Assessment Methodologies: Auditing Fundamentals¶
- Introduction to Security Auditing
- Governance, Risk & Compliance
- From Auditing to Penetration Testing
Introduction to Security Auditing¶
GRC¶
From Auditing to Penetration Testing¶
This is an Example Track
Lynis: A Security Auditing Tool¶
Lynis is a widely used open-source security auditing and compliance testing tool for Unix-based systems (including Linux, macOS, BSD, and similar platforms). Its primary purpose is to scan and evaluate the security posture of a system, checking for any vulnerabilities, misconfigurations, or security best-practice violations.
Background and Overview¶
- Author/Maintainer: Lynis was created by Michael Boelen (CISOfy).
- Open-source: Licensed under the GPL (GNU General Public License), so it's freely available on GitHub and other distribution channels.
- Supported Operating Systems: Linux, macOS, FreeBSD, OpenBSD, NetBSD, and various Unix-like operating systems.
- Use Cases:
- Security auditing of production servers, endpoints, or development systems.
- Compliance checks against standards like PCI-DSS, HIPAA, SOX, ISO27001, or internal organizational policies.
- Hardening existing systems by discovering weak configurations.
- Automating system checks on a scheduled basis (e.g., via cron).
How Lynis Works¶
- Shell Script-based
- Lynis primarily consists of shell scripts. It does not require complex dependencies like databases or heavy libraries, making it easy to deploy.
- You can install it from repositories (if provided) or simply download and run the shell script as root.
- Auditing Modes
- System Audit: Scans the local system for security misconfigurations, installed software versions, permission settings, etc.
- Compliance Mode: Checks the system against specific guidelines or frameworks to measure compliance.
- Plugin-like Architecture
- Lynis uses a set of tests or modules (in the form of shell scripts or plugin files). Each module focuses on a specific area, like file permissions, kernel parameters, malware scanning, logging, network configuration, etc.
- The tool executes these modules sequentially, collecting data and logging findings.
- Reporting
- When a scan completes, Lynis displays an interactive report in the terminal and also writes data to a log file (e.g., /var/log/lynis.log).
- This report highlights warnings, suggestions, or errors. It also includes a hardening index that approximates how securely configured the system is, based on Lynis's checks.
Key Features and Audit Categories¶
Lynis performs checks across a broad set of system components and configurations:
- Operating System
- Verifies OS details and kernel parameters (e.g., sysctl settings), looking for unsafe defaults or recommended improvements.
- File Systems and File Permissions
- Checks for world-readable files in sensitive locations and permission issues on /etc/shadow, /etc/passwd, or key files like .ssh/authorized_keys.
- User Accounts and Authentication
- Looks at password policies, idle timeout configurations, known default accounts, and usage of strong ciphers for SSH and other services.
- Services and Daemons
- Identifies enabled services at boot, checks if unneeded or insecure services are running.
- Examines default configurations (e.g., Apache, MySQL) for potential misconfigurations.
- Networking
- Inspects firewall settings (like iptables, nftables), listening ports, IP forwarding, and ephemeral port ranges.
- Logging and Auditing
- Ensures system logs are stored properly, log rotation is configured, and solutions like Auditd or SELinux (where applicable) are properly enabled.
- Cryptography Settings
- Checks if SSL/TLS or SSH uses weak ciphers or known vulnerable protocols (e.g., SSLv2, SSLv3).
- Intrusion Detection
- Searches for the presence of intrusion detection or prevention systems (like AIDE, OSSEC).
- Suggests installing or activating these if not found.
- Security Best Practices
- Provides suggestions for system hardening, such as restricting compilers, limiting the use of sudo, enabling SELinux or AppArmor, etc.
- Malware Scanning Integration
- While Lynis itself is not an anti-malware tool, it can check if you have solutions like ClamAV installed and configured properly.
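To make the "sequential test modules" model from the sections above concrete, here is a miniature audit runner written for this page as an illustration; it is not code from the Lynis project and does not reproduce Lynis's real tests. Each check is a shell function that either passes or records a finding in a Lynis-report-like "ID|severity|message" form, covering two of the categories listed above (file permissions and kernel parameters). The test IDs (DEMO-xxxx), the permission ceilings and the hardened sysctl values are choices made for the example, and the script assumes Linux (GNU stat -c, kernel parameters readable under /proc/sys).

```shell
#!/bin/sh
# Added illustration, not Lynis code: a tiny audit runner in the style of
# Lynis's sequential test modules. Every check returns 0 (pass) or 1 (finding)
# and appends "ID|severity|message" to FINDINGS. Test IDs and policy values
# are assumptions for the example. Assumes Linux: GNU stat -c and /proc/sys.

FINDINGS=""                               # accumulated findings, one per line
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}     # overridable so the checks run offline

record() {                                # record <id> <severity> <message>
    FINDINGS="${FINDINGS}$1|$2|$3
"
}

# check_mode <path> <max-octal-mode> <id>
# Finding when the file carries permission bits beyond the allowed maximum
# (e.g. /etc/shadow must never be group- or world-readable).
check_mode() {
    path=$1 allowed=$2 id=$3
    [ -e "$path" ] || return 0            # file absent: nothing to check
    mode=$(stat -c %a "$path") || return 0
    # any bit set in the actual mode but not in the allowed mode is a problem
    if [ $(( 0$mode & ~0$allowed )) -ne 0 ]; then
        record "$id" warning "$path has mode $mode, expected at most $allowed"
        return 1
    fi
    return 0
}

# check_sysctl <key> <expected> <id>
# Finding when a kernel parameter differs from the hardened value; the value
# is read from /proc/sys, so no sysctl binary is needed.
check_sysctl() {
    key=$1 expected=$2 id=$3
    file="$SYSCTL_ROOT/$(printf '%s' "$key" | tr . /)"
    [ -r "$file" ] || return 0            # parameter not present on this kernel
    actual=$(cat "$file")
    if [ "$actual" != "$expected" ]; then
        record "$id" suggestion "$key is $actual, recommended $expected"
        return 1
    fi
    return 0
}

# run_audit: execute the modules in sequence, print the findings and a
# summary, and return the number of findings (0 means a clean run).
run_audit() {
    FINDINGS=""
    n=0
    check_mode /etc/shadow 640 DEMO-0001 || n=$((n + 1))
    check_mode /etc/passwd 644 DEMO-0002 || n=$((n + 1))
    check_mode /root/.ssh/authorized_keys 600 DEMO-0003 || n=$((n + 1))
    check_sysctl net.ipv4.ip_forward 0 DEMO-0010 || n=$((n + 1))
    check_sysctl kernel.randomize_va_space 2 DEMO-0011 || n=$((n + 1))
    printf '%s' "$FINDINGS"
    printf 'Findings: %d\n' "$n"
    return "$n"
}

# Stand-alone use: `sh demo_audit.sh run` (as root for the /root check).
if [ "${1:-}" = run ]; then run_audit; exit $?; fi
```

Setting SYSCTL_ROOT to a directory of constructed value files lets the sysctl checks be exercised on a machine where the real parameters should not be touched, which is the same reason Lynis itself only reads and reports rather than changing anything.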
Installing and Running Lynis¶
Installation Methods¶
- Package Manager (If Available)
- On Debian-based systems:
    sudo apt-get update
    sudo apt-get install lynis
- On RPM-based systems:
    sudo yum install lynis   # or dnf
- Not all distros include Lynis in the default repos, so you may need to install from source or the official Lynis tarball.
- Direct Download
- Obtain Lynis from https://cisofy.com/download/lynis/ or GitHub.
- Unpack the tarball (e.g., tar xvf lynis-xxxx.tar.gz) and move into the extracted directory.
Basic Usage¶
- Full System Audit
    sudo ./lynis audit system
- This is the most common command; it runs a comprehensive set of checks.
- You can run it as root to ensure it has the necessary permissions for thorough testing.
- Interactive Mode
- Some distribution versions of Lynis use -c or --check-all:
    sudo lynis -c
- The tool will stop or wait for confirmations on certain steps unless you specify -Q (quick mode) to avoid prompts.
- Check Specific Tests
- You can specify a category or specific test:
    sudo ./lynis audit system --tests-from-group malware,authentication
  This runs only the malware and authentication tests.
- View the Log
- By default, Lynis logs its output to /var/log/lynis.log. Inspect that file for the raw details.
- The interactive on-screen report is more summarized.
Interpret the Output¶
Once Lynis completes, you'll see:
- Hardening Score: A numeric representation of your overall security posture. While not an official standard, it gives a quick sense of whether the system is generally well-configured.
- Warnings (Red) and Suggestions (Yellow):
- Warnings usually indicate misconfigurations or security issues that should be addressed quickly (e.g., "SSH root login is enabled!").
- Suggestions are recommended improvements (e.g., "Install and enable a firewall," or "Disable unneeded services").
A snippet of typical Lynis output might look like:
    ----------------------------
    System Audit Summary
    ----------------------------
    Hardening index : 75 [details: 53 tests done]
    Tests performed : 207
    Warnings : 3
    Suggestions : 5
Tips and Best Practices¶
- Run Regularly
- Systems drift over time—configuration changes, updates, new software. Schedule Lynis runs (e.g., monthly) to track changes and ensure compliance.
- Follow Up on Warnings
- Each warning typically comes with a unique identifier that you can use to look up details in Lynis's documentation or logs. Address them in your configuration or system setup.
- Tie into Configuration Management
- If you use Chef, Ansible, or Puppet, you can incorporate Lynis checks or at least automate the scans post-deployment.
- Automate Reporting
- You can parse the output logs or use the generated logs to create your own dashboards or compliance reports. Some security teams embed Lynis into CI/CD pipelines for continuous auditing.
- Combine with Other Tools
- Lynis is great at analyzing local configurations. For external vulnerability or network scans, you might still rely on tools like Nmap, OpenVAS, or Nessus. Lynis complements these by focusing on the inside of the host.
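The "Run Regularly" and "Automate Reporting" tips above come together in a wrapper like the following, written for this page as an added example (it is not part of Lynis). It runs the audit non-interactively with --cronjob, then parses the machine-readable report Lynis writes alongside its log (/var/log/lynis-report.dat, key=value lines such as hardening_index=75, warning[]=... and suggestion[]=...) and fails when the hardening index is below a threshold or any warning is present, so the same script can serve a cron job or a CI/CD gate. The MIN_INDEX policy value, the DEMO-xxxx identifiers in the constructed sample, and the assumption that the first two |-separated fields of a warning[] or suggestion[] entry are the test ID and description are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of Lynis: cron/CI wrapper that runs a non-interactive
# audit and gates on the machine-readable report. Assumes Lynis writes
# key=value lines to /var/log/lynis-report.dat when run as root, with findings
# as warning[]=TEST-ID|description|... and suggestion[]=TEST-ID|description|...
# The threshold below is an assumed policy value, not a Lynis default.

REPORT=${REPORT:-/var/log/lynis-report.dat}
MIN_INDEX=${MIN_INDEX:-70}       # assumed policy: fail below this hardening index

# report_value <file> <key>: print the value of a scalar key (e.g. hardening_index)
report_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# report_findings <file> <kind>: list warning[] or suggestion[] entries as
# "TEST-ID: description", one per line (first two |-separated fields)
report_findings() {
    sed -n "s/^$2\[]=//p" "$1" | awk -F'|' '{ print $1 ": " $2 }'
}

# count_findings <file> <kind>: number of entries of that kind (always prints)
count_findings() {
    report_findings "$1" "$2" | awk 'END { print NR }'
}

# evaluate_report <file>: print a one-line summary plus any warnings; return 0
# when the report passes policy (index >= MIN_INDEX and no warnings), else 1.
evaluate_report() {
    file=$1
    index=$(report_value "$file" hardening_index)
    warnings=$(count_findings "$file" warning)
    suggestions=$(count_findings "$file" suggestion)
    printf 'host=%s hardening_index=%s warnings=%s suggestions=%s\n' \
        "$(uname -n)" "${index:-?}" "$warnings" "$suggestions"
    report_findings "$file" warning | sed 's/^/  WARNING /'
    [ -n "$index" ] && [ "$index" -ge "$MIN_INDEX" ] && [ "$warnings" -eq 0 ]
}

# run_scheduled_audit: the cron/CI entry point. Runs Lynis quietly, then gates.
run_scheduled_audit() {
    if ! command -v lynis >/dev/null 2>&1; then
        echo "lynis not installed" >&2
        return 2
    fi
    lynis audit system --cronjob >/dev/null
    evaluate_report "$REPORT"
}

# Stand-alone use, e.g. from crontab: 0 3 1 * * /usr/local/sbin/lynis-gate.sh run
if [ "${1:-}" = run ]; then run_scheduled_audit; exit $?; fi
```

The one-line summary is deliberately greppable (host=... hardening_index=... warnings=...), which is what a SIEM or dashboard ingest normally wants; a CI job simply consumes the exit status.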
Strengths and Limitations¶
Strengths¶
- Lightweight: No heavy dependencies, easy to run from a single script.
- Comprehensive: Covers many areas of system security—kernel, services, authentication, logging, etc.
- Wide OS Support: Works across most Unix-like systems.
- Open-Source: Transparent code and free to customize or extend.
Limitations¶
- Focus on Configuration Auditing: Lynis is not a patching or remediation tool. It doesn't automatically fix issues (though it does give suggestions).
- Local System Scope: It's primarily about analyzing the local host. For network or advanced application testing, you need other tools.
- Command-Line Oriented: Lacks a polished GUI or fancy reporting—some folks prefer a user interface. However, it does integrate well with other automation or SIEM solutions.
Summary¶
Lynis is a powerful, straightforward, and script-based security auditing tool that every Linux/Unix administrator can benefit from. It provides:
- Deep insights into the configuration and security posture of a system.
- Actionable recommendations to fix misconfigurations or vulnerabilities.
- Automation-friendly operation with no major dependencies.
- Support for compliance with industry standards and best practices.
If you need a lightweight yet comprehensive solution to audit and harden your Linux/Unix systems, Lynis is an excellent tool to add to your toolbox. It serves as a solid first step in identifying potential problems before moving on to more specialized or external vulnerability assessments.