*Basic Linux Security - Installation of Lynis*
7 September 2009
Regardless of operating system you choose, computer security is of vast importance to the stability and security of today's Internet. Each operating system has its own strengths and weaknesses, thus will be vulnerable in different ways. In this article, I will be concentrating on Debian and FreeBSD information. However, the tools and tricks that I outline are likely to work with minimal 'hacking' on most any *nix system.
This article makes the following assumptions with regards to you and your operating system:
1. You are running a Linux or BSD based operating system (e.g. Ubuntu, Debian, Slackware, FreeBSD, NetBSD, etc).
2. You have root access to the machine in question.
3. You are using bash as your command shell and are familiar with the basic commands. Very limited knowledge of commands will be required. I will explain, in detail, the more advanced operations.
One final note before we get going: Any time I refer to Debian, the commands will work equally as well in any other Debian-based OS--Ubuntu is a classic example.
Taking Stock of your Security:
The first tool I will discuss is a little scanner called lynis. Lynis runs in the bash shell, and conducts a pretty comprehensive scan of the system it's running on. This program returns a report on where your potential security flaws are and recommends actions to repair them. Lynis can be obtained from its home page, from the apt repository in Debian, or from the Ports system in FreeBSD.
Issue the following command as root from the bash shell to install Lynis:
# apt-get install lynis
Personally, I do not recommend this method. The version in the repository always seems to be a little out of date, but this is the simplest method available for new users.
Lynis is also available in the FreeBSD ports system if you have the ports tree installed. The ports tree will be required in FreeBSD for almost all of the following examples, so we will start there. Issue the following as root if you don't have the tree (you can check by seeing if /usr/ports is populated with folders):
# portsnap fetch && portsnap extract
If you have already installed the ports tree, issue:
# portsnap fetch && portsnap update
That command updates the tree and makes sure you're working with the latest sources. Then, you can install Lynis as follows:
# cd /usr/ports/security/lynis # make install clean
I will be covering two different manual installations. The first method is to install from a Debian package, the second is installing the scripts from a tarball. These are the most involved methods of installation and will work on just about any *nix system. Lets dive in!
In Debian-based systems, if you wish to install the latest and greatest (highly recommended) obtain the .deb package from:
At the time of this writing, the latest version of Lynis is 1.2.6. Once the package has been downloaded, pull up your trusty terminal and follow along. I downloaded the package to my home directory. Modify the following commands to match your chosen folder and the current version of lynis:
# cd ~ # dpkg -i lynis_1.2.6-2_all.deb
Once you get your command prompt back, as long as no errors were displayed, you're done.
The other method we will cover is a manual install from a tarball. The tarball can be obtained from:
Again, I downloaded this to my home directory. Modify the following commands to match your chosen folder:
# cd ~ # tar -zxvf lynis-1.2.6.tar.gz # mv lynis-1.2.6 /usr/local/lynis
When using this alternate installation method, you will need to either place /usr/local/lynis in your $PATH (outside the scope of this article), or use the complete path when executing the program. For example:
# /usr/local/lynis/lynis -c
With all of the other install methods, you will be able to simply issue the command without the path. For example:
# lynis -c
Now that Lynis is installed, run a check with the `lynis -c` command as root. Pay close attention to any warnings and suggestions. There will, most likely, be quite a few. This report will also be placed in /var/log/lynis.log and /var/log/lynis-report.dat for review later.
Tackle the items in the report that you understand (the rest of this article will cover a few), but try not to lose too much sleep over the ones that you don't. I have never seen a system get its hardening index to 100. The thing to keep in mind, in computer security, is that you are constantly walking a fine line between security and usability. If you go too far to the secure side, the users of your system (thats you!) will have a hard time conducting daily business--Not a good thing.
Once lynis is all set up and you have an idea of where your system is, as far as security is concerned, we can start working on increasing your level of hardening.
In the next installment, we will begin with one of the most basic concepts in computer security: malware. Malware comes in many varities, so we will be installing a few different tools to help us detect and prevent them. ClamAV is a virus scanner for Linux. ClamAV is installed in conjuntion with FreshClam, a script to keep your ClamAV database up to date.
Once we've immunized your system to viruses, we will subsequently install rkhunter and chkrootkit--two rootkit detection programs. Rootkits are software packages that are installed after a successful attack to allow attackers to maintain their access to your machine. Rootkits pose a very grave security threat. Even though I have found them to be pretty rare, in practice, we definitely don't want to let one slip in un-noticed.
All materials at this site not otherwise credited are Copyright © 1996 - 2010 Trip Williams. All rights reserved. May be reproduced for personal use only. Use of any material contained herein is subject to stated terms or written permission.