URL: https://thenewstack.io/lynis-run-a-security-audit-on-linux-for-free/

Lynis: Run a Security Audit on Linux for Free

This article walks through the steps of installing Lynis security auditing software on both Ubuntu Server and Rocky Linux 9.
Oct 28th, 2023 6:00am by Jack Wallen
Feature image by Mike Goad from Pixabay.

When developing for cloud or containers, you know you’re probably going to be working with Linux, UNIX, or some similar operating system. When that’s the case, you should also know how imperative it is that the OS be as secure as possible. After all, with the numerous moving parts of containers and the cloud, if your foundation is weak, everything could crumble.

That means you need to know the ins and outs and minutiae of those platforms, especially regarding security.

The problem arises if you’re coming from a macOS or Windows background and you’re unfamiliar with Linux. That’s when a tool like Lynis comes in handy.

Lynis simplifies the security audits for operating systems such as:

  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • macOS
  • NetBSD
  • NixOS
  • OpenBSD
  • Solaris

With Lynis, you can perform tasks like:

  • Security auditing
  • Compliance testing
  • Penetration testing
  • Vulnerability detection
  • System hardening

Lynis is also opportunistic, which means it will only use and test components within an OS that it discovers. In other words, if a component isn’t installed on your OS, Lynis won’t test for it. Lynis is also quite easy to install and use for system auditing, which is something you should be doing for every OS you use for cloud and container development and/or deployment.

I’m going to walk you through the steps of installing Lynis on both Ubuntu Server and Rocky Linux 9. Once installed, we’ll run security audits to see what’s what. The good news is that the auditing process is the same, regardless of the OS.

What You Need

To install and use Lynis, you’ll need either a running instance of Ubuntu Server (I’m using v22.04) or Rocky Linux (v9). You’ll also need a user with sudo privileges.

That’s all you need. Let’s get to the installation.

Installing Lynis

The installation of Lynis on both Ubuntu Server and Rocky Linux is similar.

To install Lynis on Ubuntu Server, the command is:

sudo apt-get install lynis -y

To install Lynis on Rocky Linux (or another RHEL clone), the command is:

sudo dnf install lynis -y

If you don’t want to fully install Lynis, you can do the following:

  1. Download the source from the official Lynis download page.
  2. Extract the downloaded file with the command tar xvzf lynis-XXX.tar.gz (where XXX is the release number).
  3. Change into the newly created directory with the command cd lynis.

Running a Security Audit with Lynis

We can now run our first security audit with Lynis. The basic command for the audit is:

sudo lynis audit system

You need to run the lynis command with sudo; otherwise, you miss out on a number of checks. If you are using Lynis from source, the same command would be (run from within the lynis directory):

sudo ./lynis audit system

The command will execute all of the checks (based on what’s installed on the system) and will report (in most cases) considerable output, which will look something like this:

  * Determine if protocol 'tipc' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/
  * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
      https://cisofy.com/lynis/controls/HTTP-6640/
  * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
      https://cisofy.com/lynis/controls/HTTP-6643/
  * Consider hardening SSH configuration [SSH-7408]
    - Details  : AllowTcpForwarding (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/
  * Consider hardening SSH configuration [SSH-7408]
    - Details  : ClientAliveCountMax (set 3 to 2)
      https://cisofy.com/lynis/controls/SSH-7408/
  * Consider hardening SSH configuration [SSH-7408]
    - Details  : Compression (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/
  * Consider hardening SSH configuration [SSH-7408]
    - Details  : LogLevel (set INFO to VERBOSE)
      https://cisofy.com/lynis/controls/SSH-7408/
  * Consider hardening SSH configuration [SSH-7408]
    - Details  : MaxAuthTries (set 6 to 3)
      https://cisofy.com/lynis/controls/SSH-7408/
  * Consider hardening SSH configuration [SSH-7408]
    - Details  : MaxSessions (set 10 to 2)
      https://cisofy.com/lynis/controls/SSH-7408/
  * Consider hardening SSH configuration [SSH-7408]
    - Details  : Port (set 22 to )
      https://cisofy.com/lynis/controls/SSH-7408/
  * Consider hardening SSH configuration [SSH-7408]
    - Details  : TCPKeepAlive (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/

As you can see, when Lynis finds a possible issue, it will offer a suggestion by way of a link. Open any one of those links to read a description of how to mitigate the issue.
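
The suggestion list can also be triaged mechanically. The shell functions below are an added example, not part of the original article or of Lynis: they count suggestions per test ID and turn the SSH-7408 details into option/current/recommended rows, skipping entries such as Port where the output gives no target value. The function names are hypothetical and the sample input is constructed by shortening the output shown above.

```shell
# Added example, not from the article or the Lynis project.
# Constructed sample: suggestion lines shortened from the output shown above.
sample_suggestions() {
cat <<'EOF'
  * Determine if protocol 'tipc' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/
  * Consider hardening SSH configuration [SSH-7408]
    - Details  : AllowTcpForwarding (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/
  * Consider hardening SSH configuration [SSH-7408]
    - Details  : MaxAuthTries (set 6 to 3)
      https://cisofy.com/lynis/controls/SSH-7408/
  * Consider hardening SSH configuration [SSH-7408]
    - Details  : Port (set 22 to )
      https://cisofy.com/lynis/controls/SSH-7408/
EOF
}

# Count suggestions per test ID, most frequent first: "<count> <TEST-ID>".
count_by_test_id() {
  sed -n 's/^[[:space:]]*\* .*\[\([A-Z0-9]*-[0-9]*\)][[:space:]]*$/\1/p' |
    sort | uniq -c | sort -k1,1nr -k2,2 | awk '{print $1, $2}'
}

# Print "Option current recommended" for each SSH-7408 detail line.
# Entries with an empty recommended value are reported on stderr and skipped,
# because that choice is left to the administrator.
ssh_recommendations() {
  awk '
    /\[SSH-7408\]/ { in_ssh = 1; next }          # start of an SSH suggestion
    /^[ \t]*\*/    { in_ssh = 0 }                # any other suggestion ends it
    in_ssh && /Details[ \t]*:/ {
      line = $0
      sub(/^.*Details[ \t]*:[ \t]*/, "", line)   # -> "Option (set A to B)"
      opt = line;  sub(/[ \t]*\(.*$/, "", opt)
      vals = line; sub(/^.*\(set[ \t]+/, "", vals); sub(/\)[ \t]*$/, "", vals)
      n = split(vals, p, /[ \t]+to[ \t]*/)
      if (n < 2 || p[2] == "") { print "no target value for " opt > "/dev/stderr"; next }
      print opt, p[1], p[2]
    }'
}

# Demo on the constructed sample.
sample_suggestions | count_by_test_id
sample_suggestions | ssh_recommendations
```

To run the functions on a real audit, save uncoloured output first with sudo lynis audit system --no-colors > audit.txt and pipe that file in instead of the sample.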

One caveat to using Lynis is the output can be fairly lengthy. If you’re on a headless server (or using it via a remote cloud host), you might not have the ability to scroll through the output. Fortunately, Lynis also writes to a log file at /var/log/lynis.log. You can view the log file with the command:

sudo less /var/log/lynis.log

Scroll through the file to see if you find anything that must be taken care of immediately.

Keep in mind, however, that each time you run Lynis it will overwrite the log file. So make sure you either rename the previous log file (if you’ve not read through it) or move it. You can rename it with a command like:

sudo mv /var/log/lynis.log /var/log/lynis.log.old
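
A fixed .old name is itself overwritten the next time the log is renamed, so only one previous audit survives. As an added example (not from the original article), this function archives the log under its last-modified timestamp and never overwrites an earlier archive. The function name archive_lynis_log is hypothetical, and date -r FILE assumes GNU coreutils, as shipped on Ubuntu and Rocky Linux.

```shell
# Added example, not from the article: keep every Lynis log, not just one ".old".
# Usage: archive_lynis_log [logfile]
# Prints the archive path, or nothing if there is no log to archive.
archive_lynis_log() {
  log=${1:-/var/log/lynis.log}
  [ -f "$log" ] || return 0                 # no previous audit, nothing to do

  # Name the archive after the time the log was last written (GNU date).
  stamp=$(date -r "$log" +%Y%m%dT%H%M%S)
  dest="$log.$stamp"

  # Never clobber an existing archive: append .1, .2, ... on a collision.
  n=1
  while [ -e "$dest" ]; do
    dest="$log.$stamp.$n"
    n=$((n + 1))
  done

  # The log lists the host's weaknesses, so keep the archive owner-only.
  mv -- "$log" "$dest" && chmod 600 "$dest" && printf '%s\n' "$dest"
}
```

Call it from a root shell or script immediately before each sudo lynis audit system run, so the previous log is archived before the new audit replaces it.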

You’ll probably find that Lynis reports that a lot needs to be done to harden your server, which can be rather daunting. Go through the Lynis log file, line by line, and mitigate anything you deem necessary, and your server will thank you by being considerably more secure than it was prior to using this tool.

Just remember, Lynis doesn’t fix things for you; it simply lets you know what needs to be addressed.
