How to use Lynis, and is it safe to run on Ubuntu? Does it really scan for malware and vulnerabilities?

How do I use Lynis, and does it really scan for malware and vulnerabilities on Ubuntu? Can I run it with sudo privileges?
I scanned by using this command: `$ ./lynis --check-all`. It scanned successfully and gave some results,
but in those results there are some suggestions and the following:

  • Checking presence GRUB2 [ FOUND ]
    • Checking for password protection [ NONE ]
  • Checking default I/O kernel scheduler [ NOT FOUND ]
  • Password file consistency [ SUGGESTION ]
  • PAM password strength tools [ SUGGESTION ]
  • Checking user password aging (minimum) [ DISABLED ]
  • User password aging (maximum) [ DISABLED ]
  • Determining default umask
    • umask (/etc/profile) [ NOT FOUND ]
    • umask (/etc/login.defs) [ SUGGESTION ]
    • LDAP authentication support [ NOT ENABLED ]

[+] Kernel Hardening

  • Comparing sysctl key pairs with scan profile
    • fs.protected_hardlinks (exp: 1) [ OK ]
    • fs.protected_symlinks (exp: 1) [ OK ]
    • fs.suid_dumpable (exp: 0) [ DIFFERENT ]
    • kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
    • kernel.ctrl-alt-del (exp: 0) [ OK ]
    • kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
    • kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
    • kernel.randomize_va_space (exp: 2) [ OK ]
    • kernel.sysrq (exp: 0) [ DIFFERENT ]
    • kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
    • net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
    • net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
    • net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
    • net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
    • net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
    • net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
    • net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
    • net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv4.conf.default.accept_source_route (exp: 0) [ DIFFERENT ]
    • net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
    • net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
    • net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
    • net.ipv4.tcp_syncookies (exp: 1) [ OK ]
    • net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
    • net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
    • net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    • net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

[+] Hardening

  • Installed compiler(s) [ FOUND ]
  • Installed malware scanner [ FOUND ]

Lynis security scan details:

Hardening index : 69 [############# ]
Tests performed : 224
Plugins enabled : 0

Components:

  • Firewall [V]
  • Malware scanner [V]

Lynis modules:

  • Compliance status [?]
  • Security audit [V]
  • Vulnerability scan [V]

Files:

  • Test and debug information : /var/log/lynis.log
  • Report data : /var/log/lynis-report.dat

What do these results mean? Some categories give suggestions, some are not found, some are disabled. What are all those? Could someone please explain clearly, and can I share all these scanning results like this?
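The "Kernel Hardening" block in the scan above is Lynis' KRNL-6000 test: for each sysctl key it compares the running value with the value in the scan profile (printed as "exp:") and reports DIFFERENT when they disagree. The script below is an added example, not part of the post and not part of Lynis, that re-does that comparison for the keys shown above (trimmed to a subset; add the rest in the same format) and turns the DIFFERENT ones into a sysctl.d drop-in. The accepted values are the "exp:" values from the scan output, i.e. Lynis' default profile rather than an Ubuntu baseline; the snapshot of current values embedded in the script is constructed to mirror the OK/DIFFERENT pattern above, and `--live` switches to the real values via `sysctl -n`. Read the drop-in before installing it: kernel.sysrq=0 turns off the magic SysRq key, rp_filter=1 can break asymmetric routing, and kernel.kptr_restrict=2 hides kernel pointers even from root, which some debugging tools need.

```shell
#!/bin/sh
# Added example, not from the forum post and not part of Lynis: rebuild the
# KRNL-6000 sysctl comparison for keys seen in the scan output and emit a
# /etc/sysctl.d drop-in for the ones that differ. Accepted values are the
# "exp:" values Lynis printed (its default profile), an assumption here.
set -u

# "key accepted-values..." : one line per sysctl, several values may be accepted
LYNIS_EXPECTED='fs.protected_hardlinks 1
fs.protected_symlinks 1
fs.suid_dumpable 0
kernel.core_uses_pid 1
kernel.dmesg_restrict 1
kernel.kptr_restrict 2
kernel.randomize_va_space 2
kernel.sysrq 0
kernel.yama.ptrace_scope 1 2 3
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.default.log_martians 1
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_timestamps 0 1
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0'

# accepted_values KEY -> the accepted values for KEY, empty if not in the profile
accepted_values() {
    printf '%s\n' "$LYNIS_EXPECTED" | awk -v k="$1" '$1 == k { $1 = ""; sub(/^ /, ""); print }'
}

# sysctl_status KEY CURRENT -> OK | DIFFERENT | UNKNOWN (key not in the profile)
sysctl_status() {
    _acc=$(accepted_values "$1")
    if [ -z "$_acc" ]; then echo UNKNOWN; return 0; fi
    for _v in $_acc; do
        if [ "$_v" = "$2" ]; then echo OK; return 0; fi
    done
    echo DIFFERENT
}

# sysctl_dropin < "key value" lines -> sysctl.d fragment setting every
# DIFFERENT key to the first accepted value
sysctl_dropin() {
    echo '# generated from Lynis KRNL-6000 findings; review before installing'
    while read -r _key _cur; do
        [ -n "$_key" ] || continue
        if [ "$(sysctl_status "$_key" "$_cur")" = DIFFERENT ]; then
            set -- $(accepted_values "$_key")
            printf '%s = %s\n' "$_key" "$1"
        fi
    done
}

# live_values -> "key value" lines read from the running kernel (real use)
live_values() {
    printf '%s\n' "$LYNIS_EXPECTED" | while read -r _key _rest; do
        _cur=$(sysctl -n "$_key" 2>/dev/null) && printf '%s %s\n' "$_key" "$_cur"
    done
}

# Constructed snapshot mirroring the OK/DIFFERENT pattern in the scan above,
# so the script demonstrates itself without touching the running kernel.
SAMPLE_CURRENT='fs.protected_hardlinks 1
fs.suid_dumpable 2
kernel.core_uses_pid 0
kernel.dmesg_restrict 0
kernel.kptr_restrict 1
kernel.sysrq 176
kernel.yama.ptrace_scope 1
net.ipv4.conf.all.accept_redirects 1
net.ipv4.conf.all.rp_filter 2
net.ipv4.tcp_timestamps 1'

if [ "${1:-}" = "--live" ]; then
    live_values | sysctl_dropin        # e.g. > /etc/sysctl.d/60-lynis.conf
else
    printf '%s\n' "$SAMPLE_CURRENT" | sysctl_dropin
fi
```

To apply it for real, run it as root with `sh lynis-sysctl.sh --live > /etc/sysctl.d/60-lynis.conf` (the file name is my choice), load it with `sysctl --system`, and re-run `lynis audit system` to confirm the keys now show OK. Keys you decide not to change are better recorded as an accepted risk in a custom profile, which is what the `skip-test=KRNL-6000:<sysctl-key>` hint in the Lynis output refers to, than left as a permanent DIFFERENT.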

I am not going to try to answer your question, as some of this is far too technical for me as well… but I am interested.

It’s not an end-user tool and not really a virus scanner, in my opinion.

It’s more for the security of a system, as the article suggests, so for a multi-user system.
Yes, it runs on Ubuntu, but it would not say you have a virus or solve it. If that is what you’re looking for I would go for clamav, but others are available, such as https://www.ubuntupit.com/best-linux-antivirus-top-10-reviewed-compared/

Interested in other comments on this subject

Hey

I too am newish to Linux, and this is a great tool for picking up on vulnerabilities of your server. As mentioned by callpaul, this is not an “Anti-Virus” or “root-kit”, and I would also recommend looking at clamav as a basic solution.

<== Back to Lynis

On Debian, if you run the command `lynis audit system` you will get the feedback you pasted in your question, but further down you will also get a section that may look something like this:

> [+] Plugins (phase 2)
> ------------------------------------
> 
> ================================================================================
> 
>   -[ Lynis 2.6.2 Results ]-
> 
>   Warnings (4):
>   ----------------------------
>   ! Version of Lynis is very old and should be updated [LYNIS] 
>       https://cisofy.com/controls/LYNIS/
> 
>   ! No password set for single mode [AUTH-9308] 
>       https://cisofy.com/controls/AUTH-9308/
> 
>   ! Couldn't find 2 responsive nameservers [NETW-2705] 
>       https://cisofy.com/controls/NETW-2705/
> 
>   ! No MySQL root password set [DBS-1816] 
>       https://cisofy.com/controls/DBS-1816/
> 
>   Suggestions (48):
>   ----------------------------
>   * Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [CUST-0280] 
>       https://your-domain.example.org/controls/CUST-0280/
> 
>   * Install libpam-usb to enable multi-factor authentication for PAM sessions [CUST-0285] 
>       https://your-domain.example.org/controls/CUST-0285/
> 
>   * Install apt-listbugs to display a list of critical bugs prior to each APT installation. [CUST-0810] 
>       https://your-domain.example.org/controls/CUST-0810/
> 
>   * Install apt-listchanges to display any significant changes prior to any upgrade via APT. [CUST-0811] 
>       https://your-domain.example.org/controls/CUST-0811/
> 
>   * Install debian-goodies so that you can run checkrestart after upgrades to determine which services are using old versions of libraries and need restarting. [CUST-0830] 
>       https://your-domain.example.org/controls/CUST-0830/
> 
>   * Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [CUST-0831] 
>       https://your-domain.example.org/controls/CUST-0831/
> 
>   * Install debsecan to generate lists of vulnerabilities which affect this installation. [CUST-0870] 
>       https://your-domain.example.org/controls/CUST-0870/
> 
>   * Install debsums for the verification of installed package files against MD5 checksums. [CUST-0875] 
>       https://your-domain.example.org/controls/CUST-0875/
> 
>   * Copy /etc/fail2ban/jail.conf to jail.local to prevent it being changed by updates. [DEB-0880] 
>       https://cisofy.com/controls/DEB-0880/
> 
>   * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
>       https://cisofy.com/controls/BOOT-5122/
> 
>   * Protect rescue.service by using sulogin [BOOT-5260] 
>       https://cisofy.com/controls/BOOT-5260/
> 
>   * Determine why /vmlinuz is missing on this Debian/Ubuntu system. [KRNL-5788] 
>     - Details  : /vmlinuz
>       https://cisofy.com/controls/KRNL-5788/
> 
>   * Check the output of apt-cache policy manually to determine why output is empty [KRNL-5788] 
>       https://cisofy.com/controls/KRNL-5788/
> 
>   * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262] 
>       https://cisofy.com/controls/AUTH-9262/
> 
>   * Configure minimum password age in /etc/login.defs [AUTH-9286] 
>       https://cisofy.com/controls/AUTH-9286/
> 
>   * Configure maximum password age in /etc/login.defs [AUTH-9286] 
>       https://cisofy.com/controls/AUTH-9286/
> 
>   * Set password for single user mode to minimize physical access attack surface [AUTH-9308] 
>       https://cisofy.com/controls/AUTH-9308/
> 
>   * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] 
>       https://cisofy.com/controls/AUTH-9328/
> 
>   * To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310] 
>       https://cisofy.com/controls/FILE-6310/
> 
>   * To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310] 
>       https://cisofy.com/controls/FILE-6310/
> 
>   * To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310] 
>       https://cisofy.com/controls/FILE-6310/
> 
>   * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] 
>       https://cisofy.com/controls/STRG-1840/
> 
>   * Check DNS configuration for the dns domain name [NAME-4028] 
>       https://cisofy.com/controls/NAME-4028/
> 
>   * Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
>       https://cisofy.com/controls/PKGS-7370/
> 
>   * Install package apt-show-versions for patch management purposes [PKGS-7394] 
>       https://cisofy.com/controls/PKGS-7394/
> 
>   * Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705] 
>       https://cisofy.com/controls/NETW-2705/
> 
>   * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] 
>       https://cisofy.com/controls/NETW-3032/
> 
>   * Check iptables rules to see which rules are currently not used [FIRE-4513] 
>       https://cisofy.com/controls/FIRE-4513/
> 
>   * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] 
>       https://cisofy.com/controls/HTTP-6640/
> 
>   * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] 
>       https://cisofy.com/controls/HTTP-6643/
> 
>   * Consider hardening SSH configuration [SSH-7408] 
>     - Details  : AllowTcpForwarding (YES --> NO)
>       https://cisofy.com/controls/SSH-7408/
> 
>   * Consider hardening SSH configuration [SSH-7408] 
>     - Details  : ClientAliveCountMax (3 --> 2)
>       https://cisofy.com/controls/SSH-7408/
> 
>   * Consider hardening SSH configuration [SSH-7408] 
>     - Details  : Compression (YES --> (DELAYED|NO))
>       https://cisofy.com/controls/SSH-7408/
> 
>   * Consider hardening SSH configuration [SSH-7408] 
>     - Details  : LogLevel (INFO --> VERBOSE)
>       https://cisofy.com/controls/SSH-7408/
> 
>   * Consider hardening SSH configuration [SSH-7408] 
>     - Details  : MaxAuthTries (3 --> 2)
>       https://cisofy.com/controls/SSH-7408/
> 
>   * Consider hardening SSH configuration [SSH-7408] 
>     - Details  : MaxSessions (10 --> 2)
>       https://cisofy.com/controls/SSH-7408/
> 
>   * Consider hardening SSH configuration [SSH-7408] 
>     - Details  : Port (22 --> )
>       https://cisofy.com/controls/SSH-7408/
> 
>   * Consider hardening SSH configuration [SSH-7408] 
>     - Details  : TCPKeepAlive (YES --> NO)
>       https://cisofy.com/controls/SSH-7408/
> 
>   * Consider hardening SSH configuration [SSH-7408] 
>     - Details  : AllowAgentForwarding (YES --> NO)
>       https://cisofy.com/controls/SSH-7408/
> 
>   * Check what deleted files are still in use and why. [LOGG-2190] 
>       https://cisofy.com/controls/LOGG-2190/
> 
>   * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
>       https://cisofy.com/controls/BANN-7126/
> 
>   * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
>       https://cisofy.com/controls/BANN-7130/
> 
>   * Enable process accounting [ACCT-9622] 
>       https://cisofy.com/controls/ACCT-9622/
> 
>   * Enable sysstat to collect accounting (no results) [ACCT-9626] 
>       https://cisofy.com/controls/ACCT-9626/
> 
>   * Enable auditd to collect audit information [ACCT-9628] 
>       https://cisofy.com/controls/ACCT-9628/
> 
>   * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] 
>       https://cisofy.com/controls/FINT-4350/
> 
>   * Determine if automation tools are present for system management [TOOL-5002] 
>       https://cisofy.com/controls/TOOL-5002/
> 
>   * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
>     - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
>       https://cisofy.com/controls/KRNL-6000/
> 
>   Follow-up:
>   ----------------------------
>   - Show details of a test (lynis show details TEST-ID)
>   - Check the logfile for all details (less /var/log/lynis.log)
>   - Read security controls texts (https://cisofy.com)
>   - Use --upload to upload data to central system (Lynis Enterprise users)
> 
> ================================================================================
> 
>   Lynis security scan details:
> 
>   Hardening index : 61 [############        ]
>   Tests performed : 226
>   Plugins enabled : 1

As you can see, in the “Suggestions” section it provides a recommended solution, sometimes with a working link providing more information about the solution. Hope this helps :)

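The screen output quoted in the answer above is only half of what Lynis writes: the question's scan lists /var/log/lynis-report.dat as "Report data", and that file is the machine-readable version of the same warnings and suggestions. The script below is an added example, not from the answer and not part of Lynis, that reads that report and triages it: the hardening index, the warnings, and the suggestions grouped by test ID so that an ID firing many times (SSH-7408 appears nine times above, once per sshd option) is handled once at the source. It assumes the report's `warning[]=` and `suggestion[]=` lines carry `ID|text|details|solution|` fields separated by `|`, which is how the Lynis releases I have used write them; the grep in the script header lets you confirm that on your own file first. The embedded sample report is constructed from the findings quoted above and is used when the real file is not readable (it is root-only). The `skip_profile` helper emits `skip-test=` lines for a custom profile, the mechanism the KRNL-6000 solution line above refers to; use it for findings you have reviewed and consciously accepted, not to push the score up.

```shell
#!/bin/sh
# Added example, not from the forum answer and not part of Lynis: triage the
# machine-readable report Lynis writes alongside the screen output.
# Assumption: "warning[]=" and "suggestion[]=" lines look like
#   suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (3 --> 2)|-|
# i.e. ID|text|details|solution| separated by '|'. Verify on your own file:
#   grep -E '^(warning|suggestion)\[\]=' /var/log/lynis-report.dat | head
set -u

REPORT=${LYNIS_REPORT:-/var/log/lynis-report.dat}

# Constructed sample in the assumed shape, built from findings quoted in the
# answer above; used when the real report is not readable (it is root-only).
SAMPLE_REPORT='lynis_version=2.6.2
hardening_index=61
warning[]=AUTH-9308|No password set for single mode|-|-|
warning[]=DBS-1816|No MySQL root password set|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (3 --> 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|Port (22 --> )|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked|-|Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)|'

# report_source -> the real report when readable, otherwise the sample
report_source() {
    if [ -r "$REPORT" ]; then cat "$REPORT"; else printf '%s\n' "$SAMPLE_REPORT"; fi
}

# report_value KEY < report -> value of a plain "KEY=value" line
report_value() {
    awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# report_findings KIND < report -> "ID<TAB>text<TAB>details", KIND=warning|suggestion
report_findings() {
    awk -v kind="$1" -F'|' '
        index($0, kind "[]=") == 1 {
            id = substr($1, length(kind) + 4)   # strip "KIND[]="
            printf "%s\t%s\t%s\n", id, $2, $3
        }'
}

# findings_by_id KIND < report -> "count ID", most frequent first, so a test
# that fires many times (SSH-7408 above) is fixed once, at the source
findings_by_id() {
    report_findings "$1" | cut -f1 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# skip_profile ID... -> lines for a custom profile (e.g. /etc/lynis/custom.prf)
# that silence tests whose risk was reviewed and accepted; not for hiding work
skip_profile() {
    echo '# accepted findings; record the reason next to each line'
    for _id in "$@"; do printf 'skip-test=%s\n' "$_id"; done
}

main() {
    R=$(report_source)
    echo "Hardening index: $(printf '%s\n' "$R" | report_value hardening_index)"
    echo "Warnings (fix these first):"
    printf '%s\n' "$R" | report_findings warning
    echo "Suggestions by test ID:"
    printf '%s\n' "$R" | findings_by_id suggestion
}
main
```

Run it as root after `lynis audit system` (or point `LYNIS_REPORT` at a copy of the report) and work the list top down: warnings are findings Lynis considers a real exposure, such as the missing single-user-mode password above, while suggestions are hardening options to weigh against what the machine is for. The details column is what tells the SSH-7408 lines apart, so grep it for the option name when editing sshd_config, and note that `Port (22 --> )` is a hint to move off the default port, not a value you can copy in.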