Using lynis for Local Checks
Programs are available on most Linux distributions that can run tests for local vulnerabilities. Kali is no different. One of these programs is lynis, a vulnerability scanner that runs on the local system and runs through numerous checks for settings that would be common in a hardened operating system installation. Operating systems that are hardened are configured to be resistant to attacks. This can mean enabling logging, tightening permissions, and choosing other settings.

The program lynis has settings for different scan types. You can do quick scans or complete scans, depending on the depth you want to go to. There is also the possibility of running in pentest mode, which is an unprivileged scan. This limits what can be checked. Anything that requires root access, like looking at some configuration files, can't be checked in pentest mode. This can give you good insight into what an attacker can do if they gain access to a regular, unprivileged account. Example 4-3 shows partial output of a run of lynis against a basic Kali installation.
Example 4-3. Output from lynis
[+] Memory and Processes
------------------------------------
  - Checking /proc/meminfo                                  [ FOUND ]
  - Searching for dead/zombie processes                     [ OK ]
  - Searching for IO waiting processes                      [ OK ]

[+] Users, Groups and Authentication
------------------------------------
  - Administrator accounts                                  [ OK ]
  - Unique UIDs                                             [ OK ]
  - Consistency of group files (grpck)                      [ OK ]
  - Unique group IDs                                        [ OK ]
  - Unique group names                                      [ OK ]
  - Password file consistency                               [ OK ]
  - Query system users (non daemons)                        [ DONE ]
  - NIS+ authentication support                             [ NOT ENABLED ]
  - NIS authentication support                              [ NOT ENABLED ]
  - sudoers file                                            [ FOUND ]
  - Check sudoers file permissions                          [ OK ]
  - PAM password strength tools                             [ SUGGESTION ]
  - PAM configuration files (pam.conf)                      [ FOUND ]
  - PAM configuration files (pam.d)                         [ FOUND ]
  - PAM modules                                             [ FOUND ]
  - LDAP module in PAM                                      [ NOT FOUND ]
  - Accounts without expire date                            [ OK ]
  - Accounts without password                               [ OK ]
  - Checking user password aging (minimum)                  [ DISABLED ]
  - User password aging (maximum)                           [ DISABLED ]
  - Checking expired passwords                              [ OK ]
  - Checking Linux single user mode authentication          [ WARNING ]
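Two of the checks in the Users, Groups and Authentication section above, unique UIDs and accounts without a password, written out as a small shell script so the logic behind the status tags is visible. This is an added illustration, not lynis's own code; the passwd- and shadow-style files are constructed samples with placeholder hashes, and the unreadable-file branch shows what an unprivileged pentest-mode scan has to do when /etc/shadow cannot be read.

```shell
#!/bin/sh
# Added illustration of two lynis-style checks, not lynis's own code.
# Sample files standing in for /etc/passwd and /etc/shadow: constructed,
# hypothetical accounts with placeholder hashes. On a real system the
# shadow file is readable only by root.
PASSWD_SAMPLE=$(mktemp); SHADOW_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
backup:x:1002:1002:Backup:/home/backup:/bin/bash
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$placeholderhash:19000:0:99999:7:::
bob:$6$placeholderhash:19000:0:99999:7:::
backup::19000:0:99999:7:::
EOF

# Unique UIDs: print each UID (field 3) used by more than one account.
# Empty output means the check passes.
duplicate_uids() {
    cut -d: -f3 "$1" | sort | uniq -d
}

# Accounts without password: an empty hash field in shadow means the
# account can be entered with no password at all. An unprivileged
# (pentest-mode) scan cannot read shadow, so it must skip, not pass.
empty_password_accounts() {
    [ -r "$1" ] || { echo "SKIPPED"; return 2; }
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Map a check's output to a lynis-style status tag.
status_tag() {
    case "$1" in
        "")      echo "OK" ;;
        SKIPPED) echo "SKIPPED" ;;
        *)       echo "WARNING" ;;
    esac
}
# Report a check in the layout lynis uses, naming any offenders.
report_check() {  # $1 = label, $2 = check output
    printf '  - %-28s [ %s ] %s\n' "$1" "$(status_tag "$2")" "$2"
}
report_check "Unique UIDs" "$(duplicate_uids "$PASSWD_SAMPLE")"
report_check "Accounts without password" "$(empty_password_accounts "$SHADOW_SAMPLE")"
```

With the constructed files, the UID check reports WARNING with the shared UID 1000 and the password check reports WARNING for the backup account; point the functions at the real /etc/passwd and /etc/shadow (as root) to see the live result.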