HOWTO Automate the Lynis auditing tool

Often when working with a client I'll have recommendations on server settings and configurations, but sometimes things are not obvious, and I want another set of eyes to audit the security settings. External scanners are fine, but they are mostly run by the security teams, so an open source auditing tool that runs on the host can help with security auditing, hardening, and compliance while helping to determine whether things are configured and set up optimally. Enter Lynis, "an open source security auditing tool for Linux, macOS, and Unix systems. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners." Sounds good. To make this easier to run I've written a simple script that pulls the scanner (the version and its SHA-256 checksum are pinned in the script), verifies the download, unpacks it, and runs it with the default settings. It's helpful; give it a try and see what it finds on your system.

#!/bin/sh
# This script will automatically:
# * download [Lynis](https://cisofy.com/lynis/), an open source security auditing tool
# * verify the download against a pinned SHA-256 checksum before extracting it
# * run a full audit check, either privileged, or non-privileged if not logged in as root
# * cleanup by removing the downloaded archive, and the extracted directory it ran out of
# * save the audit report to your local directory (YYYYMMDD-lynis-report)
#
# This script requires:
# * awk
# * tar
# * curl
# * sha256sum
url="https://cisofy.com/files"
file="lynis-2.5.5.tar.gz" # if you change this version be sure to change the sum_target (sha256sum)
sum_target="638c587396fbd2e857d6a3d2229db3b071704c0e217e03055c9268b495ab8102"
date_stamp=$(date +'%Y%m%d')

echo "[ -- ] $file downloading"
# -f makes curl fail on HTTP errors instead of saving an error page as the archive
if ! curl -fsSLO "$url/$file"; then
    echo "[ FF ] $file download FAILED!"
    exit 1
fi

sum_gen=$(sha256sum "$file" | awk '{print $1}')
# Both sides must be double-quoted: a single-quoted '$a = $b' is one non-empty
# string, so the test would always succeed and a tampered archive would be run.
if [ "$sum_target" = "$sum_gen" ]; then
    echo "[ OK ] $file sha256 sum verified"
else
    echo "[ FF ] $file sha256 sum FAILED!"
    rm -f "$file"
    echo "[ FF ] $file deleted!"
    exit 1
fi

echo "[ -- ] $file extracting"
tar -zxf "$file"
echo "[ OK ] $file extracted"

echo "[ -- ] lynis preparing"
cd lynis || exit 1
# Lynis refuses to run if its include files are writable by other users
chmod 640 include/*
echo "[ OK ] lynis running"
./lynis audit system
echo "[ -- ] lynis complete"
cd ..

echo "[ -- ] lynis cleanup"
rm -f "$file"
echo "[ OK ] $file removed"
rm -rf lynis
echo "[ OK ] lynis directory removed"

echo "[ -- ] lynis report compilation"
# Lynis writes its log and report to /var/log when run as root and to /tmp otherwise
if [ "$(id -u)" -eq 0 ]; then
    log_dir=/var/log
else
    log_dir=/tmp
fi
mkdir -p "$date_stamp-lynis-report"
mv "$log_dir/lynis.log" "$log_dir/lynis-report.dat" "$date_stamp-lynis-report"
echo "[ OK ] lynis report in $date_stamp-lynis-report"
exit 0
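Once the report is saved, the next thing you usually want is a quick summary of it. The following is an added example (not part of the original post or of Lynis itself): two small sh functions that read the hardening index and count the warnings and suggestions in a lynis-report.dat file. It assumes the report's key=value layout, where warning[] and suggestion[] entries are pipe-separated (TEST-ID|description|details|...), and runs against a constructed sample report rather than real audit output.

```shell
#!/bin/sh
# Summarize a saved Lynis report (lynis-report.dat).
# Assumed format: key=value lines; warning[] and suggestion[] values are
# pipe-separated fields starting with the test ID.

# Print "<hardening_index> <warning count> <suggestion count>" for a report file.
lynis_report_summary() {
    report="$1"
    if [ ! -r "$report" ]; then
        echo "cannot read report: $report" >&2
        return 1
    fi
    index=$(awk -F= '$1 == "hardening_index" { print $2 }' "$report")
    # grep -c exits 1 when the count is 0, so keep the count but ignore the status
    warnings=$(grep -c '^warning\[\]=' "$report" || true)
    suggestions=$(grep -c '^suggestion\[\]=' "$report" || true)
    printf '%s %s %s\n' "${index:-unknown}" "$warnings" "$suggestions"
}

# Print the test ID of every warning, one per line, for tracking across audits.
lynis_report_warning_ids() {
    awk -F'[=|]' '/^warning\[\]=/ { print $2 }' "$1"
}

# Constructed sample report (not real Lynis output) so this runs offline.
sample_report=$(mktemp)
cat > "$sample_report" <<'EOF'
lynis_version=2.5.5
hardening_index=65
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin|-|
EOF

lynis_report_summary "$sample_report"
lynis_report_warning_ids "$sample_report"
```

Point the functions at the saved `YYYYMMDD-lynis-report/lynis-report.dat` to summarize a real run.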