Lynis

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. Many of these tests are also part of common security guidelines and standards. Examples include searching for installed software and determining possible configuration flaws. Lynis goes further and also tests individual software components, checks related configuration files and measures performance. After these tests, a scan report is displayed with all discovered findings.

Typical use cases for Lynis:
  • Security auditing
  • Vulnerability scanning
  • System hardening

Why open source?

Open source software provides trust by having people look into the code. Adjustments are easily made, providing you with a flexible solution for your business. But can you trust systems and software with your data? Lynis provides you this confidence. It does so with extensive auditing of your systems. This way you can verify and stay in control of your security needs.

[Image: example output of a Linux security scan with Lynis]

Our Lynis Enterprise Suite uses Lynis as a core component. This solution focuses on companies that are serious about information security and want to safeguard their network. The main audience is system administrators, security professionals and auditors working for these kinds of companies.

Testing Lynis (free version)

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See the LICENSE file for details about using this software.

 Copyright 2007-2014 - Michael Boelen, http://cisofy.com
 Enterprise support and plugins available via CISOfy - http://cisofy.com
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Clearing log file (/var/log/lynis.log)...                 [ DONE ]

  ---------------------------------------------------
  Program version:           1.5.9
  Operating system:          Linux
  Operating system name:     Debian
  Operating system version:  7.6
  Kernel version:            3.2.0-4-amd64
  Hardware platform:         x86_64
  Hostname:                  vegas.somedomain.com
  Auditor:                   [Unknown]
  Profile:                   ./default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          ./plugins
  ---------------------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

  - Checking profile file (./default.prf)...
  - Program update status...                                  [ NO UPDATE ]

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
    - Checking /bin...                                        [ FOUND ]
    - Checking /sbin...                                       [ FOUND ]
    - Checking /usr/bin...                                    [ FOUND ]
    - Checking /usr/sbin...                                   [ FOUND ]
    - Checking /usr/local/bin...                              [ FOUND ]
    - Checking /usr/local/sbin...                             [ NOT FOUND ]
    - Checking /usr/local/libexec...                          [ NOT FOUND ]
    - Checking /usr/libexec...                                [ NOT FOUND ]
    - Checking /usr/sfw/bin...                                [ NOT FOUND ]
    - Checking /usr/sfw/sbin...                               [ NOT FOUND ]
    - Checking /usr/sfw/libexec...                            [ NOT FOUND ]
    - Checking /opt/sfw/bin...                                [ NOT FOUND ]
    - Checking /opt/sfw/sbin...                               [ NOT FOUND ]
    - Checking /opt/sfw/libexec...                            [ NOT FOUND ]
    - Checking /usr/xpg4/bin...                               [ NOT FOUND ]
    - Checking /usr/css/bin...                                [ NOT FOUND ]
    - Checking /usr/ucb...                                    [ NOT FOUND ]
    - Checking /usr/X11R6/bin...                              [ NOT FOUND ]
    - Checking /usr/X11R7/bin...                              [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Plugins (phase 1)
------------------------------------
  - Plugins enabled                                           [ NONE ]

[+] Boot and services
------------------------------------
  - Checking boot loaders
    - Checking presence GRUB2...                              [ FOUND ]
    - Checking presence LILO...                               [ NOT FOUND ]
    - Checking boot loader SILO                               [ NOT FOUND ]
    - Checking boot loader YABOOT                             [ NOT FOUND ]
  - Check services at startup (rc2.d)...                      [ DONE ]
    Result: found 19 services
  - Check startup files (permissions)...                      [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Kernel
------------------------------------
  - Checking default run level...                             [ 2 ]
  - Checking CPU support (NX/PAE)
    CPU support: PAE and/or NoeXecute supported               [ FOUND ]
  - Checking kernel version and release                       [ DONE ]
  - Checking kernel type                                      [ DONE ]
  - Checking loaded kernel modules                            [ DONE ]
      Found 52 active modules
  - Checking Linux kernel configuration file                  [ FOUND ]
  - Checking default I/O kernel scheduler                     [ FOUND ]
  - Checking for available kernel update...                   [ UPDATE AVAILABLE ]
  - Checking core dumps configuration...                      [ DISABLED ]
    - Checking setuid core dumps configuration...             [ DEFAULT ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Memory and processes
------------------------------------
  - Checking /proc/meminfo...                                 [ FOUND ]
  - Searching for dead/zombie processes...                    [ OK ]
  - Searching for IO waiting processes...                     [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Users, Groups and Authentication
------------------------------------
  - Search administrator accounts...                          [ OK ]
  - Checking for non-unique UIDs...                           [ OK ]
  - Checking consistency of group files (grpck)...            [ OK ]
  - Checking non unique group ID's...                         [ OK ]
  - Checking non unique group names...                        [ OK ]
  - Checking password file consistency...                     [ OK ]
  - Query system users (non daemons)...                       [ DONE ]
  - Checking NIS+ authentication support                      [ NOT ENABLED ]
  - Checking NIS authentication support                       [ NOT ENABLED ]
  - Checking sudoers file                                     [ FOUND ]
    - Check sudoers file permissions                          [ OK ]
  - Checking PAM password strength tools                      [ SUGGESTION ]
  - Checking PAM configuration files (pam.conf)               [ FOUND ]
  - Checking PAM configuration files (pam.d)                  [ FOUND ]
  - Checking PAM modules                                      [ FOUND ]
  - Checking LDAP module in PAM                               [ NOT FOUND ]
  - Checking accounts without expire date                     [ OK ]
  - Checking accounts without password                        [ OK ]
  - Checking user password aging                              [ OK ]
  - Checking Linux single user mode authentication            [ OK ]
  - Determining default umask
    - Checking umask (/etc/profile)                           [ OK ]
    - Checking umask (/etc/login.defs)                        [ SUGGESTION ]
    - Checking umask (/etc/init.d/rc)                         [ SUGGESTION ]
  - Checking LDAP authentication support                      [ NOT ENABLED ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Shells
------------------------------------
  - Checking shells from /etc/shells...
    Result: found 12 shells (valid shells: 4).
    - Session timeout settings/tools                          [ FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point...                           [ SUGGESTION ]
    - Checking /tmp mount point...                            [ SUGGESTION ]
  - Querying FFS/UFS mount points (fstab)...                  [ NONE ]
  - Query swap partitions (fstab)...                          [ OK ]
  - Testing swap partitions...                                [ OK ]
  - Checking for old files in /tmp...                         [ OK ]
  - Checking /tmp sticky bit...                               [ OK ]
  - ACL support root file system...                           [ DISABLED ]
  - Checking Locate database...                               [ FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Storage
------------------------------------
  - Checking usb-storage driver (modprobe config)...          [ NOT DISABLED ]
  - Checking firewire ohci driver (modprobe config)...        [ NOT DISABLED ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] NFS
------------------------------------
  - Query rpc registered programs...                          [ DONE ]
  - Query NFS versions...                                     [ DONE ]
  - Query NFS protocols...                                    [ DONE ]
  - Check running NFS daemon...                               [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: name services
------------------------------------
  - Checking default DNS search domain...                     [ NONE ]
  - Checking search domains...                                [ FOUND ]
  - Checking /etc/resolv.conf options...                      [ NONE ]
  - Searching DNS domain name...                              [ FOUND ]
      Domain name: somedomain.local
  - Checking nscd status...                                   [ NOT FOUND ]
  - Checking BIND status...                                   [ NOT FOUND ]
  - Checking PowerDNS status...                               [ NOT FOUND ]
  - Checking ypbind status...                                 [ NOT FOUND ]
  - Checking /etc/hosts
    - Checking /etc/hosts (duplicates)                        [ SUGGESTION ]
    - Checking /etc/hosts (hostname)                          [ OK ]
    - Checking /etc/hosts (localhost)                         [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Ports and packages
------------------------------------
  - Searching package managers...
    - Searching RPM package manager...                        [ FOUND ]
      - Querying RPM package manager...
error: db5 error(-30969) from dbenv->open: DB_VERSION_MISMATCH: Database environment version mismatch
error: cannot open Packages index using db5 -  (-30969)
error: cannot open Packages database in /root/.rpmdb
error: db5 error(-30969) from dbenv->open: DB_VERSION_MISMATCH: Database environment version mismatch
error: cannot open Packages database in /root/.rpmdb
    - Searching dpkg package manager...                       [ FOUND ]
      - Querying package manager...

    - Query unpurged packages...                              [ NONE ]
egrep: /etc/apt/sources.list.d: Is a directory
  - Checking security repository in sources.list file...      [ OK ]

  - Checking vulnerable packages...                           [ WARNING ]
  - Checking package audit tool...                            [ INSTALLED ]
    Found: apt-get

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Networking
------------------------------------
  - Checking configured nameservers...
    - Testing nameservers...
        Nameserver: 10.1.21.143...                            [ OK ]
        Nameserver: 10.1.22.143...                            [ OK ]
    - Minimal of 2 responsive nameservers...                  [ OK ]
  - Checking default gateway...                               [ DONE ]
  - Getting listening ports (TCP/UDP)...                      [ DONE ]
      * Found 5 ports
  - Checking promiscuous interfaces...                        [ OK ]
  - Checking waiting connections...                           [ OK ]
  - Checking status DHCP client...                            [ NOT ACTIVE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Printers and Spools
------------------------------------
  - Checking cups daemon...                                   [ NOT FOUND ]
  - Checking lp daemon                                        [ NOT RUNNING ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: e-mail and messaging
------------------------------------
  - Checking Exim status...                                   [ NOT FOUND ]
  - Checking Postfix status...                                [ NOT FOUND ]
  - Checking Qmail status...                                  [ NOT FOUND ]
  - Checking Sendmail status...                               [ NOT FOUND ]
  - Checking Qmail smtpd status...                            [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module                           [ NOT FOUND ]
  - Checking pf                                               [ NOT FOUND ]
  - Checking host based firewall                              [ NOT ACTIVE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: webserver
------------------------------------
  - Checking Apache                                           [ NOT FOUND ]
  - Checking nginx                                            [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] SSH Support
------------------------------------
  - Checking running SSH daemon...                            [ FOUND ]
    - Searching SSH configuration...                          [ FOUND ]
    - Checking defined SSH options...                         [ DONE ]
    - SSH option: PermitRootLogin...                          [ DISABLED ]
    - SSH option: Protocol...                                 [ OK ]
    - SSH option: StrictModes...                              [ OK ]
    - SSH option: AllowUsers...                               [ NOT FOUND ]
    - SSH option: AllowGroups...                              [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] SNMP Support
------------------------------------
  - Checking running SNMP daemon...                           [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Databases
------------------------------------
  - MySQL process status...                                   [ NOT FOUND ]
  - PostgreSQL processes status...                            [ NOT FOUND ]
  - Oracle processes status...                                [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] LDAP Services
------------------------------------
  - Checking OpenLDAP instance...                             [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: PHP
------------------------------------
  - Checking PHP...                                           [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Squid Support
------------------------------------
  - Checking running Squid daemon...                          [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Logging and files
------------------------------------
  - Checking for a running log daemon...                      [ OK ]
    - Checking Syslog-NG status                               [ FOUND ]
      - Checking Syslog-NG consistency                        [ OK ]
    - Checking Metalog status                                 [ NOT FOUND ]
    - Checking RSyslog status                                 [ NOT FOUND ]
    - Checking RFC 3195 daemon status                         [ NOT FOUND ]
    - Checking klogd                                          [ NOT FOUND ]
    - Checking minilogd instances                             [ NOT FOUND ]
  - Checking logrotate presence                               [ OK ]
  - Checking remote logging                                   [ ENABLED ]
  - Checking log directories (static list)                    [ DONE ]
  - Checking open log files                                   [ DONE ]
  - Checking deleted files in use                             [ DONE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Insecure services
------------------------------------
  - Checking inetd status...                                  [ NOT ACTIVE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Banners and identification
------------------------------------
  - /etc/motd...                                              [ FOUND ]
    - /etc/motd permissions...                                [ OK ]
    - /etc/motd contents...                                   [ WEAK ]
  - /etc/issue...                                             [ FOUND ]
    - /etc/issue contents...                                  [ WEAK ]
  - /etc/issue.net...                                         [ FOUND ]
    - /etc/issue.net contents...                              [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Scheduled tasks
------------------------------------
  - Checking crontab/cronjob                                  [ DONE ]
  - Checking atd status                                       [ RUNNING ]
    - Checking at users                                       [ DONE ]
    - Checking at jobs                                        [ NONE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Accounting
------------------------------------
  - Checking accounting information...                        [ NOT FOUND ]
  - Checking sysstat accounting data                          [ NOT FOUND ]
  - Checking auditd                                           [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Time and Synchronization
------------------------------------
  - Checking running NTP daemon (ntpd)...                     [ FOUND ]
  - Checking running NTP daemon (timed)...                    [ NOT FOUND ]
  - Checking running NTP daemon (dntpd)...                    [ NOT FOUND ]
  - Checking NTP client in crontab file (/etc/crontab)...     [ NOT FOUND ]
  - Checking NTP client in cron.d files...                    [ NOT FOUND ]
  - Checking event based ntpdate (if-up)...                   [ FOUND ]
  - Checking for a running NTP daemon or client               [ OK ]
  - Checking valid association ID's                           [ FOUND ]
  - Checking high stratum ntp peers                           [ OK ]
  - Checking unreliable ntp peers                             [ NONE ]
  - Checking selected time source                             [ OK ]
  - Checking time source candidates...                        [ OK ]
  - Checking falsetickers...                                  [ OK ]
  - Checking NTP version...                                   [ FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Cryptography
------------------------------------
  - Checking SSL certificate expiration...                    [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Virtualization
------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                                [ NOT FOUND ]
  - Checking presence SELinux                                 [ NOT FOUND ]
  - Checking presence grsecurity                              [ NOT FOUND ]
  - Checking for implemented MAC framework                    [ NONE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: file integrity
------------------------------------
  - Checking file integrity tools...
    - AFICK...                                                [ NOT FOUND ]
    - AIDE...                                                 [ FOUND ]
      - AIDE config file                                      [ FOUND ]
      - AIDE config (Checksum)                                [ OK ]
    - Osiris...                                               [ NOT FOUND ]
    - Samhain...                                              [ FOUND ]
    - Tripwire...                                             [ NOT FOUND ]
    - OSSEC (syscheck)...                                     [ NOT FOUND ]
    - mtree...                                                [ NOT FOUND ]
  - Checking presence integrity tool...                       [ FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: System tooling
------------------------------------
  - Checking automation tooling...
  - Automation tooling                                        [ NOT FOUND ]
./lynis: 64: ./include/tests_tooling: ReportSuggest: not found

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: Malware scanners
------------------------------------
  - Checking chkrootkit...                                    [ NOT FOUND ]
  - Checking Rootkit Hunter...                                [ NOT FOUND ]
  - Checking commercial anti-virus scanners                   [ NONE FOUND ]
  - Checking ClamAV scanner...                                [ FOUND ]
  - Checking ClamAV daemon...                                 [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] System Tools
------------------------------------
  - Starting file permissions check...
    /etc/lilo.conf                                            [ NOT FOUND ]
    /root/.ssh                                                [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Home directories
------------------------------------
  - Checking shell history files...                           [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile...
    - kernel.core_uses_pid (exp: 1)                           [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0)                            [ OK ]
    - kernel.sysrq (exp: 0)                                   [ DIFFERENT ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0)                  [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0)                   [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1)                 [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0)                [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0)                    [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1)                    [ DIFFERENT ]
    - net.ipv4.conf.all.send_redirects (exp: 0)               [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0)      [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1)             [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)           [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)     [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1)                        [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0)                        [ OK ]
    - net.ipv6.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0)          [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0)         [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0)      [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Hardening
------------------------------------
    - Installed compiler(s)...                                [ FOUND ]
    - Installed malware scanner...                            [ FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Custom Tests
------------------------------------
  - Running custom tests...                                   [ NONE ]

================================================================================

  -[ Lynis 1.5.9 Results ]-

  Warnings:
  ----------------------------
  - Found one or more vulnerable packages. [PKGS-7392]
      http://cisofy.com/controls/PKGS-7392/

  - klogd is not running, which could lead to missing kernel messages in log files [LOGG-2138]
      http://cisofy.com/controls/LOGG-2138/

  Suggestions:
  ----------------------------
  - Determine priority for available kernel update [KRNL-5788]
      http://cisofy.com/controls/KRNL-5788/
  - Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]
      http://cisofy.com/controls/AUTH-9262/
  - Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
      http://cisofy.com/controls/AUTH-9328/
  - Default umask in /etc/init.d/rc could be more strict like 027 [AUTH-9328]
      http://cisofy.com/controls/AUTH-9328/
  - To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310]
      http://cisofy.com/controls/FILE-6310/
  - To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
      http://cisofy.com/controls/FILE-6310/
  - Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
      http://cisofy.com/controls/STRG-1840/
  - Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
      http://cisofy.com/controls/STRG-1846/
  - L [NAME-4402]
      http://cisofy.com/controls/NAME-4402/
  - Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392]
      http://cisofy.com/controls/PKGS-7392/
  - Configure a firewall/packet filter to filter incoming and outgoing traffic [FIRE-4590]
      http://cisofy.com/controls/FIRE-4590/
  - Check why klogd is not running [LOGG-2138]
      http://cisofy.com/controls/LOGG-2138/
  - Add legal banner to /etc/motd, to warn unauthorized users [BANN-7122]
      http://cisofy.com/controls/BANN-7122/
  - Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
      http://cisofy.com/controls/BANN-7126/
  - Enable process accounting [ACCT-9622]
      http://cisofy.com/controls/ACCT-9622/
  - Enable sysstat to collect accounting (no results) [ACCT-9626]
      http://cisofy.com/controls/ACCT-9626/
  - Enable auditd to collect audit information [ACCT-9628]
      http://cisofy.com/controls/ACCT-9628/
  - One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
      http://cisofy.com/controls/KRNL-6000/
  - Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [HRDN-7220]
      http://cisofy.com/controls/HRDN-7220/
  - Harden compilers and restrict access to world [HRDN-7222]
      http://cisofy.com/controls/HRDN-7222/

  Follow-up:
  ----------------------------
  - Check the logfile (less /var/log/lynis.log)
  - Read security controls texts (http://cisofy.com)
  - Use --upload to upload data (Lynis Enterprise users)

================================================================================
  Lynis Scanner (details):

  Hardening index : 69 [#############       ]
  Tests performed : 181
  Plugins enabled : 0

  Lynis Modules:
  - Heuristics Check [NA] - Security Audit [V] - Vulnerability Scan [V]

  Compliance Checks:
  - HIPAA [NA] - PCI [NA] - SOx [NA]

  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
================================================================================
  Tip: Disable all tests which are not relevant or are too strict for the
       purpose of this particular machine. This will remove unwanted suggestions
       and also boost the hardening index. Each test should be properly analyzed
       to see if the related risks can be accepted, before disabling the test.
================================================================================
  Lynis 1.5.9
  Copyright 2007-2014 - Michael Boelen, http://cisofy.com
  Enterprise support and plugins available via CISOfy - http://cisofy.com
================================================================================
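
The Kernel Hardening section of the scan above only prints DIFFERENT for a sysctl key, not the value the host actually has. The following shell script is an added example (not part of Lynis and not from the original post) that extracts those keys from saved screen output and pairs each expected value with the live one; the function names and the PROC_SYS override are hypothetical, and the input format is assumed to match the output shown on this page.

```shell
#!/bin/sh
# Added example: list the sysctl keys a Lynis screen log marks DIFFERENT,
# with the expected value from the scan profile and the current value.

# Constructed sample: a few lines taken from the scan output on this page.
sample_scan() {
cat <<'EOF'
[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile...
    - kernel.core_uses_pid (exp: 1)                           [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0)                            [ OK ]
    - kernel.sysrq (exp: 0)                                   [ DIFFERENT ]
    - net.ipv4.conf.all.rp_filter (exp: 1)                    [ DIFFERENT ]
    - net.ipv4.tcp_syncookies (exp: 1)                        [ OK ]

[+] Hardening
------------------------------------
    - Installed compiler(s)...                                [ FOUND ]
EOF
}

# sysctl_diffs: read Lynis screen output on stdin and print "key = expected"
# for every line in the Kernel Hardening section that is marked DIFFERENT.
sysctl_diffs() {
    awk '
        # A "[+] ..." line starts a new section; track whether it is ours.
        /^\[\+\] / { in_sec = ($0 ~ /^\[\+\] Kernel Hardening/); next }
        in_sec && /\(exp: [^)]*\)/ && /\[ DIFFERENT \]/ {
            key = $2                       # field after the leading "-"
            want = $0
            sub(/^.*\(exp: /, "", want)    # strip everything before the value
            sub(/\).*$/, "", want)         # strip everything after it
            print key " = " want
        }
    '
}

# current_value: read one key from /proc/sys (dots become slashes).
# PROC_SYS is a hypothetical override so the lookup can be pointed at a
# test directory; on a real host it defaults to /proc/sys.
current_value() {
    path="${PROC_SYS:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo "unreadable"
    fi
}

# review_table: one line per differing key, for review before any change.
review_table() {
    sysctl_diffs | while IFS= read -r line; do
        key=${line%% = *}
        want=${line##* = }
        printf '%s expected=%s current=%s\n' \
            "$key" "$want" "$(current_value "$key")"
    done
}

# Stand-alone run on the constructed sample: prints the three differing keys.
sample_scan | sysctl_diffs
```

On a host, pipe a saved copy of the screen output into review_table and assess each listed key against the machine's role before changing it, as the Tip in the scan output advises.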

Summary:  Lynis 1.6.4 is an interesting little tool.  Found it via http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/

If you are in a PCI DSS environment it could be a nice tool to have to get your Linux systems up to speed before your PCI auditors come and surprise you.  Unfortunately the free version doesn't have the plugins to check against PCI compliance.  You need to buy an Enterprise license in order to do so, and only the "Premium" license gets you the PCI compliance tests.   I don't think I would have a problem paying $50 or $60 for it at a one-time cost, but paying $3 per month and per system... The tool itself is great; I would get it in a blink if it didn't have this monthly cost per server.

 

Update:  20.02.2015.  I have been working with the people from Lynis and I am starting to really like the product.  Our company will be paying for 50 licenses in order to help facilitate the 2015 PCI DSS audit.
