
Hardening A Linux System-1

This document outlines a lab exercise focused on hardening a Linux system using the Lynis security auditing tool. It includes objectives for discovering vulnerabilities and implementing solutions, along with detailed instructions for installing Lynis, running scans, and addressing any identified warnings. The lab emphasizes the importance of system auditing and provides steps for ensuring the system is secure and up-to-date.

Uploaded by

Neldhyde Quizon

Lab - Harden a Linux System

Objectives

- Use a security auditing tool to discover system vulnerabilities.
- Implement recommended solutions to harden the system.

Background / Scenario

Auditing a system for potential misconfigurations or unprotected services is
an important aspect of system hardening. Lynis is an open source security
auditing tool with an automated set of scripts developed to test a Linux
system. Lynis performs an extensive health scan of your system. It includes
a detailed report of vulnerabilities and recommended actions. In this lab, you
will use Lynis to scan your VM and then implement solutions to harden your
system.

Required Resources

PC with the CSE-LABVM installed in VirtualBox

Instructions

Part 1: Install and Update Lynis.

Step 1: Determine the installed Lynis version.

a. Launch the CSE-LABVM.

b. Double-click the Terminal icon to open a terminal.

c. To determine the latest version provided by CISOfy, enter the following
command at the terminal.

cisco@labvm:~$ sudo apt-cache policy lynis
lynis:
  Installed: 3.0.6-100
  Candidate: 3.0.6-100
  Version table:
 *** 3.0.6-100 500
        500 https://packages.cisofy.com/community/lynis/deb stable/main amd64 Packages
        500 https://packages.cisofy.com/community/lynis/deb stable/main i386 Packages
        100 /var/lib/dpkg/status
     2.6.2-1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        500 http://archive.ubuntu.com/ubuntu focal/universe i386 Packages

d. Go to the next part if you have the latest Lynis version.

If Lynis is not installed or the latest version is not installed, go to the next
step to install Lynis.

Step 2: Install Lynis

Lynis is a security tool for systems running a Unix-based OS, such as Linux
and macOS. Lynis will be used later in another activity to harden a
Linux system. The Lynis application is maintained by CISOfy. In this
step, we will add the software repository and install Lynis.

a. Copy and paste the following command into a terminal to import the key
from the CISOfy keyserver. This key is required to verify the integrity of your
download when you download lynis:

cisco@labvm:~$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 013baa07180c50a7101097ef9de922f1c2fde6c4

b. Copy and paste the following command into a terminal to add the lynis
repository maintained by CISOfy.

cisco@labvm:~$ echo 'deb https://packages.cisofy.com/community/lynis/deb/ stable main' | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list

c. Perform an update after adding a new repository. At the prompt, enter
sudo apt-get update.

d. Use the command apt install to install Lynis if it is not already installed.

cisco@labvm:~$ sudo apt install lynis
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  lynis
0 upgraded, 1 newly installed, 0 to remove and 17 not upgraded.
Need to get 0 B/262 kB of archives.
After this operation, 1,681 kB of additional disk space will be used.
Selecting previously unselected package lynis.
(Reading database ... 205787 files and directories currently installed.)
Preparing to unpack .../lynis_3.0.6-100_all.deb ...
Unpacking lynis (3.0.6-100) ...
Setting up lynis (3.0.6-100) ...
Processing triggers for man-db (2.9.1-1) ...

e. Perform an upgrade after the installation to ensure that the installed
Lynis is the latest version. At the prompt, enter sudo apt-get upgrade.

Part 2: Examine the current version of Lynis.

Change to the Lynis directory, and then enter the sudo lynis update info
command to check the update information for Lynis. Enter password as the
sudo password. This command verifies that the installed version is the latest
one and lists update information for the tool; the output below reflects the
time of writing of this lab. If the installed Lynis version is not up to date,
enter sudo apt-get upgrade at the prompt.

cisco@labvm:~$ sudo lynis update info
[sudo] password for cisco: password
== Lynis ==

2007-2021, CISOfy - https://cisofy.com/lynis/


Part 3: Run the Lynis tool.

a. Enter the sudo lynis --auditor cisco command. You may or may not
need to enter password as the password again. The scan will take
about a minute to run.

cisco@labvm:~$ sudo lynis --auditor cisco

b. You should receive output for a variety of system features starting with
Boot and services and ending with Hardening, Custom tests, and Plugins
(phase 2). The next section is the Lynis 3.0.6 Results. Your results most likely
include the two Warnings shown below. You may also receive other warnings. In
addition, there will be a section with a listing of Suggestions, which lists 49
in the example output below. Only the first suggestion is shown.

[ Lynis 3.0.6 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2021, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
[+] Plugins (phase 2)

================================================================================
-[ Lynis 3.0.6 Results ]-
Warnings (2):

! Found one or more vulnerable packages. [PKGS-7392]
    https://cisofy.com/lynis/controls/PKGS-7392/

! iptables module(s) loaded, but no rules active [FIRE-4512]
    https://cisofy.com/lynis/controls/FIRE-4512/

Suggestions (49):

* Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
    https://cisofy.com/lynis/controls/BOOT-5122/

================================================================================
Lynis 3.0.6
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2021, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)

================================================================================

[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /home/cisco/Downloads/lynis/default.prf for all settings)
cisco@labvm:~$

Part 4: Review the results of your scan and address any warnings.

a. Scroll to the Results section in the output for your scan.

How many Warnings did you receive?

Answer Area

How many Suggestions did you receive?

Answer Area

b. You should address the warnings. Pick at least one warning and research
how to fix that problem. You can use the link provided in the warning output
as a starting point for addressing a warning. But you may also need to use
your internet research skills to track down additional information.

Which warning are you addressing?

Answer Area

What is your solution?

Answer Area
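
The counting questions in Part 4, step a, can be answered from a saved copy of the scan instead of scrolling the terminal. The script below is an added example, not part of the original lab; the function names and the scan.txt capture file are assumptions, and the sample input is constructed from the Results excerpt shown in Part 3. It also flags a capture in which fewer findings are present than the section header declares.

```shell
# Added example: summarize the Results section of a saved Lynis scan,
# e.g. one captured with: sudo lynis --auditor cisco | tee scan.txt

# Lynis colours its terminal output; remove ANSI colour codes first.
strip_ansi() { sed "s/$(printf '\033')\[[0-9;]*m//g"; }

# Print the N from a "Warnings (N):" or "Suggestions (N):" header on stdin.
declared_count() {
    strip_ansi | sed -n "s/^[[:space:]]*$1 (\([0-9][0-9]*\)):.*/\1/p" | head -n 1
}

# Print "TEST-ID<TAB>message" for each finding on stdin that starts with
# the given marker: "!" for warnings, "*" for suggestions.
list_findings() {
    strip_ansi | awk -v mark="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        substr(line, 1, 2) == mark " " && match(line, /\[[A-Z]+-[0-9]+\][ \t]*$/) {
            id = substr(line, RSTART + 1); sub(/\][ \t]*$/, "", id)
            msg = substr(line, 3, RSTART - 3); sub(/[ \t]+$/, "", msg)
            print id "\t" msg
        }'
}

# Compare the header count with the findings present in FILE; a mismatch
# means the capture is incomplete (limited scrollback, or an excerpt).
check_section() {   # usage: check_section FILE Warnings '!'
    declared=$(declared_count "$2" < "$1")
    found=$(list_findings "$3" < "$1" | wc -l | tr -d ' ')
    [ "$declared" = "$found" ] && state=complete || state=incomplete
    echo "$2: found $found, header says ${declared:-?} ($state)"
}

# Constructed sample: the Results excerpt shown in this lab.
sample_scan() {
    cat <<'EOF'
  Warnings (2):
  ! Found one or more vulnerable packages. [PKGS-7392]
      https://cisofy.com/lynis/controls/PKGS-7392/
  ! iptables module(s) loaded, but no rules active [FIRE-4512]
      https://cisofy.com/lynis/controls/FIRE-4512/
  Suggestions (49):
  * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
EOF
}

scan=$(mktemp) && sample_scan > "$scan"
check_section "$scan" Warnings '!'
check_section "$scan" Suggestions '*'
rm -f "$scan"
```

On the lab excerpt the Suggestions section is reported as incomplete, because the header declares 49 entries and only the first one is shown.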
