Lab – Hardening a Linux System

Objectives
Demonstrate the use of a security auditing tool to harden a Linux system.

Background / Scenario
Auditing a system for potential misconfigurations or unprotected services is an important aspect of system
hardening. Lynis is an open source security auditing tool with an automated set of scripts developed to test a
Linux system.

Required Resources
 PC with Ubuntu 16.04 Desktop LTS installed in a VirtualBox or VMware virtual machine.

Step 1: Open a terminal window in Ubuntu.

a. Log in to Ubuntu using the following credentials:
User: cisco
Password: password

b. Click the terminal icon to open a terminal window.

Step 2: The Lynis Tool

a. At the command prompt, enter the following command to change to the lynis directory:
cisco@ubuntu:~$ cd Downloads/lynis/

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 5
Lab – Hardening a Linux System

b. At the command prompt, enter the following command and enter the password password when
prompted:
cisco@ubuntu:~/Dowloads/lynis$ sudo ./lynis update info

This command verifies that this is the latest version and updates for the tool at the time of writing of this
lab.

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 5
Lab – Hardening a Linux System

Step 3: Run the Tool

a. Type the following command in terminal and press Enter:
cisco@ubuntu:~/Downloads/lynis$ sudo ./lynis --auditor ciscosu

As displayed above, the tool will begin auditing using the user cisco as the auditor.
Notice: You will receive warnings.
b. To continue with each stage of the audit press Enter. You will receive warnings as shown below.

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 5
Lab – Hardening a Linux System

c. You will receive suggestions, as shown below.

d. You will receive a notification for any configuration that is weak as shown below:

e. You will receive detailed security enhancement suggestions as well as a final summary which provides
the location where you can find the log file.

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 5
Lab – Hardening a Linux System

Step 4: Review Results

a. Scroll up to the results section after the tool is finished running.
How many Warnings did you receive? 4___________________________
How many Suggestions did you receive? 35________________________
b. Scroll through the suggestions and select one. You will research a suggestion that you can implement to
address the issue.
Which suggestion are you addressing?
_set a password on GRB bootloader to prevent altering boot configuration e.g. boot in single user mode
without password) [BOOT-5122]
___________________________________________________________________________________
____________________________________________________________________________________
What is your suggested solution?
_ La protección con contraseña del cargador de arranque GRUB protege contra el reinicio y el inicio de
sesión no deseados en su sistema, y evita que los usuarios no deseados obtengan acceso al modo de
usuario único.
El modo de usuario único le permite iniciar Ubuntu en un modo especial que incluye privilegios de root.
Eso significa que, sin conocer la contraseña de root de un servidor, alguien podría (con la comprensión
de cómo funciona el modo de usuario único) modificar u obtener acceso a su sistema. Por supuesto, el
usuario malintencionado necesitaría acceso físico a la computadora para hacerlo, pero no se debe dejar
nada al azar. Es por eso que siempre debe proteger con contraseña su cargador de arranque GRUB en
Ubuntu (y otras distribuciones de
Linux).______________________________________________________________________________
_____
____________________________________________________________________________________
References
Lynis: https://cisofy.com/lynis/

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 5