9.1.14 Lab - Harden A Linux System
Objectives
- Use a security auditing tool to discover system vulnerabilities.
- Implement recommended solutions to harden the system.
Background / Scenario
Auditing a system for potential misconfigurations or unprotected services is an important aspect of system
hardening. Lynis is an open source security auditing tool with an automated set of scripts developed to test a
Linux system. Lynis performs an extensive health scan of your system. It includes a detailed report of
vulnerabilities and recommended actions. In this lab, you will use Lynis to scan your VM and then implement
solutions to harden your system.
Required Resources
PC with the CSE-LABVM installed in VirtualBox
Instructions
2017 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 5
a. Copy and paste the following command into a terminal to import the key from the CISOfy keyserver. This
key is required to verify the integrity of your download when you download Lynis:
cisco@labvm:~$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 013baa07180c50a7101097ef9de922f1c2fde6c4
b. Copy and paste the following command into a terminal to add the Lynis repository maintained by CISOfy.
cisco@labvm:~$ echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
c. Perform an update after adding a new repository. At the prompt, enter sudo apt-get update.
d. Use the command apt install to install Lynis if it is not already installed.
cisco@labvm:~$ sudo apt install lynis
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
lynis
0 upgraded, 1 newly installed, 0 to remove and 17 not upgraded.
Need to get 0 B/262 kB of archives.
After this operation, 1,681 kB of additional disk space will be used.
Selecting previously unselected package lynis.
(Reading database ... 205787 files and directories currently installed.)
Preparing to unpack .../lynis_3.0.6-100_all.deb ...
Unpacking lynis (3.0.6-100) ...
Setting up lynis (3.0.6-100) ...
Processing triggers for man-db (2.9.1-1) ...
e. Perform an upgrade after the installation to ensure that the installed Lynis is the latest version. At the
prompt, enter sudo apt-get upgrade.
== Lynis ==
Version : 3.0.6
Status : Up-to-date
Release date : 2021-07-22
Project page : https://cisofy.com/lynis/
Source code : https://github.com/CISOfy/lynis
Latest package : https://packages.cisofy.com/
[ Lynis 3.0.6 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
<output omitted>
[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ DISABLED ]
- Checking presence GRUB2 [ FOUND ]
<output omitted>
[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]
- Installed malware scanner [ NOT FOUND ]
- Non-native binary formats [ NOT FOUND ]
================================================================================
Warnings (2):
----------------------------
! Found one or more vulnerable packages. [PKGS-7392]
https://cisofy.com/lynis/controls/PKGS-7392/
Suggestions (49):
----------------------------
* Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot
in single user mode without password) [BOOT-5122]
https://cisofy.com/lynis/controls/BOOT-5122/
<output omitted>
================================================================================
Lynis 3.0.6
================================================================================
cisco@labvm:~$
Part 4: Review the results of your scan and address any warnings.
a. Scroll to the Results section in the output for your scan.
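As an alternative to scrolling, the Warnings and Suggestions can be pulled out of saved scan output as one line per finding, so each test ID can be tracked while you harden the system. The script below is an added example, not part of the original lab; the function names are assumptions, the sample text is constructed from the output shown above, and it assumes the scan output was saved to a file.

```shell
#!/bin/sh
# Added example (not from the lab): list Lynis findings as
# SEVERITY<TAB>TEST-ID<TAB>MESSAGE from saved scan output.

lynis_findings() {
    esc=$(printf '\033')
    # Drop ANSI colour codes, then parse the Warnings/Suggestions sections.
    sed "s/${esc}\[[0-9;]*m//g" | awk '
        function flush_item(   id, msg) {
            # A finding is complete once the buffer ends in its [TEST-ID].
            if (match(buf, /\[[A-Z0-9]+-[0-9]+\][ \t]*$/)) {
                id = substr(buf, RSTART + 1); sub(/\].*$/, "", id)
                msg = substr(buf, 1, RSTART - 1); sub(/[ \t]+$/, "", msg)
                printf "%s\t%s\t%s\n", sev, id, msg
                buf = ""
            }
        }
        /^[ \t]*Warnings \([0-9]+\):/    { sev = "WARNING";    buf = ""; next }
        /^[ \t]*Suggestions \([0-9]+\):/ { sev = "SUGGESTION"; buf = ""; next }
        sev == ""                        { next }   # not in a results section yet
        /^[ \t]*$/ || /^[ \t]*(https?:|[-=<])/ { buf = ""; next }  # blank, URL, rule
        /^[ \t]*[!*] / { buf = $0; sub(/^[ \t]*[!*] /, "", buf); flush_item(); next }
        buf != ""      { sub(/^[ \t]+/, ""); buf = buf " " $0; flush_item() }  # wrapped
    '
}

# Only the test IDs of warnings, the items to address first.
lynis_warning_ids() {
    lynis_findings | awk -F '\t' '$1 == "WARNING" { print $2 }'
}

# Constructed sample, modelled on the scan output shown in this lab.
sample_scan() {
    printf '%s\n' \
        '  Warnings (2):' \
        '  ----------------------------' \
        '  ! Found one or more vulnerable packages. [PKGS-7392]' \
        '      https://cisofy.com/lynis/controls/PKGS-7392/' \
        '' \
        '  Suggestions (49):' \
        '  ----------------------------' \
        '  * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot' \
        '    in single user mode without password) [BOOT-5122]' \
        '      https://cisofy.com/lynis/controls/BOOT-5122/'
}

# Parse the file given as the first argument, or the sample when none is given.
if [ -n "${1:-}" ]; then lynis_findings < "$1"; else sample_scan | lynis_findings; fi
```

Run it with the path of the saved scan output as the only argument; with no argument it parses the built-in sample.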
Questions: