9.1.14 Lab - Harden A Linux System

The document outlines a lab exercise focused on hardening a Linux system using the Lynis security auditing tool. It includes objectives, background information, required resources, and step-by-step instructions for installing Lynis, running a security scan, and addressing identified vulnerabilities. Participants are expected to implement solutions based on the scan results to enhance system security.

Lab - Harden a Linux System

Objectives
- Use a security auditing tool to discover system vulnerabilities.
- Implement recommended solutions to harden the system.

Background / Scenario
Auditing a system for misconfigurations and unprotected services is an important part of system
hardening. Lynis is an open source security auditing tool: an automated set of scripts that tests a
Linux system, performs an extensive health scan, and produces a detailed report of findings with
recommended actions. In this lab, you will use Lynis to scan your VM and then implement solutions
to harden the system.

Required Resources
PC with the CSE-LABVM installed in VirtualBox

Instructions

Part 1: Install and Update Lynis.

Step 1: Determine the installed Lynis version.


a. Launch the CSE-LABVM.
b. Double-click the Terminal icon to open a terminal.
c. To see which version of Lynis is installed and which version apt would install from the configured repositories, enter the following command at the terminal.
cisco@labvm:~$ sudo apt-cache policy lynis
lynis:
Installed: 3.0.6-100
Candidate: 3.0.6-100
Version table:
*** 3.0.6-100 500
500 https://packages.cisofy.com/community/lynis/deb stable/main amd64 Packages
500 https://packages.cisofy.com/community/lynis/deb stable/main i386 Packages
100 /var/lib/dpkg/status
2.6.2-1 500
500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
500 http://archive.ubuntu.com/ubuntu focal/universe i386 Packages

d. If Lynis is installed and the Installed version matches the Candidate offered by the CISOfy repository (3.0.6-100 in the output above), go to Part 2.

If Lynis is not installed, or the only candidate comes from the Ubuntu universe repository (2.6.2-1 above, an older release), go to the next step to add the CISOfy repository and install Lynis from it.

Step 2: Install Lynis


Lynis is a security tool for systems running a Unix-based OS, such as Linux and macOS. It is maintained
by CISOfy. In this step, you will add the CISOfy software repository and install Lynis from it.

© 2017 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 5

a. Copy and paste the following command into a terminal to import the CISOfy signing key from the Ubuntu keyserver. apt uses this key to verify the signature on the repository metadata, so packages that were tampered with in transit or on a mirror are rejected rather than installed. (On newer Ubuntu and Debian releases apt-key is deprecated; there the key is stored in a keyring file and referenced from the repository entry with a signed-by option instead.)
cisco@labvm:~$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 013baa07180c50a7101097ef9de922f1c2fde6c4
b. Copy and paste the following command into a terminal to add the Lynis repository maintained by CISOfy.
cisco@labvm:~$ echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
c. Perform an update after adding a new repository. At the prompt, enter sudo apt-get update.
d. Use the command apt install to install Lynis if it is not already installed.
cisco@labvm:~$ sudo apt install lynis
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
lynis
0 upgraded, 1 newly installed, 0 to remove and 17 not upgraded.
Need to get 0 B/262 kB of archives.
After this operation, 1,681 kB of additional disk space will be used.
Selecting previously unselected package lynis.
(Reading database ... 205787 files and directories currently installed.)
Preparing to unpack .../lynis_3.0.6-100_all.deb ...
Unpacking lynis (3.0.6-100) ...
Setting up lynis (3.0.6-100) ...
Processing triggers for man-db (2.9.1-1) ...

e. Perform an upgrade after the installation to ensure that the installed Lynis is the latest version. At the prompt,
enter sudo apt-get upgrade.

Part 2: Examine the current version of Lynis.

Enter the sudo lynis update info command to check the update status of Lynis (the package installs lynis on the
PATH, so it can be run from any directory). Enter password when prompted for the sudo password. The output
shows the installed version and whether it is up to date; 3.0.6 was the latest release at the time of writing.
If the installed Lynis version is not up to date, enter sudo apt-get upgrade at the prompt.
cisco@labvm:~$ sudo lynis update info
[sudo] password for cisco: password

== Lynis ==

Version : 3.0.6
Status : Up-to-date
Release date : 2021-07-22
Project page : https://cisofy.com/lynis/
Source code : https://github.com/CISOfy/lynis
Latest package : https://packages.cisofy.com/

2007-2021, CISOfy - https://cisofy.com/lynis/

Part 3: Run the Lynis tool.


a. Enter the sudo lynis --auditor cisco command. If you are prompted, enter password as the sudo password
again. The --auditor option only records the name of the person running the audit in the report. The scan takes about a minute to run.
cisco@labvm:~$ sudo lynis --auditor cisco
b. You should receive output for a variety of system areas, starting with Boot and services and ending
with Hardening, Custom tests, and Plugins (phase 2). The section after that is the Lynis 3.0.6 Results.
Your results will most likely include the two Warnings shown below; you may also receive other warnings. In
addition, there is a Suggestions section, which lists 49 items in the example output below.
Only the first suggestion is shown.

[ Lynis 3.0.6 ]

################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.

2007-2021, CISOfy - https://cisofy.com/lynis/


Enterprise support available (compliance, plugins, interface and tools)
################################################################################

[+] Initializing program


------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]

<output omitted>
[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ DISABLED ]
- Checking presence GRUB2 [ FOUND ]
<output omitted>
[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]
- Installed malware scanner [ NOT FOUND ]
- Non-native binary formats [ NOT FOUND ]

[+] Custom tests


------------------------------------
- Running custom tests... [ NONE ]

[+] Plugins (phase 2)


------------------------------------

================================================================================

-[ Lynis 3.0.6 Results ]-

Warnings (2):
----------------------------
! Found one or more vulnerable packages. [PKGS-7392]
https://cisofy.com/lynis/controls/PKGS-7392/

! iptables module(s) loaded, but no rules active [FIRE-4512]
https://cisofy.com/lynis/controls/FIRE-4512/

Suggestions (49):
----------------------------
* Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot
in single user mode without password) [BOOT-5122]
https://cisofy.com/lynis/controls/BOOT-5122/
<output omitted>
================================================================================

Lynis 3.0.6

Auditing, system hardening, and compliance for UNIX-based systems


(Linux, macOS, BSD, and others)

2007-2021, CISOfy - https://cisofy.com/lynis/


Enterprise support available (compliance, plugins, interface and tools)

================================================================================

[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see
/home/cisco/Downloads/lynis/default.prf for all settings)

cisco@labvm:~$

Part 4: Review the results of your scan and address any warnings.
a. Scroll to the Results section in the output for your scan.
Questions:

How many Warnings did you receive?
Type your answers here.

How many Suggestions did you receive?
Type your answers here.
b. You should address the warnings. Pick at least one warning and research how to fix that problem. You
can use the link provided in the warning output as a starting point for addressing a warning. But you may
also need to use your internet research skills to track down additional information.
Questions:

Which warning are you addressing?


Type your answers here.

What is your solution?


Type your answers here.
c. Implement your solution and run the sudo lynis --auditor cisco command again. If your chosen warning
is no longer listed in the Results section, then congratulations! You just increased the hardening of your
Ubuntu VM. If the warning is still listed, see if you can discover more information to help you get a clean
report from Lynis in which the warning is no longer reported.
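As an added example (not part of the Cisco lab or of Lynis itself), the following shell script automates the two checks this lab asks you to do by reading the screen: counting the Warnings and Suggestions from a scan (Part 4 step a) and confirming that the warning you chose is no longer reported after the re-scan (Part 4 step c). Lynis writes each run's findings to /var/log/lynis-report.dat (owned by root, so copy it with sudo) as key=value lines of the form warning[]=TEST-ID|description|details|solution| and suggestion[]=TEST-ID|... . The two report bodies embedded in the script are constructed samples in that format, built only from the findings shown on this page; the assumption is that the "before" run shows both warnings and the "after" run shows FIRE-4512 resolved.

```shell
#!/bin/sh
# Added example (not from the Cisco lab): triage Lynis report files.
# Lynis writes its findings to /var/log/lynis-report.dat as key=value lines:
#   warning[]=TEST-ID|description|details|solution|
#   suggestion[]=TEST-ID|description|details|solution|
# The two reports below are CONSTRUCTED samples in that format, using only the
# findings shown in this lab: BEFORE has both warnings, AFTER assumes that the
# FIRE-4512 (no active iptables rules) warning has been fixed and Lynis re-run.

BEFORE=$(mktemp)
AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT

cat >"$BEFORE" <<'EOF'
lynis_version=3.0.6
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)|-|-|
EOF

cat >"$AFTER" <<'EOF'
lynis_version=3.0.6
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)|-|-|
EOF

# ids KIND REPORT: the test IDs of every entry of KIND (warning or suggestion),
# sorted, one per line. The ID is the first pipe-separated field after "=".
ids() {
    grep "^$1\[\]=" "$2" | cut -d= -f2- | cut -d'|' -f1 | sort -u
}

# count KIND REPORT: how many entries of KIND the report contains.
count() {
    ids "$1" "$2" | wc -l | tr -d ' '
}

# show_warnings REPORT: print each warning the way the Results section does,
# with the CISOfy control page to start researching the fix from.
show_warnings() {
    grep '^warning\[\]=' "$1" | cut -d= -f2- | while IFS='|' read -r id text _; do
        printf '! %s [%s]\n  https://cisofy.com/lynis/controls/%s/\n' "$text" "$id" "$id"
    done
}

# resolved_warnings BEFORE AFTER: warning IDs present in BEFORE but absent from
# AFTER, i.e. the warnings your hardening change actually cleared.
resolved_warnings() {
    ids warning "$1" | while read -r id; do
        ids warning "$2" | grep -qx "$id" || printf '%s\n' "$id"
    done
}

echo "Warnings: $(count warning "$BEFORE")  Suggestions: $(count suggestion "$BEFORE")"
show_warnings "$BEFORE"
echo "Warnings cleared by the re-scan:"
resolved_warnings "$BEFORE" "$AFTER"
echo "Warnings still open:"
ids warning "$AFTER"
```

To use it on the VM, save a copy of the real report before and after your change (for example sudo cp /var/log/lynis-report.dat ~/before.dat, then the same to ~/after.dat after the second scan) and point the functions at those files instead of the constructed samples. Comparing IDs rather than eyeballing the Results screen also catches the case where your fix clears one warning but introduces another.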