Tutorial Install Lynis in Linux

Scan your Linux server for Malware and Rootkits

Servers connected to the internet are seeing a constant level of attacks and scans all day. While a firewall and regular system updates are a good first defense to keep the system safe, you should also check regularly that no attacker got in. The tools described in this tutorial are made for these sanity checks, they scan for malware, viruses and rootkits. Malicious software plague computers, it is hard to think this threat will ever stop. The Linux platform definitely has their share of malware, although many people never experienced it firsthand.

A. The types of malware

To understand the risks, you have to understand the threats and weaknesses. When we talk about malware, there are different family types, each with their own threat and method of attack. The most common five families are:
Virus – attaches itself to binaries
Worm – spreads via the network, e-mail, file transfers
Rootkit – alters the system with a specific purpose
Backdoor or Trojan horse – allows for secret access
Dropper – disguises itself as legitimate, while performing secret actions
Lynis and RkHunter are tools which focus on Linux rootkits and backdoors. ClamAV and Linux Malware Detect focus more on backdoors (e.g. PHP) and generic malware, including samples used on Windows. Combining them will give you the most chance to detect any trace of malware.

B. About Lynis (auditing tool)

Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.
More info about Lynis

C. Install  Lynis

This applies to systems running YUM, including CentOS, Fedora, Red Hat Enterprise Linux (RHEL).
[root@www ~]# yum install lynis
Systems running Debian, Linux Mint, Ubuntu or similar.
[root@www ~]# apt-get install lynis

D. Running Lynis

After install Lynis, next step is Running Lynis
To check Lynis informations you using
[root@www ~]# lynis update info
Lynis can run without any preconfiguration. Configuration and fine-tuning is possible though and will be covered in later sections. Now you can scan your system for rootkits by running::
[root@www ~]# lynis audit system
And wait until lynis scanning finished

Please wait, it will take a long time depending on the system to be scanned

And at the end, it will show you a summary of the scan :

E.  Run Lynis Automatically

And to run Lynis automatically, we nedd to create a cron job like this:
[root@www ~]# nano /etc/crontab
And then add this line in /etc/crontab :
0 2 * * * lynis --quick 2>&1 | mail -s "Lynis Result Scan of Server" youremail@yourdomain.com
And then save and exit with type ctrl+x and type Y, and restart crond.
[root@www ~]# /etc/init.d/crond restart
That mean, every 2:00 AM the script runs automatically to scan and send a report to your email.

Note : About Option
--quick -Q Don't wait for user input, except on errors
and for more info about Option or Command in Lynis you can type lynis -h to help
[root@www ~]# lynis -h

F. Logs Checking

[root@www ~]# tail -f /var/log/lynis.log
[root@www ~]# cat /var/log/lynis-report.dat

Similar Preventive :

Install Advanced Policy Firewall In Linux
Install Linux Malware Detect (LMD) with ClamAV Centos 6.7
Tutorial Install mod_evasive In Centos
Tutorial Install RkHunter in Linux