
Lynis – Security Auditing Tool for Linux, MacOS, and Unix-Based Systems - cedricbonhomme
https://github.com/CISOfy/lynis
======
fizzbatter
On this note, i wonder if automated tools like this will become more
commonplace. I know next to nothing about security[1], but i'd love for there
to be some sort of self-updating simple service i can run that constantly
updates and checks my router, home servers, IoT devices, all ports, etc. for
known exploits.

Surely a lot of this stuff can be automated. The simpler the tool the better -
a single binary would be great. Is this a pipe dream?

 _edit_ : I feel like part of the problem would be shipping all the exploits.
Legal matters aside, it would at the very least mean having to code exploits
for thousands/millions of things. Though, perhaps a pluggable/linkable
framework for this security could be a sort of proof of work. Ie, whitehats
could publish the exploits by writing the plugin.

 _edit2_ : I'm aware that this tool is _sort_ of what i'm talking about, but
this mainly focuses on a single unix machine, right? Nor does it support
windows. I wonder why we can't just make this ultimately simple? Ie, single
binary?

[1]: Well, i know enough to know how little i know.. which is nearly nothing
heh.

~~~
ghostly_s
Constant monitoring for known exploits? Aren't you just describing an
antivirus?

~~~
Karunamon
More like a vulnerability scanner. Signature based antivirus apps are mostly
useless nowadays, but being able to tell me I'm running a broken version of
OpenSSL is very useful.

~~~
typicalrunt
Threatstack will do that. Their agent runs on your machine as a kernel mod and
will alert you to any libs being used (e.g. openssl, libcurl) whose version
matches a known CVE.

------
tbrock
This has been posted once before, it's cool.

Do people actually use it though?

~~~
big_youth
Yes, I'm a security consultant and we often run this on client machines during
security tests. It provides a nice assessment of the machine.

~~~
Skunkleton
I am a total security novice, but I do have a Linux VPS that I host some low
importance stuff on. Would running a tool like this be appropriate?

~~~
AtheistOfFail
Think about the headache of remaking the VPS from scratch, rehosting
everything on it and having to reset any password that is shared with another
environment.

Also consider the cost of dealing with the data falling into the wrong hands.
Even data that is not personal can hurt you financially in the long-term.

The cost of running security tools is minimal when you take it all into
account.

~~~
Skunkleton
I guess I wasn't clear. I know I should be doing some sort of security
testing, I am just curious if this tool is appropriate.

------
djschnei
What would be the difference between something like this and say using puppet
to apply and manage CIS requirements?

~~~
antoncohen
I think that is a good point. If you can codify your security checks, there is
a good chance you can write automation to fix them with configuration
management.

I think there may be some cases where you don't feel comfortable automating
the full remediation, e.g., requires reboot, so a separate audit system might be
useful. There is also something nice about writing your audit rules, being
able to show auditors "this is what we check for", and then running that
across your infrastructure. In that case InSpec
([http://inspec.io/](http://inspec.io/)) might be more useful for writing
custom compliance controls.

It would be nice if there was a $CONFIG_MANAGEMENT_SYSTEM_OF_CHOICE module
that did common security fixes, and you could just pick and choose which to
apply.

On a side note: Holy ^&$% Lynis has a lot of shell! Like a crazy amount of
POSIX shell code!
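
As an added illustration of the "codify your checks, keep audit separate from remediation" point made in the comment above, here is a small Lynis-style audit written in POSIX shell. It is example code written for this thread, not code from Lynis or from InSpec: it reads an sshd_config file, prints OK/WARN findings for a few hardening keywords, and changes nothing. The sample config it audits is constructed inline; the keyword list and the "expected" values are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Lynis code): a small Lynis-style audit in POSIX shell.
# It reads an sshd_config file, reports findings, and changes nothing, so the
# audit stays separate from any remediation done by configuration management.

# Print the effective value of an sshd_config keyword. sshd uses the first
# non-comment occurrence and keywords are case-insensitive; prints nothing
# if the keyword is not set in the file.
sshd_setting() {
    # $1 = config file, $2 = keyword
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# One audit rule: require an explicit, hardened value and print OK or WARN.
# An absent keyword is reported as a finding in its own right, because the
# effective default then depends on the OpenSSH version rather than on policy.
check_setting() {
    # $1 = config file, $2 = keyword, $3 = expected value
    value=$(sshd_setting "$1" "$2")
    if [ "$value" = "$3" ]; then
        printf 'OK   %s=%s\n' "$2" "$value"
    else
        printf 'WARN %s=%s (expected %s)\n' "$2" "${value:-unset}" "$3"
    fi
}

# The rule set (assumed for this example): run every check so the report is
# complete, instead of stopping at the first finding.
audit_sshd() {
    check_setting "$1" PermitRootLogin no
    check_setting "$1" PasswordAuthentication no
    check_setting "$1" X11Forwarding no
}

# Number of WARN lines for a file; 0 means the file passes every rule.
warning_count() {
    audit_sshd "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Constructed sample config for the demo; not taken from any real host.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd "$sample"
echo "warnings: $(warning_count "$sample")"
rm -f "$sample"
```

On the constructed sample this reports two warnings (root login explicitly allowed, password authentication only present as a comment) and one pass. The script only parses the one file it is given: it does not follow `Include` directives or evaluate `Match` blocks, so on a real host the values to compare against are the ones `sshd -T` prints as the effective configuration.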

------
jazoom
This is awesome. Thanks.

