NULL BYTE
LOCKING DOWN LINUX
You've protected your Ubuntu system from physical attacks, annoyed network hackers, and
sandboxed potentially malicious applications. Great! Now, the next logical steps to locking
down your OS include thoroughly auditing Ubuntu for weak points, using antivirus software
that respects your privacy, and monitoring system logs like a boss.
This is the final part of our mini-series on strengthening your primary Ubuntu system. You'll
learn about hardening weak points in the OS using a well-respected, open-source auditing tool.
Besides that, we'll check out ClamAV, an antivirus software that won't send your sensitive files
to for-profit company servers. You'll also see how to allow or deny web access for all the apps
on your computer. And when I say "monitoring system logs like a boss," I'm talking about the
/var/log/ directory.
If you missed the beginning of this article series, you should check out the first part to learn
more about my motivations for starting this four-part guide.
Lock Down Your Ubuntu System to Protect It from Being Hacked [Tutorial]
Step 1
Downloading Lynis
Lynis is available on GitHub and can be downloaded using the sudo wget
'github.com/CISOfy/lynis/archive/master.zip' command, as seen here:
---- https://github.com/CISOfy/lynis/archive/master.zip
Resolving github.com (github.com)... 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-4-auditing-antivirus-moni… 2/23
26/07/2023, 17:23 Locking Down Linux: Using Ubuntu as Your Primary OS, Part 4 (Auditing, Antivirus & Monitoring) « Null Byte…
master.zip 100%[========================================
I'm using sudo for the following Lynis commands because the tool and its directories require
privileged access to certain areas of the Ubuntu operating system to properly audit everything.
Normally, it's unsafe to store and use binaries and applications in this way, but we'll be
deleting Lynis immediately after using it.
Decompressing the Download
With the Lynis ZIP downloaded, use sudo unzip master.zip to decompress the archive.
Archive: master.zip
6e0ac57b68bfd39dd7d464e93ec85203ee683313
creating: lynis-master/
extracting: lynis-master/.gitignore
inflating: lynis-master/.travis.yml
inflating: lynis-master/CHANGELOG.md
inflating: lynis-master/CODE_OF_CONDUCT.md
inflating: lynis-master/CONTRIBUTING.md
inflating: lynis-master/CONTRIBUTORS.md
inflating: lynis-master/FAQ
inflating: lynis-master/INSTALL
inflating: lynis-master/LICENSE
inflating: lynis-master/README
inflating: lynis-master/README.md
creating: lynis-master/db/
inflating: lynis-master/db/fileperms.db
inflating: lynis-master/db/hints.db
extracting: lynis-master/db/integrity.db
creating: lynis-master/db/languages/
inflating: lynis-master/db/languages/az
linking: lynis-master/db/languages/br -> pt
inflating: lynis-master/db/languages/cn
inflating: lynis-master/db/languages/de
inflating: lynis-master/db/languages/en
linking: lynis-master/db/languages/en-GB -> en
linking: lynis-master/db/languages/en-US -> en
inflating: lynis-master/db/languages/es
inflating: lynis-master/db/languages/fi
inflating: lynis-master/db/languages/fr
inflating: lynis-master/db/languages/gr
inflating: lynis-master/db/languages/he
inflating: lynis-master/db/languages/hu
inflating: lynis-master/db/languages/it
inflating: lynis-master/db/languages/ja
inflating: lynis-master/db/languages/nb-NO
inflating: lynis-master/db/languages/nl
linking: lynis-master/db/languages/nl-BE -> nl
linking: lynis-master/db/languages/nl-NL -> nl
inflating: lynis-master/db/languages/pl
inflating: lynis-master/db/languages/pt
inflating: lynis-master/db/languages/ru
inflating: lynis-master/db/languages/se
inflating: lynis-master/db/languages/tr
inflating: lynis-master/db/malware-susp.db
inflating: lynis-master/db/malware.db
extracting: lynis-master/db/sbl.db
inflating: lynis-master/db/tests.db
inflating: lynis-master/default.prf
inflating: lynis-master/developer.prf
creating: lynis-master/extras/
inflating: lynis-master/extras/README
creating: lynis-master/extras/bash_completion.d/
inflating: lynis-master/extras/bash_completion.d/lynis
inflating: lynis-master/extras/build-lynis.sh
inflating: lynis-master/extras/check-lynis.sh
inflating: lynis-master/extras/files.dat
inflating: lynis-master/extras/lynis.spec
creating: lynis-master/extras/openbsd/
inflating: lynis-master/extras/openbsd/+CONTENTS
creating: lynis-master/extras/systemd/
inflating: lynis-master/extras/systemd/lynis.service
inflating: lynis-master/extras/systemd/lynis.timer
creating: lynis-master/extras/travis-ci/
extracting: lynis-master/extras/travis-ci/before_script.sh
creating: lynis-master/include/
inflating: lynis-master/include/binaries
inflating: lynis-master/include/consts
inflating: lynis-master/include/data_upload
inflating: lynis-master/include/functions
inflating: lynis-master/include/helper_audit_dockerfile
inflating: lynis-master/include/helper_configure
inflating: lynis-master/include/helper_show
inflating: lynis-master/include/helper_system_remote_scan
inflating: lynis-master/include/helper_update
inflating: lynis-master/include/osdetection
inflating: lynis-master/include/parameters
inflating: lynis-master/include/profiles
inflating: lynis-master/include/report
inflating: lynis-master/include/tests_accounting
inflating: lynis-master/include/tests_authentication
inflating: lynis-master/include/tests_banners
inflating: lynis-master/include/tests_boot_services
inflating: lynis-master/include/tests_containers
inflating: lynis-master/include/tests_crypto
inflating: lynis-master/include/tests_custom.template
inflating: lynis-master/include/tests_databases
inflating: lynis-master/include/tests_dns
inflating: lynis-master/include/tests_file_integrity
inflating: lynis-master/include/tests_file_permissions
inflating: lynis-master/include/tests_filesystems
inflating: lynis-master/include/tests_firewalls
inflating: lynis-master/include/tests_hardening
inflating: lynis-master/include/tests_homedirs
inflating: lynis-master/include/tests_insecure_services
inflating: lynis-master/include/tests_kernel
inflating: lynis-master/include/tests_kernel_hardening
inflating: lynis-master/include/tests_ldap
inflating: lynis-master/include/tests_logging
inflating: lynis-master/include/tests_mac_frameworks
inflating: lynis-master/include/tests_mail_messaging
inflating: lynis-master/include/tests_malware
inflating: lynis-master/include/tests_memory_processes
inflating: lynis-master/include/tests_nameservices
inflating: lynis-master/include/tests_networking
inflating: lynis-master/include/tests_php
inflating: lynis-master/include/tests_ports_packages
inflating: lynis-master/include/tests_printers_spools
inflating: lynis-master/include/tests_scheduling
inflating: lynis-master/include/tests_shells
inflating: lynis-master/include/tests_snmp
inflating: lynis-master/include/tests_squid
inflating: lynis-master/include/tests_ssh
inflating: lynis-master/include/tests_storage
inflating: lynis-master/include/tests_storage_nfs
inflating: lynis-master/include/tests_system_integrity
inflating: lynis-master/include/tests_time
inflating: lynis-master/include/tests_tooling
inflating: lynis-master/include/tests_usb
inflating: lynis-master/include/tests_virtualization
inflating: lynis-master/include/tests_webservers
inflating: lynis-master/include/tool_tips
inflating: lynis-master/lynis
inflating: lynis-master/lynis.8
creating: lynis-master/plugins/
inflating: lynis-master/plugins/README
inflating: lynis-master/plugins/custom_plugin.template
inflating: lynis-master/plugins/plugin_pam_phase1
inflating: lynis-master/plugins/plugin_systemd_phase1
finishing deferred symbolic links:
lynis-master/db/languages/br -> pt
lynis-master/db/languages/en-GB -> en
lynis-master/db/languages/en-US -> en
lynis-master/db/languages/nl-BE -> nl
lynis-master/db/languages/nl-NL -> nl
~$ cd lynis-master
The Lynis binary should already have permissions to execute on your machine, but in case it
doesn't, use the sudo chmod +x lynis command.
Running Lynis
To test Lynis and view the available options, use the help (-h) command, i.e., sudo ./lynis -h.
[ Lynis 2.6.5 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
Command:
audit
audit system : Perform local security scan
audit system remote <host> : Remote security scan
audit dockerfile <file> : Analyze Dockerfile
show
show : Show all commands
show version : Show Lynis version
show help : Show help
update
update info : Show update details
Options:
Layout options
--no-colors : Don't use colors in output
--quiet (-q) : No output
Misc options
--debug : Debug logging to screen
--view-manpage (--man) : View man page
--verbose : Show more details on screen
--version (-V) : Display version number and quit
Enterprise options
--plugindir <path> : Define path of available plugins
--upload : Upload data to central node
More options available. Run './lynis show options', or use the man page.
To begin auditing the operating system, use the audit system arguments, i.e., sudo ./lynis
audit system.
[ Lynis 2.6.5 ]
---------------------------------------------------
Program version: 2.6.5
Operating system: Linux
Operating system name: Ubuntu Linux
Operating system version: 18.04
Kernel version: 4.15.0
Hardware platform: x86_64
Hostname: nullbyte
---------------------------------------------------
Profiles: /home/tokyoneon/Desktop/lynis-master/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: ./plugins
---------------------------------------------------
Auditor: [Not Specified]
Language: en
Test category: all
Test group: all
---------------------------------------------------
- Program update status... [ UNKNOWN ]
================================================================================
Great, no warnings
Suggestions (25):
----------------------------
* Set a password on GRUB bootloader to prevent altering boot configuration (e.
https://cisofy.com/controls/BOOT-5122/
* Install a PAM module for password strength testing like pam_cracklib or pam_
https://cisofy.com/controls/AUTH-9262/
* To decrease the impact of a full /home file system, place /home on a separat
https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /tmp file system, place /tmp on a separated
https://cisofy.com/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separated
https://cisofy.com/controls/FILE-6310/
* Disable drivers like USB storage when not used, to prevent unauthorized stora
https://cisofy.com/controls/STRG-1840/
* Install debsums utility for the verification of packages with known good data
https://cisofy.com/controls/PKGS-7370/
* Check iptables rules to see which rules are currently not used [FIRE-4513]
https://cisofy.com/controls/FIRE-4513/
* Check what deleted files are still in use and why. [LOGG-2190]
https://cisofy.com/controls/LOGG-2190/
* One or more sysctl values differ from the scan profile and could be tweaked
- Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysct
https://cisofy.com/controls/KRNL-6000/
* Harden the system by installing at least one malware scanner, to perform per
- Solution : Install a tool like rkhunter, chkrootkit, OSSEC
https://cisofy.com/controls/HRDN-7230/
================================================================================
Components:
- Firewall [V]
- Malware scanner [X]
Lynis Modules:
- Compliance Status [?]
- Security Audit [V]
- Vulnerability Scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
After performing over 200 tests, the Lynis output can get quite long. I've omitted most of the
log but kept the "Suggestions" portion. I think this is one of Lynis' greatest strengths. It offers
some helpful starting points for users interested in remediation. For example, Lynis
recommends we "Harden the system by installing at least one malware scanner." This can be
easily resolved by following the next step in this guide and installing antivirus software.
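The suggestions also land in the report file Lynis names at the top of its output (/var/log/lynis-report.dat), which is easier to track over time than the terminal scrollback. As an added example that is not from the article or the Lynis project, the following POSIX shell script reads findings back out of that file. It assumes the report's key=value layout with warning[]= and suggestion[]= entries; the embedded sample report is constructed, and the helper names (lynis_findings, lynis_count, lynis_hardening_index, lynis_gate) are mine.

```shell
#!/bin/sh
# Added example (not from the article or the Lynis project): read findings back
# out of the report file Lynis writes (/var/log/lynis-report.dat). The report is
# key=value text; each finding is one line of the form
#   warning[]=TEST-ID|text|details|solution|   or   suggestion[]=...
# Helper names are mine.

# Constructed sample report in that layout; the suggestion IDs and texts follow
# the audit output above, the warning line is made up for the demo.
SAMPLE_REPORT='report_version_major=1
report_version_minor=0
hardening_index=65
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB bootloader to prevent altering boot configuration|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner|-|Install a tool like rkhunter, chkrootkit, OSSEC|'

# Print "TEST-ID<TAB>text" for each finding of KIND (warning or suggestion); report on stdin.
lynis_findings() {
  kind="$1"
  awk -F'|' -v key="${kind}[]=" '
    index($0, key) == 1 {
      id = substr($1, length(key) + 1)
      printf "%s\t%s\n", id, $2
    }'
}

# Number of findings of KIND; report on stdin.
lynis_count() {
  lynis_findings "$1" | wc -l | tr -d ' '
}

# The 0-100 hardening index Lynis computes; report on stdin.
lynis_hardening_index() {
  awk -F'=' '$1 == "hardening_index" { print $2 }'
}

# Succeed only when the report on stdin has no warnings, so a cron job or CI
# step can fail loudly when one appears.
lynis_gate() {
  n=$(lynis_count warning)
  [ "$n" -eq 0 ]
}

# Offline demo; on a real machine:
#   sudo cat /var/log/lynis-report.dat | lynis_findings suggestion
printf '%s\n' "$SAMPLE_REPORT" | lynis_findings suggestion
printf 'hardening index: %s\n' "$(printf '%s\n' "$SAMPLE_REPORT" | lynis_hardening_index)"
if printf '%s\n' "$SAMPLE_REPORT" | lynis_gate; then
  echo "no warnings"
else
  echo "warnings present, review the report"
fi
```

The report file is root-owned, hence the sudo in the usage comment. A known-accepted finding (one you have deliberately chosen not to fix) is better silenced in the profile with the skip-test setting Lynis mentions in its own output than filtered out here, so the gate keeps meaning something.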
Step 2
Command-line scanner. This will allow users to quickly scan files downloaded from the
internet from any terminal window.
Advanced database updater. ClamAV's virus database will update multiple times per day
with support for scripted updates and digital signatures.
Support for many archive formats. The ClamAV scanner is capable of safely analyzing Zip,
RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS, and other file formats.
Support for popular document formats. MS Office, MacOffice, HTML, Flash, RTF, and
PDFs.
Unlike Avast, a popular antivirus company that regularly exports personal user documents to
Avast servers, ClamAV scans filesystems for malware signatures locally. That's really all it
does. It does not, by any means, provide bulletproof protection against highly sophisticated
attacks, just common malware signatures found in the wild.
It's been said that Linux operating systems don't need antivirus software. I mostly agree with
this statement. However, ClamAV is an excellent open-source project and may provide comfort
to users who prefer to know their OS is safely analyzed for malware several times a day.
Installing ClamAV
ClamAV is available in the Ubuntu repositories and can be installed using the sudo apt install
clamav command.
~$ clamscan --help
This is the scanner command in its simplest form. Clamscan will recursively (-r) scan
everything (/) and save the scan report (--log) to the /tmp directory. Running such a scan can
take a considerable amount of time, hours if you're scanning terabytes of data. It's
recommended to run such scans overnight and view the results in the morning.
Malware Detections
As a quick demo for this article, I downloaded a malware repository from GitHub and ran
clamscan against the directory containing the malware.
In my example command, I included the -i argument, which tells clamscan to print only files
detected by the scanner. We can see 17,195 files were scanned, 23 infections were detected,
and the process took 71 seconds to complete.
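For the overnight scans suggested above it helps to script clamscan rather than run it by hand, and the one thing a script needs to know is clamscan's exit status: 0 means nothing was found, 1 means at least one file was flagged, and 2 means the scanner hit an error. The following is an added example, not code from the article or the ClamAV project; it wraps a recursive scan with a log file and reads the -i output and the summary block back. The function names are mine and the embedded scan output is constructed.

```shell
#!/bin/sh
# Added example (not from the article or the ClamAV project): a small wrapper
# around clamscan for scripted (e.g. nightly) scans, plus helpers that read the
# scan output back. clamscan's documented exit codes are 0 (no virus found),
# 1 (virus(es) found) and 2 (some error occurred). Helper names are mine.

# Constructed sample of clamscan output as produced with -i (only flagged files
# are listed), followed by the summary block clamscan prints at the end.
SAMPLE_SCAN='/home/tokyoneon/samples/eicar.com: Eicar-Test-Signature FOUND
/home/tokyoneon/samples/dropper.exe: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned directories: 84
Scanned files: 17195
Infected files: 2
Time: 71.001 sec (1 m 11 s)'

# Map a clamscan exit status to a word a script can branch on.
clam_exit_status_text() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    2) echo error ;;
    *) echo unknown ;;
  esac
}

# Print the value of one summary field (e.g. "Infected files"); scan output on stdin.
clam_summary_value() {
  awk -F': ' -v field="$1" '$1 == field { print $2 }'
}

# Print only the paths flagged FOUND, with the signature name stripped; scan output on stdin.
clam_infected_paths() {
  sed -n 's/: [^:]* FOUND$//p'
}

# Recursively scan TARGET, write the report to LOG (default: a timestamped file
# under /tmp) and return clamscan's own exit status to the caller.
clam_scan() {
  target="$1"
  log="${2:-/tmp/clamscan-$(date +%Y%m%d-%H%M%S).log}"
  rc=0
  clamscan -r -i --log="$log" "$target" || rc=$?
  echo "scan of $target: $(clam_exit_status_text "$rc") (exit $rc); log: $log"
  if [ "$rc" -eq 1 ]; then
    echo "flagged files:"
    clam_infected_paths < "$log"
  fi
  return "$rc"
}

# Offline demo on the constructed sample. A real run would be, for example:
#   clam_scan /home/tokyoneon
printf '%s\n' "$SAMPLE_SCAN" | clam_infected_paths
printf 'infected: %s of %s files\n' \
  "$(printf '%s\n' "$SAMPLE_SCAN" | clam_summary_value 'Infected files')" \
  "$(printf '%s\n' "$SAMPLE_SCAN" | clam_summary_value 'Scanned files')"
```

Because clam_scan passes the exit status through, a cron entry can mail or alert on a non-zero result without parsing any text, and the log in /tmp keeps the flagged paths for the morning review the article recommends.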
Step 3
The OpenSnitch network statistics interface provides an overview of all of the previously
allowed and denied connections.
Unfortunately, that's about all the interface has to offer at the moment. Later releases of
OpenSnitch will no doubt contain more features and control over how this information is
managed. While OpenSnitch is still very much in its infancy, I decided to include it in this
article. Windows 10 users who are more comfortable with graphical applications (GUI) may
find OpenSnitch useful for monitoring traffic originating from installed applications.
Command-line enthusiasts with an interest in raw, unfiltered packet analysis may prefer using
Tshark to monitor traffic.
Installing Dependencies
Use the below command to install the dependencies required to run OpenSnitch.
Use go get to fetch and build the protoc-gen-go plugin from the Protocol Buffers repository.
This command will not produce any output in the terminal.
~$ go get github.com/golang/protobuf/protoc-gen-go
Then, use Python3's pip to install the gRPC tools and other dependencies.
Collecting grpcio-tools
Downloading https://files.pythonhosted.org/packages/fb/8f/fc0c7cf8a5ed2aea405a
~$ go get github.com/evilsocket/opensnitch
Update the Golang PATH in the terminal using the below command. This will allow future
terminal sessions to know where Go binaries and projects are stored.
Then, use the source command to update the current Golang PATH. This will allow the
preceding commands to execute properly.
~$ source ~/.bashrc
~$ make
Use the make install command with sudo to complete the installation.
Reboot for the changes to take effect. OpenSnitch can be found in the icon tray. Click the
"Statistics" button to bring up the user interface.
As applications attempt to access the internet, OpenSnitch will prompt you with the ability to
allow or deny the activity.
Step 4
To monitor logs in real time, use the find /var/log/ -type f \( -name "*.log" \) -exec tail -f
{} + command.
This command will find any file (-type f) with the .log extension (\( -name "*.log" \)) in the
/var/log directory and use tail to print updates in the files as they occur (-f). Each log file will
be introduced by an ASCII header (==> filename.log <==). Anyone looking to find abnormalities
on their system will find this useful.
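Watching the raw stream gets noisy fast, so the usual next step is to filter it down to the lines that deserve a second look. The script below is an added example that is not from the article: it keeps the article's find/tail pipeline but tracks the ==> file <== headers and prints only lines matching a list of known trouble signs (failed SSH logins, PAM authentication failures, sudo command records, kernel segfault and out-of-memory messages). The function names and the pattern list are mine, and the embedded tail output is constructed.

```shell
#!/bin/sh
# Added example (not from the article): follow every *.log under /var/log and
# surface only the lines worth a second look, instead of reading the raw stream.
# Function names and the pattern list are mine; the sample lines are constructed.

# Message fragments that commonly signal a problem (sshd, PAM, sudo and the
# kernel really emit these strings). Extend to taste.
ABNORMAL_PATTERN='Failed password|authentication failure|Invalid user|COMMAND=|segfault at|Out of memory'

# Constructed sample of what "tail -f" prints for two files: a "==> file <=="
# header, then that file's lines. 203.0.113.7 is a documentation address.
SAMPLE_TAIL='==> /var/log/auth.log <==
Jul 26 17:20:01 nullbyte CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 26 17:21:14 nullbyte sshd[2401]: Failed password for invalid user admin from 203.0.113.7 port 52214 ssh2
Jul 26 17:21:20 nullbyte sudo:  tokyoneon : TTY=pts/0 ; PWD=/home/tokyoneon ; USER=root ; COMMAND=/bin/ls /root
==> /var/log/kern.log <==
Jul 26 17:22:05 nullbyte kernel: [ 1234.567890] firefox[2555]: segfault at 0 ip 00007f3a1c2b4d5e sp 00007ffd1a2b3c4d error 4 in libxul.so[7f3a1c000000+5000000]
Jul 26 17:22:30 nullbyte kernel: [ 1259.000000] wlp2s0: associated'

# Read a multi-file tail stream on stdin; remember which file each block came
# from and print "file: line" for every line matching ABNORMAL_PATTERN.
flag_abnormal() {
  awk -v pat="$ABNORMAL_PATTERN" '
    /^==> .* <==$/ { file = substr($0, 5, length($0) - 8); next }
    $0 ~ pat       { printf "%s: %s\n", (file == "" ? "-" : file), $0 }'
}

# The live version of the article's command. Most files under /var/log are
# readable by root only, hence sudo; -n 0 skips existing content so only new
# entries appear.
watch_logs() {
  sudo find /var/log/ -type f -name "*.log" -exec tail -n 0 -f {} + | flag_abnormal
}

# Offline demo on the constructed stream (for a live run, call: watch_logs).
printf '%s\n' "$SAMPLE_TAIL" | flag_abnormal
```

On the sample stream this prints three lines: the failed SSH login and the sudo record from auth.log, and the segfault from kern.log; the cron session and the Wi-Fi association are dropped. Pipe watch_logs into a terminal you keep open, or into logger or a notification tool, and the pattern list becomes a very small host-based detection rule set.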
We've Barely Scratched the Surface!
That concludes our series on strengthening your primary Ubuntu system...for now.
As I stated at the start of this series, this guide isn't a complete or comprehensive approach to
securing a Linux system. There are many kernel-level modifications users can make to further
reduce Ubuntu's susceptibility to various attacks. We can also do more to secure the
bootloader, enforce better login password policies, secure shared memory, browse the internet
anonymously, and so much more.
Linux operating systems have incredible potential as a platform for security-focused users. I
encourage readers to download the Beginning Ubuntu for Windows and Mac Users and
Practical Linux Security Cookbook to gain a better understanding of the Ubuntu OS and its
inner workings.