SOP: Automating Security Audits with Lynis on GhostBSD
Objective:
Establish a consistent and automated security audit process using Lynis to identify hardening opportunities and maintain system integrity.
Prerequisites:
- GhostBSD with superuser access
- Internet access for package installation
- mail configured (optional, for report delivery)
Step 1: Install Lynis
Run the following command: sudo pkg install lynis
Step 2: Create a Report Directory
Create a dedicated location for storing audit logs:
sudo mkdir -p /var/log/lynis
sudo chown root:wheel /var/log/lynis
Step 3: Create the Audit Script
Save the script below as /usr/local/bin/lynis-scan.sh:
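#!/bin/sh
# Timestamped file name, one report per run
DATE=$(date +"%Y-%m-%d_%H-%M")
REPORT="/var/log/lynis/lynis_report_$DATE.txt"
# --cronjob runs without colors or prompts and keeps the screen output;
# --quiet would suppress that output and leave the report file empty
/usr/local/bin/lynis audit system --cronjob > "$REPORT"
echo "Lynis scan complete. Report saved to $REPORT"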
Make it executable: sudo chmod +x /usr/local/bin/lynis-scan.sh
Step 4: Automate the Scan with Cron
Edit the root user’s crontab: sudo crontab -e
Add this line to run weekly on Sundays at 3:15 AM:
15 3 * * 0 /usr/local/bin/lynis-scan.sh
Step 5: Review the Report
Each report includes:
- Hardening Index
- Warnings and suggestions
- Audited components (kernel, file permissions, services, users, etc.)
To view suggestions only: sudo lynis show suggestions
Step 6: Take Action
Regularly apply the recommendations from:
- /var/log/lynis/lynis_report_<date>.txt
- lynis show suggestions
Update pkg, secure services, limit users, and review firewall and logging practices as needed.
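Added example (not part of the original SOP): a trend check for Steps 5 and 6 that compares the hardening index of the two newest saved reports and flags a drop or an unreadable report. The function names, the sample dates and the assumed "Hardening index : NN" line format of the Lynis screen output are assumptions of this example.

```sh
#!/bin/sh
# Added example (not part of the SOP): trend check over saved Lynis reports.
# Assumption: each report holds Lynis screen output, including a line such as
#   "  Hardening index : 67 [#############       ]"

# Print the hardening index from one report; fail if the line is missing
# (empty or truncated report).
hardening_index() {
    idx=$(sed -n 's/^[[:space:]]*Hardening index[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$idx" ] || return 1
    printf '%s\n' "$idx"
}

# Compare the two newest reports in directory $1.
# Prints "ok PREV CURR", "regressed PREV CURR" or "incomplete".
check_trend() {
    # File names embed YYYY-MM-DD_HH-MM, so lexical order is chronological.
    set -- $(ls "$1"/lynis_report_*.txt 2>/dev/null | sort | tail -n 2)
    [ $# -eq 2 ] || { echo "incomplete"; return 2; }
    prev=$(hardening_index "$1") || { echo "incomplete"; return 2; }
    curr=$(hardening_index "$2") || { echo "incomplete"; return 2; }
    if [ "$curr" -lt "$prev" ]; then
        echo "regressed $prev $curr"; return 1
    fi
    echo "ok $prev $curr"
}

# Constructed sample reports (not real scan output) to exercise the check.
make_samples() {
    d=$(mktemp -d)
    printf '  Hardening index : 71 [##############      ]\n' > "$d/lynis_report_2025-01-05_03-15.txt"
    printf '  Hardening index : 64 [############        ]\n' > "$d/lynis_report_2025-01-12_03-15.txt"
    echo "$d"
}

SAMPLES=$(make_samples)
check_trend "$SAMPLES" || echo "review the newest report in $SAMPLES"
```

Pointing check_trend at /var/log/lynis after each weekly run gives a non-zero exit status whenever the score drops or the newest report cannot be parsed.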