Lessons learned developing Lynis, an open source security auditing tool


If you’ve been involved with information security for more than a decade, you’ve probably heard of Rootkit Hunter or rkhunter, a software whose primary goal is to discover malware and local exploits on Unix and Linux.

But Rootkit Hunter’s initiator and lead developer Michael Boelen later wanted to create something different, and so, in 2007, Lynis was born.

Lynis is an open source, host-based auditing tool for Unix-based systems. It unearths vulnerabilities and configuration errors, and provides tips for system hardening. It is written in shell script, requires no installation, and can be run from either a privileged or a non-privileged account. In other words, you can scan your systems and assess their security level in just a few minutes.

Development and recognition

When you’ve been developing a tool for several years, you’re bound to learn a few things along the way. Boelen shared the most important three:

1. Never underestimate the power of open source – By sharing your work as open source software, it becomes hard to track who is actually using it. This is surprisingly also a strength, as people can use it anonymously and share it easily with others.

2. Software development takes a lot of time – Creating a “simple” tool will take some time. The tricky part is in properly supporting it, resolving bugs, talking to people and keeping it up-to-date.

3. Development may provide great business opportunities – Development activities provide knowledge in specific areas and make you more valuable. You become passionate about a subject, willing to share the knowledge.

Michael Boelen in his office.

We live in very competitive times with tons of software titles available in every category. This means that merely developing a tool is not enough to grab people’s attention.

“The hardest part for each project is to be noticed by others. While it makes sense to build a great tool, promoting it should actually start from day one,” says Boelen. “Set up a Twitter account and build a mailing list. A software solution being open source does not mean the project will promote itself. These additional activities usually take more time than the actual development of new features.”

When I look back at conversations I’ve had with security developers and researchers at several events this year, one word stands out immediately: collaboration. The unabated enthusiasm I’ve seen at this year’s Black Hat Arsenal is increasingly spreading through the developer community.

Boelen’s attitude is no different: “When possible, team up with others. This is a great way to exchange information, get to learn new people and expand your network.” In fact, Lynis was recently added to GitHub, resulting in more people joining in the development process.

The future of Lynis

During seven years of development, Lynis has evolved significantly. While it was initially envisioned as a tool for discovering weak spots, a handful of additions can make it much more powerful. Boelen’s main future goal is for Lynis to become a true power tool for security professionals, and to see it installed on every Linux or Unix system.

“I want Lynis to support penetration testers during their security assessments. Other goals include compliance testing, forensics, malware detection and intrusion analysis. Each part will be modular, so you can instruct Lynis what its mission is,” says Boelen.

Lynis Enterprise modules.

This shift in focus means additional development is required. Since last year, this development has been entirely supported by Boelen’s company CISOfy, as Lynis became a core component of the Lynis Enterprise solution.

“With customers, we are able to build some new features into Lynis, to support these long-term goals and also to have the community enjoy a much better product than before,” says Boelen.