7.4.6 Scan For Vulnerabilities On A Linux Server

7.4.6 Scan for Vulnerabilities on a Linux Server

Vulnerability scanning is a foundational practice for maintaining the security posture of any Linux‑based system. By systematically probing services, configurations, and installed packages, administrators can uncover weaknesses before attackers exploit them. This guide walks through the entire process—from preparation to remediation—so you can conduct reliable scans on a Linux server and turn the findings into actionable security improvements.

Understanding Vulnerability Scanning

A vulnerability scan is an automated or semi‑automated assessment that compares the current state of a host against a database of known security issues. The scan typically checks for:

• Out‑of‑date software – missing patches or upgrades.
• Misconfigurations – insecure defaults, unnecessary services, or weak file permissions.
• Exposure of sensitive data – world‑readable logs, backup files, or credentials. * Potential attack vectors – open ports, weak authentication mechanisms, or vulnerable web applications.

Scanning does not guarantee that a system is invulnerable, but it dramatically reduces the attack surface by highlighting issues that can be patched or hardened.

Preparing the Linux Server Before launching any scanner, take a few preparatory steps to ensure accurate results and avoid unintended disruption.

1. Update the package manager

   sudo apt update && sudo apt upgrade -y   # Debian/Ubuntu
   sudo yum update -y                       # RHEL/CentOS/Fedora   sudo dnf upgrade -y                      # newer Fedora/RHEL
   

   An up‑to‑date baseline prevents the scanner from flagging issues that are already resolved.

2. Create a dedicated scan user (optional but recommended)

   sudo adduser --system --group vulnscan
   sudo usermod -aG sudo vulnscan
   

   This limits the privileges the scanner runs under and simplifies auditing.

3. Ensure time synchronization

   sudo timedatectl set-ntp true
   

   Accurate timestamps help correlate scan logs with other system events.

4. Backup critical configuration files
   Copy /etc/ssh/sshd_config, /etc/sudoers, and any custom service configs to a safe location before scanning, in case a test inadvertently changes a setting.

5. Verify network connectivity
   Confirm that the scanner can reach the target on the intended interfaces (usually localhost or a private IP). Use ping or nc -zv to test port reachability.

Choosing the Right Scanning Tool

Several open‑source and commercial tools excel at Linux vulnerability assessment. The choice depends on depth, reporting needs, and resource constraints.

For most administrators seeking a balance of depth and cost, Lynis for configuration auditing combined with OpenVAS for service‑level vulnerability detection provides a solid foundation.

Performing a Basic Scan with Lynis

Lynis is ideal for a first pass because it installs quickly, needs no daemon, and produces a clear hardening index.

Installation

# Debian/Ubuntu
sudo apt install lynis -y

# RHEL/CentOS
sudo yum install epel-release -y
sudo yum install lynis -y

Running the Scan

sudo lynis audit system

Lynis will:

• Examine boot loaders, kernel parameters, and loaded modules.
• Check SSH, FTP, and other daemon configurations.
• Review file permissions, user accounts, and sudoers rules. * Test for the presence of security tools (AppArmor, SELinux, firewalls). * Generate a report at /var/log/lynis.log and a summary on screen.

Interpreting the Output

Look for sections marked [WARNING] or [SUGGESTION]. Each entry includes:

• Test ID – e.g., TEST:SSH-7412.
• Description – what was checked.
• Finding – the observed condition.
• Recommendation – steps to remediate.

The final Hardening Index (0‑100) gives a quick gauge; aim for >80 after addressing high‑priority items.

Advanced Scanning with OpenVAS

OpenVAS (part of Greenbone Security Manager) performs network‑based checks against thousands of Network Vulnerability Tests (NVTs). It can run credentialed scans to inspect local packages, making it powerful for Linux servers.

Installation (Debian/Ubuntu example)

sudo apt update
sudo apt install -y gvm gvm-libs gvmd gsad openvas
sudo gvm-setup
sudo gvm-start

The setup script creates a default admin user; note the generated password.

Accessing the Web Interface

Open a browser to https://<server-ip>:9392 and log in with the admin credentials. The dashboard presents scan management, results, and asset groups.

Configuring a Target

1. Navigate to Configuration → Targets → New Target. 2. Enter a name (e.g., “Web‑Server‑01”).
2. Set the Hosts field to the server’s IP or hostname.
3. Under Credentials, add an SSH credential if you want authenticated checks (requires the scan user’s password or SSH key).
4. Save the target.

Creating a Scan Task

1. Go to Scans → Tasks → New Task.
2. Choose the target you just created.
3. Select a scan config:
   • Full and Fast – good balance of speed and depth.
   • Full and Very Deep – exhaustive, longer runtime.
   • Discovery – only identifies live hosts and open ports.
4. Adjust the Schedule if you want recurring scans (daily, weekly).
5. Launch the task.

Reviewing Results

When the scan finishes, open the task’s report. Findings are grouped by severity:

• Critical – remote code execution, privilege escalation.
• High – serious flaws that could lead to compromise.
• Medium – weaknesses that may aid an attacker.
• Low – informational

Leveraging OpenVAS Findings: FromScans to Remediation

While Lynis provides deep, host-based security insights, OpenVAS excels at identifying network-facing vulnerabilities and package-level issues. The severity classifications in OpenVAS reports (Critical, High, Medium, Low) are crucial for prioritization. Treat these findings as Lynis's external counterpart, offering a broader attack surface perspective.

Prioritizing and Remediating OpenVAS Results:

1. Critical & High Severity First: Focus remediation efforts on these findings immediately. They represent the highest risk of exploitation. For example:

   • CVE-2024-12345 (High): A known buffer overflow in a web server package. Patch the package immediately (sudo apt update && sudo apt upgrade or similar).
   • Unpatched Kernel Vulnerability (Critical): This requires urgent kernel patching (sudo apt update && sudo apt install linux-generic or similar, followed by reboot).
   • Weak SSH Configuration (High): Adjust sshd_config (e.g., disable root login, enforce strong ciphers) and restart SSH (sudo systemctl restart sshd).

2. Medium Severity: Address these systematically. They often represent configurations or vulnerabilities that, while less immediately critical, should be fixed for a hardened system. Examples include outdated software with known but less severe CVEs, or misconfigurations that could aid lateral movement.

3. Low Severity & Informational: Review these for completeness and potential indirect risks. They might indicate missing security features or outdated documentation.

Reporting and Integration:

The Greenbone Security Manager (GSM) web interface provides powerful reporting capabilities. Generate detailed PDF or HTML reports summarizing scan findings, severity breakdowns, and remediation recommendations. These reports can be integrated into your security documentation, compliance audits, or shared with stakeholders.

Automation and Scheduling:

Leverage the scheduling feature in GSM to run regular OpenVAS scans (e.g., weekly). Configure email notifications for critical findings to ensure rapid response. Integrate scan results with your configuration management system (e.g., Ansible) to track remediation progress.

Conclusion

Combining Lynis and OpenVAS creates a robust security posture for Linux servers. Lynis offers deep, host-centric insights into configuration hardening and local security controls, while OpenVAS provides critical external vulnerability scanning and package auditing. By systematically prioritizing and remediating findings from both tools, interpreting their outputs effectively, utilizing the reporting features of Greenbone Security Manager, and implementing automated scanning, you establish a proactive and continuous security monitoring and improvement cycle. This integrated approach ensures vulnerabilities are identified early, whether they originate from internal misconfigurations or external exploits, significantly enhancing the overall security resilience of your server infrastructure.