Installing Lynis on Ubuntu 16.04 notes


Are you security auditing on Ubuntu 16.04? If not, you should be. One great tool to have in your arsenal is Lynis security auditing. Yes, this is completely redundant with OSSEC/Wazuh and third-party CloudTrail audits, but there is no harm in triple checking.

Why the paranoia? Because you can’t completely rely on any one system imho, so human spot checks, particularly on your endpoints (or honeypots #heh), are an essential part of the process. Plus at AWS you can create a temp “hot” AMI and tear the thing apart while it is in an ACL/Security Group cage, and then delete it without an attacker ever knowing.

Regarding Lynis security auditing, the Ubuntu apt package for Lynis (e.g. apt install) is still on version 2.1 and the current version is 2.6. First off, 2.6 is much faster. Second, it gives a lot fewer false positives on Ubuntu 16.04.

My notes from:

# auditing - posts age, CHECK THE LINK ABOVE
sudo su
apt install lynis
wget -O - | sudo apt-key add -
apt install apt-transport-https
echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations
echo "deb xenial main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
apt update
apt upgrade
lynis show version

Again – check your version! Note I specified xenial in my notes, because that particular server is on xenial. You might not be. Read the Lynis docs. And happy auditing!
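A check for the "check your version" advice above, as an added example that is not part of the original notes: it reads `apt-cache policy lynis` output and reports whether apt still only sees the old 2.1 build or the newer one is merely waiting on `apt upgrade`. The 2.6.0 floor, the sample version strings and the repository URL are assumptions or placeholders; only "2.1" and "2.6" come from the post.

```shell
#!/bin/sh
# Added example, not from the original notes. Needs a sort with -V (GNU coreutils).
MIN_LYNIS="2.6.0"   # assumption: floor taken from the "2.6" quoted in the post

# version_ge A B: succeeds when dotted version A >= B
version_ge() {
    case $1 in [0-9]*) ;; *) return 1 ;; esac      # "(none)" or empty never passes
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# upstream_version 1:2.6.2-100 -> 2.6.2 (drops Debian epoch and revision)
upstream_version() {
    uv=${1#*:}
    printf '%s\n' "${uv%%-*}"
}

# policy_field NAME: value of the "Installed" or "Candidate" line on stdin
policy_field() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# check_lynis_policy: reads `apt-cache policy lynis` output on stdin, prints
# repo-missing | not-installed | upgrade-pending | ok
check_lynis_policy() {
    clp_out=$(cat)
    clp_inst=$(printf '%s\n' "$clp_out" | policy_field Installed)
    clp_cand=$(printf '%s\n' "$clp_out" | policy_field Candidate)
    if ! version_ge "$(upstream_version "$clp_cand")" "$MIN_LYNIS"; then
        echo repo-missing       # apt only sees the old distro build
    elif [ "$clp_inst" = "(none)" ]; then
        echo not-installed
    elif ! version_ge "$(upstream_version "$clp_inst")" "$MIN_LYNIS"; then
        echo upgrade-pending    # new repo is visible, apt upgrade not run yet
    else
        echo ok
    fi
}

# Constructed sample: the state right after `apt update` in the notes above.
# Version strings and the repository URL are placeholders, not real values.
sample_after_update() {
    cat <<'EOF'
lynis:
  Installed: 2.1.1-1
  Candidate: 2.6.2-100
  Version table:
     2.6.2-100 500
        500 https://repo.example.invalid/lynis xenial/main amd64 Packages
 *** 2.1.1-1 500
        100 /var/lib/dpkg/status
EOF
}
# On a real host: apt-cache policy lynis | check_lynis_policy
```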

Upgrade Linux kernel on Ubuntu 14.04.3 to Mainline v4.3.4-wily


Upgrade Ubuntu 14.04 LTS to the newest kernel, just in case you want to play with later versions of Docker or systemd on an LTS release.


Step 1 – First check “” to find out the current mainline kernel. As I type this it is 4.3.4 but you may not want to copy and paste these as it has probably changed by the time you read this. It is software, right?

sudo su
mkdir -p /home/ubuntu/kernels
cd /home/ubuntu/kernels/

sudo dpkg -i linux-headers-4.3.4*.deb linux-image-4.3.4*.deb
sudo reboot

NOTE: I have hit an error on this upgrade several times similar to this:

Errors were encountered while processing:

The fix was to run these

apt-get -f install
apt-get autoremove

Next you MUST REBOOT.  Then log back in and check what kernel you are running

uname -a

# from that you get a long string and in the string you should see something like this:


Keep googling for more, or duckduckgo-ing. My biggest advice would be to create a throw-away VM in the cloud to test this stuff. VMWare isn’t great for networking by “sox” imho.


RIP Ian Murdock – you will be remembered

RIP Ian Murdock, founder of Debian Linux which is what powers Tendenci. Without his work in the Open Source Community there could be no Tendenci Membership Software. This is a sad way to end 2015, but I would like to think Ian would want us to continue to invent and create greater freedom and transparency in the world.

I am not good at wording such a tragedy so I will leave you with the respectful post on the Debian project blog and links to some news stories on the topic.


ImageMagick and Redmine on Ubuntu 12.04 LTS

Notes from the dungeon: ImageMagick and Redmine 2014-03-23

# abbreviated notes on installing redmine gems with imagemagick on ubuntu 12.04
# some of the following notes came from
# which is an open source library for subsurface exploration like “magma” (yes, I said “magma”)

sudo su
cd /tmp
tar zxvf libpng-1.6.10.tar.gz
cd libpng-1.6.10
./configure --prefix=/usr/local
make install

# ImageMagick still doesn’t install the gem. Found this on StackOverflow but lost the link:

apt-get install graphicsmagick-libmagick-dev-compat

/rant/ – global variables like PATH are needed. Windows has the registry. In this case, for ImageMagick to work with PNGs we need to tell it the home, globally defined as PNG_DIR. There are several ways to do this in unix and in Ubuntu/Debian. I personally don’t like variables stuck in .bashrc if the variables are really user specific. The .bashrc for your profile is NOT global. And skeleton profile files for unix named user profiles are a one-time thing that you can’t update for everyone globally later once their profile is created. GLOBAL_VARS in .profile or .bashrc make your life (specifically yours, the network admin’s) convenient. But it’s not all about us. .bashrc variables or custom entries in /etc/hosts suck. Magical profile-specific path variables break the Python rule of “no magic”, which means that in every other way they completely suxor. Let’s be honest – it just tempts you to run applications as root, right? None of us have ever seen that. HmmmmHMMMM? /end-rant/

Better option: profile.d applies to all bash prompts as well as any GUI that gets launched so it is currently my preferred method. (note “preferred methods” for me frequently last either 48 hours or 20 years, one or the other. Educate me if you have a better way.)

In this case we need to specify one variable only. But it will expand, so let’s do it the right way. We’ll make a .sh file in /etc/profile.d. In practice I usually put these with my project without execute rights and then symlink them into the /etc/profile.d/ folder with “chmod +x” etc…. But to keep it simple – let’s just make our shell script as follows.

cd /etc/profile.d
sudo touch
chmod 755
sudo nano
# for bash put this in the script file
export PNG_DIR=/usr/local

# exit. or call it manually with “source /etc/profile.d/”
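The profile.d step above, as an added example that is not part of the original notes: it writes the one-line export atomically, checks that the variable resolves when the file is sourced, and lists any snippet in the directory that group or others can write to. On Debian and Ubuntu, /etc/profile sources the readable `*.sh` files in /etc/profile.d rather than executing them, so mode 644 is enough. The function names and the file name in the usage comment are hypothetical, since the notes do not name the script.

```shell
#!/bin/sh
# Added example, not from the original notes.

# write_profile_var DIR FILE NAME VALUE
# DIR is /etc/profile.d on a real host (run as root there).
write_profile_var() {
    wpv_dir=$1 wpv_file=$2 wpv_name=$3 wpv_value=$4
    # The file is sourced by every login shell, so accept only a plain
    # identifier and a path-like value: nothing the shell could expand.
    case $wpv_name in ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;; esac
    case $wpv_value in ''|*[!A-Za-z0-9_./:-]*) return 2 ;; esac
    case $wpv_file in */*) return 2 ;; *.sh) ;; *) return 2 ;; esac
    # Write to a temp file in the same directory, then rename into place.
    wpv_tmp=$(mktemp "$wpv_dir/.tmp.XXXXXX") || return 1
    printf 'export %s=%s\n' "$wpv_name" "$wpv_value" > "$wpv_tmp"
    chmod 644 "$wpv_tmp"          # sourced, not executed: no +x needed
    mv "$wpv_tmp" "$wpv_dir/$wpv_file"
}

# read_profile_var PATH NAME: value of NAME after sourcing PATH in a subshell.
# NAME must already be a validated identifier (it is passed to eval).
read_profile_var() {
    ( unset "$2"; . "$1" && eval "printf '%s\n' \"\${$2}\"" )
}

# loose_snippets DIR: snippets that group or others can write to. Anything
# listed here can inject commands into every user's login shell.
loose_snippets() {
    find "$1" -maxdepth 1 -type f -name '*.sh' \( -perm -020 -o -perm -002 \)
}

# Usage on a real host (file name is hypothetical):
#   write_profile_var /etc/profile.d png-dir.sh PNG_DIR /usr/local
#   read_profile_var /etc/profile.d/png-dir.sh PNG_DIR
#   loose_snippets /etc/profile.d
```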

PROGRESS? Let’s check it.

http://your-domain-name-for-redmine/admin/info

NOoooooOOOOOoooo… Alas I still get a fail when I refresh the redmine page on the availability of ImageMagick. Major FAIL. I read a bunch more as it still didn’t work. Found this command and it executes properly.

sudo apt-get install libmagickwand-dev

# but did it work? Hmmmm.

bundle install --without test development

# still no

# Then tried this:

sudo apt-get install imagemagick libmagickwand-dev ruby-rmagick

# restarted

root@redmine:/var/data/redmine# touch tmp/restart.txt

