
Why

From https://cisofy.com/lynis/:
Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing.
Lynis provides an automated, comprehensive security audit that helps identify vulnerabilities, misconfigurations, and areas for improvement in your server’s security posture.

Goals

  • Lynis installed and ready to perform security audits
  • Regular security scans to identify and address vulnerabilities

Notes

  • CISOFY provides packages for many distributions
  • Check https://packages.cisofy.com/ for distribution-specific installation instructions
  • Lynis is actively maintained and regularly updated

Installation and Setup

1

Install prerequisites

On Debian-based systems, install the packages apt needs to fetch from an HTTPS repository, plus the host utility that CISOFY's instructions list:
sudo apt install ca-certificates apt-transport-https host
2

Add CISOFY repository

Add CISOFY's community software repository, keeping its signing key in its own keyring rather than the system-wide trusted keys:
sudo mkdir -p /etc/apt/keyrings
wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/keyrings/cisofy-lynis.gpg
echo "deb [signed-by=/etc/apt/keyrings/cisofy-lynis.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
Before relying on the key, inspect its fingerprint with gpg and compare it against the fingerprint CISOFY publishes at https://packages.cisofy.com/. The signed-by option then limits this repository to that single key, so a compromise of another repository's key cannot be used to push a fake Lynis package.
3

Install Lynis

Update package lists and install Lynis:
sudo apt update
sudo apt install lynis
4

Update Lynis

Check whether a newer release is available. This command only reports version status; it does not upgrade anything. On a packaged install the upgrade itself arrives through the same apt update and install commands used above:
lynis update info

Running a Security Audit

To perform a comprehensive security audit of your system:
sudo lynis audit system
This will:
  1. Scan your entire system
  2. Check for security issues and vulnerabilities
  3. Report findings with severity ratings
  4. Provide suggestions for improvement
The audit only reads system state; the only files it writes are its own log and report under /var/log. Run it with sudo so it can read configuration files, sockets and kernel settings an unprivileged user cannot; a non-root run completes but skips many tests. It is safe to run at any time.

Understanding the Output

Lynis provides detailed output organized into sections:

Status Indicators

  • [OK] - Check passed, no issues found
  • [WARNING] - Potential issue that should be reviewed
  • [SUGGESTION] - Recommendation for improvement
  • [FOUND] - Item was detected
  • [NOT FOUND] - Item was not detected

Sections Audited

Lynis checks numerous areas including:
  • System tools and commands
  • Boot and services
  • Kernel configuration
  • File system integrity
  • Users and authentication
  • File permissions
  • SSH configuration
  • Network configuration
  • Firewall settings
  • Software packages
  • Logging and auditing

Hardening Index

At the end of the scan, Lynis prints a hardening index (0-100). It is a relative indicator, useful for tracking the same host across repeated scans, not a compliance score, and it is not meaningful to compare between hosts with different roles.

Reviewing Results

1

Review warnings

Pay special attention to items marked as WARNING. These often indicate security issues that should be addressed.
2

Review suggestions

Examine the SUGGESTION items. These are recommendations that can improve your security posture.
3

Check the log file

Detailed results are saved to /var/log/lynis.log:
sudo less /var/log/lynis.log
4

Review the report

A summary report is also saved to /var/log/lynis-report.dat:
sudo less /var/log/lynis-report.dat

Common Findings and Actions

After running Lynis, you’ll likely see suggestions such as:
  • Install additional security tools (like fail2ban, rkhunter)
  • Harden SSH configuration (disable root login, change port)
  • Configure a firewall (UFW, iptables)
  • Enable automatic security updates
  • Set up file integrity monitoring (AIDE)
  • Configure audit logging (auditd)
  • Review user accounts and permissions
Many of the items Lynis suggests are covered in other sections of this guide. Use Lynis results to verify you’ve implemented the security measures appropriately.

Additional Lynis Commands

# Show Lynis version
lynis show version

# Show available commands
lynis show commands

# Show available options
lynis show options

# Check whether a newer Lynis release is available (reports only; the package upgrade comes through apt)
lynis update info

# Run specific test group
sudo lynis audit system --tests-from-group malware

# Run with specific profile
sudo lynis audit system --profile /path/to/profile

Automated Audits

You can set up Lynis to run automatically:
# Create a cron job for weekly audits
sudo crontab -e
Add:
0 3 * * 0 /usr/bin/lynis audit system --cronjob | mail -s "Lynis Weekly Report" root
This runs Lynis every Sunday at 3 AM and mails the output to root. The --cronjob option makes the run non-interactive and strips colour codes so the output is readable in mail, and the absolute path matters because cron runs with a minimal PATH. Delivery depends on a local mail command and a configured MTA; the log and report files under /var/log are written regardless, so a run is not lost if mail fails.
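The following wrapper is added here as an example; it is not part of Lynis or of the original page. It ties the scheduled run to the report files described under Reviewing Results: it runs the audit with --cronjob, then condenses /var/log/lynis-report.dat into a short summary suitable for the cron mail instead of the full audit output. It assumes the key=value format Lynis writes to that file, in which findings appear as warning[]=TEST-ID|text|details|solution| and suggestion[]=... lines and the score as hardening_index=NN. The install path /usr/local/sbin/lynis-weekly.sh, the LYNIS_REPORT override and the --run/--summary/--demo switches are this example's own choices, and the demo report is a constructed sample, not output from a real scan.

```shell
#!/bin/sh
# Added example, not part of Lynis: a wrapper for scheduled audits that runs
# Lynis non-interactively and condenses /var/log/lynis-report.dat into a short
# summary for mail. It assumes the key=value report format Lynis writes:
#   warning[]=TEST-ID|text|details|solution|
#   suggestion[]=TEST-ID|text|details|solution|
#   hardening_index=NN
# Suggested install path (an assumption): /usr/local/sbin/lynis-weekly.sh

REPORT="${LYNIS_REPORT:-/var/log/lynis-report.dat}"

# Hardening index (0-100) recorded in the report, or "unknown" if absent.
report_hardening_index() {
    idx=$(sed -n 's/^hardening_index=//p' "$1")
    echo "${idx:-unknown}"
}

# Number of findings of one kind ("warning" or "suggestion").
report_count() {
    grep -c "^$2\[]=" "$1" || true   # grep -c exits 1 when the count is 0
}

# One line per finding: "KIND TEST-ID: text [details]" (details shown only if set).
report_findings() {
    sed -n "s/^$2\[]=//p" "$1" |
    awk -F'|' -v kind="$(echo "$2" | tr a-z A-Z)" '{
        line = kind " " $1 ": " $2
        if ($3 != "" && $3 != "-") line = line " [" $3 "]"
        print line
    }'
}

# Header with the index and counts, then warnings first, suggestions after.
report_summary() {
    echo "Lynis report: $1"
    echo "Hardening index: $(report_hardening_index "$1")"
    echo "Warnings: $(report_count "$1" warning), suggestions: $(report_count "$1" suggestion)"
    echo
    report_findings "$1" warning
    report_findings "$1" suggestion
}

# Constructed sample in the report format, for offline testing; not a real scan.
write_demo_report() {
    cat > "$1" <<'EOF'
lynis_version=3.0.9
hardening_index=64
warning[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separate partition|-|-|
EOF
}

case "${1:-}" in
    --run)
        # Needs root. --cronjob runs without prompts or colour codes; the full
        # trace still goes to /var/log/lynis.log, so stdout can be discarded.
        lynis audit system --cronjob >/dev/null
        report_summary "$REPORT" ;;
    --summary)
        report_summary "$REPORT" ;;
    --demo)
        DEMO=$(mktemp)
        write_demo_report "$DEMO"
        report_summary "$DEMO"
        rm -f "$DEMO" ;;
esac
```

With the script in place, the cron entry becomes 0 3 * * 0 /usr/local/sbin/lynis-weekly.sh --run | mail -s "Lynis weekly summary" root, and --summary re-reads the last report without re-running the audit. For any finding in the summary, lynis show details TEST-ID prints the log lines that test produced, which is usually enough to decide whether the item applies to the host.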

Customizing Scans

Lynis reads /etc/lynis/default.prf first and then /etc/lynis/custom.prf, so put local overrides in custom.prf and leave default.prf untouched (it is replaced on package upgrades). Each option is one key=value line:
# Skip specific tests, using the test IDs shown in the report
skip-test=FILE-1234
skip-test=AUTH-5678

# Declare the host's role so role-specific tests are applied
machine-role=server

Next Steps

After running Lynis:
  1. Document the findings - Keep a record of your security audit results
  2. Prioritize issues - Address critical warnings first
  3. Implement suggestions - Work through recommendations systematically
  4. Re-run audits - After making changes, run Lynis again to verify improvements
  5. Schedule regular audits - Make security audits part of your routine maintenance
Do not blindly implement all suggestions. Understand each recommendation and how it applies to your specific environment and use case before making changes.
