Lynis Security Auditing

Lynis cheatsheet — run security audits on Linux/Unix systems. lynis audit system, lynis show details, review warnings and suggestions. Harden servers with Lynis.


What it is

Lynis is an open-source security auditing tool that performs a deep scan of a Linux, macOS, or Unix-based operating system to identify security vulnerabilities and configuration weaknesses.

Installation

Linux (Debian/Ubuntu)

sudo apt update
sudo apt install lynis

Linux (RHEL/CentOS/Fedora)

sudo yum install epel-release
sudo yum install lynis

or

sudo dnf install lynis

macOS

brew install lynis

Windows

Lynis is primarily for Unix-like systems. For Windows, consider native tools or specialized security scanners.

Core Concepts

  • Auditing: Lynis systematically checks various aspects of your system against security best practices.
  • Plugins: Lynis supports plugins to extend its auditing capabilities, allowing for custom checks.
  • Vulnerabilities & Warnings: Lynis categorizes findings into suggestions, warnings, and security vulnerabilities.
  • Report: Lynis generates a detailed report that includes a summary, findings, and suggested remediation steps.
  • Profiles: Lynis can use predefined or custom profiles to tailor the audit to specific environments (e.g., hardening for web servers, databases).

Commands / Usage

Running a Basic Audit

sudo lynis audit system

Performs a comprehensive security audit of the entire system.

Running a Quick Audit

sudo lynis audit system --quick

Runs a faster, less intensive audit, skipping some deeper checks.

Running an Audit with a Specific Profile

sudo lynis audit system --profile /etc/lynis/profiles/CIS

Audits the system using the checks defined in the specified profile file (e.g., CIS benchmark).

Running an Audit with a Custom Profile

sudo lynis audit system --profile my_custom_profile.prf

Audits the system using a user-defined profile file.

Showing Available Tests

sudo lynis show tests

Lists all available security tests Lynis can perform.

sudo lynis show tests --category system

Lists all tests within the 'system' category.

Showing Test Details

sudo lynis show test detail sshd

Displays detailed information about the 'sshd' test, including its purpose and expected outcomes.

Showing Available Plugins

sudo lynis show plugins

Lists all available plugins that can extend Lynis’s functionality.

Showing Plugin Details

sudo lynis show plugin detail apparmor

Displays detailed information about the 'apparmor' plugin.

Showing Available Profiles

sudo lynis show profiles

Lists all built-in and user-defined profiles available for use.

Enabling Specific Tests

sudo lynis audit system --tests sshd,passwd,kernel

Runs the audit but only includes the 'sshd', 'passwd', and 'kernel' tests.

Excluding Specific Tests

sudo lynis audit system --skip-tests file-permissions,ports

Runs the audit but skips the 'file-permissions' and 'ports' tests.

Enabling Specific Categories

sudo lynis audit system --categories system,software

Runs the audit focusing only on tests within the 'system' and 'software' categories.

Excluding Specific Categories

sudo lynis audit system --skip-categories storage,networking

Runs the audit but excludes tests from the 'storage' and 'networking' categories.

Auditing a Remote Host (Requires SSH access and Lynis installed on the target)

sudo lynis audit remote --host 192.168.1.100

Audits the remote host 192.168.1.100 via SSH. You will be prompted for credentials.

sudo lynis audit remote --host 192.168.1.100 --sshkey ~/.ssh/id_rsa

Audits the remote host 192.168.1.100 using the specified SSH private key.

Running in Debug Mode

sudo lynis audit system --debug

Runs the audit with detailed debugging output, useful for troubleshooting Lynis itself.

Generating a Report in a Specific Format

sudo lynis audit system --report-format json

Generates the audit report in JSON format.

sudo lynis audit system --report-file /var/log/lynis-report.txt

Saves the audit report to the specified file instead of displaying it on the console.

Performing a Lite Audit (Minimal checks)

sudo lynis audit system --lite

Performs a very brief audit, suitable for quick checks or environments where a full audit might be too intrusive.

Updating Lynis Definitions

sudo lynis update check

Checks for available updates to Lynis’s security definitions and the tool itself.

Common Patterns

Daily Security Check Script

Combine Lynis with cron for regular security audits.

# Example crontab entry to run Lynis daily at 3 AM and save the report
0 3 * * * /usr/sbin/lynis audit system --cronjob --report-file /var/log/lynis-$(date +\%Y-\%m-\%d).log --quiet

  • --cronjob: Optimizes output for automated runs.
  • --report-file: Saves the output to a dated log file.
  • --quiet: Suppresses most output except for critical errors.

Auditing and Emailing Report

Pipe the output to mail for immediate notification.

sudo lynis audit system | mail -s "Lynis Security Audit Report - $(hostname)" admin@example.com

Auditing a Specific Service Configuration

Focus on a particular area, like SSH.

sudo lynis audit system --tests sshd

Auditing with a Pre-defined Hardening Profile

Use a standard profile like CIS or STIG.

sudo lynis audit system --profile /etc/lynis/profiles/CIS --report-file /var/log/lynis-cis-audit.log

Auditing and Analyzing Logs for Suspicious Activity

While Lynis isn’t a log analysis tool, its findings can point to areas to investigate further with tools like grep or awk.

sudo lynis audit system --tests file-permissions --report-file /tmp/lynis.log
grep "WARNING" /tmp/lynis.log | grep "world-writable"
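The cron pattern above leaves a report file behind, and the grep pattern above picks warnings out of it. The helper below, added here as an example and not part of the Lynis project, does both in one place: it reads a report in Lynis's key=value format (what `--report-file` writes, `/var/log/lynis-report.dat` by default), returns the hardening index, counts and lists warnings and suggestions, and gates on a threshold so a nightly job can fail loudly. The report contents are a constructed sample, not output from a real host.

```shell
#!/bin/sh
# Post-process a Lynis report file (key=value lines; findings look like
# warning[]=TEST-ID|description|details|solution|). Sample is constructed.

SAMPLE_REPORT="$(mktemp)"
cat > "$SAMPLE_REPORT" <<'EOF'
lynis_version=3.0.8
hardening_index=62
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
warning[]=FILE-6362|Found world-writable files|/tmp/example|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=PKGS-7392|Check for security updates|-|-|
EOF

# Print the hardening index (0-100) recorded in the report.
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# Print the number of findings of one type: "warning" or "suggestion".
count_findings() {
    grep -c "^$2\[\]=" "$1"
}

# Print "TEST-ID: description" for every finding of the given type.
list_findings() {
    grep "^$2\[\]=" "$1" | cut -d= -f2- | awk -F'|' '{ print $1 ": " $2 }'
}

# Succeed only when the report has no warnings and the hardening index
# is at or above the threshold in $2; a cron job can act on the exit status.
audit_passed() {
    [ "$(count_findings "$1" warning)" -eq 0 ] && \
    [ "$(hardening_index "$1")" -ge "$2" ]
}

# Stand-alone run: summarise the sample report.
echo "Hardening index: $(hardening_index "$SAMPLE_REPORT")"
echo "Warnings ($(count_findings "$SAMPLE_REPORT" warning)):"
list_findings "$SAMPLE_REPORT" warning
echo "Suggestions ($(count_findings "$SAMPLE_REPORT" suggestion)):"
list_findings "$SAMPLE_REPORT" suggestion
```

Point the functions at the real report path from the cron job, e.g. `audit_passed /var/log/lynis-report.dat 70 || mail -s "Lynis audit failed on $(hostname)" admin@example.com`.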

Gotchas

  • Root Privileges Required: Most Lynis checks require root privileges (sudo) to access system files and configurations. Running without sudo will result in incomplete audits.
  • False Positives/Negatives: Lynis relies on heuristics and known best practices. It’s not infallible. Always review findings in context and cross-reference with your specific environment’s requirements. A "vulnerability" might be a deliberate configuration for your setup.
  • Remote Auditing SSH Configuration: Ensure SSH is properly configured on the target host, including key-based authentication if used. Firewalls must allow SSH traffic (port 22 by default). Lynis needs to be installed on the remote target as well.
  • Profile Paths: Ensure the path to custom or non-standard profiles is correct. Lynis looks in /etc/lynis/profiles/ by default.
  • Output Interpretation: The report provides suggestions, warnings, and vulnerabilities. Understand the severity and context of each finding before making changes. Not every warning requires immediate action.
  • Lynis Updates: Regularly run sudo lynis update check to ensure you are using the latest security definitions and tool version. Outdated definitions can lead to missed vulnerabilities.
  • Plugin Installation: Plugins are typically scripts placed in /usr/share/lynis/plugins/ or a custom directory specified via configuration. Ensure they are executable.
  • --cronjob vs. --quiet: --cronjob is generally preferred for automated runs as it provides a more concise output suitable for logging. --quiet can be used in conjunction with --cronjob to further reduce verbosity.