What Is Lynis?
If you manage Linux servers — whether it’s a personal VPS, a homelab VM, or a production system — chances are you’ve wondered: “Is this machine actually secure?” That’s exactly the question Lynis is built to answer.
Lynis is a free, open-source security auditing tool for Unix-based systems (Linux, macOS, BSD). Originally created by Michael Boelen and now maintained by CISOfy, it has been around since 2007 and is trusted by sysadmins and security professionals worldwide.
Unlike vulnerability scanners that probe systems from the outside, Lynis takes a host-based approach — it runs on the system being assessed. This means it can deeply inspect configuration files, installed packages, running services, user permissions, and kernel parameters that external scanners simply can’t see.
What Lynis Is NOT
It’s important to set the right expectations:
- Lynis is not a vulnerability scanner (like Nessus or OpenVAS).
- It does not exploit vulnerabilities or simulate attacks.
- It does not fix issues automatically — it reports and recommends.
Think of it as a knowledgeable friend who walks through your system, checks every cupboard, and hands you a detailed report with advice. The fixing is up to you.
How Lynis Works
Lynis follows a plugin-based, modular architecture. When you run an audit, it executes a series of tests grouped into categories (AUTH, SSH, KRNL and so on), and plugins can extend that set of tests. Each category targets a specific area of the system.
Audit Categories
| Category | What It Checks |
|---|---|
| BOOT | Bootloader configuration, GRUB security |
| AUTH | PAM settings, password policies, sudo rules |
| FILE | File permissions, SUID/SGID binaries, world-writable files |
| NETW | Firewall status, open ports, network parameters |
| KRNL | Kernel version, sysctl hardening parameters |
| LOGG | Syslog configuration, log file permissions |
| SOFT | Installed software, package manager configuration |
| SSH | SSH daemon configuration (a big one!) |
| CRYP | SSL/TLS certificates, cryptographic settings |
| MALW | Malware scanner detection (ClamAV, rkhunter, etc.) |
The Hardening Index
At the end of every audit, Lynis computes a Hardening Index — a score between 0 and 100. This score reflects how hardened the system is relative to what Lynis can test. It is not an absolute security score, but it’s an excellent benchmark for tracking improvement over time.
Hardening index : 67 [############# ]
The goal isn’t necessarily to hit 100 — some recommendations may not apply to your environment — but the score gives you a quick gauge of your security posture.
Installation & Setup
Lynis can be installed in multiple ways. The recommended approach for learning and lab environments is to install from the official repository or directly from source, which ensures you’re running the latest version.
Option 1: Install via Package Manager (Quick Start)
Debian / Ubuntu:
sudo apt update
sudo apt install lynis -y
RHEL / CentOS / Fedora:
sudo dnf install lynis -y
Note: Package manager versions can lag behind the latest upstream release. For production systems or when you need the most up-to-date tests, prefer the CISOfy repository or source install.
Option 2: Install from the CISOfy Repository (Recommended)
This keeps Lynis up-to-date automatically via your package manager.
For Debian/Ubuntu:
# Install prerequisites
sudo apt install apt-transport-https curl -y
# Add the CISOfy signing key
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | \
sudo gpg --dearmor -o /usr/share/keyrings/cisofy-software-archive-keyring.gpg
# Add the repository
echo "deb [signed-by=/usr/share/keyrings/cisofy-software-archive-keyring.gpg] \
https://packages.cisofy.com/community/lynis/deb/ stable main" | \
sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
# Update and install
sudo apt update
sudo apt install lynis -y
Option 3: Run from Source (No Installation)
This is ideal for auditing systems where you don’t want to install anything, or for running on systems with no internet access.
# Clone the repository
git clone https://github.com/CISOfy/lynis.git
# Change into the directory
cd lynis
# Run directly (no install needed)
sudo ./lynis audit system
Verify the Installation
lynis show version
# Prints the installed version, e.g. 3.x.x
Running Your First Audit
Basic System Audit
The most common command you’ll use is:
sudo lynis audit system
Running as root (or via sudo) is required for Lynis to access privileged files and settings. Without root, many checks will be skipped.
The audit typically takes 30–90 seconds depending on the system. You’ll see output scrolling through the terminal as each test category runs.
Useful Flags
| Flag | Description |
|---|---|
| --quick | Skip pauses between sections (faster run) |
| --no-colors | Plain text output (useful for piping or logging) |
| --log-file /path/to/file | Write logs to a custom location |
| --report-file /path/to/report | Save machine-readable report |
| --tests-from-group ssh | Run only a specific category of tests |
| --verbose | Show all tests, including passed ones |
Example — quick audit with custom log:
sudo lynis audit system --quick --log-file /var/log/lynis-audit.log
Running a Rootkit Check Only
sudo lynis audit system --tests-from-group malware
Interpreting the Results
After the audit completes, the terminal output is divided into clear sections. Here’s how to read it.
Section Structure
================================================================================
Lynis security scan details:
Hardening index : 67 [############# ]
Tests performed : 263
Plugins enabled : 1
Components:
- Firewall [V]
- Malware scanner [X]
Lynis Modules:
- Compliance status [?]
- Security audit [V]
- Vulnerability scan [V]
================================================================================
Status Indicators
When reading test results in the terminal, each line shows a test and its result:
| Indicator | Meaning |
|---|---|
| [OK] | Test passed; configuration looks good |
| [WARNING] | Potential issue found; review recommended |
| [SUGGESTION] | Not critical, but could be improved |
| [NOT FOUND] | A tool or service expected was not detected |
| [SKIPPED] | Test was skipped (often due to missing root or irrelevant OS) |
Where to Find the Full Report
After the run, Lynis writes two key files:
| File | Purpose |
|---|---|
| /var/log/lynis.log | Detailed human-readable log of every test |
| /var/log/lynis-report.dat | Machine-readable key-value report |
To view warnings and suggestions from the report file:
grep "^warning\|^suggestion" /var/log/lynis-report.dat
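As an added example (not code from this post or from Lynis itself), the Python below parses the key=value report file, pulls out the hardening index plus every warning and suggestion, and diffs two runs so you can see which findings a hardening pass resolved and how the score moved. It assumes finding lines are laid out as `suggestion[]=TEST-ID|text|details|solution|`, and the two sample reports are constructed inline.

```python
"""Parse /var/log/lynis-report.dat and diff two audits (added example, not Lynis code)."""
import re

# Constructed reports in the key=value format Lynis writes; finding lines are assumed
# to look like: suggestion[]=TEST-ID|text|details|solution|
BEFORE = """\
hardening_index=67
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PasswordAuthentication (YES --> NO)|-|
suggestion[]=FINT-4350|Install a file integrity tool to monitor changes|-|-|
suggestion[]=ACCT-9622|Enable process accounting|no accounting tool found|-|
"""
AFTER = """\
hardening_index=78
suggestion[]=ACCT-9622|Enable process accounting|no accounting tool found|-|
"""
FINDING = re.compile(r"^(warning|suggestion)\[\]=(.*)$")

def parse_report(text):
    """Return (hardening_index, findings); each finding is (kind, test_id, details).
    Details are kept because one test ID (SSH-7408 here) can raise several findings."""
    index, findings = None, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue          # comments and blank lines
        m = FINDING.match(line)
        if m:
            fields = m.group(2).split("|")
            details = fields[2] if len(fields) > 2 else "-"
            findings.add((m.group(1), fields[0], details))
        elif line.startswith("hardening_index="):
            index = int(line.split("=", 1)[1])
    return index, findings

def compare_runs(before_text, after_text):
    """Score delta plus the findings that disappeared (resolved) or appeared (new)."""
    before_idx, before = parse_report(before_text)
    after_idx, after = parse_report(after_text)
    return {"delta": after_idx - before_idx,
            "resolved": sorted(before - after),
            "new": sorted(after - before)}

if __name__ == "__main__":
    result = compare_runs(BEFORE, AFTER)
    print(f"Hardening index: {result['delta']:+d}")
    for kind, test_id, details in result["resolved"]:
        print(f"resolved {kind} {test_id}: {details}")
```

Point it at a copy of `/var/log/lynis-report.dat` saved before and after a hardening pass to get the same summary for a real host.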
Reading Suggestions in the Terminal
Near the end of the terminal output, you’ll see a Suggestions section like this:
* Consider hardening SSH configuration [SSH-7408]
- Details : PermitRootLogin (YES --> NO)
- Solution : Change the OpenSSH configuration in /etc/ssh/sshd_config
* Install a file integrity tool to monitor changes [FINT-4350]
- Solution : Install aide, tripwire, or samhain
* Enable process accounting [ACCT-9622]
- Details : no accounting tool found
Each suggestion includes:
- A test ID in brackets (e.g., [SSH-7408]) — use this to look up more details.
- A description of what’s wrong.
- A solution pointing you in the right direction.
Hardening Tips Based on Lynis Output
Here are the most common Lynis findings and how to address them. These cover findings that appear on almost every default Linux installation.
1. SSH Hardening (SSH-7408)
SSH is one of the most targeted services on any internet-facing system.
Common Lynis findings:
- PermitRootLogin yes
- PasswordAuthentication yes
- Weak ciphers / MACs allowed
Fix — edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
Add or update these settings:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no
MaxAuthTries 3
# Protocol 2 is accepted but ignored by modern OpenSSH (SSH-1 support is gone); it only matters on old releases
Protocol 2
# Use only strong ciphers and MACs
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Apply the changes (validate the file first, so a typo cannot leave sshd unable to start):
sudo sshd -t
sudo systemctl restart sshd
Before disabling password auth, make sure your SSH key is already in ~/.ssh/authorized_keys. Locking yourself out is a common mistake.
2. Firewall Not Enabled (FIRE-4512)
Lynis checks for an active firewall (UFW, firewalld, or iptables).
Fix — enable UFW (Ubuntu/Debian):
sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh # Or: sudo ufw allow 22/tcp
sudo ufw enable
sudo ufw status verbose
Fix — enable firewalld (RHEL/CentOS):
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --state
3. Kernel Hardening via sysctl (KRNL-6000)
The Linux kernel exposes many security-relevant parameters via /proc/sys/. Lynis checks whether these are set to hardened values.
Fix — create a hardening config file:
sudo nano /etc/sysctl.d/99-hardening.conf
Add these settings:
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1
# Disable IP forwarding (unless this is a router)
net.ipv4.ip_forward = 0
# Log martian packets (packets with impossible source addresses)
net.ipv4.conf.all.log_martians = 1
# Protect against time-wait assassination
net.ipv4.tcp_rfc1337 = 1
# Disable core dumps for SUID binaries
fs.suid_dumpable = 0
# Restrict dmesg to root
kernel.dmesg_restrict = 1
# Enable ASLR (Address Space Layout Randomization)
kernel.randomize_va_space = 2
Apply the changes:
sudo sysctl --system
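To confirm the file actually took effect (which is what Lynis checks under KRNL), the added Python below parses a sysctl.d-style file and compares each key with its live value in /proc/sys, reporting drift and keys that do not exist on the host (the IPv6 keys on a system with IPv6 disabled, for example). It is an added example, not Lynis code, and the config excerpt is constructed from the keys above.

```python
"""Check that a sysctl hardening file is live in /proc/sys (added example, not Lynis code)."""
import os

# Constructed excerpt in /etc/sysctl.d syntax, using the same keys as the hardening file above.
HARDENING_CONF = """\
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
"""

def parse_sysctl_conf(text):
    """Return {key: expected_value}; comment lines (# or ;) and blanks are skipped."""
    wanted = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, _, value = line.partition("=")
        wanted[key.strip()] = " ".join(value.split())   # normalise tabs/spaces
    return wanted

def read_proc_sys(key):
    """Live value of a key from /proc/sys, or None when the key does not exist
    (e.g. the net.ipv6.* keys on a host with IPv6 disabled)."""
    path = os.path.join("/proc/sys", *key.split("."))
    try:
        with open(path) as fh:
            return " ".join(fh.read().split())
    except OSError:
        return None

def check_sysctl(text, reader=read_proc_sys):
    """Return {key: (expected, actual)} for every key that is missing or differs.
    An empty dict means every setting in the file is in effect."""
    drift = {}
    for key, expected in parse_sysctl_conf(text).items():
        actual = reader(key)
        if actual != expected:
            drift[key] = (expected, actual)
    return drift

if __name__ == "__main__":
    for key, (want, have) in check_sysctl(HARDENING_CONF).items():
        print(f"{key}: expected {want}, live {'missing' if have is None else have}")
```

Run it after `sudo sysctl --system`; anything it prints is a setting Lynis will still flag.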
4. Password Policy (AUTH-9262, AUTH-9286)
Lynis flags weak or missing password aging policies.
Fix — configure password aging with chage:
# Set max password age to 90 days, minimum 7 days, warn 14 days before expiry
sudo chage -M 90 -m 7 -W 14 username
Fix — configure PAM for password complexity:
Install libpam-pwquality:
sudo apt install libpam-pwquality -y
Edit /etc/security/pwquality.conf:
minlen = 12
# At least 1 digit, 1 uppercase, 1 lowercase and 1 special character (negative = required count)
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
# No character repeated more than 3 times in a row
maxrepeat = 3
5. Install a File Integrity Monitor (FINT-4350)
Lynis recommends tools like AIDE (Advanced Intrusion Detection Environment) to detect unauthorized file changes.
Install AIDE:
sudo apt install aide -y
# Initialize the database (takes a few minutes)
sudo aideinit
# Copy the generated database into place
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Run a check against the baseline
sudo aide --check
Set up a daily cron job to run AIDE automatically:
echo "0 3 * * * root /usr/bin/aide --check | mail -s 'AIDE Report' root" | \
sudo tee /etc/cron.d/aide-daily
6. Disable Unused Services (BOOT-5180)
Every unnecessary running service is a potential attack surface.
Check what’s running:
sudo systemctl list-units --type=service --state=running
Disable services you don't need:
sudo systemctl disable --now <service-name>
# Example:
sudo systemctl disable --now cups # Printer service (if not needed)
sudo systemctl disable --now avahi-daemon # mDNS/Zeroconf (if not needed)
7. Auditd — Enable System Call Auditing (ACCT-9628)
Lynis checks whether auditd (the Linux Audit Daemon) is installed and running. Auditd records security-relevant events like file access, authentication attempts, and privilege escalation.
sudo apt install auditd audispd-plugins -y
sudo systemctl enable --now auditd
sudo auditctl -l # List current audit rules
Add some baseline rules to /etc/audit/rules.d/audit.rules:
# Watch /etc/passwd for changes
-w /etc/passwd -p wa -k passwd_changes
# Watch the sudoers policy (and its drop-in directory) for edits
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
# Record file opens denied with EACCES (permission denied); openat is what modern libc actually calls
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access_denied
Reload rules:
sudo augenrules --load
Conclusion
Lynis is one of the most practical and accessible tools for getting serious about Linux system security. It doesn’t require expert knowledge to run, but the depth of its output will challenge you to think like a security engineer.
Your Hardening Workflow
A healthy audit cycle looks like this:
Run Lynis → Review Suggestions → Apply Fixes → Re-run Lynis → Track Score Improvement
The first time you run Lynis on a fresh system, a score in the 55–70 range is common. After applying the hardening steps above, you should comfortably push into the 75–85 range or higher.
Key Takeaways
- Lynis is a host-based security auditing tool — it audits from the inside.
- The Hardening Index is your benchmark; track it over time.
- Prioritize SSH hardening, firewall configuration, and kernel parameters first — these cover the highest-impact findings on most systems.
- Combine Lynis with tools like AIDE (integrity monitoring) and auditd (event logging) for a layered defense posture.
- Re-run Lynis after every major configuration change or OS update.
Further Reading
- Lynis Official Documentation
- CIS Benchmarks for Linux
- NIST SP 800-123 — Guide to General Server Security
- Linux Audit Documentation
Happy hardening. The best time to audit your system was yesterday. The second best time is now.
