CAATTs for Linux: Lynis

Within the audit profession, the use of CAAT (computer-assisted audit techniques) or CAATTs (computer-assisted audit tools and techniques) is growing. Lynis fills this gap for Linux and Unix-based systems. It is a well-known and stable tool in this area and improves the audit process through automation, leaving only a few items to be checked manually. This saves time, makes the audit more predictable and increases the quality of the overall audit.


Based on common shell scripting, Lynis has low requirements to run. By performing an in-depth security audit, it can extract information or directly give advice on how to improve the security defenses. Lynis checks configuration files, installed packages, the network configuration and more. Vulnerable packages, an incorrectly configured SSH daemon or a missing firewall will be noticed and reported back to the auditor running the tool.


Lynis was created by Michael Boelen in 2007 and released as a GPLv3 licensed project. Over the years it received much feedback from the open source community, and many releases made the tool rock-solid.

Development efforts have increased since last year, as part of the founding of CISOfy. Lynis is now also an integrated part of the Lynis Enterprise Suite and will continue to get updates this way. The community benefits from the releases of the open source product, while the enterprise users benefit from the many users of the tool. The latter is important to ensure stability, integrity and proper support of the tool.


Lynis focuses on the automation of technical audits. This way it helps auditors do their job faster and improve quality, without having to know all the technical updates in the field.

Some tips when performing an audit with Lynis:

  • Check for the latest version before performing an audit
  • Create your custom scan profile and include company specific files and settings
  • Use the --auditor option to define who performed the audit at that time
  • Store the lynis.log and lynis-report.dat files as evidence
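
The last tip can be scripted so that the evidence is also tamper-evident. The following is an added example, not part of the original article or the Lynis project: it copies both files into a per-host, timestamped directory, records SHA-256 hashes and makes the copies read-only. It assumes sha256sum is available and that both files sit in one directory (/var/log is the Lynis default); the function names, the COLLECTION.txt file and the /srv/audit-evidence path are hypothetical.

```shell
#!/bin/sh
# Added example: preserve Lynis output as audit evidence.
# Hypothetical usage after a scan, as root:
#   preserve_evidence /var/log /srv/audit-evidence "Jane Auditor"

# preserve_evidence SRC_DIR DEST_ROOT AUDITOR
# Copies lynis.log and lynis-report.dat to DEST_ROOT/<host>-<UTC time>/,
# writes a SHA-256 manifest and prints the new directory on success.
preserve_evidence() {
    src=$1; root=$2; auditor=$3
    # Refuse to archive an incomplete run: both files must exist and be non-empty.
    for f in lynis.log lynis-report.dat; do
        if [ ! -s "$src/$f" ]; then
            echo "missing or empty: $src/$f" >&2
            return 1
        fi
    done
    host=$(uname -n)
    dest="$root/$host-$(date -u +%Y%m%dT%H%M%SZ)"
    # Plain mkdir on the final directory fails if it already exists,
    # so earlier evidence is never overwritten.
    mkdir -p "$root" && mkdir "$dest" || return 1
    cp -p "$src/lynis.log" "$src/lynis-report.dat" "$dest/" || return 1
    (
        cd "$dest" &&
        sha256sum lynis.log lynis-report.dat > SHA256SUMS &&
        printf 'auditor=%s\nhost=%s\ncollected_utc=%s\n' \
            "$auditor" "$host" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > COLLECTION.txt &&
        chmod 0444 lynis.log lynis-report.dat SHA256SUMS COLLECTION.txt
    ) || return 1
    echo "$dest"
}

# verify_evidence DIR
# Returns 0 only if both files still match the recorded hashes.
verify_evidence() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}
```

Keeping a copy of SHA256SUMS outside the evidence directory, for example in the audit file, lets a later reviewer detect a change to the files and the manifest together.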

Easy deployment

Within an audit it is common to use a tool on many systems at once. Lynis is flexible in this respect and does not need to be installed. The default tar archive can be used from a temporary directory on the target system. Another option is to run it from local or remote storage (e.g. a USB stick or NFS share).


With the use of plugins, the functionality of Lynis can be extended. Auditors especially benefit from a more extensive scan, so they can better help their clients by giving the appropriate advice. For more information about the available plugins, have a look at the website.

Enterprise support

As there aren’t many CAATTs for Linux, it’s good to know that auditors will benefit from the flexible options within the Lynis Enterprise Suite. No expensive licenses, but a simple system with credits. Pay what you need and help your clients with their auditing needs in just a matter of hours or even minutes (full scan, set-up and reporting)!

Happy hardening!



This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
