FreeBSD hardening with Lynis

FreeBSD hardening with Lynis

Lynis development has its roots on a FreeBSD system, therefore FreeBSD hardening is also easy and supported when using Lynis. People who want to audit and harden their FreeBSD system will discover Lynis to be a powerful tool for this purpose. In this article we will focus on how to audit your system with Lynis.


Lynis is an open source audit tool. It only requires root access and a normal shell and the tool is written in shell script. For companies who use Lynis and using it on more than 10 systems, they might consider using the Lynis Enterprise Suite. This suite consists of Lynis, management tooling, customized reports, dashboards and additional plugins. Especially system administrators, security professionals and auditors will benefit from these extra utilities.


Lynis is available from the ports tree and usually the version is close or at the latest version. To install Lynis this way:

cd /usr/ports/security/lynis/ && make install clean

or to add the package:

pkg install security/lynis

In case the Lynis version from the ports tree is not up-to-date, please create a PR for the port. In the meantime you could download Lynis manually from the CISOfy website and extract the tarball in a temporary directory.

Running Lynis

Running Lynis can be as simple as using the -c parameter to perform a scan with all tests enabled (unless some are marked to be skipped). Adding the -Q will avoid waiting for user feedback after each section has been finished.

lynis -c -Q

Lynis (Unix auditing tool) screenshot

Screenshot of a security scan performed with Lynis.

Note: if you manually unpacked the tarball, use ./lynis -c -Q from the local directory instead.

Usually FreeBSD installations are already pretty well hardened out of the box, as the installation requires you to install additional software. Still, it’s worth to perform an extensive audit and check the outcome of the tests. These will be displayed at the bottom of the screen, together with a hardening index and pointers to log file and report file.

After the scan you are advised to have a look at the log file (default /var/log/lynis.log) to determine what has been checked in each test and any further suggestions. Warnings and suggestions will be displayed also on screen.

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package

Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.