How to deal with Lynis suggestions?


Screenshot of a Unix security audit performed with Lynis.

After finishing an audit with Lynis, the screen is usually filled with a lot of suggestions. Most users don’t know where to start with hardening, or how to deal with these Lynis suggestions in particular. Here are some tips!

Before we start, we strongly suggest using the latest version of Lynis. If you are using an outdated version from the software repositories, the output could be slightly different.

The latest version can be downloaded from the downloads page.

Step 1: Follow the link

After each warning or suggestion a link is displayed, which is related to the security control. The website contains more information regarding this control, so that the screen does not fill up with long pieces of text. This text will give an initial idea of what could be improved.

Step 2: Check the log

During a run, Lynis collects a lot of additional information. This information can be considered debug information and is very useful after the scan process. It includes information from the start of the program, OS and binary file detection, and the outcomes of each individual test.

To quickly determine what has been discovered during a particular test, open the log file with the less command and perform a search for the related control.

# less /var/log/lynis.log

Step 3: Check the source

The big benefit of using open source software components is the ability to look at the source code. Normally this isn’t easy for novices, as you need some programming knowledge to understand the logic. Fortunately, Lynis is written in shell script and the logic is easy to understand.

To find out why some Lynis suggestions showed up, go to the include directory. Perform a grep to check which file performs a particular test.

# cd include
# grep FILE-1234 *

The related filename will show up, and its contents can be reviewed with less (or your favorite text editor). Usually it will quickly become clear what files were tested and what particular text strings are related.
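The log search from Step 2 and the grep from Step 3 can be wrapped in two small shell functions. This is an added example, not part of Lynis or the original post: the function names are hypothetical, and it assumes each test's section in the log starts with a "Performing test ID" line and ends with a "====" line, as in the constructed sample.

```shell
#!/bin/sh
# Added example. Assumption: each test in lynis.log starts with a
# "Performing test ID <ID>" line and ends with a "====" separator line.

# Print the log section for one test ID (default log: /var/log/lynis.log).
lynis_log_section() {
    id=$1 log=${2:-/var/log/lynis.log}
    case $id in ''|*[!A-Z0-9-]*) echo "bad test ID" >&2; return 2 ;; esac
    awk -v id="$id" '
        !show {
            key = "Performing test ID " id
            p = index($0, key)
            # Require the ID to end here, so FILE-1234 does not match FILE-12345
            if (p && substr($0, p + length(key), 1) !~ /[A-Z0-9-]/) show = 1
        }
        show { print }
        show && /====$/ { exit }
    ' "$log"
}

# Name the include files that reference a test ID (Step 3).
lynis_test_source() {
    id=$1 dir=${2:-include}
    grep -l -F -e "$id" "$dir"/* 2>/dev/null
}

# Constructed sample log, for trying the function without a real audit.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-05-01 10:00:01 Performing test ID FILE-1234 (constructed sample test)
2024-05-01 10:00:01 Test: checking sample file
2024-05-01 10:00:01 Suggestion: sample suggestion text [test:FILE-1234]
2024-05-01 10:00:01 ====
2024-05-01 10:00:02 Performing test ID FILE-12345 (another constructed test)
2024-05-01 10:00:02 Result: sample result
2024-05-01 10:00:02 ====
EOF
}
```

Source the file, then run lynis_log_section FILE-1234 as root against the real log and lynis_test_source FILE-1234 from the Lynis directory.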


While we strongly believe that most people can harden their systems, we still see that most companies and people don’t properly perform this hardening. This is why we created an Enterprise version to help simplify this process.

If you have more than 10 systems to manage, we strongly suggest avoiding manual hardening. Automation is the key to getting and keeping your systems secure. Whatever method you use, focus on automation and use software configuration management tools like CFEngine, Chef and Puppet.

This blog post is part of our Linux security series and the mission to make Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)
