How to use Lynis

This article explains in a few quick steps how to get started with Lynis. A more extensive explanation can be found in the Lynis documentation.

Option 1: install from package

Use your package manager and install the 'lynis' package.

apt install lynis

or

dnf install lynis

Note: the package repository of your distribution often has an outdated version of Lynis. Consider using the official repository.

Option 2: Download Lynis

wget https://cisofy.com/files/lynis-version.tar.gz

Unpack tarball

tar xfvz lynis-version.tar.gz

This unpacks the tarball into a directory named lynis.

Run Lynis

Go to the newly created directory named lynis.

cd lynis

When running Lynis for the very first time, use the audit system command. It starts the audit process and pauses after every batch of tests.

./lynis audit system

After reading the section, press ENTER to perform the next batch. Items that show up in white can be considered normal. Green usually indicates a common, preferred or safe value.

Yellow or red might indicate an unexpected result, a suggestion or a serious security weakness.

Dealing with findings

At the end of the Lynis scan a report is displayed with the findings, a hardening index and the location of several related files.

This audit overview can be used to determine what items are discovered and need more investigation. This might include serious vulnerabilities which were discovered, but also minor items. It’s even possible that some value is discovered, which is configured “weak” on purpose (e.g. depending on the role the system has).

Each finding can be found in the log file as well. The related test ID is displayed at the end of the line. For example:

  • Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]

Search for the related line in the log file:

# grep BANN-7126 /var/log/lynis.log  
[20:11:04] Performing test ID BANN-7126 (Check issue banner file contents)  
[20:11:04] Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]

While this does give us positive search results, there is more information available. Therefore it’s better to open the log file (e.g. with less) and search for the first matching line. This will be the first line shown in the example, as this is also the start of the test.

The log file might also provide hints on what has been checked and where to fix the finding. Still, we advise you to carefully read the documentation about every configuration file or parameter before changing it.
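
The log search described above, as an added example that is not part of the original article or of Lynis itself: it lists the test IDs that produced a suggestion and prints each test's complete log section, from its "Performing test ID" line up to the start of the next test. The function names, the DEMO-* test IDs and the "Result:" lines in the sample log are constructed for illustration; only the two BANN-7126 lines come from the article.

```shell
#!/bin/sh
# Added example: show the full log section behind each Lynis suggestion.

# Write a small constructed sample log (DEMO-* IDs and Result lines are made up).
write_sample_log() {
    cat > "$1" <<'EOF'
[20:11:03] Performing test ID DEMO-0001 (Constructed test before the banner check)
[20:11:03] Result: constructed result line
[20:11:04] Performing test ID BANN-7126 (Check issue banner file contents)
[20:11:04] Result: constructed result line for the banner check
[20:11:04] Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
[20:11:05] Performing test ID DEMO-0003 (Constructed test after the banner check)
[20:11:05] Result: constructed result line
EOF
}

# List the distinct test IDs that have a "Suggestion:" line in log file $1.
lynis_finding_ids() {
    grep 'Suggestion: ' "$1" |
        sed -n 's/.*\[test:\([A-Z0-9-]*\)\].*/\1/p' | sort -u
}

# Print all log lines of test ID $1 in log file $2. The ID is compared
# exactly, so BANN-712 does not match BANN-7126.
lynis_test_block() {
    awk -v id="$1" '
        match($0, /Performing test ID [^ ]+/) {
            # 19 = length of "Performing test ID "
            inblock = (substr($0, RSTART + 19, RLENGTH - 19) == id)
        }
        inblock
    ' "$2"
}

# Demo on the constructed log; on a real system pass /var/log/lynis.log.
log=$(mktemp)
write_sample_log "$log"
for id in $(lynis_finding_ids "$log"); do
    echo "== $id =="
    lynis_test_block "$id" "$log"
done
rm -f "$log"
```
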

Lynis Enterprise Suite

For companies and people who need more than just vulnerability checking, there is the Lynis Enterprise Suite. This includes Lynis, management reporting, dashboards, and detailed explanations on fixing vulnerabilities and improving system security. To help with automation, the enterprise version also includes snippets.

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is also a cheat sheet available.

  • grep
  • lynis
  • tar (cheat sheet)
  • wget

Feedback

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!
