Tools compared: rkhunter VS Lynis

Rootkit Hunter and Lynis compared

The question about what the differences are between rkhunter and Lynis is showing up more and more. Time to share the purpose of both and show the difference in its usage. As the author of both tools, I should have done this nine years ago. So with some little delay, here it is.

Rootkit Hunter

Written in 2003, rkhunter had the goal to detect malware on Linux and UNIX-based systems. The main target was rootkits, with an occasional detection mechanism for a common backdoor. The secondary target was promoting a few best practices, like disabling direct root logins via SSH.

The rkhunter tool is written in shell script to allow portability and support more than just Linux systems.


Lynis was created in 2007, also as a set of shell scripts. Where rkhunter focuses on malware, Lynis takes a more generic approach. The primary goal is to provide tips for system hardening. It does so by detecting weak configurations, search for vulnerable software packages, and looking at several system characteristics. These include the processes that run or some files that may be present. Depending on the outcome of those, more tests will be executed.

The output of Lynis looks slightly similar to what rkhunter uses. This is because of some screen routines used to share any findings.

Which one should I use?

The primary difference between the two tools is that Rootkit Hunter focuses on malware detection, Lynis on performing a security assessment. For that reason, you should at least use Lynis, combined with a malware scanner. That could be rkhunter, ClamAV, LMD, or one of the commercial solutions. It mainly depends on what kind of malware could possibly reside on that particular system. A web server with file uploads has different threats than a mail server.

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package

Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.