Lynis 2.1.1 - Security Auditing Tool for Unix/Linux Systems

Thursday, July 23, 2015

Lynis is an open source security auditing tool. Commonly used by system administrators, security professionals and auditors, to evaluate the security defenses of their Linux/Unix based systems. It runs on the host itself, so it can perform very extensive security scans.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:
  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • Mac OS
  • NetBSD
  • OpenBSD
  • Solaris
  • and others
It even runs on systems like the Raspberry Pi and several storage devices!

No installation required

The tool is very flexible and easy to use. It is one of the few tools, in which installation is optional. Just place it on the system, give it a command like "audit system", and it will run. It is written in shell script and released as open source software (GPL).

How it works

Lynis performs hundreds of individual tests, to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization the program, up to the report.

  1. Determine operating system
  2. Search for available tools and utilities
  3. Check for Lynis update
  4. Run tests from enabled plugins
  5. Run security tests per category
  6. Report status of security scan
During the scan, technical details about the scan are stored in a log file. At the same time findings (warnings, suggestions, data collection), are stored in a report file.

Opportunistic scanning

Lynis scanning is opportunistic: it uses what it can find.
For example if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers a SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it then will collect discovered certificates, so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Vulnerability detection and scanning
  • System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
  • Best practices
  • CIS
  • NIST
  • NSA
  • OpenSCAP data
  • Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)

--auditor "Given name Surname"     Assign an auditor name to the audit (report)
--checkall  -c  Start the check
--check-update     Check if Lynis is up-to-date
--cronjob     Run Lynis as cronjob (includes -c -Q)
--help  -h  Shows valid parameters
--manpage     View man page
--nocolors     Do not use any colors
--pentest     Perform a penetration test scan (non-privileged)
--quick  -Q  Don't wait for user input, except on errors
--quiet     Only show warnings (includes --quick, but doesn't wait)
--reverse-colors   Use a different color scheme for lighter backgrounds
--version  -V  Check program version (and quit)

Lynis 2.1.1
=  Lynis 2.1.1 (2015-07-22)  =

    This release adds a lot of improvements, with focus on performance, and
    additional support for common Linux distributions and external utilities.
    We recommend to use this latest version.

    * Operating system enhancements
    Support for systems like CentOS, openSUSE, Slackware is improved.

    * Performance
    Performance tuning has been applied, to speed up execution of the audit on
    systems with many files. This also includes code cleanups.

    * Automatic updates
    Initial work on an automatic updater has been implemented. This way Lynis
    can be scheduled for automatic updating from a trusted source.

    * Internal functions
    Not all systems have readlink, or the -f option of readlink. The
    ShowSymlinkPath function has been extended with a Python based check, which
    is often available.

    * Software support
    Apache module directory /usr/lib64/apache has been added, which is used on

    Support for Chef has been added.

    Added tests for CSF's lfd utility for integrity monitoring on directories and
    files. Related tests are FINT-4334 and FINT-4336.

    Added support for Chrony time daemon and timesync daemon. Additionally NTP
    sychronization status is checked when it is enabled.

    Improved single user mode protection on the rescue.service file.

    * Other
    Check for user permissions has been extended.
    Python binary is now detected, to help with symlink detection.
    Several new legal terms have been added, which are used for usage in banners.
    In several files old tests have been removed, to further clean up the code.

    * Bug fixes
    Nginx test showed error when access_log had multiple parameters.
    Tests using locate won't be performed if not present.
    Fix false positive match on Squid unsafe ports [SQD-3624].
    The hardening index is now also inserted into the report if it is not displayed
    on screen.

    * Functions
    Added AddSystemGroup function

    * New tests
    Several new tests have been added:

    [PKGS-7366] Scan for debsecan utility on Debian systems
    [PKGS-7410] Determine amount of installed kernel packages
    [TIME-3106] Check synchronization status of NTP on systemd based systems
    [CONT-8102] Docker daemon status and gather basic details
    [CONT-8104] Check docker info for any Docker warnings
    [CONT-8106] Check total, running and unused Docker containers

    * Plugins

    [PLGN-2602] Disabled by default, as it may be too slow for some machines
    [PLGN-3002] Extended with /sbin/nologin

    * Documentation
    A new document has been created to help with the process of upgrading Lynis.
    It is available at


Subscribe via e-mail for updates!