Lynis is an open source security auditing tool. Commonly used by system administrators, security professionals and auditors, to evaluate the security defenses of their Linux/Unix based systems. It runs on the host itself, so it can perform very extensive security scans.
Supported operating systems
The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:
- Mac OS
- and others
It even runs on systems like the Raspberry Pi and several storage devices!
No installation required
The tool is very flexible and easy to use. It is one of the few tools, in which installation is optional. Just place it on the system, give it a command like "audit system", and it will run. It is written in shell script and released as open source software (GPL).
How it works
Lynis performs hundreds of individual tests, to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization the program, up to the report.
- Determine operating system
- Search for available tools and utilities
- Check for Lynis update
- Run tests from enabled plugins
- Run security tests per category
- Report status of security scan
During the scan, technical details about the scan are stored in a log file. At the same time findings (warnings, suggestions, data collection), are stored in a report file.
Lynis scanning is opportunistic: it uses what it can find.
For example if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers a SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it then will collect discovered certificates, so they can be scanned later as well.
In-depth security scans
By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!
Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Vulnerability detection and scanning
- System hardening
Resources used for testing
Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
- Best practices
- OpenSCAP data
- Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)
--auditor "Given name Surname" Assign an auditor name to the audit (report)
--checkall -c Start the check
--check-update Check if Lynis is up-to-date
--cronjob Run Lynis as cronjob (includes -c -Q)
--help -h Shows valid parameters
--manpage View man page
--nocolors Do not use any colors
--pentest Perform a penetration test scan (non-privileged)
--quick -Q Don't wait for user input, except on errors
--quiet Only show warnings (includes --quick, but doesn't wait)
--reverse-colors Use a different color scheme for lighter backgrounds
--version -V Check program version (and quit)
= Lynis 2.1.1 (2015-07-22) =
This release adds a lot of improvements, with focus on performance, and
additional support for common Linux distributions and external utilities.
We recommend to use this latest version.
* Operating system enhancements
Support for systems like CentOS, openSUSE, Slackware is improved.
Performance tuning has been applied, to speed up execution of the audit on
systems with many files. This also includes code cleanups.
* Automatic updates
Initial work on an automatic updater has been implemented. This way Lynis
can be scheduled for automatic updating from a trusted source.
* Internal functions
Not all systems have readlink, or the -f option of readlink. The
ShowSymlinkPath function has been extended with a Python based check, which
is often available.
* Software support
Apache module directory /usr/lib64/apache has been added, which is used on
Support for Chef has been added.
Added tests for CSF's lfd utility for integrity monitoring on directories and
files. Related tests are FINT-4334 and FINT-4336.
Added support for Chrony time daemon and timesync daemon. Additionally NTP
sychronization status is checked when it is enabled.
Improved single user mode protection on the rescue.service file.
Check for user permissions has been extended.
Python binary is now detected, to help with symlink detection.
Several new legal terms have been added, which are used for usage in banners.
In several files old tests have been removed, to further clean up the code.
* Bug fixes
Nginx test showed error when access_log had multiple parameters.
Tests using locate won't be performed if not present.
Fix false positive match on Squid unsafe ports [SQD-3624].
The hardening index is now also inserted into the report if it is not displayed
Added AddSystemGroup function
* New tests
Several new tests have been added:
[PKGS-7366] Scan for debsecan utility on Debian systems
[PKGS-7410] Determine amount of installed kernel packages
[TIME-3106] Check synchronization status of NTP on systemd based systems
[CONT-8102] Docker daemon status and gather basic details
[CONT-8104] Check docker info for any Docker warnings
[CONT-8106] Check total, running and unused Docker containers
[PLGN-2602] Disabled by default, as it may be too slow for some machines
[PLGN-3002] Extended with /sbin/nologin
A new document has been created to help with the process of upgrading Lynis.
It is available at https://cisofy.com/documentation/lynis/upgrading/