Skills · April 29, 2026 · 1 min read

Lynis — Security Auditing and Hardening Tool for Linux

An open-source security auditing tool that scans Linux, macOS, and Unix systems for vulnerabilities, misconfigurations, and hardening opportunities.

Introduction

Lynis is an open-source security auditing tool developed by CISOfy for Linux, macOS, and other Unix-based systems. It performs deep system scans to detect security issues, misconfigurations, and areas for hardening, producing actionable reports that help administrators strengthen their infrastructure.

What Lynis Does

  • Scans system configuration, file permissions, user accounts, and installed software for security issues
  • Checks compliance against standards like CIS benchmarks, HIPAA, and PCI DSS
  • Detects rootkits, malware indicators, and suspicious file attributes
  • Tests firewall rules, kernel parameters, and network configuration
  • Generates a hardening index score with prioritized remediation suggestions

Architecture Overview

Lynis is written entirely in POSIX shell script, making it portable across Unix-like systems with zero dependencies. It runs hundreds of individual tests organized into test groups (authentication, networking, storage, etc.). Each test produces findings categorized as warnings, suggestions, or informational. Results are logged to a report file and an optional JSON output for integration with SIEM or ticketing systems.

Self-Hosting & Configuration

  • Clone from GitHub or install via package managers (apt, yum, brew)
  • No compilation or runtime dependencies required beyond a POSIX shell
  • Customize scan profiles in /etc/lynis/custom.prf to skip or add tests
  • Schedule automated scans via cron for continuous compliance monitoring
  • Use --cronjob flag for non-interactive runs suitable for automation
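
A follow-up check for the scheduled scans described above, as an added example that is not part of the original page or Lynis project code: it reads the report file after a non-interactive run and fails when the hardening index is below a threshold or any warning is present. The report path, the hardening_index / warning[] / suggestion[] key names, the function names and the sample content are assumptions; confirm them against the report your Lynis version writes.

```shell
#!/bin/sh
# Added example, not Lynis project code. Assumes the key=value report Lynis
# writes (default /var/log/lynis-report.dat) with hardening_index=,
# warning[]= and suggestion[]= keys whose values are '|'-separated fields.

# Write a constructed sample report to $1 (IDs and text are placeholders).
write_sample_report() {
    cat > "$1" <<'EOF'
# constructed sample, not output from a real scan
hardening_index=62
warning[]=EXAMPLE-0001|Constructed warning text|-|-|
suggestion[]=EXAMPLE-0002|Constructed suggestion text|-|-|
suggestion[]=EXAMPLE-0003|Another constructed suggestion|-|-|
EOF
}

# Print the hardening index (0-100) recorded in report $1; empty if absent.
lynis_index() {
    sed -n 's/^hardening_index=\([0-9][0-9]*\)$/\1/p' "$1" 2>/dev/null | tail -n 1
}

# Print "ID<TAB>description" for each finding of kind $1 (warning|suggestion)
# in report $2. index() does a literal match, so "[]" needs no escaping.
lynis_findings() {
    awk -F'|' -v k="${1}[]=" 'index($0, k) == 1 {
        printf "%s\t%s\n", substr($1, length(k) + 1), $2
    }' "$2"
}

# Return 0 when report $1 has index >= $2 and no warnings, 1 when it does
# not, and 2 when no index could be read (missing or truncated report).
lynis_gate() {
    idx=$(lynis_index "$1")
    [ -n "$idx" ] || return 2
    warns=$(lynis_findings warning "$1" | wc -l | tr -d ' ')
    [ "$idx" -ge "$2" ] && [ "$warns" -eq 0 ]
}

# Demo on the constructed sample. In cron, set REPORT to the file produced
# by a prior non-interactive run (lynis audit system --cronjob).
REPORT=${REPORT:-$(mktemp)}
[ -s "$REPORT" ] || write_sample_report "$REPORT"
lynis_findings warning "$REPORT"
lynis_gate "$REPORT" 70 || echo "gate failed: index=$(lynis_index "$REPORT")" >&2
```

Treating a missing index as its own exit code keeps a failed or interrupted scan from being read as a passing one.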

Key Features

  • Over 300 individual security tests covering all major system components
  • Compliance mapping to CIS, NIST, ISO 27001, and PCI DSS frameworks
  • Plugin system for extending with custom tests and organization-specific checks
  • Hardening index score (0-100) for tracking security posture over time
  • Works on bare-metal, VMs, containers, and cloud instances without agents

Comparison with Similar Tools

  • OpenSCAP — focuses on SCAP/XCCDF policy enforcement; Lynis is lighter and needs no XML profiles
  • Tiger — older Unix auditing tool with fewer tests; Lynis is actively maintained with broader coverage
  • CIS-CAT — official CIS benchmark scanner but requires a license; Lynis is free and open source
  • Wazuh — agent-based SIEM/XDR platform; Lynis is agentless and runs standalone scans

FAQ

Q: Does Lynis modify the system during a scan?
A: No. Lynis is read-only and makes no changes to the system. It only inspects and reports.

Q: Can it scan Docker containers?
A: Yes. Run Lynis inside a container or mount the container filesystem for auditing.

Q: Is there a paid version?
A: Lynis Enterprise by CISOfy adds a web dashboard, scheduled scans, and team collaboration features.

Q: How do I fix the issues it finds?
A: Each finding includes a suggestion ID. Run lynis show details SUGGESTION-ID for remediation guidance.
