Lynis is an open source security auditing tool, used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. Because it runs on the host itself, it can perform more extensive security scans than vulnerability scanners.
Supported operating systems
The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:
It even runs on systems like the Raspberry Pi and several storage devices!
Lynis is lightweight and easy to use. Installation is optional: just copy it to a system and run "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).
How it works
Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of a set of steps, from initialization of the program up to the report:
Determine operating system
Search for available tools and utilities
Check for Lynis update
Run tests from enabled plugins
Run security tests per category
Report status of security scan
Besides the data displayed on screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, collected data) are stored in a report file.
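The report file is what most people automate on: it is the machine-readable record of warnings and suggestions. The parser below is an added example, not code from the Lynis project. It assumes the key=value layout Lynis writes to its report file (by default /var/log/lynis-report.dat), where repeatable keys end in "[]" and each finding is a pipe-separated record of the form warning[]=TEST-ID|description|details|solution|. The SAMPLE_REPORT, its descriptions and the hardening_index value are constructed for illustration; only the test IDs are taken from the changelog on this page.

```python
"""Parse a Lynis report file into structured findings (added example, not Lynis code).

Assumed format (not stated on the page, taken as an assumption here):
    key=value                       scalar values, e.g. hardening_index=64
    key[]=value                     repeatable values
    warning[]=ID|description|details|solution|
    suggestion[]=ID|description|details|solution|
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample report; descriptions and numbers are made up for the example.
SAMPLE_REPORT = """\
# Lynis Report (constructed sample)
report_version_major=1
lynis_version=2.3.4
os_name=Linux
hardening_index=64
warning[]=PKGS-7322|Found one or more vulnerable packages.|-|-|
warning[]=FIRE-4520|Empty nftables ruleset detected.|-|-|
suggestion[]=FILE-6344|Consider mounting /proc with the hidepid option.|-|-|
suggestion[]=NAME-4408|Add the hostname to IP mapping to /etc/hosts.|-|-|
installed_packages=412
"""


@dataclass(frozen=True)
class Finding:
    kind: str        # "warning" or "suggestion"
    test_id: str     # Lynis test identifier, e.g. FIRE-4520
    description: str
    details: str
    solution: str


def parse_report(text):
    """Split report text into (scalars, lists); comments and blank lines are skipped."""
    scalars = {}
    lists = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            scalars[key] = value
    return scalars, lists


def findings(lists):
    """Turn warning[] and suggestion[] records into Finding objects."""
    out = []
    for kind in ("warning", "suggestion"):
        for value in lists.get(kind, []):
            fields = value.split("|")
            fields += [""] * (4 - len(fields))   # tolerate short records
            out.append(Finding(kind, fields[0], fields[1], fields[2], fields[3]))
    return out


def summarize(text):
    """Return the numbers a CI job or dashboard would act on."""
    scalars, lists = parse_report(text)
    found = findings(lists)
    return {
        "version": scalars.get("lynis_version", "unknown"),
        "hardening_index": int(scalars.get("hardening_index", 0)),
        "warnings": [f.test_id for f in found if f.kind == "warning"],
        "suggestions": [f.test_id for f in found if f.kind == "suggestion"],
    }


def meets_policy(text, min_index=60, allow_warnings=False):
    """Simple gate: fail when the hardening index is too low or warnings are present."""
    summary = summarize(text)
    if summary["hardening_index"] < min_index:
        return False
    if summary["warnings"] and not allow_warnings:
        return False
    return True


if __name__ == "__main__":
    # On a real host: summarize(open("/var/log/lynis-report.dat").read())
    print(summarize(SAMPLE_REPORT))
    print("policy ok:", meets_policy(SAMPLE_REPORT))
```

The gate function shows the usual way the report gets used in practice: run the audit on a schedule, parse the report, and fail the job when warnings appear or the hardening index drops below a threshold you choose.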
Lynis scanning is opportunistic: it uses what it can find.
For example, if it sees you are running Apache, it will perform an initial round of Apache-related tests. If during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing so, it collects the discovered certificates so they can be scanned later as well.
In-depth security scans
Because scanning is opportunistic, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis always performs scans that are customized to your system: no two audits will be the same.
Since Lynis is flexible, it is used for several different purposes. Typical use cases include:
Compliance testing (e.g. PCI, HIPAA, SOx)
Vulnerability detection and scanning
Resources used for testing
Many other tools use the same data files for performing their tests. Since Lynis is not limited to a few common Linux distributions, it uses tests derived from standards as well as many custom tests not found in any other tool. Sources include:
Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)
Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.
Changelog
* Lynis 2.3.4 (2016-09-27) *

Changes:
--------
* Skip update message when using the 'show' helper
* Instead of opening the log file, you can now use 'lynis show details' followed by the test ID. It will show the relevant section.
* Several tests have extended log details
* Many style improvements as part of ongoing refactoring of the code
* Detection of nftables improved
* Replaced cut, sed, tr and other commands with binary variables (for forensics and future intrusion checking capabilities)
* Swedish translation provided by Peter Carlsson
* Support for arch-audit to scan for presence of vulnerable packages on Arch Linux
* OS detection improved

Tests:
------
* CONT-8107 – New test checking number of Docker containers
* CRYP-7902 – Gather more details regarding certificates
* DBS-1816 – Define skip reason
* FILE-6344 – Adjusted /proc test for hidepid option
* FILE-6362 – Removed warning and added skip reason
* FIRE-4520 – Change test to use detected binary
* FIRE-4520 – New test to check for empty nftables ruleset
* KRNL-5820 – Corrected function and style improvements
* LOGG-2146 – Textual change
* NAME-4408 – Check localhost to IP mapping
* PKGS-7320 – Test for arch-audit tool
* PKGS-7322 – Check vulnerable packages on Arch Linux
* PKGS-7381 – Extended vulnerable package detection for FreeBSD
* TIME-3104 – timedatectl test now detects NTP synchronization properly