Lynis is an open-source security auditing tool. Its main goal is to audit and harden Unix and Linux-based systems.
It scans the system by performing many security control checks.
Examples include searching for installed software and determining possible configuration flaws.
Many of the tests come from common security guidelines and standards, supplemented with additional security tests. After the scan, a report is displayed with all discovered findings.
For each finding, a link to the related Lynis control is provided as initial guidance.
Lynis is one of the most trusted automated auditing tools for software patch management, malware scanning, and vulnerability detection on Unix/Linux-based systems.
This tool is useful for auditors, network and system administrators, security specialists, and penetration testers.
Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS, and SOX (Sarbanes-Oxley) compliance audits.
Its typical users are security specialists, penetration testers, system auditors, system/network managers, and security engineers.
In this Kali Linux tutorial, we start by running Lynis for the first time. It is recommended to use the -c parameter, which tells Lynis to run all of its tests against the system. If you want to record the auditor's name, add the --auditor parameter as well. Here's some
Download and Install the Lynis from GitHub
$ git clone https://github.com/CISOfy/lynis
$ cd lynis    # git clone creates a directory named "lynis"
# ./lynis
Once installed, start the audit with the auditor's or pentester's name:
# lynis -c --auditor "BALAJI"
Your system may not need to run all the tests. If your server is not running a web server, you don't need to test for one. For this purpose, we can use the --tests parameter. The syntax is:
# lynis --tests "Test-IDs"
There are more than 100 tests that we can run. Here is a list of Lynis test IDs.
Below is a sample command to run the "Check uptime of the system" and "Checking core dumps configuration" tests. If you want to add more tests, just add more test IDs separated by spaces.
To find more test IDs, look inside /var/log/lynis.log. Here's a trick on how to do it.
1. First, we need to run lynis with the -c (check-all) parameter.
# ./lynis -c -Q
2. Then look inside the /var/log/lynis.log file. Use the cat command combined with grep. Let's say you want to search for test IDs related to the kernel: use the keyword KRNL to find them.
Below is the complete list of test-ID keywords (category prefixes) available in Lynis.
BOOT
KRNL (kernel)
PROC (processor)
AUTH (authentication)
SHLL (shell)
FILE
STRG (storage)
NAME (dns)
PKGS (packaging)
NETW (network)
PRNT (printer)
MAIL
FIRE (firewall)
HTTP (webserver)
SSH
SNMP
DBS (database)
PHP
LDAP
SQD (squid proxy)
LOGG (logging)
INSE (insecure services – inetd)
SCHD (scheduling – cron job)
ACCT (accounting)
TIME (time protocol – NTP)
CRYP (cryptography)
VIRT (virtualization)
MACF (AppArmor – SELINUX)
MALW (malware)
HOME
HRDN (hardening)
If you feel that typing a lot of test IDs is painful, you can use the --test-category parameter.
With this option, Lynis runs the test IDs that belong to a specific category. For example, if you want to run the firewall and kernel tests, you can do this:
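As an added example (not code from the article or from the Lynis project), the POSIX shell helpers below do the grep step from the lynis.log trick above and also cover the category case: they pull every test ID for one or more category prefixes out of the log and build the value you would pass to --tests. The lynis.log line format in the sample ("Performing test ID XXXX-NNNN (...)") is an assumption, and the sample log entries are constructed; the extraction only relies on the PREFIX-NNNN token, so it also works if the surrounding wording differs.

```shell
#!/bin/sh
# Added example, not part of the original article or of Lynis itself.
# ASSUMPTION: lynis.log lines look like
#   "<timestamp> Performing test ID KRNL-5820 (Checking core dumps configuration)"
# Only the "PREFIX-NNNN" token is used, so other wording is fine.

# Constructed sample of lynis.log content (test names are illustrative).
SAMPLE_LOG='2024-01-01 10:00:00 Performing test ID BOOT-5180 (Check uptime of system)
2024-01-01 10:00:01 Performing test ID KRNL-5820 (Checking core dumps configuration)
2024-01-01 10:00:01 Performing test ID KRNL-5830 (sample kernel test)
2024-01-01 10:00:02 Performing test ID FIRE-4508 (sample firewall test)
2024-01-01 10:00:02 Performing test ID FIRE-4512 (sample firewall test)
2024-01-01 10:00:03 Performing test ID KRNL-5820 (Checking core dumps configuration)
2024-01-01 10:00:04 Performing test ID HTTP-6640 (sample web server test)'

# test_ids_for_category LOGFILE PREFIX...
# Prints the unique test IDs whose prefix is one of PREFIX..., one per line,
# in the order they first appear in the log.
test_ids_for_category() {
    logfile=$1
    shift
    pattern=""
    for prefix in "$@"; do
        # Build an alternation such as "FIRE-[0-9]{4}|KRNL-[0-9]{4}".
        pattern="${pattern}${pattern:+|}${prefix}-[0-9]{4}"
    done
    grep -oE "($pattern)" "$logfile" | awk '!seen[$0]++'
}

# tests_argument LOGFILE PREFIX...
# Joins the IDs into the space-separated string expected by: lynis --tests "..."
tests_argument() {
    test_ids_for_category "$@" | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone demonstration on the constructed sample.
LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
echo "Kernel test IDs found in the log:"
test_ids_for_category "$LOG" KRNL
echo "Command for a firewall + kernel run:"
echo "lynis --tests \"$(tests_argument "$LOG" FIRE KRNL)\""
rm -f "$LOG"
```

On a real system, replace the constructed sample with /var/log/lynis.log (written by a previous lynis -c run) and pass the category prefixes from the list above.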
Since security needs consistency, you can automate Lynis to run periodically.
Let's say you want to run it every month to see whether there has been any improvement since the last Lynis run. To do this, we can run Lynis as a cron job.
Here's a sample cron job to run it every month.
#!/bin/sh
# Runs a full Lynis audit and keeps a dated copy of the report and the report data.
AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"
mkdir -p "$LOG_DIR"
cd /usr/local/lynis || exit 1
./lynis -c --auditor "${AUDITOR}" --cronjob > "${REPORT}"
mv /var/log/lynis-report.dat "${DATA}"
# End
Save the script as /etc/cron.monthly/lynis. Don't forget that the related paths (/usr/local/lynis and /var/log/lynis) must exist; otherwise, the script will not work properly.
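The cron job above only archives the reports; to actually "see if there is any improvement since the last run", you need to compare two of the saved report-data files. The following added example (not from the article or the Lynis project) does that in POSIX shell: it reads the hardening_index value and the warning[] / suggestion[] entries from two report-data files, reports the index delta, and lists which warnings and suggestions are new and which were resolved. The key=value layout with test IDs as the first |-separated field is an assumption about the lynis-report.dat format, and both sample reports are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article or of Lynis itself.
# ASSUMPTION about the report-data format (lynis-report.dat):
#   hardening_index=65
#   warning[]=TEST-ID|description|details|-|
#   suggestion[]=TEST-ID|description|details|-|

# Writes two constructed sample reports (previous run, current run) to the given paths.
write_sample_reports() {
    cat > "$1" <<'EOF'
lynis_version=3.0.8
hardening_index=62
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
suggestion[]=KRNL-5820|If not required, consider explicitly disabling core dumps|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
EOF
    cat > "$2" <<'EOF'
lynis_version=3.0.8
hardening_index=68
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=KRNL-5820|If not required, consider explicitly disabling core dumps|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 3)|-|
EOF
}

# report_value FILE KEY: prints the value of the first KEY=VALUE line.
report_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# report_ids FILE KIND: prints the sorted unique test IDs of KIND[] entries
# (KIND is "warning" or "suggestion").
report_ids() {
    sed -n "s/^$2\[\]=\([A-Z0-9-]*\)|.*/\1/p" "$1" | sort -u
}

# hardening_delta OLD NEW: change in hardening_index between the two runs.
hardening_delta() {
    old=$(report_value "$1" hardening_index)
    new=$(report_value "$2" hardening_index)
    echo $((new - old))
}

# new_ids OLD NEW KIND: IDs present in NEW but absent from OLD, space separated.
# Calling it with the files swapped lists the findings that were resolved.
new_ids() {
    old_list=$(mktemp)
    new_list=$(mktemp)
    report_ids "$1" "$3" > "$old_list"
    report_ids "$2" "$3" > "$new_list"
    # Remember every ID from the first file, then print IDs of the second not seen.
    awk 'FILENAME==ARGV[1] { seen[$0] = 1; next } !($0 in seen)' \
        "$old_list" "$new_list" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$old_list" "$new_list"
}

# Stand-alone demonstration on the constructed reports.
OLD=$(mktemp)
NEW=$(mktemp)
write_sample_reports "$OLD" "$NEW"
echo "Hardening index change: $(hardening_delta "$OLD" "$NEW")"
echo "New warnings:           $(new_ids "$OLD" "$NEW" warning)"
echo "Resolved warnings:      $(new_ids "$NEW" "$OLD" warning)"
echo "New suggestions:        $(new_ids "$OLD" "$NEW" suggestion)"
rm -f "$OLD" "$NEW"
```

With the cron job in place, point the two arguments at consecutive /var/log/lynis/report-data-HOST.DATE.txt files; a negative delta or a non-empty "new warnings" line is the signal worth alerting on.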