Security audits with Lynis
Professional Hardening

© Photo by FLY:D on Unsplash
The complexity of modern distributions offers many potential attack vectors for malware. Lynis lets you find these vulnerabilities before an attacker does.
Virtually nobody uses a computer without Internet access. Unfortunately, the network of networks is teeming with malicious programs that exploit vulnerabilities in operating systems, firmware, and application programs looking to inject malware or steal personal data.
Sys admins protect their systems against these attacks as part of their daily grind. Home users also need to protect their systems by keeping their computers up to date and running an occasional security scan to detect any vulnerabilities. Lynis [1], a free software tool from CISOfy, covers a wide range of problem scenarios and lets you perform regular system checks in no time at all.
First Launch
Lynis, a command-line program, comes with a collection of scripts for Unix-style systems. These scripts check various vulnerable system components for insecure settings and display color-coded results.
You will find Lynis in the repositories of many distributions and can install it using any of the popular package management tools. You also can download Lynis from the CISOfy website. I recommend this approach because you will always find the latest version there [2]. CISOfy (located in Vlijmen, Netherlands) offers the community variant of Lynis free of charge. The download contains the actual application, but some additional programs and the Collector are missing. Lynis comes with some community plugins out of the box.
Lynis Enterprise
For companies that need to monitor more than 10 workstations, CISOfy offers Lynis Enterprise, which is available as a software as a service (SaaS, a licensing and sales model where the provider operates software on their own infrastructure and offers a subscription model for use). Lynis Enterprise comes with numerous plugins and additionally generates web-based reports in line with various standards. The Enterprise variant also lets you check Docker files in container environments and monitor remote computer systems.
CISOfy offers the SaaS version of Lynis Enterprise as a subscription for $3 per month. For larger organizations that require monitoring of more than 100 workstations, a self-hosted package is available for setting up a local Lynis instance on the intranet. The self-hosted Enterprise variant also includes all of the additional packages and is suitable for services that provide security audits for other companies [3].
At Your Command
You will find detailed instructions for installing the Lynis community variant on various distributions [4] on the CISOfy website. You then execute the program by typing lynis <parameter>
in a terminal window. To access the available command parameters, type lynis show
.
The central command for auditing the local system is lynis audit system
. The application now runs over 200 test parameters and displays the results in a simple table after a short wait (Figure 1). To the right of each test category, the results appear in green, yellow, or red. If the results are displayed in yellow, you need to check the setting, but if the text color is red, you will want to reconfigure the service in question. Lynis grays out components that are not available on the system, provided that their absence does not affect the security of the system as a whole.
The individual tests are divided into categories. If you launch the software as a normal user, Lynis skips some checks that can only be executed if you are root. The program outputs messages to point out the skipped test routines. After the test results, Lynis also displays a hardening index and shows potential for improvement. Lynis makes suggestions based on the individual test categories on how you can upgrade problematic settings to improve your system's security. You can open these tips by following the links in your web browser (Figure 2).
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
Fedora 39 Beta is Now Available for Testing
For fans and users of Fedora Linux, the first beta of release 39 is now available, which is a minor upgrade but does include GNOME 45.
-
Fedora Linux 40 to Drop X11 for KDE Plasma
When Fedora 40 arrives in 2024, there will be a few big changes coming, especially for the KDE Plasma option.
-
Real-Time Ubuntu Available in AWS Marketplace
Anyone looking for a Linux distribution for real-time processing could do a whole lot worse than Real-Time Ubuntu.
-
KSMBD Finally Reaches a Stable State
For those who've been looking forward to the first release of KSMBD, after two years it's no longer considered experimental.
-
Nitrux 3.0.0 Has Been Released
The latest version of Nitrux brings plenty of innovation and fresh apps to the table.
-
Linux From Scratch 12.0 Now Available
If you're looking to roll your own Linux distribution, the latest version of Linux From Scratch is now available with plenty of updates.
-
Linux Kernel 6.5 Has Been Released
The newest Linux kernel, version 6.5, now includes initial support for two very exciting features.
-
UbuntuDDE 23.04 Now Available
A new version of the UbuntuDDE remix has finally arrived with all the updates from the Deepin desktop and everything that comes with the Ubuntu 23.04 base.
-
Star Labs Reveals a New Surface-Like Linux Tablet
If you've ever wanted a tablet that rivals the MS Surface, you're in luck as Star Labs has created such a device.
-
SUSE Going Private (Again)
The company behind SUSE Linux Enterprise, Rancher, and NeuVector recently announced that Marcel LUX III SARL (Marcel), its majority shareholder, intends to delist it from the Frankfurt Stock Exchange by way of a merger.