Security audits with Lynis
Professional Hardening
The complexity of modern distributions offers many potential attack vectors for malware. Lynis lets you find these vulnerabilities before an attacker does.
Virtually nobody uses a computer without Internet access. Unfortunately, the network of networks is teeming with malicious programs that exploit vulnerabilities in operating systems, firmware, and application programs looking to inject malware or steal personal data.
Sys admins protect their systems against these attacks as part of their daily grind. Home users also need to protect their systems by keeping their computers up to date and running an occasional security scan to detect any vulnerabilities. Lynis [1], a free software tool from CISOfy, covers a wide range of problem scenarios and lets you perform regular system checks in no time at all.
First Launch
Lynis, a command-line program, comes with a collection of scripts for Unix-style systems. These scripts check various vulnerable system components for insecure settings and display color-coded results.
You will find Lynis in the repositories of many distributions and can install it using any of the popular package management tools. You also can download Lynis from the CISOfy website. I recommend this approach because you will always find the latest version there [2]. CISOfy (located in Vlijmen, Netherlands) offers the community variant of Lynis free of charge. The download contains the actual application, but some additional programs and the Collector are missing. Lynis comes with some community plugins out of the box.
Lynis Enterprise
For companies that need to monitor more than 10 workstations, CISOfy offers Lynis Enterprise, which is available as a software as a service (SaaS, a licensing and sales model where the provider operates software on their own infrastructure and offers a subscription model for use). Lynis Enterprise comes with numerous plugins and additionally generates web-based reports in line with various standards. The Enterprise variant also lets you check Docker files in container environments and monitor remote computer systems.
CISOfy offers the SaaS version of Lynis Enterprise as a subscription for $3 per month. For larger organizations that require monitoring of more than 100 workstations, a self-hosted package is available for setting up a local Lynis instance on the intranet. The self-hosted Enterprise variant also includes all of the additional packages and is suitable for services that provide security audits for other companies [3].
At Your Command
You will find detailed instructions for installing the Lynis community variant on various distributions [4] on the CISOfy website. You then execute the program by typing lynis <parameter>
in a terminal window. To access the available command parameters, type lynis show
.
The central command for auditing the local system is lynis audit system
. The application now runs over 200 test parameters and displays the results in a simple table after a short wait (Figure 1). To the right of each test category, the results appear in green, yellow, or red. If the results are displayed in yellow, you need to check the setting, but if the text color is red, you will want to reconfigure the service in question. Lynis grays out components that are not available on the system, provided that their absence does not affect the security of the system as a whole.
The individual tests are divided into categories. If you launch the software as a normal user, Lynis skips some checks that can only be executed if you are root. The program outputs messages to point out the skipped test routines. After the test results, Lynis also displays a hardening index and shows potential for improvement. Lynis makes suggestions based on the individual test categories on how you can upgrade problematic settings to improve your system's security. You can open these tips by following the links in your web browser (Figure 2).
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.