Lynis: Security Auditing and System Hardening Tool

Last Release: 05/17/2022     Last Commit: 05/17/2022

Lynis is a security auditing and system hardening tool for macOS, Linux, and other Unix-like systems. Its extensive scans carry out security checks that help harden the system under audit. The tool handles general system scans and can also probe specific issues, such as configurations that may be corrupted and software packages that may put the system at risk.

After a scan, Lynis offers suggestions that can be used to improve system security. As a result, this open-source tool is widely used by security professionals, system administrators, penetration testers, and auditors.

Lynis: System Auditing and Hardening Tool

As a security and system hardening tool, Lynis can be used to detect system vulnerabilities, perform automated security audits, and run compliance tests on a system. The tool can also manage issues involving software patches. Together, these functions make Lynis flexible and convenient for handling system-level security flaws.

Lynis (Open-source)

– Free, open-source
– No installation or compilation
– Quick security scan
– Quick results
– Limited support
– Powerful scanner, single user

Lynis Enterprise

– Web based management interface
– Integration options
– Extensive security auditing and reporting
– Ready code snippets for system hardening
– Plugins and Lynis scanner
– Can be run on 10+ systems/environments

How It Works

Lynis operates by performing individual tests, all based on the components present on your system. Because of this, there is no need to install other security tools to assist with the audit. Each audit Lynis performs is unique because each component within the system has different properties.

Because the tool relies mainly on the components it can detect, it is especially effective when a large number of components are discovered, which broadens the scope of the audit being performed. Lynis also has unique system identifiers which enable it to tune all the security scans that it runs. This function allows a Lynis user to choose the type of security scan to be performed.

As a modular tool, it also lets you run tests that you have created and customized scans that suit your preferences. Plugins extend its information gathering, which enables it to carry out additional security tests within the system. After completing a security scan, Lynis stores all the technical data in the lynis.log file. The tips on how to harden the security of the system are kept in the lynis-report.dat file.
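
The lynis-report.dat file mentioned above can be post-processed, for example to fail a CI job when a scan raises warnings. The script below is an added example, not part of Lynis or of the original page; it assumes the report consists of key=value lines with warning[] and suggestion[] entries whose fields are separated by "|", plus a hardening_index key. The function names, the threshold, and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example: summarise a Lynis report file. The key names and the
# "|"-separated field layout are assumptions, not taken from this page.

# Print "KIND<TAB>TEST-ID<TAB>message" for each warning[]/suggestion[] line.
lynis_findings() {
    awk -F'=' '
        $1 == "warning[]" || $1 == "suggestion[]" {
            kind = ($1 == "warning[]") ? "WARNING" : "SUGGESTION"
            # Take everything after the first "=" so "=" in a message survives.
            value = substr($0, length($1) + 2)
            split(value, f, "|")
            printf "%s\t%s\t%s\n", kind, f[1], f[2]
        }' "$1"
}

# Print the hardening_index value (prints nothing if the key is missing).
lynis_hardening_index() {
    awk -F'=' '$1 == "hardening_index" { print $2; exit }' "$1"
}

# Succeed only if there are no warnings and the index is at least $2.
# Returns 2 when the report is unreadable or has no numeric index.
lynis_gate() {
    report=$1; min=$2
    [ -r "$report" ] || { echo "cannot read $report" >&2; return 2; }
    warnings=$(lynis_findings "$report" | awk '$1 == "WARNING" { n++ } END { print n + 0 }')
    index=$(lynis_hardening_index "$report")
    case $index in
        ''|*[!0-9]*) echo "no numeric hardening_index" >&2; return 2 ;;
    esac
    [ "$warnings" -eq 0 ] && [ "$index" -ge "$min" ]
}

# Constructed sample report; the DEMO-* IDs and messages are made up.
sample_report() {
    cat <<'EOF'
hardening_index=61
suggestion[]=DEMO-0001|Set a password on the boot loader|-|-|
warning[]=DEMO-0002|Package with a known issue (state=installed)|-|-|
suggestion[]=DEMO-0003|Enable process accounting|-|-|
EOF
}

# Demo run against the constructed sample.
demo=$(mktemp) && sample_report > "$demo"
lynis_findings "$demo"
lynis_gate "$demo" 60 || echo "gate failed: warnings present or index below 60"
rm -f "$demo"
```

On a real host, pass the path of the lynis-report.dat produced by the scan to lynis_findings and lynis_gate instead of the sample.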

Features:

  • System Hardening
  • Intrusion detection
  • Continuous Monitoring
  • Reporting (allows you to show the status of the environment in use)

Supported Platforms:

  • Linux, macOS, OpenBSD, AIX, HP-UX, FreeBSD and other Unix-based systems

Lynis Install

Clone or download, no installation required:

$ git clone https://github.com/CISOfy/lynis 

Once the download process is complete, execute:

$ cd lynis
$ ./lynis audit system

Basic Usage

Run -h to get a list of available options/commands:

  Usage: lynis command [options]

  Command:
    audit
        audit system            : Perform local security scan
        audit system remote     : Remote security scan
        audit dockerfile        : Analyze Dockerfile

    show
        show                    : Show all commands
        show version            : Show Lynis version
        show help               : Show help

    update
        update info             : Show update details

  Options:

    --no-log                     : Don't create a log file
    --pentest                    : Non-privileged scan (useful for pentest)
    --profile                    : Scan the system with the given profile file
    --quick (-Q)                 : Quick mode, don't wait for user input

    Layout options
    --no-colors                  : Don't use colors in output
    --quiet (-q)                 : No output
    --reverse-colors             : Optimize color display for light backgrounds

    Misc options
    --debug                      : Debug logging to screen
    --view-manpage (--man)       : View man page
    --verbose                    : Show more details on screen
    --version (-V)               : Display version number and quit

    Enterprise options
    --plugin-dir ""               : Define path of available plugins
    --upload                      : Upload data to central node