Lynis is a security auditing and system hardening tool available for operating systems such as macOS, Linux, and other UNIX-alike systems. Through its extensive scans, it is able to carry out security checks that can aid in hardening the defense of the system in question. The tool can handle general system scans but can further probe specific issues like finding configurations that may be corrupted and software packages that may put the system at risk.
After performing a scan Lynis offers useful suggestions that can be used to boost system security. As a result, this open-source tool is widely used by security professionals, system administrators, penetration testers and auditors.
Lynis: System Auditing and Hardening Tool
As a security and system hardening tool Lynis can be used to detect system vulnerabilities, perform security audits that are automated and can also be used when executing a compliance test within a system. The tool also has the ability to manage issues that may involve software patches. All these functions give Lynis its flexible nature which makes it very convenient in handling system based security flaws.
Lynis (Open-source)– Free, open-source
– No installation, nor compilation
– Quick security scan
– Quick results
– Limited support
– Powerful scanner, single user
Lynis Enterprise– Web based management interface
– Integration options
– Extensive security auditing and reporting
– Ready code snippets for system hardening
– Plugins and Lynis scanner
– Can be run on 10+ systems/environments
How it works?
Lynis operates by performing individual tests which are all based on the components that are present in your system. Through this, there will be no need for installing other security tools to assist with the audit. Each audit that is performed by Lynis is unique because each component within the system has different properties.
Since the tool majorly relies on the components that can be detected it is especially effective in cases where a large number of components are discovered. This enables the tool to broaden the level of the system audit that is being performed. Lynis also has unique system identifiers which enable it to tune all the security scans that t runs. This function allows a Lynis user to choose the type of security scan to be performed.
As a modular tool, it can also allow you to run tests that you have created and allows you to run customized scans that may suit your personal preference. It also maximizes on information gathering through the use of plugins, this enables it to carry out additional security tests within the system. After completing a security scan Lynis stores all the technical data in the
lynis.log file. The tips on how to harden the security of the system are kept in the
- System Hardening
- Intrusion detection
- Continuous Monitoring
- Reporting(allows you to show the status of the environment in use)
- Linux, macOS, OpenBSD ,AIX, HP-UX, FreeBSD and other Unix-based systems
Clone or download, no installation required:
$ git clone https://github.com/CISOfy/lynis
Once the download process is complete, execute:
$ cd lynis
$ ./lynis audit system
-h to get a list of available options/commands:
Usage: lynis command [options] Command: audit audit system : Perform local security scan audit system remote
: Remote security scan audit dockerfile : Analyze Dockerfile show show : Show all commands show version : Show Lynis version show help : Show help update update info : Show update details Options: --no-log : Don't create a log file --pentest : Non-privileged scan (useful for pentest) --profile : Scan the system with the given profile file --quick (-Q) : Quick mode, don't wait for user input Layout options --no-colors : Don't use colors in output --quiet (-q) : No output --reverse-colors : Optimize color display for light backgrounds Misc options --debug : Debug logging to screen --view-manpage (--man) : View man page --verbose : Show more details on screen --version (-V) : Display version number and quit Enterprise options --plugin-dir " " : Define path of available plugins --upload : Upload data to central node