Linux Security System Auditing with Lynis

In today's cybersecurity landscape, proactive system auditing is essential for maintaining secure Linux environments. Lynis, an open-source security auditing tool, provides administrators with a powerful solution for identifying vulnerabilities, configuration weaknesses, and compliance issues across their Linux systems. This guide explores how to effectively implement Lynis for comprehensive security assessments.

Introduction

Security auditing should be a cornerstone of any organization's IT security strategy. Lynis helps automate this process by scanning your system for security vulnerabilities, misconfigurations, and opportunities for hardening. Unlike many commercial tools, Lynis is lightweight, non-intrusive, and specifically designed for Unix/Linux environments.

By the end of this tutorial, you'll understand how to:

  • Install and configure Lynis on your Linux system
  • Perform comprehensive security audits
  • Interpret and act on Lynis audit reports
  • Establish recurring audits for continuous security monitoring
  • Extend Lynis functionality with custom tests

Prerequisites

Before diving into Lynis, ensure you have:

  • A Linux system (this guide uses Ubuntu/Debian, but Lynis works across distributions)
  • Root or sudo privileges
  • Basic command-line familiarity
  • At least 100MB of free disk space

Step 1: Installing Lynis

You have several options for installing Lynis. Here are the most common methods:

Option A: Package Manager Installation

The simplest approach is using your distribution's package manager (packaged versions often lag behind the upstream release; Lynis tells you at the start of an audit when a newer version exists):

# For Debian/Ubuntu
sudo apt update
sudo apt install lynis

# For CentOS/RHEL
sudo yum install epel-release
sudo yum install lynis

# For Fedora
sudo dnf install lynis

Option B: Direct Download (Recommended for Latest Version)

For the most recent release, download the tarball from the Lynis download server and verify it before unpacking anything you are about to run as root. CISOfy publishes a checksum and a GPG signature for each release; compare the SHA-256 checksum with the published value (or verify the signature if you have the CISOfy key):

# Create directory for Lynis
sudo mkdir -p /usr/local/lynis

# Download latest version (check the official Lynis website for the current version number)
cd /tmp
wget https://downloads.cisofy.com/lynis/lynis-3.0.8.tar.gz

# Verify the archive against the published checksum before extracting
sha256sum lynis-3.0.8.tar.gz

# Extract and install (the tarball has a top-level lynis/ directory, which --strip-components=1 removes)
sudo tar xzf lynis-3.0.8.tar.gz --strip-components=1 -C /usr/local/lynis

# Lynis refuses to run as root from files not owned by root or writable by others, so fix ownership now
sudo chown -R root:root /usr/local/lynis

# Create symbolic link for system-wide access
sudo ln -s /usr/local/lynis/lynis /usr/local/bin/lynis

Note: Always check the official Lynis website for the latest version number.

Option C: Git Repository

For developers or those wanting to contribute to Lynis:

sudo git clone https://github.com/CISOfy/lynis /usr/local/lynis
sudo ln -s /usr/local/lynis/lynis /usr/local/bin/lynis

Step 2: Verifying Installation

Confirm Lynis installed correctly and note which version you have:

lynis --version
lynis show version

Both print the installed Lynis version (for example 3.0.8). To check whether a newer release is available, run lynis update info; distribution packages in particular often lag behind upstream.

Step 3: Performing Your First Audit

To run a complete system audit with Lynis:

sudo lynis audit system

This command initiates a comprehensive scan of your system, checking hundreds of security controls across multiple categories:

  • Boot and kernel security
  • User authentication and authorization
  • File system permissions and integrity
  • Firewall configuration
  • Installed software and services
  • System logging and auditing
  • Malware detection
  • Network security

The audit may take several minutes to complete, depending on your system's complexity.

Step 4: Understanding Lynis Output

Lynis prints one line per test with a colour-coded result (OK in green, WARNING in red, SUGGESTION in yellow, plus neutral results such as FOUND, NOT FOUND and SKIPPED). Findings come in two kinds, not three:

  • Warnings (red): issues Lynis considers a security risk; fix these first
  • Suggestions (yellow): hardening recommendations and missing tooling; review them, but not every suggestion applies to every system

At the end of the audit, Lynis provides a summary with:

  • Tests performed
  • Security warnings and suggestions, each with its test ID
  • Hardening index (0-100)
  • Log and report file locations

The detailed log of everything Lynis did is saved to /var/log/lynis.log; the machine-readable findings (warning[]=, suggestion[]= and hardening_index= lines) are stored in /var/log/lynis-report.dat. Both files are overwritten by the next run.

Step 5: Interpreting Results and Hardening Your System

Review your audit results to prioritize security improvements. The report file is easier to grep than the log, because every finding sits on one line prefixed with its kind:

# List warnings (format: TEST-ID|message|details|solution|)
grep '^warning\[\]=' /var/log/lynis-report.dat

# List suggestions
grep '^suggestion\[\]=' /var/log/lynis-report.dat

Address findings in this recommended order:

  1. Warnings (red)
  2. Suggestions that change a security-relevant setting (SSH, PAM, kernel parameters, file permissions)
  3. Remaining hardening opportunities (missing tooling, separate partitions)
  4. Compliance-related items

For each finding, Lynis provides a test ID (e.g., SSH-7408) which you can look up with:

lynis show details SSH-7408

This prints the test description together with the lines from the last run's log that the test produced, so you can see exactly which setting triggered it before changing anything.
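As an added example (not part of Lynis or of the original article), the following POSIX shell functions pull the findings out of a report file and print a short summary: warnings and suggestions with their test IDs, counts, and the hardening index. The function names are mine; the report layout is the one Lynis writes. The sample report embedded in the script is constructed for illustration and contains only the fields the functions read; point the functions at /var/log/lynis-report.dat to use them on a real audit.

```shell
#!/bin/sh
# Summarize a Lynis report file. Added example, not Lynis's own tooling.
# Assumes the key=value layout Lynis writes to /var/log/lynis-report.dat:
#   hardening_index=NN
#   warning[]=TEST-ID|message|details|solution|
#   suggestion[]=TEST-ID|message|details|solution|

# Print "TEST-ID<TAB>message<TAB>details" for every finding of one kind
# (warning or suggestion), sorted by test ID.
lynis_findings() {
    kind="$1"
    file="$2"
    grep "^${kind}\[\]=" "$file" | cut -d= -f2- |
        awk -F'|' '{ printf "%s\t%s\t%s\n", $1, $2, $3 }' | sort
}

# Number of findings of one kind.
lynis_count() {
    lynis_findings "$1" "$2" | wc -l | tr -d ' '
}

# Hardening index (0-100) recorded by Lynis for the run.
lynis_hardening_index() {
    grep '^hardening_index=' "$1" | cut -d= -f2
}

# Distinct test IDs that produced a warning, one per line, sorted.
lynis_warning_ids() {
    lynis_findings warning "$1" | cut -f1 | sort -u
}

# Human-readable summary of one report.
lynis_summary() {
    file="$1"
    printf 'Host: %s  Lynis: %s  Hardening index: %s/100\n' \
        "$(grep '^hostname=' "$file" | cut -d= -f2)" \
        "$(grep '^lynis_version=' "$file" | cut -d= -f2)" \
        "$(lynis_hardening_index "$file")"
    printf 'Warnings (%s):\n' "$(lynis_count warning "$file")"
    lynis_findings warning "$file" | sed 's/^/  /'
    printf 'Suggestions (%s):\n' "$(lynis_count suggestion "$file")"
    lynis_findings suggestion "$file" | sed 's/^/  /'
}

# Constructed sample report: the field layout follows real reports, the values
# are made up. Replace with /var/log/lynis-report.dat on an audited host.
SAMPLE_REPORT="$(mktemp)"
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
# Lynis Report
report_version_major=1
report_version_minor=0
lynis_version=3.0.8
hostname=web01
hardening_index=64
tests_executed=AUTH-9262|AUTH-9286|FILE-6310|SSH-7408|
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
warning[]=AUTH-9286|Password aging is not configured|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (set YES to NO)|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=FILE-6310|Place /tmp on a separate partition|-|-|
EOF

lynis_summary "$SAMPLE_REPORT"
```

Because the details field carries the concrete setting (PermitRootLogin, X11Forwarding), the same test ID can appear several times with different details; lynis_warning_ids collapses those to the distinct tests you need to look up with lynis show details.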

Step 6: Advanced Lynis Usage

Targeted Audits

Run specific audit categories to focus on particular aspects of security (list the available group names with lynis show groups):

# Audit authentication mechanisms
sudo lynis audit system --tests-from-group authentication

# Check file system security
sudo lynis audit system --tests-from-group filesystems

# Examine malware protection
sudo lynis audit system --tests-from-group malware

Generating Reports

By default Lynis writes the report to /var/log/lynis-report.dat and the log to /var/log/lynis.log. Both locations can be overridden, which is useful when collecting reports from many hosts into one place:

# Write the report and the log to custom locations
sudo lynis audit system --report-file /srv/audits/$(hostname)-lynis-report.dat --log-file /srv/audits/$(hostname)-lynis.log

The report keeps the same key=value layout wherever it is written; Lynis itself does not emit CSV or JSON. Convert the report with a script (see the automation section) or, if you use Lynis Enterprise, send it with --upload.

Customizing Lynis Configuration

Tailor Lynis to your environment with a custom profile. Lynis reads default.prf first and then, if present, custom.prf from its own directory or from /etc/lynis, so the custom file only needs the settings you want to override. Do not copy default.prf wholesale: you would freeze every default and silently ignore changes shipped with later versions.

sudo mkdir -p /etc/lynis
sudo nano /etc/lynis/custom.prf

Common customizations include:

# Skip specific tests, one per line (for example a control that is handled elsewhere)
skip-test=SSH-7408
skip-test=PHP-2320

# Describe the machine so tests can adjust their expectations (server, workstation, personal)
machine-role=server

# Do not pause between sections (already implied by --cronjob)
quick=yes

# Include the proposed solution with each finding in the report
show-report-solution=yes

Lynis picks up /etc/lynis/custom.prf automatically; --profile is only needed for a profile stored elsewhere:

sudo lynis audit system --profile /etc/lynis/custom.prf

Troubleshooting Section

Common Issues and Solutions

1. Permissions Problems

Problem: "Fatal: Incorrect permissions..." error message.

Solution: Lynis sources its include files as shell code, so it refuses to run when they are owned by another user or writable by others. Fix ownership and strip group/other write bits:

sudo chown -R root:root /usr/local/lynis
sudo chmod -R go-w /usr/local/lynis

2. Missing Dependencies

Problem: Lynis suggests tools are missing.

Solution: Install required utilities:

sudo apt install iptables ncurses-bin

3. Tests Failing or Being Skipped

Problem: Several tests show as "SKIPPED".

Solution: Some tests require specific services or configurations. Review the test details:

lynis show details TEST-ID

4. Slow Performance

Problem: Audit takes too long to complete.

Solution: Audit only the groups you need (see lynis show groups), or skip known slow tests in your profile with skip-test=:

sudo lynis audit system --tests-from-group malware
sudo lynis audit system --tests-from-group authentication

Best Practices & Optimization Tips

Establish a Regular Audit Schedule

  • Weekly scans: Set up recurring audits via cron to monitor security posture
  • After major changes: Run Lynis following system updates or configuration changes
  • Baseline comparison: Track the hardening index and the list of warning test IDs over time to identify trends; both are in /var/log/lynis-report.dat, which Lynis overwrites on every run, so keep a dated copy of each report

# Add weekly cron job (runs every Sunday at 2 AM); --cronjob runs unattended: quick mode, no colours, no prompts
echo "0 2 * * 0 root /usr/local/bin/lynis audit system --cronjob > /var/log/lynis-weekly.log 2>&1" | sudo tee -a /etc/crontab
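Here is an added example (not part of Lynis or of the original article) of what baseline comparison looks like in practice: a POSIX shell script that archives each report with a date suffix and compares the current report against a stored baseline, exiting non-zero when a test starts warning that did not warn before or when the hardening index drops by more than an allowed margin. The function names are mine; the report layout is the one Lynis writes. The three reports it builds are constructed for illustration and contain only the fields the comparison reads.

```shell
#!/bin/sh
# Compare a Lynis report against a baseline. Added example, not part of Lynis.
# Assumes the report layout Lynis writes to /var/log/lynis-report.dat:
#   hardening_index=NN
#   warning[]=TEST-ID|message|details|solution|

# Keep a dated copy of a report so later runs can be compared against it.
archive_report() {
    src="$1"; dir="$2"
    mkdir -p "$dir"
    cp "$src" "$dir/lynis-report-$(date +%F).dat"
}

# Distinct test IDs that produced a warning, sorted.
warning_ids() {
    grep '^warning\[\]=' "$1" | cut -d= -f2- | cut -d'|' -f1 | sort -u
}

# Hardening index of a report (0 if the line is missing).
hardening_index() {
    idx="$(grep '^hardening_index=' "$1" | cut -d= -f2)"
    echo "${idx:-0}"
}

# Test IDs that warn in the current report ($2) but not in the baseline ($1).
new_warnings() {
    { warning_ids "$1" | sed 's/^/B /'; warning_ids "$2" | sed 's/^/C /'; } |
        awk '$1 == "B" { base[$2] = 1 }
             $1 == "C" && !($2 in base) { print $2 }'
}

# Gate: exit 0 = no regressions, 1 = new warnings, 2 = hardening index fell by
# more than the allowed number of points (third argument, default 0).
lynis_gate() {
    baseline="$1"; current="$2"; allowed_drop="${3:-0}"
    status=0
    regressions="$(new_warnings "$baseline" "$current")"
    if [ -n "$regressions" ]; then
        echo "New warnings since baseline:"
        echo "$regressions" | sed 's/^/  /'
        status=1
    fi
    old="$(hardening_index "$baseline")"; new="$(hardening_index "$current")"
    if [ $((old - new)) -gt "$allowed_drop" ]; then
        echo "Hardening index dropped: $old -> $new (allowed drop: $allowed_drop)"
        [ "$status" -eq 0 ] && status=2
    fi
    [ "$status" -eq 0 ] && echo "OK: no regressions (hardening index $old -> $new)"
    return "$status"
}

# Constructed sample reports: field layout as in real reports, values made up.
make_sample_report() {
    out="$1"; index="$2"; shift 2
    {
        echo "lynis_version=3.0.8"
        echo "hardening_index=$index"
        for id in "$@"; do
            echo "warning[]=$id|Constructed finding for $id|-|-|"
        done
    } > "$out"
}

BASELINE="$(mktemp)"; CURRENT="$(mktemp)"; DROPPED="$(mktemp)"
trap 'rm -f "$BASELINE" "$CURRENT" "$DROPPED"' EXIT
make_sample_report "$BASELINE" 64 AUTH-9286 SSH-7408
make_sample_report "$CURRENT" 58 SSH-7408 KRNL-6000 FILE-6310   # two new warnings, index down 6
make_sample_report "$DROPPED" 60 AUTH-9286 SSH-7408             # same warnings, index down 4

lynis_gate "$BASELINE" "$CURRENT" || echo "gate exit status: $?"
```

In a weekly cron job you would call archive_report on /var/log/lynis-report.dat and then lynis_gate against the copy you accepted as the baseline, letting the exit status decide whether to page anyone. The gate deliberately ignores warnings that disappeared and suggestions: the point is to catch configuration drift that makes the host worse, not to re-report known issues every week.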

Implement Security Controls Methodically

  • Test before applying: Validate changes in a test environment first
  • Document modifications: Keep records of all security enhancements
  • Incremental improvements: Address findings in order of severity
  • Verify fixes: Re-run specific tests after implementing changes

Extend Lynis with Custom Tests

Create organization-specific tests to align with your security policies. Lynis sources the file include/tests_custom from its installation directory if it exists (there is no plugins/custom directory for this), and custom test IDs should use the CUST- prefix so they cannot collide with upstream tests. The file is shell code that runs as root during every audit, so it must be owned by root, not writable by anyone else, and reviewed like any other privileged script:

sudo nano /usr/local/lynis/include/tests_custom
sudo chown root:root /usr/local/lynis/include/tests_custom
sudo chmod 644 /usr/local/lynis/include/tests_custom

Example custom test, written with the Lynis 3.x helper functions (Register, Display, LogText, ReportWarning, AddHP):

#################################################################################
#
    # Test        : CUST-0001
    # Description : Check minimum password length in /etc/login.defs against company policy (12)
    Register --test-no CUST-0001 --weight L --network NO --category security --description "Check company password length policy"
    if [ ${SKIPTEST} -eq 0 ]; then
        FILE="/etc/login.defs"
        if [ -f ${FILE} ]; then
            # PASS_MIN_LEN may be absent (PAM-based distributions enforce length elsewhere); treat missing as 0
            MINLEN=$(grep "^PASS_MIN_LEN" ${FILE} | awk '{ print $2 }')
            MINLEN=${MINLEN:-0}
            LogText "Result: PASS_MIN_LEN in ${FILE} is ${MINLEN}"
            if [ ${MINLEN} -lt 12 ]; then
                Display --indent 2 --text "- Checking minimum password length" --result "${STATUS_WARNING}" --color RED
                ReportWarning "${TEST_NO}" "Minimum password length (${MINLEN}) is below company policy (12)" "${FILE}" "-"
            else
                Display --indent 2 --text "- Checking minimum password length" --result "${STATUS_OK}" --color GREEN
                AddHP 2 2
            fi
        else
            LogText "Result: ${FILE} not found, test not applicable"
        fi
    fi
#
#################################################################################

Automation & Monitoring

Integrate Lynis into your security operations workflow:

Automated Reporting

Create a simple script to email reports to security personnel. The version below takes the findings from the machine-readable report rather than grepping the log, and uses a private temporary file instead of fixed names under /tmp (a root cron job writing to a predictable /tmp path is a classic symlink-attack target):

#!/bin/bash
# File: /usr/local/bin/lynis-report.sh
set -euo pipefail

RECIPIENT="[email protected]"        # address of the security team
REPORT=/var/log/lynis-report.dat

# Private, unpredictable work file, removed on exit
WORK="$(mktemp)"
trap 'rm -f "$WORK"' EXIT

# Run audit (--cronjob: unattended, no colours, quick mode)
/usr/local/bin/lynis audit system --cronjob > "$WORK" 2>&1

# Append the hardening index and all findings from the report file
{
    echo
    grep '^hardening_index=' "$REPORT"
    echo
    echo "Warnings (TEST-ID|message|details|solution):"
    grep '^warning\[\]=' "$REPORT" | cut -d= -f2- || true
    echo
    echo "Suggestions:"
    grep '^suggestion\[\]=' "$REPORT" | cut -d= -f2- || true
} >> "$WORK"

# Email report
mail -s "Lynis Security Audit Report - $(hostname) - $(date +%F)" "$RECIPIENT" < "$WORK"

Integration with Security Information and Event Management (SIEM)

Lynis writes its findings to files rather than to syslog, so forward them explicitly: emit the warning and suggestion lines from the last run as syslog messages tagged lynis, then tell rsyslog to ship that tag to the SIEM. Forward only that tag; a wildcard rule such as *.info sends every informational message on the host to the SIEM and has nothing to do with Lynis. "& stop" keeps the forwarded messages out of the local log files (the older "& ~" form is deprecated); drop that line if you want them in both places:

# Emit each warning/suggestion from the last run as a syslog message tagged "lynis"
grep -E '^(warning|suggestion)\[\]=' /var/log/lynis-report.dat | \
    sed 's/\[\]=/ /' | logger -t lynis -p local0.warning

# Forward messages tagged "lynis" to the SIEM (@@ = TCP, @ = UDP)
sudo tee /etc/rsyslog.d/lynis-siem.conf > /dev/null <<'EOF'
if $programname == "lynis" then @@siem-server:514
& stop
EOF

# Check the configuration, then restart rsyslog
sudo rsyslogd -N1
sudo systemctl restart rsyslog

Conclusion

Implementing Lynis as part of your security operations provides critical visibility into your Linux systems' security posture. By regularly performing audits, addressing findings systematically, and integrating security checks into your workflow, you establish a robust defensive foundation.

Remember that security is an ongoing process, not a one-time effort. Lynis helps identify vulnerabilities, but the responsibility for implementing remediations and maintaining secure configurations remains with you. Make security auditing a regular practice, and leverage Lynis's comprehensive capabilities to stay ahead of potential threats.

By mastering Lynis, you're taking a significant step toward a more secure and compliant Linux environment—equipping yourself with the knowledge to identify, prioritize, and address security concerns before they can be exploited.