Linux Security System Auditing with Lynis
In today's cybersecurity landscape, proactive system auditing is essential for maintaining secure Linux environments. Lynis, an open-source security auditing tool, provides administrators with a powerful solution for identifying vulnerabilities, configuration weaknesses, and compliance issues across their Linux systems. This guide explores how to effectively implement Lynis for comprehensive security assessments.
Introduction
Security auditing should be a cornerstone of any organization's IT security strategy. Lynis helps automate this process by scanning your system for security vulnerabilities, misconfigurations, and opportunities for hardening. Unlike many commercial tools, Lynis is lightweight, non-intrusive, and specifically designed for Unix/Linux environments.
By the end of this tutorial, you'll understand how to:
- Install and configure Lynis on your Linux system
- Perform comprehensive security audits
- Interpret and act on Lynis audit reports
- Establish recurring audits for continuous security monitoring
- Extend Lynis functionality with custom tests
Prerequisites
Before diving into Lynis, ensure you have:
- A Linux system (this guide uses Ubuntu/Debian, but Lynis works across distributions)
- Root or sudo privileges
- Basic command-line familiarity
- At least 100MB of free disk space
Step 1: Installing Lynis
You have several options for installing Lynis. Here are the most common methods:
Option A: Package Manager Installation
The simplest approach is using your distribution's package manager:
# For Debian/Ubuntu
sudo apt update
sudo apt install lynis
# For CentOS/RHEL
sudo yum install epel-release
sudo yum install lynis
# For Fedora
sudo dnf install lynis
Option B: Direct Download (Recommended for Latest Version)
For the most recent release with all features, download directly from the Lynis repository:
# Create directory for Lynis
sudo mkdir -p /usr/local/lynis
# Download latest version
cd /tmp
wget https://downloads.cisofy.com/lynis/lynis-3.0.8.tar.gz
# Extract and install
sudo tar xzf lynis-3.0.8.tar.gz --strip-components=1 -C /usr/local/lynis
# Create symbolic link for system-wide access
sudo ln -s /usr/local/lynis/lynis /usr/local/bin/lynis
Note: Always check the official Lynis website for the latest version number.
Option C: Git Repository
For developers or those wanting to contribute to Lynis:
sudo git clone https://github.com/CISOfy/lynis /usr/local/lynis
sudo ln -s /usr/local/lynis/lynis /usr/local/bin/lynis
Step 2: Verifying Installation
Confirm Lynis installed correctly:
lynis --version
lynis show version
This should display the installed Lynis version and build date.
Step 3: Performing Your First Audit
To run a complete system audit with Lynis:
sudo lynis audit system
This command initiates a comprehensive scan of your system, checking hundreds of security controls across multiple categories:
- Boot and kernel security
- User authentication and authorization
- File system permissions and integrity
- Firewall configuration
- Installed software and services
- System logging and auditing
- Malware detection
- Network security
The audit may take several minutes to complete, depending on your system's complexity.
Step 4: Understanding Lynis Output
Lynis produces color-coded output with three severity levels:
- Suggestions (blue): Recommendations for improved security
- Warnings (yellow): Potential security issues requiring attention
- Cautions (red): Critical security risks demanding immediate action
At the end of the audit, Lynis provides a summary with:
- Tests performed
- Security warnings and suggestions
- Hardening index score (0-100)
- Report location
The detailed report is saved to /var/log/lynis.log, while report data is stored in /var/log/lynis-report.dat.
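The report data file is the easier of the two files to post-process, because every line is a key=value pair and each finding carries its test ID. The following is an added example, not code from the Lynis project or from the original tutorial: it builds a small constructed lynis-report.dat (the pipe-separated field order TEST-ID|message|details|solution is an assumption about the format, written from memory of real reports) and pulls out the hardening index, counts and the warning test IDs you would look up with lynis show details.

```shell
#!/bin/sh
# Added example: summarise a Lynis report data file (lynis-report.dat).
# The sample below is constructed for this demo and is not real Lynis output;
# it follows the key=value layout Lynis writes, with findings as
# warning[]=TEST-ID|message|details|solution| (field order is an assumption).

SAMPLE_REPORT=$(mktemp)
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
# Lynis Report (constructed sample)
lynis_version=3.0.8
hardening_index=64
tests_executed=SSH-7408|KRNL-6000|FILE-6310|
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
warning[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separate partition|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
EOF

# Value of a simple key such as hardening_index (first match wins).
report_value() {          # usage: report_value FILE KEY
    grep "^$2=" "$1" | head -n 1 | sed 's/^[^=]*=//'
}

# Number of findings of one kind: warning or suggestion (0 when none).
report_count() {          # usage: report_count FILE warning|suggestion
    grep -c "^$2\[]=" "$1" || true
}

# Findings of one kind as "TEST-ID  message (details)", one per line,
# so the reader knows which ID to pass to `lynis show details`.
report_findings() {       # usage: report_findings FILE warning|suggestion
    grep "^$2\[]=" "$1" | sed 's/^[^=]*=//' | awk -F'|' '{
        line = $1 "  " $2
        if ($3 != "-" && $3 != "") line = line " (" $3 ")"
        print line
    }'
}

# Distinct test IDs that raised a warning: the first stop when prioritising.
warning_test_ids() {      # usage: warning_test_ids FILE
    grep '^warning\[]=' "$1" | sed 's/^[^=]*=//' | cut -d'|' -f1 | sort -u
}

report_summary() {        # usage: report_summary FILE
    printf 'Lynis %s: hardening index %s, %s warning(s), %s suggestion(s)\n' \
        "$(report_value "$1" lynis_version)" "$(report_value "$1" hardening_index)" \
        "$(report_count "$1" warning)" "$(report_count "$1" suggestion)"
}

report_summary "$SAMPLE_REPORT"
echo "Warnings:"
report_findings "$SAMPLE_REPORT" warning
echo "Tests to review:"
warning_test_ids "$SAMPLE_REPORT"
```

Point the functions at /var/log/lynis-report.dat on a real host; because they only read the file, they can run as an unprivileged user if that file is readable to it.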
Step 5: Interpreting Results and Hardening Your System
Review your audit results to prioritize security improvements:
# View warnings only
grep "Warning" /var/log/lynis.log
# Check suggestions
grep "Suggestion" /var/log/lynis.log
Address findings in this recommended order:
- Critical vulnerabilities (red warnings)
- Important security configurations
- System hardening opportunities
- Compliance-related items
For each finding, Lynis provides a test ID (e.g., SSH-7408) which you can research using:
lynis show details TEST-ID
Step 6: Advanced Lynis Usage
Targeted Audits
Run specific audit categories to focus on particular aspects of security:
# Audit authentication mechanisms
sudo lynis audit system --tests-from-group authentication
# Check file system security
sudo lynis audit system --tests-from-group filesystems
# Examine malware protection
sudo lynis audit system --tests-from-group malware
Generating Reports
Create custom reports in different formats:
# Generate a detailed text report
sudo lynis audit system --report-file ~/lynis-report.txt
# Create CSV output (Enterprise version)
sudo lynis audit system --report-file ~/lynis-report.csv --report-format csv
Customizing Lynis Configuration
Tailor Lynis to your environment by creating a custom profile:
sudo cp /usr/local/lynis/default.prf /etc/lynis/custom.prf
sudo nano /etc/lynis/custom.prf
Common customizations include:
# Skip specific tests
skip-test=SSH-7408:PHP-2320
# Define maximum allowed values
maximum-password-age=60
# Set warning thresholds
warning=ssh-root-login:authpriv-priv-separation
Run Lynis with your custom profile:
sudo lynis audit system --profile /etc/lynis/custom.prf
Troubleshooting Section
Common Issues and Solutions
1. Permissions Problems
Problem: "Fatal: Incorrect permissions..." error message.
Solution: Ensure proper ownership of Lynis files:
sudo chown -R root:root /usr/local/lynis
sudo chmod -R 500 /usr/local/lynis
2. Missing Dependencies
Problem: Lynis suggests tools are missing.
Solution: Install required utilities:
sudo apt install iptables ncurses-bin
3. Tests Failing or Being Skipped
Problem: Several tests show as "SKIPPED".
Solution: Some tests require specific services or configurations. Review the test details:
lynis show details TEST-ID
4. Slow Performance
Problem: Audit takes too long to complete.
Solution: Run targeted audits or adjust test group selection:
sudo lynis audit system --tests-from-group malware,authentication
Best Practices & Optimization Tips
Establish a Regular Audit Schedule
- Weekly scans: Set up recurring audits via cron to monitor security posture
- After major changes: Run Lynis following system updates or configuration changes
- Baseline comparison: Track security scores over time to identify trends
# Add weekly cron job (runs every Sunday at 2 AM)
echo "0 2 * * 0 root /usr/local/bin/lynis audit system --cronjob > /var/log/lynis-weekly.log" | sudo tee -a /etc/crontab
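A weekly cron job is only useful if someone compares runs, so the baseline comparison needs a concrete form. The script below is an added example, not part of the original tutorial or of Lynis: it takes two report data files (a stored baseline and the latest run, both constructed here as samples) and reports the hardening index delta, warnings that are new since the baseline, and warnings that were resolved. posture_ok returns a non-zero status on regression so the same logic can gate a cron or CI job. The TEST-ID|message field layout of warning[]= lines is an assumption about the file format.

```shell
#!/bin/sh
# Added example (not from the Lynis project): compare two lynis-report.dat
# files, a baseline and the current run, to track posture over time.
# Both files below are constructed samples, not real Lynis output.

BASELINE=$(mktemp)
CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT

cat > "$BASELINE" <<'EOF'
hardening_index=61
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
EOF

cat > "$CURRENT" <<'EOF'
hardening_index=58
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
warning[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
EOF

# Hardening index of one report (0-100 as Lynis prints it).
hardening_index() {       # usage: hardening_index FILE
    grep '^hardening_index=' "$1" | head -n 1 | sed 's/^hardening_index=//'
}

# Warnings (as TEST-ID|message) present in the second file but not the first.
# The first file is read into a lookup table, then the second is filtered.
new_warnings() {          # usage: new_warnings BASELINE CURRENT
    awk -F'|' '
        index($0, "warning[]=") == 1 {
            key = substr($1, 11) "|" $2          # drop the "warning[]=" prefix
            if (FILENAME == ARGV[1]) base[key] = 1
            else if (!(key in base)) print key
        }' "$1" "$2"
}

# Warnings that disappeared since the baseline: same logic, arguments swapped.
resolved_warnings() {     # usage: resolved_warnings BASELINE CURRENT
    new_warnings "$2" "$1"
}

# Current index minus baseline index (negative means the score dropped).
hardening_delta() {       # usage: hardening_delta BASELINE CURRENT
    echo $(( $(hardening_index "$2") - $(hardening_index "$1") ))
}

# Exit 0 when the index fell by at most TOLERANCE points and no new warnings
# appeared; anything else is a regression worth a ticket.
posture_ok() {            # usage: posture_ok BASELINE CURRENT TOLERANCE
    [ "$(hardening_delta "$1" "$2")" -ge "$(( 0 - $3 ))" ] && \
        [ -z "$(new_warnings "$1" "$2")" ]
}

echo "Hardening index delta: $(hardening_delta "$BASELINE" "$CURRENT")"
echo "New warnings:"
new_warnings "$BASELINE" "$CURRENT"
echo "Resolved warnings:"
resolved_warnings "$BASELINE" "$CURRENT"
if posture_ok "$BASELINE" "$CURRENT" 2; then
    echo "Posture OK"
else
    echo "Posture regressed: review the new warnings before the next audit"
fi
```

On a real host, copy /var/log/lynis-report.dat to a baseline location after a run you are happy with, and have the weekly cron job call posture_ok against it; Lynis overwrites the report file on every run, so the baseline copy is what makes the comparison possible.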
Implement Security Controls Methodically
- Test before applying: Validate changes in a test environment first
- Document modifications: Keep records of all security enhancements
- Incremental improvements: Address findings in order of severity
- Verify fixes: Re-run specific tests after implementing changes
Extend Lynis with Custom Tests
Create organization-specific tests to align with your security policies:
Lynis sources the file include/tests_custom (if present) as the "custom" test group, so that is where organisation-specific tests go:
sudo nano /usr/local/lynis/include/tests_custom
Example custom test structure, written with the helper functions Lynis provides to its own tests (Register, LogText, Display, ReportWarning, AddHP):
#################################################################################
# Test ID     : CUST-0001
# Title       : Check for compliance with company password policy
# Description : Validates minimum password length (PASS_MIN_LEN in /etc/login.defs)
#################################################################################
# Register the test; Lynis sets SKIPTEST to 1 when the profile skips this ID
Register --test-no CUST-0001 --weight L --network NO --category security --description "Check company password policy compliance"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: checking PASS_MIN_LEN in /etc/login.defs"
    if [ -f /etc/login.defs ]; then
        # Default to 0 when the directive is absent so the numeric test stays valid
        MINLEN=$(awk '$1 == "PASS_MIN_LEN" { print $2 }' /etc/login.defs)
        MINLEN=${MINLEN:-0}
        if [ "${MINLEN}" -lt 12 ]; then
            LogText "Result: PASS_MIN_LEN is ${MINLEN}, below company policy (12)"
            Display --indent 2 --text "- Checking minimum password length" --result "${STATUS_WARNING}" --color YELLOW
            ReportWarning "${TEST_NO}" "Password minimum length (${MINLEN}) below company policy (12)"
            AddHP 0 2
        else
            LogText "Result: PASS_MIN_LEN is ${MINLEN}, company policy met"
            Display --indent 2 --text "- Checking minimum password length" --result "${STATUS_OK}" --color GREEN
            AddHP 2 2
        fi
    else
        LogText "Result: /etc/login.defs not found, nothing to check"
    fi
fi
Automation & Monitoring
Integrate Lynis into your security operations workflow:
Automated Reporting
Create a simple script to email reports to security personnel:
#!/bin/bash
# File: /usr/local/bin/lynis-report.sh
set -euo pipefail
RECIPIENT="security@example.com"   # placeholder: replace with your security team's address
# Private working directory instead of fixed names in /tmp
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
# Run audit (--cronjob disables colours and interactive prompts)
/usr/local/bin/lynis audit system --cronjob > "$WORKDIR/lynis-output.txt"
# Extract warnings and suggestions (grep exits 1 when there are none; that is not an error here)
grep "Warning" /var/log/lynis.log > "$WORKDIR/lynis-warnings.txt" || true
grep "Suggestion" /var/log/lynis.log > "$WORKDIR/lynis-suggestions.txt" || true
# Email report
cat "$WORKDIR/lynis-output.txt" "$WORKDIR/lynis-warnings.txt" "$WORKDIR/lynis-suggestions.txt" | \
    mail -s "Lynis Security Audit Report - $(date +%F)" "$RECIPIENT"
Integration with Security Information and Event Management (SIEM)
Forward Lynis findings to centralized security monitoring:
# Configure log forwarding to the SIEM (writing to /etc/rsyslog.d needs root, hence sudo tee).
# A single @ forwards over UDP; use @@siem-server:514 for TCP delivery.
sudo tee /etc/rsyslog.d/lynis-siem.conf > /dev/null <<'EOF'
# Everything at info or above, except local0 and auth/authpriv, goes to the SIEM
*.info;local0.none;auth,authpriv.none @siem-server:514
# Messages tagged "lynis" (e.g. sent with logger -t lynis) go to the SIEM, then processing stops
if $programname == "lynis" then @siem-server:514
& stop
EOF
# Validate the configuration before restarting ("& ~" is the legacy spelling of "& stop")
sudo rsyslogd -N1
# Restart rsyslog
sudo systemctl restart rsyslog
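The rsyslog rule above matches on the program name, so something has to emit Lynis findings as syslog messages tagged lynis in the first place. The following added example (not from the Lynis project or the original page) converts the findings in a report data file into one key=value event per finding, maps warnings to local0.warning and suggestions to local0.notice, and hands them to logger(1) when asked to send; by default it prints the events so the format can be checked offline. The report file is a constructed sample and its field layout is an assumption about the format.

```shell
#!/bin/sh
# Added example: emit Lynis findings as syslog events for SIEM ingestion.
# The report below is a constructed sample, not real Lynis output.

REPORT=$(mktemp)
trap 'rm -f "$REPORT"' EXIT
cat > "$REPORT" <<'EOF'
hardening_index=58
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=FILE-6310|Place /tmp on a separate partition|-|-|
EOF

# One key=value event per finding. Double quotes inside messages are removed so
# the line stays parseable by simple SIEM field extractors.
findings_to_events() {    # usage: findings_to_events REPORT
    awk -F'|' -v idx="$(grep '^hardening_index=' "$1" | cut -d= -f2)" '
        index($0, "warning[]=") == 1 || index($0, "suggestion[]=") == 1 {
            type = substr($1, 1, index($1, "[") - 1)   # warning or suggestion
            test = substr($1, index($1, "=") + 1)      # TEST-ID
            msg = $2; gsub(/"/, "", msg)
            detail = ($3 == "-" || $3 == "") ? "" : $3; gsub(/"/, "", detail)
            printf "lynis_finding type=%s test=%s hardening_index=%s msg=\"%s\" detail=\"%s\"\n",
                   type, test, idx, msg, detail
        }' "$1"
}

# Syslog priority for each finding type; local0 matches the rsyslog rule's
# local0.none exclusion, so these events only reach the SIEM via the lynis rule.
event_priority() {        # usage: event_priority warning|suggestion
    case "$1" in
        warning) echo local0.warning ;;
        *)       echo local0.notice ;;
    esac
}

# Print events (default) or send them with logger -t lynis when MODE is "send".
forward_events() {        # usage: forward_events REPORT [send]
    mode=${2:-print}
    findings_to_events "$1" | while IFS= read -r line; do
        type=${line#lynis_finding type=}
        type=${type%% *}
        prio=$(event_priority "$type")
        if [ "$mode" = send ] && command -v logger >/dev/null 2>&1; then
            logger -t lynis -p "$prio" -- "$line"
        else
            printf '%s %s\n' "$prio" "$line"
        fi
    done
}

forward_events "$REPORT"
```

Run forward_events /var/log/lynis-report.dat send from the same cron job that performs the audit; with the rsyslog rule in place, the tagged messages reach the SIEM, where the test field lets analysts group repeat findings by Lynis test ID.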
Conclusion
Implementing Lynis as part of your security operations provides critical visibility into your Linux systems' security posture. By regularly performing audits, addressing findings systematically, and integrating security checks into your workflow, you establish a robust defensive foundation.
Remember that security is an ongoing process, not a one-time effort. Lynis helps identify vulnerabilities, but the responsibility for implementing remediations and maintaining secure configurations remains with you. Make security auditing a regular practice, and leverage Lynis's comprehensive capabilities to stay ahead of potential threats.
By mastering Lynis, you're taking a significant step toward a more secure and compliant Linux environment—equipping yourself with the knowledge to identify, prioritize, and address security concerns before they can be exploited.