Lynis Security Auditing
Lynis performs comprehensive security audits on Unix-based systems.
Installation
# Debian/Ubuntu
sudo apt install lynis
# RHEL/CentOS
sudo dnf install lynis
# From Git (latest)
git clone https://github.com/CISOfy/lynis.git
cd lynis && sudo ./lynis audit system
Running Audits
# Full system audit
sudo lynis audit system
# Quick audit
sudo lynis audit system --quick
# Pentest profile
sudo lynis audit system --pentest
# Specific profile
sudo lynis audit system --profile /etc/lynis/custom.prf
Understanding Results
Hardening Index
Hardening index : 67 [############# ]
Tests performed : 256
Plugins enabled : 0
Score interpretation:
- 80+ : Good
- 60-79 : Needs improvement
- 40-59 : Vulnerable
- <40 : Critical
Warnings and Suggestions
# View suggestions
grep "Suggestion" /var/log/lynis.log
# View warnings
grep "Warning" /var/log/lynis.log
Automated Auditing
# Cron job for weekly audit
0 2 * * 0 /usr/sbin/lynis audit system --cronjob --quiet
# Email results
sudo lynis audit system --cronjob | mail -s "Lynis Report" [email protected]
Common Findings
| Finding | Priority | Typical Fix |
|---|---|---|
| Weak permissions | High | chmod/chown |
| Missing updates | High | apt upgrade |
| SSH hardening | Medium | sshd_config |
| Kernel parameters | Medium | sysctl |
| File integrity | Low | AIDE/Tripwire |
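
Added example, not part of the original page or the Lynis project: a POSIX shell helper for the scheduled audit that reads the hardening index plus warning and suggestion counts and applies the score bands listed above. It assumes Lynis's default key=value report file (/var/log/lynis-report.dat) with its `hardening_index=`, `warning[]=` and `suggestion[]=` keys; the function names and the sample report lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: grade a Lynis run with the score bands from this page.
# Assumes Lynis's key=value report file (default: /var/log/lynis-report.dat).

# Map a hardening index to the bands listed under "Score interpretation".
lynis_band() {
    if   [ "$1" -ge 80 ]; then echo "Good"
    elif [ "$1" -ge 60 ]; then echo "Needs improvement"
    elif [ "$1" -ge 40 ]; then echo "Vulnerable"
    else                       echo "Critical"
    fi
}

# Print "index|band|warnings|suggestions" for one report file.
lynis_summary() {
    s_idx=$(sed -n 's/^hardening_index=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$s_idx" ] || { echo "no hardening_index in $1" >&2; return 2; }
    # grep -c exits 1 on zero matches; "|| true" keeps set -e from aborting.
    s_warn=$(grep -c '^warning\[]=' "$1" || true)
    s_sugg=$(grep -c '^suggestion\[]=' "$1" || true)
    printf '%s|%s|%s|%s\n' "$s_idx" "$(lynis_band "$s_idx")" "$s_warn" "$s_sugg"
}

# Succeed only if the index meets the minimum; usable as a cron or CI gate.
lynis_gate() {
    g_idx=$(lynis_summary "$1" 2>/dev/null | cut -d'|' -f1)
    [ -n "$g_idx" ] && [ "$g_idx" -ge "$2" ]
}

# Constructed sample report (not real scan output) so the script runs offline.
make_sample_report() {
    m_file=$(mktemp) || return 1
    cat > "$m_file" <<'EOF'
report_version_major=1
hardening_index=67
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|-|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
EOF
    echo "$m_file"
}

# Usage: script [report-file]; without a readable file, the sample is used.
report=${1:-}
[ -f "$report" ] || report=$(make_sample_report)
lynis_summary "$report"
```

In a cron wrapper, `lynis_gate /var/log/lynis-report.dat 80 || <alert command>` turns a drop below the "Good" band into a notification instead of a report that nobody reads.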