Lynis 2.5.5 Released – Security Auditing and Scanning Tool for Linux Systems

Lynis is an open source and powerful auditing tool for Unix/Linux-like operating systems. It scans the system for security information, general system information, installed and available software, configuration mistakes, security issues, user accounts without passwords, wrong file permissions, firewall configuration, etc.

Lynis is one of the most trusted automated auditing tools for software patch management, malware scanning and vulnerability detection on Unix/Linux-based systems. It is useful for auditors, network and system administrators, security specialists and penetration testers.

Lynis 2.5.5, a new major upgrade, has just been released after months of development. It comes with some new features and tests and many small improvements. I encourage all Linux users to test and upgrade to this most recent version of Lynis.

In this article we show how to install Lynis 2.5.5 (Linux Auditing Tool) on Linux systems from the source tarball.

Installation of Lynis

Lynis doesn’t require any installation; it can be used directly from any directory. So it’s a good idea to create a custom directory for Lynis under /usr/local/lynis.

# mkdir /usr/local/lynis

Download the stable version of the Lynis source files from the trusted website using the wget command, and unpack it using the tar command as shown below.

# cd /usr/local/lynis
# wget https://cisofy.com/files/lynis-2.5.5.tar.gz

Figure: Download Lynis Linux Audit Tool

Unpack the tarball

# tar -xvf lynis-2.5.5.tar.gz

Figure: Unpack Lynis Tool

Running and Using Lynis Basics

You must be the root user to run Lynis, because it creates and writes output to the /var/log/lynis.log file. To run Lynis, execute the following commands.

# cd lynis
# ./lynis

Run without any option, ./lynis prints a complete list of available parameters and returns to the shell prompt. See the figure below.

Figure: Lynis Basic Options and Help

To start a Lynis scan, you must pass the --check-all parameter, which begins scanning your entire Linux system. Use the following command to start the scan.

# ./lynis --check-all

Once you execute the above command, it will start scanning your system and ask you to press [Enter] to continue (or [CTRL]+C to stop) after every process it scans and completes. See the figures below.

Figure: Lynis: Scanning Entire Linux System

Figure: Lynis Security Scan Details

To avoid this acknowledgment prompt (i.e. “press enter to continue”) while scanning, use the -c and -Q parameters as shown below.

# ./lynis -c -Q

It will do a complete scan without waiting for any user acknowledgment. See the following screencast.

Figure: Lynis: Scanning Linux File System

Creating Lynis Cronjobs

If you would like to create a daily scan report of your system, you need to set up a cron job for it. Run the following command at the shell.

# crontab -e

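Add the following cron job. With the --cronjob option, all special characters are omitted from the output and the scan runs completely automated. Because the entry is added with crontab -e to root's own crontab, it has no user field; a user name such as root belongs only in /etc/crontab or in files under /etc/cron.d, and in a per-user crontab it would be executed as the command.

30	22	*	*	*	/path/to/lynis -c -Q --auditor "automated" --cronjob

The above example cron job runs daily at 10:30 pm and writes a daily report to the /var/log/lynis.log file.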

Lynis Scanning Results

While scanning you will see output marked [OK] or [WARNING], where [OK] is considered a good result and [WARNING] a bad one. But [OK] doesn’t guarantee that an item is correctly configured, and [WARNING] doesn’t have to be bad. You should take corrective steps to fix those issues after reading the logs at /var/log/lynis.log.

In most cases, the scan provides suggestions for fixing problems at the end of the scan. See the attached figure, which shows a list of such suggestions.

Figure: Lynis Suggestions Tips
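
For unattended scans it helps to reduce the results to the findings that need attention. The following is an added example, not part of the original article or of Lynis itself: a shell function that summarises the machine-readable report Lynis writes next to its log. The path /var/log/lynis-report.dat, the key names and the pipe-separated line layout are assumptions not stated in this article, and the sample line in the comment is constructed.

```shell
#!/bin/sh
# Added example: summarise a Lynis report data file (key=value lines).
# Constructed sample of a finding line (layout is an assumption):
#   warning[]=AUTH-9308|No password set for single mode|-|-|
# Usage: lynis_summary [REPORT]
# Returns 0 when no warnings are present, 1 when there are, 2 on read error.
lynis_summary() {
    report=${1:-/var/log/lynis-report.dat}
    [ -r "$report" ] || { echo "cannot read $report" >&2; return 2; }

    awk -F'=' '
        # Keep everything after the first "=" of each warning line.
        /^warning\[\]=/     { w[++nw] = substr($0, index($0, "=") + 1) }
        /^suggestion\[\]=/  { ns++ }
        /^hardening_index=/ { hi = $2 }
        END {
            printf "hardening_index=%s warnings=%d suggestions=%d\n",
                   (hi == "" ? "n/a" : hi), nw, ns
            # Field 1 is the test ID, field 2 the message text.
            for (i = 1; i <= nw; i++) {
                split(w[i], f, "|")
                printf "WARNING %s: %s\n", f[1], f[2]
            }
            exit (nw > 0 ? 1 : 0)
        }
    ' "$report"
}
```

Called after the nightly scan in the cron job, its output is what cron mails to the job's owner, and the exit status lets a wrapper script react only when warnings exist.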

Updating Lynis

If you want to update or upgrade the current Lynis version, simply type the following commands to download and install the latest version of Lynis.

# ./lynis update info         [Show update details]
# ./lynis update release      [Update Lynis release]

See the output of the above command in the figure. It says our Lynis version is up to date.

Figure: Update Lynis Auditing Tool

Lynis Parameters

Some of the Lynis parameters for your reference.

  1. --checkall or -c : Start the scan.
  2. --check-update : Checks for Lynis update.
  3. --cronjob : Runs Lynis as cronjob (includes -c -Q).
  4. --help or -h : Shows valid parameters
  5. --quick or -Q : Don’t wait for user input, except on errors
  6. --version or -V : Shows Lynis version.

That’s it. We hope this article helps you all to figure out security issues on running systems. For more information, visit the official Lynis page at https://cisofy.com/download/lynis/.


Ravi Saive

I am Ravi Saive, creator of TecMint. A computer geek and Linux guru who loves to share tricks and tips on the Internet. Most of my servers run on the open source platform called Linux.


19 Responses

  1. Piers says:

    This article should be updated. The newest version of this is now 2.5.5. If you’re an ARCH user all you need to do is run “sudo pacman -S lynis” and you’ll get this: “community/lynis 2.5.5-1”.

    • Ravi Saive says:

      @Piers,

      Thanks for informing us about the new Lynis update; we’ve updated the installation instructions in the article to the latest Lynis version.

  2. c4ifford says:

    So what security criteria standards does this check against?

  3. Bobses says:

    I receive the following error when I try to update Lynis from 2.1.1 to 2.2.0:

    “Error: Unknown protocol, please specify (http, https) in profile (update_server_protocol)[-30C”

    What can I do in this situation?
    Thanks.

  4. Deezl says:

    Is there a way to scan a remote server or workstation with Lynis? Or does the client have to be installed on the local machine in order to run the scan?

    • Ravi Saive says:

      @Deezl,

      Unfortunately, you can’t scan a remote Linux server or workstation with Lynis and there isn’t any client that does the job you are looking for; all you need to do is install the Lynis tool on each machine and set an auto cron to do the scan.

  5. SURYANARAYANA says:

    You are so great, sir. You have guided so many Linux newbies like me. Keep it up.

  6. Hany says:

    Hi Ravi
    Thanks for easy to follow instructions. Also thanks with help with RKhunter but have since removed it and installed Lynis 2.1.1 as from what I gather RKhunter has been replaced by Lynis.

    I have 1 question. How do I get the daily scanned results to be emailed to me?

    • Ravi Saive says:

      @Hany,

      Thanks for finding these instructions easy to follow. Yes, you are right; I also noticed lately that RKhunter has been replaced by Lynis, and I think Rkhunter is no longer in development. Regarding daily mail from cron, you need to set the following parameter with the email ID shown:

      [email protected]
      
      • Hany says:

        Hi Ravi,

        Thanks for reply. I followed instructions and yes I got an email, right on specified time. However I receive an error in my message as follows:

        /bin/sh: root: command not found

        Can you please let me know what I need to change.

        • Ravi Saive says:

          @Hany,

          It seems there may be something wrong with your cron entry; I suggest you add it like this:

          * * * * * /script-to-path.sh
          
  7. Young man says:

    Hello,
    Is Lynis only used to scan the server, or can I also scan one user (one website)?

    Thanks

  8. Young man says:

    Am I wrong? What I do is the following:

    1. mkdir /usr/local/lynis
    2. cd /usr/local/lynis
    3. wget http://cisofy.com/files/lynis-1.6.3.tar.gz
    4. tar -xvf lynis-1.6.3.tar.gz
    5. cd /lynis-1.6.3 I got this message (-bash: cd: /lynis-1.6.3: No such file or directory)

    What is wrong with me
    Hope to help

    • Ravi Saive says:

      Step 5 is wrong: as you extracted the content of lynis-1.6.3.tar.gz into the current working directory, the command is:

      # cd lynis-1.6.3
      
  9. John says:

    I tried to download lynis but it failed to download after hitting save and clicking twice on option to open.
