Harden your systems with Lynis
The Tester

The Lynis testing tool looks for potential security problems and even suggests possible remedies.
To safeguard your system from attack, you'll need to check many components and configuration files for vulnerabilities. This task is worthy of Sisyphus, but never fear – a small tool named Lynis can help you roll that rock. In addition to identifying problems, Lynis offers tips for how to resolve them.
When launched, Lynis [1] performs several hundred individual tests. In each test, the software checks the security of many components. Lynis takes a close look at the configuration files of the installed programs, checks the firewall rules, discovers expired SSL certificates, reports user accounts without a password, and more. According to the company behind Lynis, CISOfy, the tool follows generally accepted security guidelines and standards.
At the end of these tests, Lynis outputs a test report in which it points to the problems it has identified and gives the administrator tips on how to harden the system more effectively. Lynis thus identifies security problems, but it cannot resolve them autonomously; the interpretation of the results is left to the administrator. CISOfy sees the main applications for the tool as security audits, vulnerability scanning, and the first step toward system hardening.
You can launch Lynis directly; there is no need to install. Administrators can thus easily add it to a collection of tools on a rescue USB stick. Lynis also supports plugins to extend the feature scope. In addition to Linux, Lynis runs on other Unix-style systems, including OS X.
Choosing a License
Lynis is available under the GPLv3 and can thus be used without charge in the enterprise. CISOfy also offers a commercial version called Lynis Enterprise, which extends Lynis to include additional features and tools. The tools include a Lynis Collector component, which collects the test results from several computers and feeds the results to a central management console. Lynis Enterprise delivers more comprehensive reports. Among other things, administrators receive an assessment of the computers that are particularly endangered. Finally, CISOfy offers support – but not for the free variant. Lynis Enterprise is available under a subscription model with several levels. The simplest variant costs $1.50 per month and per system. If you need the full feature scope, you can expect to pay $3 per system per month. For more details on Lynis Enterprise, check out the website [2].
Installation
Many Linux distributions have the free Lynis version in their repositories – typically in the lynis package. In most cases, the repository will have an older version of the tool. For example, the package manager in Ubuntu 14.10 still offers version 1.5.5, although the latest version when this article was written was Lynis 1.6.4. Because newer versions may be able to discover additional issues, administrators will always want to use the latest version from the Lynis homepage. If you are thinking of using the tool in the long term, you need to keep it up to date yourself.
Once you have the .tar.gz archive with Lynis on your hard disk, it makes sense to validate the download by checking the SHA1 or SHA256 checksum. To do so on Linux, for example, type:
sha256sum lynis-version.tar.gz
Now compare the generated hash with the values that CISOfy provides in the File Integrity Information box on the download page [3]. You can only be sure that the archive has not been manipulated if the checksums match. If you want to be doubly sure, you can also download the digital signature, which is also available from the File Integrity Information box. You can then verify the source using GnuPG:
wget https://cisofy.com/files/cisofy-software.pub
gpg --import cisofy-software.pub
gpg --list-keys --fingerprint
Instead of wget, users on Mac OS X can run curl:
curl https://cisofy.com/files/cisofy-software.pub -o cisofy-software.pub
The CISOfy fingerprint output by the gpg --list-keys --fingerprint command should now be identical to the one returned by the following command:
gpg --verify lynis-1.6.4.tar.gz.asc lynis-1.6.4.tar.gz
You might need to change the version numbers. Also, the fingerprint must match the one printed in the official documentation [4].
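The two checks above can be combined so that unpacking only proceeds when the hash matches and the signature comes from the expected key. This script is an added example, not part of the original article or of Lynis; the function names and the verify.sh file name are assumptions, and the checksum and fingerprint must be copied from the download page [3] and the documentation [4].

```shell
#!/bin/sh
# Added example: verify a downloaded archive before unpacking it.
# The checksum and fingerprint arguments must come from the vendor's pages.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on OS X).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file's hash equals the published value (any letter case).
check_sha256() {
    actual=$(sha256_of "$1" 2>/dev/null)
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Read gpg --status-fd output on stdin; print the fingerprints named by VALIDSIG:
# field 3 is the key that signed, the last field its primary key (when reported).
validsig_fprs() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF; exit }'
}

# Succeed only if the signature is valid AND was made by the pinned key.
# Arguments: signature file, archive, pinned fingerprint.
check_signature() {
    pinned=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$pinned" ] || return 2
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        validsig_fprs | grep -qxF "$pinned"
}

# Usage: sh verify.sh lynis-version.tar.gz <sha256> <fingerprint>
if [ "$#" -eq 3 ]; then
    check_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; exit 1; }
    check_signature "$1.asc" "$1" "$3" || { echo "signature not from pinned key" >&2; exit 1; }
    echo "OK: $1"
fi
```

Pinning the fingerprint matters because gpg --verify reports a good signature for any key in the keyring, including one imported from the same place as a tampered archive.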
Checking Privileges Before Starting
If the checksum and the fingerprint are good, you can finally start up Lynis. To do so, simply unpack the archive and launch the lynis script with the -c parameter:
./lynis -c
The -c parameter tells Lynis to perform a full set of tests. Without it, Lynis would simply display the help. The command
./lynis --view-manpage
lets you view the fairly sparse man page. To check whether you have the latest version of Lynis, you can run:
./lynis --check-update
To inspect all the nooks and crannies of your system, Lynis needs root or administrative privileges. If you launch it as a normal user, the tool might not find all the problems. In any case, Lynis needs write privileges for the directories /tmp and /var/log. (Test reports will land in the /var/log directory.)
After launching, Lynis states the privileges with which it is running, whether or not it can perform all the tests, and whether it can write a logfile below /var/log (Figure 1). If you agree with all the settings, you can start the test run by pressing Enter.

Under certain circumstances, Lynis will complain about not having the right file permissions or ownership. You need to remedy this with the commands shown by Lynis; only then can you run the tool. On Linux, the following command will remedy all the ownership problems Lynis complains about with one action:
sudo chown root:root ./include/*
Once Lynis agrees with the ownership, it again summarizes the scenario. Among other things, Lynis states its program version, the operating system, and the storage location of the logfile and report file. If the logfile and report file end up in the black hole of /dev/null, you can assume that Lynis is unable to write to the /var/log directory. Currently, there is no option for defining a different storage location. Users can only suppress the logfile by stipulating the --no-log parameter.