Get Started with Lynis

Installation guide for first-time Lynis users

Step 1: Download and Installation

Getting Lynis

To obtain a copy of Lynis, several options are available. We advise to choose the option you are most familiar with.

1. Package

Installing using your package manager. Supported packages in DEB and RPM format.

Select

2. Git

If you use Git, a great option. Always the latest version.

Select

3. Download

The latest stable version of Lynis, as a normal download. Good match for AIX, HPUX.

Select

4. Homebrew (macOS)

Great choice for users of macOS, to install Lynis and keep it up-to-date.

Select

Installing Lynis

1. Installation via package

Installing Lynis via a package manager is one option to get started with Lynis. For most operating systems and distributions, a port or package is available.
First add our software repository. This way the latest version will be available to your system.
Red Hat
This applies to systems running YUM, including CentOS, Fedora, Red Hat Enterprise Linux (RHEL).
$ yum install lynis
Debian
Systems running Debian, Linux Mint, Ubuntu, or are based on one of these.
$ apt-get install lynis
openSUSE
$ zypper install lynis
After the installation, it is time to run Lynis for the first time.
To First Run

2. Installation via Git

Clone project
The first step is cloning the project. Before doing so, select the parent directory. Git will create a 'lynis' subdirectory with the full program in it.
$ cd /usr/local
$ git clone https://github.com/CISOfy/lynis
Cloning into 'lynis'...
remote: Counting objects: 1733, done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 1733 (delta 3), reused 0 (delta 0), pack-reused 1725
Receiving objects: 100% (1733/1733), 886.18 KiB | 378.00 KiB/s, done.
Resolving deltas: 100% (1204/1204), done.
Checking connectivity... done.
$ cd lynis
That is it. Time to run your first security audit:
$ lynis audit system
Although no configuration is required, there are a few useful commands to learn.
Learn Commands

3. Installation via direct download

Step 1. Create a directory
Lynis can be started from each directory. So choose a directory where you want to store Lynis. For our example purpose we use /usr/local/lynis, as the /usr/local directory exists on most distributions.
$ mkdir -p /usr/local/lynis
$ cd /usr/local
Step 2. Download
Next step is downloading the latest version of Lynis into the /usr/local directory. In this method we use the compressed tarball, which is an archive of all files.
Go to the Lynis download page. Copy the link to the Lynis tarball (ends with lynis-<version>.tar.gz).
Use this link together with wget (usually installed by default). macOS users can use curl tool, where BSD users could use fetch.
$ wget https://cisofy.com/files/lynis-<version>.tar.gz
or
$ curl https://cisofy.com/files/lynis-<version>.tar.gz -o lynis.tar.gz
Step 3. Unpack the tarball
$ tar xfvz lynis-<version>.tar.gz
After unpacking, it is time to run Lynis for the first time.
To First Run

4. Installation via Homebrew

For users of macOS, Homebrew can be used as an alternative to manual installation and using Git.
$ brew install lynis
After the installation with Homebrew, it is time to run Lynis for the first time.
To First Run

Step 2: First Run

Running Lynis

If Lynis was installed via a package or Homebrew, you can run Lynis from any directory.

For the other methods, ensure that you are in the right directory and add './' in front of the command, like:

$ ./lynis

Lynis can directly run after installation. Configuration and fine-tuning is optional and will be covered in later sections. For now we will run a basic scan:

$ lynis audit system

(use ./lynis audit system to start Lynis from the local directory if you didn't install it as a software package)

Lynis and pauses

By default Lynis starts and pauses after the first section. With CTRL+C you can stop the program. With ENTER it will continue to the next set of tests. If we want to run Lynis without any pauses, we could give it an additional parameter: --quick. This will enable the "quick" option, ideal for running Lynis while you do other things.

$ lynis audit system --quick

Common parameters

Lynis is started with at least one command, usually followed by one or more options.

Example Commands

Command	Description
audit system	Perform a system audit
show commands	Show available Lynis commands
show help	Provide a help screen
show profiles	Display discovered profiles
show settings	List all active settings from profiles
show version	Display current Lynis version

The show command requires an up-to-date version of Lynis.

Options

Option	Abbreviated	Description
--auditor "Given name Surname"		Assign an auditor name to the audit (report)
--cronjob		Run Lynis as cronjob (implies quick mode)
--debug		Show debug information, useful for troubleshooting and development
--help	-h	Shows valid parameters
--man-page		View man page
--no-colors		Do not use any colors
--pentest		Perform a penetration test scan (non-privileged)
--quick	-Q	Don't wait for user input, except on errors
--quiet	-q	Only show warnings (includes --quick, but doesn't wait)
--reverse-colors		Use a different color scheme for lighter backgrounds
--verbose		Show more screen output

Tips

If Lynis is not installed as package (with included man page), use --man or nroff -man ./lynis.8
For systems where the shell background is light, use --nocolors or --reverse-colors
Use command show options to see all available parameters of Lynis

Step 3: Report and Logging

Lynis performs an in-depth audit and reports its findings to the following outputs:

Screen
Logging
Report

1. Screen output

Lynis scans the system and performs hundreds of tests. For most of these tests, a result will be displayed on the screen.

Possible tests results include:

OK or Warning
Found or Not found
A value

2. Log file

The results are displayed on screen during the system scan. Additional details are logged in a separate file (default: /var/log/lynis.log). This information is useful for advanced testers, to see what the program did in the background, or where anomalies showed up.

Information in the log file:

Time of an action/event
Reason(s) why a test failed or was skipped
Output of (internal) tests
Suggestions about configuration options or how to fix/improve things
Threat/impact score

Remark: the log file is purged every scan. If you need debugging or logging information for previous scans, schedule log rotation or make a backup before running Lynis again.

3. Report files

During the audit process, Lynis will gather findings and other data points. This information is stored in the report file, which is by default /var/log/lynis-report.dat.

Lynis supports one report format, which can be used to gather results and display them in a custom or (more) friendly presentation. The report file can also be used to compare scan results from the past with a current scan. Lynis Enterprise has much more possibilities to display data, including extended reports in several formats.

Contents of report file:

Remarks = #<remark>
Section = [<section name>]
Option/value = <option name>=<value of option>

When an option could have multiple values (like installed packages for example), brackets ([]) are added. Example: installed_package[]=Package-1.0.0

Tips and Suggestions

Staying up-to-date
Staying up-to-date with software is important. Some options to ensure your Lynis installation is up-to-date:
Notification list (see Downloads page)
Twitter (@cisofy_is)
Run lynis update info for details

Frequently Asked Questions

Is Lynis really free?
Yes, Lynis is open source and free to use. Lynis is released under GPL and comes without warranties or support. If you still prefer support or Enterprise features, then Lynis Enterprise is a better choice.

Is Lynis restricted in functionality compared with the Enterprise version?
There are no limitations regarding functionality. Lynis is also part of the Enterprise version. Therefore it has similar functionality, with the exception of (some) plugins.

What systems are supported?
All common systems based on UNIX are supported. Examples include Linux, AIX, *BSD, HP-UX, macOS, and Solaris.
For package management are the following tools supported:
- apt/dpkg, DNF, pacman, pkg_info, ports, RPM, YUM, zypper

The colors used are hard to read with my white background, how can I solve this?
Disable color usage or use the --reverse-colors option

What is the difference between a normal test and a plugin?
Both look very similar in what they can do. A normal test has the main goal of performing a check, and conclude. Something is present or not, the outcome is good or bad etc.
The purpose of plugins is to collect data for later analysis. In particular the Lynis Enterprise solution will use plugins to collect extra data which will be later analyzed. One example would be to determine exceptions or outliers. It would not make sense to have everyone build up databases of data, while all information is already centrally stored.

Can I create my own tests or plugins?
A good start is using the development guide for Lynis plugins.

Where can I report any issues?
The best way to discuss any findings or issues, is using the Lynis project page on GitHub.

Lynis is licensed under the GPLv3 license.