Get Started with Lynis

Installation guide for first-time users




Step 1: Download and Installation

Getting Lynis

To obtain a copy of Lynis, several options are available. We advise to choose the option you are most familiar with.

1. Package

Installing using your package manager. Supported packages in DEB and RPM format.

Select

2. Git

If you use Git, a great option. Always the latest version.

Select

3. Download

The latest stable version of Lynis, as a normal download. Good match for AIX, HPUX.

Select

4. Homebrew (macOS)

Great choice for users of macOS, to install Lynis and keep it up-to-date.

Select



Installing Lynis


1. Installation via package


Installing Lynis via a package manager is one option to get started with Lynis. For most operating systems and distributions, a port or package is available.

First install our software repository. You might otherwise end up with an old version.

Red Hat

This applies to systems running YUM, including CentOS, Fedora, Red Hat Enterprise Linux (RHEL).

$ yum install lynis

Debian

Systems running Debian, Linux Mint, Ubuntu or similar.

$ apt-get install lynis

openSUSE

$ zypper install lynis

After the installation, it is time to run Lynis for the first time.

NextTo First Run

2. Installation via Git


Clone project

The first step is cloning the project. Before doing so, select the parent directory. Git will create a 'lynis' subdirectory, which will contain the full program.

$ cd /usr/local
$ git clone https://github.com/CISOfy/lynis
Cloning into 'lynis'...
remote: Counting objects: 1733, done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 1733 (delta 3), reused 0 (delta 0), pack-reused 1725
Receiving objects: 100% (1733/1733), 886.18 KiB | 378.00 KiB/s, done.
Resolving deltas: 100% (1204/1204), done.
Checking connectivity... done.
$ cd lynis

That is it. Time to run your first security audit:

$ lynis audit system

Although no configuration is required, there are a few useful commands to learn.

NextLearn Commands

3. Installation via direct download


Step 1. Create a directory

Lynis can be started from each directory. So choose a directory where you want to store Lynis. For our example purpose we use /usr/local/lynis, as the /usr/local directory exists on most distributions.

$ mkdir -p /usr/local/lynis
$ cd /usr/local

Step 2. Download

Next step is downloading the latest version of Lynis into the /usr/local directory. In this method we use the compressed tarball, which is an archive of all files.

Go to the Lynis download page. Copy the link to the Lynis tarball (ends with lynis-<version>.tar.gz).

Use this link together with wget (usually installed by default). macOS users can use curl tool, where BSD users could use fetch.

$ wget https://cisofy.com/files/lynis-<version>.tar.gz

or
$ curl https://cisofy.com/files/lynis-<version>.tar.gz -o lynis.tar.gz

Step 3. Unpack the tarball

$ tar xfvz lynis-<version>.tar.gz

After unpacking, it is time to run Lynis for the first time.

NextTo First Run


4. Installation via Homebrew


For users of macOS, Homebrew can be used as an alternative to manual installation and using Git.

$ brew install lynis

After the installation with Homebrew, it is time to run Lynis for the first time.

NextTo First Run

Step 2: First Run

Running Lynis

If Lynis was installed via a package or Homebrew, you can run Lynis from any directory.

For the other methods, ensure that you are in the right directory and add './' in front of the command, like:

$ ./lynis

Lynis can run without any preconfiguration. Configuration and fine-tuning is possible though and will be covered in later sections. For now we will run a basic scan:

$ lynis audit system

(use ./lynis audit system to start Lynis from the local directory if you didn't install it as a software package)

Lynis and pauses

By default Lynis starts and pauses after the first section. With CTRL+C you can stop the program. With ENTER it will continue to the next set of tests. If we want to run Lynis without any pauses, we could give it an additional parameter: --quick. This will enable the "quick" option, ideal for running Lynis while you do other things.

$ lynis audit system --quick

Common parameters

Lynis is started with at least one command, usually followed by one or more options.

Example Commands

Command Description
audit system Perform a system audit
show commands Show available Lynis commands
show help Provide a help screen
show profiles Display discovered profiles
show settings List all active settings from profiles
show version Display current Lynis version

The show command requires an up-to-date version of Lynis.

Options

Option Abbreviated Description
--auditor "Given name Surname"   Assign an auditor name to the audit (report)
--cronjob   Run Lynis as cronjob (includes -c -Q)
--debug   Show debug information, useful for troubleshooting and development
--help -h Shows valid parameters
--man-page   View man page
--no-colors   Do not use any colors
--pentest   Perform a penetration test scan (non-privileged)
--quick -Q Don't wait for user input, except on errors
--quiet -q Only show warnings (includes --quick, but doesn't wait)
--reverse-colors   Use a different color scheme for lighter backgrounds
--verbose   Show more screen output

Tips
  • If Lynis is not installed as package (with included man page), use --man or nroff -man ./lynis.8
  • For systems where the shell background is light, use --nocolors or --reverse-colors
  • Use command show options to see all available parameters of Lynis


Step 3: Report and Logging

Lynis performs an in-depth audit and reports its findings to the following outputs:

  1. Screen
  2. Logging
  3. Report

1. Screen output

Lynis scans the system and performs hundreds of tests. For most of these tests, a result will be displayed on the screen.

Possible tests results include:

  • OK or Warning
  • Found or Not found
  • A value

2. Log file

The results are displayed on screen during the system scan. Additional details are logged in a separate file (default: /var/log/lynis.log). This information is useful for advanced testers, to see what the program did in the background, or where anomalies showed up.

Information in the log file:
  • Time of an action/event
  • Reason(s) why a test failed or was skipped
  • Output of (internal) tests
  • Suggestions about configuration options or how to fix/improve things
  • Threat/impact score

Remark: the log file is purged every scan. If you need debugging or logging information for previous scans, schedule log rotation or make a backup before running Lynis again.

3. Report files

During the audit process, Lynis will gather findings and other data points. This information is stored in the report file, which is by default /var/log/lynis-report.dat.

Lynis supports one report format, which can be used to gather results and display them in a custom or (more) friendly presentation. The report file can also be used to compare scan results from the past with a current scan. Lynis Enterprise has much more possibilities to display data, including extended reports in several formats.


Contents of report file:

  • Remarks: #<remark>
  • Section: [<section name>]
  • Option/value: <option name>=<value of option>

When an option may have multiple values (like installed packages for example), brackets ([]) are added. Example: installed_package[]=Package-1.0.0


Tips and Suggestions


Staying up-to-date

Staying up-to-date with software is important. Some options to ensure your Lynis installation is up-to-date:

  • Notification list (see Downloads page)
  • Twitter (@cisofy_is)
  • Run lynis update info for details


Frequently Asked Questions


Is Lynis really free?

Yes, Lynis is open source and free to use. Lynis is released under GPL and comes without warranties or support. If you still prefer support or Enterprise features, then Lynis Enterprise is a better choice.


Is Lynis restricted in functionality compared with the Enterprise version?

There are no limitations regarding functionality. Lynis is also part of the Enterprise version. Therefore it has similar functionality, with the exception of (some) plugins.


What systems are supported?

All common systems based on UNIX are supported. Examples include Linux, AIX, *BSD, HP-UX, macOS, and Solaris.

For package management are the following tools supported:
- apt/dpkg, DNF, pacman, pkg_info, ports, RPM, YUM, zypper


The colors used are hard to read with my white background, how can I solve this?

Disable color usage or use the --reverse-colors option


What is the difference between a normal test and a plugin?

Both look very similar in what they can do. A normal test has the main goal of performing a check, and conclude. Something is present or not, the outcome is good or bad etc.

The purpose of plugins is to collect data for later analysis. In particular the Lynis Enterprise solution will use plugins to collect extra data which will be later analyzed. One example would be to determine exceptions or outliers. It would not make sense to have everyone build up databases of data, while all information is already centrally stored.


Can I create my own tests or plugins?

A good start is using the development guide for Lynis plugins.


Where can I report any issues?

The best way to discuss any findings or issues, is using the Lynis project page on GitHub.



Lynis is licensed under the GPLv3 license.