Open source auditing
Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux and Unix-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners. It is also the client in our Lynis Enterprise offering.
Supported operating systems
Lynis runs on almost all UNIX-based systems and versions, including:
- and others
It even runs on systems like the Raspberry Pi, IoT devices, and QNAP storage devices.
Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL). Software packages are available from our software repository.
How it works
Lynis performs hundreds of individual tests. Each help to determine the security state of the system. This is what happens during a scan with Lynis:
- Determine operating system
- Search for available tools and utilities
- Check for Lynis update
- Run tests from enabled plugins
- Run security tests per category
- Report status of security scan
Besides the data displayed on screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.
30 Seconds Demo
Time is precious. So look how quick you can install Lynis and have it perform a security scan. That is hard to beat, right?
Lynis scanning is "opportunistic". That means it only uses what it can find. No installation of other tools needed, so you can keep your systems clean.
For example if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers a SSL/TLS configuration, it will perform additional auditing steps on that. It then will collect these discovered certificates so that they can be scanned later as well.
In-depth security scans
By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans that are customized to your system. No audit will be the same!
Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Vulnerability detection and scanning
- System hardening
Why open source software?
Open source software provides additional trust, by allowing people to look into the source code. Adjustments are easily made, providing you with a flexible solution for your business.
Lynis is one of the few security auditing solutions that is available as open source software. This explains also its success, as we get feedback from both customers and the community.
You can use and install Lynis with:
Security tests and knowledge sources
Many other tools use the same data files for performing tests. Since Lynis is not limited to a specific Linux distribution, it uses a wide range of tests.
- Best practices
- OpenSCAP data
- Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)
Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin. It performs specific tests related to one or more standards.
Comparison with other tools
Lynis has a different way of doing things, so you have more flexibility. After all, you should be the one deciding what security controls make sense for your environment. We have some comparison with some other well known tools:
Bastille was for a long time the best known utility for hardening Linux systems. It focuses mainly on automatically hardening the system.
Differences with Bastille
Automated hardening tools are helpful, but at the same time might give a false sense of security. Instead of just turning on some settings, Lynis perform an in-depth security scan. You are the one to decide what level of security is appropriate for your environment. After all, not all systems have to be like Fort Knox, unless you want it to be.
Benefits of Lynis
- Supports more operating systems
- Won't break your system
- More in-depth audit
OpenVAS / Nessus
These products focus primarily on vulnerability scanning. They do this via the network by polling services. Optionally they will log in to a system and gather data.
Differences with Nessus or OpenVAS
Lynis runs on the host itself. Therefore it can perform a deeper analysis compared with network-based scans. This means less risk to impact your business processes and log files remain clean from connection attempts and incorrect requests.
Although Lynis is an auditing tool, it will discover vulnerabilities as well. It does so by using existing tools and analyzing configuration files.
Lynis and OpenVAS are both open source and free to use. Nessus is commercial proprietary software.
Benefits of Lynis
- Much faster
- No pollution of log files
- Much lower risk of disruption to business services
- Host-based scans provide a more in-depth audit
Lynis is open source software and freely available. To help with the installation, we suggest the Get Started guide.
Upgrade to Lynis Enterprise
Our Lynis Enterprise Suite uses Lynis as a core component. Lynis can run as a standalone security tool, and become a data collection client for Lynis Enterprise.Continuous auditing
Security is not a one-time event. For companies who want to do continuous auditing, we provide Lynis Enterprise. This security suite provides central management, plugins, reporting, hardening snippets, and more.
Read more about Lynis Enterprise and discover all benefits.