Lynis Security Audit
Run Lynis to perform a security audit on your Linux server, get a hardening score and actionable recommendations
Lynis is an open-source security auditing tool for Linux and other Unix-like systems. It scans the host, checks configurations, and produces a hardening index along with a prioritized list of improvements. Run it after initial setup and then periodically to catch misconfigurations and configuration drift.
Installation
sudo apt update
sudo apt install lynis -y
lynis --version
The Ubuntu/Debian package typically lags upstream by several releases. To get the current version, install it from the official CISOFY repository. apt-key is deprecated on current Debian and Ubuntu releases, so store the signing key in its own keyring and bind it to the repository with signed-by instead:
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | \
  sudo gpg --dearmor -o /usr/share/keyrings/cisofy-lynis.gpg
echo "deb [signed-by=/usr/share/keyrings/cisofy-lynis.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | \
  sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
sudo apt update
sudo apt install lynis -y
lynis --version
Run a full audit
sudo lynis audit system
The scan takes 2-5 minutes. It will:
- Check OS and kernel configuration
- Audit SSH, PAM, cron, and user accounts
- Scan installed software (web server, databases, mail, etc.)
- Check file permissions and SUID/SGID binaries
- Verify firewall and logging configuration
- Check whether a malware scanner or rootkit detector (for example ClamAV, rkhunter, chkrootkit) is installed; Lynis itself is not a malware scanner and does not scan files for malware
Reading the output
At the end of the scan you'll see:
Hardening index : 67 [############# ]
Tests performed : 261
Plugins enabled : 0
Components:
- Firewall [V]
- Malware scanner [V]
Lynis Suggestions:
* Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262]
* Consider hardening SSH configuration [SSH-7408]
* Enable logging to a remote syslog server [LOGG-2154]
...
The hardening index ranges from 0 to 100. A fresh minimal Ubuntu server typically scores 55-65; aim for 75+. Treat the number as a trend indicator for one host, not an absolute grade: it is computed from the tests that actually ran, so installing software that enables more tests, switching profiles, or upgrading Lynis can move the score without any change to the host's real security posture.
Acting on suggestions
Each suggestion includes a test ID (e.g., SSH-7408). Look up details:
sudo lynis show details SSH-7408
Or search the full log:
sudo grep SSH-7408 /var/log/lynis.log
Common improvements and how to fix them:
| Test ID | Finding | Fix |
|---|---|---|
| SSH-7408 | SSH hardening | Set PermitRootLogin no, MaxAuthTries 3 and PasswordAuthentication no (keys only, after confirming key login works); validate with sudo sshd -t before restarting ssh |
| AUTH-9262 | No PAM password-strength module | Install libpam-pwquality; fail2ban protects against brute force, which is a separate finding |
| FIRE-4513 | Firewall rules | Enable a host firewall and review its ruleset: sudo ufw allow OpenSSH && sudo ufw enable (allow SSH first or you lock yourself out of a remote host) |
| KRNL-5820 | Core dumps enabled | Disable core dumps in /etc/security/limits.conf (* hard core 0) and set fs.suid_dumpable = 0 via /etc/sysctl.d/ |
| KRNL-6000 | sysctl values differ from the scan profile | Add the suggested keys to a file in /etc/sysctl.d/ and apply with sudo sysctl --system |
| HRDN-7230 | No malware scanner | Install ClamAV or rkhunter (TOOL-5002, sometimes confused with this, is about automation tools such as Ansible or Puppet) |
| LOGG-2154 | No remote logging | Configure rsyslog to forward to a remote syslog server |
| PKGS-7392 | Pending package updates | sudo apt update && sudo apt upgrade |
Test IDs and their wording differ between Lynis versions, so confirm each one with sudo lynis show details <ID> before acting on this table.
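The SSH-7408 row lists the sshd directives to change; the check a practitioner wants afterwards is whether the effective configuration (what sshd actually runs with, including drop-ins and defaults) matches the intended policy. The script below is an added example, not code from this page or from Lynis: it parses the output of `sshd -T` (one lower-case "keyword value" pair per line) and reports every policy entry that is not satisfied. The policy list in SSH_POLICY is an assumption chosen to match the items on this page (Lynis itself checks more options), and the sample `sshd -T` output is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not part of this page or of Lynis): check the effective sshd
# configuration, as printed by `sshd -T` (one "keyword value" pair per line,
# keywords in lower case), against a small hardening policy. The policy below is
# an assumption chosen to match the SSH-7408 items on this page; Lynis itself
# checks more options than these.
SSH_POLICY='permitrootlogin no
maxauthtries 3
passwordauthentication no
x11forwarding no
permitemptypasswords no'

# Print "keyword actual expected" for every policy entry the effective config
# does not satisfy. $1 is a file holding `sshd -T` output.
check_sshd_policy() {
  effective="$1"
  printf '%s\n' "$SSH_POLICY" | while read -r key want; do
    have=$(awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }' "$effective")
    if [ -z "$have" ]; then
      have="(unset)"
    fi
    if [ "$have" != "$want" ]; then
      printf '%s %s %s\n' "$key" "$have" "$want"
    fi
  done
}

# Number of out-of-policy settings; 0 means the host satisfies the policy.
sshd_violation_count() {
  check_sshd_policy "$1" | wc -l | tr -d ' '
}

# Constructed sample of `sshd -T` output resembling a stock Ubuntu server (not a
# real capture): root login and password auth are still open, MaxAuthTries is 6.
write_sample_sshd_t() {
  cat > "$1" <<'EOF'
port 22
permitrootlogin prohibit-password
maxauthtries 6
passwordauthentication yes
x11forwarding yes
permitemptypasswords no
EOF
}

# Demo on the sample. On a live host:
#   sudo sshd -T > /tmp/sshd-effective.txt && check_sshd_policy /tmp/sshd-effective.txt
sample=$(mktemp)
write_sample_sshd_t "$sample"
echo "out-of-policy settings (keyword actual expected):"
check_sshd_policy "$sample"
echo "violations: $(sshd_violation_count "$sample")"
rm -f "$sample"
```

Checking `sshd -T` rather than grepping sshd_config matters because a directive commented out in sshd_config still has an effective default (PermitRootLogin defaults to prohibit-password on recent OpenSSH), and because drop-ins under sshd_config.d override the main file; `sshd -T` is the only view that reflects both.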
Scan results and log files
| File | Description |
|---|---|
| /var/log/lynis.log | Full detailed log of all checks |
| /var/log/lynis-report.dat | Machine-readable report (key=value format; findings are warning[]= and suggestion[]= entries whose fields, starting with the test ID, are separated by pipe characters) |
Extract only warnings:
grep "^warning" /var/log/lynis-report.dat
Extract suggestions:
grep "^suggestion" /var/log/lynis-report.dat
Run specific tests only
# Audit only SSH configuration
sudo lynis audit system --tests-from-group ssh
# Audit only firewall tests (the group is named "firewalls", not "firewall")
sudo lynis audit system --tests-from-group firewalls
# Audit only file permissions
sudo lynis audit system --tests-from-group file_permissions
List the valid group names:
sudo lynis show groups
Automate monthly audits
Create a cron job to run Lynis monthly and keep the output:
sudo nano /etc/cron.d/lynis
0 3 1 * * root /usr/sbin/lynis audit system --cronjob > /var/log/lynis-monthly.log 2>&1
--cronjob runs non-interactively and without colour codes. /var/log/lynis.log and /var/log/lynis-report.dat are still written and overwritten on every run, so add a copy step to the job (a dated copy of lynis-report.dat, remembering that % must be written as \% inside a crontab line) if you want to compare runs later. Confirm the binary's location with command -v lynis before hard-coding /usr/sbin/lynis.
Compare audit over time
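Comparing two runs by hand means saving a copy of lynis-report.dat before each re-scan and reading the numbers off. The script below is an added example, not code from this page or from Lynis: it takes two saved copies of the report (key=value text, with findings as warning[]=TEST-ID|text|details|solution| and suggestion[]=... lines), prints the change in hardening index, and lists which warnings and suggestions are new and which were resolved, which is the information a score alone hides. The two sample reports embedded in it are constructed for the example; the test IDs in them are the ones used on this page, but the scores and texts are not real scan output.

```shell
#!/bin/sh
# Added example (not part of this page or of Lynis): diff two saved copies of
# /var/log/lynis-report.dat. The report is key=value text; findings are lines like
#   warning[]=TEST-ID|text|details|solution|
#   suggestion[]=TEST-ID|text|details|solution|

# Print the hardening index recorded in a report file (empty if the key is absent).
hardening_index() {
  sed -n 's/^hardening_index=//p' "$1" | head -n 1
}

# Print sorted, unique test IDs of one finding type ("warning" or "suggestion").
finding_ids() {
  ftype="$1"; rfile="$2"
  sed -n "s/^${ftype}\[]=\([A-Z]*-[0-9]*\)|.*/\1/p" "$rfile" | sort -u
}

# Hardening index of the new report minus that of the old report.
score_delta() {
  echo $(( $(hardening_index "$2") - $(hardening_index "$1") ))
}

# Set difference of test IDs for one finding type between two reports.
#   diff_findings new      TYPE OLD NEW -> IDs present only in NEW (regressions)
#   diff_findings resolved TYPE OLD NEW -> IDs present only in OLD (fixed)
# Matching is by test ID only, so a finding whose details changed (e.g. SSH-7408
# now complaining about a different option) counts as unchanged.
diff_findings() {
  mode="$1"; dtype="$2"; rold="$3"; rnew="$4"
  tmp_old=$(mktemp); tmp_new=$(mktemp)
  finding_ids "$dtype" "$rold" > "$tmp_old"
  finding_ids "$dtype" "$rnew" > "$tmp_new"
  if [ "$mode" = new ]; then
    comm -13 "$tmp_old" "$tmp_new"   # lines unique to the second (new) file
  else
    comm -23 "$tmp_old" "$tmp_new"   # lines unique to the first (old) file
  fi
  rm -f "$tmp_old" "$tmp_new"
}

# Two constructed sample reports (made up for this example; the test IDs are the
# ones used on this page, the scores and texts are not real scan output).
write_sample_reports() {
  cat > "$1" <<'EOF'
report_version=1.0
hardening_index=62
warning[]=PKGS-7392|Found one or more packages with pending updates|-|-|
warning[]=FIRE-4513|Firewall rules need review|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=LOGG-2154|Enable logging to an external logging host|-|-|
EOF
  cat > "$2" <<'EOF'
report_version=1.0
hardening_index=71
warning[]=FIRE-4513|Firewall rules need review|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=LOGG-2154|Enable logging to an external logging host|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump|-|-|
EOF
}

# Demo on the samples. On a real host pass two dated copies of lynis-report.dat instead.
old_report=$(mktemp); new_report=$(mktemp)
write_sample_reports "$old_report" "$new_report"
echo "hardening_index delta: $(score_delta "$old_report" "$new_report")"
for kind in warning suggestion; do
  echo "new ${kind}s:";      diff_findings new "$kind" "$old_report" "$new_report"
  echo "resolved ${kind}s:"; diff_findings resolved "$kind" "$old_report" "$new_report"
done
rm -f "$old_report" "$new_report"
```

On the samples the score rises by 9, PKGS-7392 drops out of the warnings and AUTH-9262 out of the suggestions, and KRNL-5820 appears as a new suggestion; SSH-7408 is present in both files with different details and is therefore not reported, which is the limitation of matching on test ID alone.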
Each scan overwrites /var/log/lynis-report.dat, so keep a dated copy of the previous report before re-scanning; comparing the warning[]= and suggestion[]= lines of the two copies shows which findings were fixed and which are new, which the score alone does not tell you:
# Keep the previous report and note its score
sudo cp /var/log/lynis-report.dat /var/log/lynis-report.$(date +%F).dat
grep "^hardening_index" /var/log/lynis-report.$(date +%F).dat
# Run a new scan and compare
sudo lynis audit system --quiet
grep "^hardening_index" /var/log/lynis-report.dat
Quick hardening checklist from common Lynis findings
# Disable SSH root login. On Ubuntu/Debian the stock sshd_config leaves the directive
# commented out (#PermitRootLogin prohibit-password), so a sed on "PermitRootLogin yes"
# silently changes nothing. Use a drop-in (sshd_config ships with an Include of
# sshd_config.d on Ubuntu 20.04+/Debian 11+; on older releases edit sshd_config itself),
# validate the result, then restart. Only set PasswordAuthentication no once key login works.
printf 'PermitRootLogin no\nMaxAuthTries 3\nPasswordAuthentication no\n' | \
  sudo tee /etc/ssh/sshd_config.d/90-hardening.conf
sudo sshd -t && sudo systemctl restart ssh
sudo sshd -T | grep -Ei '^(permitrootlogin|maxauthtries|passwordauthentication) '
# Set restrictive permissions on cron directories
sudo chmod 700 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.weekly /etc/cron.monthly
# Mount /tmp as tmpfs with noexec,nosuid,nodev. Some installers and build scripts
# execute from /tmp, so test this on a non-production host first.
echo "tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0" | sudo tee -a /etc/fstab
sudo mount /tmp                # first time: mounts the new fstab entry
# sudo mount -o remount /tmp   # use this instead if /tmp was already a separate mount
findmnt /tmp                   # confirm the options took effect
# Enable process accounting
sudo apt install acct -y
sudo systemctl enable --now acct
Not every Lynis suggestion needs to be implemented; some are informational or only apply to specific environments. Prioritize warnings over suggestions, and test changes on a non-production server first.