lynis
Audit system security hardening and compliance
TLDR
Check that Lynis is up-to-date
Run a security audit of the system
Run a security audit of a Dockerfile
SYNOPSIS
lynis <command> [options]
Common commands:
lynis audit system
lynis show commands
lynis show help
PARAMETERS
audit system
Performs a full security audit of the entire system, checking hundreds of security controls.
show commands
Displays a list of all available commands and their basic purpose.
show help
Shows detailed help information about Lynis and its usage.
--checkall
Ensures all tests are run. This is the default behavior for 'audit system'.
--profile <file>
Specifies a custom profile file to use for the audit, allowing for tailored scanning.
--auditor <name>
Defines the name of the auditor, which will be included in the report file.
--report-file <file>
Sets an alternative path and filename for the audit report.
--no-colors
Disables colored output in the terminal, useful for non-interactive scripts.
--quick
Performs a faster audit by skipping some of the more time-consuming tests.
--debug
Enables debug mode, providing more detailed output for troubleshooting.
--verbose
Increases the verbosity of the output, showing more information during the scan.
DESCRIPTION
Lynis is a free, open-source security auditing and hardening tool for Unix-like operating systems, including Linux, macOS, BSD, and others.
It performs an extensive health check of your system, checking for hundreds of potential security vulnerabilities, misconfigurations, and weak points. Unlike tools that fix issues automatically, Lynis is non-invasive; it doesn't make any changes to your system. Instead, it provides a detailed report with security status, warnings, and actionable recommendations for improving your system's security posture.
Key areas scanned include boot services, kernel, memory and processes, shells, file systems, storage, networking, user accounts, authentication, databases, web services, SSH, and more. It's a valuable tool for system administrators and security professionals looking to enhance the security and compliance of their environments.
CAVEATS
Root Privileges: Lynis requires root privileges to perform a comprehensive system audit. Running it as a non-root user skips tests that need privileged access and produces an incomplete report.
Recommendations, Not Fixes: Lynis identifies issues and provides recommendations; it does not automatically fix vulnerabilities or misconfigurations. Manual intervention is required to implement the suggested hardening steps.
Resource Usage: A full audit can be resource-intensive on some systems, potentially impacting performance during the scan.
False Positives: While rare, some warnings or suggestions might be false positives or not applicable to specific system configurations, requiring careful review and interpretation of the report.
Regular Updates: For the most accurate and up-to-date checks, it's crucial to keep Lynis itself updated regularly.
INSTALLATION
Lynis can typically be installed via your operating system's package manager (e.g., apt install lynis on Debian/Ubuntu, yum install lynis on RHEL/CentOS) or by downloading the latest tarball from the official website and extracting it to a desired location (e.g., /opt/lynis).
TYPICAL USAGE FLOW
After installation, the typical usage involves running sudo lynis audit system to initiate a full scan. The output is displayed in the terminal, and a detailed report is saved (by default to /var/log/lynis-report.dat). Review this report to identify security weaknesses and follow the provided recommendations to harden your system, then re-run Lynis to verify improvements.
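As an added example (not the lynis project's own code) of scripting this flow: the functions below build the non-interactive audit command from the options listed under PARAMETERS and then compare a baseline report with a re-run, so the "verify improvements" step can be automated. It assumes the report file is a plain key=value text file in which repeated keys end in `[]` (for example `warning[]=TEST-ID|description|...`) and which carries a `hardening_index=` line; both sample reports are constructed here, not real lynis output, and the test IDs in them are placeholders.

```sh
#!/bin/sh
# Added example, not part of lynis. Assumed report format: key=value lines,
# repeated keys end in "[]" (warning[]=ID|text|...), plus hardening_index=N.

# Build the audit command line from the options documented above.
# Usage: build_audit_cmd <auditor-name> <report-file>
build_audit_cmd() {
    printf 'lynis audit system --quick --no-colors --auditor %s --report-file %s\n' "$1" "$2"
}

# Number of warning[] entries in a report (0 when there are none).
count_warnings() {
    grep -c '^warning\[\]=' "$1" || true
}

# Test IDs of all warnings: the first '|'-separated field of each value.
warning_ids() {
    grep '^warning\[\]=' "$1" | cut -d= -f2 | cut -d'|' -f1
}

# Hardening index (0-100) from the report; defaults to 0 if the line is missing.
hardening_index() {
    idx=$(sed -n 's/^hardening_index=//p' "$1")
    printf '%s\n' "${idx:-0}"
}

# Succeeds when the re-run did not lower the index or raise the warning count.
# Usage: verify_improvement <baseline-report> <rerun-report>
verify_improvement() {
    [ "$(hardening_index "$2")" -ge "$(hardening_index "$1")" ] &&
    [ "$(count_warnings "$2")" -le "$(count_warnings "$1")" ]
}

# Constructed sample reports (placeholder test IDs, not lynis output).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/before.dat" <<'EOF'
# constructed baseline report
hardening_index=62
warning[]=TEST-0001|Example warning one|-|-|
warning[]=TEST-0002|Example warning two|-|-|
suggestion[]=TEST-0003|Example suggestion|-|-|
EOF
cat > "$WORK/after.dat" <<'EOF'
# constructed report after applying the recommendations
hardening_index=71
warning[]=TEST-0002|Example warning two|-|-|
suggestion[]=TEST-0003|Example suggestion|-|-|
EOF

echo "Would run: $(build_audit_cmd sec-team "$WORK/after.dat")"
echo "Warnings before: $(count_warnings "$WORK/before.dat"), after: $(count_warnings "$WORK/after.dat")"
echo "Remaining warning IDs: $(warning_ids "$WORK/after.dat" | tr '\n' ' ')"
if verify_improvement "$WORK/before.dat" "$WORK/after.dat"; then
    echo "hardening index rose from $(hardening_index "$WORK/before.dat") to $(hardening_index "$WORK/after.dat")"
else
    echo "no improvement: review the remaining warnings" >&2
fi
```

In a real run, replace the constructed files with the `--report-file` output of two audits, and keep the baseline report so regressions after later configuration changes show up as a drop in the index or a new warning ID.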
HISTORY
Lynis was first released in 2007 by Michael van der Veen as a robust, open-source solution for security auditing. Initially developed to help system administrators harden Unix-based systems, it quickly gained traction due to its comprehensive nature and non-invasive approach. Over the years, it has seen continuous development and improvements, adding new tests, compliance standards, and features, establishing itself as a go-to tool for security professionals and sysadmins worldwide to assess and enhance system security.
SEE ALSO
OpenVAS, Nessus, chkrootkit(8), rkhunter(8), oscap(8)