lynis

System and security auditing tool

TLDR

Check that Lynis is up-to-date

>_ sudo lynis update info
copy

Run a security audit of the system

>_ sudo lynis audit system
copy

Run a security audit of a Dockerfile

>_ sudo lynis audit dockerfile [path/to/dockerfile]
copy

SYNOPSIS

lynis [scan mode] [other options]

SCAN TYPES

audit system Performs a system audit, which is the most common audit. audit system remote Provide commands to do a remote scan. For more scan modes, see the helper utilities.

COMMANDS

audit Perform an audit of the selected type show Show varies information details like configuration and paths update Perform activities regarding updating upload-only Upload the available report data file

DESCRIPTION

Lynis is a security auditing tool for Linux, Mac OSX, and UNIX systems. It checks the system and the software configuration, to see if there is any room for improvement the security defenses. All details are stored in a log file. Findings and other discovered data is stored in a report file. This can be used to compare differences between audits. Lynis can run interactively or as a cronjob. Root permissions (e.g. sudo) are not required, however provide more details during the audit. The following system areas may be checked: - Boot loader files - Configuration files - Software packages - Directories and files related to logging and auditing

FIRST TIME USAGE

When running Lynis for the first time, run: lynis audit system

OPTIONS

--auditor Define the name of the auditor/pen-tester. When a full name is used, add double quotes, like "Your Name". --checkall (or -c) Lynis performs a full check of the system, printing out the re‐ sults of each test to stdout. Additional information will be saved into a log file (default is /var/log/lynis.log). This op‐ tion invokes scan mode "audit system". In case the outcome of a scan needs to be automated, use the re‐ port file. --config Show which settings file or profile is being used, then quit. --cronjob Perform automatic scan with cron safe options (no colors, no questions, no breaks). --debug Display debug information to screen for troubleshooting pur‐ poses. --developer Display developer information when creating tests. --dump-options Show all available parameters. --logfile Defines location and name of log file, instead of default /var/log/lynis.log. --no-colors Do not use colors for messages, warnings and sections. --no-log Redirect all logging information to /dev/null, prevent sensitive information to be written to disk. --pentest Run a non-privileged scan, usually for penetration testing. Some of the tests will be skipped if they require root permissions. --plugin-dir Define location where plugins can be found. --profile Provide alternative profile to perform the scan. --quick (-Q) Do a quick scan (don't wait for user input). --quiet (-q) Run quietly and do not show anything to the screen. Will also enable quick mode. --report-file Provide an alternative name for report file. --reverse-colors Optimize screen output for light backgrounds. --skip-plugins Do not run plugins. --tests TEST-IDs Only run the specific test(s). When using multiple tests, add quotes around the line. --tests-from-group Only perform tests from particular group of tests. Use 'show groups' to determine valid options. --upload Upload data to Lynis Enterprise server. --wait Wait for user to continue. This adds a break after each section (opposed of --quick). --warnings-only Run quietly, except warnings. Multiple parameters are allowed, though some parameters can only be used together with others. When running Lynis without any pa‐ rameters, help will be shown and the program will exit.

HELPERS

Lynis has special helpers to do certain tasks. This way the framework of Lynis is used, while at the same time storing most of the function‐ ality in a separated file. This speeds up execution and keeps the code clean. audit Run audit on the system or on other targets show Provide details about Lynis update Run updater utility To use a helper, run Lynis followed by the helper name.

EXIT CODES

Lynis uses exit codes to signal any invoking script. Currently the fol‐ lowing codes are used: 0 Program exited normally 1 Fatal error 64 An unknown parameter is used, or incomplete 65 Incorrect data encountered 66 Can't open file or directory 78 Lynis found 1 or more warnings or configurations errors (with error-on-warnings=yes)

BUGS

Bugs can be reported via GitHub at https://github.com/CISOfy/lynis

DOCUMENTATION

Supporting documentation can be found via https://cisofy.com/support/

LICENSING

Lynis is licensed as GPL v3. It was created by Michael Boelen in 2007. Development has been taken over by CISOfy. Plugins may have a different license.

CONTACT INFORMATION

Support requests and project related questions can be addressed via e- mail: lynis-dev@cisofy.com.

Copied to clipboard
free 100$ digital ocean credit