Lynis - System and
security auditing tool
lynis [scan mode] [other options]
Lynis is a security auditing tool for Linux, Mac OSX, and
UNIX systems. It checks the system and the software configuration, to see if
there is any room for improvement the security defenses. All details are
stored in a log file. Findings and other discovered data is stored in a
report file. This can be used to compare differences between audits.
Lynis can run interactively or as a cronjob. Root permissions (e.g.
sudo) are not required, however provide more details during the audit.
The following system areas may be checked:
- - Boot loader files
- - Configuration files
- - Software packages
- - Directories and files related to logging and auditing
-
When running Lynis for the first time, run: lynis audit
system
- audit <type>
- Perform an audit of the selected type
- show <parameter>
- Show varies information details like configuration and paths
- update <parameter>
- Perform activities regarding updating
- upload-only
- Upload the available report data file
- audit system
- Performs a system audit, which is the most common audit.
- audit system remote <host>
- Provide commands to do a remote scan.
For more scan modes, see the helper utilities.
- --auditor <full
name>
- Define the name of the auditor/pen-tester. When a full name is used, add
double quotes, like "Your Name".
- --checkall (or
-c)
- Lynis performs a full check of the system, printing out the results
of each test to stdout. Additional information will be saved into a log
file (default is /var/log/lynis.log). This option invokes scan mode
"audit system".
- In case the outcome of a scan needs to be automated, use the report
file.
- --config
- Show which settings file or profile is being used, then quit.
- --cronjob
- Perform automatic scan with cron safe options (no colors, no questions, no
breaks).
- --debug
- Display debug information to screen for troubleshooting purposes.
- --developer
- Display developer information when creating tests.
- --dump-options
- Show all available parameters.
- --logfile
</path/to/logfile>
- Defines location and name of log file, instead of default
/var/log/lynis.log.
- --no-colors
- Do not use colors for messages, warnings and sections.
- --no-log
- Redirect all logging information to /dev/null, prevent sensitive
information to be written to disk.
- --pentest
- Run a non-privileged scan, usually for penetration testing. Some of the
tests will be skipped if they require root permissions.
- --plugin-dir
</path/to/plugins>
- Define location where plugins can be found.
- --profile
<file>
- Provide alternative profile to perform the scan.
- --quick (-Q)
- Do a quick scan (don't wait for user input).
- --quiet (-q)
- Run quietly and do not show anything to the screen. Will also enable quick
mode.
- --report-file
<file>
- Provide an alternative name for report file.
- --reverse-colors
- Optimize screen output for light backgrounds.
- --skip-plugins
- Do not run plugins.
- --tests
TEST-IDs
- Only run the specific test(s). When using multiple tests, add quotes
around the line.
- --tests-from-group
<group>
- Only perform tests from particular group of tests. Use 'show groups' to
determine valid options.
- --upload
- Upload data to Lynis Enterprise server.
- --wait
- Wait for user to continue. This adds a break after each section (opposed
of --quick).
- --warnings-only
- Run quietly, except warnings.
Multiple parameters are allowed, though some parameters
can only be used together with others. When running Lynis without any
parameters, help will be shown and the program will exit.
Lynis has special helpers to do certain tasks. This way the
framework of Lynis is used, while at the same time storing most of the
functionality in a separated file. This speeds up execution and keeps the
code clean.
- audit
- Run audit on the system or on other targets
- show
- Provide details about Lynis
- update
- Run updater utility
To use a helper, run Lynis followed by the helper name.
Lynis uses exit codes to signal any invoking script. Currently the
following codes are used:
- 0
- Program exited normally
- 1
- Fatal error
- 64
- An unknown parameter is used, or incomplete
- 65
- Incorrect data encountered
- 66
- Can't open file or directory
- 78
- Lynis found 1 or more warnings or configurations errors (with
error-on-warnings=yes)
Bugs can be reported via GitHub at
https://github.com/CISOfy/lynis
Supporting documentation can be found via
https://cisofy.com/support/
Lynis is licensed as GPL v3. It was created by Michael Boelen in
2007. Development has been taken over by CISOfy. Plugins may have a
different license.
Support requests and project related questions can be addressed
via e-mail: lynis-dev@cisofy.com.