Harden your system with Lynis

September 2017

Hardening - (in computing) the process of securing a system by reducing its surface of vulnerability.

You may need to check many components, features and configuration files in order to safeguard your system from attack. There are some tools available around, made to make your live easier. OpenVAS, Lynis, and MBSA (for Microsoft users) just to name a few. In this blog post I will present how you can identify security concerns on UNIX-based operating systems using Lynis. Keep in mind that default baselines provided with scanners may not be sufficient to detect all incorrectly configured services on the target machine.

Background information


Many distributions have the free Lynis version available in their repositories. You can also clone or download project files from GitHub (no compilation required):

# git clone https://github.com/CISOfy/lynis
# cd lynis
# ./lynis 

Example of output:


If you have installed Lynis some time ago - check for update:

# ./lynis update info

Example of output:


Now Lynis should be ready at your command.


To perform system audit, using the default profile provided by vendor of Lynis, execute below command:

# ./lynis audit system

And here is result of such an audit for a default Ubuntu Xenial (16.04.2 LTS) image I got from Atlas at the time of writing:

  • Password policies:
  • Package manager related stuff:
  • Firewall not being configured:
  • Tips for openssh daemon:

As you see, suggestions include links to knowledge base provided by the vendor.

The results show that in case of default installation of Ubuntu 16.04.2 LTS there is a clearly a huge margin for improvement. But do not be suprised - from my experience there is no such thing like default installation of Linux/UNIX distribution being fully secured.

All details are also stored in a log file. Findings and other discovered data are stored in a report file. This can be used to compare difference between audits. Lynis can run as a cronjob (use --cron option to perform scan with cron safe options - no colors, no questions, no breaks).


Want to create your own tests? Have a look at Lynis SDK.

30 seconds demo

Everybody loves to read blog posts, right? If not - here is 30 seconds demo made by CISOfy.

Additional resources