What is Lynis?
Lynis is an open-source security auditing tool that scans your Linux system for misconfigurations, missing patches, and hardening opportunities.
Installation
```bash
sudo apt install -y lynis
# Or latest from source
cd /opt
sudo git clone https://github.com/CISOfy/lynis
```
Running an Audit
```bash
sudo lynis audit system
```
The scan takes 2-5 minutes and checks:
- Boot and services
- Kernel configuration
- Memory and processes
- Users, groups, and authentication
- Shells and login settings
- File systems and storage
- USB devices
- Networking and firewall
- SSH configuration
- SNMP settings
- Web server configuration
- Database settings
- LDAP services
- PHP configuration
- Cryptography
- Logging and monitoring
- Malware scanning
Understanding Results
```text
Hardening index : 72 [##############      ]
Tests performed : 256
Plugins enabled : 2
```
Suggestions are categorized:
| Priority | Action |
|---|---|
| Critical | Fix immediately — active vulnerability |
| High | Fix soon — missing security control |
| Medium | Improve — hardening opportunity |
| Low | Nice to have — minor improvement |
Common Findings and Fixes
Kernel Hardening
```bash
# /etc/sysctl.conf
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
```
Reload the settings from /etc/sysctl.conf:
```bash
sudo sysctl -p
```
File Permissions
```bash
# Restrict cron access
sudo chmod 600 /etc/crontab
sudo chmod 700 /etc/cron.d /etc/cron.daily /etc/cron.hourly
# Restrict SSH config
sudo chmod 600 /etc/ssh/sshd_config
```
Automated Scanning
```bash
# Weekly scan with email report (Sunday 03:00)
echo "0 3 * * 0 root lynis audit system --cronjob 2>&1 | mail -s 'Lynis Report' admin@example.com" | sudo tee /etc/cron.d/lynis-weekly
```
Tip: Run Lynis after every major configuration change and compare the hardening score over time. Aim for a score above 80.
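Comparing the score over time is easier from the machine-readable report Lynis writes to /var/log/lynis-report.dat (key=value lines) than from the emailed text. The script below is an added example, not part of this page or of the Lynis project: it parses that report, compares the hardening index with the previous run, and exits non-zero on a regression or a score below the target so the weekly cron job can flag it. The sample report text and the history file path are constructed assumptions.

```python
import sys
from pathlib import Path
REPORT = Path("/var/log/lynis-report.dat")     # written by `lynis audit system`
HISTORY = Path("/var/lib/lynis-score-history")  # assumed path: one score per line

# Constructed sample in the report's key=value format (not real Lynis output)
SAMPLE_REPORT = """\
hardening_index=72
tests_performed=256
warning[]=KRNL-6000|sysctl key net.ipv4.conf.all.accept_redirects has a different value than expected|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=FILE-7524|Consider restricting file permissions|/etc/crontab|-|
"""

def parse_report(text):
    """Return (hardening_index, warning test IDs, suggestion test IDs)."""
    index, warnings, suggestions = None, [], []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "hardening_index":
            index = int(value)
        elif key == "warning[]":        # fields are pipe-separated, test ID first
            warnings.append(value.split("|")[0])
        elif key == "suggestion[]":
            suggestions.append(value.split("|")[0])
    return index, warnings, suggestions

def assess(text, previous=None, target=80):
    """Compare this run with the previous score and the target threshold."""
    index, warnings, suggestions = parse_report(text)
    if index is None:
        raise ValueError("no hardening_index in report")
    delta = None if previous is None else index - previous
    return {"index": index, "delta": delta,
            "regressed": delta is not None and delta < 0,
            "meets_target": index >= target,
            "warnings": warnings, "suggestions": suggestions}

def main():
    scores = HISTORY.read_text().split() if HISTORY.exists() else []
    result = assess(REPORT.read_text(), int(scores[-1]) if scores else None)
    with HISTORY.open("a") as f:
        f.write(f"{result['index']}\n")
    print(f"hardening index {result['index']} (delta {result['delta']}), "
          f"{len(result['warnings'])} warnings, {len(result['suggestions'])} suggestions")
    # non-zero exit lets cron or monitoring flag a regression or a score below target
    sys.exit(1 if result["regressed"] or not result["meets_target"] else 0)

if __name__ == "__main__":
    main()
```

Run it as root right after `lynis audit system --cronjob` in the cron entry; the test IDs it returns (for example SSH-7408) are the ones to look up with `lynis show details <TEST-ID>`.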