How to Audit System Security with Lynis
Lynis is an open-source security auditing tool that performs an extensive scan of your Linux system, checking for security issues, misconfigurations, and hardening opportunities. Running Lynis on your Breeze instance provides a comprehensive security posture assessment with actionable recommendations.
Installing Lynis
On Ubuntu or Debian:
sudo apt update
sudo apt install -y lynis
On AlmaLinux or Rocky Linux:
sudo dnf install -y epel-release
sudo dnf install -y lynis
For the latest version on Debian or Ubuntu, install from the official CISOfy repository:
wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -
echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
sudo apt update
sudo apt install -y lynis
Running a Full System Audit
sudo lynis audit system
The audit scans dozens of categories including boot and services, kernel settings, memory and processes, users and groups, networking, software packages, file systems, storage, name services, logging, and more.
Understanding the Output
Lynis presents its results in three parts:
- Warnings — critical issues requiring immediate attention (shown in red)
- Suggestions — recommended improvements to harden the system (shown in yellow)
- Hardening Index — an overall score from 0 to 100 summarising your security posture (a single figure, not an individual finding)
At the end of the scan, review the on-screen summary. The full machine-readable results are also written to /var/log/lynis-report.dat as key=value lines, where each warning and suggestion carries the ID of the test that raised it:
# View the detailed report
sudo cat /var/log/lynis-report.dat
# View just warnings (one per line: test ID|message|details|solution)
sudo grep "^warning\[\]" /var/log/lynis-report.dat
# View suggestions
sudo grep "^suggestion\[\]" /var/log/lynis-report.dat
Common Findings and Fixes
Lynis frequently flags these issues on Breeze instances:
SSH Hardening
# /etc/ssh/sshd_config
# Check the file with 'sudo sshd -t' and restart sshd after editing;
# keep an existing session open until a new login succeeds
PermitRootLogin no
MaxAuthTries 3
X11Forwarding no
# AllowTcpForwarding no disables SSH port forwarding; omit it if you rely on tunnels
AllowTcpForwarding no
ClientAliveCountMax 2
ClientAliveInterval 300
LoginGraceTime 30
Kernel Hardening
# /etc/sysctl.d/99-hardening.conf
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.sysrq = 0
net.ipv4.conf.all.log_martians = 1
Apply the settings:
sudo sysctl -p /etc/sysctl.d/99-hardening.conf
File Permission Fixes
# Secure cron directories
sudo chmod 700 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.weekly /etc/cron.monthly
# Restrict the SSH daemon configuration to root
sudo chmod 600 /etc/ssh/sshd_config
# Remove the world-writable bit from regular files on the root filesystem
# (-xdev stops find from descending into other mounted filesystems);
# run the same find with -ls first and review the matches before changing permissions in bulk
sudo find / -xdev -type f -perm -0002 -exec chmod o-w {} +
Automating Lynis Audits
Schedule regular audits with cron:
# Create audit script
cat <<'SCRIPT' | sudo tee /usr/local/bin/lynis-audit.sh
#!/bin/bash
# Run a non-interactive Lynis audit, keep a dated copy of the report, and mail the score
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
REPORT_DIR="/var/log/lynis"
mkdir -p "$REPORT_DIR"
DATE=$(date +%Y%m%d)
lynis audit system --quiet --no-colors > "$REPORT_DIR/audit-$DATE.log" 2>&1
# Lynis writes its machine-readable results to /var/log/lynis-report.dat and
# overwrites that file on every run, so keep a dated copy for later comparison
cp /var/log/lynis-report.dat "$REPORT_DIR/report-$DATE.dat"
SCORE=$(grep "^hardening_index=" "$REPORT_DIR/report-$DATE.dat" | cut -d= -f2)
echo "Lynis audit complete. Hardening index: $SCORE" | mail -s "Lynis Audit Report" admin@yourdomain.com
SCRIPT
sudo chmod +x /usr/local/bin/lynis-audit.sh
# Schedule weekly audit (Sunday 05:00; the user field is required in /etc/cron.d)
echo "0 5 * * 0 root /usr/local/bin/lynis-audit.sh" | sudo tee /etc/cron.d/lynis-audit
Comparing Audits Over Time
Track your hardening progress by comparing the dated report copies (the console log written by --quiet does not contain the hardening_index line, so compare the .dat files):
# Compare hardening index between two reports
grep "^hardening_index=" /var/log/lynis/report-20260301.dat
grep "^hardening_index=" /var/log/lynis/report-20260201.dat
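The score alone does not tell you which findings were fixed or newly introduced. The following is an added example (not from the original page and not part of Lynis) that parses two lynis-report.dat files and lists the warnings and suggestions that appeared or were resolved between them; the two embedded reports are constructed samples standing in for two dated copies from the audit directory.

```python
# Added example, not from the original page: parse two lynis-report.dat files
# and show what changed between audits. Format: one key=value per line, '#'
# comments; repeated keys end in '[]' and hold pipe-separated fields, e.g.
#   warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin|-|

# Constructed sample reports (not real Lynis output) standing in for two dated copies.
REPORT_FEB = """\
# Lynis Report
hardening_index=58
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
warning[]=KRNL-6000|One or more sysctl values differ from the scan profile|kernel.sysrq|-|
suggestion[]=FILE-6368|Double check the permissions of cron directories|/etc/cron.d|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 3)|-|
"""
REPORT_MAR = """\
# Lynis Report
hardening_index=71
suggestion[]=FILE-6368|Double check the permissions of cron directories|/etc/cron.d|-|
suggestion[]=LOGG-2190|Check what deleted files are still in use|-|-|
"""


def parse_report(text):
    """Return {'hardening_index': int, 'warnings': {id: msg}, 'suggestions': {id: msg}}."""
    rep = {"hardening_index": 0, "warnings": {}, "suggestions": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("warning[]", "suggestion[]"):
            fields = value.split("|")  # test id | message | details | solution
            bucket = rep["warnings" if key == "warning[]" else "suggestions"]
            bucket[fields[0]] = fields[1] if len(fields) > 1 else ""
        elif key == "hardening_index":
            rep["hardening_index"] = int(value)
    return rep


def diff_reports(old, new):
    """Index delta plus the findings (by test id) that appeared or disappeared."""
    out = {"index_delta": new["hardening_index"] - old["hardening_index"]}
    for kind in ("warnings", "suggestions"):
        out["new_" + kind] = sorted(new[kind].keys() - old[kind].keys())
        out["resolved_" + kind] = sorted(old[kind].keys() - new[kind].keys())
    return out
```

To run it against real audits, read two files from /var/log/lynis with open(path).read(), pass each through parse_report, and hand the results to diff_reports.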
Best Practices
- Run audits after every major change — new software installations, configuration changes, or OS updates
- Address warnings first — focus on critical findings before working through suggestions
- Track your hardening index — aim to improve the score with each audit cycle
- Use profiles — create custom Lynis profiles for different Breeze instance roles
- Combine with other tools — use Lynis alongside OSSEC, rkhunter, and CIS benchmarks for comprehensive coverage
Regular Lynis audits help you maintain a strong security posture on your Breeze instances by identifying weaknesses before attackers can exploit them.