Application security

Lynis: Walkthrough

Chiragh Dewan
April 20, 2017 by
Chiragh Dewan

Lynis is an open-source security audit tool used to check the security of Linux and UNIX based systems. Since it is self-hosted, it performs extensive security scans when compared to other vulnerability scanners. Lynis is a tool released by CISOFY.

Lynis works on a variety of UNIX-based systems such as:

  • FreeBSD
  • Linux
  • MacOS
  • OpenBSD
  • NetBSD
  • AIX
  • HP-UX
  • Solaris
  • Raspberry Pi
  • Backtrack Linux
  • Kali Linux
  • CentOS
  • Linux Mint
  • Debian
  • Arch Linux
  • Fedora
  • Ubuntu
  • Red Hat Enterprise Linux
  • Lynis can also be used to audit additional services such as:

    • Apache
    • Nginx
    • Oracle Database
    • MySQL
    • PostgreSQL

    Lynis can be downloaded from

    An important feature of Lynis is its Opportunistic Scanning which means that it only scans for what it comes across. Say the system you are scanning has an Apache server running on it. Lynis will scan for only the vulnerabilities related to Apache. While doing so, if it comes across an SSL/TLS configuration, only then it will scan for additional vulnerabilities thus saving time. In short, it will always perform a customized scan depending on the system.


    Once downloaded, simply go into the folder and start by typing:

    $ ./lyins

    This will show us the various commands and options we can do with it:

    To get further information, we can type:

    $ ./lynis show options

    Mainly, Lynis is used for the following purposes:

    • System hardening
    • Vulnerability detection and scanning
    • Security auditing
    • Compliance testing (PCI, HIPPA, SOx)

    Additional plugins can be used to perform additional tests.

    Running a Basic Scan

    To run a basic scan on your system with Lynis, simply type:

    $ ./lynis audit system

    Note: By adding the parameter --quick will enable Lynis to run without any pauses and would enable us to work on other things while it scans.

    Lynis will show us any important warnings that we might need to be aware of

    as well as the location of the log files generated along with the report data.

    How it works

    • It starts off by detecting the Operating System
    • It will then search for the available tools and utilities
    • It will check whether Lynis needs to be updated
    • It will run tests from enabled plugins
    • It will run relevant tests for each category
    • Finally, it will end by reporting the status of the scan

    Sample of Log File

    Sample of Report File

    As you can see, Lynis includes impacts and suggestions (highlighted in blue) for anything that might be harmful to the system.

    Running Specific Tests

    Lynis also gives us the option to run specific tests on specific modules. However, we need to know the TEST ID of that tests. To do that, we do need to have a log file of the complete scan so that we can fetch the TEST ID's from.

    Here's a list of TEST ID's available in Lynis:

    • BOOT
    • KRNL (Kernel)
    • PROC (Processor)
    • AUTH (Authentication)
    • SHELL
    • FILE
    • STRG (Storage)
    • NAME (DNS)
    • PKGC (Packages)
    • NETW (Network)
    • PRNT (Printer)
    • MAIL
    • FIRE (Firewall)
    • HTTP (Web Server)
    • SSH
    • SNMP
    • DBS (Database)
    • PHP
    • LDAP
    • SQD (Squid Proxy)
    • LOGG (Logging)
    • INSE (Insecure Services - Inetd)
    • SCHD (Scheduling - Cron Jobs)
    • ACCT (Accounting)
    • TIME (Time Protocol - NTP)
    • CRYP (Cryptography)
    • VIRT (Virtualization)
    • HOME
    • HRDN (Hardening)
    • MALW (Malware)
    • MACF (AppArmour - SELINUX)

    By using a simple GREP command, we can fetch the relevant TEST ID from the log file and perform specific tests:

    $ cat /var/log/lynis.log | grep MALW

    Moreover, as we can see, it shows us all the TEST ID's associated with Malware scanning along with that they do. Now if we want to check for Rootkit Hunter, we will simply run:

    $ ./lynis --tests "MALW-3276"

    We can also run multiple specific tests say for Rootkit Hunter and LMD by:

    $ ./lynis --tests "MALW-3276 MALW-3278"

    We can do this with different test modules as well.

    We can also use the GREP command to filter out the Warnings and Suggestions from that long log file.

    Updating Lynis

    It is always recommended to keep your scanners up-to-date, and Lynis is not an exception to that. A simple command can help us to do the same:

    $ ./lynis update info

    Making a Cron Job

    We can create a simple bash script and make it run Lynis on a daily basis and save its report so as to be extra careful:



    DATE=$(date +%Y%m%d)





    cd /opt/lynis

    ./lynis -c --auditor "${AUDITOR}" --cronjob > ${REPORT}

    mv /var/log/lynis-report.dat ${DATA}

    Just save the above code in:

    $ vi /etc/cron.daily/

    and give it the proper permissions by:

    11 courses, 8+ hours of training

    11 courses, 8+ hours of training

    Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

    $ sudo chmod 755 /etc/cron.daily/

    Chiragh Dewan
    Chiragh Dewan

    A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/ Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security including at an TEDx event.