What is Lynis?
Lynis is a free, open source, battle-tested security tool for systems running Linux, macOS, or another Unix-based operating system.
It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software released under the GPL license and has been available since 2007.
What can Lynis do?
Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Penetration testing
- Vulnerability detection
- System hardening
How does Lynis work?
Lynis runs a series of tests and checks on your system and its configuration, then gives you a score (from 0 to 100) based on your hardening level.
After the test, it gives you a series of recommendations and tips to improve your hardening even further.
Lynis scanning is modular and opportunistic. This means it will only use and test the components that it can find, such as the available system tools and their libraries.
The benefit is that no installation of other tools is needed, so you can keep your systems clean.
Lynis performs hundreds of individual tests. Each test will help to determine the security state of the system. Most tests are written in shell script and have a unique identifier (e.g. KRNL-6000).
Audience and use cases:
- Developers: Test that Docker image, or improve the hardening of your deployed web application.
- System administrators: Run daily health scans to discover new weaknesses.
- IT auditors: Show colleagues or clients what can be done to improve security.
- Penetration testers: Discover security weaknesses on your clients' systems that may eventually result in system compromise.
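For the daily health scan use case and the score and test identifiers described above, the following added example (not part of Lynis or of the original page) compares two scan reports and lists findings that are new. It assumes reports in the key=value layout of Lynis's report file (lynis-report.dat), which this page does not describe; the function names, sample files and the EXAMPLE-* test IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two Lynis report files from consecutive daily scans.
# Assumption: reports use the key=value layout of lynis-report.dat.
export LC_ALL=C

# Hardening index (0-100) recorded in a report.
lynis_index() {
    sed -n 's/^hardening_index=\([0-9][0-9]*\)$/\1/p' "$1" | head -n 1
}

# One "TEST-ID kind" line per warning[]/suggestion[] entry, sorted and unique.
lynis_findings() {
    awk -F'[=|]' '/^(warning|suggestion)\[\]=/ {
        sub(/\[\]$/, "", $1); print $2, $1 }' "$1" | sort -u
}

# Findings present in the new report ($2) but not in the old one ($1).
lynis_new_findings() {
    old_list=$(mktemp); new_list=$(mktemp)
    lynis_findings "$1" > "$old_list"
    lynis_findings "$2" > "$new_list"
    comm -13 "$old_list" "$new_list"
    rm -f "$old_list" "$new_list"
}

# Succeeds (exit 0) when the score dropped or a new warning appeared.
lynis_regressed() {
    if [ "$(lynis_index "$2")" -lt "$(lynis_index "$1")" ]; then return 0; fi
    lynis_new_findings "$1" "$2" | grep -q ' warning$'
}

# Constructed sample reports (not output from a real scan).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/day1.dat" <<'EOF'
hardening_index=68
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
EOF
cat > "$SAMPLE_DIR/day2.dat" <<'EOF'
hardening_index=64
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
warning[]=EXAMPLE-0001|Constructed warning text for this example|-|-|
suggestion[]=EXAMPLE-0002|Constructed suggestion text for this example|-|-|
EOF

lynis_new_findings "$SAMPLE_DIR/day1.dat" "$SAMPLE_DIR/day2.dat"
if lynis_regressed "$SAMPLE_DIR/day1.dat" "$SAMPLE_DIR/day2.dat"; then
    echo "hardening regressed: $(lynis_index "$SAMPLE_DIR/day1.dat") -> $(lynis_index "$SAMPLE_DIR/day2.dat")"
fi
```

Pointing the functions at two saved copies of a real report file, one per day, turns the comparison into a simple alert on newly introduced weaknesses.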
What operating systems does Lynis support?
Lynis runs on almost all UNIX-based systems and versions, including: AIX, FreeBSD, HP-UX, Linux, macOS, NetBSD, NixOS, OpenBSD, Solaris and others.
It even runs on systems like the Raspberry Pi, IoT devices, and QNAP storage devices.
- Lynis tests (controls): Lynis performs hundreds of individual tests. Each test will help to determine the security state of the system.
- Flexibility: Lynis is modular and allows you to run your own self-created tests. You can even create them in other scripting or programming languages.
- Lynis Plugins: Plugins are modular extensions to Lynis. The plugins provide the most value in environments with more than 10 systems.
- Supported standards: Automate or test against security best practices from sources like CIS benchmarks, NIST, NSA, OpenSCAP data, and vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat).