
Lynis Security Audit Guide: Complete Hardening 2026

Suresh S

Imagine hiring a security expert to walk through your entire organization, checking every door, window, alarm system, and policy—then providing you with a detailed report of every vulnerability and exactly how to fix it. That’s what Lynis does for your Linux system.

Lynis is an open-source security auditing tool for Linux and other Unix-like systems. It inspects the running system, flags weak or missing hardening, and prints a concrete suggestion for every finding. It is a configuration and hardening auditor, not a CVE scanner: it tells you that SSH still allows password logins or that core dumps are unrestricted, not which packages have known vulnerabilities. With recurring, documented configuration audits now expected by most compliance programmes, Lynis has become a standard tool for system administrators, security engineers and auditors.

This comprehensive guide will walk you through installing, configuring, and using Lynis to audit and harden your Linux systems.

What is Lynis?

Lynis is a security auditing tool developed by CISOfy, written as a portable shell script with no dependencies beyond a POSIX shell, that performs:

  • System hardening assessment, summarised in a hardening index from 0 to 100
  • Detection of weak or risky configuration in the operating system and common services
  • Configuration review of SSH, web servers, databases, logging, mail and more
  • Basic compliance checks against standards such as PCI-DSS, HIPAA and ISO 27001 (full per-requirement compliance reporting is part of the commercial Lynis Enterprise)
  • Detection of security frameworks such as AppArmor and SELinux

Key Features

Feature                   Description
Non-intrusive scanning    Reads configuration and state only; writes nothing but its own log and report files
Comprehensive checks      Several hundred tests grouped by area (list them with: lynis show tests)
Clear result tags         Every check ends with a status such as OK, WARNING, SUGGESTION, FOUND or NOT FOUND
Customizable profiles     Skip tests, set the machine role and select compliance standards per host class
Machine-readable report   A key=value report file that scripts, monitoring and SIEMs can parse
Integration options       Runs unattended from cron, configuration management and CI pipelines

Why Lynis in 2026?

# Growing Security Requirements
- Most compliance programmes (PCI-DSS, ISO 27001, SOC 2, HIPAA) expect recurring, documented configuration audits
- Manual reviews do not scale to fleets of hosts; audits have to be scriptable and repeatable
- Lynis runs unattended from cron or configuration management and leaves a report you can parse and archive as evidence

# Cost-Effective Solution
- Free and open-source (GPLv3)
- No agent, no daemon, no database: a single shell script
- Reduces, but does not replace, the work of an external auditor

# Comprehensive Coverage
- Tests grouped into dozens of areas: boot, kernel, accounts, file systems, networking, SSH, web servers, databases, logging, malware scanners and more
- Every finding carries a test ID (for example SSH-7408) that links to a description and remediation advice via lynis show details

Installing Lynis

Ubuntu/Debian Installation

# Standard installation
sudo apt update
sudo apt install lynis -y

# Verify installation
lynis --version

# Check documentation
lynis --help

CentOS/RHEL/Rocky Linux Installation

# Enable EPEL repository
sudo dnf install epel-release -y

# Install Lynis
sudo dnf install lynis -y

# Verify installation
lynis --version

Manual Installation (Latest Version)

Distribution packages often lag a year or more behind upstream; the tarball is the way to get the current release.

# Download the release tarball (pick the version listed on https://downloads.cisofy.com/lynis/)
cd /tmp
wget https://downloads.cisofy.com/lynis/lynis-3.1.1.tar.gz

# Compare with the SHA-256 published on the download page before unpacking
# something you are about to run as root
sha256sum lynis-3.1.1.tar.gz

# Extract; the tarball unpacks into a single lynis/ directory
sudo tar -xzf lynis-3.1.1.tar.gz -C /opt

# Lynis refuses to run from a directory that non-root users can write to,
# so fix ownership and permissions before the first run
sudo chown -R root:root /opt/lynis
sudo chmod -R go-w /opt/lynis

# The script locates its include/ directory relative to its own path, so the
# reliable way to run it is from the install directory
cd /opt/lynis
sudo ./lynis show version

# Optional: a symlink in PATH normally works as well; test it once
sudo ln -s /opt/lynis/lynis /usr/local/bin/lynis
lynis show version

Docker Installation

# Pull the official image
docker pull cisofy/lynis

# Run an audit. A containerized Lynis audits the container it runs in (its
# filesystem, packages and its view of the kernel), not the Docker host;
# mounting the host root into the container does not change that. To audit
# the host, install Lynis on the host.
docker run --rm -it --name lynis \
    cisofy/lynis \
    audit system --quick

# Mount a custom profile into the container and point Lynis at it (absolute path)
docker run --rm -it --name lynis \
    --volume /path/to/custom.prf:/tmp/custom.prf:ro \
    cisofy/lynis \
    audit system --quick --profile /tmp/custom.prf

# Lynis can also review a Dockerfile for risky instructions
lynis audit dockerfile /path/to/Dockerfile

Basic Lynis Usage

Running a System Audit

# Full system audit (run as root; unprivileged runs skip many tests)
sudo lynis audit system

# Non-interactive run for cron and automation: no colors, no pauses
sudo lynis audit system --cronjob

# Quick mode: do not pause between sections
sudo lynis audit system --quick

# Suppress screen output (the log and report files are still written)
sudo lynis audit system --quiet

# Show more detail on screen
sudo lynis audit system --verbose

# Run only one test group (list the groups with: lynis show groups)
sudo lynis audit system --tests-from-group ssh

# Run only specific test IDs (list them with: lynis show tests)
sudo lynis audit system --tests "SSH-7408 KRNL-6000"

Understanding Audit Output

Lynis prints one section per test group. The lines below show the shape of that output (the values on your host will differ):

[+] Boot and services
------------------------------------
  - Service Manager                                           [ systemd ]
  - Checking UEFI boot                                        [ DISABLED ]
  - Checking presence GRUB2                                   [ FOUND ]
    - Checking for password protection                        [ WARNING ]
  - Check running services (systemctl)                        [ DONE ]
        Result: found 23 running services

[+] Kernel
------------------------------------
  - Checking default run level                                [ RUNLEVEL 5 ]
  - Checking CPU support (NX/PAE)
    CPU support: PAE and/or NoeXecute supported               [ FOUND ]
  - Checking kernel version and release                       [ DONE ]
  - Checking kernel type                                      [ DONE ]

The groups cover system information, boot and services, kernel, memory and processes, users and authentication, shells, file systems, storage, NFS, name services, ports and packages, networking, printers and spools, software (SSH, web servers, databases, mail, logging and more), and security frameworks.

The bracketed tag at the end of each line is the result of that check:

# [ OK ]                      - Check passed
# [ WARNING ]                 - Serious issue; also written to the report as a warning[]= line
# [ SUGGESTION ]              - Hardening recommended; written to the report as a suggestion[]= line
# [ FOUND ] / [ NOT FOUND ]   - Presence of a file, setting or service; good or bad depends on the test
# [ ENABLED ] / [ DISABLED ]  - State of a feature
# [ DONE ]                    - Informational check completed
# [ SKIPPED ]                 - Test not applicable here, or skipped by the profile

At the end of the run Lynis repeats every warning and suggestion with its test ID, prints the hardening index (0 to 100), the number of tests performed, and the paths of the log and report files. There are no CRITICAL or NOTICE tags; read a specific test with lynis show details <TEST-ID>.

Generating Reports

Every run writes two files: a human-readable log (/var/log/lynis.log by default) and a machine-readable report (/var/log/lynis-report.dat). The open-source edition has no HTML, JSON or CSV exporter; those belong to Lynis Enterprise. Parse the report file instead.

# Write the report to a custom path
sudo lynis audit system --cronjob --report-file /var/log/lynis/lynis-report.dat

# Keep one report per run
sudo lynis audit system --cronjob --report-file /var/log/lynis/lynis-report-$(date +%Y%m%d).dat

# Print the last report on screen
sudo lynis show report

# The report is key=value; each finding is one pipe-separated line:
#   warning[]=TEST-ID|description|details|solution|
#   suggestion[]=TEST-ID|description|details|solution|
grep -E '^(warning|suggestion)\[\]=' /var/log/lynis-report.dat

# Hardening index and number of tests from the last run
grep -E '^(hardening_index|lynis_tests_done)=' /var/log/lynis-report.dat

# Show only the warnings and suggestions from the screen output
sudo lynis audit system --quick --no-colors | grep -E 'WARNING|SUGGESTION'
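Since there is no built-in exporter, a few shell functions are enough to turn the report into something readable or to feed the counts into a dashboard. The block below is an added example (not code from the Lynis project or from this article's author); the report it parses is constructed to match the warning[]=/suggestion[]= layout, and its hostname, values and findings are made up.

```shell
#!/bin/sh
# Added example: summarise a Lynis report file (key=value format).
# Findings are one line each: kind[]=TEST-ID|description|details|solution|
# The sample below is constructed to match that layout; its values are made up.

SAMPLE_REPORT="$(mktemp)"
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
# Lynis Report (constructed sample)
report_version_major=1
lynis_version=3.1.1
hostname=web01
os_fullname=Ubuntu 22.04
hardening_index=65
lynis_tests_done=261
warning[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|-|-|
warning[]=KRNL-5830|Reboot of system is most likely needed|text:reboot|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
EOF

# report_value FILE KEY -> first value of KEY (e.g. hardening_index)
report_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# report_count FILE KIND -> number of findings of KIND ("warning" or "suggestion")
report_count() {
    grep -c "^$2\[\]=" "$1" || true
}

# report_list FILE KIND -> "TEST-ID: description (details)", details omitted when "-"
report_list() {
    grep "^$2\[\]=" "$1" | sed "s/^$2\[\]=//" |
        awk -F'|' '{ if ($3 == "-" || $3 == "") print $1 ": " $2; else print $1 ": " $2 " (" $3 ")" }'
}

# report_test_ids FILE -> distinct test IDs with findings, sorted (for trending)
report_test_ids() {
    grep -E '^(warning|suggestion)\[\]=' "$1" | sed -E 's/^[a-z]+\[\]=//' |
        cut -d'|' -f1 | sort -u
}

# Human-readable summary of one report
report_summary() {
    printf 'Host: %s (%s), Lynis %s\n' "$(report_value "$1" hostname)" \
        "$(report_value "$1" os_fullname)" "$(report_value "$1" lynis_version)"
    printf 'Hardening index: %s/100, tests run: %s\n' \
        "$(report_value "$1" hardening_index)" "$(report_value "$1" lynis_tests_done)"
    printf 'Warnings (%s):\n' "$(report_count "$1" warning)"
    report_list "$1" warning | sed 's/^/  /'
    printf 'Suggestions (%s):\n' "$(report_count "$1" suggestion)"
    report_list "$1" suggestion | sed 's/^/  /'
}

# On a real host: report_summary /var/log/lynis-report.dat
report_summary "$SAMPLE_REPORT"
```

Note that one test (SSH-7408 above) can emit several suggestion lines, one per sub-check, so counting lines overstates the number of distinct problems; report_test_ids gives the per-test view that is better for tracking over time.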

Lynis Configuration

Profiles

Lynis has no lynis.conf; all settings live in profile files with a .prf extension. The shipped defaults are in default.prf (for example /etc/lynis/default.prf for distribution packages, or /opt/lynis/default.prf for a tarball install). Do not edit that file, because upgrades overwrite it. Put local overrides in custom.prf in the same directory, or pass any file with --profile: Lynis reads default.prf first and applies custom.prf on top of it.

# Show which profiles are loaded and the effective settings
sudo lynis show profiles
sudo lynis show settings

# Create the local override file
sudo nano /etc/lynis/custom.prf

Essential Profile Options

Profile lines are key=value. The options below are present in the 3.x default.prf; your own default.prf is the authoritative, version-specific list, and its comments document each key.

# Name of the profile (appears in the log)
name=custom

# Skip a test everywhere; add a comment saying why, an auditor will ask
skip-test=AUTH-9328

# Sub-checks of a test can be skipped with TEST-ID:qualifier (see the comments in default.prf)

# Quick mode by default (do not pause between sections)
quick=yes

# Colored output
colors=yes

# Role of this machine: personal, workstation or server
machine-role=server

# Compliance standards to report on (subset of: cis, hipaa, iso27001, pci-dss, nist)
compliance_standards=iso27001,pci-dss

# Exit with a non-zero code when warnings are found (useful in CI)
error-on-warnings=yes

Log and report locations are not profile keys; set them per run with --report-file, or suppress the log with --no-log. Mail and upload of reports are not features of the open-source edition: send the report from cron or configuration management instead.
Custom Profile Example

# /etc/lynis/custom.prf
# Local overrides for the web server fleet, read after default.prf

name=webservers

# Tests that do not apply here, with the justification an auditor will ask for
# AUTH-9328: umask is set per service in the systemd units, not in login.defs
skip-test=AUTH-9328
# FILE-6310: the cloud image ships a single root partition by design
skip-test=FILE-6310

# Standard we report against
compliance_standards=pci-dss

# These are servers, not workstations
machine-role=server

# Fail CI pipelines on warnings
error-on-warnings=yes

A profile can only remove tests. To run a subset, select it on the command line with --tests "ID ID" or --tests-from-group <group>.

Understanding Audit Results

Key Security Categories

A finding shows up twice: inline as a status tag, and at the end of the run as a warning or suggestion with a test ID. The examples below show the shape of typical findings per area; read the full description of any test with lynis show details <TEST-ID>.

1. Boot and Services

[+] Boot and services
  - Checking presence GRUB2                                   [ FOUND ]
    - Checking for password protection                        [ WARNING ]
  - Check running services (systemctl)                        [ DONE ]

Suggestion: Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122]
Risk: anyone at the console can edit the kernel command line (init=/bin/sh) and get a root shell without authenticating. Lynis also lists every running service so you can review which ones the host actually needs.

2. Kernel Security

[+] Kernel Hardening
  - Comparing sysctl key pairs with scan profile
    - fs.suid_dumpable (exp: 0)                               [ DIFFERENT ]
    - kernel.kptr_restrict (exp: 2)                           [ DIFFERENT ]
    - net.ipv4.conf.all.accept_redirects (exp: 0)             [ DIFFERENT ]

Suggestion: One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
Suggestion: If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
Risk: core dumps of setuid processes can leak secrets to local users; exposed kernel pointers and ICMP redirects make local exploitation and on-path attacks easier. Check the current values with sysctl <key>.

3. File System Security

[+] File systems
  - Checking mount points
    - Checking /home mount point                              [ SUGGESTION ]
    - Checking /tmp mount point                               [ SUGGESTION ]
  - Checking /tmp sticky bit                                  [ OK ]
  - Mount options of /tmp                                     [ PARTIALLY HARDENED ]

Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separate partition [FILE-6310]
Suggestion: Consider mounting /tmp with the noexec, nosuid and nodev options
Risk: a world-writable, executable /tmp is the standard drop point for attacker tooling, and a shared partition lets any user fill the root file system.

4. Authentication and Users

[+] Users, Groups and Authentication
  - Administrator accounts                                    [ OK ]
  - Unique UIDs                                               [ OK ]
  - Checking user password aging (minimum)                    [ DISABLED ]
  - User password aging (maximum)                             [ DISABLED ]
  - Default umask in /etc/login.defs                          [ SUGGESTION ]

Suggestion: Configure minimum and maximum password age in /etc/login.defs [AUTH-9286]
Suggestion: Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]
Risk: passwords that never rotate lengthen the window after a credential leak; a permissive umask makes every new file readable by all users. login.defs only affects new accounts; apply aging to existing ones with chage -M 90 -m 7 -W 14 username.

5. Network Security

[+] Networking
  - Checking IPv6 configuration                               [ ENABLED ]
      Configuration method                                    [ AUTO ]
      IPv6 only                                               [ NO ]
  - Checking for promiscuous interfaces                       [ OK ]
  - Checking waiting connections                              [ OK ]

Suggestion: Determine if protocol 'dccp', 'sctp', 'rds', 'tipc' is really needed on this system [NETW-3200]
Risk: IPv6 that is enabled but unmanaged bypasses IPv4-only firewall rules; rarely used kernel protocols enlarge the attack surface. IP forwarding (net.ipv4.ip_forward=1) turns a server into a router and is flagged by the sysctl comparison above.

Priority Classification

Lynis does not label findings CRITICAL, HIGH, MEDIUM or LOW. It produces two kinds of findings plus a score; map them onto your own priorities:

Lynis output                 Meaning                                      Suggested handling
warning[] (WARNING)          Serious weakness, or something is broken     Fix, or formally accept the risk, before the next audit
suggestion[] (SUGGESTION)    The system could be hardened further         Triage; apply where it fits the host's role
hardening_index (0-100)      Weighted score over the tests performed      Track over time; a drop means drift or a regression
skipped tests                Not applicable, or skipped by the profile    Review skip-test entries periodically

Advanced Lynis Features

1. Custom Tests

Lynis includes a file named tests_custom from its include/ directory, if it exists, and runs it like its own test files. Custom tests use the same helper functions as the built-in tests (Register, Display, ReportWarning, ReportSuggestion). These helpers are internal to Lynis rather than a stable API, so copy the calling conventions from a bundled include/tests_* file of the version you installed.

# The include directory depends on the install method:
#   tarball: /opt/lynis/include   Debian/Ubuntu package: /usr/share/lynis/include
sudo nano /opt/lynis/include/tests_custom

#!/bin/sh
# Custom tests for Lynis. IDs in the CUST-xxxx range are reserved for local
# tests and will not collide with upstream test IDs.

InsertSection "Custom Tests"

    # Test        : CUST-0010
    # Description : Check that the application hardening marker exists
    Register --test-no CUST-0010 --weight L --network NO --category security --description "Check application hardening marker"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -f /etc/myapp/secure ]; then
            Display --indent 2 --text "- Checking /etc/myapp/secure" --result "${STATUS_OK}" --color GREEN
        else
            Display --indent 2 --text "- Checking /etc/myapp/secure" --result "${STATUS_WARNING}" --color RED
            ReportWarning "${TEST_NO}" "Application hardening marker /etc/myapp/secure is missing"
        fi
    fi

# Files in the Lynis directory must be owned by root and not writable by others,
# otherwise Lynis refuses to run
sudo chown root:root /opt/lynis/include/tests_custom
sudo chmod 644 /opt/lynis/include/tests_custom

# Run only the custom test to check it
sudo lynis audit system --tests CUST-0010

2. Integration with Configuration Management

Ansible Integration

# ansible-playbook -i inventory playbooks/lynis-audit.yml
---
- name: Run Lynis audit
  hosts: all
  become: yes

  tasks:
    - name: Install Lynis (Debian/Ubuntu)
      apt:
        name: lynis
        state: present
      when: ansible_os_family == "Debian"

    - name: Install Lynis (RHEL family, needs EPEL)
      dnf:
        name: lynis
        state: present
      when: ansible_os_family == "RedHat"

    # --cronjob makes the run non-interactive; the results we want are in the
    # report file, not on stdout
    - name: Run Lynis audit
      command: >
        lynis audit system
        --cronjob
        --report-file /var/log/lynis-report.dat
      changed_when: false

    - name: Collect the report on the control node
      fetch:
        src: /var/log/lynis-report.dat
        dest: "reports/{{ inventory_hostname }}/"
        flat: yes

    - name: Read the hardening index from the report
      command: sed -n 's/^hardening_index=//p' /var/log/lynis-report.dat
      register: hardening_index
      changed_when: false

    - name: Send report
      mail:
        to: admin@domain.com
        subject: "Lynis Audit - {{ ansible_hostname }} - hardening index {{ hardening_index.stdout }}"
        body: "{{ lookup('file', 'reports/' + inventory_hostname + '/lynis-report.dat') }}"
      delegate_to: localhost
Puppet Integration

# manifests/lynis.pp
class lynis {
  package { 'lynis':
    ensure => installed,
  }

  # Run the audit once a day instead of on every agent run
  # (drop the schedule to run it every time)
  schedule { 'lynis-daily':
    period => daily,
    range  => '2 - 4',
  }

  exec { 'run-lynis-audit':
    command  => '/usr/bin/lynis audit system --cronjob --report-file /var/log/lynis-report.dat',
    schedule => 'lynis-daily',
    require  => Package['lynis'],
  }

  # The report lists every weakness found; keep it readable by root only
  file { '/var/log/lynis-report.dat':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    require => Exec['run-lynis-audit'],
  }
}

3. Scheduled Auditing

# Create audit script
sudo nano /usr/local/bin/lynis-audit.sh

#!/bin/sh
# Automated Lynis audit: one dated report per run, summary by mail
set -eu

DATE=$(date +%Y%m%d_%H%M%S)
LOG_DIR="/var/log/lynis"
REPORT_FILE="${LOG_DIR}/lynis-report-${DATE}.dat"
SUMMARY="$(mktemp)"
MAILTO="admin@domain.com"

# Reports describe weaknesses: keep the directory root-only
mkdir -p "${LOG_DIR}"
chmod 700 "${LOG_DIR}"

# Run the audit non-interactively
/usr/bin/lynis audit system \
    --cronjob \
    --quiet \
    --report-file "${REPORT_FILE}"

# Findings live in the report as warning[]= and suggestion[]= lines,
# each formatted TEST-ID|description|details|solution|
WARNINGS=$(grep -c '^warning\[\]=' "${REPORT_FILE}" || true)
SUGGESTIONS=$(grep -c '^suggestion\[\]=' "${REPORT_FILE}" || true)
INDEX=$(sed -n 's/^hardening_index=//p' "${REPORT_FILE}")

{
    echo "Lynis Audit Summary - $(hostname) - ${DATE}"
    echo "Hardening index: ${INDEX}/100, warnings: ${WARNINGS}, suggestions: ${SUGGESTIONS}"
    echo "====================================="
    echo "Warnings:"
    grep '^warning\[\]=' "${REPORT_FILE}" | sed 's/^warning\[\]=//' | cut -d'|' -f1,2 || true
    echo "Suggestions:"
    grep '^suggestion\[\]=' "${REPORT_FILE}" | sed 's/^suggestion\[\]=//' | cut -d'|' -f1,2 || true
} > "${SUMMARY}"

# Mail the summary; flag the subject when warnings are present
if [ "${WARNINGS}" -gt 0 ]; then
    mail -s "Lynis WARNINGS (${WARNINGS}) - $(hostname) - ${DATE}" "${MAILTO}" < "${SUMMARY}"
else
    mail -s "Lynis Audit Summary - $(hostname) - ${DATE}" "${MAILTO}" < "${SUMMARY}"
fi
rm -f "${SUMMARY}"

# Make executable (root only)
sudo chmod 700 /usr/local/bin/lynis-audit.sh

# Schedule the daily audit in root's crontab
sudo crontab -e
# Add:
0 3 * * * /usr/local/bin/lynis-audit.sh

# Weekly verbose run with the screen output kept for troubleshooting
0 4 * * 0 /usr/bin/lynis audit system --cronjob --verbose > /var/log/lynis/weekly-audit.log 2>&1

4. Compliance Checking

The open-source edition ships a small number of compliance-oriented tests and tags findings with the standards selected in the profile; it does not produce a per-requirement PCI-DSS or HIPAA report (that is a Lynis Enterprise feature), and --tests does not accept standard names. Treat Lynis output as evidence of regular configuration audits, not as a complete compliance assessment.

# Select the standards in the profile
# /etc/lynis/custom.prf
compliance_standards=pci-dss,hipaa

# Run the audit with that profile and keep the dated report as audit evidence
sudo lynis audit system --cronjob --profile /etc/lynis/custom.prf \
    --report-file /var/log/lynis/compliance-$(date +%Y%m%d).dat

# Keep the log as well: it records which tests ran and what each one found
sudo cp /var/log/lynis.log /var/log/lynis/compliance-$(date +%Y%m%d).log

5. Web Server Auditing

Web server tests live in the HTTP-xxxx range (test group "webservers"); there are no APACHE-* or NGINX-* test IDs.

# Audit only the web server tests
sudo lynis audit system --tests-from-group webservers

# List the IDs in that range to run or skip individual tests
sudo lynis show tests | grep '^HTTP-'

Apache Auditing

# Apache findings example
  - Checking Apache (binary /usr/sbin/apache2)                [ FOUND ]
    - Loaded modules
        - mod_evasive: Not found
        - mod_security: Not found

Suggestion: Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
Suggestion: Install Apache modsecurity to guard webserver against web application attacks [HTTP-6641]

Nginx Auditing

# nginx findings example (Lynis parses nginx.conf and its includes)
  - Checking nginx                                            [ FOUND ]
    - Found nginx.conf                                        [ FOUND ]
    - SSL configured                                          [ YES ]
      - Ciphers configured                                    [ YES ]
      - Prefer server ciphers                                 [ NO ]
      - Protocols configured                                  [ YES ]
        - Insecure protocols found                            [ NO ]

Suggestion: Check your nginx configuration, prefer server ciphers over client ciphers

6. Database Auditing

Database tests are in the DBS-xxxx range (test group "databases"). Lynis detects which engines are running and checks what it can see from the file system; it does not log in to the database, so account and privilege reviews need the engine's own tooling.

# Audit only the database tests
sudo lynis audit system --tests-from-group databases

# Example findings
  - MySQL process status                                      [ FOUND ]
  - PostgreSQL processes status                               [ NOT FOUND ]

Remediation Guide

1. System Hardening Steps

Lynis reports; it never changes anything. Apply fixes through idempotent drop-in files rather than appending to shared configuration files, so the script can be re-run safely, and re-audit afterwards. The script below targets Debian/Ubuntu and runs as root; test it on a non-production host first, and make sure key-based SSH access works before it disables password logins.

#!/bin/sh
# remediation.sh
# Apply common Lynis recommendations (Debian/Ubuntu, run as root)
set -eu

echo "=== Applying Security Hardening ==="

# 1. Kernel and network sysctl values (KRNL-6000 compares these with the profile)
echo "Applying kernel hardening..."
cat > /etc/sysctl.d/90-lynis-hardening.conf << 'EOF'
# Network security
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1

# Kernel security
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
fs.suid_dumpable = 0
EOF
sysctl --system > /dev/null

# 2. /tmp on tmpfs with noexec,nosuid,nodev; add the fstab entry only once
echo "Securing /tmp..."
if ! grep -qE '^[^#].*[[:space:]]/tmp[[:space:]]' /etc/fstab; then
    echo 'tmpfs /tmp tmpfs rw,noexec,nosuid,nodev,size=1G 0 0' >> /etc/fstab
fi
# Takes effect at the next boot (mount -o remount /tmp applies it now if /tmp is already tmpfs)

# 3. Password aging and umask defaults for new accounts (AUTH-9286, AUTH-9328);
#    existing users need chage -M 90 -m 7 -W 14 <user>
echo "Configuring password policies..."
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS   90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS   7/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE   14/' /etc/login.defs
sed -i 's/^UMASK.*/UMASK           027/' /etc/login.defs

# 4. Lock legacy system accounts instead of deleting them: packages may still
#    own files as these users, and userdel -r would remove their directories
echo "Locking unused system accounts..."
for user in games news uucp; do
    if id "$user" > /dev/null 2>&1; then
        usermod -L -s /usr/sbin/nologin "$user"
    fi
done

# 5. Install security tools
echo "Installing security tools..."
apt-get install -y fail2ban apparmor ufw auditd

# 6. SSH hardening as a drop-in (OpenSSH 8.2+ includes /etc/ssh/sshd_config.d/*.conf).
#    Appending to sshd_config does nothing if the keyword already appears earlier,
#    because sshd uses the first value it sees. ClientAliveCountMax 0 would
#    disable idle disconnects entirely, so use a small positive value.
echo "Hardening SSH..."
cat > /etc/ssh/sshd_config.d/90-hardening.conf << 'EOF'
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowTcpForwarding no
X11Forwarding no
EOF
sshd -t && systemctl reload ssh

# 7. Persistent audit rules (rules added with auditctl alone are lost at reboot)
echo "Setting up system auditing..."
cat > /etc/audit/rules.d/90-identity.rules << 'EOF'
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
EOF
augenrules --load

echo "Remediation complete; re-audit with: lynis audit system --quick"
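Re-running Lynis confirms whether the changes stuck, but a targeted check straight after remediation is faster and catches the classic failure of a setting that was written to a file yet never became effective: an earlier sshd_config line winning over the drop-in, a sysctl.d file shadowed by a later one, or /tmp mounted without the new options. The script below is an added example (not from the Lynis project or from this article's author) that compares the effective values from sysctl -a, sshd -T and findmnt against the policy applied above. It takes the command output as text so it can run on the constructed "before" and "after" samples embedded here; on a real host the live_check at the bottom feeds it the actual commands.

```shell
#!/bin/sh
# Added example: verify that remediation became effective by comparing live
# settings (sysctl -a, sshd -T, findmnt) against the intended policy.
# Policies and the before/after samples are constructed for this example.

# Expected sysctl values, "key value" per line (same as remediation.sh)
SYSCTL_POLICY='net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_redirects 0
kernel.kptr_restrict 2
fs.suid_dumpable 0'

# Expected sshd settings; "sshd -T" prints keywords in lowercase
SSHD_POLICY='permitrootlogin no
passwordauthentication no
maxauthtries 3
clientalivecountmax 2'

# Mount options that must all be present on /tmp
TMP_REQUIRED_OPTS='noexec nosuid nodev'

# compare_policy POLICY: stdin holds "key=value" lines; prints one sorted line
# per key that is missing or differs from POLICY
compare_policy() {
    awk -v policy="$1" '
        BEGIN {
            n = split(policy, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
        }
        { if (split($0, kv, "=") >= 2) have[kv[1]] = kv[2] }
        END {
            for (k in want) {
                if (!(k in have)) printf "%s: expected %s, key not present\n", k, want[k]
                else if (have[k] != want[k]) printf "%s: expected %s, got %s\n", k, want[k], have[k]
            }
        }' | sort
}

# check_sysctl "<sysctl -a output>"  (lines look like "key = value")
check_sysctl() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*=[[:space:]]*/=/' | compare_policy "$SYSCTL_POLICY"
}

# check_sshd "<sshd -T output>"  (lines look like "keyword value")
check_sshd() {
    printf '%s\n' "$1" | sed 's/[[:space:]]/=/' | compare_policy "$SSHD_POLICY"
}

# check_tmp_mount "<findmnt -n -o OPTIONS /tmp output>"  (comma-separated options)
check_tmp_mount() {
    missing=""
    for opt in $TMP_REQUIRED_OPTS; do
        case ",$1," in
            *",$opt,"*) ;;
            *) missing="$missing $opt" ;;
        esac
    done
    [ -z "$missing" ] || printf '/tmp: missing mount options:%s\n' "$missing"
}

# verify_hardening SYSCTL_TEXT SSHD_TEXT TMP_OPTS: prints drift, returns 1 if any
verify_hardening() {
    drift="$(check_sysctl "$1"; check_sshd "$2"; check_tmp_mount "$3")"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    echo "all checks passed"
}

# On a real host (root needed for sshd -T):
live_check() {
    verify_hardening "$(sysctl -a 2>/dev/null)" "$(sshd -T)" "$(findmnt -n -o OPTIONS /tmp)"
}

# Constructed "before" state: one key missing, two wrong, weak sshd, plain /tmp
SAMPLE_SYSCTL_BEFORE='net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
kernel.kptr_restrict = 1'
SAMPLE_SSHD_BEFORE='permitrootlogin prohibit-password
passwordauthentication yes
maxauthtries 6
clientalivecountmax 0'
SAMPLE_TMP_BEFORE='rw,relatime'

# Constructed "after" state: what remediation.sh should produce
SAMPLE_SYSCTL_AFTER='net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
kernel.kptr_restrict = 2
fs.suid_dumpable = 0'
SAMPLE_SSHD_AFTER='permitrootlogin no
passwordauthentication no
maxauthtries 3
clientalivecountmax 2'
SAMPLE_TMP_AFTER='rw,nosuid,nodev,noexec,relatime,size=1048576k'

echo "--- before remediation ---"
verify_hardening "$SAMPLE_SYSCTL_BEFORE" "$SAMPLE_SSHD_BEFORE" "$SAMPLE_TMP_BEFORE" || true
echo "--- after remediation ---"
verify_hardening "$SAMPLE_SYSCTL_AFTER" "$SAMPLE_SSHD_AFTER" "$SAMPLE_TMP_AFTER"
```

Reading sshd -T rather than the configuration files is the point: it prints what the daemon will actually enforce after all Include and Match processing, which is also why Lynis's own SSH-7408 findings refer to effective options.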

2. Creating an Action Plan

# Generate a fresh report
sudo lynis audit system --cronjob --report-file /tmp/lynis-report.dat

# Findings are warning[]= and suggestion[]= lines: TEST-ID|description|details|solution|
echo "=== Security Action Plan ==="

printf '\nHardening index: %s/100\n' "$(sed -n 's/^hardening_index=//p' /tmp/lynis-report.dat)"

printf '\nFix first (warnings):\n'
grep '^warning\[\]=' /tmp/lynis-report.dat | sed 's/^warning\[\]=//' | \
    awk -F'|' '{ print "  [" $1 "] " $2 }'

printf '\nPlan (suggestions), sorted by test so one change closes several findings:\n'
grep '^suggestion\[\]=' /tmp/lynis-report.dat | sed 's/^suggestion\[\]=//' | \
    awk -F'|' '{ print "  [" $1 "] " $2 ($3 != "-" ? " - " $3 : "") }' | sort

# Create a checklist with one line per finding and columns for owner and status
grep -E '^(warning|suggestion)\[\]=' /tmp/lynis-report.dat | \
    sed -E 's/^(warning|suggestion)\[\]=/\1|/' | \
    awk -F'|' 'BEGIN { OFS="\t"; print "kind","test","description","details","owner","status" }
               { print $1, $2, $3, $4, "", "open" }' > /tmp/lynis-actions.tsv

echo "Action items saved to: /tmp/lynis-actions.tsv"

Integration with Other Tools

1. SIEM Integration

The report file is rewritten on every run, so ship it with rsyslog's imfile module set to re-read the file when it is truncated. Each finding then arrives as one event ("warning[]=TEST-ID|...") that the SIEM can split on the pipe character. Ship /var/log/lynis.log as well if you want the full test trail.

# Forward Lynis results to a SIEM
sudo nano /etc/rsyslog.d/50-lynis.conf

# Add (RainerScript syntax; the legacy $InputFile* directives are deprecated
# and need an explicit $ModLoad imfile to work at all):
module(load="imfile")

input(type="imfile"
      File="/var/log/lynis-report.dat"
      Tag="lynis-report:"
      Severity="info"
      Facility="local7"
      reopenOnTruncate="on"
      ruleset="lynis")

# Forward only the findings and the score, over TCP, and stop so they do not
# also land in the local log files
ruleset(name="lynis") {
    if ($msg contains "warning[]=" or $msg contains "suggestion[]=" or $msg contains "hardening_index=") then {
        action(type="omfwd" target="logserver" port="514" protocol="tcp")
    }
    stop
}

# Validate the configuration, then restart rsyslog
sudo rsyslogd -N1
sudo systemctl restart rsyslog
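Shipping the raw report lines works, but most SIEM pipelines are easier to query when each finding is a structured event with the host and timestamp attached. The converter below is an added example (not part of Lynis or of this article's original code) that turns the warning[]=/suggestion[]= lines into JSON Lines, enriched with the hostname, start time and hardening index from the same report. The embedded report is constructed and its values are made up; a log shipper such as Filebeat or Vector (assumed here, not configured) can then tail the output file.

```shell
#!/bin/sh
# Added example: convert Lynis findings into JSON Lines (one object per finding)
# for SIEM ingestion. The report below is constructed to match the real
# key=value layout; its values are made up.

SAMPLE_REPORT="$(mktemp)"
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
# Lynis Report (constructed sample)
report_datetime_start=2026-01-15 03:00:01
hostname=web01
lynis_version=3.1.1
hardening_index=65
warning[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
EOF

# report_key FILE KEY -> first value of KEY
report_key() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Escape backslashes and double quotes for a JSON string literal
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# report_to_jsonl FILE -> one JSON object per finding on stdout
report_to_jsonl() {
    file="$1"
    host="$(json_escape "$(report_key "$file" hostname)")"
    ts="$(json_escape "$(report_key "$file" report_datetime_start)")"
    ver="$(json_escape "$(report_key "$file" lynis_version)")"
    index="$(report_key "$file" hardening_index)"
    # Finding lines: kind[]=TEST-ID|description|details|solution|
    grep -E '^(warning|suggestion)\[\]=' "$file" |
    while IFS='|' read -r kind_and_id desc details solution rest; do
        kind="${kind_and_id%%\[*}"       # warning or suggestion
        id="${kind_and_id#*=}"           # TEST-ID
        case "$details" in -) details="" ;; esac      # "-" means empty in Lynis reports
        case "$solution" in -) solution="" ;; esac
        printf '{"timestamp":"%s","host":"%s","lynis_version":"%s","hardening_index":%s,"severity":"%s","test_id":"%s","description":"%s","details":"%s","solution":"%s"}\n' \
            "$ts" "$host" "$ver" "${index:-null}" "$kind" "$(json_escape "$id")" \
            "$(json_escape "$desc")" "$(json_escape "$details")" "$(json_escape "$solution")"
    done
}

# On a real host, append to a file that the log shipper tails:
#   report_to_jsonl /var/log/lynis-report.dat >> /var/log/lynis/findings.jsonl
report_to_jsonl "$SAMPLE_REPORT"
```

The severity field carries Lynis's own two levels; mapping them onto the SIEM's scale (and deduplicating on host plus test_id across daily runs) is best done in the pipeline, so the raw events stay faithful to what Lynis reported.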

2. Monitoring Integration

# Nagios/NRPE check that reads the last report
sudo nano /usr/lib/nagios/plugins/check_lynis

#!/bin/sh
# Check Lynis audit results: warnings are CRITICAL, a low hardening index
# or a stale report is WARNING. Perfdata carries the index and counts.

REPORT_FILE="/var/log/lynis-report.dat"
MIN_INDEX=70        # hardening index below this is a WARNING
MAX_AGE_DAYS=8      # a report older than this means the cron job is broken

if [ ! -f "$REPORT_FILE" ]; then
    echo "CRITICAL - No Lynis report found at $REPORT_FILE"
    exit 2
fi

# Findings are one line each: warning[]=TEST-ID|description|details|solution|
WARNINGS=$(grep -c '^warning\[\]=' "$REPORT_FILE" || true)
SUGGESTIONS=$(grep -c '^suggestion\[\]=' "$REPORT_FILE" || true)
INDEX=$(sed -n 's/^hardening_index=//p' "$REPORT_FILE")
INDEX=${INDEX:-0}
IDS=$(grep '^warning\[\]=' "$REPORT_FILE" | sed 's/^warning\[\]=//' | cut -d'|' -f1 | tr '\n' ' ')
PERF="index=$INDEX;$MIN_INDEX;;0;100 warnings=$WARNINGS suggestions=$SUGGESTIONS"

if [ -n "$(find "$REPORT_FILE" -mtime +"$MAX_AGE_DAYS")" ]; then
    echo "WARNING - Lynis report older than $MAX_AGE_DAYS days | $PERF"
    exit 1
elif [ "$WARNINGS" -gt 0 ]; then
    echo "CRITICAL - $WARNINGS warnings: $IDS| $PERF"
    exit 2
elif [ "$INDEX" -lt "$MIN_INDEX" ]; then
    echo "WARNING - hardening index $INDEX below $MIN_INDEX | $PERF"
    exit 1
else
    echo "OK - hardening index $INDEX, $SUGGESTIONS open suggestions | $PERF"
    exit 0
fi

# Make executable
sudo chmod +x /usr/lib/nagios/plugins/check_lynis

# The report is written by root; let the NRPE user run the check through sudo
echo "nagios ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_lynis" | sudo tee /etc/sudoers.d/check_lynis
sudo chmod 0440 /etc/sudoers.d/check_lynis

# Add to the NRPE configuration
echo "command[check_lynis]=sudo /usr/lib/nagios/plugins/check_lynis" | sudo tee -a /etc/nagios/nrpe.cfg

3. Ansible Integration

# playbooks/lynis-hardening.yml
---
- name: Apply Lynis recommendations
  hosts: all
  become: yes

  handlers:
    - name: Reload sshd
      service:
        name: "{{ 'ssh' if ansible_os_family == 'Debian' else 'sshd' }}"
        state: reloaded

  tasks:
    - name: Run Lynis audit
      command: >
        lynis audit system
        --cronjob
        --report-file /var/log/lynis-report.dat
      changed_when: false

    # --cronjob output is not meant for parsing; read the report file instead
    - name: Read suggestions from the report (TEST-ID|description|details|solution|)
      command: grep '^suggestion\[\]=' /var/log/lynis-report.dat
      register: suggestions
      changed_when: false
      failed_when: suggestions.rc not in [0, 1]

    - name: Show which tests raised suggestions
      debug:
        msg: "{{ suggestions.stdout_lines | map('regex_replace', '^suggestion\\[\\]=([A-Z]+-[0-9]+)\\|.*$', '\\1') | unique | list }}"

    - name: Apply kernel hardening (KRNL-6000)
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_file: /etc/sysctl.d/90-lynis-hardening.conf
        state: present
        reload: yes
      loop:
        - { name: 'kernel.randomize_va_space', value: '2' }
        - { name: 'kernel.kptr_restrict', value: '2' }
        - { name: 'fs.suid_dumpable', value: '0' }
        - { name: 'net.ipv4.tcp_syncookies', value: '1' }

    # Replace the existing (possibly commented) keyword so the first value
    # sshd sees is ours; validate before writing so a typo cannot lock us out
    - name: Configure SSH (SSH-7408)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.param }}\\s"
        line: "{{ item.param }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { param: 'PermitRootLogin', value: 'no' }
        - { param: 'PasswordAuthentication', value: 'no' }
        - { param: 'MaxAuthTries', value: '3' }
        - { param: 'AllowTcpForwarding', value: 'no' }
      notify: Reload sshd

    - name: Install security packages
      apt:
        name:
          - fail2ban
          - apparmor
          - auditd
        state: present
      when: ansible_os_family == "Debian"

    - name: Re-audit the changed areas to confirm the findings are gone
      command: lynis audit system --cronjob --tests "KRNL-6000 SSH-7408"
      changed_when: false
Performance Optimization

1. Reducing Audit Time

A full audit on a typical server takes a few minutes, most of it in package and file checks. To shorten it:

# Run a single test group instead of everything (see: lynis show groups)
sudo lynis audit system --tests-from-group kernel

# Or only the tests you care about after a change
sudo lynis audit system --tests "SSH-7408 KRNL-6000"

# Skip tests permanently via the profile; there is no command-line flag for this
# /etc/lynis/custom.prf:
skip-test=FILE-6310

# Do not pause between sections, and keep the screen quiet
sudo lynis audit system --quick --quiet

2. Caching

Lynis keeps no cache between runs; every audit re-reads the system state, which is what makes the result trustworthy. Run fewer tests, or schedule audits off-peak, rather than looking for a cache option.

3. Parallel Scanning

# Audit several hosts at once over SSH; each writes its own report locally
for server in server1 server2 server3; do
    ssh -o BatchMode=yes "$server" \
        "sudo lynis audit system --cronjob --quiet --report-file /var/log/lynis-report.dat" \
        > "lynis-${server}.log" 2>&1 &
done
wait

# Collect the root-owned reports for central parsing
for server in server1 server2 server3; do
    ssh -o BatchMode=yes "$server" "sudo cat /var/log/lynis-report.dat" > "lynis-report-${server}.dat"
done

Troubleshooting

Common Issues

Issue 1: Permission Denied, or Lynis Refuses to Start

# Most tests need root; run with sudo (an unprivileged run skips many tests)
sudo lynis audit system

# A manual install refuses to run when its files are not owned by root or are
# writable by others; fix ownership and permissions
sudo chown -R root:root /opt/lynis
sudo chmod -R go-w /opt/lynis

Issue 2: Tests Failing or Giving Unexpected Results

# Run with verbose output
sudo lynis audit system --verbose

# Read what a test checks, then run only that test
sudo lynis show details TEST-ID
sudo lynis audit system --tests TEST-ID

# Enable debug logging on screen
sudo lynis audit system --debug

# The full trail of every test is in the log
sudo less /var/log/lynis.log

Issue 3: Report Not Generated

# By default the report is /var/log/lynis-report.dat and the log /var/log/lynis.log;
# if you pass --report-file, its directory must exist and be writable by root
sudo mkdir -p /var/log/lynis
sudo chown root:root /var/log/lynis
sudo chmod 700 /var/log/lynis

# Check permissions
ls -la /var/log/lynis/

# Run with an explicit report path
sudo lynis audit system --report-file /tmp/lynis-report.dat

Best Practices

1. Regular Auditing Schedule

# Daily audit (quiet; results go to the default report file)
0 2 * * * /usr/bin/lynis audit system --cronjob --quiet

# Weekly audit with a dated report kept for trending (% must be escaped in crontab)
0 3 * * 0 /usr/bin/lynis audit system --cronjob --report-file /var/log/lynis/lynis-report-$(date +\%Y\%m\%d).dat

# Monthly run with the compliance profile (compliance_standards= set in that profile)
0 4 1 * * /usr/bin/lynis audit system --cronjob --profile /etc/lynis/compliance.prf --report-file /var/log/lynis/compliance-$(date +\%Y\%m).dat

2. Baseline Management

# Create a baseline after the initial hardening
sudo lynis audit system --cronjob --report-file /var/log/lynis/baseline.dat

# Compare findings only: the report also contains timestamps and counters
# that differ on every run. New findings show as ">", fixed ones as "<".
grep -E '^(warning|suggestion)\[\]=' /var/log/lynis/baseline.dat | sort > /tmp/baseline.txt
grep -E '^(warning|suggestion)\[\]=' /var/log/lynis/latest-report.dat | sort > /tmp/latest.txt
diff /tmp/baseline.txt /tmp/latest.txt

# Track changes over time (keep the repository root-only: reports describe weaknesses)
sudo chmod 700 /var/log/lynis
cd /var/log/lynis && sudo git init
sudo git add baseline.dat
sudo git commit -m "Initial baseline"

3. Continuous Improvement

# 1. Review suggestions monthly
# 2. Fix warnings immediately
# 3. Document every change and every accepted risk (skip-test entries)
# 4. Retest after remediation
# 5. Track the hardening index over time

# Create trending script
#!/bin/sh
# score-trend.sh: hardening index and finding counts per dated report

for report in /var/log/lynis/lynis-report-*.dat; do
    DATE=$(basename "$report" .dat | sed 's/^lynis-report-//')
    INDEX=$(sed -n 's/^hardening_index=//p' "$report")
    WARNINGS=$(grep -c '^warning\[\]=' "$report" || true)
    SUGGESTIONS=$(grep -c '^suggestion\[\]=' "$report" || true)
    echo "$DATE: index $INDEX, $WARNINGS warnings, $SUGGESTIONS suggestions"
done

Lynis vs Other Audit Tools

Tool              Purpose                          Strengths                                   Weaknesses
Lynis             Host hardening audit             Lightweight, no agent, active development   Not a full CIS benchmark; no vulnerability database
OpenSCAP          Compliance scanning              SCAP/CIS/STIG content, remediation output   Complex setup, verbose content
CIS Benchmarks    Configuration standards          Industry reference documents                Manual application (or CIS-CAT tooling)
CrowdStrike       Endpoint detection and response  Real-time monitoring, threat intelligence   Commercial
Nessus            Vulnerability scanning           Comprehensive vulnerability database        Commercial

Conclusion

Lynis is an invaluable tool for maintaining and improving Linux system security in 2026. Its comprehensive scanning, clear recommendations, and active development make it essential for security-conscious administrators.

Key Takeaways:

  • Run regular Lynis audits (daily quick, weekly full)
  • Prioritize and address findings systematically
  • Use custom profiles for specific requirements
  • Integrate with monitoring and configuration management
  • Track security improvements over time
  • Combine with other security tools for complete protection

Remember: Security is a journey, not a destination. Regular Lynis audits help you stay ahead of threats and maintain compliance with industry standards.



Frequently Asked Questions (FAQs)

Q: How often should I run Lynis audits? A: Daily quick scans for production, weekly comprehensive audits, and monthly compliance checks.

Q: Does Lynis modify system files? A: It does not change configuration. It reads system state and writes only its own log (/var/log/lynis.log) and report (/var/log/lynis-report.dat) files; remediation is always a separate, deliberate step.

Q: Can Lynis detect all security issues? A: No single tool can detect everything. Use Lynis as part of a comprehensive security strategy.

Q: Is Lynis suitable for containerized environments? A: Partly. Run it inside a container to audit that container's image and configuration (kernel and boot tests are skipped or meaningless there), use lynis audit dockerfile to review Dockerfiles, and audit the container host with a normal host install.

Q: How do I address Lynis recommendations? A: Prioritize by severity (Critical > High > Medium > Low), test changes, and verify resolution.

Q: Can I customize Lynis for my organization? A: Yes. Use custom profiles to skip tests and select standards, add custom tests in include/tests_custom, and select tests per run with --tests or --tests-from-group.


Written by Suresh S

Founder of FreeTechLearner, a technology blog dedicated to Linux, Open Source, Cybersecurity, Cloud Computing, Self-Hosting, and AI. I create practical tutorials and learning resources that help students, beginners, and tech enthusiasts build real-world skills and stay updated with modern technology.
