Lynis Linux Security Audit Tool: Hardening and Compliance Guide

By Webner

Lynis is an open-source security auditing tool for Linux, macOS and other Unix-based systems. As part of its hardening and compliance testing, it performs an extensive health scan of a host and reports what it finds as warnings, suggestions and a hardening index. The open-source version of the project has been available since 2007 under the GPL license.

Step 1. Download the tool

https://downloads.cisofy.com/lynis/lynis-3.1.2.tar.gz

Copy the link, download the archive to your system and unpack it:

wget https://downloads.cisofy.com/lynis/lynis-3.1.2.tar.gz

tar -xvf lynis-3.1.2.tar.gz

cd lynis

Before running anything from a downloaded archive, verify it: CISOFY publishes a detached GPG signature (.asc) next to each release tarball, signed with the same CISOFY public key that is used for the package repository described below. Lynis also checks who owns its own files: when it is run with sudo from a directory that was extracted by a normal user, it stops and asks for the files to be made root-owned (chown -R 0:0 on the lynis directory) first.

Step 2. Run the scan with the command below

./lynis audit system -Q

The -Q (quick) option runs the whole scan without pausing for keyboard input between test groups. Run it with sudo (or as root) for a complete audit; without privileges Lynis skips the tests that need root access.

Note: Lynis ends each scan with a hardening index between 0 and 100. Lynis itself does not enforce a pass mark; in this guide an index of 70 or higher is treated as a passing score.

Another way to install Lynis is from the CISOFY package repository:

https://packages.cisofy.com/community/

https://cisofy.com/documentation/lynis/get-started/

For Ubuntu (and Debian):

https://packages.cisofy.com/community/#debian-ubuntu

Step 1. Import the signing key

For these commands, root access may be needed. Use sudo or run as the root user.

Suggested method to download the key and convert it to the binary format APT expects:

curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg

A key placed in /etc/apt/trusted.gpg.d/ is trusted for every repository on the system. If you want this key to vouch for this repository only, store it outside that directory (for example under /usr/share/keyrings/) and reference it with signed-by in the repository definition below; APT then rejects packages from this source that are not signed with this key, and the key cannot be used to sign packages for any other source.

Step 2. Add the software repository

HTTPS is used for the secure transport of the software repository. On older releases, install the https method for APT if it is not already available (on current Ubuntu and Debian releases HTTPS support is built into apt and this package is only a transitional stub):

sudo apt install apt-transport-https

If you only use your software in English, you can configure APT to skip downloading translations. This saves bandwidth and reduces the load on the repository servers (optional):

echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations

The next step is adding the repository, pinned to the key imported above and to the architectures the repository serves:

echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list

Step 3. Install Lynis

Refresh the local package database with the new repository data:

sudo apt update

Then execute the following command to install the tool:

sudo apt install lynis

Note: older Ubuntu versions may need sudo apt-get install lynis

Step 4. Confirm the Lynis version

lynis show version

Step 5. Run the scan with the command below

lynis audit system -Q

Run it with sudo (or as root) for a complete audit; an unprivileged run skips the tests that need root access.

Step 6. Check the results

Lynis writes two files: a detailed log of the run in /var/log/lynis.log and a machine-readable report in

/var/log/lynis-report.dat

The report is a list of key=value lines. Warnings appear as warning[]=TEST-ID|message|details|... and suggestions as suggestion[]=TEST-ID|message|details|..., and the hardening_index line holds the score shown at the end of the scan, so the report can be consumed by scripts and configuration-management tooling without parsing the screen output.
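As an added example (not from the original post and not part of Lynis), the POSIX shell script below shows how to consume lynis-report.dat in automation: it extracts the hardening index, the warnings and the suggestion count, and acts as a gate that fails when the index is below the 70% pass mark used in this guide or when any warning is present. The sample report it writes is constructed for the demo and modelled on the key=value / warning[] / suggestion[] layout Lynis uses; the test IDs in it are illustrative only, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: a gate over a Lynis report file (lynis-report.dat).
# Not part of Lynis or of the original post; function names are this
# example's own. Real use: lynis_gate /var/log/lynis-report.dat 70

# Print the hardening index from the report, or 0 when the key is missing.
lynis_hardening_index() {
    awk -F= '$1 == "hardening_index" { v = $2 } END { print (v == "" ? 0 : v) }' "$1"
}

# Print warnings as "TEST-ID: message", one per line.
# Report lines look like: warning[]=TEST-ID|message|details|...
lynis_warnings() {
    awk -F'|' 'sub(/^warning\[\]=/, "") { print $1 ": " $2 }' "$1"
}

# Print the number of suggestion[] lines in the report.
lynis_suggestion_count() {
    awk '/^suggestion\[\]=/ { n++ } END { print n + 0 }' "$1"
}

# Gate: succeed (return 0) only when the hardening index reaches the
# threshold (default 70, the pass mark used in this guide) and the report
# contains no warnings. Suggestions are reported but never block.
lynis_gate() {
    report=$1
    threshold=${2:-70}
    index=$(lynis_hardening_index "$report")
    warnings=$(lynis_warnings "$report")
    status=0

    if [ "$index" -ge "$threshold" ]; then
        echo "OK: hardening index $index (threshold $threshold)"
    else
        echo "FAIL: hardening index $index is below $threshold"
        status=1
    fi

    if [ -n "$warnings" ]; then
        echo "FAIL: report contains warnings:"
        echo "$warnings" | sed 's/^/  /'
        status=1
    fi

    echo "INFO: $(lynis_suggestion_count "$report") suggestion(s) to review"
    return "$status"
}

# Constructed sample report for the demo (not real scan output); the layout
# follows the key=value / warning[] / suggestion[] format Lynis writes.
write_sample_report() {
    cat > "$1" <<'EOF'
# Lynis Report
report_version_major=1
report_version_minor=0
hostname=demo-host
hardening_index=62
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
EOF
}

# Demo: run with "demo" as the first argument to gate the sample report.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_report "$tmp"
    lynis_gate "$tmp" 70
    rm -f "$tmp"
fi
```

The gate treats warnings as blocking regardless of the index, because a single warning (for example a firewall with no active rules) can matter more than several points of hardening index; suggestions are only counted, since many of them are advisory and need a human decision. Wire lynis_gate into a post-provisioning check or CI job and fail the run on a non-zero exit status.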

Lynis also has a forensics mode for examining a running or mounted system (for example, a disk image of a suspected compromised host mounted on an analysis machine):

lynis audit system -Q --forensics

The full list of commands and options is available from the built-in help (lynis show help):

Lynis 3.1.2 - Help

==========================

Use 'lynis show help <command>' to see details

  Command:
    audit
        audit system                  : Perform local security scan
        audit system remote <host>    : Remote security scan
        audit dockerfile <file>       : Analyze Dockerfile
    show
        show                          : Show all commands
        show version                  : Show Lynis version
        show help                     : Show help
    update
        update info                   : Show update details

  Options:
    Alternative system audit modes
    --forensics                       : Perform forensics on a running or mounted system
    --pentest                         : Non-privileged, show points of interest for pentesting

    Layout options
    --no-colors                       : Don't use colors in output
    --quiet (-q)                      : No output
    --reverse-colors                  : Optimize color display for light backgrounds
    --reverse-colours                 : Optimize colour display for light backgrounds

    Misc options
    --debug                           : Debug logging to screen
    --no-log                          : Don't create a log file
    --profile <profile>               : Scan the system with the given profile file
    --view-manpage (--man)            : View man page
    --verbose                         : Show more details on screen
    --version (-V)                    : Display version number and quit
    --wait                            : Wait between a set of tests
    --slow-warning <seconds>          : Threshold for slow test warning in seconds (default 10)

    Enterprise options
    --plugindir <path>                : Define path of available plugins
    --upload                          : Upload data to central node

    More options are available. Run '/usr/sbin/lynis show options', or use the man page.
