Running a Lynis audit is the fastest way to get an honest picture of your Linux server’s security posture. Lynis is an open-source security auditing tool that performs over 300 checks — covering authentication, file system permissions, kernel hardening, network services, software vulnerabilities, and compliance controls — then produces a hardening index score between 0 and 100. In this guide you will install Lynis, interpret its output, apply the most impactful hardening recommendations, and automate recurring audits for continuous Linux compliance.
Prerequisites
- A Linux server (Ubuntu 20.04/22.04, Debian 11/12, RHEL/CentOS/AlmaLinux 8/9, or equivalent)
- Root or `sudo` access
- Basic familiarity with the command line and reading log output
- Optional: `auditd` and `aide` installed for full test coverage
Installing Lynis
Lynis is available in standard package repositories, but the CISOfy-maintained repository always provides the latest version — which matters because Lynis tests are updated frequently as new CVEs are published.
Ubuntu / Debian:

```bash
sudo apt install -y apt-transport-https gnupg
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /usr/share/keyrings/cisofy.gpg
echo "deb [signed-by=/usr/share/keyrings/cisofy.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" \
  | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
sudo apt update && sudo apt install lynis
```
RHEL / CentOS / AlmaLinux:

```bash
sudo rpm --import https://packages.cisofy.com/keys/cisofy-software-public.key
cat <<EOF | sudo tee /etc/yum.repos.d/cisofy-lynis.repo
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgcheck=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-public.key
EOF
sudo yum install lynis
```

Verify the installation:

```bash
lynis show version
```
Running Your First Lynis Audit
A full system audit takes 2-5 minutes and requires root to test all controls:

```bash
sudo lynis audit system
```
Lynis streams results to the terminal and writes a detailed log to `/var/log/lynis.log` and a report to `/var/log/lynis-report.dat`. The terminal output uses colour-coded labels:

| Label | Meaning |
|---|---|
| [OK] | Test passed |
| [WARNING] | Security weakness — fix as a priority |
| [SUGGESTION] | Improvement recommended — lower urgency |
| [FOUND] | Item discovered (neutral) |
| [NOT FOUND] | Tool or file not present |

At the end of the scan look for the `Hardening index` line:

```
Hardening index : 62 [############ ]
```
A fresh Ubuntu 22.04 server with default settings typically scores around 60-65. Your goal is 80+.
Understanding and Prioritising Lynis Output
Warnings — fix first
Warnings indicate real security gaps. Common warnings on a default install include:
- SSH root login enabled — `PermitRootLogin yes` in `/etc/ssh/sshd_config`
- No password for GRUB — bootloader unprotected
- Compiler tools installed — `gcc` on a production server
- No firewall active — no `ufw`, `firewalld`, or `iptables` rules found
- World-writable files — files anyone can modify

For each warning, Lynis prints a test ID such as `SSH-7412`. Use it to look up the exact remediation:

```bash
lynis show details SSH-7412
```
Suggestions — harden over time
Suggestions are security best practices that are not urgent but raise your score:
- Install `auditd` for kernel-level audit logging
- Enable process accounting (`acct`)
- Configure `umask 027` for stricter file creation permissions
- Add `apt-listchanges` to monitor package changelog security notices
- Enable `AIDE` (file integrity monitoring)
Key Hardening Actions After a Lynis Audit
Below are the highest-impact fixes that move the hardening index the most.
1. Harden SSH
```bash
sudo nano /etc/ssh/sshd_config
```

Set these values:

```
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowTcpForwarding no
```

Validate the file with `sudo sshd -t` (it prints nothing when the configuration is valid), then restart SSH: `sudo systemctl restart sshd`. Because `PasswordAuthentication no` disables password logins, confirm that key-based login works from a second session before closing the one you are working in.
2. Apply sysctl kernel hardening
Create `/etc/sysctl.d/99-hardening.conf`:

```
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Enable SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Log martian packets
net.ipv4.conf.all.log_martians = 1
# Disable IPv6 if not needed
net.ipv6.conf.all.disable_ipv6 = 1
```

Apply: `sudo sysctl --system`
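To confirm the file above is actually in effect, and stays so between audits, here is an added POSIX shell check that is not part of Lynis or of this guide: it reads each `key = value` line of a sysctl file, looks up the live value under `/proc/sys`, and reports drift. The optional second argument is an assumed testing hook that overrides the `/proc/sys` root so the check can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not Lynis code: detect drift between a sysctl hardening
# file and the values the running kernel reports under /proc/sys.
# Usage: sysctl_drift /etc/sysctl.d/99-hardening.conf [proc_sys_root]
# The optional root argument is a testing hook (an assumption, not a sysctl feature).

# Map a key such as net.ipv4.tcp_syncookies to <root>/net/ipv4/tcp_syncookies.
sysctl_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr '.' '/')"
}

# Print "OK key=value" or "DRIFT key expected=X actual=Y" for every key.
# Return value is the number of drifted or unreadable keys (0 = fully applied).
sysctl_drift() {
    conf=$1; root=${2:-/proc/sys}; bad=0
    tmp=$(mktemp)
    # Drop comments and blank lines; turn "key = value" into "key value".
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/ /' "$conf" > "$tmp"
    while read -r key want; do
        path=$(sysctl_path "$key" "$root")
        if [ -r "$path" ]; then have=$(cat "$path"); else have="(unreadable)"; fi
        if [ "$have" = "$want" ]; then
            echo "OK    $key=$want"
        else
            echo "DRIFT $key expected=$want actual=$have"
            bad=$((bad + 1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$bad"
}
```

A non-zero exit status from `sysctl_drift` is what a cron job should alert on; an "(unreadable)" value usually means the key does not exist on this kernel (for example an IPv6 key on a host with IPv6 compiled out), so the line is either obsolete or mistyped.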
3. Install and configure auditd
```bash
sudo apt install auditd audispd-plugins
sudo systemctl enable auditd --now
```

Add a rule for privileged command logging:

```bash
sudo auditctl -a always,exit -F arch=b64 -S execve -k exec_commands
```

This rule records every `execve` by a 64-bit binary and is verbose on a busy host, so plan for log rotation. It is also loaded into memory only: to keep it across reboots, put the same rule (without the `auditctl` prefix) in a file under `/etc/audit/rules.d/` and reload with `sudo augenrules --load`.
4. Enable a firewall
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
```
After applying these four changes, a typical server score jumps from 62 to 75-80.
Lynis vs. Alternative Security Auditing Tools
| Tool | Type | Scope | CIS Benchmarks | Remediation | Best For |
|---|---|---|---|---|---|
| Lynis | Local agent | Linux/macOS | Partial | Suggestions | Sysadmin hands-on hardening |
| OpenSCAP | Local agent | Linux | Full SCAP/XCCDF | Automated | Compliance-driven orgs (DISA STIG) |
| CIS-CAT Lite | Local agent | Multi-OS | Full CIS | Report only | CIS benchmark scoring |
| Wazuh | Agent + server | Multi-OS | Yes | Alerts | Centralised SIEM + compliance |
| Nessus Essentials | Network scanner | Multi-OS | Yes | Report | External vulnerability scanning |
| Trivy | Container/code | Containers, IaC | Partial | Report | DevSecOps pipelines |
Lynis excels for individual server hardening by a sysadmin. For enterprise-wide compliance dashboards or container security, combine Lynis with Wazuh or OpenSCAP.
Real-World Scenario
You have a production web server running Ubuntu 22.04 with Nginx, MySQL, and a Node.js application. It was deployed six months ago and has never been audited. A security review is now required before the company’s ISO 27001 audit.
You run `sudo lynis audit system` and get a score of 58 with 7 warnings and 34 suggestions. The critical warnings are:

- SSH root login enabled — your deployment scripts still use the root account
- No firewall rules — the instance relies solely on the cloud security group
- MySQL listening on 0.0.0.0 — exposed to the internal network unnecessarily
- `/tmp` mounted with `exec` permissions — allows code execution from temp files
You work through each warning:
- Update deployment scripts to use a dedicated deploy user with sudo, then set `PermitRootLogin no`
- Add `ufw` rules allowing only ports 22, 80, and 443
- Bind MySQL to `127.0.0.1` in `/etc/mysql/mysql.conf.d/mysqld.cnf`
- Add `noexec` to the `/tmp` mount in `/etc/fstab` and remount
Re-running Lynis gives a score of 79. You address five more high-priority suggestions (install auditd, set umask 027, disable unused kernel modules) and reach 84 — well above the 80 threshold required for the audit.
Gotchas and Edge Cases
Score varies by what’s installed. Lynis skips tests for tools that are absent (e.g., if postfix is not installed, all mail-related tests are skipped). A minimal server may score higher simply because fewer attack surface tests apply — not because it is more hardened.
Some suggestions conflict with application requirements. Disabling compiler tools (gcc) scores points, but a server that compiles software (CI runner, build host) legitimately needs them. Apply judgment — Lynis is a guide, not an absolute rulebook.
Re-running without changes still varies slightly. Lynis tests system state in real time. If a process starts or stops between runs, scores can shift by 1-2 points. Consider this normal noise.
Root-only tests. Running Lynis as a non-root user will skip many privileged tests and produce a lower, less meaningful score. Always run with sudo.
Custom profiles. For environments with specific requirements (PCI-DSS, HIPAA), use `--profile` to load a custom Lynis profile that enables or disables specific test groups. Copy `/etc/lynis/default.prf` and modify it to suppress false positives for your environment.
Troubleshooting
“Warning: lynis executable not found” — the CISOfy repository package installs to `/usr/bin/lynis`. If you installed via a tarball, ensure the path is in your `$PATH` or call it with the full path.

Audit exits with permission errors — certain tests check `/proc`, `/sys`, and `/etc/shadow`. These require root. Run with `sudo lynis audit system`, not as a regular user.

Log file not written — `/var/log/lynis.log` requires write permissions. On SELinux-enforcing systems, check `ausearch -m avc -ts recent` for denials related to lynis. You may need to add a custom SELinux policy or use `--logdir /tmp` as a workaround.

Score dropped after an OS update — package updates can install new software that Lynis now tests. Review new warnings and suggestions introduced by the update; they represent newly detected attack surface.

Cron job produces no output — run with `--quiet --cronjob` and redirect output to a file: `sudo lynis audit system --quiet --cronjob >> /var/log/lynis-cron.log 2>&1`. Use logrotate to manage the file size.
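For the recurring cron runs described here and the report file introduced under "Running Your First Lynis Audit", the following added POSIX shell gate (not Lynis code and not from the original guide) reads `/var/log/lynis-report.dat`, lists WARNING and SUGGESTION entries by test ID, and exits non-zero when the hardening index is below a threshold (default 80, the target this guide sets). It relies on the report's `hardening_index=`, `warning[]=` and `suggestion[]=` keys; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not Lynis code: summarise a Lynis report file and fail when
# the hardening index is below a threshold, for a weekly cron job or a CI step
# run after `lynis audit system --quiet --cronjob`.
# Report entries look like (constructed sample, pipe-separated fields):
#   hardening_index=62
#   warning[]=SSH-7412|Consider hardening SSH configuration|-|-|
#   suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|

# Print the hardening index recorded in the report (empty if none).
lynis_index() {
    sed -n 's/^hardening_index=//p' "$1" | head -n 1
}

# Print one line per finding: "<TYPE> <TEST-ID>  <message>".
lynis_findings() {
    awk -F'|' '
        index($0, "warning[]=") == 1    { $0 = substr($0, 11); print "WARNING    " $1 "  " $2 }
        index($0, "suggestion[]=") == 1 { $0 = substr($0, 14); print "SUGGESTION " $1 "  " $2 }
    ' "$1"
}

# Exit status: 0 if index >= threshold, 1 if below, 2 if the report has no index.
lynis_gate() {
    report=$1; threshold=${2:-80}
    index=$(lynis_index "$report")
    [ -n "$index" ] || { echo "no hardening_index in $report" >&2; return 2; }
    lynis_findings "$report"
    echo "Hardening index: $index (threshold $threshold)"
    [ "$index" -ge "$threshold" ]
}

# Typical cron usage, commented out so the block has no side effects when sourced:
# lynis_gate /var/log/lynis-report.dat 80 >> /var/log/lynis-cron.log 2>&1 \
#   || logger -p auth.warning "Lynis hardening index below threshold"
```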
Summary
- Lynis audit scans over 300 security controls and produces a hardening index from 0 to 100
- Fresh Linux installs typically score 55-65; target 80+ for production servers
- Address WARNING items first (real vulnerabilities), then work through SUGGESTION items
- The highest-impact fixes are: disable SSH root login, enable a firewall, install auditd, and apply sysctl kernel hardening
- Lynis is read-only — it never modifies your system; all changes are applied manually
- Use `--profile` to suppress false positives specific to your environment
- Schedule weekly cron runs to maintain your hardening score over time as the system changes
- For enterprise compliance (CIS, DISA STIG), combine Lynis with OpenSCAP or Wazuh