Lynis Security Audits

Lynis is an open-source security auditing tool that performs a comprehensive automated security scan of your Ubuntu system. It checks hundreds of security-relevant settings, from SSH configuration to file permissions to kernel parameters, and provides a prioritized list of findings. It is one of the fastest ways to assess the security posture of a new or existing server and generate a concrete hardening todo list.

What is Lynis?

# Lynis checks, among other areas:
# - Authentication configuration (SSH, PAM, sudo)
# - Network settings and listening ports
# - File permissions on sensitive files
# - Kernel security parameters (sysctl)
# - Installed software and pending package updates
# - Logging and audit configuration
# - Malware and rootkit indicators (scanners present, suspicious files)
# - Hints that map to frameworks such as CIS and PCI-DSS
#   (full compliance reporting is a Lynis Enterprise feature, not part of the open-source tool)

# Install Lynis. The Ubuntu archive package works but is usually several
# releases behind upstream; for the current version add the official CISOfy
# repository (https://packages.cisofy.com/) before installing.
sudo apt install -y lynis

Running a Lynis audit

# Run a full system audit (run as root: many tests are skipped without it)
sudo lynis audit system

# Quiet mode: suppress per-test progress, keep warnings and suggestions
sudo lynis audit system --quiet 2>/dev/null

# Save output to a file (--no-colors keeps ANSI escape codes out of the file)
sudo lynis audit system --no-colors 2>/dev/null | tee /tmp/lynis-report-$(date +%Y%m%d).txt

# Run only the tests of one group; list the valid group names with: sudo lynis show groups
sudo lynis audit system --tests-from-group authentication

Reading Lynis output

Lynis output categories

While the scan runs, each test prints an inline status. The summary at the end repeats every warning and suggestion with its test ID in brackets and a link of the form https://cisofy.com/lynis/controls/<TEST-ID>/ that explains the control and the recommended fix:

  [ WARNING ]     Needs attention now               (listed with "!" in the summary)
  [ SUGGESTION ]  Evaluate and apply where it fits  (listed with "*" in the summary)
  [ OK ]          Setting is compliant, no action needed

Example findings:
  [WARNING]    PermitRootLogin is set to 'yes'
  [SUGGESTION] Consider disabling core dumps
  [SUGGESTION] Install a malware scanner (clamd, chkrootkit, rkhunter)

Hardening index: 64 (scale 0-100)
  The index is a relative score, not a pass/fail grade; rough bands:
  Below 65: significant hardening needed
  65-80: good baseline
  80+: well-hardened

# Show the details of one finding from the last run by its test ID
# (the core dump suggestion above is test KRNL-5820)
sudo lynis show details KRNL-5820

# Machine-readable report of the last run: one key=value line per item; findings are
# stored as warning[]=TEST-ID|description|details|solution| (suggestion[]= likewise)
sudo grep -E '^(warning|suggestion)\[\]=' /var/log/lynis-report.dat | head -30

# The hardening index is recorded in the same file
sudo grep '^hardening_index=' /var/log/lynis-report.dat

# The full console log of the last run, for context around a finding
sudo less /var/log/lynis.log

Acting on suggestions

Common finding                        Fix
------------------------------------  ------------------------------------------------------------
PermitRootLogin is yes                Set PermitRootLogin no in /etc/ssh/sshd_config
Password authentication is enabled    Set PasswordAuthentication no in sshd_config, only after
                                      key-based login has been verified from a second session
unattended-upgrades not enabled       sudo dpkg-reconfigure unattended-upgrades
No file integrity / malware tooling   Install aide (file integrity), rkhunter (rootkit scanner);
                                      fail2ban adds brute-force banning but is not an IDS
Kernel hardening parameters           Set sysctl parameters in /etc/sysctl.d/99-hardening.conf
Process accounting not enabled        sudo apt install -y acct; sudo accton on

After editing sshd_config, validate it with sshd -t before reloading the service, and keep your current SSH session open until a new login succeeds.
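The sshd_config rows above are the ones most often re-flagged on the next audit when an edit left a second, later PermitRootLogin line in place (sshd honours the first match). The script below is an added example, not Lynis code or this page's own: it sets a directive idempotently, replacing the first active or commented occurrence, dropping later duplicates, and appending when absent. It works on whatever file you pass, so it is exercised here on a constructed sample rather than /etc/ssh/sshd_config. Directives inside Match blocks are not treated specially (assumption: the hardening targets the global section).

```shell
#!/bin/sh
# Added example (not from Lynis or this page): idempotently apply sshd_config
# directives named in Lynis findings. Operates on the file given as $1, so it
# can be tested on a constructed copy before touching /etc/ssh/sshd_config.
set -eu

# set_sshd_option FILE KEY VALUE
# sshd uses the first matching directive, so the first active or commented
# "KEY ..." line becomes "KEY VALUE" and later duplicates are dropped;
# if the file has no such line the directive is appended at the end.
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { done = 0 }
    {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indentation and comment marker
      split(line, f, /[ \t=]+/)             # keywords are case-insensitive in sshd
      if (tolower(f[1]) == tolower(key)) {
        if (!done) { print key " " value; done = 1 }
        next                                 # drop duplicates of the same key
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"                       # keep the original mode and owner
  rm -f "$tmp"
}

# get_sshd_option FILE KEY -> effective value (first active directive), or empty
get_sshd_option() {
  awk -v key="$2" '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      split(line, f, /[ \t=]+/)
      if (tolower(f[1]) == tolower(key)) { print f[2]; exit }
    }
  ' "$1"
}

# Demo on a constructed sshd_config (not a real host's file)
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sample
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin yes
EOF
set_sshd_option "$cfg" PermitRootLogin no
set_sshd_option "$cfg" PasswordAuthentication no
set_sshd_option "$cfg" X11Forwarding no
echo "PermitRootLogin=$(get_sshd_option "$cfg" PermitRootLogin)"
cat "$cfg"
rm -f "$cfg"
```

On a real host run it against /etc/ssh/sshd_config from a session you keep open, then `sudo sshd -t` and reload ssh only if the syntax check passes; re-running the script after the next audit is safe because it never adds a second copy of a directive.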
# Kernel hardening suggested by Lynis:
sudo nano /etc/sysctl.d/99-hardening.conf

Common kernel hardening parameters

/etc/sysctl.d/99-hardening.conf

kernel.dmesg_restrict = 1                       # Restrict dmesg to root
kernel.kptr_restrict = 2                        # Hide kernel pointers in /proc, even from root
net.ipv4.conf.all.log_martians = 1              # Log packets with impossible source addresses
net.ipv4.icmp_ignore_bogus_error_responses = 1  # Do not log bogus ICMP errors from broken hosts
net.ipv4.conf.all.rp_filter = 1                 # Strict reverse path filtering; use 2 (loose) on
                                                # multi-homed hosts with asymmetric routing
net.ipv4.tcp_syncookies = 1                     # SYN flood protection

# Apply immediately. --system loads every file under /etc/sysctl.d in name
# order, so 99-hardening.conf overrides earlier defaults.
sudo sysctl --system

Scheduling regular audits

# Run Lynis monthly and save results for comparison
sudo nano /etc/cron.d/lynis-audit

/etc/cron.d/lynis-audit

# --cronjob implies non-interactive, quiet, colorless output; cron needs the % signs escaped
0 2 1 * * root /usr/bin/lynis audit system --cronjob > /var/log/lynis-$(date +\%Y\%m).log 2>&1

# Compare two monthly logs. diff prefixes changed lines with < or >, so match on that
# plus the bracketed test ID every finding carries (a "^\[WARNING\]" pattern never matches diff output).
# Note that /var/log/lynis-report.dat is overwritten on every run; copy it with a date
# suffix after each audit if you want a structured, per-test-ID comparison.
diff /var/log/lynis-202605.log /var/log/lynis-202606.log | grep -E '^[<>].*\[[A-Z]+-[0-9]+\]'
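The report file described under "Reading Lynis output" is the reliable source for month-to-month comparison: one finding per `warning[]=` or `suggestion[]=` line, keyed by test ID, so "new" and "resolved" can be computed exactly instead of eyeballing a text diff. The script below is an added example, not Lynis code or this page's own; the two sample reports it writes are constructed to mimic the real key=value layout (the test IDs and texts are illustrative, not copied from a host), and `lynis_compare` takes any two dated copies of /var/log/lynis-report.dat.

```shell
#!/bin/sh
# Added example (not part of Lynis or this page): parse /var/log/lynis-report.dat
# and compare two saved copies by test ID. Lynis overwrites report.dat on every
# run, so copy it with a date suffix after each scheduled audit.
set -eu

# lynis_findings FILE
# Prints "warning|suggestion TEST-ID description", sorted by test ID.
# Report lines look like:  suggestion[]=KRNL-5820|Consider disabling core dumps|-|-|
lynis_findings() {
  awk -F'|' '/^(warning|suggestion)\[\]=/ {
    split($1, kv, "=")          # kv[1]="warning[]", kv[2]=test ID
    sub(/\[\]$/, "", kv[1])
    print kv[1], kv[2], $2
  }' "$1" | sort -k2,2
}

# lynis_index FILE -> the hardening index recorded for that run
lynis_index() {
  awk -F= '$1 == "hardening_index" { print $2 }' "$1"
}

# lynis_ids FILE -> unique, sorted test IDs (comm needs sorted input)
lynis_ids() {
  lynis_findings "$1" | awk '{ print $2 }' | sort -u
}

# lynis_compare OLD NEW
# RESOLVED = test ID present in OLD only; NEW = present in NEW only.
lynis_compare() {
  old_ids=$(mktemp); new_ids=$(mktemp)
  lynis_ids "$1" > "$old_ids"
  lynis_ids "$2" > "$new_ids"
  comm -23 "$old_ids" "$new_ids" | sed 's/^/RESOLVED /'
  comm -13 "$old_ids" "$new_ids" | sed 's/^/NEW /'
  rm -f "$old_ids" "$new_ids"
}

# write_samples OLD NEW: constructed reports mimicking two monthly runs
# (illustrative test IDs and texts, not copied from a real host)
write_samples() {
  cat > "$1" <<'EOF'
lynis_version=3.0.9
hardening_index=64
warning[]=SSH-7412|PermitRootLogin is set to yes|-|-|
suggestion[]=KRNL-5820|Consider disabling core dumps|-|-|
suggestion[]=HRDN-7230|Install a malware scanner|-|-|
EOF
  cat > "$2" <<'EOF'
lynis_version=3.0.9
hardening_index=71
suggestion[]=HRDN-7230|Install a malware scanner|-|-|
warning[]=PKGS-7392|Found one or more vulnerable packages|-|-|
EOF
}

# Demo on the constructed samples (substitute dated copies of lynis-report.dat)
old=$(mktemp); new=$(mktemp)
write_samples "$old" "$new"
echo "hardening index: $(lynis_index "$old") -> $(lynis_index "$new")"
lynis_compare "$old" "$new"
rm -f "$old" "$new"
```

A finding that appears under NEW after a package update or config change is the drift the monthly schedule is meant to catch; a rising hardening index with no RESOLVED lines means the index moved for another reason (a new Lynis version adds and reweights tests), so compare by test ID, not by score alone.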

Conclusion

Run sudo lynis audit system on every new server as part of your deployment checklist. Work through WARNING findings first, then SUGGESTIONS, and look up any test ID you do not understand on its cisofy.com control page. The hardening index is a relative measure: track it over time on the same host to verify that your hardening is moving in the right direction, rather than comparing it across servers with different roles or Lynis versions. Schedule monthly audits to catch configuration drift and new findings. Lynis is an audit, not a penetration test: it reports what it can see on the host and changes nothing, but it is an excellent automated baseline that surfaces the most common misconfigurations.

FAQ

Is Lynis Security Audits important for Ubuntu administrators?

Yes. One audit produces a prioritized hardening list for a new or existing server within minutes, and the hardening index gives you a number to track for configuration drift.

Should I practice this on a live server?

Use a lab VM first. The audit itself changes nothing, but the fixes it suggests (sshd_config, sysctl, new packages) can lock you out or break services; understand each command's output and rollback path before applying it on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
