Lynis VS Nessus

Comparison of both products

Professionals ask us often how Lynis is different than Tenable Nessus. As the original author of Lynis, let me address that very interesting question.

Different goal

Nessus is focused on vulnerability scanning, or in other words, finding weaknesses in you environment. The huge amount of plugins and their actions show that this is the primary focus. Along the way it started to implement others services, like compliance checking.

Lynis also detects vulnerabilities, but that is not its main goal. Primary focus for Lynis is auditing the system and helping the user with follow-up: system hardening. Lynis is hungry for data, so it can combine things and give the user better advice.

Focus on Detection versus Prevention

Both tools focus on detection. Where Nessus definitely discovers a lot of weaknesses, Lynis checks for more than just that. It goes beyond just checking for a version number or configuration file, by also confirming that the configuration is working. Lets say you configured a few DNS servers, but some are not reachable. Lynis will discover this and tell you about it. Sometimes weaknesses are not software bugs, but simply configuration errors.

Another area in which Lynis goes further, is in the area of of prevention. It will actually encourage users to improve their security defenses by providing a hardening index, suggestions and follow-up steps. Sure, Nessus has reports, but do those really encourage hardening when they are also filled with a lot of informational data?

Logging Noise

Performing scans via the network will definitely give a lot of noise in your log files. Users of network based scanners know this and these scans are easy recognizable in your log files. This noise is caused by the “active” component of network scanners. It first has to complete the enumeration phase, to discover systems and services. They need to know what is running on a particular device, before starting with the next phase of exploiting them.

In the case of Lynis, a host based scanner, log files will remain calm. The tool will look directly in configuration files, check process listing and query version numbers locally. This means no guessing and providing factual details from the source itself. It also saves a lot of time and more information on the system can be detected than outside.

Nessus has an option to do SSH based logins, an addition to its active scans. It definitely helps detecting more details of the systems. Still, it does meet the detailed insights which an auditing tool provides.

Specialization

Regarding the platform there is a interesting difference. Nessus supports all operating systems and can even scan unknown devices. Great option for scanning whole networks.

Lynis is very specialized in Unix based systems, therefore only supports Linux, Unix and Mac OS. If you want to do a vulnerability scan of your full network, you may want to use Nessus. When auditing and hardening is your goal, a specialized tool is more precise and better for your follow-up. In that case Lynis is the way to go.

Conclusion

Both Nessus and Lynis bring interesting things to the table. Do we like Nessus? Sure! Do we like Lynis even more? Yes, we do. In the end it is about personal preferences, but more importantly, about the goal: Want to do only vulnerability scanner, then we can advise a tool like OpenVAS or Nessus. If auditing and hardening is the goal, Lynis will definitely win in that area.