How it works

Lynis scanning is modular and opportunistic. This means it will only use and test the components that it can find, such as the available system tools and their libraries. The benefit is that no installation of other tools is needed, so you can keep your systems clean.

By using this scanning method, the tool can run with almost no dependencies. Also, the more components it discovers, the more extensive the audit will be. In other words: Lynis will always perform scans that are tailored to your system. No audit will be the same!

Example: When Lynis detects that you are running Apache, it will perform an initial round of Apache-related tests. Then, when it performs the specific Apache tests, it may also discover an SSL/TLS configuration. It then performs additional auditing steps based on that. A good example is collecting any discovered certificates, so that they can be scanned later as well.

Audit steps

This is what happens during a typical scan with Lynis:

1. Initialization
2. Perform basic checks, such as file ownership
3. Determine operating system and tools
4. Search for available software components
5. Check latest Lynis version
6. Run enabled plugins
7. Run security tests per category
8. Perform execution of your custom tests (optional)
9. Report status of security scan

Besides the report and information displayed on screen, all technical details about the scan are stored in a log file (lynis.log). Findings like warnings and suggestions are stored in a separate report file (lynis-report.dat).

Lynis tests (controls)

Lynis performs hundreds of individual tests. Each test will help to determine the security state of the system. Most tests are written in shell script and have a unique identifier (e.g. KRNL-6000).

Interested in learning more about the tests? Have a look at the Lynis controls and individual tests.

Flexibility

With the unique identifiers it is possible to tune a security scan. For example, if a test is too strict for your scanning appetite, simply disable it. This way you get an optimal system audit for your environment.

Lynis is modular and allows you to run your self-created tests. You can even create them in other scripting or programming languages.
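The report file and the test identifiers described above can be combined to review findings per test. The following is an added example, not code from the Lynis project. It assumes that findings appear in lynis-report.dat as pipe-separated warning[]= and suggestion[]= records (a layout this page does not spell out); the function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Assumed record layout (not given on this page):
#   warning[]=TEST-ID|message|details|solution|
#   suggestion[]=TEST-ID|message|details|solution|

# Constructed sample standing in for lynis-report.dat (not real scan output).
make_sample_report() {
cat <<'EOF'
# constructed sample report
lynis_version=3.0.0
hardening_index=62
warning[]=MAIL-8818|Found some information disclosure in SMTP banner|-|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (set YES to NO)|-|
EOF
}

# list_findings REPORT [ACCEPTED_IDS]
# Prints "type<TAB>test-id<TAB>message<TAB>details", one finding per line.
# ACCEPTED_IDS: comma-separated test IDs you have reviewed and want left out.
list_findings() {
    awk -v accepted="${2:-}" '
        BEGIN { n = split(accepted, a, ","); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /^(warning|suggestion)\[\]=/ {
            type = substr($0, 1, index($0, "[") - 1)       # text before "[]="
            split(substr($0, index($0, "=") + 1), f, "|")   # fields after "="
            if (f[1] in skip) next
            printf "%s\t%s\t%s\t%s\n", type, f[1], f[2], (f[3] == "-" ? "" : f[3])
        }' "$1"
}

# count_by_test REPORT [ACCEPTED_IDS]
# Prints "count test-id", most frequent test first.
count_by_test() {
    list_findings "$1" "${2:-}" | cut -f2 | sort | uniq -c |
        sort -k1,1nr -k2 | awk '{ print $1, $2 }'
}

# Demo on the constructed sample; pass the path of your own report file instead.
sample=$(mktemp) && make_sample_report > "$sample"
count_by_test "$sample" "KRNL-6000"
rm -f "$sample"
```

Leaving an ID out of this summary only hides it from the listing; the test still runs during the scan unless it is disabled in Lynis itself.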

Lynis Plugins

Plugins are modular extensions to Lynis. With the help of the plugins, Lynis will perform additional tests and collect more system information.

Each plugin has the objective to collect specific data. This data is stored in the Lynis report file (lynis-report.dat). Depending on your usage of Lynis, the collected data might provide valuable insights between systems or between individual scans. The plugins provide the most value in environments with more than 10 systems. Some plugins are available in the downloads section.

Extra plugins

As part of our Lynis Enterprise offering, the core developers maintain a set of plugins for our customers. The data that is collected centrally (SaaS or self-hosted) provides additional insights, such as available users, processes, and network details. Another important area is compliance testing, where the data points help to test against common standards and hardening guides.