
How To Check The Security Of A Linux PC With Lynis

If your Linux security is lacking, a good idea is to audit your system. A great way to run an audit is to use a program that tests security and offers concrete solutions. One such auditing tool is Lynis. It scans any Linux PC, tests its security, and prints out a list of possible issues and fixes. The best part of this tool is that it’s very simple to use, so anyone can run it.

Ubuntu/Debian

Lynis has excellent support for Debian and Ubuntu through its own software repository. Enabling this software repository is a little different from other software sources, as it’s a traditional software repository rather than a PPA. This is so that Lynis works on both Debian and Ubuntu without issue.

To start the installation, launch a terminal window and download the correct GPG key.

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F

With the key working, add the new Lynis software source to the system.

sudo -s
echo '#Lynis repo ' >> /etc/apt/sources.list

echo 'deb https://packages.cisofy.com/community/lynis/deb/ stable main' >> /etc/apt/sources.list

The Lynis software repo needs a special package. This package will allow Ubuntu (or Debian) to interact with HTTPS software sources.

sudo apt install apt-transport-https

or

sudo apt-get install apt-transport-https

With the Apt-transport-https package working on your system, it’s safe to refresh the software sources. Run update in the terminal.

sudo apt update

or

sudo apt-get update

Finally, install Lynis.

sudo apt install lynis

or

sudo apt-get install lynis

Arch Linux

As with most programs on Arch, the Lynis security tool is available in the AUR. To install it, launch a terminal and install Git and the Base-devel packages. Then pull the code down and generate a new Arch package.

Note: installing software directly from the Arch AUR, rather than from the official software sources, means that dependencies sometimes do not install automatically. If this happens during the Lynis installation process, you may need to install these packages manually. Dependencies can be found at the bottom of this page here.

sudo pacman -S git base-devel
git clone https://aur.archlinux.org/lynis-git.git

cd lynis-git

makepkg -si

Fedora

Lynis has support for Fedora, though it requires a third-party software source to install it. Enable the software source by launching a terminal and using the touch and echo commands.

sudo -s

touch /etc/yum.repos.d/cisofy-lynis.repo
echo '[lynis]' >> /etc/yum.repos.d/cisofy-lynis.repo
echo 'name=CISOfy Software - Lynis package' >> /etc/yum.repos.d/cisofy-lynis.repo
echo 'baseurl=https://packages.cisofy.com/community/lynis/rpm/' >> /etc/yum.repos.d/cisofy-lynis.repo
echo 'enabled=1' >> /etc/yum.repos.d/cisofy-lynis.repo
echo 'gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key' >> /etc/yum.repos.d/cisofy-lynis.repo
echo 'gpgcheck=1' >> /etc/yum.repos.d/cisofy-lynis.repo

Next, update the following packages on your system:

sudo dnf update ca-certificates curl nss openssl -y

Finally, install Lynis with dnf install.

sudo dnf install lynis -y

OpenSUSE

The Lynis tool has a software repository available for all versions of OpenSUSE. Turn it on with the following commands in a terminal window.

sudo rpm --import https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
sudo zypper addrepo --gpgcheck --name "CISOfy Lynis repository" --priority 1 --refresh --type rpm-md https://packages.cisofy.com/community/lynis/rpm/ lynis

With the repo on Suse, it’s time to refresh the system.

sudo zypper refresh

Finish up the setup process by using Zypper to install Lynis.

sudo zypper install lynis

Generic Linux

The Lynis auditing tool has a generic Tarball for those on Linux distributions that don’t have direct support from the developer. Thankfully, this downloadable Tar archive requires no compilation of any kind. Instead, users just download it and run the program as is.

To install Lynis via a downloadable Tar archive, use the wget tool and download the package, then extract it.

wget https://downloads.cisofy.com/lynis/lynis-2.6.8.tar.gz
tar -zxvf lynis-2.6.8.tar.gz 

cd lynis

Run the Lynis tool with:

./lynis
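
Since the audit is later run with sudo, it is worth checking the archive before unpacking it. The function below is an added example, not part of the original article or of Lynis; its name is hypothetical, and the expected SHA-256 is whatever the publisher lists for the release (this page does not give one).

```shell
#!/bin/sh
# Verify a downloaded archive against a known SHA-256, then unpack it.
# Example call (hash is a placeholder to be filled in by the reader):
#   verify_and_extract lynis-2.6.8.tar.gz "<published sha256>" "$HOME/lynis-audit"
verify_and_extract() {
    archive=$1; expected=$2; dest=$3

    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }

    # sha256sum prints "<hash>  <file>"; keep only the hash.
    actual=$(sha256sum "$archive" | awk '{print $1}')

    # Published hashes are sometimes upper case; normalise before comparing.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi

    # Refuse member names that are absolute or contain a ".." component,
    # so nothing can be written outside the destination directory.
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe path in $archive" >&2
        return 1
    fi

    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}
```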

Using Lynis

Lynis is a simple tool with a lot of options. For the average user, basic options will do. The most basic (yet comprehensive) operation the program offers is a complete audit of the system. To run the audit, open up a terminal and enter the following command into it.

lynis audit system

Running the above command without sudo privileges will scan many aspects of the system. However, it won’t get everything. Running a full scan requires sudo.

sudo lynis audit system

Need to save the results for later? Redirect them to a text file (>> appends to the file if it already exists).

sudo lynis audit system >> /home/username/Documents/lynis-results.txt
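
Besides the terminal output, Lynis records each audit in a machine-readable report, by default /var/log/lynis-report.dat on a root scan. The script below is an added example, not part of the original article or of Lynis itself: the function names are hypothetical and the sample report is constructed to show the key=value layout the functions parse.

```shell
#!/bin/sh
# Summarise a Lynis report file: plain "key=value" lines, with list
# entries written as "key[]=field1|field2|...".

# Print the hardening index (0-100) recorded by the audit.
lynis_hardening_index() {
    awk -F= '$1 == "hardening_index" { print $2; exit }' "$1"
}

# Print "TEST-ID<TAB>message" for every entry of one kind
# (warning or suggestion) in the report.
lynis_findings() {
    kind=$1; report=$2
    awk -v key="${kind}[]" '
        index($0, key "=") == 1 {
            entry = substr($0, length(key) + 2)   # text after "key[]="
            n = split(entry, f, "|")
            if (n >= 2) print f[1] "\t" f[2]
        }' "$report"
}

# Succeed only when the report has no warnings and the hardening index
# is at least min_index, so a cron job or CI step can act on the result.
lynis_gate() {
    report=$1; min_index=$2
    idx=$(lynis_hardening_index "$report")
    warnings=$(lynis_findings warning "$report" | wc -l | tr -d ' ')
    echo "hardening_index=${idx:-unknown} warnings=$warnings"
    [ -n "$idx" ] && [ "$idx" -ge "$min_index" ] && [ "$warnings" -eq 0 ]
}

# Constructed sample report (not output from a real scan), for trying
# the functions without root access.
write_sample_report() {
    cat > "$1" <<'EOF'
# Lynis Report
report_version_major=1
lynis_version=2.6.8
hardening_index=62
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
EOF
}
```

On a real system, run `sudo lynis audit system` first and then, for example, `sudo sh -c '. ./lynis-summary.sh; lynis_findings warning /var/log/lynis-report.dat'` (the script file name is a placeholder).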

Scan a Dockerfile

Docker is becoming increasingly popular on Linux systems. With all of the pre-made Docker images out there, security breaches are bound to happen. Thankfully, Lynis allows users to scan Dockerfiles and test them for issues. To run a test, try the following command.

lynis audit dockerfile /home/username/path/to/dockerfile

Quick Scan

Lynis can do many different types of scans. A scan that may be useful if you’re in a hurry is the “quick” scan mode. This mode tests basic areas of the system, for fast results.

Run a quick system audit with:

lynis audit system -Q
