lynis Command
Security auditing and hardening tool, man(8)
Updated: Mar 16, 2026
SYNTAX
lynis [COMMAND] [OPTIONS]
What Does lynis Do?
The lynis command performs comprehensive security audits on Linux, macOS, and Unix systems. It checks system configuration, installed software, security settings, and potential vulnerabilities, then provides a hardening index score and actionable recommendations.
Lynis examines hundreds of security aspects including: boot and authentication, kernel hardening, memory and process protection, software integrity, networking, firewall, SSH configuration, file permissions, malware scanning, and compliance with security benchmarks (CIS, ISO 27001, PCI-DSS, HIPAA).
Unlike vulnerability scanners that look for known CVEs, Lynis focuses on system hardening — ensuring your configuration follows security best practices. It is agent-less (no daemon required), runs locally, and supports automation through cron scheduling and machine-readable output.
System administrators and security teams use Lynis for baseline security assessments, compliance auditing, post-installation hardening, and continuous security monitoring. The tool is open-source (GPLv3) with an optional enterprise version (Lynis Enterprise) offering centralized management.
Options & Flags
| Option | Description | Example |
|---|---|---|
| audit system | Perform a full system security audit | sudo lynis audit system |
| audit system --quick | Run audit without waiting for user input | sudo lynis audit system --quick |
| show details TEST-ID | Show details of a specific test | lynis show details SSH-7408 |
| show profiles | List available audit profiles | lynis show profiles |
| --pentest | Non-privileged scan (penetration test mode) | lynis audit system --pentest |
| --log-file FILE | Specify custom log file location | sudo lynis audit system --log-file /tmp/lynis.log |
| --report-file FILE | Custom report file location | sudo lynis audit system --report-file /tmp/report.dat |
| --cronjob | Run for automation (no colors, no prompts) | sudo lynis audit system --cronjob |
Practical Examples
#1 Full system audit
Run a comprehensive security audit. Checks boot, kernel, memory, users, networking, firewall, SSH, files, and more. Interactive — press Enter to continue.
$ sudo lynis audit system
#2 Quick non-interactive audit
Run the full audit without user prompts. Outputs results directly — ideal for scripts and scheduled runs.
$ sudo lynis audit system --quick
#3 View hardening score
Extract the hardening index (0-100). Higher is better. Aim for 80+ on production servers.
$ sudo lynis audit system --quick 2>/dev/null | grep "Hardening index"
Output:
Hardening index : 72 [############## ]
#4 Show warnings and suggestions
Extract all warnings and suggestions from the report file for systematic remediation.
$ sudo grep -E "^warning|^suggestion" /var/log/lynis-report.dat
#5 Scheduled audit with cron
Crontab entry for a weekly audit on Sunday at 3 AM. --cronjob disables colors and prompts for clean automated output.
0 3 * * 0 /usr/bin/lynis audit system --cronjob --report-file /var/log/lynis-weekly.dat
#6 Check specific test details
View detailed information about a specific test — what it checks, why it matters, and how to remediate.
$ lynis show details SSH-7408
#7 Compare audits over time
Compare hardening scores between audits to track security improvement over time.
$ diff <(grep "^hardening_index" /var/log/lynis-report-old.dat) <(grep "^hardening_index" /var/log/lynis-report.dat)
Tips & Best Practices
Install lynis: apt install lynis (Debian/Ubuntu), dnf install lynis (Fedora/RHEL), or clone from GitHub: git clone https://github.com/CISOfy/lynis. When running from a git clone, use ./lynis.
Report and log files: Audit log: /var/log/lynis.log (detailed). Report: /var/log/lynis-report.dat (machine-readable). These files contain the full audit results.
Not all suggestions apply: Lynis suggestions are generic. Not every recommendation applies to your use case. Evaluate each suggestion in your specific context before implementing.
Track improvements: After implementing hardening changes, re-run lynis to see your score improve. Aim to address all warnings first, then work through suggestions.
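The comparison from examples #4 and #7, carried further as an added example that is not from the original page or the Lynis project: it lists warnings that are new since the previous audit and fails when the score is below a minimum or has dropped. The sample reports are constructed, and the function names, the EXAMPLE-000x test IDs and the TEST-ID|text field layout of warning[]= lines are assumptions.

```shell
#!/bin/sh
# Added example: compare two Lynis report files (old vs. new audit).

# hardening_index FILE: print the score from the "hardening_index=NN" line
hardening_index() {
    sed -n 's/^hardening_index=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# finding_ids KIND FILE: sorted test IDs from "KIND[]=TEST-ID|text|..." lines
finding_ids() {
    grep "^$1\[]=" "$2" | cut -d= -f2- | cut -d'|' -f1 | sort -u
}

# new_findings KIND OLD NEW: IDs reported in NEW that were absent from OLD
new_findings() {
    nf_old=$(mktemp); nf_new=$(mktemp)
    finding_ids "$1" "$2" > "$nf_old"
    finding_ids "$1" "$3" > "$nf_new"
    comm -13 "$nf_old" "$nf_new"
    rm -f "$nf_old" "$nf_new"
}

# audit_gate OLD NEW MIN: succeed only if the new score is >= MIN, has not
# dropped since OLD, and no new warning appeared
audit_gate() {
    old_score=$(hardening_index "$1"); new_score=$(hardening_index "$2")
    added=$(new_findings warning "$1" "$2")
    echo "hardening index: $old_score -> $new_score"
    if [ -n "$added" ]; then echo "new warnings:" $added; fi
    [ "$new_score" -ge "$3" ] && [ "$new_score" -ge "$old_score" ] && [ -z "$added" ]
}

# write_sample_reports DIR: constructed sample data (not real audit output)
write_sample_reports() {
    cat > "$1/old.dat" <<'EOF'
hardening_index=72
warning[]=EXAMPLE-0001|Constructed warning A|-|-|
suggestion[]=SSH-7408|Constructed suggestion text|-|-|
EOF
    cat > "$1/new.dat" <<'EOF'
hardening_index=81
warning[]=EXAMPLE-0002|Constructed warning B|-|-|
suggestion[]=SSH-7408|Constructed suggestion text|-|-|
EOF
}

demo_dir=$(mktemp -d)
write_sample_reports "$demo_dir"
audit_gate "$demo_dir/old.dat" "$demo_dir/new.dat" 80 || echo "gate: FAILED"
```

On the sample data the score rises from 72 to 81, yet the gate fails because a warning appeared that the previous audit did not report, which a diff of hardening_index alone would not show.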
Frequently Asked Questions
How do I check if my Linux server is secure?
Run: sudo lynis audit system --quick. It checks hundreds of security aspects and provides a hardening score (0-100) with specific recommendations.
What is a good Lynis hardening score?
Below 60: Poor, needs immediate attention. 60-70: Average. 70-80: Good for most servers. 80+: Well-hardened. 90+: Excellent (difficult to achieve without sacrificing functionality).
Is Lynis free?
Yes. Lynis is open-source (GPLv3). Lynis Enterprise adds centralized management, compliance reporting, and dashboards but is not required for auditing.
How often should I run Lynis?
Weekly or after significant changes (new software, configuration changes, kernel updates). Schedule with cron using the --cronjob flag.