Lynis – Security & System Auditing Tool for UNIX/Linux

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This is a tool that might be useful for both penetration testers performing white box tests and system admins trying to secure their own systems.

This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, CD/DVD).

What is Lynis NOT:
– Not a hardening tool: Lynis does not fix things automatically, it only reports (and makes suggestions).

Intended audience:
Security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:

  • Available authentication methods
  • Expired SSL certificates
  • Outdated software
  • User accounts without password
  • Incorrect file permissions
  • Firewall auditing

You can download Lynis 1.1.7 here:


Or you can read more here.

Posted in: Countermeasures, Linux Hacking, Security Software

, , ,

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

13 Responses to Lynis – Security & System Auditing Tool for UNIX/Linux

  1. razta July 17, 2008 at 10:17 pm #

    Great tool for auditing linux locally, no installation or dependencies, easy to use.

    Here are my results:

    Tests performed: 58
    Warnings: 4
    No password set on GRUB bootloader
    Couldn’t find 2 responsive nameservers
    iptables module(s) loaded, but no rules active
    No NTP daemon or client found

    All in all id say im pretty safe, could do with adding a password to GRUB. One problem I found with the software is that it crashed my machine when running a VPN at the same time. I used version 1.1.7 which is listed above, theres a newer version 1.1.8 which this bug may have been fixed in.

  2. splink July 17, 2008 at 11:05 pm #

    Very cool tool! Highly recommended for all linux users. razta, i had similar results as you although i am currently fixing all of them now.


  3. zupakomputer July 18, 2008 at 6:18 pm #

    Darknet: have you heard of dead zone firewalls using protocol switching?

    I ask because I got attacked by a complete moron (chort) at for mentioning them; I’ve known about them for ages (before I even got properly into doing networks at all) – and a mod there (unSpawn) banned me from posting (and deleted my post, so it looked like I’d written something else entirely and it was ok to ban me), for responding to their abuse and explaining that it isn’t me they should be attacking if they have issues with firewall systems.

    I bet they’re the same ones that come on here asking for people to ‘explain me how to hack this it’s for my own forgotten password honest’.

    I bet the likes of chort et al wouldn’t think their ‘highly professional super secure networks’ were anywhere near secure enough to publish the details of their gateway IP.

    Since when does anyone that actually has a clue about security need to ban anyone from posting, cause they mentioned some things they didn’t know about; that’s a great method yeah cause then nobody will ever be able to use one of many thousands of holes in TCP/IP against you – just pretend they don’t exist.

    If I had a bunch of rainbow tables made up justnow I know what I’d be using them for: removal of those assholes from those forums for a start.

  4. Navin July 19, 2008 at 11:03 am #

    Hey zupakomputer, its sad to hear tht U were the victim of someone else’s lack of knowledge. But tht’s the world man!! Sort of reminds me of a dialogue from the movie “The Prestige” in which Nikola Tesla (the brains behind so many inventions from light bulbs to death rays) :” If you give the world an amazingly new way to look at something, they’ll call you mad. You have to give them changes, one at a time, and only then will they accept you as a genius”.

    I’d tried using linuxquestions back when I’d just gotten into Linux. But I realised pretty soon tht the site is just a bunch of n00bs who frankly know only how to use linux but not about the internal workings of this amazing example of the magic of Open source.

    The meta description of the site claims “ offers a free Linux forum where Linux newbies can ask questions and Linux experts can offer advice.”……Its unfortunate tht their “EXPERTS” are a bunch of poorly Linux-educated people.

    As for your protocol switching point, Yes, i’ve heard of protocol switching (thru some articles I’d read a few months ago). Infact its possible (and this has been proven, will post the link if I get it) to have hybrid architectures in which the protocol switcher resides “above-all” and scans data to examine if it has the potential to be switched (without data-loss) and if this is not possible then the data is transmitted (widout switching protocols) frm the application to the protocol. And if swithcing is found to be viable, then the architecture is designed to buffer data as well to ensure smooth flow. However as far as firewalls using this proocedure, I have NO idea :(

  5. zupakomputer July 19, 2008 at 2:32 pm #

    Good guess there. This world needs to dump about 90% of the people before anything like Tesla tech can be allowed to be implemented; of course if they had allowed it =at the time= it originally arrived, well things would be very very different in the world today. But they reckon they can hold it off from being used, while they ruin the planet and fill it full of a bunch of a-holes using inferior noisy polluting technology; they’re not getting anything to keep any of that going.

    I’m not going back there anyway, to those forums; they’re infected with that disease that most internet forums (and many offline places, more and more as time goes on – like the colleges I’ve been at) have: the same psycho is allowed to act up and be an arse, then the mods / anyone in charge don’t take action against the psycho, and they try to groom me and abuse me into some moron that lets them use their psychos against me and will just accept it like they have any right. They want me to be one of the insane like they are – that enjoys being a smarmy superiority-complex ‘teacher’ in charge of lots of unruly morons whom they then treat as babies. But I’m not for that – I only deal with those that deserve to be communicated with, that means they have to be mature in advance of any interactions.

    The firewall was based around using a dead zone where TCP/IP was changed to IPX / SPX in order to filter out the TCP/IP traffic, then back again if your internal LAN was using TCP/IP.

    This kind of thing (just picked it out of a search there) under the ‘Dead Zones and Protocol Switching’ heading:

  6. Changlinn July 20, 2008 at 11:27 pm #

    Zukakomputer – I think you are being too harsh, there are people everywhere who are aholes, and mods do abuse their power sometimes. Power corrupts its a fact. But occasionally on any forum on line there can be a gem of knowledge or wisdom.
    That being said I tend to stear clear of linuxquestions because it seems to be filled with kids, who are too immature to string a sentance together.
    But occasionally there is someone on there who knows what they are talking about.
    Onto Dead zone firewalls, couldn’t an attacker simply tunnel their tcp/ip attack through the deadzone, as you may still need to expose tcp/ip ports to the internet you would still be somewhat vulnerable. That being said I would love a more in depth article on it.
    Funnily enough I found this site while researching Darknets for a client, I heard a security expert on a podcast say these should be considered more important than an IDS. It is an interesting concept, routing all private subnets to a DMZ and then having nothing but a quite passive monitor on there. You would be surprised the occasional packets you see in there.
    I eventually found some info here:

    Oh and I just found this book has a section on Deadzones:

    Zukacomputer: I found the name of the book after some searching
    You can actually read inside the book at amazon, but there isn’t much more info on the advantages of Dead Zones (looks like a copy and paste almost from the article you posted), they say it protects against Ping Of Death, which has been patched and fixed, and protects against SYN flooding attacks, but the SYN’s would still hit your external router and possibly take it down. Of course if you are running a web server you would still be vulnerable to http-get floods.
    I still would like to see more on this as its advantages at present seem rather small.

  7. zupakomputer July 21, 2008 at 2:01 pm #

    There’s no way I’m being too harsh on the named assholes and all like them; it isn’t possible to be harsh enough on those types. If you act the **** then you can’t expect that whom you act the **** towards is going to see things your way. People like that – well they need to be eradicated or the worlds going to stay as awful and hellish as they make it. Maybe you need to read some about what ‘4D reptos’ and those kinds of peado cults etc are all about before you see what things they are actually a part of. Or maybe you’d understand it better – the real life version – from thinking about The Matrix since you’re into computers. It’s no accident there’s so many seemingly ‘different’ people that behave the same ways. They’re all just empty zombie shells that the demi-urge puppets.

    ” From the belief in human divinity proceed all the great evils humankind is heir to. Like Christ, they all begin with c: conversion, conquest, colonialization, consumption.

    And most lately, cyberspace.

    Where the Archons have migrated. Finally, they have a secure niche on the planet. As I write these words I stand before their Altar, as you may be doing when you read them. But I do not worship there. ”

    Keep your eyes wide open, and not shut.

  8. zupakomputer July 21, 2008 at 2:30 pm #

    As for your assessment of the DMZs, unsurprising really given you wish to side with a-holes and forgive them or something equally inappropiate – the point of the method is that anything that’s a TCP/IP exploit is immediately dropped – it can’t get into your network. The leaves you to only have to be filtering & monitoring the other traffic, which is far less an amount.

    Really, I think the only people that can’t see the value in having a deadzone in terms of the best security possible, or even the whole LAN on not TCP/IP, have some kind of vested interest in everyone else’s networks being open to them from the standard internet protocols.

    Have you ever used say EtherApe or similar and had a look at how even one single webpage – like this one here – generates a lot of different connections to different IPs, the amount of packets that are sent. Then multiply that by however many users on a large network, and it’s likely many of them are going to visit sites with much more traffic than on here – given free net access folks will tend to do whatever high-bandwidth surfing and downloading they can from it, it’s quicker. There’s a tendency to visit heavier traffic sites cause they take too long to load at home. Look at the stats for zombie botnets – sure many are home computers but a lot of them are compromised non-home machines. Not all that comes from TCP/IP traffic directly, but it sure makes it much easier to get infected.
    Or put it this way: say instead of using IPs you did indeed have your machines being identified by their MAC address, as with IPX / SPX. That’d make it more than difficult for them to be utilised as a botnet.

    It’s the sort of thing of course, if you think in a certain way by default yourself then you see how easily people are manipulated into setting things up to allow breaches, merely by finding out about the mechanisms in use. Some folks seem to see things in terms of ‘that’ll make life easier for me’ but I’m one of those that sees everything like ‘that can be exploited in this way’ and ‘they just want you to accept that so they can use you in this way’.

    As far as other requests to your LAN from the internet – it’s very possible to ensure to a high degree that they are all permitted requests – either from your own people via a VPN or similar, or they are return requests that ought to match to internally-generated requests (again from your own people) for webpages or ftps or whatever they asked for.

  9. Changlinn July 22, 2008 at 5:59 am #

    zupacomputer: I just mentioned that like all places you have to take the good with the bad. You seem to be forsaking the good due to the bad. That is what I meant on being to harsh on them.
    Well not ether-ape (not in a long time), but wireshark, and a constant running netstat on my machine. Yes there are a lot of connections, but a dead zone would translate these across the IPX/SPX connection one would assume, otherwise you may as well not have a wan link. I didn’t say that Deadzones were useless, I just wanted to read more. You piqued my interest, but even that book I linked had no real info, and I looked for you but could only find that. So I guess you can post on Darknet when you find some/write some up and we can all have a read.

  10. yeah right July 22, 2008 at 10:00 am #

    But – that’s your belief and your projected reality tunnel. It isn’t a truth that anyone has to put up with anything f**ed up at all – people believe that, it’s programmed into them and they go and they repeat it to other people to make them manifest it as reality – which is what you are trying to do to me. Whether you’re aware you are doing that or not, which I’d call it as saying you know very fine well what you are doing.
    A better way is: if it don’t fit, then you reject it, until the universe or whatever manifests you up what you actually want.

    And besides I wasn’t implying everyone & everything at linuxquestions was useless. I said they were infected by the usual archon etc problem – anyone spiritually unaware is as infected by the same thing, and that’s a lot of people. So don’t reply to me as if I write every reply here or am some psycho that posts to themselves using a different name! Can’t you read who posted what in this thread?

    I asked Darknet if they had heard of the protocol switch; so where do you get off on replying when you say you don’t know much about it – but then you reply again saying that I’m the one who needs to link sources here……go look it up yourself. I’m the one asking the question about it – you don’t write suggestions that I should use google for you, there’s plenty online about it.

    Also – everytime these kinds of stupid people are exposed, there’s always someone that shows up replying saying “oh I just found this place co-incidently” and then they try to defend the stupids; it’s obvious why you posted. Don’t bother me with your 4D archon ahrimanic bs. Do something useful and tell us who 24.64.*.* is.

  11. zupakomputer July 22, 2008 at 10:12 am #

    What backward church is that from anyway – ‘you have to take the good with the bad’? the Church of the Useless Salesman? The Church of Your Family Says it so it Must Be True? Our Lady of the Perpetually Pointless Proverb?

  12. Mr. Ree July 23, 2008 at 12:49 pm #

    FreeBSD provides a similar tool called PortAudit, it maintains a list of known vulnerabilities and can scan your installed ports for them.

    If it’s installed on a system it’s automatically queried when you’re installing new software, in case you try to ‘upgrade’ to a buggy version.

  13. Navin July 24, 2008 at 4:43 pm #

    I like portaudit…..

    The nice part is if you try to make a port that has been found vulnerable, the program pushes forward its point of view and stops U from building it sometimes even suggesting cvsup-ing the ports tree and downloading the latest patched version !!

    kool na??