Installation and Configuration of Lynis

This training module is sponsored by CISOfy

Module: System and Security Audits with Lynis

Overview

Lab machines

During this guide, the following machines are used:
web01

Related Tools

» Lynis

1. Introduction

Lynis is a system auditing tool with a focus on Linux, macOS, BSD, and other Unix derivatives. The tool is written in shell script, which makes it easy to deploy, and it requires almost no other software components. The Lynis project was created by Michael Boelen, who is also the author of Rootkit Hunter (rkhunter). Lynis was first released in 2007 under the GPLv3 license.

2. Deployment

Most software packages need to be installed before use. Lynis is an exception: installation is optional, because the tool can be run directly from an extracted tarball or a cloned repository. In this section, we look at several options for deploying the software.

Suggestion
When possible, use the official software packages for installation

Tarball

Download the tarball from the CISOfy website. Before extracting it, compare the archive against the checksum published alongside it, so that a tampered or corrupted download does not end up auditing your systems. Then create a dedicated directory and extract the tarball into it.

Git

Another way to deploy Lynis is via GitHub. With the 'git clone' command, you typically get a more recent version than a tarball or package provides. Pin to a tag if you need the same version on every system. If you are familiar with shell scripting, you can also contribute improvements in the form of a pull request.

Package

Using a package is the most common method of installing Lynis. Simply use your package manager and tell it to install the latest version of Lynis.

Suggestion
When a vendor provides a repository, the packages are usually newer than the ones provided by the Linux distribution.
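The three deployment routes above (tarball, git, package), as an added shell example that is not part of the Lynis project. Only the checksum-and-extract helper runs offline; the download, clone and package commands are wrapped in functions so nothing touches the network unless you call them. The version number, install directory, and function names are assumptions; take the current release and its SHA-256 hash from https://downloads.cisofy.com/lynis/ and the vendor repository definition from https://packages.cisofy.com.

```shell
#!/bin/sh
# Added example (not Lynis project code): deploy Lynis by tarball, git, or package.
# VERSION and INSTALL_DIR are assumptions; the SHA-256 hash must be copied from the
# vendor download page and passed to deploy_tarball.

VERSION="3.0.9"                        # assumed; check the download page
TARBALL="lynis-${VERSION}.tar.gz"
SRC_URL="https://downloads.cisofy.com/lynis/${TARBALL}"
INSTALL_DIR="/usr/local/lynis"         # assumed dedicated directory

# verify_and_extract <tarball> <expected-sha256> <target-dir>
# Refuses to unpack an archive whose hash differs from the published one; the
# target directory is only created after the hash matches.
verify_and_extract() {
  tarball="$1"; expected="$2"; target="$3"
  actual=$(sha256sum "$tarball" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $tarball: got $actual, expected $expected" >&2
    return 1
  fi
  mkdir -p "$target" && tar -xzf "$tarball" -C "$target" --strip-components=1
}

# Route 1: tarball. Download, verify, extract, and fix ownership. Lynis checks the
# ownership and permissions of its own directory and refuses to run when they
# are too open, so hand the tree to root and remove write bits for others.
deploy_tarball() {
  expected="$1"                        # SHA-256 copied from the download page
  curl -fsSLO "$SRC_URL"
  verify_and_extract "$TARBALL" "$expected" "$INSTALL_DIR"
  chown -R 0:0 "$INSTALL_DIR" && chmod -R go-w "$INSTALL_DIR"
}

# Route 2: git. Newest code; add "--branch <tag>" for a reproducible version.
deploy_git() {
  git clone https://github.com/CISOfy/lynis "$INSTALL_DIR"
  chown -R 0:0 "$INSTALL_DIR" && chmod -R go-w "$INSTALL_DIR"
}

# Route 3: package. Distribution packages lag behind; add the vendor repository
# (signing key and source line from https://packages.cisofy.com) first if you
# want current releases, then let the package manager do the rest.
deploy_package() {
  if command -v apt-get >/dev/null 2>&1; then
    apt-get update && apt-get install -y lynis
  elif command -v dnf >/dev/null 2>&1; then
    dnf install -y lynis
  else
    echo "no supported package manager found" >&2
    return 1
  fi
}
```

Call `deploy_tarball <sha256>` with the hash from the download page, or `deploy_git` or `deploy_package`, as root. The ownership fix is the step most often forgotten when unpacking as a normal user and later running the audit with sudo.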

Automation

Automation is a great way to save time and handle repetitive tasks. The deployment of a software package like Lynis can be automated with tools like Ansible, Chef, Puppet, or SaltStack.

3. First security scan

When Lynis is installed on the system, it is time to learn more about how the tool works. We will first look at the directory structure, its components, and important files. If you are using tmux, consider splitting the screen vertically: use the left pane to look into the files and the right pane to show the directory structure. Otherwise use two terminal windows, each at 50% width.

Directory and files

lynis
The 'lynis' command is the main software component. It initializes the program and guides the security scan. When using a package, this file is stored in a 'bin' directory, like /usr/bin.

include
The Lynis program has a modular design. It retrieves the required components from the 'include' directory. This directory contains the logic that detects which operating system is in use, the generic program functions, and the collection of security tests.

plugins
To make Lynis even more modular, plugins can be added to the program. These are custom tests to be performed during the execution of the program.

Running a basic security scan

Even without any configuration, Lynis can be started directly after its installation.

lynis audit system

Output types

During the execution of Lynis, the system is analyzed extensively. Most parts of the system are tested, including the boot loader, software packages, and running processes. This means that a lot of information becomes available, and Lynis separates it into multiple levels of detail.

High-level information will be displayed on the screen output. This is what is visible when running Lynis with the basic parameters in an interactive shell.

More specific data is available in the report file, which contains interesting details on the system itself, like installed packages. This file is typically stored in the /var/log directory and has the name lynis-report.dat. When running Lynis as a normal user, this file may be stored in /tmp instead, and the scan itself is limited, since many tests require root privileges.

Then finally there is the log file, stored in the same directory as the report. It goes by the name lynis.log and has the most detailed information available. This file is useful for diving into the details of the tests performed by Lynis.
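The basic scan from the previous section and the report file described above, as an added shell example that is not part of Lynis. The first function runs the audit non-interactively with explicit log and report paths; the remaining functions summarise a report file. The report format used here (key=value lines, list keys ending in "[]", findings with "|"-separated fields) is the format Lynis writes; the sample report, the test IDs' wording, and the function names are constructed for this example, and LOG_DIR is an assumption.

```shell
#!/bin/sh
# Added example (not Lynis project code): run a non-interactive audit and
# summarise the resulting report file. LOG_DIR is an assumption; Lynis itself
# defaults to /var/log when run as root.

LOG_DIR="${LOG_DIR:-/var/log}"

# run_audit: no pauses, no colour codes, explicit output paths. Run as root for a
# complete scan; as a normal user many tests are skipped. Not called below.
run_audit() {
  lynis audit system --quick --no-colors \
    --logfile "$LOG_DIR/lynis.log" \
    --report-file "$LOG_DIR/lynis-report.dat"
}

# report_value <file> <key>: value of a scalar key such as hardening_index.
# Splitting on the first "=" only, so values may themselves contain "=".
report_value() {
  awk -F= -v k="$2" '$1 == k { v = substr($0, index($0, "=") + 1) } END { print v }' "$1"
}

# report_count <file> <list-key>: number of "<key>[]=" entries (0 when absent).
report_count() {
  awk -F= -v k="$2[]" '$1 == k { n++ } END { print n + 0 }' "$1"
}

# report_findings <file> <warning|suggestion>: "TEST-ID<TAB>message" per finding.
# Finding fields are test ID | message | details | solution.
report_findings() {
  awk -F= -v k="$2[]" '$1 == k {
    split(substr($0, index($0, "=") + 1), f, "|"); print f[1] "\t" f[2] }' "$1"
}

# report_summary <file>: one-screen overview of a report.
report_summary() {
  f="$1"
  echo "host: $(report_value "$f" hostname)  lynis: $(report_value "$f" lynis_version)"
  echo "hardening index: $(report_value "$f" hardening_index)"
  echo "warnings: $(report_count "$f" warning)  suggestions: $(report_count "$f" suggestion)"
  report_findings "$f" warning
}

# Constructed sample report (not real scanner output) so the summary runs offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Lynis Report (constructed sample)
report_version_major=1
lynis_version=3.0.9
hostname=web01
hardening_index=64
installed_package[]=openssh-server,1:9.2p1-2
installed_package[]=nginx,1.22.1-9
warning[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=BANN-7126|Add a legal banner to /etc/issue, to warn unauthorized users|-|-|
EOF

report_summary "$SAMPLE"
```

Replace `"$SAMPLE"` with `/var/log/lynis-report.dat` on a scanned host to summarise a real run. The report and log files record package lists and configuration details of the host, so restrict read access to them as you would for any inventory data.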

Definitions and Terms

Below are the relevant definitions and terms for this training guide.

Auditing
Auditing is the process of testing security policies, processes, and procedures. Typically an IT auditor will ask tailored questions. The goal is to ensure that the defined security policies are being adhered to and to find room for improvement. During an audit, it is common for the auditor to also request samples as proof that processes are in place and the right procedures are used.