Installation and Configuration of Lynis

This training module is sponsored by CISOfy


Lab machines

During this guide, the following machines are used: web01

Related Tools


Last updated at June 30, 2017

1. Introduction

Lynis is a system auditing tool focus on Linux, macOS, BSD, and other Unix-derivatives. It is written in shell script, which makes it easy to deploy and requires almost other software components. The Lynis project is created by Michael Boelen, who is also known as the author of Rootkit Hunter (rkhunter. Lynis was first released in 2007.

2. Deployment

Most software packages need to be installed. Lynis is an exception here, as installation is optional. In this section, we look at several options on how to deploy the software.

When possible, use the official software packages for installation


Via the website of CISOfy, download the tarball. Create a specific directory and extract the tarball.

tar xvzf tarball.tar.gz

Extract a tarball by using extract verbosely and using gzipped support


Another way to deploy Lynis is by using GitHub. With the 'git clone' command, you typically get a more recent version than using a tarball or package. If you are familiar with shell scripting, you can even chime in and provide improvements in the form of a pull request.

git clone

Clone the Lynis project with the 'git clone' command


Using a package is the most common method of installing Lynis. Simply use your package manager and tell it to install the latest version of Lynis.

When a vendor provides a repository, the packages are usually newer than the ones provided by the Linux distribution.


Automation is a great way to save time and do repeating tasks. The deployment of a software package like Lynis may be automated with tools like Ansible, Chef, Puppet, or Salt Stack.

3. First security scan

When Lynis is installed on the system, it is time to learn more about how the tool works. We will first look at the directory structure, its components, and important files. If you are using tmux, consider splitting the screen vertically. With the left pane look into the files, while having the structure at the right pane. Otherwise use two terminal windows, each at 50% width.

Directory and files


The 'lynis' command is the main software component. It is responsible for initializing the program and to guide the security scan. When using a package, this file is stored in a 'bin' directory, like /usr/bin.


The Lynis program has modular design. It retrieves the required components from the 'include' directory. This directory contains the required logic to test which operating system is being used. The generic program functions are being included as well, together with the collection of security tests.

To make Lynis even more modular, plugins can be added to the program. These are custom tests to be performed during the execution of the program.

Definitions and Terms

Below are the relevant definitions and terms for this training guide.


Auditing is the process of testing security policies, processes, and procedures. Typically an IT auditor will ask tailored questions. The goal is to ensure that the defined security policies are being adhered to and find room for improvement. During an audit, it is common that the auditor also requests samples to use as a proof that processes are in place and the right procedures are used.