Lynis

Lynis

Lynis is a battle-tested, open-source security auditing tool for Linux, macOS, and Unix-based systems that has been in active development since 2007. It performs comprehensive health scans to evaluate system defences, detect vulnerabilities, and provide actionable hardening guidance. Used by system administrators, IT auditors, and security professionals worldwide, Lynis runs hundreds of individual tests across every component of your system and delivers clear, step-by-step recommendations for improving your security posture.

Key Features

  • Comprehensive security auditing — Runs hundreds of individual tests (controls) across kernel configuration, file permissions, user accounts, services, software, networking, and firewalls, each with a unique identifier
  • System hardening guidance — Reports warnings and suggestions with clear actionable steps for improving the security of your system
  • Compliance testing — Helps audit against PCI DSS, HIPAA, ISO 27001, SOC 2, and GDPR; maps to CIS benchmarks, NIST, and NSA hardening guides
  • Agentless architecture — No installation required — just extract the tarball and run ./lynis audit system. No dependencies, no daemons, no leftover log pollution
  • Opportunistic scanning — Automatically detects installed software and tools, tailoring each scan to the actual system — no two audits are ever the same
  • Modular plugin system — Extensible via plugins that add additional tests and data collection points; enterprise plugins provide deeper compliance insights
  • Vulnerability detection — Identifies security weaknesses and misconfigurations on the host that network-based scanners (like Nessus or OpenVAS) would miss
  • Cross-platform shell implementation — Written entirely in Shell script, runs on virtually any Unix-like system without language runtime dependencies

Why Use Lynis?

Lynis delivers deep, host-based security analysis that network scanners simply cannot match — running directly on the system lets it inspect configuration files, permissions, service settings, and installed software at a granular level. It is completely free (GPLv3), agentless (no installation, no daemon, no log pollution), and will not break your system by automatically applying changes you did not approve. With 15,800+ GitHub stars and continuous development since 2007, it is one of the most mature and trusted open-source security audit tools available. A full audit takes seconds, not hours.

Use Cases

  • Daily security health scans — Run Lynis regularly (via cron) to detect new weaknesses and track security drift over time
  • Compliance auditing — Validate controls against PCI DSS, HIPAA, ISO 27001, and GDPR frameworks
  • Penetration testing — Discover host-level security weaknesses on client systems that could lead to compromise
  • DevSecOps and container hardening — Scan Docker images and deployed web applications to ensure proper hardening before production release

Platform

Linux · macOS · Unix (including FreeBSD, OpenBSD, Solaris, AIX, HP-UX)

Licence

GNU General Public License v3 (GPL-3.0)

Website

cisofy.com/lynis/

Sign In

Register

Reset Password

Please enter your username or email address, you will receive a link to create a new password via email.