Lynis Deep Dive
Platform: Linux | Binary: lynis | Type: Unix/Linux security auditor
Overview
Lynis is an open-source security auditing tool for Unix-like systems (Linux, macOS and the BSDs). It runs hundreds of checks against the live system and reports warnings and suggestions, to support system hardening and compliance testing.
How CISentinel Uses Lynis
1. Scan Execution
CISentinel runs `lynis audit system` non-interactively and without ANSI colour codes (in Lynis terms, the `--quick` and `--no-colors` options) and captures both stdout and the Lynis log file (/var/log/lynis.log by default, relocatable with `--logfile`). Lynis needs root for its full test set; an unprivileged run completes but skips the checks that need privileged access.
2. Output Capture
Lynis produces two key artifacts:
- stdout: human-readable audit output with the findings
- report-data file: machine-parseable `.dat` file with structured findings (by default /var/log/lynis-report.dat, relocatable with `--report-file`). It consists of key=value lines; repeated keys such as `warning[]=` and `suggestion[]=` carry one finding each, with `|`-separated fields
3. Result Parsing
CISentinel's parser reads the Lynis `.dat` file to extract:
- Hardening index (0-100 score, the `hardening_index` key)
- Individual test results
- Suggestions and warnings
- Severity levels mapped to CISentinel's standard schema
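The three steps above as one runnable program. This is an added example, not CISentinel's own code: the Lynis options (`--quick`, `--no-colors`, `--logfile`, `--report-file`) and the key=value / `warning[]=` / `suggestion[]=` layout of the report file are Lynis's real interface, but the severity mapping, the `Report`/`Finding` types and the sample report are assumptions made for illustration. The score bands in `assess()` are the ones in the Hardening Index table further down this page.

```python
"""Run Lynis non-interactively and parse its report-data (.dat) file.

Added example, not CISentinel's code. Real: the Lynis flags and report format.
Assumed for illustration: SEVERITY mapping, the Report/Finding types, SAMPLE_REPORT.
"""
import re
import subprocess
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

# Assumed mapping onto a generic severity scale; CISentinel's real schema is not shown here.
SEVERITY = {"warning": "high", "suggestion": "medium"}

# Lynis writes repeated entries as name[]=value; everything else is a scalar key=value.
ARRAY_LINE = re.compile(r"^([A-Za-z0-9_]+)\[\]=(.*)$")


@dataclass
class Finding:
    kind: str        # "warning" or "suggestion"
    test_id: str     # Lynis test identifier, e.g. SSH-7408
    text: str
    details: str
    solution: str
    severity: str


@dataclass
class Report:
    fields: Dict[str, str] = field(default_factory=dict)
    arrays: Dict[str, List[str]] = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)
    stdout: str = ""

    @property
    def hardening_index(self) -> Optional[int]:
        value = self.fields.get("hardening_index")
        return int(value) if value is not None and value.isdigit() else None


def build_lynis_command(report_file: str, log_file: str) -> List[str]:
    """Non-interactive, uncoloured audit that writes both artifacts to known paths."""
    return ["lynis", "audit", "system", "--quick", "--no-colors",
            "--logfile", str(log_file), "--report-file", str(report_file)]


def parse_report(text: str) -> Report:
    """Parse key=value lines; name[]= lines are arrays, two of which hold findings."""
    report = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        m = ARRAY_LINE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            report.arrays.setdefault(name, []).append(value)
            if name in SEVERITY:
                # Field layout: test-id|text|details|solution| with "-" as the empty marker.
                parts = (value.split("|") + [""] * 4)[:4]
                parts = ["" if p == "-" else p for p in parts]
                report.findings.append(Finding(name, *parts, severity=SEVERITY[name]))
        else:
            key, value = line.split("=", 1)
            report.fields[key.strip()] = value.strip()
    return report


def run_scan(out_dir: Path) -> Report:
    """Run Lynis (needs root for full coverage) and parse the report it wrote."""
    out_dir.mkdir(parents=True, exist_ok=True)
    report_file = out_dir / "lynis-report.dat"      # names as in the artifact table on this page
    log_file = out_dir / "lynis-output.log"
    proc = subprocess.run(build_lynis_command(str(report_file), str(log_file)),
                          capture_output=True, text=True, check=False)
    if not report_file.exists():
        raise RuntimeError(f"Lynis wrote no report (exit {proc.returncode}): {proc.stderr.strip()}")
    report = parse_report(report_file.read_text(errors="replace"))
    report.stdout = proc.stdout
    return report


def assess(index: Optional[int]) -> str:
    """Score bands from the Hardening Index table on this page; None when Lynis wrote no index."""
    if index is None:
        return "Unknown"
    if index >= 80:
        return "Hardened system"
    if index >= 60:
        return "Good baseline"
    if index >= 40:
        return "Needs attention"
    return "Critical issues"


# Constructed sample in Lynis's report format (not output from a real scan).
SAMPLE_REPORT = """\
# Lynis Report
report_version_major=1
lynis_version=3.0.9
hostname=web01
hardening_index=66
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked|-|-|
"""

if __name__ == "__main__":
    rpt = parse_report(SAMPLE_REPORT)
    print(f"hardening index {rpt.hardening_index}: {assess(rpt.hardening_index)}")
    for f in rpt.findings:
        print(f"[{f.severity}] {f.test_id}: {f.text} {f.details}".rstrip())
```

Two points worth noting: the same test ID (SSH-7408 above) legitimately appears several times with different `details`, so a parser must not deduplicate on test ID alone; and `hardening_index` is absent when Lynis aborts early, which the example surfaces as `None`/"Unknown" rather than silently scoring the host as zero.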
Installation per Distro
| Distro | Package | Manager | Notes |
|---|---|---|---|
| Ubuntu | lynis | apt | Directly available |
| Debian | lynis | apt | Directly available |
| AlmaLinux | epel-release, lynis | dnf | Requires EPEL repo |
| openSUSE | lynis | zypper | Directly available |
| Kali | lynis | apt | Often pre-installed |
| Arch | lynis | pacman | Official repository (formerly in community) |
Verification
After installation CISentinel runs the command configured as verify_cmd to confirm that the lynis binary is on the PATH and executes (for example `lynis --version`, which prints the version without starting an audit).
Output Artifacts
| Artifact | Format | Location |
|---|---|---|
| Audit Output | Text | ~/.cis-sentinel/reports/<scan_id>/lynis-output.log |
| Report Data | DAT | ~/.cis-sentinel/reports/<scan_id>/lynis-report.dat |
| Stdout | Text | Captured and displayed in CLI/GUI |
Hardening Index
Lynis produces a Hardening Index, a score from 0 to 100 (the `hardening_index` key in the report file) that summarises the overall security posture. It is a relative indicator derived from the tests Lynis actually performed, not a pass/fail compliance result, so it is most useful for tracking one host across runs rather than for comparing hosts with different distributions or scan profiles. The bands below are the interpretation used here:
| Score Range | Assessment |
|---|---|
| 80-100 | Hardened system |
| 60-79 | Good baseline |
| 40-59 | Needs attention |
| 0-39 | Critical issues |
Key Features Tested
Lynis tests hundreds of items, including:
- Boot and authentication
- Kernel hardening
- Memory and process restrictions
- Software packages and updates
- Networking and firewalls
- SSH configuration
- File permissions and integrity
- Logging and auditing
- Cryptography settings
- Malware detection
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| EPEL not found | AlmaLinux/CentOS without the EPEL repository enabled | CISentinel installs epel-release first, then lynis |
| Permission denied / tests skipped | Not running as root | Run under sudo; an unprivileged run skips checks that need root and yields an incomplete report |
| Outdated version | Distro repos ship an old release (Lynis itself warns at startup when its release is several months old) | Install the current release from lynis.io and verify the signature the project publishes for the download before using it |