TL;DR, What is Lynis?
Lynis is an open-source security auditing tool for UNIX-based systems.
Keeping server configurations secure and compliant with standards like ISO 27001, PCI DSS, and HIPAA can be tough. Lynis helps by providing a lightweight, agentless scanner that runs directly on the target system. The tool performs a security assessment by checking system internals like file permissions, installed software, and network settings. The scanner helps you identify vulnerabilities and gives you clear guidance for system hardening, which simplifies compliance and security management.
Developed by CISOfy, Lynis helps security professionals improve their organization's security posture.

At-A-Glance
GitHub: https://github.com/CISOfy/lynis
License: GPL-3.0
Primary Language: Shell
Stars: 14.7k ⭐
Last Release: v3.1.5 on July 29, 2025
Topics/Tags: security, hardening, audit, compliance, unix
Common use cases
1. DevSecOps CI/CD integration: Teams embed Lynis into their continuous integration and delivery pipelines to automate security scanning. Automating scans provides early validation of system and configuration security, including Dockerfiles, before a release to production, which helps shift security left in the development lifecycle.
2. Compliance auditing and reporting: Organizations use Lynis to run regular, automated assessments against standards like PCI DSS, HIPAA, and SOX. Lynis generates detailed reports that serve as evidence for auditors, identify compliance gaps, and help track remediation progress.
3. System hardening and configuration management: System administrators run Lynis to get a baseline security assessment and use its recommendations as a guide for hardening servers. Running periodic scans helps detect configuration drift and ensures systems stay compliant with internal security policies and best practices.
4. Incident response and forensics: During a security incident, response teams can deploy Lynis to quickly assess a potentially compromised system. Lynis helps identify configuration weaknesses that may have been exploited, detects unauthorized changes, and provides a snapshot of the system's state to support forensic analysis.
5. Automated security health checks: You can schedule Lynis to run automatically using cron or other task schedulers to perform continuous security health monitoring. You can then parse the output and feed it into centralized logging systems, security dashboards, or ticketing systems to create alerts and track remediation.
How does Lynis work?
Lynis uses a modular and opportunistic scanning design to adapt its audit to any UNIX-based system. The scan starts with initialization and privilege checks, then moves to a detection phase where Lynis identifies the operating system, installed software, and active services. The core scanning engine uses the information from this discovery step to activate only the relevant test modules. Using an adaptive approach ensures the security assessment is tailored to the specific system configuration for an efficient audit focused only on present components.
Dynamic detection: Lynis first discovers system components, services, and software. If the tool finds Apache, for example, it automatically activates a suite of web server security tests.
Modular test execution: The core engine runs many small, independent test plugins. Each plugin checks a specific security control, like file permissions, kernel settings, or package integrity.
Real-time reporting: As tests run, Lynis collects results and stores them in structured log files. The tool also presents findings in text-based terminal output (with warnings, suggestions, and a hardening index), giving you immediate, actionable feedback.
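An added example (not from the Lynis project or the original page) of the parsing step mentioned under automated health checks and real-time reporting: shell functions that read a Lynis report file, list its findings, and fail a pipeline when warnings are present or the hardening index is below a minimum. It assumes the key=value report layout with `warning[]=` and `suggestion[]=` entries; the function names, the sample report and the threshold of 70 are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse a Lynis report (key=value lines; findings look like
# "warning[]=TEST-ID|text|details|solution|"). A root scan writes the report
# to /var/log/lynis-report.dat by default. Function names are hypothetical.

# Print the value of a scalar key such as hardening_index.
lynis_field() {   # usage: lynis_field REPORT KEY
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# Print "TEST-ID<TAB>message" for every finding of KIND (warning or suggestion).
lynis_findings() {   # usage: lynis_findings REPORT KIND
    awk -v p="$2[]=" 'index($0, p) == 1 {
        n = split(substr($0, length(p) + 1), f, "|")
        if (n >= 2) printf "%s\t%s\n", f[1], f[2]
    }' "$1"
}

# Status 0 only if the index meets MIN_INDEX and the report holds no warnings;
# status 2 if the report has no usable hardening_index (e.g. scan did not finish).
lynis_gate() {   # usage: lynis_gate REPORT MIN_INDEX
    idx=$(lynis_field "$1" hardening_index)
    case "$idx" in ''|*[!0-9]*) echo "no hardening_index in $1" >&2; return 2 ;; esac
    warns=$(lynis_findings "$1" warning | wc -l | tr -d ' ')
    echo "hardening_index=$idx warnings=$warns (minimum $2)" >&2
    [ "$idx" -ge "$2" ] && [ "$warns" -eq 0 ]
}

# Constructed sample report (not output from a real scan).
write_sample_report() {
    cat > "$1" <<'EOF'
# Lynis Report
report_version_major=1
hostname=build-host-01
warning[]=AUTH-9308|No password set for single mode|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
hardening_index=63
EOF
}

sample=$(mktemp)
write_sample_report "$sample"
lynis_findings "$sample" warning      # one line per warning, ready for a log shipper or ticket
lynis_gate "$sample" 70 || echo "gate failed: resolve warnings or raise the index before release"
rm -f "$sample"
```

In a pipeline or cron job, point the functions at the real report file after the scan completes and treat exit status 2 as a failed scan rather than a passing one.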
Core Capabilities:
1. Agentless security scanning: Lynis runs directly from its directory to perform security audits without needing any permanent agents. A lightweight, non-intrusive approach minimizes system impact and removes the overhead of maintaining a separate agent, making deployment easier across different environments.
2. Compliance testing: The tool provides automated checks against major regulatory and security standards, including PCI DSS, HIPAA, and ISO 27001. Lynis evaluates system configurations against these frameworks and generates detailed reports that highlight compliance gaps and offer general guidance for remediation. Detailed compliance mapping is available in Lynis Enterprise.
3. Hardening index and prioritized recommendations: Lynis calculates a “hardening index” to provide a score for a system's security posture. After an assessment, the tool delivers a prioritized list of actionable recommendations, including specific commands and configuration changes. The list helps administrators focus on the most important improvements first.
4. Multi-platform compatibility and opportunistic scanning: Lynis supports a wide range of UNIX-based operating systems, including Linux, macOS, BSD, and AIX, using an opportunistic scanning model. The scanner automatically detects available system components and tailors its audit to them, which ensures relevant tests are performed without manual configuration.
5. Modular and extensible plugin architecture: Built with a flexible plugin system, Lynis allows you to extend its capabilities by creating custom tests for specific applications or internal security policies. The tool's modularity makes integration with other security tools easier and encourages community contributions, helping Lynis adapt to new threats and organizational needs.
Limitations
1. Not a real-time protection tool: Lynis is an audit and assessment tool designed for point-in-time scans. The scanner identifies configuration weaknesses, missing patches, and compliance deviations but does not provide real-time intrusion detection (IDS/IPS), malware prevention, or active response to block ongoing attacks.
2. Requires high-privilege execution: To perform a complete audit of system files, kernel parameters, and process configurations, you must run Lynis with root or equivalent high-level privileges. A requirement for high privileges can pose a security risk if not managed carefully and may conflict with security policies that enforce the principle of least privilege.
3. Primarily a host-based configuration auditor: The tool's scope focuses on the security configuration and hardening of the host operating system. Lynis does not perform network-level vulnerability scanning, penetration testing, or dynamic analysis of web application vulnerabilities (DAST), making the tool one component of a broader security strategy.
4. Effectiveness depends on host integrity: As an agentless tool, Lynis relies on the system's own binaries and utilities to gather information. For this reason, its results can be compromised if the underlying system is already subverted. An attacker or rootkit could modify system commands to hide malicious activity, potentially leading to an inaccurate security assessment.
5. Potential for information overload: On complex or poorly configured systems, Lynis can generate a large number of findings and suggestions. Without a centralized management interface or careful filtering, security teams managing many servers may find it challenging to parse, prioritize, and track remediation for all the data produced.
Running audits with Lynis is a great way to harden individual systems. While Lynis gives you a deep report on a single host's configuration, it doesn’t provide broader cloud context. Tools like Wiz can complement host-level checks by showing how misconfigurations combine with cloud permissions or network exposure to form attack paths to sensitive data. This helps you prioritize the fixes that actually reduce risk.
Getting Started:
Step 1: Download Lynis by cloning the repository:
git clone https://github.com/CISOfy/lynis
Step 2: Change into the Lynis directory:
cd lynis
Step 3: Run a security audit of your system:
./lynis audit system
Step 4: For best results and to avoid permission warnings, you may run as root or with sudo:
sudo ./lynis audit system
Alternatives
Feature | Lynis | OpenSCAP | Prowler | Rkhunter
---|---|---|---|---
Primary Focus | Security auditing, hardening, and compliance for UNIX systems | SCAP-based vulnerability scanning and compliance checking | Cloud security posture management (AWS, Azure, GCP) | Rootkit, backdoor, and local exploit scanning |
Scanning Scope | In-depth system configuration, software, and security controls | Checks against standardized SCAP content (e.g., CIS Benchmarks) | Cloud provider configurations and services | Filesystem, kernel modules, and system binaries for signs of compromise |
Agentless | Yes | Yes | Yes | Yes |
Compliance Frameworks | HIPAA, ISO 27001, PCI DSS, SOX | CIS, DISA STIG, USGCB, and other SCAP-based policies | CIS, PCI DSS, ISO 27001, GDPR, HIPAA, SOC 2, etc. | Not a primary feature |
Extensibility | Custom plugins and tests | Supports custom SCAP content creation | Custom checks and integrations | Primarily relies on signature and database updates |
Reporting | On-screen report, log files, and enterprise reporting options | Detailed HTML reports, OVAL results, and various export formats | JSON, CSV, and HTML reports; integrates with security hubs | Plain text log files |
Target Environment | On-premises servers, workstations, and cloud instances | Primarily on-premises and cloud-based Linux systems | Cloud environments (AWS, Azure, GCP, Kubernetes) | On-premises and cloud-based UNIX-like systems |
Maintenance Status | Actively maintained | Actively maintained | Actively maintained | Actively maintained |