1Lynis(8) Unix System Administrator's Manual Lynis(8)
2
6 Lynis - System and security auditing tool
7
9 lynis [scan mode] [other options]
10
12 Lynis is a security auditing tool for Linux, macOS, and other systems
13 based on UNIX. The tool checks the system and the software configura‐
14 tion, to see if there is any room for improvement the security
15 defenses. All details are stored in a log file. Findings and other dis‐
16 covered data is stored in a report file. This can be used to compare
17 differences between audits. Lynis can run interactively or as a cron‐
18 job. Root permissions (e.g. sudo) are not required, however provide
19 more details during the audit.
20 The following system areas may be checked:
22 - Boot loader files
24 - Configuration files
26 - Software packages
28 - Directories and files related to logging and auditing
30
32 When running Lynis for the first time, run: lynis audit system
33
36 audit <type>
37 Perform an audit of the selected type
38 upload-only
40 Upload the available report data file
41 See HELPERS section for more commands.
43
46 audit system
47 Performs a system audit, which is the most common audit.
48 audit system remote <host>
50 Provide commands to do a remote scan.
51 For more scan modes, see the helper utilities.
53
56 --auditor <name>
57 Define the name of the auditor/pentester. When a full name is
58 used, add double quotes, like "Your Name".
59 --cronjob
61 Perform automatic scan with cron safe options (no colors, no
62 questions, no breaks).
63 --debug
65 Display debug information to screen for troubleshooting pur‐
66 poses.
67 --developer
69 Display detailed information useful for developers when creating
70 tests.
71 --forensics
73 Perform the audit on a running or mounted system (see --rootdir)
74 --help Show available commands and most-used options.
76 --logfile </path/to/logfile>
78 Defines location and name of log file, instead of default
79 /var/log/lynis.log.
80 --man Show the man page. Useful for systems that do not have the man
82 page installed.
83 --no-colors
85 Disable colored output.
86 --no-log
88 Redirect all logging information to /dev/null, prevents sensi‐
89 tive information to be written to disk.
90 --no-plugins
92 Do not run any of the enabled plugins.
93 --pentest
95 Run a non-privileged scan, usually used for penetration testing.
96 Some of the tests will be skipped if they require root permis‐
97 sions.
98 --plugin-dir </path/to/plugins>
100 Define location where plugins can be found.
101 --profile <file>
103 Provide alternative profile to perform the scan.
104 --quick (-Q)
106 Do a quick scan (default: don't wait for user input).
107 --quiet (-q)
109 Run quietly and do not show anything to the screen. Will also
110 enable quick mode.
111 --report-file <file>
113 Provide an alternative name for report file.
114 --reverse-colors
116 Optimize screen output for light backgrounds.
117 --tests TEST-IDs
119 Only run the specific test(s). When using multiple tests, add
120 quotes around the line.
121 --tests-from-category <category>
123 Tests are only performed if they belong to the defined category.
124 Use the command 'show categories' to determine all valid
125 options.
126 --tests-from-group <group>
128 Similar to --tests-from-category. Only perform tests from a par‐
129 ticular group. Use 'show groups' to determine valid options.
130 --use-cwd
132 Run from the current working directory.
133 --upload
135 Upload data to Lynis Enterprise server (profile option:
136 upload=yes).
137 --verbose
139 Show more details on screen, such as components that could not
140 found. These details are hidden by default.
141 --wait Wait for user to continue. This adds a break after each section
143 (opposed of --quick).
144 --warnings-only
146 Run quietly, except show warnings.
147 Multiple parameters are allowed, though some parameters can only
149 be used together with others. When running Lynis without any
150 parameters, help will be shown and the program will exit.
151
153 Lynis has special helpers to do certain tasks. This way the framework
154 of Lynis is used, while at the same time storing most of the function‐
155 ality in a separated file. This speeds up execution and keeps the code
156 clean.
157 audit Run audit on the system or on other targets
160 configure <parameter>
162 Change or add settings to the config file
163 generate <parameter>
165 Generate specific details such as host IDs
166 show <parameter>
168 Show information, such as configuration and paths
169 update <parameter>
171 Perform activities regarding updating
172 To use a helper, run 'lynis' followed by the helper name.
174
177 Lynis uses exit codes to signal any invoking script. Currently the fol‐
178 lowing codes are used:
179 0 Program exited normally
181 1 Fatal error
183 64 An unknown parameter is used, or incomplete
185 65 Incorrect data encountered
187 66 Can't open file or directory
189 78 Lynis found 1 or more warnings or configurations errors (with
191 error-on-warnings=yes)
192
195 Bugs can be reported via GitHub at https://github.com/CISOfy/lynis or
196 via support@cisofy.com
197
200 Supporting documentation can be found via https://cisofy.com/support/
201
204 Lynis is licensed as GPLv3. The tool was created by Michael Boelen in
205 2007. Since 2013 its development has been taken over by CISOfy under
206 the management of Michael Boelen. Plugins may have a different license.
207
210 Support requests and project related questions can be addressed via e-
211 mail: lynis-dev@cisofy.com.
2121.32 14 Feb 2020 Lynis(8)