GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
Lynis(8) Unix System Administrator's Manual Lynis(8)

Lynis - System and security auditing tool

lynis [scan mode] [other options]

Lynis is a security auditing tool for Linux, macOS, and other systems based on UNIX. The tool checks the system and the software configuration, to see if there is any room for improvement the security defenses. All details are stored in a log file. Findings and other discovered data is stored in a report file. This can be used to compare differences between audits. Lynis can run interactively or as a cronjob. Root permissions (e.g. sudo) are not required, however provide more details during the audit.

The following system areas may be checked:

- Boot loader files
- Configuration files
- Software packages
- Directories and files related to logging and auditing

When running Lynis for the first time, run: lynis audit system

audit <type>
Perform an audit of the selected type
upload-only
Upload the available report data file

See HELPERS section for more commands.

audit system
Performs a system audit, which is the most common audit.
audit system remote <host>
Provide commands to do a remote scan.

For more scan modes, see the helper utilities.

--auditor <name>
Define the name of the auditor/pentester. When a full name is used, add double quotes, like "Your Name".
--cronjob
Perform automatic scan with cron safe options (no colors, no questions, no breaks).
--debug
Display debug information to screen for troubleshooting purposes.
--developer
Display detailed information useful for developers when creating tests.
--forensics
Perform the audit on a running or mounted system (see --rootdir)
--help
Show available commands and most-used options.
--logfile </path/to/logfile>
Defines location and name of log file, instead of default /var/log/lynis.log.
--man
Show the man page. Useful for systems that do not have the man page installed.
--no-colors
Disable colored output.
--no-log
Redirect all logging information to /dev/null, prevents sensitive information to be written to disk.
--no-plugins
Do not run any of the enabled plugins.
--pentest
Run a non-privileged scan, usually used for penetration testing. Some of the tests will be skipped if they require root permissions.
--plugin-dir </path/to/plugins>
Define location where plugins can be found.
--profile <file>
Provide alternative profile to perform the scan.
--quick (-Q)
Do a quick scan (default: don't wait for user input).
--quiet (-q)
Run quietly and do not show anything to the screen. Will also enable quick mode.
--report-file <file>
Provide an alternative name for report file.
--reverse-colors
Optimize screen output for light backgrounds.
--tests TEST-IDs
Only run the specific test(s). When using multiple tests, add quotes around the line.
--tests-from-category <category>
Tests are only performed if they belong to the defined category. Use the command  'show categories' to determine all valid options.
--tests-from-group <group>
Similar to --tests-from-category. Only perform tests from a particular group. Use 'show groups' to determine valid options.
--use-cwd
Run from the current working directory.
--upload
Upload data to Lynis Enterprise server (profile option: upload=yes).
--verbose
Show more details on screen, such as components that could not found. These details are hidden by default.
--wait
Wait for user to continue. This adds a break after each section (opposed of --quick).
--warnings-only
Run quietly, except show warnings.

Multiple parameters are allowed, though some parameters can only be used together with others. When running Lynis without any parameters, help will be shown and the program will exit.

Lynis has special helpers to do certain tasks. This way the framework of Lynis is used, while at the same time storing most of the functionality in a separated file. This speeds up execution and keeps the code clean.

audit
Run audit on the system or on other targets
configure <parameter>
Change or add settings to the config file
generate <parameter>
Generate specific details such as host IDs
show <parameter>
Show information, such as configuration and paths
update <parameter>
Perform activities regarding updating

To use a helper, run 'lynis' followed by the helper name.

Lynis uses exit codes to signal any invoking script. Currently the following codes are used:
0
Program exited normally
1
Fatal error
64
An unknown parameter is used, or incomplete
65
Incorrect data encountered
66
Can't open file or directory
78
Lynis found 1 or more warnings or configurations errors (with error-on-warnings=yes)

Bugs can be reported via GitHub at https://github.com/CISOfy/lynis or via support@cisofy.com

Supporting documentation can be found via https://cisofy.com/support/

Lynis is licensed as GPLv3. The tool was created by Michael Boelen in 2007. Since 2013 its development has been taken over by CISOfy under the management of Michael Boelen. Plugins may have a different license.

Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com.
14 Feb 2020 1.32

Search for    or go to Top of page |  Section 8 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.