To home page

Installing and using the Lynis vulnerability scanner

Security audit guide for VPS and dedicated servers.

Lynis is a free, open-source security auditing tool for in-depth scanning of Linux/Unix systems. It checks hundreds of parameters: file permissions, service configurations, updates, kernel settings, firewall rules, potential malware, and more.

Lynis runs directly on the server, enabling more accurate analysis than external scanners. It's perfect for regular security checks on VPS and dedicated servers.

Installing Lynis

The simplest and recommended method is to download and install from the official site.

  1. Go to the temporary directory:
cd /tmp
  1. Download the latest version (as of writing — 3.0.3; always check the current version on cisofy.com):
wget https://downloads.cisofy.com/lynis/lynis-3.0.3.tar.gz
  1. Extract the archive:
tar xvfz lynis-3.0.3.tar.gz
  1. Move to a system directory and create a symlink for easy access:
sudo mv lynis /usr/local/lynis
sudo ln -s /usr/local/lynis/lynis /usr/local/bin/lynis
  1. Verify installation:
lynis update info

Example output:

Version    : 3.0.3
Status     : Up-to-date
Release date : 2021-01-07
Project page : https://cisofy.com/lynis/
Source code  : https://github.com/CISOfy/lynis

Running an audit

The simplest and most comprehensive system audit:

sudo lynis audit system

Or with extra checks (recommended):

sudo lynis audit system --wait

Lynis will run hundreds of tests and display a detailed report directly in the terminal.

Reading the results

After completion, you'll see:

  • Warnings — critical or potentially dangerous issues (red color, test code, link to fix).
  • Suggestions — recommendations for improvement (yellow color).
  • Details — detailed test information.
  • Hardening index — overall security score (higher is better).

Example warnings:

Warnings (3):
----------------------------
! Reboot of system is most likely needed [KRNL-5830]
  Solution : reboot
  https://cisofy.com/lynis/controls/KRNL-5830/

! Multiple accounts found with same UID [AUTH-9208]
  https://cisofy.com/lynis/controls/AUTH-9208/

! iptables module(s) loaded, but no rules active [FIRE-4512]
  https://cisofy.com/lynis/controls/FIRE-4512/

Each item includes a test code and a link to a detailed explanation with ready-to-apply fixes.

Useful Lynis commands

  • Check for updates:
sudo lynis update check
  • Run specific tests only:
sudo lynis audit system --tests KRNL-5830,AUTH-9208
  • Save the report to a file:
sudo lynis audit system --output-file /root/lynis-report.txt
  • Run audit quietly (log only, no terminal output):
sudo lynis audit system --quiet

Important notes

  • Lynis does not fix issues automatically — it only identifies and explains them.
  • Run audits monthly or after installing new software/updates.
  • For automation, add to cron (e.g., weekly on Monday at 3:00 AM):
0 3 * * 1 sudo lynis audit system --quiet --output-file /var/log/lynis-weekly-$(date +\%Y-\%m-\%d).txt
  • Lynis works without root privileges, but for a full audit, run with sudo.

Help

If you have any questions or need assistance, please contact us through the ticket system — we're always here to help!

Updated at:
Need help?Our engineers will help you free of charge with any question in minutesContact us