How to Audit and Harden a Linux System With Lynis

Curious how to secure your Linux system without guesswork? Use Lynis to pinpoint risky Linux configurations and apply practical fixes.

Back to blog

Try the NVMe cloud.

Start your 7-day free trial with no commitment. Explore freely and continue if it’s right for you.

Start free trial

Some time ago I was presented with a very interesting question, how do I harden a Linux system without having to make wild guesses?

The answer was lynis, a program that scans your Linux system, highlights potentially dangerous configurations, and even suggests improvements.

Why Use Lynis to Secure Linux?

lynis helps you identify system vulnerabilities with concrete suggestions for remedial actions. It prevents guesswork and ensures you can systematically secure your Linux server.

How Do I Install lynis Using Git?

1. First, we need to download lynis using git to ensure we have the latest version. For our example, we’re using Ubuntu 24.04. Before proceeding, install git by running:

    apt update; apt install git -y

    Note: The semicolon (;) separates one command from another so they will run in succession.

    2. Once git is installed, clone the lynis repository by typing inline code:

    git clone https://github.com/CISOfy/lynis.git

    Note: Wherever you run this command, the repository will be cloned in that directory, so be mindful of your location.

    How Do I Run lynis on Ubuntu 24.04?

    1. Change into the lynis directory and run lynis by typing:

    sudo ./lynis audit system

    2. The process can take a variable amount of time depending on your system and resources. You will see progress as it goes through all the default options.

    3. After it finishes, a report is saved in the /var/log folder. To view the most important items (warnings or suggestions), run:

    grep "warning\|suggestion" /var/log/lynis-report.dat

    The screenshot above is an example of the information returned by lynis in its report. After running a script that automatically fixes some of these items, the list becomes much shorter. (Keep in mind that the list shown is longer than what is captured in the screenshot.)

    Can I Automate Fixes With a Script?

    Yes, there’s a script that addresses some of lynis’s findings automatically. It can be downloaded via git:

    git clone https://github.com/vicosurge/Lynis-autofix.git

    We did not fix all the findings from lynis. It’s important to exercise caution when running any script that makes automatic changes – especially on production systems that have been running for a while.

    What About Other Security Measures Like Log Collection?

    lynis also mentions critical points about log collection, file integrity monitoring, and malware scanning, suggesting tools like OSSEC or Wazuh. In another instance, we will install Wazuh and configure it to properly monitor our hosts.

    By following these steps and using lynis along with its automated scripts, you can significantly harden a Linux system without guesswork while maintaining a clear view of your server’s security posture.

    Picture of Vicente Muñoz

    Vicente Muñoz

    Vicente has a background in History, through formal education, and IT with 15 years of experience including 8 years focusing on cybersecurity. He has also worked as an author of books in the subjects of cybersecurity, programming, fantasy, and science fiction. Moreover, he managed and created an e-zine titled "El Futuro del Ayer, Hoy" (The Future of Yesterday, Today), with the core objective of giving new writers a voice.

    Useful insights?

    Help others discover this article by sharing it.

    Products
    Features
    Solutions
    Resources
    Company

    © 2025 LifeinCloud LTD  |  London W1S 1HN, United Kingdom
    Registered in England and Wales, Company No. 15844051

    Linkedin Facebook X-twitter Youtube Instagram Threads
    Sign Up