Lynis - Robust security audit tool, but is it for Linux home users?

Updated: June 28, 2024

Linux security is an interesting beast. Because Linux, by and large, is not a consumer-facing product, its security solutions also aren't consumer-facing. In other words, if you use Linux for work, there are lots of security programs and tools that can help you get the desired results. However, these are made for professionals: either they are not easy to configure and use, or they are easy to use but also quite expensive.

This makes home user security somewhat tricky. If you expect simple, GUI-driven tools to scan your system and give you a clean bill of health, you're probably going to struggle to find some, or any. Here on Dedoimedo, I've reviewed a number of Linux scanner utilities in the past, most notably chkrootkit and rkhunter, both command-line tools, and quite nerdy at that. Interpreting the results of these tools was quite difficult, and you're more likely to have to deal with false positives than real infections. This brings me to Lynis, a security auditing, testing and hardening tool. Not for home users, then. But could they, perhaps, still somehow benefit from it without going overboard?

Lynis in action

All right. So I decided to run Lynis, taking into consideration that the results will probably be quite detailed, and will require some level of knowledge. This is true for most security tools, if one intends to use them effectively. The problem is, the world of Windows has "spoiled" the public perception into how security should be done. You run an anti-malware scanner of some sort, and it gives you a big CLEAN or INFECTED. Thus, people expect and desire similar results, no matter what.

To see what gives, I grabbed Lynis from the distro repository on a Kubuntu 22.04 system. It's not the latest version, but then, it's good enough to get a sense of how the utility works and whether it can offer Linux home users a scanner-like capability that is easy to run and interpret.

sudo apt install lynis

And then, for a comprehensive system check, simply run:

(sudo) lynis audit system

You can run Lynis without root, and it will execute in a so-called non-privileged scan mode. That means it won't be able to check every single aspect of the system. That doesn't make it useless, far from it; you can still get a lot of useful information.

Non-privileged scan

I let the program run, and in parallel, I checked the results as they scrolled on the command line. Some of the information is obvious and self-explanatory, some isn't. Some of the results were also a bit alarming. For instance, in the Boot and services section, Lynis labeled most of the entries as UNSAFE, which means they haven't been hardened to the right security standard. But then, this is really not applicable for home use. This is important if you're running a server, and you provide services on the public network, or perhaps a private network where there might be potential attackers or other unwanted surprises.

Services

Some of the labels also aren't clear. The tool uses terms like FOUND, NOT FOUND, DONE, DEFAULT, DISABLED, SUGGESTION, NOT ENABLED, etc., plus the semaphore color code. Sometimes, it can be a bit difficult to understand good vs bad. Does green mean we're ok? Or is the wording more important?

Terms, colors

I am grossly oversimplifying what the tool does, of course, but this is an early indication that Lynis is definitely not a program for beginners. You must have an understanding of the system and system security to be able to use it effectively. Otherwise, the findings will just cause panic.

Results

Once the non-privileged scan completed, Lynis informed me that there were no warnings, and a whole bunch of suggestions. The warnings are what you need to consider carefully, for immediate remediation, whereas suggestions are healthy security practices for improved hardening.

Each recommendation is listed with a link back to the official page, which explains in detail what the suggestion does, and how it works. In a way, this is a starting point for making your system more robust. But, like before, you really need to understand the implications before you can make any changes.
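To tie the run described above to the warnings-versus-suggestions split, here is an added example (not from the article or the Lynis project) that summarises a Lynis report file: warnings first, then suggestions, each with the control page link Lynis points to. It assumes Lynis writes its key=value report to /var/log/lynis-report.dat when run as root and /tmp/lynis-report.dat when run unprivileged, and that control pages live at https://cisofy.com/lynis/controls/<ID>/; the sample report is constructed.

```shell
#!/bin/sh
# Summarise a Lynis report: hardening index, then warnings before suggestions.
# Paths and URL pattern below are assumptions (see lead-in), not Lynis docs.

# Report file for the current user (root vs non-privileged run; assumed paths).
report_path() {
    if [ "$(id -u)" -eq 0 ]; then echo /var/log/lynis-report.dat
    else echo /tmp/lynis-report.dat; fi
}

# Count findings of kind $2 ("warning" or "suggestion") in report $1; 0 if none.
count_findings() {
    grep -c "^$2\[]=" "$1" || true
}

# The overall score Lynis prints at the end of the run.
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# Print "KIND ID: text (details) URL", warnings first, then suggestions.
# Report lines have the shape: warning[]=TEST-ID|text|details|solution|
list_findings() {
    for kind in warning suggestion; do
        grep "^$kind\[]=" "$1" | while IFS='|' read -r head text details _solution _rest; do
            ctrl=${head#*=}
            printf '%s %s: %s (%s) https://cisofy.com/lynis/controls/%s/\n' \
                "$kind" "$ctrl" "$text" "$details" "$ctrl"
        done
    done
}

# Constructed sample report (format modelled on Lynis output; the finding
# texts are illustrative and not the result of a real scan).
SAMPLE="${TMPDIR:-/tmp}/lynis-report-sample.dat"
cat > "$SAMPLE" <<'EOF'
# Lynis Report
lynis_version=3.0.8
hardening_index=65
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=BOOT-5264|Consider hardening system services|Run systemd-analyze security for each service|-|
EOF

printf 'Hardening index: %s\n' "$(hardening_index "$SAMPLE")"
list_findings "$SAMPLE"
```

On a real system, replace `$SAMPLE` with `$(report_path)` after `lynis audit system` has finished.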

Results

Results, details

Results, details, more

Most of the "problems" were around SSHD. Normally, this is not something that runs on a home system, and thus, if you have SSHD enabled, you transform your system from a closed home box into a server. But again, this doesn't necessarily mean there's a big problem. My test machine, where I used Lynis, is configured to run SSHD on the local network only, and is not accessible or even routable from the Internet - a virtual machine, in fact. The results are valid, but there's no reason to do any hardening, as the usage risks are nil.

Running as root, the security score was a bit higher. Lynis considers the root run as normal run, whereas non-root falls under the "pentest" category. There's a wealth of options, configurations and tests you can run, and this article is only a very basic overview of what it does.

Results, running as root

I decided to check how useful the suggestions really are. TL;DR: They are. You get simple, concise, clear explanations, with actionable recommendations. The only downside is that Lynis does not tell you how to achieve the results - and frankly, it cannot/shouldn't, as it's designed to work on tons of different distributions and other UNIX-like systems, and they all do things slightly differently.

Results, web page

Conclusion

I didn't spend a lot of time testing Lynis. However, from what I've been able to glean in my half-hour stint, it's a good tool. It did its work as advertised, no surprises or snags. The output is readable, and categorized in a logical manner. You get suggestions and explanations for what you can do next. All that said, you do need to understand the results before you can do anything with them. But if you do, then you can considerably harden your system. Lynis will not "prevent" infections per se, and it won't really detect any either; it just observes the anomalies that could indicate potential problems, so there is no easy GUI YES/NO verdict. But if you apply its findings, you can make sure there's much less risk of something like that happening in the future.

This brings me to the Linux home user. Like the rest of the bunch, Lynis is not designed for the Linux distro at home. Nothing prevents you from using it, of course, but in most cases, the usage will be overkill, for various reasons. Some of the results won't be applicable, and you will need to invest time and knowledge to get everything right. On its own, that's not a bad investment, but it cannot give easy, instant answers, and it will probably elevate your sense of security paranoia in the short term. All in all, this is an excellent tool, but aimed mostly at businesses running public-facing services. And we all know the Internet needs some solid hardening in this regard. Take care.

Cheers.