Lynis cheat sheet
Summary
This cheat sheet provides security teams and sysadmins with a quick-reference guide to Lynis commands, audit options, and configuration details. Use it to streamline security auditing, system hardening, and compliance validation on Linux, macOS, and Unix systems.
Introduction
Lynis is an open source security auditing tool for Linux, macOS, and other UNIX-based operating systems. You can use it to assess system configuration, detect security weaknesses, and support compliance and hardening tasks.
Synopsis
lynis [command] [subcommand] [options] [arguments]
Commands
This section lists common Lynis commands that you use to start audits and manage basic operations.
Audit command
The audit command is used to perform security audits on the local system or on supported targets. It is the primary entry point for running Lynis security checks.
| Command | Description |
|---|---|
| `audit system` | Runs a full security audit on the local operating system. |
| `audit system --quick` | Runs a reduced system audit without pauses or user interaction. |
| `audit system remote <host>` | Runs an audit against a remote host when supported by the configuration. |
| `audit dockerfile <file>` | Audits a Dockerfile for security and configuration issues. |
| `audit docker` | Audits Docker daemon configuration and related components on the host. |
Show command
The show command displays internal Lynis information such as configuration values, paths, and available test metadata. It is mainly used for inspection and discovery.
| Command | Description |
|---|---|
| `show` | Displays a general overview of available show options. |
| `show configuration` | Displays the active Lynis configuration and effective settings. |
| `show settings` | Shows configurable settings and their current values. |
| `show tests` | Lists all available test identifiers. |
| `show categories` | Lists all available test categories. |
| `show groups` | Lists all available test groups. |
| `show profiles` | Displays available profiles that can be used for scans. |
| `show version` | Displays the Lynis version and build information. |
| `help` | Shows available commands and commonly used options. |
Update command
The update command handles update-related tasks for Lynis. It allows you to check for updates and retrieve version information.
| Command | Description |
|---|---|
| `update` | Performs the default update action based on configuration. |
| `update check` | Checks whether a newer Lynis version is available. |
| `update info` | Displays detailed update and version information. |
Configure command
The configure command is used to change or add configuration settings in the Lynis configuration file. It allows you to manage settings without editing files manually.
| Command | Description |
|---|---|
| `configure` | Displays available configuration parameters. |
| `configure <parameter>` | Adds or updates a specific configuration parameter. |
| `configure audit-mode` | Sets or modifies the audit execution mode. |
| `configure upload` | Enables or disables uploading data when using Lynis Enterprise. |
Generate command
The generate command creates specific internal data used by Lynis for identification and reporting. Generated values are stored for reuse in later scans.
| Command | Description |
|---|---|
| `generate` | Displays available generate options. |
| `generate hostid` | Generates a unique host identifier for the system. |
| `generate uuid` | Generates a universally unique identifier (UUID) for Lynis usage. |
Options
This section documents frequently used Lynis command-line options. You can combine these options with commands to customize how scans are executed and reported.
| Option | Description |
|---|---|
| `--auditor <name>` | Defines the name of the auditor or penetration tester. Use double quotes when specifying a full name. |
| `--cronjob` | Runs an automated scan using cron-safe settings with no colors, prompts, or pauses. |
| `--debug` | Displays debug output on screen for troubleshooting purposes. |
| `--developer` | Shows detailed output intended for test and development work. |
| `--forensics` | Performs an audit on a running or mounted system, typically used with `--rootdir`. |
| `--help` | Displays available commands and commonly used options. |
| `--logfile </path/to/logfile>` | Sets a custom path and filename for the log file instead of `/var/log/lynis.log`. |
| `--man` | Displays the Lynis manual page, useful when the local man page is not installed. |
| `--no-colors` | Disables colored terminal output. |
| `--no-log` | Redirects all log output to `/dev/null` to avoid writing data to disk. |
| `--no-plugins` | Prevents execution of all enabled plugins. |
| `--pentest` | Runs a non-privileged scan intended for penetration testing; tests requiring root access are skipped. |
| `--plugin-dir </path/to/plugins>` | Defines a custom directory where Lynis plugins are located. |
| `--profile <file>` | Uses an alternative profile file to control scan behavior. |
| `--quick` (`-Q`) | Performs a quick scan without waiting for user input. |
| `--quiet` (`-q`) | Suppresses all screen output and implicitly enables quick mode. |
| `--report-file <file>` | Sets a custom filename or path for the report output. |
| `--reverse-colors` | Optimizes terminal colors for light backgrounds. |
| `--tests TEST-IDs` | Runs only the specified test identifiers. Use quotes when specifying multiple tests. |
| `--tests-from-category <category>` | Runs only tests that belong to the specified category. |
| `--tests-from-group <group>` | Runs only tests that belong to the specified test group. |
| `--use-cwd` | Executes Lynis from the current working directory. |
| `--upload` | Uploads audit data to a Lynis Enterprise server when enabled in the profile. |
| `--verbose` | Displays additional details that are hidden in default output. |
| `--wait` | Pauses execution after each section and waits for user confirmation. |
| `--warnings-only` | Runs quietly and displays only warning messages. |
Example usage
lynis audit system --quick --auditor "Security Team"
Important files & locations
These key directories and files control Lynis’ behavior, store results, and enable customization.
/etc/lynis/ # Configuration directory
/usr/share/lynis/ # Program files
/var/log/lynis.log # Log file
/var/log/lynis-report.dat # Report data (for enterprise)
~/.lynisrc # Custom settings (optional)
Key audit areas
Lynis checks these main categories:
- Authentication - PAM, password policies
- Filesystems - Mount options, partitions
- Kernel - Hardening, runtime protection
- Memory & Processes - ASLR, exec-shield
- Networking - Firewalls, DNS, SSH
- Ports & Packages - Listening services, updates
- Software - Vulnerable packages
- Storage - Encryption, disk health
- Custom Tests - User-defined checks
FAQs
Most common questions and brief, easy-to-understand answers on the topic:
What is Lynis used for?
Lynis is used to perform host-based security audits on Linux, macOS, and other UNIX-based systems by checking configuration, permissions, and installed software.
Do you need root privileges to run Lynis?
You can run Lynis as an unprivileged user, but running it with sudo or as root provides more complete audit results.
Does Lynis make changes to the system?
No, Lynis is a read-only auditing tool and does not modify system configuration or files.
Where are Lynis reports stored?
By default, reports are written to /var/log/lynis-report.dat and logs to /var/log/lynis.log.
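The report file named above is the natural input for automated follow-up after a `--cronjob` run. As an added example (not part of the original cheat sheet or of the Lynis project), this script summarizes such a report and gates on it. It assumes the report's plain `key=value` layout with `hardening_index=`, `warning[]=` and `suggestion[]=` entries; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize a Lynis report file (plain key=value lines).
# Assumed keys: hardening_index=N, warning[]=ID|text|..., suggestion[]=ID|text|...

# Print the hardening index, or "unknown" when the key is missing.
report_index() {
    v=$(sed -n 's/^hardening_index=//p' "$1" | head -n 1)
    echo "${v:-unknown}"
}

# Count entries of one array key, e.g. "warning" or "suggestion".
report_count() {
    awk -v k="${2}[]=" 'index($0, k) == 1 { n++ } END { print n + 0 }' "$1"
}

# Print "TEST-ID: message" for every warning entry.
report_warnings() {
    awk -F'|' 'index($0, "warning[]=") == 1 { print substr($1, 11) ": " $2 }' "$1"
}

# Succeed only when there are no warnings and the index meets the minimum.
report_gate() {
    idx=$(report_index "$1")
    [ "$idx" != "unknown" ] || return 1
    [ "$(report_count "$1" warning)" -eq 0 ] && [ "$idx" -ge "$2" ]
}

# Write a constructed sample report (not output from a real scan).
make_sample_report() {
    cat > "$1" <<'EOF'
# Constructed sample
hardening_index=64
warning[]=TEST-0001|Constructed warning text|-|-|
suggestion[]=TEST-0002|Constructed suggestion one|-|-|
suggestion[]=TEST-0003|Constructed suggestion two|-|-|
EOF
}

# Demo on the sample. For a real host, replace make_sample_report with:
#   lynis audit system --cronjob --report-file "$REPORT"
REPORT=$(mktemp)
make_sample_report "$REPORT"
echo "index=$(report_index "$REPORT") warnings=$(report_count "$REPORT" warning)"
report_warnings "$REPORT"
report_gate "$REPORT" 60 && echo "gate: pass" || echo "gate: fail"
rm -f "$REPORT"
```

A non-zero exit from `report_gate` can fail a scheduled job or pipeline step, so a new warning or a drop in the hardening index is noticed without reading the full log.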
License
Lynis cheat sheet by Jonas Jared Jacek is licensed under CC BY-SA 4.0.
This license requires that reusers give credit to the creator. It allows reusers to distribute, remix, adapt, and build upon the material in any medium or format, for noncommercial purposes only. To give credit, provide a link back to the original source, the author, and the license e.g. like this:
<p xmlns:cc="http://creativecommons.org/ns#" xmlns:dct="http://purl.org/dc/terms/"><a property="dct:title" rel="cc:attributionURL" href="https://www.ditig.com/lynis-cheat-sheet">Lynis cheat sheet</a> by <a rel="cc:attributionURL dct:creator" property="cc:attributionName" href="https://www.j15k.com/">Jonas Jared Jacek</a> is licensed under <a href="https://creativecommons.org/licenses/by-sa/4.0/" target="_blank" rel="license noopener noreferrer">CC BY-SA 4.0</a>.</p>
For more information see the Ditig legal page.