How to install and Use Lynis on Fedora 35

In this guide we are going to learn how to install and use Lynis on Fedora 35.

Lynis is an open-source, battle-tested security tool for systems running Linux, MacOS and Unix-based operating system. It performs an extensive health scan of your system in order to support hardening and compliance testing.

Lynis gives complete information about the current operating system, current operating system version, hardware running on the Linux machine, firmware information etc.

Uses of Lynis Software

  • It is used for auditing systems entirely
  • It is used for Penetration testing purposes
  • It is used for system hardening
  • It is used for checking any vulnerability issues in the system.
  • It is used for checking compliance in the system.


To follow along make sure you have the following:

  • Fedora 35 server up and running
  • user account with sudo privileges
  • Internet connection
  • Conversant with Linux terminal

Table of Contents

  1. make sure that the server is up to date.
  2. Install Lynis
  3. Run System Audit

1. Update Fedora 35 server

First we need to ensure taht our server is up to date. To do that we need to run the following command in in our terminal dnf update -y

$ sudo dnf update -y

When the update is complete, then we can move on to install Lynis software.

2. Download Lynis software

Download Lynis software from Lynis download page. We can use wget command to download directly from the terminal. type the following command into your terminal.

$ wget

If you are using a fresh install server like me you will probably get an error message “wget not found”, what you nedd to do is to install wget with the following command:

$ sudo dnf install wget

Press y to allow the installation to continue.

Sample output

# sudo dnf install wget
DigitalOcean Droplet Agent                                                        29 kB/s | 3.3 kB     00:00    
Dependencies resolved.
 Package                     Architecture           Version                        Repository               Size
 wget                        x86_64                 1.21.2-2.fc35                  updates                 805 k
Installing dependencies:
 libmetalink                 x86_64                 0.1.3-15.fc35                  fedora                   31 k

Transaction Summary
Install  2 Packages

Total download size: 835 k
Installed size: 3.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): libmetalink-0.1.3-15.fc35.x86_64.rpm                                      1.3 MB/s |  31 kB     00:00    
(2/2): wget-1.21.2-2.fc35.x86_64.rpm                                             9.4 MB/s | 805 kB     00:00    
Total                                                                            3.5 MB/s | 835 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                         1/1 
  Installing       : libmetalink-0.1.3-15.fc35.x86_64                                                        1/2 
  Installing       : wget-1.21.2-2.fc35.x86_64                                                               2/2 
  Running scriptlet: wget-1.21.2-2.fc35.x86_64                                                               2/2 
  Verifying        : libmetalink-0.1.3-15.fc35.x86_64                                                        1/2 
  Verifying        : wget-1.21.2-2.fc35.x86_64                                                               2/2 

  libmetalink-0.1.3-15.fc35.x86_64                           wget-1.21.2-2.fc35.x86_64                          


Now you can run the download again, this time round it will go through because we now have wget in our system.

$ wget

We now need to extract our tarball into the folder you have chosen your file to be downloaded to. For my case I have downloaded to the default download folder. So I will extract it here. You can check the repository where you are with the following command:

$ pwd
$ ls

Do an ls to confirm if indeed the download goes through.

# ls

As you can see the file exist in my root folder. Now we can extract to the root folder still.

$ tar xfvz lynis-3.0.6.tar.gz

After the extraction is complete, it is now time for us to run our Lynis to give us the state of our system.

To audit the system we can run the following command, but you need to cd into lynis directory first

$ cd lynis

Run this command now

$ ./lynis audit system

You will get the following results, It is is a long list

# ./lynis audit system

[ Lynis 3.0.6 ]

  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2021, CISOfy -
  Enterprise support available (compliance, plugins, interface and tools)

[+] Initializing program
  - Detecting OS...                                           [ DONE ]
  - Checking profiles...                                      [ DONE ]

  Program version:           3.0.6
  Operating system:          Linux
  Operating system name:     Fedora Linux
  Operating system version:  35
  Kernel version:            5.14.10
  Hardware platform:         x86_64
  Hostname:                  fedora-35
  Profiles:                  /root/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          ./plugins
  Auditor:                   [Not Specified]
  Language:                  en
  Test category:             all
  Test group:                all
  - Program update status...                                  [ SKIPPED ]

[+] Plugins (phase 1)
 Note: plugins have more extensive tests and may take several minutes to complete
  - Plugins enabled                                           [ NONE ]

figuration file                  [ FOUND ]
  - Checking default I/O kernel scheduler                     [ NOT FOUND ]
  - Checking core dumps configuration
    - configuration in systemd conf files                     [ DEFAULT ]
    - configuration in etc/profile                            [ DEFAULT ]
    - 'hard' configuration in security/limits.conf            [ DEFAULT ]
    - 'soft' configuration in security/limits.conf            [ DEFAULT ]
    - Checking setuid core dumps configuration                [ PROTECTED ]
  - Check if reboot is needed                                 [ YES ]

[+] Storage
  - Checking firewire ohci driver (modprobe config)           [ NOT DISABLED ]

[+] Networking
  - Checking IPv6 configuration                               [ ENABLED ]
      Configuration method                                    [ AUTO ]
      IPv6 only                                               [ NO ]
  - Checking configured nameservers
    - Testing nameservers
      Nameserver:                                 [ SKIPPED ]
      Nameserver:                                 [ SKIPPED ]
    - Minimal of 2 responsive nameservers                     [ SKIPPED ]
    - DNSSEC supported (systemd-resolved)                     [ NO ]
  - Checking default gateway                                  [ DONE ]
  - Getting listening ports (TCP/UDP)                         [ DONE ]
  - Checking promiscuous interfaces                           [ OK ]
  - Checking waiting connections                              [ OK ]
  - Checking status DHCP client
  - Checking for ARP monitoring software                      [ NOT FOUND ]
  - Uncommon network protocols                                [ 0 ]

[+] Printers and Spools
  - Checking cups daemon                                      [ NOT FOUND ]
  - Checking lp daemon                                        [ NOT RUNNING ]

[+] Software: firewalls
  - Checking iptables kernel module                           [ FOUND ]
  - Checking host based firewall                              [ ACTIVE ]

[+] LDAP Services
  - Checking OpenLDAP instance                                [ NOT FOUND ]

[+] Logging and files
  - Checking for a running log daemon                         [ OK ]
    - Checking Syslog-NG status                               [ NOT FOUND ]
    - Checking systemd journal status                         [ FOUND ]
    - Checking Metalog status                                 [ NOT FOUND ]
    - Checking RSyslog status                                 [ NOT FOUND ]
    - Checking RFC 3195 daemon status                         [ NOT FOUND ]
    - Checking minilogd instances                             [ NOT FOUND ]
  - Checking logrotate presence                               [ OK ]
  - Checking remote logging                                   [ NOT ENABLED ]
  - Checking log directories (static list)                    [ DONE ]
  - Checking open log files                                   [ SKIPPED ]

[+] Home directories
  - Permissions of home directories                           [ OK ]
  - Ownership of home directories                             [ OK ]
  - Checking shell history files                              [ OK ]

[+] Hardening
    - Installed compiler(s)                                   [ NOT FOUND ]
    - Installed malware scanner                               [ NOT FOUND ]
    - Non-native binary formats                               [ NOT FOUND ]


  -[ Lynis 3.0.6 Results ]-

  Warnings (1):
  ! Reboot of system is most likely needed [KRNL-5830] 
    - Solution : reboot

  Suggestions (36):
  * Consider hardening system services [BOOT-5264] 
    - Details  : Run '/usr/bin/systemd-analyze security SERVICE' for each service

  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]

  * Configure password hashing rounds in /etc/login.defs [AUTH-9230]

  * Configure minimum password age in /etc/login.defs [AUTH-9286]

  * Configure maximum password age in /etc/login.defs [AUTH-9286]

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328]

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000]

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]

  * Check DNS configuration for the dns domain name [NAME-4028]

  * Split resolving between localhost and the hostname of the system [NAME-4406]

  * Consider using a tool to automatically apply upgrades [PKGS-7420]

  * Determine if protocol 'dccp' is really needed on this system [NETW-3200]

  * Determine if protocol 'sctp' is really needed on this system [NETW-3200]

  * Determine if protocol 'rds' is really needed on this system [NETW-3200]

  * Determine if protocol 'tipc' is really needed on this system [NETW-3200]

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowTcpForwarding (set YES to NO)

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : ClientAliveCountMax (set 3 to 2)

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (set YES to NO)

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : LogLevel (set INFO to VERBOSE)

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxAuthTries (set 6 to 3)

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxSessions (set 10 to 2)

  * Consider hardening SSH configuration [SSH-7408] 

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Port (set 22 to )

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : TCPKeepAlive (set YES to NO)

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : X11Forwarding (set YES to NO)

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowAgentForwarding (set YES to NO)

  * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]

  * Add legal banner to /etc/, to warn unauthorized users [BANN-7130]

  * Enable process accounting [ACCT-9622]

  * Enable sysstat to collect accounting (no results) [ACCT-9626]

  * Determine if automation tools are present for system management [TOOL-5002]

  * Consider restricting file permissions [FILE-7524] 
    - Details  : See screen output or log file
    - Solution : Use chmod to change file permissions

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC

  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (
  - Use --upload to upload data to central system (Lynis Enterprise users)


  Lynis security scan details:

  Hardening index : 64 [############        ]
  Tests performed : 231
  Plugins enabled : 0

  - Firewall               [V]
  - Malware scanner        [X]

  Scan mode:
  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]

  Lynis modules:
  - Compliance status      [?]
  - Security audit         [V]
  - Vulnerability scan     [V]

  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat


  Lynis 3.0.6

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2021, CISOfy -
  Enterprise support available (compliance, plugins, interface and tools)


  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /root/lynis/default.prf for all settings)

Commands commonly used with Lynis

Audit system

Pass it in order to run the audit on the entire system

$ ./lynis audit system

show commands :

When you want to check the available lynis commands you can run show commands

$ ./lynis show commands 

lynis audit
lynis configure
lynis generate
lynis show
lynis update
lynis upload-only

show help:

If you want to get any help from command line pass show help and it will launch an help screen

$ ./lynis show help
Lynis 3.0.6 - Help


show profiles:

It is used to show discovered profiles from the system

$ ./lynis show profiles 

show settings:

It is used to show lynis discovered settings

$ ./lynis show settings

show version

It is used to display the version of lynis

$ ./lynis show version


Congratulations you have learn how to install and use Lynis audit software tool.

About Kipkoech Sang

I am a technology enthusiast who loves to share gained knowledge through offering daily tips as a way of empowering others. I am fan of Linux and all other things open source.
View all posts by Kipkoech Sang →

Leave a Reply

Your email address will not be published. Required fields are marked *