Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issues will be provided in the form of a suggestion or warning. Beside security related information it will also scan for general system information, installed packages and possible configuration errors.

This software aims in assisting automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read only storage is possible (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits.

Using Lynis : Basics
To run Lynis you should meet a few requirements:
- You have to be root (log in as normal user, su to root)
or have equivalent rights (for example by using sudo).
- Have write access to /var/log (for using a log/debug and report file)
- Have write access to /tmp (temporary files)

Depending on the installation or the path you run Lynis from, you can start it with 'lynis' (if installed and the file is available in
your binary path) or 'sh lynis' or './lynis'.

Without parameters, Lynis will give you a valid list of parameters and return back to the shell prompt. At least the '-c' (--check-all) parameter is needed, to start the scan process.

- For the update check, outgoing DNS requests should be allowed. Lynis will try to query a TXT record (for example
- Lynis needs write access to /var/log/lynis.log (unless logging is disabled, which disables debugging information as well).

--auditor "Given name Surname"
Assign an auditor name to the audit (report)
Start the check
Check if Lynis is up-to-date
Run Lynis as cronjob (includes -c -Q)
Shows valid parameters
View man page
Do not use any colors
Don't wait for user input, except on errors
Only show warnings (includes --quick, but doesn't wait)
Use a different color scheme for lighter backgrounds
Check program version (and quit)