Security auditing is a critical practice for any Linux administrator responsible for maintaining compliant and hardened systems. Lynis is a free, open-source security auditing tool that performs deep system scans and produces actionable hardening recommendations. On RHEL 9, Lynis integrates seamlessly and covers hundreds of security controls across authentication, networking, storage, and more. This tutorial walks you through installing, running, and acting on Lynis audits to improve your system’s security posture.

Prerequisites

  • RHEL 9 system with root or sudo access
  • EPEL repository enabled, or internet access to add the CISOfy repository
  • Basic familiarity with the Linux command line

Step 1 — Install Lynis from EPEL or the CISOfy Repository

The simplest installation method on RHEL 9 is via the EPEL repository. Enable EPEL first if you haven’t already, then install Lynis.

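# RHEL 9 has no epel-release package in its own repositories; install it from the Fedora project
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm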
dnf install -y lynis

Alternatively, add the official CISOfy repository to get the latest upstream release, which is often newer than the EPEL package:

cat > /etc/yum.repos.d/cisofy-lynis.repo << 'EOF'
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgcheck=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
priority=2
EOF

dnf install -y lynis

Confirm the installation and check the version:

lynis show version

Step 2 — Run a Full System Audit

The primary Lynis command performs a comprehensive security audit of the local system. Run it as root for full access to all system files and settings:

lynis audit system

The scan typically takes one to three minutes. Lynis tests hundreds of items grouped into categories such as boot loader, file systems, authentication, processes, networking, printers, software, and malware detection. Progress is printed to the terminal in real time. To suppress interactive prompts and make the output suitable for scripting or cron jobs, add the --quick flag:

lynis audit system --quick

Step 3 — Understand the Report Output

After the scan, Lynis prints a summary at the bottom of the terminal output. The most important metric is the Hardening Index — a score from 0 to 100 representing overall security posture. A freshly installed RHEL 9 system typically scores in the 60–70 range; the goal is to push this above 80.

The report uses three severity levels:

  • Warnings — High-priority issues that should be addressed promptly (shown in red/orange).
  • Suggestions — Lower-priority hardening improvements (shown in yellow).
  • OK — Controls that passed (shown in green).

Full details are written to the log and report files:

# Human-readable log
cat /var/log/lynis.log

# Machine-readable report (key=value pairs)
cat /var/log/lynis-report.dat

# View only warnings from the report
grep "^warning" /var/log/lynis-report.dat

# View all suggestions
grep "^suggestion" /var/log/lynis-report.dat

Step 4 — Act on High-Priority Warnings

Warnings represent the most critical findings. A common example is an unset default umask. Lynis provides a test ID with every finding — use lynis show details <TEST-ID> to get extended guidance:

# Show details and remediation advice for a specific test
lynis show details AUTH-9328

# Example: Harden the default umask in /etc/login.defs
sed -i 's/^UMASK.*/UMASK           027/' /etc/login.defs

# Example: Disable core dumps
echo "* hard core 0" >> /etc/security/limits.conf
echo "fs.suid_dumpable = 0" >> /etc/sysctl.d/99-hardening.conf
sysctl -p /etc/sysctl.d/99-hardening.conf

After making changes, re-run lynis audit system --quick to verify the findings are resolved and watch your Hardening Index climb.

Step 5 — Schedule Automated Periodic Audits

Run Lynis on a regular schedule so new issues are caught quickly. Create a cron job that runs nightly and saves output with a datestamp:

# Create a dedicated log directory
mkdir -p /var/log/lynis-reports

# Add a cron job (runs at 02:30 every night)
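cat > /etc/cron.d/lynis << 'EOF'
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# % is special in crontab entries, so it is escaped in the date format
30 2 * * * root lynis audit system --quick > /var/log/lynis-reports/lynis-$(date +\%F).txt 2>&1
EOF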

chmod 644 /etc/cron.d/lynis
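
The script below is an added example, not part of the original tutorial or of Lynis. It compares two copies of the key=value report from Step 3 (for instance last night's and tonight's) and fails when the Hardening Index is under a threshold or a new warning ID appears. It assumes the nightly job also keeps a dated copy of /var/log/lynis-report.dat and that findings are written as warning[]=TEST-ID|text|...; the function names, the SAMPLE-* IDs and the sample reports are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two lynis-report.dat files (names are hypothetical).
# Assumed line layout: hardening_index=NN and warning[]=TEST-ID|text|...

# Print the sorted test IDs of one finding type: "warning" or "suggestion".
finding_ids() {   # usage: finding_ids TYPE REPORT
    awk -F'[=|]' -v key="${1}[]" '$1 == key { print $2 }' "$2" | sort -u
}

# Print the hardening index, or nothing if the key is absent.
hardening_index() {   # usage: hardening_index REPORT
    awk -F= '$1 == "hardening_index" { print $2; exit }' "$1"
}

# Print warning IDs that appear in NEW but not in OLD.
new_warnings() {   # usage: new_warnings OLD NEW
    tmp=$(mktemp -d)
    finding_ids warning "$1" > "$tmp/old"
    finding_ids warning "$2" > "$tmp/new"
    comm -13 "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
}

# Succeed only if the index meets THRESHOLD and no new warning appeared.
audit_gate() {   # usage: audit_gate OLD NEW THRESHOLD
    idx=$(hardening_index "$2")
    [ -n "$idx" ] || { echo "no hardening_index in $2" >&2; return 2; }
    added=$(new_warnings "$1" "$2")
    [ -z "$added" ] || echo "new warnings:" $added
    [ "$idx" -ge "$3" ] || echo "hardening index $idx is below $3"
    [ -z "$added" ] && [ "$idx" -ge "$3" ]
}

# Constructed sample reports (not real scan output) so the script runs offline.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/old.dat" << 'EOF'
hardening_index=66
warning[]=AUTH-9328|Constructed sample warning text|-|-|
suggestion[]=SAMPLE-0001|Constructed sample suggestion|-|-|
EOF
cat > "$SAMPLES/new.dat" << 'EOF'
hardening_index=81
warning[]=AUTH-9328|Constructed sample warning text|-|-|
warning[]=SAMPLE-0002|Constructed sample warning added since last run|-|-|
EOF

audit_gate "$SAMPLES/old.dat" "$SAMPLES/new.dat" 80 || echo "gate failed"
```

In the sample run the gate fails even though the index rose above 80, because a warning ID appeared that was not in the earlier report.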

Step 6 — Generate an HTML Report

Lynis does not natively produce HTML output, but you can convert its output with a simple tool or use the companion lynis-report-converter community script. A quick approach is to capture the terminal output and convert it:

# Run audit and capture output
lynis audit system --quick 2>&1 | tee /var/log/lynis-reports/latest.txt

# Use ansi2html (install via pip) to produce a coloured HTML file
pip install ansi2html
# Keep colours enabled here: ansi2html turns the ANSI colour codes into HTML styling
lynis audit system --quick 2>&1 | ansi2html > /var/www/html/lynis-report.html
chmod 640 /var/www/html/lynis-report.html

Restrict access to the HTML report — it contains sensitive system information that should not be publicly accessible.

Conclusion

Lynis is one of the most thorough free security auditing tools available for RHEL 9. By regularly running audits, reviewing the Hardening Index and warnings, and systematically addressing suggestions, you can measurably reduce your system’s attack surface. Integrate Lynis into your change management workflow so every configuration change is validated against security baselines.
