How to Audit Linux Security with Lynis on RHEL 7

Maintaining a secure Linux server requires more than installing updates and setting strong passwords. A comprehensive security audit reveals configuration weaknesses, missing hardening measures, and potential vulnerabilities before attackers can exploit them. Lynis is an open-source security auditing tool that performs an in-depth scan of your system, scoring it with a hardening index and providing actionable recommendations. This guide walks you through installing Lynis on RHEL 7, running a full system audit, interpreting the report, and automating recurring scans so you can track your security posture over time.

Prerequisites

  • A running RHEL 7 system with root or sudo access
  • EPEL repository enabled, or internet access to add the CISOfy repository
  • Basic familiarity with the command line and reading log files

Step 1: Install Lynis from the CISOfy Repository

While Lynis is available in the EPEL repository, the CISOfy (Lynis vendor) repository always carries the latest stable release and is the recommended source for production systems.

First, create the repository file:

cat > /etc/yum.repos.d/lynis.repo <<'EOF'
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2
EOF

Then install Lynis using yum:

yum install lynis -y

Alternatively, if you prefer EPEL:

yum install epel-release -y
yum install lynis -y

Verify the installation:

lynis show version

You should see output like 3.x.x. Always ensure you are running a version newer than 3.0 for the most complete RHEL 7 test coverage.

Step 2: Update the Lynis Database

Before running a scan, update Lynis’s built-in profiles and tests to ensure you have the latest definitions:

lynis update info
lynis update release

If the system is air-gapped, copy the latest tarball from another machine and extract it over /usr/share/lynis/.

Step 3: Run a Full System Audit

The primary command for a full security audit is:

lynis audit system

This single command performs hundreds of checks across authentication, filesystems, networking, malware detection, and more. The scan typically completes in one to three minutes. You will see output scrolling through each test category in real time.

To run a non-interactive audit suitable for cron or scripting, add the --no-colors and --quiet flags and redirect output:

lynis audit system --no-colors --quiet > /var/log/lynis-scan-$(date +%F).log 2>&1

For a more verbose report that includes all passed tests, use:

lynis audit system --verbose

Step 4: Reading the Lynis Report

After the scan completes, Lynis prints a summary to the terminal and writes a detailed report to /var/log/lynis.log and a machine-readable report to /var/log/lynis-report.dat.

Hardening Index

The hardening index is a score between 0 and 100 displayed at the bottom of the scan output:

  Hardening index : 62 [############        ]

Scores below 60 indicate significant hardening gaps. Most well-configured servers score between 65 and 80. Scores above 85 represent highly hardened systems.

Warnings

Warnings are serious findings that should be addressed promptly. They appear in the scan output prefixed with [WARNING] and are also listed in the summary section. Example:

  [WARNING]: Found one or more weak SSL/TLS protocols (SSLv3, TLSv1.0)

Suggestions

Suggestions are lower-priority hardening recommendations. They appear after warnings and represent best-practice improvements. Use the lynis show details command to get more context for any finding by its test ID:

lynis show details AUTH-9328

This prints the full description, rationale, solution, and reference links for that specific test.

Step 5: Key Audit Areas and What to Look For

Authentication

Lynis checks /etc/pam.d/ configuration, password complexity policies, account expiry, root login restrictions, and SSH settings. Common findings include missing password aging (PASS_MAX_DAYS in /etc/login.defs) and lack of account lockout policies:

grep PASS_MAX_DAYS /etc/login.defs
grep pam_faillock /etc/pam.d/system-auth

Filesystems

The tool audits mount options, looking for nodev, nosuid, and noexec on appropriate partitions such as /tmp and /var. It also checks for world-writable files and SUID/SGID binaries.

grep -E '\s/tmp\s' /etc/fstab

Networking

Lynis reviews /etc/sysctl.conf for kernel hardening parameters such as IP forwarding, ICMP redirects, and SYN cookies:

sysctl net.ipv4.conf.all.accept_redirects
sysctl net.ipv4.tcp_syncookies

Malware and File Integrity

The tool checks whether antivirus software and file integrity monitoring (such as AIDE or Tripwire) are installed and whether their databases are current.

Step 6: Automating Lynis with Cron

Schedule weekly audits with cron to track changes over time. Create a dedicated script:

cat > /usr/local/bin/lynis-weekly.sh <<'EOF'
#!/bin/bash
REPORT_DIR="/var/log/lynis-reports"
mkdir -p "$REPORT_DIR"
DATESTAMP=$(date +%F)
lynis audit system --no-colors --quiet \
  --logfile "$REPORT_DIR/lynis-$DATESTAMP.log" \
  --report-file "$REPORT_DIR/lynis-$DATESTAMP.dat"
EOF
chmod +x /usr/local/bin/lynis-weekly.sh

Add a cron entry to run every Sunday at 2 AM:

echo "0 2 * * 0 root /usr/local/bin/lynis-weekly.sh" >> /etc/cron.d/lynis

Step 7: Comparing Results Over Time

By preserving report files with date stamps, you can compare hardening index scores and warning counts across weeks or months. A simple comparison using grep:

grep "hardening_index" /var/log/lynis-reports/lynis-*.dat | sort

For more structured diffing, extract key metrics from the .dat files:

for f in /var/log/lynis-reports/lynis-*.dat; do
  echo -n "$f: "
  grep "^hardening_index=" "$f"
done

A declining score between runs signals a configuration regression, while a rising score confirms that your hardening efforts are taking effect.
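The comparison above can be turned into a regression check that a cron job can act on. The script below is an added example, not code from the Lynis project; it assumes the key=value layout of lynis-report.dat with hardening_index=NN lines and warning[]=TEST-ID|text|... entries (the warning[] layout is an assumption, only hardening_index= is shown above), and uses two constructed sample reports in place of real weekly scans.

```shell
#!/bin/bash
# Added example, not part of Lynis itself: compare two dated lynis-report.dat
# files and flag a regression. Assumes the key=value layout of the .dat file,
# with hardening_index=NN and warning[]=TEST-ID|text|... entries (assumption).

# Print the hardening index recorded in a .dat file (0 if the key is missing).
hardening_index() {
  local idx
  idx=$(sed -n 's/^hardening_index=//p' "$1" | head -n 1)
  echo "${idx:-0}"
}

# Print the sorted, unique test IDs of every warning in a .dat file.
warning_ids() {
  sed -n 's/^warning\[\]=\([^|]*\)|.*/\1/p' "$1" | sort -u
}

# Compare an older report with a newer one. Returns 1 when the index dropped
# or a warning appeared that the older report did not contain, else 0.
compare_reports() {
  local old="$1" new="$2" rc=0 old_idx new_idx old_ids new_ids added
  old_idx=$(hardening_index "$old"); new_idx=$(hardening_index "$new")
  echo "hardening index: $old_idx -> $new_idx"
  if [ "$new_idx" -lt "$old_idx" ]; then
    echo "REGRESSION: hardening index dropped"; rc=1
  fi
  old_ids=$(mktemp); new_ids=$(mktemp)
  warning_ids "$old" > "$old_ids"; warning_ids "$new" > "$new_ids"
  added=$(comm -13 "$old_ids" "$new_ids")   # IDs present only in the newer report
  rm -f "$old_ids" "$new_ids"
  if [ -n "$added" ]; then
    echo "NEW WARNINGS: $added"; rc=1
  fi
  return "$rc"
}

# Constructed sample reports standing in for two consecutive weekly scans.
OLD_REPORT=$(mktemp); NEW_REPORT=$(mktemp)
trap 'rm -f "$OLD_REPORT" "$NEW_REPORT"' EXIT
cat > "$OLD_REPORT" <<'EOF'
hardening_index=62
warning[]=SSH-7408|Consider hardening SSH configuration|-|
suggestion[]=AUTH-9286|Configure minimum and maximum password age|-|
EOF
cat > "$NEW_REPORT" <<'EOF'
hardening_index=58
warning[]=SSH-7408|Consider hardening SSH configuration|-|
warning[]=AUTH-9328|Default umask in /etc/login.defs could be more strict|-|
EOF
compare_reports "$OLD_REPORT" "$NEW_REPORT" || echo "exit status 1: investigate before the next run"
```

In the weekly script, pass the two most recent files from /var/log/lynis-reports to compare_reports and let the non-zero exit status drive an alert.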

Conclusion

Lynis provides one of the most thorough automated security audits available for RHEL 7 systems. By installing it from the CISOfy repository, running lynis audit system, and carefully working through the warnings and suggestions, you can systematically raise your server’s hardening index. The real power of Lynis comes from running it regularly: scheduling weekly cron jobs and retaining timestamped reports lets you measure improvement over time, catch configuration drift introduced by updates or administrative changes, and demonstrate security due diligence to auditors. Combined with the detailed guidance available through lynis show details, Lynis transforms raw scan data into a practical roadmap for continuous Linux security hardening.