Lynis is a battle-tested open-source security auditing tool that scans your Linux system, identifies misconfigurations, and produces a prioritised list of hardening suggestions. On RHEL 8, it is available through the EPEL 8 repository and runs entirely from the command line without requiring a daemon or persistent service. After each scan, Lynis assigns a hardening index score from 0 to 100, giving you a concrete benchmark to track improvements over time. This tutorial walks you through installing Lynis, running a full system audit, interpreting the report, and scheduling recurring automated scans.

Prerequisites

  • RHEL 8 server with a non-root sudo user or direct root access
  • EPEL 8 repository enabled (dnf install -y epel-release)
  • Internet access or a local mirror containing the EPEL package
  • Basic familiarity with the Linux command line

Step 1 — Install Lynis from EPEL

Ensure the EPEL 8 repository is enabled, then install Lynis with DNF.

sudo dnf install -y epel-release
sudo dnf install -y lynis
lynis --version

The last command prints the installed version. Lynis is a shell script with no compiled binary, so it installs quickly and has minimal dependencies.

Step 2 — Update the Lynis Database

Before auditing, update the internal database to ensure the latest tests and signatures are used.

sudo lynis update info
sudo lynis update release

If your version is already current, Lynis prints a confirmation message. You can also check the online status with lynis show version.

Step 3 — Run a Full System Audit

Execute the full system audit as root to allow Lynis to inspect privileged files and configurations.

sudo lynis audit system

The scan takes one to three minutes. Lynis prints colour-coded results in real time: green OK entries indicate passing tests, yellow WARNING entries need attention, and red SUGGESTION entries are recommended improvements. At the end, the Hardening index score (0–100) is displayed. A score of 60–70 is typical for a default RHEL 8 install; above 80 is considered hardened.

Step 4 — Read the Report File

Lynis writes a machine-readable report to /var/log/lynis-report.dat and a human-readable log to /var/log/lynis.log.

# View the full report
sudo cat /var/log/lynis-report.dat

# Filter only warnings and suggestions
sudo grep -E "^warning|^suggestion" /var/log/lynis-report.dat

# Check your hardening index score
sudo grep "hardening_index" /var/log/lynis-report.dat

The report file uses simple key=value pairs, making it easy to parse with scripts or import into monitoring platforms. Each suggestion includes a test identifier such as AUTH-9328 that you can look up with lynis show details AUTH-9328.
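
The key=value layout described above can be read directly from a script. The following is an added example, not part of the original tutorial or of Lynis: it extracts hardening_index and the warning entries from a report and returns a non-zero status when a minimum score is missed or any warning is present. The function names, the threshold of 70, the sample report text and the assumed finding layout (kind[]=TEST-ID|message|details|solution|) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of Lynis. Assumes findings are stored as
# kind[]=TEST-ID|message|details|solution| and scalars as key=value.

# report_value FILE KEY: print the value of the last "KEY=value" line.
report_value() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# report_findings FILE KIND: print "TEST-ID<TAB>message" per KIND[]= entry.
report_findings() {
    awk -v p="$2[]=" 'index($0, p) == 1 {
        split(substr($0, length(p) + 1), f, "|")
        print f[1] "\t" f[2]
    }' "$1"
}

# check_report FILE MIN: 0 = index >= MIN and no warnings, 1 = policy
# failure, 2 = report missing or without a numeric hardening_index.
check_report() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    cr_idx=$(report_value "$1" hardening_index)
    case $cr_idx in
        ''|*[!0-9]*) echo "no hardening_index in $1" >&2; return 2 ;;
    esac
    cr_warn=$(( $(report_findings "$1" warning | wc -l) ))
    echo "hardening_index=$cr_idx warnings=$cr_warn"
    report_findings "$1" warning | sed 's/^/  warning: /'
    [ "$cr_idx" -ge "$2" ] && [ "$cr_warn" -eq 0 ]
}

# Constructed sample report (test IDs from this page, texts invented).
write_sample_report() {
    cat > "$1" <<'EOF'
# Lynis Report
report_version_major=1
hardening_index=66
warning[]=NETW-3012|Constructed warning text|-|-|
suggestion[]=AUTH-9328|Constructed suggestion text|-|-|
suggestion[]=AUTH-9328|Another constructed suggestion|-|-|
EOF
}

# Demo; on a real host pass /var/log/lynis-report.dat instead.
demo=$(mktemp) && write_sample_report "$demo"
check_report "$demo" 70 || echo "policy check failed"
rm -f "$demo"
```

Run it as root against the real report, since /var/log/lynis-report.dat is normally not readable by unprivileged users.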

Step 5 — Review Key Audit Categories

Lynis groups results into categories. The most important ones for a typical RHEL 8 server are listed below along with common findings.

  • Authentication — PAM password complexity, /etc/shadow permissions, root login restrictions
  • Networking — open ports, kernel IP forwarding settings, firewall status
  • Logging & Auditing — auditd running, rsyslog configuration, log rotation
  • Software & Package Updates — pending security patches detected via DNF
  • File Systems — /tmp noexec mount option, world-writable files, SUID/SGID binaries

# List all unique test categories found in the report
sudo grep "^category" /var/log/lynis-report.dat | sort -u

# Show details for a specific test
sudo lynis show details NETW-3012

Step 6 — Schedule Automated Audits with Cron

Use the --cronjob flag to suppress interactive prompts and colour codes, making output suitable for cron email or log aggregation.

# Test the cron-friendly invocation manually first
sudo lynis audit system --cronjob

# Add a daily job at 02:30 AM for root
sudo crontab -e

Add the following line in the crontab editor:

30 2 * * * /usr/bin/lynis audit system --cronjob >> /var/log/lynis-cron.log 2>&1

To receive email alerts, ensure mailx is installed and set MAILTO at the top of the crontab. Redirect the log to a dedicated file to keep /var/log/lynis.log clean for interactive runs.

Conclusion

You have installed Lynis on RHEL 8 from EPEL, executed a full system audit, interpreted the hardening index and report categories, and configured a daily automated scan via cron. Regularly reviewing Lynis output and incrementally addressing its suggestions is one of the most effective ways to maintain a hardened, audit-ready Linux server.

Next steps: Configure auditd for Advanced System Auditing on RHEL 8, Harden SSH on RHEL 8 with Key-Based Authentication and sshd_config Tuning, and Set Up Two-Factor Authentication for SSH with Google Authenticator on RHEL 8.