How to Audit System Security with `lynis` on Arch Linux

Ensuring the security of your Linux system is a critical task for any system administrator, security enthusiast, or desktop user who values their data. Arch Linux, with its rolling release model and minimalist philosophy, gives users exceptional control over their systems—but it also means the responsibility for security falls squarely on the user’s shoulders.

One of the most powerful and flexible tools available for auditing Unix-like systems is Lynis. This open-source security auditing tool is widely used by system administrators to assess the security posture of their systems, identify configuration issues, and receive actionable recommendations.

In this article, we’ll take a comprehensive look at how to install, configure, and use lynis on Arch Linux to audit system security, interpret its results, and take appropriate actions based on its recommendations.


📌 What Is Lynis?

lynis is a security auditing tool for Unix-based systems, including Linux, BSD, and macOS. It performs an in-depth scan of your system to check for:

  • System configuration issues
  • Security misconfigurations
  • Insecure software settings
  • Compliance with security standards (e.g., PCI-DSS, HIPAA)
  • Potential vulnerabilities and risk factors

Unlike vulnerability scanners that look for known CVEs (Common Vulnerabilities and Exposures), Lynis focuses on misconfigurations, best practices, and hardening.

It’s written in shell script and doesn’t require any agent to be installed or a client-server setup—making it lightweight and easy to use.


🛠️ Installing Lynis on Arch Linux

Lynis is packaged in the official Arch Linux repositories (it is not an AUR package), so a plain pacman install is all that is needed:

sudo pacman -S lynis

Alternatively, clone the upstream repository and run it in place, which is handy for trying a newer release without installing anything system-wide:

git clone https://github.com/CISOfy/lynis
cd lynis
sudo ./lynis audit system

When run as root from a checkout, Lynis inspects the ownership and permissions of its own files and complains (or runs with reduced functionality) if other users can modify them; if that happens, run sudo chown -R 0:0 . && sudo chmod -R go-w . inside the checkout.

For day-to-day use the repository package is the better route: it is updated with the rest of the system and installs the default profile and plugin directories in their standard locations.


🔍 Running a Basic Audit

Once installed, running Lynis is as simple as executing the following command with superuser privileges:

sudo lynis audit system

This command launches a full system audit, scanning:

  • Kernel parameters
  • Installed packages
  • Running services
  • Firewall configuration
  • User and authentication settings
  • Logging systems
  • File system permissions
  • And much more

Depending on your system configuration, the audit might take a couple of minutes. You’ll see colored output in your terminal, with warnings and suggestions highlighted.


📄 Understanding the Audit Report

After completing a scan, Lynis summarizes its findings in a readable format. Here’s a breakdown of the types of output you’ll encounter:

✅ [OK]

These items passed the test and require no action.

⚠️ [WARNING]

These items highlight potential issues that may need attention.

🛠️ [SUGGESTION]

Recommendations for improving system security or hardening configuration.

📈 Hardening Index

At the end of the audit, Lynis prints a hardening index, a number between 0 and 100 (e.g., 61) derived from how many of the tests it actually ran passed. Treat it as a relative score, not a certification: it is only meaningful when compared with earlier runs on the same system with the same Lynis version, because installing new software (and thereby enabling more tests) or upgrading Lynis shifts the baseline.

📁 Report File

The results of the scan are saved in:

/var/log/lynis.log
/var/log/lynis-report.dat

lynis.log is the verbose log of everything that was tested, useful when you want to know why a test fired. lynis-report.dat holds the findings as key=value lines (for example warning[]=..., suggestion[]=... and hardening_index=...), which makes it the file to parse for scripting and automation. Every warning and suggestion carries a test ID such as SSH-7408; run sudo lynis show details <TEST-ID> to see exactly what that test examined.


🔧 Common Issues and How to Fix Them

Let’s go through some typical Lynis findings on an Arch Linux system and how you can address them.


🔐 1. No Password Required for Single-User Mode

Finding:

[SUGGESTION] Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)

Arch Linux boots with systemd, so the /etc/inittab variant of this check does not apply; what matters is that anyone at the console can press e in the GRUB menu and change the kernel command line (for instance to boot into rescue mode) without authenticating.

Fix:

Generate a PBKDF2 hash of the password GRUB should ask for (this step does not need root):

grub-mkpasswd-pbkdf2

Copy the hash and add it to /etc/grub.d/40_custom:

set superusers="admin"
password_pbkdf2 admin <your-password-hash>

Then regenerate the GRUB configuration:

sudo grub-mkconfig -o /boot/grub/grub.cfg

Two caveats: once superusers is set, GRUB asks for that password before booting any menu entry that is not marked --unrestricted in grub.cfg, so check the generated file (or do a test reboot) before relying on unattended reboots; and a boot-loader password only prevents editing the boot entries, it does nothing against someone who boots other media, which is what full-disk encryption and a firmware setup password are for.

🧱 2. No Firewall or Inactive Firewall Detected

Finding:

[SUGGESTION] Install and configure a firewall (e.g., iptables, nftables)

Fix:

Install nftables, write the ruleset first, check it, and only then enable the service. If you are working over SSH, make sure port 22 is accepted before applying anything, or you will lock yourself out:

sudo pacman -S nftables

Edit /etc/nftables.conf:

sudo nano /etc/nftables.conf

Example (the flush ruleset line makes the file safe to reload; the port list should contain only what this host actually serves):

#!/usr/bin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport { 22, 80, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}

Check the syntax without loading it, then load it, enable the service so it is applied at boot, and confirm what is active:

sudo nft -c -f /etc/nftables.conf
sudo nft -f /etc/nftables.conf
sudo systemctl enable --now nftables
sudo nft list ruleset

🔍 3. Unnecessary Services Running

Finding:

[SUGGESTION] Disable unused services to reduce attack surface

Fix:

List the services that are currently running:

systemctl list-units --type=service --state=running

Disable the ones you do not need; --now stops them immediately and disable keeps them from starting at boot:

sudo systemctl disable --now service-name

For example, if you're not using Bluetooth:

sudo systemctl disable --now bluetooth.service

Services that listen on the network matter most for attack surface, so cross-check the list against the listening sockets shown by ss -tlnup, and prefer disabling (or firewalling) anything you do not recognise over leaving it reachable.

👥 4. Root Account Usage

Finding:

[WARNING] Direct root login is allowed

Fix:

Edit the SSH daemon configuration (if your sshd_config contains an Include line for /etc/ssh/sshd_config.d/, put the setting in a drop-in file there instead, because included files are read first):

sudo nano /etc/ssh/sshd_config

Set:

PermitRootLogin no

sshd uses the first value it reads for a keyword, so make sure no earlier PermitRootLogin line (or an included drop-in) still says yes; appending a second line at the bottom of the file changes nothing. Then validate the configuration before restarting the daemon, so a typo cannot lock you out:

sudo sshd -t
sudo systemctl restart sshd

Confirm the effective value with sudo sshd -T | grep -i permitrootlogin, and use sudo for administrative tasks rather than logging in as root.
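The first-match rule is the part of this fix people get wrong, so here is an added example (not from the article, not from OpenSSH or Lynis) that reproduces it for a single sshd_config and reports which line actually wins. The configuration text is a constructed sample of the common mistake; the function does not follow Include directives and stops at the first Match block, so on a real host the authoritative check remains sudo sshd -T.

```shell
#!/usr/bin/env bash
# Added example for the PermitRootLogin fix; not from the original article,
# OpenSSH or Lynis. sshd applies the FIRST value it reads for a keyword
# (sshd_config(5)), so a "PermitRootLogin no" appended at the bottom of the
# file is ignored when an earlier line, or a drop-in pulled in by an Include
# above it, already set the keyword. effective_value() reproduces that rule
# for one file. It does not follow Include lines and stops at the first Match
# block (where the global section ends); on a live host use:
#     sudo sshd -T | grep -i '^permitrootlogin'

# Constructed sample of the mistake (not a real host's config):
SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later, expecting these to take precedence:
PermitRootLogin no
PasswordAuthentication no
'

# effective_value <keyword> <config-text>
# Prints the first non-comment value of the keyword (case-insensitive,
# separated by whitespace or "=", as sshd accepts) or "default" if unset.
effective_value() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | awk -v kw="$kw" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, "[ \t=]+")
            key = tolower(f[1])
            if (key == "match") { exit }          # end of the global section
            if (key == kw) { print f[2]; found = 1; exit }
        }
        END { if (!found) print "default" }'
}

# check_root_login <config-text>
# Returns 0 only when root login is effectively disabled. The OpenSSH default
# ("default" here) is prohibit-password, which still allows key-based root
# logins, so it is reported as a warning too.
check_root_login() {
    v=$(effective_value PermitRootLogin "$1")
    if [ "$v" = "no" ]; then
        echo "OK: PermitRootLogin is effectively '$v'"
        return 0
    fi
    echo "WARNING: PermitRootLogin is effectively '$v' (first match wins; later lines are ignored)"
    return 1
}

# Demonstration: the appended "no" line never takes effect.
if check_root_login "$SAMPLE_SSHD_CONFIG"; then
    echo "nothing to do"
else
    echo "edit the earlier PermitRootLogin line, then: sudo sshd -t && sudo systemctl restart sshd"
fi
```

Run it against your own file with check_root_login "$(sudo cat /etc/ssh/sshd_config)"; if the result disagrees with sshd -T, an Include or a Match block is involved and the drop-in directory is the place to look.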


📦 Scheduling Regular Audits

To ensure ongoing security, it's good practice to schedule regular Lynis scans. Lynis has a dedicated --cronjob option for unattended runs: it disables colours and interactive prompts and still writes the usual report file.

Arch Linux does not ship a cron daemon by default; if you prefer cron, install cronie and enable cronie.service, then add the job to root's crontab:

sudo crontab -e

Add:

@weekly /usr/bin/lynis audit system --cronjob

Or use a systemd timer, which needs nothing extra on Arch:

Create /etc/systemd/system/lynis-audit.service:

[Unit]
Description=Weekly Lynis Security Audit

[Service]
Type=oneshot
ExecStart=/usr/bin/lynis audit system --cronjob

Create /etc/systemd/system/lynis-audit.timer:

[Unit]
Description=Run Lynis weekly

[Timer]
OnCalendar=weekly
Persistent=true

[Install]
WantedBy=timers.target

Enable the timer:

sudo systemctl enable --now lynis-audit.timer
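A scheduled scan is only useful if somebody looks at the result, and the key=value report described earlier is what makes that automatable. The script below is an added example (not from the article or from the Lynis project) that reads two lynis-report.dat files, extracts the hardening index and the warning[] entries, and fails when the posture regressed, so it can be chained after the timer's ExecStart to raise an alert. Both reports are constructed samples with illustrative test IDs; the "TEST-ID|message|details|solution|" layout of warning[] and suggestion[] values is an assumption taken from real reports, so check the column order against your own file.

```shell
#!/usr/bin/env bash
# Added example: compares two Lynis report files and flags regressions.
# Not part of the original article or of Lynis. Report lines are key=value;
# array keys end in "[]" and repeat once per item; warning[]/suggestion[]
# values are assumed to be "TEST-ID|message|details|solution|".

# Constructed sample reports standing in for last week's and this week's run.
PREVIOUS_REPORT='# Lynis Report (constructed sample, previous run)
lynis_version=3.1.1
hardening_index=61
warning[]=BOOT-5122|No password set on the GRUB boot loader|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
'
CURRENT_REPORT='# Lynis Report (constructed sample, current run)
lynis_version=3.1.1
hardening_index=68
warning[]=BOOT-5122|No password set on the GRUB boot loader|-|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump|-|-|
'

# report_value <key> <report-text>: value of a scalar key such as hardening_index.
report_value() {
    printf '%s\n' "$2" | awk -F= -v key="$1" '
        $1 == key { print substr($0, length(key) + 2); exit }'
}

# report_items <warning|suggestion> <report-text>: one "TEST-ID<TAB>message"
# line per array entry.
report_items() {
    printf '%s\n' "$2" | awk -F= -v key="$1[]" '
        $1 == key {
            split(substr($0, length(key) + 2), f, "|")
            print f[1] "\t" f[2]
        }'
}

# set_diff <lines-a> <lines-b>: lines of A that do not occur in B.
# Plain POSIX awk, no process substitution, so it also runs under sh.
set_diff() {
    printf '%s\n' "$1" | awk -v other="$2" '
        BEGIN { n = split(other, o, "\n"); for (i = 1; i <= n; i++) seen[o[i]] = 1 }
        NF && !seen[$0]'
}

# compare_reports <old-report-text> <new-report-text>
# Prints the index change plus fixed/new warnings; returns 1 when the index
# dropped or a new warning appeared, so a caller can alert on it.
compare_reports() {
    old_idx=$(report_value hardening_index "$1")
    new_idx=$(report_value hardening_index "$2")
    old_w=$(report_items warning "$1" | cut -f1 | sort)
    new_w=$(report_items warning "$2" | cut -f1 | sort)
    fixed=$(set_diff "$old_w" "$new_w")
    added=$(set_diff "$new_w" "$old_w")

    echo "hardening index: ${old_idx:-?} -> ${new_idx:-?}"
    [ -n "$fixed" ] && printf 'fixed warnings:\n%s\n' "$fixed"
    [ -n "$added" ] && printf 'NEW warnings:\n%s\n' "$added"
    [ "${new_idx:-0}" -ge "${old_idx:-0}" ] && [ -z "$added" ]
}

# Demonstration with the constructed reports (exit status 0 = no regression).
if compare_reports "$PREVIOUS_REPORT" "$CURRENT_REPORT"; then
    echo "posture improved or unchanged"
else
    echo "posture regressed; investigate with: sudo lynis show details <TEST-ID>"
fi
```

On a real host, copy /var/log/lynis-report.dat to a .prev file before each scheduled run and call compare_reports "$(cat /var/log/lynis-report.dat.prev)" "$(cat /var/log/lynis-report.dat)" from the same script the timer executes; its non-zero exit status is what a mail hook or monitoring check should key on.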

📚 Tips for Effective Use

  • Always run Lynis as root (sudo) for a complete scan.
  • Review /var/log/lynis.log after each scan for detailed info.
  • Track changes in the hardening index over time.
  • Combine Lynis with tools like fail2ban and auditd for broader coverage; ufw is fine if you prefer a frontend to hand-written nftables rules, but do not run it alongside your own ruleset.
  • Use Lynis as part of a security baseline for multiple systems.
  • Integrate reports into a centralized logging or monitoring solution (e.g., ELK stack).

🔐 Final Thoughts

Lynis is an essential tool for proactive system hardening and continuous security assessment. Especially on Arch Linux—where much of the configuration is manual—Lynis acts as a safety net to ensure nothing falls through the cracks.

While it won’t replace penetration testing or vulnerability scanners, it’s a lightweight, reliable tool that helps users stay aware of potential security gaps and follow best practices. Whether you’re managing a home server, workstation, or cloud-based instance, running Lynis regularly can go a long way toward building a resilient Linux system.

With just a few commands, you can gain deep insights into your system’s security posture and start hardening your setup immediately.


Security is a journey, not a destination. Let Lynis guide you through that journey on Arch Linux.