
// the find

CISOfy/lynis

★ 15,766 · Shell · GPL-3.0 · updated May 2026

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.

Lynis is a shell-based security auditing tool that runs locally on a system and produces a prioritized list of hardening suggestions, misconfigurations, and compliance gaps. It covers a wide surface: SSH config, kernel parameters, file permissions, PAM, cron, package state, and more. The target audience is sysadmins and auditors who want a quick, no-dependency baseline audit without installing an agent.

1. Zero dependencies beyond POSIX shell — runs on any UNIX-like system by dropping a single directory, no compilation, no runtime.
2. Test coverage is genuinely broad: 200+ checks across SSH, kernel hardening (sysctl), file integrity, PAM, firewall state, scheduled jobs, and container detection.
3. Profile system (`.prf` files) lets you suppress irrelevant findings or tune thresholds per environment, which matters when running against heterogeneous fleets.
4. Output is machine-readable (report file + syslog) so it plugs into SIEM pipelines or CI without extra tooling.

1. Shell code at this scale becomes opaque fast — the `include/functions` file is thousands of lines with global variables everywhere; tracking state across tests is a debugging nightmare and contributes to occasional false positives.
2. Compliance mapping is shallow: it flags findings and tags them PCI-DSS or HIPAA, but doesn't tell you *which control* is implicated or whether you're actually failing — that gap matters when you're doing a real audit.
3. No built-in diffing between runs — you get a flat report each time; tracking regressions or improvements over time requires external tooling or the paid enterprise version.
4. The open-source version has no remediation automation — it tells you SSH PermitRootLogin is on, but you're on your own to fix it; the hardening snippets are enterprise-only.
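The "external tooling" for run-to-run diffing is a few lines of shell over the machine-readable report file mentioned in the pros. This is an added example, not code from the finds.dev page or the Lynis project; it assumes the `lynis-report.dat` layout of `warning[]=TEST-ID|message|...|` and `suggestion[]=TEST-ID|...|` lines plus a `hardening_index=` line, and the two sample reports are constructed.

```sh
#!/bin/sh
# Diff two Lynis report files (lynis-report.dat) to see which findings appeared or
# disappeared between runs. Assumed line format (check it against your version):
#   hardening_index=61 / warning[]=TEST-ID|message|details| / suggestion[]=TEST-ID|...|
set -u

# Print one "kind|TEST-ID" line per warning/suggestion in a report, sorted.
extract_findings() {
    awk -F'[=|]' '/^(warning|suggestion)\[\]=/ { sub(/\[\]$/, "", $1); print $1 "|" $2 }' "$1" \
        | LC_ALL=C sort -u
}

# $1 = older report, $2 = newer report. Prints "+kind|ID" for findings that are
# new in $2 and "-kind|ID" for findings that were resolved since $1.
report_diff() {
    old=$(mktemp) && new=$(mktemp) || return 1
    extract_findings "$1" > "$old"
    extract_findings "$2" > "$new"
    LC_ALL=C comm -13 "$old" "$new" | sed 's/^/+/'   # only in the newer report
    LC_ALL=C comm -23 "$old" "$new" | sed 's/^/-/'   # only in the older report
    rm -f "$old" "$new"
}

# Change in the hardening index from $1 (older) to $2 (newer); positive is better.
hardening_delta() {
    old_idx=$(sed -n 's/^hardening_index=//p' "$1")
    new_idx=$(sed -n 's/^hardening_index=//p' "$2")
    echo $(( ${new_idx:-0} - ${old_idx:-0} ))
}

# Constructed sample reports standing in for two real runs (test IDs and text
# are illustrative, not copied from an actual audit).
OLD_REPORT=$(mktemp) && NEW_REPORT=$(mktemp)
trap 'rm -f "$OLD_REPORT" "$NEW_REPORT"' EXIT
cat > "$OLD_REPORT" <<'EOF'
hardening_index=61
warning[]=SSH-7408|Consider hardening SSH configuration|[PermitRootLogin] (YES --> NO)|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump|-|-|
suggestion[]=FILE-6310|Place /tmp on a separate partition|-|-|
EOF
cat > "$NEW_REPORT" <<'EOF'
hardening_index=68
warning[]=BOOT-5122|Set a password on the GRUB boot loader|-|
suggestion[]=KRNL-5820|If not required, consider explicit disabling of core dump|-|-|
suggestion[]=FILE-6310|Place /tmp on a separate partition|-|-|
EOF

echo "hardening index change: $(hardening_delta "$OLD_REPORT" "$NEW_REPORT")"
report_diff "$OLD_REPORT" "$NEW_REPORT"
```

Point it at two archived copies of `/var/log/lynis-report.dat` and the `+`/`-` lines are the regressions and fixes between audits, which is what a CI gate or ticket can key on.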

