How to harden your macOS systems with Lynis

Regularly checking your macOS systems for properly configured systems, apps, and services with Lynis helps administrators harden devices by minimizing their attack surface.

The process of hardening your system takes on many forms as the whole is made up of several individual components that, when combined, formulate a profile for minimizing the attack surface of your devices. Like a defense in depth strategy, which forms the crux of cybersecurity best practices, hardening of computer systems is but one cog in the wheel of client security, where that in turn is a portion of the overall security posture for the environment.

Among the many tasks' IT can perform to keep client devices as secure as possible, one such method that can aid IT pros to verify if these tasks are helping to secure devices is a hardening scan. Lynis provides just that type of verification by scanning supported devices--macOS & Linux clients and servers--to yield a plethora of actionable data, providing administrators the opportunity to course correct any issues that can potentially lead to a compromise.

SEE: Windows 10 security: A guide for business leaders (Tech Pro Research)

What is Lynis?

Lynis is different to other, more popular security packages such as Nessus and OpenVAS, in that while the latter both focus on assessing vulnerabilities for the purposes of exploiting the findings; the former analyzes systems and compares the findings to a known set of ever-expanding criteria in an effort to determine an index, or score, that is assigned to systems after a number of checks have been completed and how the device compares to the criteria of known best practices.

Lynis is open-source software that runs on macOS and multiple Unix/Linux distributions from a small, lightweight utility that runs locally on each device. No agent or root permissions are necessary for the scan to complete, although there are a few tests that will require admin privileges to run successfully, but ultimately root access is optional, not a requirement for the scans to complete, and the report to be printed. Speaking of reporting, there are several options to export reports for review and mitigation.

Lastly, built directly into the reports are a line-by-line breakdown of what tests were performed and their results. For tests that result in positive findings, links to information for remediation are provided within the reports for each line item making it dead simple for IT to address all issues found.

Before we get into the install process and running our first report, we'll run through the installation process for Macs.

Lynis runs only on the following OSes:

  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • macOS
  • NetBSD
  • NixOS
  • OpenBSD
  • Solaris
  • Raspberry Pi
  • IoT devices
  • QNAP storage appliances

Installing Lynis via Git

  1. After logging on to the system, launch the Terminal.
  2. Choose the working directory that Lynis will be cloned to by entering: cd /usr/loca
  3. Next, clone the project by entering: git clone

Installing Lynis on macOS using HomeBrew

  1. Log in to macOS and launch the Terminal.
  2. Install Lynis using homebrew by entering:

brew install lynis

Running a scan using Lynis

1. From the Terminal, entering the following command will begin a full-system scan:

lynis audit system

There are also a number of commands and options that may be used to modify the default configuration and/or the way Lynis behaves. By entering Lynis a listing of choices will be printed on-screen. If the suffix show options is added, more options will be displayed. Additionally, there is a man page available by appending the man prefix argument which breaks down the many ways Lynis can be run (Figure A).


Figure A

Also see


Image: Getty Images/iStockphoto

By Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...