Lynis vs OpenSCAP vs Goss: Self-Hosted Server Security Auditing Guide 2026

Running servers without regular security audits is like driving without insurance — it works fine until it doesn’t. Every self-hosted server, whether it’s a home lab VPS, a production Kubernetes node, or a development box, needs systematic security checks. Cloud-native tools like Prowler and Scout Suite handle cloud provider auditing, but what about the servers themselves?

This guide compares three of the most popular open-source server security auditing tools — Lynis, OpenSCAP, and Goss — and helps you choose the right one for your compliance and hardening workflow.

Why Self-Hosted Server Auditing Matters

Server security auditing serves several critical purposes:

• Compliance requirements: Standards like PCI DSS, HIPAA, ISO 27001, and SOC 2 require regular system hardening checks and documented audit trails.
• Attack surface reduction: Automated audits identify unnecessary services, weak configurations, outdated packages, and exposed ports before attackers do.
• Configuration drift detection: Servers change over time. Regular audits catch unauthorized configuration changes that could introduce vulnerabilities.
• Continuous improvement: Each audit produces a hardening score, giving you a measurable baseline to track security improvements over time.

Unlike cloud-based vulnerability scanners that probe from the outside, these tools run directly on your servers with full access to local configuration files, installed packages, running services, and kernel parameters. This means deeper, more accurate findings.

Lynis: The Comprehensive Security Auditor

Lynis by CISOfy is the most widely used open-source security auditing tool for Unix-like systems. With over 15,500 GitHub stars, it covers an impressive range of checks — from boot loaders and kernel hardening to package management, filesystem security, and logging configuration.

Key Features

• 300+ security checks across 16 categories including authentication, cryptography, filesystems, firewalls, and malware detection.
• Hardening Index scoring system that produces a numeric score (0–100) to track improvement over time.
• Agentless and lightweight — runs as a single shell script with no daemon or database required.
• Broad platform support: Linux, macOS, FreeBSD, OpenBSD, NetBSD, Solaris, and AIX.
• Compliance mapping: Built-in references to CIS benchmarks, PCI DSS, HIPAA, and ISO 27001 controls.
• Extensible plugin system for custom checks and automated remediation scripts.

Installing Lynis

The simplest installation method uses your system package manager:

1
2
3
4
5
6
7
8
9

# Debian/Ubuntu
sudo apt update && sudo apt install -y lynis

# RHEL/CentOS/Rocky
sudo dnf install -y epel-release
sudo dnf install -y lynis

# Arch Linux
sudo pacman -S lynis

To audit a system, run:

1
2
3
4
5
6
7
8

# Full system audit (requires root for all checks)
sudo lynis audit system

# Audit with custom profile
sudo lynis audit system --profile /etc/lynis/custom.prf

# Pentest mode (non-interactive, useful for CI/CD)
sudo lynis audit system --pentest

Running Lynis in Docker

Lynis can also run inside a container that inspects the host filesystem:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

version: "3.8"
services:
  lynis:
    image: cisofy/lynis:latest
    container_name: lynis-audit
    volumes:
      - /:/host:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - LYNIS_OPTIONS=audit system
    command: >
      sh -c "
        apk add --no-cache docker-cli &&
        lynis audit system --quick
      "
    restart: "no"

Note: The official CISOfy Docker image is not available on Docker Hub, but community-maintained images exist. Alternatively, you can build your own:

1
2
3
4

FROM alpine:3.19
RUN apk add --no-cache lynis bash
WORKDIR /audit
CMD ["lynis", "audit", "system", "--quick"]

Understanding Lynis Output

After running, Lynis produces a detailed report at /var/log/lynis-report.dat and a human-readable summary in the terminal:

1

[+] Hardening index : 72 [FOUND: 142 SUGGESTIONS: 38]

The hardening index gives you a single number to track. Suggestions are categorized by severity (Warning, Suggestion, OK) and include specific file paths and configuration recommendations.

OpenSCAP: NIST-Certified Compliance Engine

OpenSCAP is an open-source implementation of the Security Content Automation Protocol (SCAP), certified by NIST. It provides a framework for vulnerability management, configuration assessment, and compliance checking against standardized benchmarks.

Key Features

• NIST SCAP 1.2 certified — the gold standard for government and enterprise compliance.
• XCCDF and OVAL support — parses standardized security checklists and vulnerability definitions.
• SCAP Security Guide (SSG) — pre-built profiles for CIS benchmarks, STIGs, and PCI DSS across multiple distributions.
• Remediation generation — produces Ansible playbooks, Bash scripts, and Kubernetes manifests to fix failed checks automatically.
• HTML report generation — visually rich reports with pass/fail status for every rule.
• Integration with SCAP Workbench — GUI tool for interactive scanning.

Installing OpenSCAP

1
2
3
4
5
6
7
8
9

# Debian/Ubuntu
sudo apt update && sudo apt install -y openscap-scanner libopenscap8

# RHEL/CentOS/Rocky
sudo dnf install -y openscap-scanner openscap-utils

# Install SCAP Security Guide (pre-built profiles)
sudo apt install -y scap-security-guide
# or: sudo dnf install -y scap-security-guide

Running OpenSCAP Scans

OpenSCAP uses XCCDF profiles tailored to specific distributions and compliance standards:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

# List available profiles for your system
oscap xccdf ds ls /usr/share/xml/scap/ssg/content/ssg-debian12-ds.xml

# Run a CIS-compliant scan and generate HTML report
oscap xccdf eval \
  --profile cis \
  --results scan-results.xml \
  --report scan-report.html \
  /usr/share/xml/scap/ssg/content/ssg-debian12-ds.xml

# Generate Ansible remediation playbook from failed checks
oscap xccdf generate fix \
  --fix-type ansible \
  --result-id "" \
  scan-results.xml > remediation.yml

Running OpenSCAP via Docker

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

version: "3.8"
services:
  openscap:
    image: openscap/openscap:latest
    container_name: openscap-scan
    volumes:
      - /:/host:ro
      - ./reports:/reports
    working_dir: /host
    command: >
      oscap xccdf eval
      --profile cis_level1_server
      --results /reports/results.xml
      --report /reports/report.html
      /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
    restart: "no"

The HTML report includes a detailed breakdown of each rule, showing pass/fail status, severity level, and remediation instructions. This makes OpenSCAP ideal for compliance documentation and audit evidence.

Goss: Fast Server Validation Framework

Goss by aelsabbahy takes a different approach — rather than running hundreds of predefined checks, Goss validates server state against a user-defined YAML configuration file. With nearly 6,000 GitHub stars, it’s designed for speed and simplicity, completing full system validation in under a second.

Key Features

• Sub-second validation — written in Go, Goss runs a single binary with no dependencies.
• Declarative YAML config — you define the desired state; Goss checks if reality matches.
• Broad resource types — validates packages, services, files, ports, processes, users, groups, DNS, HTTP endpoints, kernel parameters, and more.
• Auto-generate configs — goss autoadd creates a config file from the current server state.
• CI/CD friendly — outputs in JSON, JUnit, or rspecish formats for integration with testing pipelines.
• ServerSpec alternative — designed as a faster, simpler replacement for Ruby-based ServerSpec tests.

Installing Goss

1
2
3
4
5
6
7

# Install latest version
GOSS_VER=v0.4.4
curl -fsSL https://github.com/goss-org/goss/releases/download/$GOSS_VER/goss-linux-amd64 -o /usr/local/bin/goss
chmod +x /usr/local/bin/goss

# Verify installation
goss --version

Creating and Running Goss Tests

Generate a config from your current server state:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

# Auto-detect current configuration
goss autoadd sshd
goss autoadd nginx

# Or manually create goss.yaml
cat > goss.yaml << 'EOF'
package:
  nginx:
    installed: true
    versions:
      - 1.24.0

service:
  nginx:
    enabled: true
    running: true

port:
  tcp:80:
    listening: true
  tcp:443:
    listening: true

file:
  /etc/nginx/nginx.conf:
    exists: true
    mode: "0644"
    owner: root
    group: root
EOF

Run validation:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# Run all tests
goss validate

# Output in different formats
goss validate -f documentation
goss validate -f json
goss validate -f junit > results.xml

# Run specific tests
goss validate --include-package,service

Running Goss in Docker

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

version: "3.8"
services:
  goss:
    image: aelsabbahy/goss:latest
    container_name: goss-validate
    volumes:
      - ./goss.yaml:/goss/goss.yaml:ro
      - /:/hostfs:ro
    environment:
      - GOSS_FILES_PATH=/goss
    command: validate
    restart: "no"

Or run directly against a Dockerfile as a build-time validation:

1
2
3
4
5

FROM nginx:1.24-alpine
COPY goss.yaml /goss/goss.yaml
RUN wget -qO /usr/local/bin/goss https://github.com/goss-org/goss/releases/latest/download/goss-linux-amd64 && \
    chmod +x /usr/local/bin/goss && \
    /usr/local/bin/goss validate

Comparison Table

Choosing the Right Tool

Use Lynis When:

• You want a comprehensive security audit out of the box with zero configuration.
• You need a numeric hardening score to track improvement over time.
• Your environment includes diverse Unix variants (macOS, BSD, Solaris).
• You want actionable suggestions ranked by severity.

Use OpenSCAP When:

• You need NIST-certified compliance evidence for auditors.
• Your organization follows CIS benchmarks or DISA STIGs.
• You want automated remediation playbooks for failed checks.
• You need detailed HTML reports with pass/fail status for every rule.

Use Goss When:

• You want fast, repeatable validation in CI/CD pipelines.
• You prefer declarative “infrastructure as code” style testing.
• You need to validate specific resources (packages, ports, services) without running hundreds of irrelevant checks.
• You want sub-second execution times for rapid feedback loops.

Combining All Three Tools

A mature security program uses all three tools at different stages:

1
2
3
4
5
6
7

┌─────────────────────────────────────────────────┐
│           Server Security Pipeline               │
│                                                   │
│  1. Goss    → Validate desired state on deploy   │
│  2. Lynis   → Weekly comprehensive audit         │
│  3. OpenSCAP → Monthly compliance scan           │
└─────────────────────────────────────────────────┘

• Goss runs on every deployment to catch configuration drift immediately.
• Lynis runs weekly to discover new security issues and track the hardening index trend.
• OpenSCAP runs monthly to generate compliance reports for auditors, with automated remediation for failed checks.

For a complete security posture, pair server auditing with runtime security monitoring using Falco, osquery, and auditd and vulnerability scanning with Trivy, Grype, and OpenVAS.

FAQ

Is Lynis free to use?

Yes, Lynis is fully open-source (GPLv3) and free to use. CISOfy offers a commercial version called Lynis Enterprise with a centralized dashboard, scheduling, and multi-node management, but the community edition includes all core auditing features.

Can OpenSCAP scan Windows servers?

OpenSCAP primarily supports Linux distributions. For Windows compliance checking, you would need Microsoft’s Security Compliance Toolkit or a commercial SCAP-compatible scanner. OpenSCAP’s strength is Linux-centric compliance profiles from the SCAP Security Guide project.

How do I schedule Lynis to run automatically?

Lynis has no built-in scheduler. Use cron to run it on a schedule:

1
2

# Run weekly audit every Sunday at 2 AM
0 2 * * 0 /usr/sbin/lynis audit system --cronjob > /var/log/lynis-weekly.log 2>&1

Parse the output with the --cronjob flag for machine-readable results suitable for monitoring dashboards.

Does Goss replace configuration management tools like Ansible?

No, Goss validates the result of configuration management — it doesn’t apply changes. You would use Ansible, Puppet, or Chef to configure your servers, and Goss to verify the configuration matches expectations. Think of Goss as the test suite for your infrastructure.

Which tool generates the best compliance reports for auditors?

OpenSCAP produces the most auditor-ready reports. Its HTML output includes detailed pass/fail status for every rule in standardized benchmarks (CIS, STIG), making it ideal for compliance documentation. Lynis reports are more actionable for internal remediation, while Goss reports are designed for CI/CD integration rather than auditor review.

Can these tools run in air-gapped environments?

Yes, all three tools work fully offline. Lynis and Goss are single-file distributions that need no network access. OpenSCAP requires the SCAP Security Guide data files, which can be downloaded once and copied to air-gapped systems. None of these tools phone home or require external connectivity.