Skip to content

Lynis Client

Lynis Client - Software Repository (Customers)

Difference with Community version

The software packages in this repository consists of stable releases of Lynis. Customers of Lynis Enterprise also have the following packages available:

  • Lynis Collector
  • Lynis Plugins

Requirements

  • A valid Lynis Enterprise license key
  • License activation

The customer repository is not enabled for your license key(s) by default. If you like to use the packages from our software repository, contact support@cisofy.com. This is also useful if you like to add our packages into your own internal software repository.

Installation

CentOS, Fedora, and RHEL

Update prerequisites

  • Have your license key enabled by CISOfy support
  • Use up-to-date versions of cURL, NSS, OpenSSL, and CA certificates
yum update ca-certificates curl nss openssl

Create repository

Create /etc/yum.repos.d/cisofy-lynis.repo

[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/customers/LICENSE-KEY/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1

Info

Using a self-hosted installation of Lynis Enterprise? Use your sublicense key (not the master key).

Install Lynis and Lynis plugins

yum makecache timer
yum install lynis lynis-plugins

After installation, configure Lynis with the configure settings command.

Debian and Ubuntu

Update prerequisites

Have your license key enabled by CISOfy support, otherwise you get a 404 error.

The software repository uses preferably HTTPS, so the 'https' method for APT might need to be installed first.

sudo apt install apt-transport-https

Suggested method to download key and use it

sudo curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/customers/LICENSE-KEY/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list

Add repo

sudo echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/customers/a33872ac-f2bc-11ef-8aed-bc2411d3a51c/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list

Info

Using a self-hosted installation of Lynis Enterprise? Use your sublicense key (not the master key!).

Install Lynis and Lynis Plugins

sudo apt update
sudo apt install lynis lynis-plugins

After installation, configure Lynis with the configure settings command.

Configure Lynis client

The client configuration can be scripted, for easy deployment. Use the configure settings command for this and run Lynis.

sudo touch /etc/lynis/custom.prf

Example: 

sudo lynis configure settings license-key=LICENSE-KEY:upload-server=portal.cisofy.com
sudo lynis audit system --quick --upload

Custom Enterprise Profile:

#################################################################################
#
# All empty lines or with the # prefix will be skipped
#
#################################################################################

# Debug mode (for debugging purposes, extra data logged to screen)
#debug=yes

# Profile name, will be used as title/description
profile-name=Kontext E Template

# Skip a test (one per line)
#skip-test=SSH-7408
#skip-test=NETW-3015

# Skip a particular option within a test (when applicable)
#skip-test=SSH-7408:loglevel
#skip-test=SSH-7408:permitrootlogin

# Skip Lynis upgrade availability test (default: no)
#skip-upgrade-test=yes

#################################################################################
#
# Plugins
# ---------------
# Define which plugins are enabled
#
# Notes:
# - Nothing happens if plugin isn't available
# - There is no order in execution of plugins
# - See documentation about how to use plugins and phases
# - Some are for Lynis Enterprise users only
#
#################################################################################

# Lynis plugins to enable

# Disable a particular plugin (will overrule an enabled plugin)
#disable-plugin=authentication

#################################################################################
#
# Kernel options
# ---------------
# config-data=, followed by:
#
# - Type                     = Set to 'sysctl'
# - Setting                  = value of sysctl key (e.g. kernel.sysrq)
# - Expected value           = Preferred value for key (e.g. 0)
# - Hardening Points         = Number of hardening points (typically 1 point per key) (1)
# - Description              = Textual description about the sysctl key(Disable magic SysRQ)
# - Related file or command  = For example, sysctl -a to retrieve more details
# - Solution field           = Specifies more details or where to find them (url:URL, text:TEXT, or -)
#
#################################################################################

# Config
# - Type (sysctl)
# - Setting (kernel.sysrq)
# - Expected value (0)
# - Hardening Points (1)
# - Description (Disable magic SysRQ)
# - Related file or command (sysctl -a)
# - Solution field (url:URL, text:TEXT, or -)

# Processes


# Kernel


# Network


# Other

#################################################################################
#
# permfile
# ---------------
# permfile=file name:file permissions:owner:group:action:
# Action = NOTICE or WARN
# Examples:
# permfile=/etc/test1.dat:600:root:wheel:NOTICE:
# permfile=/etc/test1.dat:640:root:-:WARN:
#
#################################################################################



#################################################################################
#
# permdir
# ---------------
# permdir=directory name:file permissions:owner:group:action when permissions are different:
#
#################################################################################

permdir=/etc/cron.yearly:rwx------:root:root:WARN:

# Ignore some specific home directories
# One directory per line; directories will be skipped for home directory specific
# checks, like file permissions, SSH and other configuration files
#ignore-home-dir=/home/user


# Allow promiscuous interfaces
#   <option>:<promiscuous interface name>:<description>:
#if_promisc:pflog0:pf log daemon interface:

# The URL prefix and append to the URL for controls or your custom tests
# Link will be formed as {control-url-protocol}://{control-url-prepend}CONTROL-ID{control-url-append}
#control-url-protocol=https
#control-url-prepend=cisofy.com/control/
#control-url-append=/

# The URL prefix and append to URL's for your custom tests
#custom-url-protocol=https
#custom-url-prepend=your-domain.example.org/control-info/
#custom-url-append=/


#################################################################################
#
# Operating system specific
# -------------------------
#
#################################################################################

# Skip the FreeBSD portaudit test
#freebsd-skip-portaudit=yes

# Skip security repository check for Debian based systems
#debian-skip-security-repository=yes


#################################################################################
#
# Lynis Enterprise options
# ------------------------
#
#################################################################################

# Lynis Enterprise license key
license-key=a33872ac-f2bc-11ef-8aed-bc2411d3a51c

# Upload data to central server
upload=yes

# The hostname/IP address to receive the data
upload-server=lynis.einvosys.com

Run on server with upload to Lynis Enterprise Server.

sudo lynis audit system --profile /etc/lynis/custom.prf --auditor $USER --logfile ~/LYNIS-initial-install1.0.log --upload

Tip: After setting up the client, create a cronjob for automatic data uploads.

Lynis cronjob

Running Lynis as a cronjob is also possible. For that purpose the --cronjob parameter exists. By adding this option all special chars will be stripped from the output and the scan will be run completely automated (no user intervention needed).

Example: 

#!/bin/sh

set -u
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

cd /usr/sbin/

# Run Lynis
./lynis audit system --cronjob > ${REPORT}

# Optional step: Move report file if it exists
if [ -f /var/log/lynis-report.dat ]; then
    mv /var/log/lynis-report.dat ${DATA}
fi
# The End

Add the contents of this script to /etc/cron.daily/lynis and create the related paths in the script (/usr/local/lynis and /var/log/lynis).

Tips:

  • If you only want to see the warnings while running Lynis as a cronjob, use the options --cronjob and --quiet together.
  • The profile option 'pause_between_tests' can be used to increase the wait time between tests. This might be used to decrease the load on the machine slightly. Please note that a small delay between the tests will result in taking the scan (much) longer to finish.
  • If you want to sync the report file to a central host, you could write a small script to run Lynis and sync/copy the report file afterwards.
  • Are you using Lynis Enterprise? Upload the data automatically by adding --upload to the 'lynis audit system' command. Define your upload server and license in custom.prf.

Lynis Profiles

With the help of parameters we can alter the behavior of Lynis. Too many parameters would make it hard to use the software. For that reason, Lynis uses audit profiles. Profiles can be compared with a configuration file.

Default profile

You can recognize an audit profile having the .prf extension. The default profile is named default.prf. Newer versions of Lynis will also use this profile to set its initial values.

Making changes

The default profile contains settings which are fine for most security scans. If you like to customize how Lynis runs, do not make changes in this profile. Instead, add them to the file custom.prf. See more details below on how to configure Lynis by using a custom profile.

If you want to confirm what profiles are used, use the "show profiles" command

lynis show profiles

You can also see the active settings. Optionally add --brief and --nocolors to show only the settings.

lynis show settings

Note: if this command does not work, your version of Lynis is too old. Upgrade to a newer version.

Configuration and Automation

New versions of Lynis can be configured with a few commands. This makes it easy to combine with configuration management.

Create a custom profile

First create an empty profile, with the name custom.prf

touch /etc/lynis/custom.prf

To learn about the available settings, open the default settings file (default.prf). Then copy a preferred option to your custom profile.

Configure settings from the command line

Now you can configure individual settings from the command line.

lynis configure settings debug=yes

To change multiple settings, use a colon to separate them.

lynis configure settings debug=yes:quick=yes

Confirm that your new settings are picked up with the show settings command.

lynis show settings

Usefull commands

Get hardening index

sudo grep hardening_index /var/log/lynis-report.dat | cut -d = -f 2

Show nbr of warnings

sudo grep -c "warning\[\]=" /var/log/lynis-report.dat

Show all warnings

sudo grep "warning\[\]=" /var/log/lynis-report.dat

Show nbr of suggestions

sudo grep -c "suggestion\[\]=" /var/log/lynis-report.dat

Show suggestions

sudo grep "suggestion\[\]=" /var/log/lynis-report.dat

Show vulnerable package

sudo grep "vulnerable_package\[\]=" /var/log/lynis-report.dat | cut -d = -f 2