Lynis Enterprise - Self-hosted on Debian 12 (Bookworm)¶
- Licence code: 78d1c576-11e2-408c-b76f-6f2d68e6996b
- Number of systems: 100
- End date for licence: 2026-02-28
Requirements¶
- Virtual machine
- 2 GB memory or more
- Disk partitioning with at least 10 GB free space
Preparation steps¶
New system¶
Use a new Debian 12 (virtual) machine as the installer will make changes to its configuration. Use the latest version of the selected operating system.
Hostname and domain configuration¶
Ensure that the hostname and domain are both correct. It will be used to configure the application components.
Change /etc/hostname and /etc/hosts to properly configure the system.
Tips:
- Add a 127.0.1.1 entry linked to the fully qualified domain name (FQDN), followed by just the hostname.
- Example:
127.0.1.1 lynis.example.com lynis
- Confirm that the system has a domain name configured. Command:
hostname -d
After making changes, reboot the system to make sure that all is good.
Create /data partition¶
Create a /data directory or dedicated partition. When using a partition, ensure it has at least 10 GB of space. Usage of LVM is suggested, so the partition can be extended later.
This directory is used to store software components.
Firewall preparation¶
When iptables/ufw is available, allow incoming connections to HTTP and HTTPS. HTTP is only used for the convenience of users and redirects them to HTTPS automatically.
Postfix or MTA configuration¶
Configure a local MTA (like Postfix), allowing the system to send emails.
Install MTA¶
The system needs to be able to send out emails. Install Postfix or another MTA.
PostgreSQL¶
Python 3¶
sudo¶
Install sudo as it is used in the Updater tool.
Other packages/configuration
sudo apt-get install ufw
sudo apt install gpg
sudo apt install mc
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
sudo ufw status
Reboot¶
If the system did not have a reboot yet, this is a good moment to ensure all is well before doing the installation.
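The hostname and /data requirements above can be checked before starting the installer. The script below is an added example, not part of the Lynis Enterprise tooling; the function names and the `--run` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight checks for the hostname and /data preparation steps.

# hosts_entry_ok FILE FQDN SHORT
# Succeeds when FILE has an active 127.0.1.1 line listing the FQDN first and
# the short hostname second. With the order reversed the short name becomes
# the canonical one, so that case is treated as a failure.
hosts_entry_ok() {
    awk -v fqdn="$2" -v short="$3" '
        { sub(/#.*/, "") }    # ignore comments and commented-out entries
        $1 == "127.0.1.1" && $2 == fqdn && $3 == short { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# enough_kb AVAILABLE_KB REQUIRED_GB: succeeds when at least REQUIRED_GB is free.
enough_kb() {
    [ "$1" -ge $(( $2 * 1024 * 1024 )) ]
}

preflight() {
    rc=0
    fqdn=$(hostname -f 2>/dev/null) || fqdn=""
    short=$(hostname -s 2>/dev/null) || short=""
    if [ -z "$(hostname -d 2>/dev/null)" ]; then
        echo "FAIL: 'hostname -d' returns no domain name"; rc=1
    fi
    if ! hosts_entry_ok /etc/hosts "$fqdn" "$short"; then
        echo "FAIL: /etc/hosts has no line '127.0.1.1 $fqdn $short'"; rc=1
    fi
    # Column 4 of POSIX df output is the available space in 1 KiB blocks.
    avail=$(df -Pk /data 2>/dev/null | awk 'NR == 2 { print $4 }')
    if ! enough_kb "${avail:-0}" 10; then
        echo "FAIL: /data is missing or has less than 10 GB free"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: preparation checks passed"
    return "$rc"
}

# Usage: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```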
Installation¶
Install HTTPS transport
Note: this package might already be installed
Import key
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
Configure the software repository
echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/customers/LICENSE/lynis-enterprise/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis-enterprise.list
Important note: replace LICENSE with the actual master license key.
Update repositories
Install the Lynis Enterprise Updater
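Piping the downloaded key straight into gpg, as in the "Import key" step, trusts whatever the server returns. As an added example (not CISOfy's own procedure), this script compares the key's fingerprint with one obtained from the vendor through a separate channel before writing it to the path used above. The function names and the `--install` switch are illustrative, and the expected fingerprint is supplied by you because this page does not list one.

```shell
#!/bin/sh
# Added example: check the repository key's fingerprint before trusting it.
KEY_URL="https://packages.cisofy.com/keys/cisofy-software-public.key"
KEY_DEST="/etc/apt/trusted.gpg.d/cisofy-software-public.gpg"

# normalize_fpr STRING: strip spaces and colons, uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'abcdef' 'ABCDEF'
}

# primary_fpr: reads `gpg --with-colons` output on stdin and prints field 10
# of the first "fpr" record, which is the primary key's fingerprint.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# fpr_matches EXPECTED: reads the same colon output on stdin. Succeeds only
# when the file holds exactly one primary key and its fingerprint equals
# EXPECTED, so an extra key bundled into the download is rejected as well.
fpr_matches() {
    listing=$(cat)
    pubs=$(printf '%s\n' "$listing" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    [ "$pubs" -eq 1 ] || return 1
    got=$(printf '%s\n' "$listing" | primary_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$1")" ]
}

# install_key EXPECTED: download to a temp file, verify, then dearmor into place.
install_key() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$KEY_URL" -o "$tmp"; then rm -f "$tmp"; return 1; fi
    if gpg --show-keys --with-colons "$tmp" | fpr_matches "$1"; then
        sudo gpg --yes -o "$KEY_DEST" --dearmor "$tmp"; rc=$?
    else
        echo "Fingerprint mismatch: key NOT installed" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh verify-key.sh --install "<fingerprint obtained from the vendor>"
if [ "${1:-}" = "--install" ]; then
    install_key "${2:-}"
fi
```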
Lynis Enterprise Installation¶
Now run the Updater utility.
During the execution of the installer, it will ask you for basic information, like an e-mail address and license number. Use the master key as mentioned before.
When something goes wrong¶
Sometimes the Updater may stop due to an error. In that case, it will most likely tell what goes wrong and what step to take.
Run the Updater
Good to know: you can always run the Updater again, during or after the installation. In that case use the ‘update’ command:
If you changed basic details of the system after or during the setup, such as the hostname, then a ‘forced’ update might be needed. This does the same thing as a normal update, but runs more tasks and enforces that some files are created (again).
Create admin user¶
At the end of the installation, the installer will help you create an admin user for the web interface. While creating this admin user, we strongly suggest using the name ‘root’ (without quotes) as its username. When the installation is done, you can use this user account to perform the last steps of configuration.
After installing the software, log in as user root on the web interface. Perform the following steps and create:
Create one or more business entities
After you are logged in, you get the opportunity to create a company. This can be the name of your company, a business division(s), team(s), or customer(s). Entities cannot see data of another entity, so this can be used to keep sensitive data separated.
Add one license to each company/division
Create a sublicense and configure
| Setting | Value |
|---|---|
| Maximum systems | Ordered number of licenses or divide them over multiple sublicenses |
| Maximum scans | 10 |
| Maximum accounts | 99 |
| Type | Lynis |
| Subtype | Premium |
| Begin date | Start of license (example: 2024-03-18) |
| End date | Begin date + 1 year |
| License key | Keep it as-is |
| Credits | Keep it as-is |
Create a personal user account
Normal user accounts are used to do the daily administration. The admin user ‘root’ is only for doing configuration of the system itself.
So create one or more normal users: one for yourself and one for each colleague who needs access as well.
Certificate¶
During installation, a self-signed certificate is created, as all connections are forced to use HTTPS. You could replace the certificate with an internal certificate if you have one. Another option is using Let’s Encrypt.
Send error mails with debug
echo "ADMINS = (('Name', 'your.name@example.com'),)" | sudo tee -a /data/lynis-enterprise/interface/bin/lynis_interface/lynis_interface/local_settings.py
echo "DEBUG = True" | sudo tee -a /data/lynis-enterprise/interface/bin/lynis_interface/lynis_interface/local_settings.py