How to update Lynis
With every software tool receiving improvements and bug fixes, it’s important to update Lynis as well. In this article we have a look at how to easily upgrade Lynis.
Options
Two common options to keep software up-to-date is by using a package, or the usage of a custom archive. Installing Lynis is optional, running it from remote (or local) storage is a valid option.
Lynis Packages
On the CISOfy software repository you can find a Lynis package. The packages are available for systems running CentOS, Debian, Fedora, RHEL, openSUSE, Ubuntu, and others.
For administrators who prefer to use custom packages, it’s a good option to use the source file and build a custom package. This way the package can be installed on test servers first and then deployed to all production systems. By using a software update tool or configuration management tool (e.g. Cfengine or Puppet), new releases can be pushed and enforced.
Building RPM
SUSE Linux has an example .spec file available for people who want to build their own RPM files and can be found here. Also from the authors behind Lynis there is an example file.
After adjusting any file paths and usually the version number, run the rpmbuild tool:
rpmbuild -ba lynis.spec
Customized tarball
For companies with many systems, a good alternative to a Lynis package is the usage of a personally customized tarball. Download the Lynis tarball from the website of CISOfy, extract the contents and make alterations for your auditing needs. Commons adjustments include:
- Filling in license key (scan profile)
- Putting plugins into the tarball
- Customization to Lynis
After the adjustments, perform a test run on some (test) systems. When the build is stable, create a new archive and publish it on a service of your choice. One common example is the usage of a web server, which stores the latest version of the package (e.g. lynis-custom-latest.tar.gz). It can be downloaded via a daily cron job with tools like wget of CURL.
Using GitHub
Lynis is available on GitHub. Getting the latest version is as easy as cloning the project and keep it in sync. While we suggest people to keep in sync, we also believe in testing. Therefore the previous section about customizing it, should also include testing.
Lynis Enterprise Suite users
Especially users of the Enterprise version will benefit of keeping Lynis up-to-date, to receive the latest improvements and new features. Sometimes new functionality will show up in the Enterprise interface. In such case it requires Lynis to be at a certain software level to collect the related data. Additionally any bugs or suggestions reported by the community is available in the latest Lynis client.
We advise Enterprise users to stay up-to-date and test new releases first. Only then deploy it on the production systems. Using Lynis from software repositories may result in using an outdated version.