How to update Lynis

With every software tool receiving improvements and bug fixes, it’s important to update Lynis as well. In this article we have a look at how to easily upgrade Lynis.

Options

Two common options to keep software up-to-date are using a package or using a custom archive. Installing Lynis is optional; running it from remote (or local) storage is a valid option.

Lynis Packages

On the CISOfy software repository you can find a Lynis package. The packages are available for systems running CentOS, Debian, Fedora, RHEL, openSUSE, Ubuntu, and others.

For administrators who prefer to use custom packages, it’s a good option to use the source file and build a custom package. This way the package can be installed on test servers first and then deployed to all production systems. By using a software update tool or configuration management tool (e.g. Cfengine or Puppet), new releases can be pushed and enforced.

Building RPM

SUSE Linux has an example .spec file available for people who want to build their own RPM files; it can be found here. The authors behind Lynis also provide an example file.

After adjusting any file paths and usually the version number, run the rpmbuild tool:

rpmbuild -ba lynis.spec

Customized tarball

For companies with many systems, a good alternative to a Lynis package is a customized tarball. Download the Lynis tarball from the website of CISOfy, extract the contents and make alterations for your auditing needs. Common adjustments include:

  • Filling in license key (scan profile)
  • Putting plugins into the tarball
  • Customization to Lynis

After the adjustments, perform a test run on some (test) systems. When the build is stable, create a new archive and publish it on a service of your choice. One common example is a web server that stores the latest version of the package (e.g. lynis-custom-latest.tar.gz). It can be downloaded via a daily cron job with tools like wget or curl.
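The daily cron download described above, sketched as an added example (not code from CISOfy or the Lynis project) that refuses to replace the current copy unless the archive matches a published SHA-256 digest. The base URL, the destination directory and the companion lynis-custom-latest.tar.gz.sha256 file are assumptions; the article only names the archive.

```shell
#!/bin/sh
# Added example: cron updater for a custom Lynis tarball, with integrity check.
# BASE_URL, DEST and the ".sha256" companion file are assumptions (not from the article).
BASE_URL="${BASE_URL:-https://repo.example.internal/lynis}"
ARCHIVE="lynis-custom-latest.tar.gz"
DEST="${DEST:-/opt/lynis}"

# fetch_release DIR: download archive and digest over HTTPS only, fail on HTTP errors.
fetch_release() {
    curl --fail --silent --show-error --proto '=https' \
        -o "$1/$ARCHIVE" "$BASE_URL/$ARCHIVE" &&
    curl --fail --silent --show-error --proto '=https' \
        -o "$1/$ARCHIVE.sha256" "$BASE_URL/$ARCHIVE.sha256"
}

# verify_and_install ARCHIVE_PATH SHA256_FILE DEST_DIR
# Returns 0 only if the digest matches and the archive unpacked cleanly.
verify_and_install() {
    archive=$1; sumfile=$2; dest=$3
    expected=$(awk 'NR==1 {print $1}' "$sumfile") || return 1
    actual=$(sha256sum "$archive" | awk '{print $1}') || return 1
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $archive, keeping current install" >&2
        return 1
    fi
    # Refuse members with absolute paths or ".." components before unpacking.
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $archive" >&2
        return 1
    fi
    staging=$(mktemp -d "${dest}.new.XXXXXX") || return 1
    if ! tar -xzf "$archive" -C "$staging"; then rm -rf "$staging"; return 1; fi
    # Swap in the new copy; the previous one stays at DEST.old for rollback.
    rm -rf "${dest}.old"
    if [ -e "$dest" ]; then mv "$dest" "${dest}.old" || return 1; fi
    mv "$staging" "$dest"
}

main() {
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    fetch_release "$work" &&
        verify_and_install "$work/$ARCHIVE" "$work/$ARCHIVE.sha256" "$DEST"
}

# The cron entry calls this script with --run; without it only the functions are defined.
if [ "${1:-}" = "--run" ]; then main; fi
```

A digest served from the same web server catches truncated or corrupted downloads but not a tampered server; for that, sign the archive and verify the signature against a key distributed out of band.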

Using GitHub

Lynis is available on GitHub. Getting the latest version is as easy as cloning the project and keeping it in sync. While we suggest that people keep in sync, we also believe in testing. Therefore, the testing described in the previous section on customization applies here as well.

Lynis Enterprise Suite users

Users of the Enterprise version in particular benefit from keeping Lynis up-to-date, as they receive the latest improvements and new features. Sometimes new functionality will show up in the Enterprise interface. In such cases, Lynis must be at a certain software level to collect the related data. Additionally, fixes for bugs and suggestions reported by the community are available in the latest Lynis client.

We advise Enterprise users to stay up-to-date and test new releases first, and only then deploy them on production systems. Using Lynis from software repositories may result in using an outdated version.


This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.
