Migration tips for Lynis to version 2.3.1 and beyond

Lynis migration tips

Usually a lot of work is put into new releases. So it is a shame if most users don’t use the latest version, right? Surprisingly, that still happens a lot.

In the recent past, users of Lynis had to rely on external package maintainers, custom package building, or manually downloading the latest release.

Debian and RPM packages

If you are running a system that uses the DEB or RPM format, you might want to use our new software repository. It simplifies installing and updating Lynis.

Uninstall first

Before you install the package, remove any existing Lynis installation. Otherwise you may still end up running an old version. Before you remove it, copy any changes you made to default.prf to a separate file. These settings will later need to be stored in /etc/lynis/custom.prf.

Changes to profiles

Two major changes have been made to the Lynis profiles:

  1. Support for multiple profiles
  2. New format

Multiple profiles

Previously there was only one active profile. Now it is possible to have a few. This way we can safely update default.prf, while you store your changes in a separate file. And if you like, you can dynamically add an additional profile to override your normal settings. This is great for running Lynis in development mode, or when scanning systems of multiple customers.

New logic for using Lynis profiles:
1. Use the default profile (default.prf)
2. Check for the presence of custom.prf (and use it when available)
3. Check whether you have provided a profile with --profile

Use custom.prf

The default profile will always be applied. On top of this, you can use your own settings. These are stored in custom.prf. So if you want to make changes, copy only the changed lines to the file custom.prf. Place this file in the same directory as default.prf (tip: use `lynis show profiles` to find the location). When using our software packages, this will be /etc/lynis.

New format

Older versions of Lynis used a less-friendly way of storing the settings. It was great for the tooling, but bad for humans. Oops… We have rewritten almost all settings and now store them as simple key-value pairs (setting=value). If you copied any changes from before, we suggest rewriting them in this new, simpler format.

Tip: check your active settings with `lynis show settings`

Note: the --profile option can still be used. Only use it when you (temporarily) want to use a different profile for that scan. Otherwise, use the custom.prf file.
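One way to collect "only those lines" for custom.prf, as an added example that is not part of Lynis or of the original article: the hypothetical helper `extract_overrides` compares an edited default.prf against an unmodified copy from the same release and prints the setting=value lines that differ. It assumes you still have that unmodified copy; the sample profiles in `demo` are constructed, and lines that are not in setting=value form are reported on stderr for manual rewriting rather than copied.

```shell
#!/bin/sh
# Added example, not part of Lynis. Prints the lines of an edited default.prf
# that do not occur in the stock default.prf: the candidates for custom.prf.
# usage: extract_overrides STOCK_PROFILE EDITED_PROFILE
extract_overrides() {
    awk '
        # Trim surrounding whitespace (and a trailing CR) before comparing.
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
        # Comments and blank lines never need to be carried over.
        line == "" || line ~ /^#/ { next }
        # First file: remember every stock line. Comparing whole lines
        # (not just keys) keeps settings that may repeat intact.
        FILENAME == ARGV[1] { stock[line] = 1; next }
        # Second file: unchanged lines stay out of custom.prf.
        line in stock { next }
        # Not setting=value: flag it for manual rewriting instead of copying.
        line !~ /^[^=]+=/ { print "rewrite by hand: " line > "/dev/stderr"; next }
        { print line }
    ' "$1" "$2"
}

# Demo on constructed sample profiles (values and test IDs are made up).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# stock' 'machine-role=server' \
        'skip-test=TEST-0001' > "$dir/stock.prf"
    printf '%s\n' '# edited' 'machine-role=workstation' 'skip-test=TEST-0001' \
        'skip-test=TEST-0002' 'legacy line without equals' > "$dir/edited.prf"
    extract_overrides "$dir/stock.prf" "$dir/edited.prf" 2>/dev/null
    rm -rf "$dir"
}
demo
```

Redirect the output to /etc/lynis/custom.prf once you have reviewed it, then confirm the result with `lynis show settings`.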
