Migration tips for Lynis to version 2.3.1 and beyond

Lynis migration tips

Usually a lot of work is put into new releases. So it is a shame if most users don’t use the latest version, right? Surprisingly, that still happens a lot.

In the recent past, users of Lynis had to rely on external package maintainers, custom package building, or manually downloading the latest release.

Debian and RPM packages

If you are running a system that uses the DEB or RPM format, you might want to use our new software repository. It simplifies installing and updating Lynis.

Uninstall first

Before you install the package, remove any existing Lynis installation. Otherwise you may still end up running an old version. Before you do, copy any changes you made to default.prf to a separate file. These settings need to be stored later in /etc/lynis/custom.prf.

Changes to profiles

Two major changes have been made to the Lynis profiles:

  1. Support for multiple profiles
  2. New format

Multiple profiles

Previously there was only one active profile; now it is possible to have a few. This way we can safely update default.prf, while you store your changes in a separate file. And if you like, you can dynamically add an additional profile to override your normal settings. This is great for running Lynis in development mode, or when scanning systems of multiple customers.

New logic for using Lynis profiles:
1. Use the default profile (default.prf)
2. Check for the presence of custom.prf (and use it when available)
3. Check if you have provided a profile with --profile

Use custom.prf

The default profile will always be applied. On top of this, you can use your own settings. These are stored in custom.prf. If you want to make changes, copy only those lines to the file custom.prf. Place this file in the same directory as default.prf (tip: use lynis show profiles to detect the location). When using our software packages, this will be in /etc/lynis.

New format

Older versions of Lynis used a less-friendly way of storing the settings. It was great for the tooling, but bad for humans. Oops… We have rewritten almost all settings and now store them as simple key-value pairs (setting=value). If you copied any changes from before, it is suggested to use this new simple format.

Tip: check your active settings with lynis show settings

Note: the --profile option can still be used. Only use it when you (temporarily) want to use a different profile for that scan. Otherwise, use the custom.prf file.
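
The migration step from "Uninstall first" and the load order from "Multiple profiles", as an added example (not part of Lynis or the original post): it pulls the lines you changed in an edited default.prf into custom.prf, then models which value wins when the profiles are layered. The function names, file names and sample settings are constructed, and the model assumes one value per key.

```shell
#!/bin/sh
# Added example, not part of Lynis. Sample settings below are constructed.

# Active lines an edited default.prf has that the stock default.prf lacks:
# the candidates to move into custom.prf before uninstalling.
extract_changes() {   # $1 = stock default.prf, $2 = locally edited copy
    awk 'FILENAME == ARGV[1] { stock[$0] = 1; next }
         /^[ \t]*#/ || /^[ \t]*$/ { next }
         !($0 in stock)' "$1" "$2"
}

# Simplified model of profile layering: read key=value lines from each
# profile in load order; a later profile overrides an earlier one.
# Assumption: one value per key (repeatable settings are not modelled).
effective_settings() {   # args: default.prf custom.prf [extra profile]
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; fi   # custom.prf is optional
    done | awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
        { eq = index($0, "="); if (eq == 0) next
          key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
          if (!(key in seen)) order[++n] = key
          seen[key] = val }
        END { for (i = 1; i <= n; i++) print order[i] "=" seen[order[i]] }'
}

# Constructed demo: build sample profiles in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '# stock profile' 'colors=yes' 'quick=yes' 'machine-role=server' \
    > "$demo_dir/default.prf.stock"
printf '%s\n' '# stock profile' 'colors=no' 'quick=yes' 'machine-role=server' \
    > "$demo_dir/default.prf.edited"
printf '%s\n' 'machine-role=workstation' > "$demo_dir/customer-a.prf"

# Step 1: only the changed line (colors=no) goes into custom.prf.
extract_changes "$demo_dir/default.prf.stock" "$demo_dir/default.prf.edited" \
    > "$demo_dir/custom.prf"
# Step 2: default.prf, then custom.prf, then the per-scan profile.
effective_settings "$demo_dir/default.prf.stock" "$demo_dir/custom.prf" \
    "$demo_dir/customer-a.prf"
rm -rf "$demo_dir"
```

On a real system, compare the result against the output of lynis show settings rather than relying on this model.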

 

 

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.