Configuration guide for Lynis
With the help of parameters we can alter the behavior of Lynis. Too many parameters would make it hard to use the software. For that reason, Lynis uses audit profiles. Profiles can be compared with a configuration file.
You can recognize an audit profile having the .prf extension. The default profile is named default.prf. Newer versions of Lynis will also use this profile to set its initial values.
The default profile contains settings which are fine for most security scans. If you like to customize how Lynis runs, do not make changes in this profile. Instead, add them to the file custom.prf. See more details below on how to configure Lynis by using a custom profile.
If you want to confirm what profiles are used, use the "show profiles" commandlynis show profiles
You can also see the active settings. Optionally add --brief and --nocolors to show only the settings.lynis show settings
Note: if this command does not work, your version of Lynis is too old. Upgrade to a newer version.
Configuration and Automation
New versions of Lynis can be configured with a few commands. This makes it easy to combine with configuration management.
Create a custom profile
First create an empty profile, with the name custom.prftouch /etc/lynis/custom.prf
To learn about the available settings, open the default settings file (default.prf). Then copy a preferred option to your custom profile.
Configure settings from the command line
Now you can configure individual settings from the command line.lynis configure settings debug=yes
To change multiple settings, use a colon to separate them.lynis configure settings debug=yes:quick=yes
Confirm that your new settings are picked up with the show settings command.lynis show settings
Using something like Ansible? Have a look at our Ansible examples.
Running Lynis as a cronjob is also possible. For that purpose the --cronjob parameter exists. By adding this option all special chars will be stripped from the output and the scan will be run completely automated (no user intervention needed).
Add the contents of this script to /etc/cron.daily/lynis and create the related paths in the script (/usr/local/lynis and /var/log/lynis).
- If you only want to see the warnings while running Lynis as a cronjob, use the options --cronjob and --quiet together.
- The profile option 'pause_between_tests' can be used to increase the wait time between tests. This might be used to decrease the load on the machine slightly. Please note that a small delay between the tests will result in taking the scan (much) longer to finish.
- If you want to sync the report file to a central host, you could write a small script to run Lynis and sync/copy the report file afterwards.
- Are you using Lynis Enterprise? Upload the data automatically by adding --upload to the 'lynis audit system' command. Define your upload server and license in custom.prf.