Lynis Configuration
Configuration guide for Lynis
Lynis Profiles
With the help of parameters we can alter the behavior of Lynis. Too many parameters would make it hard to use the software. For that reason, Lynis uses audit profiles. Profiles can be compared with a configuration file.
Default profile
You can recognize an audit profile having the .prf extension. The default profile is named default.prf. Newer versions of Lynis will also use this profile to set its initial values.
Making changes
The default profile contains settings which are fine for most security scans. If you like to customize how Lynis runs, do not make changes in this profile. Instead, add them to the file custom.prf. See more details below on how to configure Lynis by using a custom profile.
If you want to confirm which profiles are used, use the "show profiles" command:
lynis show profiles
You can also see the active settings. Optionally add --brief and --nocolors to show only the settings.
lynis show settings
Note: if this command does not work, your version of Lynis is too old. Upgrade to a newer version.
Configuration and Automation
New versions of Lynis can be configured with a few commands. This makes it easy to combine with configuration management.
Create a custom profile
First create an empty profile with the name custom.prf:
touch /etc/lynis/custom.prf
To learn about the available settings, open the default settings file (default.prf). Then copy a preferred option to your custom profile.
Configure settings from the command line
Now you can configure individual settings from the command line.
lynis configure settings debug=yes
To change multiple settings, use a colon to separate them.
lynis configure settings debug=yes:quick=yes
Confirm that your new settings are picked up with the show settings command.
lynis show settings
Using something like Ansible? Have a look at our Ansible examples.
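The two commands above write plain key=value lines into custom.prf. The following added example (not part of Lynis or its documentation) does the same job without the lynis binary, so a configuration management tool can lay down settings before Lynis is installed or on hosts where "lynis configure" is not available. It assumes only what default.prf shows: one setting per line as key=value, lines starting with # are comments, and multiple settings are separated by a colon as in the command above. The function names apply_settings and get_setting are this example's own.

```shell
#!/bin/sh
# Added example: apply "key=value:key=value" settings to a Lynis custom profile.
# Assumed profile format (as in default.prf): key=value per line, '#' comments.
set -u

# apply_settings PROFILE "debug=yes:quick=yes"
# Replaces an existing line for the same key, appends otherwise, so repeated
# runs from configuration management leave the file unchanged (idempotent).
apply_settings() {
    profile=$1
    settings=$2
    tmp="${profile}.tmp.$$"
    [ -f "$profile" ] || : > "$profile"
    old_ifs=$IFS
    IFS=':'                      # same separator "lynis configure settings" uses
    for pair in $settings; do
        IFS=$old_ifs
        case "$pair" in
            *=*) ;;
            *) echo "missing '=' in setting: '$pair'" >&2; return 1 ;;
        esac
        key=${pair%%=*}
        value=${pair#*=}
        # Only allow characters that occur in profile option names; this also
        # keeps the key safe to use in the grep pattern below.
        case "$key" in
            ''|*[!A-Za-z0-9_-]*) echo "invalid setting name: '$key'" >&2; return 1 ;;
        esac
        if grep -q "^${key}=" "$profile"; then
            # Rewrite the existing line; only the first '=' delimits the key.
            awk -v k="$key" -v v="$value" 'BEGIN { FS = OFS = "=" } $1 == k { $0 = k "=" v } { print }' \
                "$profile" > "$tmp" && mv "$tmp" "$profile"
        else
            printf '%s=%s\n' "$key" "$value" >> "$profile"
        fi
    done
    IFS=$old_ifs
}

# get_setting PROFILE KEY -> prints the value of KEY (empty if unset)
get_setting() {
    awk -v k="$2" -F= '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Usage (constructed demo on a temporary file instead of /etc/lynis/custom.prf):
demo=$(mktemp)
apply_settings "$demo" "debug=yes:quick=yes"
apply_settings "$demo" "debug=no"
echo "debug is now: $(get_setting "$demo" debug)"   # prints: debug is now: no
cat "$demo"
rm -f "$demo"
```

Run it as a normal user against a temporary file first; only point it at /etc/lynis/custom.prf once the output looks right, and verify the result with lynis show settings.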
Lynis cronjob
Running Lynis as a cronjob is also possible. For that purpose the --cronjob parameter exists. By adding this option all special characters will be stripped from the output and the scan will run completely automated (no user intervention needed).
Example:
#!/bin/sh
set -u
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"
# Stop if the Lynis directory does not exist, instead of running from the wrong place
cd /usr/local/lynis || exit 1
# Run Lynis (quoted paths so a hostname with spaces does not break the command)
./lynis audit system --cronjob > "${REPORT}"
# Optional step: Move report file if it exists
if [ -f /var/log/lynis-report.dat ]; then
    mv /var/log/lynis-report.dat "${DATA}"
fi
# The End
Add the contents of this script to /etc/cron.daily/lynis and create the related paths in the script (/usr/local/lynis and /var/log/lynis).
Tips:
- If you only want to see the warnings while running Lynis as a cronjob, use the options --cronjob and --quiet together.
- The profile option 'pause_between_tests' can be used to increase the wait time between tests. This can be used to slightly decrease the load on the machine. Please note that even a small delay between the tests will make the scan take (much) longer to finish.
- If you want to sync the report file to a central host, you could write a small script to run Lynis and sync/copy the report file afterwards.
- Are you using Lynis Enterprise? Upload the data automatically by adding --upload to the 'lynis audit system' command. Define your upload server and license in custom.prf.
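The cronjob script above moves lynis-report.dat aside, and the tips mention reviewing only the warnings and shipping the data to a central host. The added example below (not part of Lynis or its documentation) shows a small post-processing step for that data file: it counts the warnings, prints them as "TEST-ID: message" and reads the hardening index, so the cronjob can decide whether anything needs attention before syncing. It relies on lynis-report.dat using warning[]= and suggestion[]= lines with |-separated fields and a hardening_index= line; the exact order of the fields after the message is assumed, and the sample file, its test IDs and messages are constructed for this example.

```shell
#!/bin/sh
# Added example: summarize a lynis-report.dat file after a --cronjob run.
# Assumed line formats: "warning[]=TEST-ID|message|details|solution|",
#                       "suggestion[]=TEST-ID|message|...", "hardening_index=NN".
set -u

# Constructed sample of a report data file (not real Lynis output).
SAMPLE_REPORT='# constructed sample, not real Lynis output
hostname=example-host
hardening_index=65
warning[]=EXAMPLE-0001|Example warning one|text:constructed detail|-|
warning[]=EXAMPLE-0002|Example warning two|-|-|
suggestion[]=EXAMPLE-0003|Example suggestion|-|-|'

# count_warnings FILE -> number of warning[] lines (0 when none; grep -c exits 1 then)
count_warnings() {
    grep -c '^warning\[\]=' "$1" || true
}

# list_warnings FILE -> one "TEST-ID: message" line per warning
list_warnings() {
    awk -F'|' '/^warning\[\]=/ { sub(/^warning\[\]=/, "", $1); print $1 ": " $2 }' "$1"
}

# hardening_index FILE -> the hardening index value (empty if absent)
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# report_summary FILE -> prints a short summary; returns 1 when warnings exist,
# so a cronjob can use the exit status to decide whether to mail or alert.
report_summary() {
    n=$(count_warnings "$1")
    echo "host: $(sed -n 's/^hostname=//p' "$1")  hardening index: $(hardening_index "$1")  warnings: $n"
    list_warnings "$1"
    [ "$n" -eq 0 ]
}

# Usage: write the constructed sample to a temporary file and summarize it.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_REPORT" > "$demo"
report_summary "$demo" || echo "warnings found, review before syncing"
rm -f "$demo"
```

In the cronjob script this would run on "${DATA}" right after the mv step; a non-zero exit from report_summary is the point where a mail or a copy to the central host can be triggered.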