mablanco.lynis

Panoramica Versioni Approfondimenti

mablanco.lynis

This Ansible role is used to install Lynis, which is a free tool for checking security. You can install it from its Git repository, the official tar file, or the official Linux packages. It also sets up a weekly security check and sends the report to an email of your choice.

I suggest using the 'git' method to get the newest version. Use the 'tar' method only if the target machine doesn't have a git client. If you want the best fit for your Linux system, choose the 'pkg' method.

Role Variables

  • lynis_deploy_method: The method for installation. Default is 'tar'. Options: 'tar', 'git', 'pkg'. Works with: Debian, Ubuntu, RHEL, Fedora, CentOS, openSuSE, and SLES.
  • lynis_home: Where to install Lynis. Default is '/opt/lynis'
  • lynis_url: Link to download the tar file. Default is 'https://cisofy.com/files'
  • lynis_version: Version of the tar file to download. Default is '2.7.3'
  • lynis_package: Name of the tar file. Default is 'lynis-{{ lynis_version }}.tar.gz'
  • lynis_git_repo: URL for the Git repository. Default is 'https://github.com/CISOfy/lynis'
  • lynis_cron_hour: Hour for the weekly check. Default is '6'.
  • lynis_cron_minute: Minute for the weekly check. Default is '30'.
  • lynis_cron_dow: Day of the week for the weekly check. Default is '7' (Sunday).
  • lynis_report_from: Sender's email for the audit report. No default provided.
  • lynis_report_to: Recipient's email for the audit report. No default provided.
  • lynis_log_expire: Days before logs are deleted. Default is '90'.
  • lynis_tests_to_skip: List of tests to ignore during checks. Default is empty; fill in as needed.

Example Playbook

Here are examples of how to use this role, based on your chosen installation method:

- hosts: lynis-tar
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: tar }

- hosts: lynis-git
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: git }

- hosts: lynis-pkg
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: pkg }

You can also set the lynis_deploy_method variable in your inventory like this:

[lynis-tar]
server01

[lynis-tar:vars]
lynis_deploy_method=tar

If you want to skip specific tests that aren’t relevant for your servers, you can use the lynis_tests_to_skip variable with a list of test codes in the usual places in Ansible, like in the 'vars/main.yml' file:

---
# vars file for mablanco.lynis

lynis_tests_to_skip:
  - SSH-7408
  - KRNL-6000
  - HOME-9350

License

GPLv3

Informazioni sul progetto

Lynis security audit tool deployment

role security
Installa
ansible-galaxy install mablanco.lynis
GitHub repository
11 stelle
2 fork
1 problemi aperti
Licenza
gpl-3.0
Download
208
Proprietario
Marco Antonio Blanco
DevSecOps & Cloud Engineer, FOSS advocate and Agile supporter.