lynis

Overview Versions Insights

mablanco.lynis

Ansible role to deploy Lynis, an open source security auditing tool, from either its Git repo, the official tar archive or the official Linux packages. It also schedules a weekly audit whose resulting report is sent to a customizable email account.

I recommend using the 'git' method as it always installs the latest available version, while only using the 'tar' method as a fallback in case the target machine doesn't have a git CLI client available. If you prefer the best integration with your Linux distribution, then you can choose the 'pkg' method.

Role Variables

  • lynis_deploy_method: Deployment method. Defaults to 'tar'. Accepted values: 'tar', 'git', 'pkg'. Currently supported Linux distros: Debian, Ubuntu, RHEL, Fedora, CentOS, openSuSE and SLES.
  • lynis_home: Directory where Lynis will be installed. Defaults to '/opt/lynis'
  • lynis_url: URL to fetch the tar archive from. Defaults to 'https://cisofy.com/files'
  • lynis_version: Version of the tar archive to fetch. Currently defaults to '2.7.3'
  • lynis_package: Name of the tar archive. Defaults to 'lynis-{{ lynis_version }}.tar.gz'
  • lynis_git_repo: Git repo URL. Defaults to 'https://github.com/CISOfy/lynis'
  • lynis_cron_hour: Hour of execution of the cron job. Defaults to '6'.
  • lynis_cron_minute: Minute of execution of the cron job. Defaults to '30'.
  • lynis_cron_dow: Day of week of execution of the cron job. Defaults to '7'.
  • lynis_report_from: Sender email address for the weekly audit report. No valid default.
  • lynis_report_to: Receiver email address for the weekly audit report. No valid default.
  • lynis_log_expire: Days before logs are purged. Defaults to '90'.
  • lynis_tests_to_skip: Tests to skip in the audit runs. No default, fill it in at your convenience with a list of test codes.

Example Playbook

Examples of how to use this role, depending on the deployment method of choice:

- hosts: lynis-tar
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: tar }

- hosts: lynis-git
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: git }

- hosts: lynis-pkg
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: pkg }

You can also use the lynis_deploy_method variable in your inventory as follows:

[lynis-tar]
server01

[lynis-tar:vars]
lynis_deploy_method=tar

If you want to skip tests that make no sense in your servers, you can assign the lynis_tests_to_skip variable with a list of the tests codes in any of the usual places in Ansible. For example, in the 'vars/main.yml' file:

---
# vars file for mablanco.lynis

lynis_tests_to_skip:
  - SSH-7408
  - KRNL-6000
  - HOME-9350

License

GPLv3

About

Lynis security audit tool deployment

role security
Install
ansible-galaxy install mablanco/ansible-lynis
GitHub repository
11 stars
2 forks
1 open issues
License
gpl-3.0
Downloads
144
Owner
Marco Antonio Blanco
DevSecOps & Cloud Engineer, FOSS advocate and Agile supporter.