lynis

mablanco.lynis

Ansible role to deploy Lynis, an open source security auditing tool, from either its Git repo, the official tar archive or the official Linux packages. It also schedules a weekly audit whose resulting report is sent to a customizable email account.

I recommend using the 'git' method as it always installs the latest available version, while only using the 'tar' method as a fallback in case the target machine doesn't have a git CLI client available. If you prefer the best integration with your Linux distribution, then you can choose the 'pkg' method.

Role Variables

  • lynis_deploy_method: Deployment method. Defaults to 'tar'. Accepted values: 'tar', 'git', 'pkg'. Currently supported Linux distros: Debian, Ubuntu, RHEL, Fedora, CentOS, openSuSE and SLES.
  • lynis_home: Directory where Lynis will be installed. Defaults to '/opt/lynis'
  • lynis_url: URL to fetch the tar archive from. Defaults to 'https://cisofy.com/files'
  • lynis_version: Version of the tar archive to fetch. Currently defaults to '2.7.3'
  • lynis_package: Name of the tar archive. Defaults to 'lynis-{{ lynis_version }}.tar.gz'
  • lynis_git_repo: Git repo URL. Defaults to 'https://github.com/CISOfy/lynis'
  • lynis_cron_hour: Hour of execution of the cron job. Defaults to '6'.
  • lynis_cron_minute: Minute of execution of the cron job. Defaults to '30'.
  • lynis_cron_dow: Day of week of execution of the cron job. Defaults to '7'.
  • lynis_report_from: Sender email address for the weekly audit report. No valid default.
  • lynis_report_to: Receiver email address for the weekly audit report. No valid default.
  • lynis_log_expire: Days before logs are purged. Defaults to '90'.
  • lynis_tests_to_skip: Tests to skip in the audit runs. No default, fill it in at your convenience with a list of test codes.

Example Playbook

Examples of how to use this role, depending on the deployment method of choice:

- hosts: lynis-tar
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: tar }

- hosts: lynis-git
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: git }

- hosts: lynis-pkg
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: pkg }

You can also use the lynis_deploy_method variable in your inventory as follows:

[lynis-tar]
server01

[lynis-tar:vars]
lynis_deploy_method=tar

If you want to skip tests that make no sense in your servers, you can assign the lynis_tests_to_skip variable with a list of the tests codes in any of the usual places in Ansible. For example, in the 'vars/main.yml' file:

---
# vars file for mablanco.lynis

lynis_tests_to_skip:
  - SSH-7408
  - KRNL-6000
  - HOME-9350

License

GPLv3

About

Lynis security audit tool deployment

Install
ansible-galaxy install mablanco/ansible-lynis
GitHub repository
License
gpl-3.0
Downloads
147
Owner
DevSecOps & Cloud Engineer, FOSS advocate and Agile supporter.