With the help of parameters we can alter the behavior of Lynis. Too many parameters would make it hard to use the software. For that reason, Lynis uses audit profiles. Profiles can be compared with a configuration file.
You can recognize an audit profile by its .prf extension. The default profile is named default.prf. Newer versions of Lynis will also use this profile to set their initial values.
The default profile contains settings which are fine for most security scans. If you would like to customize how Lynis runs, do not make changes in this profile. Instead, add them to the file custom.prf. See more details below on how to configure Lynis by using a custom profile.
If you want to confirm which profiles are used, use the "show profiles" command:
    lynis show profiles
You can also see the active settings. Optionally add --brief and --nocolors to show only the settings.
    $ lynis show settings
Note: if this command does not work, your version of Lynis is too old. Upgrade to a newer version.
New versions of Lynis can be configured with a few commands. This makes it easy to combine with configuration management.
Create a custom profile
First create an empty profile, with the name custom.prf:
    touch /etc/lynis/custom.prf
To learn about the available settings, open the default settings file (default.prf). Then copy a preferred option to your custom profile.
Configure settings from the command line
Now you can configure individual settings from the command line.
    lynis configure settings debug=yes
To change multiple settings, use a colon to separate them.
    lynis configure settings debug=yes:quick=yes
Confirm that your new settings are picked up with the show settings command.
    lynis show settings
Using something like Ansible? Have a look at our Ansible examples.
Running Lynis as a cronjob is also possible. For that purpose the --cronjob parameter exists. With this option, all special characters are stripped from the output and the scan runs fully automated (no user intervention needed).
Add the contents of this script to /etc/cron.daily/lynis and create the related paths in the script (/usr/local/lynis and /var/log/lynis).
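An added example, not the script the page refers to and not the project's own code: a minimal daily job that uses --cronjob with the two paths named above. The variable names, the report file naming, the auditor label, the umask and the `$0` guard are assumptions made for this example.

```shell
#!/bin/sh
# Added example: daily Lynis scan, intended for /etc/cron.daily/lynis.
# Paths follow the page; variable names and report naming are illustrative.

LYNIS_DIR="${LYNIS_DIR:-/usr/local/lynis}"   # where the lynis script lives
LOG_DIR="${LOG_DIR:-/var/log/lynis}"         # where dated reports are kept
AUDITOR="${AUDITOR:-automated}"              # label recorded in the report

# Build the dated report path, one file per host per day.
report_path() {
    printf '%s/report-%s.%s\n' "$LOG_DIR" "$(uname -n)" "$(date +%Y%m%d)"
}

run_audit() {
    if [ ! -x "$LYNIS_DIR/lynis" ]; then
        echo "lynis not found in $LYNIS_DIR" >&2
        return 1
    fi
    # Scan output describes the host's weak spots: owner-readable only.
    umask 077
    mkdir -p "$LOG_DIR" || return 1
    report=$(report_path)
    # --cronjob strips special characters and needs no user interaction.
    ( cd "$LYNIS_DIR" && ./lynis audit system --auditor "$AUDITOR" --cronjob ) \
        > "$report" 2>&1
}

# Run only when installed under the name "lynis" (e.g. /etc/cron.daily/lynis),
# so the functions above can also be sourced and checked separately.
case "$0" in
    */lynis) run_audit ;;
esac
```

Settings made in custom.prf apply to this run as well, so `lynis show settings` is a quick way to confirm what the scheduled scan will use.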