Upgrading Lynis

Guide to keep your Lynis up-to-date




Why Upgrade?

Staying up-to-date

New versions of Lynis are released on a regular basis. During the last eight years, these updates made Lynis the tool it now is. The result is stability, with rich support for external components. To ensure this stability and support for software components, updates will be required.

The downside of regular updates is the amount of work needed to keep it up-to-date. This document helps to simplify the upgrade process, and ensure security and quality control.


Upgrade Steps

All upgrade methods are based on three simple steps. The best strategy for each step depends on your situation, so we provide several options to choose from.

  • Step 1: Get notified
  • Step 2: Test the new release
  • Step 3: Deployment

Step 1: Get notified

To stay up-to-date, the first step is to know there is an actual update available.


Step 2: Test the new release

Before deploying a new version, we suggest testing it first in your own environment. Good candidates for testing are test, staging, or other non-critical systems.

Tips:
  • Run the 'diff' command on the report files of the previous and the new version, to see the differences.
  • Collect the log file of the previous version and of the new one, and run a diff after testing.
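
The report comparison from the tips above, as an added example (not part of Lynis or of the original guide). It assumes the report is a key=value file and that the key names in VOLATILE_KEYS match your report; the sample reports and DEMO-* identifiers are constructed.

```bash
#!/usr/bin/env bash
# Compare the report files written by the previous and the new Lynis release.

# Keys that differ on every run and would only add noise (assumed key names).
VOLATILE_KEYS='^(report_datetime_start|report_datetime_end|lynis_version)='

# Print a report without comments and volatile keys, sorted for comm(1).
normalize_report() {
    grep -Ev "$VOLATILE_KEYS" "$1" | grep -v '^#' | LC_ALL=C sort -u
}

# "+ line" = only in the new report ($2), "- line" = only in the old one ($1).
report_changes() {
    local old new
    old=$(mktemp); new=$(mktemp)
    normalize_report "$1" > "$old"
    normalize_report "$2" > "$new"
    LC_ALL=C comm -13 "$old" "$new" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$old" "$new" | sed 's/^/- /'
    rm -f "$old" "$new"
}

# Warnings and suggestions that appear only with the new release.
new_findings() {
    report_changes "$1" "$2" | grep -E '^\+ (warning|suggestion)\[\]=' || true
}

# Constructed sample reports (DEMO-* test IDs and all values are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/old.dat" <<'EOF'
# Lynis Report
report_datetime_start=2024-01-01 10:00:00
lynis_version=1.2.3
hardening_index=65
warning[]=DEMO-0001|Constructed warning reported by both releases|-|-|
suggestion[]=DEMO-0002|Constructed suggestion only the old release reports|-|-|
EOF
cat > "$demo_dir/new.dat" <<'EOF'
# Lynis Report
report_datetime_start=2024-02-01 10:00:00
lynis_version=1.2.4
hardening_index=67
warning[]=DEMO-0001|Constructed warning reported by both releases|-|-|
suggestion[]=DEMO-0003|Constructed suggestion added by the new release|-|-|
EOF
report_changes "$demo_dir/old.dat" "$demo_dir/new.dat"
```

A finding that disappears in the new release deserves the same attention as one that appears, since a test may have been renamed or removed rather than fixed.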

Step 3: Deployment

The final step is deploying the software to the internal systems. It all comes down to what software distribution possibilities are available in your environment. When choosing the right option, look at the one which is the easiest to maintain.

  • Using package management
  • Use file transfer protocols
  • Using configuration management tools


CISOfy software repository

If your system uses packages based on DEB or RPM, consider using our software repository. This is the easiest way to stay up-to-date.

Downloading packages

If you would like to use packages in your own repository, you can use the download function of your package manager. The related DEB or RPM files can then be imported into your own internal repository (e.g. Red Hat Satellite).

DEB

Systems running Debian, Ubuntu, or a similar Linux distribution, can use the apt command. Older releases might be using apt-get instead.

apt download lynis

RPM

Systems running CentOS, Fedora, Scientific Linux, Red Hat Enterprise Linux (RHEL), etc. can use the yumdownloader utility.

yum -y install yum-utils

yumdownloader lynis


Build a custom package (RPM)

Our software development kit includes a Lynis spec file. This file helps with building an RPM package, which can be used on systems like CentOS, Fedora, openSUSE, and Red Hat Enterprise Linux.

For this example we are using a user 'build'.

Install rpmbuild utility

sudo yum install rpm-build

Create directories:

mkdir -p /home/build/lynis-build/rpmbuild/{BUILD,BUILDROOT,SOURCES,SRPMS}
mkdir -p /home/build/lynis-build/rpmbuild/RPMS/noarch

Update lynis.spec

cd extras

First change the version number in the lynis.spec file.

Download Lynis tarball

Download the latest Lynis tarball (community or enterprise version). After downloading, move this file to /home/build/lynis-build/rpmbuild/SOURCES/lynis-1.2.3.tar.gz. Replace 1.2.3 with the current version number.

Building the RPM

rpmbuild -ba lynis.spec

ls -l /home/build/lynis-build/rpmbuild/RPMS/noarch

Distribution of the RPM

The result should be a fresh RPM file, usable for installation on your systems. You can push the file to the machine, or install it remotely from an internal web server.

rpm -Uvh https://system.domain.com/packages/lynis-1.2.3-1.noarch.rpm

Experienced any differences during your build process? Share them and we will help you out.


Download from internal web server

Since Lynis version 2.1.1, updates can be downloaded from a custom defined web server. The related command is lynis update release, which checks the web server and performs an update.

Note: updates are retrieved from one of your internal systems. This is to prevent automatic updates without testing the software first.

Profile configuration
To use this option, some configuration is needed. The first step is changing the profile, so the Lynis client knows where to look.

Lynis also needs to store the current version, allowing it to compare this version with the version on the server. Ensure the local path is configured and set to your local directory.

Note: If you use /usr/local/lynis as the directory, just define /usr/local, as the 'lynis' directory is included in the tarball.

Steps:

  1. Download the latest Lynis version
  2. Extract it and change your profile (tar xfvz lynis-<version>.tar.gz)
  3. Configure the update_* settings in your profile
  4. Run and test the new version (lynis audit system)
  5. Tar it (cd .. && tar -czf lynis-latest.tar.gz lynis)
  6. Copy the tarball to the web server
  7. Test if the file can be downloaded by accessing the full URL
  8. Run lynis update release on a test client
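
A check a client could run between steps 7 and 8, before unpacking the downloaded tarball (an added example, not part of Lynis or of the original guide): it verifies a SHA-256 digest and confirms that everything in the archive sits under the 'lynis' directory mentioned in the note above. The function names, the .sha256 file and the stub archive are assumptions; the digest file should reach clients over a channel other than the web server that hosts the tarball.

```bash
#!/usr/bin/env bash
# Integrity and layout checks for the lynis-latest.tar.gz handed to clients.

# Build side (after step 5): record the SHA-256 digest next to the tarball.
publish_checksum() {                      # $1 = path to tarball
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Client side, before unpacking: prints "ok" and returns 0 only when the digest
# matches and every archive member sits below the top-level lynis/ directory.
verify_tarball() {                        # $1 = tarball, $2 = trusted .sha256 file
    local sum
    sum="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    if ! ( cd "$(dirname "$1")" && sha256sum -c "$sum" >/dev/null 2>&1 ); then
        echo "checksum mismatch"; return 1
    fi
    if tar -tzf "$1" | grep -Ev '^lynis(/|$)' | grep -q .; then
        echo "unexpected path in archive"; return 1
    fi
    if tar -tzf "$1" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "path traversal in archive"; return 1
    fi
    echo "ok"
}

# Constructed demo data: a stub "lynis" tree, not a real release.
work=$(mktemp -d)
mkdir -p "$work/src/lynis" "$work/bad"
echo 'echo stub' > "$work/src/lynis/lynis"
echo 'echo extra' > "$work/src/extra.sh"
( cd "$work/src" && tar -czf ../lynis-latest.tar.gz lynis )
( cd "$work/src" && tar -czf ../bad/lynis-latest.tar.gz lynis extra.sh )
publish_checksum "$work/lynis-latest.tar.gz"

verify_tarball "$work/lynis-latest.tar.gz" "$work/lynis-latest.tar.gz.sha256"
# A tarball with the same name but other content fails against the known digest.
verify_tarball "$work/bad/lynis-latest.tar.gz" "$work/lynis-latest.tar.gz.sha256" || true
```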

Download from NFS mount

If you are using NFS mounts on your systems, you could actually run Lynis directly from that mount point. Another option is to create a cron job and copy the files from the NFS mount point to your local directory.


Rsync or SCP

The distribution of updates can also be done with common utilities like rsync and scp.

Pull
One option is to pull, by having all clients fetch the latest package from a central machine.

Push
Another option is to have an active server, which pushes the update to all systems.

When managing many systems, consider looking at parallel SCP or parallel rsync, or using the web server approach.


Deploy and Upgrade via Ansible

We have an Ansible playbook for Lynis, which allows installation and upgrading.