Upgrading Lynis

Guide to keep your Lynis up-to-date

Why Upgrade?

Staying up-to-date

New versions of Lynis are released on a regular basis. During the last eight years, these updates made Lynis the tool it now is. The result is stability, with rich support for external components. To ensure this stability and support for software components, updates are will be required.

The downside of regular updates is the amount of work needed to keep it up-to-date. This document helps to simplify the upgrade process, and ensure security and quality control.

Upgrade Steps

All upgrade methods are based on three simple steps. It depends on your situation what the best strategy will be per step. So we provide some options, so the best option for any situation can be used.

  • Step 1: Get notified
  • Step 2: Test the new release
  • Step 3: Deployment

Step 1: Get notified

To stay up-to-date, the first step is to know there is an actual update available.

Step 2: Test the new release

Before deploying a new version, we suggest to test it first in your own environment. Great candidates for testing are test, staging or any non-critical systems.

  • Run the 'diff' command on the report file, to see the differences.
  • Collect the log file of previous version and the new one, run a diff after testing

Step 3: Deployment

The final step is deploying the software to the internal systems. It all comes down to what software distribution possibilities are available in your environment. When choosing the right option, look at the one which is the easiest to maintain.

Using package management: Use file transfer protocols: Using configuration management tools:

CISOfy software repository

If your your system uses packages based on DEB or RPM, consider using our software repository. This is the easiest way to stay up-to-date.

Downloading packages

If you would like to use packages in your own repository, you can use a download function of your package manager. The related DEB or RPM files can then be imported in your own internal repository (e.g. Red Hat Satellite)


Systems running Debian, Ubuntu, or a similar Linux distribution, can use the apt command. Older releases might be using apt-get instead.

apt download lynis


For systems running CentOS, Fedora, Scientific Linux, Red Hat Enterprise Linux (RHEL), etc, can use the yumdownloader utility.

yum -y install yum-utils

yumdownloader lynis

Build a custom package (RPM)

Included in our software development kit, there is a Lynis spec file included. This file helps with building a RPM package, which can be used on systems like CentOS, Fedora, openSUSE, and Red Hat Enterprise Linux.

For this example we are using a user 'build'.

Install rpmbuild utility

sudo yum install rpm-build

Create directories:

mkdir -p /home/build/lynis-build/rpmbuild/{BUILD,BUILDROOT,SOURCES,SRPMS}
mkdir -p /home/build/lynis-build/rpmbuild/RPMS/noarch

Update lynis.spec

cd extras

First change the version number in the lynis.spec file.

Download Lynis tarball

Download the latest Lynis tarball (community or enterprise version). After downloading, move this file to /home/build/lynis-build/rpmbuild/SOURCES/lynis-1.2.3.tar.gz. Replace 1.2.3 with the current version number.

Building the RPM

rpmbuild -ba lynis.spec

ls -l /home/build/lynis-build/rpmbuild/RPMS/noarch

Distribution of the RPM

The result should be a fresh RPM file, usuable for installation on your systems. You can push the file to the machine, or install it remotely from an internal web server.

rpm -Uvh https://system.domain.com/packages/lynis-1.2.3-1.noarch.rpm

Experienced any differences during your build process? Share and we help you out.

Download from internal web server

Since Lynis version 2.1.1, updates can be downloaded from a custom defined web server. The related command is lynis update release, which checks the web server and performs an update.

Note: updates are retrieved from one of your internal systems. This is to prevent automatic updates, without testing the software first.

Profile configuration
To use this option, some configuration is needed. First step is changing the profile, so the Lynis client knows where to look.

Lynis also needs to store the current version, allowing it to compare this version with the version on the server. Ensure the local path is configured and set to your local directory.

Note: If you use /usr/local/lynis as directory, just define /usr/local, as the 'lynis' directory is included in the tar ball.


  1. Download the latest Lynis version
  2. Extract it and change your profile (tar xfvz lynis-<version>.tar.gz)
  3. Configure the update_* settings in your profile
  4. Run and test the new version (lynis audit system)
  5. Tar it (cd .. && tar -czf lynis-latest.tar.gz lynis)
  6. Copy the tar ball to the web server
  7. Test if the file can be downloaded by accessing the full URL
  8. Run lynis update release on a test client

Download from NFS mount

If you are using NFS mounts on your systems, you could actually run Lynis directly from that mount point. Another option is to create a cron job and copy the files from the NFS mount point to your local directory.

Rsync or SCP

The distribution of updates can also be done with common utilities like rsync and scp.

One option is to pull, by having all clients fetch the latest package from a central machine.

Another option is to have an active server, which pushes the update to all systems.

When using many systems, consider looking at parallel SCP or parallel rsync, or using the web server approach.

Deploy and Upgrade via Ansible

We have an Ansible playbook for Lynis, which allows installation and upgrading.