Skip to content

Ansible role to deploy Lynis, a security audit tool

License

Notifications You must be signed in to change notification settings

eccentrixrabbitX/ansible-lynis

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

mablanco.lynis

Ansible role to deploy Lynis, an open source security auditing tool, from either its Git repo, the official tar archive or the official Linux packages. It also schedules a weekly audit whose resulting report is sent to a customizable email account.

I recommend using the 'git' method as it always installs the latest available version, while only using the 'tar' method as a fallback in case the target machine doesn't have a git CLI client available. If you prefer the best integration with your Linux distribution, then you can choose the 'pkg' method.

Role Variables

  • lynis_deploy_method: Deployment method. Defaults to 'tar'. Accepted values: 'tar', 'git', 'pkg'. Currently supported Linux distros: Debian, Ubuntu, RHEL, Fedora, CentOS, openSuSE and SLES.
  • lynis_home: Directory where Lynis will be installed. Defaults to '/opt/lynis'
  • lynis_url: URL to fetch the tar archive from. Defaults to 'https://cisofy.com/files'
  • lynis_version: Version of the tar archive to fetch. Currently defaults to '2.7.3'
  • lynis_package: Name of the tar archive. Defaults to 'lynis-{{ lynis_version }}.tar.gz'
  • lynis_git_repo: Git repo URL. Defaults to 'https://github.com/CISOfy/lynis'
  • lynis_cron_hour: Hour of execution of the cron job. Defaults to '6'.
  • lynis_cron_minute: Minute of execution of the cron job. Defaults to '30'.
  • lynis_cron_dow: Day of week of execution of the cron job. Defaults to '7'.
  • lynis_report_from: Sender email address for the weekly audit report. No valid default.
  • lynis_report_to: Receiver email address for the weekly audit report. No valid default.
  • lynis_log_expire: Days before logs are purged. Defaults to '90'.
  • lynis_tests_to_skip: Tests to skip in the audit runs. No default, fill it in at your convenience with a list of test codes.

Example Playbook

Examples of how to use this role, depending on the deployment method of choice:

- hosts: lynis-tar
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: tar }

- hosts: lynis-git
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: git }

- hosts: lynis-pkg
  roles:
     - { role: mablanco.lynis, lynis_deploy_method: pkg }

You can also use the lynis_deploy_method variable in your inventory as follows:

[lynis-tar]
server01

[lynis-tar:vars]
lynis_deploy_method=tar

If you want to skip tests that make no sense in your servers, you can assign the lynis_tests_to_skip variable with a list of the tests codes in any of the usual places in Ansible. For example, in the 'vars/main.yml' file:

---
# vars file for mablanco.lynis

lynis_tests_to_skip:
  - SSH-7408
  - KRNL-6000
  - HOME-9350

License

GPLv3

About

Ansible role to deploy Lynis, a security audit tool

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Shell 86.8%
  • Jinja 13.2%