Lynis Collector

Lynis Collector is a small utility to help with batch uploads of Lynis report files. A typical use-case is auditors who received report files from their customers. It is also useful for companies who want to restrict the number of outgoing connections. In this case the system running the Lynis Collector becomes a proxy. Only this system needs outgoing connectivity (directly, or via a HTTP proxy).

Lynis Collector is only available for customers of Lynis Enterprise.

Installation

Download

Download the Lynis Collector package from the software repository that is available to users of Lynis Enterprise.

Create user

We suggest creating a non-privileged user to collect the data. In the examples here we will make use of the user 'lynis'.

adduser lynis

Create directories

The next step is creating the related directories to store all information:

mkdir -p /home/lynis/lynis-collector/{new,processed}

Configuration

Location

Initially there is no configuration file. This way the program can detect a first-time user of the software component.

The configuration file is /etc/lynis/lynis-collector.conf

Root directory

First configure the directory where all data will be stored. This is the root directory and it will contain the 'new' and 'processed' directories.

root-dir=/home/lynis/lynis-collector

Data server

The second thing to configure is the server which will receive the data files from the Collector. This is the data-server setting.

data-server=portal.example.com

License key

The license key used for the upload is taken from the report file. It therefore has to be configured on the client systems, which is done via the /etc/lynis/custom.prf file. Example: license-key=abcd-abcd-abcd-abcd

Debug mode

Especially when configuring the tool, it is useful to enable debug mode. This can be done with the debug setting.

debug=1

Self-signed certificates

When using a self-signed certificate on the Enterprise node, change the curl-options setting and allow 'insecure' connections.

curl-options=--insecure

Collecting data

The next step is receiving the data and pushing it into the 'new' directory (default: /usr/local/lynis-collector/new). This can be achieved in different ways. It depends on your personal preferences and how your network is configured.

Common options to receive the data are:

  • SCP
  • SFTP
  • Samba
  • POST upload via Apache/nginx

Example: Lynis Collector using SCP

If you push data from the client (e.g. with a daily cronjob), then SCP could be a good option.

  1. Create a non-privileged user on your receiving system (e.g. lynis)
  2. Restrict access by using the scponly shell and set up key-based authentication
  3. Create a lynis-upload directory (mkdir /home/lynis/lynis-upload)
  4. Run the scp command on the audited system and copy the data to the Lynis Collector system

Tips

  • Do not use insecure protocols like FTP
  • When importing many files, rename the lynis-report.dat to something unique (e.g. lynis-report-$(date "+%s%N").dat)
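Putting the SCP steps and the unique-name tip together, here is an added client-side push script for the audited system (example code, not part of the Lynis Collector documentation). The collector hostname, key path, report location and the `run` argument are assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example: push one Lynis report to the collector over SCP.
# Defaults below are assumptions, override them via the environment.
set -eu

REPORT_FILE="${REPORT_FILE:-/var/log/lynis-report.dat}"   # assumed report location
COLLECTOR_HOST="${COLLECTOR_HOST:-collector.example.com}" # assumed collector hostname
COLLECTOR_USER="${COLLECTOR_USER:-lynis}"                 # non-privileged user from step 1
UPLOAD_DIR="${UPLOAD_DIR:-/home/lynis/lynis-upload}"      # directory created in step 3
SSH_KEY="${SSH_KEY:-/root/.ssh/lynis-upload}"             # key from step 2 (assumed path)
SCP_CMD="${SCP_CMD:-scp}"                                 # override (e.g. echo) for dry runs

# Unique destination name as in the tip above. %N is GNU-only; when date
# prints a literal 'N' instead, fall back to seconds plus the PID.
unique_report_name() {
  ts=$(date "+%s%N")
  case $ts in
    *[!0-9]*) ts="$(date +%s)$$" ;;
  esac
  printf 'lynis-report-%s.dat\n' "$ts"
}

# Copy one report into the collector's upload directory.
# BatchMode=yes makes scp fail instead of prompting for a password, so a
# cronjob with a broken key setup cannot hang. StrictHostKeyChecking=yes
# means the collector's host key must already be in known_hosts.
upload_report() {
  src=$1
  [ -s "$src" ] || { echo "report $src missing or empty" >&2; return 1; }
  dest="${COLLECTOR_USER}@${COLLECTOR_HOST}:${UPLOAD_DIR}/$(unique_report_name)"
  "$SCP_CMD" -q -i "$SSH_KEY" \
    -o BatchMode=yes \
    -o StrictHostKeyChecking=yes \
    "$src" "$dest"
}

# Cron entry (assumed): 0 6 * * * /usr/local/sbin/push-lynis-report.sh run
if [ "${1:-}" = "run" ]; then
  upload_report "$REPORT_FILE"
fi
```

Run the audit before the upload in the same cron job so the freshest lynis-report.dat is pushed, and make sure the key is restricted to the scponly shell on the collector side as described in step 2.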

Uploading data

When the first file is copied to the new directory, run the lynis-collector tool with --debug, so it shows the result of the steps.

./lynis-collector upload --debug