Lynis Enterprise - Self-hosted on Alma Linux 8
Requirements
- Virtual machine
- 2 GB memory or more
- Disk partitioning with at least 10 GB free space
Preparation steps
New system
Use a new (virtual) machine as the installer will make changes to its configuration. Use the latest version of the selected operating system.
Hostname and domain configuration
Ensure that the hostname and domain are both correct. Both are used to configure the application components.
Change /etc/hostname and /etc/hosts to properly configure the system.
Tips:
- Add a 127.0.1.1 entry linked to the fully qualified domain name (FQDN), followed by just the hostname. Example:
127.0.1.1 lynis.example.com lynis
- Confirm that the system has a domain name configured. Command:
hostname -d
After making changes, reboot the system to make sure that all is good.
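The two checks above (a 127.0.1.1 line with the FQDN first and the short hostname second, and a configured domain) can be verified before rebooting. The script below is an added example and not part of the Lynis Enterprise documentation; the function names check_hosts_line and fqdn_domain and the sample hosts-file contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Lynis Enterprise guide): validate the hostname
# preparation step. Function names and sample data are assumptions.

# fqdn_domain FQDN -> prints the domain part (what `hostname -d` reports);
# returns 1 when the name has no dot, i.e. no domain is configured.
fqdn_domain() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   return 1 ;;
    esac
}

# check_hosts_line HOSTS_TEXT FQDN -> returns 0 when a line of the form
# "127.0.1.1 <FQDN> <shortname>" is present; extra whitespace is tolerated,
# but the order (FQDN before short name) is enforced.
check_hosts_line() {
    hosts_text=$1
    fqdn=$2
    short=${fqdn%%.*}
    printf '%s\n' "$hosts_text" | awk -v fqdn="$fqdn" -v short="$short" '
        $1 == "127.0.1.1" && $2 == fqdn && $3 == short { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of a correct /etc/hosts
SAMPLE_GOOD='127.0.0.1   localhost
127.0.1.1   lynis.example.com lynis'

# Constructed sample with the names in the wrong order (a common mistake)
SAMPLE_BAD='127.0.0.1   localhost
127.0.1.1   lynis lynis.example.com'

# On a live system you would run:
#   check_hosts_line "$(cat /etc/hosts)" "$(hostname -f)" && fqdn_domain "$(hostname -f)"
```

The order matters because glibc returns the first name on the matching line as the canonical name, which is what `hostname -f` and the installer rely on.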
Create /data partition
Create a /data directory or dedicated partition. When using a partition, ensure it has at least 10 GB of space. Usage of LVM is suggested, so the partition can be extended later.
This directory is used to store the software components.
Firewall preparation
When iptables/ufw is available, allow incoming connections to HTTP and HTTPS. HTTP is only used for the convenience of users and redirects them to HTTPS automatically.
Postfix or MTA configuration
Configure a local MTA (like Postfix), allowing the system to send emails.
PostgreSQL 15
The PostgreSQL version in the default Alma Linux repositories is too old, so add the PostgreSQL community repository:
dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Disable the default version (the module stream):
dnf -qy module disable postgresql
Install PostgreSQL 15:
dnf install -y postgresql15 postgresql15-server
Configure initial database setup:
/usr/pgsql-15/bin/postgresql-15-setup initdb
Create an alias, so the service can also be addressed as postgresql.service:
systemctl edit postgresql-15.service
[Install]
Alias=postgresql.service
Save this file.
Enable and start the service:
systemctl enable --now postgresql-15.service
SELinux
By default, port 8081 is already assigned to another SELinux port type, so it has to be modified (-m) to http_port_t rather than added as a new mapping.
semanage port -m -t http_port_t -p tcp 8081
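Whether a port needs `-m` (modify an existing mapping) or `-a` (add a new one) can be decided from the output of `semanage port -l`. The script below is an added example, not part of the Lynis Enterprise documentation: it parses such a listing (including port ranges), reports which type owns a port, and prints the semanage command that applies. The sample listing is constructed, and the type shown as owner of 8081 is an assumption made for the example.

```shell
#!/bin/sh
# Added example (not from the Lynis Enterprise guide). Function names and the
# sample listing below are assumptions made for this example.

# selinux_port_type LISTING PORT PROTO -> prints the SELinux type(s) that own
# PORT/PROTO in a `semanage port -l` style listing ("type proto p1, p2, a-b");
# prints nothing when the port is not assigned.
selinux_port_type() {
    printf '%s\n' "$1" | awk -v port="$2" -v proto="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /^[0-9]+-[0-9]+$/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) print $1
                } else if (p == port) {
                    print $1
                }
            }
        }'
}

# semanage_action LISTING PORT PROTO WANTED_TYPE -> prints the semanage port
# command needed: -a when the port is unassigned, -m when another type owns
# it, nothing when WANTED_TYPE already owns it.
semanage_action() {
    owner=$(selinux_port_type "$1" "$2" "$3")
    if [ -z "$owner" ]; then
        printf 'semanage port -a -t %s -p %s %s\n' "$4" "$3" "$2"
    elif printf '%s\n' "$owner" | grep -qx "$4"; then
        :   # already mapped to the wanted type, nothing to do
    else
        printf 'semanage port -m -t %s -p %s %s\n' "$4" "$3" "$2"
    fi
}

# Constructed, abbreviated listing in the format of `semanage port -l`.
# The owner of 8081 shown here is an assumption for the example.
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
transproxy_port_t              tcp      8081
ephemeral_port_t               tcp      32768-60999
dns_port_t                     udp      53'

# On a live system: semanage_action "$(semanage port -l)" 8081 tcp http_port_t
```

Running `semanage port -a` on a port that already has a type fails with "already defined", which is why the guide uses `-m` for 8081; the helper makes that decision explicit instead of relying on the error.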
Reboot
If the system did not have a reboot yet, this is a good moment to ensure all is well before doing the installation.
Installation
Configure the software repository
Create a new file: /etc/yum.repos.d/cisofy-lynis-enterprise.repo
With the contents:
[lynis-enterprise]
name=CISOfy Software - Lynis Enterprise packages
baseurl=https://packages.cisofy.com/customers/LICENSE/lynis-enterprise/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
Important note: replace LICENSE with the actual master license key.
Update repositories
dnf makecache
Install the Lynis Enterprise Updater
dnf install lynis-enterprise-updater
Lynis Enterprise Installation
Now run the Updater utility.
lynis-updater install
During the execution of the installer, it will ask you for basic information, like an e-mail address and license number. Use the master key as mentioned before.
Add repository and install the Updater (Debian/Ubuntu, apt-based systems)
Install HTTPS transport
apt install apt-transport-https
Note: this package might already be installed
Import key
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
Configure the software repository
echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/customers/LICENSE/lynis-enterprise/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis-enterprise.list
Important note: replace LICENSE with the actual master license key.
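Both repository definitions above (the dnf .repo file and the apt sources line) contain the LICENSE placeholder that must be replaced, and both rely on signature checking. The script below is an added example and not part of the Lynis Enterprise documentation: it renders either definition from a license key, refuses to write a file while the placeholder is still in place, and verifies the result. Function names, the default output path argument and the sample key are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Lynis Enterprise guide). Function names and the
# sample key are assumptions; repository contents follow the guide verbatim.

# license_key_ok KEY -> 0 when KEY is usable in a URL path; rejects an empty
# value, the literal placeholder LICENSE, and characters that would break the
# baseurl (slash, whitespace).
license_key_ok() {
    case "$1" in
        ""|LICENSE)          return 1 ;;
        */*|*" "*|*"	"*)  return 1 ;;
    esac
}

# render_rpm_repo KEY -> prints the dnf repository file with KEY substituted.
render_rpm_repo() {
    license_key_ok "$1" || return 1
    cat <<EOF
[lynis-enterprise]
name=CISOfy Software - Lynis Enterprise packages
baseurl=https://packages.cisofy.com/customers/$1/lynis-enterprise/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
EOF
}

# render_deb_source KEY -> prints the apt sources.list line with KEY substituted.
render_deb_source() {
    license_key_ok "$1" || return 1
    printf 'deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/customers/%s/lynis-enterprise/deb/ stable main\n' "$1"
}

# write_rpm_repo KEY [PATH] -> renders the file to PATH (default: the path the
# guide uses) with mode 0644, but only after the key passed validation.
write_rpm_repo() {
    path=${2:-/etc/yum.repos.d/cisofy-lynis-enterprise.repo}
    content=$(render_rpm_repo "$1") || return 1
    umask 022
    printf '%s\n' "$content" > "$path"
}

# verify_rpm_repo PATH -> 0 when signature checking is enabled, the baseurl
# uses https, and no placeholder is left in the file.
verify_rpm_repo() {
    grep -qx 'gpgcheck=1' "$1" &&
    grep -q '^baseurl=https://' "$1" &&
    ! grep -q '/customers/LICENSE/' "$1"
}

# Constructed sample key used only to demonstrate the functions.
SAMPLE_KEY='EXAMPLE-KEY-1234'
```

Keep `gpgcheck=1` (and the `signed-by=` option on apt): the license key only selects the customer path on the server, while the GPG key is what ties the installed packages to CISOfy. Protecting the file itself is also worth considering, as the baseurl embeds the master license key.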
Update repositories
apt update
Install the Lynis Enterprise Updater
apt -y install lynis-enterprise-updater
When something goes wrong
Sometimes the Updater may stop due to an error. In that case, it will most likely tell you what went wrong and which step to take.
Run the Updater
Good to know: you can always run the Updater again, during or after the installation. In that case use the ‘update’ command:
lynis-updater update
If you changed basic details of the system during or after the setup, such as the hostname, then a 'forced' update might be needed. This does the same as a normal update, but runs more tasks and enforces that some files are created (again).
lynis-updater update --force
Create admin user
At the end of the installation, the installer will help you create an admin user for the web interface. While creating this admin user, we strongly suggest using the name 'root' (without quotes) as its username. When the installation is done, you can use this user account to perform the last steps of configuration.
After installing the software, log in as user root on the web interface and perform the following steps:
Create one or more business entities
After you are logged in, you get the opportunity to create a company. This can be the name of your company, a business division, a team, or a customer. Entities cannot see each other's data, so this can be used to keep sensitive data separated.
Add one license to each company/division
Create a sublicense and configure it as follows:
| Setting | Value |
|---|---|
| Maximum systems | Ordered number of licenses, or divide them over multiple sublicenses |
| Maximum scans | 10 |
| Maximum accounts | 99 |
| Type | Lynis |
| Subtype | Premium |
| Begin date | Start of license (example: 2024-03-18) |
| End date | Begin date + 1 year |
| License key | Keep it as-is |
| Credits | Keep it as-is |
Create a personal user account
Normal user accounts are used for the daily administration. The admin user 'root' is only for configuring the system itself.
So create one or more normal users: one for yourself, and one for each colleague that needs access as well.
Certificate
During installation, a self-signed certificate is created, as all connections are forced to use HTTPS. You could replace the certificate with an internal certificate if you have one. Another option is using Let’s Encrypt.