« Back to Installation Guides

Lynis Enterprise - Self-hosted on Alma Linux 8

Requirements

  • Virtual machine
  • 2 GB memory or more
  • Disk partitioning with at least 10 GB free space

Preparation steps

New system

Use a new (virtual) machine as the installer will make changes to its configuration. Use the latest version of the selected operating system.

Hostname and domain configuration

Ensure that the hostname and domain are both correct. It will be used to configure the application components.

Change /etc/hostname and /etc/hosts to properly configure the system.

Tips:

  • Add a 127.0.1.1 entry linked to the fully qualified domain name (FQDN), followed by just the hostname.
    • Example: 127.0.1.1 lynis.example.com lynis
  • Confirm that the system has a domain name configured. Command: hostname -d

After making changes, reboot the system to make sure that all is good.

Create /data partition

Create a /data directory or dedicated partition. When using a partition, ensure it has at least 10 GB of space. Usage of LVM is suggested, so the partition can be extended later.

This directory is used to store software components

Firewall preparation

When iptables/ufw is available, allow incoming connections to HTTP and HTTPS. HTTP is only used for the convenience of users and redirects them to HTTPS automatically.

Postfix or MTA configuration

Configure a local MTA (like Postfix), allowing the system to send emails

PostgreSQL 15

The default PostgreSQL version available to Alma Linux is too old.

dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm

Disable the default version

dnf -qy module disable postgresql

Install PostgreSQL 15

dnf install -y postgresql15 postgresql15-server

Configure initial database setup:

/usr/pgsql-15/bin/postgresql-15-setup initdb

Create an alias

systemctl edit postgresql-15.service

[Install]
Alias=postgresql.service

Save this file.

Enable and start

systemctl enable –now postgresql-15.service

SELinux

By default, port 8081 is already mapped. So it needs to be remapped to http_port_t.

semanage port -m -t http_port_t -p tcp 8081

Reboot

If the system did not have a reboot yet, this is a good moment to ensure all is well before doing the installation.

Installation

Configure the software repository

Create a new file: /etc/yum.repos.d/cisofy-lynis-enterprise.repo

With the contents:

[lynis-enterprise]
name=CISOfy Software - Lynis Enterprise packages
baseurl=https://packages.cisofy.com/customers/LICENSE/lynis-enterprise/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1

Important note: replace LICENSE with the actual master license key.

Update repositories

dnf makecache

Install the Lynis Enterprise Updater

dnf install lynis-enterprise-updater

Lynis Enterprise Installation

Now run the Updater utility.

lynis-updater install

During the execution of the installer, it will ask you for basic information, like an e-mail address and license number. Use the master key as mentioned before.

Add repository and install the Updater

Install HTTPS transport

apt install apt-transport-https

Note: this package might already be installed

Import key

curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg

Configure the software repository

echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/customers/LICENSE/lynis-enterprise/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis-enterprise.list

Important note: replace LICENSE with the actual master license key.

Update repositories

apt update

Install the Lynis Enterprise Updater

apt -y install lynis-enterprise-updater

When something goes wrong

Sometimes the Updater may stop due to an error. In that case, it will most likely tell what goes wrong and what step to take.

Run the Updater

Good to know: you can always run the Updater again, during or after the installation. In that case use the ‘update’ command:

lynis-updater update

If changed basic details of the system after or during the setup, such as a hostname, then a ‘forced’ update might be needed. This will do the same thing as normally, but will run more tasks and enforce that some files are created (again).

lynis-updater update --force

Create admin user

At the end of the installation, the installer will help you create an admin user for the web interface. While creating this admin user, we strongly suggest using the name ‘root’ (without quotes) as its username. When the installation is done, you can use this user account to perform the last ssteps of configuration.

After installing the software, log in as user root on the web interface. Perform the following steps and create:

Create one or more business entities

After you are logged in, you get the opportunity to create a company. This can be the name of your company, a business division(s), team(s), or customer(s). Entities can not see data of another entity, so this can be used to keep sensitive data separated.

Add one license to each company/division

Create a sublicense and configure

SettingValue
Maximum systemsOrdered number of licenses or divide them over multiple sublicenses
Maximum scans10
Maximum accounts99
TypeLynis
SubtypePremium
Begin dateStart of license (example: 2024-03-18)
End dateBegin date + 1 year
License keyKeep it as-is
CreditsKeep it as-is

Create a personal user account

Normal user accounts are used to do the daily administration. The admin user ‘root’ is only for doing configuration of the system itself.

So create one or more normal users, one for yourself, one for your colleagues that need access as well.

Certificate

During installation, a self-signed certificate is created, as all connections are forced to use HTTPS. You could replace the certificate with an internal certificate if you have one. Another option is using Let’s Encrypt.

Feedback

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.