Find Differences Between Two Daily Lynis Audits

Comparing Lynis Scan Results

Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs.


Lynis has two important files to which is logs data:

  • /var/log/lynis.log
  • /var/log/lynis-report.dat

The first file /var/log/lynis.log has all technical details of the audit. The report file /var/log/lynis-report.dat contains all important scan results, like warnings, suggestions, and generic system information. It is this same report file which we can use to compare two different audits!


To help you out finding differences between two scheduled Lynis runs, simply leverage the report file.

Example script

# Step 1: Archive file
if [ -f /var/log/lynis-report.dat ]; then
     cp /var/log/lynis-report.dat /var/log/lynis-report-previous.dat

# Step 2: Here you run Lynis (e.g. as a cron job)
cd /path/to/lynis
./lynis --cronjob

# Step 3: Perform the difference (unless it is the first time)
if [ ${PERFORM_DIFF} -eq 1 ]; then
    DIFFERENCES=`diff --ignore-matching-lines report_datetime /var/log/lynis-report.dat /var/log/lynis-report-previous.dat`
    if [ $? -gt 0 ]; then
        echo "Found differences:"
        echo "==========================================================================="
        diff -y /var/log/lynis-report-previous.dat /var/log/lynis-report.dat | grep -v "report_datetime"
        echo "==========================================================================="



Here is how it works in steps:


  1. Archive the existing lynis-report.dat file
  2. Run Lynis (again)
  3. Compare results

Just three simple steps.

Implementing the script

If you already run Lynis as a scheduled cron job, copy that file for testing and add the top and bottom section (step 1 and 3) from the example.

Next is testing if things work like expected. So first run your script and check if execution of Lynis was successful. You can do this by checking the /var/log/lynis.log and /var/log/lynis-report.dat files.

Then determine if it correctly copied the previous report contents to /var/log/lynis-report-previous.dat.

If it copied the file, change a few lines in your active report /var/log/lynis-report.dat (not the -previous file, as it will be overwritten!).

Run the script again and see if the differences show up:

Screenshot of diff tool to determine Lynis differences during security audit

The diff tool found a minor change between two scans



Found this tip helpful? Share it with others and help more people with automation.

Automate security audits with Lynis and Lynis Enterprise
Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series to get Linux (and Unix-based) systems more secure.

Daily security checks

Want to go to the next level of security scanning and system hardening? Start with automated security scans for Linux: Lynis and Lynis Enterprise.

Automate Scanning »

Leave a Reply

Your email address will not be published. Required fields are marked *