Find Differences Between Two Daily Lynis Audits

Comparing Lynis Scan Results

Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs.

Report

Lynis has two important files to which is logs data:

  • /var/log/lynis.log
  • /var/log/lynis-report.dat

The first file /var/log/lynis.log has all technical details of the audit. The report file /var/log/lynis-report.dat contains all important scan results, like warnings, suggestions, and generic system information. It is this same report file which we can use to compare two different audits!

Script

To help you out finding differences between two scheduled Lynis runs, simply leverage the report file.

Example script

Here is how it works in steps:

Steps

  1. Archive the existing lynis-report.dat file
  2. Run Lynis (again)
  3. Compare results

Just three simple steps.

Implementing the script

If you already run Lynis as a scheduled cron job, copy that file for testing and add the top and bottom section (step 1 and 3) from the example.

Next is testing if things work like expected. So first run your script and check if execution of Lynis was successful. You can do this by checking the /var/log/lynis.log and /var/log/lynis-report.dat files.

Then determine if it correctly copied the previous report contents to /var/log/lynis-report-previous.dat.

If it copied the file, change a few lines in your active report /var/log/lynis-report.dat (not the -previous file, as it will be overwritten!).

Run the script again and see if the differences show up:

 

 

Found this tip helpful? Share it with others and help more people with automation.

Screenshot of Lynis security tool

Take the next step!

Want to learn more about Linux security? Have a look at the open source tool Lynis and become a Linux expert yourself.

Lynis is a battle-tested technical security audit tool. It is open source, freely available, and used by system administrators all over the world. Other users include IT auditors, security professionals, like pentesters.

Tool Information

Visit project page