Find Differences Between Two Daily Lynis Audits

Comparing Lynis Scan Results

Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs.

Report

Lynis has two important files to which it logs data:

  • /var/log/lynis.log
  • /var/log/lynis-report.dat

The first file /var/log/lynis.log has all technical details of the audit. The report file /var/log/lynis-report.dat contains all important scan results, like warnings, suggestions, and generic system information. It is this same report file which we can use to compare two different audits!

Script

To help you find differences between two scheduled Lynis runs, simply leverage the report file.

Example script

#!/bin/sh
PERFORM_DIFF=0
REPORT=/var/log/lynis-report.dat
PREVIOUS=/var/log/lynis-report-previous.dat

# Step 1: Archive the report of the previous run (if there is one)
if [ -f "${REPORT}" ]; then
    cp "${REPORT}" "${PREVIOUS}"
    PERFORM_DIFF=1
fi

# Step 2: Here you run Lynis (e.g. as a cron job)
cd /path/to/lynis || exit 1
./lynis --cronjob

# Step 3: Perform the difference (unless it is the first time)
if [ "${PERFORM_DIFF}" -eq 1 ]; then
    # The report_datetime lines change on every run, so ignore them;
    # diff exits non-zero when the remaining lines differ
    if ! diff --ignore-matching-lines report_datetime "${PREVIOUS}" "${REPORT}" > /dev/null; then
        echo "Found differences:"
        echo "==========================================================================="
        diff -y "${PREVIOUS}" "${REPORT}" | grep -v "report_datetime"
        echo "==========================================================================="
    fi
fi

#EOF

Here is how it works in steps:

Steps

  1. Archive the existing lynis-report.dat file
  2. Run Lynis (again)
  3. Compare results

Just three simple steps.

Implementing the script

If you already run Lynis as a scheduled cron job, copy that file for testing and add the top and bottom sections (steps 1 and 3) from the example.

Next, test whether things work as expected. First run your script and check that the execution of Lynis was successful. You can do this by checking the /var/log/lynis.log and /var/log/lynis-report.dat files.

Then determine if it correctly copied the previous report contents to /var/log/lynis-report-previous.dat.

If it copied the file, change a few lines in your active report /var/log/lynis-report.dat (not the -previous file, as it will be overwritten!).

Run the script again and see if the differences show up:

[Screenshot: diff output showing the differences between two Lynis audits]

The diff tool found a minor change between two scans
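The side-by-side diff above shows every changed line, including lines that merely moved. Because the report file (described in the Report section) is a plain key=value file in which repeated keys such as warning[] and suggestion[] can appear in any order, the two reports can also be compared key by key, which makes new or resolved warnings stand out. The script below is an added example, not code from the original post or from the Lynis project. It assumes the key=value layout of lynis-report.dat with repeated keys ending in []; the two sample reports, their hostname, index values and EXAMPLE-nnnn test identifiers are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from Lynis): compare two
# lynis-report.dat files entry by entry and list removed (-) and added (+)
# entries, so that new warnings and suggestions are easy to spot.
# Assumption: the report is a key=value file, repeated keys end in [].
export LC_ALL=C   # fixed collation so sort and comm agree on the order

# Write two constructed sample reports to the paths given as $1 and $2
# (yesterday's and today's run of a fictional host).
write_sample_reports() {
    cat > "$1" <<'EOF'
report_datetime_start=2020-01-01 03:00:01
hostname=srv01
warning[]=EXAMPLE-0001|Example warning that was already present|-|-|
suggestion[]=EXAMPLE-0002|Example suggestion that gets fixed|-|-|
hardening_index=70
report_datetime_end=2020-01-01 03:00:45
EOF
    cat > "$2" <<'EOF'
report_datetime_start=2020-01-02 03:00:01
hostname=srv01
warning[]=EXAMPLE-0001|Example warning that was already present|-|-|
warning[]=EXAMPLE-0003|Example warning that is new today|-|-|
hardening_index=72
report_datetime_end=2020-01-02 03:00:44
EOF
}

# Print the entries that differ between the previous ($1) and current ($2)
# report. The report_datetime lines change on every run and are ignored;
# the remaining lines are sorted first, so an entry that only moved to
# another position in the file is not reported as a change.
report_changes() {
    prev_sorted=$(mktemp) || return 1
    cur_sorted=$(mktemp) || return 1
    grep -v '^report_datetime' "$1" | sort > "$prev_sorted"
    grep -v '^report_datetime' "$2" | sort > "$cur_sorted"
    comm -23 "$prev_sorted" "$cur_sorted" | sed 's/^/- /'   # only in previous
    comm -13 "$prev_sorted" "$cur_sorted" | sed 's/^/+ /'   # only in current
    rm -f "$prev_sorted" "$cur_sorted"
}

# Count the warnings that appeared since the previous report (prints 0
# when there are none; grep -c exits 1 in that case, hence the || true).
count_new_warnings() {
    report_changes "$1" "$2" | grep -c '^+ warning\[\]=' || true
}

# Usage: run the comparison over the constructed sample reports.
PREV_REPORT=$(mktemp)
CUR_REPORT=$(mktemp)
write_sample_reports "$PREV_REPORT" "$CUR_REPORT"
echo "Changes between the two sample reports:"
report_changes "$PREV_REPORT" "$CUR_REPORT"
echo "New warnings: $(count_new_warnings "$PREV_REPORT" "$CUR_REPORT")"
rm -f "$PREV_REPORT" "$CUR_REPORT"
```

In a cron job you would call report_changes with /var/log/lynis-report-previous.dat and /var/log/lynis-report.dat instead of the sample files, and use count_new_warnings to decide whether the run deserves an alert. Exact line matching is deliberate: a warning whose details text changes shows up as one removed and one added entry, which is usually what you want to see.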
