Find differences between two daily Lynis audits

Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs.


Lynis has two important files to which is logs data:

  • /var/log/lynis.log
  • /var/log/lynis-report.dat

The first file /var/log/lynis.log has all technical details of the audit. The report file /var/log/lynis-report.dat contains all important scan results, like warnings, suggestions, and generic system information. It is this same report file which we can use to compare two different audits!


To help you out finding differences between two scheduled Lynis runs, simply leverage the report file.

Example script

# Step 1: Archive file
if [ -f /var/log/lynis-report.dat ]; then
     cp /var/log/lynis-report.dat /var/log/lynis-report-previous.dat

# Step 2: Here you run Lynis (e.g. as a cron job)
cd /path/to/lynis
./lynis audit system --cronjob

# Step 3: Perform the difference (unless it is the first time)
if [ ${PERFORM_DIFF} -eq 1 ]; then
    DIFFERENCES=`diff --ignore-matching-lines report_datetime /var/log/lynis-report.dat /var/log/lynis-report-previous.dat`
    if [ $? -gt 0 ]; then
        echo "Found differences:"
        echo "==========================================================================="
        diff -y /var/log/lynis-report-previous.dat /var/log/lynis-report.dat | grep -v "report_datetime"
        echo "==========================================================================="



Here is how it works in steps:


  1. Archive the existing lynis-report.dat file
  2. Run Lynis (again)
  3. Compare results

Just three simple steps.

Implementing the script

If you already run Lynis as a scheduled cron job, copy that file for testing and add the top and bottom section (step 1 and 3) from the example.

Next is testing if things work like expected. So first run your script and check if execution of Lynis was successful. You can do this by checking the /var/log/lynis.log and /var/log/lynis-report.dat files.

Then determine if it correctly copied the previous report contents to /var/log/lynis-report-previous.dat.

If it copied the file, change a few lines in your active report /var/log/lynis-report.dat (not the -previous file, as it will be overwritten!).

Run the script again and see if the differences show up:

Screenshot of diff tool to determine Lynis differences during security audit

The diff tool found a minor change between two scans

Found this tip helpful? Share it with others and help more people with automation.

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is also a cheat sheet available.

  • cp
  • diff
  • echo


Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon