Find Differences Between Two Daily Lynis Audits

Comparing Lynis Scan Results

Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs.

Report

Lynis has two important files to which is logs data:

  • /var/log/lynis.log
  • /var/log/lynis-report.dat

The first file /var/log/lynis.log has all technical details of the audit. The report file /var/log/lynis-report.dat contains all important scan results, like warnings, suggestions, and generic system information. It is this same report file which we can use to compare two different audits!

Script

To help you out finding differences between two scheduled Lynis runs, simply leverage the report file.

Example script

#!/bin/sh
PERFORM_DIFF=0
# Step 1: Archive file
if [ -f /var/log/lynis-report.dat ]; then
     cp /var/log/lynis-report.dat /var/log/lynis-report-previous.dat
     PERFORM_DIFF=1
fi

# Step 2: Here you run Lynis (e.g. as a cron job)
cd /path/to/lynis
./lynis --cronjob

# Step 3: Perform the difference (unless it is the first time)
if [ ${PERFORM_DIFF} -eq 1 ]; then
    DIFFERENCES=`diff --ignore-matching-lines report_datetime /var/log/lynis-report.dat /var/log/lynis-report-previous.dat`
    if [ $? -gt 0 ]; then
        echo "Found differences:"
        echo "==========================================================================="
        diff -y /var/log/lynis-report-previous.dat /var/log/lynis-report.dat | grep -v "report_datetime"
        echo "==========================================================================="
    fi

fi

#EOF

Here is how it works in steps:

Steps

  1. Archive the existing lynis-report.dat file
  2. Run Lynis (again)
  3. Compare results

Just three simple steps.

Implementing the script

If you already run Lynis as a scheduled cron job, copy that file for testing and add the top and bottom section (step 1 and 3) from the example.

Next is testing if things work like expected. So first run your script and check if execution of Lynis was successful. You can do this by checking the /var/log/lynis.log and /var/log/lynis-report.dat files.

Then determine if it correctly copied the previous report contents to /var/log/lynis-report-previous.dat.

If it copied the file, change a few lines in your active report /var/log/lynis-report.dat (not the -previous file, as it will be overwritten!).

Run the script again and see if the differences show up:

Screenshot of diff tool to determine Lynis differences during security audit

The diff tool found a minor change between two scans

 

 

Found this tip helpful? Share it with others and help more people with automation.

Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)


Leave a Reply

Your email address will not be published. Required fields are marked *