How are auditd and Lynis different?

Differences between auditd and Lynis

Recently I received the question what the difference is between auditd and Lynis. Both focus on auditing, that part is clear. For someone not familiar with both software tools, the technical differences may not directly be obvious. Time to write about that, for everyone that has the same question.

Comparing functionality

Let’s start with a quick introduction in both tools.

Audit daemon

AuditdĀ is the daemon process in the Linux Audit Framework, written and maintained by Red Hat. It focuses on logging system events (accounting).


Lynis performs a security audit of the system. You can compare it with health check, or a yearly checkup for your car.

Lynis screenshot with colored output

Colored output to guide first-time users

When to use which tool?

Both tools share the “auditing” part, so this is where the confusion might come in. The important difference is the specific goal you want to achieve.

If you want to track events (like if your /etc/passwd file was changed, or setting the time), then you want to use auditd. Lynis on the other hand, would check for incorrect file permissions on a file like /etc/passwd. It does not track changes in the file itself.

Consider Lynis as a the yearly check for your car and auditd the onboard computer of the car which checks that the engine is not too hot while driving.


So if you want to track changes, use auditd. If you want to know if things are properly configured, then use Lynis. And you may have guessed it: if you want to get your system properly secured, you want to use both solutions. After all, they have a different goal.

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package

Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


One comment

  • TomasTomas

    Good article, thanks very much for sharing Michael. I use both tools but for different reasons.

    I find Lynis perfect for an initial automated system audit to identify bits and pieces that need hardening. Auditd is deployed and configured as part of said security hardening to record events that modify something I am interested in, e.g. attempts to change system’s network environment or modify SELinux rules. AIDE/Tripwire take care of integrity checking with a handful of other tools to look for intrusion, rootkits, malware etc.

    I then finally run OpenSCAP to verify security compliance. I’m sure you will agree that security hardening is a lengthy and ongoing process.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.