Lynis - Option to save the session reporting directly to a file (colour-coded)?

Title says it all! :slight_smile:

2 Likes

As far as I remember, lynis saves report file(s) and prints on the terminal as well. To save terminal output to a file with colors (i.e. escape sequences) you can use the script utility, like

script <output file>
<your command here>
exit

For more detail, consult man script.

3 Likes

Thanks for kicking off another useful topic @ericmarceau. No built-in flag for this, but script -q -c "lynis audit system" lynis-report.txt captures the colored output, then view it with less -R. For HTML, pipe through aha: lynis audit system | aha > lynis-report.html. The raw data also lives at /var/log/lynis-report.dat after every run.

Reference for other readers:

3 Likes
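An added example, not code from this thread or from the Lynis project, that post-processes the two artefacts Hayden mentions: the colour capture written by script, and /var/log/lynis-report.dat. It makes a plain-text copy of the capture (colour codes stripped) and summarises warnings and suggestions from the .dat file; it assumes the report's key=value layout (warning[]=TEST-ID|message|details|solution|, hardening_index=NN), and every path and sample line in it is constructed.

```shell
#!/bin/sh
# Added example, not from this thread or the Lynis project: post-process a Lynis
# session captured with `script` and summarise /var/log/lynis-report.dat. Assumes
# the report's key=value layout (warning[]=TEST-ID|message|details|solution|,
# hardening_index=NN); all paths and sample lines below are constructed.
# Capture on a real host (not run here):
#   script -q -c "lynis audit system" lynis-session.txt   # keeps colour codes
#   aha < lynis-session.txt > lynis-session.html           # optional HTML copy

# Plain-text copy of a colour capture: drop ANSI CSI sequences (ESC [ ... final byte)
# and the carriage returns that `script` records, so the file greps cleanly.
strip_ansi() {
    esc=$(printf '\033')
    LC_ALL=C sed "s/${esc}\[[0-9;?]*[@-~]//g" "$1" | tr -d '\r'
}

# One-line summary of the machine-readable report: hardening index plus counts.
report_summary() {
    awk '
        index($0, "hardening_index=") == 1 { idx = substr($0, 17) }
        index($0, "warning[]=") == 1       { w++ }
        index($0, "suggestion[]=") == 1    { s++ }
        END { printf "index=%s warnings=%d suggestions=%d\n", idx, w, s }' "$1"
}

# Warnings as "TEST-ID: message", one per line, for triage or ticketing.
report_warnings() {
    awk '
        index($0, "warning[]=") == 1 {
            split(substr($0, 11), f, "|")      # fields: id|message|details|solution
            print f[1] ": " f[2]
        }' "$1"
}

# --- constructed sample data (stands in for a real capture and report.dat) ---
tmp=$(mktemp -d)
printf '\033[1;33m[WARNING]\033[0m: Test CRYP-7902 had a long execution: 190.835397 seconds\r\n' \
    > "$tmp/lynis-session.txt"
{
    printf 'hardening_index=61\n'
    printf 'warning[]=CRYP-7902|constructed sample warning|-|-|\n'
    printf 'suggestion[]=PKGS-7345|constructed sample suggestion|-|-|\n'
    printf 'suggestion[]=FILE-6332|another constructed suggestion|-|-|\n'
} > "$tmp/lynis-report.dat"

strip_ansi "$tmp/lynis-session.txt"        # prints the sample line without colour codes
report_summary "$tmp/lynis-report.dat"     # index=61 warnings=1 suggestions=2
report_warnings "$tmp/lynis-report.dat"    # CRYP-7902: constructed sample warning
```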

Thank you, Eugene! Not quite what I was looking for (putting everything into the background), but that will do nicely!

:slight_smile:

2 Likes

Thank you, Hayden!

I will have to look at that aha tool some time! It looks like it would be useful to convert those coloured console sessions into the equivalent coloured HTML page. Sounds very useful if you want a portable, cross-platform format for viewing anywhere and anytime!


BTW, I usually only run my script for “--pentest”.

I’ve just added the option to my script for the “--forensics” mode and ran that for the first time just now. I will compare to see what would be the significant differences.

I’ve never run with the mode “audit system”. I will give that a try to see how informative/useful that would be.


My modified wrapper script for lynis:

#!/bin/sh

#23456789+123456789+123456789+123456789+123456789+123456789+123456789+123456789+123456789+123456789+
####################################################################################################
###
###	$Id: SEC__Scan_002_lynis.sh,v 1.2 2026/04/25 21:39:39 root Exp root $
###
###	Script to manage execution and logging of the 'lynis' tool.
###
####################################################################################################


mode="--pentest"	# default lynis mode; may be overridden on the command line

while [ $# -ne 0 ]
do
	case "${1}" in
		"--pentest" )
			printf '\n NOTE: Other modes optional at command line:  { --forensics | --quick | --audit } ...\n' ;
			mode="${1}" ; shift ;;
		"--forensics" | "--quick" )
			mode="${1}" ; shift ;;
		"--audit" )
			mode="audit system" ; shift ;;
		* ) printf '\n\t Invalid option specified on command line: %s\n Only valid options: { --pentest | --forensics | --quick | --audit }\n Bye!\n\n' "${1}" ; exit 1 ;;
	esac
done


Oasis=${Oasis:-/Oasis}
ThisDATE=`date '+%Y%m%d%H%M%S'`

command=lynis
compath=`command -v "${command}"`	# POSIX replacement for 'which'

if [ -z "${compath}" ] ; then  printf "\n\t Command '%s' was not found in PATH.  Abandoning.\n Bye!\n\n" "${command}" ; exit 1 ; fi

# REFERENCE:  /home/ericthered/Desktop/PROJ01_SecurityScans

LogROOT="${Oasis}/Logs"
LOGS="${LogROOT}/${command}"

for dir in "${LogROOT}" "${LOGS}"
do
	if [ ! -d "${dir}" ]
	then
		mkdir "${dir}" || exit 1
		chmod 775 "${dir}"
		printf '\t Created directory:  %s ...\n' "${dir}"
	fi
done

LOG="${LOGS}/${command}.${ThisDATE}.log"		# lynis' own log file (passed via --logfile)
DETAILS="${LOGS}/${command}.${ThisDATE}.details"	# full terminal session, stdout and stderr

{	echo "========  |${command}|${ThisDATE}|`uname -a`|  ========"

	# ${mode} is deliberately unquoted so that "audit system" splits into two arguments.
	${compath} ${mode} --logfile "${LOG}"
} 2>&1 | tee "${DETAILS}"


exit 0

2 Likes

I compared the --pentest run with the --forensics run, and the results are a bit surprising!

There was minimal difference, and what was different was not functionally meaningful!

Here are the results for you to make your own conclusions:

diff REPORT__Lynis_SessionLog_20260516_PENTEST.txt REPORT__Lynis_SessionLog_20260516_FORENSIC.txt
1c1
< Script started on 2026-05-16 17:10:16-04:00 [TERM="xterm-256color" TTY="/dev/pts/0" COLUMNS="140" LINES="27"]
---
> Script started on 2026-05-16 17:32:48-04:00 [TERM="xterm-256color" TTY="/dev/pts/0" COLUMNS="140" LINES="27"]
6,7c6,7
< SEC__Scan_002_lynis.shsh
========  |lynis|20260516171042|Linux OasisMega1 6.8.0-45-generic #45~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Sep 11 15:25:05 UTC 2 x86_64 x86_64 x86_64 GNU/Linux|  ========
---
> SEC__Scan_002_lynis.sh --forensics
========  |lynis|20260516173319|Linux OasisMega1 6.8.0-45-generic #45~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Sep 11 15:25:05 UTC 2 x86_64 x86_64 x86_64 GNU/Linux|  ========
36c36
<   Log file:                  /DB001_F2/Oasis/Logs/lynis/lynis.20260516171042.log
---
>   Log file:                  /DB001_F2/Oasis/Logs/lynis/lynis.20260516173319.log
71c71
<   [WARNING]: Test DEB-0001 had a long execution: 36.312760 seconds
---
>   [WARNING]: Test DEB-0001 had a long execution: 32.397445 seconds
76,78d75
< 
<   [WARNING]: Test DEB-0280 had a long execution: 11.053237 seconds
< 
191c188
<       Found 93 active modules
---
>       Found 97 active modules
304c301
<   [WARNING]: Test PKGS-7345 had a long execution: 29.693176 seconds
---
>   [WARNING]: Test PKGS-7345 had a long execution: 28.938701 seconds
320c317
<   [WARNING]: Test PKGS-7392 had a long execution: 76.963911 seconds
---
>   [WARNING]: Test PKGS-7392 had a long execution: 47.251480 seconds
454c451
<   - Last time synchronization                                 [ 451s ]
---
>   - Last time synchronization                                 [ 1762s ]
460c457
<   [WARNING]: Test CRYP-7902 had a long execution: 190.835397 seconds
---
>   [WARNING]: Test CRYP-7902 had a long execution: 177.341722 seconds
478c475
<         Found 140 unconfined processes
---
>         Found 142 unconfined processes
754c751
<   - Check the logfile for all details (less /DB001_F2/Oasis/Logs/lynis/lynis.20260516171042.log)
---
>   - Check the logfile for all details (less /DB001_F2/Oasis/Logs/lynis/lynis.20260516173319.log)
771c768
<   Normal [ ]  Forensics [ ]  Integration [ ]  Pentest [V] (running privileged)
---
>   Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]
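Review bot: the scan-mode line in this hunk reads "Normal [V]  Forensics [ ]" for the --forensics session, so Lynis did not record forensics mode for that run and this diff does not actually compare forensics against pentest; check how the flag reaches lynis (the wrapper invokes it as `lynis --forensics --logfile ...` with no `audit system` command) before concluding that the two modes behave identically.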
779c776
<   - Test and debug information      : /DB001_F2/Oasis/Logs/lynis/lynis.20260516171042.log
---
>   - Test and debug information      : /DB001_F2/Oasis/Logs/lynis/lynis.20260516173319.log
801c798
< Script done on 2026-05-16 17:23:30-04:00 [COMMAND_EXIT_CODE="0"]
---
> Script done on 2026-05-16 17:39:59-04:00 [COMMAND_EXIT_CODE="0"]

Here are similar results of the comparison between --pentest and “audit system” which, again, shows no difference of significance:

# diff REPORT__Lynis_SessionLog_20260516_PENTEST.txt REPORT__Lynis_SessionLog_20260516_AUDIT.txt
1c1
< Script started on 2026-05-16 17:10:16-04:00 [TERM="xterm-256color" TTY="/dev/pts/0" COLUMNS="140" LINES="27"]
---
> Script started on 2026-05-16 17:52:45-04:00 [TERM="xterm-256color" TTY="/dev/pts/0" COLUMNS="140" LINES="27"]
6,7c6,7
< SEC__Scan_002_lynis.shsh
========  |lynis|20260516171042|Linux OasisMega1 6.8.0-45-generic #45~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Sep 11 15:25:05 UTC 2 x86_64 x86_64 x86_64 GNU/Linux|  ========
---
> SEC__Scan_002_lynis.sh --audit
========  |lynis|20260516175347|Linux OasisMega1 6.8.0-45-generic #45~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Sep 11 15:25:05 UTC 2 x86_64 x86_64 x86_64 GNU/Linux|  ========
36c36
<   Log file:                  /DB001_F2/Oasis/Logs/lynis/lynis.20260516171042.log
---
>   Log file:                  /DB001_F2/Oasis/Logs/lynis/lynis.20260516175347.log
71c71
<   [WARNING]: Test DEB-0001 had a long execution: 36.312760 seconds
---
>   [WARNING]: Test DEB-0001 had a long execution: 32.702110 seconds
77c77
<   [WARNING]: Test DEB-0280 had a long execution: 11.053237 seconds
---
>   [WARNING]: Test DEB-0280 had a long execution: 12.525316 seconds
191c191
<       Found 93 active modules
---
>       Found 97 active modules
260a261,263
> 
>   [WARNING]: Test FILE-6332 had a long execution: 20.464297 seconds
> 
304c307
<   [WARNING]: Test PKGS-7345 had a long execution: 29.693176 seconds
---
>   [WARNING]: Test PKGS-7345 had a long execution: 37.581445 seconds
320c323
<   [WARNING]: Test PKGS-7392 had a long execution: 76.963911 seconds
---
>   [WARNING]: Test PKGS-7392 had a long execution: 115.606090 seconds
454c457
<   - Last time synchronization                                 [ 451s ]
---
>   - Last time synchronization                                 [ 1057s ]
460c463
<   [WARNING]: Test CRYP-7902 had a long execution: 190.835397 seconds
---
>   [WARNING]: Test CRYP-7902 had a long execution: 208.709630 seconds
478c481
<         Found 140 unconfined processes
---
>         Found 142 unconfined processes
754c757
<   - Check the logfile for all details (less /DB001_F2/Oasis/Logs/lynis/lynis.20260516171042.log)
---
>   - Check the logfile for all details (less /DB001_F2/Oasis/Logs/lynis/lynis.20260516175347.log)
771c774
<   Normal [ ]  Forensics [ ]  Integration [ ]  Pentest [V] (running privileged)
---
>   Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]
779c782
<   - Test and debug information      : /DB001_F2/Oasis/Logs/lynis/lynis.20260516171042.log
---
>   - Test and debug information      : /DB001_F2/Oasis/Logs/lynis/lynis.20260516175347.log
801c804
< Script done on 2026-05-16 17:23:30-04:00 [COMMAND_EXIT_CODE="0"]
---
> Script done on 2026-05-16 19:08:14-04:00 [COMMAND_EXIT_CODE="0"]

Not sure what the different options should be doing functionally differently for them to bother coding different options, since the results seem to be identical, other than timing test durations!!!

:frowning:

1 Like

Makes sense. --pentest and audit system are mostly running the same checks. The main difference is that --pentest assumes you are running without root privileges, so it skips tests that need root.

In your case, because the wrapper is already running everything as root, both modes end up producing almost the same result.

--forensics is more for post-incident checks on a system you think might be compromised.

If you want to narrow the scope, maybe something like:

lynis audit system --tests-category malware

2 Likes

So, does that give a deeper, more focused audit, or is that coverage already included in the basic scan offered by

sudo lynis audit system

2 Likes

Same depth, just narrower scope. Same malware tests either way, you’re just telling Lynis to skip everything else.

2 Likes

Well, Hayden, what is your sense of what I should be doing?

I have no Virtual environment encapsulating Windows, and I don’t have any CrossOver Office or Wine or Xen or anything else that is used to provide an execution environment for Virus-/Trojan-sensitive Windows Apps.

I don’t even have a dual-boot for Windows! Pure Linux!

Unless there is a new way for videos from YouTube or images from sites the likes of Deviant Art to subvert or compromise my system, I don’t think I need to be scanning for that stuff daily, separately from my usual monthly scan. Is there?

2 Likes

No need to overthink it. Agreed, monthly is fine.

2 Likes