This kind of feels like it should be an OpenSCAP tool. Is this really different in some way I’m missing, or is it distinct mainly in an attempt to sell the enterprise version?
Maybe it should be? I just learned about the existence of this tool myself recently, and I’m not familiar at all with OpenSCAP. I care about this class of tool because I run some personal linux servers and I’d like to be able to run a simple command line utility that tells me if I’m making any obvious security mistakes it knows about, which is what lynis looks like it does. If there are other better tools that do similar things, I’d love to hear about them.
You might want to check out the tools from OpenSCAP then. The nice thing about them is that they process a standard scanning and configuration format, and many developers/vendors publish “policies” that tell any tool that can consume that format how to scan and often how to fix configurations.
It sounds like there’s a lot of overlap. There also may be no harm in running both for better coverage since neither needs a long-running agent on your system from the looks of it.
This kind of feels like it should be an OpenSCAP tool. Is this really different in some way I’m missing, or is it distinct mainly in an attempt to sell the enterprise version?
Maybe it should be? I just learned about the existence of this tool myself recently, and I’m not familiar at all with OpenSCAP. I care about this class of tool because I run some personal linux servers and I’d like to be able to run a simple command line utility that tells me if I’m making any obvious security mistakes it knows about, which is what lynis looks like it does. If there are other better tools that do similar things, I’d love to hear about them.
You might want to check out the tools from OpenSCAP then. The nice thing about them is that they process a standard scanning and configuration format, and many developers/vendors publish “policies” that tell any tool that can consume that format how to scan and often how to fix configurations.
It sounds like there’s a lot of overlap. There also may be no harm in running both for better coverage since neither needs a long-running agent on your system from the looks of it.