Learn how to automate security audits on AlmaLinux servers using Lynis and apply Lynis hardening suggestions on AlmaLinux using custom shell scripts.
Hardening a Linux server is essential for protecting applications, user data, and critical services. For teams managing AlmaLinux environments, Lynis offers a powerful, open-source way to automate security audits. In this guide, we walk through installing Lynis and running a basic system audit to evaluate server hardening, compliance, and security posture.
Lynis is a powerful, open-source security auditing and compliance tool designed for Unix-based systems like Linux, macOS, and BSD. Created and maintained by CISOfy, Lynis is widely used by system administrators, DevOps engineers, and security professionals to assess the security posture of servers in real time.
Lynis not only identifies security gaps but also provides actionable suggestions and warnings, helping us harden our systems effectively. It supports standards such as CIS benchmarks, ISO27001, HIPAA, and PCI-DSS, making it ideal for organizations with compliance requirements.
What is Lynis?
Lynis is a popular security auditing tool for UNIX-based systems like Linux, macOS, and BSD. It helps us:
- Identify security vulnerabilities
- Evaluate system hardening status
- Detect configuration flaws
- Meet compliance standards (e.g., PCI-DSS, HIPAA, ISO27001)
By integrating Lynis into our server maintenance routine, we can automate audits and respond to risks proactively.
Prerequisites
Before starting, make sure the AlmaLinux server is ready.
- A dedicated server or KVM VPS with AlmaLinux 9 installed.
- A root user or normal user with administrative privileges.
Automating AlmaLinux Server Security Audits with Lynis: Installation & Basic Scan Guide, and Applying Hardening Suggestions
Step 1: Update AlmaLinux System
Before installing any tools, let’s ensure our AlmaLinux server is up to date. Open a terminal and run:
sudo dnf update -y
sudo dnf upgrade -y
Keeping packages updated is a basic but critical layer of server security.
Step 2: Install Git (Required for Lynis Cloning)
If Git is not already installed on our server, install it with:
sudo dnf install git -y
We’ll use Git to clone the official Lynis repository from CISOfy.
Step 3: Clone the Lynis Repository
Now, let’s download the latest Lynis source code directly from GitHub:
cd /opt
sudo git clone https://github.com/CISOfy/lynis.git
sudo chown -R root:root lynis
This will clone Lynis into /opt/lynis. Changing the ownership to root ensures only the root user can modify the tool.
Step 4: Run a Basic Security Audit with Lynis
With Lynis downloaded, we can run our first scan.
Switch into the Lynis directory:
cd /opt/lynis
Then run:
sudo ./lynis audit system
This command initiates a full security audit. Lynis will check for:
- File permissions
- Installed packages
- Logging and auditing configuration
- Authentication mechanisms
- Kernel hardening settings
- Malware scanning configurations
- Firewall rules and more
Step 5: Review the Lynis Security Report
After the audit completes, Lynis gives us a summary:
- Hardening Index: A numeric score from 0 to 100+
- Suggestions: Actionable tips to improve security
- Warnings: Misconfigurations or critical risks
Reports are saved in:
/var/log/lynis.log
/var/log/lynis-report.dat
We recommend creating a checklist from the Suggestions and addressing each one in priority order.
Step 6: Schedule Regular Scans with Cron (Optional)
To automate our audits, we can schedule Lynis to run periodically using cron.
Open the root crontab:
sudo crontab -e
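Add the following line to run a scan every Sunday at midnight. The cd is needed because a Lynis Git clone looks for its include directory relative to the working directory, and cron does not start in /opt/lynis:
0 0 * * 0 cd /opt/lynis && ./lynis audit system --quiet
The --quiet flag reduces output noise but still logs findings. This ensures we don’t miss any changes in server posture over time.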
Step 7: Send Alerts or Reports (Optional Enhancements)
For production environments, consider piping the audit summary into an email or notification system. For example, using mailx:
sudo yum install mailx -y
sudo ./lynis audit system | mail -s "Weekly AlmaLinux Audit Report" admin@example.com
We can also parse the log file and push it into centralized SIEM tools or monitoring dashboards.
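One way to do that parsing, as an added example that is not part of Lynis or the original guide: it reads the hardening_index, warning[] and suggestion[] keys from the report, prints a one-line summary, and lists findings that were absent from the previous scan. The function names are hypothetical and the two sample reports are constructed, using the simplified suggestion format shown in this guide.

```shell
#!/bin/bash
# Added example (not from Lynis or the guide); names and sample data are constructed.

# Print each warning[]/suggestion[] entry as "kind: text", sorted and de-duplicated.
lynis_findings() {
    sed -n -E 's/^(warning|suggestion)\[\]=/\1: /p' "$1" | sort -u
}

# One-line summary for a mail subject or a syslog/SIEM event.
lynis_summary() {
    local idx warn sugg
    idx=$(sed -n 's/^hardening_index=//p' "$1" | head -n 1)
    warn=$(grep -c '^warning\[\]=' "$1" || true)
    sugg=$(grep -c '^suggestion\[\]=' "$1" || true)
    echo "hardening_index=${idx:-unknown} warnings=${warn} suggestions=${sugg}"
}

# Findings in the current report ($2) that were absent from the previous one ($1).
lynis_new_findings() {
    local prev
    prev=$(mktemp) || return 1
    lynis_findings "$1" > "$prev"
    lynis_findings "$2" | grep -Fxv -f "$prev" || true
    rm -f "$prev"
}

# Succeeds only if the index is at least $2 and the report contains no warnings.
lynis_gate() {
    local idx
    idx=$(sed -n 's/^hardening_index=//p' "$1" | head -n 1)
    [ "${idx:-0}" -ge "$2" ] && ! grep -q '^warning\[\]=' "$1"
}

# Constructed sample reports (not output from a real scan).
sample_dir=$(mktemp -d)
cat > "$sample_dir/previous.dat" <<'EOF'
hardening_index=66
suggestion[]=Install a firewall package like iptables or firewalld
suggestion[]=Configure password aging via chage or login.defs
EOF
cat > "$sample_dir/current.dat" <<'EOF'
hardening_index=61
warning[]=Constructed sample warning
suggestion[]=Configure password aging via chage or login.defs
suggestion[]=Disable unused filesystems in /etc/fstab
EOF
lynis_summary "$sample_dir/current.dat"
lynis_new_findings "$sample_dir/previous.dat" "$sample_dir/current.dat"
lynis_gate "$sample_dir/current.dat" 65 || echo "ALERT: posture below threshold"
```

For real use, copy /var/log/lynis-report.dat to a dated file after each scan so the next run has a previous report to compare against.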
Automating Server Hardening with Lynis
Take server auditing to the next level with this hands-on guide to automatically apply Lynis hardening suggestions on AlmaLinux using custom shell scripts.
Step 1: Run a Fresh Audit to Generate Suggestions
We assume Lynis is installed at /opt/lynis.
Run a fresh audit and generate the latest suggestions:
cd /opt/lynis
sudo ./lynis audit system
Now check the suggestions file:
cat /var/log/lynis-report.dat | grep suggestion
This gives output like:
suggestion[]=Install a firewall package like iptables or firewalld
suggestion[]=Configure password aging via chage or login.defs
suggestion[]=Disable unused filesystems in /etc/fstab
Step 2: Parse and Extract Suggestions from Report
Create a shell script to extract these lines into a simplified format:
File: parse_suggestions.sh
vi parse_suggestions.sh
Add the following content:
#!/bin/bash
report_file="/var/log/lynis-report.dat"
output_file="./parsed_suggestions.txt"
grep "^suggestion\[\]=" "$report_file" | sed 's/suggestion\[\]=//' > "$output_file"
echo "[+] Parsed suggestions saved to $output_file"
Make it executable:
chmod +x parse_suggestions.sh
./parse_suggestions.sh
Step 3: Create a Remediation Script Template
Next, let’s write a Bash script that reads from parsed_suggestions.txt and applies pre-coded fixes for known issues.
File: apply_remediations.sh
vi apply_remediations.sh
Add the following content:
#!/bin/bash
# Apply pre-coded fixes for the Lynis suggestions listed in parsed_suggestions.txt.
suggestions="./parsed_suggestions.txt"
while IFS= read -r line; do
    case "$line" in
        *"firewalld"*)
            echo "[+] Installing and enabling firewalld..."
            sudo dnf install firewalld -y
            sudo systemctl enable firewalld --now
            ;;
        *"password aging"*)
            echo "[+] Configuring password aging policy..."
            sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
            sudo sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 7/' /etc/login.defs
            ;;
        *"Disable unused filesystems"*)
            echo "[+] Disabling uncommon filesystems..."
            # Overwrite instead of appending so repeated runs do not duplicate the entries.
            printf 'install %s /bin/true\n' cramfs freevxfs jffs2 | sudo tee /etc/modprobe.d/disable-filesystems.conf
            ;;
        *"Install aide"*)
            echo "[+] Installing AIDE (file integrity monitor)..."
            sudo dnf install aide -y
            sudo aide --init
            sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
            ;;
        *"Configure auditing"*)
            echo "[+] Ensuring auditd is running..."
            sudo dnf install audit -y
            sudo systemctl enable auditd --now
            ;;
        *)
            # Anything without a coded fix is only reported, never changed.
            echo "[!] No remediation coded for: $line"
            ;;
    esac
done < "$suggestions"
Make it executable:
chmod +x apply_remediations.sh
./apply_remediations.sh
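The sed substitutions for PASS_MAX_DAYS and PASS_MIN_DAYS change nothing when the directive is missing or commented out in /etc/login.defs. An added example (not part of the original scripts) of a helper that handles that case and reports whether anything changed; get_login_def and set_login_def are hypothetical names, and the demo edits a constructed temporary file rather than the real one.

```shell
#!/bin/bash
# Added example (not from the guide): idempotent login.defs edit; helper names are hypothetical.

# Print the active value of KEY in FILE (empty if absent or commented out).
get_login_def() {
    awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}

# Set KEY to VALUE in FILE and report what happened, so cron logs show real changes.
set_login_def() {
    local key="$1" value="$2" file="$3" current
    current=$(get_login_def "$key" "$file")
    if [ "$current" = "$value" ]; then
        echo "unchanged $key"
    elif [ -n "$current" ]; then
        sed -i -E "s/^[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file"
        echo "updated $key $current -> $value"
    else
        # Directive missing or only present as a comment: a plain sed would do nothing.
        printf '%s %s\n' "$key" "$value" >> "$file"
        echo "added $key $value"
    fi
}

# Constructed sample file (not a real /etc/login.defs); PASS_MIN_DAYS is commented out.
demo_defs=$(mktemp)
cat > "$demo_defs" <<'EOF'
# constructed sample
PASS_MAX_DAYS   99999
#PASS_MIN_DAYS  0
EOF

for run in 1 2; do   # the second pass stands in for the next weekly cron run
    echo "run $run:"
    set_login_def PASS_MAX_DAYS 90 "$demo_defs"
    set_login_def PASS_MIN_DAYS 7 "$demo_defs"
done
```

The first pass reports one update and one addition; the second reports both keys as unchanged, which is what a weekly log should show on a stable host.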
Step 4: Combine into One Workflow
Let’s automate the full workflow: audit → parse → remediate.
File: lynis_auto_hardener.sh
vi lynis_auto_hardener.sh
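Add the following content:
#!/bin/bash
# Run the audit, extract the suggestions, then apply the coded remediations.
echo "[*] Starting Lynis Audit + Remediation..."
# Stop if the Lynis directory is missing, so the later steps do not run from the wrong place.
cd /opt/lynis || exit 1
sudo ./lynis audit system
echo "[*] Parsing suggestions..."
./parse_suggestions.sh
echo "[*] Applying remediations..."
./apply_remediations.sh
echo "[✓] System hardening automation complete."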
Step 5: Schedule This via Cron or Systemd Timer (Optional)
To automate regular audits and remediations, add a weekly cron job:
sudo crontab -e
0 3 * * 0 /opt/lynis/lynis_auto_hardener.sh >> /var/log/lynis-remediation.log 2>&1
Conclusion
By setting up Lynis on AlmaLinux, we’ve taken a major step toward proactive server security. From identifying misconfigurations to strengthening compliance, Lynis helps our DevOps and sysadmin teams build safer infrastructure.
Lynis offers a powerful way to audit system security, but real-world security requires action. By scripting around Lynis suggestions, we can quickly remediate common issues and enforce secure configurations across all AlmaLinux servers.
This automation is modular. As more suggestions arise, we can extend apply_remediations.sh with additional case statements and match phrases.
Stay secure. Automate the basics — so we can focus on the critical stuff.