Learn how to automate security audits on Ubuntu servers using Lynis.
As server administrators and DevOps teams, securing our infrastructure is no longer optional — it's essential. One overlooked vulnerability can expose an entire application stack to serious threats. That’s why regular system audits are vital, and tools like Lynis help us automate the process.
Lynis is a powerful, open-source security auditing and compliance tool designed for Unix-based systems like Linux, macOS, and BSD. Created and maintained by CISOfy, Lynis is widely used by system administrators, DevOps engineers, and security professionals to assess the security posture of servers in real time.
Lynis not only identifies security gaps but also provides actionable suggestions and warnings, helping us harden our systems effectively. It supports standards such as CIS benchmarks, ISO27001, HIPAA, and PCI-DSS, making it ideal for organizations with compliance requirements.
Whether we're managing a single Ubuntu server or an enterprise infrastructure with hundreds of nodes, Lynis helps us automate, standardize, and scale our security auditing efforts.
We’ll walk through installing Lynis, performing a basic scan, and go deeper with advanced features like custom audit profiles, cron scheduling, and even CI/CD pipeline integration.
Prerequisites
Before starting, make sure your Ubuntu server is ready.
- A dedicated server or KVM VPS with Ubuntu 24.04 installed.
- A root user or normal user with administrative privileges.
Step 1: Update the Server
Keep your system up to date before installing any audit tools:
sudo apt update && sudo apt upgrade -y
Step 2: Install Lynis
Option A: APT Package (Quick)
sudo apt install lynis -y
Option B: From GitHub (Latest Features)
cd /opt
sudo git clone https://github.com/CISOfy/lynis
sudo chown -R $USER:$USER lynis
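IMPORTANT: If you installed Lynis from GitHub, change into /opt/lynis and start each command with ./lynis. If you installed the APT package, run sudo lynis directly. When run as root, Lynis checks the ownership of its own files; if it stops with an ownership warning, change the owner of /opt/lynis to root.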
Step 3: Verify Installation
cd /opt/lynis
./lynis show version
Step 4: Run a Basic Security Scan
sudo ./lynis audit system
This inspects more than 200 system configurations and services like:
- Firewall settings
- Kernel parameters
- SSH, sudoers, and login policies
- File permissions
- Malware detection (via ClamAV)
- Logging and auditd configuration
Step 5: Analyze Audit Results
After scanning, Lynis shows:
- Hardening index (0–100)
- Warnings (security issues)
- Suggestions (best practices)
Log and summary files are saved at:
/var/log/lynis.log
/var/log/lynis-report.dat
Step 6: Automate Weekly Scans
Use cron to schedule:
sudo crontab -e
Add:
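0 2 * * 0 cd /opt/lynis && ./lynis audit system --quiet >> /var/log/weekly-lynis.log 2>&1
This runs every Sunday at 2 AM. The cd is needed because a GitHub checkout of Lynis looks for its include directory relative to the current directory, and 2>&1 sends error messages to the same log.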
Step 7: Use a Custom Audit Profile (Advanced)
Create a profile for focused checks:
sudo mkdir -p /etc/lynis/custom
sudo cp /opt/lynis/default.prf /etc/lynis/custom/hardened.prf
Edit it to include/exclude modules:
sudo nano /etc/lynis/custom/hardened.prf
Example (check what each test ID covers in your Lynis version before skipping or enabling it):
skip-test=KRNL-5830 # skip IPv6 kernel test
enabled-test=AUTH-9222 # ensure sudo is protected
Run using the custom profile:
sudo ./lynis audit system --profile /etc/lynis/custom/hardened.prf
Step 8: Integrate Lynis into CI/CD Pipelines (Pro-level)
Lynis can be used as part of your server provisioning or CI/CD audit pipeline.
Example in a Bash-based CI step:
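#!/bin/bash
# Run the audit from the Lynis checkout; stop if the directory is missing.
cd /opt/lynis || exit 1
./lynis audit system --quick > lynis_output.txt
# Fail the build when the captured output mentions a warning.
if grep -q "Warning" lynis_output.txt; then
    echo "Security warnings found!"
    exit 1
fi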
This fails your CI build if any warnings are found — useful for pre-deployment checks.
Step 9: Export and Parse Audit Data
You can extract specific security events:
grep "^warning" /var/log/lynis-report.dat
grep "^suggestion" /var/log/lynis-report.dat
Convert output to JSON (for dashboards or monitoring):
jq -R -s -f lynis_to_json.jq /var/log/lynis-report.dat
(Requires a custom jq script for structured export.)
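As an alternative to the jq script, and as a stricter gate than grepping console output in Step 8, the report file can be parsed directly. This is an added example, not code from the original post or from the Lynis project; the function names, the sample report and the threshold of 70 are assumptions made for illustration.

```python
import json

# Constructed sample in the lynis-report.dat layout: "key=value" lines,
# repeated "key[]=value" entries, and "#" comment lines.
SAMPLE_REPORT = """\
# Lynis Report
lynis_version=3.0.9
hardening_index=64
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
"""
FINDING_FIELDS = ("test_id", "message", "details", "solution")

def parse_report(text):
    """Turn report text into a dict; "key[]" entries become lists."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            report.setdefault(key[:-2], []).append(value)
        else:
            report[key] = value
    # Findings are pipe-separated: test ID | message | details | solution
    for kind in ("warning", "suggestion"):
        report[kind] = [
            dict(zip(FINDING_FIELDS, (f if f != "-" else None for f in item.split("|"))))
            for item in report.get(kind, [])
        ]
    return report

def gate(report, min_index=70, max_warnings=0):
    """Return (passed, reasons) for a CI step; thresholds are assumed values."""
    reasons = []
    if len(report["warning"]) > max_warnings:
        reasons.append("warnings: " + ", ".join(w["test_id"] for w in report["warning"]))
    index = int(report.get("hardening_index", 0))
    if index < min_index:
        reasons.append(f"hardening index {index} below {min_index}")
    return (not reasons, reasons)

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(json.dumps(parsed, indent=2))
    passed, why = gate(parsed)
    raise SystemExit(0 if passed else "; ".join(why))
```

In a pipeline, read /var/log/lynis-report.dat instead of the sample string; the script exits non-zero with the failing test IDs, so the job log shows which findings blocked the build.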
Step 10: Pair with Other Tools
Enhance results with tools like:
- Fail2ban – for SSH brute force blocking
- ClamAV – for malware detection (Lynis will flag if missing)
- Auditd – to track system-level events (Lynis recommends configurations)
Summary: Why Lynis is Essential
- Agentless – No daemon, no bloat.
- Fast & Customizable – Scan only what we need.
- Scalable – Ideal for bare-metal and cloud servers.
- Compliance-Oriented – CIS, ISO, HIPAA recommendations.
- Automatable – Works in CI/CD, cron, Ansible.
Final Thoughts
Lynis goes beyond basic checks — it gives our Ubuntu servers a professional-grade security audit. By automating it and integrating with our workflows, we transform security from a manual burden into a seamless process.
In the next post, we’ll show how to automatically fix common Lynis warnings and convert hardening suggestions into shell scripts.
Let’s secure smarter, not harder.