Ubuntu Server Hardening Based on Lynis Scan Result

By Raman Kumar

Updated on Jun 17, 2025

Learn how to automatically fix common Lynis security audit warnings on Ubuntu servers.

Lynis is a powerful, open-source security auditing and compliance tool designed for Unix-based systems like Linux, macOS, and BSD. Created and maintained by CISOfy, Lynis is widely used by system administrators, DevOps engineers, and security professionals to assess the security posture of servers in real time.

Lynis not only identifies security gaps but also provides actionable suggestions and warnings, helping us harden our systems effectively. It supports standards such as CIS benchmarks, ISO27001, HIPAA, and PCI-DSS, making it ideal for organizations with compliance requirements.

Whether we're managing a single Ubuntu server or an enterprise infrastructure with hundreds of nodes, Lynis helps us automate, standardize, and scale our security auditing efforts.

In our previous guide, we installed Lynis and ran automated audits on our Ubuntu servers. Now it’s time to take it to the next level: automating the remediation process.

Instead of manually addressing each suggestion and warning, we can write a set of custom scripts that read Lynis output and apply the recommended system hardening changes.

Prerequisites

Before starting, make sure your Ubuntu server is ready and that Lynis is installed (see the previous guide).

Automating Ubuntu Server Hardening Based on Lynis Scan Results

Let’s automate it — securely and smartly.

Step 1: Prepare Your Environment

Always create a system backup or VM snapshot before applying automated changes:

sudo apt install rsync -y
sudo rsync -aAXv / /mnt/backup --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"}

Now let’s create a working directory for scripts:

mkdir -p ~/lynis-hardening
cd ~/lynis-hardening

Step 2: Parse Lynis Suggestions

Run a fresh audit and extract actionable suggestions:

sudo /opt/lynis/lynis audit system --quiet
grep "suggestion" /var/log/lynis-report.dat > suggestions.txt

This file will contain results like:

suggestion[]=Enable sysstat to collect performance data
suggestion[]=Install a malware scanner (e.g. ClamAV)
suggestion[]=Enable auditd service for event logging

Step 3: Map Suggestions to Hardening Commands

Now we’ll create a remediation script that maps these suggestions to commands.

File: auto_harden.sh

nano auto_harden.sh

Add the following content:

#!/bin/bash
# Applies fixes for the Lynis suggestions listed in suggestions.txt.
# The file is looked up next to this script (or passed as the first argument),
# so the script also works when invoked from another directory, e.g. by cron.
set -u

SUGGESTIONS="${1:-$(dirname "$0")/suggestions.txt}"

if [ ! -s "$SUGGESTIONS" ]; then
    echo "[-] No suggestions file found at $SUGGESTIONS" >&2
    exit 1
fi

echo "[+] Starting auto-hardening based on Lynis suggestions..."

# apt-get is used instead of apt because apt has no stable CLI for scripts.
if grep -q "sysstat" "$SUGGESTIONS"; then
    echo "[*] Installing sysstat..."
    sudo apt-get install -y sysstat
    sudo systemctl enable sysstat
fi

if grep -q "ClamAV" "$SUGGESTIONS"; then
    echo "[*] Installing ClamAV..."
    sudo apt-get install -y clamav clamav-daemon
    sudo systemctl enable clamav-freshclam
    sudo freshclam
fi

if grep -q "auditd" "$SUGGESTIONS"; then
    echo "[*] Installing auditd..."
    sudo apt-get install -y auditd
    sudo systemctl enable auditd
    sudo systemctl start auditd
fi

if grep -q "no password policy" "$SUGGESTIONS"; then
    echo "[*] Applying basic password policy..."
    sudo apt-get install -y libpam-pwquality
    # Ubuntu's pam-auth-update normally wires pam_pwquality in when the package
    # is installed; append a rule only if none is present, so a weekly run does
    # not add a duplicate line every time.
    if ! grep -q "pam_pwquality.so" /etc/pam.d/common-password; then
        echo "password requisite pam_pwquality.so retry=3 minlen=12 difok=3" | sudo tee -a /etc/pam.d/common-password
    fi
fi

echo "[+] Hardening complete. Reboot recommended if kernel changes were applied."
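Matching on free-text phrases ("no password policy", "sysstat") is fragile, because the wording of a Lynis suggestion can change between versions while its test ID stays the same. The lines in lynis-report.dat carry that ID as the first pipe-separated field (suggestion[]=TEST-ID|description|details|solution|). The script below is an added example, not part of the article or of Lynis itself: it parses a report by test ID, builds a plan of actions, and executes nothing unless DRY_RUN=0, so the plan can be reviewed first. The sample report is constructed, and the test IDs used in the case statement are my assumption of the IDs Lynis assigns to these checks; verify them against your own report before relying on them.

```bash
#!/bin/bash
# Added example (not from the article): parse /var/log/lynis-report.dat and map
# suggestions to actions by Lynis test ID instead of by grepping a phrase.
# Report lines look like: suggestion[]=TEST-ID|description|details|solution|
# The test IDs below are assumptions; check them against your own report.

# Print "TEST-ID|description" for every suggestion[] line in the report file.
lynis_suggestions() {
    sed -n 's/^suggestion\[]=//p' "$1" | cut -d '|' -f 1,2
}

# Turn each suggestion into an action keyword. Unknown IDs are reported rather
# than silently ignored, so new Lynis checks show up in the run log.
plan_actions() {
    lynis_suggestions "$1" | while IFS='|' read -r id desc; do
        case "$id" in
            ACCT-9626) echo "install-sysstat" ;;
            ACCT-9628) echo "install-auditd" ;;
            HRDN-7230) echo "install-clamav" ;;
            AUTH-9262) echo "configure-pwquality" ;;
            *)         echo "unhandled $id: $desc" ;;
        esac
    done
}

# Execute one action. With DRY_RUN=1 (the default here) the command is only
# printed; set DRY_RUN=0 to actually apply it.
run_action() {
    case "$1" in
        install-sysstat)     cmd="apt-get install -y sysstat && systemctl enable --now sysstat" ;;
        install-auditd)      cmd="apt-get install -y auditd && systemctl enable --now auditd" ;;
        install-clamav)      cmd="apt-get install -y clamav clamav-daemon && systemctl enable clamav-freshclam" ;;
        configure-pwquality) cmd="apt-get install -y libpam-pwquality" ;;
        *) echo "[!] $1"; return 0 ;;
    esac
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "[dry-run] $cmd"
    else
        sudo sh -c "$cmd"
    fi
}

# Constructed sample report so the script can be run stand-alone.
sample_report() {
    cat <<'EOF'
suggestion[]=ACCT-9626|Enable sysstat to collect accounting information|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=TEST-0000|A constructed check this script does not handle|-|-|
warning[]=TEST-0001|Warnings are a separate record type and are skipped here|-|-|
EOF
}

main() {
    report="${1:-$(mktemp)}"
    [ -s "$report" ] || sample_report > "$report"
    plan_actions "$report" | while read -r action; do run_action "$action"; done
}

main "$@"
```

Run it as ./plan.sh /var/log/lynis-report.dat to see what would be changed; only DRY_RUN=0 ./plan.sh /var/log/lynis-report.dat applies the plan.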

Step 4: Run the Automation Script

Give it executable permissions and run it:

chmod +x auto_harden.sh
./auto_harden.sh

This script reads suggestions.txt and applies fixes only if they are relevant — keeping changes contextual and safe.

Step 5: Schedule Regular Audit + Hardening

Let’s automate everything with a weekly cron job.

File: /etc/cron.weekly/lynis-auto-harden

nano /etc/cron.weekly/lynis-auto-harden

Add the following content:

#!/bin/bash
# Jobs in /etc/cron.weekly run as root, so ~ expands to /root here.
HARDEN_DIR=~/lynis-hardening

/opt/lynis/lynis audit system --quiet
grep "suggestion" /var/log/lynis-report.dat > "$HARDEN_DIR/suggestions.txt"

# auto_harden.sh reads suggestions.txt from the directory it is run in.
cd "$HARDEN_DIR" && bash ./auto_harden.sh

Make it executable:

sudo chmod +x /etc/cron.weekly/lynis-auto-harden

This will run every Sunday and patch common security gaps automatically. Because the job runs as root, ~ in the cron script resolves to /root, so keep the scripts in /root/lynis-hardening or adjust the paths accordingly.

Step 6: Log and Monitor Everything

To keep an audit trail:

sudo journalctl -u auditd > ~/lynis-hardening/auditd-log.txt
cat ~/lynis-hardening/suggestions.txt >> ~/lynis-hardening/hardening-history.log

We now have a record of both suggestions and actions taken.

Bonus: Email Notification (Optional)

Install mailutils, which provides the mail command, to receive alerts after automation:

sudo apt install mailutils -y

Update the cron script to send mail:

mail -s "Lynis Auto-Hardening Completed" your@email.com < ~/lynis-hardening/hardening-history.log
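Mailing the whole history log every week quickly trains people to ignore it. The functions below are an added example (not from the article) of a quieter design: each run is appended to hardening-history.log with a timestamp, the current suggestion list is compared against a snapshot from the previous run, and mail is sent only when new suggestions appeared. The file paths, the snapshot file and the MAIL_TO variable are assumptions; when MAIL_TO is unset the new items are printed instead of mailed, which is also how the stand-alone check below runs.

```bash
#!/bin/bash
# Added example (not from the article): timestamped run history plus
# change-only notification for the weekly Lynis auto-hardening job.
# MAIL_TO and the file paths are assumptions; the article keeps its files
# under ~/lynis-hardening.

# Append a timestamped copy of the current suggestions to the history log.
record_run() {
    suggestions="$1"; history="$2"
    {
        printf '=== %s ===\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        cat "$suggestions"
    } >> "$history"
}

# Print suggestions present in the current file but absent from the previous
# snapshot. A missing snapshot means everything is new. Exit status is 0 when
# at least one new line was printed, 1 otherwise (grep's own convention).
new_suggestions() {
    current="$1"; previous="$2"
    [ -f "$previous" ] || previous=/dev/null
    grep -vxF -f "$previous" "$current"
}

# Save the current list as the snapshot for next week's comparison.
save_snapshot() {
    cp "$1" "$2"
}

# Mail the new items when there are any; print them instead if MAIL_TO is unset.
# Returns 1 when nothing changed, so the caller can skip the rest of its work.
notify_if_changed() {
    current="$1"; previous="$2"
    changes="$(new_suggestions "$current" "$previous")" || {
        echo "[=] No new suggestions since the last run"
        return 1
    }
    if [ -n "${MAIL_TO:-}" ]; then
        printf '%s\n' "$changes" | mail -s "Lynis Auto-Hardening: new suggestions" "$MAIL_TO"
    else
        printf 'New suggestions:\n%s\n' "$changes"
    fi
    return 0
}
```

In the cron script, after auto_harden.sh has run, call record_run suggestions.txt hardening-history.log, then notify_if_changed suggestions.txt last-suggestions.txt, and finally save_snapshot suggestions.txt last-suggestions.txt so the next week compares against this run.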

Final Thoughts

By combining Lynis audits with auto-hardening scripts, we turn passive insights into automated action. This proactive approach helps our team scale security without manual overhead — perfect for managing fleets of Ubuntu servers or CI/CD deployment environments.

In the next article, we’ll integrate Lynis with Prometheus and Grafana for real-time monitoring of server hardening scores and security events.
