Strengthen Your Server with Automated Security Audits Using Ansible
Hi there! I’m Maneshwar. Right now, I’m building LiveAPI, a first-of-its-kind tool that helps you automatically index API endpoints across all your repositories. LiveAPI makes it easier to discover, understand, and interact with APIs in large infrastructures.
DevOps often emphasizes CI/CD, observability, and uptime — but what about proactive security hardening?
This post walks you through how to set up automated, cron-based security auditing with ClamAV and Lynis, powered by Ansible, and how to post alerts directly to Discord.
You’ll go from this:
ansible-playbook -i hosts.ini cron-all.yml -v
To an infrastructure where every server audits itself and sends alerts every night, with zero manual effort.
Tools Used
- Ansible — to orchestrate setup across all servers.
- ClamAV — antivirus for Linux.
- Lynis — a comprehensive Linux security auditing tool.
- Cron — for scheduled execution.
- Discord Webhooks — to notify you in real time.
- Ansible Galaxy — for clean project structure.
Project Layout
Let’s generate a reusable role using Galaxy:
ansible-galaxy init roles/cron-all
Here’s the final structure:
ansible/
├─ ansible.cfg
├─ cron-all.yml
├─ hosts.ini
├─ requirements.yml
├─ roles/
│ └─ cron-all/
│ ├─ tasks/
│ │ ├─ main.yml
│ │ ├─ crons.yml
│ │ └─ security_audit_issues.yml
│ ├─ templates/
│ │ ├─ crons.j2
│ │ └─ security_audit_issues.sh.j2
...
The Ansible Playbook
# cron-all.yml
---
- name: Install crons on all hosts
hosts: all
become: yes
gather_facts: true
remote_user: ubuntu
become_user: ubuntu
roles:
- cron-all
This runs the cron-all role as ubuntu, while elevating when needed for root-level tasks (e.g. installing packages or accessing /var/log).
Installing ClamAV & Lynis with Ansible
# roles/cron-all/tasks/security_audit_issues.yml
- name: Install ClamAV and Lynis
ansible.builtin.apt:
name:
- clamav
- lynis
state: present
update_cache: true
become: true
Also ensure fresh virus definitions and set up directories for logs and quarantine:
- name: Ensure ClamAV virus definitions are up to date
ansible.builtin.command: freshclam
register: clamav_update
changed_when: "'updated' in clamav_update.stdout"
failed_when: false
become: true
- name: Create log directory for security audit
ansible.builtin.file:
path: /home/ubuntu/crons/log
state: directory
owner: ubuntu
group: ubuntu
mode: "0755"
Scheduling the Cron Job
A smart cron loop pulls jobs from a template:
# roles/cron-all/tasks/crons.yml
- name: Add custom cron jobs to ubuntu user crontab
vars:
lines: "{{ lookup('template', 'crons.j2').splitlines() }}"
ansible.builtin.cron:
name: "{{ (idx > 0 and lines[idx-1].strip().startswith('#')) | ternary(lines[idx-1] | trim | regex_replace('^#\s*', ''), ' '.join(item.split()[5:])) }}"
minute: "{{ item.split()[0] }}"
hour: "{{ item.split()[1] }}"
day: "{{ item.split()[2] }}"
month: "{{ item.split()[3] }}"
weekday: "{{ item.split()[4] }}"
job: "{{ ' '.join(item.split()[5:]) }}"
user: ubuntu
loop: "{{ lines }}"
loop_control:
index_var: idx
when: item | trim | length > 0 and not item.strip().startswith('#')
The actual cron job comes from a template:
# roles/cron-all/templates/crons.j2
# 11:00 PM IST (converted to 17:30 UTC)
30 17 * * * sudo /bin/bash -lc "/home/ubuntu/crons/scan_and_audit.sh > /home/ubuntu/crons/log/scan_and_audit.log 2>&1"
The Audit Script
This Bash script:
- Logs to
/var/log/security_audit_<timestamp>.log - Runs
clamscanacross/ - Runs
lynis audit system - Sends the results to Discord via webhook
# roles/cron-all/templates/security_audit_issues.sh.j2
#!/bin/bash
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
TIMESTAMP=$(date '+%Y-%m-%d_%H-%M')
LOG_FILE="/var/log/security_audit_$TIMESTAMP.log"
WEBHOOK_URL="https://discord.com/api/webhooks/..." # Replace this
echo "🔐 Security Audit - $TIMESTAMP" | tee "$LOG_FILE"
echo "Running ClamAV scan..." | tee -a "$LOG_FILE"
mkdir -p /var/quarantine
clamscan -r / --infected --move=/var/quarantine | tee -a "$LOG_FILE"
CLAM_EXIT=${PIPESTATUS[0]}
echo -e "nRunning Lynis audit..." | tee -a "$LOG_FILE"
lynis audit system | tee -a "$LOG_FILE"
LYNIS_EXIT=${PIPESTATUS[0]}
# Prepare status
if [[ $CLAM_EXIT -eq 0 && $LYNIS_EXIT -eq 0 ]]; then
STATUS="✅ Security audit completed successfully."
else
STATUS="⚠️ Security audit completed with issues."
fi
read -r -d '' PAYLOAD << EOF
{ "content": "**$STATUS**" }
EOF
curl -X POST "$WEBHOOK_URL"
-F "payload_json=$PAYLOAD"
-F "file=@$LOG_FILE"
Running It
Make sure your hosts.ini points to your servers:
[all]
your-server-ip ansible_user=
ansible-playbook -i hosts.ini cron-all.yml -v
LiveAPI helps you get all your backend APIs documented in a few minutes.
With LiveAPI, you can generate interactive API docs that allow users to search and execute endpoints directly from the browser.
If you’re tired of updating Swagger manually or syncing Postman collections, give it a shot.
