Athreya aka Maneshwar

Posted on Jul 2

Strengthen Your Server with Automated Security Audits Using Ansible

#webdev #beginners #devops #ansible

Hi there! I'm Maneshwar. Right now, I’m building LiveAPI, a first-of-its-kind tool that helps you automatically index API endpoints across all your repositories. LiveAPI makes it easier to discover, understand, and interact with APIs in large infrastructures.

DevOps often emphasizes CI/CD, observability, and uptime — but what about proactive security hardening?

This post walks you through how to set up automated, cron-based security auditing with ClamAV and Lynis, powered by Ansible, and how to post alerts directly to Discord.

You'll go from this:

ansible-playbook -i hosts.ini cron-all.yml -v

To an infrastructure where every server audits itself and sends alerts every night, with zero manual effort.

Tools Used

Ansible — to orchestrate setup across all servers.
ClamAV — antivirus for Linux.
Lynis — a comprehensive Linux security auditing tool.
Cron — for scheduled execution.
Discord Webhooks — to notify you in real time.
Ansible Galaxy — for clean project structure.

Project Layout

Let’s generate a reusable role using Galaxy:

ansible-galaxy init roles/cron-all

Here’s the final structure:

ansible/
├─ ansible.cfg
├─ cron-all.yml
├─ hosts.ini
├─ requirements.yml
├─ roles/
│  └─ cron-all/
│     ├─ tasks/
│     │  ├─ main.yml
│     │  ├─ crons.yml
│     │  └─ security_audit_issues.yml
│     ├─ templates/
│     │  ├─ crons.j2
│     │  └─ security_audit_issues.sh.j2
...

The Ansible Playbook

# cron-all.yml
---
- name: Install crons on all hosts
  hosts: all
  become: yes
  gather_facts: true
  remote_user: ubuntu
  become_user: ubuntu
  roles:
    - cron-all

This runs the cron-all role as ubuntu, while elevating when needed for root-level tasks (e.g. installing packages or accessing /var/log).

Installing ClamAV & Lynis with Ansible

# roles/cron-all/tasks/security_audit_issues.yml
- name: Install ClamAV and Lynis
  ansible.builtin.apt:
    name:
      - clamav
      - lynis
    state: present
    update_cache: true
  become: true

Also ensure fresh virus definitions and set up directories for logs and quarantine:

- name: Ensure ClamAV virus definitions are up to date
  ansible.builtin.command: freshclam
  register: clamav_update
  changed_when: "'updated' in clamav_update.stdout"
  failed_when: false
  become: true

- name: Create log directory for security audit
  ansible.builtin.file:
    path: /home/ubuntu/crons/log
    state: directory
    owner: ubuntu
    group: ubuntu
    mode: "0755"

Scheduling the Cron Job

A smart cron loop pulls jobs from a template:

# roles/cron-all/tasks/crons.yml
- name: Add custom cron jobs to ubuntu user crontab
  vars:
    lines: "{{ lookup('template', 'crons.j2').splitlines() }}"
  ansible.builtin.cron:
    name: "{{ (idx > 0 and lines[idx-1].strip().startswith('#')) | ternary(lines[idx-1] | trim | regex_replace('^#\\s*', ''), ' '.join(item.split()[5:])) }}"
    minute: "{{ item.split()[0] }}"
    hour: "{{ item.split()[1] }}"
    day: "{{ item.split()[2] }}"
    month: "{{ item.split()[3] }}"
    weekday: "{{ item.split()[4] }}"
    job: "{{ ' '.join(item.split()[5:]) }}"
    user: ubuntu
  loop: "{{ lines }}"
  loop_control:
    index_var: idx
  when: item | trim | length > 0 and not item.strip().startswith('#')

The actual cron job comes from a template:

# roles/cron-all/templates/crons.j2
# 11:00 PM IST (converted to 17:30 UTC)
30 17 * * * sudo /bin/bash -lc "/home/ubuntu/crons/scan_and_audit.sh > /home/ubuntu/crons/log/scan_and_audit.log 2>&1"

The Audit Script

This Bash script:

Logs to /var/log/security_audit_<timestamp>.log
Runs clamscan across /
Runs lynis audit system
Sends the results to Discord via webhook

# roles/cron-all/templates/security_audit_issues.sh.j2
#!/bin/bash
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

TIMESTAMP=$(date '+%Y-%m-%d_%H-%M')
LOG_FILE="/var/log/security_audit_$TIMESTAMP.log"
WEBHOOK_URL="https://discord.com/api/webhooks/..."  # Replace this

echo "🔐 Security Audit - $TIMESTAMP" | tee "$LOG_FILE"
echo "Running ClamAV scan..." | tee -a "$LOG_FILE"
mkdir -p /var/quarantine
clamscan -r / --infected --move=/var/quarantine | tee -a "$LOG_FILE"
CLAM_EXIT=${PIPESTATUS[0]}

echo -e "\nRunning Lynis audit..." | tee -a "$LOG_FILE"
lynis audit system | tee -a "$LOG_FILE"
LYNIS_EXIT=${PIPESTATUS[0]}

# Prepare status
if [[ $CLAM_EXIT -eq 0 && $LYNIS_EXIT -eq 0 ]]; then
    STATUS="✅ Security audit completed successfully."
else
    STATUS="⚠️ Security audit completed with issues."
fi

read -r -d '' PAYLOAD << EOF
{ "content": "**$STATUS**" }
EOF

curl -X POST "$WEBHOOK_URL" \
  -F "payload_json=$PAYLOAD" \
  -F "file=@$LOG_FILE"

Running It

Make sure your hosts.ini points to your servers:

[all]
your-server-ip ansible_user=

ansible-playbook -i hosts.ini cron-all.yml -v

LiveAPI helps you get all your backend APIs documented in a few minutes.

With LiveAPI, you can generate interactive API docs that allow users to search and execute endpoints directly from the browser.

If you're tired of updating Swagger manually or syncing Postman collections, give it a shot.

DEV Community