#!/bin/bash # Nightly security audit via Lynis # Runs at 3 AM, outputs report, only alerts on new warnings LOG="/var/log/lynis-report.dat" PREV="/root/.hermes/lynis-prev.dat" lynis audit system --quick > /dev/null 2>&1 # Count warnings WARNS=$(grep -c "^warning\[\]" "$LOG" 2>/dev/null || echo 0) # Compare with previous run if [ -f "$PREV" ]; then OLD_WARNS=$(grep -c "^warning\[\]" "$PREV" 2>/dev/null || echo 0) else OLD_WARNS=0 fi # Save current for next comparison cp "$LOG" "$PREV" # Only output if something changed if [ "$WARNS" -ne "$OLD_WARNS" ]; then echo "Lynis: $WARNS warnings (was $OLD_WARNS)" grep "^warning\[\]" "$LOG" | sed 's/warning\[\]=//' | tr '|' ' ' else echo "[SILENT]" fi