Initial skills documentation — 25 categories, all SKILL.md + references + scripts
This commit is contained in:
@@ -0,0 +1,98 @@
|
||||
---
|
||||
name: lynis-security-scan
|
||||
description: "Deploy and manage nightly Lynis security audits across all servers — package CVE scanning, misconfiguration detection, SSH brute-force monitoring. Silent when clean, alerts on new findings."
|
||||
version: 1.0.0
|
||||
author: Sho'Nuff
|
||||
tags: [security, lynis, audit, cve, scanning, cron]
|
||||
---
|
||||
|
||||
# Lynis Security Scan
|
||||
|
||||
Deploy the Lynis system audit tool across all servers. Nightly runs at 3 AM. Silent when no new warnings appear. Alerts if new findings emerge.
|
||||
|
||||
## Installation
|
||||
|
||||
```bash
|
||||
apt-get install -y lynis
|
||||
lynis --version # should be 3.1.x+
|
||||
```
|
||||
|
||||
## First Run
|
||||
|
||||
```bash
|
||||
lynis audit system --quick
|
||||
```
|
||||
|
||||
Key output: Hardening index (0-100), Warnings count, Suggestions count.
|
||||
|
||||
Results are stored in `/var/log/lynis-report.dat` and `/var/log/lynis.log`.
|
||||
|
||||
## Cron Deployment
|
||||
|
||||
The script at `/root/.hermes/scripts/lynis-scan.sh`:
|
||||
|
||||
```bash
|
||||
#!/bin/bash
|
||||
# Nightly security audit via Lynis
|
||||
# Runs at 3 AM, outputs report, only alerts on new warnings
|
||||
LOG="/var/log/lynis-report.dat"
|
||||
PREV="/root/.hermes/lynis-prev.dat"
|
||||
|
||||
lynis audit system --quick > /dev/null 2>&1
|
||||
|
||||
# Count warnings
|
||||
WARNS=$(grep -c "^warning\[\]" "$LOG" 2>/dev/null || echo 0)
|
||||
|
||||
# Compare with previous run
|
||||
if [ -f "$PREV" ]; then
|
||||
OLD_WARNS=$(grep -c "^warning\[\]" "$PREV" 2>/dev/null || echo 0)
|
||||
else
|
||||
OLD_WARNS=0
|
||||
fi
|
||||
|
||||
cp "$LOG" "$PREV"
|
||||
|
||||
# Only output if something changed
|
||||
if [ "$WARNS" -ne "$OLD_WARNS" ]; then
|
||||
echo "Lynis: $WARNS warnings (was $OLD_WARNS)"
|
||||
grep "^warning\[\]" "$LOG" | sed 's/warning\[\]=//' | tr '|' ' '
|
||||
else
|
||||
echo "[SILENT]"
|
||||
fi
|
||||
```
|
||||
|
||||
Add as no_agent=True cron:
|
||||
```bash
|
||||
cronjob(action='create', name='lynis-scan', schedule='0 3 * * *',
|
||||
script='lynis-scan.sh', no_agent=True, deliver='origin')
|
||||
```
|
||||
|
||||
## Multi-Server Deployment
|
||||
|
||||
Copy the script to each server and add to crontab. **Use the server's native crontab** rather than the Hermes cron system — the Hermes cron scheduler only runs on the host box, so it cannot schedule jobs on remote servers. Use SSH + `crontab -l` to deploy remotely:
|
||||
|
||||
```bash
|
||||
scp /root/.hermes/scripts/lynis-scan.sh root@<server>:/usr/local/bin/
|
||||
ssh root@<server> 'chmod +x /usr/local/bin/lynis-scan.sh && \
|
||||
(crontab -l 2>/dev/null; echo "0 3 * * * /usr/local/bin/lynis-scan.sh") | crontab -'
|
||||
```
|
||||
|
||||
### Servers deployed
|
||||
|
||||
| Server | IP | Date deployed | Status |
|
||||
|--------|----|-------------|--------|
|
||||
| Core (netcup) | 152.53.192.33 | Jul 6, 2026 | ✅ Running via cron job |
|
||||
| wphost02 (Hetzner) | 5.161.62.38 | Jul 7, 2026 | ✅ Running via crontab |
|
||||
|
||||
**Watchdog cron jobs should be no_agent=True.** The script itself handles the decision logic (silent unless something changed). Wrapping it in an LLM agent adds unnecessary tokens and causes phantom typing indicators in Telegram. Set `no_agent=True` when creating/updating the cron job for this script.
|
||||
|
||||
## Baseline Scores
|
||||
|
||||
| Server | Score (out of 100) | Warnings |
|
||||
|--------|-------------------|----------|
|
||||
| Netcup (core) | 62 | 3 (vulnerable package, IPv6 DNS) |
|
||||
| Hetzner wphost02 | 63 | 3 (to review) |
|
||||
|
||||
Common warnings:
|
||||
- **PKGS-7392**: One or more vulnerable packages. Fix with `apt-get update && apt-get upgrade`.
|
||||
- **NETW-2704/NETW-2705**: Nameserver unreachable (often IPv6 DNS). Fix by disabling IPv6 DNS or adding working resolvers.
|
||||
Reference in New Issue
Block a user