--- name: lynis-security-scan description: "Deploy and manage nightly Lynis security audits across all servers — package CVE scanning, misconfiguration detection, SSH brute-force monitoring. Silent when clean, alerts on new findings." version: 1.0.0 author: Sho'Nuff tags: [security, lynis, audit, cve, scanning, cron] --- # Lynis Security Scan Deploy the Lynis system audit tool across all servers. Nightly runs at 3 AM. Silent when no new warnings appear. Alerts if new findings emerge. ## Installation ```bash apt-get install -y lynis lynis --version # should be 3.1.x+ ``` ## First Run ```bash lynis audit system --quick ``` Key output: Hardening index (0-100), Warnings count, Suggestions count. Results are stored in `/var/log/lynis-report.dat` and `/var/log/lynis.log`. ## Cron Deployment The script at `/root/.hermes/scripts/lynis-scan.sh`: ```bash #!/bin/bash # Nightly security audit via Lynis # Runs at 3 AM, outputs report, only alerts on new warnings LOG="/var/log/lynis-report.dat" PREV="/root/.hermes/lynis-prev.dat" lynis audit system --quick > /dev/null 2>&1 # Count warnings WARNS=$(grep -c "^warning\[\]" "$LOG" 2>/dev/null || echo 0) # Compare with previous run if [ -f "$PREV" ]; then OLD_WARNS=$(grep -c "^warning\[\]" "$PREV" 2>/dev/null || echo 0) else OLD_WARNS=0 fi cp "$LOG" "$PREV" # Only output if something changed if [ "$WARNS" -ne "$OLD_WARNS" ]; then echo "Lynis: $WARNS warnings (was $OLD_WARNS)" grep "^warning\[\]" "$LOG" | sed 's/warning\[\]=//' | tr '|' ' ' else echo "[SILENT]" fi ``` Add as no_agent=True cron: ```bash cronjob(action='create', name='lynis-scan', schedule='0 3 * * *', script='lynis-scan.sh', no_agent=True, deliver='origin') ``` ## Multi-Server Deployment Copy the script to each server and add to crontab. **Use the server's native crontab** rather than the Hermes cron system — the Hermes cron scheduler only runs on the host box, so it cannot schedule jobs on remote servers. Use SSH + `crontab -l` to deploy remotely: ```bash scp /root/.hermes/scripts/lynis-scan.sh root@:/usr/local/bin/ ssh root@ 'chmod +x /usr/local/bin/lynis-scan.sh && \ (crontab -l 2>/dev/null; echo "0 3 * * * /usr/local/bin/lynis-scan.sh") | crontab -' ``` ### Servers deployed | Server | IP | Date deployed | Status | |--------|----|-------------|--------| | Core (netcup) | 152.53.192.33 | Jul 6, 2026 | ✅ Running via cron job | | wphost02 (Hetzner) | 5.161.62.38 | Jul 7, 2026 | ✅ Running via crontab | **Watchdog cron jobs should be no_agent=True.** The script itself handles the decision logic (silent unless something changed). Wrapping it in an LLM agent adds unnecessary tokens and causes phantom typing indicators in Telegram. Set `no_agent=True` when creating/updating the cron job for this script. ## Baseline Scores | Server | Score (out of 100) | Warnings | |--------|-------------------|----------| | Netcup (core) | 62 | 3 (vulnerable package, IPv6 DNS) | | Hetzner wphost02 | 63 | 3 (to review) | Common warnings: - **PKGS-7392**: One or more vulnerable packages. Fix with `apt-get update && apt-get upgrade`. - **NETW-2704/NETW-2705**: Nameserver unreachable (often IPv6 DNS). Fix by disabling IPv6 DNS or adding working resolvers.