3.2 KiB
name, description, version, author, tags
| name | description | version | author | tags | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| lynis-security-scan | Deploy and manage nightly Lynis security audits across all servers — package CVE scanning, misconfiguration detection, SSH brute-force monitoring. Silent when clean, alerts on new findings. | 1.0.0 | Sho'Nuff |
|
Lynis Security Scan
Deploy the Lynis system audit tool across all servers. Nightly runs at 3 AM. Silent when no new warnings appear. Alerts if new findings emerge.
Installation
apt-get install -y lynis
lynis --version # should be 3.1.x+
First Run
lynis audit system --quick
Key output: Hardening index (0-100), Warnings count, Suggestions count.
Results are stored in /var/log/lynis-report.dat and /var/log/lynis.log.
Cron Deployment
The script at /root/.hermes/scripts/lynis-scan.sh:
#!/bin/bash
# Nightly security audit via Lynis
# Runs at 3 AM, outputs report, only alerts on new warnings
LOG="/var/log/lynis-report.dat"
PREV="/root/.hermes/lynis-prev.dat"
lynis audit system --quick > /dev/null 2>&1
# Count warnings
WARNS=$(grep -c "^warning\[\]" "$LOG" 2>/dev/null || echo 0)
# Compare with previous run
if [ -f "$PREV" ]; then
OLD_WARNS=$(grep -c "^warning\[\]" "$PREV" 2>/dev/null || echo 0)
else
OLD_WARNS=0
fi
cp "$LOG" "$PREV"
# Only output if something changed
if [ "$WARNS" -ne "$OLD_WARNS" ]; then
echo "Lynis: $WARNS warnings (was $OLD_WARNS)"
grep "^warning\[\]" "$LOG" | sed 's/warning\[\]=//' | tr '|' ' '
else
echo "[SILENT]"
fi
Add as no_agent=True cron:
cronjob(action='create', name='lynis-scan', schedule='0 3 * * *',
script='lynis-scan.sh', no_agent=True, deliver='origin')
Multi-Server Deployment
Copy the script to each server and add to crontab. Use the server's native crontab rather than the Hermes cron system — the Hermes cron scheduler only runs on the host box, so it cannot schedule jobs on remote servers. Use SSH + crontab -l to deploy remotely:
scp /root/.hermes/scripts/lynis-scan.sh root@<server>:/usr/local/bin/
ssh root@<server> 'chmod +x /usr/local/bin/lynis-scan.sh && \
(crontab -l 2>/dev/null; echo "0 3 * * * /usr/local/bin/lynis-scan.sh") | crontab -'
Servers deployed
| Server | IP | Date deployed | Status |
|---|---|---|---|
| Core (netcup) | 152.53.192.33 | Jul 6, 2026 | ✅ Running via cron job |
| wphost02 (Hetzner) | 5.161.62.38 | Jul 7, 2026 | ✅ Running via crontab |
Watchdog cron jobs should be no_agent=True. The script itself handles the decision logic (silent unless something changed). Wrapping it in an LLM agent adds unnecessary tokens and causes phantom typing indicators in Telegram. Set no_agent=True when creating/updating the cron job for this script.
Baseline Scores
| Server | Score (out of 100) | Warnings |
|---|---|---|
| Netcup (core) | 62 | 3 (vulnerable package, IPv6 DNS) |
| Hetzner wphost02 | 63 | 3 (to review) |
Common warnings:
- PKGS-7392: One or more vulnerable packages. Fix with
apt-get update && apt-get upgrade. - NETW-2704/NETW-2705: Nameserver unreachable (often IPv6 DNS). Fix by disabling IPv6 DNS or adding working resolvers.