99 lines
3.2 KiB
Markdown
99 lines
3.2 KiB
Markdown
---
|
|
name: lynis-security-scan
|
|
description: "Deploy and manage nightly Lynis security audits across all servers — package CVE scanning, misconfiguration detection, SSH brute-force monitoring. Silent when clean, alerts on new findings."
|
|
version: 1.0.0
|
|
author: Sho'Nuff
|
|
tags: [security, lynis, audit, cve, scanning, cron]
|
|
---
|
|
|
|
# Lynis Security Scan
|
|
|
|
Deploy the Lynis system audit tool across all servers. Nightly runs at 3 AM. Silent when no new warnings appear. Alerts if new findings emerge.
|
|
|
|
## Installation
|
|
|
|
```bash
|
|
apt-get install -y lynis
|
|
lynis --version # should be 3.1.x+
|
|
```
|
|
|
|
## First Run
|
|
|
|
```bash
|
|
lynis audit system --quick
|
|
```
|
|
|
|
Key output: Hardening index (0-100), Warnings count, Suggestions count.
|
|
|
|
Results are stored in `/var/log/lynis-report.dat` and `/var/log/lynis.log`.
|
|
|
|
## Cron Deployment
|
|
|
|
The script at `/root/.hermes/scripts/lynis-scan.sh`:
|
|
|
|
```bash
|
|
#!/bin/bash
|
|
# Nightly security audit via Lynis
|
|
# Runs at 3 AM, outputs report, only alerts on new warnings
|
|
LOG="/var/log/lynis-report.dat"
|
|
PREV="/root/.hermes/lynis-prev.dat"
|
|
|
|
lynis audit system --quick > /dev/null 2>&1
|
|
|
|
# Count warnings
|
|
WARNS=$(grep -c "^warning\[\]" "$LOG" 2>/dev/null || echo 0)
|
|
|
|
# Compare with previous run
|
|
if [ -f "$PREV" ]; then
|
|
OLD_WARNS=$(grep -c "^warning\[\]" "$PREV" 2>/dev/null || echo 0)
|
|
else
|
|
OLD_WARNS=0
|
|
fi
|
|
|
|
cp "$LOG" "$PREV"
|
|
|
|
# Only output if something changed
|
|
if [ "$WARNS" -ne "$OLD_WARNS" ]; then
|
|
echo "Lynis: $WARNS warnings (was $OLD_WARNS)"
|
|
grep "^warning\[\]" "$LOG" | sed 's/warning\[\]=//' | tr '|' ' '
|
|
else
|
|
echo "[SILENT]"
|
|
fi
|
|
```
|
|
|
|
Add as no_agent=True cron:
|
|
```bash
|
|
cronjob(action='create', name='lynis-scan', schedule='0 3 * * *',
|
|
script='lynis-scan.sh', no_agent=True, deliver='origin')
|
|
```
|
|
|
|
## Multi-Server Deployment
|
|
|
|
Copy the script to each server and add to crontab. **Use the server's native crontab** rather than the Hermes cron system — the Hermes cron scheduler only runs on the host box, so it cannot schedule jobs on remote servers. Use SSH + `crontab -l` to deploy remotely:
|
|
|
|
```bash
|
|
scp /root/.hermes/scripts/lynis-scan.sh root@<server>:/usr/local/bin/
|
|
ssh root@<server> 'chmod +x /usr/local/bin/lynis-scan.sh && \
|
|
(crontab -l 2>/dev/null; echo "0 3 * * * /usr/local/bin/lynis-scan.sh") | crontab -'
|
|
```
|
|
|
|
### Servers deployed
|
|
|
|
| Server | IP | Date deployed | Status |
|
|
|--------|----|-------------|--------|
|
|
| Core (netcup) | 152.53.192.33 | Jul 6, 2026 | ✅ Running via cron job |
|
|
| wphost02 (Hetzner) | 5.161.62.38 | Jul 7, 2026 | ✅ Running via crontab |
|
|
|
|
**Watchdog cron jobs should be no_agent=True.** The script itself handles the decision logic (silent unless something changed). Wrapping it in an LLM agent adds unnecessary tokens and causes phantom typing indicators in Telegram. Set `no_agent=True` when creating/updating the cron job for this script.
|
|
|
|
## Baseline Scores
|
|
|
|
| Server | Score (out of 100) | Warnings |
|
|
|--------|-------------------|----------|
|
|
| Netcup (core) | 62 | 3 (vulnerable package, IPv6 DNS) |
|
|
| Hetzner wphost02 | 63 | 3 (to review) |
|
|
|
|
Common warnings:
|
|
- **PKGS-7392**: One or more vulnerable packages. Fix with `apt-get update && apt-get upgrade`.
|
|
- **NETW-2704/NETW-2705**: Nameserver unreachable (often IPv6 DNS). Fix by disabling IPv6 DNS or adding working resolvers.
|