Files

99 lines
3.2 KiB
Markdown

---
name: lynis-security-scan
description: "Deploy and manage nightly Lynis security audits across all servers — package CVE scanning, misconfiguration detection, SSH brute-force monitoring. Silent when clean, alerts on new findings."
version: 1.0.0
author: Sho'Nuff
tags: [security, lynis, audit, cve, scanning, cron]
---
# Lynis Security Scan
Deploy the Lynis system audit tool across all servers. Nightly runs at 3 AM. Silent when no new warnings appear. Alerts if new findings emerge.
## Installation
```bash
apt-get install -y lynis
lynis --version # should be 3.1.x+
```
## First Run
```bash
lynis audit system --quick
```
Key output: Hardening index (0-100), Warnings count, Suggestions count.
Results are stored in `/var/log/lynis-report.dat` and `/var/log/lynis.log`.
## Cron Deployment
The script at `/root/.hermes/scripts/lynis-scan.sh`:
```bash
#!/bin/bash
# Nightly security audit via Lynis
# Runs at 3 AM, outputs report, only alerts on new warnings
LOG="/var/log/lynis-report.dat"
PREV="/root/.hermes/lynis-prev.dat"
lynis audit system --quick > /dev/null 2>&1
# Count warnings
WARNS=$(grep -c "^warning\[\]" "$LOG" 2>/dev/null || echo 0)
# Compare with previous run
if [ -f "$PREV" ]; then
OLD_WARNS=$(grep -c "^warning\[\]" "$PREV" 2>/dev/null || echo 0)
else
OLD_WARNS=0
fi
cp "$LOG" "$PREV"
# Only output if something changed
if [ "$WARNS" -ne "$OLD_WARNS" ]; then
echo "Lynis: $WARNS warnings (was $OLD_WARNS)"
grep "^warning\[\]" "$LOG" | sed 's/warning\[\]=//' | tr '|' ' '
else
echo "[SILENT]"
fi
```
Add as no_agent=True cron:
```bash
cronjob(action='create', name='lynis-scan', schedule='0 3 * * *',
script='lynis-scan.sh', no_agent=True, deliver='origin')
```
## Multi-Server Deployment
Copy the script to each server and add to crontab. **Use the server's native crontab** rather than the Hermes cron system — the Hermes cron scheduler only runs on the host box, so it cannot schedule jobs on remote servers. Use SSH + `crontab -l` to deploy remotely:
```bash
scp /root/.hermes/scripts/lynis-scan.sh root@<server>:/usr/local/bin/
ssh root@<server> 'chmod +x /usr/local/bin/lynis-scan.sh && \
(crontab -l 2>/dev/null; echo "0 3 * * * /usr/local/bin/lynis-scan.sh") | crontab -'
```
### Servers deployed
| Server | IP | Date deployed | Status |
|--------|----|-------------|--------|
| Core (netcup) | 152.53.192.33 | Jul 6, 2026 | ✅ Running via cron job |
| wphost02 (Hetzner) | 5.161.62.38 | Jul 7, 2026 | ✅ Running via crontab |
**Watchdog cron jobs should be no_agent=True.** The script itself handles the decision logic (silent unless something changed). Wrapping it in an LLM agent adds unnecessary tokens and causes phantom typing indicators in Telegram. Set `no_agent=True` when creating/updating the cron job for this script.
## Baseline Scores
| Server | Score (out of 100) | Warnings |
|--------|-------------------|----------|
| Netcup (core) | 62 | 3 (vulnerable package, IPv6 DNS) |
| Hetzner wphost02 | 63 | 3 (to review) |
Common warnings:
- **PKGS-7392**: One or more vulnerable packages. Fix with `apt-get update && apt-get upgrade`.
- **NETW-2704/NETW-2705**: Nameserver unreachable (often IPv6 DNS). Fix by disabling IPv6 DNS or adding working resolvers.