Files
hermes-skills/skills/security-audits/lynis-security-scan/SKILL.md
T

3.2 KiB

name, description, version, author, tags
name description version author tags
lynis-security-scan Deploy and manage nightly Lynis security audits across all servers — package CVE scanning, misconfiguration detection, SSH brute-force monitoring. Silent when clean, alerts on new findings. 1.0.0 Sho'Nuff
security
lynis
audit
cve
scanning
cron

Lynis Security Scan

Deploy the Lynis system audit tool across all servers. Nightly runs at 3 AM. Silent when no new warnings appear. Alerts if new findings emerge.

Installation

apt-get install -y lynis
lynis --version  # should be 3.1.x+

First Run

lynis audit system --quick

Key output: Hardening index (0-100), Warnings count, Suggestions count.

Results are stored in /var/log/lynis-report.dat and /var/log/lynis.log.

Cron Deployment

The script at /root/.hermes/scripts/lynis-scan.sh:

#!/bin/bash
# Nightly security audit via Lynis
# Runs at 3 AM, outputs report, only alerts on new warnings
LOG="/var/log/lynis-report.dat"
PREV="/root/.hermes/lynis-prev.dat"

lynis audit system --quick > /dev/null 2>&1

# Count warnings
WARNS=$(grep -c "^warning\[\]" "$LOG" 2>/dev/null || echo 0)

# Compare with previous run
if [ -f "$PREV" ]; then
    OLD_WARNS=$(grep -c "^warning\[\]" "$PREV" 2>/dev/null || echo 0)
else
    OLD_WARNS=0
fi

cp "$LOG" "$PREV"

# Only output if something changed
if [ "$WARNS" -ne "$OLD_WARNS" ]; then
    echo "Lynis: $WARNS warnings (was $OLD_WARNS)"
    grep "^warning\[\]" "$LOG" | sed 's/warning\[\]=//' | tr '|' ' '
else
    echo "[SILENT]"
fi

Add as no_agent=True cron:

cronjob(action='create', name='lynis-scan', schedule='0 3 * * *',
  script='lynis-scan.sh', no_agent=True, deliver='origin')

Multi-Server Deployment

Copy the script to each server and add to crontab. Use the server's native crontab rather than the Hermes cron system — the Hermes cron scheduler only runs on the host box, so it cannot schedule jobs on remote servers. Use SSH + crontab -l to deploy remotely:

scp /root/.hermes/scripts/lynis-scan.sh root@<server>:/usr/local/bin/
ssh root@<server> 'chmod +x /usr/local/bin/lynis-scan.sh && \
  (crontab -l 2>/dev/null; echo "0 3 * * * /usr/local/bin/lynis-scan.sh") | crontab -'

Servers deployed

Server IP Date deployed Status
Core (netcup) 152.53.192.33 Jul 6, 2026 Running via cron job
wphost02 (Hetzner) 5.161.62.38 Jul 7, 2026 Running via crontab

Watchdog cron jobs should be no_agent=True. The script itself handles the decision logic (silent unless something changed). Wrapping it in an LLM agent adds unnecessary tokens and causes phantom typing indicators in Telegram. Set no_agent=True when creating/updating the cron job for this script.

Baseline Scores

Server Score (out of 100) Warnings
Netcup (core) 62 3 (vulnerable package, IPv6 DNS)
Hetzner wphost02 63 3 (to review)

Common warnings:

  • PKGS-7392: One or more vulnerable packages. Fix with apt-get update && apt-get upgrade.
  • NETW-2704/NETW-2705: Nameserver unreachable (often IPv6 DNS). Fix by disabling IPv6 DNS or adding working resolvers.