# Lynis Scan Results

Classification: CONFIDENTIAL — Internal Use Only

Document: security/vuln/lynis-scans.md · v1.1 · 2026-04-17 · GPUS-IT
## Overview

Lynis 3.1.6 runs daily at 03:00 UTC on all 4 WDC servers (SKY, RAIN, SUN, WIND) via `/usr/local/sbin/gpus-lynis-scan.sh`. It performs a CIS-aligned security audit of each host and outputs a hardening index, warnings, and suggestions. Results are stored at:

- Local (machine-readable summary): `/var/log/lynis/lynis-summary.json` (always-current snapshot; overwritten each run)
- Local (dated archive): `/var/log/lynis/lynis-summary-YYYY-MM-DD.json`
- NAS: `/mnt/nas-backup/<server>/scans/YYYY-MM-DD/`
- GCS: `gs://gpus-infra-backups-wdc/<server>/scans/YYYY-MM-DD/`
Live results are also visible on the SOC dashboard under the Hardening tab.
## JSON summary schema

As of April 2026, all 4 WDC servers generate a standardized `/var/log/lynis/lynis-summary.json` with the following 10 fields:

| Field | Type | Description |
|---|---|---|
| hostname | string | Short hostname of the scanned server (e.g., sky, rain, sun, wind) |
| scan_date | string (ISO 8601) | Timestamp when the Lynis scan completed |
| hardening_index | integer | Lynis hardening score, 0–100 |
| warnings_count | integer | Number of Lynis warning[] entries |
| suggestions_count | integer | Number of Lynis suggestion[] entries |
| tests_performed | integer | Count of Lynis tests actually executed this run |
| tests_skipped | integer | Count of Lynis tests skipped (e.g., unsupported on host) |
| firewall_active | boolean | Whether an active firewall was detected (firewalld on WDC hosts) |
| malware_scanner | string | Detected on-host malware scanner (or "none") |
| file_integrity | string | Detected file-integrity tool (e.g., "aide") |
The SOC dashboard Hardening tab and the report_generator.py pipeline on MAPLE both consume this JSON via the shared GCS path, so the schema is considered stable; additive field changes require a coordinated update of both consumers.
## Latest results — 2026-04-17
| Server | Hardening Index | Grade | Warnings | Suggestions | Scan Time |
|---|---|---|---|---|---|
| SKY | 81/100 | A | 1 | 22 | 03:00 UTC |
| RAIN | 81/100 | A | 1 | 23 | 03:00 UTC |
| SUN | 78/100 | B | 1 | 26 | 03:00 UTC |
| WIND | 78/100 | B | 1 | 27 | 03:00 UTC |
Grading scale: A ≥ 80 · B ≥ 65 · C ≥ 50 · D ≥ 35 · F < 35
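Both consumers of the summary file (the SOC Hardening tab and report_generator.py) depend on the 10-field schema above staying stable, and the table grades each host with the scale just given. The script below is an added example written for this page, not code from gpus-lynis-scan.sh, the SOC dashboard or report_generator.py: it checks one snapshot against the documented fields and types, derives the letter grade from the documented thresholds, and flags a drop against the previous run's index. The sample snapshot and its values are constructed, and the function names (`validate_summary`, `grade`, `assess`) are chosen here.

```python
"""Schema check and grading for a lynis-summary.json snapshot.

Added example for this page; not part of gpus-lynis-scan.sh or the SOC
dashboard. The field list and grading scale are the ones documented on
this page; the sample snapshot below is constructed, not a real scan.
"""
import json
from datetime import datetime

# The 10 documented summary fields and the JSON type each must carry.
SUMMARY_SCHEMA = {
    "hostname": str,
    "scan_date": str,
    "hardening_index": int,
    "warnings_count": int,
    "suggestions_count": int,
    "tests_performed": int,
    "tests_skipped": int,
    "firewall_active": bool,
    "malware_scanner": str,
    "file_integrity": str,
}

# Grading scale from the results section: A >= 80, B >= 65, C >= 50, D >= 35, else F.
GRADE_FLOORS = (("A", 80), ("B", 65), ("C", 50), ("D", 35))


def grade(hardening_index):
    """Map a 0-100 hardening index to the page's letter grade."""
    for letter, floor in GRADE_FLOORS:
        if hardening_index >= floor:
            return letter
    return "F"


def validate_summary(doc):
    """Return a list of schema problems; an empty list means the snapshot is usable."""
    problems = []
    for field, expected in SUMMARY_SCHEMA.items():
        if field not in doc:
            problems.append(f"missing field: {field}")
            continue
        value = doc[field]
        # bool is a subclass of int in Python, so "hardening_index": true would
        # otherwise pass as an integer; reject it explicitly.
        if expected is int and isinstance(value, bool):
            problems.append(f"{field}: expected integer, got boolean")
        elif not isinstance(value, expected):
            problems.append(f"{field}: expected {expected.__name__}, got {type(value).__name__}")
    # Unknown keys will not break a consumer, but they mean the schema changed
    # without the coordinated update this page requires, so surface them.
    extra = sorted(set(doc) - set(SUMMARY_SCHEMA))
    if extra:
        problems.append("undocumented fields present: " + ", ".join(extra))
    if problems:
        return problems
    if not 0 <= doc["hardening_index"] <= 100:
        problems.append("hardening_index outside 0-100")
    try:
        datetime.fromisoformat(doc["scan_date"].replace("Z", "+00:00"))
    except ValueError:
        problems.append("scan_date is not ISO 8601")
    return problems


def assess(summary_json, previous_index=None):
    """Parse one snapshot, validate it, grade it and flag a drop against the last run."""
    doc = json.loads(summary_json)
    problems = validate_summary(doc)
    if problems:
        return {"ok": False, "problems": problems}
    index = doc["hardening_index"]
    return {
        "ok": True,
        "hostname": doc["hostname"],
        "hardening_index": index,
        "grade": grade(index),
        "warnings": doc["warnings_count"],
        # A lower index than the previous run is the signal worth alerting on:
        # a remediation regressed or a new finding appeared.
        "regressed": previous_index is not None and index < previous_index,
    }


# Constructed sample snapshot in the documented shape (values are illustrative).
SAMPLE_SUMMARY = json.dumps({
    "hostname": "sky",
    "scan_date": "2026-04-17T03:04:11Z",
    "hardening_index": 81,
    "warnings_count": 1,
    "suggestions_count": 22,
    "tests_performed": 254,
    "tests_skipped": 12,
    "firewall_active": True,
    "malware_scanner": "none",
    "file_integrity": "aide",
})

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SUMMARY, previous_index=79), indent=2))
```

The `previous_index` argument is meant to be fed from the dated archive of the prior day, so the same function also produces the "regressed" signal that the hardening history table tracks by hand; the explicit boolean check exists because a JSON `true` in an integer field would otherwise pass `isinstance(value, int)` and silently grade as a 1/100 host.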
## Active warnings — all servers

### KRNL-5830 — Reboot required
All 4 servers report a pending kernel reboot. This is a non-critical finding indicating a kernel update has been applied but the system has not been rebooted to activate it.
Resolution: Schedule a maintenance window to reboot all 4 servers in sequence (SKY/RAIN can fail over during reboot; SUN/WIND can be rebooted independently as DNS/DHCP are unaffected).
## Top suggestions (common across servers)
| Lynis ID | Description | Priority |
|---|---|---|
| AUTH-9229 | Increase PAM password hashing rounds | Medium |
| AUTH-9282 | Set password expiry for all accounts | Medium |
| AUTH-9328 | Tighten default umask to 027 in /etc/profile and /etc/login.defs | Low |
| USB-1000 | Disable USB storage driver if not needed | Low |
| STRG-1846 | Disable firewire storage driver | Low |
| NETW-3200 | Disable unused protocols: dccp, sctp, rds, tipc | Low |
| SSH-7408 | Further harden SSH configuration | Low |
## Hardening history
| Date | SKY | RAIN | SUN | WIND | Notes |
|---|---|---|---|---|---|
| 2026-03-16 | 79 | 79 | 76 | 76 | Baseline — first automated scan |
| 2026-04-17 | 81 | 81 | 78 | 78 | Post-remediation; JSON summary standardized across all 4 hosts |
## Scan operations

### View latest results on a server

```bash
# Always-current summary (recommended — consumed by SOC dashboard + report generator)
cat /var/log/lynis/lynis-summary.json | python3 -m json.tool

# Specific dated archive
cat /var/log/lynis/lynis-summary-$(date +%Y-%m-%d).json
```
### Run a manual scan

### Check scan log

### View raw Lynis report

```bash
grep "^warning\[\]=" /var/log/lynis/lynis-report-$(date +%Y-%m-%d).dat
grep "^suggestion\[\]=" /var/log/lynis/lynis-report-$(date +%Y-%m-%d).dat | head -30
```
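The grep commands above list the raw entries; turning them into the counts and distinct test IDs that the summary JSON and the "Top suggestions" table carry means splitting each `warning[]=` / `suggestion[]=` line on `|`. The script below is an added example for this page, not code from Lynis or from gpus-lynis-scan.sh: it parses the report's flat key=value layout, where a key ending in `[]` repeats once per entry. The sample report is constructed (the test IDs are the ones listed on this page; the descriptive text and the `ID|description|details|solution|` field order are assumptions to verify against a real report on the host), and `parse_report` / `summarize` are names chosen here.

```python
"""Extract warning[] / suggestion[] findings from a Lynis report.dat file.

Added example for this page, not code from the Lynis project or from
gpus-lynis-scan.sh. The sample below is constructed: the test IDs are the
ones this page lists, the text after each ID is illustrative, and the
ID|description|details|solution| field order is an assumption to check
against a real report on the host.
"""
import json

# Constructed sample of the relevant report lines (a real report has many more keys).
SAMPLE_REPORT = """\
# Lynis report (constructed sample, not a real scan)
hostname=sun
hardening_index=78
warning[]=KRNL-5830|Reboot required|text:reboot|-|
suggestion[]=AUTH-9229|Increase PAM password hashing rounds|-|-|
suggestion[]=AUTH-9282|Set password expiry for all accounts|-|-|
suggestion[]=AUTH-9328|Tighten default umask to 027 in /etc/login.defs|-|-|
suggestion[]=NETW-3200|Disable unused protocol: dccp|-|-|
suggestion[]=NETW-3200|Disable unused protocol: sctp|-|-|
"""


def parse_report(text):
    """Parse key=value lines; keys ending in [] collect a list, others keep the last value."""
    doc = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        # Split on the first '=' only, so '=' inside a description is preserved.
        key, _, value = line.partition("=")
        if key.endswith("[]"):
            doc.setdefault(key[:-2], []).append(value)
        else:
            doc[key] = value
    return doc


def findings(doc, kind):
    """Return (test_id, description) pairs for 'warning' or 'suggestion' entries."""
    out = []
    for entry in doc.get(kind, []):
        parts = entry.split("|")
        test_id = parts[0]
        description = parts[1] if len(parts) > 1 else ""
        out.append((test_id, description))
    return out


def summarize(text):
    """Produce the count fields of the page's summary schema from one report."""
    doc = parse_report(text)
    warnings = findings(doc, "warning")
    suggestions = findings(doc, "suggestion")
    return {
        # 'hostname' and 'hardening_index' are assumed to be the report keys
        # carrying these values; confirm on the host before relying on them.
        "hostname": doc.get("hostname", ""),
        "hardening_index": int(doc.get("hardening_index", 0)),
        # Counts match the documented warnings_count / suggestions_count fields:
        # one entry per line, so NETW-3200 is counted once per protocol.
        "warnings_count": len(warnings),
        "suggestions_count": len(suggestions),
        # Distinct IDs are what the cross-host "Top suggestions" table rolls up.
        "warning_ids": sorted({tid for tid, _ in warnings}),
        "suggestion_ids": sorted({tid for tid, _ in suggestions}),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

The count/ID distinction matters when comparing hosts: a suggestion such as NETW-3200 appears once per protocol in the report, so `suggestions_count` can differ between SUN and WIND even when their distinct suggestion IDs are identical.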
### View GCS scan history for a server

```bash
/opt/google-cloud-sdk/bin/gsutil \
  -o 'Credentials:gs_service_key_file=/etc/gpus-backup-agent-key.json' \
  ls gs://gpus-infra-backups-wdc/sky/scans/
```
## Cron schedule
Runs at 03:00 UTC daily — 1 hour after the server backup cron (02:00) and 30 minutes after the portal backup cron on SKY (02:30) to avoid I/O contention. Deployed identically on all 4 WDC servers (SKY, RAIN, SUN, WIND).