# Vulnerability Tracker

Classification: CONFIDENTIAL — Internal Use Only

Document: security/vuln/tracker.md · v1.0 · 2026-03-16 · GPUS-IT
## Summary

| Severity | Open | In Progress | Remediated |
|---|---|---|---|
| Critical (CVSS ≥ 9.0) | 0 | 0 | 0 |
| High (CVSS 7.0–8.9) | 2 | 0 | 0 |
| Medium (CVSS 4.0–6.9) | 3 | 2 | 0 |
| Low (CVSS < 4.0) | 2 | 0 | 1 |
## Open vulnerabilities

| ID | Component | Description | CVSS | Severity | Affected | Target | Status |
|---|---|---|---|---|---|---|---|
| VLN-001 | SSH Config | No MFA — password auth disabled but no TOTP/U2F second factor | 7.5 | High | ALL | Q2 2026 | Open |
| VLN-002 | Network | No VLAN segmentation between server roles | 7.2 | High | ALL | Q3 2026 | Open |
| VLN-003 | GCP IAM | Service account key stored on-disk — no Workload Identity Federation | 6.5 | Medium | GCP | Q2 2026 | In progress |
| VLN-004 | ESXi 6.7 | EOL hypervisor — no vendor security patches since Oct 2023 | 6.3 | Medium | WATER hypervisor | Q4 2026 | Open |
| VLN-005 | Identity | No SSO — separate credentials per service, no central identity | 5.4 | Medium | ALL | Q3 2026 | Open |
| VLN-006 | DNS | Recursive resolver accepts queries from all internal hosts | 4.9 | Medium | SKY/RAIN | Q2 2026 | In progress |
| VLN-007 | Logging | No centralized SIEM alerting — manual log review only | 3.8 | Low | WIND | Q3 2026 | Open |
| VLN-008 | Backup | No automated backup integrity verification or restore testing | 3.1 | Low | ALL | Q2 2026 | Open |
## Remediated vulnerabilities

| ID | Component | Description | CVSS | Remediated | Notes |
|---|---|---|---|---|---|
| VLN-009 | NTP | chronyd not verified — potential log timestamp skew | 2.6 | 2026-03-10 | chronyd verified and syncing on all 4 servers |
## Lynis scan findings

Daily Lynis scans run at 03:00 on all 4 servers. See Lynis Scan Results for the latest hardening index and warnings per server.

Current hardening indices (2026-03-16):

| Server | Hardening Index | Warnings | Suggestions |
|---|---|---|---|
| SKY | 79/100 | 1 (kernel reboot) | 23 |
| RAIN | 79/100 | 1 (kernel reboot) | 24 |
| SUN | 76/100 | 1 (kernel reboot) | 27 |
| WIND | 76/100 | 1 (kernel reboot) | 28 |
## VLN-001 — SSH MFA

```bash
# Install the Google Authenticator PAM module (from EPEL on RHEL-family hosts)
dnf install -y google-authenticator pam
# Enrol each account that logs in over SSH: time-based, no token reuse, at most
# 3 attempts per 30 s, window of 3 codes. Accounts not enrolled before the PAM line
# below becomes "required" will be locked out.
su - dnsadmin -c "google-authenticator -t -d -f -r 3 -R 30 -w 3"
# /etc/pam.d/sshd: password auth is already disabled, so drop the password-auth
# substack from the keyboard-interactive stage and require the TOTP verifier instead
sed -i 's/^auth[[:space:]]\+substack[[:space:]]\+password-auth/#&/' /etc/pam.d/sshd
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
# /etc/ssh/sshd_config: enable keyboard-interactive (KbdInteractiveAuthentication on
# OpenSSH >= 8.7, ChallengeResponseAuthentication on older releases) and require
# key AND TOTP. Without AuthenticationMethods, public-key logins never reach PAM and
# the TOTP prompt is silently skipped. First value wins, so check any existing
# AuthenticationMethods line or sshd_config.d drop-in before appending.
sed -i -E 's/^#?(ChallengeResponse|KbdInteractive)Authentication[[:space:]]+no/\1Authentication yes/' /etc/ssh/sshd_config
echo "AuthenticationMethods publickey,keyboard-interactive" >> /etc/ssh/sshd_config
# Validate before restarting and keep an existing session open until a new login works
sshd -t && systemctl restart sshd
```
## VLN-006 — DNS recursive query restriction

```bash
# /etc/named.conf: define the ACL before the options block, then restrict recursion
# to it (allow-query-cache follows allow-recursion when unset):
#
#   acl "internal" { 192.168.120.0/23; 192.168.124.0/24; 172.16.0.0/24; };
#   options {
#       ...
#       recursion yes;
#       allow-recursion { internal; };
#   };
#
# Check the syntax before reloading; a bad config would leave named on the old ACL
sudo named-checkconf /etc/named.conf && sudo rndc reload
```
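Verifying the two remediations above after they have been rolled out is easier with a script than with eyeballing config files. The block below is an added example, not part of the tracker or the team's tooling: it checks the VLN-001 conditions against the normalised output of `sshd -T` (both factors required, password auth still off, keyboard-interactive enabled) and the VLN-006 condition against named.conf (an `allow-recursion` ACL exists and is not wide open). The function and variable names are the example's own; the sample configurations are constructed so the checks run offline, and on a live host the same functions take `sshd -T` output and `/etc/named.conf`.

```shell
# Added verification helpers for VLN-001 and VLN-006 (example code, not the tracker's own).
# Both functions take configuration text, print a FAIL line per defect, and return non-zero
# if anything is wrong, so they can be run from cron or a Lynis custom test.

# VLN-001: sshd must require a key AND a keyboard-interactive (PAM/TOTP) step, with plain
# password logins still disabled. Input is `sshd -T` output (lower-case keywords).
check_ssh_mfa() {
    cfg=$1
    fail=0
    printf '%s\n' "$cfg" | grep -qiE '^passwordauthentication no$' \
        || { echo "FAIL: PasswordAuthentication is not 'no'"; fail=1; }
    # OpenSSH >= 8.7 reports kbdinteractiveauthentication, older releases challengeresponseauthentication
    printf '%s\n' "$cfg" | grep -qiE '^(kbdinteractive|challengeresponse)authentication yes$' \
        || { echo "FAIL: keyboard-interactive auth disabled, so the PAM TOTP step never runs"; fail=1; }
    # Exactly one method chain: key, then TOTP. 'any' or an alternative chain such as
    # 'publickey,keyboard-interactive publickey' would let a key alone log in.
    printf '%s\n' "$cfg" | grep -qiE '^authenticationmethods publickey,keyboard-interactive(:pam)?$' \
        || { echo "FAIL: AuthenticationMethods does not require publickey+keyboard-interactive"; fail=1; }
    return "$fail"
}

# VLN-006: named.conf must carry an explicit allow-recursion ACL that is not open to everyone.
check_named_recursion() {
    # Flatten so a multi-line options block can be matched with line-oriented grep
    flat=$(printf '%s' "$1" | tr '\n' ' ')
    acl=$(printf '%s' "$flat" | grep -oE 'allow-recursion[[:space:]]*[{][^}]*[}]' | head -n 1)
    if [ -z "$acl" ]; then
        echo "FAIL: no allow-recursion statement; BIND's default is not the enforced ACL"
        return 1
    fi
    if printf '%s' "$acl" | grep -qE '(^|[{; ])(any|0\.0\.0\.0/0|::/0)[ ;]'; then
        echo "FAIL: allow-recursion is open: $acl"
        return 1
    fi
    return 0
}

# Constructed samples (not captured from SKY/RAIN): one compliant and one non-compliant each
SAMPLE_SSHD_OK='passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive'
SAMPLE_SSHD_BAD='passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods any'
SAMPLE_NAMED_OK='acl "internal" { 192.168.120.0/23; 192.168.124.0/24; 172.16.0.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };
};'
SAMPLE_NAMED_BAD='options { recursion yes; allow-recursion { any; }; };'

# On a live host: check_ssh_mfa "$(sshd -T)"; check_named_recursion "$(cat /etc/named.conf)"
check_ssh_mfa "$SAMPLE_SSHD_OK" && echo "sshd sample: key + TOTP enforced"
check_ssh_mfa "$SAMPLE_SSHD_BAD" || echo "sshd sample: MFA NOT enforced (expected for the bad sample)"
check_named_recursion "$SAMPLE_NAMED_OK" && echo "named sample: recursion restricted to internal ACL"
check_named_recursion "$SAMPLE_NAMED_BAD" || echo "named sample: recursion open (expected for the bad sample)"
```

`sshd -T` needs root and prints the effective configuration after all `Include` drop-ins are merged, which is the value that matters when a drop-in silently overrides the edited `sshd_config`. The named check only inspects the config; an end-to-end confirmation is a recursive query from an address outside the ACL that comes back REFUSED.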