add ansible automation script

ansible/inventory/hosts

@@ -0,0 +1,10 @@
+[proxmox]
+10.10.26.12
+10.10.26.13
+10.10.26.14
+
+[proxmox:vars]
+ansible_user=root
+ansible_password=Pnd77net!
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+ansible_python_interpreter=/usr/bin/python3

ansible/playbooks/gather_proxmox_vms_lxcs.yml

@@ -0,0 +1,36 @@
+---
+- name: Gather Proxmox VM and LXC information
+  hosts: proxmox
+  gather_facts: false
+
+  tasks:
+    - name: Get list of KVM virtual machines
+      ansible.builtin.shell: |
+        qm list
+      register: qm_list_output
+      changed_when: false
+
+    - name: Get list of LXC containers
+      ansible.builtin.shell: |
+        pct list
+      register: pct_list_output
+      changed_when: false
+
+    - name: Ensure log directory exists on local machine
+      ansible.builtin.file:
+        path: "{{ playbook_dir }}/logs"
+        state: directory
+      delegate_to: localhost
+      run_once: true
+
+    - name: Write VM list to local log file
+      ansible.builtin.copy:
+        content: "{{ qm_list_output.stdout }}"
+        dest: "{{ playbook_dir }}/logs/{{ inventory_hostname }}_vms.log"
+      delegate_to: localhost
+
+    - name: Write LXC list to local log file
+      ansible.builtin.copy:
+        content: "{{ pct_list_output.stdout }}"
+        dest: "{{ playbook_dir }}/logs/{{ inventory_hostname }}_lxcs.log"
+      delegate_to: localhost

ansible/playbooks/logs/10.10.26.12_lxcs.log

@@ -0,0 +1,10 @@
+VMID       Status     Lock         Name                
+100        stopped                 apache-guacamole    
+106        stopped                 relay.avt.data-center.id
+109        stopped                 postgre-db          
+113        running                 new-web-portal      
+123        stopped                 moonwalker-web      
+124        stopped                 bacularis           
+140        stopped                 new-ssh-proxy       
+179        stopped                 jumphost-linux      
+183        stopped                 vaultwarden-revam   

ansible/playbooks/logs/10.10.26.12_lynis_report.log

@@ -0,0 +1,957 @@
+
+[ Lynis 3.1.4 ]
+
+################################################################################
+  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+  welcome to redistribute it under the terms of the GNU General Public License.
+  See the LICENSE file for details about using this software.
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  Enterprise support available (compliance, plugins, interface and tools)
+################################################################################
+
+
+[+] Initializing program
+------------------------------------
+- Detecting OS...  [ DONE ]
+- Checking profiles... [ DONE ]
+
+  ---------------------------------------------------
+  Program version:           3.1.4
+  Operating system:          Linux
+  Operating system name:     Debian
+  Operating system version:  13
+  Kernel version:            6.17.2
+  Hardware platform:         x86_64
+  Hostname:                  ppve02
+  ---------------------------------------------------
+  Profiles:                  /etc/lynis/default.prf
+  Log file:                  /var/log/lynis.log
+  Report file:               /var/log/lynis-report.dat
+  Report version:            1.0
+  Plugin directory:          /etc/lynis/plugins
+  ---------------------------------------------------
+  Auditor:                   [Not Specified]
+  Language:                  en
+  Test category:             all
+  Test group:                all
+  ---------------------------------------------------
+- Program update status...  [ NO UPDATE ]
+
+[+] System tools
+------------------------------------
+- Scanning available tools...
+- Checking system binaries...
+
+[+] Plugins (phase 1)
+------------------------------------
+Note: plugins have more extensive tests and may take several minutes to complete
+ 
+- Plugin: debian
+    [
+[+] Debian Tests
+------------------------------------
+- Checking for system binaries that are required by Debian Tests...
+- Checking /bin...  [ FOUND ]
+- Checking /sbin...  [ FOUND ]
+- Checking /usr/bin...  [ FOUND ]
+- Checking /usr/sbin...  [ FOUND ]
+- Checking /usr/local/bin...  [ FOUND ]
+- Checking /usr/local/sbin...  [ FOUND ]
+- Authentication:
+- PAM (Pluggable Authentication Modules):
+- libpam-tmpdir [ Not Installed ]
+- File System Checks:
+- DM-Crypt, Cryptsetup & Cryptmount:
+- Software:
+- apt-listbugs [ Not Installed ]
+- apt-listchanges [ Installed and enabled for apt ]
+- needrestart [ Not Installed ]
+- fail2ban [ Not Installed ]
+]
+
+[+] Boot and services
+------------------------------------
+- Service Manager [ systemd ]
+- Checking UEFI boot [ ENABLED ]
+- Checking Secure Boot [ DISABLED ]
+- Checking presence GRUB2 [ FOUND ]
+- Checking for password protection [ NONE ]
+- Check running services (systemctl) [ DONE ]
+Result: found 46 running services
+- Check enabled services at boot (systemctl) [ DONE ]
+Result: found 68 enabled services
+- Check startup files (permissions) [ OK ]
+- Running 'systemd-analyze security'
+Unit name (exposure value) and predicate
+--------------------------------
+- check-mk-agent-async.service (value=9.6) [ UNSAFE ]
+- chrony.service (value=3.5) [ PROTECTED ]
+- cmk-agent-ctl-daemon.service (value=4.4) [ PROTECTED ]
+- console-getty.service (value=9.6) [ UNSAFE ]
+- corosync.service (value=9.2) [ UNSAFE ]
+- cron.service (value=9.6) [ UNSAFE ]
+- dbus.service (value=9.3) [ UNSAFE ]
+- dm-event.service (value=9.5) [ UNSAFE ]
+- dnsmasq@jualan.service (value=9.6) [ UNSAFE ]
+- dnsmasq@terakhir.service (value=9.6) [ UNSAFE ]
+- emergency.service (value=9.5) [ UNSAFE ]
+- frr.service (value=9.8) [ UNSAFE ]
+- getty@tty1.service (value=9.6) [ UNSAFE ]
+- iscsid.service (value=9.5) [ UNSAFE ]
+- keepalived.service (value=9.6) [ UNSAFE ]
+- ksmtuned.service (value=9.6) [ UNSAFE ]
+- kvm_backup_service.service (value=9.6) [ UNSAFE ]
+- kvm_virt_server.service (value=9.6) [ UNSAFE ]
+- lldpd.service (value=8.5) [ EXPOSED ]
+- lvm2-lvmpolld.service (value=9.5) [ UNSAFE ]
+- lxc-monitord.service (value=9.6) [ UNSAFE ]
+- lxcfs.service (value=9.6) [ UNSAFE ]
+- lynis.service (value=9.6) [ UNSAFE ]
+- netavark-dhcp-proxy.service (value=9.6) [ UNSAFE ]
+- nfs-blkmap.service (value=9.5) [ UNSAFE ]
+- postfix.service (value=3.9) [ PROTECTED ]
+- postfix@-.service (value=3.9) [ PROTECTED ]
+- proxmenux-monitor.service (value=9.6) [ UNSAFE ]
+- proxmox-firewall.service (value=9.6) [ UNSAFE ]
+- pve-cluster.service (value=9.5) [ UNSAFE ]
+- pve-container@113.service (value=9.6) [ UNSAFE ]
+- pve-firewall.service (value=9.5) [ UNSAFE ]
+- pve-ha-crm.service (value=9.6) [ UNSAFE ]
+- pve-ha-lrm.service (value=9.6) [ UNSAFE ]
+- pve-lxc-syscalld.service (value=9.6) [ UNSAFE ]
+- pvedaemon.service (value=9.6) [ UNSAFE ]
+- pvefw-logger.service (value=9.5) [ UNSAFE ]
+- pveproxy.service (value=9.6) [ UNSAFE ]
+- pvescheduler.service (value=9.6) [ UNSAFE ]
+- pvestatd.service (value=9.6) [ UNSAFE ]
+- qmeventd.service (value=9.6) [ UNSAFE ]
+- rc-local.service (value=9.6) [ UNSAFE ]
+- rescue.service (value=9.5) [ UNSAFE ]
+- rpc-gssd.service (value=9.5) [ UNSAFE ]
+- rpc-statd-notify.service (value=9.5) [ UNSAFE ]
+- rpc-statd.service (value=9.5) [ UNSAFE ]
+- rpc-svcgssd.service (value=9.5) [ UNSAFE ]
+- rpcbind.service (value=9.5) [ UNSAFE ]
+- rrdcached.service (value=9.6) [ UNSAFE ]
+- rsyslog.service (value=4.5) [ PROTECTED ]
+- smartmontools.service (value=9.6) [ UNSAFE ]
+- snmpd.service (value=9.6) [ UNSAFE ]
+- spiceproxy.service (value=9.6) [ UNSAFE ]
+- ssh.service (value=9.6) [ UNSAFE ]
+- sshd@sshd-keygen.service (value=9.6) [ UNSAFE ]
+- systemd-ask-password-console.service (value=9.4) [ UNSAFE ]
+- systemd-ask-password-wall.service (value=9.4) [ UNSAFE ]
+- systemd-bsod.service (value=9.5) [ UNSAFE ]
+- systemd-hostnamed.service (value=1.7) [ PROTECTED ]
+- systemd-initctl.service (value=9.4) [ UNSAFE ]
+- systemd-journald.service (value=4.9) [ PROTECTED ]
+- systemd-logind.service (value=2.8) [ PROTECTED ]
+- systemd-networkd.service (value=2.9) [ PROTECTED ]
+- systemd-rfkill.service (value=9.4) [ UNSAFE ]
+- systemd-udevd.service (value=7.1) [ MEDIUM ]
+- user@0.service (value=9.8) [ UNSAFE ]
+- watchdog-mux.service (value=9.6) [ UNSAFE ]
+- wazuh-agent.service (value=9.6) [ UNSAFE ]
+- zfs-zed.service (value=9.6) [ UNSAFE ]
+
+[+] Kernel
+------------------------------------
+- Checking default runlevel [ runlevel 5 ]
+- Checking CPU support (NX/PAE)
+CPU support: PAE and/or NoeXecute supported [ FOUND ]
+- Checking kernel version and release [ DONE ]
+- Checking kernel type [ DONE ]
+- Checking loaded kernel modules [ DONE ]
+Found 125 active modules
+- Checking Linux kernel configuration file [ FOUND ]
+- Checking default I/O kernel scheduler [ NOT FOUND ]
+- Checking core dumps configuration
+- configuration in systemd conf files [ DEFAULT ]
+- configuration in /etc/profile [ DEFAULT ]
+- 'hard' configuration in /etc/security/limits.conf [ ENABLED ]
+- 'soft' configuration in /etc/security/limits.conf [ DISABLED ]
+- Checking setuid core dumps configuration [ DISABLED ]
+- Check if reboot is needed [ NO ]
+
+[+] Memory and Processes
+------------------------------------
+- Checking /proc/meminfo [ FOUND ]
+- Searching for dead/zombie processes [ NOT FOUND ]
+- Searching for IO waiting processes [ NOT FOUND ]
+- Search prelink tooling [ NOT FOUND ]
+
+[+] Users, Groups and Authentication
+------------------------------------
+- Administrator accounts [ OK ]
+- Unique UIDs [ OK ]
+- Consistency of group files (grpck) [ OK ]
+- Unique group IDs [ OK ]
+- Unique group names [ OK ]
+- Password file consistency [ OK ]
+- Password hashing methods [ OK ]
+- Checking password hashing rounds [ DISABLED ]
+- Query system users (non daemons) [ DONE ]
+- NIS+ authentication support [ NOT ENABLED ]
+- NIS authentication support [ NOT ENABLED ]
+- Sudoers file(s) [ FOUND ]
+- Permissions for directory: /etc/sudoers.d [ WARNING ]
+- Permissions for: /etc/sudoers [ OK ]
+- Permissions for: /etc/sudoers.d/README [ OK ]
+- Permissions for: /etc/sudoers.d/zfs [ OK ]
+- PAM password strength tools [ SUGGESTION ]
+- PAM configuration files (pam.conf) [ FOUND ]
+- PAM configuration files (pam.d) [ FOUND ]
+- PAM modules [ FOUND ]
+- LDAP module in PAM [ NOT FOUND ]
+- Accounts without expire date [ SUGGESTION ]
+- Accounts without password [ OK ]
+- Locked accounts [ FOUND ]
+- Checking user password aging (minimum) [ DISABLED ]
+- User password aging (maximum) [ DISABLED ]
+- Checking expired passwords [ OK ]
+- Checking Linux single user mode authentication [ OK ]
+- Determining default umask
+- umask (/etc/profile) [ NOT FOUND ]
+- umask (/etc/login.defs) [ SUGGESTION ]
+- LDAP authentication support [ NOT ENABLED ]
+- Logging failed login attempts [ DISABLED ]
+
+[+] Kerberos
+------------------------------------
+- Check for Kerberos KDC and principals [ NOT FOUND ]
+
+[+] Shells
+------------------------------------
+- Checking shells from /etc/shells
+Result: found 7 shells (valid shells: 7).
+- Session timeout settings/tools [ NONE ]
+- Checking default umask values
+- Checking default umask in /etc/bash.bashrc [ NONE ]
+- Checking default umask in /etc/profile [ NONE ]
+
+[+] File systems
+------------------------------------
+- Checking mount points
+- Checking /home mount point [ SUGGESTION ]
+- Checking /tmp mount point [ OK ]
+- Checking /var mount point [ SUGGESTION ]
+- Checking LVM volume groups [ FOUND ]
+- Checking LVM volumes [ FOUND ]
+- Query swap partitions (fstab) [ OK ]
+- Testing swap partitions [ OK ]
+- Testing /proc mount (hidepid) [ SUGGESTION ]
+- Checking for old files in /tmp [ OK ]
+- Checking /tmp sticky bit [ OK ]
+- Checking /var/tmp sticky bit [ OK ]
+- ACL support root file system [ ENABLED ]
+- Mount options of / [ NON DEFAULT ]
+- Mount options of /dev [ PARTIALLY HARDENED ]
+- Mount options of /dev/shm [ PARTIALLY HARDENED ]
+- Mount options of /run [ HARDENED ]
+- Mount options of /tmp [ PARTIALLY HARDENED ]
+- Total without nodev:12 noexec:18 nosuid:10 ro or noexec (W^X): 17 of total 35
+- Disable kernel support of some filesystems
+
+[+] USB Devices
+------------------------------------
+- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
+- Checking USB devices authorization [ ENABLED ]
+- Checking USBGuard [ NOT FOUND ]
+
+[+] Storage
+------------------------------------
+- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ]
+
+[+] NFS
+------------------------------------
+- Query rpc registered programs [ DONE ]
+- Query NFS versions [ DONE ]
+- Query NFS protocols [ DONE ]
+- Check running NFS daemon [ NOT FOUND ]
+
+[+] Name services
+------------------------------------
+- Checking search domains [ FOUND ]
+- Searching DNS domain name [ FOUND ]
+Domain name: avt.data-center.id
+- Checking /etc/hosts
+- Duplicate entries in hosts file [ NONE ]
+- Presence of configured hostname in /etc/hosts [ FOUND ]
+- Hostname mapped to localhost [ NOT FOUND ]
+- Localhost mapping to IP address [ OK ]
+
+[+] Ports and packages
+------------------------------------
+- Searching package managers
+
+  [WARNING]: Test NAME-4408 had a long execution: 10.079518 seconds
+
+- Searching dpkg package manager [ FOUND ]
+- Querying package manager
+- Query unpurged packages [ FOUND ]
+- Checking security repository in sources.list.d directory [ OK ]
+- Checking APT package database [ OK ]
+- Checking vulnerable packages [ WARNING ]
+
+  [WARNING]: Test PKGS-7392 had a long execution: 12.672509 seconds
+
+- Checking upgradeable packages [ SKIPPED ]
+- Checking package audit tool [ INSTALLED ]
+Found: apt-get
+- Toolkit for automatic upgrades [ NOT FOUND ]
+
+[+] Networking
+------------------------------------
+- Checking IPv6 configuration [ ENABLED ]
+Configuration method [ AUTO ]
+IPv6 only [ NO ]
+
+  [WARNING]: Test NETW-2600 had a long execution: 22.215080 seconds
+
+- Checking configured nameservers
+- Testing nameservers
+Nameserver: 10.10.10.11 [ NO RESPONSE ]
+Nameserver: 10.10.10.12 [ OK ]
+Nameserver: 8.8.8.8 [ OK ]
+- Minimal of 2 responsive nameservers [ OK ]
+- Getting listening ports (TCP/UDP) [ DONE ]
+- Checking promiscuous interfaces [ WARNING ]
+- Checking status DHCP client [ NOT ACTIVE ]
+- Checking for ARP monitoring software [ NOT FOUND ]
+- Uncommon network protocols [ 0 ]
+
+[+] Printers and Spools
+------------------------------------
+- Checking cups daemon [ NOT FOUND ]
+- Checking lp daemon [ NOT RUNNING ]
+
+[+] Software: e-mail and messaging
+------------------------------------
+- Postfix status [ RUNNING ]
+- Postfix configuration [ FOUND ]
+- Postfix banner [ WARNING ]
+
+[+] Software: firewalls
+------------------------------------
+- Checking iptables kernel module [ FOUND ]
+- Checking iptables policies of chains [ FOUND ]
+- Chain INPUT (table: filter, target: ACCEPT) [ ACCEPT ]
+- Chain INPUT (table: security, target: ACCEPT) [ ACCEPT ]
+- Checking for empty ruleset [ WARNING ]
+- Checking for unused rules [ OK ]
+- Checking host based firewall [ ACTIVE ]
+
+[+] Software: webserver
+------------------------------------
+- Checking Apache [ NOT FOUND ]
+- Checking nginx [ NOT FOUND ]
+
+[+] SSH Support
+------------------------------------
+- Checking running SSH daemon [ FOUND ]
+- Searching SSH configuration [ FOUND ]
+- OpenSSH option: AllowTcpForwarding [ SUGGESTION ]
+- OpenSSH option: ClientAliveCountMax [ SUGGESTION ]
+- OpenSSH option: ClientAliveInterval [ OK ]
+- OpenSSH option: FingerprintHash [ OK ]
+- OpenSSH option: GatewayPorts [ OK ]
+- OpenSSH option: IgnoreRhosts [ OK ]
+- OpenSSH option: LoginGraceTime [ OK ]
+- OpenSSH option: LogLevel [ SUGGESTION ]
+- OpenSSH option: MaxAuthTries [ SUGGESTION ]
+- OpenSSH option: MaxSessions [ SUGGESTION ]
+- OpenSSH option: PermitRootLogin [ SUGGESTION ]
+- OpenSSH option: PermitUserEnvironment [ OK ]
+- OpenSSH option: PermitTunnel [ OK ]
+- OpenSSH option: Port [ SUGGESTION ]
+- OpenSSH option: PrintLastLog [ OK ]
+- OpenSSH option: StrictModes [ OK ]
+- OpenSSH option: TCPKeepAlive [ SUGGESTION ]
+- OpenSSH option: UseDNS [ OK ]
+- OpenSSH option: X11Forwarding [ SUGGESTION ]
+- OpenSSH option: AllowAgentForwarding [ SUGGESTION ]
+- OpenSSH option: AllowUsers [ NOT FOUND ]
+- OpenSSH option: AllowGroups [ NOT FOUND ]
+
+[+] SNMP Support
+------------------------------------
+- Checking running SNMP daemon [ FOUND ]
+- Checking SNMP configuration [ FOUND ]
+- Checking SNMP community strings [ OK ]
+
+[+] Databases
+------------------------------------
+- MySQL process status [ FOUND ]
+
+[+] LDAP Services
+------------------------------------
+- Checking OpenLDAP instance [ NOT FOUND ]
+
+[+] PHP
+------------------------------------
+- Checking PHP [ NOT FOUND ]
+
+[+] Squid Support
+------------------------------------
+- Checking running Squid daemon [ NOT FOUND ]
+
+[+] Logging and files
+------------------------------------
+- Checking for a running log daemon [ OK ]
+- Checking Syslog-NG status [ NOT FOUND ]
+- Checking systemd journal status [ FOUND ]
+- Checking Metalog status [ NOT FOUND ]
+- Checking RSyslog status [ FOUND ]
+- Checking RFC 3195 daemon status [ NOT FOUND ]
+- Checking minilogd instances [ NOT FOUND ]
+- Checking wazuh-agent daemon status [ NOT FOUND ]
+- Checking logrotate presence [ OK ]
+- Checking remote logging [ ENABLED ]
+- Checking log directories (static list) [ DONE ]
+- Checking open log files [ DONE ]
+- Checking deleted files in use [ FILES FOUND ]
+
+[+] Insecure services
+------------------------------------
+- Installed inetd package [ NOT FOUND ]
+- Installed xinetd package [ OK ]
+- xinetd status [ NOT ACTIVE ]
+- Installed rsh client package [ OK ]
+- Installed rsh server package [ OK ]
+- Installed telnet client package [ OK ]
+- Installed telnet server package [ NOT FOUND ]
+- Checking NIS client installation [ OK ]
+- Checking NIS server installation [ OK ]
+- Checking TFTP client installation [ OK ]
+- Checking TFTP server installation [ OK ]
+
+[+] Banners and identification
+------------------------------------
+- /etc/issue [ FOUND ]
+- /etc/issue contents [ WEAK ]
+- /etc/issue.net [ FOUND ]
+- /etc/issue.net contents [ WEAK ]
+
+[+] Scheduled tasks
+------------------------------------
+- Checking crontab and cronjob files [ DONE ]
+
+[+] Accounting
+------------------------------------
+- Checking accounting information [ NOT FOUND ]
+- Checking sysstat accounting data [ NOT FOUND ]
+- Checking auditd [ NOT FOUND ]
+
+[+] Time and Synchronization
+------------------------------------
+- NTP daemon found: chronyd [ FOUND ]
+- Checking for a running NTP daemon or client [ OK ]
+
+[+] Cryptography
+------------------------------------
+- Checking for expired SSL certificates [0/152] [ NONE ]
+
+  [WARNING]: Test CRYP-7902 had a long execution: 13.384702 seconds
+
+- Kernel entropy is sufficient [ YES ]
+- HW RNG & rngd [ NO ]
+- SW prng [ NO ]
+- MOR variable not found [ WEAK ]
+
+[+] Virtualization
+------------------------------------
+
+[+] Containers
+------------------------------------
+
+[+] Security frameworks
+------------------------------------
+- Checking presence AppArmor [ FOUND ]
+- Checking AppArmor status [ ENABLED ]
+Found 95 unconfined processes
+- Checking presence SELinux [ NOT FOUND ]
+- Checking presence TOMOYO Linux [ NOT FOUND ]
+- Checking presence grsecurity [ NOT FOUND ]
+- Checking for implemented MAC framework [ OK ]
+
+[+] Software: file integrity
+------------------------------------
+- Checking file integrity tools
+- Wazuh (syscheck) [ FOUND ]
+- Checking presence integrity tool [ FOUND ]
+
+[+] Software: System tooling
+------------------------------------
+- Checking automation tooling
+- Ansible artifact [ FOUND ]
+- Automation tooling [ FOUND ]
+- Checking presence of Wazuh (agent) [ FOUND ]
+- Checking for IDS/IPS tooling [ FOUND ]
+
+[+] Software: Malware
+------------------------------------
+- Malware software components [ NOT FOUND ]
+
+[+] File Permissions
+------------------------------------
+- Starting file permissions check
+File: /boot/grub/grub.cfg [ OK ]
+File: /etc/crontab [ SUGGESTION ]
+File: /etc/group [ OK ]
+File: /etc/group- [ OK ]
+File: /etc/hosts.allow [ OK ]
+File: /etc/hosts.deny [ OK ]
+File: /etc/issue [ OK ]
+File: /etc/issue.net [ OK ]
+File: /etc/motd [ OK ]
+File: /etc/passwd [ OK ]
+File: /etc/passwd- [ OK ]
+File: /etc/ssh/sshd_config [ SUGGESTION ]
+Directory: /root/.ssh [ OK ]
+Directory: /etc/cron.d [ SUGGESTION ]
+Directory: /etc/cron.daily [ SUGGESTION ]
+Directory: /etc/cron.hourly [ SUGGESTION ]
+Directory: /etc/cron.weekly [ SUGGESTION ]
+Directory: /etc/cron.monthly [ SUGGESTION ]
+
+[+] Home directories
+------------------------------------
+- Permissions of home directories [ OK ]
+- Ownership of home directories [ OK ]
+- Checking shell history files [ OK ]
+
+[+] Kernel Hardening
+------------------------------------
+- Comparing sysctl key pairs with scan profile
+- dev.tty.ldisc_autoload (exp: 0) [ DIFFERENT ]
+- fs.protected_fifos (exp: 2) [ DIFFERENT ]
+- fs.protected_hardlinks (exp: 1) [ OK ]
+- fs.protected_regular (exp: 2) [ OK ]
+- fs.protected_symlinks (exp: 1) [ OK ]
+- fs.suid_dumpable (exp: 0) [ OK ]
+- kernel.core_uses_pid (exp: 1) [ OK ]
+- kernel.ctrl-alt-del (exp: 0) [ OK ]
+- kernel.dmesg_restrict (exp: 1) [ OK ]
+- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
+- kernel.modules_disabled (exp: 1) [ DIFFERENT ]
+- kernel.perf_event_paranoid (exp: 2 3 4) [ OK ]
+- kernel.randomize_va_space (exp: 2) [ OK ]
+- kernel.sysrq (exp: 0) [ DIFFERENT ]
+- kernel.unprivileged_bpf_disabled (exp: 1) [ DIFFERENT ]
+- kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
+- net.core.bpf_jit_harden (exp: 2) [ DIFFERENT ]
+- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
+- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
+- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
+- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
+- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
+- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
+- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
+- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
+- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
+- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
+- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
+- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
+- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
+- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
+- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
+
+[+] Hardening
+------------------------------------
+- Installed compiler(s) [ FOUND ]
+- Installed malware scanner [ NOT FOUND ]
+- Non-native binary formats [ FOUND ]
+
+[+] Custom tests
+------------------------------------
+- Running custom tests...  [ NONE ]
+
+[+] Plugins (phase 2)
+------------------------------------
+
+================================================================================
+
+  -[ Lynis 3.1.4 Results ]-
+
+  Warnings (18):
+  ----------------------------
+  ! Found one or more vulnerable packages. [PKGS-7392] 
+      https://cisofy.com/lynis/controls/PKGS-7392/
+
+  ! Nameserver 10.10.10.11 does not respond [NETW-2704] 
+      https://cisofy.com/lynis/controls/NETW-2704/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : ens27f0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : ens29f0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : ens29f1
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : bond0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap420i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap457i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap2001i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap2005i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap2006i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap2027i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap8080i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap2032i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap137i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap137i1
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found some information disclosure in SMTP banner (OS or software name) [MAIL-8818] 
+      https://cisofy.com/lynis/controls/MAIL-8818/
+
+  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
+      https://cisofy.com/lynis/controls/FIRE-4512/
+
+  Suggestions (51):
+  ----------------------------
+  * This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [LYNIS] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/LYNIS/
+
+  * Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [DEB-0280] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0280/
+
+  * Install apt-listbugs to display a list of critical bugs prior to each APT installation. [DEB-0810] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0810/
+
+  * Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [DEB-0831] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0831/
+
+  * Install fail2ban to automatically ban hosts that commit multiple authentication errors. [DEB-0880] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0880/
+
+  * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/BOOT-5122/
+
+  * Determine runlevel and services at startup [BOOT-5180] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/BOOT-5180/
+
+  * Consider hardening system services [BOOT-5264] 
+    - Details  : Run '/usr/bin/systemd-analyze security SERVICE' for each service
+    - Related resources
+      * Article: Systemd features to secure service files: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
+      * Website: https://cisofy.com/lynis/controls/BOOT-5264/
+
+  * Determine why /vmlinuz or /boot/vmlinuz is missing on this Debian/Ubuntu system. [KRNL-5788] 
+    - Details  : /vmlinuz or /boot/vmlinuz
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/KRNL-5788/
+
+  * Configure password hashing rounds in /etc/login.defs [AUTH-9230] 
+    - Related resources
+      * Article: Linux password security: hashing rounds: https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9230/
+
+  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc [AUTH-9262] 
+    - Related resources
+      * Article: Configure minimum password length for Linux systems: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9262/
+
+  * When possible set expire dates for all password protected accounts [AUTH-9282] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/AUTH-9282/
+
+  * Look at the locked accounts and consider removing them [AUTH-9284] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/AUTH-9284/
+
+  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: Configure minimum password length for Linux systems: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9286/
+
+  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: Configure minimum password length for Linux systems: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9286/
+
+  * Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027 [AUTH-9328] 
+    - Related resources
+      * Article: Set default file permissions on Linux with umask: https://linux-audit.com/filesystems/file-permissions/set-default-file-permissions-with-umask/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9328/
+
+  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/FILE-6310/
+
+  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/FILE-6310/
+
+  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/USB-1000/
+
+  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/STRG-1846/
+
+  * Purge old/removed packages (8 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [PKGS-7346] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7346/
+
+  * Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7370/
+
+  * Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7392/
+
+  * Install package apt-show-versions for patch management purposes [PKGS-7394] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7394/
+
+  * Consider using a tool to automatically apply upgrades [PKGS-7420] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7420/
+
+  * Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP). [NETW-2704] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-2704/
+
+  * Determine if protocol 'dccp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * Determine if protocol 'sctp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * Determine if protocol 'rds' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * Determine if protocol 'tipc' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [MAIL-8818] 
+    - Related resources
+      * Article: Postfix Hardening Guide for Security and Privacy: https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+      * Website: https://cisofy.com/lynis/controls/MAIL-8818/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : AllowTcpForwarding (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : ClientAliveCountMax (set 3 to 2)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : LogLevel (set INFO to VERBOSE)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : MaxAuthTries (set 6 to 3)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : MaxSessions (set 10 to 2)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : Port (set 22 to )
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : TCPKeepAlive (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : X11Forwarding (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : AllowAgentForwarding (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Check what deleted files are still in use and why. [LOGG-2190] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/LOGG-2190/
+
+  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
+    - Related resources
+      * Article: The real purpose of login banners: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: https://cisofy.com/lynis/controls/BANN-7126/
+
+  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
+    - Related resources
+      * Article: The real purpose of login banners: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: https://cisofy.com/lynis/controls/BANN-7130/
+
+  * Enable process accounting [ACCT-9622] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/ACCT-9622/
+
+  * Enable sysstat to collect accounting (no results) [ACCT-9626] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/ACCT-9626/
+
+  * Enable auditd to collect audit information [ACCT-9628] 
+    - Related resources
+      * Article: Linux audit framework 101: basic rules for configuration: https://linux-audit.com/linux-audit-framework/linux-audit-framework-101-basic-rules-for-configuration/
+      * Article: Monitoring Linux file access, changes and data modifications: https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/
+      * Website: https://cisofy.com/lynis/controls/ACCT-9628/
+
+  * Consider restricting file permissions [FILE-7524] 
+    - Details  : See screen output or log file
+    - Solution : Use chmod to change file permissions
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/FILE-7524/
+
+  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
+    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
+    - Related resources
+      * Article: Linux hardening with sysctl settings: https://linux-audit.com/linux-hardening-with-sysctl/
+      * Article: Overview of sysctl options and values: https://linux-audit.com/kernel/sysctl/
+      * Website: https://cisofy.com/lynis/controls/KRNL-6000/
+
+  * Harden compilers like restricting access to root user only [HRDN-7222] 
+    - Related resources
+      * Article: Why remove compilers from your system?: https://linux-audit.com/software/why-remove-compilers-from-your-system/
+      * Website: https://cisofy.com/lynis/controls/HRDN-7222/
+
+  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
+    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh
+    - Related resources
+      * Article: Antivirus for Linux: is it really needed?: https://linux-audit.com/malware/antivirus-for-linux-really-needed/
+      * Article: Monitoring Linux Systems for Rootkits: https://linux-audit.com/monitoring-linux-systems-for-rootkits/
+      * Website: https://cisofy.com/lynis/controls/HRDN-7230/
+
+  Follow-up:
+  ----------------------------
+  - Show details of a test (lynis show details TEST-ID)
+  - Check the logfile for all details (less /var/log/lynis.log)
+  - Read security controls texts (https://cisofy.com)
+  - Use --upload to upload data to central system (Lynis Enterprise users)
+
+================================================================================
+
+  Lynis security scan details:
+
+  Hardening index : 65 [#############       ]
+  Tests performed : 264
+  Plugins enabled : 1
+
+  Components:
+  - Firewall               [V]
+  - Malware scanner        [X]
+
+  Scan mode:
+  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]
+
+  Lynis modules:
+  - Compliance status      [?]
+  - Security audit         [V]
+  - Vulnerability scan     [V]
+
+  Files:
+  - Test and debug information      : /var/log/lynis.log
+  - Report data                     : /var/log/lynis-report.dat
+
+================================================================================
+
+  Lynis 3.1.4
+
+  Auditing, system hardening, and compliance for UNIX-based systems
+  (Linux, macOS, BSD, and others)
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  Enterprise support available (compliance, plugins, interface and tools)
+
+================================================================================
+
+  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)

ansible/playbooks/logs/10.10.26.12_vms.log

@@ -0,0 +1,56 @@
+      VMID NAME                 STATUS     MEM(MB)    BOOTDISK(GB) PID       
+       102 andromeda-vm-clone   stopped    32768            220.00 0         
+       103 andromedavm          stopped    32768            220.00 0         
+       114 pgsql-01             stopped    16384            300.00 0         
+       117 haproxy-01           stopped    4096             100.00 0         
+       137 milkywayvm           running    2048              20.00 12274     
+       160 foreman              stopped    8192              80.00 0         
+       220 bareos-server        stopped    8192             100.00 0         
+       221 bacula-server        stopped    8192              80.00 0         
+       305 ceph-01              stopped    16384             80.00 0         
+       307 ceph-03              stopped    16384             80.00 0         
+       350 grafana-loki         stopped    16384            100.00 0         
+       352 grafana-mimir        stopped    16384            100.00 0         
+       354 prometheus           stopped    8192             100.00 0         
+       401 ns1.data-center.online stopped    4096             100.00 0         
+       420 gitea                running    16384            300.00 10009     
+       421 seafile              stopped    32768             80.00 0         
+       450 local-dns-server     stopped    4096             100.00 0         
+       456 iam-datahall-01-new  stopped    8192             100.00 0         
+       457 iam-datahall-02-new  running    8192             100.00 10248     
+       458 kong-cluster-db      stopped    8192             100.00 0         
+       460 kong-node-1          stopped    8192              80.00 0         
+       461 kong-node-2          stopped    8192              80.00 0         
+       462 kong-node-3          stopped    8192              80.00 0         
+       463 kong-ha-1            stopped    8192              80.00 0         
+       464 kong-ha-2            stopped    8192              80.00 0         
+       465 open-km              stopped    8192             300.00 0         
+       561 minio-node-01        stopped    16384             80.00 0         
+       562 minio-node-02        stopped    16384             80.00 0         
+       563 minio-node-03        stopped    16384             80.00 0         
+       564 haproxy-node-01      stopped    4096              50.00 0         
+       899 excalidraw           stopped    8192             100.00 0         
+       901 web-jagatech         stopped    8192             100.00 0         
+      1003 kube-master-03       stopped    16384            300.00 0         
+      1005 kube-worker-node-02  stopped    16384            300.00 0         
+      2001 authentik            running    8192             300.00 10524     
+      2005 finops-revamp        running    8192             150.00 10718     
+      2006 vaultwarden          running    8192             100.00 10911     
+      2021 proxmox-backup       stopped    8192             300.00 0         
+      2022 jumpserver           stopped    32768            300.00 0         
+      2027 new-mail-server      running    32768            500.00 11113     
+      2029 penpot               stopped    8192             300.00 0         
+      2032 accurate-server      running    16384             80.00 11357     
+      5000 dxi-5000             stopped    16384            100.00 0         
+      8002 teraform             stopped    8192              50.00 0         
+      8080 service-desk         running    8192             100.00 11388     
+      9000 tester-bandwith      stopped    8192              50.00 0         
+      9001 gitea-runner-01      stopped    8192              50.00 0         
+     10000 docker-load-balancer stopped    16384            300.00 0         
+     10001 docker-node-01       stopped    16384            300.00 0         
+     10002 docker-node-02       stopped    16384            300.00 0         
+     10003 docker-node-03       stopped    16384            300.00 0         
+     10004 IOT-VM               stopped    16384            300.00 0         
+     90000 tools-baseos-massive stopped    8192              50.00 0         
+     99992 test-iam-dns         stopped    4096              50.00 0         
+    999999 kong-api-reff        stopped    2048              30.00 0         

ansible/playbooks/logs/10.10.26.13_lxcs.log

@@ -0,0 +1,8 @@
+VMID       Status     Lock         Name                
+101        running                 ns01.avt.data-center.id
+104        stopped                 grafana.avt.data-center.id
+105        stopped                 iam.avt.data-center.id
+110        stopped                 redis-db            
+178        stopped                 apache-guacamole    
+180        running                 oci-grafana         
+301        stopped                 ssh-proxy-poc       

ansible/playbooks/logs/10.10.26.13_lynis_report.log

@@ -0,0 +1,931 @@
+
+[ Lynis 3.1.4 ]
+
+################################################################################
+  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+  welcome to redistribute it under the terms of the GNU General Public License.
+  See the LICENSE file for details about using this software.
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  Enterprise support available (compliance, plugins, interface and tools)
+################################################################################
+
+
+[+] Initializing program
+------------------------------------
+- Detecting OS...  [ DONE ]
+- Checking profiles... [ DONE ]
+
+  ---------------------------------------------------
+  Program version:           3.1.4
+  Operating system:          Linux
+  Operating system name:     Debian
+  Operating system version:  13
+  Kernel version:            6.17.2
+  Hardware platform:         x86_64
+  Hostname:                  ppve03
+  ---------------------------------------------------
+  Profiles:                  /etc/lynis/default.prf
+  Log file:                  /var/log/lynis.log
+  Report file:               /var/log/lynis-report.dat
+  Report version:            1.0
+  Plugin directory:          /etc/lynis/plugins
+  ---------------------------------------------------
+  Auditor:                   [Not Specified]
+  Language:                  en
+  Test category:             all
+  Test group:                all
+  ---------------------------------------------------
+- Program update status...  [ NO UPDATE ]
+
+[+] System tools
+------------------------------------
+- Scanning available tools...
+- Checking system binaries...
+
+[+] Plugins (phase 1)
+------------------------------------
+Note: plugins have more extensive tests and may take several minutes to complete
+ 
+- Plugin: debian
+    [
+[+] Debian Tests
+------------------------------------
+- Checking for system binaries that are required by Debian Tests...
+- Checking /bin...  [ FOUND ]
+- Checking /sbin...  [ FOUND ]
+- Checking /usr/bin...  [ FOUND ]
+- Checking /usr/sbin...  [ FOUND ]
+- Checking /usr/local/bin...  [ FOUND ]
+- Checking /usr/local/sbin...  [ FOUND ]
+- Authentication:
+- PAM (Pluggable Authentication Modules):
+
+  [WARNING]: Test DEB-0001 had a long execution: 12.768266 seconds
+
+- libpam-tmpdir [ Not Installed ]
+- File System Checks:
+- DM-Crypt, Cryptsetup & Cryptmount:
+- Software:
+- apt-listbugs [ Not Installed ]
+- apt-listchanges [ Installed and enabled for apt ]
+- needrestart [ Not Installed ]
+- fail2ban [ Not Installed ]
+]
+
+[+] Boot and services
+------------------------------------
+- Service Manager [ systemd ]
+- Checking UEFI boot [ ENABLED ]
+- Checking Secure Boot [ DISABLED ]
+- Checking presence GRUB2 [ FOUND ]
+- Checking for password protection [ NONE ]
+- Check running services (systemctl) [ DONE ]
+Result: found 47 running services
+- Check enabled services at boot (systemctl) [ DONE ]
+Result: found 67 enabled services
+- Check startup files (permissions) [ OK ]
+- Running 'systemd-analyze security'
+Unit name (exposure value) and predicate
+--------------------------------
+- check-mk-agent-async.service (value=9.6) [ UNSAFE ]
+- chrony.service (value=3.5) [ PROTECTED ]
+- cmk-agent-ctl-daemon.service (value=4.4) [ PROTECTED ]
+- console-getty.service (value=9.6) [ UNSAFE ]
+- corosync.service (value=9.2) [ UNSAFE ]
+- cron.service (value=9.6) [ UNSAFE ]
+- dbus.service (value=9.3) [ UNSAFE ]
+- dm-event.service (value=9.5) [ UNSAFE ]
+- dnsmasq@jualan.service (value=9.6) [ UNSAFE ]
+- dnsmasq@terakhir.service (value=9.6) [ UNSAFE ]
+- emergency.service (value=9.5) [ UNSAFE ]
+- frr.service (value=9.8) [ UNSAFE ]
+- getty@tty1.service (value=9.6) [ UNSAFE ]
+- iscsid.service (value=9.5) [ UNSAFE ]
+- keepalived.service (value=9.6) [ UNSAFE ]
+- ksmtuned.service (value=9.6) [ UNSAFE ]
+- kvm_backup_service.service (value=9.6) [ UNSAFE ]
+- kvm_virt_server.service (value=9.6) [ UNSAFE ]
+- lldpd.service (value=8.5) [ EXPOSED ]
+- lvm2-lvmpolld.service (value=9.5) [ UNSAFE ]
+- lxc-monitord.service (value=9.6) [ UNSAFE ]
+- lxcfs.service (value=9.6) [ UNSAFE ]
+- lynis.service (value=9.6) [ UNSAFE ]
+- netavark-dhcp-proxy.service (value=9.6) [ UNSAFE ]
+- nfs-blkmap.service (value=9.5) [ UNSAFE ]
+- postfix.service (value=3.9) [ PROTECTED ]
+- postfix@-.service (value=3.9) [ PROTECTED ]
+- proxmenux-monitor.service (value=9.6) [ UNSAFE ]
+- proxmox-firewall.service (value=9.6) [ UNSAFE ]
+- pve-cluster.service (value=9.5) [ UNSAFE ]
+- pve-container@101.service (value=9.6) [ UNSAFE ]
+- pve-container@180.service (value=9.6) [ UNSAFE ]
+- pve-firewall.service (value=9.5) [ UNSAFE ]
+- pve-ha-crm.service (value=9.6) [ UNSAFE ]
+- pve-ha-lrm.service (value=9.6) [ UNSAFE ]
+- pve-lxc-syscalld.service (value=9.6) [ UNSAFE ]
+- pvedaemon.service (value=9.6) [ UNSAFE ]
+- pvefw-logger.service (value=9.5) [ UNSAFE ]
+- pveproxy.service (value=9.6) [ UNSAFE ]
+- pvescheduler.service (value=9.6) [ UNSAFE ]
+- pvestatd.service (value=9.6) [ UNSAFE ]
+- qmeventd.service (value=9.6) [ UNSAFE ]
+- rc-local.service (value=9.6) [ UNSAFE ]
+- rescue.service (value=9.5) [ UNSAFE ]
+- rpc-gssd.service (value=9.5) [ UNSAFE ]
+- rpc-statd-notify.service (value=9.5) [ UNSAFE ]
+- rpc-statd.service (value=9.5) [ UNSAFE ]
+- rpc-svcgssd.service (value=9.5) [ UNSAFE ]
+- rpcbind.service (value=9.5) [ UNSAFE ]
+- rrdcached.service (value=9.6) [ UNSAFE ]
+- rsyslog.service (value=4.5) [ PROTECTED ]
+- smartmontools.service (value=9.6) [ UNSAFE ]
+- snmpd.service (value=9.6) [ UNSAFE ]
+- spiceproxy.service (value=9.6) [ UNSAFE ]
+- ssh.service (value=9.6) [ UNSAFE ]
+- sshd@sshd-keygen.service (value=9.6) [ UNSAFE ]
+- systemd-ask-password-console.service (value=9.4) [ UNSAFE ]
+- systemd-ask-password-wall.service (value=9.4) [ UNSAFE ]
+- systemd-bsod.service (value=9.5) [ UNSAFE ]
+- systemd-hostnamed.service (value=1.7) [ PROTECTED ]
+- systemd-initctl.service (value=9.4) [ UNSAFE ]
+- systemd-journald.service (value=4.9) [ PROTECTED ]
+- systemd-logind.service (value=2.8) [ PROTECTED ]
+- systemd-networkd.service (value=2.9) [ PROTECTED ]
+- systemd-rfkill.service (value=9.4) [ UNSAFE ]
+- systemd-udevd.service (value=7.1) [ MEDIUM ]
+- user@0.service (value=9.8) [ UNSAFE ]
+- watchdog-mux.service (value=9.6) [ UNSAFE ]
+- wazuh-agent.service (value=9.6) [ UNSAFE ]
+- zfs-zed.service (value=9.6) [ UNSAFE ]
+
+[+] Kernel
+------------------------------------
+- Checking default runlevel [ runlevel 5 ]
+- Checking CPU support (NX/PAE)
+CPU support: PAE and/or NoeXecute supported [ FOUND ]
+- Checking kernel version and release [ DONE ]
+- Checking kernel type [ DONE ]
+- Checking loaded kernel modules [ DONE ]
+Found 125 active modules
+- Checking Linux kernel configuration file [ FOUND ]
+- Checking default I/O kernel scheduler [ NOT FOUND ]
+- Checking core dumps configuration
+- configuration in systemd conf files [ DEFAULT ]
+- configuration in /etc/profile [ DEFAULT ]
+- 'hard' configuration in /etc/security/limits.conf [ ENABLED ]
+- 'soft' configuration in /etc/security/limits.conf [ DISABLED ]
+- Checking setuid core dumps configuration [ DISABLED ]
+- Check if reboot is needed [ NO ]
+
+[+] Memory and Processes
+------------------------------------
+- Checking /proc/meminfo [ FOUND ]
+- Searching for dead/zombie processes [ NOT FOUND ]
+- Searching for IO waiting processes [ NOT FOUND ]
+- Search prelink tooling [ NOT FOUND ]
+
+[+] Users, Groups and Authentication
+------------------------------------
+- Administrator accounts [ OK ]
+- Unique UIDs [ OK ]
+- Consistency of group files (grpck) [ OK ]
+- Unique group IDs [ OK ]
+- Unique group names [ OK ]
+- Password file consistency [ OK ]
+- Password hashing methods [ OK ]
+- Checking password hashing rounds [ DISABLED ]
+- Query system users (non daemons) [ DONE ]
+- NIS+ authentication support [ NOT ENABLED ]
+- NIS authentication support [ NOT ENABLED ]
+- Sudoers file(s) [ FOUND ]
+- Permissions for directory: /etc/sudoers.d [ WARNING ]
+- Permissions for: /etc/sudoers [ OK ]
+- Permissions for: /etc/sudoers.d/zfs [ OK ]
+- Permissions for: /etc/sudoers.d/README [ OK ]
+- PAM password strength tools [ SUGGESTION ]
+- PAM configuration files (pam.conf) [ FOUND ]
+- PAM configuration files (pam.d) [ FOUND ]
+- PAM modules [ FOUND ]
+- LDAP module in PAM [ NOT FOUND ]
+- Accounts without expire date [ SUGGESTION ]
+- Accounts without password [ OK ]
+- Locked accounts [ FOUND ]
+- Checking user password aging (minimum) [ DISABLED ]
+- User password aging (maximum) [ DISABLED ]
+- Checking expired passwords [ OK ]
+- Checking Linux single user mode authentication [ OK ]
+- Determining default umask
+- umask (/etc/profile) [ NOT FOUND ]
+- umask (/etc/login.defs) [ SUGGESTION ]
+- LDAP authentication support [ NOT ENABLED ]
+- Logging failed login attempts [ DISABLED ]
+
+[+] Kerberos
+------------------------------------
+- Check for Kerberos KDC and principals [ NOT FOUND ]
+
+[+] Shells
+------------------------------------
+- Checking shells from /etc/shells
+Result: found 7 shells (valid shells: 7).
+- Session timeout settings/tools [ NONE ]
+- Checking default umask values
+- Checking default umask in /etc/bash.bashrc [ NONE ]
+- Checking default umask in /etc/profile [ NONE ]
+
+[+] File systems
+------------------------------------
+- Checking mount points
+- Checking /home mount point [ SUGGESTION ]
+- Checking /tmp mount point [ OK ]
+- Checking /var mount point [ SUGGESTION ]
+- Checking LVM volume groups [ FOUND ]
+- Checking LVM volumes [ FOUND ]
+- Query swap partitions (fstab) [ OK ]
+- Testing swap partitions [ OK ]
+- Testing /proc mount (hidepid) [ SUGGESTION ]
+- Checking for old files in /tmp [ OK ]
+- Checking /tmp sticky bit [ OK ]
+- Checking /var/tmp sticky bit [ OK ]
+- ACL support root file system [ ENABLED ]
+- Mount options of / [ NON DEFAULT ]
+- Mount options of /dev [ PARTIALLY HARDENED ]
+- Mount options of /dev/shm [ PARTIALLY HARDENED ]
+- Mount options of /run [ HARDENED ]
+- Mount options of /tmp [ PARTIALLY HARDENED ]
+- Total without nodev:12 noexec:18 nosuid:10 ro or noexec (W^X): 17 of total 35
+- Disable kernel support of some filesystems
+
+[+] USB Devices
+------------------------------------
+- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
+- Checking USB devices authorization [ ENABLED ]
+- Checking USBGuard [ NOT FOUND ]
+
+[+] Storage
+------------------------------------
+- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ]
+
+[+] NFS
+------------------------------------
+- Query rpc registered programs [ DONE ]
+- Query NFS versions [ DONE ]
+- Query NFS protocols [ DONE ]
+- Check running NFS daemon [ NOT FOUND ]
+
+[+] Name services
+------------------------------------
+- Checking search domains [ FOUND ]
+- Searching DNS domain name [ FOUND ]
+Domain name: avt.data-center.id
+- Checking /etc/hosts
+- Duplicate entries in hosts file [ NONE ]
+- Presence of configured hostname in /etc/hosts [ FOUND ]
+- Hostname mapped to localhost [ NOT FOUND ]
+- Localhost mapping to IP address [ OK ]
+
+[+] Ports and packages
+------------------------------------
+- Searching package managers
+
+  [WARNING]: Test NAME-4408 had a long execution: 10.121023 seconds
+
+- Searching dpkg package manager [ FOUND ]
+- Querying package manager
+- Query unpurged packages [ FOUND ]
+- Checking security repository in sources.list.d directory [ OK ]
+- Checking APT package database [ OK ]
+- Checking vulnerable packages [ WARNING ]
+
+  [WARNING]: Test PKGS-7392 had a long execution: 12.847876 seconds
+
+- Checking upgradeable packages [ SKIPPED ]
+- Checking package audit tool [ INSTALLED ]
+Found: apt-get
+- Toolkit for automatic upgrades [ NOT FOUND ]
+
+[+] Networking
+------------------------------------
+- Checking IPv6 configuration [ ENABLED ]
+Configuration method [ AUTO ]
+IPv6 only [ NO ]
+
+  [WARNING]: Test NETW-2600 had a long execution: 29.914320 seconds
+
+- Checking configured nameservers
+- Testing nameservers
+Nameserver: 10.10.10.11 [ NO RESPONSE ]
+Nameserver: 10.10.10.12 [ OK ]
+Nameserver: 8.8.8.8 [ OK ]
+- Minimal of 2 responsive nameservers [ OK ]
+- Getting listening ports (TCP/UDP) [ DONE ]
+- Checking promiscuous interfaces [ WARNING ]
+- Checking status DHCP client [ NOT ACTIVE ]
+- Checking for ARP monitoring software [ NOT FOUND ]
+- Uncommon network protocols [ 0 ]
+
+[+] Printers and Spools
+------------------------------------
+- Checking cups daemon [ NOT FOUND ]
+- Checking lp daemon [ NOT RUNNING ]
+
+[+] Software: e-mail and messaging
+------------------------------------
+- Postfix status [ RUNNING ]
+- Postfix configuration [ FOUND ]
+- Postfix banner [ WARNING ]
+
+[+] Software: firewalls
+------------------------------------
+- Checking iptables kernel module [ FOUND ]
+- Checking iptables policies of chains [ FOUND ]
+- Chain INPUT (table: filter, target: ACCEPT) [ ACCEPT ]
+- Chain INPUT (table: security, target: ACCEPT) [ ACCEPT ]
+- Checking for empty ruleset [ WARNING ]
+- Checking for unused rules [ OK ]
+- Checking host based firewall [ ACTIVE ]
+
+[+] Software: webserver
+------------------------------------
+- Checking Apache [ NOT FOUND ]
+- Checking nginx [ NOT FOUND ]
+
+[+] SSH Support
+------------------------------------
+- Checking running SSH daemon [ FOUND ]
+- Searching SSH configuration [ FOUND ]
+- OpenSSH option: AllowTcpForwarding [ SUGGESTION ]
+- OpenSSH option: ClientAliveCountMax [ SUGGESTION ]
+- OpenSSH option: ClientAliveInterval [ OK ]
+- OpenSSH option: FingerprintHash [ OK ]
+- OpenSSH option: GatewayPorts [ OK ]
+- OpenSSH option: IgnoreRhosts [ OK ]
+- OpenSSH option: LoginGraceTime [ OK ]
+- OpenSSH option: LogLevel [ SUGGESTION ]
+- OpenSSH option: MaxAuthTries [ SUGGESTION ]
+- OpenSSH option: MaxSessions [ SUGGESTION ]
+- OpenSSH option: PermitRootLogin [ SUGGESTION ]
+- OpenSSH option: PermitUserEnvironment [ OK ]
+- OpenSSH option: PermitTunnel [ OK ]
+- OpenSSH option: Port [ SUGGESTION ]
+- OpenSSH option: PrintLastLog [ OK ]
+- OpenSSH option: StrictModes [ OK ]
+- OpenSSH option: TCPKeepAlive [ SUGGESTION ]
+- OpenSSH option: UseDNS [ OK ]
+- OpenSSH option: X11Forwarding [ SUGGESTION ]
+- OpenSSH option: AllowAgentForwarding [ SUGGESTION ]
+- OpenSSH option: AllowUsers [ NOT FOUND ]
+- OpenSSH option: AllowGroups [ NOT FOUND ]
+
+[+] SNMP Support
+------------------------------------
+- Checking running SNMP daemon [ FOUND ]
+- Checking SNMP configuration [ FOUND ]
+- Checking SNMP community strings [ OK ]
+
+[+] Databases
+------------------------------------
+No database engines found
+
+[+] LDAP Services
+------------------------------------
+- Checking OpenLDAP instance [ NOT FOUND ]
+
+[+] PHP
+------------------------------------
+- Checking PHP [ NOT FOUND ]
+
+[+] Squid Support
+------------------------------------
+- Checking running Squid daemon [ NOT FOUND ]
+
+[+] Logging and files
+------------------------------------
+- Checking for a running log daemon [ OK ]
+- Checking Syslog-NG status [ NOT FOUND ]
+- Checking systemd journal status [ FOUND ]
+- Checking Metalog status [ NOT FOUND ]
+- Checking RSyslog status [ FOUND ]
+- Checking RFC 3195 daemon status [ NOT FOUND ]
+- Checking minilogd instances [ NOT FOUND ]
+- Checking wazuh-agent daemon status [ NOT FOUND ]
+- Checking logrotate presence [ OK ]
+- Checking remote logging [ ENABLED ]
+- Checking log directories (static list) [ DONE ]
+- Checking open log files [ DONE ]
+- Checking deleted files in use [ FILES FOUND ]
+
+[+] Insecure services
+------------------------------------
+- Installed inetd package [ NOT FOUND ]
+- Installed xinetd package [ OK ]
+- xinetd status [ NOT ACTIVE ]
+- Installed rsh client package [ OK ]
+- Installed rsh server package [ OK ]
+- Installed telnet client package [ OK ]
+- Installed telnet server package [ NOT FOUND ]
+- Checking NIS client installation [ OK ]
+- Checking NIS server installation [ OK ]
+- Checking TFTP client installation [ OK ]
+- Checking TFTP server installation [ OK ]
+
+[+] Banners and identification
+------------------------------------
+- /etc/issue [ FOUND ]
+- /etc/issue contents [ WEAK ]
+- /etc/issue.net [ FOUND ]
+- /etc/issue.net contents [ WEAK ]
+
+[+] Scheduled tasks
+------------------------------------
+- Checking crontab and cronjob files [ DONE ]
+
+[+] Accounting
+------------------------------------
+- Checking accounting information [ NOT FOUND ]
+- Checking sysstat accounting data [ NOT FOUND ]
+- Checking auditd [ NOT FOUND ]
+
+[+] Time and Synchronization
+------------------------------------
+- NTP daemon found: chronyd [ FOUND ]
+- Checking for a running NTP daemon or client [ OK ]
+
+[+] Cryptography
+------------------------------------
+- Checking for expired SSL certificates [0/152] [ NONE ]
+
+  [WARNING]: Test CRYP-7902 had a long execution: 16.766634 seconds
+
+- Kernel entropy is sufficient [ YES ]
+- HW RNG & rngd [ NO ]
+- SW prng [ NO ]
+- MOR variable not found [ WEAK ]
+
+[+] Virtualization
+------------------------------------
+
+[+] Containers
+------------------------------------
+
+[+] Security frameworks
+------------------------------------
+- Checking presence AppArmor [ FOUND ]
+- Checking AppArmor status [ ENABLED ]
+Found 84 unconfined processes
+- Checking presence SELinux [ NOT FOUND ]
+- Checking presence TOMOYO Linux [ NOT FOUND ]
+- Checking presence grsecurity [ NOT FOUND ]
+- Checking for implemented MAC framework [ OK ]
+
+[+] Software: file integrity
+------------------------------------
+- Checking file integrity tools
+- Wazuh (syscheck) [ FOUND ]
+- Checking presence integrity tool [ FOUND ]
+
+[+] Software: System tooling
+------------------------------------
+- Checking automation tooling
+- Ansible artifact [ FOUND ]
+- Automation tooling [ FOUND ]
+- Checking presence of Wazuh (agent) [ FOUND ]
+- Checking for IDS/IPS tooling [ FOUND ]
+
+[+] Software: Malware
+------------------------------------
+- Malware software components [ NOT FOUND ]
+
+[+] File Permissions
+------------------------------------
+- Starting file permissions check
+File: /boot/grub/grub.cfg [ OK ]
+File: /etc/crontab [ SUGGESTION ]
+File: /etc/group [ OK ]
+File: /etc/group- [ OK ]
+File: /etc/hosts.allow [ OK ]
+File: /etc/hosts.deny [ OK ]
+File: /etc/issue [ OK ]
+File: /etc/issue.net [ OK ]
+File: /etc/motd [ OK ]
+File: /etc/passwd [ OK ]
+File: /etc/passwd- [ OK ]
+File: /etc/ssh/sshd_config [ SUGGESTION ]
+Directory: /root/.ssh [ OK ]
+Directory: /etc/cron.d [ SUGGESTION ]
+Directory: /etc/cron.daily [ SUGGESTION ]
+Directory: /etc/cron.hourly [ SUGGESTION ]
+Directory: /etc/cron.weekly [ SUGGESTION ]
+Directory: /etc/cron.monthly [ SUGGESTION ]
+
+[+] Home directories
+------------------------------------
+- Permissions of home directories [ OK ]
+- Ownership of home directories [ OK ]
+- Checking shell history files [ OK ]
+
+[+] Kernel Hardening
+------------------------------------
+- Comparing sysctl key pairs with scan profile
+- dev.tty.ldisc_autoload (exp: 0) [ DIFFERENT ]
+- fs.protected_fifos (exp: 2) [ DIFFERENT ]
+- fs.protected_hardlinks (exp: 1) [ OK ]
+- fs.protected_regular (exp: 2) [ OK ]
+- fs.protected_symlinks (exp: 1) [ OK ]
+- fs.suid_dumpable (exp: 0) [ OK ]
+- kernel.core_uses_pid (exp: 1) [ OK ]
+- kernel.ctrl-alt-del (exp: 0) [ OK ]
+- kernel.dmesg_restrict (exp: 1) [ OK ]
+- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
+- kernel.modules_disabled (exp: 1) [ DIFFERENT ]
+- kernel.perf_event_paranoid (exp: 2 3 4) [ OK ]
+- kernel.randomize_va_space (exp: 2) [ OK ]
+- kernel.sysrq (exp: 0) [ DIFFERENT ]
+- kernel.unprivileged_bpf_disabled (exp: 1) [ DIFFERENT ]
+- kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
+- net.core.bpf_jit_harden (exp: 2) [ DIFFERENT ]
+- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
+- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
+- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
+- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
+- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
+- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
+- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
+- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
+- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
+- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
+- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
+- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
+- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
+- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
+- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
+
+[+] Hardening
+------------------------------------
+- Installed compiler(s) [ FOUND ]
+- Installed malware scanner [ NOT FOUND ]
+- Non-native binary formats [ FOUND ]
+
+[+] Custom tests
+------------------------------------
+- Running custom tests...  [ NONE ]
+
+[+] Plugins (phase 2)
+------------------------------------
+
+================================================================================
+
+  -[ Lynis 3.1.4 Results ]-
+
+  Warnings (12):
+  ----------------------------
+  ! Found one or more vulnerable packages. [PKGS-7392] 
+      https://cisofy.com/lynis/controls/PKGS-7392/
+
+  ! Nameserver 10.10.10.11 does not respond [NETW-2704] 
+      https://cisofy.com/lynis/controls/NETW-2704/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : ens27f0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : ens29f0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : ens29f1
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : bond0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap216i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap216i1
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap2003i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap185i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found some information disclosure in SMTP banner (OS or software name) [MAIL-8818] 
+      https://cisofy.com/lynis/controls/MAIL-8818/
+
+  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
+      https://cisofy.com/lynis/controls/FIRE-4512/
+
+  Suggestions (51):
+  ----------------------------
+  * This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [LYNIS] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/LYNIS/
+
+  * Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [DEB-0280] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0280/
+
+  * Install apt-listbugs to display a list of critical bugs prior to each APT installation. [DEB-0810] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0810/
+
+  * Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [DEB-0831] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0831/
+
+  * Install fail2ban to automatically ban hosts that commit multiple authentication errors. [DEB-0880] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0880/
+
+  * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/BOOT-5122/
+
+  * Determine runlevel and services at startup [BOOT-5180] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/BOOT-5180/
+
+  * Consider hardening system services [BOOT-5264] 
+    - Details  : Run '/usr/bin/systemd-analyze security SERVICE' for each service
+    - Related resources
+      * Article: Systemd features to secure service files: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
+      * Website: https://cisofy.com/lynis/controls/BOOT-5264/
+
+  * Determine why /vmlinuz or /boot/vmlinuz is missing on this Debian/Ubuntu system. [KRNL-5788] 
+    - Details  : /vmlinuz or /boot/vmlinuz
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/KRNL-5788/
+
+  * Configure password hashing rounds in /etc/login.defs [AUTH-9230] 
+    - Related resources
+      * Article: Linux password security: hashing rounds: https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9230/
+
+  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc [AUTH-9262] 
+    - Related resources
+      * Article: Configure minimum password length for Linux systems: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9262/
+
+  * When possible set expire dates for all password protected accounts [AUTH-9282] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/AUTH-9282/
+
+  * Look at the locked accounts and consider removing them [AUTH-9284] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/AUTH-9284/
+
+  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: Configure minimum password length for Linux systems: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9286/
+
+  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: Configure minimum password length for Linux systems: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9286/
+
+  * Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027 [AUTH-9328] 
+    - Related resources
+      * Article: Set default file permissions on Linux with umask: https://linux-audit.com/filesystems/file-permissions/set-default-file-permissions-with-umask/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9328/
+
+  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/FILE-6310/
+
+  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/FILE-6310/
+
+  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/USB-1000/
+
+  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/STRG-1846/
+
+  * Purge old/removed packages (10 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [PKGS-7346] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7346/
+
+  * Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7370/
+
+  * Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7392/
+
+  * Install package apt-show-versions for patch management purposes [PKGS-7394] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7394/
+
+  * Consider using a tool to automatically apply upgrades [PKGS-7420] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7420/
+
+  * Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP). [NETW-2704] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-2704/
+
+  * Determine if protocol 'dccp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * Determine if protocol 'sctp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * Determine if protocol 'rds' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * Determine if protocol 'tipc' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [MAIL-8818] 
+    - Related resources
+      * Article: Postfix Hardening Guide for Security and Privacy: https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+      * Website: https://cisofy.com/lynis/controls/MAIL-8818/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : AllowTcpForwarding (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : ClientAliveCountMax (set 3 to 2)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : LogLevel (set INFO to VERBOSE)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : MaxAuthTries (set 6 to 3)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : MaxSessions (set 10 to 2)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : Port (set 22 to )
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : TCPKeepAlive (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : X11Forwarding (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : AllowAgentForwarding (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Check what deleted files are still in use and why. [LOGG-2190] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/LOGG-2190/
+
+  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
+    - Related resources
+      * Article: The real purpose of login banners: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: https://cisofy.com/lynis/controls/BANN-7126/
+
+  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
+    - Related resources
+      * Article: The real purpose of login banners: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: https://cisofy.com/lynis/controls/BANN-7130/
+
+  * Enable process accounting [ACCT-9622] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/ACCT-9622/
+
+  * Enable sysstat to collect accounting (no results) [ACCT-9626] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/ACCT-9626/
+
+  * Enable auditd to collect audit information [ACCT-9628] 
+    - Related resources
+      * Article: Linux audit framework 101: basic rules for configuration: https://linux-audit.com/linux-audit-framework/linux-audit-framework-101-basic-rules-for-configuration/
+      * Article: Monitoring Linux file access, changes and data modifications: https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/
+      * Website: https://cisofy.com/lynis/controls/ACCT-9628/
+
+  * Consider restricting file permissions [FILE-7524] 
+    - Details  : See screen output or log file
+    - Solution : Use chmod to change file permissions
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/FILE-7524/
+
+  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
+    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
+    - Related resources
+      * Article: Linux hardening with sysctl settings: https://linux-audit.com/linux-hardening-with-sysctl/
+      * Article: Overview of sysctl options and values: https://linux-audit.com/kernel/sysctl/
+      * Website: https://cisofy.com/lynis/controls/KRNL-6000/
+
+  * Harden compilers like restricting access to root user only [HRDN-7222] 
+    - Related resources
+      * Article: Why remove compilers from your system?: https://linux-audit.com/software/why-remove-compilers-from-your-system/
+      * Website: https://cisofy.com/lynis/controls/HRDN-7222/
+
+  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
+    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh
+    - Related resources
+      * Article: Antivirus for Linux: is it really needed?: https://linux-audit.com/malware/antivirus-for-linux-really-needed/
+      * Article: Monitoring Linux Systems for Rootkits: https://linux-audit.com/monitoring-linux-systems-for-rootkits/
+      * Website: https://cisofy.com/lynis/controls/HRDN-7230/
+
+  Follow-up:
+  ----------------------------
+  - Show details of a test (lynis show details TEST-ID)
+  - Check the logfile for all details (less /var/log/lynis.log)
+  - Read security controls texts (https://cisofy.com)
+  - Use --upload to upload data to central system (Lynis Enterprise users)
+
+================================================================================
+
+  Lynis security scan details:
+
+  Hardening index : 65 [#############       ]
+  Tests performed : 264
+  Plugins enabled : 1
+
+  Components:
+  - Firewall               [V]
+  - Malware scanner        [X]
+
+  Scan mode:
+  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]
+
+  Lynis modules:
+  - Compliance status      [?]
+  - Security audit         [V]
+  - Vulnerability scan     [V]
+
+  Files:
+  - Test and debug information      : /var/log/lynis.log
+  - Report data                     : /var/log/lynis-report.dat
+
+================================================================================
+
+  Lynis 3.1.4
+
+  Auditing, system hardening, and compliance for UNIX-based systems
+  (Linux, macOS, BSD, and others)
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  Enterprise support available (compliance, plugins, interface and tools)
+
+================================================================================
+
+  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)

ansible/playbooks/logs/10.10.26.13_vms.log

@@ -0,0 +1,35 @@
+      VMID NAME                 STATUS     MEM(MB)    BOOTDISK(GB) PID       
+       115 pgsql-02             stopped    16384            300.00 0         
+       116 pgsql-03             stopped    16384            300.00 0         
+       118 haproxy-02           stopped    4096             100.00 0         
+       122 etcd                 stopped    16384            100.00 0         
+       185 pbs-test             running    8192              80.00 239608    
+       200 percona              stopped    16384            100.00 0         
+       210 nextcloud-new        stopped    32768             80.00 0         
+       216 packetfence          running    16384            200.00 11001     
+       217 greylog              stopped    16384            300.00 0         
+       222 bacula-client        stopped    4096              50.00 0         
+       270 liferay-portal-dxe   stopped    8192             100.00 0         
+       282 n8n                  stopped    16364            100.00 0         
+       306 ceph-02              stopped    16384             80.00 0         
+       351 grafana-tempo        stopped    16384            100.00 0         
+       355 opentelemetry        stopped    8192             100.00 0         
+       399 active-directory-server stopped    8192             100.00 0         
+       402 ns2.data-center.online stopped    4096             100.00 0         
+       453 haproxy-iam-01       stopped    4096             100.00 0         
+       565 haproxy-node-02      stopped    4096              50.00 0         
+       888 paperless-ngx        stopped    16384            300.00 0         
+      1000 kube-admin           stopped    8192             100.00 0         
+      1002 kube-master-02       stopped    16384            300.00 0         
+      1004 kube-worker-node-01  stopped    16384            300.00 0         
+      1006 kube-worker-node-03  stopped    16384            300.00 0         
+      2002 api-gateway          stopped    8192             300.00 0         
+      2003 open-project         running    8192             300.00 11505     
+      2004 gitlab               stopped    32768            300.00 0         
+      2007 minio-prod           stopped    16384            100.00 0         
+      2009 mail.server          stopped    24576            600.00 0         
+      2011 e-faktur.adastra.id  stopped    16000            300.00 0         
+      2016 collabora-office     stopped    8192              50.00 0         
+      2024 hrms                 stopped    8192             100.00 0         
+      2025 gitlab-ce            stopped    32768            300.00 0         
+      9999 vinchin-demo         stopped    16384            100.00 0         

ansible/playbooks/logs/10.10.26.14_lxcs.log

@@ -0,0 +1,8 @@
+VMID       Status     Lock         Name                
+107        stopped                 maria-db            
+127        stopped                 vaultwarden         
+129        stopped                 postgresql          
+130        stopped                 postgres-16         
+142        stopped                 ha-proxy-db         
+153        stopped                 traefik             
+158        stopped                 docker-controller-01

ansible/playbooks/logs/10.10.26.14_lynis_report.log

@@ -0,0 +1,967 @@
+
+[ Lynis 3.1.4 ]
+
+################################################################################
+  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+  welcome to redistribute it under the terms of the GNU General Public License.
+  See the LICENSE file for details about using this software.
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  Enterprise support available (compliance, plugins, interface and tools)
+################################################################################
+
+
+[+] Initializing program
+------------------------------------
+- Detecting OS...  [ DONE ]
+- Checking profiles... [ DONE ]
+
+  ---------------------------------------------------
+  Program version:           3.1.4
+  Operating system:          Linux
+  Operating system name:     Debian
+  Operating system version:  13
+  Kernel version:            6.17.2
+  Hardware platform:         x86_64
+  Hostname:                  ppve04
+  ---------------------------------------------------
+  Profiles:                  /etc/lynis/default.prf
+  Log file:                  /var/log/lynis.log
+  Report file:               /var/log/lynis-report.dat
+  Report version:            1.0
+  Plugin directory:          /etc/lynis/plugins
+  ---------------------------------------------------
+  Auditor:                   [Not Specified]
+  Language:                  en
+  Test category:             all
+  Test group:                all
+  ---------------------------------------------------
+- Program update status...  [ NO UPDATE ]
+
+[+] System tools
+------------------------------------
+- Scanning available tools...
+- Checking system binaries...
+
+[+] Plugins (phase 1)
+------------------------------------
+Note: plugins have more extensive tests and may take several minutes to complete
+ 
+- Plugin: debian
+    [
+[+] Debian Tests
+------------------------------------
+- Checking for system binaries that are required by Debian Tests...
+- Checking /bin...  [ FOUND ]
+- Checking /sbin...  [ FOUND ]
+- Checking /usr/bin...  [ FOUND ]
+- Checking /usr/sbin...  [ FOUND ]
+- Checking /usr/local/bin...  [ FOUND ]
+- Checking /usr/local/sbin...  [ FOUND ]
+- Authentication:
+- PAM (Pluggable Authentication Modules):
+- libpam-tmpdir [ Not Installed ]
+- File System Checks:
+- DM-Crypt, Cryptsetup & Cryptmount:
+- Checking / on /dev/sda3 [ NOT ENCRYPTED ]
+- Checking /boot/efi on /dev/sda2 [ NOT ENCRYPTED ]
+- Checking /tmp/.mount_ProxMenvRW4c on ProxMenux-Monitor.AppImage [ NOT ENCRYPTED ]
+- Checking /etc/pve on /dev/fuse [ NOT ENCRYPTED ]
+- Checking /proxmox-vm:/mnt/pve/dh-proxmox-vm on 10.10.21.11:/proxmox-vm [ NOT ENCRYPTED ]
+- Checking /proxmox-iso:/mnt/pve/dh-proxmox-iso on 10.10.21.11:/proxmox-iso [ NOT ENCRYPTED ]
+- Checking /promox-tpm:/mnt/pve/dh-proxmox-tpm on 10.10.21.11:/promox-tpm [ NOT ENCRYPTED ]
+- Checking /proxmox-backup:/mnt/pve/dh-proxmox-backup on 10.10.21.11:/proxmox-backup [ NOT ENCRYPTED ]
+- Checking /proxmox-ct:/mnt/pve/dh-proxmox-ct on 10.10.21.11:/proxmox-ct [ NOT ENCRYPTED ]
+- Software:
+- apt-listbugs [ Not Installed ]
+- apt-listchanges [ Installed and enabled for apt ]
+- needrestart [ Not Installed ]
+- fail2ban [ Not Installed ]
+]
+
+[+] Boot and services
+------------------------------------
+- Service Manager [ systemd ]
+- Checking UEFI boot [ ENABLED ]
+- Checking Secure Boot [ DISABLED ]
+- Checking presence GRUB2 [ FOUND ]
+- Checking for password protection [ NONE ]
+- Check running services (systemctl) [ DONE ]
+Result: found 44 running services
+- Check enabled services at boot (systemctl) [ DONE ]
+Result: found 66 enabled services
+- Check startup files (permissions) [ OK ]
+- Running 'systemd-analyze security'
+Unit name (exposure value) and predicate
+--------------------------------
+- check-mk-agent-async.service (value=9.6) [ UNSAFE ]
+- chrony.service (value=3.5) [ PROTECTED ]
+- cmk-agent-ctl-daemon.service (value=4.4) [ PROTECTED ]
+- console-getty.service (value=9.6) [ UNSAFE ]
+- corosync.service (value=9.2) [ UNSAFE ]
+- cron.service (value=9.6) [ UNSAFE ]
+- dbus.service (value=9.3) [ UNSAFE ]
+- dm-event.service (value=9.5) [ UNSAFE ]
+- dnsmasq@jualan.service (value=9.6) [ UNSAFE ]
+- dnsmasq@terakhir.service (value=9.6) [ UNSAFE ]
+- emergency.service (value=9.5) [ UNSAFE ]
+- frr.service (value=9.8) [ UNSAFE ]
+- getty@tty1.service (value=9.6) [ UNSAFE ]
+- iscsid.service (value=9.5) [ UNSAFE ]
+- keepalived.service (value=9.6) [ UNSAFE ]
+- ksmtuned.service (value=9.6) [ UNSAFE ]
+- kvm_backup_service.service (value=9.6) [ UNSAFE ]
+- kvm_virt_server.service (value=9.6) [ UNSAFE ]
+- lldpd.service (value=8.5) [ EXPOSED ]
+- lvm2-lvmpolld.service (value=9.5) [ UNSAFE ]
+- lxc-monitord.service (value=9.6) [ UNSAFE ]
+- lxcfs.service (value=9.6) [ UNSAFE ]
+- lynis.service (value=9.6) [ UNSAFE ]
+- netavark-dhcp-proxy.service (value=9.6) [ UNSAFE ]
+- nfs-blkmap.service (value=9.5) [ UNSAFE ]
+- postfix.service (value=3.9) [ PROTECTED ]
+- postfix@-.service (value=3.9) [ PROTECTED ]
+- proxmenux-monitor.service (value=9.6) [ UNSAFE ]
+- proxmox-firewall.service (value=9.6) [ UNSAFE ]
+- pve-cluster.service (value=9.5) [ UNSAFE ]
+- pve-firewall.service (value=9.5) [ UNSAFE ]
+- pve-ha-crm.service (value=9.6) [ UNSAFE ]
+- pve-ha-lrm.service (value=9.6) [ UNSAFE ]
+- pve-lxc-syscalld.service (value=9.6) [ UNSAFE ]
+- pvedaemon.service (value=9.6) [ UNSAFE ]
+- pvefw-logger.service (value=9.5) [ UNSAFE ]
+- pveproxy.service (value=9.6) [ UNSAFE ]
+- pvescheduler.service (value=9.6) [ UNSAFE ]
+- pvestatd.service (value=9.6) [ UNSAFE ]
+- qmeventd.service (value=9.6) [ UNSAFE ]
+- rc-local.service (value=9.6) [ UNSAFE ]
+- rescue.service (value=9.5) [ UNSAFE ]
+- rpc-gssd.service (value=9.5) [ UNSAFE ]
+- rpc-statd-notify.service (value=9.5) [ UNSAFE ]
+- rpc-statd.service (value=9.5) [ UNSAFE ]
+- rpc-svcgssd.service (value=9.5) [ UNSAFE ]
+- rpcbind.service (value=9.5) [ UNSAFE ]
+- rrdcached.service (value=9.6) [ UNSAFE ]
+- smartmontools.service (value=9.6) [ UNSAFE ]
+- snmpd.service (value=9.6) [ UNSAFE ]
+- spiceproxy.service (value=9.6) [ UNSAFE ]
+- ssh.service (value=9.6) [ UNSAFE ]
+- sshd@sshd-keygen.service (value=9.6) [ UNSAFE ]
+- systemd-ask-password-console.service (value=9.4) [ UNSAFE ]
+- systemd-ask-password-wall.service (value=9.4) [ UNSAFE ]
+- systemd-bsod.service (value=9.5) [ UNSAFE ]
+- systemd-hostnamed.service (value=1.7) [ PROTECTED ]
+- systemd-initctl.service (value=9.4) [ UNSAFE ]
+- systemd-journald.service (value=4.9) [ PROTECTED ]
+- systemd-logind.service (value=2.8) [ PROTECTED ]
+- systemd-networkd.service (value=2.9) [ PROTECTED ]
+- systemd-rfkill.service (value=9.4) [ UNSAFE ]
+- systemd-udevd.service (value=7.1) [ MEDIUM ]
+- user@0.service (value=9.8) [ UNSAFE ]
+- uuidd.service (value=5.8) [ MEDIUM ]
+- watchdog-mux.service (value=9.6) [ UNSAFE ]
+- wazuh-agent.service (value=9.6) [ UNSAFE ]
+- zfs-zed.service (value=9.6) [ UNSAFE ]
+
+[+] Kernel
+------------------------------------
+- Checking default runlevel [ runlevel 5 ]
+- Checking CPU support (NX/PAE)
+CPU support: PAE and/or NoeXecute supported [ FOUND ]
+- Checking kernel version and release [ DONE ]
+- Checking kernel type [ DONE ]
+- Checking loaded kernel modules [ DONE ]
+Found 134 active modules
+- Checking Linux kernel configuration file [ FOUND ]
+- Checking default I/O kernel scheduler [ NOT FOUND ]
+- Checking core dumps configuration
+- configuration in systemd conf files [ DEFAULT ]
+- configuration in /etc/profile [ DEFAULT ]
+- 'hard' configuration in /etc/security/limits.conf [ ENABLED ]
+- 'soft' configuration in /etc/security/limits.conf [ DISABLED ]
+- Checking setuid core dumps configuration [ DISABLED ]
+- Check if reboot is needed [ NO ]
+
+[+] Memory and Processes
+------------------------------------
+- Checking /proc/meminfo [ FOUND ]
+- Searching for dead/zombie processes [ NOT FOUND ]
+- Searching for IO waiting processes [ NOT FOUND ]
+- Search prelink tooling [ NOT FOUND ]
+
+[+] Users, Groups and Authentication
+------------------------------------
+- Administrator accounts [ OK ]
+- Unique UIDs [ OK ]
+- Consistency of group files (grpck) [ OK ]
+- Unique group IDs [ OK ]
+- Unique group names [ OK ]
+- Password file consistency [ OK ]
+- Password hashing methods [ OK ]
+- Checking password hashing rounds [ DISABLED ]
+- Query system users (non daemons) [ DONE ]
+- NIS+ authentication support [ NOT ENABLED ]
+- NIS authentication support [ NOT ENABLED ]
+- Sudoers file(s) [ FOUND ]
+- Permissions for directory: /etc/sudoers.d [ WARNING ]
+- Permissions for: /etc/sudoers [ OK ]
+- Permissions for: /etc/sudoers.d/README [ OK ]
+- Permissions for: /etc/sudoers.d/zfs [ OK ]
+- PAM password strength tools [ SUGGESTION ]
+- PAM configuration files (pam.conf) [ FOUND ]
+- PAM configuration files (pam.d) [ FOUND ]
+- PAM modules [ FOUND ]
+- LDAP module in PAM [ NOT FOUND ]
+- Accounts without expire date [ SUGGESTION ]
+- Accounts without password [ OK ]
+- Locked accounts [ FOUND ]
+- Checking user password aging (minimum) [ DISABLED ]
+- User password aging (maximum) [ DISABLED ]
+- Checking expired passwords [ OK ]
+- Checking Linux single user mode authentication [ OK ]
+- Determining default umask
+- umask (/etc/profile) [ NOT FOUND ]
+- umask (/etc/login.defs) [ SUGGESTION ]
+- LDAP authentication support [ NOT ENABLED ]
+- Logging failed login attempts [ DISABLED ]
+
+[+] Kerberos
+------------------------------------
+- Check for Kerberos KDC and principals [ NOT FOUND ]
+
+[+] Shells
+------------------------------------
+- Checking shells from /etc/shells
+Result: found 7 shells (valid shells: 7).
+- Session timeout settings/tools [ NONE ]
+- Checking default umask values
+- Checking default umask in /etc/bash.bashrc [ NONE ]
+- Checking default umask in /etc/profile [ NONE ]
+
+[+] File systems
+------------------------------------
+- Checking mount points
+- Checking /home mount point [ SUGGESTION ]
+- Checking /tmp mount point [ OK ]
+- Checking /var mount point [ SUGGESTION ]
+- Checking LVM volume groups [ FOUND ]
+- Checking LVM volumes [ FOUND ]
+- Query swap partitions (fstab) [ OK ]
+- Testing swap partitions [ OK ]
+- Testing /proc mount (hidepid) [ SUGGESTION ]
+- Checking for old files in /tmp [ OK ]
+- Checking /tmp sticky bit [ OK ]
+- Checking /var/tmp sticky bit [ OK ]
+- ACL support root file system [ ENABLED ]
+- Mount options of / [ NON DEFAULT ]
+- Mount options of /dev [ PARTIALLY HARDENED ]
+- Mount options of /dev/shm [ PARTIALLY HARDENED ]
+- Mount options of /run [ HARDENED ]
+- Mount options of /tmp [ PARTIALLY HARDENED ]
+- Total without nodev:12 noexec:18 nosuid:10 ro or noexec (W^X): 17 of total 35
+- Disable kernel support of some filesystems
+
+[+] USB Devices
+------------------------------------
+- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
+- Checking USB devices authorization [ ENABLED ]
+- Checking USBGuard [ NOT FOUND ]
+
+[+] Storage
+------------------------------------
+- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ]
+
+[+] NFS
+------------------------------------
+- Query rpc registered programs [ DONE ]
+- Query NFS versions [ DONE ]
+- Query NFS protocols [ DONE ]
+- Check running NFS daemon [ NOT FOUND ]
+
+[+] Name services
+------------------------------------
+- Checking search domains [ FOUND ]
+- Searching DNS domain name [ FOUND ]
+Domain name: avt.data-center.id
+- Checking /etc/hosts
+- Duplicate entries in hosts file [ NONE ]
+- Presence of configured hostname in /etc/hosts [ FOUND ]
+- Hostname mapped to localhost [ NOT FOUND ]
+- Localhost mapping to IP address [ OK ]
+
+[+] Ports and packages
+------------------------------------
+- Searching package managers
+
+  [WARNING]: Test NAME-4408 had a long execution: 10.083140 seconds
+
+- Searching dpkg package manager [ FOUND ]
+- Querying package manager
+- Query unpurged packages [ FOUND ]
+- Checking security repository in sources.list.d directory [ OK ]
+- Checking APT package database [ OK ]
+- Checking vulnerable packages [ WARNING ]
+
+  [WARNING]: Test PKGS-7392 had a long execution: 12.526484 seconds
+
+- Checking upgradeable packages [ SKIPPED ]
+- Checking package audit tool [ INSTALLED ]
+Found: apt-get
+- Toolkit for automatic upgrades [ NOT FOUND ]
+
+[+] Networking
+------------------------------------
+- Checking IPv6 configuration [ ENABLED ]
+Configuration method [ AUTO ]
+IPv6 only [ NO ]
+
+  [WARNING]: Test NETW-2600 had a long execution: 28.033248 seconds
+
+- Checking configured nameservers
+- Testing nameservers
+Nameserver: 10.10.10.11 [ NO RESPONSE ]
+Nameserver: 10.10.10.12 [ OK ]
+Nameserver: 8.8.8.8 [ OK ]
+- Minimal of 2 responsive nameservers [ OK ]
+- Getting listening ports (TCP/UDP) [ DONE ]
+- Checking promiscuous interfaces [ WARNING ]
+- Checking status DHCP client [ NOT ACTIVE ]
+- Checking for ARP monitoring software [ NOT FOUND ]
+- Uncommon network protocols [ 0 ]
+
+[+] Printers and Spools
+------------------------------------
+- Checking cups daemon [ NOT FOUND ]
+- Checking lp daemon [ NOT RUNNING ]
+
+[+] Software: e-mail and messaging
+------------------------------------
+- Postfix status [ RUNNING ]
+- Postfix configuration [ FOUND ]
+- Postfix banner [ WARNING ]
+
+[+] Software: firewalls
+------------------------------------
+- Checking iptables kernel module [ FOUND ]
+- Checking iptables policies of chains [ FOUND ]
+- Chain INPUT (table: filter, target: ACCEPT) [ ACCEPT ]
+- Chain INPUT (table: security, target: ACCEPT) [ ACCEPT ]
+- Checking for empty ruleset [ WARNING ]
+- Checking for unused rules [ OK ]
+- Checking host based firewall [ ACTIVE ]
+
+[+] Software: webserver
+------------------------------------
+- Checking Apache [ NOT FOUND ]
+- Checking nginx [ NOT FOUND ]
+
+[+] SSH Support
+------------------------------------
+- Checking running SSH daemon [ FOUND ]
+- Searching SSH configuration [ FOUND ]
+- OpenSSH option: AllowTcpForwarding [ SUGGESTION ]
+- OpenSSH option: ClientAliveCountMax [ SUGGESTION ]
+- OpenSSH option: ClientAliveInterval [ OK ]
+- OpenSSH option: FingerprintHash [ OK ]
+- OpenSSH option: GatewayPorts [ OK ]
+- OpenSSH option: IgnoreRhosts [ OK ]
+- OpenSSH option: LoginGraceTime [ OK ]
+- OpenSSH option: LogLevel [ SUGGESTION ]
+- OpenSSH option: MaxAuthTries [ SUGGESTION ]
+- OpenSSH option: MaxSessions [ SUGGESTION ]
+- OpenSSH option: PermitRootLogin [ SUGGESTION ]
+- OpenSSH option: PermitUserEnvironment [ OK ]
+- OpenSSH option: PermitTunnel [ OK ]
+- OpenSSH option: Port [ SUGGESTION ]
+- OpenSSH option: PrintLastLog [ OK ]
+- OpenSSH option: StrictModes [ OK ]
+- OpenSSH option: TCPKeepAlive [ SUGGESTION ]
+- OpenSSH option: UseDNS [ OK ]
+- OpenSSH option: X11Forwarding [ SUGGESTION ]
+- OpenSSH option: AllowAgentForwarding [ SUGGESTION ]
+- OpenSSH option: AllowUsers [ NOT FOUND ]
+- OpenSSH option: AllowGroups [ NOT FOUND ]
+
+[+] SNMP Support
+------------------------------------
+- Checking running SNMP daemon [ FOUND ]
+- Checking SNMP configuration [ FOUND ]
+- Checking SNMP community strings [ OK ]
+
+[+] Databases
+------------------------------------
+No database engines found
+
+[+] LDAP Services
+------------------------------------
+- Checking OpenLDAP instance [ NOT FOUND ]
+
+[+] PHP
+------------------------------------
+- Checking PHP [ NOT FOUND ]
+
+[+] Squid Support
+------------------------------------
+- Checking running Squid daemon [ NOT FOUND ]
+
+[+] Logging and files
+------------------------------------
+- Checking for a running log daemon [ OK ]
+- Checking Syslog-NG status [ NOT FOUND ]
+- Checking systemd journal status [ FOUND ]
+- Checking Metalog status [ NOT FOUND ]
+- Checking RSyslog status [ NOT FOUND ]
+- Checking RFC 3195 daemon status [ NOT FOUND ]
+- Checking minilogd instances [ NOT FOUND ]
+- Checking wazuh-agent daemon status [ NOT FOUND ]
+- Checking logrotate presence [ OK ]
+- Checking remote logging [ NOT ENABLED ]
+- Checking log directories (static list) [ DONE ]
+- Checking open log files [ DONE ]
+- Checking deleted files in use [ FILES FOUND ]
+
+[+] Insecure services
+------------------------------------
+- Installed inetd package [ NOT FOUND ]
+- Installed xinetd package [ OK ]
+- xinetd status [ NOT ACTIVE ]
+- Installed rsh client package [ OK ]
+- Installed rsh server package [ OK ]
+- Installed telnet client package [ OK ]
+- Installed telnet server package [ NOT FOUND ]
+- Checking NIS client installation [ OK ]
+- Checking NIS server installation [ OK ]
+- Checking TFTP client installation [ OK ]
+- Checking TFTP server installation [ OK ]
+
+[+] Banners and identification
+------------------------------------
+- /etc/issue [ FOUND ]
+- /etc/issue contents [ WEAK ]
+- /etc/issue.net [ FOUND ]
+- /etc/issue.net contents [ WEAK ]
+
+[+] Scheduled tasks
+------------------------------------
+- Checking crontab and cronjob files [ DONE ]
+
+[+] Accounting
+------------------------------------
+- Checking accounting information [ NOT FOUND ]
+- Checking sysstat accounting data [ NOT FOUND ]
+- Checking auditd [ NOT FOUND ]
+
+[+] Time and Synchronization
+------------------------------------
+- NTP daemon found: chronyd [ FOUND ]
+- Checking for a running NTP daemon or client [ OK ]
+
+[+] Cryptography
+------------------------------------
+- Checking for expired SSL certificates [0/152] [ NONE ]
+
+  [WARNING]: Test CRYP-7902 had a long execution: 12.849078 seconds
+
+- Found 0 encrypted and 1 unencrypted swap devices in use. [ OK ]
+- Kernel entropy is sufficient [ YES ]
+- HW RNG & rngd [ NO ]
+- SW prng [ NO ]
+- MOR variable not found [ WEAK ]
+
+[+] Virtualization
+------------------------------------
+
+[+] Containers
+------------------------------------
+
+[+] Security frameworks
+------------------------------------
+- Checking presence AppArmor [ FOUND ]
+- Checking AppArmor status [ ENABLED ]
+Found 91 unconfined processes
+- Checking presence SELinux [ NOT FOUND ]
+- Checking presence TOMOYO Linux [ NOT FOUND ]
+- Checking presence grsecurity [ NOT FOUND ]
+- Checking for implemented MAC framework [ OK ]
+
+[+] Software: file integrity
+------------------------------------
+- Checking file integrity tools
+- dm-integrity (status) [ DISABLED ]
+- dm-verity (status) [ DISABLED ]
+- Wazuh (syscheck) [ FOUND ]
+- Checking presence integrity tool [ FOUND ]
+
+[+] Software: System tooling
+------------------------------------
+- Checking automation tooling
+- Ansible artifact [ FOUND ]
+- Automation tooling [ FOUND ]
+- Checking presence of Wazuh (agent) [ FOUND ]
+- Checking for IDS/IPS tooling [ FOUND ]
+
+[+] Software: Malware
+------------------------------------
+- Malware software components [ NOT FOUND ]
+
+[+] File Permissions
+------------------------------------
+- Starting file permissions check
+File: /boot/grub/grub.cfg [ OK ]
+File: /etc/crontab [ SUGGESTION ]
+File: /etc/group [ OK ]
+File: /etc/group- [ OK ]
+File: /etc/hosts.allow [ OK ]
+File: /etc/hosts.deny [ OK ]
+File: /etc/issue [ OK ]
+File: /etc/issue.net [ OK ]
+File: /etc/motd [ OK ]
+File: /etc/passwd [ OK ]
+File: /etc/passwd- [ OK ]
+File: /etc/ssh/sshd_config [ SUGGESTION ]
+Directory: /root/.ssh [ OK ]
+Directory: /etc/cron.d [ SUGGESTION ]
+Directory: /etc/cron.daily [ SUGGESTION ]
+Directory: /etc/cron.hourly [ SUGGESTION ]
+Directory: /etc/cron.weekly [ SUGGESTION ]
+Directory: /etc/cron.monthly [ SUGGESTION ]
+
+[+] Home directories
+------------------------------------
+- Permissions of home directories [ OK ]
+- Ownership of home directories [ OK ]
+- Checking shell history files [ OK ]
+
+[+] Kernel Hardening
+------------------------------------
+- Comparing sysctl key pairs with scan profile
+- dev.tty.ldisc_autoload (exp: 0) [ DIFFERENT ]
+- fs.protected_fifos (exp: 2) [ DIFFERENT ]
+- fs.protected_hardlinks (exp: 1) [ OK ]
+- fs.protected_regular (exp: 2) [ OK ]
+- fs.protected_symlinks (exp: 1) [ OK ]
+- fs.suid_dumpable (exp: 0) [ OK ]
+- kernel.core_uses_pid (exp: 1) [ OK ]
+- kernel.ctrl-alt-del (exp: 0) [ OK ]
+- kernel.dmesg_restrict (exp: 1) [ OK ]
+- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
+- kernel.modules_disabled (exp: 1) [ DIFFERENT ]
+- kernel.perf_event_paranoid (exp: 2 3 4) [ OK ]
+- kernel.randomize_va_space (exp: 2) [ OK ]
+- kernel.sysrq (exp: 0) [ DIFFERENT ]
+- kernel.unprivileged_bpf_disabled (exp: 1) [ DIFFERENT ]
+- kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
+- net.core.bpf_jit_harden (exp: 2) [ DIFFERENT ]
+- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
+- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
+- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
+- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
+- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
+- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
+- net.ipv4.conf.all.rp_filter (exp: 1) [ DIFFERENT ]
+- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
+- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
+- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
+- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
+- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
+- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
+- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
+- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
+- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
+
+[+] Hardening
+------------------------------------
+- Installed compiler(s) [ FOUND ]
+- Installed malware scanner [ NOT FOUND ]
+- Non-native binary formats [ FOUND ]
+
+[+] Custom tests
+------------------------------------
+- Running custom tests...  [ NONE ]
+
+[+] Plugins (phase 2)
+------------------------------------
+
+================================================================================
+
+  -[ Lynis 3.1.4 Results ]-
+
+  Warnings (17):
+  ----------------------------
+  ! Found one or more vulnerable packages. [PKGS-7392] 
+      https://cisofy.com/lynis/controls/PKGS-7392/
+
+  ! Nameserver 10.10.10.11 does not respond [NETW-2704] 
+      https://cisofy.com/lynis/controls/NETW-2704/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : ens27f0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : ens29f0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : ens29f1
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : bond0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap170i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap215i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap900i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap2010i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap2014i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap121i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap121i1
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap108i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found promiscuous interface [NETW-3015] 
+    - Details  : tap184i0
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  ! Found some information disclosure in SMTP banner (OS or software name) [MAIL-8818] 
+      https://cisofy.com/lynis/controls/MAIL-8818/
+
+  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
+      https://cisofy.com/lynis/controls/FIRE-4512/
+
+  Suggestions (52):
+  ----------------------------
+  * This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [LYNIS] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/LYNIS/
+
+  * Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [DEB-0280] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0280/
+
+  * Install apt-listbugs to display a list of critical bugs prior to each APT installation. [DEB-0810] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0810/
+
+  * Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [DEB-0831] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0831/
+
+  * Install fail2ban to automatically ban hosts that commit multiple authentication errors. [DEB-0880] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/DEB-0880/
+
+  * Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/BOOT-5122/
+
+  * Determine runlevel and services at startup [BOOT-5180] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/BOOT-5180/
+
+  * Consider hardening system services [BOOT-5264] 
+    - Details  : Run '/usr/bin/systemd-analyze security SERVICE' for each service
+    - Related resources
+      * Article: Systemd features to secure service files: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
+      * Website: https://cisofy.com/lynis/controls/BOOT-5264/
+
+  * Determine why /vmlinuz or /boot/vmlinuz is missing on this Debian/Ubuntu system. [KRNL-5788] 
+    - Details  : /vmlinuz or /boot/vmlinuz
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/KRNL-5788/
+
+  * Configure password hashing rounds in /etc/login.defs [AUTH-9230] 
+    - Related resources
+      * Article: Linux password security: hashing rounds: https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9230/
+
+  * Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc [AUTH-9262] 
+    - Related resources
+      * Article: Configure minimum password length for Linux systems: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9262/
+
+  * When possible set expire dates for all password protected accounts [AUTH-9282] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/AUTH-9282/
+
+  * Look at the locked accounts and consider removing them [AUTH-9284] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/AUTH-9284/
+
+  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: Configure minimum password length for Linux systems: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9286/
+
+  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: Configure minimum password length for Linux systems: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9286/
+
+  * Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027 [AUTH-9328] 
+    - Related resources
+      * Article: Set default file permissions on Linux with umask: https://linux-audit.com/filesystems/file-permissions/set-default-file-permissions-with-umask/
+      * Website: https://cisofy.com/lynis/controls/AUTH-9328/
+
+  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/FILE-6310/
+
+  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/FILE-6310/
+
+  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/USB-1000/
+
+  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/STRG-1846/
+
+  * Purge old/removed packages (11 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [PKGS-7346] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7346/
+
+  * Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7370/
+
+  * Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7392/
+
+  * Install package apt-show-versions for patch management purposes [PKGS-7394] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7394/
+
+  * Consider using a tool to automatically apply upgrades [PKGS-7420] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/PKGS-7420/
+
+  * Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP). [NETW-2704] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-2704/
+
+  * Determine if protocol 'dccp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * Determine if protocol 'sctp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * Determine if protocol 'rds' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * Determine if protocol 'tipc' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/NETW-3200/
+
+  * You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [MAIL-8818] 
+    - Related resources
+      * Article: Postfix Hardening Guide for Security and Privacy: https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+      * Website: https://cisofy.com/lynis/controls/MAIL-8818/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : AllowTcpForwarding (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : ClientAliveCountMax (set 3 to 2)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : LogLevel (set INFO to VERBOSE)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : MaxAuthTries (set 6 to 3)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : MaxSessions (set 10 to 2)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : Port (set 22 to )
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : TCPKeepAlive (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : X11Forwarding (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Consider hardening SSH configuration [SSH-7408] 
+    - Details  : AllowAgentForwarding (set YES to NO)
+    - Related resources
+      * Article: OpenSSH security and hardening: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: https://cisofy.com/lynis/controls/SSH-7408/
+
+  * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/LOGG-2154/
+
+  * Check what deleted files are still in use and why. [LOGG-2190] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/LOGG-2190/
+
+  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
+    - Related resources
+      * Article: The real purpose of login banners: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: https://cisofy.com/lynis/controls/BANN-7126/
+
+  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
+    - Related resources
+      * Article: The real purpose of login banners: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: https://cisofy.com/lynis/controls/BANN-7130/
+
+  * Enable process accounting [ACCT-9622] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/ACCT-9622/
+
+  * Enable sysstat to collect accounting (no results) [ACCT-9626] 
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/ACCT-9626/
+
+  * Enable auditd to collect audit information [ACCT-9628] 
+    - Related resources
+      * Article: Linux audit framework 101: basic rules for configuration: https://linux-audit.com/linux-audit-framework/linux-audit-framework-101-basic-rules-for-configuration/
+      * Article: Monitoring Linux file access, changes and data modifications: https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/
+      * Website: https://cisofy.com/lynis/controls/ACCT-9628/
+
+  * Consider restricting file permissions [FILE-7524] 
+    - Details  : See screen output or log file
+    - Solution : Use chmod to change file permissions
+    - Related resources
+      * Website: https://cisofy.com/lynis/controls/FILE-7524/
+
+  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
+    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
+    - Related resources
+      * Article: Linux hardening with sysctl settings: https://linux-audit.com/linux-hardening-with-sysctl/
+      * Article: Overview of sysctl options and values: https://linux-audit.com/kernel/sysctl/
+      * Website: https://cisofy.com/lynis/controls/KRNL-6000/
+
+  * Harden compilers like restricting access to root user only [HRDN-7222] 
+    - Related resources
+      * Article: Why remove compilers from your system?: https://linux-audit.com/software/why-remove-compilers-from-your-system/
+      * Website: https://cisofy.com/lynis/controls/HRDN-7222/
+
+  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
+    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh
+    - Related resources
+      * Article: Antivirus for Linux: is it really needed?: https://linux-audit.com/malware/antivirus-for-linux-really-needed/
+      * Article: Monitoring Linux Systems for Rootkits: https://linux-audit.com/monitoring-linux-systems-for-rootkits/
+      * Website: https://cisofy.com/lynis/controls/HRDN-7230/
+
+  Follow-up:
+  ----------------------------
+  - Show details of a test (lynis show details TEST-ID)
+  - Check the logfile for all details (less /var/log/lynis.log)
+  - Read security controls texts (https://cisofy.com)
+  - Use --upload to upload data to central system (Lynis Enterprise users)
+
+================================================================================
+
+  Lynis security scan details:
+
+  Hardening index : 63 [############        ]
+  Tests performed : 268
+  Plugins enabled : 1
+
+  Components:
+  - Firewall               [V]
+  - Malware scanner        [X]
+
+  Scan mode:
+  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]
+
+  Lynis modules:
+  - Compliance status      [?]
+  - Security audit         [V]
+  - Vulnerability scan     [V]
+
+  Files:
+  - Test and debug information      : /var/log/lynis.log
+  - Report data                     : /var/log/lynis-report.dat
+
+================================================================================
+
+  Lynis 3.1.4
+
+  Auditing, system hardening, and compliance for UNIX-based systems
+  (Linux, macOS, BSD, and others)
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  Enterprise support available (compliance, plugins, interface and tools)
+
+================================================================================
+
+  [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)

ansible/playbooks/logs/10.10.26.14_vms.log

@@ -0,0 +1,69 @@
+      VMID NAME                 STATUS     MEM(MB)    BOOTDISK(GB) PID       
+       108 storage-appliance-dev running    8192              70.00 235436    
+       121 tokoserver-dev       running    24576            340.00 11573     
+       125 teraform-20250116150711 stopped    4096             100.00 0         
+       126 haproxy-wi           stopped    8192             100.00 0         
+       150 phpipam              stopped    8192              80.00 0         
+       152 joko-vm              stopped    1024              20.00 0         
+       155 cl7                  stopped    1024              10.00 0         
+       157 test-7               stopped    1024              20.00 0         
+       161 teshiki              stopped    1024              20.00 0         
+       170 misp                 running    16384            300.00 9930      
+       175 dasi                 stopped    8192             120.00 0         
+       184 vtl-dev              running    8192              80.00 235587    
+       201 pgbackrest           stopped    16384            100.00 0         
+       215 wazuh                running    16384            300.00 10180     
+       353 grafana-alloy        stopped    4096             100.00 0         
+       400 active-directory-client stopped    8192              80.00 0         
+       454 haproxy-iam-02       stopped    4096             100.00 0         
+       455 kong-dev             stopped    8192              80.00 0         
+       900 cmk                  running    16384            100.00 10500     
+      1007 kube-master-04       stopped    16384            300.00 0         
+      2010 nextcloud            running    49152            600.00 10794     
+      2014 reverse-proxy-manager running    8192             100.00 10983     
+      2019 kasm-workspace       stopped    32768            300.00 0         
+      2020 windows-accurate-client stopped    16384              0.00 0         
+      2026 reverse-proxy-01     stopped    8192             100.00 0         
+      2028 syslog-central       stopped    8192             300.00 0         
+      2030 osticket             stopped    8192             150.00 0         
+      2033 jgc-hyperos-alpha    stopped    8192              10.00 0         
+      2034 netbox               stopped    8192              80.00 0         
+      2035 microcloud-node-01   stopped    8192              70.00 0         
+      2036 microcloud-node-02   stopped    8192              70.00 0         
+      2037 microcloud-node-03   stopped    8192              70.00 0         
+      2121 windows-accurate-client stopped    16384             80.00 0         
+      3232 windows-client       stopped    16384             80.00 0         
+      3333 windows-bacula-client stopped    8192               0.00 0         
+      8100 molmod-jupyterhub    stopped    16384            200.00 0         
+      8300 local-repo           stopped    16384             50.00 0         
+      8509 wazuh-poc            stopped    16384            300.00 0         
+      8510 iris-shuflle         stopped    32768            100.00 0         
+      8511 thehive-cortex       stopped    32768            100.00 0         
+      8512 nxlog-ng-ce          stopped    8192             300.00 0         
+      9099 windows-server-poc   stopped    65536              0.00 0         
+     50001 kong                 stopped    16384            100.00 0         
+     80000 ubuntu-jammy-template stopped    1024              10.00 0         
+     80001 ubuntu-focal-template stopped    1024              10.00 0         
+     80002 ubuntu-noble-template stopped    8192              10.00 0         
+     80003 debian-11-template   stopped    1024              10.00 0         
+     80004 debian-12-template   stopped    1024              10.00 0         
+     80005 alma-linux-8-template stopped    1024              10.00 0         
+     80006 alma-linux-9-template stopped    1024              10.00 0         
+     80008 cloudlinux-7.9-template stopped    1024              10.00 0         
+     80009 rocky-linux-8-template stopped    1024              10.00 0         
+     80010 rocky-linux-9-template stopped    1024              10.00 0         
+     80011 vzlinux-template     stopped    1024              32.00 0         
+     80012 fedora-32-template   stopped    1024              10.00 0         
+     80013 rhel-7.9-template    stopped    1024               0.00 0         
+     80014 rhel-8.4-template    stopped    1024              10.00 0         
+     80015 cloudlinux-8-template stopped    1024              42.00 0         
+     80016 Centos-9-template    stopped    1024              10.00 0         
+     80017 open-suse-15.3-template stopped    1024              10.00 0         
+     80018 Windows-server-2012-template stopped    8192               0.00 0         
+     80020 oracle-linux9.5-template stopped    8192              32.00 0         
+     80123 postgresql-db-template stopped    2048              32.00 0         
+     80138 fedora-40-template   stopped    2048               5.00 0         
+     80139 fedora-39-template   stopped    2048               5.00 0         
+     80598 MVP                  stopped    8192             100.00 0         
+     99996 test-minio           stopped    4096              59.00 0         
+    900000 tools-testing-host   stopped    16384            100.00 0         

ansible/playbooks/run_lynis_audit.yml

@@ -0,0 +1,36 @@
+---
+- name: Run Lynis security audit on Proxmox hosts
+  hosts: proxmox
+  gather_facts: false
+
+  tasks:
+    - name: Update apt cache
+      ansible.builtin.apt:
+        update_cache: true
+      become: true
+
+    - name: Install Lynis
+      ansible.builtin.apt:
+        name: lynis
+        state: present
+      become: true
+
+    - name: Run Lynis audit
+      ansible.builtin.shell: |
+        lynis audit system
+      register: lynis_audit_output
+      changed_when: false
+      become: true
+
+    - name: Ensure log directory exists on local machine
+      ansible.builtin.file:
+        path: "{{ playbook_dir }}/logs"
+        state: directory
+      delegate_to: localhost
+      run_once: true
+
+    - name: Save Lynis audit report to local log file
+      ansible.builtin.copy:
+        content: "{{ lynis_audit_output.stdout }}"
+        dest: "{{ playbook_dir }}/logs/{{ inventory_hostname }}_lynis_report.log"
+      delegate_to: localhost