add ansible automation script

2025-12-17 11:34:46 +07:00
commit 1d7583de75
16 changed files with 3123 additions and 0 deletions
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
--- a/ansible/inventory/hosts
+++ b/ansible/inventory/hosts
@@ -0,0 +1,10 @@
+[proxmox]
+10.10.26.12
+10.10.26.13
+10.10.26.14
+
+[proxmox:vars]
+ansible_user=root
+ansible_password=Pnd77net!
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+ansible_python_interpreter=/usr/bin/python3
--- a/ansible/playbooks/gather_proxmox_vms_lxcs.yml
+++ b/ansible/playbooks/gather_proxmox_vms_lxcs.yml
@@ -0,0 +1,36 @@
+---
+- name: Gather Proxmox VM and LXC information
+  hosts: proxmox
+  gather_facts: false
+
+  tasks:
+    - name: Get list of KVM virtual machines
+      ansible.builtin.shell: |
+        qm list
+      register: qm_list_output
+      changed_when: false
+
+    - name: Get list of LXC containers
+      ansible.builtin.shell: |
+        pct list
+      register: pct_list_output
+      changed_when: false
+
+    - name: Ensure log directory exists on local machine
+      ansible.builtin.file:
+        path: "{{ playbook_dir }}/logs"
+        state: directory
+      delegate_to: localhost
+      run_once: true
+
+    - name: Write VM list to local log file
+      ansible.builtin.copy:
+        content: "{{ qm_list_output.stdout }}"
+        dest: "{{ playbook_dir }}/logs/{{ inventory_hostname }}_vms.log"
+      delegate_to: localhost
+
+    - name: Write LXC list to local log file
+      ansible.builtin.copy:
+        content: "{{ pct_list_output.stdout }}"
+        dest: "{{ playbook_dir }}/logs/{{ inventory_hostname }}_lxcs.log"
+      delegate_to: localhost
--- a/ansible/playbooks/logs/10.10.26.12_lxcs.log
+++ b/ansible/playbooks/logs/10.10.26.12_lxcs.log
@@ -0,0 +1,10 @@
+VMID       Status     Lock         Name                
+100        stopped                 apache-guacamole    
+106        stopped                 relay.avt.data-center.id
+109        stopped                 postgre-db          
+113        running                 new-web-portal      
+123        stopped                 moonwalker-web      
+124        stopped                 bacularis           
+140        stopped                 new-ssh-proxy       
+179        stopped                 jumphost-linux      
+183        stopped                 vaultwarden-revam   
--- a/ansible/playbooks/logs/10.10.26.12_lynis_report.log
+++ b/ansible/playbooks/logs/10.10.26.12_lynis_report.log
@@ -0,0 +1,957 @@
+
+[1;37m[ Lynis 3.1.4 ][0m
+
+################################################################################
+  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+  welcome to redistribute it under the terms of the GNU General Public License.
+  See the LICENSE file for details about using this software.
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  Enterprise support available (compliance, plugins, interface and tools)
+################################################################################
+
+
+[+] [1;33mInitializing program[0m
+------------------------------------
+[2C- Detecting OS... [41C [ [1;32mDONE[0m ]
+[2C- Checking profiles...[37C [ [1;32mDONE[0m ]
+
+  ---------------------------------------------------
+  Program version:           3.1.4
+  Operating system:          Linux
+  Operating system name:     Debian
+  Operating system version:  13
+  Kernel version:            6.17.2
+  Hardware platform:         x86_64
+  Hostname:                  ppve02
+  ---------------------------------------------------
+  Profiles:                  /etc/lynis/default.prf
+  Log file:                  /var/log/lynis.log
+  Report file:               /var/log/lynis-report.dat
+  Report version:            1.0
+  Plugin directory:          /etc/lynis/plugins
+  ---------------------------------------------------
+  Auditor:                   [Not Specified]
+  Language:                  en
+  Test category:             all
+  Test group:                all
+  ---------------------------------------------------
+[2C- Program update status... [32C [ [1;32mNO UPDATE[0m ]
+
+[+] [1;33mSystem tools[0m
+------------------------------------
+[2C- Scanning available tools...[30C
+[2C- Checking system binaries...[30C
+
+[+] [1;35mPlugins (phase 1)[0m
+------------------------------------
+[0CNote: plugins have more extensive tests and may take several minutes to complete[0C
+[0C [0C
+[2C- [0;36mPlugin[0m: [1;37mdebian[0m[21C
+    [
+[+] [1;33mDebian Tests[0m
+------------------------------------
+[2C- Checking for system binaries that are required by Debian Tests...[0C
+[4C- Checking /bin... [38C [ [1;32mFOUND[0m ]
+[4C- Checking /sbin... [37C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/bin... [34C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/sbin... [33C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/local/bin... [28C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/local/sbin... [27C [ [1;32mFOUND[0m ]
+[2C- Authentication:[42C
+[4C- PAM (Pluggable Authentication Modules):[16C
+[6C- libpam-tmpdir[40C [ [1;31mNot Installed[0m ]
+[2C- File System Checks:[38C
+[4C- DM-Crypt, Cryptsetup & Cryptmount:[21C
+[2C- Software:[48C
+[4C- apt-listbugs[43C [ [1;31mNot Installed[0m ]
+[4C- apt-listchanges[40C [ [1;32mInstalled and enabled for apt[0m ]
+[4C- needrestart[44C [ [1;31mNot Installed[0m ]
+[4C- fail2ban[47C [ [1;31mNot Installed[0m ]
+]
+
+[+] [1;33mBoot and services[0m
+------------------------------------
+[2C- Service Manager[42C [ [1;32msystemd[0m ]
+[2C- Checking UEFI boot[39C [ [1;32mENABLED[0m ]
+[2C- Checking Secure Boot[37C [ [1;33mDISABLED[0m ]
+[2C- Checking presence GRUB2[34C [ [1;32mFOUND[0m ]
+[4C- Checking for password protection[23C [ [1;31mNONE[0m ]
+[2C- Check running services (systemctl)[23C [ [1;32mDONE[0m ]
+[8CResult: found 46 running services[20C
+[2C- Check enabled services at boot (systemctl)[15C [ [1;32mDONE[0m ]
+[8CResult: found 68 enabled services[20C
+[2C- Check startup files (permissions)[24C [ [1;32mOK[0m ]
+[2C- Running 'systemd-analyze security'[23C
+[6CUnit name (exposure value) and predicate[15C
+[6C--------------------------------[23C
+[4C- check-mk-agent-async.service (value=9.6)[15C [ [1;33mUNSAFE[0m ]
+[4C- chrony.service (value=3.5)[29C [ [1;32mPROTECTED[0m ]
+[4C- cmk-agent-ctl-daemon.service (value=4.4)[15C [ [1;32mPROTECTED[0m ]
+[4C- console-getty.service (value=9.6)[22C [ [1;33mUNSAFE[0m ]
+[4C- corosync.service (value=9.2)[27C [ [1;33mUNSAFE[0m ]
+[4C- cron.service (value=9.6)[31C [ [1;33mUNSAFE[0m ]
+[4C- dbus.service (value=9.3)[31C [ [1;33mUNSAFE[0m ]
+[4C- dm-event.service (value=9.5)[27C [ [1;33mUNSAFE[0m ]
+[4C- dnsmasq@jualan.service (value=9.6)[21C [ [1;33mUNSAFE[0m ]
+[4C- dnsmasq@terakhir.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- emergency.service (value=9.5)[26C [ [1;33mUNSAFE[0m ]
+[4C- frr.service (value=9.8)[32C [ [1;33mUNSAFE[0m ]
+[4C- getty@tty1.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- iscsid.service (value=9.5)[29C [ [1;33mUNSAFE[0m ]
+[4C- keepalived.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- ksmtuned.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- kvm_backup_service.service (value=9.6)[17C [ [1;33mUNSAFE[0m ]
+[4C- kvm_virt_server.service (value=9.6)[20C [ [1;33mUNSAFE[0m ]
+[4C- lldpd.service (value=8.5)[30C [ [1;33mEXPOSED[0m ]
+[4C- lvm2-lvmpolld.service (value=9.5)[22C [ [1;33mUNSAFE[0m ]
+[4C- lxc-monitord.service (value=9.6)[23C [ [1;33mUNSAFE[0m ]
+[4C- lxcfs.service (value=9.6)[30C [ [1;33mUNSAFE[0m ]
+[4C- lynis.service (value=9.6)[30C [ [1;33mUNSAFE[0m ]
+[4C- netavark-dhcp-proxy.service (value=9.6)[16C [ [1;33mUNSAFE[0m ]
+[4C- nfs-blkmap.service (value=9.5)[25C [ [1;33mUNSAFE[0m ]
+[4C- postfix.service (value=3.9)[28C [ [1;32mPROTECTED[0m ]
+[4C- postfix@-.service (value=3.9)[26C [ [1;32mPROTECTED[0m ]
+[4C- proxmenux-monitor.service (value=9.6)[18C [ [1;33mUNSAFE[0m ]
+[4C- proxmox-firewall.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- pve-cluster.service (value=9.5)[24C [ [1;33mUNSAFE[0m ]
+[4C- pve-container@113.service (value=9.6)[18C [ [1;33mUNSAFE[0m ]
+[4C- pve-firewall.service (value=9.5)[23C [ [1;33mUNSAFE[0m ]
+[4C- pve-ha-crm.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- pve-ha-lrm.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- pve-lxc-syscalld.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- pvedaemon.service (value=9.6)[26C [ [1;33mUNSAFE[0m ]
+[4C- pvefw-logger.service (value=9.5)[23C [ [1;33mUNSAFE[0m ]
+[4C- pveproxy.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- pvescheduler.service (value=9.6)[23C [ [1;33mUNSAFE[0m ]
+[4C- pvestatd.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- qmeventd.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- rc-local.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- rescue.service (value=9.5)[29C [ [1;33mUNSAFE[0m ]
+[4C- rpc-gssd.service (value=9.5)[27C [ [1;33mUNSAFE[0m ]
+[4C- rpc-statd-notify.service (value=9.5)[19C [ [1;33mUNSAFE[0m ]
+[4C- rpc-statd.service (value=9.5)[26C [ [1;33mUNSAFE[0m ]
+[4C- rpc-svcgssd.service (value=9.5)[24C [ [1;33mUNSAFE[0m ]
+[4C- rpcbind.service (value=9.5)[28C [ [1;33mUNSAFE[0m ]
+[4C- rrdcached.service (value=9.6)[26C [ [1;33mUNSAFE[0m ]
+[4C- rsyslog.service (value=4.5)[28C [ [1;32mPROTECTED[0m ]
+[4C- smartmontools.service (value=9.6)[22C [ [1;33mUNSAFE[0m ]
+[4C- snmpd.service (value=9.6)[30C [ [1;33mUNSAFE[0m ]
+[4C- spiceproxy.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- ssh.service (value=9.6)[32C [ [1;33mUNSAFE[0m ]
+[4C- sshd@sshd-keygen.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- systemd-ask-password-console.service (value=9.4)[7C [ [1;33mUNSAFE[0m ]
+[4C- systemd-ask-password-wall.service (value=9.4)[10C [ [1;33mUNSAFE[0m ]
+[4C- systemd-bsod.service (value=9.5)[23C [ [1;33mUNSAFE[0m ]
+[4C- systemd-hostnamed.service (value=1.7)[18C [ [1;32mPROTECTED[0m ]
+[4C- systemd-initctl.service (value=9.4)[20C [ [1;33mUNSAFE[0m ]
+[4C- systemd-journald.service (value=4.9)[19C [ [1;32mPROTECTED[0m ]
+[4C- systemd-logind.service (value=2.8)[21C [ [1;32mPROTECTED[0m ]
+[4C- systemd-networkd.service (value=2.9)[19C [ [1;32mPROTECTED[0m ]
+[4C- systemd-rfkill.service (value=9.4)[21C [ [1;33mUNSAFE[0m ]
+[4C- systemd-udevd.service (value=7.1)[22C [ [1;37mMEDIUM[0m ]
+[4C- user@0.service (value=9.8)[29C [ [1;33mUNSAFE[0m ]
+[4C- watchdog-mux.service (value=9.6)[23C [ [1;33mUNSAFE[0m ]
+[4C- wazuh-agent.service (value=9.6)[24C [ [1;33mUNSAFE[0m ]
+[4C- zfs-zed.service (value=9.6)[28C [ [1;33mUNSAFE[0m ]
+
+[+] [1;33mKernel[0m
+------------------------------------
+[2C- Checking default runlevel[32C [ [1;32mrunlevel 5[0m ]
+[2C- Checking CPU support (NX/PAE)[28C
+[4CCPU support: PAE and/or NoeXecute supported[14C [ [1;32mFOUND[0m ]
+[2C- Checking kernel version and release[22C [ [1;32mDONE[0m ]
+[2C- Checking kernel type[37C [ [1;32mDONE[0m ]
+[2C- Checking loaded kernel modules[27C [ [1;32mDONE[0m ]
+[6CFound 125 active modules[31C
+[2C- Checking Linux kernel configuration file[17C [ [1;32mFOUND[0m ]
+[2C- Checking default I/O kernel scheduler[20C [ [1;37mNOT FOUND[0m ]
+[2C- Checking core dumps configuration[24C
+[4C- configuration in systemd conf files[20C [ [1;37mDEFAULT[0m ]
+[4C- configuration in /etc/profile[26C [ [1;37mDEFAULT[0m ]
+[4C- 'hard' configuration in /etc/security/limits.conf[6C [ [1;31mENABLED[0m ]
+[4C- 'soft' configuration in /etc/security/limits.conf[6C [ [1;32mDISABLED[0m ]
+[4C- Checking setuid core dumps configuration[15C [ [1;32mDISABLED[0m ]
+[2C- Check if reboot is needed[32C [ [1;32mNO[0m ]
+
+[+] [1;33mMemory and Processes[0m
+------------------------------------
+[2C- Checking /proc/meminfo[35C [ [1;32mFOUND[0m ]
+[2C- Searching for dead/zombie processes[22C [ [1;32mNOT FOUND[0m ]
+[2C- Searching for IO waiting processes[23C [ [1;32mNOT FOUND[0m ]
+[2C- Search prelink tooling[35C [ [1;32mNOT FOUND[0m ]
+
+[+] [1;33mUsers, Groups and Authentication[0m
+------------------------------------
+[2C- Administrator accounts[35C [ [1;32mOK[0m ]
+[2C- Unique UIDs[46C [ [1;32mOK[0m ]
+[2C- Consistency of group files (grpck)[23C [ [1;32mOK[0m ]
+[2C- Unique group IDs[41C [ [1;32mOK[0m ]
+[2C- Unique group names[39C [ [1;32mOK[0m ]
+[2C- Password file consistency[32C [ [1;32mOK[0m ]
+[2C- Password hashing methods[33C [ [1;32mOK[0m ]
+[2C- Checking password hashing rounds[25C [ [1;33mDISABLED[0m ]
+[2C- Query system users (non daemons)[25C [ [1;32mDONE[0m ]
+[2C- NIS+ authentication support[30C [ [1;37mNOT ENABLED[0m ]
+[2C- NIS authentication support[31C [ [1;37mNOT ENABLED[0m ]
+[2C- Sudoers file(s)[42C [ [1;32mFOUND[0m ]
+[4C- Permissions for directory: /etc/sudoers.d[14C [ [1;31mWARNING[0m ]
+[4C- Permissions for: /etc/sudoers[26C [ [1;32mOK[0m ]
+[4C- Permissions for: /etc/sudoers.d/README[17C [ [1;32mOK[0m ]
+[4C- Permissions for: /etc/sudoers.d/zfs[20C [ [1;32mOK[0m ]
+[2C- PAM password strength tools[30C [ [1;33mSUGGESTION[0m ]
+[2C- PAM configuration files (pam.conf)[23C [ [1;32mFOUND[0m ]
+[2C- PAM configuration files (pam.d)[26C [ [1;32mFOUND[0m ]
+[2C- PAM modules[46C [ [1;32mFOUND[0m ]
+[2C- LDAP module in PAM[39C [ [1;37mNOT FOUND[0m ]
+[2C- Accounts without expire date[29C [ [1;33mSUGGESTION[0m ]
+[2C- Accounts without password[32C [ [1;32mOK[0m ]
+[2C- Locked accounts[42C [ [1;31mFOUND[0m ]
+[2C- Checking user password aging (minimum)[19C [ [1;33mDISABLED[0m ]
+[2C- User password aging (maximum)[28C [ [1;33mDISABLED[0m ]
+[2C- Checking expired passwords[31C [ [1;32mOK[0m ]
+[2C- Checking Linux single user mode authentication[11C [ [1;32mOK[0m ]
+[2C- Determining default umask[32C
+[4C- umask (/etc/profile)[35C [ [1;33mNOT FOUND[0m ]
+[4C- umask (/etc/login.defs)[32C [ [1;33mSUGGESTION[0m ]
+[2C- LDAP authentication support[30C [ [1;37mNOT ENABLED[0m ]
+[2C- Logging failed login attempts[28C [ [1;33mDISABLED[0m ]
+
+[+] [1;33mKerberos[0m
+------------------------------------
+[2C- Check for Kerberos KDC and principals[20C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mShells[0m
+------------------------------------
+[2C- Checking shells from /etc/shells[25C
+[4CResult: found 7 shells (valid shells: 7).[16C
+[4C- Session timeout settings/tools[25C [ [1;33mNONE[0m ]
+[2C- Checking default umask values[28C
+[4C- Checking default umask in /etc/bash.bashrc[13C [ [1;33mNONE[0m ]
+[4C- Checking default umask in /etc/profile[17C [ [1;33mNONE[0m ]
+
+[+] [1;33mFile systems[0m
+------------------------------------
+[2C- Checking mount points[36C
+[4C- Checking /home mount point[29C [ [1;33mSUGGESTION[0m ]
+[4C- Checking /tmp mount point[30C [ [1;32mOK[0m ]
+[4C- Checking /var mount point[30C [ [1;33mSUGGESTION[0m ]
+[2C- Checking LVM volume groups[31C [ [1;32mFOUND[0m ]
+[4C- Checking LVM volumes[35C [ [1;32mFOUND[0m ]
+[2C- Query swap partitions (fstab)[28C [ [1;32mOK[0m ]
+[2C- Testing swap partitions[34C [ [1;32mOK[0m ]
+[2C- Testing /proc mount (hidepid)[28C [ [1;33mSUGGESTION[0m ]
+[2C- Checking for old files in /tmp[27C [ [1;32mOK[0m ]
+[2C- Checking /tmp sticky bit[33C [ [1;32mOK[0m ]
+[2C- Checking /var/tmp sticky bit[29C [ [1;32mOK[0m ]
+[2C- ACL support root file system[29C [ [1;32mENABLED[0m ]
+[2C- Mount options of /[39C [ [1;33mNON DEFAULT[0m ]
+[2C- Mount options of /dev[36C [ [1;33mPARTIALLY HARDENED[0m ]
+[2C- Mount options of /dev/shm[32C [ [1;33mPARTIALLY HARDENED[0m ]
+[2C- Mount options of /run[36C [ [1;32mHARDENED[0m ]
+[2C- Mount options of /tmp[36C [ [1;33mPARTIALLY HARDENED[0m ]
+[2C- Total without nodev:12 noexec:18 nosuid:10 ro or noexec (W^X): 17 of total 35[0C
+[2C- Disable kernel support of some filesystems[15C
+
+[+] [1;33mUSB Devices[0m
+------------------------------------
+[2C- Checking usb-storage driver (modprobe config)[12C [ [1;37mNOT DISABLED[0m ]
+[2C- Checking USB devices authorization[23C [ [1;33mENABLED[0m ]
+[2C- Checking USBGuard[40C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mStorage[0m
+------------------------------------
+[2C- Checking firewire ohci driver (modprobe config)[10C [ [1;37mNOT DISABLED[0m ]
+
+[+] [1;33mNFS[0m
+------------------------------------
+[2C- Query rpc registered programs[28C [ [1;32mDONE[0m ]
+[2C- Query NFS versions[39C [ [1;32mDONE[0m ]
+[2C- Query NFS protocols[38C [ [1;32mDONE[0m ]
+[2C- Check running NFS daemon[33C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mName services[0m
+------------------------------------
+[2C- Checking search domains[34C [ [1;32mFOUND[0m ]
+[2C- Searching DNS domain name[32C [ [1;32mFOUND[0m ]
+[6CDomain name: avt.data-center.id[24C
+[2C- Checking /etc/hosts[38C
+[4C- Duplicate entries in hosts file[24C [ [1;32mNONE[0m ]
+[4C- Presence of configured hostname in /etc/hosts[10C [ [1;32mFOUND[0m ]
+[4C- Hostname mapped to localhost[27C [ [1;32mNOT FOUND[0m ]
+[4C- Localhost mapping to IP address[24C [ [1;32mOK[0m ]
+
+[+] [1;33mPorts and packages[0m
+------------------------------------
+[2C- Searching package managers[31C
+
+  [30;43m[WARNING][0m: Test NAME-4408 had a long execution: 10.079518 seconds[0m
+
+[4C- Searching dpkg package manager[25C [ [1;32mFOUND[0m ]
+[6C- Querying package manager[29C
+[4C- Query unpurged packages[32C [ [1;33mFOUND[0m ]
+[2C- Checking security repository in sources.list.d directory[1C [ [1;32mOK[0m ]
+[2C- Checking APT package database[28C [ [1;32mOK[0m ]
+[2C- Checking vulnerable packages[29C [ [1;31mWARNING[0m ]
+
+  [30;43m[WARNING][0m: Test PKGS-7392 had a long execution: 12.672509 seconds[0m
+
+[2C- Checking upgradeable packages[28C [ [1;37mSKIPPED[0m ]
+[2C- Checking package audit tool[30C [ [1;32mINSTALLED[0m ]
+[4CFound: apt-get[43C
+[2C- Toolkit for automatic upgrades[27C [ [1;33mNOT FOUND[0m ]
+
+[+] [1;33mNetworking[0m
+------------------------------------
+[2C- Checking IPv6 configuration[30C [ [1;37mENABLED[0m ]
+[6CConfiguration method[35C [ [1;37mAUTO[0m ]
+[6CIPv6 only[46C [ [1;37mNO[0m ]
+
+  [30;43m[WARNING][0m: Test NETW-2600 had a long execution: 22.215080 seconds[0m
+
+[2C- Checking configured nameservers[26C
+[4C- Testing nameservers[36C
+[8CNameserver: 10.10.10.11[30C [ [1;31mNO RESPONSE[0m ]
+[8CNameserver: 10.10.10.12[30C [ [1;32mOK[0m ]
+[8CNameserver: 8.8.8.8[34C [ [1;32mOK[0m ]
+[4C- Minimal of 2 responsive nameservers[20C [ [1;32mOK[0m ]
+[2C- Getting listening ports (TCP/UDP)[24C [ [1;32mDONE[0m ]
+[2C- Checking promiscuous interfaces[26C [ [1;31mWARNING[0m ]
+[2C- Checking status DHCP client[30C [ [1;37mNOT ACTIVE[0m ]
+[2C- Checking for ARP monitoring software[21C [ [1;33mNOT FOUND[0m ]
+[2C- Uncommon network protocols[31C [ [1;33m0[0m ]
+
+[+] [1;33mPrinters and Spools[0m
+------------------------------------
+[2C- Checking cups daemon[37C [ [1;37mNOT FOUND[0m ]
+[2C- Checking lp daemon[39C [ [1;37mNOT RUNNING[0m ]
+
+[+] [1;33mSoftware: e-mail and messaging[0m
+------------------------------------
+[2C- Postfix status[43C [ [1;32mRUNNING[0m ]
+[4C- Postfix configuration[34C [ [1;32mFOUND[0m ]
+[6C- Postfix banner[39C [ [1;31mWARNING[0m ]
+
+[+] [1;33mSoftware: firewalls[0m
+------------------------------------
+[2C- Checking iptables kernel module[26C [ [1;32mFOUND[0m ]
+[4C- Checking iptables policies of chains[19C [ [1;32mFOUND[0m ]
+[6C- Chain INPUT (table: filter, target: ACCEPT)[10C [ [1;33mACCEPT[0m ]
+[6C- Chain INPUT (table: security, target: ACCEPT)[8C [ [1;33mACCEPT[0m ]
+[4C- Checking for empty ruleset[29C [ [1;31mWARNING[0m ]
+[4C- Checking for unused rules[30C [ [1;32mOK[0m ]
+[2C- Checking host based firewall[29C [ [1;32mACTIVE[0m ]
+
+[+] [1;33mSoftware: webserver[0m
+------------------------------------
+[2C- Checking Apache[42C [ [1;37mNOT FOUND[0m ]
+[2C- Checking nginx[43C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mSSH Support[0m
+------------------------------------
+[2C- Checking running SSH daemon[30C [ [1;32mFOUND[0m ]
+[4C- Searching SSH configuration[28C [ [1;32mFOUND[0m ]
+[4C- OpenSSH option: AllowTcpForwarding[21C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: ClientAliveCountMax[20C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: ClientAliveInterval[20C [ [1;32mOK[0m ]
+[4C- OpenSSH option: FingerprintHash[24C [ [1;32mOK[0m ]
+[4C- OpenSSH option: GatewayPorts[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: IgnoreRhosts[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: LoginGraceTime[25C [ [1;32mOK[0m ]
+[4C- OpenSSH option: LogLevel[31C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: MaxAuthTries[27C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: MaxSessions[28C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: PermitRootLogin[24C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: PermitUserEnvironment[18C [ [1;32mOK[0m ]
+[4C- OpenSSH option: PermitTunnel[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: Port[35C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: PrintLastLog[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: StrictModes[28C [ [1;32mOK[0m ]
+[4C- OpenSSH option: TCPKeepAlive[27C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: UseDNS[33C [ [1;32mOK[0m ]
+[4C- OpenSSH option: X11Forwarding[26C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: AllowAgentForwarding[19C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: AllowUsers[29C [ [1;37mNOT FOUND[0m ]
+[4C- OpenSSH option: AllowGroups[28C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mSNMP Support[0m
+------------------------------------
+[2C- Checking running SNMP daemon[29C [ [1;32mFOUND[0m ]
+[4C- Checking SNMP configuration[28C [ [1;32mFOUND[0m ]
+[2C- Checking SNMP community strings[26C [ [1;32mOK[0m ]
+
+[+] [1;33mDatabases[0m
+------------------------------------
+[2C- MySQL process status[37C [ [1;32mFOUND[0m ]
+
+[+] [1;33mLDAP Services[0m
+------------------------------------
+[2C- Checking OpenLDAP instance[31C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mPHP[0m
+------------------------------------
+[2C- Checking PHP[45C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mSquid Support[0m
+------------------------------------
+[2C- Checking running Squid daemon[28C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mLogging and files[0m
+------------------------------------
+[2C- Checking for a running log daemon[24C [ [1;32mOK[0m ]
+[4C- Checking Syslog-NG status[30C [ [1;37mNOT FOUND[0m ]
+[4C- Checking systemd journal status[24C [ [1;32mFOUND[0m ]
+[4C- Checking Metalog status[32C [ [1;37mNOT FOUND[0m ]
+[4C- Checking RSyslog status[32C [ [1;32mFOUND[0m ]
+[4C- Checking RFC 3195 daemon status[24C [ [1;37mNOT FOUND[0m ]
+[4C- Checking minilogd instances[28C [ [1;37mNOT FOUND[0m ]
+[4C- Checking wazuh-agent daemon status[21C [ [1;37mNOT FOUND[0m ]
+[2C- Checking logrotate presence[30C [ [1;32mOK[0m ]
+[2C- Checking remote logging[34C [ [1;32mENABLED[0m ]
+[2C- Checking log directories (static list)[19C [ [1;32mDONE[0m ]
+[2C- Checking open log files[34C [ [1;32mDONE[0m ]
+[2C- Checking deleted files in use[28C [ [1;33mFILES FOUND[0m ]
+
+[+] [1;33mInsecure services[0m
+------------------------------------
+[2C- Installed inetd package[34C [ [1;32mNOT FOUND[0m ]
+[2C- Installed xinetd package[33C [ [1;32mOK[0m ]
+[4C- xinetd status[42C [ [1;32mNOT ACTIVE[0m ]
+[2C- Installed rsh client package[29C [ [1;32mOK[0m ]
+[2C- Installed rsh server package[29C [ [1;32mOK[0m ]
+[2C- Installed telnet client package[26C [ [1;32mOK[0m ]
+[2C- Installed telnet server package[26C [ [1;32mNOT FOUND[0m ]
+[2C- Checking NIS client installation[25C [ [1;32mOK[0m ]
+[2C- Checking NIS server installation[25C [ [1;32mOK[0m ]
+[2C- Checking TFTP client installation[24C [ [1;32mOK[0m ]
+[2C- Checking TFTP server installation[24C [ [1;32mOK[0m ]
+
+[+] [1;33mBanners and identification[0m
+------------------------------------
+[2C- /etc/issue[47C [ [1;32mFOUND[0m ]
+[4C- /etc/issue contents[36C [ [1;33mWEAK[0m ]
+[2C- /etc/issue.net[43C [ [1;32mFOUND[0m ]
+[4C- /etc/issue.net contents[32C [ [1;33mWEAK[0m ]
+
+[+] [1;33mScheduled tasks[0m
+------------------------------------
+[2C- Checking crontab and cronjob files[23C [ [1;32mDONE[0m ]
+
+[+] [1;33mAccounting[0m
+------------------------------------
+[2C- Checking accounting information[26C [ [1;33mNOT FOUND[0m ]
+[2C- Checking sysstat accounting data[25C [ [1;33mNOT FOUND[0m ]
+[2C- Checking auditd[42C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mTime and Synchronization[0m
+------------------------------------
+[2C- NTP daemon found: chronyd[32C [ [1;32mFOUND[0m ]
+[2C- Checking for a running NTP daemon or client[14C [ [1;32mOK[0m ]
+
+[+] [1;33mCryptography[0m
+------------------------------------
+[2C- Checking for expired SSL certificates [0/152][12C [ [1;32mNONE[0m ]
+
+  [30;43m[WARNING][0m: Test CRYP-7902 had a long execution: 13.384702 seconds[0m
+
+[2C- Kernel entropy is sufficient[29C [ [1;32mYES[0m ]
+[2C- HW RNG & rngd[44C [ [1;33mNO[0m ]
+[2C- SW prng[50C [ [1;33mNO[0m ]
+[2C- MOR variable not found[35C [ [1;37mWEAK[0m ]
+
+[+] [1;33mVirtualization[0m
+------------------------------------
+
+[+] [1;33mContainers[0m
+------------------------------------
+
+[+] [1;33mSecurity frameworks[0m
+------------------------------------
+[2C- Checking presence AppArmor[31C [ [1;32mFOUND[0m ]
+[4C- Checking AppArmor status[31C [ [1;32mENABLED[0m ]
+[8CFound 95 unconfined processes[24C
+[2C- Checking presence SELinux[32C [ [1;37mNOT FOUND[0m ]
+[2C- Checking presence TOMOYO Linux[27C [ [1;37mNOT FOUND[0m ]
+[2C- Checking presence grsecurity[29C [ [1;37mNOT FOUND[0m ]
+[2C- Checking for implemented MAC framework[19C [ [1;32mOK[0m ]
+
+[+] [1;33mSoftware: file integrity[0m
+------------------------------------
+[2C- Checking file integrity tools[28C
+[4C- Wazuh (syscheck)[39C [ [1;32mFOUND[0m ]
+[2C- Checking presence integrity tool[25C [ [1;32mFOUND[0m ]
+
+[+] [1;33mSoftware: System tooling[0m
+------------------------------------
+[2C- Checking automation tooling[30C
+[4C- Ansible artifact[39C [ [1;32mFOUND[0m ]
+[2C- Automation tooling[39C [ [1;32mFOUND[0m ]
+[2C- Checking presence of Wazuh (agent)[23C [ [1;32mFOUND[0m ]
+[2C- Checking for IDS/IPS tooling[29C [ [1;32mFOUND[0m ]
+
+[+] [1;33mSoftware: Malware[0m
+------------------------------------
+[2C- Malware software components[30C [ [1;33mNOT FOUND[0m ]
+
+[+] [1;33mFile Permissions[0m
+------------------------------------
+[2C- Starting file permissions check[26C
+[4CFile: /boot/grub/grub.cfg[32C [ [1;32mOK[0m ]
+[4CFile: /etc/crontab[39C [ [1;33mSUGGESTION[0m ]
+[4CFile: /etc/group[41C [ [1;32mOK[0m ]
+[4CFile: /etc/group-[40C [ [1;32mOK[0m ]
+[4CFile: /etc/hosts.allow[35C [ [1;32mOK[0m ]
+[4CFile: /etc/hosts.deny[36C [ [1;32mOK[0m ]
+[4CFile: /etc/issue[41C [ [1;32mOK[0m ]
+[4CFile: /etc/issue.net[37C [ [1;32mOK[0m ]
+[4CFile: /etc/motd[42C [ [1;32mOK[0m ]
+[4CFile: /etc/passwd[40C [ [1;32mOK[0m ]
+[4CFile: /etc/passwd-[39C [ [1;32mOK[0m ]
+[4CFile: /etc/ssh/sshd_config[31C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /root/.ssh[36C [ [1;32mOK[0m ]
+[4CDirectory: /etc/cron.d[35C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.daily[31C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.hourly[30C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.weekly[30C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.monthly[29C [ [1;33mSUGGESTION[0m ]
+
+[+] [1;33mHome directories[0m
+------------------------------------
+[2C- Permissions of home directories[26C [ [1;32mOK[0m ]
+[2C- Ownership of home directories[28C [ [1;32mOK[0m ]
+[2C- Checking shell history files[29C [ [1;32mOK[0m ]
+
+[+] [1;33mKernel Hardening[0m
+------------------------------------
+[2C- Comparing sysctl key pairs with scan profile[13C
+[4C- dev.tty.ldisc_autoload (exp: 0)[24C [ [1;31mDIFFERENT[0m ]
+[4C- fs.protected_fifos (exp: 2)[28C [ [1;31mDIFFERENT[0m ]
+[4C- fs.protected_hardlinks (exp: 1)[24C [ [1;32mOK[0m ]
+[4C- fs.protected_regular (exp: 2)[26C [ [1;32mOK[0m ]
+[4C- fs.protected_symlinks (exp: 1)[25C [ [1;32mOK[0m ]
+[4C- fs.suid_dumpable (exp: 0)[30C [ [1;32mOK[0m ]
+[4C- kernel.core_uses_pid (exp: 1)[26C [ [1;32mOK[0m ]
+[4C- kernel.ctrl-alt-del (exp: 0)[27C [ [1;32mOK[0m ]
+[4C- kernel.dmesg_restrict (exp: 1)[25C [ [1;32mOK[0m ]
+[4C- kernel.kptr_restrict (exp: 2)[26C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.modules_disabled (exp: 1)[23C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.perf_event_paranoid (exp: 2 3 4)[16C [ [1;32mOK[0m ]
+[4C- kernel.randomize_va_space (exp: 2)[21C [ [1;32mOK[0m ]
+[4C- kernel.sysrq (exp: 0)[34C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.unprivileged_bpf_disabled (exp: 1)[14C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.yama.ptrace_scope (exp: 1 2 3)[18C [ [1;32mOK[0m ]
+[4C- net.core.bpf_jit_harden (exp: 2)[23C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.accept_redirects (exp: 0)[12C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.accept_source_route (exp: 0)[9C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.bootp_relay (exp: 0)[17C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.forwarding (exp: 0)[18C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.log_martians (exp: 1)[16C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.mc_forwarding (exp: 0)[15C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.proxy_arp (exp: 0)[19C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.rp_filter (exp: 1)[19C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.send_redirects (exp: 0)[14C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.default.accept_redirects (exp: 0)[8C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.default.accept_source_route (exp: 0)[5C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.default.log_martians (exp: 1)[12C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)[10C [ [1;32mOK[0m ]
+[4C- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)[4C [ [1;32mOK[0m ]
+[4C- net.ipv4.tcp_syncookies (exp: 1)[23C [ [1;32mOK[0m ]
+[4C- net.ipv4.tcp_timestamps (exp: 0 1)[21C [ [1;32mOK[0m ]
+[4C- net.ipv6.conf.all.accept_redirects (exp: 0)[12C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv6.conf.all.accept_source_route (exp: 0)[9C [ [1;32mOK[0m ]
+[4C- net.ipv6.conf.default.accept_redirects (exp: 0)[8C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv6.conf.default.accept_source_route (exp: 0)[5C [ [1;32mOK[0m ]
+
+[+] [1;33mHardening[0m
+------------------------------------
+[4C- Installed compiler(s)[34C [ [1;31mFOUND[0m ]
+[4C- Installed malware scanner[30C [ [1;31mNOT FOUND[0m ]
+[4C- Non-native binary formats[30C [ [1;31mFOUND[0m ]
+
+[+] [1;33mCustom tests[0m
+------------------------------------
+[2C- Running custom tests... [33C [ [1;37mNONE[0m ]
+
+[+] [1;35mPlugins (phase 2)[0m
+------------------------------------
+
+================================================================================
+
+  -[ [1;37mLynis 3.1.4 Results[0m ]-
+
+  [1;31mWarnings[0m (18):
+  [1;37m----------------------------[0m
+  [1;31m![0m Found one or more vulnerable packages. [PKGS-7392] 
+      https://cisofy.com/lynis/controls/PKGS-7392/
+
+  [1;31m![0m Nameserver 10.10.10.11 does not respond [NETW-2704] 
+      https://cisofy.com/lynis/controls/NETW-2704/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mens27f0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mens29f0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mens29f1[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mbond0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap420i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap457i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap2001i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap2005i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap2006i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap2027i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap8080i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap2032i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap137i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap137i1[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found some information disclosure in SMTP banner (OS or software name) [MAIL-8818] 
+      https://cisofy.com/lynis/controls/MAIL-8818/
+
+  [1;31m![0m iptables module(s) loaded, but no rules active [FIRE-4512] 
+      https://cisofy.com/lynis/controls/FIRE-4512/
+
+  [1;33mSuggestions[0m (51):
+  [1;37m----------------------------[0m
+  [1;33m*[0m This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [LYNIS] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/LYNIS/[0m
+
+  [1;33m*[0m Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [DEB-0280] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0280/[0m
+
+  [1;33m*[0m Install apt-listbugs to display a list of critical bugs prior to each APT installation. [DEB-0810] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0810/[0m
+
+  [1;33m*[0m Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [DEB-0831] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0831/[0m
+
+  [1;33m*[0m Install fail2ban to automatically ban hosts that commit multiple authentication errors. [DEB-0880] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0880/[0m
+
+  [1;33m*[0m Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BOOT-5122/[0m
+
+  [1;33m*[0m Determine runlevel and services at startup [BOOT-5180] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BOOT-5180/[0m
+
+  [1;33m*[0m Consider hardening system services [BOOT-5264] 
+    - Details  : [0;36mRun '/usr/bin/systemd-analyze security SERVICE' for each service[0m
+    - Related resources
+      * Article: [0;36mSystemd features to secure service files[0m: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BOOT-5264/[0m
+
+  [1;33m*[0m Determine why /vmlinuz or /boot/vmlinuz is missing on this Debian/Ubuntu system. [KRNL-5788] 
+    - Details  : [0;36m/vmlinuz or /boot/vmlinuz[0m
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/KRNL-5788/[0m
+
+  [1;33m*[0m Configure password hashing rounds in /etc/login.defs [AUTH-9230] 
+    - Related resources
+      * Article: [0;36mLinux password security: hashing rounds[0m: https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9230/[0m
+
+  [1;33m*[0m Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc [AUTH-9262] 
+    - Related resources
+      * Article: [0;36mConfigure minimum password length for Linux systems[0m: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9262/[0m
+
+  [1;33m*[0m When possible set expire dates for all password protected accounts [AUTH-9282] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9282/[0m
+
+  [1;33m*[0m Look at the locked accounts and consider removing them [AUTH-9284] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9284/[0m
+
+  [1;33m*[0m Configure minimum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: [0;36mConfigure minimum password length for Linux systems[0m: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9286/[0m
+
+  [1;33m*[0m Configure maximum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: [0;36mConfigure minimum password length for Linux systems[0m: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9286/[0m
+
+  [1;33m*[0m Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027 [AUTH-9328] 
+    - Related resources
+      * Article: [0;36mSet default file permissions on Linux with umask[0m: https://linux-audit.com/filesystems/file-permissions/set-default-file-permissions-with-umask/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9328/[0m
+
+  [1;33m*[0m To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/FILE-6310/[0m
+
+  [1;33m*[0m To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/FILE-6310/[0m
+
+  [1;33m*[0m Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/USB-1000/[0m
+
+  [1;33m*[0m Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/STRG-1846/[0m
+
+  [1;33m*[0m Purge old/removed packages (8 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [PKGS-7346] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7346/[0m
+
+  [1;33m*[0m Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7370/[0m
+
+  [1;33m*[0m Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7392/[0m
+
+  [1;33m*[0m Install package apt-show-versions for patch management purposes [PKGS-7394] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7394/[0m
+
+  [1;33m*[0m Consider using a tool to automatically apply upgrades [PKGS-7420] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7420/[0m
+
+  [1;33m*[0m Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP). [NETW-2704] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-2704/[0m
+
+  [1;33m*[0m Determine if protocol 'dccp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m Determine if protocol 'sctp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m Determine if protocol 'rds' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m Determine if protocol 'tipc' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [MAIL-8818] 
+    - Related resources
+      * Article: [0;36mPostfix Hardening Guide for Security and Privacy[0m: https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/MAIL-8818/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mAllowTcpForwarding (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mClientAliveCountMax (set 3 to 2)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mLogLevel (set INFO to VERBOSE)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mMaxAuthTries (set 6 to 3)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mMaxSessions (set 10 to 2)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mPermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mPort (set 22 to )[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mTCPKeepAlive (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mX11Forwarding (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mAllowAgentForwarding (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Check what deleted files are still in use and why. [LOGG-2190] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/LOGG-2190/[0m
+
+  [1;33m*[0m Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
+    - Related resources
+      * Article: [0;36mThe real purpose of login banners[0m: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BANN-7126/[0m
+
+  [1;33m*[0m Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
+    - Related resources
+      * Article: [0;36mThe real purpose of login banners[0m: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BANN-7130/[0m
+
+  [1;33m*[0m Enable process accounting [ACCT-9622] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/ACCT-9622/[0m
+
+  [1;33m*[0m Enable sysstat to collect accounting (no results) [ACCT-9626] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/ACCT-9626/[0m
+
+  [1;33m*[0m Enable auditd to collect audit information [ACCT-9628] 
+    - Related resources
+      * Article: [0;36mLinux audit framework 101: basic rules for configuration[0m: https://linux-audit.com/linux-audit-framework/linux-audit-framework-101-basic-rules-for-configuration/
+      * Article: [0;36mMonitoring Linux file access, changes and data modifications[0m: https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/ACCT-9628/[0m
+
+  [1;33m*[0m Consider restricting file permissions [FILE-7524] 
+    - Details  : [0;36mSee screen output or log file[0m
+    - Solution : Use chmod to change file permissions
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/FILE-7524/[0m
+
+  [1;33m*[0m One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
+    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
+    - Related resources
+      * Article: [0;36mLinux hardening with sysctl settings[0m: https://linux-audit.com/linux-hardening-with-sysctl/
+      * Article: [0;36mOverview of sysctl options and values[0m: https://linux-audit.com/kernel/sysctl/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/KRNL-6000/[0m
+
+  [1;33m*[0m Harden compilers like restricting access to root user only [HRDN-7222] 
+    - Related resources
+      * Article: [0;36mWhy remove compilers from your system?[0m: https://linux-audit.com/software/why-remove-compilers-from-your-system/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/HRDN-7222/[0m
+
+  [1;33m*[0m Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
+    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh
+    - Related resources
+      * Article: [0;36mAntivirus for Linux: is it really needed?[0m: https://linux-audit.com/malware/antivirus-for-linux-really-needed/
+      * Article: [0;36mMonitoring Linux Systems for Rootkits[0m: https://linux-audit.com/monitoring-linux-systems-for-rootkits/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/HRDN-7230/[0m
+
+  [0;36mFollow-up[0m:
+  [1;37m----------------------------[0m
+  [1;37m-[0m Show details of a test (lynis show details TEST-ID)
+  [1;37m-[0m Check the logfile for all details (less /var/log/lynis.log)
+  [1;37m-[0m Read security controls texts (https://cisofy.com)
+  [1;37m-[0m Use --upload to upload data to central system (Lynis Enterprise users)
+
+================================================================================
+
+  [1;37mLynis security scan details[0m:
+
+  [0;36mHardening index[0m : [1;37m65[0m [[1;33m#############[0m       ]
+  [0;36mTests performed[0m : [1;37m264[0m
+  [0;36mPlugins enabled[0m : [1;37m1[0m
+
+  [1;37mComponents[0m:
+  - Firewall               [[1;32mV[0m]
+  - Malware scanner        [[1;31mX[0m]
+
+  [1;33mScan mode[0m:
+  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]
+
+  [1;33mLynis modules[0m:
+  - Compliance status      [[1;33m?[0m]
+  - Security audit         [[1;32mV[0m]
+  - Vulnerability scan     [[1;32mV[0m]
+
+  [1;33mFiles[0m:
+  - Test and debug information      : [1;37m/var/log/lynis.log[0m
+  - Report data                     : [1;37m/var/log/lynis-report.dat[0m
+
+================================================================================
+
+  [1;37mLynis[0m 3.1.4
+
+  Auditing, system hardening, and compliance for UNIX-based systems
+  (Linux, macOS, BSD, and others)
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  [1;37mEnterprise support available (compliance, plugins, interface and tools)[0m
+
+================================================================================
+
+  [0;44m[TIP][0m: [0;94mEnhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)[0m
--- a/ansible/playbooks/logs/10.10.26.12_vms.log
+++ b/ansible/playbooks/logs/10.10.26.12_vms.log
@@ -0,0 +1,56 @@
+      VMID NAME                 STATUS     MEM(MB)    BOOTDISK(GB) PID       
+       102 andromeda-vm-clone   stopped    32768            220.00 0         
+       103 andromedavm          stopped    32768            220.00 0         
+       114 pgsql-01             stopped    16384            300.00 0         
+       117 haproxy-01           stopped    4096             100.00 0         
+       137 milkywayvm           running    2048              20.00 12274     
+       160 foreman              stopped    8192              80.00 0         
+       220 bareos-server        stopped    8192             100.00 0         
+       221 bacula-server        stopped    8192              80.00 0         
+       305 ceph-01              stopped    16384             80.00 0         
+       307 ceph-03              stopped    16384             80.00 0         
+       350 grafana-loki         stopped    16384            100.00 0         
+       352 grafana-mimir        stopped    16384            100.00 0         
+       354 prometheus           stopped    8192             100.00 0         
+       401 ns1.data-center.online stopped    4096             100.00 0         
+       420 gitea                running    16384            300.00 10009     
+       421 seafile              stopped    32768             80.00 0         
+       450 local-dns-server     stopped    4096             100.00 0         
+       456 iam-datahall-01-new  stopped    8192             100.00 0         
+       457 iam-datahall-02-new  running    8192             100.00 10248     
+       458 kong-cluster-db      stopped    8192             100.00 0         
+       460 kong-node-1          stopped    8192              80.00 0         
+       461 kong-node-2          stopped    8192              80.00 0         
+       462 kong-node-3          stopped    8192              80.00 0         
+       463 kong-ha-1            stopped    8192              80.00 0         
+       464 kong-ha-2            stopped    8192              80.00 0         
+       465 open-km              stopped    8192             300.00 0         
+       561 minio-node-01        stopped    16384             80.00 0         
+       562 minio-node-02        stopped    16384             80.00 0         
+       563 minio-node-03        stopped    16384             80.00 0         
+       564 haproxy-node-01      stopped    4096              50.00 0         
+       899 excalidraw           stopped    8192             100.00 0         
+       901 web-jagatech         stopped    8192             100.00 0         
+      1003 kube-master-03       stopped    16384            300.00 0         
+      1005 kube-worker-node-02  stopped    16384            300.00 0         
+      2001 authentik            running    8192             300.00 10524     
+      2005 finops-revamp        running    8192             150.00 10718     
+      2006 vaultwarden          running    8192             100.00 10911     
+      2021 proxmox-backup       stopped    8192             300.00 0         
+      2022 jumpserver           stopped    32768            300.00 0         
+      2027 new-mail-server      running    32768            500.00 11113     
+      2029 penpot               stopped    8192             300.00 0         
+      2032 accurate-server      running    16384             80.00 11357     
+      5000 dxi-5000             stopped    16384            100.00 0         
+      8002 teraform             stopped    8192              50.00 0         
+      8080 service-desk         running    8192             100.00 11388     
+      9000 tester-bandwith      stopped    8192              50.00 0         
+      9001 gitea-runner-01      stopped    8192              50.00 0         
+     10000 docker-load-balancer stopped    16384            300.00 0         
+     10001 docker-node-01       stopped    16384            300.00 0         
+     10002 docker-node-02       stopped    16384            300.00 0         
+     10003 docker-node-03       stopped    16384            300.00 0         
+     10004 IOT-VM               stopped    16384            300.00 0         
+     90000 tools-baseos-massive stopped    8192              50.00 0         
+     99992 test-iam-dns         stopped    4096              50.00 0         
+    999999 kong-api-reff        stopped    2048              30.00 0         
--- a/ansible/playbooks/logs/10.10.26.13_lxcs.log
+++ b/ansible/playbooks/logs/10.10.26.13_lxcs.log
@@ -0,0 +1,8 @@
+VMID       Status     Lock         Name                
+101        running                 ns01.avt.data-center.id
+104        stopped                 grafana.avt.data-center.id
+105        stopped                 iam.avt.data-center.id
+110        stopped                 redis-db            
+178        stopped                 apache-guacamole    
+180        running                 oci-grafana         
+301        stopped                 ssh-proxy-poc       
--- a/ansible/playbooks/logs/10.10.26.13_lynis_report.log
+++ b/ansible/playbooks/logs/10.10.26.13_lynis_report.log
@@ -0,0 +1,931 @@
+
+[1;37m[ Lynis 3.1.4 ][0m
+
+################################################################################
+  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+  welcome to redistribute it under the terms of the GNU General Public License.
+  See the LICENSE file for details about using this software.
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  Enterprise support available (compliance, plugins, interface and tools)
+################################################################################
+
+
+[+] [1;33mInitializing program[0m
+------------------------------------
+[2C- Detecting OS... [41C [ [1;32mDONE[0m ]
+[2C- Checking profiles...[37C [ [1;32mDONE[0m ]
+
+  ---------------------------------------------------
+  Program version:           3.1.4
+  Operating system:          Linux
+  Operating system name:     Debian
+  Operating system version:  13
+  Kernel version:            6.17.2
+  Hardware platform:         x86_64
+  Hostname:                  ppve03
+  ---------------------------------------------------
+  Profiles:                  /etc/lynis/default.prf
+  Log file:                  /var/log/lynis.log
+  Report file:               /var/log/lynis-report.dat
+  Report version:            1.0
+  Plugin directory:          /etc/lynis/plugins
+  ---------------------------------------------------
+  Auditor:                   [Not Specified]
+  Language:                  en
+  Test category:             all
+  Test group:                all
+  ---------------------------------------------------
+[2C- Program update status... [32C [ [1;32mNO UPDATE[0m ]
+
+[+] [1;33mSystem tools[0m
+------------------------------------
+[2C- Scanning available tools...[30C
+[2C- Checking system binaries...[30C
+
+[+] [1;35mPlugins (phase 1)[0m
+------------------------------------
+[0CNote: plugins have more extensive tests and may take several minutes to complete[0C
+[0C [0C
+[2C- [0;36mPlugin[0m: [1;37mdebian[0m[21C
+    [
+[+] [1;33mDebian Tests[0m
+------------------------------------
+[2C- Checking for system binaries that are required by Debian Tests...[0C
+[4C- Checking /bin... [38C [ [1;32mFOUND[0m ]
+[4C- Checking /sbin... [37C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/bin... [34C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/sbin... [33C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/local/bin... [28C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/local/sbin... [27C [ [1;32mFOUND[0m ]
+[2C- Authentication:[42C
+[4C- PAM (Pluggable Authentication Modules):[16C
+
+  [30;43m[WARNING][0m: Test DEB-0001 had a long execution: 12.768266 seconds[0m
+
+[6C- libpam-tmpdir[40C [ [1;31mNot Installed[0m ]
+[2C- File System Checks:[38C
+[4C- DM-Crypt, Cryptsetup & Cryptmount:[21C
+[2C- Software:[48C
+[4C- apt-listbugs[43C [ [1;31mNot Installed[0m ]
+[4C- apt-listchanges[40C [ [1;32mInstalled and enabled for apt[0m ]
+[4C- needrestart[44C [ [1;31mNot Installed[0m ]
+[4C- fail2ban[47C [ [1;31mNot Installed[0m ]
+]
+
+[+] [1;33mBoot and services[0m
+------------------------------------
+[2C- Service Manager[42C [ [1;32msystemd[0m ]
+[2C- Checking UEFI boot[39C [ [1;32mENABLED[0m ]
+[2C- Checking Secure Boot[37C [ [1;33mDISABLED[0m ]
+[2C- Checking presence GRUB2[34C [ [1;32mFOUND[0m ]
+[4C- Checking for password protection[23C [ [1;31mNONE[0m ]
+[2C- Check running services (systemctl)[23C [ [1;32mDONE[0m ]
+[8CResult: found 47 running services[20C
+[2C- Check enabled services at boot (systemctl)[15C [ [1;32mDONE[0m ]
+[8CResult: found 67 enabled services[20C
+[2C- Check startup files (permissions)[24C [ [1;32mOK[0m ]
+[2C- Running 'systemd-analyze security'[23C
+[6CUnit name (exposure value) and predicate[15C
+[6C--------------------------------[23C
+[4C- check-mk-agent-async.service (value=9.6)[15C [ [1;33mUNSAFE[0m ]
+[4C- chrony.service (value=3.5)[29C [ [1;32mPROTECTED[0m ]
+[4C- cmk-agent-ctl-daemon.service (value=4.4)[15C [ [1;32mPROTECTED[0m ]
+[4C- console-getty.service (value=9.6)[22C [ [1;33mUNSAFE[0m ]
+[4C- corosync.service (value=9.2)[27C [ [1;33mUNSAFE[0m ]
+[4C- cron.service (value=9.6)[31C [ [1;33mUNSAFE[0m ]
+[4C- dbus.service (value=9.3)[31C [ [1;33mUNSAFE[0m ]
+[4C- dm-event.service (value=9.5)[27C [ [1;33mUNSAFE[0m ]
+[4C- dnsmasq@jualan.service (value=9.6)[21C [ [1;33mUNSAFE[0m ]
+[4C- dnsmasq@terakhir.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- emergency.service (value=9.5)[26C [ [1;33mUNSAFE[0m ]
+[4C- frr.service (value=9.8)[32C [ [1;33mUNSAFE[0m ]
+[4C- getty@tty1.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- iscsid.service (value=9.5)[29C [ [1;33mUNSAFE[0m ]
+[4C- keepalived.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- ksmtuned.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- kvm_backup_service.service (value=9.6)[17C [ [1;33mUNSAFE[0m ]
+[4C- kvm_virt_server.service (value=9.6)[20C [ [1;33mUNSAFE[0m ]
+[4C- lldpd.service (value=8.5)[30C [ [1;33mEXPOSED[0m ]
+[4C- lvm2-lvmpolld.service (value=9.5)[22C [ [1;33mUNSAFE[0m ]
+[4C- lxc-monitord.service (value=9.6)[23C [ [1;33mUNSAFE[0m ]
+[4C- lxcfs.service (value=9.6)[30C [ [1;33mUNSAFE[0m ]
+[4C- lynis.service (value=9.6)[30C [ [1;33mUNSAFE[0m ]
+[4C- netavark-dhcp-proxy.service (value=9.6)[16C [ [1;33mUNSAFE[0m ]
+[4C- nfs-blkmap.service (value=9.5)[25C [ [1;33mUNSAFE[0m ]
+[4C- postfix.service (value=3.9)[28C [ [1;32mPROTECTED[0m ]
+[4C- postfix@-.service (value=3.9)[26C [ [1;32mPROTECTED[0m ]
+[4C- proxmenux-monitor.service (value=9.6)[18C [ [1;33mUNSAFE[0m ]
+[4C- proxmox-firewall.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- pve-cluster.service (value=9.5)[24C [ [1;33mUNSAFE[0m ]
+[4C- pve-container@101.service (value=9.6)[18C [ [1;33mUNSAFE[0m ]
+[4C- pve-container@180.service (value=9.6)[18C [ [1;33mUNSAFE[0m ]
+[4C- pve-firewall.service (value=9.5)[23C [ [1;33mUNSAFE[0m ]
+[4C- pve-ha-crm.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- pve-ha-lrm.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- pve-lxc-syscalld.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- pvedaemon.service (value=9.6)[26C [ [1;33mUNSAFE[0m ]
+[4C- pvefw-logger.service (value=9.5)[23C [ [1;33mUNSAFE[0m ]
+[4C- pveproxy.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- pvescheduler.service (value=9.6)[23C [ [1;33mUNSAFE[0m ]
+[4C- pvestatd.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- qmeventd.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- rc-local.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- rescue.service (value=9.5)[29C [ [1;33mUNSAFE[0m ]
+[4C- rpc-gssd.service (value=9.5)[27C [ [1;33mUNSAFE[0m ]
+[4C- rpc-statd-notify.service (value=9.5)[19C [ [1;33mUNSAFE[0m ]
+[4C- rpc-statd.service (value=9.5)[26C [ [1;33mUNSAFE[0m ]
+[4C- rpc-svcgssd.service (value=9.5)[24C [ [1;33mUNSAFE[0m ]
+[4C- rpcbind.service (value=9.5)[28C [ [1;33mUNSAFE[0m ]
+[4C- rrdcached.service (value=9.6)[26C [ [1;33mUNSAFE[0m ]
+[4C- rsyslog.service (value=4.5)[28C [ [1;32mPROTECTED[0m ]
+[4C- smartmontools.service (value=9.6)[22C [ [1;33mUNSAFE[0m ]
+[4C- snmpd.service (value=9.6)[30C [ [1;33mUNSAFE[0m ]
+[4C- spiceproxy.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- ssh.service (value=9.6)[32C [ [1;33mUNSAFE[0m ]
+[4C- sshd@sshd-keygen.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- systemd-ask-password-console.service (value=9.4)[7C [ [1;33mUNSAFE[0m ]
+[4C- systemd-ask-password-wall.service (value=9.4)[10C [ [1;33mUNSAFE[0m ]
+[4C- systemd-bsod.service (value=9.5)[23C [ [1;33mUNSAFE[0m ]
+[4C- systemd-hostnamed.service (value=1.7)[18C [ [1;32mPROTECTED[0m ]
+[4C- systemd-initctl.service (value=9.4)[20C [ [1;33mUNSAFE[0m ]
+[4C- systemd-journald.service (value=4.9)[19C [ [1;32mPROTECTED[0m ]
+[4C- systemd-logind.service (value=2.8)[21C [ [1;32mPROTECTED[0m ]
+[4C- systemd-networkd.service (value=2.9)[19C [ [1;32mPROTECTED[0m ]
+[4C- systemd-rfkill.service (value=9.4)[21C [ [1;33mUNSAFE[0m ]
+[4C- systemd-udevd.service (value=7.1)[22C [ [1;37mMEDIUM[0m ]
+[4C- user@0.service (value=9.8)[29C [ [1;33mUNSAFE[0m ]
+[4C- watchdog-mux.service (value=9.6)[23C [ [1;33mUNSAFE[0m ]
+[4C- wazuh-agent.service (value=9.6)[24C [ [1;33mUNSAFE[0m ]
+[4C- zfs-zed.service (value=9.6)[28C [ [1;33mUNSAFE[0m ]
+
+[+] [1;33mKernel[0m
+------------------------------------
+[2C- Checking default runlevel[32C [ [1;32mrunlevel 5[0m ]
+[2C- Checking CPU support (NX/PAE)[28C
+[4CCPU support: PAE and/or NoeXecute supported[14C [ [1;32mFOUND[0m ]
+[2C- Checking kernel version and release[22C [ [1;32mDONE[0m ]
+[2C- Checking kernel type[37C [ [1;32mDONE[0m ]
+[2C- Checking loaded kernel modules[27C [ [1;32mDONE[0m ]
+[6CFound 125 active modules[31C
+[2C- Checking Linux kernel configuration file[17C [ [1;32mFOUND[0m ]
+[2C- Checking default I/O kernel scheduler[20C [ [1;37mNOT FOUND[0m ]
+[2C- Checking core dumps configuration[24C
+[4C- configuration in systemd conf files[20C [ [1;37mDEFAULT[0m ]
+[4C- configuration in /etc/profile[26C [ [1;37mDEFAULT[0m ]
+[4C- 'hard' configuration in /etc/security/limits.conf[6C [ [1;31mENABLED[0m ]
+[4C- 'soft' configuration in /etc/security/limits.conf[6C [ [1;32mDISABLED[0m ]
+[4C- Checking setuid core dumps configuration[15C [ [1;32mDISABLED[0m ]
+[2C- Check if reboot is needed[32C [ [1;32mNO[0m ]
+
+[+] [1;33mMemory and Processes[0m
+------------------------------------
+[2C- Checking /proc/meminfo[35C [ [1;32mFOUND[0m ]
+[2C- Searching for dead/zombie processes[22C [ [1;32mNOT FOUND[0m ]
+[2C- Searching for IO waiting processes[23C [ [1;32mNOT FOUND[0m ]
+[2C- Search prelink tooling[35C [ [1;32mNOT FOUND[0m ]
+
+[+] [1;33mUsers, Groups and Authentication[0m
+------------------------------------
+[2C- Administrator accounts[35C [ [1;32mOK[0m ]
+[2C- Unique UIDs[46C [ [1;32mOK[0m ]
+[2C- Consistency of group files (grpck)[23C [ [1;32mOK[0m ]
+[2C- Unique group IDs[41C [ [1;32mOK[0m ]
+[2C- Unique group names[39C [ [1;32mOK[0m ]
+[2C- Password file consistency[32C [ [1;32mOK[0m ]
+[2C- Password hashing methods[33C [ [1;32mOK[0m ]
+[2C- Checking password hashing rounds[25C [ [1;33mDISABLED[0m ]
+[2C- Query system users (non daemons)[25C [ [1;32mDONE[0m ]
+[2C- NIS+ authentication support[30C [ [1;37mNOT ENABLED[0m ]
+[2C- NIS authentication support[31C [ [1;37mNOT ENABLED[0m ]
+[2C- Sudoers file(s)[42C [ [1;32mFOUND[0m ]
+[4C- Permissions for directory: /etc/sudoers.d[14C [ [1;31mWARNING[0m ]
+[4C- Permissions for: /etc/sudoers[26C [ [1;32mOK[0m ]
+[4C- Permissions for: /etc/sudoers.d/zfs[20C [ [1;32mOK[0m ]
+[4C- Permissions for: /etc/sudoers.d/README[17C [ [1;32mOK[0m ]
+[2C- PAM password strength tools[30C [ [1;33mSUGGESTION[0m ]
+[2C- PAM configuration files (pam.conf)[23C [ [1;32mFOUND[0m ]
+[2C- PAM configuration files (pam.d)[26C [ [1;32mFOUND[0m ]
+[2C- PAM modules[46C [ [1;32mFOUND[0m ]
+[2C- LDAP module in PAM[39C [ [1;37mNOT FOUND[0m ]
+[2C- Accounts without expire date[29C [ [1;33mSUGGESTION[0m ]
+[2C- Accounts without password[32C [ [1;32mOK[0m ]
+[2C- Locked accounts[42C [ [1;31mFOUND[0m ]
+[2C- Checking user password aging (minimum)[19C [ [1;33mDISABLED[0m ]
+[2C- User password aging (maximum)[28C [ [1;33mDISABLED[0m ]
+[2C- Checking expired passwords[31C [ [1;32mOK[0m ]
+[2C- Checking Linux single user mode authentication[11C [ [1;32mOK[0m ]
+[2C- Determining default umask[32C
+[4C- umask (/etc/profile)[35C [ [1;33mNOT FOUND[0m ]
+[4C- umask (/etc/login.defs)[32C [ [1;33mSUGGESTION[0m ]
+[2C- LDAP authentication support[30C [ [1;37mNOT ENABLED[0m ]
+[2C- Logging failed login attempts[28C [ [1;33mDISABLED[0m ]
+
+[+] [1;33mKerberos[0m
+------------------------------------
+[2C- Check for Kerberos KDC and principals[20C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mShells[0m
+------------------------------------
+[2C- Checking shells from /etc/shells[25C
+[4CResult: found 7 shells (valid shells: 7).[16C
+[4C- Session timeout settings/tools[25C [ [1;33mNONE[0m ]
+[2C- Checking default umask values[28C
+[4C- Checking default umask in /etc/bash.bashrc[13C [ [1;33mNONE[0m ]
+[4C- Checking default umask in /etc/profile[17C [ [1;33mNONE[0m ]
+
+[+] [1;33mFile systems[0m
+------------------------------------
+[2C- Checking mount points[36C
+[4C- Checking /home mount point[29C [ [1;33mSUGGESTION[0m ]
+[4C- Checking /tmp mount point[30C [ [1;32mOK[0m ]
+[4C- Checking /var mount point[30C [ [1;33mSUGGESTION[0m ]
+[2C- Checking LVM volume groups[31C [ [1;32mFOUND[0m ]
+[4C- Checking LVM volumes[35C [ [1;32mFOUND[0m ]
+[2C- Query swap partitions (fstab)[28C [ [1;32mOK[0m ]
+[2C- Testing swap partitions[34C [ [1;32mOK[0m ]
+[2C- Testing /proc mount (hidepid)[28C [ [1;33mSUGGESTION[0m ]
+[2C- Checking for old files in /tmp[27C [ [1;32mOK[0m ]
+[2C- Checking /tmp sticky bit[33C [ [1;32mOK[0m ]
+[2C- Checking /var/tmp sticky bit[29C [ [1;32mOK[0m ]
+[2C- ACL support root file system[29C [ [1;32mENABLED[0m ]
+[2C- Mount options of /[39C [ [1;33mNON DEFAULT[0m ]
+[2C- Mount options of /dev[36C [ [1;33mPARTIALLY HARDENED[0m ]
+[2C- Mount options of /dev/shm[32C [ [1;33mPARTIALLY HARDENED[0m ]
+[2C- Mount options of /run[36C [ [1;32mHARDENED[0m ]
+[2C- Mount options of /tmp[36C [ [1;33mPARTIALLY HARDENED[0m ]
+[2C- Total without nodev:12 noexec:18 nosuid:10 ro or noexec (W^X): 17 of total 35[0C
+[2C- Disable kernel support of some filesystems[15C
+
+[+] [1;33mUSB Devices[0m
+------------------------------------
+[2C- Checking usb-storage driver (modprobe config)[12C [ [1;37mNOT DISABLED[0m ]
+[2C- Checking USB devices authorization[23C [ [1;33mENABLED[0m ]
+[2C- Checking USBGuard[40C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mStorage[0m
+------------------------------------
+[2C- Checking firewire ohci driver (modprobe config)[10C [ [1;37mNOT DISABLED[0m ]
+
+[+] [1;33mNFS[0m
+------------------------------------
+[2C- Query rpc registered programs[28C [ [1;32mDONE[0m ]
+[2C- Query NFS versions[39C [ [1;32mDONE[0m ]
+[2C- Query NFS protocols[38C [ [1;32mDONE[0m ]
+[2C- Check running NFS daemon[33C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mName services[0m
+------------------------------------
+[2C- Checking search domains[34C [ [1;32mFOUND[0m ]
+[2C- Searching DNS domain name[32C [ [1;32mFOUND[0m ]
+[6CDomain name: avt.data-center.id[24C
+[2C- Checking /etc/hosts[38C
+[4C- Duplicate entries in hosts file[24C [ [1;32mNONE[0m ]
+[4C- Presence of configured hostname in /etc/hosts[10C [ [1;32mFOUND[0m ]
+[4C- Hostname mapped to localhost[27C [ [1;32mNOT FOUND[0m ]
+[4C- Localhost mapping to IP address[24C [ [1;32mOK[0m ]
+
+[+] [1;33mPorts and packages[0m
+------------------------------------
+[2C- Searching package managers[31C
+
+  [30;43m[WARNING][0m: Test NAME-4408 had a long execution: 10.121023 seconds[0m
+
+[4C- Searching dpkg package manager[25C [ [1;32mFOUND[0m ]
+[6C- Querying package manager[29C
+[4C- Query unpurged packages[32C [ [1;33mFOUND[0m ]
+[2C- Checking security repository in sources.list.d directory[1C [ [1;32mOK[0m ]
+[2C- Checking APT package database[28C [ [1;32mOK[0m ]
+[2C- Checking vulnerable packages[29C [ [1;31mWARNING[0m ]
+
+  [30;43m[WARNING][0m: Test PKGS-7392 had a long execution: 12.847876 seconds[0m
+
+[2C- Checking upgradeable packages[28C [ [1;37mSKIPPED[0m ]
+[2C- Checking package audit tool[30C [ [1;32mINSTALLED[0m ]
+[4CFound: apt-get[43C
+[2C- Toolkit for automatic upgrades[27C [ [1;33mNOT FOUND[0m ]
+
+[+] [1;33mNetworking[0m
+------------------------------------
+[2C- Checking IPv6 configuration[30C [ [1;37mENABLED[0m ]
+[6CConfiguration method[35C [ [1;37mAUTO[0m ]
+[6CIPv6 only[46C [ [1;37mNO[0m ]
+
+  [30;43m[WARNING][0m: Test NETW-2600 had a long execution: 29.914320 seconds[0m
+
+[2C- Checking configured nameservers[26C
+[4C- Testing nameservers[36C
+[8CNameserver: 10.10.10.11[30C [ [1;31mNO RESPONSE[0m ]
+[8CNameserver: 10.10.10.12[30C [ [1;32mOK[0m ]
+[8CNameserver: 8.8.8.8[34C [ [1;32mOK[0m ]
+[4C- Minimal of 2 responsive nameservers[20C [ [1;32mOK[0m ]
+[2C- Getting listening ports (TCP/UDP)[24C [ [1;32mDONE[0m ]
+[2C- Checking promiscuous interfaces[26C [ [1;31mWARNING[0m ]
+[2C- Checking status DHCP client[30C [ [1;37mNOT ACTIVE[0m ]
+[2C- Checking for ARP monitoring software[21C [ [1;33mNOT FOUND[0m ]
+[2C- Uncommon network protocols[31C [ [1;33m0[0m ]
+
+[+] [1;33mPrinters and Spools[0m
+------------------------------------
+[2C- Checking cups daemon[37C [ [1;37mNOT FOUND[0m ]
+[2C- Checking lp daemon[39C [ [1;37mNOT RUNNING[0m ]
+
+[+] [1;33mSoftware: e-mail and messaging[0m
+------------------------------------
+[2C- Postfix status[43C [ [1;32mRUNNING[0m ]
+[4C- Postfix configuration[34C [ [1;32mFOUND[0m ]
+[6C- Postfix banner[39C [ [1;31mWARNING[0m ]
+
+[+] [1;33mSoftware: firewalls[0m
+------------------------------------
+[2C- Checking iptables kernel module[26C [ [1;32mFOUND[0m ]
+[4C- Checking iptables policies of chains[19C [ [1;32mFOUND[0m ]
+[6C- Chain INPUT (table: filter, target: ACCEPT)[10C [ [1;33mACCEPT[0m ]
+[6C- Chain INPUT (table: security, target: ACCEPT)[8C [ [1;33mACCEPT[0m ]
+[4C- Checking for empty ruleset[29C [ [1;31mWARNING[0m ]
+[4C- Checking for unused rules[30C [ [1;32mOK[0m ]
+[2C- Checking host based firewall[29C [ [1;32mACTIVE[0m ]
+
+[+] [1;33mSoftware: webserver[0m
+------------------------------------
+[2C- Checking Apache[42C [ [1;37mNOT FOUND[0m ]
+[2C- Checking nginx[43C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mSSH Support[0m
+------------------------------------
+[2C- Checking running SSH daemon[30C [ [1;32mFOUND[0m ]
+[4C- Searching SSH configuration[28C [ [1;32mFOUND[0m ]
+[4C- OpenSSH option: AllowTcpForwarding[21C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: ClientAliveCountMax[20C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: ClientAliveInterval[20C [ [1;32mOK[0m ]
+[4C- OpenSSH option: FingerprintHash[24C [ [1;32mOK[0m ]
+[4C- OpenSSH option: GatewayPorts[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: IgnoreRhosts[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: LoginGraceTime[25C [ [1;32mOK[0m ]
+[4C- OpenSSH option: LogLevel[31C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: MaxAuthTries[27C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: MaxSessions[28C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: PermitRootLogin[24C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: PermitUserEnvironment[18C [ [1;32mOK[0m ]
+[4C- OpenSSH option: PermitTunnel[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: Port[35C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: PrintLastLog[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: StrictModes[28C [ [1;32mOK[0m ]
+[4C- OpenSSH option: TCPKeepAlive[27C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: UseDNS[33C [ [1;32mOK[0m ]
+[4C- OpenSSH option: X11Forwarding[26C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: AllowAgentForwarding[19C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: AllowUsers[29C [ [1;37mNOT FOUND[0m ]
+[4C- OpenSSH option: AllowGroups[28C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mSNMP Support[0m
+------------------------------------
+[2C- Checking running SNMP daemon[29C [ [1;32mFOUND[0m ]
+[4C- Checking SNMP configuration[28C [ [1;32mFOUND[0m ]
+[2C- Checking SNMP community strings[26C [ [1;32mOK[0m ]
+
+[+] [1;33mDatabases[0m
+------------------------------------
+[4CNo database engines found[32C
+
+[+] [1;33mLDAP Services[0m
+------------------------------------
+[2C- Checking OpenLDAP instance[31C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mPHP[0m
+------------------------------------
+[2C- Checking PHP[45C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mSquid Support[0m
+------------------------------------
+[2C- Checking running Squid daemon[28C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mLogging and files[0m
+------------------------------------
+[2C- Checking for a running log daemon[24C [ [1;32mOK[0m ]
+[4C- Checking Syslog-NG status[30C [ [1;37mNOT FOUND[0m ]
+[4C- Checking systemd journal status[24C [ [1;32mFOUND[0m ]
+[4C- Checking Metalog status[32C [ [1;37mNOT FOUND[0m ]
+[4C- Checking RSyslog status[32C [ [1;32mFOUND[0m ]
+[4C- Checking RFC 3195 daemon status[24C [ [1;37mNOT FOUND[0m ]
+[4C- Checking minilogd instances[28C [ [1;37mNOT FOUND[0m ]
+[4C- Checking wazuh-agent daemon status[21C [ [1;37mNOT FOUND[0m ]
+[2C- Checking logrotate presence[30C [ [1;32mOK[0m ]
+[2C- Checking remote logging[34C [ [1;32mENABLED[0m ]
+[2C- Checking log directories (static list)[19C [ [1;32mDONE[0m ]
+[2C- Checking open log files[34C [ [1;32mDONE[0m ]
+[2C- Checking deleted files in use[28C [ [1;33mFILES FOUND[0m ]
+
+[+] [1;33mInsecure services[0m
+------------------------------------
+[2C- Installed inetd package[34C [ [1;32mNOT FOUND[0m ]
+[2C- Installed xinetd package[33C [ [1;32mOK[0m ]
+[4C- xinetd status[42C [ [1;32mNOT ACTIVE[0m ]
+[2C- Installed rsh client package[29C [ [1;32mOK[0m ]
+[2C- Installed rsh server package[29C [ [1;32mOK[0m ]
+[2C- Installed telnet client package[26C [ [1;32mOK[0m ]
+[2C- Installed telnet server package[26C [ [1;32mNOT FOUND[0m ]
+[2C- Checking NIS client installation[25C [ [1;32mOK[0m ]
+[2C- Checking NIS server installation[25C [ [1;32mOK[0m ]
+[2C- Checking TFTP client installation[24C [ [1;32mOK[0m ]
+[2C- Checking TFTP server installation[24C [ [1;32mOK[0m ]
+
+[+] [1;33mBanners and identification[0m
+------------------------------------
+[2C- /etc/issue[47C [ [1;32mFOUND[0m ]
+[4C- /etc/issue contents[36C [ [1;33mWEAK[0m ]
+[2C- /etc/issue.net[43C [ [1;32mFOUND[0m ]
+[4C- /etc/issue.net contents[32C [ [1;33mWEAK[0m ]
+
+[+] [1;33mScheduled tasks[0m
+------------------------------------
+[2C- Checking crontab and cronjob files[23C [ [1;32mDONE[0m ]
+
+[+] [1;33mAccounting[0m
+------------------------------------
+[2C- Checking accounting information[26C [ [1;33mNOT FOUND[0m ]
+[2C- Checking sysstat accounting data[25C [ [1;33mNOT FOUND[0m ]
+[2C- Checking auditd[42C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mTime and Synchronization[0m
+------------------------------------
+[2C- NTP daemon found: chronyd[32C [ [1;32mFOUND[0m ]
+[2C- Checking for a running NTP daemon or client[14C [ [1;32mOK[0m ]
+
+[+] [1;33mCryptography[0m
+------------------------------------
+[2C- Checking for expired SSL certificates [0/152][12C [ [1;32mNONE[0m ]
+
+  [30;43m[WARNING][0m: Test CRYP-7902 had a long execution: 16.766634 seconds[0m
+
+[2C- Kernel entropy is sufficient[29C [ [1;32mYES[0m ]
+[2C- HW RNG & rngd[44C [ [1;33mNO[0m ]
+[2C- SW prng[50C [ [1;33mNO[0m ]
+[2C- MOR variable not found[35C [ [1;37mWEAK[0m ]
+
+[+] [1;33mVirtualization[0m
+------------------------------------
+
+[+] [1;33mContainers[0m
+------------------------------------
+
+[+] [1;33mSecurity frameworks[0m
+------------------------------------
+[2C- Checking presence AppArmor[31C [ [1;32mFOUND[0m ]
+[4C- Checking AppArmor status[31C [ [1;32mENABLED[0m ]
+[8CFound 84 unconfined processes[24C
+[2C- Checking presence SELinux[32C [ [1;37mNOT FOUND[0m ]
+[2C- Checking presence TOMOYO Linux[27C [ [1;37mNOT FOUND[0m ]
+[2C- Checking presence grsecurity[29C [ [1;37mNOT FOUND[0m ]
+[2C- Checking for implemented MAC framework[19C [ [1;32mOK[0m ]
+
+[+] [1;33mSoftware: file integrity[0m
+------------------------------------
+[2C- Checking file integrity tools[28C
+[4C- Wazuh (syscheck)[39C [ [1;32mFOUND[0m ]
+[2C- Checking presence integrity tool[25C [ [1;32mFOUND[0m ]
+
+[+] [1;33mSoftware: System tooling[0m
+------------------------------------
+[2C- Checking automation tooling[30C
+[4C- Ansible artifact[39C [ [1;32mFOUND[0m ]
+[2C- Automation tooling[39C [ [1;32mFOUND[0m ]
+[2C- Checking presence of Wazuh (agent)[23C [ [1;32mFOUND[0m ]
+[2C- Checking for IDS/IPS tooling[29C [ [1;32mFOUND[0m ]
+
+[+] [1;33mSoftware: Malware[0m
+------------------------------------
+[2C- Malware software components[30C [ [1;33mNOT FOUND[0m ]
+
+[+] [1;33mFile Permissions[0m
+------------------------------------
+[2C- Starting file permissions check[26C
+[4CFile: /boot/grub/grub.cfg[32C [ [1;32mOK[0m ]
+[4CFile: /etc/crontab[39C [ [1;33mSUGGESTION[0m ]
+[4CFile: /etc/group[41C [ [1;32mOK[0m ]
+[4CFile: /etc/group-[40C [ [1;32mOK[0m ]
+[4CFile: /etc/hosts.allow[35C [ [1;32mOK[0m ]
+[4CFile: /etc/hosts.deny[36C [ [1;32mOK[0m ]
+[4CFile: /etc/issue[41C [ [1;32mOK[0m ]
+[4CFile: /etc/issue.net[37C [ [1;32mOK[0m ]
+[4CFile: /etc/motd[42C [ [1;32mOK[0m ]
+[4CFile: /etc/passwd[40C [ [1;32mOK[0m ]
+[4CFile: /etc/passwd-[39C [ [1;32mOK[0m ]
+[4CFile: /etc/ssh/sshd_config[31C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /root/.ssh[36C [ [1;32mOK[0m ]
+[4CDirectory: /etc/cron.d[35C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.daily[31C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.hourly[30C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.weekly[30C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.monthly[29C [ [1;33mSUGGESTION[0m ]
+
+[+] [1;33mHome directories[0m
+------------------------------------
+[2C- Permissions of home directories[26C [ [1;32mOK[0m ]
+[2C- Ownership of home directories[28C [ [1;32mOK[0m ]
+[2C- Checking shell history files[29C [ [1;32mOK[0m ]
+
+[+] [1;33mKernel Hardening[0m
+------------------------------------
+[2C- Comparing sysctl key pairs with scan profile[13C
+[4C- dev.tty.ldisc_autoload (exp: 0)[24C [ [1;31mDIFFERENT[0m ]
+[4C- fs.protected_fifos (exp: 2)[28C [ [1;31mDIFFERENT[0m ]
+[4C- fs.protected_hardlinks (exp: 1)[24C [ [1;32mOK[0m ]
+[4C- fs.protected_regular (exp: 2)[26C [ [1;32mOK[0m ]
+[4C- fs.protected_symlinks (exp: 1)[25C [ [1;32mOK[0m ]
+[4C- fs.suid_dumpable (exp: 0)[30C [ [1;32mOK[0m ]
+[4C- kernel.core_uses_pid (exp: 1)[26C [ [1;32mOK[0m ]
+[4C- kernel.ctrl-alt-del (exp: 0)[27C [ [1;32mOK[0m ]
+[4C- kernel.dmesg_restrict (exp: 1)[25C [ [1;32mOK[0m ]
+[4C- kernel.kptr_restrict (exp: 2)[26C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.modules_disabled (exp: 1)[23C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.perf_event_paranoid (exp: 2 3 4)[16C [ [1;32mOK[0m ]
+[4C- kernel.randomize_va_space (exp: 2)[21C [ [1;32mOK[0m ]
+[4C- kernel.sysrq (exp: 0)[34C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.unprivileged_bpf_disabled (exp: 1)[14C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.yama.ptrace_scope (exp: 1 2 3)[18C [ [1;32mOK[0m ]
+[4C- net.core.bpf_jit_harden (exp: 2)[23C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.accept_redirects (exp: 0)[12C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.accept_source_route (exp: 0)[9C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.bootp_relay (exp: 0)[17C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.forwarding (exp: 0)[18C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.log_martians (exp: 1)[16C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.mc_forwarding (exp: 0)[15C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.proxy_arp (exp: 0)[19C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.rp_filter (exp: 1)[19C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.send_redirects (exp: 0)[14C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.default.accept_redirects (exp: 0)[8C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.default.accept_source_route (exp: 0)[5C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.default.log_martians (exp: 1)[12C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)[10C [ [1;32mOK[0m ]
+[4C- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)[4C [ [1;32mOK[0m ]
+[4C- net.ipv4.tcp_syncookies (exp: 1)[23C [ [1;32mOK[0m ]
+[4C- net.ipv4.tcp_timestamps (exp: 0 1)[21C [ [1;32mOK[0m ]
+[4C- net.ipv6.conf.all.accept_redirects (exp: 0)[12C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv6.conf.all.accept_source_route (exp: 0)[9C [ [1;32mOK[0m ]
+[4C- net.ipv6.conf.default.accept_redirects (exp: 0)[8C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv6.conf.default.accept_source_route (exp: 0)[5C [ [1;32mOK[0m ]
+
+[+] [1;33mHardening[0m
+------------------------------------
+[4C- Installed compiler(s)[34C [ [1;31mFOUND[0m ]
+[4C- Installed malware scanner[30C [ [1;31mNOT FOUND[0m ]
+[4C- Non-native binary formats[30C [ [1;31mFOUND[0m ]
+
+[+] [1;33mCustom tests[0m
+------------------------------------
+[2C- Running custom tests... [33C [ [1;37mNONE[0m ]
+
+[+] [1;35mPlugins (phase 2)[0m
+------------------------------------
+
+================================================================================
+
+  -[ [1;37mLynis 3.1.4 Results[0m ]-
+
+  [1;31mWarnings[0m (12):
+  [1;37m----------------------------[0m
+  [1;31m![0m Found one or more vulnerable packages. [PKGS-7392] 
+      https://cisofy.com/lynis/controls/PKGS-7392/
+
+  [1;31m![0m Nameserver 10.10.10.11 does not respond [NETW-2704] 
+      https://cisofy.com/lynis/controls/NETW-2704/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mens27f0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mens29f0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mens29f1[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mbond0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap216i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap216i1[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap2003i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap185i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found some information disclosure in SMTP banner (OS or software name) [MAIL-8818] 
+      https://cisofy.com/lynis/controls/MAIL-8818/
+
+  [1;31m![0m iptables module(s) loaded, but no rules active [FIRE-4512] 
+      https://cisofy.com/lynis/controls/FIRE-4512/
+
+  [1;33mSuggestions[0m (51):
+  [1;37m----------------------------[0m
+  [1;33m*[0m This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [LYNIS] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/LYNIS/[0m
+
+  [1;33m*[0m Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [DEB-0280] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0280/[0m
+
+  [1;33m*[0m Install apt-listbugs to display a list of critical bugs prior to each APT installation. [DEB-0810] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0810/[0m
+
+  [1;33m*[0m Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [DEB-0831] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0831/[0m
+
+  [1;33m*[0m Install fail2ban to automatically ban hosts that commit multiple authentication errors. [DEB-0880] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0880/[0m
+
+  [1;33m*[0m Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BOOT-5122/[0m
+
+  [1;33m*[0m Determine runlevel and services at startup [BOOT-5180] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BOOT-5180/[0m
+
+  [1;33m*[0m Consider hardening system services [BOOT-5264] 
+    - Details  : [0;36mRun '/usr/bin/systemd-analyze security SERVICE' for each service[0m
+    - Related resources
+      * Article: [0;36mSystemd features to secure service files[0m: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BOOT-5264/[0m
+
+  [1;33m*[0m Determine why /vmlinuz or /boot/vmlinuz is missing on this Debian/Ubuntu system. [KRNL-5788] 
+    - Details  : [0;36m/vmlinuz or /boot/vmlinuz[0m
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/KRNL-5788/[0m
+
+  [1;33m*[0m Configure password hashing rounds in /etc/login.defs [AUTH-9230] 
+    - Related resources
+      * Article: [0;36mLinux password security: hashing rounds[0m: https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9230/[0m
+
+  [1;33m*[0m Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc [AUTH-9262] 
+    - Related resources
+      * Article: [0;36mConfigure minimum password length for Linux systems[0m: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9262/[0m
+
+  [1;33m*[0m When possible set expire dates for all password protected accounts [AUTH-9282] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9282/[0m
+
+  [1;33m*[0m Look at the locked accounts and consider removing them [AUTH-9284] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9284/[0m
+
+  [1;33m*[0m Configure minimum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: [0;36mConfigure minimum password length for Linux systems[0m: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9286/[0m
+
+  [1;33m*[0m Configure maximum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: [0;36mConfigure minimum password length for Linux systems[0m: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9286/[0m
+
+  [1;33m*[0m Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027 [AUTH-9328] 
+    - Related resources
+      * Article: [0;36mSet default file permissions on Linux with umask[0m: https://linux-audit.com/filesystems/file-permissions/set-default-file-permissions-with-umask/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9328/[0m
+
+  [1;33m*[0m To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/FILE-6310/[0m
+
+  [1;33m*[0m To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/FILE-6310/[0m
+
+  [1;33m*[0m Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/USB-1000/[0m
+
+  [1;33m*[0m Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/STRG-1846/[0m
+
+  [1;33m*[0m Purge old/removed packages (10 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [PKGS-7346] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7346/[0m
+
+  [1;33m*[0m Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7370/[0m
+
+  [1;33m*[0m Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7392/[0m
+
+  [1;33m*[0m Install package apt-show-versions for patch management purposes [PKGS-7394] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7394/[0m
+
+  [1;33m*[0m Consider using a tool to automatically apply upgrades [PKGS-7420] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7420/[0m
+
+  [1;33m*[0m Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP). [NETW-2704] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-2704/[0m
+
+  [1;33m*[0m Determine if protocol 'dccp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m Determine if protocol 'sctp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m Determine if protocol 'rds' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m Determine if protocol 'tipc' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [MAIL-8818] 
+    - Related resources
+      * Article: [0;36mPostfix Hardening Guide for Security and Privacy[0m: https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/MAIL-8818/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mAllowTcpForwarding (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mClientAliveCountMax (set 3 to 2)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mLogLevel (set INFO to VERBOSE)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mMaxAuthTries (set 6 to 3)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mMaxSessions (set 10 to 2)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mPermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mPort (set 22 to )[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mTCPKeepAlive (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mX11Forwarding (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mAllowAgentForwarding (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Check what deleted files are still in use and why. [LOGG-2190] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/LOGG-2190/[0m
+
+  [1;33m*[0m Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
+    - Related resources
+      * Article: [0;36mThe real purpose of login banners[0m: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BANN-7126/[0m
+
+  [1;33m*[0m Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
+    - Related resources
+      * Article: [0;36mThe real purpose of login banners[0m: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BANN-7130/[0m
+
+  [1;33m*[0m Enable process accounting [ACCT-9622] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/ACCT-9622/[0m
+
+  [1;33m*[0m Enable sysstat to collect accounting (no results) [ACCT-9626] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/ACCT-9626/[0m
+
+  [1;33m*[0m Enable auditd to collect audit information [ACCT-9628] 
+    - Related resources
+      * Article: [0;36mLinux audit framework 101: basic rules for configuration[0m: https://linux-audit.com/linux-audit-framework/linux-audit-framework-101-basic-rules-for-configuration/
+      * Article: [0;36mMonitoring Linux file access, changes and data modifications[0m: https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/ACCT-9628/[0m
+
+  [1;33m*[0m Consider restricting file permissions [FILE-7524] 
+    - Details  : [0;36mSee screen output or log file[0m
+    - Solution : Use chmod to change file permissions
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/FILE-7524/[0m
+
+  [1;33m*[0m One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
+    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
+    - Related resources
+      * Article: [0;36mLinux hardening with sysctl settings[0m: https://linux-audit.com/linux-hardening-with-sysctl/
+      * Article: [0;36mOverview of sysctl options and values[0m: https://linux-audit.com/kernel/sysctl/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/KRNL-6000/[0m
+
+  [1;33m*[0m Harden compilers like restricting access to root user only [HRDN-7222] 
+    - Related resources
+      * Article: [0;36mWhy remove compilers from your system?[0m: https://linux-audit.com/software/why-remove-compilers-from-your-system/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/HRDN-7222/[0m
+
+  [1;33m*[0m Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
+    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh
+    - Related resources
+      * Article: [0;36mAntivirus for Linux: is it really needed?[0m: https://linux-audit.com/malware/antivirus-for-linux-really-needed/
+      * Article: [0;36mMonitoring Linux Systems for Rootkits[0m: https://linux-audit.com/monitoring-linux-systems-for-rootkits/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/HRDN-7230/[0m
+
+  [0;36mFollow-up[0m:
+  [1;37m----------------------------[0m
+  [1;37m-[0m Show details of a test (lynis show details TEST-ID)
+  [1;37m-[0m Check the logfile for all details (less /var/log/lynis.log)
+  [1;37m-[0m Read security controls texts (https://cisofy.com)
+  [1;37m-[0m Use --upload to upload data to central system (Lynis Enterprise users)
+
+================================================================================
+
+  [1;37mLynis security scan details[0m:
+
+  [0;36mHardening index[0m : [1;37m65[0m [[1;33m#############[0m       ]
+  [0;36mTests performed[0m : [1;37m264[0m
+  [0;36mPlugins enabled[0m : [1;37m1[0m
+
+  [1;37mComponents[0m:
+  - Firewall               [[1;32mV[0m]
+  - Malware scanner        [[1;31mX[0m]
+
+  [1;33mScan mode[0m:
+  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]
+
+  [1;33mLynis modules[0m:
+  - Compliance status      [[1;33m?[0m]
+  - Security audit         [[1;32mV[0m]
+  - Vulnerability scan     [[1;32mV[0m]
+
+  [1;33mFiles[0m:
+  - Test and debug information      : [1;37m/var/log/lynis.log[0m
+  - Report data                     : [1;37m/var/log/lynis-report.dat[0m
+
+================================================================================
+
+  [1;37mLynis[0m 3.1.4
+
+  Auditing, system hardening, and compliance for UNIX-based systems
+  (Linux, macOS, BSD, and others)
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  [1;37mEnterprise support available (compliance, plugins, interface and tools)[0m
+
+================================================================================
+
+  [0;44m[TIP][0m: [0;94mEnhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)[0m
--- a/ansible/playbooks/logs/10.10.26.13_vms.log
+++ b/ansible/playbooks/logs/10.10.26.13_vms.log
@@ -0,0 +1,35 @@
+      VMID NAME                 STATUS     MEM(MB)    BOOTDISK(GB) PID       
+       115 pgsql-02             stopped    16384            300.00 0         
+       116 pgsql-03             stopped    16384            300.00 0         
+       118 haproxy-02           stopped    4096             100.00 0         
+       122 etcd                 stopped    16384            100.00 0         
+       185 pbs-test             running    8192              80.00 239608    
+       200 percona              stopped    16384            100.00 0         
+       210 nextcloud-new        stopped    32768             80.00 0         
+       216 packetfence          running    16384            200.00 11001     
+       217 greylog              stopped    16384            300.00 0         
+       222 bacula-client        stopped    4096              50.00 0         
+       270 liferay-portal-dxe   stopped    8192             100.00 0         
+       282 n8n                  stopped    16364            100.00 0         
+       306 ceph-02              stopped    16384             80.00 0         
+       351 grafana-tempo        stopped    16384            100.00 0         
+       355 opentelemetry        stopped    8192             100.00 0         
+       399 active-directory-server stopped    8192             100.00 0         
+       402 ns2.data-center.online stopped    4096             100.00 0         
+       453 haproxy-iam-01       stopped    4096             100.00 0         
+       565 haproxy-node-02      stopped    4096              50.00 0         
+       888 paperless-ngx        stopped    16384            300.00 0         
+      1000 kube-admin           stopped    8192             100.00 0         
+      1002 kube-master-02       stopped    16384            300.00 0         
+      1004 kube-worker-node-01  stopped    16384            300.00 0         
+      1006 kube-worker-node-03  stopped    16384            300.00 0         
+      2002 api-gateway          stopped    8192             300.00 0         
+      2003 open-project         running    8192             300.00 11505     
+      2004 gitlab               stopped    32768            300.00 0         
+      2007 minio-prod           stopped    16384            100.00 0         
+      2009 mail.server          stopped    24576            600.00 0         
+      2011 e-faktur.adastra.id  stopped    16000            300.00 0         
+      2016 collabora-office     stopped    8192              50.00 0         
+      2024 hrms                 stopped    8192             100.00 0         
+      2025 gitlab-ce            stopped    32768            300.00 0         
+      9999 vinchin-demo         stopped    16384            100.00 0         
--- a/ansible/playbooks/logs/10.10.26.14_lxcs.log
+++ b/ansible/playbooks/logs/10.10.26.14_lxcs.log
@@ -0,0 +1,8 @@
+VMID       Status     Lock         Name                
+107        stopped                 maria-db            
+127        stopped                 vaultwarden         
+129        stopped                 postgresql          
+130        stopped                 postgres-16         
+142        stopped                 ha-proxy-db         
+153        stopped                 traefik             
+158        stopped                 docker-controller-01
--- a/ansible/playbooks/logs/10.10.26.14_lynis_report.log
+++ b/ansible/playbooks/logs/10.10.26.14_lynis_report.log
@@ -0,0 +1,967 @@
+
+[1;37m[ Lynis 3.1.4 ][0m
+
+################################################################################
+  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+  welcome to redistribute it under the terms of the GNU General Public License.
+  See the LICENSE file for details about using this software.
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  Enterprise support available (compliance, plugins, interface and tools)
+################################################################################
+
+
+[+] [1;33mInitializing program[0m
+------------------------------------
+[2C- Detecting OS... [41C [ [1;32mDONE[0m ]
+[2C- Checking profiles...[37C [ [1;32mDONE[0m ]
+
+  ---------------------------------------------------
+  Program version:           3.1.4
+  Operating system:          Linux
+  Operating system name:     Debian
+  Operating system version:  13
+  Kernel version:            6.17.2
+  Hardware platform:         x86_64
+  Hostname:                  ppve04
+  ---------------------------------------------------
+  Profiles:                  /etc/lynis/default.prf
+  Log file:                  /var/log/lynis.log
+  Report file:               /var/log/lynis-report.dat
+  Report version:            1.0
+  Plugin directory:          /etc/lynis/plugins
+  ---------------------------------------------------
+  Auditor:                   [Not Specified]
+  Language:                  en
+  Test category:             all
+  Test group:                all
+  ---------------------------------------------------
+[2C- Program update status... [32C [ [1;32mNO UPDATE[0m ]
+
+[+] [1;33mSystem tools[0m
+------------------------------------
+[2C- Scanning available tools...[30C
+[2C- Checking system binaries...[30C
+
+[+] [1;35mPlugins (phase 1)[0m
+------------------------------------
+[0CNote: plugins have more extensive tests and may take several minutes to complete[0C
+[0C [0C
+[2C- [0;36mPlugin[0m: [1;37mdebian[0m[21C
+    [
+[+] [1;33mDebian Tests[0m
+------------------------------------
+[2C- Checking for system binaries that are required by Debian Tests...[0C
+[4C- Checking /bin... [38C [ [1;32mFOUND[0m ]
+[4C- Checking /sbin... [37C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/bin... [34C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/sbin... [33C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/local/bin... [28C [ [1;32mFOUND[0m ]
+[4C- Checking /usr/local/sbin... [27C [ [1;32mFOUND[0m ]
+[2C- Authentication:[42C
+[4C- PAM (Pluggable Authentication Modules):[16C
+[6C- libpam-tmpdir[40C [ [1;31mNot Installed[0m ]
+[2C- File System Checks:[38C
+[4C- DM-Crypt, Cryptsetup & Cryptmount:[21C
+[6C- Checking / on /dev/sda3[30C [ [1;37mNOT ENCRYPTED[0m ]
+[6C- Checking /boot/efi on /dev/sda2[22C [ [1;37mNOT ENCRYPTED[0m ]
+[6C- Checking /tmp/.mount_ProxMenvRW4c on ProxMenux-Monitor.AppImage[0C [ [1;37mNOT ENCRYPTED[0m ]
+[6C- Checking /etc/pve on /dev/fuse[23C [ [1;37mNOT ENCRYPTED[0m ]
+[6C- Checking /proxmox-vm:/mnt/pve/dh-proxmox-vm on 10.10.21.11:/proxmox-vm[0C [ [1;37mNOT ENCRYPTED[0m ]
+[6C- Checking /proxmox-iso:/mnt/pve/dh-proxmox-iso on 10.10.21.11:/proxmox-iso[0C [ [1;37mNOT ENCRYPTED[0m ]
+[6C- Checking /promox-tpm:/mnt/pve/dh-proxmox-tpm on 10.10.21.11:/promox-tpm[0C [ [1;37mNOT ENCRYPTED[0m ]
+[6C- Checking /proxmox-backup:/mnt/pve/dh-proxmox-backup on 10.10.21.11:/proxmox-backup[0C [ [1;37mNOT ENCRYPTED[0m ]
+[6C- Checking /proxmox-ct:/mnt/pve/dh-proxmox-ct on 10.10.21.11:/proxmox-ct[0C [ [1;37mNOT ENCRYPTED[0m ]
+[2C- Software:[48C
+[4C- apt-listbugs[43C [ [1;31mNot Installed[0m ]
+[4C- apt-listchanges[40C [ [1;32mInstalled and enabled for apt[0m ]
+[4C- needrestart[44C [ [1;31mNot Installed[0m ]
+[4C- fail2ban[47C [ [1;31mNot Installed[0m ]
+]
+
+[+] [1;33mBoot and services[0m
+------------------------------------
+[2C- Service Manager[42C [ [1;32msystemd[0m ]
+[2C- Checking UEFI boot[39C [ [1;32mENABLED[0m ]
+[2C- Checking Secure Boot[37C [ [1;33mDISABLED[0m ]
+[2C- Checking presence GRUB2[34C [ [1;32mFOUND[0m ]
+[4C- Checking for password protection[23C [ [1;31mNONE[0m ]
+[2C- Check running services (systemctl)[23C [ [1;32mDONE[0m ]
+[8CResult: found 44 running services[20C
+[2C- Check enabled services at boot (systemctl)[15C [ [1;32mDONE[0m ]
+[8CResult: found 66 enabled services[20C
+[2C- Check startup files (permissions)[24C [ [1;32mOK[0m ]
+[2C- Running 'systemd-analyze security'[23C
+[6CUnit name (exposure value) and predicate[15C
+[6C--------------------------------[23C
+[4C- check-mk-agent-async.service (value=9.6)[15C [ [1;33mUNSAFE[0m ]
+[4C- chrony.service (value=3.5)[29C [ [1;32mPROTECTED[0m ]
+[4C- cmk-agent-ctl-daemon.service (value=4.4)[15C [ [1;32mPROTECTED[0m ]
+[4C- console-getty.service (value=9.6)[22C [ [1;33mUNSAFE[0m ]
+[4C- corosync.service (value=9.2)[27C [ [1;33mUNSAFE[0m ]
+[4C- cron.service (value=9.6)[31C [ [1;33mUNSAFE[0m ]
+[4C- dbus.service (value=9.3)[31C [ [1;33mUNSAFE[0m ]
+[4C- dm-event.service (value=9.5)[27C [ [1;33mUNSAFE[0m ]
+[4C- dnsmasq@jualan.service (value=9.6)[21C [ [1;33mUNSAFE[0m ]
+[4C- dnsmasq@terakhir.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- emergency.service (value=9.5)[26C [ [1;33mUNSAFE[0m ]
+[4C- frr.service (value=9.8)[32C [ [1;33mUNSAFE[0m ]
+[4C- getty@tty1.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- iscsid.service (value=9.5)[29C [ [1;33mUNSAFE[0m ]
+[4C- keepalived.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- ksmtuned.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- kvm_backup_service.service (value=9.6)[17C [ [1;33mUNSAFE[0m ]
+[4C- kvm_virt_server.service (value=9.6)[20C [ [1;33mUNSAFE[0m ]
+[4C- lldpd.service (value=8.5)[30C [ [1;33mEXPOSED[0m ]
+[4C- lvm2-lvmpolld.service (value=9.5)[22C [ [1;33mUNSAFE[0m ]
+[4C- lxc-monitord.service (value=9.6)[23C [ [1;33mUNSAFE[0m ]
+[4C- lxcfs.service (value=9.6)[30C [ [1;33mUNSAFE[0m ]
+[4C- lynis.service (value=9.6)[30C [ [1;33mUNSAFE[0m ]
+[4C- netavark-dhcp-proxy.service (value=9.6)[16C [ [1;33mUNSAFE[0m ]
+[4C- nfs-blkmap.service (value=9.5)[25C [ [1;33mUNSAFE[0m ]
+[4C- postfix.service (value=3.9)[28C [ [1;32mPROTECTED[0m ]
+[4C- postfix@-.service (value=3.9)[26C [ [1;32mPROTECTED[0m ]
+[4C- proxmenux-monitor.service (value=9.6)[18C [ [1;33mUNSAFE[0m ]
+[4C- proxmox-firewall.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- pve-cluster.service (value=9.5)[24C [ [1;33mUNSAFE[0m ]
+[4C- pve-firewall.service (value=9.5)[23C [ [1;33mUNSAFE[0m ]
+[4C- pve-ha-crm.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- pve-ha-lrm.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- pve-lxc-syscalld.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- pvedaemon.service (value=9.6)[26C [ [1;33mUNSAFE[0m ]
+[4C- pvefw-logger.service (value=9.5)[23C [ [1;33mUNSAFE[0m ]
+[4C- pveproxy.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- pvescheduler.service (value=9.6)[23C [ [1;33mUNSAFE[0m ]
+[4C- pvestatd.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- qmeventd.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- rc-local.service (value=9.6)[27C [ [1;33mUNSAFE[0m ]
+[4C- rescue.service (value=9.5)[29C [ [1;33mUNSAFE[0m ]
+[4C- rpc-gssd.service (value=9.5)[27C [ [1;33mUNSAFE[0m ]
+[4C- rpc-statd-notify.service (value=9.5)[19C [ [1;33mUNSAFE[0m ]
+[4C- rpc-statd.service (value=9.5)[26C [ [1;33mUNSAFE[0m ]
+[4C- rpc-svcgssd.service (value=9.5)[24C [ [1;33mUNSAFE[0m ]
+[4C- rpcbind.service (value=9.5)[28C [ [1;33mUNSAFE[0m ]
+[4C- rrdcached.service (value=9.6)[26C [ [1;33mUNSAFE[0m ]
+[4C- smartmontools.service (value=9.6)[22C [ [1;33mUNSAFE[0m ]
+[4C- snmpd.service (value=9.6)[30C [ [1;33mUNSAFE[0m ]
+[4C- spiceproxy.service (value=9.6)[25C [ [1;33mUNSAFE[0m ]
+[4C- ssh.service (value=9.6)[32C [ [1;33mUNSAFE[0m ]
+[4C- sshd@sshd-keygen.service (value=9.6)[19C [ [1;33mUNSAFE[0m ]
+[4C- systemd-ask-password-console.service (value=9.4)[7C [ [1;33mUNSAFE[0m ]
+[4C- systemd-ask-password-wall.service (value=9.4)[10C [ [1;33mUNSAFE[0m ]
+[4C- systemd-bsod.service (value=9.5)[23C [ [1;33mUNSAFE[0m ]
+[4C- systemd-hostnamed.service (value=1.7)[18C [ [1;32mPROTECTED[0m ]
+[4C- systemd-initctl.service (value=9.4)[20C [ [1;33mUNSAFE[0m ]
+[4C- systemd-journald.service (value=4.9)[19C [ [1;32mPROTECTED[0m ]
+[4C- systemd-logind.service (value=2.8)[21C [ [1;32mPROTECTED[0m ]
+[4C- systemd-networkd.service (value=2.9)[19C [ [1;32mPROTECTED[0m ]
+[4C- systemd-rfkill.service (value=9.4)[21C [ [1;33mUNSAFE[0m ]
+[4C- systemd-udevd.service (value=7.1)[22C [ [1;37mMEDIUM[0m ]
+[4C- user@0.service (value=9.8)[29C [ [1;33mUNSAFE[0m ]
+[4C- uuidd.service (value=5.8)[30C [ [1;37mMEDIUM[0m ]
+[4C- watchdog-mux.service (value=9.6)[23C [ [1;33mUNSAFE[0m ]
+[4C- wazuh-agent.service (value=9.6)[24C [ [1;33mUNSAFE[0m ]
+[4C- zfs-zed.service (value=9.6)[28C [ [1;33mUNSAFE[0m ]
+
+[+] [1;33mKernel[0m
+------------------------------------
+[2C- Checking default runlevel[32C [ [1;32mrunlevel 5[0m ]
+[2C- Checking CPU support (NX/PAE)[28C
+[4CCPU support: PAE and/or NoeXecute supported[14C [ [1;32mFOUND[0m ]
+[2C- Checking kernel version and release[22C [ [1;32mDONE[0m ]
+[2C- Checking kernel type[37C [ [1;32mDONE[0m ]
+[2C- Checking loaded kernel modules[27C [ [1;32mDONE[0m ]
+[6CFound 134 active modules[31C
+[2C- Checking Linux kernel configuration file[17C [ [1;32mFOUND[0m ]
+[2C- Checking default I/O kernel scheduler[20C [ [1;37mNOT FOUND[0m ]
+[2C- Checking core dumps configuration[24C
+[4C- configuration in systemd conf files[20C [ [1;37mDEFAULT[0m ]
+[4C- configuration in /etc/profile[26C [ [1;37mDEFAULT[0m ]
+[4C- 'hard' configuration in /etc/security/limits.conf[6C [ [1;31mENABLED[0m ]
+[4C- 'soft' configuration in /etc/security/limits.conf[6C [ [1;32mDISABLED[0m ]
+[4C- Checking setuid core dumps configuration[15C [ [1;32mDISABLED[0m ]
+[2C- Check if reboot is needed[32C [ [1;32mNO[0m ]
+
+[+] [1;33mMemory and Processes[0m
+------------------------------------
+[2C- Checking /proc/meminfo[35C [ [1;32mFOUND[0m ]
+[2C- Searching for dead/zombie processes[22C [ [1;32mNOT FOUND[0m ]
+[2C- Searching for IO waiting processes[23C [ [1;32mNOT FOUND[0m ]
+[2C- Search prelink tooling[35C [ [1;32mNOT FOUND[0m ]
+
+[+] [1;33mUsers, Groups and Authentication[0m
+------------------------------------
+[2C- Administrator accounts[35C [ [1;32mOK[0m ]
+[2C- Unique UIDs[46C [ [1;32mOK[0m ]
+[2C- Consistency of group files (grpck)[23C [ [1;32mOK[0m ]
+[2C- Unique group IDs[41C [ [1;32mOK[0m ]
+[2C- Unique group names[39C [ [1;32mOK[0m ]
+[2C- Password file consistency[32C [ [1;32mOK[0m ]
+[2C- Password hashing methods[33C [ [1;32mOK[0m ]
+[2C- Checking password hashing rounds[25C [ [1;33mDISABLED[0m ]
+[2C- Query system users (non daemons)[25C [ [1;32mDONE[0m ]
+[2C- NIS+ authentication support[30C [ [1;37mNOT ENABLED[0m ]
+[2C- NIS authentication support[31C [ [1;37mNOT ENABLED[0m ]
+[2C- Sudoers file(s)[42C [ [1;32mFOUND[0m ]
+[4C- Permissions for directory: /etc/sudoers.d[14C [ [1;31mWARNING[0m ]
+[4C- Permissions for: /etc/sudoers[26C [ [1;32mOK[0m ]
+[4C- Permissions for: /etc/sudoers.d/README[17C [ [1;32mOK[0m ]
+[4C- Permissions for: /etc/sudoers.d/zfs[20C [ [1;32mOK[0m ]
+[2C- PAM password strength tools[30C [ [1;33mSUGGESTION[0m ]
+[2C- PAM configuration files (pam.conf)[23C [ [1;32mFOUND[0m ]
+[2C- PAM configuration files (pam.d)[26C [ [1;32mFOUND[0m ]
+[2C- PAM modules[46C [ [1;32mFOUND[0m ]
+[2C- LDAP module in PAM[39C [ [1;37mNOT FOUND[0m ]
+[2C- Accounts without expire date[29C [ [1;33mSUGGESTION[0m ]
+[2C- Accounts without password[32C [ [1;32mOK[0m ]
+[2C- Locked accounts[42C [ [1;31mFOUND[0m ]
+[2C- Checking user password aging (minimum)[19C [ [1;33mDISABLED[0m ]
+[2C- User password aging (maximum)[28C [ [1;33mDISABLED[0m ]
+[2C- Checking expired passwords[31C [ [1;32mOK[0m ]
+[2C- Checking Linux single user mode authentication[11C [ [1;32mOK[0m ]
+[2C- Determining default umask[32C
+[4C- umask (/etc/profile)[35C [ [1;33mNOT FOUND[0m ]
+[4C- umask (/etc/login.defs)[32C [ [1;33mSUGGESTION[0m ]
+[2C- LDAP authentication support[30C [ [1;37mNOT ENABLED[0m ]
+[2C- Logging failed login attempts[28C [ [1;33mDISABLED[0m ]
+
+[+] [1;33mKerberos[0m
+------------------------------------
+[2C- Check for Kerberos KDC and principals[20C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mShells[0m
+------------------------------------
+[2C- Checking shells from /etc/shells[25C
+[4CResult: found 7 shells (valid shells: 7).[16C
+[4C- Session timeout settings/tools[25C [ [1;33mNONE[0m ]
+[2C- Checking default umask values[28C
+[4C- Checking default umask in /etc/bash.bashrc[13C [ [1;33mNONE[0m ]
+[4C- Checking default umask in /etc/profile[17C [ [1;33mNONE[0m ]
+
+[+] [1;33mFile systems[0m
+------------------------------------
+[2C- Checking mount points[36C
+[4C- Checking /home mount point[29C [ [1;33mSUGGESTION[0m ]
+[4C- Checking /tmp mount point[30C [ [1;32mOK[0m ]
+[4C- Checking /var mount point[30C [ [1;33mSUGGESTION[0m ]
+[2C- Checking LVM volume groups[31C [ [1;32mFOUND[0m ]
+[4C- Checking LVM volumes[35C [ [1;32mFOUND[0m ]
+[2C- Query swap partitions (fstab)[28C [ [1;32mOK[0m ]
+[2C- Testing swap partitions[34C [ [1;32mOK[0m ]
+[2C- Testing /proc mount (hidepid)[28C [ [1;33mSUGGESTION[0m ]
+[2C- Checking for old files in /tmp[27C [ [1;32mOK[0m ]
+[2C- Checking /tmp sticky bit[33C [ [1;32mOK[0m ]
+[2C- Checking /var/tmp sticky bit[29C [ [1;32mOK[0m ]
+[2C- ACL support root file system[29C [ [1;32mENABLED[0m ]
+[2C- Mount options of /[39C [ [1;33mNON DEFAULT[0m ]
+[2C- Mount options of /dev[36C [ [1;33mPARTIALLY HARDENED[0m ]
+[2C- Mount options of /dev/shm[32C [ [1;33mPARTIALLY HARDENED[0m ]
+[2C- Mount options of /run[36C [ [1;32mHARDENED[0m ]
+[2C- Mount options of /tmp[36C [ [1;33mPARTIALLY HARDENED[0m ]
+[2C- Total without nodev:12 noexec:18 nosuid:10 ro or noexec (W^X): 17 of total 35[0C
+[2C- Disable kernel support of some filesystems[15C
+
+[+] [1;33mUSB Devices[0m
+------------------------------------
+[2C- Checking usb-storage driver (modprobe config)[12C [ [1;37mNOT DISABLED[0m ]
+[2C- Checking USB devices authorization[23C [ [1;33mENABLED[0m ]
+[2C- Checking USBGuard[40C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mStorage[0m
+------------------------------------
+[2C- Checking firewire ohci driver (modprobe config)[10C [ [1;37mNOT DISABLED[0m ]
+
+[+] [1;33mNFS[0m
+------------------------------------
+[2C- Query rpc registered programs[28C [ [1;32mDONE[0m ]
+[2C- Query NFS versions[39C [ [1;32mDONE[0m ]
+[2C- Query NFS protocols[38C [ [1;32mDONE[0m ]
+[2C- Check running NFS daemon[33C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mName services[0m
+------------------------------------
+[2C- Checking search domains[34C [ [1;32mFOUND[0m ]
+[2C- Searching DNS domain name[32C [ [1;32mFOUND[0m ]
+[6CDomain name: avt.data-center.id[24C
+[2C- Checking /etc/hosts[38C
+[4C- Duplicate entries in hosts file[24C [ [1;32mNONE[0m ]
+[4C- Presence of configured hostname in /etc/hosts[10C [ [1;32mFOUND[0m ]
+[4C- Hostname mapped to localhost[27C [ [1;32mNOT FOUND[0m ]
+[4C- Localhost mapping to IP address[24C [ [1;32mOK[0m ]
+
+[+] [1;33mPorts and packages[0m
+------------------------------------
+[2C- Searching package managers[31C
+
+  [30;43m[WARNING][0m: Test NAME-4408 had a long execution: 10.083140 seconds[0m
+
+[4C- Searching dpkg package manager[25C [ [1;32mFOUND[0m ]
+[6C- Querying package manager[29C
+[4C- Query unpurged packages[32C [ [1;33mFOUND[0m ]
+[2C- Checking security repository in sources.list.d directory[1C [ [1;32mOK[0m ]
+[2C- Checking APT package database[28C [ [1;32mOK[0m ]
+[2C- Checking vulnerable packages[29C [ [1;31mWARNING[0m ]
+
+  [30;43m[WARNING][0m: Test PKGS-7392 had a long execution: 12.526484 seconds[0m
+
+[2C- Checking upgradeable packages[28C [ [1;37mSKIPPED[0m ]
+[2C- Checking package audit tool[30C [ [1;32mINSTALLED[0m ]
+[4CFound: apt-get[43C
+[2C- Toolkit for automatic upgrades[27C [ [1;33mNOT FOUND[0m ]
+
+[+] [1;33mNetworking[0m
+------------------------------------
+[2C- Checking IPv6 configuration[30C [ [1;37mENABLED[0m ]
+[6CConfiguration method[35C [ [1;37mAUTO[0m ]
+[6CIPv6 only[46C [ [1;37mNO[0m ]
+
+  [30;43m[WARNING][0m: Test NETW-2600 had a long execution: 28.033248 seconds[0m
+
+[2C- Checking configured nameservers[26C
+[4C- Testing nameservers[36C
+[8CNameserver: 10.10.10.11[30C [ [1;31mNO RESPONSE[0m ]
+[8CNameserver: 10.10.10.12[30C [ [1;32mOK[0m ]
+[8CNameserver: 8.8.8.8[34C [ [1;32mOK[0m ]
+[4C- Minimal of 2 responsive nameservers[20C [ [1;32mOK[0m ]
+[2C- Getting listening ports (TCP/UDP)[24C [ [1;32mDONE[0m ]
+[2C- Checking promiscuous interfaces[26C [ [1;31mWARNING[0m ]
+[2C- Checking status DHCP client[30C [ [1;37mNOT ACTIVE[0m ]
+[2C- Checking for ARP monitoring software[21C [ [1;33mNOT FOUND[0m ]
+[2C- Uncommon network protocols[31C [ [1;33m0[0m ]
+
+[+] [1;33mPrinters and Spools[0m
+------------------------------------
+[2C- Checking cups daemon[37C [ [1;37mNOT FOUND[0m ]
+[2C- Checking lp daemon[39C [ [1;37mNOT RUNNING[0m ]
+
+[+] [1;33mSoftware: e-mail and messaging[0m
+------------------------------------
+[2C- Postfix status[43C [ [1;32mRUNNING[0m ]
+[4C- Postfix configuration[34C [ [1;32mFOUND[0m ]
+[6C- Postfix banner[39C [ [1;31mWARNING[0m ]
+
+[+] [1;33mSoftware: firewalls[0m
+------------------------------------
+[2C- Checking iptables kernel module[26C [ [1;32mFOUND[0m ]
+[4C- Checking iptables policies of chains[19C [ [1;32mFOUND[0m ]
+[6C- Chain INPUT (table: filter, target: ACCEPT)[10C [ [1;33mACCEPT[0m ]
+[6C- Chain INPUT (table: security, target: ACCEPT)[8C [ [1;33mACCEPT[0m ]
+[4C- Checking for empty ruleset[29C [ [1;31mWARNING[0m ]
+[4C- Checking for unused rules[30C [ [1;32mOK[0m ]
+[2C- Checking host based firewall[29C [ [1;32mACTIVE[0m ]
+
+[+] [1;33mSoftware: webserver[0m
+------------------------------------
+[2C- Checking Apache[42C [ [1;37mNOT FOUND[0m ]
+[2C- Checking nginx[43C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mSSH Support[0m
+------------------------------------
+[2C- Checking running SSH daemon[30C [ [1;32mFOUND[0m ]
+[4C- Searching SSH configuration[28C [ [1;32mFOUND[0m ]
+[4C- OpenSSH option: AllowTcpForwarding[21C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: ClientAliveCountMax[20C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: ClientAliveInterval[20C [ [1;32mOK[0m ]
+[4C- OpenSSH option: FingerprintHash[24C [ [1;32mOK[0m ]
+[4C- OpenSSH option: GatewayPorts[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: IgnoreRhosts[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: LoginGraceTime[25C [ [1;32mOK[0m ]
+[4C- OpenSSH option: LogLevel[31C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: MaxAuthTries[27C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: MaxSessions[28C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: PermitRootLogin[24C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: PermitUserEnvironment[18C [ [1;32mOK[0m ]
+[4C- OpenSSH option: PermitTunnel[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: Port[35C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: PrintLastLog[27C [ [1;32mOK[0m ]
+[4C- OpenSSH option: StrictModes[28C [ [1;32mOK[0m ]
+[4C- OpenSSH option: TCPKeepAlive[27C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: UseDNS[33C [ [1;32mOK[0m ]
+[4C- OpenSSH option: X11Forwarding[26C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: AllowAgentForwarding[19C [ [1;33mSUGGESTION[0m ]
+[4C- OpenSSH option: AllowUsers[29C [ [1;37mNOT FOUND[0m ]
+[4C- OpenSSH option: AllowGroups[28C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mSNMP Support[0m
+------------------------------------
+[2C- Checking running SNMP daemon[29C [ [1;32mFOUND[0m ]
+[4C- Checking SNMP configuration[28C [ [1;32mFOUND[0m ]
+[2C- Checking SNMP community strings[26C [ [1;32mOK[0m ]
+
+[+] [1;33mDatabases[0m
+------------------------------------
+[4CNo database engines found[32C
+
+[+] [1;33mLDAP Services[0m
+------------------------------------
+[2C- Checking OpenLDAP instance[31C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mPHP[0m
+------------------------------------
+[2C- Checking PHP[45C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mSquid Support[0m
+------------------------------------
+[2C- Checking running Squid daemon[28C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mLogging and files[0m
+------------------------------------
+[2C- Checking for a running log daemon[24C [ [1;32mOK[0m ]
+[4C- Checking Syslog-NG status[30C [ [1;37mNOT FOUND[0m ]
+[4C- Checking systemd journal status[24C [ [1;32mFOUND[0m ]
+[4C- Checking Metalog status[32C [ [1;37mNOT FOUND[0m ]
+[4C- Checking RSyslog status[32C [ [1;37mNOT FOUND[0m ]
+[4C- Checking RFC 3195 daemon status[24C [ [1;37mNOT FOUND[0m ]
+[4C- Checking minilogd instances[28C [ [1;37mNOT FOUND[0m ]
+[4C- Checking wazuh-agent daemon status[21C [ [1;37mNOT FOUND[0m ]
+[2C- Checking logrotate presence[30C [ [1;32mOK[0m ]
+[2C- Checking remote logging[34C [ [1;33mNOT ENABLED[0m ]
+[2C- Checking log directories (static list)[19C [ [1;32mDONE[0m ]
+[2C- Checking open log files[34C [ [1;32mDONE[0m ]
+[2C- Checking deleted files in use[28C [ [1;33mFILES FOUND[0m ]
+
+[+] [1;33mInsecure services[0m
+------------------------------------
+[2C- Installed inetd package[34C [ [1;32mNOT FOUND[0m ]
+[2C- Installed xinetd package[33C [ [1;32mOK[0m ]
+[4C- xinetd status[42C [ [1;32mNOT ACTIVE[0m ]
+[2C- Installed rsh client package[29C [ [1;32mOK[0m ]
+[2C- Installed rsh server package[29C [ [1;32mOK[0m ]
+[2C- Installed telnet client package[26C [ [1;32mOK[0m ]
+[2C- Installed telnet server package[26C [ [1;32mNOT FOUND[0m ]
+[2C- Checking NIS client installation[25C [ [1;32mOK[0m ]
+[2C- Checking NIS server installation[25C [ [1;32mOK[0m ]
+[2C- Checking TFTP client installation[24C [ [1;32mOK[0m ]
+[2C- Checking TFTP server installation[24C [ [1;32mOK[0m ]
+
+[+] [1;33mBanners and identification[0m
+------------------------------------
+[2C- /etc/issue[47C [ [1;32mFOUND[0m ]
+[4C- /etc/issue contents[36C [ [1;33mWEAK[0m ]
+[2C- /etc/issue.net[43C [ [1;32mFOUND[0m ]
+[4C- /etc/issue.net contents[32C [ [1;33mWEAK[0m ]
+
+[+] [1;33mScheduled tasks[0m
+------------------------------------
+[2C- Checking crontab and cronjob files[23C [ [1;32mDONE[0m ]
+
+[+] [1;33mAccounting[0m
+------------------------------------
+[2C- Checking accounting information[26C [ [1;33mNOT FOUND[0m ]
+[2C- Checking sysstat accounting data[25C [ [1;33mNOT FOUND[0m ]
+[2C- Checking auditd[42C [ [1;37mNOT FOUND[0m ]
+
+[+] [1;33mTime and Synchronization[0m
+------------------------------------
+[2C- NTP daemon found: chronyd[32C [ [1;32mFOUND[0m ]
+[2C- Checking for a running NTP daemon or client[14C [ [1;32mOK[0m ]
+
+[+] [1;33mCryptography[0m
+------------------------------------
+[2C- Checking for expired SSL certificates [0/152][12C [ [1;32mNONE[0m ]
+
+  [30;43m[WARNING][0m: Test CRYP-7902 had a long execution: 12.849078 seconds[0m
+
+[2C- Found 0 encrypted and 1 unencrypted swap devices in use.[1C [ [1;37mOK[0m ]
+[2C- Kernel entropy is sufficient[29C [ [1;32mYES[0m ]
+[2C- HW RNG & rngd[44C [ [1;33mNO[0m ]
+[2C- SW prng[50C [ [1;33mNO[0m ]
+[2C- MOR variable not found[35C [ [1;37mWEAK[0m ]
+
+[+] [1;33mVirtualization[0m
+------------------------------------
+
+[+] [1;33mContainers[0m
+------------------------------------
+
+[+] [1;33mSecurity frameworks[0m
+------------------------------------
+[2C- Checking presence AppArmor[31C [ [1;32mFOUND[0m ]
+[4C- Checking AppArmor status[31C [ [1;32mENABLED[0m ]
+[8CFound 91 unconfined processes[24C
+[2C- Checking presence SELinux[32C [ [1;37mNOT FOUND[0m ]
+[2C- Checking presence TOMOYO Linux[27C [ [1;37mNOT FOUND[0m ]
+[2C- Checking presence grsecurity[29C [ [1;37mNOT FOUND[0m ]
+[2C- Checking for implemented MAC framework[19C [ [1;32mOK[0m ]
+
+[+] [1;33mSoftware: file integrity[0m
+------------------------------------
+[2C- Checking file integrity tools[28C
+[2C- dm-integrity (status)[36C [ [1;37mDISABLED[0m ]
+[2C- dm-verity (status)[39C [ [1;37mDISABLED[0m ]
+[4C- Wazuh (syscheck)[39C [ [1;32mFOUND[0m ]
+[2C- Checking presence integrity tool[25C [ [1;32mFOUND[0m ]
+
+[+] [1;33mSoftware: System tooling[0m
+------------------------------------
+[2C- Checking automation tooling[30C
+[4C- Ansible artifact[39C [ [1;32mFOUND[0m ]
+[2C- Automation tooling[39C [ [1;32mFOUND[0m ]
+[2C- Checking presence of Wazuh (agent)[23C [ [1;32mFOUND[0m ]
+[2C- Checking for IDS/IPS tooling[29C [ [1;32mFOUND[0m ]
+
+[+] [1;33mSoftware: Malware[0m
+------------------------------------
+[2C- Malware software components[30C [ [1;33mNOT FOUND[0m ]
+
+[+] [1;33mFile Permissions[0m
+------------------------------------
+[2C- Starting file permissions check[26C
+[4CFile: /boot/grub/grub.cfg[32C [ [1;32mOK[0m ]
+[4CFile: /etc/crontab[39C [ [1;33mSUGGESTION[0m ]
+[4CFile: /etc/group[41C [ [1;32mOK[0m ]
+[4CFile: /etc/group-[40C [ [1;32mOK[0m ]
+[4CFile: /etc/hosts.allow[35C [ [1;32mOK[0m ]
+[4CFile: /etc/hosts.deny[36C [ [1;32mOK[0m ]
+[4CFile: /etc/issue[41C [ [1;32mOK[0m ]
+[4CFile: /etc/issue.net[37C [ [1;32mOK[0m ]
+[4CFile: /etc/motd[42C [ [1;32mOK[0m ]
+[4CFile: /etc/passwd[40C [ [1;32mOK[0m ]
+[4CFile: /etc/passwd-[39C [ [1;32mOK[0m ]
+[4CFile: /etc/ssh/sshd_config[31C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /root/.ssh[36C [ [1;32mOK[0m ]
+[4CDirectory: /etc/cron.d[35C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.daily[31C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.hourly[30C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.weekly[30C [ [1;33mSUGGESTION[0m ]
+[4CDirectory: /etc/cron.monthly[29C [ [1;33mSUGGESTION[0m ]
+
+[+] [1;33mHome directories[0m
+------------------------------------
+[2C- Permissions of home directories[26C [ [1;32mOK[0m ]
+[2C- Ownership of home directories[28C [ [1;32mOK[0m ]
+[2C- Checking shell history files[29C [ [1;32mOK[0m ]
+
+[+] [1;33mKernel Hardening[0m
+------------------------------------
+[2C- Comparing sysctl key pairs with scan profile[13C
+[4C- dev.tty.ldisc_autoload (exp: 0)[24C [ [1;31mDIFFERENT[0m ]
+[4C- fs.protected_fifos (exp: 2)[28C [ [1;31mDIFFERENT[0m ]
+[4C- fs.protected_hardlinks (exp: 1)[24C [ [1;32mOK[0m ]
+[4C- fs.protected_regular (exp: 2)[26C [ [1;32mOK[0m ]
+[4C- fs.protected_symlinks (exp: 1)[25C [ [1;32mOK[0m ]
+[4C- fs.suid_dumpable (exp: 0)[30C [ [1;32mOK[0m ]
+[4C- kernel.core_uses_pid (exp: 1)[26C [ [1;32mOK[0m ]
+[4C- kernel.ctrl-alt-del (exp: 0)[27C [ [1;32mOK[0m ]
+[4C- kernel.dmesg_restrict (exp: 1)[25C [ [1;32mOK[0m ]
+[4C- kernel.kptr_restrict (exp: 2)[26C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.modules_disabled (exp: 1)[23C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.perf_event_paranoid (exp: 2 3 4)[16C [ [1;32mOK[0m ]
+[4C- kernel.randomize_va_space (exp: 2)[21C [ [1;32mOK[0m ]
+[4C- kernel.sysrq (exp: 0)[34C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.unprivileged_bpf_disabled (exp: 1)[14C [ [1;31mDIFFERENT[0m ]
+[4C- kernel.yama.ptrace_scope (exp: 1 2 3)[18C [ [1;32mOK[0m ]
+[4C- net.core.bpf_jit_harden (exp: 2)[23C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.accept_redirects (exp: 0)[12C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.accept_source_route (exp: 0)[9C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.bootp_relay (exp: 0)[17C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.forwarding (exp: 0)[18C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.log_martians (exp: 1)[16C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.mc_forwarding (exp: 0)[15C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.proxy_arp (exp: 0)[19C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.all.rp_filter (exp: 1)[19C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.all.send_redirects (exp: 0)[14C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.default.accept_redirects (exp: 0)[8C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.conf.default.accept_source_route (exp: 0)[5C [ [1;32mOK[0m ]
+[4C- net.ipv4.conf.default.log_martians (exp: 1)[12C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1)[10C [ [1;32mOK[0m ]
+[4C- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1)[4C [ [1;32mOK[0m ]
+[4C- net.ipv4.tcp_syncookies (exp: 1)[23C [ [1;32mOK[0m ]
+[4C- net.ipv4.tcp_timestamps (exp: 0 1)[21C [ [1;32mOK[0m ]
+[4C- net.ipv6.conf.all.accept_redirects (exp: 0)[12C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv6.conf.all.accept_source_route (exp: 0)[9C [ [1;32mOK[0m ]
+[4C- net.ipv6.conf.default.accept_redirects (exp: 0)[8C [ [1;31mDIFFERENT[0m ]
+[4C- net.ipv6.conf.default.accept_source_route (exp: 0)[5C [ [1;32mOK[0m ]
+
+[+] [1;33mHardening[0m
+------------------------------------
+[4C- Installed compiler(s)[34C [ [1;31mFOUND[0m ]
+[4C- Installed malware scanner[30C [ [1;31mNOT FOUND[0m ]
+[4C- Non-native binary formats[30C [ [1;31mFOUND[0m ]
+
+[+] [1;33mCustom tests[0m
+------------------------------------
+[2C- Running custom tests... [33C [ [1;37mNONE[0m ]
+
+[+] [1;35mPlugins (phase 2)[0m
+------------------------------------
+
+================================================================================
+
+  -[ [1;37mLynis 3.1.4 Results[0m ]-
+
+  [1;31mWarnings[0m (17):
+  [1;37m----------------------------[0m
+  [1;31m![0m Found one or more vulnerable packages. [PKGS-7392] 
+      https://cisofy.com/lynis/controls/PKGS-7392/
+
+  [1;31m![0m Nameserver 10.10.10.11 does not respond [NETW-2704] 
+      https://cisofy.com/lynis/controls/NETW-2704/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mens27f0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mens29f0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mens29f1[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mbond0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap170i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap215i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap900i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap2010i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap2014i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap121i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap121i1[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap108i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found promiscuous interface [NETW-3015] 
+    - Details  : [0;36mtap184i0[0m
+    - Solution : Determine if this mode is required or whitelist interface in profile
+      https://cisofy.com/lynis/controls/NETW-3015/
+
+  [1;31m![0m Found some information disclosure in SMTP banner (OS or software name) [MAIL-8818] 
+      https://cisofy.com/lynis/controls/MAIL-8818/
+
+  [1;31m![0m iptables module(s) loaded, but no rules active [FIRE-4512] 
+      https://cisofy.com/lynis/controls/FIRE-4512/
+
+  [1;33mSuggestions[0m (52):
+  [1;37m----------------------------[0m
+  [1;33m*[0m This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [LYNIS] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/LYNIS/[0m
+
+  [1;33m*[0m Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [DEB-0280] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0280/[0m
+
+  [1;33m*[0m Install apt-listbugs to display a list of critical bugs prior to each APT installation. [DEB-0810] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0810/[0m
+
+  [1;33m*[0m Install needrestart, alternatively to debian-goodies, so that you can run needrestart after upgrades to determine which daemons are using old versions of libraries and need restarting. [DEB-0831] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0831/[0m
+
+  [1;33m*[0m Install fail2ban to automatically ban hosts that commit multiple authentication errors. [DEB-0880] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/DEB-0880/[0m
+
+  [1;33m*[0m Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BOOT-5122/[0m
+
+  [1;33m*[0m Determine runlevel and services at startup [BOOT-5180] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BOOT-5180/[0m
+
+  [1;33m*[0m Consider hardening system services [BOOT-5264] 
+    - Details  : [0;36mRun '/usr/bin/systemd-analyze security SERVICE' for each service[0m
+    - Related resources
+      * Article: [0;36mSystemd features to secure service files[0m: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BOOT-5264/[0m
+
+  [1;33m*[0m Determine why /vmlinuz or /boot/vmlinuz is missing on this Debian/Ubuntu system. [KRNL-5788] 
+    - Details  : [0;36m/vmlinuz or /boot/vmlinuz[0m
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/KRNL-5788/[0m
+
+  [1;33m*[0m Configure password hashing rounds in /etc/login.defs [AUTH-9230] 
+    - Related resources
+      * Article: [0;36mLinux password security: hashing rounds[0m: https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9230/[0m
+
+  [1;33m*[0m Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc [AUTH-9262] 
+    - Related resources
+      * Article: [0;36mConfigure minimum password length for Linux systems[0m: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9262/[0m
+
+  [1;33m*[0m When possible set expire dates for all password protected accounts [AUTH-9282] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9282/[0m
+
+  [1;33m*[0m Look at the locked accounts and consider removing them [AUTH-9284] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9284/[0m
+
+  [1;33m*[0m Configure minimum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: [0;36mConfigure minimum password length for Linux systems[0m: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9286/[0m
+
+  [1;33m*[0m Configure maximum password age in /etc/login.defs [AUTH-9286] 
+    - Related resources
+      * Article: [0;36mConfigure minimum password length for Linux systems[0m: https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9286/[0m
+
+  [1;33m*[0m Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027 [AUTH-9328] 
+    - Related resources
+      * Article: [0;36mSet default file permissions on Linux with umask[0m: https://linux-audit.com/filesystems/file-permissions/set-default-file-permissions-with-umask/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/AUTH-9328/[0m
+
+  [1;33m*[0m To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/FILE-6310/[0m
+
+  [1;33m*[0m To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/FILE-6310/[0m
+
+  [1;33m*[0m Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/USB-1000/[0m
+
+  [1;33m*[0m Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/STRG-1846/[0m
+
+  [1;33m*[0m Purge old/removed packages (11 found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts. [PKGS-7346] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7346/[0m
+
+  [1;33m*[0m Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7370/[0m
+
+  [1;33m*[0m Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7392/[0m
+
+  [1;33m*[0m Install package apt-show-versions for patch management purposes [PKGS-7394] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7394/[0m
+
+  [1;33m*[0m Consider using a tool to automatically apply upgrades [PKGS-7420] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/PKGS-7420/[0m
+
+  [1;33m*[0m Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP). [NETW-2704] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-2704/[0m
+
+  [1;33m*[0m Determine if protocol 'dccp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m Determine if protocol 'sctp' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m Determine if protocol 'rds' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m Determine if protocol 'tipc' is really needed on this system [NETW-3200] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/NETW-3200/[0m
+
+  [1;33m*[0m You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [MAIL-8818] 
+    - Related resources
+      * Article: [0;36mPostfix Hardening Guide for Security and Privacy[0m: https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/MAIL-8818/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mAllowTcpForwarding (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mClientAliveCountMax (set 3 to 2)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mLogLevel (set INFO to VERBOSE)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mMaxAuthTries (set 6 to 3)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mMaxSessions (set 10 to 2)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mPermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mPort (set 22 to )[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mTCPKeepAlive (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mX11Forwarding (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Consider hardening SSH configuration [SSH-7408] 
+    - Details  : [0;36mAllowAgentForwarding (set YES to NO)[0m
+    - Related resources
+      * Article: [0;36mOpenSSH security and hardening[0m: https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/SSH-7408/[0m
+
+  [1;33m*[0m Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/LOGG-2154/[0m
+
+  [1;33m*[0m Check what deleted files are still in use and why. [LOGG-2190] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/LOGG-2190/[0m
+
+  [1;33m*[0m Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
+    - Related resources
+      * Article: [0;36mThe real purpose of login banners[0m: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BANN-7126/[0m
+
+  [1;33m*[0m Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
+    - Related resources
+      * Article: [0;36mThe real purpose of login banners[0m: https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/BANN-7130/[0m
+
+  [1;33m*[0m Enable process accounting [ACCT-9622] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/ACCT-9622/[0m
+
+  [1;33m*[0m Enable sysstat to collect accounting (no results) [ACCT-9626] 
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/ACCT-9626/[0m
+
+  [1;33m*[0m Enable auditd to collect audit information [ACCT-9628] 
+    - Related resources
+      * Article: [0;36mLinux audit framework 101: basic rules for configuration[0m: https://linux-audit.com/linux-audit-framework/linux-audit-framework-101-basic-rules-for-configuration/
+      * Article: [0;36mMonitoring Linux file access, changes and data modifications[0m: https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/ACCT-9628/[0m
+
+  [1;33m*[0m Consider restricting file permissions [FILE-7524] 
+    - Details  : [0;36mSee screen output or log file[0m
+    - Solution : Use chmod to change file permissions
+    - Related resources
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/FILE-7524/[0m
+
+  [1;33m*[0m One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
+    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
+    - Related resources
+      * Article: [0;36mLinux hardening with sysctl settings[0m: https://linux-audit.com/linux-hardening-with-sysctl/
+      * Article: [0;36mOverview of sysctl options and values[0m: https://linux-audit.com/kernel/sysctl/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/KRNL-6000/[0m
+
+  [1;33m*[0m Harden compilers like restricting access to root user only [HRDN-7222] 
+    - Related resources
+      * Article: [0;36mWhy remove compilers from your system?[0m: https://linux-audit.com/software/why-remove-compilers-from-your-system/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/HRDN-7222/[0m
+
+  [1;33m*[0m Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
+    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh
+    - Related resources
+      * Article: [0;36mAntivirus for Linux: is it really needed?[0m: https://linux-audit.com/malware/antivirus-for-linux-really-needed/
+      * Article: [0;36mMonitoring Linux Systems for Rootkits[0m: https://linux-audit.com/monitoring-linux-systems-for-rootkits/
+      * Website: [0;37mhttps://cisofy.com/lynis/controls/HRDN-7230/[0m
+
+  [0;36mFollow-up[0m:
+  [1;37m----------------------------[0m
+  [1;37m-[0m Show details of a test (lynis show details TEST-ID)
+  [1;37m-[0m Check the logfile for all details (less /var/log/lynis.log)
+  [1;37m-[0m Read security controls texts (https://cisofy.com)
+  [1;37m-[0m Use --upload to upload data to central system (Lynis Enterprise users)
+
+================================================================================
+
+  [1;37mLynis security scan details[0m:
+
+  [0;36mHardening index[0m : [1;37m63[0m [[1;33m############[0m        ]
+  [0;36mTests performed[0m : [1;37m268[0m
+  [0;36mPlugins enabled[0m : [1;37m1[0m
+
+  [1;37mComponents[0m:
+  - Firewall               [[1;32mV[0m]
+  - Malware scanner        [[1;31mX[0m]
+
+  [1;33mScan mode[0m:
+  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]
+
+  [1;33mLynis modules[0m:
+  - Compliance status      [[1;33m?[0m]
+  - Security audit         [[1;32mV[0m]
+  - Vulnerability scan     [[1;32mV[0m]
+
+  [1;33mFiles[0m:
+  - Test and debug information      : [1;37m/var/log/lynis.log[0m
+  - Report data                     : [1;37m/var/log/lynis-report.dat[0m
+
+================================================================================
+
+  [1;37mLynis[0m 3.1.4
+
+  Auditing, system hardening, and compliance for UNIX-based systems
+  (Linux, macOS, BSD, and others)
+
+  2007-2024, CISOfy - https://cisofy.com/lynis/
+  [1;37mEnterprise support available (compliance, plugins, interface and tools)[0m
+
+================================================================================
+
+  [0;44m[TIP][0m: [0;94mEnhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)[0m
--- a/ansible/playbooks/logs/10.10.26.14_vms.log
+++ b/ansible/playbooks/logs/10.10.26.14_vms.log
@@ -0,0 +1,69 @@
+      VMID NAME                 STATUS     MEM(MB)    BOOTDISK(GB) PID       
+       108 storage-appliance-dev running    8192              70.00 235436    
+       121 tokoserver-dev       running    24576            340.00 11573     
+       125 teraform-20250116150711 stopped    4096             100.00 0         
+       126 haproxy-wi           stopped    8192             100.00 0         
+       150 phpipam              stopped    8192              80.00 0         
+       152 joko-vm              stopped    1024              20.00 0         
+       155 cl7                  stopped    1024              10.00 0         
+       157 test-7               stopped    1024              20.00 0         
+       161 teshiki              stopped    1024              20.00 0         
+       170 misp                 running    16384            300.00 9930      
+       175 dasi                 stopped    8192             120.00 0         
+       184 vtl-dev              running    8192              80.00 235587    
+       201 pgbackrest           stopped    16384            100.00 0         
+       215 wazuh                running    16384            300.00 10180     
+       353 grafana-alloy        stopped    4096             100.00 0         
+       400 active-directory-client stopped    8192              80.00 0         
+       454 haproxy-iam-02       stopped    4096             100.00 0         
+       455 kong-dev             stopped    8192              80.00 0         
+       900 cmk                  running    16384            100.00 10500     
+      1007 kube-master-04       stopped    16384            300.00 0         
+      2010 nextcloud            running    49152            600.00 10794     
+      2014 reverse-proxy-manager running    8192             100.00 10983     
+      2019 kasm-workspace       stopped    32768            300.00 0         
+      2020 windows-accurate-client stopped    16384              0.00 0         
+      2026 reverse-proxy-01     stopped    8192             100.00 0         
+      2028 syslog-central       stopped    8192             300.00 0         
+      2030 osticket             stopped    8192             150.00 0         
+      2033 jgc-hyperos-alpha    stopped    8192              10.00 0         
+      2034 netbox               stopped    8192              80.00 0         
+      2035 microcloud-node-01   stopped    8192              70.00 0         
+      2036 microcloud-node-02   stopped    8192              70.00 0         
+      2037 microcloud-node-03   stopped    8192              70.00 0         
+      2121 windows-accurate-client stopped    16384             80.00 0         
+      3232 windows-client       stopped    16384             80.00 0         
+      3333 windows-bacula-client stopped    8192               0.00 0         
+      8100 molmod-jupyterhub    stopped    16384            200.00 0         
+      8300 local-repo           stopped    16384             50.00 0         
+      8509 wazuh-poc            stopped    16384            300.00 0         
+      8510 iris-shuflle         stopped    32768            100.00 0         
+      8511 thehive-cortex       stopped    32768            100.00 0         
+      8512 nxlog-ng-ce          stopped    8192             300.00 0         
+      9099 windows-server-poc   stopped    65536              0.00 0         
+     50001 kong                 stopped    16384            100.00 0         
+     80000 ubuntu-jammy-template stopped    1024              10.00 0         
+     80001 ubuntu-focal-template stopped    1024              10.00 0         
+     80002 ubuntu-noble-template stopped    8192              10.00 0         
+     80003 debian-11-template   stopped    1024              10.00 0         
+     80004 debian-12-template   stopped    1024              10.00 0         
+     80005 alma-linux-8-template stopped    1024              10.00 0         
+     80006 alma-linux-9-template stopped    1024              10.00 0         
+     80008 cloudlinux-7.9-template stopped    1024              10.00 0         
+     80009 rocky-linux-8-template stopped    1024              10.00 0         
+     80010 rocky-linux-9-template stopped    1024              10.00 0         
+     80011 vzlinux-template     stopped    1024              32.00 0         
+     80012 fedora-32-template   stopped    1024              10.00 0         
+     80013 rhel-7.9-template    stopped    1024               0.00 0         
+     80014 rhel-8.4-template    stopped    1024              10.00 0         
+     80015 cloudlinux-8-template stopped    1024              42.00 0         
+     80016 Centos-9-template    stopped    1024              10.00 0         
+     80017 open-suse-15.3-template stopped    1024              10.00 0         
+     80018 Windows-server-2012-template stopped    8192               0.00 0         
+     80020 oracle-linux9.5-template stopped    8192              32.00 0         
+     80123 postgresql-db-template stopped    2048              32.00 0         
+     80138 fedora-40-template   stopped    2048               5.00 0         
+     80139 fedora-39-template   stopped    2048               5.00 0         
+     80598 MVP                  stopped    8192             100.00 0         
+     99996 test-minio           stopped    4096              59.00 0         
+    900000 tools-testing-host   stopped    16384            100.00 0         
--- a/ansible/playbooks/run_lynis_audit.yml
+++ b/ansible/playbooks/run_lynis_audit.yml
@@ -0,0 +1,36 @@
+---
+- name: Run Lynis security audit on Proxmox hosts
+  hosts: proxmox
+  gather_facts: false
+
+  tasks:
+    - name: Update apt cache
+      ansible.builtin.apt:
+        update_cache: true
+      become: true
+
+    - name: Install Lynis
+      ansible.builtin.apt:
+        name: lynis
+        state: present
+      become: true
+
+    - name: Run Lynis audit
+      ansible.builtin.shell: |
+        lynis audit system
+      register: lynis_audit_output
+      changed_when: false
+      become: true
+
+    - name: Ensure log directory exists on local machine
+      ansible.builtin.file:
+        path: "{{ playbook_dir }}/logs"
+        state: directory
+      delegate_to: localhost
+      run_once: true
+
+    - name: Save Lynis audit report to local log file
+      ansible.builtin.copy:
+        content: "{{ lynis_audit_output.stdout }}"
+        dest: "{{ playbook_dir }}/logs/{{ inventory_hostname }}_lynis_report.log"
+      delegate_to: localhost
--- a/opentofu/main.tf
+++ b/opentofu/main.tf
--- a/opentofu/outputs.tf
+++ b/opentofu/outputs.tf
--- a/opentofu/variables.tf
+++ b/opentofu/variables.tf