ilia
de49b34cdc
Some checks failed
CI / skip-ci-check (pull_request) Successful in 6s
CI / lint-and-test (pull_request) Failing after 9s
CI / ansible-validation (pull_request) Failing after 6s
CI / secret-scanning (pull_request) Successful in 5s
CI / dependency-scan (pull_request) Successful in 8s
CI / sast-scan (pull_request) Failing after 5s
CI / license-check (pull_request) Successful in 11s
CI / vault-check (pull_request) Failing after 6s
CI / playbook-test (pull_request) Failing after 6s
CI / container-scan (pull_request) Failing after 6s
CI / sonar-analysis (pull_request) Failing after 2s
CI / workflow-summary (pull_request) Successful in 4s
Document pve10 static IPs, monitoring stack, and site LXCs; add portfolio to inventory; Mailcow mailbox automation; vault import/export scripts; security audit guides and UniFi DHCP reference. Co-authored-by: Cursor <cursoragent@cursor.com>
49 lines
1.6 KiB
Bash
Executable File
49 lines
1.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Quick read-only security snapshot (run on target host).
|
|
set -euo pipefail
|
|
|
|
echo "=== identity ==="
|
|
hostname -f 2>/dev/null || hostname
|
|
if [ -f /etc/os-release ]; then . /etc/os-release; echo "os=${PRETTY_NAME:-unknown}"; fi
|
|
echo "kernel=$(uname -r)"
|
|
echo "uptime=$(uptime -p 2>/dev/null || uptime)"
|
|
|
|
echo "=== sshd (effective) ==="
|
|
if command -v sshd >/dev/null 2>&1; then
|
|
sshd -T 2>/dev/null | grep -E '^(permitrootlogin|passwordauthentication|pubkeyauthentication|permitemptypasswords|port|x11forwarding|allowtcpforwarding) ' || true
|
|
else
|
|
grep -E '^(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|Port) ' /etc/ssh/sshd_config 2>/dev/null | grep -v '^#' || echo "sshd not found"
|
|
fi
|
|
|
|
echo "=== firewall ==="
|
|
if command -v ufw >/dev/null 2>&1; then
|
|
ufw status verbose 2>/dev/null | head -8
|
|
elif command -v firewall-cmd >/dev/null 2>&1; then
|
|
firewall-cmd --state 2>/dev/null || true
|
|
else
|
|
echo "no ufw/firewalld"
|
|
fi
|
|
|
|
echo "=== fail2ban ==="
|
|
systemctl is-active fail2ban 2>/dev/null || echo "fail2ban: inactive or missing"
|
|
|
|
echo "=== unattended-upgrades ==="
|
|
systemctl is-active unattended-upgrades 2>/dev/null || echo "unattended-upgrades: inactive or missing"
|
|
|
|
echo "=== pending apt upgrades ==="
|
|
if command -v apt >/dev/null 2>&1; then
|
|
apt-get -s upgrade 2>/dev/null | grep -c '^Inst' || echo 0
|
|
else
|
|
echo "n/a"
|
|
fi
|
|
|
|
echo "=== listening tcp (public) ==="
|
|
ss -tlnp 2>/dev/null | awk 'NR==1 || /LISTEN/ {print}' | grep -v '127.0.0.1:' | grep -v '\[::1\]:' | head -20
|
|
|
|
echo "=== uid 0 accounts ==="
|
|
awk -F: '$3==0 {print $1}' /etc/passwd | tr '\n' ' '
|
|
echo
|
|
|
|
echo "=== last logins (top 5) ==="
|
|
last -n 5 2>/dev/null | head -5 || true
|