Document pve10 static IPs, monitoring stack, and site LXCs; add portfolio to inventory; Mailcow mailbox automation; vault import/export scripts; security audit guides and UniFi DHCP reference. Co-authored-by: Cursor <cursoragent@cursor.com>
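#!/usr/bin/env bash
# Audit LXCs on a Proxmox node via `pct exec` (run ON the PVE host as root).
#
# For every container in `pct list` a header is printed; running ones are then
# audited from inside: identity, effective sshd policy, firewall and fail2ban
# state, pending apt upgrades and non-loopback listeners.  Stopped containers
# are listed and skipped.  Audit output goes to stdout; problems with this
# script itself (not on a PVE host, not root) go to stderr with exit 1.
#
# Deliberately `set -u` only, no `-e`: one broken container must not abort the
# audit of the remaining ones, so per-container failures are reported inline
# and the loop continues.
set -u

# Script executed inside each container.  Kept POSIX sh (no bashisms) so
# containers without bash, e.g. Alpine, can still be audited.  The quoted
# heredoc keeps everything literal, so single quotes are usable here.  Every
# check degrades to an explicit message instead of silently printing nothing.
AUDIT=$(cat <<'EOF'
echo "=== identity ==="
hostname -f 2>/dev/null || hostname
[ -f /etc/os-release ] && . /etc/os-release && echo "os=${PRETTY_NAME:-unknown}"
echo "ip=$(hostname -I 2>/dev/null | awk '{print $1}')"

echo "=== sshd (effective) ==="
if command -v sshd >/dev/null 2>&1; then
  # `sshd -T` is the resolved config (Include files and defaults applied), so
  # it is authoritative.  It needs root and readable host keys; if it prints
  # nothing we say so rather than leaving the section blank.
  sshd -T 2>/dev/null \
    | grep -E '^(permitrootlogin|passwordauthentication|pubkeyauthentication|permitemptypasswords|port) ' \
    || echo "sshd -T produced no output (not root, or host keys unreadable?)"
elif [ -f /etc/ssh/sshd_config ]; then
  # Raw-config fallback.  Drop-ins under sshd_config.d/ override the main file
  # on Debian 12+/Ubuntu 22.04+, so they are included; Match blocks are NOT
  # resolved here, so treat this as indicative only.  Directives are
  # case-insensitive and may be indented, hence -i and the leading blank match.
  grep -iE '^[[:space:]]*(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|PermitEmptyPasswords|Port)[[:space:]]' \
    /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null \
    || echo "no explicit settings found (compiled-in OpenSSH defaults apply)"
else
  echo "sshd not installed"
fi

echo "=== firewall ==="
if command -v ufw >/dev/null 2>&1; then
  ufw status 2>/dev/null | head -3
elif command -v nft >/dev/null 2>&1; then
  # No ufw: report whether an nftables ruleset is loaded at all.
  echo "nftables ruleset: $(nft list ruleset 2>/dev/null | wc -l) lines (0 = no rules)"
else
  echo "no ufw/nft inside CT (the PVE host firewall may still filter this CT)"
fi

echo "=== fail2ban ==="
if command -v fail2ban-server >/dev/null 2>&1; then
  # `is-active` prints the state itself (active/inactive/failed), so it is
  # echoed once; without systemd it prints nothing and we say so.
  state=$(systemctl is-active fail2ban 2>/dev/null)
  echo "${state:-installed, state unknown (no systemd?)}"
else
  echo "not installed"
fi

echo "=== pending upgrades ==="
if command -v apt-get >/dev/null 2>&1; then
  # Simulation only; the numbers are only as fresh as the last `apt-get
  # update`, which this audit deliberately does not run.  Security count is a
  # substring match on the Inst line (origin suite, e.g. "-security").
  sim=$(apt-get -s upgrade 2>/dev/null)
  total=$(printf '%s\n' "$sim" | grep -c '^Inst')
  security=$(printf '%s\n' "$sim" | grep '^Inst' | grep -ci 'security')
  echo "total=$total security=$security (per last apt-get update)"
else
  echo "not an apt system: not checked"
fi

echo "=== listeners (non-loopback) ==="
if command -v ss >/dev/null 2>&1; then
  # TCP listening and UDP bound sockets; loopback-only ones are dropped but
  # the header row is kept.  No `head` cap: truncating the listener list
  # would hide exposed services.
  ss -tulnp 2>/dev/null | awk 'NR==1 || $5 !~ /^(127\.|\[::1\]|::1)/'
else
  echo "ss not available"
fi
EOF
)

# Print the host-side network config the in-container audit cannot see:
# `firewall=1` on a netN line means the Proxmox firewall applies to that
# interface regardless of what ufw/nft inside the CT report.
# Arguments: $1 - vmid
pve_net_config() {
  local vmid=$1
  echo "=== pve config (net) ==="
  pct config "$vmid" 2>/dev/null | grep -E '^net[0-9]+:' || echo "n/a"
}

# Audit one container.  Arguments: $1 - vmid, $2 - status, $3 - name.
# Stopped containers are announced and skipped; an exec failure is reported
# inline with its exit code and is never fatal to the run.
audit_container() {
  local vmid=$1 status=$2 name=$3
  echo ""
  echo "######## LXC vmid=$vmid name=$name status=$status ########"
  if [ "$status" != "running" ]; then
    echo "SKIP: not running"
    return 0
  fi
  pve_net_config "$vmid"
  # `sh -c` rather than `bash -c`: AUDIT is POSIX, and not every CT has bash.
  pct exec "$vmid" -- sh -c "$AUDIT" 2>&1 || echo "ERROR: pct exec failed (rc=$?)"
}

main() {
  # Fail fast with a reason instead of a silent empty run: without pct the
  # loop below would simply iterate over nothing and exit 0.
  if ! command -v pct >/dev/null 2>&1; then
    echo "error: pct not found; run this on the Proxmox VE host" >&2
    return 1
  fi
  if [ "$(id -u)" -ne 0 ]; then
    echo "error: must run as root (pct exec requires it)" >&2
    return 1
  fi

  echo "PVE_NODE=$(hostname -f 2>/dev/null || hostname)"
  echo "PVE_IP=$(hostname -I 2>/dev/null | awk '{print $1}')"

  # One `pct list` for the whole run.  Its columns are "VMID Status Lock Name"
  # and Lock is blank unless the CT is locked, so the name is the LAST field;
  # reading $4 yields "" for every unlocked container.
  local vmid status name
  while read -r vmid status name; do
    audit_container "$vmid" "$status" "$name"
  done < <(pct list 2>/dev/null | awk 'NR>1 {print $1, $2, $NF}')
}

main "$@"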