# Weekly Security Posture Scan

## Targets

1. forge (localhost / 192.168.1.16) — James' home
2. james-old (192.168.1.17) — retired, still running
3. staging/dev (192.168.1.253) — home server
4. prod (192.168.100.2) — inou prod (when available)
5. caddy (192.168.0.2 / 100.84.42.55) — reverse proxy
6. zurich.inou.com (82.22.36.202) — VPS
7. amsterdam.inou.com (82.24.174.112) — VPS
8. UDM-Pro (192.168.0.1) — core router

## Per-Host Checks (VPS/Linux)

### Intrusion Detection

- [ ] `last -20` — any logins from unknown IPs?
- [ ] `lastb | head -30` — brute force attempts (volume/pattern)
- [ ] `awk -F: '$3>=1000' /etc/passwd` — unauthorized users?
- [ ] `cat ~/.ssh/authorized_keys` — compare against known keys baseline
- [ ] `find /home -name authorized_keys -exec cat {} \;` — same for all users
- [ ] `crontab -l; ls /etc/cron.d/` — rogue cron jobs?
- [ ] `ps aux | grep -v '\[' | sort -k3 -rn | head -20` — suspicious processes?
- [ ] `ss -tnp | grep -v '127.0.0\|::1'` — unexpected outbound connections?
- [ ] `find / -mtime -7 -type f -name '*.sh' 2>/dev/null` — recently modified scripts
- [ ] `docker ps -a` — unauthorized containers?
- [ ] Check for rootkits: `rkhunter --check --skip-keypress` or `chkrootkit`

### Hardening Verification

- [ ] `sshd -T | grep -E 'passwordauth|permitroot'` — still hardened?
- [ ] `ufw status` — rules unchanged?
- [ ] `fail2ban-client status sshd` — running, banning?
- [ ] `ss -tlnp` — only expected ports listening?
- [ ] `apt list --upgradable` — outstanding security patches?
- [ ] File permissions on `/etc/shadow`, `/etc/sudoers`

### Caddy Specific

- [ ] TLS cert validity/expiry
- [ ] Reverse proxy rules — no unintended exposure
- [ ] Access logs — unusual patterns?

### UDM-Pro Specific

- [ ] Firmware version — current?
- [ ] Port forwards — only intended ones
- [ ] IDS/IPS enabled and signatures current
- [ ] Connected clients — any unknown devices?
- [ ] Exposed management ports?
## Baseline

First run establishes baseline files at `memory/security-baselines/`:

- `zurich-keys.txt` — authorized SSH keys
- `zurich-ports.txt` — expected listening ports
- `zurich-users.txt` — expected users
- Same for amsterdam, caddy, prod

## Reporting

- Clean scan → log to `memory/security-scans/YYYY-MM-DD.md`
- Any findings → Fully alert (warning/critical) + detailed log
- Track trends (ban count, failed login volume)
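The baseline and reporting steps above can be automated in one POSIX shell script. This is an added example, not part of the original checklist: it snapshots the three baselined artefacts (authorized keys, listening ports, human users) with the same commands the checklist uses, creates the `<host>-{keys,ports,users}.txt` baselines on first run, diffs later runs against them with `comm`, and appends a dated entry to `memory/security-scans/`. The `BASELINE_DIR` and `SCAN_DIR` variables and the function names are assumptions for this example; run it as root on the host being scanned.

```shell
#!/bin/sh
# Baseline drift check for the weekly scan. Added example, not the checklist's own tooling.
# Assumes baselines live in memory/security-baselines/<host>-<kind>.txt (as the checklist
# describes) and scan logs in memory/security-scans/YYYY-MM-DD.md.
export LC_ALL=C            # stable sort order so comm(1) sees consistent input
BASELINE_DIR="${BASELINE_DIR:-memory/security-baselines}"
SCAN_DIR="${SCAN_DIR:-memory/security-scans}"

# All authorized keys (root and every /home user), comments and blank lines dropped.
snapshot_keys() {
  cat /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys 2>/dev/null \
    | grep -v '^[[:space:]]*#' | awk 'NF' | sort -u
}

# Listening TCP port numbers, the same view as the `ss -tlnp` check.
snapshot_ports() {
  ss -tln 2>/dev/null | awk 'NR>1 {n=split($4,a,":"); print a[n]}' | sort -un
}

# Human account names (UID >= 1000), the same filter as the /etc/passwd check.
snapshot_users() {
  awk -F: '$3>=1000 {print $1}' /etc/passwd | sort -u
}

# compare_baseline BASELINE_FILE CURRENT_FILE
# Prints "+ line" for entries not in the baseline and "- line" for baseline entries
# that disappeared. Returns 0 when identical, 1 on drift. Both files must be sorted.
compare_baseline() {
  added=$(comm -13 "$1" "$2")
  removed=$(comm -23 "$1" "$2")
  [ -z "$added" ] && [ -z "$removed" ] && return 0
  printf '%s\n' "$added"   | awk 'NF {print "+ " $0}'
  printf '%s\n' "$removed" | awk 'NF {print "- " $0}'
  return 1
}

# log_result HOST KIND STATUS: append one line to today's scan log.
log_result() {
  mkdir -p "$SCAN_DIR"
  printf '%s %s %s: %s\n' "$(date +%H:%M)" "$1" "$2" "$3" >> "$SCAN_DIR/$(date +%F).md"
}

# check_host HOST: snapshot each kind, create the baseline on first run, otherwise diff.
# Exit status 1 if any kind drifted, so a cron wrapper can escalate to an alert.
check_host() {
  host="$1"; rc=0
  for kind in keys ports users; do
    base="$BASELINE_DIR/$host-$kind.txt"
    cur=$(mktemp)
    "snapshot_$kind" > "$cur"
    if [ ! -f "$base" ]; then
      mkdir -p "$BASELINE_DIR"; cp "$cur" "$base"
      log_result "$host" "$kind" "baseline created ($(wc -l < "$base") entries)"
    elif drift=$(compare_baseline "$base" "$cur"); then
      log_result "$host" "$kind" "OK"
    else
      # Keep the full diff in the log: a new key or port is the finding itself.
      log_result "$host" "$kind" "WARNING drift"
      printf '%s\n' "$drift" >> "$SCAN_DIR/$(date +%F).md"
      echo "[$host] $kind drift:"; printf '%s\n' "$drift"
      rc=1
    fi
    rm -f "$cur"
  done
  return $rc
}

# Usage: ./baseline-check.sh zurich   (first run seeds the baselines, later runs diff)
if [ $# -gt 0 ]; then check_host "$1"; fi
```

Only additions and removals are reported, so a key rotated on purpose shows up once as `- old` / `+ new`; after reviewing, refresh the baseline by deleting the affected `<host>-<kind>.txt` and rerunning. Because `check_host` returns non-zero on any drift, the cron wrapper can treat that exit status as the "findings" branch of the reporting rules.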