johan
/
clawd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clawd/scripts/security-posture-scan.md

2.4 KiB
Raw Blame History

Weekly Security Posture Scan

Targets

  1. forge (localhost / 192.168.1.16) — James' home
  2. james-old (192.168.1.17) — retired, still running
  3. staging/dev (192.168.1.253) — home server
  4. prod (192.168.100.2) — inou prod (when available)
  5. caddy (192.168.0.2 / 100.84.42.55) — reverse proxy
  6. zurich.inou.com (82.22.36.202) — VPS
  7. amsterdam.inou.com (82.24.174.112) — VPS
  8. UDM-Pro (192.168.0.1) — core router

Per-Host Checks (VPS/Linux)

Intrusion Detection

  • last -20 — any logins from unknown IPs?
  • lastb | head -30 — brute force attempts (volume/pattern)
  • cat /etc/passwd | awk -F: '$3>=1000' — unauthorized users?
  • cat ~/.ssh/authorized_keys — compare against known keys baseline
  • find /home -name authorized_keys -exec cat {} \; — same for all users
  • crontab -l; ls /etc/cron.d/ — rogue cron jobs?
  • ps aux | grep -v '\[' | sort -k3 -rn | head -20 — suspicious processes?
  • ss -tnp | grep -v '127.0.0\|::1' — unexpected outbound connections?
  • find / -mtime -7 -type f -name '*.sh' 2>/dev/null — recently modified scripts
  • docker ps -a — unauthorized containers?
  • Check for rootkits: rkhunter --check --skip-keypress or chkrootkit

Hardening Verification

  • sshd -T | grep -E 'passwordauth|permitroot' — still hardened?
  • ufw status — rules unchanged?
  • fail2ban-client status sshd — running, banning?
  • ss -tlnp — only expected ports listening?
  • apt list --upgradable — outstanding security patches?
  • File permissions on /etc/shadow, /etc/sudoers

Caddy Specific

  • TLS cert validity/expiry
  • Reverse proxy rules — no unintended exposure
  • Access logs — unusual patterns?

UDM-Pro Specific

  • Firmware version — current?
  • Port forwards — only intended ones
  • IDS/IPS enabled and signatures current
  • Connected clients — any unknown devices?
  • Exposed management ports?

Baseline

First run establishes baseline files at memory/security-baselines/:

  • zurich-keys.txt — authorized SSH keys
  • zurich-ports.txt — expected listening ports
  • zurich-users.txt — expected users
  • Same for amsterdam, caddy, prod

Reporting

  • Clean scan → log to memory/security-scans/YYYY-MM-DD.md
  • Any findings → Fully alert (warning/critical) + detailed log
  • Track trends (ban count, failed login volume)