fx
=AUDIT(thy.fleet)
1
lfa.kosir.info · agentless · MIT

Linux Fleet Audit

Thy servers are many and thy patience is not. This one reads them all over SSH, judges them, and writes down what it saw in a spreadsheet thou canst hand to an auditor without weeping.

“And the disk was at ninety-seven percent, and no one had looked.”
Findings 3:16

  sa.vko@localhost — the reckoning
$ 
2

The Confession

One pass per host. One workbook. No agents.

It reads a list of hosts, connects with the keys thou already hast (or a password, if thy fleet is honest about what it is), escalates with sudo, and runs a single read-only collection pass per server. It changes nothing. It installs nothing. It only looks, and then it tells.

Inventory

IP, distro, kernel, uptime, disk, listening ports, services, and every installed package.

Findings

Ranked High to Low, each with the fix. No blame. Blame is an anti-pattern.

CIS Checks

Some thirty pass/fail/warn checks per host. The spreadsheet keeps score.

3

The Findings

Thy sins, ranked by severity

Every finding carries a recommendation. The colours are not decoration; they are the same fills the workbook writes, so the page and the report agree on what is bad.

SeverityFindingRecommendation
HighPermitRootLogin is enabledSet it to no. Root is not a login; root is a consequence.
HighFilesystem / is 97% fullFree space. Thou wert paged for this at 81% and thou didst nothing.
HighMultiple UID 0 accountsOnly root shall be root. Investigate the pretender.
MediumNo active host firewall detectedDefault-deny inbound. The network is not thy friend.
MediumReboot requiredSchedule it. It will not schedule itself, and neither wilt thou.
LowMaxAuthTries is highLower it to three. Grace is finite.
4

The Checks

Weighed, and found wanting

Benchmark-style checks, honestly labelled: this is a hardening baseline, not a certified CIS-CAT scan. It will not lie to thee about that.

ResultIDCheckDetail
PASS5.2.1SSH: root login disabledPermitRootLogin=no
PASS1.5.1ASLR enabledrandomize_va_space=2
FAIL3.5.1Host firewall activenone
PASS6.2.1Only one UID 0 accountroot
FAIL2.3No legacy insecure servicestelnet

The faithful may click a FAIL to remediate it. This is how most compliance is achieved.

5

The Rite of Installation

Three commands, no vestments required

# receive the canon git clone https://github.com/vikozs/linux-audit.git cd linux-audit python3 -m pip install -r requirements.txt
# keys and passwordless sudo: the state of grace python3 linux_audit.py -H hosts.txt -o audit.xlsx
# passwords, because thy fleet is honest about what it is python3 linux_audit.py -H hosts.txt -u sa.vko \ --ask-ssh-pass --sudo-pass-same-as-ssh -o audit.xlsx

Read the source ↗ See a sample report

6

What This Actually Is

Breaking the fourth wall, briefly

A real tool, written by a real sysadmin who got tired of checking eighty servers by hand. It is agentless, parallel, MIT licensed, and it fails gracefully: hosts it cannot reach are logged with the reason and the run carries on. Unreachable hosts go to an Errors sheet; the ones that answered go to a file thou canst feed straight back in.

It never writes a spreadsheet formula, either. Everything a host tells it is written as text, so a compromised server cannot hide a payload in its hostname and have it fire when thou openest the report. That part is not a joke.