Linux Fleet Audit
Thy servers are many and thy patience is not. This one reads them all over SSH, judges them, and writes down what it saw in a spreadsheet thou canst hand to an auditor without weeping.
“And the disk was at ninety-seven percent, and no one had looked.”
Findings 3:16
$
The Confession
One pass per host. One workbook. No agents.
It reads a list of hosts, connects with the keys thou already hast (or a password, if thy fleet is honest about what it is), escalates with sudo, and runs a single read-only collection pass per server. It changes nothing. It installs nothing. It only looks, and then it tells.
IP, distro, kernel, uptime, disk, listening ports, services, and every installed package.
Ranked High to Low, each with the fix. No blame. Blame is an anti-pattern.
Some thirty pass/fail/warn checks per host. The spreadsheet keeps score.
The Findings
Thy sins, ranked by severity
Every finding carries a recommendation. The colours are not decoration; they are the same fills the workbook writes, so the page and the report agree on what is bad.
| Severity | Finding | Recommendation |
|---|---|---|
| High | PermitRootLogin is enabled | Set it to no. Root is not a login; root is a consequence. |
| High | Filesystem / is 97% full | Free space. Thou wert paged for this at 81% and thou didst nothing. |
| High | Multiple UID 0 accounts | Only root shall be root. Investigate the pretender. |
| Medium | No active host firewall detected | Default-deny inbound. The network is not thy friend. |
| Medium | Reboot required | Schedule it. It will not schedule itself, and neither wilt thou. |
| Low | MaxAuthTries is high | Lower it to three. Grace is finite. |
The Checks
Weighed, and found wanting
Benchmark-style checks, honestly labelled: this is a hardening baseline, not a certified CIS-CAT scan. It will not lie to thee about that.
| Result | ID | Check | Detail |
|---|---|---|---|
| PASS | 5.2.1 | SSH: root login disabled | PermitRootLogin=no |
| PASS | 1.5.1 | ASLR enabled | randomize_va_space=2 |
| FAIL | 3.5.1 | Host firewall active | none |
| PASS | 6.2.1 | Only one UID 0 account | root |
| FAIL | 2.3 | No legacy insecure services | telnet |
The faithful may click a FAIL to remediate it. This is how most compliance is achieved.
The Rite of Installation
Three commands, no vestments required
What This Actually Is
Breaking the fourth wall, briefly
A real tool, written by a real sysadmin who got tired of checking eighty servers by hand. It is agentless, parallel, MIT licensed, and it fails gracefully: hosts it cannot reach are logged with the reason and the run carries on. Unreachable hosts go to an Errors sheet; the ones that answered go to a file thou canst feed straight back in.
It never writes a spreadsheet formula, either. Everything a host tells it is written as text, so a compromised server cannot hide a payload in its hostname and have it fire when thou openest the report. That part is not a joke.