pve-security-scanner/vm/05-monitoring.sh
Yaojia Wang 5e49b977ab feat: initial setup for PVE security scanner VM
Scripts for deploying a hardened internal network security scanner on Proxmox VE:
- PVE-level firewall and VM creation
- System hardening (sysctl, auditd, AIDE)
- nftables firewall with dynamic IP blocking
- SSH hardening with fail2ban
- Security tools (OpenVAS, Nmap, Nuclei, httpx, Nikto, testssl, NetExec)
- Monitoring, logging, and Docker autostart
2026-03-08 20:21:29 +01:00


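#!/bin/bash
# =============================================================================
# Monitoring and Logging for Security Scanner VM
# Run this inside the VM as root
#
# What this configures:
#   1. rsyslog routing of scanner/auth messages into /var/log/scanner/
#   2. logrotate stanzas for those logs and for scan result files
#   3. Logwatch daily summary mailed to root
#   4. /opt/scans/scripts/check-disk.sh    (root filesystem usage alert)
#   5. /opt/scans/scripts/check-openvas.sh (restart stopped OpenVAS containers)
#   6. /etc/cron.d/scanner-monitoring      (schedules 4 and 5, AIDE, Lynis,
#      result cleanup, Nuclei template update)
#   7. /etc/motd and /etc/issue.net login banners
# Tools referenced by the cron schedule (aide, lynis, nuclei, docker, jq) are
# expected to have been installed by the earlier setup scripts.
# =============================================================================
set -euo pipefail

echo "============================================"
echo " Monitoring & Logging - Security Scanner VM"
echo "============================================"

# Directories written to below. Created here so the script also works when
# re-run on its own rather than strictly after the tool-install script.
mkdir -p /opt/scans/scripts /opt/scans/results

# The scanner logs include auth/authpriv messages: keep the directory readable
# only by root and adm, matching the 'create 0640 root adm' logrotate stanza.
mkdir -p /var/log/scanner
chown root:adm /var/log/scanner
chmod 0750 /var/log/scanner

# --- 1. Configure rsyslog for centralized logging ---
echo "[+] Configuring rsyslog..."
cat > /etc/rsyslog.d/99-scanner.conf << 'EOF'
# Files created by the actions below: owned root:adm, not world-readable
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
# Log all scanner-related activity to dedicated file
:programname, startswith, "nmap" /var/log/scanner/nmap.log
:programname, startswith, "nuclei" /var/log/scanner/nuclei.log
# NOTE(review): log lines emitted by kernel nft log rules carry programname
# "kernel", so this only matches userspace programs named nft*; confirm it
# against how the firewall script actually logs.
:programname, startswith, "nft" /var/log/scanner/firewall.log
# Log auth separately with more detail
auth,authpriv.* /var/log/scanner/auth.log
# Uncomment to forward to remote syslog server
# *.* @@syslog.internal.lan:514
EOF
systemctl restart rsyslog

# --- 2. Log rotation ---
echo "[+] Configuring log rotation..."
cat > /etc/logrotate.d/scanner << 'EOF'
/var/log/scanner/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}
/opt/scans/results/*/*.txt {
    weekly
    missingok
    rotate 12
    compress
    notifempty
}
EOF

# --- 3. Logwatch (daily summary reports) ---
echo "[+] Configuring Logwatch..."
# The config directory only exists once the package is installed; fail with a
# clear message instead of a bare 'No such file or directory' from cat.
if [[ ! -d /etc/logwatch/conf ]]; then
  echo "[!] /etc/logwatch/conf not found - install logwatch before running this script" >&2
  exit 1
fi
cat > /etc/logwatch/conf/logwatch.conf << 'EOF'
LogDir = /var/log
MailTo = root
MailFrom = scanner@localhost
Range = yesterday
Detail = Med
Service = All
Format = text
EOF

# --- 4. Disk usage monitoring ---
echo "[+] Setting up disk usage monitoring..."
cat > /opt/scans/scripts/check-disk.sh << 'DISKEOF'
#!/bin/bash
# Alert when root filesystem usage reaches THRESHOLD percent.
# The alert goes to syslog (tag disk-monitor) and to stdout, so cron mails root.
set -euo pipefail
THRESHOLD=85
# -P (POSIX format) keeps each filesystem on one line, so a long device name
# cannot wrap the output and shift the "Use%" column; NR==2 is the data row.
USAGE=$(df -P / | awk 'NR==2 { gsub("%", "", $5); print $5 }')
if [[ ! "${USAGE}" =~ ^[0-9]+$ ]]; then
  echo "[!] Could not parse disk usage from df output: '${USAGE}'" >&2
  exit 1
fi
if (( USAGE >= THRESHOLD )); then
  echo "[ALERT] Disk usage at ${USAGE}% on security scanner" | \
    logger -t disk-monitor -p user.warning
  echo "[ALERT] Disk usage at ${USAGE}% - consider cleaning /opt/scans/results/"
fi
DISKEOF
chmod 0755 /opt/scans/scripts/check-disk.sh

# --- 5. Docker health check ---
echo "[+] Setting up OpenVAS health check..."
cat > /opt/scans/scripts/check-openvas.sh << 'HEALTHEOF'
#!/bin/bash
# Check the OpenVAS (Greenbone) compose stack and re-run 'up -d' when any
# listed container is not in the "running" state.
set -euo pipefail
COMPOSE_FILE=/opt/greenbone/docker-compose.yml
if [[ ! -f "${COMPOSE_FILE}" ]]; then
  echo "[!] ${COMPOSE_FILE} not found - skipping health check"
  exit 0
fi
for tool in docker jq; do
  if ! command -v "${tool}" > /dev/null 2>&1; then
    echo "[!] ${tool} not installed - cannot run OpenVAS health check" | \
      logger -t openvas-health -p user.warning
    exit 1
  fi
done
# A failing 'docker compose ps' must not look like "all containers healthy":
# report it instead of swallowing the error and continuing with empty output.
rc=0
PS_JSON=$(docker compose -f "${COMPOSE_FILE}" ps --format json 2> /dev/null) || rc=$?
if (( rc != 0 )); then
  echo "[ALERT] 'docker compose ps' failed with exit status ${rc}" | \
    logger -t openvas-health -p user.warning
  exit 1
fi
# Depending on the compose version, --format json prints one object per line
# or a single JSON array; unwrap the array form so both are handled.
# NOTE(review): compose versions also differ in whether exited containers are
# listed without 'ps --all' - confirm on the deployed version.
UNHEALTHY=$(printf '%s\n' "${PS_JSON}" | \
  jq -r '(if type == "array" then .[] else . end) | select(.State != "running") | .Name')
if [[ -n "${UNHEALTHY}" ]]; then
  echo "[ALERT] Unhealthy OpenVAS containers: ${UNHEALTHY}" | \
    logger -t openvas-health -p user.warning
  echo "[ALERT] Restarting unhealthy containers..."
  docker compose -f "${COMPOSE_FILE}" up -d
fi
HEALTHEOF
chmod 0755 /opt/scans/scripts/check-openvas.sh

# --- 6. Cron jobs ---
echo "[+] Setting up monitoring cron jobs..."
cat > /etc/cron.d/scanner-monitoring << 'EOF'
# Disk check every 6 hours
0 */6 * * * root /opt/scans/scripts/check-disk.sh
# OpenVAS health check every 30 minutes
*/30 * * * * root /opt/scans/scripts/check-openvas.sh
# AIDE integrity check daily at 3am
# (the pipeline's status is logger's, so a non-zero AIDE result does not by
# itself produce cron mail; the reported differences land in syslog/Logwatch)
0 3 * * * root /usr/bin/aide --check 2>&1 | logger -t aide-check -p user.info
# Lynis security audit weekly (Sunday 2am)
0 2 * * 0 root /usr/sbin/lynis audit system --quick --no-colors 2>&1 | logger -t lynis-audit -p user.info
# Clean scan results older than 90 days (log to syslog). -mindepth 1 keeps
# /opt/scans/results itself out of the match (otherwise an idle results tree
# would be removed whole); -maxdepth 1 limits it to the per-scan directories.
0 4 * * 0 root find /opt/scans/results -mindepth 1 -maxdepth 1 -type d -mtime +90 -print -exec rm -rf {} + 2>&1 | logger -t scan-cleanup
# Update Nuclei templates weekly
0 5 * * 1 root /usr/local/bin/nuclei -update-templates 2>&1 | logger -t nuclei-update -p user.info
EOF
# Explicit mode regardless of the caller's umask: root-owned, not writable
# by group or others, as cron expects for /etc/cron.d entries.
chmod 0644 /etc/cron.d/scanner-monitoring

# --- 7. Login banner ---
echo "[+] Setting login banner..."
cat > /etc/motd << 'EOF'
+=====================================================+
| SECURITY SCANNER - AUTHORIZED ACCESS ONLY           |
|                                                     |
| All activity on this system is logged and audited.  |
| Unauthorized access is prohibited.                  |
+=====================================================+
Tools: nmap | nuclei | httpx | nikto | testssl | OpenVAS
Scans: /opt/scans/scripts/quick-scan.sh <target>
Logs: /var/log/scanner/
OpenVAS: http://localhost:9392
EOF
cat > /etc/issue.net << 'EOF'
*************************************************************
* WARNING: This is a restricted system.                     *
* All connections are monitored and recorded.               *
* Disconnect IMMEDIATELY if you are not authorized.         *
*************************************************************
EOF
# Banner is configured in /etc/ssh/sshd_config.d/99-scanner-hardening.conf by 03-ssh-harden.sh
systemctl reload ssh 2>/dev/null || systemctl reload sshd 2>/dev/null || true

echo ""
echo "[+] Monitoring and logging configured."
echo ""
echo "Summary:"
echo " Logs: /var/log/scanner/"
echo " Scan results: /opt/scans/results/"
echo " Cron jobs: /etc/cron.d/scanner-monitoring"
echo " Logwatch: Daily email summary to root"
echo " AIDE: File integrity check daily at 3am"
echo " Lynis: Security audit weekly (Sunday 2am)"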