Security Stack: Lynis + AIDE + Falco
From Master of Neuroscience Wiki
At this point I assume that mail is working.
apt -y install msmtp msmtp-mta mailutils
/etc/msmtprc example:
defaults
tls on
tls_starttls off
# Disables verification of the server certificate; with the CA bundle below in place, tls_certcheck on is the safer setting
tls_certcheck off
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
# University SMTP server
account uni-bremen
host smtp.uni-bremen.de
port 465
from git_rot@uni-bremen.de
user git_rot
password REDACTED
set_from_header on
auth on
# Set a default account
account default : uni-bremen
aliases /etc/aliases
1. LYNIS
# Add official CISOfy repo (newer than Ubuntu's package)
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key \
| sudo gpg --dearmor -o /usr/share/keyrings/cisofy-software.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cisofy-software.gpg] \
https://packages.cisofy.com/community/lynis/deb/ stable main" \
| sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
sudo apt update && sudo apt install lynis -y
# First run — full audit (read the output carefully!)
sudo lynis audit system
# Cron: daily audit at 01:00, log to file
echo "0 1 * * * root /usr/sbin/lynis audit system --cronjob --quiet \
>> /var/log/lynis-cron.log 2>&1" \
| sudo tee /etc/cron.d/lynis
# View results anytime
# sudo lynis show warnings
# sudo lynis show suggestions
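Besides the human-readable log, Lynis writes its results as key=value lines to /var/log/lynis-report.dat (hardening_index=NN, warning[]=TEST-ID|description|-|-|, suggestion[]=...), and the nightly --cronjob run above refreshes that file. The script below is an added example, not code from the wiki page or from the Lynis project: it summarises the report after the cron run and mails only when warnings exist or the hardening index fell compared to the previous run. The state directory, the recipient and the script location are assumptions and can be overridden through environment variables.

```shell
#!/bin/bash
# Added example (not from the wiki page): summarise the machine-readable
# Lynis report and mail it only when there is something to act on.
# Lynis writes key=value results to /var/log/lynis-report.dat after each
# audit. The report path, state directory and recipient are assumptions.
set -u

LYNIS_REPORT="${LYNIS_REPORT:-/var/log/lynis-report.dat}"
STATE_DIR="${STATE_DIR:-/var/lib/lynis-summary}"
ALERT_TO="${ALERT_TO:-root}"

# Hardening index (0-100) recorded in the report; 0 if the key is missing.
lynis_hardening_index() {
    local idx
    idx=$(sed -n 's/^hardening_index=//p' "$1" | head -n 1)
    [ -n "$idx" ] || idx=0
    echo "$idx"
}

# Number of warning[] entries in the report (prints 0 if there are none).
lynis_warning_count() {
    grep -c '^warning\[\]=' "$1" || true
}

# One line per warning: "TEST-ID  description".
# Report entries look like: warning[]=TEST-ID|Description|-|-|
lynis_warnings() {
    sed -n 's/^warning\[\]=//p' "$1" | awk -F'|' '{ printf "%-10s %s\n", $1, $2 }'
}

# Compare the current index with the value stored from the previous run and
# remember the new one. Prints "drop" if the score fell, otherwise "ok".
lynis_index_trend() {
    local report="$1" state="$2" now prev
    now=$(lynis_hardening_index "$report")
    prev=$(cat "$state" 2>/dev/null)
    [ -n "$prev" ] || prev="$now"
    printf '%s\n' "$now" > "$state"
    if [ "$now" -lt "$prev" ]; then echo "drop"; else echo "ok"; fi
}

main() {
    local report="$1" count trend
    [ -r "$report" ] || { echo "no Lynis report at $report" >&2; return 1; }
    mkdir -p "$STATE_DIR"
    count=$(lynis_warning_count "$report")
    trend=$(lynis_index_trend "$report" "$STATE_DIR/hardening_index")
    # Stay silent on a clean run; mail when warnings exist or the score fell.
    if [ "$count" -gt 0 ] || [ "$trend" = "drop" ]; then
        {
            echo "Hardening index: $(lynis_hardening_index "$report") ($trend)"
            echo "Warnings: $count"
            lynis_warnings "$report"
        } | mail -s "Lynis: $count warning(s) on $(hostname)" "$ALERT_TO"
    fi
}

# Run as: lynis-summary.sh /var/log/lynis-report.dat
# Without an argument only the functions are defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Schedule it a few minutes after the Lynis cron job so it reads the fresh report, e.g. a second /etc/cron.d entry at 01:15 calling the script with the report path.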
2. AIDE
sudo apt install aide aide-common -y
Configure what to monitor — edit before initializing!
Key file: /etc/aide/aide.conf
Default covers /bin /sbin /usr /etc — good defaults for a server
Adjust to your own needs:
sudo tee -a /etc/aide/aide.conf << 'EOF'
# 1. Ignore the actual database/repository files (The "Noise")
!/docker/compose/forgejo/data
!/docker/compose/forgejo/var_data
!/docker/compose/mariadb/data
!/docker/compose/mariadb/backup
!/docker/compose/runner/data
!/docker/compose/runner/docker_certs
# 2. Watch the Configuration (The "Blueprints")
# This will watch the .yaml and .conf files in these folders
/docker/compose/forgejo/compose.yaml$ R
/docker/compose/mariadb/compose.yaml$ R
/docker/compose/nginx/nginx.conf$ R
/docker/compose/nginx/compose.yaml$ R
/docker/compose/runner/compose.yaml$ R
# Ignore Docker's internal state and active containers
!/var/lib/docker
!/run/docker
!/var/lib/containerd
# Standard system "noise"
!/var/log
!/var/cache
!/run
!/tmp
!/var/tmp
# Ignore root's personal shell and editor history
!/root/\..*history
!/root/\.bash_history
!/root/\.viminfo
!/root/\.cache
!/root/\.config/mc
!/root/\.local/share/mc
EOF
sudo aide --init -c /etc/aide/aide.conf
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Test a manual check
sudo aide --check -c /etc/aide/aide.conf
Contents of /usr/local/bin/aide-check.sh:
#!/bin/bash
# Run the check and write the report to a log file
/usr/bin/aide --check -c /etc/aide/aide.conf > /var/log/aide/daily_check.log 2>&1
rc=$?
# Send an alert if changes were found. AIDE exits 0 when nothing changed;
# 1-7 means files were added/removed/changed, 14 or higher is an error
# (bad config, I/O problem), so any non-zero status deserves a look.
if [ "$rc" -ne 0 ]; then
    echo "AIDE detected changes on $(hostname) (exit code $rc), see /var/log/aide/daily_check.log" | mail -s "SECURITY ALERT: AIDE Changes" overleaf@uni-bremen.de
fi
Then
sudo chmod +x /usr/local/bin/aide-check.sh
Add to crontab:
# Run at 3:00 AM every day
0 3 * * * /usr/local/bin/aide-check.sh
IMPORTANT: After system updates or intentional changes, refresh the DB:
sudo aide --update -c /etc/aide/aide.conf
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
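The daily script above treats every non-zero AIDE exit status the same way. AIDE's status is actually a bitmask (1 = new files, 2 = removed files, 4 = changed files, combinable, so 6 means removed and changed), while 14 and above signal an error such as an invalid configuration or an I/O problem. Distinguishing the two matters because a check that failed to run must not be read as "no changes". The wrapper below is an added example, not code from the wiki page or from the AIDE project; it decodes the status for the mail subject and sends the full report as the mail body. Config path, report location and recipient are assumptions and can be overridden through environment variables.

```shell
#!/bin/bash
# Added example (not from the wiki page): a variant of aide-check.sh that
# decodes AIDE's exit status instead of treating every non-zero code alike.
# Exit status: 0 = no changes; bitmask 1 = added, 2 = removed, 4 = changed;
# 14 and above = error. Paths and recipient below are assumptions.
set -u

AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"
REPORT="${REPORT:-/var/log/aide/daily_check.log}"
ALERT_TO="${ALERT_TO:-root}"

# Turn an AIDE exit status into a short verdict for the mail subject.
aide_decode_rc() {
    local rc="$1" parts=""
    if [ "$rc" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "ERROR (aide exit $rc)"; return 0; fi
    [ $((rc & 1)) -ne 0 ] && parts="${parts}added "
    [ $((rc & 2)) -ne 0 ] && parts="${parts}removed "
    [ $((rc & 4)) -ne 0 ] && parts="${parts}changed "
    # 8-13 are not documented change codes; report them rather than guess.
    if [ -z "$parts" ]; then echo "unknown status $rc"; return 0; fi
    echo "files ${parts% }"
}

# Succeeds (exit 0) when the status calls for a mail: any change or any error.
aide_needs_alert() {
    [ "$1" -ne 0 ]
}

# Run the daily check, keep the full report, and mail the report body
# (not just a one-line notice) when something needs attention.
run_check() {
    local rc verdict
    /usr/bin/aide --check -c "$AIDE_CONF" > "$REPORT" 2>&1
    rc=$?
    verdict=$(aide_decode_rc "$rc")
    if aide_needs_alert "$rc"; then
        mail -s "SECURITY ALERT: AIDE on $(hostname): $verdict" "$ALERT_TO" < "$REPORT"
    fi
    return "$rc"
}

# Constructed cron entry: 0 3 * * * /usr/local/bin/aide-check.sh check
# Without the "check" argument only the functions are defined.
case "${1:-}" in
    check) run_check ;;
esac
```

Because the wrapper mails the report itself, the recipient sees which files changed without logging in, and an "ERROR" subject line points at a broken check (for example after an edit to aide.conf) rather than at a real file change.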
3. FALCO
Installation
sudo apt update
sudo apt install build-essential clang llvm gcc make dkms -y
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc \
| sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] \
https://download.falco.org/packages/deb stable main" \
| sudo tee /etc/apt/sources.list.d/falcosecurity.list
sudo apt update && sudo apt install falco -y
sudo systemctl daemon-reload
sudo systemctl enable falco-modern-bpf --now
Check if everything is alive
sudo systemctl status falco-modern-bpf
sudo journalctl -fu falco-modern-bpf
4. RKHUNTER
sudo apt install -y rkhunter
Set the following in /etc/rkhunter.conf:
# Debian/Ubuntu ship WEB_CMD set to /bin/false, which makes "rkhunter --update" fail; allow downloads via wget
WEB_CMD=/usr/bin/wget
# Use any mirror from the mirrors file, and refresh the mirrors file itself during --update
MIRRORS_MODE=0
UPDATE_MIRRORS=1
rkhunter --update
rkhunter --propupd
rkhunter --check
Cron version (prints warnings only, nothing on a clean run):
/usr/bin/rkhunter --check --cronjob --report-warnings-only