{"id":50294391,"url":"https://github.com/tdiprima/vigil","last_synced_at":"2026-05-28T08:01:21.060Z","repository":{"id":354850020,"uuid":"1224712088","full_name":"tdiprima/vigil","owner":"tdiprima","description":"Bash-based Linux hardening monitor with systemd timers for daily drift checks, integrity scans, and email reports","archived":false,"fork":false,"pushed_at":"2026-05-19T14:28:54.000Z","size":183,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-19T17:35:56.498Z","etag":null,"topics":["intrusion-detection","linux-security","security-automation","server-hardening","system-monitoring"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tdiprima.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-29T14:51:16.000Z","updated_at":"2026-05-19T14:45:35.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/tdiprima/vigil","commit_stats":null,"previous_names":["tdiprima/vigil"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/tdiprima/vigil","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tdiprima%2Fvigil","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tdiprima%2Fvigil/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tdiprima%2Fvigil/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tdiprima%2Fvigil/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tdiprima","download_url":"https://codeload.github.com/tdiprima/vigil/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tdiprima%2Fvigil/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33599465,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-28T02:00:06.440Z","response_time":99,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["intrusion-detection","linux-security","security-automation","server-hardening","system-monitoring"],"created_at":"2026-05-28T08:01:16.353Z","updated_at":"2026-05-28T08:01:21.053Z","avatar_url":"https://github.com/tdiprima.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vigil 🕯️\n\nA daily automated security sweep for Linux servers that catches drift, rootkits, tampered binaries, expiring certs, unauthorized ports, brute-force spikes, and full disks — then emails you a single digest before your morning coffee.\n\n## Servers Don't Tell You When They've Been Compromised\n\nA new user appears in `/etc/passwd` at 3 AM. A cron job shows up that nobody added. A binary's checksum no longer matches its package. A certificate quietly expires and takes down your API. Disk fills up overnight and your database crashes.\n\nThese things happen between your SSH sessions. Without automated daily checks, you find out from an outage — not from a report.\n\nMost teams either run nothing (too busy) or run expensive commercial agents (too complex). There's a gap for teams that want solid coverage from tools already on the box, wired together and scheduled to run every morning.\n\n## Seven Checks, One Report, Zero Agents to Install\n\nVigil is a pure-bash pipeline that runs seven security and health checks via a systemd timer, compiles the results into a single digest email, and fires immediate alerts for anything critical. No daemons, no databases, no external dependencies beyond standard Linux packages.\n\n| Check | What it uses | What it catches |\n|-------|-------------|-----------------|\n| Baseline drift | `diff` against snapshots | New users, cron jobs, SUID binaries |\n| Rootkit scan | `rkhunter --check` | Known rootkits, suspicious files |\n| Package integrity | `rpm -Va` / `debsums` | Modified system binaries |\n| Certificate expiry | `openssl x509 -enddate` | Certs expiring within 30 days (configurable) |\n| Listening ports | `ss -tlnp` diff against known-good | Unauthorized services |\n| Failed auth spike | Auth log parsing | Brute-force attempts beyond thresholds |\n| Disk/inode usage | `df -h` / `df -i` | Full disks before they kill services |\n\nEach check is an independent script that can run standalone or as part of the sweep. Critical findings trigger an immediate email the moment that check completes — the daily digest follows with everything.\n\n## What the Output Looks Like\n\n```\n=======================================================\n  VIGIL Security Sweep — prod-web-01 — 2026-04-29\n=======================================================\n\nSummary: 1 critical, 2 warnings, 4 clean\n\n--- Baseline Drift -----------------------------------------\n[CRIT] [baseline-drift] New SUID binary: /usr/local/bin/ncat\n[CRIT] [baseline-drift] New user: deploy:1001:/home/deploy:/bin/bash\n\n--- Rootkit Scan -------------------------------------------\n[OK] [rootkit-scan] No rootkits or suspicious files detected.\n\n--- Package Integrity --------------------------------------\n[WARN] [package-integrity] 2 config file(s) modified:\n[WARN] [package-integrity]   ..5....T.  c /etc/ssh/sshd_config\n\n--- Certificate Expiry -------------------------------------\n[WARN] [cert-expiry] /etc/letsencrypt/live/api.example.com/cert.pem expires in 12 days\n\n--- Listening Ports ----------------------------------------\n[CRIT] [listening-ports] Unknown listener: 0.0.0.0:4444 users:((\"nc\",pid=8821,fd=3))\n\n--- Failed Auth --------------------------------------------\n[OK] [failed-auth] Auth failures normal. 23 total attempts.\n\n--- Disk Usage ---------------------------------------------\n[OK] [disk-usage] All filesystems within thresholds.\n\n=======================================================\n  End of Report — 2026-04-29 05:03:17\n=======================================================\n```\n\n## Getting Started\n\n### Prerequisites\n\nRHEL/CentOS/Rocky/Alma or Ubuntu/Debian. Vigil autodetects the OS family and uses the right package manager and log paths.\n\n### Install\n\n```bash\ngit clone https://github.com/tdiprima/vigil.git\ncd vigil\n\n# Check what's needed and install missing packages\nsudo ./install-deps.sh\n\n# Preview without installing\n./install-deps.sh --dry-run\n```\n\n### Configure\n\n```bash\n# Copy to deployment location\nsudo cp -r . /opt/vigil\n\n# Edit the config\nsudo vim /opt/vigil/vigil.conf\n```\n\nKey settings in `vigil.conf`:\n\n```bash\nEMAIL_RECIPIENT=\"you@example.com\"\nSMTP_METHOD=\"mailx\"            # mailx, sendmail, or msmtp\nCERT_WARN_DAYS=30              # days before cert expiry triggers warning\nDISK_WARN_PCT=80               # disk usage warning threshold\nAUTH_FAIL_WARN_THRESHOLD=50    # failed auths per IP before alerting\n```\n\n### Create the Baseline\n\nVigil compares current system state against a known-good snapshot. Create one after setup:\n\n```bash\nsudo /opt/vigil/vigil-baseline.sh\n```\n\nThis captures users, cron jobs, SUID files, and listening ports. Re-run it after intentional system changes (new packages, new users, new services).\n\n### Test Run\n\n```bash\n# Run all checks, print report, skip email\nsudo /opt/vigil/vigil-sweep.sh --no-email\n```\n\n### Schedule It\n\n```bash\n# Install the systemd timer (runs daily at 05:00 with up to 30 min jitter)\nsudo cp /opt/vigil/systemd/vigil-sweep.service /etc/systemd/system/\nsudo cp /opt/vigil/systemd/vigil-sweep.timer /etc/systemd/system/\nsudo systemctl daemon-reload\nsudo systemctl enable --now vigil-sweep.timer\n\n# Verify it's scheduled\nsystemctl list-timers vigil-sweep.timer\n```\n\n## Project Structure\n\n```\nvigil/\n├── vigil.conf                 # Thresholds, paths, email settings\n├── vigil-sweep.sh             # Orchestrator — runs all checks, builds report\n├── vigil-baseline.sh          # Snapshot known-good system state\n├── install-deps.sh            # Detect + install missing packages\n├── lib/\n│   ├── common.sh              # OS detection, logging, severity levels\n│   └── alert.sh               # Email dispatch (mailx/sendmail/msmtp)\n├── checks/\n│   ├── baseline-drift.sh      # Users, cron jobs, SUID changes\n│   ├── rootkit-scan.sh        # rkhunter wrapper\n│   ├── package-integrity.sh   # rpm -Va or debsums\n│   ├── cert-expiry.sh         # TLS certificate expiration\n│   ├── listening-ports.sh     # Ports vs known-good list\n│   ├── failed-auth.sh         # Auth log brute-force detection\n│   └── disk-usage.sh          # Disk space and inode thresholds\n└── systemd/\n    ├── vigil-sweep.service    # oneshot service unit\n    └── vigil-sweep.timer      # daily timer with jitter\n```\n\n## Running Individual Checks\n\nEvery check script is independently executable:\n\n```bash\nsudo ./checks/cert-expiry.sh /opt/vigil/vigil.conf\nsudo ./checks/disk-usage.sh /opt/vigil/vigil.conf\n```\n\nExit codes follow a consistent convention: `0` = clean, `1` = warning, `2` = critical.\n\n## License\n\n[MIT](LICENSE)\n\n\u003cBR\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftdiprima%2Fvigil","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftdiprima%2Fvigil","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftdiprima%2Fvigil/lists"}