Nightly Security Audit

Last updated: April 10, 2026

Nightly Security Audit System

File: assistant/sysafe_security_audit.go (~1008 lines)

The Nightly Security Audit is an autonomous system that runs comprehensive diagnostic scripts on hosting servers, then delegates analysis and remediation to the sysafe agent.

Architecture

RunNightlySecurityAudit()
    ↓
For each server in auditServers:
    auditServer() → 10 SSH diagnostic scripts
    ↓
Write JSON to assistant/memory/audit_data/
    ↓
AnalyzeServerAudit() → trigger sysafe agent
    ↓
sysafe agent analyzes results, blocks offenders via csf_management
    ↓
Report to appropriate NOC WhatsApp group

Audit Servers

Server          Hostname                 Purpose
Sysafe          hosting.sysafe.co.uk     Primary hosting
London-Hosting  ldn.london-hosting.com   London datacenter

Diagnostic Scripts (per server)

#   Script                          What It Checks
1   buildEnvironmentScript()        Installed tools: CSF, LMD, CXS, ImunifyAV, rkhunter, ClamAV, CloudLinux
2   buildSystemHealthScript()       Uptime, disk usage, memory, Exim queue, suspended accounts
3   buildBruteForceScript()         SSH, cPanel, Exim, FTP failed logins + LFD blocks
4   buildCSFScript()                CSF status, blocked IPs, ignore list, recent LFD events
5   buildModSecScript()             ModSecurity rule trigger counts, offending IPs
6   buildAVScript()                 LMD/maldet, CXS, ImunifyAV, rkhunter, ClamAV scan results
7   buildSignatureUpdateScript()    LMD version, ClamAV freshclam, rkhunter database, ImunifyAV definitions
8   buildRemoteHackingScript()      Suspicious outbound connections, unusual listening ports, recently modified PHP files, cron anomalies, SUID binaries
9   buildCloudLinuxScript()         LVE limits, CageFS status
10  buildRecentLoginsScript()       cPanel, SSH, FTP, IMAP/POP3, WordPress, Joomla, Magento admin logins

Analysis & Remediation

AnalyzeServerAudit() triggers the sysafe agent via QueryAssistantWithOptions with:

  • The full diagnostic output of all 10 scripts as context
  • An autonomous prompt instructing the agent to identify persistent offenders and block them via csf_management
  • Results reported to the appropriate NOC WhatsApp group (Sysafe or London-Hosting)
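The page does not show how the agent decides which sources count as "persistent offenders". The following is an added example, not code from sysafe_security_audit.go: it takes constructed sshd lines of the kind buildBruteForceScript() would return, counts failures per source IP, drops anything on the CSF ignore list (so the NOC jump host is never proposed for blocking), and emits a JSON summary in the spirit of the audit_data output. The threshold of 3 failures, the field names and the sample log and csf.ignore contents are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample of sshd lines as a brute-force script might collect
// them from /var/log/secure. Not real server output.
const sampleSecureLog = `Apr 10 02:11:04 host sshd[21833]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Apr 10 02:11:06 host sshd[21833]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Apr 10 02:11:09 host sshd[21840]: Failed password for root from 203.0.113.5 port 51040 ssh2
Apr 10 02:11:12 host sshd[21842]: Failed password for root from 203.0.113.5 port 51041 ssh2
Apr 10 02:11:15 host sshd[21844]: Failed password for root from 203.0.113.5 port 51042 ssh2
Apr 10 02:20:41 host sshd[21901]: Failed password for invalid user test from 198.51.100.23 port 40100 ssh2
Apr 10 02:20:44 host sshd[21903]: Failed password for invalid user test from 198.51.100.23 port 40101 ssh2
Apr 10 02:31:02 host sshd[21950]: Failed password for root from 192.0.2.10 port 33001 ssh2
Apr 10 02:31:05 host sshd[21952]: Failed password for root from 192.0.2.10 port 33002 ssh2
Apr 10 02:31:08 host sshd[21954]: Failed password for root from 192.0.2.10 port 33003 ssh2
Apr 10 02:31:11 host sshd[21956]: Failed password for root from 192.0.2.10 port 33004 ssh2
Apr 10 02:40:00 host sshd[22010]: Accepted publickey for deploy from 192.0.2.10 port 33100 ssh2`

// Constructed csf.ignore contents: 192.0.2.10 is assumed to be the NOC jump host.
const sampleIgnore = `# csf.ignore
192.0.2.10 # noc jump host
`

// failedSSH matches both "Failed password for root from IP" and
// "Failed password for invalid user NAME from IP"; successful logins do not match.
var failedSSH = regexp.MustCompile(`Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port`)

// countFailedSSH returns the number of failed SSH logins per source IP.
func countFailedSSH(log string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		if m := failedSSH.FindStringSubmatch(line); m != nil {
			counts[m[1]]++
		}
	}
	return counts
}

// parseIgnoreList returns the addresses listed in a csf.ignore file,
// ignoring blank lines and "# ..." comments (including trailing ones).
func parseIgnoreList(data string) map[string]bool {
	ignored := map[string]bool{}
	for _, line := range strings.Split(data, "\n") {
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		if f := strings.Fields(line); len(f) > 0 {
			ignored[f[0]] = true
		}
	}
	return ignored
}

// Offender is one source IP that crossed the failure threshold.
type Offender struct {
	IP       string `json:"ip"`
	Failures int    `json:"failures"`
}

// bruteForceSummary is a hypothetical subset of what the page calls
// serverAuditResult; field names are assumed for the example.
type bruteForceSummary struct {
	Host        string     `json:"host"`
	GeneratedAt string     `json:"generated_at"`
	Offenders   []Offender `json:"brute_force_offenders"` // candidates for csf -d
	Skipped     []string   `json:"skipped_ignored"`       // over threshold but on csf.ignore
}

// buildSummary keeps only IPs with at least threshold failures, separates
// those protected by the ignore list, and orders offenders most active first.
func buildSummary(host string, counts map[string]int, ignored map[string]bool, threshold int, now time.Time) bruteForceSummary {
	s := bruteForceSummary{Host: host, GeneratedAt: now.UTC().Format(time.RFC3339)}
	for ip, n := range counts {
		switch {
		case n < threshold:
		case ignored[ip]:
			s.Skipped = append(s.Skipped, ip)
		default:
			s.Offenders = append(s.Offenders, Offender{IP: ip, Failures: n})
		}
	}
	sort.Slice(s.Offenders, func(i, j int) bool {
		if s.Offenders[i].Failures != s.Offenders[j].Failures {
			return s.Offenders[i].Failures > s.Offenders[j].Failures
		}
		return s.Offenders[i].IP < s.Offenders[j].IP
	})
	sort.Strings(s.Skipped)
	return s
}

func main() {
	now := time.Date(2026, 4, 10, 3, 0, 0, 0, time.UTC)
	s := buildSummary("hosting.sysafe.co.uk", countFailedSSH(sampleSecureLog), parseIgnoreList(sampleIgnore), 3, now)
	b, _ := json.MarshalIndent(s, "", "  ")
	fmt.Println(string(b))
}
```

With the sample data, 203.0.113.5 (5 failures) is the only block candidate; 198.51.100.23 stays under the threshold, and 192.0.2.10 is reported under skipped_ignored rather than handed to the agent for blocking, which is the check a reviewer of the autonomous prompt would want to see before any csf_management call.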

Agent Restriction

The security audit is restricted to the sysafe agent: csf_management.go calls IsServerAllowedForAgent() before running any CSF command, and only sysafe is permitted to execute CSF commands against the audit servers. Requests from any other agent, or for any host outside the allowed set, are refused.
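One way to implement that gate, as an added example and not the project's own IsServerAllowedForAgent() (whose signature and backing data the page does not show): an agent-to-servers allow-list seeded with the two auditServers hostnames, a default-deny lookup, and a command builder that also validates the IP so an agent-supplied string cannot smuggle shell metacharacters into the csf invocation. The map, the csfDeny helper and the hostname normalisation are assumptions for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// agentServers maps an agent name to the servers it may run CSF commands on.
// Hypothetical allow-list seeded from the page's auditServers; not the
// project's own data structure.
var agentServers = map[string][]string{
	"sysafe": {"hosting.sysafe.co.uk", "ldn.london-hosting.com"},
}

// normaliseHost lower-cases, trims and drops a trailing dot so
// "Hosting.Sysafe.co.uk." still matches the allow-list entry.
func normaliseHost(h string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(h)), ".")
}

// isServerAllowedForAgent is default-deny: an unknown agent or a host that is
// not explicitly listed for that agent returns false.
func isServerAllowedForAgent(agent, host string) bool {
	allowed, ok := agentServers[strings.ToLower(strings.TrimSpace(agent))]
	if !ok {
		return false
	}
	want := normaliseHost(host)
	for _, h := range allowed {
		if normaliseHost(h) == want {
			return true
		}
	}
	return false
}

// csfDeny builds the "csf -d IP comment" command for host, refusing when the
// calling agent may not manage that server or when ip is not a literal IP
// address (the agent's value goes into a shell command, so it must be validated).
func csfDeny(agent, host, ip, comment string) (string, error) {
	if !isServerAllowedForAgent(agent, host) {
		return "", fmt.Errorf("agent %q is not allowed to run CSF commands on %q", agent, host)
	}
	if net.ParseIP(ip) == nil {
		return "", fmt.Errorf("refusing to block %q: not a valid IP address", ip)
	}
	return fmt.Sprintf("csf -d %s %q", ip, comment), nil
}

func main() {
	for _, c := range []struct{ agent, host, ip string }{
		{"sysafe", "ldn.london-hosting.com", "203.0.113.5"},
		{"sysafe", "ldn.london-hosting.com", "203.0.113.5; rm -rf /"},
		{"helpdesk", "hosting.sysafe.co.uk", "203.0.113.5"},
		{"sysafe", "evil.example.com", "203.0.113.5"},
	} {
		cmd, err := csfDeny(c.agent, c.host, c.ip, "nightly audit: ssh brute force")
		if err != nil {
			fmt.Println("denied:", err)
			continue
		}
		fmt.Println("run on", c.host+":", cmd)
	}
}
```

Only the first case produces a command; the injection attempt, the foreign agent and the unlisted host are all refused before anything reaches the server.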

Key Structs and Variables

Name                Purpose
serverAuditResult   Struct holding per-server results: host, blocked IPs, brute force summary, ModSec violations, AV results, signature updates, concerns, raw output
auditServers        Hardcoded slice of audited hosts: ["hosting.sysafe.co.uk", "ldn.london-hosting.com"]

Output

  • JSON audit data: assistant/memory/audit_data/
  • WhatsApp notification: formatted summary with emoji headers
  • Agent analysis: full context sent to sysafe for autonomous remediation

See also: CSF Firewall Management, Infrastructure Tools