- Posted on
- • Artificial Intelligence
Automating Vulnerability Checks with Artificial Intelligence
- Author
-
-
- User
- linuxbash
- Posts by this author
- Posts by this author
-
Automating Vulnerability Checks with Artificial Intelligence
If you manage Linux systems, you already know the drill: endless patch notes, compliance reports, and “what changed?” fire drills. The problem isn’t that we lack scanners or data—it’s that we drown in it. The value of bringing AI into your vulnerability checks is simple: turn noisy findings into prioritized, actionable tasks you can fix this week.
This article shows you how to combine trusted Linux security tools (Lynis and OpenSCAP) with lightweight AI automation to prioritize issues, suggest remediations, and notify your team—using Bash and curl.
Why automate with AI now?
Volume and velocity: Packages update constantly; scanning is easy, triage is hard.
Context matters: A “High” severity on a dev box might be less urgent than a “Medium” on a payment server. AI can help inject context from your environment.
Cost of delay: Unpatched systems are the leading cause of incidents. Even small process wins (auto-prioritization, ticket text, patch hints) meaningfully reduce MTTR.
Proven primitives: You don’t need exotic tools—rely on Lynis/OpenSCAP for evidence and let AI summarize and order the work.
What we’ll build
A repeatable baseline scan with Lynis and OpenSCAP
A Bash script that:
- Extracts findings
- Feeds them to an LLM for prioritization and remediation suggestions
- Optionally posts a summary to Slack
A scheduled job to keep this running weekly
Prerequisites and installation
We’ll use:
lynis: system hardening audit
OpenSCAP (openscap-scanner, scap-security-guide): compliance checks
jq and curl: JSON handling and HTTP
Install with your package manager.
- Debian/Ubuntu (apt):
sudo apt update
sudo apt install -y lynis openscap-scanner scap-security-guide jq curl
- Fedora/RHEL/CentOS (dnf):
sudo dnf install -y lynis openscap-scanner scap-security-guide jq curl
- openSUSE/SLES (zypper):
sudo zypper refresh
sudo zypper install -y lynis openscap-utils scap-security-guide jq curl
Notes:
On openSUSE/SLES, the OpenSCAP CLI is provided by the openscap-utils package.
You’ll also need an AI endpoint. Examples below show the OpenAI API via
OPENAI_API_KEY. You can swap this for your preferred provider or a local model endpoint.
Step 1: Run baseline scans
Run Lynis for a fast system audit:
sudo lynis audit system --quick --quiet --report-file /var/log/lynis-report.dat
Run an OpenSCAP compliance evaluation. The exact datastream (ds.xml) depends on your distro and version; use this to locate a suitable content file:
sudo find /usr/share/xml /usr/share -type f -name '*ds.xml' 2>/dev/null | grep -E 'ssg|scap' | head -n 5
Example OpenSCAP command (replace the datastream with one that matches your system):
DS_FILE="/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml" # example path
sudo oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_standard \
--results-arf /var/tmp/openscap-arf.xml \
--report /var/tmp/openscap-report.html \
"$DS_FILE"
What you have now:
Lynis: /var/log/lynis-report.dat with warnings and suggestions
OpenSCAP: /var/tmp/openscap-arf.xml (machine-readable) and an HTML report
Step 2: Extract findings into structured data
Lynis writes findings as key-value lines. Convert them to JSON for the AI step:
LYNIS_JSON="/var/tmp/lynis-findings.json"
awk -F'= ' '
/^warning\[\]=/ {sub(/^warning\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"warning\",\"text\":\"%s\"}\n",$0)}
/^suggestion\[\]=/ {sub(/^suggestion\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"suggestion\",\"text\":\"%s\"}\n",$0)}
' /var/log/lynis-report.dat | jq -s '.' > "$LYNIS_JSON"
echo "Wrote $LYNIS_JSON"
(Parsing OpenSCAP ARF XML is more involved. For a minimal MVP, link to the HTML report in your AI prompt or attach specific failed rules later if you choose to parse ARF with xmlstarlet/xq.)
Step 3: Add AI prioritization and remediation suggestions
Create a small Bash script that:
Reads the Lynis JSON
Submits it to an LLM
Returns a prioritized plan with quick wins, risk notes, and suggested commands
Save as ai-prioritize.sh:
#!/usr/bin/env bash
set -euo pipefail
: "${OPENAI_API_KEY:?Set OPENAI_API_KEY first}"
MODEL="${MODEL:-gpt-4o-mini}"
LYNIS_JSON="${1:-/var/tmp/lynis-findings.json}"
HOST_META="$( { hostnamectl 2>/dev/null || true; cat /etc/os-release 2>/dev/null || true; uname -a; } )"
SCAP_REPORT="${SCAP_REPORT:-/var/tmp/openscap-report.html}" # optional hint
if [ ! -s "$LYNIS_JSON" ]; then
echo "No Lynis findings at $LYNIS_JSON" >&2
exit 1
fi
USER_PROMPT=$(jq -Rs --arg meta "$HOST_META" --arg scap "$SCAP_REPORT" '
"You are a Linux security assistant. Given:\n\n" +
"Host metadata:\n" + $meta + "\n\n" +
"Lynis findings (JSON array):\n" + . + "\n\n" +
"Also consider (if present) the OpenSCAP HTML report at: " + $scap + "\n\n" +
"Task:\n- Group related items\n- Prioritize by exploitability, exposure, and blast radius\n- Flag quick wins (<15 min)\n- Propose specific remediation commands or config changes with minimal risk\n- Note any potential service impact or reboot needs\n- Output a concise action plan (top 10 items) and a short backlog."
' < "$LYNIS_JSON")
RESP=$(curl -sS https://api.openai.com/v1/chat/completions \
-H "Authorization: Bearer ${OPENAI_API_KEY}" \
-H "Content-Type: application/json" \
-d @- <<EOF
{
"model": "${MODEL}",
"temperature": 0.2,
"messages": [
{"role":"system","content":"You turn raw vuln findings into a clear, minimally risky, prioritized plan for Linux admins."},
{"role":"user","content": ${USER_PROMPT} }
]
}
EOF
)
SUMMARY_FILE="/var/tmp/vuln-ai-summary.txt"
echo "$RESP" | jq -r '.choices[0].message.content' > "$SUMMARY_FILE"
echo "Wrote prioritized plan to $SUMMARY_FILE"
# Optional Slack notification
if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
# Truncate if too long for Slack; send first 3500 chars
MSG=$(head -c 3500 "$SUMMARY_FILE")
curl -sS -X POST -H 'Content-type: application/json' \
--data "$(jq -n --arg text "$MSG" '{text: $text}')" \
"$SLACK_WEBHOOK_URL" >/dev/null && echo "Posted summary to Slack"
fi
Make it executable:
chmod +x ai-prioritize.sh
Run the end-to-end flow:
# 1) Baseline scans
sudo lynis audit system --quick --quiet --report-file /var/log/lynis-report.dat
# Optionally rerun/adjust your OpenSCAP command from Step 1
# 2) Extract findings
awk -F'= ' '
/^warning\[\]=/ {sub(/^warning\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"warning\",\"text\":\"%s\"}\n",$0)}
/^suggestion\[\]=/ {sub(/^suggestion\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"suggestion\",\"text\":\"%s\"}\n",$0)}
' /var/log/lynis-report.dat | jq -s '.' > /var/tmp/lynis-findings.json
# 3) Prioritize with AI
export OPENAI_API_KEY="sk-..." # set your key
export SLACK_WEBHOOK_URL="" # optional
./ai-prioritize.sh /var/tmp/lynis-findings.json
Tip: For environments where external AI is not allowed, point the script to a private or on-prem LLM endpoint by swapping the curl URL and headers.
Step 4: Automate on a schedule
Use cron to run weekly:
crontab -e
Add:
# Every Sunday at 02:00
0 2 * * 0 sudo lynis audit system --quick --quiet --report-file /var/log/lynis-report.dat && \
awk -F'= ' '/^warning\[\]=/ {sub(/^warning\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"warning\",\"text\":\"%s\"}\n",$0)} /^suggestion\[\]=/ {sub(/^suggestion\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"suggestion\",\"text\":\"%s\"}\n",$0)}' /var/log/lynis-report.dat | jq -s '.' > /var/tmp/lynis-findings.json && \
OPENAI_API_KEY=YOUR_KEY_HERE /path/to/ai-prioritize.sh /var/tmp/lynis-findings.json
Or wrap this in a systemd timer for better logging.
Step 5: Real-world patterns to watch for (and quick wins)
World-writable files and directories:
- Quick win:
sudo chmod -R go-w /pathon non-shared trees; verify withfind / -xdev -type d -perm -0002 -print
- Quick win:
Weak SSH settings:
- Quick win: In
/etc/ssh/sshd_config, setPasswordAuthentication no,PermitRootLogin no,KexAlgorithms/Ciphersto strong sets;sudo systemctl reload sshd
- Quick win: In
Unattended upgrades disabled on non-critical servers:
- Quick win (Debian/Ubuntu):
sudo apt install -y unattended-upgrades && sudo dpkg-reconfigure -plow unattended-upgrades
- Quick win (Debian/Ubuntu):
Kernel or OpenSSL lagging behind:
- Plan reboot windows. Commands:
- apt:
sudo apt update && sudo apt full-upgrade -y - dnf:
sudo dnf upgrade -y - zypper:
sudo zypper refresh && sudo zypper update -y
Logging gaps and time drift:
- Ensure
chrony/systemd-timesyncdis enabled; forward logs to a central place (rsyslog/journal-remote/ELK)
- Ensure
Security and operational notes
AI is an accelerator, not an authority. Validate remediation steps in a staging environment.
Keep model prompts free of secrets. Don’t paste private keys or proprietary code.
Version and archive your reports. AI summaries are more useful when you can compare week-over-week changes.
Consider scoping: run on dedicated jump boxes and limit outbound API calls as per policy.
Conclusion and next steps
By combining proven scanners (Lynis, OpenSCAP) with a thin AI layer, you can turn raw findings into a focused, low-risk plan in minutes. This reduces toil, makes compliance reviews easier, and keeps patching aligned with business impact.
Your next steps:
Install the prerequisites with apt/dnf/zypper
Run the baseline scans and the ai-prioritize.sh script
Schedule it weekly and post summaries to your team’s channel
Iterate: add context (asset criticality tags), parse OpenSCAP ARF for failed rules, and auto-open tickets with the AI plan
If you’d like a follow-up, I can share an extended script that parses OpenSCAP ARF into JSON, tags hosts by environment (prod/dev), and opens GitHub/GitLab issues automatically.