Posted on
Artificial Intelligence

Automating Vulnerability Checks with Artificial Intelligence

Author
  • User
    linuxbash
    Posts by this author
    Posts by this author

Automating Vulnerability Checks with Artificial Intelligence

If you manage Linux systems, you already know the drill: endless patch notes, compliance reports, and “what changed?” fire drills. The problem isn’t that we lack scanners or data—it’s that we drown in it. The value of bringing AI into your vulnerability checks is simple: turn noisy findings into prioritized, actionable tasks you can fix this week.

This article shows you how to combine trusted Linux security tools (Lynis and OpenSCAP) with lightweight AI automation to prioritize issues, suggest remediations, and notify your team—using Bash and curl.

Why automate with AI now?

  • Volume and velocity: Packages update constantly; scanning is easy, triage is hard.

  • Context matters: A “High” severity on a dev box might be less urgent than a “Medium” on a payment server. AI can help inject context from your environment.

  • Cost of delay: Unpatched systems are the leading cause of incidents. Even small process wins (auto-prioritization, ticket text, patch hints) meaningfully reduce MTTR.

  • Proven primitives: You don’t need exotic tools—rely on Lynis/OpenSCAP for evidence and let AI summarize and order the work.

What we’ll build

  • A repeatable baseline scan with Lynis and OpenSCAP

  • A Bash script that:

    • Extracts findings
    • Feeds them to an LLM for prioritization and remediation suggestions
    • Optionally posts a summary to Slack
  • A scheduled job to keep this running weekly


Prerequisites and installation

We’ll use:

  • lynis: system hardening audit

  • OpenSCAP (openscap-scanner, scap-security-guide): compliance checks

  • jq and curl: JSON handling and HTTP

Install with your package manager.

  • Debian/Ubuntu (apt):
sudo apt update
sudo apt install -y lynis openscap-scanner scap-security-guide jq curl
  • Fedora/RHEL/CentOS (dnf):
sudo dnf install -y lynis openscap-scanner scap-security-guide jq curl
  • openSUSE/SLES (zypper):
sudo zypper refresh
sudo zypper install -y lynis openscap-utils scap-security-guide jq curl

Notes:

  • On openSUSE/SLES, the OpenSCAP CLI is provided by the openscap-utils package.

  • You’ll also need an AI endpoint. Examples below show the OpenAI API via OPENAI_API_KEY. You can swap this for your preferred provider or a local model endpoint.


Step 1: Run baseline scans

Run Lynis for a fast system audit:

sudo lynis audit system --quick --quiet --report-file /var/log/lynis-report.dat

Run an OpenSCAP compliance evaluation. The exact datastream (ds.xml) depends on your distro and version; use this to locate a suitable content file:

sudo find /usr/share/xml /usr/share -type f -name '*ds.xml' 2>/dev/null | grep -E 'ssg|scap' | head -n 5

Example OpenSCAP command (replace the datastream with one that matches your system):

DS_FILE="/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml"   # example path
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_standard \
  --results-arf /var/tmp/openscap-arf.xml \
  --report /var/tmp/openscap-report.html \
  "$DS_FILE"

What you have now:

  • Lynis: /var/log/lynis-report.dat with warnings and suggestions

  • OpenSCAP: /var/tmp/openscap-arf.xml (machine-readable) and an HTML report


Step 2: Extract findings into structured data

Lynis writes findings as key-value lines. Convert them to JSON for the AI step:

LYNIS_JSON="/var/tmp/lynis-findings.json"
awk -F'= ' '
  /^warning\[\]=/   {sub(/^warning\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"warning\",\"text\":\"%s\"}\n",$0)}
  /^suggestion\[\]=/ {sub(/^suggestion\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"suggestion\",\"text\":\"%s\"}\n",$0)}
' /var/log/lynis-report.dat | jq -s '.' > "$LYNIS_JSON"

echo "Wrote $LYNIS_JSON"

(Parsing OpenSCAP ARF XML is more involved. For a minimal MVP, link to the HTML report in your AI prompt or attach specific failed rules later if you choose to parse ARF with xmlstarlet/xq.)


Step 3: Add AI prioritization and remediation suggestions

Create a small Bash script that:

  • Reads the Lynis JSON

  • Submits it to an LLM

  • Returns a prioritized plan with quick wins, risk notes, and suggested commands

Save as ai-prioritize.sh:

#!/usr/bin/env bash
set -euo pipefail

: "${OPENAI_API_KEY:?Set OPENAI_API_KEY first}"
MODEL="${MODEL:-gpt-4o-mini}"
LYNIS_JSON="${1:-/var/tmp/lynis-findings.json}"
HOST_META="$( { hostnamectl 2>/dev/null || true; cat /etc/os-release 2>/dev/null || true; uname -a; } )"
SCAP_REPORT="${SCAP_REPORT:-/var/tmp/openscap-report.html}"  # optional hint

if [ ! -s "$LYNIS_JSON" ]; then
  echo "No Lynis findings at $LYNIS_JSON" >&2
  exit 1
fi

USER_PROMPT=$(jq -Rs --arg meta "$HOST_META" --arg scap "$SCAP_REPORT" '
  "You are a Linux security assistant. Given:\n\n" +
  "Host metadata:\n" + $meta + "\n\n" +
  "Lynis findings (JSON array):\n" + . + "\n\n" +
  "Also consider (if present) the OpenSCAP HTML report at: " + $scap + "\n\n" +
  "Task:\n- Group related items\n- Prioritize by exploitability, exposure, and blast radius\n- Flag quick wins (<15 min)\n- Propose specific remediation commands or config changes with minimal risk\n- Note any potential service impact or reboot needs\n- Output a concise action plan (top 10 items) and a short backlog."
' < "$LYNIS_JSON")

RESP=$(curl -sS https://api.openai.com/v1/chat/completions \
  -H "Authorization: Bearer ${OPENAI_API_KEY}" \
  -H "Content-Type: application/json" \
  -d @- <<EOF
{
  "model": "${MODEL}",
  "temperature": 0.2,
  "messages": [
    {"role":"system","content":"You turn raw vuln findings into a clear, minimally risky, prioritized plan for Linux admins."},
    {"role":"user","content": ${USER_PROMPT} }
  ]
}
EOF
)

SUMMARY_FILE="/var/tmp/vuln-ai-summary.txt"
echo "$RESP" | jq -r '.choices[0].message.content' > "$SUMMARY_FILE"
echo "Wrote prioritized plan to $SUMMARY_FILE"

# Optional Slack notification
if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
  # Truncate if too long for Slack; send first 3500 chars
  MSG=$(head -c 3500 "$SUMMARY_FILE")
  curl -sS -X POST -H 'Content-type: application/json' \
    --data "$(jq -n --arg text "$MSG" '{text: $text}')" \
    "$SLACK_WEBHOOK_URL" >/dev/null && echo "Posted summary to Slack"
fi

Make it executable:

chmod +x ai-prioritize.sh

Run the end-to-end flow:

# 1) Baseline scans
sudo lynis audit system --quick --quiet --report-file /var/log/lynis-report.dat
# Optionally rerun/adjust your OpenSCAP command from Step 1

# 2) Extract findings
awk -F'= ' '
  /^warning\[\]=/   {sub(/^warning\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"warning\",\"text\":\"%s\"}\n",$0)}
  /^suggestion\[\]=/ {sub(/^suggestion\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"suggestion\",\"text\":\"%s\"}\n",$0)}
' /var/log/lynis-report.dat | jq -s '.' > /var/tmp/lynis-findings.json

# 3) Prioritize with AI
export OPENAI_API_KEY="sk-..."     # set your key
export SLACK_WEBHOOK_URL=""        # optional
./ai-prioritize.sh /var/tmp/lynis-findings.json

Tip: For environments where external AI is not allowed, point the script to a private or on-prem LLM endpoint by swapping the curl URL and headers.


Step 4: Automate on a schedule

Use cron to run weekly:

crontab -e

Add:

# Every Sunday at 02:00
0 2 * * 0 sudo lynis audit system --quick --quiet --report-file /var/log/lynis-report.dat && \
awk -F'= ' '/^warning\[\]=/ {sub(/^warning\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"warning\",\"text\":\"%s\"}\n",$0)} /^suggestion\[\]=/ {sub(/^suggestion\[\]=/,""); gsub(/"/,"\\\""); printf("{\"type\":\"suggestion\",\"text\":\"%s\"}\n",$0)}' /var/log/lynis-report.dat | jq -s '.' > /var/tmp/lynis-findings.json && \
OPENAI_API_KEY=YOUR_KEY_HERE /path/to/ai-prioritize.sh /var/tmp/lynis-findings.json

Or wrap this in a systemd timer for better logging.


Step 5: Real-world patterns to watch for (and quick wins)

  • World-writable files and directories:

    • Quick win: sudo chmod -R go-w /path on non-shared trees; verify with find / -xdev -type d -perm -0002 -print
  • Weak SSH settings:

    • Quick win: In /etc/ssh/sshd_config, set PasswordAuthentication no, PermitRootLogin no, KexAlgorithms/Ciphers to strong sets; sudo systemctl reload sshd
  • Unattended upgrades disabled on non-critical servers:

    • Quick win (Debian/Ubuntu): sudo apt install -y unattended-upgrades && sudo dpkg-reconfigure -plow unattended-upgrades
  • Kernel or OpenSSL lagging behind:

    • Plan reboot windows. Commands:
    • apt: sudo apt update && sudo apt full-upgrade -y
    • dnf: sudo dnf upgrade -y
    • zypper: sudo zypper refresh && sudo zypper update -y
  • Logging gaps and time drift:

    • Ensure chrony/systemd-timesyncd is enabled; forward logs to a central place (rsyslog/journal-remote/ELK)

Security and operational notes

  • AI is an accelerator, not an authority. Validate remediation steps in a staging environment.

  • Keep model prompts free of secrets. Don’t paste private keys or proprietary code.

  • Version and archive your reports. AI summaries are more useful when you can compare week-over-week changes.

  • Consider scoping: run on dedicated jump boxes and limit outbound API calls as per policy.


Conclusion and next steps

By combining proven scanners (Lynis, OpenSCAP) with a thin AI layer, you can turn raw findings into a focused, low-risk plan in minutes. This reduces toil, makes compliance reviews easier, and keeps patching aligned with business impact.

Your next steps:

  • Install the prerequisites with apt/dnf/zypper

  • Run the baseline scans and the ai-prioritize.sh script

  • Schedule it weekly and post summaries to your team’s channel

  • Iterate: add context (asset criticality tags), parse OpenSCAP ARF for failed rules, and auto-open tickets with the AI plan

If you’d like a follow-up, I can share an extended script that parses OpenSCAP ARF into JSON, tags hosts by environment (prod/dev), and opens GitHub/GitLab issues automatically.