Self-hosted, open-source vulnerability monitoring & daily security reporting for RHEL-family fleets.
📊 Live presentation → hacknow-uz.github.io/Warden
Warden continuously watches every server, container image, and code dependency across your infrastructure for known vulnerabilities, runs CIS/SCAP compliance checks, aggregates everything into one dashboard, and emails a full security report every day — all from open-source components, wired together with a small, well-tested orchestrator. No SaaS, no per-host licensing.
Note: low-level infrastructure identifiers use the short codename `tizim` (e.g. the `tizim_net` Docker network and `/opt/tizim` paths).
| Dimension | Engine |
|---|---|
| 🖥️ OS package CVEs (installed RPMs) | Wazuh agent + CTI feed |
| 🐳 Docker image vulnerabilities | Trivy + Grype |
| 🧩 Code dependencies (pip / npm / go.mod) | Trivy filesystem scan |
| 📋 CIS Benchmark / SCAP compliance | OpenSCAP + SSG |
Findings from all sources are aggregated in DefectDojo (dedup + trend) and a daily HTML report (summary + every Critical inline, full findings as an attachment) is delivered via email/Telegram.
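A minimal version of that aggregation step, as an added example (not Warden's own orchestrator code): it parses Trivy and Grype JSON output (field names as in each scanner's documented JSON format), dedups overlapping findings on (CVE, package, version, target), keeps the worse severity where the two scanners disagree, and returns the per-severity counts plus the Critical findings the daily report lists inline. The scanner output embedded below is constructed sample data, not real scan results.

```python
import json
from collections import Counter

# Severity ranking used to keep the worse rating when the two scanners disagree.
RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

# Constructed sample scanner output (not real scan results), trimmed to the fields used here.
TRIVY_JSON = json.dumps({"Results": [{"Target": "app:1.0", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.1.0", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl", "InstalledVersion": "8.0.0", "Severity": "HIGH"}]}]})
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"}, "artifact": {"name": "openssl", "version": "3.1.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"}, "artifact": {"name": "zlib", "version": "1.2.13"}}]})

def parse_trivy(raw: str) -> list[dict]:
    out = []
    for res in json.loads(raw).get("Results", []):
        for v in res.get("Vulnerabilities") or []:  # Trivy omits the key for a clean target
            out.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"], "version": v["InstalledVersion"],
                        "target": res["Target"], "severity": v.get("Severity", "UNKNOWN").upper(),
                        "sources": {"trivy"}})
    return out

def parse_grype(raw: str, target: str) -> list[dict]:
    out = []
    for m in json.loads(raw).get("matches", []):
        out.append({"id": m["vulnerability"]["id"], "pkg": m["artifact"]["name"],
                    "version": m["artifact"]["version"], "target": target,
                    "severity": m["vulnerability"].get("severity", "Unknown").upper(), "sources": {"grype"}})
    return out

def merge(findings: list[dict]) -> list[dict]:
    """Dedup on (CVE, package, version, target); keep the worse severity and the union of sources."""
    merged: dict[tuple, dict] = {}
    for f in findings:
        key = (f["id"], f["pkg"], f["version"], f["target"])
        if key not in merged:
            merged[key] = dict(f, sources=set(f["sources"]))  # copy so parser output is not mutated
            continue
        cur = merged[key]
        cur["sources"] |= f["sources"]
        if RANK.get(f["severity"], 4) < RANK.get(cur["severity"], 4):
            cur["severity"] = f["severity"]
    return sorted(merged.values(), key=lambda f: (RANK.get(f["severity"], 4), f["id"]))

def daily_summary() -> tuple[dict[str, int], list[dict]]:
    """Per-severity counts plus the Critical findings listed inline, as the daily report does."""
    merged = merge(parse_trivy(TRIVY_JSON) + parse_grype(GRYPE_JSON, "app:1.0"))
    return dict(Counter(f["severity"] for f in merged)), [f for f in merged if f["severity"] == "CRITICAL"]
```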
```mermaid
flowchart LR
subgraph SRV["RHEL / Rocky / Alma servers"]
A1["wazuh-agent"]
A2["wazuh-agent"]
end
subgraph CORE["Wazuh — central platform"]
M["Manager<br/>Vuln Detection + SCA/CIS"]
IDX[("Indexer")]
DSH["Dashboard"]
end
CTI{{"CTI feed<br/>RHEL · Rocky · Alma · NVD"}}
subgraph SCAN["Scanners"]
T["Trivy"]
G["Grype + Syft"]
end
OR["Orchestrator<br/>(Python, cron 02:00)"]
DD[("DefectDojo")]
RPT["Daily report<br/>Email / Telegram"]
A1 --> M
A2 --> M
CTI --> M
M <--> IDX --> DSH
OR -->|query| IDX
OR --> T --> DD
OR --> G --> DD
OR --> RPT
DD --> RPT
```
Two layers: a central Docker Compose stack (Wazuh + DefectDojo + orchestrator) and
Ansible roles that provision wazuh-agent + OpenSCAP on RHEL targets.
Full diagrams: docs/architecture.md.
Wazuh 4.9 · Trivy · Grype · Syft · DefectDojo · OpenSCAP ·
Python 3.12 (pytest) · Docker Compose · Ansible · GitHub Actions CI
- 🔁 Fully automated daily cycle (cron) — scan → aggregate → report → heartbeat.
- 🔐 Security-first: secrets required (no defaults), TLS verification never disabled, no `docker.sock` mount, internal-only port binding, automated Wazuh password rotation.
- 🧱 Infrastructure-as-Code: declarative networking, resource limits, healthchecks, one-command bootstrap, idempotent scripts.
- ✅ Tested: 20 unit tests, CI validates pytest + compose + Ansible + shell syntax.
- 📊 Rich reporting: HTML report with severity-coded tables, full findings attachment.
- ♻️ Operable: ISM retention, DB backups, log rotation, dead-man's-switch monitoring.
```bash
git clone https://github.com/HackNow-uz/Warden && cd Warden
./setup.sh          # preflight + auto-generates secrets + brings up the full stack
bash test/e2e.sh    # end-to-end smoke test
```
setup.sh checks Docker / RAM / vm.max_map_count / ports, auto-generates DefectDojo
secrets (no manual editing), then bootstraps Wazuh + DefectDojo + orchestrator.
Just want to verify prerequisites? Run `./setup.sh --check`. Then optionally:
`bash scripts/configure-retention.sh` (index retention).
Access (internal-only) via SSH tunnel:
```bash
ssh -L 8444:127.0.0.1:8444 -L 8888:127.0.0.1:8888 user@host
# Wazuh: https://localhost:8444 · DefectDojo: http://localhost:8888
```

Full stack needs ~12 GB RAM. See the guide for low-RAM staging.
- 📘 Full Guide — install · configure · operate · troubleshoot · extend
- 🚀 Production Readiness — deploy runbook + checklist
- 🏗️ Architecture — components, data flow, diagrams
- 📐 Design spec · Build plan
```text
compose/    central stack — wazuh/ · defectdojo/ · orchestrator/ (Python)
ansible/    wazuh_agent + openscap roles, inventory
scanning/   scan targets (images.txt, repos.yml)
scripts/    bootstrap, secret rotation, telegram, retention, backup, enroll
test/       e2e smoke test
docs/       guide, architecture, production readiness, spec, plan
```