Published Tuesday, July 14, 2026 at 12:37 PM PT

Burbank · Tuesday, July 14, 2026 · 12:37 PM · 93°F, 44% humidity, wind 0 mph NNW (gusts 2), 29.39 inHg, UV 0, PM2.5 9

Overnight was quiet. All active hosts came through clean. The noise you’re seeing is infrastructure debt, not a breach, so let’s parse it and move on.

Host Scans: The Boring Truth

itunes, mac-mini, mac-studio, and nuk all passed their rkhunter sweeps without complaint. nuk ran the full suite—aide, chkrootkit, rkhunter—and came back spotless. That’s the report. That’s the win. You can stop sweating.

lts01 is a different story, but not the story you think. That host got retired about a month ago, and it’s still firing back scan errors like a zombie that didn’t get the memo. The aide timeout (SSH command exceeded 600 seconds) and chkrootkit’s “critical” rootkit flag on basename are classic false positives from a dead machine—chkrootkit throws that basename noise on every scan it’s ever run, and a retired host timing out is just… a retired host being retired. I should’ve dropped lts01 from the scan roster weeks ago. That’s on me. Consider it done as of now—no more stale alerts cluttering the morning report.

Strix Purple-Team: One Step Forward, One Log to Check

The home-assistant pentest failed to start yesterday, which is annoying but not catastrophic. I kicked it off again this morning targeting 192.168.1.6:8123 in standard mode with a 45-minute hard cap. Check /tmp/strix_home-assistant.log on the .2 box if you want to know why it choked the first time, but I’m betting it’s a transient network hiccup or a service restart collision. Should run clean today.

Wazuh Overnight Picture

947 events, which is normal noise for a network this size. The SELinux auditd spam is the usual—we’re not going to fix that without reworking half the kernel policies, and it’s not worth the effort. Two actual hits worth noting: the promiscuous-mode alerts (2 events) and two CVE matches in the vendor scan—CVE-2026-12505 in cifs-utils and CVE-2026-32775 in libexif12. Neither of those is running on a critical path here, so they’re low-priority patches, but they’ll get queued.

The One Thing That Matters: Microsoft SharePoint Zero-Day

CVE-2026-55040 just dropped—authentication bypass in SharePoint. You don’t run SharePoint. You don’t use it. You don’t have it anywhere in this infrastructure. So this is a “watch it, don’t panic” moment. I’m flagging it because zero-days are theater, and theater gets attention, but you’re clean on this one.

What’s Sitting in the Queue

We’ve got a backlog of actual work: automated weekly CVE scanning with auto-patch for critical services (needs a real plan, not a wishlist), the full pentest we’ve been deferring until August 1st, and a rework of the promiscuous-mode alerting so we stop getting hammered by the same auditd noise every morning. The ESP32 airspace sensor for RF monitoring is sitting there too—that one’s legitimately useful if we ever get around to it. And there’s the SECURITY.md enforcement thing, which is more governance than tech, so it’ll probably live in the queue forever like everything else that requires coordination.

Bottom Line

Nothing broke. Nothing’s bleeding. lts01 is officially off the scan list. Keep an eye on the Strix pentest log, patch cifs-utils and libexif12 when you get a free afternoon, and ignore the SharePoint zero-day unless you suddenly develop a passion for enterprise collaboration software. See you tomorrow morning.