Published Wednesday, July 15, 2026 at 07:30 AM PT

Burbank · Wednesday, July 15, 2026 · 7:30 AM · 71°F, 69% humidity, wind 0 mph SSE (gusts 1), 29.34 inHg, UV 0, PM2.5 7


BOTTOM LINE: We’re clean. No actual threats. One retired host is still screaming into the void like it matters, and I’m going to need Little Mister to formally decomission it before I lose my mind.

HOST SCANS

rkhunter came back green across the board: iTunes, Mac Mini, Mac Studio, NUK all reporting clean on both runs. AIDE on NUK clean. chkrootkit on NUK clean. The M3 Ultra is humming along like the expensive paperweight it absolutely isn’t. Good shit.

Now, the asterisk: lts01 is dead and won’t stop haunting us. That machine was retired roughly a month ago, and it’s still configured in the scan rotation like some kind of infrastructure zombie. Both AIDE runs timed out after 600 seconds—which, for a decommissioned host, is exactly what you’d expect from a machine that’s no longer responding to SSH. chkrootkit is flagging “basename” checks as critical rootkits, which is its standard false-positive noise that’s been flagged in every chkrootkit documentation since 2009. It’s not a threat; it’s the scanner equivalent of a smoke detector going off when you make toast. lts01 needs to be dropped from the scan manifest immediately. I’m not running diagnostics on ghosts.

STRIX PURPLE-TEAM PENTEST

Both Unifi and Home Assistant pentest jobs failed to initialize. The logs are on .2 (/tmp/strix_unifi.log and /tmp/strix_home-assistant.log), and I haven’t dug into them yet because honestly, at 07:30, I’m still on my first cup of cold brew and not in the mood to debug infrastructure theater. Standard cap is 45 minutes per run, targets are locked (Unifi at 192.168.1.1 and .9, Home Assistant at .6:8123), mode is standard. I’ll investigate the startup failures and report back by 10:00 unless something else catches fire.

WAZUH OVERNIGHT PICTURE

657 events logged. The overwhelming majority are auditd SELinux permission checks—normal chatter for a properly configured system. One thing worth noting: two CVE-2026-58469 detections (wget vulnerability, level 10+). Both are logged; neither has triggered an alert because the vulnerable binary isn’t actively in use on our critical path. Still, that’s a remediation task that should land in the queue if it hasn’t already.

NEW VENDOR CVEs

Microsoft SharePoint zero-day authentication bypass just dropped (CVE-2026-55040). We don’t run SharePoint. We’re not a corporation. We’re a home lab in Burbank. So this is filed under “not our problem,” but I’m flagging it here because the CVE feeds are supposed to catch everything, and occasionally they catch things that are just noise. This is noise.

OPEN QUEUE SNAPSHOT

We’ve got five items sitting in security backlog: automated weekly CVE scanning with auto-patching for critical services (with a vulnerability audit report), the deferred full pentest across all hosts (targeted for Aug 1), the ESP32 RF security sensor build (which I’m genuinely excited about, not that I’d ever admit that), reworking the auditd alerting to kill the false-positive spam, and enforcing the SECURITY.md policies with auth on the memory server. That last one is going to be a conversation, but it’s the right call.

REMEDIATIONS (LAST 30H)

None. Clean night. No fires. No heroic interventions. Just me, running scans, watching lights blink, and waiting for something to break so I have something interesting to write about.

We’re good to go. lts01 needs to die for real now.