Lightweight kernel hardening audit tool for Linux forensic triage and security baseline verification.
LinSpec = Linux + Inspection (Specification).
A forensic entry-point that checks whether kernel-level protections are enforced before deeper analysis.
LinSpec audits the Linux kernel's security posture in real time. It reads from /proc/sys and /sys/devices, classifies parameters as PASS / WARN / VULN, and produces structured reports.
29 security checks across 7 categories:
| Category | Checks |
|---|---|
| Memory | ASLR, mmap_min_addr |
| Kernel | kptr_restrict, ptrace_scope, dmesg_restrict, userns_clone, kexec_disabled, perf_event_paranoid, unpriv_bpf, ftrace_enabled, core_uses_pid, sysrq |
| Network | bpf_jit_harden, tcp_syncookies, ip_forward, rp_filter, tcp_rfc1337, icmp_ignore_bogus, arp_ignore, arp_announce |
| Filesystem | protected_symlinks, protected_hardlinks |
| CPU | spectre_v2, meltdown, l1tf, mds |
| Crypto | entropy_avail |
| Exec | core_pattern |
- 29 kernel security checks with CVE mapping
- Automated remediation (
--apply) - Watch mode with configurable interval (
--watch) - Customizable profiles (JSON-based baselines)
- HTML / JSON / CSV report export
- Pure C99, zero dependencies (optional:
curlfor--webhook) - Passive inspection (read-only by default)
- PIE + RELRO + FORTIFY hardened binary
- Natively compatible with LinDash via
--webhook
git clone https://github.com/jeffersoncesarantunes/LinSpec.git
cd LinSpec
# Build the project
make
# (Optional) Clean rebuild from scratch
make clean && make
# Run
sudo ./linspec --json --csv --htmlLinSpec v2.0.0 - Kernel Hardening Audit Tool
Usage: linspec [options]
Options:
-j, --json Export JSON report
-c, --csv Export CSV report
-H, --html Export HTML report
-o, --output-dir DIR Output directory (default: reports/)
-p, --profile FILE Load custom audit profile
-a, --apply Apply remediation for VULN/WARN checks
-f, --force Skip confirmation prompt for --apply
-w, --watch SEC Watch mode with interval in seconds
-W, --webhook URL POST JSON report to URL (uses LINSPEC_API_KEY env)
-V, --version Show version
-h, --help Show this help
# Full audit with all reports
sudo ./linspec -j -c -H
# Custom output directory
sudo ./linspec -j -o /tmp/audit
# Use a custom profile
sudo ./linspec -j -p profiles/cis_benchmark.json
# Apply fixes automatically
sudo ./linspec -j -a -f
# Watch mode (check every 300 seconds)
sudo ./linspec -w 300 -j
# Send JSON report to LinDash
sudo LINSPEC_API_KEY=your-key ./linspec -j --webhook http://localhost:5000/api/scanThe --apply flag writes hardened sysctl values for remediable checks:
- Backs up the current value before changing
- Verifies the write by reading back
- Confirms each change unless
--forceis used - Requires root privileges
Profiles allow customizing the expected baseline. Format:
{
"name": "My Profile",
"description": "Custom hardened baseline",
"version": "1.0.0",
"checks": {
"aslr": { "expected": 2, "op": "eq" },
"kptr_restrict": { "expected": 2, "op": "ge" }
}
}Built-in profiles:
profiles/default.jsonβ LinSpec default baselineprofiles/cis_benchmark.jsonβ CIS Benchmark aligned
| Format | File | Content |
|---|---|---|
| JSON | report.json |
Machine-readable with CVE mappings, hostname/kernel/os metadata, status/category/message per check |
| CSV | report.csv |
Tabular with id, name, result, status, category, current, expected, detail |
| HTML | report.html |
Self-contained dark-themed report |
Each JSON check now includes status (PASS/WARN/VULN/SKIP), category (string), and message fields β natively compatible with LinDash.
LinSpec is Phase 1 (Audit) of a three-stage forensic workflow:
Phase 1: LinSpec (Audit) --> report.json
Phase 2: S.I.R.E.N (Acquire) --> memory dump + SHA256
Phase 3: K-Scanner (Analyze) --> RWX detection + YARA
- High-performance C99 Core Engine
- 29 Security Checks Across 7 Categories
- Side-channel Vulnerability Detection (Spectre/Meltdown/L1TF/MDS)
- Automated Remediation with Verification
- Customizable Profile System
- HTML / JSON / CSV Export
- Watch Mode (Continuous Monitoring)
- CVE Mapping Per Check
- Ecosystem Integration (S.I.R.E.N / K-Scanner)
- CI/CD (CodeQL + Gitleaks)
- Docker Container Image
- Test Suite (Shell-based)
make # production build (stripped, hardened)
make debug # debug build with symbols
make test # run test suite
make lint # static analysis (cppcheck + clang)
make docker # build Docker image
make install # install to /usr/local/binβββ docs/
β βββ architecture.md
β βββ audit_reference.md
β βββ forensic_methodology.md
β βββ threat_model.md
βββ Images/
β βββ linspec1.png
β βββ linspec2.png
β βββ linspec3.png
βββ include/
β βββ remediator.h
βββ man/
β βββ linspec.1
βββ profiles/
β βββ cis_benchmark.json
β βββ default.json
βββ scripts/
β βββ install.sh
βββ src/
β βββ checks.h
β βββ main.c
β βββ remediator.c
β βββ system_audit.c
βββ tests/
β βββ run_tests.sh
βββ Dockerfile
βββ LICENSE
βββ Makefile
βββ SECURITY.md
βββ README.md
--output-dirrejects path traversal sequences (..)- Remediation requires root (
geteuid() != 0) - No
system()orpopen()calls β all external execution viaexeclpwith separate arguments - Binary built with PIE, RELRO, NOW, no-exec stack,
_FORTIFY_SOURCE=2, stack protector


