Skip to content

jeffersoncesarantunes/LinSpec

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

71 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

LinSpec

Lightweight kernel hardening audit tool for Linux forensic triage and security baseline verification.

Platform-Linux Language-C99 License-MIT Status CI CodeQL Docker Tested-on Domain


Etymology

LinSpec = Linux + Inspection (Specification).

A forensic entry-point that checks whether kernel-level protections are enforced before deeper analysis.


Overview

LinSpec audits the Linux kernel's security posture in real time. It reads from /proc/sys and /sys/devices, classifies parameters as PASS / WARN / VULN, and produces structured reports.

29 security checks across 7 categories:

Category Checks
Memory ASLR, mmap_min_addr
Kernel kptr_restrict, ptrace_scope, dmesg_restrict, userns_clone, kexec_disabled, perf_event_paranoid, unpriv_bpf, ftrace_enabled, core_uses_pid, sysrq
Network bpf_jit_harden, tcp_syncookies, ip_forward, rp_filter, tcp_rfc1337, icmp_ignore_bogus, arp_ignore, arp_announce
Filesystem protected_symlinks, protected_hardlinks
CPU spectre_v2, meltdown, l1tf, mds
Crypto entropy_avail
Exec core_pattern

Features

  • 29 kernel security checks with CVE mapping
  • Automated remediation (--apply)
  • Watch mode with configurable interval (--watch)
  • Customizable profiles (JSON-based baselines)
  • HTML / JSON / CSV report export
  • Pure C99, zero dependencies (optional: curl for --webhook)
  • Passive inspection (read-only by default)
  • PIE + RELRO + FORTIFY hardened binary
  • Natively compatible with LinDash via --webhook

Screenshots

LinSpec Screenshot 1 LinSpec Screenshot 2 LinSpec Screenshot 3


Quick Start

git clone https://github.com/jeffersoncesarantunes/LinSpec.git
cd LinSpec

# Build the project
make

# (Optional) Clean rebuild from scratch
make clean && make

# Run
sudo ./linspec --json --csv --html

Usage

LinSpec v2.0.0 - Kernel Hardening Audit Tool
Usage: linspec [options]

Options:
  -j, --json            Export JSON report
  -c, --csv             Export CSV report
  -H, --html            Export HTML report
  -o, --output-dir DIR  Output directory (default: reports/)
  -p, --profile FILE    Load custom audit profile
  -a, --apply           Apply remediation for VULN/WARN checks
  -f, --force           Skip confirmation prompt for --apply
  -w, --watch SEC       Watch mode with interval in seconds
  -W, --webhook URL     POST JSON report to URL (uses LINSPEC_API_KEY env)
  -V, --version         Show version
  -h, --help            Show this help

Examples

# Full audit with all reports
sudo ./linspec -j -c -H

# Custom output directory
sudo ./linspec -j -o /tmp/audit

# Use a custom profile
sudo ./linspec -j -p profiles/cis_benchmark.json

# Apply fixes automatically
sudo ./linspec -j -a -f

# Watch mode (check every 300 seconds)
sudo ./linspec -w 300 -j

# Send JSON report to LinDash
sudo LINSPEC_API_KEY=your-key ./linspec -j --webhook http://localhost:5000/api/scan

Remediation

The --apply flag writes hardened sysctl values for remediable checks:

  • Backs up the current value before changing
  • Verifies the write by reading back
  • Confirms each change unless --force is used
  • Requires root privileges

Profiles

Profiles allow customizing the expected baseline. Format:

{
  "name": "My Profile",
  "description": "Custom hardened baseline",
  "version": "1.0.0",
  "checks": {
    "aslr": { "expected": 2, "op": "eq" },
    "kptr_restrict": { "expected": 2, "op": "ge" }
  }
}

Built-in profiles:

  • profiles/default.json β€” LinSpec default baseline
  • profiles/cis_benchmark.json β€” CIS Benchmark aligned

Reports

Format File Content
JSON report.json Machine-readable with CVE mappings, hostname/kernel/os metadata, status/category/message per check
CSV report.csv Tabular with id, name, result, status, category, current, expected, detail
HTML report.html Self-contained dark-themed report

Each JSON check now includes status (PASS/WARN/VULN/SKIP), category (string), and message fields β€” natively compatible with LinDash.


The Forensic Ecosystem

LinSpec is Phase 1 (Audit) of a three-stage forensic workflow:

Phase 1: LinSpec (Audit)      --> report.json
Phase 2: S.I.R.E.N (Acquire)  --> memory dump + SHA256
Phase 3: K-Scanner (Analyze)  --> RWX detection + YARA

Roadmap

  • High-performance C99 Core Engine
  • 29 Security Checks Across 7 Categories
  • Side-channel Vulnerability Detection (Spectre/Meltdown/L1TF/MDS)
  • Automated Remediation with Verification
  • Customizable Profile System
  • HTML / JSON / CSV Export
  • Watch Mode (Continuous Monitoring)
  • CVE Mapping Per Check
  • Ecosystem Integration (S.I.R.E.N / K-Scanner)
  • CI/CD (CodeQL + Gitleaks)
  • Docker Container Image
  • Test Suite (Shell-based)

Build

make              # production build (stripped, hardened)
make debug        # debug build with symbols
make test         # run test suite
make lint         # static analysis (cppcheck + clang)
make docker       # build Docker image
make install      # install to /usr/local/bin

Repository Structure

β”œβ”€β”€ docs/
β”‚   β”œβ”€β”€ architecture.md
β”‚   β”œβ”€β”€ audit_reference.md
β”‚   β”œβ”€β”€ forensic_methodology.md
β”‚   └── threat_model.md
β”œβ”€β”€ Images/
β”‚   β”œβ”€β”€ linspec1.png
β”‚   β”œβ”€β”€ linspec2.png
β”‚   └── linspec3.png
β”œβ”€β”€ include/
β”‚   └── remediator.h
β”œβ”€β”€ man/
β”‚   └── linspec.1
β”œβ”€β”€ profiles/
β”‚   β”œβ”€β”€ cis_benchmark.json
β”‚   └── default.json
β”œβ”€β”€ scripts/
β”‚   └── install.sh
β”œβ”€β”€ src/
β”‚   β”œβ”€β”€ checks.h
β”‚   β”œβ”€β”€ main.c
β”‚   β”œβ”€β”€ remediator.c
β”‚   └── system_audit.c
β”œβ”€β”€ tests/
β”‚   └── run_tests.sh
β”œβ”€β”€ Dockerfile
β”œβ”€β”€ LICENSE
β”œβ”€β”€ Makefile
β”œβ”€β”€ SECURITY.md
└── README.md

Security

  • --output-dir rejects path traversal sequences (..)
  • Remediation requires root (geteuid() != 0)
  • No system() or popen() calls β€” all external execution via execlp with separate arguments
  • Binary built with PIE, RELRO, NOW, no-exec stack, _FORTIFY_SOURCE=2, stack protector

Docs-Security


Documentation

Docs-Architecture Docs-Audit Docs-Methodology Docs-ThreatModel

About

🐧Lightweight forensic kernel hardening audit tool for Linux security baseline verification.

Topics

Resources

License

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors