infraudit
Linux server security auditing from the command line.
A single binary you drop on any Linux server to audit its security posture. No dependencies, no agents, no runtime — just copy and run. Validates 287 checks across 17 categories based on CIS Benchmarks, DISA STIG, and industry best practices.
Why infraudit?
How infraudit compares to other Linux security auditing tools:
| Feature | infraudit | Lynis | CIS-CAT Pro | OpenSCAP |
|---|---|---|---|---|
| License | BSL-1.1 (free internal use) | GPL-3.0 | Commercial | LGPL |
| Security Checks | 287 | ~400 | Varies by benchmark | Varies by profile |
| CIS Mapping | ~90% Level 1 & 2 | Partial | Full | Full |
| Dependencies | Zero (single static binary) | Bash + system tools | Java runtime | Multiple libraries |
| Remote SSH Scan | Built-in (zero-install) | No | No | No |
| CI/CD GitHub Action | Official | No | No | No |
| Plugin System | YAML | Shell | XML | XCCDF |
| Baseline Tracking | Built-in | No | Yes | No |
| Hardening Score | 0-100 with A-F grades | Hardening index | Pass/fail percentage | Pass/fail percentage |
| Price | Free (internal use) | Free / Enterprise paid | $$$ per host | Free |
Quick Start
```bash
# Install (detects architecture automatically)
curl -sL https://raw.githubusercontent.com/civanmoreno/infraudit/main/install.sh | sh

# Run full audit
sudo infraudit audit

# Audit a specific category
sudo infraudit audit --category auth

# Use a server profile
sudo infraudit audit --profile web-server

# Export as JSON for CI/CD
sudo infraudit audit --format json --output report.json

# Full command reference
man infraudit
```
Features
287 Security Checks
Each check includes severity, detailed findings, and the exact command to remediate.
17 Audit Categories
From SSH and PAM to Docker containers and TLS certificates — comprehensive server coverage.
Standards Based
Aligned with CIS Benchmarks (Ubuntu, RHEL, Debian), DISA STIG, and Lynis audit categories.
Single Binary
Written in Go. No dependencies, no runtime, no agents. Just copy and run on any Linux server.
Hardening Index
A 0–100 score weighted by severity with letter grades (A–F). Track your security posture over time.
Multiple Output Formats
Console with colors, JSON for CI/CD pipelines, YAML for config management, and self-contained HTML reports.
Server Profiles
Pre-built profiles for web servers, database servers, container hosts, and minimal installs.
What It Audits
infraudit inspects every layer of your server's security:
| Category | Checks | What it reviews |
|---|---|---|
| AUTH | 8 | SSH root login, password auth, UID 0 accounts, empty passwords, sudoers NOPASSWD, shadow file permissions |
| PAM | 5 | Password quality (pam_pwquality), reuse prevention, account lockout (pam_faillock), expiration policies |
| NET | 11 | Firewall active, open ports, IP forwarding, bind addresses, DNS/DNSSEC/DoT, SNMP v1/v2c, default community strings |
| SVC | 13 | Insecure services (telnet/rsh), SSH ciphers, NTP sync, fail2ban/crowdsec, MTA open relay, desktop environment |
| FS | 12 | SUID/SGID binaries, world-writable files, sticky bit, mount options (noexec/nosuid), /dev/shm, partitions |
| LOG | 9 | Syslog/journald, auditd rules, log rotation, log permissions, AIDE file integrity monitoring |
| PKG | 4 | Pending security updates, HTTPS repos, kernel updates, automatic security patches |
| HARD | 12 | ASLR, core dumps, ptrace, dmesg restrict, kernel modules (USB, wireless, firewire), bluetooth |
| BOOT | 8 | GRUB password, bootloader permissions, Secure Boot, SELinux/AppArmor enforcing, unconfined processes |
| CRON | 7 | Crontab permissions, cron directories, cron.allow/deny whitelist, suspicious jobs (curl/wget/nc in cron) |
| CRYPTO | 9 | Expired certificates, TLS 1.0/1.1, weak ciphers (RC4/DES/3DES), private key permissions, MD5 password hashes |
| SEC | 4 | Secrets in env vars, passwords in bash_history, world-readable credential files (.pgpass, .my.cnf, .aws/credentials) |
| CTR | 11 | Docker socket permissions, containers as root, privileged mode, resource limits, content trust, ICC, logging |
| RLIM | 7 | Open files limit, nproc (fork bomb protection), disk usage >85%, inode exhaustion |
| NFS | 4 | NFS world exports, no_root_squash, Samba guest access, rpcbind when unused |
| MAL | 4 | rkhunter/chkrootkit installed, scheduled scans, ClamAV, malware definitions up to date |
| BAK | 4 | Backup schedule exists, backups encrypted, backup permissions, off-site/off-host backup |
See the Checks Reference for detailed descriptions, security impact, and remediation for every check.
Where You Can Run It
Any Linux server with root access:
VPS Providers
DigitalOcean, Linode, Vultr, Hetzner, OVH, Contabo
Cloud
AWS EC2, GCP Compute Engine, Azure VMs, Oracle Cloud
Bare Metal
Dedicated servers, colocation, on-premise datacenters
ARM Servers
AWS Graviton, Oracle Ampere, Raspberry Pi, Apple Silicon VMs
Supported distros: Ubuntu, Debian, RHEL, CentOS, Fedora, AlmaLinux, Rocky Linux, and any systemd-based distribution.
Sample Output
```
infraudit v2.2.1 — Security Audit Report
────────────────────────────────────────────────────
AUTH — Users & Authentication 5 passed 2 warn 1 fail
──────────────────────────────────────────────────────────────
✗ FAIL AUTH-001 CRITICAL PermitRootLogin is set to 'yes'
  ↳ Set 'PermitRootLogin no' in /etc/ssh/sshd_config
! WARN AUTH-006 HIGH Found 2 NOPASSWD entries in sudoers
  ↳ Review NOPASSWD entries and remove unnecessary ones
✓ PASS AUTH-003 CRITICAL Only root has UID 0
✓ PASS AUTH-007 HIGH Permissions correct
══════════════════════════════════════════════════════════════
SUMMARY
████████████████████████████████████████ 5/8 checks
✓ 5 Passed ! 2 Warnings ✗ 1 Failures 0 Errors
Hardening Index: 72/100 (C)
══════════════════════════════════════════════════════════════
```
Also available in JSON, YAML, and HTML. See Output & Reports for details.
Severity Levels
| Level | Risk | Response Time |
|---|---|---|
| CRITICAL | Exploitable vulnerability — attacker can gain access or full system control | Immediate |
| HIGH | Significant risk — may enable privilege escalation or data exposure | Within days |
| MEDIUM | Security best practice not applied — increases overall risk | Within weeks |
| LOW | Recommended improvement — defense-in-depth measure | Backlog |
| INFO | Informational — no action needed | None |
Exit Codes
For scripting and CI/CD pipeline integration:
| Code | Meaning | CI/CD Action |
|---|---|---|
| 0 | All checks passed | Proceed — system meets security requirements |
| 1 | Warnings found (no failures) | Review recommended before production |
| 2 | Failures or errors found | Block deployment — resolve issues first |
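A pipeline gate built on the exit codes above. This is an added example, not part of the infraudit project; `INFRAUDIT_CMD`, `WARN_POLICY`, `REPORT` and the file name `gate.sh` are names assumed here. It also covers the case the table leaves out: a status other than 0, 1 or 2 means the audit never completed, so the gate fails closed.

```shell
#!/bin/sh
# Added example: deployment gate keyed on infraudit's documented exit codes.
# INFRAUDIT_CMD, WARN_POLICY and REPORT are assumed names, not infraudit settings.

# Translate an exit code into a gate decision.
#   $1 = exit code, $2 = policy for code 1: "review" (default) or "block"
gate_decision() {
    case "$1" in
        0) echo proceed ;;
        1) if [ "${2:-review}" = block ]; then echo block; else echo review; fi ;;
        2) echo block ;;
        # Not a documented code (e.g. 126/127, or killed by a signal): the
        # audit did not complete, so fail closed rather than wave it through.
        *) echo error ;;
    esac
}

run_gate() {
    rc=0
    # "|| rc=$?" keeps the status inspectable even when the job runs under set -e.
    ${INFRAUDIT_CMD:-sudo infraudit} audit --format json \
        --output "${REPORT:-report.json}" || rc=$?
    decision=$(gate_decision "$rc" "${WARN_POLICY:-review}")
    echo "infraudit exit=$rc decision=$decision" >&2
    case "$decision" in
        proceed|review) return 0 ;;
        *) return 1 ;;
    esac
}

# Run as a pipeline step with: sh gate.sh --run
if [ "${1:-}" = "--run" ]; then
    run_gate
    exit $?
fi
```

If the job already runs as root, set `INFRAUDIT_CMD=infraudit`: `sudo` itself exits with 1 when it cannot run the command, which would otherwise be read as a warnings-only result.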
Standards Coverage
| Standard | Coverage |
|---|---|
| CIS Benchmark Level 1 | ~90% of applicable controls |
| CIS Benchmark Level 2 | ~90% of applicable controls |
| DISA STIG | Key findings covered |
| Lynis categories | All major categories mapped |