Configuration

infraudit can be configured via CLI flags (per-run) and JSON config files (persistent). CLI flags always take the highest priority.

CLI Flags Reference

Every flag available in infraudit, organized by command.

infraudit

| Flag | Description |
|---|---|
| -v, --version | Print version (infraudit v2.2.1) |
| -h, --help | Show help |

infraudit audit

| Flag | Default | Description | Example |
|---|---|---|---|
| --category | (all) | Filter by category (comma-separated: auth,network,crypto) | --category auth |
| --format | console | Output format: console, json, yaml, html | --format html |
| --output | (stdout) | Write report to file | --output report.json |
| --profile | (none) | Server profile to apply | --profile web-server |
| --skip | (none) | Comma-separated check IDs to skip | --skip HARD-007,NET-008 |
| --parallel | 0 | Run checks in parallel with N workers (0=sequential) | --parallel 4 |
| -q, --quiet | false | Suppress progress output (auto-disabled in pipes) | --quiet |
| --severity-min | (none) | Show only results at or above this severity level | --severity-min high |
| --check | (none) | Run a single check by ID | --check AUTH-001 |
| --ignore-errors | false | Don't count errors toward exit code 2 | --ignore-errors |
| -h, --help | | Show help for audit command | |

infraudit list

| Flag | Description |
|---|---|
| -h, --help | Show help for list command |

The list command shows all 287 registered checks with their ID, category, severity, and name. It does not accept filters — use it to discover check IDs for --skip or --category.

infraudit completion <shell>

Generates shell autocompletion scripts. Supported shells: bash, zsh, fish, powershell.

```bash
# Bash — load in current session
source <(infraudit completion bash)

# Bash — install permanently
infraudit completion bash > /etc/bash_completion.d/infraudit

# Zsh
infraudit completion zsh > "${fpath[1]}/_infraudit"

# Fish
infraudit completion fish > ~/.config/fish/completions/infraudit.fish
```

Config File

For persistent settings that apply on every run, create a JSON config file. infraudit loads and merges all config files found (system → user → directory), with deduplication:

| Priority | Path | Scope |
|---|---|---|
| 1 | /etc/infraudit/config.json | System-wide — applies to all users |
| 2 | ~/.infraudit.json | User-level — applies to current user |
| 3 | ./.infraudit.json | Directory-level — applies in current directory |

CLI flags (--skip, --profile) are merged with the config file — they don't replace it.

Config File Fields

| Field | Type | Description | Example |
|---|---|---|---|
| skip | string array | Check IDs to skip on every run | ["HARD-007", "SVC-012"] |
| skip_categories | string array | Entire categories to skip | ["container", "nfs"] |
| allowed_ports | int array | Ports considered acceptable for NET-002 | [22, 80, 443] |
| allowed_root_processes | string array | Process names allowed as root for SVC-008 | ["sshd", "nginx"] |
| allowed_suid | string array | SUID/SGID binaries to ignore for FS-001 | ["/opt/myapp/bin/helper"] |
| command_timeout | int | Override default timeout (seconds) for external commands | 30 |

Example Config File

```json
// ~/.infraudit.json
{
  "skip": [
    "HARD-007",    // Swap — unencrypted by design
    "NET-008",     // IPv6 — used in this environment
    "SVC-012"      // Desktop env — this is a jump box
  ],
  "skip_categories": [
    "container",   // No Docker on this server
    "nfs"          // No NFS in use
  ],
  "allowed_ports": [22, 80, 443],
  "allowed_root_processes": ["sshd", "nginx", "fail2ban"],
  "allowed_suid": ["/opt/myapp/bin/helper"],
  "command_timeout": 30
}
```

Server Profiles

Profiles are pre-built configurations for common server types. Use --profile <name> with infraudit audit. Profiles are merged with your config file — profile skips are added to any skips already defined.

| Profile | Description | Skipped Categories | Allowed Ports |
|---|---|---|---|
| web-server | Nginx/Apache web servers | container, nfs | 22, 80, 443 |
| db-server | PostgreSQL, MySQL, Redis, MongoDB | container, nfs | 22, 3306, 5432, 6379, 27017 |
| container-host | Docker/Podman container hosts | nfs | 22, 80, 443, 2376 |
| minimal | Minimal server, core checks only | container, nfs, malware, backup | 22 |

```bash
# Profile + custom skip + JSON output
sudo infraudit audit --profile web-server --skip AUTH-008 --format json --output report.json
```

Custom Checks (Plugins)

Define your own checks in /etc/infraudit/checks.d/*.yaml without recompiling infraudit. Plugin checks are loaded automatically during audits and appear in reports alongside the 287 built-in checks.

Plugin Format

```yaml
id: CUSTOM-001                       # Unique check ID
name: App config has secure mode     # Human-readable name
category: custom                     # Category (new or existing)
severity: high                       # critical, high, medium, low, info
description: Verify secure mode      # What this check validates
remediation: Set secure_mode=true    # How to fix if it fails

# Optional: restrict to specific systems
os: [debian, redhat]                 # Only run on these OS families
init: systemd                        # Require systemd
pkg_manager: apt                     # Require apt

rule:
  type: file_contains                # Rule type (see below)
  path: /etc/myapp/config            # File to inspect
  pattern: "secure_mode=true"        # Regex pattern to match
```

Rule Types

| Type | Description | PASS when | Required Fields |
|---|---|---|---|
| file_exists | Verify a file exists | File is present | path |
| file_missing | Verify a file does NOT exist | File is absent | path |
| file_contains | Search for a regex pattern in file content | Pattern matches a line | path, pattern |
| file_not_contains | Verify a regex pattern is NOT in file content | No line matches pattern | path, pattern |
| file_perms | Verify file permissions don't exceed a maximum | Permissions ≤ max_perm | path, max_perm (octal, e.g. "0600") |
| command | Execute a command and evaluate stdout | expect matches or expect_fail doesn't match | command, expect or expect_fail (args is optional; see the Docker example below) |

Plugin Examples

```yaml
# Verify nginx hides version information
id: CUSTOM-002
name: Nginx hides server version
category: hardening
severity: medium
remediation: Add "server_tokens off" to nginx.conf
rule:
  type: file_contains
  path: /etc/nginx/nginx.conf
  pattern: "server_tokens\\s+off"
```

```yaml
# Verify no database dumps in /tmp
id: CUSTOM-003
name: No database dump in /tmp
category: secrets
severity: critical
remediation: Remove the dump file immediately
rule:
  type: file_missing
  path: /tmp/production.sql
```

```yaml
# Verify application secrets file permissions
id: CUSTOM-004
name: App secrets file permissions
category: secrets
severity: high
remediation: "chmod 600 /opt/myapp/.env"
rule:
  type: file_perms
  path: /opt/myapp/.env
  max_perm: "0600"
```

```yaml
# Verify Docker uses overlay2 storage driver
id: CUSTOM-005
name: Docker uses overlay2 storage
category: container
severity: medium
init: systemd
remediation: Configure overlay2 in /etc/docker/daemon.json
rule:
  type: command
  command: docker
  args:
    - info
    - --format
    - "{{.Driver}}"
  expect: "overlay2"
```

Multiple Checks per File

Use the checks: key to define multiple checks in a single YAML file:

```yaml
checks:
  - id: MYAPP-001
    name: Config file exists
    category: custom
    severity: high
    description: Application config must be present
    rule:
      type: file_exists
      path: /etc/myapp/config

  - id: MYAPP-002
    name: Debug mode disabled
    category: custom
    severity: critical
    description: Debug must be off in production
    remediation: Set DEBUG=false in /etc/myapp/config
    rule:
      type: file_not_contains
      path: /etc/myapp/config
      pattern: "DEBUG=true"
```

Validation

Each plugin is validated at load time. Required: id, name, category, severity, and a valid rule.type with its required fields. Invalid plugins are skipped with a warning — they don't break the audit.
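As an added illustration (not infraudit's own code), here is a Python model of the plugin loader the Plugin Format, Rule Types and Validation sections describe: validate() applies the required-field rules from the table and the paragraph above, and evaluate() runs the file_* rule types against constructed sample files. It assumes that "permissions ≤ max_perm" means no mode bit set beyond the mask, that an unreadable file yields ERROR instead of aborting the audit, and it leaves the command rule type out.

```python
import os, re, stat, tempfile
from pathlib import Path

# Required top-level fields, then the fields each rule.type needs (Rule Types table).
REQUIRED = ("id", "name", "category", "severity")
RULE_FIELDS = {"file_exists": ("path",), "file_missing": ("path",),
               "file_contains": ("path", "pattern"), "file_not_contains": ("path", "pattern"),
               "file_perms": ("path", "max_perm"), "command": ("command",)}

def validate(check):  # returns the list of problems; [] means the plugin would load
    problems = [f"missing {f}" for f in REQUIRED if f not in check]
    rule = check.get("rule") or {}
    rtype = rule.get("type")
    if rtype not in RULE_FIELDS:
        return problems + [f"invalid rule.type {rtype!r}"]
    problems += [f"rule missing {f}" for f in RULE_FIELDS[rtype] if f not in rule]
    if rtype == "command" and not {"expect", "expect_fail"} & set(rule):
        problems.append("command rule needs expect or expect_fail")
    return problems

def evaluate(check):
    """PASS/FAIL for the file_* rule types, ERROR if the file is unreadable (command type omitted)."""
    rule = check["rule"]
    t, path = rule["type"], rule["path"]
    try:
        if t in ("file_exists", "file_missing"):
            return "PASS" if os.path.exists(path) == (t == "file_exists") else "FAIL"
        if t in ("file_contains", "file_not_contains"):
            with open(path, errors="replace") as fh:
                hit = any(re.search(rule["pattern"], line) for line in fh)
            return "PASS" if hit == (t == "file_contains") else "FAIL"
        # Assumed reading of "<= max_perm": no bit beyond the mask, so 0644 fails against "0600".
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return "PASS" if mode & ~int(rule["max_perm"], 8) == 0 else "FAIL"
    except OSError:  # missing or unreadable file: report it, don't abort the audit
        return "ERROR"

def demo():
    d = tempfile.mkdtemp()  # constructed sample files, not a real host
    cfg, env = os.path.join(d, "config"), os.path.join(d, ".env")
    Path(cfg).write_text("secure_mode=true\nDEBUG=true\n")
    Path(env).write_text("API_KEY=example\n")
    os.chmod(env, 0o644)  # world-readable secrets file
    rules = {
        "secure": {"type": "file_contains", "path": cfg, "pattern": "secure_mode=true"},
        "debug": {"type": "file_not_contains", "path": cfg, "pattern": "DEBUG=true"},
        "perms": {"type": "file_perms", "path": env, "max_perm": "0600"},
        "dump": {"type": "file_missing", "path": os.path.join(d, "production.sql")},
    }
    return {k: evaluate({"rule": r}) for k, r in rules.items()}
```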

Baseline & Regression Detection

Save audit snapshots as baselines and compare future audits against them to detect regressions. Useful for CI/CD pipelines and change management.

Commands

| Command | Description |
|---|---|
| infraudit baseline save | Run a full audit and save the result as a baseline snapshot |
| infraudit baseline check | Run audit, compare against baseline, report regressions and improvements |
| infraudit baseline show | Display saved baseline info (score, date, host, OS) |
| infraudit baseline clear | Remove the saved baseline |

Default baseline path: /etc/infraudit/baseline.json. Override with --file <path>.

Usage

```bash
# Save current state as baseline
sudo infraudit baseline save

# After changes, check for regressions
sudo infraudit baseline check

# View baseline details
infraudit baseline show

# Remove baseline
infraudit baseline clear
```

CI/CD Integration

baseline check exits with code 1 if any regressions are found (a check that was PASS is now FAIL/WARN). Use this in pipelines to block deployments that degrade security posture:

```bash
# In CI pipeline
sudo infraudit baseline check
if [ $? -eq 1 ]; then
    echo "Security regression detected — blocking deployment"
    exit 1
fi
```
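An added Python sketch (not infraudit's own code) of the comparison that baseline check performs, using the page's definition of a regression. The baseline layout is assumed to be a flat check-ID to status mapping and the sample results are constructed; checks present on only one side are reported separately, since a new check that fails is not a regression under that definition but still deserves a look.

```python
# Constructed sample results. The real baseline.json layout is not shown on the
# page, so a flat {check_id: status} mapping is assumed for both snapshots.
BASELINE = {"AUTH-001": "PASS", "NET-002": "PASS", "HARD-007": "FAIL", "SVC-008": "WARN"}
CURRENT = {"AUTH-001": "PASS", "NET-002": "WARN", "HARD-007": "PASS",
           "SVC-008": "WARN", "CUSTOM-001": "FAIL"}

def compare(baseline, current):
    """Regression = was PASS, now FAIL or WARN (the page's definition); improvement = the reverse.
    Checks present on one side only are reported separately rather than silently ignored."""
    report = {"regressions": [], "improvements": [], "new": [], "removed": []}
    for cid, now in sorted(current.items()):
        before = baseline.get(cid)
        if before is None:
            report["new"].append((cid, now))          # not in baseline: never PASS before
        elif before == "PASS" and now in ("FAIL", "WARN"):
            report["regressions"].append((cid, before, now))
        elif before in ("FAIL", "WARN") and now == "PASS":
            report["improvements"].append((cid, before, now))
    report["removed"] = sorted(cid for cid in baseline if cid not in current)
    return report

def exit_code(report):
    """Mirror baseline check's CI contract: 1 when any regression exists, otherwise 0."""
    return 1 if report["regressions"] else 0
```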

Exit Codes

| Code | Meaning | CI/CD Action |
|---|---|---|
| 0 | All checks passed | Proceed |
| 1 | Warnings found (no failures) | Review before production |
| 2 | Failures or errors found | Block — fix issues first |

Common Examples

```bash
# Full audit as root
sudo infraudit audit

# Quick check of auth and network
sudo infraudit audit --category auth
sudo infraudit audit --category network

# Web server audit to JSON file
sudo infraudit audit --profile web-server --format json --output /var/log/infraudit.json

# Skip accepted risks
sudo infraudit audit --skip HARD-007,NET-003,SVC-012

# See what checks are available
infraudit list

# Check version
infraudit --version
```