Getting Started

Get infraudit running on your server in under a minute.

Installation

Option 1: Install script (recommended)

One command. Detects your server's architecture automatically and installs the correct binary:

curl -sL https://raw.githubusercontent.com/civanmoreno/infraudit/main/install.sh | sh

Option 2: Homebrew

brew tap civanmoreno/tap https://github.com/civanmoreno/infraudit.git
brew install infraudit

Option 3: Build from source

Requires Go 1.25+:

git clone https://github.com/civanmoreno/infraudit.git
cd infraudit
make build
sudo mv infraudit /usr/local/bin/
sudo make install-man  # Install man page (optional)

Option 4: Docker

docker build -t infraudit .
docker run --rm --privileged -v /:/host:ro infraudit audit

Commands

infraudit has three main commands:

Command	Description
`infraudit audit`	Run security checks and generate a report
`infraudit explain <ID>`	Explain a check in detail: CIS mapping, why it matters, remediation commands, verify fix, risk level (--run to also execute)
`infraudit diff <a> <b>`	Compare two JSON audit reports — shows improvements, regressions, and score delta
`infraudit scan --host user@server`	Audit a remote server via SSH — no installation needed on the remote
`infraudit doctor`	Check system readiness — shows available tools, permissions, and category readiness
`infraudit audit --enforce-policy`	Enforce a compliance policy — fails if score, findings, or required checks don't meet the policy
`infraudit compliance report.json`	Generate CIS Benchmark compliance report with % per section and gaps
`infraudit baseline save`	Save current audit as baseline for regression detection
`infraudit baseline check`	Run audit and compare against baseline — exit 1 on regressions
`infraudit list`	Show all available checks in a table
`infraudit categories`	Show available categories with check counts
`infraudit completion`	Generate shell autocompletion (bash, zsh, fish, powershell)

Basic Usage

Run a full audit

Most checks require root to read system configurations:

sudo infraudit audit

Audit a specific category

# Only authentication checks
sudo infraudit audit --category auth

# Only network and firewall checks
sudo infraudit audit --category network

List all available checks

infraudit list

Output:

ID          CATEGORY    SEVERITY  NAME
──          ────────    ────────  ────
AUTH-001    auth        CRITICAL  SSH root login disabled
AUTH-002    auth        HIGH      SSH password authentication disabled
AUTH-003    auth        CRITICAL  Only root has UID 0
...
Total: 287 checks

Export results

# JSON for CI/CD pipelines
sudo infraudit audit --format json --output report.json

# YAML for config management
sudo infraudit audit --format yaml --output report.yaml

Skip specific checks

# Skip checks you've accepted the risk for
sudo infraudit audit --skip HARD-007,SVC-012

# Combine skip with category filter
sudo infraudit audit --category auth --skip AUTH-008

Server Profiles

Profiles automatically skip categories not relevant to your server role and configure allowed ports:

# Web server — skips container & NFS, allows ports 22/80/443
sudo infraudit audit --profile web-server

# Database server — skips container & NFS, allows DB ports
sudo infraudit audit --profile db-server

# Container host — skips NFS, allows ports 22/80/443/2376
sudo infraudit audit --profile container-host

# Minimal — skips container, NFS, malware, backup categories
sudo infraudit audit --profile minimal

Complete CLI Reference

`infraudit` (root command)

Flag	Description
`-v, --version`	Print version information (`infraudit v2.2.1`)
`-h, --help`	Show help for the root command

`infraudit audit`

Execute security checks and generate a report.

Flag	Default	Description
`--category <name>`	(all)	Filter by category (comma-separated). Valid values: `auth`, `pam`, `network`, `services`, `filesystem`, `logging`, `packages`, `hardening`, `boot`, `cron`, `crypto`, `secrets`, `container`, `rlimit`, `nfs`, `malware`, `backup`
`--format <type>`	`console`	Output format. Values: `console` (colored table), `json` (machine-readable), `yaml` (structured text), `html` (visual report)
`--output <file>`	(stdout)	Write report to a file instead of stdout
`--profile <name>`	(none)	Apply a server profile. Values: `web-server`, `db-server`, `container-host`, `minimal`
`--skip <ids>`	(none)	Comma-separated list of check IDs to skip (e.g. `--skip HARD-007,NET-008`)
`--parallel <N>`	`0`	Run checks in parallel with N workers (0=sequential). Example: `--parallel 4`
`-q, --quiet`	`false`	Suppress progress output (auto-disabled in pipes)
`--severity-min`	(none)	Show only results at or above this severity level
`--check`	(none)	Run a single check by ID
`--status <statuses>`	(all)	Show only results with these statuses (comma-separated: `pass`, `warn`, `fail`, `error`). Summary and score reflect the full audit.
`--ignore-errors`	`false`	Don't count errors toward exit code 2
`-h, --help`		Show help for the audit command

`infraudit list`

Display all registered checks in a table with ID, category, severity, and name.

Flag	Description
`-h, --help`	Show help for the list command

`infraudit completion <shell>`

Generate autocompletion scripts for your shell:

# Bash
infraudit completion bash > /etc/bash_completion.d/infraudit

# Zsh
infraudit completion zsh > "${fpath[1]}/_infraudit"

# Fish
infraudit completion fish > ~/.config/fish/completions/infraudit.fish

Available Categories

Category	Prefix	Checks	Description
`auth`	AUTH-	8	Users, SSH, sudoers, passwords
`pam`	PAM-	5	PAM, password quality, lockout
`network`	NET-	11	Firewall, ports, DNS, SNMP
`services`	SVC-	13	Daemons, NTP, MTA, desktop
`filesystem`	FS-	12	Permissions, SUID, partitions
`logging`	LOG-	9	Syslog, auditd, AIDE
`packages`	PKG-	4	Updates, repos, kernel
`hardening`	HARD-	12	Kernel params, ASLR, modules
`boot`	BOOT-	8	GRUB, Secure Boot, SELinux/AppArmor
`cron`	CRON-	7	Cron/at permissions, job review
`crypto`	CRYPTO-	9	TLS, certificates, ciphers
`secrets`	SEC-	4	Exposed credentials, history
`container`	CTR-	11	Docker/Podman security
`rlimit`	RLIM-	7	Resource limits, disk, inodes
`nfs`	NFS-	4	NFS exports, Samba, rpcbind
`malware`	MAL-	4	Rootkits, antimalware
`backup`	BAK-	4	Backups, encryption, off-site

Exit Codes

Code	Meaning	Action
`0`	All checks passed	System meets security requirements
`1`	Warnings found (no failures)	Review recommended
`2`	Failures or errors found	Action required — fix critical issues

Permissions

infraudit reads system files like /etc/shadow, /etc/ssh/sshd_config, and kernel parameters. Most checks require root access. Checks that cannot run without proper permissions will report as ERROR with a clear message.

infraudit is read-only — it never modifies your system. It only inspects configurations and reports findings.

Configuration File

For persistent settings (skip lists, allowed ports), create a JSON config file. See Configuration for details.

# Example: ~/.infraudit.json
{
  "skip": ["HARD-007", "SVC-012"],
  "skip_categories": ["container"],
  "allowed_ports": [22, 80, 443]
}

Man Page

infraudit includes a Unix man page with the complete command reference. After installation:

man infraudit

If you built from source, install it with:

sudo make install-man