# Roadmap

Development plan for infraudit, organized by phases.

## Phase 1: Scaffold (DONE)

- [x] Go module initialized with cobra
- [x] Root command with `--help` and `--version`
- [x] Version info package
- [x] Project structure established

## Phase 2: Audit Engine (DONE)

- [x] Check interface (ID, Name, Category, Severity, Run)
- [x] Result model (PASS / WARN / FAIL / ERROR + remediation)
- [x] Check registry with auto-discovery
- [x] `infraudit audit` command with category filtering
- [x] `infraudit list` command

## Phase 3–5: Core Checks (DONE)

- [x] AUTH — Users, SSH, sudoers (8 checks)
- [x] PAM — Password policies, lockout (5 checks)
- [x] NET — Firewall, ports, DNS, SNMP (11 checks)

## Phase 6–9: System Checks (DONE)

- [x] SVC — Services, NTP, MTA (13 checks)
- [x] FS — Filesystem, permissions, partitions (12 checks)
- [x] LOG — Logging, auditd, AIDE (9 checks)
- [x] PKG — Packages, updates, kernel (4 checks)

## Phase 10–12: Hardening Checks (DONE)

- [x] HARD — Kernel params, modules, ASLR (12 checks)
- [x] BOOT — GRUB, Secure Boot, SELinux/AppArmor (8 checks)
- [x] CRON — Cron/at permissions, job review (7 checks)

## Phase 13–15: Advanced Checks (DONE)

- [x] CRYPTO — TLS, certificates, ciphers, FIPS (9 checks)
- [x] SEC — Exposed secrets, credentials (4 checks)
- [x] CTR — Docker/Podman security (11 checks)

## Phase 16–19: Extended Checks (DONE)

- [x] RLIM — Resource limits, disk, inodes (7 checks)
- [x] NFS — Network filesystems, Samba (4 checks)
- [x] MAL — Rootkits, antimalware (4 checks)
- [x] BAK — Backups, encryption (4 checks)

## Phase 20–21: Output & Configuration (DONE)

- [x] Console output with ANSI colors and severity
- [x] Exit codes based on severity
- [x] Remediation recommendations
- [x] JSON and YAML export (`--format`)
- [x] File output (`--output`)
- [x] Skip checks (`--skip`)
- [x] Server profiles (`--profile`)
- [x] Config file (`~/.infraudit.json`)

## Phase 22: DevOps Hardening (DONE)

- [x] Command timeouts (`context.WithTimeout`) on all external commands
- [x] Makefile with build, test, lint, release, docker targets
- [x] golangci-lint config (`.golangci.yml`) and CI integration
- [x] Race detector in CI (`go test -race`)
- [x] Integration tests for helpers, config, and report
- [x] Dockerfile — multi-stage build
- [x] Config merge across levels with deduplication
- [x] Parallel check execution (`--parallel N`) with progress
- [x] CI hardening: coverage, SBOM, cosign signing

## Phase 23: CLI UX Improvements (DONE)

- [x] Auto-disable progress in pipes (TTY detection)
- [x] `--quiet` flag and ANSI escape line clearing
- [x] `--category` supports comma-separated values
- [x] `--check ID` for single check execution
- [x] `--severity-min` filter for results
- [x] `--ignore-errors` flag for exit code control
- [x] Duration in summary (console, JSON, YAML)
- [x] `list` command: sorted, filterable, JSON output
- [x] New `categories` subcommand

## Phase 24: HTML Report (DONE)

- [x] `--format html` generates a self-contained visual report
- [x] Dark theme with summary dashboard and progress bar
- [x] Checks grouped by category with status/severity badges
- [x] Responsive design and print-friendly CSS

## Phase 25: Hardening Index (Scoring) (DONE)

- [x] Scoring algorithm weighted by severity (CRITICAL=10, HIGH=5, MEDIUM=3, LOW=1)
- [x] PASS=full, WARN=half, FAIL=0, ERROR=excluded
- [x] Letter grade: A (≥90), B (≥80), C (≥70), D (≥60), F (<60)
- [x] Score in console, JSON, YAML, and HTML reports
- [x] Unit tests for scoring logic
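The scoring rule above fits in a few lines, and its edge cases (ERROR left out of the denominator, an audit in which nothing could be scored) are where implementations go wrong. The following Go example is added here and is not infraudit's own code: the `Result`, `Status` and `Severity` names and the treatment of SKIPPED as excluded are assumptions, while the weights and grade thresholds are the ones listed above.

```go
package main

import "fmt"

// Status and Severity follow the result model from Phase 2. The type and
// constant names are assumed; the weights and thresholds are Phase 25's.
type Status string
type Severity string

const (
	Pass    Status = "PASS"
	Warn    Status = "WARN"
	Fail    Status = "FAIL"
	Error   Status = "ERROR"
	Skipped Status = "SKIPPED" // Phase 43; assumed to be excluded like ERROR
)

const (
	Critical Severity = "CRITICAL"
	High     Severity = "HIGH"
	Medium   Severity = "MEDIUM"
	Low      Severity = "LOW"
)

// Result is one check outcome as it appears in a report.
type Result struct {
	ID       string
	Severity Severity
	Status   Status
}

// weights is the severity weighting: CRITICAL=10, HIGH=5, MEDIUM=3, LOW=1.
var weights = map[Severity]float64{Critical: 10, High: 5, Medium: 3, Low: 1}

// Score computes the Hardening Index over the whole result set. PASS earns
// the full weight, WARN half, FAIL nothing; ERROR and SKIPPED are left out of
// both numerator and denominator, so a check that could not run neither
// rewards nor penalises the host. It returns the 0..100 score, the letter
// grade and how many results were actually scored, so a caller can tell a
// genuine F apart from an audit in which nothing could be evaluated.
func Score(results []Result) (score float64, grade string, scored int) {
	var earned, possible float64
	for _, r := range results {
		w, ok := weights[r.Severity]
		if !ok {
			continue // unknown severity: ignore rather than guess a weight
		}
		switch r.Status {
		case Pass:
			earned += w
		case Warn:
			earned += w / 2
		case Fail:
			// earns nothing but still counts toward the possible total
		default:
			continue // ERROR, SKIPPED
		}
		possible += w
		scored++
	}
	if possible == 0 {
		return 0, "F", 0
	}
	score = earned / possible * 100
	return score, Grade(score), scored
}

// Grade maps a score to its letter: A (>=90), B (>=80), C (>=70), D (>=60), else F.
func Grade(score float64) string {
	switch {
	case score >= 90:
		return "A"
	case score >= 80:
		return "B"
	case score >= 70:
		return "C"
	case score >= 60:
		return "D"
	}
	return "F"
}

// SampleResults is a constructed five-check audit used for the demonstration.
func SampleResults() []Result {
	return []Result{
		{"AUTH-001", Critical, Pass}, // 10 of 10
		{"AUTH-002", High, Warn},     // 2.5 of 5
		{"NET-003", Medium, Fail},    // 0 of 3
		{"FS-001", Low, Pass},        // 1 of 1
		{"CRYPTO-002", High, Error},  // excluded: not scored at all
	}
}

func main() {
	score, grade, n := Score(SampleResults())
	fmt.Printf("Hardening Index: %.1f (%s) from %d scored checks\n", score, grade, n)
}
```

The five constructed results earn 13.5 of 19 possible points, a score of 71.1 and grade C. The ERROR on CRYPTO-002 neither helps nor hurts, which is also why a report with many errors should be read together with its error count (or the `scored` value here) rather than its score alone.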
## Phase 26: Quality Hardening (DONE)

- [x] Fix: UID string comparison bug in system account check
- [x] Fix: `moduleBlacklisted()` false positives on permission errors
- [x] Fix: certificate parse errors surfaced as warnings
- [x] SUID scan expanded to `/opt` and `/usr/local` with `-xdev`
- [x] SSH config parser handles `Key=Value` format
- [x] Details map added to SNMP, container, and crypto checks
- [x] Shared helpers: `ParsePasswd`, `ParseShadow`, `ParseMounts`
- [x] Config: `allowed_suid` whitelist for FS-001
- [x] Samba pattern matching normalized for spacing variants

## Phase 27: Code Consolidation (DONE)

- [x] Adopt shared `ParsePasswd`/`ParseShadow` helpers across auth, boot, and crypto checks
- [x] Adopt shared `ParseMounts`/`HasMountOption` across filesystem and hardening checks
- [x] Fix error handling: return `Error` instead of `Pass` when commands fail
- [x] Unit tests for shared helpers (`HasMountOption`, `ParseMounts`, `ParsePasswd`)
- [x] Documentation updated with Hardening Index and HTML output

## Phase 28: Check Validation Tests & Performance Cache (DONE)

- [x] Registry validation: 8 tests covering all 132 checks (IDs, categories, severities, prefixes)
- [x] Performance: `sync.Once` cache for `ParsePasswd`, `ParseShadow`, `ParseMounts`

## Phase 29: Status Filter (DONE)

- [x] `--status` flag to filter by result status (pass, warn, fail, error)
- [x] Score computed on the full audit, not the filtered view

## Phase 30: Man Page (DONE)

- [x] Full man page (`docs/infraudit.1`) with all commands, flags, and examples
- [x] `make install-man` target and `install.sh` integration

## Phase 31: Explain Command & Severity Breakdown (DONE)

- [x] `infraudit explain` command with CIS/STIG mapping and `--run` flag
- [x] Severity breakdown (critical/high/medium/low) in console summary

## Phase 32: Top Command, Markdown & Completions (DONE)

- [x] `infraudit top` — most critical findings sorted by severity
- [x] `--format markdown` for tickets and wikis
- [x] Shell completion for all flags (check IDs, categories, profiles, formats)

## Phase 33: Enhanced Explain — Remediation Guidance (DONE)

- [x] Copy-paste ready remediation commands for 50+ checks
- [x] Verification commands to confirm fixes were applied
- [x] Remediation risk level (LOW/MEDIUM/HIGH) with context
- [x] Expanded "why it matters" from 14 to 60+ checks
- [x] Remediation shown by default, without the `--run` flag

## Phase 34: Diff Command (DONE)

- [x] `infraudit diff` to compare two JSON audit reports
- [x] Detects improvements, regressions, new and removed checks
- [x] Hardening Index delta with color-coded score change
- [x] Exit code 1 on regressions for CI/CD gates

## Phase 35: Remote SSH Scanning (DONE)

- [x] `infraudit scan --host` for remote server auditing via SSH
- [x] Zero-install: copies the binary, executes it, collects results, cleans up
- [x] Multi-host support with concurrent scanning
- [x] Auto architecture detection and cross-compilation support
- [x] Fleet summary table with per-host scores
- [x] Password auth support via `--password` (uses sshpass); prefer key-based auth, since a password passed on the command line is visible to other local users in the process list

## Phase 36: SARIF Output (DONE)

- [x] `--format sarif` for GitHub Code Scanning integration
- [x] SARIF 2.1.0 compliant with rules, results, fixes, and locations
- [x] Severity mapped to CVSS-like `security-severity` scores
- [x] Compatible with GitHub, GitLab, and VS Code
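A SARIF log that Code Scanning will accept needs more than a list of findings: each `ruleId` should resolve to an entry in `tool.driver.rules`, the rule's `security-severity` property is what GitHub buckets on, and only actual findings belong in `results`. The Go example below is added here and is not infraudit's SARIF writer; the `Result` field names, the numeric severity mapping (9.0/7.0/5.0/3.0) and the use of the inspected file path as the location `uri` are assumptions, and the sample audit is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Result is the part of a check result the SARIF writer needs (field names
// assumed). File is the path the check inspected; a host audit has no source
// file, so that path becomes the SARIF location.
type Result struct {
	ID, Name, Severity, Status, Message, Remediation, File string
}

// securitySeverity maps a severity onto the CVSS-style "security-severity"
// rule property GitHub Code Scanning buckets on (>=9.0 critical, >=7.0 high,
// >=4.0 medium, else low). The exact values are assumed.
func securitySeverity(severity string) string {
	switch severity {
	case "CRITICAL":
		return "9.0"
	case "HIGH":
		return "7.0"
	case "MEDIUM":
		return "5.0"
	}
	return "3.0"
}

// sarifLevel maps a result status to a SARIF level. PASS, ERROR and SKIPPED
// yield no result object: the results array carries findings only.
func sarifLevel(status string) (string, bool) {
	switch status {
	case "FAIL":
		return "error", true
	case "WARN":
		return "warning", true
	}
	return "", false
}

// BuildSARIF returns a SARIF 2.1.0 log with one run. Every check becomes a
// rule, so Code Scanning can show its metadata even when it passed, and every
// FAIL or WARN becomes a result with a location and, if available, a fix.
func BuildSARIF(results []Result) map[string]any {
	rules := []map[string]any{}
	findings := []map[string]any{}
	for _, r := range results {
		rules = append(rules, map[string]any{
			"id":               r.ID,
			"name":             r.Name,
			"shortDescription": map[string]any{"text": r.Name},
			"properties":       map[string]any{"security-severity": securitySeverity(r.Severity)},
		})
		level, ok := sarifLevel(r.Status)
		if !ok {
			continue
		}
		finding := map[string]any{
			"ruleId":  r.ID,
			"level":   level,
			"message": map[string]any{"text": r.Message},
			"locations": []map[string]any{{"physicalLocation": map[string]any{
				"artifactLocation": map[string]any{"uri": r.File},
			}}},
		}
		if r.Remediation != "" {
			finding["fixes"] = []map[string]any{{"description": map[string]any{"text": r.Remediation}}}
		}
		findings = append(findings, finding)
	}
	return map[string]any{
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
		"version": "2.1.0",
		"runs": []map[string]any{{
			"tool":    map[string]any{"driver": map[string]any{"name": "infraudit", "rules": rules}},
			"results": findings,
		}},
	}
}

// SampleResults is a constructed three-check audit for the demonstration.
func SampleResults() []Result {
	return []Result{
		{"AUTH-003", "SSH root login disabled", "CRITICAL", "FAIL", "PermitRootLogin is yes",
			"Set PermitRootLogin no in /etc/ssh/sshd_config and reload sshd", "/etc/ssh/sshd_config"},
		{"PAM-002", "Account lockout configured", "HIGH", "WARN", "faillock deny threshold is 10",
			"Set deny = 5 in /etc/security/faillock.conf", "/etc/security/faillock.conf"},
		{"FS-004", "/tmp mounted noexec", "MEDIUM", "PASS", "", "", "/etc/fstab"},
	}
}

func main() {
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	if err := enc.Encode(BuildSARIF(SampleResults())); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Running it prints a log with three rules and two results; the passing FS-004 check still appears as a rule, so its description is available to the viewer, but produces no finding.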
## Phase 37: Doctor Command (DONE)

- [x] `infraudit doctor` — system readiness diagnostic
- [x] Detects core tools, security tools, firewall, container runtime
- [x] Category readiness summary with root access awareness
- [x] Remote scanning readiness (ssh, scp, sshpass)

## Phase 38: Policy-as-Code (DONE)

- [x] `--enforce-policy` flag for compliance enforcement
- [x] Policy rules: `min_score`, `max_critical`, `max_high`, `required_pass`, `ignore`
- [x] Auto-detection of policy file in standard locations
- [x] Exit code 1 on policy violation for CI/CD gates
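The five policy rules are simple individually, but a gate has two places to go wrong: a threshold of `0` must not be confused with "unset", and a misspelled key must not silently disable a rule. The Go example below is added here and is not infraudit's policy engine; the JSON policy format and key names, the report shape, counting only FAIL (not WARN) toward `max_critical`/`max_high`, and treating a required check that did not run as a violation are all assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"os"
)

// Policy holds the Phase 38 rules. The JSON keys and the file format (JSON,
// like ~/.infraudit.json) are assumptions. Thresholds are pointers so that an
// explicit 0 ("no critical failures allowed") differs from "not set".
type Policy struct {
	MinScore     *float64 `json:"min_score"`
	MaxCritical  *int     `json:"max_critical"`
	MaxHigh      *int     `json:"max_high"`
	RequiredPass []string `json:"required_pass"`
	Ignore       []string `json:"ignore"`
}

type Result struct{ ID, Severity, Status string }

type Report struct {
	Score   float64
	Results []Result
}

// LoadPolicy parses a policy file. Unknown keys are rejected: a misspelled
// rule name must not silently switch a gate off.
func LoadPolicy(data []byte) (Policy, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var p Policy
	err := dec.Decode(&p)
	return p, err
}

// Evaluate returns one message per violated rule; an empty result means the
// report complies. Only FAIL counts toward max_critical/max_high (WARN does
// not; assumed). A required check that is missing, ERROR or SKIPPED is a
// violation: a gate that cannot prove a control must fail closed.
func Evaluate(p Policy, r Report) []string {
	ignored := map[string]bool{}
	for _, id := range p.Ignore {
		ignored[id] = true
	}
	status := map[string]string{}
	failed := map[string]int{} // FAIL count per severity
	for _, res := range r.Results {
		if ignored[res.ID] {
			continue
		}
		status[res.ID] = res.Status
		if res.Status == "FAIL" {
			failed[res.Severity]++
		}
	}
	var v []string
	if p.MinScore != nil && r.Score < *p.MinScore {
		v = append(v, fmt.Sprintf("score %.1f below min_score %.1f", r.Score, *p.MinScore))
	}
	if p.MaxCritical != nil && failed["CRITICAL"] > *p.MaxCritical {
		v = append(v, fmt.Sprintf("%d CRITICAL failures, max_critical is %d", failed["CRITICAL"], *p.MaxCritical))
	}
	if p.MaxHigh != nil && failed["HIGH"] > *p.MaxHigh {
		v = append(v, fmt.Sprintf("%d HIGH failures, max_high is %d", failed["HIGH"], *p.MaxHigh))
	}
	for _, id := range p.RequiredPass {
		if s, ok := status[id]; !ok || s != "PASS" {
			v = append(v, fmt.Sprintf("required check %s is %q, not PASS", id, s))
		}
	}
	return v
}

// Constructed inputs: a policy file and the report of the host it gates.
const samplePolicy = `{"min_score": 80, "max_critical": 0, "max_high": 1,
  "required_pass": ["SSH-003", "PAM-001"], "ignore": ["AUTH-002"]}`

func SampleReport() Report {
	return Report{Score: 82.5, Results: []Result{
		{"AUTH-001", "CRITICAL", "FAIL"},
		{"AUTH-002", "CRITICAL", "FAIL"}, // listed in ignore, so not counted
		{"NET-001", "HIGH", "FAIL"},
		{"NET-002", "HIGH", "FAIL"},
		{"SSH-003", "HIGH", "PASS"},
		{"PAM-001", "MEDIUM", "ERROR"}, // required, but did not run
	}}
}

func main() {
	p, err := LoadPolicy([]byte(samplePolicy))
	if err != nil {
		fmt.Fprintln(os.Stderr, "policy:", err)
		os.Exit(2)
	}
	violations := Evaluate(p, SampleReport())
	for _, v := range violations {
		fmt.Println("policy violation:", v)
	}
	if len(violations) > 0 {
		os.Exit(1) // the CI gate
	}
}
```

On the constructed report the score clears `min_score`, but the gate still exits 1 for three reasons: one CRITICAL failure against a ceiling of zero, two HIGH failures against a ceiling of one, and PAM-001 being required yet in ERROR. Note that a policy file reading `{"min_sore": 80}` is rejected at load time instead of being accepted as an empty policy.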
## Phase 39: CIS Compliance Report (DONE)

- [x] `infraudit compliance` command with 90 CIS controls mapped
- [x] Compliance % per CIS section with gaps list
- [x] Level 1 and Level 2 support
- [x] Console and JSON output formats

## Phase 40: Complete CIS Benchmark Coverage (DONE)

- [x] 89 new checks: 132 → 221 total
- [x] 150 CIS Level 1 + 170 Level 2 controls mapped
- [x] 6 batches: services, network sysctl, audit/logging, SSH, user accounts, filesystem

## Phase 41: v2.2.1 — 287 Checks (DONE)

- [x] 66 additional checks: SSH, firewall, kernel, filesystem, logging, PAM, services
- [x] Version bumped to v2.2.1
- [x] All 287 checks have remediation text — zero exceptions

## Phase 43: OS Detection & Platform Support (DONE)

- [x] `osinfo` package: detect OS family, distro, package manager, and init system via `/etc/os-release`
- [x] 6 families supported: Debian, RedHat, SUSE, Alpine, Arch, Unknown
- [x] `OSAware`, `InitAware`, `PkgAware` interfaces for platform-aware checks
- [x] SKIPPED status for checks with unmet platform requirements
- [x] OS info in JSON, YAML, HTML, SARIF, Markdown, and console reports
- [x] `doctor` command shows detected OS, family, package manager, init system

## Phase 44: Test Coverage (10% → 36%) (DONE)

- [x] ~270 new unit tests across 12 packages
- [x] auth (61%), pam (61%), secrets (78%), cron (59%), hardening (49%)
- [x] crypto (51%), filesystem (47%), logging (35%), services (23%), network (9%)
- [x] report (81%), osinfo (82%), cmd (15%)
- [x] `FSRoot`-based test isolation for file-reading checks

## Phase 45: OS Annotations for All Checks (DONE)

- [x] 24 checks annotated with `RequiredInit("systemd")` across 14 files
- [x] Backup, cron, filesystem, logging, NFS, packages, and services checks now skip on non-systemd hosts
- [x] File-only checks (`journald.conf`, `auditd.conf`, `rsyslog.conf`) correctly left universal
- [x] CRYPTO-001 (redhat) and SVC-052 (debian) `SupportedOS` verified

## Phase 46: YAML Plugin System (DONE)

- [x] Custom checks in `/etc/infraudit/checks.d/*.yaml`, no recompilation needed
- [x] 6 rule types: `file_exists`, `file_missing`, `file_contains`, `file_not_contains`, `file_perms`, `command`
- [x] Plugin checks support OS, init system, and package manager annotations
- [x] 22 unit tests covering all rule types, validation, and loading
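The six rule types are worth seeing as an evaluator, because the interesting decisions are not the happy paths but what counts as ERROR versus FAIL (an unreadable file says nothing about the control), what `file_perms` means (a ceiling, or an exact mode), and whether a `command` rule is bounded in time. The Go example below is added here and is not infraudit's plugin loader; the `PluginCheck` field names are assumptions, YAML parsing is left out so the block has no dependencies, `file_perms` is read as a permission ceiling, and the `sshd_config` it tests against is constructed in a temporary directory.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
	"time"
)

// PluginCheck is one checks.d entry after loading (field names assumed; the
// YAML parsing itself is left out so the evaluator has no dependencies).
type PluginCheck struct {
	ID      string
	Rule    string      // file_exists | file_missing | file_contains | file_not_contains | file_perms | command
	Path    string      // target file for the file_* rules
	Pattern string      // regular expression for file_contains / file_not_contains
	Mode    os.FileMode // permission ceiling for file_perms, already parsed from the YAML octal string
	Command string      // shell command for the command rule; exit 0 means PASS
}

// verdict turns a boolean outcome into the PASS/FAIL pair Evaluate returns.
func verdict(ok bool, detail string) (string, string) {
	if ok {
		return "PASS", detail
	}
	return "FAIL", detail
}

// Evaluate runs one rule and returns PASS, FAIL or ERROR plus a detail string.
// ERROR means the rule could not be evaluated (unreadable file, bad pattern,
// timed-out command); a condition that is simply not met is FAIL.
func Evaluate(c PluginCheck) (string, string) {
	switch c.Rule {
	case "file_exists", "file_missing":
		_, err := os.Stat(c.Path)
		if err != nil && !os.IsNotExist(err) {
			return "ERROR", err.Error() // e.g. permission denied: do not report a guess as fact
		}
		return verdict((err == nil) == (c.Rule == "file_exists"), c.Path)
	case "file_contains", "file_not_contains":
		re, err := regexp.Compile(c.Pattern)
		if err != nil {
			return "ERROR", "bad pattern: " + err.Error()
		}
		data, err := os.ReadFile(c.Path)
		if err != nil {
			return "ERROR", err.Error()
		}
		return verdict(re.Match(data) == (c.Rule == "file_contains"), c.Pattern)
	case "file_perms":
		info, err := os.Stat(c.Path)
		if err != nil {
			return "ERROR", err.Error()
		}
		have := info.Mode().Perm() // assumed: tighter than Mode passes, any extra bit fails
		return verdict(have&^c.Mode == 0, fmt.Sprintf("%s is %04o, ceiling %04o", c.Path, have, c.Mode))
	case "command":
		// Time-bounded like the built-in checks (Phase 22) so a hung command cannot stall the audit.
		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
		defer cancel()
		if err := exec.CommandContext(ctx, "sh", "-c", c.Command).Run(); err != nil {
			if ctx.Err() != nil {
				return "ERROR", "timed out: " + c.Command
			}
			return "FAIL", c.Command + ": " + err.Error()
		}
		return "PASS", c.Command
	}
	return "ERROR", "unknown rule type " + c.Rule
}

// SampleRun writes a constructed sshd_config into a temp dir, evaluates one
// check per rule type against it and returns each check's status by ID. The
// 0400 ceiling fails under any umask WriteFile ran with, since the owner
// write bit survives every common umask.
func SampleRun() (map[string]string, error) {
	dir, err := os.MkdirTemp("", "infraudit-plugin")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	cfg := filepath.Join(dir, "sshd_config")
	if err := os.WriteFile(cfg, []byte("Port 22\nPermitRootLogin yes\n"), 0o644); err != nil {
		return nil, err
	}
	checks := []PluginCheck{
		{ID: "CUSTOM-001", Rule: "file_exists", Path: cfg},
		{ID: "CUSTOM-002", Rule: "file_missing", Path: cfg + ".bak"},
		{ID: "CUSTOM-003", Rule: "file_contains", Path: cfg, Pattern: `(?m)^PermitRootLogin\s+no\b`},
		{ID: "CUSTOM-004", Rule: "file_not_contains", Path: cfg, Pattern: `(?m)^PermitRootLogin\s+yes\b`},
		{ID: "CUSTOM-005", Rule: "file_perms", Path: cfg, Mode: 0o400},
		{ID: "CUSTOM-006", Rule: "command", Command: "true"},
	}
	out := map[string]string{}
	for _, c := range checks {
		out[c.ID], _ = Evaluate(c)
	}
	return out, nil
}
```

Against the constructed file, CUSTOM-001, CUSTOM-002 and CUSTOM-006 pass, the two `PermitRootLogin` rules and the permission ceiling fail, and a `file_contains` rule pointed at a missing file comes back ERROR rather than FAIL. The `(?m)` anchoring matters: without it a commented-out `#PermitRootLogin no` would satisfy the pattern.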
## Phase 47: Baseline & Regression Detection (DONE)

- [x] `infraudit baseline save` — save an audit snapshot as the accepted baseline
- [x] `infraudit baseline check` — compare against the baseline, exit 1 on regressions
- [x] `infraudit baseline show`/`clear` — view baseline info or remove it
- [x] Score delta, regression/improvement detection, CI-friendly exit codes
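`infraudit diff` (Phase 34) and `infraudit baseline check` (Phase 47) are the same comparison with different inputs: classify every check ID found in either report, then gate on regressions rather than on the score. The Go example below is added here and is not infraudit's code; the JSON report shape (`score`, `results[].id`, `results[].status`), the choice to report a transition into ERROR as a change rather than a regression, and the two sample reports are all constructed assumptions.

```go
package main

import (
	"encoding/json"
	"sort"
)

// Report is the slice of the JSON audit report that diffing needs (field
// names assumed).
type Report struct {
	Score   float64 `json:"score"`
	Results []struct {
		ID     string `json:"id"`
		Status string `json:"status"`
	} `json:"results"`
}

// Diff is the outcome of comparing a current report against a baseline.
type Diff struct {
	Improved, Regressed, Changed, Added, Removed []string
	ScoreDelta                                    float64
}

// rank orders the comparable statuses. ERROR and SKIPPED are unranked, so
// PASS turning into ERROR is reported as changed rather than as a regression
// (assumed: a check that could not run says nothing about the control).
func rank(status string) (int, bool) {
	switch status {
	case "PASS":
		return 3, true
	case "WARN":
		return 2, true
	case "FAIL":
		return 1, true
	}
	return 0, false
}

// Compare classifies every check ID found in either report. Regressed is
// what a CI gate should fail on: the score can rise while a single critical
// control regresses, as the sample reports below show.
func Compare(baseline, current Report) Diff {
	base := map[string]string{}
	for _, r := range baseline.Results {
		base[r.ID] = r.Status
	}
	d := Diff{ScoreDelta: current.Score - baseline.Score}
	seen := map[string]bool{}
	for _, r := range current.Results {
		seen[r.ID] = true
		old, ok := base[r.ID]
		if !ok {
			d.Added = append(d.Added, r.ID)
			continue
		}
		if old == r.Status {
			continue
		}
		oldRank, okOld := rank(old)
		newRank, okNew := rank(r.Status)
		switch {
		case !okOld || !okNew:
			d.Changed = append(d.Changed, r.ID)
		case newRank > oldRank:
			d.Improved = append(d.Improved, r.ID)
		default:
			d.Regressed = append(d.Regressed, r.ID)
		}
	}
	for id := range base {
		if !seen[id] {
			d.Removed = append(d.Removed, id)
		}
	}
	for _, l := range []*[]string{&d.Improved, &d.Regressed, &d.Changed, &d.Added, &d.Removed} {
		sort.Strings(*l) // deterministic output regardless of map iteration order
	}
	return d
}

// Load parses a JSON report. The two constants below are constructed reports
// for the same host: a saved baseline and a later audit.
func Load(data string) (Report, error) {
	var r Report
	err := json.Unmarshal([]byte(data), &r)
	return r, err
}

const baselineJSON = `{"score": 70.0, "results": [
  {"id": "AUTH-001", "status": "PASS"}, {"id": "NET-001", "status": "FAIL"},
  {"id": "FS-001", "status": "WARN"},   {"id": "SVC-001", "status": "PASS"},
  {"id": "CRON-001", "status": "PASS"}]}`

const currentJSON = `{"score": 72.5, "results": [
  {"id": "AUTH-001", "status": "FAIL"}, {"id": "NET-001", "status": "PASS"},
  {"id": "FS-001", "status": "WARN"},   {"id": "SVC-001", "status": "ERROR"},
  {"id": "BOOT-001", "status": "PASS"}]}`
```

The constructed pair is deliberately awkward: the score rises by 2.5 while AUTH-001 goes from PASS to FAIL, SVC-001 stops producing a verdict, CRON-001 disappears and BOOT-001 is new. A gate that only looked at the score delta would wave this through; a gate on `len(d.Regressed) > 0`, which is what exit code 1 on regressions amounts to, does not.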
## Phase 48: Test Coverage (36% → 47%) (DONE)

- [x] Eliminated all 0% coverage packages; all 17 check categories now tested
- [x] ~110 new tests: boot, backup, malware, nfs, container, rlimit, packages
- [x] Network expanded 9% → 53% (SNMP, DNS, IPv6, DNSSEC, DoT)
- [x] Services expanded 23% → 32% (XDMCP, MTA, sudo, SSH)
- [x] 15+ source files updated to use `check.P()` for `FSRoot` test isolation

## Phase 49: GitHub Action (DONE)

- [x] Composite action with local and SSH execution modes
- [x] Auto-download of the binary from releases (amd64/arm64)
- [x] SARIF upload for GitHub Code Scanning integration
- [x] `min-score` gate, job summary, outputs, SSH key cleanup
- [x] Examples: local, SSH, fleet matrix, policy enforcement

## Phase 50: Homebrew Formula (DONE)

- [x] Homebrew formula for amd64/arm64: `brew install infraudit`
- [x] Auto-update script for SHA256 and version on new releases
- [x] Documented in the `RELEASING.md` release process

## Standards Coverage

| Standard | Coverage |
|---|---|
| CIS Benchmark Level 1 | 150 controls mapped (~95% coverage) |
| CIS Benchmark Level 2 | 170 controls mapped (~90% coverage) |
| DISA STIG | Key findings covered |
| Lynis categories | All major categories mapped |