Standards & Methodology
This document explains the security standards, authoritative sources, and methodology behind infraudit's 287 checks. Every check is traceable to at least one recognized security framework.
Why infraudit Is Valid
infraudit does not invent security rules. Every check is derived from one or more of the following authoritative sources, maintained by recognized security organizations:
| Source | Publisher | Authority | Used For |
|---|---|---|---|
| CIS Benchmarks | Center for Internet Security | Industry-recognized, used by auditors, required by PCI-DSS, HIPAA, SOC 2, FedRAMP | Primary source for 90%+ of checks |
| DISA STIG | Defense Information Systems Agency (US DoD) | Required for US government and defense contractor systems | Container security, access controls, audit logging |
| NIST SP 800-53 | National Institute of Standards and Technology | Foundation for FedRAMP, FISMA, and many compliance frameworks | Control families: AC, AU, CM, IA, SC, SI |
| OWASP | Open Worldwide Application Security Project | Industry standard for application and infrastructure security | Docker/container security checks |
| Linux man pages & kernel docs | The Linux Kernel Organization / distribution maintainers | Definitive reference for sysctl, PAM, systemd, auditd, and file system behavior | Correct parameter values, default behaviors, configuration syntax |
CIS Benchmarks (Primary Source)
The CIS Benchmarks are consensus-based security configuration guides developed by a global community of security professionals. They are the most widely adopted hardening standards for Linux systems.
Benchmark Versions Used
| Benchmark | Version | Date |
|---|---|---|
| CIS Ubuntu Linux 24.04 LTS | v1.0.0 | 2024 |
| CIS Red Hat Enterprise Linux 9 | v2.2.1 | 2024 |
| CIS Debian Linux 12 | v1.0.0 | 2024 |
CIS Coverage by Section
| CIS Section | Topic | infraudit Category | Level 1 Controls | Level 2 Controls |
|---|---|---|---|---|
| 1. Initial Setup | Filesystem, bootloader, process hardening, MAC, integrity | FS, HARD, BOOT, LOG | ~30 mapped | ~10 mapped |
| 2. Services | Unnecessary services, NTP, MTA, NFS, DNS, DHCP, SNMP | SVC, NFS, NET | ~25 mapped | ~15 mapped |
| 3. Network Configuration | IP forwarding, source routing, redirects, TCP SYN cookies, firewall | NET, HARD | ~30 mapped | ~20 mapped |
| 4. Logging and Auditing | rsyslog, journald, auditd, log permissions, log retention | LOG | ~25 mapped | ~15 mapped |
| 5. Access, Authentication & Authorization | SSH, PAM, sudo, password policy, user accounts | AUTH, PAM, CRON | ~30 mapped | ~10 mapped |
| 6. System Maintenance | File permissions, user/group integrity, SUID/SGID | FS, AUTH | ~10 mapped | ~5 mapped |
Total CIS coverage: ~150 Level 1 controls (~95%) and ~75 Level 2 controls (~90%) are mapped to infraudit checks. Run infraudit compliance <report.json> for a detailed per-section compliance report.
CIS Levels Explained
| Level | Intent | Who Needs It |
|---|---|---|
| Level 1 | Essential security settings that can be applied without significant performance impact or service disruption | All servers in production |
| Level 2 | Defense-in-depth settings that may reduce functionality or require additional planning | High-security environments, regulated industries |
DISA STIG
The Security Technical Implementation Guides (STIGs) are published by the US Defense Information Systems Agency. They provide configuration standards for DoD systems and are widely adopted in government and defense.
STIG Coverage
| STIG Area | infraudit Coverage | Example Checks |
|---|---|---|
| Access Control | AUTH, PAM, CRON | SSH root login, empty passwords, account lockout, sudoers |
| Audit and Accountability | LOG | auditd rules, log integrity, log retention, AIDE |
| Configuration Management | HARD, BOOT, SVC | ASLR, kernel hardening, unnecessary services, bootloader |
| Identification and Authentication | AUTH, PAM, CRYPTO | Password policy, certificate validation, MFA readiness |
| System and Communications Protection | NET, CRYPTO, CTR | Firewall, TLS, cipher suites, container isolation |
| System and Information Integrity | PKG, MAL, LOG | Security updates, rootkit detection, file integrity |
NIST SP 800-53 Mapping
NIST SP 800-53 Rev. 5 defines security and privacy controls for federal information systems. Many compliance frameworks (FedRAMP, FISMA, CMMC) reference these controls. infraudit checks map to the following control families:
| Control Family | Name | infraudit Categories | Example Controls |
|---|---|---|---|
| AC | Access Control | AUTH, PAM, CRON, FS | AC-2 (account management), AC-3 (access enforcement), AC-6 (least privilege) |
| AU | Audit and Accountability | LOG | AU-2 (audit events), AU-3 (content of audit records), AU-8 (time stamps), AU-12 (audit generation) |
| CM | Configuration Management | HARD, SVC, PKG, BOOT | CM-6 (configuration settings), CM-7 (least functionality), CM-11 (user-installed software) |
| IA | Identification and Authentication | AUTH, PAM, CRYPTO | IA-2 (multi-factor), IA-5 (authenticator management), IA-7 (cryptographic module auth) |
| SC | System and Communications Protection | NET, CRYPTO, CTR | SC-8 (transmission confidentiality), SC-12 (crypto key management), SC-28 (data at rest) |
| SI | System and Information Integrity | PKG, MAL, LOG, SEC | SI-2 (flaw remediation), SI-3 (malicious code protection), SI-7 (software integrity) |
How Checks Are Derived
Each infraudit check follows a traceable process from standard to implementation:
- Control identification — A security requirement is identified from CIS Benchmarks, DISA STIG, or NIST SP 800-53.
- Technical mapping — The control is mapped to a specific Linux configuration: a file, a sysctl parameter, a service state, a permission, or a command output.
- Pass/Fail criteria — Objective, binary criteria are defined. For example:
PermitRootLoginmust beno, not just "reviewed." - Severity assignment — Based on exploitability and impact:
- CRITICAL — Directly exploitable without authentication (e.g., empty passwords, root SSH login)
- HIGH — Enables privilege escalation or significant data exposure (e.g., missing firewall, weak ciphers)
- MEDIUM — Security best practice not applied (e.g., log rotation, ASLR)
- LOW — Defense-in-depth improvement (e.g., login banners, NTP security)
- Remediation — Every check includes the exact command or configuration change to fix the finding.
- CIS mapping — The check is mapped to the specific CIS section (e.g., "5.2.1 Ensure SSH root login is disabled") and level (L1/L2).
What infraudit Inspects
infraudit reads system state through these mechanisms — it never modifies your system:
| Source | What It Reveals | Example Checks |
|---|---|---|
| Configuration files | Service settings, security policies, PAM configuration | /etc/ssh/sshd_config, /etc/security/pwquality.conf, /etc/audit/auditd.conf |
| File permissions | Access control on sensitive files | /etc/shadow (0640), /etc/crontab (0600), private keys (0600) |
| Kernel parameters | Hardening settings via /proc/sys/ |
ASLR, IP forwarding, SYN cookies, ptrace scope, dmesg restriction |
| Mount options | Filesystem security flags | noexec on /tmp, nosuid on /dev/shm, separate partitions |
| Service state | Running/enabled systemd units | auditd, fail2ban, chrony, unnecessary services |
| User/group databases | Account security, password hashes | /etc/passwd, /etc/shadow, /etc/group |
| Process table | Running processes and their privileges | Root processes, container runtime |
| Package manager | Installed packages and pending updates | Security updates, repository HTTPS, unwanted packages |
| Certificate stores | TLS/SSL certificate health | Expired certs, weak algorithms, private key permissions |
| Container runtime | Docker/Podman security configuration | Privileged containers, resource limits, content trust |
Compliance Framework Applicability
Because infraudit's checks are derived from CIS and NIST, they are directly applicable to audits under the following frameworks:
| Framework | Requirement | How infraudit Helps |
|---|---|---|
| PCI-DSS v4.0 | Req. 2: Secure configurations for all system components | 287 checks validate configuration hardening across all layers |
| PCI-DSS v4.0 | Req. 5: Protect against malicious software | MAL checks verify antimalware, rootkit detection, definition updates |
| PCI-DSS v4.0 | Req. 6: Develop and maintain secure systems | PKG checks verify security patches and automatic updates |
| PCI-DSS v4.0 | Req. 8: Identify users and authenticate access | AUTH + PAM checks validate password policies, lockout, MFA readiness |
| PCI-DSS v4.0 | Req. 10: Log and monitor all access | LOG checks verify auditd, syslog, log integrity, retention |
| SOC 2 Type II | CC6.1: Logical and physical access controls | AUTH, PAM, FS, CRON checks cover access control requirements |
| SOC 2 Type II | CC7.2: Monitor system components for anomalies | LOG checks verify audit trail, file integrity monitoring (AIDE) |
| SOC 2 Type II | CC8.1: Change management | Baseline command detects security regressions after changes |
| HIPAA | 164.312(a): Access control | AUTH + PAM checks enforce authentication and authorization |
| HIPAA | 164.312(b): Audit controls | LOG checks verify audit logging is active and protected |
| HIPAA | 164.312(e): Transmission security | CRYPTO + NET checks verify TLS, cipher suites, network hardening |
| ISO 27001 | A.8: Asset management, A.9: Access control, A.12: Operations security | Broad coverage across all 17 categories |
| FedRAMP | Based on NIST SP 800-53 | Direct mapping to AC, AU, CM, IA, SC, SI control families |
Audit Methodology
Principles
- Read-only — infraudit never modifies system state. It only reads files, queries services, and inspects configurations.
- Deterministic — The same system state always produces the same results. No sampling, no heuristics.
- Objective — Pass/fail criteria are binary and documented. There is no subjective "risk assessment."
- Traceable — Every check maps to a specific CIS section, STIG rule, or NIST control.
- Actionable — Every finding includes a remediation command or configuration change.
Scoring Algorithm
The Hardening Index (0-100) weights each check by severity:
| Severity | Weight | PASS | WARN | FAIL |
|---|---|---|---|---|
| CRITICAL | 10 points | +10 | +5 | 0 |
| HIGH | 5 points | +5 | +2 | 0 |
| MEDIUM | 3 points | +3 | +1 | 0 |
| LOW | 1 point | +1 | +0 | 0 |
| INFO | 0 points | - | - | - |
ERROR and SKIPPED checks are excluded from scoring. The score maps to a letter grade: A (≥90), B (≥80), C (≥70), D (≥60), F (<60).
Platform Awareness
infraudit detects the operating system, package manager, and init system at startup. Checks that are specific to a platform (e.g., update-crypto-policies on RHEL, apport on Ubuntu) are automatically SKIPPED on systems where they don't apply, eliminating false positives.
Limitations & Scope
infraudit is designed for Linux server hardening validation. It is not:
- A vulnerability scanner — It does not scan for CVEs or perform port scanning. Use tools like Trivy, Nessus, or OpenVAS for that.
- A penetration testing tool — It does not attempt exploitation. Use tools like Metasploit or Burp Suite.
- A cloud configuration auditor — It does not check AWS IAM, S3 buckets, or GCP firewall rules. Use tools like Prowler, ScoutSuite, or Steampipe.
- A compliance certification — infraudit provides evidence to support compliance audits, but it is not a certification body. Compliance determination is made by qualified auditors.
References
- CIS Benchmarks — Center for Internet Security
- DISA STIGs — Defense Information Systems Agency
- NIST SP 800-53 Rev. 5 — National Institute of Standards and Technology
- OWASP Docker Security Cheat Sheet
- Linux Kernel Documentation
- Linux man pages