Skip to content

Security Policy

Ryan edited this page Jul 11, 2026 · 2 revisions

Security Policy

This page summarizes the project's security policy. For the full policy, see SECURITY.md in the main repository.


Supported Versions

Version Supported Notes
3.9.x Yes Current stable release
3.6.x - 3.8.x Limited Security fixes only until 2026-12-31
3.5.x and earlier No End of life

Reporting Vulnerabilities

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security vulnerabilities through GitHub Security Advisories:

  1. Go to the Security tab
  2. Click "Report a vulnerability"
  3. Provide detailed information

Expected Response: 48-72 hours for initial acknowledgment.

Security Considerations

What the Tool Does

  • Reads system configuration files and /proc filesystem
  • Executes read-only system commands with intelligent caching
  • Generates local report files in reports/ directory
  • Writes structured logs to logs/ directory
  • Computes compliance scores against configurable thresholds

What the Tool Does NOT Do

  • Transmit data externally (fully offline)
  • Install software or external packages
  • Create network connections
  • Modify system configuration (unless remediation flags are explicitly used)
  • Access user personal data or files
  • Store credentials or sensitive authentication data

Report Security

  • Reports contain sensitive system configuration information
  • Report files are created with 600 permissions
  • Log files are created with 644 permissions
  • Store reports securely with appropriate access controls
  • Sanitize reports before sharing externally

See SECURITY.md for the complete security policy.

Home

Linux Security Audit

Version 3.9 - 16 modules - 2,297 checks


Getting Started


Reference


Architecture


Operations


Release Information


Quick Reference

Original modules (v2.0 baseline + v3.3 expansion)

Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG

New modules (v3.0+ Phase 3)

ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2

Output Formats

HTML - JSON - CSV - XML - Console

Status Values

Pass - Fail - Warning - Info - Error

Severity Levels

Critical - High - Medium - Low - Informational


External Links

Clone this wiki locally