Skip to content

Security Policy

Ryan edited this page Apr 26, 2026 · 2 revisions

Security Policy

This page summarizes the project's security policy. For the full policy, see SECURITY.md in the main repository.


Supported Versions

Version Supported Notes
2.0.x ✅ Yes Current stable release
1.1.x ⚠️ Limited Security fixes only until 2026-09-30
1.0.x ❌ No End of life

Reporting Vulnerabilities

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security vulnerabilities through GitHub Security Advisories:

  1. Go to the Security tab
  2. Click "Report a vulnerability"
  3. Provide detailed information

Expected Response: 48-72 hours for initial acknowledgment.

Security Considerations

What the Tool Does

  • ✅ Reads system configuration files and /proc filesystem
  • ✅ Executes read-only system commands with intelligent caching
  • ✅ Generates local report files in reports/ directory
  • ✅ Writes structured logs to logs/ directory
  • ✅ Computes compliance scores against configurable thresholds

What the Tool Does NOT Do

  • ❌ Transmit data externally (fully offline)
  • ❌ Install software or external packages
  • ❌ Create network connections
  • ❌ Modify system configuration (unless remediation flags are explicitly used)
  • ❌ Access user personal data or files
  • ❌ Store credentials or sensitive authentication data

Report Security

  • Reports contain sensitive system configuration information
  • Report files are created with 600 permissions
  • Log files are created with 644 permissions
  • Store reports securely with appropriate access controls
  • Sanitize reports before sharing externally

See SECURITY.md for the complete security policy.

Home

Linux Security Audit

Version 3.9 - 16 modules - 2,297 checks


Getting Started


Reference


Architecture


Operations


Release Information


Quick Reference

Original modules (v2.0 baseline + v3.3 expansion)

Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG

New modules (v3.0+ Phase 3)

ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2

Output Formats

HTML - JSON - CSV - XML - Console

Status Values

Pass - Fail - Warning - Info - Error

Severity Levels

Critical - High - Medium - Low - Informational


External Links

Clone this wiki locally