Check catalogue

Every check Obexum ships, generated directly from the engine registry. Three deterministic engines: 447 native checks (Go probes with explicit pass/fail logic), 162 configuration controls (the config-rule engine, CFG-*), and 11 attack-chain detections (CHAIN-*) — 620 in total. Each maps to a rule_id you can drill into with obexum findings show <id>.

447
Native checks
162
Config controls
11
Attack chains
620
Total

Rule IDTitleSeverityCategoryPlatformEngine
AUD-LIN-IDENT-001Weak shadow passwords (dictionary)CRITICALidentityLinuxnative
AUD-LIN-IDENT-002Account with empty password in /etc/shadowCRITICALidentityLinuxnative
AUD-LIN-IDENT-007Non-root account with UID 0CRITICALidentityLinuxnative
AUD-LIN-IDENT-023SSH known_hosts records a known-malicious peerCRITICALthreatLinuxnative
AUD-LIN-MALWARE-006Known-malware signature match (rootkits, bots, C2, ransomware, stealers, webshells)CRITICALmalwareLinuxnative
AUD-LIN-NET-001Redis reachable without authenticationCRITICALnetworkLinuxnative
AUD-LIN-NET-002MongoDB accepts admin commands without authenticationCRITICALnetworkLinuxnative
AUD-LIN-NET-003MySQL/MariaDB root accepts empty passwordCRITICALnetworkLinuxnative
AUD-LIN-NET-004Elasticsearch REST API reachable without authenticationCRITICALnetworkLinuxnative
AUD-LIN-PROBE-004SMTP server is open relay (accepts mail to external domain without auth)CRITICALprobesLinuxnative
AUD-LIN-PROBE-013SMB server accepts SMBv1 dialect (WannaCry / EternalBlue exposure)CRITICALprobesLinuxnative
AUD-LIN-PROBE-020Redis accepts commands without AUTH (RCE surface)CRITICALprobesLinuxnative
AUD-LIN-PROBE-022MongoDB accepts commands without authenticationCRITICALprobesLinuxnative
AUD-LIN-PROBE-023Elasticsearch cluster state readable without authenticationCRITICALprobesLinuxnative
AUD-LIN-PROBE-024Docker Engine API :2375 exposed (no-TLS, no-auth)CRITICALprobesLinuxnative
AUD-LIN-PROBE-025Kubernetes API :6443 allows anonymous accessCRITICALprobesLinuxnative
AUD-LIN-THREAT-001Active connections to known-malicious IPsCRITICALthreatLinuxnative
AUD-LIN-THREAT-002Active peer in Spamhaus DROP netblock (hijacked / bulletproof hosting)CRITICALthreatLinuxnative
AUD-LIN-WEB-003.env file exposed via web serverCRITICALwebLinuxnative
AUD-LIN-WEB-005Webshell signature found in web rootCRITICALmalwareLinuxnative
AUD-WIN-ACL-001AD ACL: DCSync extended rights granted to non-Tier0 principalCRITICALidentityWindowsnative
AUD-WIN-ACL-002AD ACL: AdminSDHolder ACL drift — non-Tier0 holds dangerous rightsCRITICALidentityWindowsnative
AUD-WIN-ACL-003AD ACL: takeover rights on Tier0 group held by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-ACL-004AD ACL: takeover rights on domain root held by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-ACL-006AD ACL: ForceChangePassword on Tier0 user held by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-ACL-007AD ACL: AddMember (member WriteProperty) on Tier0 group held by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-ACL-008AD ACL: full control over Tier0 user held by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-ACL-009AD ACL: Shadow Credentials write on Tier0 held by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-ACL-010AD ACL: Tier0 object owner is non-Tier0CRITICALidentityWindowsnative
AUD-WIN-ACL-011AD ACL: Domain Controllers OU writable by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-ACL-012AD ACL: DC computer object writable by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-ADCS-001ADCS ESC1: certificate template allows alternate-SAN supply with client-auth EKUCRITICALidentityWindowsnative
AUD-WIN-ADCS-002ADCS ESC2: certificate template grants Any Purpose EKUCRITICALidentityWindowsnative
AUD-WIN-ADCS-004ADCS ESC4: certificate template ACL writable by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-ADCS-006ADCS ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 set on CACRITICALidentityWindowsnative
AUD-WIN-ADCS-008ADCS ESC8: web enrollment endpoint exposed without HTTPS+EPACRITICALidentityWindowsnative
AUD-WIN-ADCS-015ADCS ESC15 / EKUwu: schema-v1 template with ENROLLEE_SUPPLIES_SUBJECTCRITICALidentityWindowsnative
AUD-WIN-DC-008DC hardening: SMB1Protocol Windows feature still installedCRITICALnetworkWindowsnative
AUD-WIN-DCH-001DC hardening: Print Spooler service running on DCCRITICALnetworkWindowsnative
AUD-WIN-DCH-005DC hardening: DC computer object has constrained-delegation setCRITICALidentityWindowsnative
AUD-WIN-DCH-010DC hardening: WDigest UseLogonCredential allows cleartext credentialsCRITICALidentityWindowsnative
AUD-WIN-GPO-001GPO: Group Policy Preferences cpassword left in SYSVOLCRITICALidentityWindowsnative
AUD-WIN-GPO-002GPO: Policies\{GUID} folder writable by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-GPO-003GPO: Restricted Groups adds non-Tier0 to a Tier0 groupCRITICALidentityWindowsnative
AUD-WIN-GPO-004GPO: GPO linked to Domain Controllers OU writable by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-GPO-005GPO: NETLOGON script writable by non-Tier0 or contains cleartext credentialsCRITICALidentityWindowsnative
AUD-WIN-GPO-006GPO: SYSVOL share root writable by non-Tier0CRITICALidentityWindowsnative
AUD-WIN-KRB-003Kerberos: unconstrained delegation enabled on non-DC computerCRITICALidentityWindowsnative
AUD-WIN-KRB-009Kerberos: constrained delegation to sensitive serviceCRITICALidentityWindowsnative
AUD-WIN-NET-001SMBv1 protocol enabled (client driver and/or server)CRITICALnetworkWindowsnative
AUD-WIN-PERS-001AlwaysInstallElevated set to 1 (privesc primitive)CRITICALpersistenceWindowsnative
AUD-WIN-PERS-T-008Persistence: Winlogon Shell not baselineCRITICALpersistenceWindowsnative
AUD-WIN-PERS-T-010Persistence: Winlogon GinaDLL set (legacy NT)CRITICALpersistenceWindowsnative
AUD-WIN-PERS-T-012Persistence: Winlogon Notify subkeys presentCRITICALpersistenceWindowsnative
AUD-WIN-PERS-T-013Persistence: LSA Authentication/Notification/Security Packages off-baselineCRITICALpersistenceWindowsnative
AUD-WIN-PERS-T-015Persistence: Print Monitor / Print Processor DLL off-baselineCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-001Persistence T1546.012: IFEO Debugger value setCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-002Persistence T1546.012: IFEO SilentProcessExit MonitorProcessCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-003Persistence T1546.008: accessibility binary tamperCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-004Persistence T1546.009: AppCertDLLs registry not emptyCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-005Persistence T1546.010: AppInit_DLLs + LoadAppInit_DLLs enabledCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-006Persistence T1546.011: custom Application Shim Database installedCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-007Persistence T1546.007: Netsh Helper DLL off-baselineCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-009Persistence T1546.003: WMI EventFilter / Consumer / Binding presentCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-011Persistence T1574: kernel-mode driver ImagePath off-System32CRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-012Persistence T1547.002: LSA OSConfig / SSP driftCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-014Persistence T1547.006: boot/system start service has off-baseline ImagePathCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-015Persistence T1574: svchost service group has off-baseline ServiceDllCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-017Persistence T1543.003: service registry SDDL writable by Authenticated UsersCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-018Persistence T1543.003: service ImagePath has suspicious command-lineCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-021Persistence T1053.005: scheduled task SYSTEM + user-writable imageCRITICALpersistenceWindowsnative
AUD-WIN-PERS-X-025Persistence T1053.005: hidden task running SYSTEM with suspicious commandCRITICALpersistenceWindowsnative
AUD-WIN-PG-006Privileged groups: Pre-Windows 2000 Compatible Access has broad principalCRITICALidentityWindowsnative
AUD-WIN-PRIV-001Privesc T1574.007: writable directory in PATH before System32CRITICALpersistenceWindowsnative
AUD-WIN-PRIV-002Privesc T1574.001: KnownDLLs registry has off-baseline entryCRITICALpersistenceWindowsnative
AUD-WIN-PRIV-003Privesc T1574.012: COR_PROFILER environment variable / registry hijackCRITICALpersistenceWindowsnative
AUD-WIN-PRIV-004Privesc T1574.002: DNS ServerLevelPluginDll registry setCRITICALpersistenceWindowsnative
AUD-WIN-PRIV-005Privesc: WSUS configured over HTTP (not HTTPS)CRITICALnetworkWindowsnative
AUD-WIN-PRIV-007Privesc: AMSI Provider CLSID off-baselineCRITICALthreatWindowsnative
AUD-WIN-PRIV-012Privesc T1548.002: auto-elevate registry hijack (fodhelper / sdclt / eventvwr / computerdefaults)CRITICALpersistenceWindowsnative
AUD-WIN-THREAT-001Microsoft Defender engine pillar(s) disabledCRITICALthreatWindowsnative
AUD-WIN-TR-002Trust hygiene: inbound trust without SID filtering (Quarantined)CRITICALidentityWindowsnative
AUD-LIN-DATA-001Files or dirs in /var/log with lax permissionsHIGHdataLinuxnative
AUD-LIN-DATA-007Root filesystem / not on LUKS-encrypted block deviceHIGHdataLinuxnative
AUD-LIN-DATA-014No recent backup success event in journal (<72h)HIGHdataLinuxnative
AUD-LIN-DATA-015Backup target may be on the same host (no off-host copy)HIGHdataLinuxnative
AUD-LIN-DATA-016Backup not encrypted at restHIGHdataLinuxnative
AUD-LIN-DATA-018/var/backups/passwd*, shadow*, group*, gshadow* have lax permissionsHIGHdataLinuxnative
AUD-LIN-DATA-019`.env` file in web-accessible directory is world-readableHIGHdataLinuxnative
AUD-LIN-DATA-020Database dump (*.sql, *.sql.gz, *.dump) world-readableHIGHdataLinuxnative
AUD-LIN-DATA-021Credential-like string in world-readable /etc/**/*.confHIGHdataLinuxnative
AUD-LIN-DATA-022Process command-line contains credential stringHIGHdataLinuxnative
AUD-LIN-DATA-024Private-key PEM body in /tmp, /var/www, /srv, /opt or other public pathHIGHdataLinuxnative
AUD-LIN-DATA-025Secret / PII pattern in /tmp, /var/log, /var/tmp or /homeHIGHdataLinuxnative
AUD-LIN-FORENSIC-001/etc/ld.so.preload present (classic rootkit vector)HIGHforensicLinuxnative
AUD-LIN-FORENSIC-002Telemetry / firewall service masked (post-compromise silencing)HIGHforensicLinuxnative
AUD-LIN-FORENSIC-003Loaded kernel module without backing file (LKM rootkit signature)HIGHforensicLinuxnative
AUD-LIN-FORENSIC-004/etc/hosts overrides well-known production / update domainsHIGHforensicLinuxnative
AUD-LIN-FORENSIC-005Docker container running --privileged OR mounting / OR /var/run/docker.sockHIGHforensicLinuxnative
AUD-LIN-FORENSIC-007Shell history cleared / truncated for an active user (tampering evidence)HIGHforensicLinuxnative
AUD-LIN-FORENSIC-008systemd unit ExecStart targets a writable-scratch directoryHIGHforensicLinuxnative
AUD-LIN-FS-004/etc/fstab has lax permissions or dangerous mount optionsHIGHfilesystemLinuxnative
AUD-LIN-FS-005/tmp or /var/tmp missing sticky bitHIGHfilesystemLinuxnative
AUD-LIN-FS-006Unpackaged SUID / SGID binary detected (possible backdoor)HIGHfilesystemLinuxnative
AUD-LIN-FS-007World-writable file or directory without sticky bitHIGHfilesystemLinuxnative
AUD-LIN-FS-009Binary with dangerous Linux capability (cap_sys_admin / cap_setuid / ...)HIGHfilesystemLinuxnative
AUD-LIN-FS-010/etc/ld.so.conf* or /etc/ld.so.preload writable by non-root (dynlib hijack)HIGHfilesystemLinuxnative
AUD-LIN-FS-011Critical system file has wrong permissions or ownerHIGHfilesystemLinuxnative
AUD-LIN-FS-013root PATH contains `.` or a writable-by-non-root directoryHIGHfilesystemLinuxnative
AUD-LIN-FS-016System-wide shell init file is group- or world-writable, or not root-ownedHIGHfilesystemLinuxnative
AUD-LIN-FS-020New kernel installed but not running (reboot required for security patches)HIGHfilesystemLinuxnative
AUD-LIN-FS-027Loaded kernel module from non-standard path (possible LKM rootkit)HIGHfilesystemLinuxnative
AUD-LIN-FS-038systemd unit file writable by non-root (persistence vector)HIGHfilesystemLinuxnative
AUD-LIN-FS-040/etc/udev/rules.d/* file writable by non-rootHIGHfilesystemLinuxnative
AUD-LIN-FS-042/etc/cron.* directory or file has insecure permissionsHIGHfilesystemLinuxnative
AUD-LIN-FS-043Symlink in /tmp points to sensitive root-owned path (TOCTOU bait)HIGHfilesystemLinuxnative
AUD-LIN-IDENT-003Sudoers allow NOPASSWD escalationHIGHidentityLinuxnative
AUD-LIN-IDENT-004Users in root-equivalent groups (docker/lxd/kvm/disk/shadow)HIGHidentityLinuxnative
AUD-LIN-IDENT-005SSH daemon accepts weak authentication (sshd -T view)HIGHidentityLinuxnative
AUD-LIN-IDENT-006Duplicate UIDs in /etc/passwdHIGHidentityLinuxnative
AUD-LIN-IDENT-008System accounts with interactive login shellHIGHidentityLinuxnative
AUD-LIN-IDENT-011Identity files deviate from CIS permissions baselineHIGHidentityLinuxnative
AUD-LIN-IDENT-014No account-lockout on failed authentication (pam_faillock)HIGHidentityLinuxnative
AUD-LIN-IDENT-015/etc/securetty weaknesses (pts/vc/extra tty)HIGHidentityLinuxnative
AUD-LIN-IDENT-016Sudoers rule uses unsafe wildcard in command specHIGHidentityLinuxnative
AUD-LIN-IDENT-017Sudoers exposes LD_* env vars (privilege escalation vector)HIGHidentityLinuxnative
AUD-LIN-IDENT-018Sudoers permits a binary with a known shell-breakout (GTFObin)HIGHidentityLinuxnative
AUD-LIN-IDENT-020SSH host keys use weak algorithm or sizeHIGHidentityLinuxnative
AUD-LIN-IDENT-021Weak algorithms in user authorized_keysHIGHidentityLinuxnative
AUD-LIN-IDENT-022Root authorized_keys without `from=`/`command=`/`restrict`HIGHidentityLinuxnative
AUD-LIN-IDENT-024AuthorizedKeysCommand binary or its directory is writable by non-rootHIGHidentityLinuxnative
AUD-LIN-IDENT-027AWS long-lived access keys present in ~/.awsHIGHidentityLinuxnative
AUD-LIN-IDENT-028GCP credentials at rest in ~/.config/gcloudHIGHidentityLinuxnative
AUD-LIN-IDENT-029Azure CLI plaintext tokens in ~/.azureHIGHidentityLinuxnative
AUD-LIN-IDENT-030Kubernetes kubeconfig holds embedded client cert / bearer tokenHIGHidentityLinuxnative
AUD-LIN-IDENT-031.netrc stores plaintext credentialsHIGHidentityLinuxnative
AUD-LIN-IDENT-032Docker config.json stores registry passwords in base64HIGHidentityLinuxnative
AUD-LIN-IDENT-034LDAP client/daemon binds over plaintext or with broken cert validationHIGHidentityLinuxnative
AUD-LIN-IDENT-035Kerberos keytab is world-readable (service principals leak)HIGHidentityLinuxnative
AUD-LIN-IDENT-036nsswitch.conf uses an unauthenticated source for identity dataHIGHidentityLinuxnative
AUD-LIN-IDENT-039Core identity file modified within the past 7 daysHIGHidentityLinuxnative
AUD-LIN-IDENT-040Root shell history carries attack-signature commandsHIGHidentityLinuxnative
AUD-LIN-INTEG-001/etc/ld.so.preload present (rootkit indicator)HIGHintegrityLinuxnative
AUD-LIN-INTEG-002SUID/SGID binaries outside the package managerHIGHintegrityLinuxnative
AUD-LIN-INTEG-003ELF binaries in /tmp, /dev/shm, /var/tmp without a packageHIGHmalwareLinuxnative
AUD-LIN-INTEG-004Installed packages differ from their manifest (integrity drift)HIGHintegrityLinuxnative
AUD-LIN-INTEG-005LD_PRELOAD set in a security-critical daemon processHIGHintegrityLinuxnative
AUD-LIN-INTEG-008ELF binary disguised with non-executable extensionHIGHintegrityLinuxnative
AUD-LIN-LOG-003Kernel audit subsystem not accepting events or losing eventsHIGHloggingLinuxnative
AUD-LIN-LOG-010Audit rules missing kernel module load coverageHIGHloggingLinuxnative
AUD-LIN-LOG-017Audit rules missing firewall-change coverageHIGHloggingLinuxnative
AUD-LIN-LOG-020No syslog daemon active (rsyslog / syslog-ng)HIGHloggingLinuxnative
AUD-LIN-MALWARE-001Listener process running from a deleted binaryHIGHmalwareLinuxnative
AUD-LIN-MALWARE-002Hidden PID: directory exists in /proc but not in ps outputHIGHmalwareLinuxnative
AUD-LIN-MALWARE-003Shell or text-utility process owns a live network socketHIGHmalwareLinuxnative
AUD-LIN-MALWARE-004Live network connection to a cryptominer pool or miner binary runningHIGHmalwareLinuxnative
AUD-LIN-NET-005Memcached reachable without authenticationHIGHnetworkLinuxnative
AUD-LIN-NET-006IPv6 enabled without ip6tables rulesHIGHnetworkLinuxnative
AUD-LIN-NET-007Listening socket visible to ss but not netstat (or vice versa) — possible rootkitHIGHnetworkLinuxnative
AUD-LIN-NET-009Host firewall absent or INPUT default policy is ACCEPTHIGHnetworkLinuxnative
AUD-LIN-NET-013/etc/hosts maps a high-value domain to a non-loopback IP (possible hijack)HIGHnetworkLinuxnative
AUD-LIN-NET-016Samba share exposes anonymous / SMB1 / unsigned accessHIGHnetworkLinuxnative
AUD-LIN-NET-017NFS export has no_root_squash / public host / anon=rootHIGHnetworkLinuxnative
AUD-LIN-NET-022TLS listener accepts deprecated SSL/TLS protocol versionsHIGHcryptoLinuxnative
AUD-LIN-NET-023TLS listener accepts broken / deprecated cipher suitesHIGHcryptoLinuxnative
AUD-LIN-NET-024TLS certificate uses weak key material or deprecated signatureHIGHcryptoLinuxnative
AUD-LIN-NET-025TLS endpoint vulnerable to named legacy CVE (Heartbleed/POODLE/CRIME/Logjam/BEAST/FREAK/SWEET32/DROWN/Renegotiation)HIGHcryptoLinuxnative
AUD-LIN-NET-026TLS certificate expired / near expiry / untrusted chainHIGHcryptoLinuxnative
AUD-LIN-NET-028TLS cert hostname mismatch or SAN-missingHIGHcryptoLinuxnative
AUD-LIN-NET-032HTTPS page embeds HTTP-served resources (mixed content)HIGHcryptoLinuxnative
AUD-LIN-NET-033SSH host key uses weak algorithm or weak key size, or has lax permissionsHIGHcryptoLinuxnative
AUD-LIN-NET-034sshd_config accepts weak ciphers / MACs / key-exchange algorithmsHIGHcryptoLinuxnative
AUD-LIN-NET-037APT/RPM GPG keyring contains weak, expired, or DSA keysHIGHcryptoLinuxnative
AUD-LIN-NET-038Plaintext legacy service listening (telnet/FTP/POP3/IMAP/rsh)HIGHcryptoLinuxnative
AUD-LIN-NET-039Critical data service has TLS disabled and binds public addressHIGHcryptoLinuxnative
AUD-LIN-PERSIST-001Cron job executes a path writable by non-rootHIGHpersistenceLinuxnative
AUD-LIN-PERSIST-002Systemd units execute from /tmp, /home or similar writable dirHIGHpersistenceLinuxnative
AUD-LIN-PERSIST-003Shell init files contain fetch-and-execute patternsHIGHpersistenceLinuxnative
AUD-LIN-PERSIST-004Cron/anacron entry contains attack-signature commandsHIGHpersistenceLinuxnative
AUD-LIN-PERSIST-007systemd unit ExecStart points at a writable-scratch pathHIGHpersistenceLinuxnative
AUD-LIN-PERSIST-009Unpackaged binary present in systemd generators search pathHIGHpersistenceLinuxnative
AUD-LIN-PERSIST-010Boot/init script anomaly (rc.local, init.d custom scripts)HIGHpersistenceLinuxnative
AUD-LIN-PROBE-001sshd runtime algorithms include weak KEX / ciphers / MACsHIGHprobesLinuxnative
AUD-LIN-PROBE-002sshd version banner within a known-CVE vulnerability windowHIGHprobesLinuxnative
AUD-LIN-PROBE-007DNS server allows zone transfer (AXFR) from arbitrary clientHIGHprobesLinuxnative
AUD-LIN-PROBE-008DNS server is an open recursive resolverHIGHprobesLinuxnative
AUD-LIN-PROBE-011SMB share list accessible via null session (anonymous enumeration)HIGHprobesLinuxnative
AUD-LIN-PROBE-012SMB server does not REQUIRE client signing (MITM-vulnerable)HIGHprobesLinuxnative
AUD-LIN-PROBE-014SMB server permits NTLMv1 authenticationHIGHprobesLinuxnative
AUD-LIN-PROBE-015FTP server accepts anonymous loginHIGHprobesLinuxnative
AUD-LIN-PROBE-016FTP server does not require TLS (plain FTP on :21)HIGHprobesLinuxnative
AUD-LIN-PROBE-018rsync module readable anonymously (first-level file listing)HIGHprobesLinuxnative
AUD-LIN-PROBE-019NFS export is world-readable or has no_root_squashHIGHprobesLinuxnative
AUD-LIN-PROBE-021memcached accepts ASCII stats without authenticationHIGHprobesLinuxnative
AUD-LIN-SVC-001PostgreSQL configuration deviates from hardening baselineHIGHservicesLinuxnative
AUD-LIN-SVC-002Redis configuration deviates from hardening baselineHIGHservicesLinuxnative
AUD-LIN-SVC-003MySQL / MariaDB configuration or accounts below hardening baselineHIGHservicesLinuxnative
AUD-LIN-SVC-004MongoDB configuration deviates from hardening baselineHIGHservicesLinuxnative
AUD-LIN-SVC-005Elasticsearch configuration deviates from hardening baselineHIGHservicesLinuxnative
AUD-LIN-SVC-006Mail server (Postfix/Exim4) configuration deviates from hardening baselineHIGHservicesLinuxnative
AUD-LIN-SVC-007Docker daemon or running container weakens host securityHIGHservicesLinuxnative
AUD-LIN-SVC-008Kubernetes control-plane or node weakens cluster securityHIGHservicesLinuxnative
AUD-LIN-THREAT-004Recent login / active peer is a blocklist.de SSH brute-forcerHIGHthreatLinuxnative
AUD-LIN-THREAT-006Active peer has high AbuseIPDB confidence scoreHIGHthreatLinuxnative
AUD-LIN-THREAT-009Active peer in low-reputation ASN (bulletproof / unrouted / high-abuse hoster)HIGHthreatLinuxnative
AUD-LIN-THREAT-012Outbound connection to canonical-attacker port (IRC/mining/backdoor)HIGHthreatLinuxnative
AUD-LIN-THREAT-013resolv.conf uses non-approved or low-reputation DNS serversHIGHthreatLinuxnative
AUD-LIN-THREAT-014Process with known-malicious name patternHIGHthreatLinuxnative
AUD-LIN-THREAT-016Web root contains file with webshell signatureHIGHthreatLinuxnative
AUD-LIN-WEB-002Git repository exposed via web serverHIGHwebLinuxnative
AUD-LIN-WEB-006Backup file accessible via web server (SQL dump, .bak, ~, .swp, tarball)HIGHwebLinuxnative
AUD-LIN-WEB-007Information-disclosure endpoint reachable (server-status, phpinfo, /metrics, /.env)HIGHwebLinuxnative
AUD-WIN-ACL-005AD ACL: ReadGMSAPassword granted to non-Tier0HIGHidentityWindowsnative
AUD-WIN-ADCS-009ADCS ESC9: certificate template has no_security_extension flagHIGHidentityWindowsnative
AUD-WIN-ADCS-010ADCS ESC10: weak certificate-account mapping on Domain ControllersHIGHidentityWindowsnative
AUD-WIN-CRYPTO-001NTLM authentication crypto strength below baselineHIGHcryptoWindowsnative
AUD-WIN-CRYPTO-003LDAP client signing not required (LDAPClientIntegrity != 2)HIGHcryptoWindowsnative
AUD-WIN-CRYPTO-004Credential Guard / HVCI / VBS not runningHIGHcryptoWindowsnative
AUD-WIN-DC-001DC hardening: LDAPServerIntegrity not set to RequiredHIGHnetworkWindowsnative
AUD-WIN-DC-002DC hardening: LdapEnforceChannelBinding not Always (2)HIGHnetworkWindowsnative
AUD-WIN-DC-003DC hardening: anonymous SAM enumeration enabledHIGHidentityWindowsnative
AUD-WIN-DC-004DC hardening: server-side SMB signing not requiredHIGHnetworkWindowsnative
AUD-WIN-DC-005DC hardening: NTLMv1 / LM acceptedHIGHcryptoWindowsnative
AUD-WIN-DC-006DC hardening: NullSessionPipes or NullSessionShares non-emptyHIGHnetworkWindowsnative
AUD-WIN-DCH-002DC hardening: Point-and-Print not restricted to administratorsHIGHnetworkWindowsnative
AUD-WIN-DCH-003DC hardening: Defender ExclusionPath beyond MS DC baselineHIGHthreatWindowsnative
AUD-WIN-DCH-004DC hardening: DsrmAdminLogonBehavior allows DSRM admin in normal modeHIGHidentityWindowsnative
AUD-WIN-DCH-006DC hardening: DC OS below Server 2019HIGHintegrityWindowsnative
AUD-WIN-DCH-007DC hardening: latest hotfix older than 30 daysHIGHintegrityWindowsnative
AUD-WIN-DCH-008DC hardening: audit policy critical subcategories not at Success+FailureHIGHloggingWindowsnative
AUD-WIN-FH-001Forest hygiene: Domain Functional Level below Server 2016HIGHidentityWindowsnative
AUD-WIN-FH-002Forest hygiene: Forest Functional Level below Server 2016HIGHidentityWindowsnative
AUD-WIN-FH-003Forest hygiene: AD Recycle Bin not enabledHIGHidentityWindowsnative
AUD-WIN-FH-005Forest hygiene: SYSVOL replication still on FRS (deprecated)HIGHidentityWindowsnative
AUD-WIN-FH-006Forest hygiene: Default Domain Password Policy below baselineHIGHidentityWindowsnative
AUD-WIN-FH-007Forest hygiene: dSHeuristics anonymous LDAP bit setHIGHidentityWindowsnative
AUD-WIN-IDENT-001Built-in Administrator account (RID 500) is enabledHIGHidentityWindowsnative
AUD-WIN-IDENT-002Built-in Guest account (RID 501) is enabledHIGHidentityWindowsnative
AUD-WIN-IDENT-003Local password policy deviates from CIS / DISA STIG baselineHIGHidentityWindowsnative
AUD-WIN-IDENT-004Account lockout policy is below CIS / DISA STIG baselineHIGHidentityWindowsnative
AUD-WIN-IDENT-005Blank passwords are usable for network logons (LimitBlankPasswordUse=0)HIGHidentityWindowsnative
AUD-WIN-IDENT-006Anonymous (null-session) restrictions deviate from CIS / DISA STIGHIGHidentityWindowsnative
AUD-WIN-IDENT-007Local Administrators group membership has hygiene issuesHIGHidentityWindowsnative
AUD-WIN-IDENT-009LSASS / SAM credential storage protection below baselineHIGHidentityWindowsnative
AUD-WIN-IDENT-011UAC posture below CIS / DISA STIG baselineHIGHidentityWindowsnative
AUD-WIN-IDENT-012Sensitive User-Rights privileges granted to non-admin principalsHIGHidentityWindowsnative
AUD-WIN-INTEG-001BitLocker not configured / below CIS hardening baselineHIGHintegrityWindowsnative
AUD-WIN-INTEG-002Boot integrity below baseline (Secure Boot / TPM / ELAM)HIGHintegrityWindowsnative
AUD-WIN-INTEG-005Patch posture: stale last-update OR pending rebootHIGHintegrityWindowsnative
AUD-WIN-KRB-001Kerberos: user account with SPN is KerberoastableHIGHidentityWindowsnative
AUD-WIN-KRB-002Kerberos: account allows AS-REP roasting (DONT_REQUIRE_PREAUTH)HIGHidentityWindowsnative
AUD-WIN-KRB-004Kerberos: Resource-Based Constrained Delegation (RBCD) configuredHIGHidentityWindowsnative
AUD-WIN-KRB-005Kerberos: krbtgt account password not rotated within 180 daysHIGHidentityWindowsnative
AUD-WIN-KRB-006Kerberos: RC4 still allowed on Tier0 / privileged accountsHIGHcryptoWindowsnative
AUD-WIN-KRB-007Kerberos: krbtgt msDS-SupportedEncryptionTypes is not AES-onlyHIGHcryptoWindowsnative
AUD-WIN-KRB-008Kerberos: Domain Admins not protected from delegation abuseHIGHidentityWindowsnative
AUD-WIN-KRB-010Kerberos: ms-DS-MachineAccountQuota > 0 enables NoPac chainHIGHidentityWindowsnative
AUD-WIN-LOG-001PowerShell logging incomplete (Module / ScriptBlock / Transcription / PSv2)HIGHloggingWindowsnative
AUD-WIN-LOG-002Windows audit policy critical subcategories below baselineHIGHloggingWindowsnative
AUD-WIN-LOG-004Process Creation events missing command-line enrichmentHIGHloggingWindowsnative
AUD-WIN-LOG-005Recent log-tampering events present (1102 / 4719 / 104)HIGHforensicWindowsnative
AUD-WIN-NET-002SMB signing not required (client and/or server)HIGHnetworkWindowsnative
AUD-WIN-NET-003Name-resolution poisoning surface (LLMNR / NetBT) not disabledHIGHnetworkWindowsnative
AUD-WIN-NET-004Windows Defender Firewall posture below baselineHIGHnetworkWindowsnative
AUD-WIN-NET-006Hardened UNC Paths for SYSVOL / NETLOGON not configured (domain-joined)HIGHnetworkWindowsnative
AUD-WIN-PERS-002Service hardening: unquoted paths or non-admin-writable binariesHIGHpersistenceWindowsnative
AUD-WIN-PERS-003DLL hijacking surface: SafeDllSearchMode and writable PATH directoriesHIGHpersistenceWindowsnative
AUD-WIN-PERS-004Scheduled tasks: SYSTEM-as-RunAs with user-writable script, or Hidden flagHIGHpersistenceWindowsnative
AUD-WIN-PERS-T-003Persistence: HKLM Explorer Run policy off-baseline entriesHIGHpersistenceWindowsnative
AUD-WIN-PERS-T-004Persistence: HKEY_USERS\.DEFAULT Run / RunOnce off-baselineHIGHpersistenceWindowsnative
AUD-WIN-PERS-T-005Persistence: Active Setup StubPath off-baselineHIGHpersistenceWindowsnative
AUD-WIN-PERS-T-006Persistence: All Users / Default Startup folder contains off-baseline fileHIGHpersistenceWindowsnative
AUD-WIN-PERS-T-007Persistence: Winlogon Userinit not baselineHIGHpersistenceWindowsnative
AUD-WIN-PERS-T-009Persistence: Winlogon Taskman setHIGHpersistenceWindowsnative
AUD-WIN-PERS-T-011Persistence: UserInitMprLogonScript setHIGHpersistenceWindowsnative
AUD-WIN-PERS-T-014Persistence: Time Provider DLL off-baselineHIGHpersistenceWindowsnative
AUD-WIN-PERS-X-008Persistence T1546.015: COM hijack — CLSID InProcServer32 off-baselineHIGHpersistenceWindowsnative
AUD-WIN-PERS-X-010Persistence T1546.013: PowerShell profile.ps1 presentHIGHpersistenceWindowsnative
AUD-WIN-PERS-X-013Persistence T1068: known-vulnerable driver loaded (BYOVD)HIGHpersistenceWindowsnative
AUD-WIN-PERS-X-016Persistence T1543.003: service ImagePath in user-writable directoryHIGHpersistenceWindowsnative
AUD-WIN-PERS-X-020Persistence T1543.003: service Failure Command setHIGHpersistenceWindowsnative
AUD-WIN-PERS-X-022Persistence T1053.005: task Author / Principal mismatchHIGHpersistenceWindowsnative
AUD-WIN-PERS-X-023Persistence T1053.005: task with rare exotic trigger (COM/Boot/SessionStateChange)HIGHpersistenceWindowsnative
AUD-WIN-PERS-X-024Persistence T1053.002: legacy at.exe / .job in C:\Windows\TasksHIGHpersistenceWindowsnative
AUD-WIN-PG-001Privileged groups: Domain Admins inflationHIGHidentityWindowsnative
AUD-WIN-PG-002Privileged groups: Enterprise Admins non-emptyHIGHidentityWindowsnative
AUD-WIN-PG-003Privileged groups: Schema Admins non-emptyHIGHidentityWindowsnative
AUD-WIN-PG-004Privileged groups: DnsAdmins has non-Tier0 membersHIGHidentityWindowsnative
AUD-WIN-PG-007LAPS: coverage gap on managed computersHIGHidentityWindowsnative
AUD-WIN-PG-008LAPS: password attribute readable by non-Tier0HIGHidentityWindowsnative
AUD-WIN-PRIV-006Privesc: PowerShell v2 Optional Feature still installedHIGHloggingWindowsnative
AUD-WIN-PRIV-008Privesc T1562.001: Defender exclusion list excessive (>20 paths)HIGHthreatWindowsnative
AUD-WIN-PRIV-009Privesc T1003.001: LSASS RunAsPPL not enabledHIGHidentityWindowsnative
AUD-WIN-PRIV-010Privesc: LocalAccountTokenFilterPolicy = 1 (remote admin token)HIGHidentityWindowsnative
AUD-WIN-PRIV-011Privesc: UAC ConsentPromptBehaviorAdmin lowered below baselineHIGHidentityWindowsnative
AUD-WIN-PRIV-013Privesc T1098: built-in Administrator (RID 500) renamed or duplicatedHIGHidentityWindowsnative
AUD-WIN-PRIV-014Privesc T1003: DisableRestrictedAdmin = 0 (RestrictedAdmin allowed)HIGHidentityWindowsnative
AUD-WIN-PRIV-015Privesc T1574.001: SafeDllSearchMode disabled or CWDIllegalInDllSearch missingHIGHpersistenceWindowsnative
AUD-WIN-THREAT-002Defender cloud protection / sample submission / signatures staleHIGHthreatWindowsnative
AUD-WIN-THREAT-003Microsoft Defender Tamper Protection is OFFHIGHthreatWindowsnative
AUD-WIN-THREAT-004Microsoft Defender exclusions include overly-broad / abusable entriesHIGHthreatWindowsnative
AUD-WIN-THREAT-005Microsoft Defender ASR rules not in Block modeHIGHthreatWindowsnative
AUD-WIN-THREAT-006Defender Network Protection / Controlled Folder Access / PUA below baselineHIGHthreatWindowsnative
AUD-WIN-THREAT-007System-wide Exploit Protection (DEP/SEHOP/ASLR/CFG) below baselineHIGHthreatWindowsnative
AUD-WIN-TR-001Trust hygiene: sIDHistory present on user accountsHIGHidentityWindowsnative
AUD-WIN-TR-003Trust hygiene: forest trust without selective authenticationHIGHidentityWindowsnative
AUD-WIN-TR-004Trust hygiene: trust enctype includes RC4 or excludes AESHIGHcryptoWindowsnative
AUD-WIN-TR-005Trust hygiene: outbound forest trust without TGT-delegation blockHIGHidentityWindowsnative
AUD-LIN-DATA-004Session telemetry files (wtmp/btmp/lastlog) missing or with wrong permsMEDIUMdataLinuxnative
AUD-LIN-DATA-005pam_lastlog not enabled in /etc/pam.d/sshd or /etc/pam.d/loginMEDIUMdataLinuxnative
AUD-LIN-DATA-006No account-lockout module (pam_faillock / pam_tally2) in auth stackMEDIUMdataLinuxnative
AUD-LIN-DATA-008Data mount (/home, /var, /opt, /srv, /mnt/data) not on LUKSMEDIUMdataLinuxnative
AUD-LIN-DATA-009LUKS cipher or KDF below modern baselineMEDIUMdataLinuxnative
AUD-LIN-DATA-012No backup tool installed (borg/restic/duplicity/bacula/rclone)MEDIUMdataLinuxnative
AUD-LIN-DATA-013Backup tool installed but not scheduledMEDIUMdataLinuxnative
AUD-LIN-DATA-017Backup integrity check not run in last 90 daysMEDIUMdataLinuxnative
AUD-LIN-DATA-023SSH private key in user's ~/.ssh without passphraseMEDIUMdataLinuxnative
AUD-LIN-FORENSIC-006SSH authorized_keys file modified within the past 7 daysMEDIUMforensicLinuxnative
AUD-LIN-FS-001Sensitive mount point missing nodev / nosuid / noexecMEDIUMfilesystemLinuxnative
AUD-LIN-FS-008Files or directories with unowned (no user/group) UID/GIDMEDIUMfilesystemLinuxnative
AUD-LIN-FS-015/etc/login.defs policy too permissive (password aging, encrypt method, login retries)MEDIUMfilesystemLinuxnative
AUD-LIN-FS-017Kernel/fs sysctl deviates from CIS hardening baselineMEDIUMfilesystemLinuxnative
AUD-LIN-FS-018GRUB bootloader without password protectionMEDIUMfilesystemLinuxnative
AUD-LIN-FS-028Core dumps not fully disabled (limits.conf + suid_dumpable)MEDIUMfilesystemLinuxnative
AUD-LIN-FS-030/var/crash directory is group/world-writable or not root-ownedMEDIUMfilesystemLinuxnative
AUD-LIN-FS-035No File Integrity Monitoring (AIDE / tripwire / samhain) installedMEDIUMfilesystemLinuxnative
AUD-LIN-FS-036SELinux / AppArmor not enforcing (permissive or disabled)MEDIUMfilesystemLinuxnative
AUD-LIN-IDENT-009Password aging policy violations per-accountMEDIUMidentityLinuxnative
AUD-LIN-IDENT-010/etc/login.defs defaults off the CIS baselineMEDIUMidentityLinuxnative
AUD-LIN-IDENT-012Default umask permits group/world writeMEDIUMidentityLinuxnative
AUD-LIN-IDENT-013pam_pwquality not enforcing the CIS baselineMEDIUMidentityLinuxnative
AUD-LIN-IDENT-019Sudo credential cache lifetime violates CIS baselineMEDIUMidentityLinuxnative
AUD-LIN-IDENT-025SSH GSSAPI/Kerberos enabled without proper hardeningMEDIUMidentityLinuxnative
AUD-LIN-IDENT-026Account has SSH authorized_keys but hasn't logged in in 90+ daysMEDIUMidentityLinuxnative
AUD-LIN-IDENT-033Git credential helper = store (plaintext on disk)MEDIUMidentityLinuxnative
AUD-LIN-IDENT-037Account has interactive shell but has never been logged in (> 30 days old)MEDIUMidentityLinuxnative
AUD-LIN-IDENT-038SSH authentication failure spike from a single source IP (last 24h)MEDIUMidentityLinuxnative
AUD-LIN-INTEG-006Regular file with deliberately anomalous timestamp (epoch / Y2K / future)MEDIUMintegrityLinuxnative
AUD-LIN-INTEG-007Filename uses Unicode bidi control or homoglyph (name-spoof technique)MEDIUMintegrityLinuxnative
AUD-LIN-LOG-001auditd not present, not running, or has no rules loadedMEDIUMloggingLinuxnative
AUD-LIN-LOG-002Syslog has no remote forwarding configuredMEDIUMloggingLinuxnative
AUD-LIN-LOG-004auditd.conf not hardened to CIS recommendationsMEDIUMloggingLinuxnative
AUD-LIN-LOG-005Audit rules not set to immutable (-e 2)MEDIUMloggingLinuxnative
AUD-LIN-LOG-007Audit rules missing identity-file watches (passwd/shadow/group/sudoers)MEDIUMloggingLinuxnative
AUD-LIN-LOG-008Audit rules missing privilege-escalation coverage (setuid/setgid + security dir)MEDIUMloggingLinuxnative
AUD-LIN-LOG-009Audit rules missing execve syscall coverageMEDIUMloggingLinuxnative
AUD-LIN-LOG-011Audit rules missing file-delete coverage (unlink/rename)MEDIUMloggingLinuxnative
AUD-LIN-LOG-013Audit rules missing time-change coverageMEDIUMloggingLinuxnative
AUD-LIN-LOG-014Audit rules missing network-config coverageMEDIUMloggingLinuxnative
AUD-LIN-LOG-015Audit rules missing MAC-policy coverage (SELinux / AppArmor)MEDIUMloggingLinuxnative
AUD-LIN-LOG-016Audit rules missing session-event coverage (utmp/wtmp/btmp/lastlog)MEDIUMloggingLinuxnative
AUD-LIN-LOG-018Audit rules missing sysctl-change coverageMEDIUMloggingLinuxnative
AUD-LIN-LOG-019Audit rules missing cron-change coverageMEDIUMloggingLinuxnative
AUD-LIN-LOG-022rsyslog remote forwarding not using TLSMEDIUMloggingLinuxnative
AUD-LIN-LOG-023systemd-journal not persistent (volatile storage)MEDIUMloggingLinuxnative
AUD-LIN-MALWARE-005Running process executes from a deleted binaryMEDIUMmalwareLinuxnative
AUD-LIN-NET-008Public-address network listener inventoryMEDIUMnetworkLinuxnative
AUD-LIN-NET-011Kernel sysctl deviates from network / hardening baselineMEDIUMnetworkLinuxnative
AUD-LIN-NET-012/etc/resolv.conf points at an unrecognised public DNS serverMEDIUMnetworkLinuxnative
AUD-LIN-NET-015VPN client stack configured or activeMEDIUMnetworkLinuxnative
AUD-LIN-NET-018IP forwarding enabled on non-router hostMEDIUMnetworkLinuxnative
AUD-LIN-NET-019IPv6 enabled without matching firewall coverageMEDIUMnetworkLinuxnative
AUD-LIN-NET-020Docker bypasses host firewall (ufw / firewalld)MEDIUMnetworkLinuxnative
AUD-LIN-NET-021fail2ban absent / inactive / without SSH jail on Internet-exposed hostMEDIUMnetworkLinuxnative
AUD-LIN-NET-027TLS certificate exceeds 398-day validity, wildcards, or missing must-stapleMEDIUMcryptoLinuxnative
AUD-LIN-NET-030HTTPS endpoint missing or weak Strict-Transport-Security headerMEDIUMcryptoLinuxnative
AUD-LIN-NET-035sshd advertises RSA-SHA1 signature algorithm (ssh-rsa)MEDIUMcryptoLinuxnative
AUD-LIN-NET-036Local CA certificate added to system trust storeMEDIUMcryptoLinuxnative
AUD-LIN-PERSIST-005at(1) scheduler queue holds pending jobsMEDIUMpersistenceLinuxnative
AUD-LIN-PERSIST-006Cron/anacron file modified within the past 7 daysMEDIUMpersistenceLinuxnative
AUD-LIN-PERSIST-008Per-user systemd unit file present in a home directoryMEDIUMpersistenceLinuxnative
AUD-LIN-PERSIST-011Shell init file modified within the past 7 daysMEDIUMpersistenceLinuxnative
AUD-LIN-PROBE-005SMTP :25 accepts mail transactions without STARTTLSMEDIUMprobesLinuxnative
AUD-LIN-PROBE-006SMTP offers AUTH PLAIN / LOGIN before STARTTLS (cleartext credential risk)MEDIUMprobesLinuxnative
AUD-LIN-PROBE-009DNS server responds to ANY query with large amplified responseMEDIUMprobesLinuxnative
AUD-LIN-PROBE-010DNS resolver does not validate DNSSEC responsesMEDIUMprobesLinuxnative
AUD-LIN-PROBE-017rsync daemon on :873 lists modules anonymouslyMEDIUMprobesLinuxnative
AUD-LIN-SYSD-001Admin-installed root service missing systemd sandboxingMEDIUMservicesLinuxnative
AUD-LIN-THREAT-003Active peer in FireHOL Level 1 aggregated blocklistMEDIUMthreatLinuxnative
AUD-LIN-THREAT-007Active peer classified malicious by GreyNoise CommunityMEDIUMthreatLinuxnative
AUD-LIN-THREAT-011DNS queries match DGA / beacon patterns in recent journalMEDIUMthreatLinuxnative
AUD-LIN-THREAT-015Suspicious / unexpected eBPF program loadedMEDIUMthreatLinuxnative
AUD-LIN-THREAT-017System binary in /usr/bin /usr/sbin modified recently without package provenanceMEDIUMthreatLinuxnative
AUD-LIN-WEB-001Web server returns an auto-generated directory listingMEDIUMwebLinuxnative
AUD-LIN-WEB-004Web server missing core security headersMEDIUMwebLinuxnative
AUD-LIN-WEB-008Admin panel reachable (phpMyAdmin, wp-admin, Grafana, Jenkins, /console)MEDIUMwebLinuxnative
AUD-LIN-WEB-009Cookie flags or CORS policy weak on a reachable endpointMEDIUMwebLinuxnative
AUD-LIN-WEB-010Error page leaks server version, path, or framework internalsMEDIUMwebLinuxnative
AUD-WIN-CRYPTO-002NTLM outbound restriction / inbound audit not configuredMEDIUMcryptoWindowsnative
AUD-WIN-DC-007DC hardening: LDAP simple-bind audit not enabledMEDIUMloggingWindowsnative
AUD-WIN-DCH-009DC hardening: NTLM inbound not restricted or auditedMEDIUMnetworkWindowsnative
AUD-WIN-FH-004Forest hygiene: tombstone lifetime below 180 daysMEDIUMidentityWindowsnative
AUD-WIN-IDENT-008Local Administrator-group member appears dormant or staleMEDIUMidentityWindowsnative
AUD-WIN-IDENT-010Cached domain credential surface above CIS L2 baselineMEDIUMidentityWindowsnative
AUD-WIN-INTEG-003Kernel DMA Protection enumeration policy not set to Block allMEDIUMintegrityWindowsnative
AUD-WIN-INTEG-004Application Control (WDAC / Smart App Control) not enforcedMEDIUMintegrityWindowsnative
AUD-WIN-INTEG-006AutoPlay / AutoRun not disabled (USB privesc surface)MEDIUMintegrityWindowsnative
AUD-WIN-LOG-003Event Log channels below minimum size / unsafe retention modeMEDIUMloggingWindowsnative
AUD-WIN-LOG-006Sysmon not installed / not configuredMEDIUMloggingWindowsnative
AUD-WIN-NET-005WPAD service not disabled (proxy-poisoning surface)MEDIUMnetworkWindowsnative
AUD-WIN-PERS-T-001Persistence: HKLM Run / Wow6432Node Run off-baseline entriesMEDIUMpersistenceWindowsnative
AUD-WIN-PERS-T-002Persistence: HKLM RunOnce / RunOnceEx off-baseline entriesMEDIUMpersistenceWindowsnative
AUD-WIN-PERS-X-019Persistence T1543.003: service registry key created within 30 daysMEDIUMpersistenceWindowsnative
AUD-WIN-PG-005Privileged groups: Operators groups populatedMEDIUMidentityWindowsnative
AUD-LIN-DATA-002Critical logs missing append-only (chattr +a) attributeLOWdataLinuxnative
AUD-LIN-DATA-003Log rotation gaps — most recent rotated log is oldLOWdataLinuxnative
AUD-LIN-DATA-010LUKS keyslots inventory (advisory)LOWdataLinuxnative
AUD-LIN-DATA-011Hibernation enabled AND swap unencrypted — memory-to-disk leakLOWdataLinuxnative
AUD-LIN-FS-002CIS-required mountpoint not on a separate partitionLOWfilesystemLinuxnative
AUD-LIN-FS-003/proc not mounted with hidepid=2 (unprivileged users enumerate all processes)LOWfilesystemLinuxnative
AUD-LIN-FS-012Critical identity files lack immutable attribute (chattr +i)LOWfilesystemLinuxnative
AUD-LIN-FS-014Default umask for new users is too permissive (>022)LOWfilesystemLinuxnative
AUD-LIN-FS-019Kernel cmdline missing CPU mitigations / hardening flagsLOWfilesystemLinuxnative
AUD-LIN-FS-021UEFI Secure Boot disabledLOWfilesystemLinuxnative
AUD-LIN-FS-022Kernel lockdown LSM not active (state=none)LOWfilesystemLinuxnative
AUD-LIN-FS-023Legacy filesystem kernel modules not blacklisted (cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf)LOWfilesystemLinuxnative
AUD-LIN-FS-024Rare net-protocol kernel modules not blacklisted (dccp, rds, sctp, tipc)LOWfilesystemLinuxnative
AUD-LIN-FS-025USB-storage / firewire / thunderbolt kernel modules enabledLOWfilesystemLinuxnative
AUD-LIN-FS-026Kernel accepts unsigned modules (module signing not enforced)LOWfilesystemLinuxnative
AUD-LIN-FS-029systemd-coredump configured to store cores on diskLOWfilesystemLinuxnative
AUD-LIN-FS-031kdump target directory insecure or kdump mis-configuredLOWfilesystemLinuxnative
AUD-LIN-FS-032NTP configured without authentication (NTS)LOWfilesystemLinuxnative
AUD-LIN-FS-033NTP configured with fewer than 3 servers (no fault tolerance)LOWfilesystemLinuxnative
AUD-LIN-FS-034systemd-timesyncd relies only on FallbackNTP (no explicit NTP= primary servers)LOWfilesystemLinuxnative
AUD-LIN-FS-037/boot directory has lax permissionsLOWfilesystemLinuxnative
AUD-LIN-FS-039Swap on unencrypted block device (memory leak on disk)LOWfilesystemLinuxnative
AUD-LIN-FS-041/etc/security/limits.conf missing nproc / nofile caps (DoS surface)LOWfilesystemLinuxnative
AUD-LIN-FS-044initramfs image has lax permissionsLOWfilesystemLinuxnative
AUD-LIN-FS-045Recent modifications to /etc (post-compromise detection)LOWfilesystemLinuxnative
AUD-LIN-FS-046/proc missing nosuid / nodev mount optionsLOWfilesystemLinuxnative
AUD-LIN-FS-047Additional hardening sysctl knobs beyond network + kernel/fsLOWfilesystemLinuxnative
AUD-LIN-LOG-006Audit rules not loaded or critically sparse (<20)LOWloggingLinuxnative
AUD-LIN-LOG-012Audit rules missing mount/umount coverageLOWloggingLinuxnative
AUD-LIN-LOG-021rsyslog config has syntax errors (rsyslogd -N1 non-zero)LOWloggingLinuxnative
AUD-LIN-LOG-024journald retention policy not explicitly setLOWloggingLinuxnative
AUD-LIN-LOG-025systemd-journal Forward Secure Sealing (FSS) not enabledLOWloggingLinuxnative
AUD-LIN-LOG-026logrotate timer inactive or config has errorsLOWloggingLinuxnative
AUD-LIN-LOG-027auditd events not forwarded to SIEM (audispd-plugins / laurel inactive)LOWloggingLinuxnative
AUD-LIN-LOG-028systemd-journal-upload not configured or inactiveLOWloggingLinuxnative
AUD-LIN-NET-010No rate-limit rules detected on Internet-reachable hostLOWnetworkLinuxnative
AUD-LIN-NET-014Wireless or Bluetooth stack active on server hostLOWnetworkLinuxnative
AUD-LIN-NET-029Domain serving TLS has no DNS CAA recordLOWcryptoLinuxnative
AUD-LIN-NET-031TLS endpoint does not staple OCSP responsesLOWcryptoLinuxnative
AUD-LIN-PROBE-003SSH banner leaks distro / OpenSSH version (pre-auth info disclosure)LOWprobesLinuxnative
AUD-LIN-THREAT-005Active peer or recent login is a TOR exit nodeLOWthreatLinuxnative
AUD-LIN-THREAT-008Embedded threat feeds are staleLOWthreatLinuxnative
AUD-LIN-THREAT-010Active peer in country outside operator's business geographyLOWthreatLinuxnative
CFG-DOCKER-001Docker daemon listens on TCP without TLSCRITICALhardeningLinuxconfig
CFG-MYSQL-001MySQL binds to 0.0.0.0 (publicly reachable)CRITICALhardeningLinuxconfig
CFG-PG-001PostgreSQL listens on all interfacesCRITICALhardeningLinuxconfig
CFG-REDIS-001Redis listens on 0.0.0.0 without passwordCRITICALhardeningLinuxconfig
CFG-SSH-002SSH allows password authenticationCRITICALhardeningLinuxconfig
CHAIN-DB-EXPOSED-WEAK-AUTHDatabase exposed publicly with weak auth mechanismCRITICALchainLinuxchain
CHAIN-DOCKER-SOCKETDocker socket mount + privileged container = host rootCRITICALchainLinuxchain
CHAIN-KEV-EXPOSEDInternet-exposed service with KEV vulnerabilityCRITICALchainLinuxchain
CHAIN-ROOT-PASS-SSHDirect root SSH + no lockout → trivial compromiseCRITICALchainLinuxchain
CHAIN-SSH-KEY-LEAKSSH private key found + key reused across hostsCRITICALchainLinuxchain
CFG-APACHE-001Apache allows legacy TLS protocolsHIGHhardeningLinuxconfig
CFG-APACHE-002Apache allows weak SSL ciphersHIGHhardeningLinuxconfig
CFG-APACHE-007Apache FollowSymLinks without SymLinksIfOwnerMatchHIGHhardeningLinuxconfig
CFG-APACHE-012Apache HTTP methods include PUT/DELETE without WebDAV configurationHIGHhardeningLinuxconfig
CFG-CADDY-001Caddy admin API exposed beyond localhostHIGHhardeningLinuxconfig
CFG-CRON-002Cron job downloads and executes remote scriptHIGHhardeningLinuxconfig
CFG-CRONTAB-001System crontab runs scripts from /tmp or /var/tmpHIGHhardeningLinuxconfig
CFG-DOCKER-002Docker userns-remap not enabledHIGHhardeningLinuxconfig
CFG-DOCKER-007Docker compose runs privileged containersHIGHhardeningLinuxconfig
CFG-DOCKER-008Docker compose mounts host docker.sockHIGHhardeningLinuxconfig
CFG-ENV-001Environment file contains secretsHIGHhardeningLinuxconfig
CFG-K8S-001Kubernetes Pod without securityContextHIGHhardeningLinuxconfig
CFG-K8S-002Kubernetes Pod with privileged: trueHIGHhardeningLinuxconfig
CFG-K8S-003Kubernetes Pod with hostNetwork: trueHIGHhardeningLinuxconfig
CFG-K8S-004Kubernetes Pod with hostPID: trueHIGHhardeningLinuxconfig
CFG-K8S-005Kubernetes Pod mounts host filesystemHIGHhardeningLinuxconfig
CFG-MYSQL-002MySQL local_infile enabledHIGHhardeningLinuxconfig
CFG-MYSQL-003MySQL skip-grant-tables modeHIGHhardeningLinuxconfig
CFG-NGINX-001Nginx uses legacy TLS protocols (TLSv1.0/1.1)HIGHhardeningLinuxconfig
CFG-NGINX-002Nginx allows weak SSL ciphersHIGHhardeningLinuxconfig
CFG-NGINX-009Nginx SSL session ticket keys may leak PFSHIGHhardeningLinuxconfig
CFG-PAM-001PAM password quality enforcement missingHIGHhardeningLinuxconfig
CFG-PG-002pg_hba allows trust authenticationHIGHhardeningLinuxconfig
CFG-PG-003pg_hba uses MD5 password authHIGHhardeningLinuxconfig
CFG-PG-004pg_hba allows 0.0.0.0/0 (world-accessible)HIGHhardeningLinuxconfig
CFG-REDIS-002Redis protected-mode disabledHIGHhardeningLinuxconfig
CFG-REDIS-003Redis without requirepassHIGHhardeningLinuxconfig
CFG-SSH-001SSH permits root login with passwordHIGHhardeningLinuxconfig
CFG-SSH-003SSH allows empty passwordsHIGHhardeningLinuxconfig
CFG-SUDOERS-001sudoers allows NOPASSWD for ALL commandsHIGHhardeningLinuxconfig
CFG-SUDOERS-002sudoers.d contains NOPASSWD wildcardsHIGHhardeningLinuxconfig
CFG-UFW-002UFW disabledHIGHhardeningLinuxconfig
CHAIN-LEGACY-AUTHPassword auth + no rate limit + no 2FAHIGHchainLinuxchain
CHAIN-SSH-BRUTESSH brute-force → account takeoverHIGHchainLinuxchain
CHAIN-SUDO-NOPASSWD-WEBWeb user has NOPASSWD sudo — RCE becomes rootHIGHchainLinuxchain
CHAIN-TLS-WEAK-HSTS-NONEWeak TLS + no HSTS = MITM downgrade viableHIGHchainLinuxchain
CHAIN-WEAK-POLICY-PIIWeak password policy on system that stores PIIHIGHchainLinuxchain
CHAIN-WRITABLE-CRONWorld-writable cron-invoked script = persistenceHIGHchainLinuxchain
CFG-APACHE-003Apache ServerTokens leaks versionIMPORTANThardeningLinuxconfig
CFG-APACHE-004Apache ServerSignature onIMPORTANThardeningLinuxconfig
CFG-APACHE-005Apache directory listing enabled (Options Indexes)IMPORTANThardeningLinuxconfig
CFG-APACHE-006Apache TRACE method enabledIMPORTANThardeningLinuxconfig
CFG-APACHE-011Apache runs as root (User root)IMPORTANThardeningLinuxconfig
CFG-CADDY-002Caddy missing HSTS headerIMPORTANThardeningLinuxconfig
CFG-CADDY-007Caddy missing CSP headerIMPORTANThardeningLinuxconfig
CFG-CRON-005/etc/cron.allow missing — any user can install cron jobsIMPORTANThardeningLinuxconfig
CFG-DOCKER-003Docker live-restore disabledIMPORTANThardeningLinuxconfig
CFG-DOCKER-004Docker icc=true (default) — inter-container communicationIMPORTANThardeningLinuxconfig
CFG-DOCKER-006Docker log-driver leaves containers unloggedIMPORTANThardeningLinuxconfig
CFG-DOCKER-009Docker compose uses host networkIMPORTANThardeningLinuxconfig
CFG-DOCKER-010Docker compose uses pid=hostIMPORTANThardeningLinuxconfig
CFG-IPT-001iptables config has ACCEPT policy on INPUTIMPORTANThardeningLinuxconfig
CFG-K8S-006Kubernetes Pod runs as rootIMPORTANThardeningLinuxconfig
CFG-K8S-007Kubernetes Pod without resource limitsIMPORTANThardeningLinuxconfig
CFG-K8S-009Kubernetes ServiceAccount auto-mountedIMPORTANThardeningLinuxconfig
CFG-K8S-010Kubernetes Pod uses :latest image tagIMPORTANThardeningLinuxconfig
CFG-LOGIN-001Password max age too long or unsetIMPORTANThardeningLinuxconfig
CFG-LOGIN-003Weak password hashing algorithmIMPORTANThardeningLinuxconfig
CFG-MYSQL-004MySQL skip-networking off + no bind restrictionIMPORTANThardeningLinuxconfig
CFG-MYSQL-005MySQL ssl not explicitly enabledIMPORTANThardeningLinuxconfig
CFG-MYSQL-007MySQL validate_password plugin not configuredIMPORTANThardeningLinuxconfig
CFG-MYSQL-009MySQL old_passwords hash algorithmIMPORTANThardeningLinuxconfig
CFG-NGINX-003Nginx server_tokens enabled (version leak)IMPORTANThardeningLinuxconfig
CFG-NGINX-004Nginx missing HSTS headerIMPORTANThardeningLinuxconfig
CFG-NGINX-008Nginx autoindex enabled (directory listing)IMPORTANThardeningLinuxconfig
CFG-NGINX-011Nginx access_log disabled globallyIMPORTANThardeningLinuxconfig
CFG-NGINX-014Nginx listens on 0.0.0.0 for status/stub endpointIMPORTANThardeningLinuxconfig
CFG-NGINX-015Nginx ssl_prefer_server_ciphers not setIMPORTANThardeningLinuxconfig
CFG-NGINX-018Nginx location allows .git / .env / backup file accessIMPORTANThardeningLinuxconfig
CFG-PAM-002PAM does not enforce strong password hashingIMPORTANThardeningLinuxconfig
CFG-PAM-003PAM allows empty passwords via nullokIMPORTANThardeningLinuxconfig
CFG-PAM-004PAM account lockout missingIMPORTANThardeningLinuxconfig
CFG-PAM-008PAM password policy not enforced for rootIMPORTANThardeningLinuxconfig
CFG-PG-005Postgres SSL disabledIMPORTANThardeningLinuxconfig
CFG-PG-006Postgres password_encryption weaker than scram-sha-256IMPORTANThardeningLinuxconfig
CFG-PG-008Postgres log_connections / log_disconnections offIMPORTANThardeningLinuxconfig
CFG-PG-009Postgres log_disconnections offIMPORTANThardeningLinuxconfig
CFG-PG-012Postgres ssl_min_protocol_version below TLSv1.2IMPORTANThardeningLinuxconfig
CFG-PG-014Postgres port is default 5432 and listening publiclyIMPORTANThardeningLinuxconfig
CFG-PG-015Postgres row_security disabled globallyIMPORTANThardeningLinuxconfig
CFG-REDIS-004Redis dangerous commands not renamedIMPORTANThardeningLinuxconfig
CFG-REDIS-007Redis uses weak ACL or no ACLIMPORTANThardeningLinuxconfig
CFG-SSH-004SSH MaxAuthTries too permissiveIMPORTANThardeningLinuxconfig
CFG-SSH-005SSH LoginGraceTime too longIMPORTANThardeningLinuxconfig
CFG-SSH-006SSH uses weak ciphersIMPORTANThardeningLinuxconfig
CFG-SSH-007SSH uses weak MACsIMPORTANThardeningLinuxconfig
CFG-SSH-008SSH X11 forwarding enabledIMPORTANThardeningLinuxconfig
CFG-SSH-010SSH protocol 1 enabledIMPORTANThardeningLinuxconfig
CFG-SSH-011SSH ClientAliveInterval not setIMPORTANThardeningLinuxconfig
CFG-SSH-013SSH uses weak KexAlgorithmsIMPORTANThardeningLinuxconfig
CFG-SSH-014SSH MaxSessions too highIMPORTANThardeningLinuxconfig
CFG-SSH-016SSH HostbasedAuthentication enabledIMPORTANThardeningLinuxconfig
CFG-SSH-019SSH allows non-approved usersIMPORTANThardeningLinuxconfig
CFG-SUDOERS-003sudoers allows !authenticate globallyIMPORTANThardeningLinuxconfig
CFG-SYSCTL-001Kernel ASLR not fully enabledIMPORTANThardeningLinuxconfig
CFG-SYSCTL-002Kernel pointers leak via /procIMPORTANThardeningLinuxconfig
CFG-SYSCTL-012dmesg readable by unprivileged usersIMPORTANThardeningLinuxconfig
CFG-SYSCTL-013Unprivileged eBPF allowedIMPORTANThardeningLinuxconfig
CFG-SYSCTL-014kexec runtime replacement allowedIMPORTANThardeningLinuxconfig
CFG-UFW-001UFW default incoming policy is allowIMPORTANThardeningLinuxconfig
CFG-APACHE-008Apache missing HSTS headerMEDIUMhardeningLinuxconfig
CFG-APACHE-009Apache missing X-Frame-OptionsMEDIUMhardeningLinuxconfig
CFG-APACHE-010Apache missing X-Content-Type-OptionsMEDIUMhardeningLinuxconfig
CFG-CADDY-003Caddy missing X-Frame-Options / clickjacking defenseMEDIUMhardeningLinuxconfig
CFG-CADDY-004Caddy missing X-Content-Type-OptionsMEDIUMhardeningLinuxconfig
CFG-CADDY-005Caddy TLS config allows legacy protocolsMEDIUMhardeningLinuxconfig
CFG-CADDY-006Caddy access log disabledMEDIUMhardeningLinuxconfig
CFG-CRON-003Cron job uses shell with relative pathMEDIUMhardeningLinuxconfig
CFG-CRON-004Cron PATH includes current directoryMEDIUMhardeningLinuxconfig
CFG-DOCKER-005Docker disable-legacy-registry not setMEDIUMhardeningLinuxconfig
CFG-DOCKER-011Docker default bridge not isolatedMEDIUMhardeningLinuxconfig
CFG-DOCKER-012Docker no-new-privileges not set on containersMEDIUMhardeningLinuxconfig
CFG-HOSTS-001/etc/hosts has unexpected remote IPsMEDIUMhardeningLinuxconfig
CFG-K8S-008Kubernetes Pod without readOnlyRootFilesystemMEDIUMhardeningLinuxconfig
CFG-LOGIN-002Password min age not enforcedMEDIUMhardeningLinuxconfig
CFG-LOGIN-004SHA_CRYPT rounds below 65536 (only relevant when ENCRYPT_METHOD=SHA512)MEDIUMhardeningLinuxconfig
CFG-LOGIN-005Default UMASK too permissiveMEDIUMhardeningLinuxconfig
CFG-MYSQL-006MySQL log_error points to a world-readable locationMEDIUMhardeningLinuxconfig
CFG-MYSQL-008MySQL general_log enabled (performance + privacy)MEDIUMhardeningLinuxconfig
CFG-MYSQL-010MySQL secure_file_priv empty (arbitrary filesystem access)MEDIUMhardeningLinuxconfig
CFG-NGINX-005Nginx missing X-Frame-OptionsMEDIUMhardeningLinuxconfig
CFG-NGINX-006Nginx missing X-Content-Type-OptionsMEDIUMhardeningLinuxconfig
CFG-NGINX-007Nginx missing Content-Security-Policy headerMEDIUMhardeningLinuxconfig
CFG-NGINX-010Nginx client_max_body_size very large or defaultMEDIUMhardeningLinuxconfig
CFG-NGINX-012Nginx OCSP stapling not enabledMEDIUMhardeningLinuxconfig
CFG-NGINX-013Nginx keepalive_timeout very longMEDIUMhardeningLinuxconfig
CFG-NGINX-016Nginx missing Referrer-PolicyMEDIUMhardeningLinuxconfig
CFG-PAM-005PAM password reuse history not enforcedMEDIUMhardeningLinuxconfig
CFG-PAM-006PAM pwquality minclass not enforcedMEDIUMhardeningLinuxconfig
CFG-PAM-007PAM pwquality minlen too shortMEDIUMhardeningLinuxconfig
CFG-PAM-009PAM doesn't enforce difokMEDIUMhardeningLinuxconfig
CFG-PG-007Postgres logging disabled or minimalMEDIUMhardeningLinuxconfig
CFG-PG-010Postgres statement_timeout unlimitedMEDIUMhardeningLinuxconfig
CFG-PG-011Postgres log_line_prefix missing %h (host) or %u (user)MEDIUMhardeningLinuxconfig
CFG-PG-013Postgres shared_preload_libraries misses pg_stat_statementsMEDIUMhardeningLinuxconfig
CFG-REDIS-005Redis uses default port 6379MEDIUMhardeningLinuxconfig
CFG-REDIS-008Redis logs to stdout without rotationMEDIUMhardeningLinuxconfig
CFG-RESOLV-001/etc/resolv.conf uses unknown DNS serverMEDIUMhardeningLinuxconfig
CFG-SSH-009SSH AllowTcpForwarding enabledMEDIUMhardeningLinuxconfig
CFG-SSH-015SSH UsePAM offMEDIUMhardeningLinuxconfig
CFG-SSH-017SSH IgnoreRhosts noMEDIUMhardeningLinuxconfig
CFG-SSH-018SSH banner not setMEDIUMhardeningLinuxconfig
CFG-SSH-020SSH PermitUserEnvironment yesMEDIUMhardeningLinuxconfig
CFG-SUDOERS-004sudoers missing log_input/log_outputMEDIUMhardeningLinuxconfig
CFG-SYSCTL-003TCP SYN cookies disabledMEDIUMhardeningLinuxconfig
CFG-SYSCTL-004ICMP redirects acceptedMEDIUMhardeningLinuxconfig
CFG-SYSCTL-005IP source routing acceptedMEDIUMhardeningLinuxconfig
CFG-SYSCTL-006Core dumps not disabled for SUID binariesMEDIUMhardeningLinuxconfig
CFG-SYSCTL-007Reverse path filtering disabledMEDIUMhardeningLinuxconfig
CFG-SYSCTL-008IP forwarding enabled on non-routerMEDIUMhardeningLinuxconfig
CFG-SYSCTL-009Martian packets not loggedMEDIUMhardeningLinuxconfig
CFG-SYSCTL-010ICMP echo broadcasts allowedMEDIUMhardeningLinuxconfig
CFG-SYSCTL-011TCP timestamps enabled (uptime leak)MEDIUMhardeningLinuxconfig
CFG-SYSCTL-015ptrace unrestricted for sibling processesMEDIUMhardeningLinuxconfig
CFG-SYSCTL-016Hardlink/symlink protections disabledMEDIUMhardeningLinuxconfig
CFG-UFW-003UFW logging disabledMEDIUMhardeningLinuxconfig
CFG-UFW-004UFW IPv6 disabledMEDIUMhardeningLinuxconfig
CFG-CADDY-008Caddy header reveals unnecessary Server infoLOWhardeningLinuxconfig
CFG-CRON-001No cron jobs found in /etc/crontab — verify systemd-timers cover periodic tasksLOWhardeningLinuxconfig
CFG-NGINX-017Nginx missing Permissions-PolicyLOWhardeningLinuxconfig
CFG-PAM-010PAM gecoscheck disabledLOWhardeningLinuxconfig
CFG-REDIS-006Redis AOF persistence disabled (data-integrity, not security)LOWhardeningLinuxconfig
CFG-SSH-012SSH listens on default port 22 (operational note)LOWhardeningLinuxconfig