Check catalogue
Every check Obexum ships, generated directly from the engine registry. Three deterministic engines: 447 native checks (Go probes with explicit pass/fail logic), 162 configuration controls (the config-rule engine, CFG-*), and 11 attack-chain detections (CHAIN-*) — 620 in total. Each maps to a rule_id you can drill into with obexum findings show <id>.
447
Native checks
162
Config controls
11
Attack chains
620
Total
| Rule ID | Title | Severity | Category | Platform | Engine |
|---|---|---|---|---|---|
AUD-LIN-IDENT-001 | Weak shadow passwords (dictionary) | CRITICAL | identity | Linux | native |
AUD-LIN-IDENT-002 | Account with empty password in /etc/shadow | CRITICAL | identity | Linux | native |
AUD-LIN-IDENT-007 | Non-root account with UID 0 | CRITICAL | identity | Linux | native |
AUD-LIN-IDENT-023 | SSH known_hosts records a known-malicious peer | CRITICAL | threat | Linux | native |
AUD-LIN-MALWARE-006 | Known-malware signature match (rootkits, bots, C2, ransomware, stealers, webshells) | CRITICAL | malware | Linux | native |
AUD-LIN-NET-001 | Redis reachable without authentication | CRITICAL | network | Linux | native |
AUD-LIN-NET-002 | MongoDB accepts admin commands without authentication | CRITICAL | network | Linux | native |
AUD-LIN-NET-003 | MySQL/MariaDB root accepts empty password | CRITICAL | network | Linux | native |
AUD-LIN-NET-004 | Elasticsearch REST API reachable without authentication | CRITICAL | network | Linux | native |
AUD-LIN-PROBE-004 | SMTP server is open relay (accepts mail to external domain without auth) | CRITICAL | probes | Linux | native |
AUD-LIN-PROBE-013 | SMB server accepts SMBv1 dialect (WannaCry / EternalBlue exposure) | CRITICAL | probes | Linux | native |
AUD-LIN-PROBE-020 | Redis accepts commands without AUTH (RCE surface) | CRITICAL | probes | Linux | native |
AUD-LIN-PROBE-022 | MongoDB accepts commands without authentication | CRITICAL | probes | Linux | native |
AUD-LIN-PROBE-023 | Elasticsearch cluster state readable without authentication | CRITICAL | probes | Linux | native |
AUD-LIN-PROBE-024 | Docker Engine API :2375 exposed (no-TLS, no-auth) | CRITICAL | probes | Linux | native |
AUD-LIN-PROBE-025 | Kubernetes API :6443 allows anonymous access | CRITICAL | probes | Linux | native |
AUD-LIN-THREAT-001 | Active connections to known-malicious IPs | CRITICAL | threat | Linux | native |
AUD-LIN-THREAT-002 | Active peer in Spamhaus DROP netblock (hijacked / bulletproof hosting) | CRITICAL | threat | Linux | native |
AUD-LIN-WEB-003 | .env file exposed via web server | CRITICAL | web | Linux | native |
AUD-LIN-WEB-005 | Webshell signature found in web root | CRITICAL | malware | Linux | native |
AUD-WIN-ACL-001 | AD ACL: DCSync extended rights granted to non-Tier0 principal | CRITICAL | identity | Windows | native |
AUD-WIN-ACL-002 | AD ACL: AdminSDHolder ACL drift — non-Tier0 holds dangerous rights | CRITICAL | identity | Windows | native |
AUD-WIN-ACL-003 | AD ACL: takeover rights on Tier0 group held by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-ACL-004 | AD ACL: takeover rights on domain root held by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-ACL-006 | AD ACL: ForceChangePassword on Tier0 user held by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-ACL-007 | AD ACL: AddMember (member WriteProperty) on Tier0 group held by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-ACL-008 | AD ACL: full control over Tier0 user held by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-ACL-009 | AD ACL: Shadow Credentials write on Tier0 held by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-ACL-010 | AD ACL: Tier0 object owner is non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-ACL-011 | AD ACL: Domain Controllers OU writable by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-ACL-012 | AD ACL: DC computer object writable by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-ADCS-001 | ADCS ESC1: certificate template allows alternate-SAN supply with client-auth EKU | CRITICAL | identity | Windows | native |
AUD-WIN-ADCS-002 | ADCS ESC2: certificate template grants Any Purpose EKU | CRITICAL | identity | Windows | native |
AUD-WIN-ADCS-004 | ADCS ESC4: certificate template ACL writable by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-ADCS-006 | ADCS ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 set on CA | CRITICAL | identity | Windows | native |
AUD-WIN-ADCS-008 | ADCS ESC8: web enrollment endpoint exposed without HTTPS+EPA | CRITICAL | identity | Windows | native |
AUD-WIN-ADCS-015 | ADCS ESC15 / EKUwu: schema-v1 template with ENROLLEE_SUPPLIES_SUBJECT | CRITICAL | identity | Windows | native |
AUD-WIN-DC-008 | DC hardening: SMB1Protocol Windows feature still installed | CRITICAL | network | Windows | native |
AUD-WIN-DCH-001 | DC hardening: Print Spooler service running on DC | CRITICAL | network | Windows | native |
AUD-WIN-DCH-005 | DC hardening: DC computer object has constrained-delegation set | CRITICAL | identity | Windows | native |
AUD-WIN-DCH-010 | DC hardening: WDigest UseLogonCredential allows cleartext credentials | CRITICAL | identity | Windows | native |
AUD-WIN-GPO-001 | GPO: Group Policy Preferences cpassword left in SYSVOL | CRITICAL | identity | Windows | native |
AUD-WIN-GPO-002 | GPO: Policies\{GUID} folder writable by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-GPO-003 | GPO: Restricted Groups adds non-Tier0 to a Tier0 group | CRITICAL | identity | Windows | native |
AUD-WIN-GPO-004 | GPO: GPO linked to Domain Controllers OU writable by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-GPO-005 | GPO: NETLOGON script writable by non-Tier0 or contains cleartext credentials | CRITICAL | identity | Windows | native |
AUD-WIN-GPO-006 | GPO: SYSVOL share root writable by non-Tier0 | CRITICAL | identity | Windows | native |
AUD-WIN-KRB-003 | Kerberos: unconstrained delegation enabled on non-DC computer | CRITICAL | identity | Windows | native |
AUD-WIN-KRB-009 | Kerberos: constrained delegation to sensitive service | CRITICAL | identity | Windows | native |
AUD-WIN-NET-001 | SMBv1 protocol enabled (client driver and/or server) | CRITICAL | network | Windows | native |
AUD-WIN-PERS-001 | AlwaysInstallElevated set to 1 (privesc primitive) | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-T-008 | Persistence: Winlogon Shell not baseline | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-T-010 | Persistence: Winlogon GinaDLL set (legacy NT) | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-T-012 | Persistence: Winlogon Notify subkeys present | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-T-013 | Persistence: LSA Authentication/Notification/Security Packages off-baseline | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-T-015 | Persistence: Print Monitor / Print Processor DLL off-baseline | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-001 | Persistence T1546.012: IFEO Debugger value set | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-002 | Persistence T1546.012: IFEO SilentProcessExit MonitorProcess | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-003 | Persistence T1546.008: accessibility binary tamper | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-004 | Persistence T1546.009: AppCertDLLs registry not empty | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-005 | Persistence T1546.010: AppInit_DLLs + LoadAppInit_DLLs enabled | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-006 | Persistence T1546.011: custom Application Shim Database installed | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-007 | Persistence T1546.007: Netsh Helper DLL off-baseline | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-009 | Persistence T1546.003: WMI EventFilter / Consumer / Binding present | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-011 | Persistence T1574: kernel-mode driver ImagePath off-System32 | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-012 | Persistence T1547.002: LSA OSConfig / SSP drift | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-014 | Persistence T1547.006: boot/system start service has off-baseline ImagePath | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-015 | Persistence T1574: svchost service group has off-baseline ServiceDll | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-017 | Persistence T1543.003: service registry SDDL writable by Authenticated Users | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-018 | Persistence T1543.003: service ImagePath has suspicious command-line | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-021 | Persistence T1053.005: scheduled task SYSTEM + user-writable image | CRITICAL | persistence | Windows | native |
AUD-WIN-PERS-X-025 | Persistence T1053.005: hidden task running SYSTEM with suspicious command | CRITICAL | persistence | Windows | native |
AUD-WIN-PG-006 | Privileged groups: Pre-Windows 2000 Compatible Access has broad principal | CRITICAL | identity | Windows | native |
AUD-WIN-PRIV-001 | Privesc T1574.007: writable directory in PATH before System32 | CRITICAL | persistence | Windows | native |
AUD-WIN-PRIV-002 | Privesc T1574.001: KnownDLLs registry has off-baseline entry | CRITICAL | persistence | Windows | native |
AUD-WIN-PRIV-003 | Privesc T1574.012: COR_PROFILER environment variable / registry hijack | CRITICAL | persistence | Windows | native |
AUD-WIN-PRIV-004 | Privesc T1574.002: DNS ServerLevelPluginDll registry set | CRITICAL | persistence | Windows | native |
AUD-WIN-PRIV-005 | Privesc: WSUS configured over HTTP (not HTTPS) | CRITICAL | network | Windows | native |
AUD-WIN-PRIV-007 | Privesc: AMSI Provider CLSID off-baseline | CRITICAL | threat | Windows | native |
AUD-WIN-PRIV-012 | Privesc T1548.002: auto-elevate registry hijack (fodhelper / sdclt / eventvwr / computerdefaults) | CRITICAL | persistence | Windows | native |
AUD-WIN-THREAT-001 | Microsoft Defender engine pillar(s) disabled | CRITICAL | threat | Windows | native |
AUD-WIN-TR-002 | Trust hygiene: inbound trust without SID filtering (Quarantined) | CRITICAL | identity | Windows | native |
AUD-LIN-DATA-001 | Files or dirs in /var/log with lax permissions | HIGH | data | Linux | native |
AUD-LIN-DATA-007 | Root filesystem / not on LUKS-encrypted block device | HIGH | data | Linux | native |
AUD-LIN-DATA-014 | No recent backup success event in journal (<72h) | HIGH | data | Linux | native |
AUD-LIN-DATA-015 | Backup target may be on the same host (no off-host copy) | HIGH | data | Linux | native |
AUD-LIN-DATA-016 | Backup not encrypted at rest | HIGH | data | Linux | native |
AUD-LIN-DATA-018 | /var/backups/passwd*, shadow*, group*, gshadow* have lax permissions | HIGH | data | Linux | native |
AUD-LIN-DATA-019 | `.env` file in web-accessible directory is world-readable | HIGH | data | Linux | native |
AUD-LIN-DATA-020 | Database dump (*.sql, *.sql.gz, *.dump) world-readable | HIGH | data | Linux | native |
AUD-LIN-DATA-021 | Credential-like string in world-readable /etc/**/*.conf | HIGH | data | Linux | native |
AUD-LIN-DATA-022 | Process command-line contains credential string | HIGH | data | Linux | native |
AUD-LIN-DATA-024 | Private-key PEM body in /tmp, /var/www, /srv, /opt or other public path | HIGH | data | Linux | native |
AUD-LIN-DATA-025 | Secret / PII pattern in /tmp, /var/log, /var/tmp or /home | HIGH | data | Linux | native |
AUD-LIN-FORENSIC-001 | /etc/ld.so.preload present (classic rootkit vector) | HIGH | forensic | Linux | native |
AUD-LIN-FORENSIC-002 | Telemetry / firewall service masked (post-compromise silencing) | HIGH | forensic | Linux | native |
AUD-LIN-FORENSIC-003 | Loaded kernel module without backing file (LKM rootkit signature) | HIGH | forensic | Linux | native |
AUD-LIN-FORENSIC-004 | /etc/hosts overrides well-known production / update domains | HIGH | forensic | Linux | native |
AUD-LIN-FORENSIC-005 | Docker container running --privileged OR mounting / OR /var/run/docker.sock | HIGH | forensic | Linux | native |
AUD-LIN-FORENSIC-007 | Shell history cleared / truncated for an active user (tampering evidence) | HIGH | forensic | Linux | native |
AUD-LIN-FORENSIC-008 | systemd unit ExecStart targets a writable-scratch directory | HIGH | forensic | Linux | native |
AUD-LIN-FS-004 | /etc/fstab has lax permissions or dangerous mount options | HIGH | filesystem | Linux | native |
AUD-LIN-FS-005 | /tmp or /var/tmp missing sticky bit | HIGH | filesystem | Linux | native |
AUD-LIN-FS-006 | Unpackaged SUID / SGID binary detected (possible backdoor) | HIGH | filesystem | Linux | native |
AUD-LIN-FS-007 | World-writable file or directory without sticky bit | HIGH | filesystem | Linux | native |
AUD-LIN-FS-009 | Binary with dangerous Linux capability (cap_sys_admin / cap_setuid / ...) | HIGH | filesystem | Linux | native |
AUD-LIN-FS-010 | /etc/ld.so.conf* or /etc/ld.so.preload writable by non-root (dynlib hijack) | HIGH | filesystem | Linux | native |
AUD-LIN-FS-011 | Critical system file has wrong permissions or owner | HIGH | filesystem | Linux | native |
AUD-LIN-FS-013 | root PATH contains `.` or a writable-by-non-root directory | HIGH | filesystem | Linux | native |
AUD-LIN-FS-016 | System-wide shell init file is group- or world-writable, or not root-owned | HIGH | filesystem | Linux | native |
AUD-LIN-FS-020 | New kernel installed but not running (reboot required for security patches) | HIGH | filesystem | Linux | native |
AUD-LIN-FS-027 | Loaded kernel module from non-standard path (possible LKM rootkit) | HIGH | filesystem | Linux | native |
AUD-LIN-FS-038 | systemd unit file writable by non-root (persistence vector) | HIGH | filesystem | Linux | native |
AUD-LIN-FS-040 | /etc/udev/rules.d/* file writable by non-root | HIGH | filesystem | Linux | native |
AUD-LIN-FS-042 | /etc/cron.* directory or file has insecure permissions | HIGH | filesystem | Linux | native |
AUD-LIN-FS-043 | Symlink in /tmp points to sensitive root-owned path (TOCTOU bait) | HIGH | filesystem | Linux | native |
AUD-LIN-IDENT-003 | Sudoers allow NOPASSWD escalation | HIGH | identity | Linux | native |
AUD-LIN-IDENT-004 | Users in root-equivalent groups (docker/lxd/kvm/disk/shadow) | HIGH | identity | Linux | native |
AUD-LIN-IDENT-005 | SSH daemon accepts weak authentication (sshd -T view) | HIGH | identity | Linux | native |
AUD-LIN-IDENT-006 | Duplicate UIDs in /etc/passwd | HIGH | identity | Linux | native |
AUD-LIN-IDENT-008 | System accounts with interactive login shell | HIGH | identity | Linux | native |
AUD-LIN-IDENT-011 | Identity files deviate from CIS permissions baseline | HIGH | identity | Linux | native |
AUD-LIN-IDENT-014 | No account-lockout on failed authentication (pam_faillock) | HIGH | identity | Linux | native |
AUD-LIN-IDENT-015 | /etc/securetty weaknesses (pts/vc/extra tty) | HIGH | identity | Linux | native |
AUD-LIN-IDENT-016 | Sudoers rule uses unsafe wildcard in command spec | HIGH | identity | Linux | native |
AUD-LIN-IDENT-017 | Sudoers exposes LD_* env vars (privilege escalation vector) | HIGH | identity | Linux | native |
AUD-LIN-IDENT-018 | Sudoers permits a binary with a known shell-breakout (GTFObin) | HIGH | identity | Linux | native |
AUD-LIN-IDENT-020 | SSH host keys use weak algorithm or size | HIGH | identity | Linux | native |
AUD-LIN-IDENT-021 | Weak algorithms in user authorized_keys | HIGH | identity | Linux | native |
AUD-LIN-IDENT-022 | Root authorized_keys without `from=`/`command=`/`restrict` | HIGH | identity | Linux | native |
AUD-LIN-IDENT-024 | AuthorizedKeysCommand binary or its directory is writable by non-root | HIGH | identity | Linux | native |
AUD-LIN-IDENT-027 | AWS long-lived access keys present in ~/.aws | HIGH | identity | Linux | native |
AUD-LIN-IDENT-028 | GCP credentials at rest in ~/.config/gcloud | HIGH | identity | Linux | native |
AUD-LIN-IDENT-029 | Azure CLI plaintext tokens in ~/.azure | HIGH | identity | Linux | native |
AUD-LIN-IDENT-030 | Kubernetes kubeconfig holds embedded client cert / bearer token | HIGH | identity | Linux | native |
AUD-LIN-IDENT-031 | .netrc stores plaintext credentials | HIGH | identity | Linux | native |
AUD-LIN-IDENT-032 | Docker config.json stores registry passwords in base64 | HIGH | identity | Linux | native |
AUD-LIN-IDENT-034 | LDAP client/daemon binds over plaintext or with broken cert validation | HIGH | identity | Linux | native |
AUD-LIN-IDENT-035 | Kerberos keytab is world-readable (service principals leak) | HIGH | identity | Linux | native |
AUD-LIN-IDENT-036 | nsswitch.conf uses an unauthenticated source for identity data | HIGH | identity | Linux | native |
AUD-LIN-IDENT-039 | Core identity file modified within the past 7 days | HIGH | identity | Linux | native |
AUD-LIN-IDENT-040 | Root shell history carries attack-signature commands | HIGH | identity | Linux | native |
AUD-LIN-INTEG-001 | /etc/ld.so.preload present (rootkit indicator) | HIGH | integrity | Linux | native |
AUD-LIN-INTEG-002 | SUID/SGID binaries outside the package manager | HIGH | integrity | Linux | native |
AUD-LIN-INTEG-003 | ELF binaries in /tmp, /dev/shm, /var/tmp without a package | HIGH | malware | Linux | native |
AUD-LIN-INTEG-004 | Installed packages differ from their manifest (integrity drift) | HIGH | integrity | Linux | native |
AUD-LIN-INTEG-005 | LD_PRELOAD set in a security-critical daemon process | HIGH | integrity | Linux | native |
AUD-LIN-INTEG-008 | ELF binary disguised with non-executable extension | HIGH | integrity | Linux | native |
AUD-LIN-LOG-003 | Kernel audit subsystem not accepting events or losing events | HIGH | logging | Linux | native |
AUD-LIN-LOG-010 | Audit rules missing kernel module load coverage | HIGH | logging | Linux | native |
AUD-LIN-LOG-017 | Audit rules missing firewall-change coverage | HIGH | logging | Linux | native |
AUD-LIN-LOG-020 | No syslog daemon active (rsyslog / syslog-ng) | HIGH | logging | Linux | native |
AUD-LIN-MALWARE-001 | Listener process running from a deleted binary | HIGH | malware | Linux | native |
AUD-LIN-MALWARE-002 | Hidden PID: directory exists in /proc but not in ps output | HIGH | malware | Linux | native |
AUD-LIN-MALWARE-003 | Shell or text-utility process owns a live network socket | HIGH | malware | Linux | native |
AUD-LIN-MALWARE-004 | Live network connection to a cryptominer pool or miner binary running | HIGH | malware | Linux | native |
AUD-LIN-NET-005 | Memcached reachable without authentication | HIGH | network | Linux | native |
AUD-LIN-NET-006 | IPv6 enabled without ip6tables rules | HIGH | network | Linux | native |
AUD-LIN-NET-007 | Listening socket visible to ss but not netstat (or vice versa) — possible rootkit | HIGH | network | Linux | native |
AUD-LIN-NET-009 | Host firewall absent or INPUT default policy is ACCEPT | HIGH | network | Linux | native |
AUD-LIN-NET-013 | /etc/hosts maps a high-value domain to a non-loopback IP (possible hijack) | HIGH | network | Linux | native |
AUD-LIN-NET-016 | Samba share exposes anonymous / SMB1 / unsigned access | HIGH | network | Linux | native |
AUD-LIN-NET-017 | NFS export has no_root_squash / public host / anon=root | HIGH | network | Linux | native |
AUD-LIN-NET-022 | TLS listener accepts deprecated SSL/TLS protocol versions | HIGH | crypto | Linux | native |
AUD-LIN-NET-023 | TLS listener accepts broken / deprecated cipher suites | HIGH | crypto | Linux | native |
AUD-LIN-NET-024 | TLS certificate uses weak key material or deprecated signature | HIGH | crypto | Linux | native |
AUD-LIN-NET-025 | TLS endpoint vulnerable to named legacy CVE (Heartbleed/POODLE/CRIME/Logjam/BEAST/FREAK/SWEET32/DROWN/Renegotiation) | HIGH | crypto | Linux | native |
AUD-LIN-NET-026 | TLS certificate expired / near expiry / untrusted chain | HIGH | crypto | Linux | native |
AUD-LIN-NET-028 | TLS cert hostname mismatch or SAN-missing | HIGH | crypto | Linux | native |
AUD-LIN-NET-032 | HTTPS page embeds HTTP-served resources (mixed content) | HIGH | crypto | Linux | native |
AUD-LIN-NET-033 | SSH host key uses weak algorithm or weak key size, or has lax permissions | HIGH | crypto | Linux | native |
AUD-LIN-NET-034 | sshd_config accepts weak ciphers / MACs / key-exchange algorithms | HIGH | crypto | Linux | native |
AUD-LIN-NET-037 | APT/RPM GPG keyring contains weak, expired, or DSA keys | HIGH | crypto | Linux | native |
AUD-LIN-NET-038 | Plaintext legacy service listening (telnet/FTP/POP3/IMAP/rsh) | HIGH | crypto | Linux | native |
AUD-LIN-NET-039 | Critical data service has TLS disabled and binds public address | HIGH | crypto | Linux | native |
AUD-LIN-PERSIST-001 | Cron job executes a path writable by non-root | HIGH | persistence | Linux | native |
AUD-LIN-PERSIST-002 | Systemd units execute from /tmp, /home or similar writable dir | HIGH | persistence | Linux | native |
AUD-LIN-PERSIST-003 | Shell init files contain fetch-and-execute patterns | HIGH | persistence | Linux | native |
AUD-LIN-PERSIST-004 | Cron/anacron entry contains attack-signature commands | HIGH | persistence | Linux | native |
AUD-LIN-PERSIST-007 | systemd unit ExecStart points at a writable-scratch path | HIGH | persistence | Linux | native |
AUD-LIN-PERSIST-009 | Unpackaged binary present in systemd generators search path | HIGH | persistence | Linux | native |
AUD-LIN-PERSIST-010 | Boot/init script anomaly (rc.local, init.d custom scripts) | HIGH | persistence | Linux | native |
AUD-LIN-PROBE-001 | sshd runtime algorithms include weak KEX / ciphers / MACs | HIGH | probes | Linux | native |
AUD-LIN-PROBE-002 | sshd version banner within a known-CVE vulnerability window | HIGH | probes | Linux | native |
AUD-LIN-PROBE-007 | DNS server allows zone transfer (AXFR) from arbitrary client | HIGH | probes | Linux | native |
AUD-LIN-PROBE-008 | DNS server is an open recursive resolver | HIGH | probes | Linux | native |
AUD-LIN-PROBE-011 | SMB share list accessible via null session (anonymous enumeration) | HIGH | probes | Linux | native |
AUD-LIN-PROBE-012 | SMB server does not REQUIRE client signing (MITM-vulnerable) | HIGH | probes | Linux | native |
AUD-LIN-PROBE-014 | SMB server permits NTLMv1 authentication | HIGH | probes | Linux | native |
AUD-LIN-PROBE-015 | FTP server accepts anonymous login | HIGH | probes | Linux | native |
AUD-LIN-PROBE-016 | FTP server does not require TLS (plain FTP on :21) | HIGH | probes | Linux | native |
AUD-LIN-PROBE-018 | rsync module readable anonymously (first-level file listing) | HIGH | probes | Linux | native |
AUD-LIN-PROBE-019 | NFS export is world-readable or has no_root_squash | HIGH | probes | Linux | native |
AUD-LIN-PROBE-021 | memcached accepts ASCII stats without authentication | HIGH | probes | Linux | native |
AUD-LIN-SVC-001 | PostgreSQL configuration deviates from hardening baseline | HIGH | services | Linux | native |
AUD-LIN-SVC-002 | Redis configuration deviates from hardening baseline | HIGH | services | Linux | native |
AUD-LIN-SVC-003 | MySQL / MariaDB configuration or accounts below hardening baseline | HIGH | services | Linux | native |
AUD-LIN-SVC-004 | MongoDB configuration deviates from hardening baseline | HIGH | services | Linux | native |
AUD-LIN-SVC-005 | Elasticsearch configuration deviates from hardening baseline | HIGH | services | Linux | native |
AUD-LIN-SVC-006 | Mail server (Postfix/Exim4) configuration deviates from hardening baseline | HIGH | services | Linux | native |
AUD-LIN-SVC-007 | Docker daemon or running container weakens host security | HIGH | services | Linux | native |
AUD-LIN-SVC-008 | Kubernetes control-plane or node weakens cluster security | HIGH | services | Linux | native |
AUD-LIN-THREAT-004 | Recent login / active peer is a blocklist.de SSH brute-forcer | HIGH | threat | Linux | native |
AUD-LIN-THREAT-006 | Active peer has high AbuseIPDB confidence score | HIGH | threat | Linux | native |
AUD-LIN-THREAT-009 | Active peer in low-reputation ASN (bulletproof / unrouted / high-abuse hoster) | HIGH | threat | Linux | native |
AUD-LIN-THREAT-012 | Outbound connection to canonical-attacker port (IRC/mining/backdoor) | HIGH | threat | Linux | native |
AUD-LIN-THREAT-013 | resolv.conf uses non-approved or low-reputation DNS servers | HIGH | threat | Linux | native |
AUD-LIN-THREAT-014 | Process with known-malicious name pattern | HIGH | threat | Linux | native |
AUD-LIN-THREAT-016 | Web root contains file with webshell signature | HIGH | threat | Linux | native |
AUD-LIN-WEB-002 | Git repository exposed via web server | HIGH | web | Linux | native |
AUD-LIN-WEB-006 | Backup file accessible via web server (SQL dump, .bak, ~, .swp, tarball) | HIGH | web | Linux | native |
AUD-LIN-WEB-007 | Information-disclosure endpoint reachable (server-status, phpinfo, /metrics, /.env) | HIGH | web | Linux | native |
AUD-WIN-ACL-005 | AD ACL: ReadGMSAPassword granted to non-Tier0 | HIGH | identity | Windows | native |
AUD-WIN-ADCS-009 | ADCS ESC9: certificate template has no_security_extension flag | HIGH | identity | Windows | native |
AUD-WIN-ADCS-010 | ADCS ESC10: weak certificate-account mapping on Domain Controllers | HIGH | identity | Windows | native |
AUD-WIN-CRYPTO-001 | NTLM authentication crypto strength below baseline | HIGH | crypto | Windows | native |
AUD-WIN-CRYPTO-003 | LDAP client signing not required (LDAPClientIntegrity != 2) | HIGH | crypto | Windows | native |
AUD-WIN-CRYPTO-004 | Credential Guard / HVCI / VBS not running | HIGH | crypto | Windows | native |
AUD-WIN-DC-001 | DC hardening: LDAPServerIntegrity not set to Required | HIGH | network | Windows | native |
AUD-WIN-DC-002 | DC hardening: LdapEnforceChannelBinding not Always (2) | HIGH | network | Windows | native |
AUD-WIN-DC-003 | DC hardening: anonymous SAM enumeration enabled | HIGH | identity | Windows | native |
AUD-WIN-DC-004 | DC hardening: server-side SMB signing not required | HIGH | network | Windows | native |
AUD-WIN-DC-005 | DC hardening: NTLMv1 / LM accepted | HIGH | crypto | Windows | native |
AUD-WIN-DC-006 | DC hardening: NullSessionPipes or NullSessionShares non-empty | HIGH | network | Windows | native |
AUD-WIN-DCH-002 | DC hardening: Point-and-Print not restricted to administrators | HIGH | network | Windows | native |
AUD-WIN-DCH-003 | DC hardening: Defender ExclusionPath beyond MS DC baseline | HIGH | threat | Windows | native |
AUD-WIN-DCH-004 | DC hardening: DsrmAdminLogonBehavior allows DSRM admin in normal mode | HIGH | identity | Windows | native |
AUD-WIN-DCH-006 | DC hardening: DC OS below Server 2019 | HIGH | integrity | Windows | native |
AUD-WIN-DCH-007 | DC hardening: latest hotfix older than 30 days | HIGH | integrity | Windows | native |
AUD-WIN-DCH-008 | DC hardening: audit policy critical subcategories not at Success+Failure | HIGH | logging | Windows | native |
AUD-WIN-FH-001 | Forest hygiene: Domain Functional Level below Server 2016 | HIGH | identity | Windows | native |
AUD-WIN-FH-002 | Forest hygiene: Forest Functional Level below Server 2016 | HIGH | identity | Windows | native |
AUD-WIN-FH-003 | Forest hygiene: AD Recycle Bin not enabled | HIGH | identity | Windows | native |
AUD-WIN-FH-005 | Forest hygiene: SYSVOL replication still on FRS (deprecated) | HIGH | identity | Windows | native |
AUD-WIN-FH-006 | Forest hygiene: Default Domain Password Policy below baseline | HIGH | identity | Windows | native |
AUD-WIN-FH-007 | Forest hygiene: dSHeuristics anonymous LDAP bit set | HIGH | identity | Windows | native |
AUD-WIN-IDENT-001 | Built-in Administrator account (RID 500) is enabled | HIGH | identity | Windows | native |
AUD-WIN-IDENT-002 | Built-in Guest account (RID 501) is enabled | HIGH | identity | Windows | native |
AUD-WIN-IDENT-003 | Local password policy deviates from CIS / DISA STIG baseline | HIGH | identity | Windows | native |
AUD-WIN-IDENT-004 | Account lockout policy is below CIS / DISA STIG baseline | HIGH | identity | Windows | native |
AUD-WIN-IDENT-005 | Blank passwords are usable for network logons (LimitBlankPasswordUse=0) | HIGH | identity | Windows | native |
AUD-WIN-IDENT-006 | Anonymous (null-session) restrictions deviate from CIS / DISA STIG | HIGH | identity | Windows | native |
AUD-WIN-IDENT-007 | Local Administrators group membership has hygiene issues | HIGH | identity | Windows | native |
AUD-WIN-IDENT-009 | LSASS / SAM credential storage protection below baseline | HIGH | identity | Windows | native |
AUD-WIN-IDENT-011 | UAC posture below CIS / DISA STIG baseline | HIGH | identity | Windows | native |
AUD-WIN-IDENT-012 | Sensitive User-Rights privileges granted to non-admin principals | HIGH | identity | Windows | native |
AUD-WIN-INTEG-001 | BitLocker not configured / below CIS hardening baseline | HIGH | integrity | Windows | native |
AUD-WIN-INTEG-002 | Boot integrity below baseline (Secure Boot / TPM / ELAM) | HIGH | integrity | Windows | native |
AUD-WIN-INTEG-005 | Patch posture: stale last-update OR pending reboot | HIGH | integrity | Windows | native |
AUD-WIN-KRB-001 | Kerberos: user account with SPN is Kerberoastable | HIGH | identity | Windows | native |
AUD-WIN-KRB-002 | Kerberos: account allows AS-REP roasting (DONT_REQUIRE_PREAUTH) | HIGH | identity | Windows | native |
AUD-WIN-KRB-004 | Kerberos: Resource-Based Constrained Delegation (RBCD) configured | HIGH | identity | Windows | native |
AUD-WIN-KRB-005 | Kerberos: krbtgt account password not rotated within 180 days | HIGH | identity | Windows | native |
AUD-WIN-KRB-006 | Kerberos: RC4 still allowed on Tier0 / privileged accounts | HIGH | crypto | Windows | native |
AUD-WIN-KRB-007 | Kerberos: krbtgt msDS-SupportedEncryptionTypes is not AES-only | HIGH | crypto | Windows | native |
AUD-WIN-KRB-008 | Kerberos: Domain Admins not protected from delegation abuse | HIGH | identity | Windows | native |
AUD-WIN-KRB-010 | Kerberos: ms-DS-MachineAccountQuota > 0 enables NoPac chain | HIGH | identity | Windows | native |
AUD-WIN-LOG-001 | PowerShell logging incomplete (Module / ScriptBlock / Transcription / PSv2) | HIGH | logging | Windows | native |
AUD-WIN-LOG-002 | Windows audit policy critical subcategories below baseline | HIGH | logging | Windows | native |
AUD-WIN-LOG-004 | Process Creation events missing command-line enrichment | HIGH | logging | Windows | native |
AUD-WIN-LOG-005 | Recent log-tampering events present (1102 / 4719 / 104) | HIGH | forensic | Windows | native |
AUD-WIN-NET-002 | SMB signing not required (client and/or server) | HIGH | network | Windows | native |
AUD-WIN-NET-003 | Name-resolution poisoning surface (LLMNR / NetBT) not disabled | HIGH | network | Windows | native |
AUD-WIN-NET-004 | Windows Defender Firewall posture below baseline | HIGH | network | Windows | native |
AUD-WIN-NET-006 | Hardened UNC Paths for SYSVOL / NETLOGON not configured (domain-joined) | HIGH | network | Windows | native |
AUD-WIN-PERS-002 | Service hardening: unquoted paths or non-admin-writable binaries | HIGH | persistence | Windows | native |
AUD-WIN-PERS-003 | DLL hijacking surface: SafeDllSearchMode and writable PATH directories | HIGH | persistence | Windows | native |
AUD-WIN-PERS-004 | Scheduled tasks: SYSTEM-as-RunAs with user-writable script, or Hidden flag | HIGH | persistence | Windows | native |
AUD-WIN-PERS-T-003 | Persistence: HKLM Explorer Run policy off-baseline entries | HIGH | persistence | Windows | native |
AUD-WIN-PERS-T-004 | Persistence: HKEY_USERS\.DEFAULT Run / RunOnce off-baseline | HIGH | persistence | Windows | native |
AUD-WIN-PERS-T-005 | Persistence: Active Setup StubPath off-baseline | HIGH | persistence | Windows | native |
AUD-WIN-PERS-T-006 | Persistence: All Users / Default Startup folder contains off-baseline file | HIGH | persistence | Windows | native |
AUD-WIN-PERS-T-007 | Persistence: Winlogon Userinit not baseline | HIGH | persistence | Windows | native |
AUD-WIN-PERS-T-009 | Persistence: Winlogon Taskman set | HIGH | persistence | Windows | native |
AUD-WIN-PERS-T-011 | Persistence: UserInitMprLogonScript set | HIGH | persistence | Windows | native |
AUD-WIN-PERS-T-014 | Persistence: Time Provider DLL off-baseline | HIGH | persistence | Windows | native |
AUD-WIN-PERS-X-008 | Persistence T1546.015: COM hijack — CLSID InProcServer32 off-baseline | HIGH | persistence | Windows | native |
AUD-WIN-PERS-X-010 | Persistence T1546.013: PowerShell profile.ps1 present | HIGH | persistence | Windows | native |
AUD-WIN-PERS-X-013 | Persistence T1068: known-vulnerable driver loaded (BYOVD) | HIGH | persistence | Windows | native |
AUD-WIN-PERS-X-016 | Persistence T1543.003: service ImagePath in user-writable directory | HIGH | persistence | Windows | native |
AUD-WIN-PERS-X-020 | Persistence T1543.003: service Failure Command set | HIGH | persistence | Windows | native |
AUD-WIN-PERS-X-022 | Persistence T1053.005: task Author / Principal mismatch | HIGH | persistence | Windows | native |
AUD-WIN-PERS-X-023 | Persistence T1053.005: task with rare exotic trigger (COM/Boot/SessionStateChange) | HIGH | persistence | Windows | native |
AUD-WIN-PERS-X-024 | Persistence T1053.002: legacy at.exe / .job in C:\Windows\Tasks | HIGH | persistence | Windows | native |
AUD-WIN-PG-001 | Privileged groups: Domain Admins inflation | HIGH | identity | Windows | native |
AUD-WIN-PG-002 | Privileged groups: Enterprise Admins non-empty | HIGH | identity | Windows | native |
AUD-WIN-PG-003 | Privileged groups: Schema Admins non-empty | HIGH | identity | Windows | native |
AUD-WIN-PG-004 | Privileged groups: DnsAdmins has non-Tier0 members | HIGH | identity | Windows | native |
AUD-WIN-PG-007 | LAPS: coverage gap on managed computers | HIGH | identity | Windows | native |
AUD-WIN-PG-008 | LAPS: password attribute readable by non-Tier0 | HIGH | identity | Windows | native |
AUD-WIN-PRIV-006 | Privesc: PowerShell v2 Optional Feature still installed | HIGH | logging | Windows | native |
AUD-WIN-PRIV-008 | Privesc T1562.001: Defender exclusion list excessive (>20 paths) | HIGH | threat | Windows | native |
AUD-WIN-PRIV-009 | Privesc T1003.001: LSASS RunAsPPL not enabled | HIGH | identity | Windows | native |
AUD-WIN-PRIV-010 | Privesc: LocalAccountTokenFilterPolicy = 1 (remote admin token) | HIGH | identity | Windows | native |
AUD-WIN-PRIV-011 | Privesc: UAC ConsentPromptBehaviorAdmin lowered below baseline | HIGH | identity | Windows | native |
AUD-WIN-PRIV-013 | Privesc T1098: built-in Administrator (RID 500) renamed or duplicated | HIGH | identity | Windows | native |
AUD-WIN-PRIV-014 | Privesc T1003: DisableRestrictedAdmin = 0 (RestrictedAdmin allowed) | HIGH | identity | Windows | native |
AUD-WIN-PRIV-015 | Privesc T1574.001: SafeDllSearchMode disabled or CWDIllegalInDllSearch missing | HIGH | persistence | Windows | native |
AUD-WIN-THREAT-002 | Defender cloud protection / sample submission / signatures stale | HIGH | threat | Windows | native |
AUD-WIN-THREAT-003 | Microsoft Defender Tamper Protection is OFF | HIGH | threat | Windows | native |
AUD-WIN-THREAT-004 | Microsoft Defender exclusions include overly-broad / abusable entries | HIGH | threat | Windows | native |
AUD-WIN-THREAT-005 | Microsoft Defender ASR rules not in Block mode | HIGH | threat | Windows | native |
AUD-WIN-THREAT-006 | Defender Network Protection / Controlled Folder Access / PUA below baseline | HIGH | threat | Windows | native |
AUD-WIN-THREAT-007 | System-wide Exploit Protection (DEP/SEHOP/ASLR/CFG) below baseline | HIGH | threat | Windows | native |
AUD-WIN-TR-001 | Trust hygiene: sIDHistory present on user accounts | HIGH | identity | Windows | native |
AUD-WIN-TR-003 | Trust hygiene: forest trust without selective authentication | HIGH | identity | Windows | native |
AUD-WIN-TR-004 | Trust hygiene: trust enctype includes RC4 or excludes AES | HIGH | crypto | Windows | native |
AUD-WIN-TR-005 | Trust hygiene: outbound forest trust without TGT-delegation block | HIGH | identity | Windows | native |
AUD-LIN-DATA-004 | Session telemetry files (wtmp/btmp/lastlog) missing or with wrong perms | MEDIUM | data | Linux | native |
AUD-LIN-DATA-005 | pam_lastlog not enabled in /etc/pam.d/sshd or /etc/pam.d/login | MEDIUM | data | Linux | native |
AUD-LIN-DATA-006 | No account-lockout module (pam_faillock / pam_tally2) in auth stack | MEDIUM | data | Linux | native |
AUD-LIN-DATA-008 | Data mount (/home, /var, /opt, /srv, /mnt/data) not on LUKS | MEDIUM | data | Linux | native |
AUD-LIN-DATA-009 | LUKS cipher or KDF below modern baseline | MEDIUM | data | Linux | native |
AUD-LIN-DATA-012 | No backup tool installed (borg/restic/duplicity/bacula/rclone) | MEDIUM | data | Linux | native |
AUD-LIN-DATA-013 | Backup tool installed but not scheduled | MEDIUM | data | Linux | native |
AUD-LIN-DATA-017 | Backup integrity check not run in last 90 days | MEDIUM | data | Linux | native |
AUD-LIN-DATA-023 | SSH private key in user's ~/.ssh without passphrase | MEDIUM | data | Linux | native |
AUD-LIN-FORENSIC-006 | SSH authorized_keys file modified within the past 7 days | MEDIUM | forensic | Linux | native |
AUD-LIN-FS-001 | Sensitive mount point missing nodev / nosuid / noexec | MEDIUM | filesystem | Linux | native |
AUD-LIN-FS-008 | Files or directories with unowned (no user/group) UID/GID | MEDIUM | filesystem | Linux | native |
AUD-LIN-FS-015 | /etc/login.defs policy too permissive (password aging, encrypt method, login retries) | MEDIUM | filesystem | Linux | native |
AUD-LIN-FS-017 | Kernel/fs sysctl deviates from CIS hardening baseline | MEDIUM | filesystem | Linux | native |
AUD-LIN-FS-018 | GRUB bootloader without password protection | MEDIUM | filesystem | Linux | native |
AUD-LIN-FS-028 | Core dumps not fully disabled (limits.conf + suid_dumpable) | MEDIUM | filesystem | Linux | native |
AUD-LIN-FS-030 | /var/crash directory is group/world-writable or not root-owned | MEDIUM | filesystem | Linux | native |
AUD-LIN-FS-035 | No File Integrity Monitoring (AIDE / tripwire / samhain) installed | MEDIUM | filesystem | Linux | native |
AUD-LIN-FS-036 | SELinux / AppArmor not enforcing (permissive or disabled) | MEDIUM | filesystem | Linux | native |
AUD-LIN-IDENT-009 | Password aging policy violations per-account | MEDIUM | identity | Linux | native |
AUD-LIN-IDENT-010 | /etc/login.defs defaults off the CIS baseline | MEDIUM | identity | Linux | native |
AUD-LIN-IDENT-012 | Default umask permits group/world write | MEDIUM | identity | Linux | native |
AUD-LIN-IDENT-013 | pam_pwquality not enforcing the CIS baseline | MEDIUM | identity | Linux | native |
AUD-LIN-IDENT-019 | Sudo credential cache lifetime violates CIS baseline | MEDIUM | identity | Linux | native |
AUD-LIN-IDENT-025 | SSH GSSAPI/Kerberos enabled without proper hardening | MEDIUM | identity | Linux | native |
AUD-LIN-IDENT-026 | Account has SSH authorized_keys but hasn't logged in in 90+ days | MEDIUM | identity | Linux | native |
AUD-LIN-IDENT-033 | Git credential helper = store (plaintext on disk) | MEDIUM | identity | Linux | native |
AUD-LIN-IDENT-037 | Account has interactive shell but has never been logged in (> 30 days old) | MEDIUM | identity | Linux | native |
AUD-LIN-IDENT-038 | SSH authentication failure spike from a single source IP (last 24h) | MEDIUM | identity | Linux | native |
AUD-LIN-INTEG-006 | Regular file with deliberately anomalous timestamp (epoch / Y2K / future) | MEDIUM | integrity | Linux | native |
AUD-LIN-INTEG-007 | Filename uses Unicode bidi control or homoglyph (name-spoof technique) | MEDIUM | integrity | Linux | native |
AUD-LIN-LOG-001 | auditd not present, not running, or has no rules loaded | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-002 | Syslog has no remote forwarding configured | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-004 | auditd.conf not hardened to CIS recommendations | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-005 | Audit rules not set to immutable (-e 2) | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-007 | Audit rules missing identity-file watches (passwd/shadow/group/sudoers) | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-008 | Audit rules missing privilege-escalation coverage (setuid/setgid + security dir) | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-009 | Audit rules missing execve syscall coverage | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-011 | Audit rules missing file-delete coverage (unlink/rename) | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-013 | Audit rules missing time-change coverage | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-014 | Audit rules missing network-config coverage | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-015 | Audit rules missing MAC-policy coverage (SELinux / AppArmor) | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-016 | Audit rules missing session-event coverage (utmp/wtmp/btmp/lastlog) | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-018 | Audit rules missing sysctl-change coverage | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-019 | Audit rules missing cron-change coverage | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-022 | rsyslog remote forwarding not using TLS | MEDIUM | logging | Linux | native |
AUD-LIN-LOG-023 | systemd-journal not persistent (volatile storage) | MEDIUM | logging | Linux | native |
AUD-LIN-MALWARE-005 | Running process executes from a deleted binary | MEDIUM | malware | Linux | native |
AUD-LIN-NET-008 | Public-address network listener inventory | MEDIUM | network | Linux | native |
AUD-LIN-NET-011 | Kernel sysctl deviates from network / hardening baseline | MEDIUM | network | Linux | native |
AUD-LIN-NET-012 | /etc/resolv.conf points at an unrecognised public DNS server | MEDIUM | network | Linux | native |
AUD-LIN-NET-015 | VPN client stack configured or active | MEDIUM | network | Linux | native |
AUD-LIN-NET-018 | IP forwarding enabled on non-router host | MEDIUM | network | Linux | native |
AUD-LIN-NET-019 | IPv6 enabled without matching firewall coverage | MEDIUM | network | Linux | native |
AUD-LIN-NET-020 | Docker bypasses host firewall (ufw / firewalld) | MEDIUM | network | Linux | native |
AUD-LIN-NET-021 | fail2ban absent / inactive / without SSH jail on Internet-exposed host | MEDIUM | network | Linux | native |
AUD-LIN-NET-027 | TLS certificate exceeds 398-day validity, wildcards, or missing must-staple | MEDIUM | crypto | Linux | native |
AUD-LIN-NET-030 | HTTPS endpoint missing or weak Strict-Transport-Security header | MEDIUM | crypto | Linux | native |
AUD-LIN-NET-035 | sshd advertises RSA-SHA1 signature algorithm (ssh-rsa) | MEDIUM | crypto | Linux | native |
AUD-LIN-NET-036 | Local CA certificate added to system trust store | MEDIUM | crypto | Linux | native |
AUD-LIN-PERSIST-005 | at(1) scheduler queue holds pending jobs | MEDIUM | persistence | Linux | native |
AUD-LIN-PERSIST-006 | Cron/anacron file modified within the past 7 days | MEDIUM | persistence | Linux | native |
AUD-LIN-PERSIST-008 | Per-user systemd unit file present in a home directory | MEDIUM | persistence | Linux | native |
AUD-LIN-PERSIST-011 | Shell init file modified within the past 7 days | MEDIUM | persistence | Linux | native |
AUD-LIN-PROBE-005 | SMTP :25 accepts mail transactions without STARTTLS | MEDIUM | probes | Linux | native |
AUD-LIN-PROBE-006 | SMTP offers AUTH PLAIN / LOGIN before STARTTLS (cleartext credential risk) | MEDIUM | probes | Linux | native |
AUD-LIN-PROBE-009 | DNS server responds to ANY query with large amplified response | MEDIUM | probes | Linux | native |
AUD-LIN-PROBE-010 | DNS resolver does not validate DNSSEC responses | MEDIUM | probes | Linux | native |
AUD-LIN-PROBE-017 | rsync daemon on :873 lists modules anonymously | MEDIUM | probes | Linux | native |
AUD-LIN-SYSD-001 | Admin-installed root service missing systemd sandboxing | MEDIUM | services | Linux | native |
AUD-LIN-THREAT-003 | Active peer in FireHOL Level 1 aggregated blocklist | MEDIUM | threat | Linux | native |
AUD-LIN-THREAT-007 | Active peer classified malicious by GreyNoise Community | MEDIUM | threat | Linux | native |
AUD-LIN-THREAT-011 | DNS queries match DGA / beacon patterns in recent journal | MEDIUM | threat | Linux | native |
AUD-LIN-THREAT-015 | Suspicious / unexpected eBPF program loaded | MEDIUM | threat | Linux | native |
AUD-LIN-THREAT-017 | System binary in /usr/bin /usr/sbin modified recently without package provenance | MEDIUM | threat | Linux | native |
AUD-LIN-WEB-001 | Web server returns an auto-generated directory listing | MEDIUM | web | Linux | native |
AUD-LIN-WEB-004 | Web server missing core security headers | MEDIUM | web | Linux | native |
AUD-LIN-WEB-008 | Admin panel reachable (phpMyAdmin, wp-admin, Grafana, Jenkins, /console) | MEDIUM | web | Linux | native |
AUD-LIN-WEB-009 | Cookie flags or CORS policy weak on a reachable endpoint | MEDIUM | web | Linux | native |
AUD-LIN-WEB-010 | Error page leaks server version, path, or framework internals | MEDIUM | web | Linux | native |
AUD-WIN-CRYPTO-002 | NTLM outbound restriction / inbound audit not configured | MEDIUM | crypto | Windows | native |
AUD-WIN-DC-007 | DC hardening: LDAP simple-bind audit not enabled | MEDIUM | logging | Windows | native |
AUD-WIN-DCH-009 | DC hardening: NTLM inbound not restricted or audited | MEDIUM | network | Windows | native |
AUD-WIN-FH-004 | Forest hygiene: tombstone lifetime below 180 days | MEDIUM | identity | Windows | native |
AUD-WIN-IDENT-008 | Local Administrator-group member appears dormant or stale | MEDIUM | identity | Windows | native |
AUD-WIN-IDENT-010 | Cached domain credential surface above CIS L2 baseline | MEDIUM | identity | Windows | native |
AUD-WIN-INTEG-003 | Kernel DMA Protection enumeration policy not set to Block all | MEDIUM | integrity | Windows | native |
AUD-WIN-INTEG-004 | Application Control (WDAC / Smart App Control) not enforced | MEDIUM | integrity | Windows | native |
AUD-WIN-INTEG-006 | AutoPlay / AutoRun not disabled (USB privesc surface) | MEDIUM | integrity | Windows | native |
AUD-WIN-LOG-003 | Event Log channels below minimum size / unsafe retention mode | MEDIUM | logging | Windows | native |
AUD-WIN-LOG-006 | Sysmon not installed / not configured | MEDIUM | logging | Windows | native |
AUD-WIN-NET-005 | WPAD service not disabled (proxy-poisoning surface) | MEDIUM | network | Windows | native |
AUD-WIN-PERS-T-001 | Persistence: HKLM Run / Wow6432Node Run off-baseline entries | MEDIUM | persistence | Windows | native |
AUD-WIN-PERS-T-002 | Persistence: HKLM RunOnce / RunOnceEx off-baseline entries | MEDIUM | persistence | Windows | native |
AUD-WIN-PERS-X-019 | Persistence T1543.003: service registry key created within 30 days | MEDIUM | persistence | Windows | native |
AUD-WIN-PG-005 | Privileged groups: Operators groups populated | MEDIUM | identity | Windows | native |
AUD-LIN-DATA-002 | Critical logs missing append-only (chattr +a) attribute | LOW | data | Linux | native |
AUD-LIN-DATA-003 | Log rotation gaps — most recent rotated log is old | LOW | data | Linux | native |
AUD-LIN-DATA-010 | LUKS keyslots inventory (advisory) | LOW | data | Linux | native |
AUD-LIN-DATA-011 | Hibernation enabled AND swap unencrypted — memory-to-disk leak | LOW | data | Linux | native |
AUD-LIN-FS-002 | CIS-required mountpoint not on a separate partition | LOW | filesystem | Linux | native |
AUD-LIN-FS-003 | /proc not mounted with hidepid=2 (unprivileged users enumerate all processes) | LOW | filesystem | Linux | native |
AUD-LIN-FS-012 | Critical identity files lack immutable attribute (chattr +i) | LOW | filesystem | Linux | native |
AUD-LIN-FS-014 | Default umask for new users is too permissive (>022) | LOW | filesystem | Linux | native |
AUD-LIN-FS-019 | Kernel cmdline missing CPU mitigations / hardening flags | LOW | filesystem | Linux | native |
AUD-LIN-FS-021 | UEFI Secure Boot disabled | LOW | filesystem | Linux | native |
AUD-LIN-FS-022 | Kernel lockdown LSM not active (state=none) | LOW | filesystem | Linux | native |
AUD-LIN-FS-023 | Legacy filesystem kernel modules not blacklisted (cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf) | LOW | filesystem | Linux | native |
AUD-LIN-FS-024 | Rare net-protocol kernel modules not blacklisted (dccp, rds, sctp, tipc) | LOW | filesystem | Linux | native |
AUD-LIN-FS-025 | USB-storage / firewire / thunderbolt kernel modules enabled | LOW | filesystem | Linux | native |
AUD-LIN-FS-026 | Kernel accepts unsigned modules (module signing not enforced) | LOW | filesystem | Linux | native |
AUD-LIN-FS-029 | systemd-coredump configured to store cores on disk | LOW | filesystem | Linux | native |
AUD-LIN-FS-031 | kdump target directory insecure or kdump mis-configured | LOW | filesystem | Linux | native |
AUD-LIN-FS-032 | NTP configured without authentication (NTS) | LOW | filesystem | Linux | native |
AUD-LIN-FS-033 | NTP configured with fewer than 3 servers (no fault tolerance) | LOW | filesystem | Linux | native |
AUD-LIN-FS-034 | systemd-timesyncd relies only on FallbackNTP (no explicit NTP= primary servers) | LOW | filesystem | Linux | native |
AUD-LIN-FS-037 | /boot directory has lax permissions | LOW | filesystem | Linux | native |
AUD-LIN-FS-039 | Swap on unencrypted block device (memory leak on disk) | LOW | filesystem | Linux | native |
AUD-LIN-FS-041 | /etc/security/limits.conf missing nproc / nofile caps (DoS surface) | LOW | filesystem | Linux | native |
AUD-LIN-FS-044 | initramfs image has lax permissions | LOW | filesystem | Linux | native |
AUD-LIN-FS-045 | Recent modifications to /etc (post-compromise detection) | LOW | filesystem | Linux | native |
AUD-LIN-FS-046 | /proc missing nosuid / nodev mount options | LOW | filesystem | Linux | native |
AUD-LIN-FS-047 | Additional hardening sysctl knobs beyond network + kernel/fs | LOW | filesystem | Linux | native |
AUD-LIN-LOG-006 | Audit rules not loaded or critically sparse (<20) | LOW | logging | Linux | native |
AUD-LIN-LOG-012 | Audit rules missing mount/umount coverage | LOW | logging | Linux | native |
AUD-LIN-LOG-021 | rsyslog config has syntax errors (rsyslogd -N1 non-zero) | LOW | logging | Linux | native |
AUD-LIN-LOG-024 | journald retention policy not explicitly set | LOW | logging | Linux | native |
AUD-LIN-LOG-025 | systemd-journal Forward Secure Sealing (FSS) not enabled | LOW | logging | Linux | native |
AUD-LIN-LOG-026 | logrotate timer inactive or config has errors | LOW | logging | Linux | native |
AUD-LIN-LOG-027 | auditd events not forwarded to SIEM (audispd-plugins / laurel inactive) | LOW | logging | Linux | native |
AUD-LIN-LOG-028 | systemd-journal-upload not configured or inactive | LOW | logging | Linux | native |
AUD-LIN-NET-010 | No rate-limit rules detected on Internet-reachable host | LOW | network | Linux | native |
AUD-LIN-NET-014 | Wireless or Bluetooth stack active on server host | LOW | network | Linux | native |
AUD-LIN-NET-029 | Domain serving TLS has no DNS CAA record | LOW | crypto | Linux | native |
AUD-LIN-NET-031 | TLS endpoint does not staple OCSP responses | LOW | crypto | Linux | native |
AUD-LIN-PROBE-003 | SSH banner leaks distro / OpenSSH version (pre-auth info disclosure) | LOW | probes | Linux | native |
AUD-LIN-THREAT-005 | Active peer or recent login is a TOR exit node | LOW | threat | Linux | native |
AUD-LIN-THREAT-008 | Embedded threat feeds are stale | LOW | threat | Linux | native |
AUD-LIN-THREAT-010 | Active peer in country outside operator's business geography | LOW | threat | Linux | native |
CFG-DOCKER-001 | Docker daemon listens on TCP without TLS | CRITICAL | hardening | Linux | config |
CFG-MYSQL-001 | MySQL binds to 0.0.0.0 (publicly reachable) | CRITICAL | hardening | Linux | config |
CFG-PG-001 | PostgreSQL listens on all interfaces | CRITICAL | hardening | Linux | config |
CFG-REDIS-001 | Redis listens on 0.0.0.0 without password | CRITICAL | hardening | Linux | config |
CFG-SSH-002 | SSH allows password authentication | CRITICAL | hardening | Linux | config |
CHAIN-DB-EXPOSED-WEAK-AUTH | Database exposed publicly with weak auth mechanism | CRITICAL | chain | Linux | chain |
CHAIN-DOCKER-SOCKET | Docker socket mount + privileged container = host root | CRITICAL | chain | Linux | chain |
CHAIN-KEV-EXPOSED | Internet-exposed service with KEV vulnerability | CRITICAL | chain | Linux | chain |
CHAIN-ROOT-PASS-SSH | Direct root SSH + no lockout → trivial compromise | CRITICAL | chain | Linux | chain |
CHAIN-SSH-KEY-LEAK | SSH private key found + key reused across hosts | CRITICAL | chain | Linux | chain |
CFG-APACHE-001 | Apache allows legacy TLS protocols | HIGH | hardening | Linux | config |
CFG-APACHE-002 | Apache allows weak SSL ciphers | HIGH | hardening | Linux | config |
CFG-APACHE-007 | Apache FollowSymLinks without SymLinksIfOwnerMatch | HIGH | hardening | Linux | config |
CFG-APACHE-012 | Apache HTTP methods include PUT/DELETE without WebDAV configuration | HIGH | hardening | Linux | config |
CFG-CADDY-001 | Caddy admin API exposed beyond localhost | HIGH | hardening | Linux | config |
CFG-CRON-002 | Cron job downloads and executes remote script | HIGH | hardening | Linux | config |
CFG-CRONTAB-001 | System crontab runs scripts from /tmp or /var/tmp | HIGH | hardening | Linux | config |
CFG-DOCKER-002 | Docker userns-remap not enabled | HIGH | hardening | Linux | config |
CFG-DOCKER-007 | Docker compose runs privileged containers | HIGH | hardening | Linux | config |
CFG-DOCKER-008 | Docker compose mounts host docker.sock | HIGH | hardening | Linux | config |
CFG-ENV-001 | Environment file contains secrets | HIGH | hardening | Linux | config |
CFG-K8S-001 | Kubernetes Pod without securityContext | HIGH | hardening | Linux | config |
CFG-K8S-002 | Kubernetes Pod with privileged: true | HIGH | hardening | Linux | config |
CFG-K8S-003 | Kubernetes Pod with hostNetwork: true | HIGH | hardening | Linux | config |
CFG-K8S-004 | Kubernetes Pod with hostPID: true | HIGH | hardening | Linux | config |
CFG-K8S-005 | Kubernetes Pod mounts host filesystem | HIGH | hardening | Linux | config |
CFG-MYSQL-002 | MySQL local_infile enabled | HIGH | hardening | Linux | config |
CFG-MYSQL-003 | MySQL skip-grant-tables mode | HIGH | hardening | Linux | config |
CFG-NGINX-001 | Nginx uses legacy TLS protocols (TLSv1.0/1.1) | HIGH | hardening | Linux | config |
CFG-NGINX-002 | Nginx allows weak SSL ciphers | HIGH | hardening | Linux | config |
CFG-NGINX-009 | Nginx SSL session ticket keys may leak PFS | HIGH | hardening | Linux | config |
CFG-PAM-001 | PAM password quality enforcement missing | HIGH | hardening | Linux | config |
CFG-PG-002 | pg_hba allows trust authentication | HIGH | hardening | Linux | config |
CFG-PG-003 | pg_hba uses MD5 password auth | HIGH | hardening | Linux | config |
CFG-PG-004 | pg_hba allows 0.0.0.0/0 (world-accessible) | HIGH | hardening | Linux | config |
CFG-REDIS-002 | Redis protected-mode disabled | HIGH | hardening | Linux | config |
CFG-REDIS-003 | Redis without requirepass | HIGH | hardening | Linux | config |
CFG-SSH-001 | SSH permits root login with password | HIGH | hardening | Linux | config |
CFG-SSH-003 | SSH allows empty passwords | HIGH | hardening | Linux | config |
CFG-SUDOERS-001 | sudoers allows NOPASSWD for ALL commands | HIGH | hardening | Linux | config |
CFG-SUDOERS-002 | sudoers.d contains NOPASSWD wildcards | HIGH | hardening | Linux | config |
CFG-UFW-002 | UFW disabled | HIGH | hardening | Linux | config |
CHAIN-LEGACY-AUTH | Password auth + no rate limit + no 2FA | HIGH | chain | Linux | chain |
CHAIN-SSH-BRUTE | SSH brute-force → account takeover | HIGH | chain | Linux | chain |
CHAIN-SUDO-NOPASSWD-WEB | Web user has NOPASSWD sudo — RCE becomes root | HIGH | chain | Linux | chain |
CHAIN-TLS-WEAK-HSTS-NONE | Weak TLS + no HSTS = MITM downgrade viable | HIGH | chain | Linux | chain |
CHAIN-WEAK-POLICY-PII | Weak password policy on system that stores PII | HIGH | chain | Linux | chain |
CHAIN-WRITABLE-CRON | World-writable cron-invoked script = persistence | HIGH | chain | Linux | chain |
CFG-APACHE-003 | Apache ServerTokens leaks version | IMPORTANT | hardening | Linux | config |
CFG-APACHE-004 | Apache ServerSignature on | IMPORTANT | hardening | Linux | config |
CFG-APACHE-005 | Apache directory listing enabled (Options Indexes) | IMPORTANT | hardening | Linux | config |
CFG-APACHE-006 | Apache TRACE method enabled | IMPORTANT | hardening | Linux | config |
CFG-APACHE-011 | Apache runs as root (User root) | IMPORTANT | hardening | Linux | config |
CFG-CADDY-002 | Caddy missing HSTS header | IMPORTANT | hardening | Linux | config |
CFG-CADDY-007 | Caddy missing CSP header | IMPORTANT | hardening | Linux | config |
CFG-CRON-005 | /etc/cron.allow missing — any user can install cron jobs | IMPORTANT | hardening | Linux | config |
CFG-DOCKER-003 | Docker live-restore disabled | IMPORTANT | hardening | Linux | config |
CFG-DOCKER-004 | Docker icc=true (default) — inter-container communication | IMPORTANT | hardening | Linux | config |
CFG-DOCKER-006 | Docker log-driver leaves containers unlogged | IMPORTANT | hardening | Linux | config |
CFG-DOCKER-009 | Docker compose uses host network | IMPORTANT | hardening | Linux | config |
CFG-DOCKER-010 | Docker compose uses pid=host | IMPORTANT | hardening | Linux | config |
CFG-IPT-001 | iptables config has ACCEPT policy on INPUT | IMPORTANT | hardening | Linux | config |
CFG-K8S-006 | Kubernetes Pod runs as root | IMPORTANT | hardening | Linux | config |
CFG-K8S-007 | Kubernetes Pod without resource limits | IMPORTANT | hardening | Linux | config |
CFG-K8S-009 | Kubernetes ServiceAccount auto-mounted | IMPORTANT | hardening | Linux | config |
CFG-K8S-010 | Kubernetes Pod uses :latest image tag | IMPORTANT | hardening | Linux | config |
CFG-LOGIN-001 | Password max age too long or unset | IMPORTANT | hardening | Linux | config |
CFG-LOGIN-003 | Weak password hashing algorithm | IMPORTANT | hardening | Linux | config |
CFG-MYSQL-004 | MySQL skip-networking off + no bind restriction | IMPORTANT | hardening | Linux | config |
CFG-MYSQL-005 | MySQL ssl not explicitly enabled | IMPORTANT | hardening | Linux | config |
CFG-MYSQL-007 | MySQL validate_password plugin not configured | IMPORTANT | hardening | Linux | config |
CFG-MYSQL-009 | MySQL old_passwords hash algorithm | IMPORTANT | hardening | Linux | config |
CFG-NGINX-003 | Nginx server_tokens enabled (version leak) | IMPORTANT | hardening | Linux | config |
CFG-NGINX-004 | Nginx missing HSTS header | IMPORTANT | hardening | Linux | config |
CFG-NGINX-008 | Nginx autoindex enabled (directory listing) | IMPORTANT | hardening | Linux | config |
CFG-NGINX-011 | Nginx access_log disabled globally | IMPORTANT | hardening | Linux | config |
CFG-NGINX-014 | Nginx listens on 0.0.0.0 for status/stub endpoint | IMPORTANT | hardening | Linux | config |
CFG-NGINX-015 | Nginx ssl_prefer_server_ciphers not set | IMPORTANT | hardening | Linux | config |
CFG-NGINX-018 | Nginx location allows .git / .env / backup file access | IMPORTANT | hardening | Linux | config |
CFG-PAM-002 | PAM does not enforce strong password hashing | IMPORTANT | hardening | Linux | config |
CFG-PAM-003 | PAM allows empty passwords via nullok | IMPORTANT | hardening | Linux | config |
CFG-PAM-004 | PAM account lockout missing | IMPORTANT | hardening | Linux | config |
CFG-PAM-008 | PAM password policy not enforced for root | IMPORTANT | hardening | Linux | config |
CFG-PG-005 | Postgres SSL disabled | IMPORTANT | hardening | Linux | config |
CFG-PG-006 | Postgres password_encryption weaker than scram-sha-256 | IMPORTANT | hardening | Linux | config |
CFG-PG-008 | Postgres log_connections / log_disconnections off | IMPORTANT | hardening | Linux | config |
CFG-PG-009 | Postgres log_disconnections off | IMPORTANT | hardening | Linux | config |
CFG-PG-012 | Postgres ssl_min_protocol_version below TLSv1.2 | IMPORTANT | hardening | Linux | config |
CFG-PG-014 | Postgres port is default 5432 and listening publicly | IMPORTANT | hardening | Linux | config |
CFG-PG-015 | Postgres row_security disabled globally | IMPORTANT | hardening | Linux | config |
CFG-REDIS-004 | Redis dangerous commands not renamed | IMPORTANT | hardening | Linux | config |
CFG-REDIS-007 | Redis uses weak ACL or no ACL | IMPORTANT | hardening | Linux | config |
CFG-SSH-004 | SSH MaxAuthTries too permissive | IMPORTANT | hardening | Linux | config |
CFG-SSH-005 | SSH LoginGraceTime too long | IMPORTANT | hardening | Linux | config |
CFG-SSH-006 | SSH uses weak ciphers | IMPORTANT | hardening | Linux | config |
CFG-SSH-007 | SSH uses weak MACs | IMPORTANT | hardening | Linux | config |
CFG-SSH-008 | SSH X11 forwarding enabled | IMPORTANT | hardening | Linux | config |
CFG-SSH-010 | SSH protocol 1 enabled | IMPORTANT | hardening | Linux | config |
CFG-SSH-011 | SSH ClientAliveInterval not set | IMPORTANT | hardening | Linux | config |
CFG-SSH-013 | SSH uses weak KexAlgorithms | IMPORTANT | hardening | Linux | config |
CFG-SSH-014 | SSH MaxSessions too high | IMPORTANT | hardening | Linux | config |
CFG-SSH-016 | SSH HostbasedAuthentication enabled | IMPORTANT | hardening | Linux | config |
CFG-SSH-019 | SSH allows non-approved users | IMPORTANT | hardening | Linux | config |
CFG-SUDOERS-003 | sudoers allows !authenticate globally | IMPORTANT | hardening | Linux | config |
CFG-SYSCTL-001 | Kernel ASLR not fully enabled | IMPORTANT | hardening | Linux | config |
CFG-SYSCTL-002 | Kernel pointers leak via /proc | IMPORTANT | hardening | Linux | config |
CFG-SYSCTL-012 | dmesg readable by unprivileged users | IMPORTANT | hardening | Linux | config |
CFG-SYSCTL-013 | Unprivileged eBPF allowed | IMPORTANT | hardening | Linux | config |
CFG-SYSCTL-014 | kexec runtime replacement allowed | IMPORTANT | hardening | Linux | config |
CFG-UFW-001 | UFW default incoming policy is allow | IMPORTANT | hardening | Linux | config |
CFG-APACHE-008 | Apache missing HSTS header | MEDIUM | hardening | Linux | config |
CFG-APACHE-009 | Apache missing X-Frame-Options | MEDIUM | hardening | Linux | config |
CFG-APACHE-010 | Apache missing X-Content-Type-Options | MEDIUM | hardening | Linux | config |
CFG-CADDY-003 | Caddy missing X-Frame-Options / clickjacking defense | MEDIUM | hardening | Linux | config |
CFG-CADDY-004 | Caddy missing X-Content-Type-Options | MEDIUM | hardening | Linux | config |
CFG-CADDY-005 | Caddy TLS config allows legacy protocols | MEDIUM | hardening | Linux | config |
CFG-CADDY-006 | Caddy access log disabled | MEDIUM | hardening | Linux | config |
CFG-CRON-003 | Cron job uses shell with relative path | MEDIUM | hardening | Linux | config |
CFG-CRON-004 | Cron PATH includes current directory | MEDIUM | hardening | Linux | config |
CFG-DOCKER-005 | Docker disable-legacy-registry not set | MEDIUM | hardening | Linux | config |
CFG-DOCKER-011 | Docker default bridge not isolated | MEDIUM | hardening | Linux | config |
CFG-DOCKER-012 | Docker no-new-privileges not set on containers | MEDIUM | hardening | Linux | config |
CFG-HOSTS-001 | /etc/hosts has unexpected remote IPs | MEDIUM | hardening | Linux | config |
CFG-K8S-008 | Kubernetes Pod without readOnlyRootFilesystem | MEDIUM | hardening | Linux | config |
CFG-LOGIN-002 | Password min age not enforced | MEDIUM | hardening | Linux | config |
CFG-LOGIN-004 | SHA_CRYPT rounds below 65536 (only relevant when ENCRYPT_METHOD=SHA512) | MEDIUM | hardening | Linux | config |
CFG-LOGIN-005 | Default UMASK too permissive | MEDIUM | hardening | Linux | config |
CFG-MYSQL-006 | MySQL log_error points to a world-readable location | MEDIUM | hardening | Linux | config |
CFG-MYSQL-008 | MySQL general_log enabled (performance + privacy) | MEDIUM | hardening | Linux | config |
CFG-MYSQL-010 | MySQL secure_file_priv empty (arbitrary filesystem access) | MEDIUM | hardening | Linux | config |
CFG-NGINX-005 | Nginx missing X-Frame-Options | MEDIUM | hardening | Linux | config |
CFG-NGINX-006 | Nginx missing X-Content-Type-Options | MEDIUM | hardening | Linux | config |
CFG-NGINX-007 | Nginx missing Content-Security-Policy header | MEDIUM | hardening | Linux | config |
CFG-NGINX-010 | Nginx client_max_body_size very large or default | MEDIUM | hardening | Linux | config |
CFG-NGINX-012 | Nginx OCSP stapling not enabled | MEDIUM | hardening | Linux | config |
CFG-NGINX-013 | Nginx keepalive_timeout very long | MEDIUM | hardening | Linux | config |
CFG-NGINX-016 | Nginx missing Referrer-Policy | MEDIUM | hardening | Linux | config |
CFG-PAM-005 | PAM password reuse history not enforced | MEDIUM | hardening | Linux | config |
CFG-PAM-006 | PAM pwquality minclass not enforced | MEDIUM | hardening | Linux | config |
CFG-PAM-007 | PAM pwquality minlen too short | MEDIUM | hardening | Linux | config |
CFG-PAM-009 | PAM doesn't enforce difok | MEDIUM | hardening | Linux | config |
CFG-PG-007 | Postgres logging disabled or minimal | MEDIUM | hardening | Linux | config |
CFG-PG-010 | Postgres statement_timeout unlimited | MEDIUM | hardening | Linux | config |
CFG-PG-011 | Postgres log_line_prefix missing %h (host) or %u (user) | MEDIUM | hardening | Linux | config |
CFG-PG-013 | Postgres shared_preload_libraries misses pg_stat_statements | MEDIUM | hardening | Linux | config |
CFG-REDIS-005 | Redis uses default port 6379 | MEDIUM | hardening | Linux | config |
CFG-REDIS-008 | Redis logs to stdout without rotation | MEDIUM | hardening | Linux | config |
CFG-RESOLV-001 | /etc/resolv.conf uses unknown DNS server | MEDIUM | hardening | Linux | config |
CFG-SSH-009 | SSH AllowTcpForwarding enabled | MEDIUM | hardening | Linux | config |
CFG-SSH-015 | SSH UsePAM off | MEDIUM | hardening | Linux | config |
CFG-SSH-017 | SSH IgnoreRhosts no | MEDIUM | hardening | Linux | config |
CFG-SSH-018 | SSH banner not set | MEDIUM | hardening | Linux | config |
CFG-SSH-020 | SSH PermitUserEnvironment yes | MEDIUM | hardening | Linux | config |
CFG-SUDOERS-004 | sudoers missing log_input/log_output | MEDIUM | hardening | Linux | config |
CFG-SYSCTL-003 | TCP SYN cookies disabled | MEDIUM | hardening | Linux | config |
CFG-SYSCTL-004 | ICMP redirects accepted | MEDIUM | hardening | Linux | config |
CFG-SYSCTL-005 | IP source routing accepted | MEDIUM | hardening | Linux | config |
CFG-SYSCTL-006 | Core dumps not disabled for SUID binaries | MEDIUM | hardening | Linux | config |
CFG-SYSCTL-007 | Reverse path filtering disabled | MEDIUM | hardening | Linux | config |
CFG-SYSCTL-008 | IP forwarding enabled on non-router | MEDIUM | hardening | Linux | config |
CFG-SYSCTL-009 | Martian packets not logged | MEDIUM | hardening | Linux | config |
CFG-SYSCTL-010 | ICMP echo broadcasts allowed | MEDIUM | hardening | Linux | config |
CFG-SYSCTL-011 | TCP timestamps enabled (uptime leak) | MEDIUM | hardening | Linux | config |
CFG-SYSCTL-015 | ptrace unrestricted for sibling processes | MEDIUM | hardening | Linux | config |
CFG-SYSCTL-016 | Hardlink/symlink protections disabled | MEDIUM | hardening | Linux | config |
CFG-UFW-003 | UFW logging disabled | MEDIUM | hardening | Linux | config |
CFG-UFW-004 | UFW IPv6 disabled | MEDIUM | hardening | Linux | config |
CFG-CADDY-008 | Caddy header reveals unnecessary Server info | LOW | hardening | Linux | config |
CFG-CRON-001 | No cron jobs found in /etc/crontab — verify systemd-timers cover periodic tasks | LOW | hardening | Linux | config |
CFG-NGINX-017 | Nginx missing Permissions-Policy | LOW | hardening | Linux | config |
CFG-PAM-010 | PAM gecoscheck disabled | LOW | hardening | Linux | config |
CFG-REDIS-006 | Redis AOF persistence disabled (data-integrity, not security) | LOW | hardening | Linux | config |
CFG-SSH-012 | SSH listens on default port 22 (operational note) | LOW | hardening | Linux | config |