Some times ago I posted about scc tool, here is a short update with some example reports provided. https://dev.to/melezhik/linux-compliance-checks-with-sparrow-plugin-2160
People can use the plugin to check if their Linux configuration files are security compliant
Sparrow is a Raku automation framework
Compliant with what?
“Security compliant” is a completely meaningless phrase, right up there with “locked door” or “secret code”.
Whoever downvoted you probably doesn’t understand what you’re saying. This package doesn’t stipulate as to what regulations, frameworks, standards etc it is checking compliance against.
If it doesn’t say what it’s checking it’s compliant against, how can it determine if you’re compliant to it or not?
ISO 27001? SOC2? CIS Benchmarks? HIPAA? GDPR? NIST CSF? 800-53? PCI DSS? Cyber Essentials? Vendor guidance?
This seems, at best, some general security checks but not mapped to any framework in particular.
The Linux Security Audit Project is far more mature in this regard and maps checks to specific frameworks.
Yeah … voting around here is interesting from time to time.
On a positive note, I hadn’t heard of the Linux Security Audit Project, looks interesting, thank you.
I only briefly skimmed through the readme so I might have missed it, but I wonder how they’re able to claim compliance with specific standards.
It was my understanding that it’s typically a drawn out expensive process with a certificate to hang on the wall after the fact.
They make it clear it’s an assessment aid rather than a replacement for professional audits.
Ultimately, you need to be accredited by a third party to whatever standard you’re targeting. Linux Security Audit Project just gives you some checks to help review your current posture and start tackling things ahead of the audit.
This seems, at best, some general security checks but not mapped to any framework in particular.
So. Yes. Ssh access should be passwords only, etc. Some common sense. We don’t need standard to that
UPDATE: sorry for the typo, meant passwordless
Ssh access should be passwords only
What are you basing this on?
Definitely not NIST 800-53, PCI-DSS, or ISO 27001; all of which stipulate ssh key management not password-based authentication.
Typo )) sorry , meant password less



