Lightweight kernel hardening audit tool for Linux forensic triage and security baseline verification.
LinSpec derives from Linux + Inspection (Specification).
The tool was conceptualized as a forensic entry-point, evaluating whether kernel-level protections are correctly enforced before deeper analysis begins.
LinSpec is a specialized forensic utility designed to audit the security posture of the Linux Kernel in real-time.
It evaluates critical kernel parameters, hardware mitigations, and system-level protection flags to generate a structured security baseline report. It operates as the forensic triage phase, identifying weaknesses before deeper memory analysis.
Core Audit Areas:
- Memory Protection:
ASLR,NX, andDMArestrictions - Kernel Hardening: Pointer restrictions,
kexecdisabled, anddmesgvisibility - CPU Mitigations: Spectre and Meltdown status
- Network Stack: BPF JIT hardening and SYN Flood protection
- Real-time kernel auditing
- CPU vulnerability detection
- Forensic Data Export (JSON/CSV)
- Minimalist terminal UI
- Pure C99 (no dependencies)
- PASS / WARN / VULN classification
- Passive inspection (read-only)
- Stateless execution
[ 01 ] MEMORY > Address Space Layout Randomization [+] [ PASS ]
[ 02 ] KERNEL > Kernel Pointer Restriction [-] [ VULN ]
[ 03 ] SYSTEM > Yama Ptrace Scope Protection [+] [ PASS ]
[ 04 ] KERNEL > Kernel Log Dmesg Restriction [+] [ PASS ]
[ 05 ] NETWORK > BPF JIT Compiler Hardening [!] [ WARN ]
[ 06 ] NETWORK > TCP SYN Flood Protection (Cookies) [+] [ PASS ]
[ 07 ] SYSTEM > Unprivileged User Namespaces [!] [ WARN ]
LinSpec interfaces directly with:
/proc/sys/sys/devices
Audit flow:
- Collect kernel security parameters
- Normalize and classify values
- Compare against a hardened baseline
- Assign PASS / WARN / VULN states
- Export structured forensic reports
# 1. Clone the repository
git clone https://github.com/jeffersoncesarantunes/LinSpec.git
# 2. Enter the directory
cd LinSpec
# 3. Compile the project
make clean && make
# 4. Run with root privileges for full access
sudo ./linspecAfter execution, LinSpec generates structured artifacts for external analysis:
report.json: Machine-readable data for forensic pipelinesreport.csv: Tabular format for analysis and documentation
The generated report.json acts as a telemetry layer for the ecosystem:
- Role: Input source for S.I.R.E.N
- Capability: Enables adaptive memory acquisition
- Benefit: Automates forensic capture decisions
LinSpec is the first component of a three-stage forensic workflow:
-002B36?style=flat-square&logo=linux&logoColor=white){kind=icon}
-006400?style=flat-square&logo=linux&logoColor=white){kind=icon}
-003366?style=flat-square&logo=linux&logoColor=white){kind=icon}
To confirm audit accuracy:
1. Verifying Structured Reports:
column -s, -t < report.csv
cat report.json | grep -A 4 "summary"2. Verifying Kernel Constraints:
cat /proc/kallsyms | head -n 10
sysctl kernel.unprivileged_userns_clone
sysctl kernel.kexec_load_disabled
cat /proc/cmdline
1 - System Audit Overview. Execution of the forensic engine performing baseline triage.
2 - Data Integrity & Reporting. Validation between terminal output and structured reports.
3 - Forensic Kernel Validation. Cross-checking LinSpec results with live kernel state.
โโโ docs/
โ โโโ architecture.md
โ โโโ audit_reference.md
โ โโโ forensic_methodology.md
โ โโโ threat_model.md
โโโ Imagens/
โ โโโ linspec1.png
โ โโโ linspec2.png
โ โโโ linspec3.png
โโโ include/
โโโ src/
โ โโโ checks.h
โ โโโ main.c
โ โโโ memory_audit.c
โ โโโ system_audit.c
โโโ report.csv
โโโ report.json
โโโ LICENSE
โโโ Makefile
โโโ README.md
- Language: C (C99)
- Data Sources:
/procand/sys - Build Tool: GNU Make
- Target Platforms: Linux Kernel 4.x, 5.x, 6.x
- High-performance C99 Core Engine
- Side-channel Vulnerability Detection (Spectre/Meltdown)
- Brutalist-inspired Terminal UI
- Structured Output (JSON/CSV Export)
- Ecosystem Integration (Pre-acquisition Audit for S.I.R.E.N)
- Automated Remediation (System Hardening)
- K-Scanner Deep Integration
This project is licensed under the MIT License.