XYZ

Current version: 0.2.4 (23 March 2024) [src]

xyz is a security tool to check a system for common configuration faults that could cause sensitive information or interfaces to be exposed, such SSH private keys or GPG secret keys without passphrases, or service accounts without a password.

The tool can be run unattended from a cron job to generate a system-wide report which can be delivered by email or detected by a monitoring system such as Zabbix.

Many of the 150+ checks are derived from recommendations in Center for Internet Security benchmark documents, though since xyz is intended for use on multiple operating systems - various GNU/Linux distributions, FreeBSD, and OpenBSD - these checks are derived from standard recommendations rather than equivalent to them. xyz is not associated with or endorsed by CIS or any other organisation.

xyz is intended as a risk reduction tool to limit accidental exposure: ideally it should first be run before a server is placed into a production environment, and run regularly thereafter to check that mistakes have not crept in during day-to-day maintenance. It does not look for indicators of compromise and should not be run after an incident. A compromised server should be deleted and rebuilt, and xyz run on the rebuilt system as part of hardening before deployment.

This tool is built to be lightweight. It complements more in-depth tools such as OpenSCAP rather than attempting to replace them.

User-defined check and fix actions can be added. By packaging and deploying your own check, fix, and hook functions, embodying your estate's configuration policies, xyz can be extended to serve as a configuration policy compliance tool.

This software is distributed under the terms of the GNU General Public License version 3 or later.

To install xyz, follow these steps:

wget https://www.ivarch.com/programs/sources/xyz-0.2.4.tar.gz
tar xzf xyz-0.2.4.tar.gz
cd xyz-0.2.4
sh ./configure
make
sudo make install

Comments, bug reports, and patches can be sent using the Issue tracker, or through the Contact Form.

News

0.2.4 - 23 March 2024

0.2.1 - 18 March 2024

0.2.0 - 17 March 2024

This release extends XYZ to include over 100 more checks, and includes new options which will assist with future work to add unit tests into the build process.

0.1.0 - 6 March 2024

This release extends XYZ to incorporate dozens of new checks, derived from over 50 CIS recommendations, on top of its original checks for unprotected SSH and GPG private keys. It also adds a more fine-grained exceptions mechanism to allow special cases to be permitted, and a more human-readable (and optionally colourised) report format.

0.0.1 - 1 March 2024