XYZ

Current version: 0.2.25 (2 October 2025)

The xyz security tool checks a system for common configuration faults that could expose sensitive information or interfaces, such as SSH private keys or GPG secret keys stored without a passphrase, or service accounts with no password set.

It can be run unattended from a cron job to generate a system-wide report which can be delivered by email or detected by a monitoring system such as Zabbix.

Many of the 150+ checks are derived from recommendations in Center for Internet Security benchmark documents, though since xyz is intended for use on multiple operating systems - various GNU/Linux distributions, FreeBSD, and OpenBSD - these checks are derived from standard recommendations rather than equivalent to them. xyz is not associated with or endorsed by CIS or any other organisation.

Use xyz as a risk reduction tool to limit accidental exposure: run it before a server is placed into production, and then run it regularly thereafter to check that mistakes have not crept in during day-to-day maintenance. It does not look for indicators of compromise, so a clean report after an incident says nothing about whether the system is still compromised. A compromised server should be deleted and rebuilt, and xyz run on the rebuilt system as part of hardening before deployment.

This tool is built to be lightweight. It complements more in-depth tools such as OpenSCAP rather than attempting to replace them.

User-defined check and fix actions can be added. By packaging and deploying your own check, fix, and hook functions, embodying your estate's configuration policies, xyz can be extended to serve as a configuration policy compliance tool. For example, regular xyz checks could be run to ensure that configuration changes made by other tools such as Ansible or Puppet have had the desired effect and have not introduced regressions.

This software is distributed under the terms of the GNU General Public License version 3 or later.

Releases are signed with the author's GPG signing key, fingerprint D8FF 44A7 9CC8 A61E F694 FA7E B883 E013 14DA 8E84.

How to verify the signature of a download

Each release has an associated signature file: a detached signature, generated from the source archive using the private counterpart of the public signing key. Verifying the signature with the public key confirms that the archive has not been altered since it was signed by the holder of that private key. It does not by itself tell you who that holder is, so the fingerprint of the key that made the signature must also be compared against the published fingerprint, obtained from somewhere other than the download site itself.

# Download the release's source archive
curl -O https://ivarch.com/s/xyz-0.2.25.tar.gz
# Download the release's signature file
curl -O https://ivarch.com/s/xyz-0.2.25.tar.gz.txt
# Use GnuPG to verify the signature
gpg --verify xyz-0.2.25.tar.gz.txt xyz-0.2.25.tar.gz

If you have imported the public signing key into your keyring, you will see confirmation like this. The WARNING lines mean only that you have not certified the key within your own web of trust; the line that matters is the Primary key fingerprint, which must match the published fingerprint of the signing key exactly:

gpg: Signature made Thu 02 Oct 2025 22:50:04 BST
gpg:                using RSA key D8FF44A79CC8A61EF694FA7EB883E01314DA8E84
gpg:                issuer "andrew.wood@ivarch.com"
gpg: Good signature from "Andrew Wood <andrew.wood@ivarch.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D8FF 44A7 9CC8 A61E F694  FA7E B883 E013 14DA 8E84
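The WARNING lines in the output above mark the step that is easiest to skip: the name after "Good signature from" is whatever the key's creator typed into the user ID, so a check that only looks for "Good signature" will accept a signature from any key carrying that name. The script below is an added example and not part of the xyz project or its page: it asks gpg for machine-readable status output and accepts the archive only when the VALIDSIG line names the pinned fingerprint. The function names, the EXPECTED_FPR variable and the two sample status transcripts are this example's own constructions; the sample lines imitate gpg's --status-fd format for the release above but were not captured from a real run.

```shell
#!/bin/sh
# Added example, not part of the xyz project: verify a release archive against
# a pinned signing-key fingerprint instead of trusting the name that gpg prints
# after "Good signature from", which anyone can put on a key they generate.
set -eu

# Fingerprint of the release signing key as published on the project page.
# Pin it here and confirm it through a second channel before relying on it.
EXPECTED_FPR="D8FF44A79CC8A61EF694FA7EB883E01314DA8E84"

# validsig_matches STATUS_TEXT FINGERPRINT
# Returns 0 when STATUS_TEXT (gpg --status-fd output) contains a VALIDSIG line
# whose final field, the primary-key fingerprint, equals FINGERPRINT.
# GOODSIG alone is deliberately not enough: it carries only a 64-bit key ID
# and a user-chosen name.
validsig_matches() {
    status_text="$1"
    want="$2"
    # VALIDSIG fields: sig-fpr date timestamp expire-ts sig-ver reserved
    #                  pubkey-algo hash-algo sig-class primary-key-fpr
    printf '%s\n' "$status_text" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# verify_release ARCHIVE SIGNATURE_FILE
# Runs gpg with machine-readable status on stdout and accepts the archive only
# when the signature is good AND was made by the pinned key.
verify_release() {
    archive="$1"
    sigfile="$2"
    # A bad signature, an unknown key or a missing file makes gpg exit non-zero.
    if ! status_text=$(gpg --batch --status-fd 1 --verify "$sigfile" "$archive" 2>/dev/null); then
        echo "REFUSED: gpg could not verify $archive with $sigfile" >&2
        return 1
    fi
    if validsig_matches "$status_text" "$EXPECTED_FPR"; then
        echo "OK: $archive is signed by $EXPECTED_FPR"
        return 0
    fi
    echo "REFUSED: $archive is signed, but not by the pinned key" >&2
    return 1
}

# Constructed sample transcripts in gpg's --status-fd format (not captured from
# a real run). The first imitates a good signature from the pinned key; the
# second carries the same user ID on a different key, which a name-only check
# would wrongly accept.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED D8FF44A79CC8A61EF694FA7EB883E01314DA8E84 0
[GNUPG:] GOODSIG B883E01314DA8E84 Andrew Wood <andrew.wood@ivarch.com>
[GNUPG:] VALIDSIG D8FF44A79CC8A61EF694FA7EB883E01314DA8E84 2025-10-02 1759441804 0 4 0 1 10 01 D8FF44A79CC8A61EF694FA7EB883E01314DA8E84
[GNUPG:] TRUST_UNDEFINED 0 pgp'

SAMPLE_SPOOFED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Andrew Wood <andrew.wood@ivarch.com>
[GNUPG:] VALIDSIG 00112233445566778899AABB0123456789ABCDEF 2025-10-02 1759441804 0 4 0 1 10 01 00112233445566778899AABB0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# When given an archive and its signature file, verify them for real.
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

Run it as `sh verify-xyz.sh xyz-0.2.25.tar.gz xyz-0.2.25.tar.gz.txt` after importing the public key; it exits non-zero unless gpg reports a good signature from exactly the pinned key. The fingerprint is pinned in the script rather than fetched alongside the archive, because a download site that can serve a tampered archive can just as easily serve a matching key and signature.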

To build and install xyz from the verified archive, follow these steps:

curl -O https://ivarch.com/s/xyz-0.2.25.tar.gz
tar xzf xyz-0.2.25.tar.gz
cd xyz-0.2.25
sh ./configure
make
sudo make install

Comments, bug reports, and patches can be sent using the Issue tracker, or through the Contact Form.

News

0.2.25 - 2 October 2025

0.2.22 - 30 March 2025

0.2.20 - 9 February 2025

0.2.16 - 2 February 2025

0.2.10 - 26 December 2024

0.2.4 - 23 March 2024

0.2.1 - 18 March 2024

0.2.0 - 17 March 2024

This release extends XYZ to include over 100 more checks, and includes new options which will assist with future work to add unit tests into the build process.

0.1.0 - 6 March 2024

This release extends XYZ to incorporate dozens of new checks, derived from over 50 CIS recommendations, on top of its original checks for unprotected SSH and GPG private keys. It also adds a more fine-grained exceptions mechanism to allow special cases to be permitted, and a more human-readable (and optionally colourised) report format.

0.0.1 - 1 March 2024