20

Some times ago I posted about scc tool, here is a short update with some example reports provided. https://dev.to/melezhik/linux-compliance-checks-with-sparrow-plugin-2160

People can use the plugin to check if their Linux configuration files are security compliant

Sparrow is a Raku automation framework

top 8 comments
sorted by: hot top new old
[-] vk6flab@lemmy.radio 18 points 1 week ago

Compliant with what?

"Security compliant" is a completely meaningless phrase, right up there with "locked door" or "secret code".

[-] fartsparkles@lemmy.world 15 points 1 week ago

Whoever downvoted you probably doesn’t understand what you’re saying. This package doesn’t stipulate as to what regulations, frameworks, standards etc it is checking compliance against.

If it doesn’t say what it’s checking it’s compliant against, how can it determine if you’re compliant to it or not?

ISO 27001? SOC2? CIS Benchmarks? HIPAA? GDPR? NIST CSF? 800-53? PCI DSS? Cyber Essentials? Vendor guidance?

This seems, at best, some general security checks but not mapped to any framework in particular.

The Linux Security Audit Project is far more mature in this regard and maps checks to specific frameworks.

[-] vk6flab@lemmy.radio 4 points 1 week ago

Yeah .. voting around here is interesting from time to time.

On a positive note, I hadn't heard of the Linux Security Audit Project, looks interesting, thank you.

I only briefly skimmed through the readme so I might have missed it, but I wonder how they're able to claim compliance with specific standards.

It was my understanding that it's typically a drawn out expensive process with a certificate to hang on the wall after the fact.

[-] fartsparkles@lemmy.world 4 points 1 week ago

They make it clear it’s an assessment aid rather than a replacement for professional audits.

Ultimately, you need to be accredited by a third party to whatever standard you’re targeting. Linux Security Audit Project just gives you some checks to help review your current posture and start tackling things ahead of the audit.

[-] melezhik@programming.dev 1 points 1 week ago* (last edited 1 week ago)

This seems, at best, some general security checks but not mapped to any framework in particular.

So. Yes. Ssh access should be passwords only, etc. Some common sense. We don’t need standard to that

UPDATE: sorry for the typo, meant passwordless

[-] vk6flab@lemmy.radio 1 points 1 week ago

Ssh access should be passwords only

What are you basing this on?

[-] fartsparkles@lemmy.world 4 points 1 week ago

Definitely not NIST 800-53, PCI-DSS, or ISO 27001; all of which stipulate ssh key management not password-based authentication.

[-] melezhik@programming.dev 1 points 1 week ago

Typo )) sorry , meant password less

this post was submitted on 09 Jul 2026
20 points (91.7% liked)

Linux

14345 readers
461 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 3 years ago
MODERATORS