Lightweight kernel hardening audit tool for Linux forensic triage and security baseline verification.
The name LinSpec comes from Linux + Inspection (Specification).
It was designed as a forensic entry point: a tool that checks whether kernel-level protections are actually enforced before you move on to deeper analysis.
LinSpec audits the Linux kernel's security posture in real time. It pulls critical kernel parameters, hardware mitigation states, and system-level protection flags, then produces a structured security baseline report. Consider it the forensic triage step: surface the weaknesses before diving into memory analysis.
Core Audit Areas:
- Memory Protection: ASLR, NX, and DMA restrictions
- Kernel Hardening: Pointer restrictions, kexec disabled, dmesg visibility
- CPU Mitigations: Spectre and Meltdown status
- Network Stack: BPF JIT hardening and SYN Flood protection
- Real-time kernel auditing
- CPU vulnerability detection
- Forensic Data Export (JSON/CSV)
- Minimalist terminal UI
- Pure C99 (no dependencies)
- PASS / WARN / VULN classification
- Passive inspection (read-only)
- Stateless execution
```text
[ 01 ] MEMORY > Address Space Layout Randomization [+] [ PASS ]
[ 02 ] KERNEL > Kernel Pointer Restriction [-] [ VULN ]
[ 03 ] SYSTEM > Yama Ptrace Scope Protection [+] [ PASS ]
[ 04 ] KERNEL > Kernel Log Dmesg Restriction [+] [ PASS ]
[ 05 ] NETWORK > BPF JIT Compiler Hardening [!] [ WARN ]
[ 06 ] NETWORK > TCP SYN Flood Protection (Cookies) [+] [ PASS ]
[ 07 ] SYSTEM > Unprivileged User Namespaces [!] [ WARN ]
```
LinSpec reads directly from these kernel interfaces:
- /proc/sys
- /sys/devices
The audit flow is simple:
- Collect kernel security parameters
- Normalize and classify the values
- Compare against a hardened baseline
- Assign PASS / WARN / VULN states
- Export structured forensic reports
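An added example of this flow in C99 (not LinSpec's own code): it collects seven of the sysctl nodes from the audit list above, classifies each against a constructed baseline and prints PASS / WARN / VULN. Check names and thresholds are this example's assumptions, and a node the running kernel does not provide is reported as N/A rather than counted as a failure.

```c
/* Added example, not LinSpec's own code: a table-driven /proc/sys baseline
 * check that follows the collect -> classify -> PASS/WARN/VULN flow above.
 * Check names and thresholds are this example's assumptions. */
#include <stdio.h>
#include <stdlib.h>
enum state { PASS, WARN, VULN, NA };
struct check {                /* ranges are inclusive; anything else is VULN */
    const char *name, *path;  /* label and the /proc/sys node to read */
    int pass_lo, pass_hi, warn_lo, warn_hi;
};

/* Constructed baseline; a WARN band of -1..-1 means "no WARN band". */
static const struct check checks[] = {
    {"ASLR",           "/proc/sys/kernel/randomize_va_space",        2, 2,  1,  1},
    {"kptr_restrict",  "/proc/sys/kernel/kptr_restrict",             2, 2,  1,  1},
    {"ptrace_scope",   "/proc/sys/kernel/yama/ptrace_scope",         1, 3, -1, -1},
    {"dmesg_restrict", "/proc/sys/kernel/dmesg_restrict",            1, 1, -1, -1},
    {"bpf_jit_harden", "/proc/sys/net/core/bpf_jit_harden",          2, 2,  0,  1},
    {"tcp_syncookies", "/proc/sys/net/ipv4/tcp_syncookies",          1, 2, -1, -1},
    {"userns_clone",   "/proc/sys/kernel/unprivileged_userns_clone", 0, 0,  1,  1},
};

/* Classify a raw value; a negative value means the node was not readable. */
enum state classify(const struct check *c, int v)
{
    if (v < 0) return NA;
    return (v >= c->pass_lo && v <= c->pass_hi) ? PASS
         : (v >= c->warn_lo && v <= c->warn_hi) ? WARN : VULN;
}

/* Read one integer from a /proc/sys node; -1 if absent or unreadable. */
int read_proc_int(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fgets(buf, sizeof buf, f) != NULL;
    fclose(f);
    return ok ? (int)strtol(buf, NULL, 10) : -1;
}

int main(void)
{
    static const char *label[] = { "PASS", "WARN", "VULN", "N/A " };
    for (size_t i = 0; i < sizeof checks / sizeof *checks; i++) {
        int v = read_proc_int(checks[i].path);   /* collect */
        printf("[ %02zu ] %-15s [ %s ]\n", i + 1, checks[i].name,
               label[classify(&checks[i], v)]);  /* classify + report */
    }
    return 0;
}
```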
```bash
# 1. Clone the repository
git clone https://github.com/jeffersoncesarantunes/LinSpec.git
# 2. Enter the directory
cd LinSpec
# 3. Compile the project
make clean && make
# 4. Run with root privileges for full access
sudo ./linspec
```
After execution, LinSpec writes out structured artifacts for further analysis:
- report.json: Machine-readable data for forensic pipelines
- report.csv: Tabular format for analysis and documentation
The report.json feeds into the larger ecosystem:
- Role: Input source for S.I.R.E.N
- Capability: Enables adaptive memory acquisition
- Benefit: Automates forensic capture decisions
LinSpec is the first stage in a three-stage forensic workflow:
You can verify the audit output yourself:
1. Check the structured reports:
```bash
column -s, -t < report.csv
grep -A 4 "summary" report.json
```
2. Cross-check against the live kernel:
```bash
head -n 10 /proc/kallsyms
sysctl kernel.unprivileged_userns_clone
sysctl kernel.kexec_load_disabled
cat /proc/cmdline
```
System Audit Overview -- the forensic engine running a baseline triage.
Data Integrity and Reporting -- terminal output matched against structured reports.
Forensic Kernel Validation -- LinSpec results cross-checked with the live kernel state.
```text
├── docs/
│   ├── architecture.md
│   ├── audit_reference.md
│   ├── forensic_methodology.md
│   └── threat_model.md
├── Images/
│   ├── linspec1.png
│   ├── linspec2.png
│   └── linspec3.png
├── include/
├── src/
│   ├── checks.h
│   ├── main.c
│   ├── memory_audit.c
│   └── system_audit.c
├── report.csv
├── report.json
├── LICENSE
├── Makefile
└── README.md
```
- Language: C (C99)
- Data Sources: /proc and /sys
- Build Tool: GNU Make
- Target Platforms: Linux Kernel 4.x, 5.x, 6.x
- High-performance C99 Core Engine
- Side-channel Vulnerability Detection (Spectre/Meltdown)
- Brutalist-inspired Terminal UI
- Structured Output (JSON/CSV Export)
- Ecosystem Integration (Pre-acquisition Audit for S.I.R.E.N)
- Automated Remediation (System Hardening)
- K-Scanner Deep Integration
This project is licensed under the MIT License.