1
4
Fork
You've already forked xyz
0
A security tool to check for common configuration faults that could cause sensitive information or interfaces to be exposed, such as SSH private keys or GPG secret keys without passphrases, or service accounts without a password. https://ivarch.com/p/xyz
  • Shell 98.3%
  • Makefile 1.4%
  • M4 0.3%
2026年07月13日 20:44:38 +01:00
docs More clarity about which kernels the lkm_available_* checks apply to ( #11 ). 2026年07月13日 20:44:38 +01:00
src More clarity about which kernels the lkm_available_* checks apply to ( #11 ). 2026年07月13日 20:44:38 +01:00
.gitignore Ignore "configure~". 2024年03月06日 22:19:52 +00:00
configure.ac Version bump, and set release date. 2026年07月06日 21:13:43 +01:00
Makefile.am Remove the build-package and release scripts, and instead use docs/release.cf with the external foss-release.sh script. 2026年07月06日 21:26:24 +01:00
README.md Update the copyright years. 2026年07月05日 00:11:38 +01:00
settings.sh.in Update the copyright years. 2026年07月05日 00:11:38 +01:00

Introduction

The xyz security tool checks a system for common configuration faults that could cause sensitive information or interfaces to be exposed, such as SSH private keys or GPG secret keys without passphrases, or service accounts without a password.

It can be run unattended from a cron job to generate a system-wide report which can be delivered by email or detected by a monitoring system such as Zabbix.

Many of the 150+ checks are derived from recommendations in Center for Internet Security benchmark documents, though since xyz is intended for use on multiple operating systems - various GNU/Linux distributions, FreeBSD, and OpenBSD - these checks are derived from standard recommendations rather than equivalent to them. xyz is not associated with or endorsed by CIS or any other organisation.

Use xyz as a risk reduction tool to limit accidental exposure: run it first before a server is placed into a production environment, and then run it regularly thereafter to check that mistakes have not crept in during day-to-day maintenance. It does not look for indicators of compromise and should not be run after an incident. A compromised server should be deleted and rebuilt, and xyz run on the rebuilt system as part of hardening before deployment.

This tool is built to be lightweight. It complements more in-depth tools such as OpenSCAP rather than attempting to replace them.

User-defined check and fix actions can be added. By packaging and deploying your own check, fix, and hook functions, embodying your estate's configuration policies, xyz can be extended to serve as a configuration policy compliance tool. For example, regular xyz checks could be run to ensure that configuration changes made by other tools such as Ansible or Puppet have had the desired effect and have not introduced regressions.

Documentation

A manual page is included in this distribution ("man xyz"). Before installation, it is in "docs/xyz.8".

Changes are listed in "docs/NEWS.md".

Developers and translators, please see "docs/DEVELOPERS.md".

Installation

See "docs/INSTALL" for more about the configure script.

The typical process for a system-wide install is:

sh ./configure --prefix=/usr
make
sudo make install

This requires Make ("sudo apt install make" on Debian or Ubuntu systems).

If this is not a packaged release, the configure script is not included. It is generated with the GNU build system tools (autoconf, aclocal, automake). On Debian or Ubuntu, run "sudo apt install automake". Once those tools are in place, call "autoreconf -is" to generate the configure script, and run it as described above.

Copyright, bug reporting, and acknowledgements

Copyright (C) 2024-2026 Andrew Wood.

License GPLv3+: GNU GPL version 3 or later https://www.gnu.org/licenses/gpl-3.0.html.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License, version 3, in "docs/COPYING". If not, see https://www.gnu.org/licenses/gpl-3.0.html.

Please report bugs or request features via the issue tracker linked from the home page.

The xyz home page is at:

https://ivarch.com/p/xyz

The latest version can always be found here.