Pavois: The Open-Source Linux Hardening Scanner That Audits What’s Actually Running, Not Just What’s Configured + Video


Introduction:

The gap between what a system’s configuration files say and what the system actually enforces has long been a blind spot in compliance auditing. Traditional scanners like OpenSCAP parse files such as /etc/ssh/sshd_config, but they miss the reality of `Include` directives, drop-in directories, and runtime overrides. Pavois, a new open-source compliance scanner, closes this gap by interrogating the live system state—querying `sshd -T` for effective SSH settings, inspecting `sysctl` values, and validating PAM and firewall rules as they are applied. This approach transforms Linux hardening from a paperwork exercise into a verifiable, actionable security practice.

Learning Objectives:

  • Understand the critical difference between configuration-file auditing and effective-state validation for Linux system hardening.
  • Learn how to deploy Pavois to scan Debian 12, Debian 13, and RHEL 8 systems against CIS, ANSSI BP-028, PCI-DSS, and NIST benchmarks.
  • Master the use of Pavois-generated remediation cookbooks to automatically enforce compliance across multi-distribution fleets.

1. Why Auditing the Effective State Matters More Than Reading Config Files

Most compliance tools operate on a dangerous assumption: that the contents of `/etc/ssh/sshd_config` represent the actual SSH daemon configuration. This is false. Modern Linux systems use `Include` statements to split configuration across multiple files, and drop-in directories like `/etc/ssh/sshd_config.d/` can override or extend settings without touching the main file. OpenSCAP and similar tools read these files statically, but they cannot guarantee that the running `sshd` process has applied them—especially after a syntax error or a failed reload.

Pavois takes a different path. Instead of parsing files, it executes the same commands that administrators use to verify running services:

  • For SSH: `sshd -T` dumps the effective configuration as the daemon understands it, including all includes and overrides.
  • For kernel parameters: reading `/proc/sys/` directly gives the live `sysctl` values.
  • For PAM: inspecting the effective stack via `pam-auth-update` or parsing the runtime configuration.
  • For firewalls: querying `nft` or `iptables` state instead of guessing from saved rulesets.

This shift from static to dynamic auditing catches misconfigurations that file-based scanners miss. A system might have a perfect `sshd_config` while a drop-in `Include` file silently overrides `PermitRootLogin`; Pavois will flag it because `sshd -T` reports the effective value. This is not just a theoretical improvement; it is the difference between passing an audit and actually being secure.
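The divergence described above, as an added example that is not part of Pavois or this article: a file-only reader and a model of how sshd itself resolves its configuration, run over the same constructed set of files. The model encodes two documented sshd_config(5) rules, that `Include` files are expanded where the directive appears and that the first value seen for a keyword wins; the file paths and contents are constructed for the demonstration.

```python
"""Static file parsing versus effective-state resolution for sshd.

Added example, not Pavois code. It models the two sshd_config rules that
make static parsing unreliable: Include directives are expanded where they
appear, and the first value seen for a keyword wins (sshd_config(5)).
"""
import fnmatch

# Constructed file set in the Debian layout: the Include sits at the top of the
# main file, so drop-in values are seen before the main file's own settings.
CONSTRUCTED_FS = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PermitRootLogin no\n"
        "PasswordAuthentication no\n"
        "X11Forwarding no\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
    "/etc/ssh/sshd_config.d/99-debug.conf": (
        "# left behind after a support session\n"
        "PermitRootLogin yes\n"
    ),
}


def _directives(fs, path):
    """Yield (keyword, value) pairs; keywords are matched case-insensitively by sshd."""
    for raw in fs[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def naive_static_read(fs, path="/etc/ssh/sshd_config"):
    """What a file-only scanner sees: the main file alone, Include ignored."""
    return {k: v for k, v in _directives(fs, path) if k != "include"}


def effective_settings(fs, path="/etc/ssh/sshd_config", _seen=None):
    """Model of what `sshd -T` reports: Includes expanded in place, first value wins."""
    seen = {} if _seen is None else _seen
    for key, value in _directives(fs, path):
        if key == "include":
            # sshd expands the glob and reads the matches in sorted order
            for inc in sorted(p for p in fs if fnmatch.fnmatch(p, value)):
                effective_settings(fs, inc, seen)
        elif key not in seen:
            seen[key] = value
    return seen


def check(settings, expected):
    """Map each expected keyword to (actual value, passed?)."""
    return {k: (settings.get(k, "<unset>"), settings.get(k) == v)
            for k, v in expected.items()}


EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

if __name__ == "__main__":
    for label, reader in (("static", naive_static_read), ("effective", effective_settings)):
        for key, (actual, ok) in check(reader(CONSTRUCTED_FS), EXPECTED).items():
            print(f"{label:9} {key:22} {actual:7} {'PASS' if ok else 'FAIL'}")
```

The static reader reports both keywords as compliant; the effective resolver reports `permitrootlogin yes` and `passwordauthentication yes`, because the drop-ins are read first and the main file's values never apply. The model deliberately ignores `Match` blocks and the `key=value` spelling; on a live host, `sshd -T` run as root remains the authoritative answer, and it also reflects the daemon's parse of the files rather than what a failed reload left running.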

2. The Architecture: One Rule File to Rule Them All

Pavois’s architectural innovation is its unified rule definition. Rather than maintaining separate rule sets for each Linux distribution, the tool uses a single YAML-based rule file that contains:

  • Common fields shared across all operating systems (e.g., rule ID, description, severity, remediation steps).
  • Distribution-specific overrides for CIS numbers, file paths, and expected values.

From this master rule file, Pavois generates two artifacts automatically:

  • Test cookbooks: Scripts that perform the effective-state checks for each OS.
  • Remediation cookbooks: Scripts that apply fixes when a rule fails.

This design means that adding support for a new distribution—such as RHEL 8, which the author recently integrated—requires only declaring the differences, not rewriting the entire audit logic. The result is a coherent, maintainable system where detection, hardening, and reporting all speak the same language.

Example Rule Snippet (Conceptual):

- id: CIS_SSH_001
  description: "Ensure SSH PermitRootLogin is set to 'no'"
  severity: high
  common:
    check_command: "sshd -T | grep -i 'permitrootlogin'"
    expected_value: "permitrootlogin no"
  debian:
    cis_number: "5.2.8"
    path_override: "/etc/ssh/sshd_config"
  rhel:
    cis_number: "3.5.1"
    path_override: "/etc/ssh/sshd_config.d/50-hardening.conf"

When Pavois scans a Debian 13 system, it uses the Debian-specific CIS number and path; when scanning RHEL 8, it switches to the RHEL values—all from the same source of truth.

3. Step-by-Step: Deploying Pavois on Debian 12

This guide walks through installing and running Pavois on a Debian 12 system.

Prerequisites:

  • Debian 12 (Bookworm) with root or sudo access.
  • Git and Python 3.11+ installed.

Step 1: Clone the Repository

git clone https://github.com/your-org/pavois.git
cd pavois

Step 2: Install Dependencies

pip install -r requirements.txt

Step 3: Run a Scan

python pavois.py --os debian12 --profile cis --output report.html

This command executes all 800 rules mapped to the CIS benchmark and generates a structured report with scores, severities, and remediation steps.

Step 4: Generate Remediation Cookbooks

python pavois.py --os debian12 --generate-remediation --output remediate.sh

This produces a shell script that applies fixes for all failed rules. Review the script before execution.

Step 5: Apply Remediations

sudo bash remediate.sh

Step 6: Verify Compliance

python pavois.py --os debian12 --profile cis --output verified_report.html

The second scan should show a significantly improved compliance score.

4. Extending Pavois to RHEL 8 and Beyond

The author’s recent work on RHEL 8 validates the architectural bet. Adding a new OS required minimal changes: defining RHEL-specific paths, CIS numbers, and expected values in the shared rule file. The test and remediation cookbooks were generated automatically, producing a consistent experience across distributions.

To add RHEL 9 support:

  1. Copy the RHEL 8 overrides and adjust for version-specific differences.
  2. Update the rule file with new CIS numbers (RHEL 9 uses CIS v2.0.0).
  3. Run the generator to produce the new cookbooks.
  4. Test on a RHEL 9 VM.

This approach scales to Rocky Linux and AlmaLinux with equal ease, as they are binary-compatible with RHEL.

Command to Scan RHEL 8:

python pavois.py --os rhel8 --profile anssi --output rhel8_audit.json

Command to Generate Ansible Remediation Playbook:

python pavois.py --os rhel8 --generate-ansible --output remediate.yml

This produces an Ansible playbook that can be integrated into CI/CD pipelines or configuration management workflows.

5. Understanding the 800-Rule Baseline

Pavois ships with a baseline of 800 hardening rules mapped to multiple frameworks:

  • CIS Benchmarks: The de facto standard for system hardening, covering SSH, kernel parameters, filesystem permissions, and user accounts.
  • ANSSI BP-028: The French national agency’s best-practice guide, with specific requirements for government and critical infrastructure.
  • PCI-DSS: Payment Card Industry Data Security Standard requirements for systems handling cardholder data.
  • NIST SP 800-53: The U.S. federal standard for security and privacy controls.

Each rule includes a severity rating (critical, high, medium, low) and a clear remediation description. The report organizes findings by chapter, making it easy to map results to specific compliance requirements.

Example Rule: Kernel Parameter for IP Spoofing Protection

# Check effective value
sysctl net.ipv4.conf.all.rp_filter

# Expected: 1
# Remediation:
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf && sysctl -w net.ipv4.conf.all.rp_filter=1

Pavois automates this check across all interfaces, ensuring the kernel is actually enforcing the setting.
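The two mechanisms described above, the shared rule with per-distribution overrides from the architecture section and the per-interface `rp_filter` check from this section, as one added example that is not Pavois code. The rule layout follows the conceptual YAML snippet; the field names `check_key`, `expected_value`, `remediation` and `sysctl_dropin`, the CIS-number placeholders and the drop-in path are this example's own assumptions. The `/proc/sys` snapshot is constructed, and the evaluation uses the kernel's documented rule that source validation on an interface applies the maximum of `conf.all.rp_filter` and `conf.<interface>.rp_filter`.

```python
"""Resolve a rule for one target OS and evaluate it against kernel state.

Added example, not Pavois code. Field names, CIS placeholders and the
sysctl drop-in path are assumptions made for this demonstration.
"""
import os

# Constructed rule in the parsed form of one YAML entry: shared fields plus overrides.
RULE = {
    "id": "KERNEL_RP_FILTER",
    "description": "Ensure reverse path filtering is enforced on every interface",
    "severity": "medium",
    "common": {
        "check_key": "net.ipv4.conf.{iface}.rp_filter",
        "expected_value": "1",
        "remediation": (
            "printf 'net.ipv4.conf.{iface}.rp_filter = 1\\n' >> {sysctl_dropin} "
            "&& sysctl -w net.ipv4.conf.{iface}.rp_filter=1"
        ),
    },
    # Per-distro overrides. CIS numbers are placeholders; look them up in the benchmark.
    "debian": {"cis_number": "<debian-cis-number>", "sysctl_dropin": "/etc/sysctl.d/99-hardening.conf"},
    "rhel": {"cis_number": "<rhel-cis-number>", "sysctl_dropin": "/etc/sysctl.d/99-hardening.conf"},
}
DISTRO_KEYS = ("debian", "rhel")

# Constructed /proc/sys snapshot: sysctl.conf set `default` but never `all`, and the
# container bridge was created with rp_filter disabled. A file-based scan sees "1".
PROC_SYS = {
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.eth0.rp_filter": "1",
    "net.ipv4.conf.docker0.rp_filter": "0",
}


def resolve(rule, distro):
    """Flatten common fields and the chosen distro's overrides into one dict."""
    merged = {k: v for k, v in rule.items() if k != "common" and k not in DISTRO_KEYS}
    merged.update(rule["common"])
    merged.update(rule.get(distro, {}))
    return merged


def interfaces(snapshot):
    """Interface names under net.ipv4.conf.*, excluding the all/default pseudo-entries."""
    prefix = "net.ipv4.conf."
    names = {k[len(prefix):].rsplit(".", 1)[0] for k in snapshot if k.startswith(prefix)}
    return sorted(names - {"all", "default"})


def effective_rp_filter(snapshot, iface):
    """Kernel semantics: source validation uses max(conf.all, conf.<iface>)."""
    all_val = int(snapshot.get("net.ipv4.conf.all.rp_filter", "0"))
    if_val = int(snapshot.get(f"net.ipv4.conf.{iface}.rp_filter", "0"))
    return str(max(all_val, if_val))


def evaluate(rule, distro, snapshot):
    """One finding per interface, with the distro-specific remediation filled in."""
    r = resolve(rule, distro)
    findings = []
    for iface in interfaces(snapshot):
        actual = effective_rp_filter(snapshot, iface)
        findings.append({
            "rule": r["id"], "cis": r["cis_number"], "iface": iface,
            "expected": r["expected_value"], "actual": actual,
            "passed": actual == r["expected_value"],
            "remediation": r["remediation"].format(iface=iface, sysctl_dropin=r["sysctl_dropin"]),
        })
    return findings


def snapshot_from_proc(root="/proc/sys/net/ipv4/conf"):
    """Read live values on a Linux host; returns {} elsewhere so the demo still runs."""
    snap = {}
    try:
        for iface in os.listdir(root):
            with open(os.path.join(root, iface, "rp_filter")) as fh:
                snap[f"net.ipv4.conf.{iface}.rp_filter"] = fh.read().strip()
    except OSError:
        pass
    return snap


if __name__ == "__main__":
    live = snapshot_from_proc()
    for f in evaluate(RULE, "debian", live or PROC_SYS):
        verdict = "PASS" if f["passed"] else "FAIL -> " + f["remediation"]
        print(f"{f['iface']:10} effective={f['actual']} {verdict}")
```

On the constructed snapshot `eth0` passes and `docker0` fails with a remediation line already pointed at the Debian drop-in; swapping `"debian"` for `"rhel"` changes only the CIS number and path, which is the single-source-of-truth property the architecture section describes. Run on a Linux host it reads `/proc/sys` directly, which is the same effective-state source the article attributes to Pavois.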

6. Integrating Pavois into CI/CD Pipelines

For DevSecOps teams, Pavois can be embedded into CI/CD pipelines to enforce compliance before deployment. The tool generates machine-readable reports (JSON, SARIF) that can be ingested by security dashboards or fail builds when critical rules are violated.

GitHub Actions Example:

- name: Run Pavois Compliance Scan
  run: |
    python pavois.py --os ubuntu22 --profile cis --format sarif --output pavois.sarif
- name: Upload SARIF to GitHub Security Tab
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: pavois.sarif

Jenkins Pipeline Snippet:

stage('Compliance Scan') {
    steps {
        sh 'python pavois.py --os rhel8 --profile nist --output report.json'
        archiveArtifacts artifacts: 'report.json'
    }
}

This integration ensures that every build is checked against the same hardening baseline, catching regressions before they reach production.
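What the pipeline step consumes, as an added example that is not Pavois code: a conversion of scan findings into a minimal SARIF 2.1.0 document (tool driver with declared rules, one result per failed rule, each with a location) and a gate that returns a non-zero status when rules at or above a chosen severity fail. The findings list, the tool name and the file paths in it are constructed for the demonstration.

```python
"""Convert scanner findings to SARIF 2.1.0 and gate a pipeline on severity.

Added example, not Pavois code: the findings list is constructed and the
tool name is a placeholder.
"""
import json
import sys

# SARIF results only carry error/warning/note, so rule severities collapse onto them.
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}

# Constructed findings in the shape a scan report might carry.
FINDINGS = [
    {"id": "CIS_SSH_001", "description": "Ensure SSH PermitRootLogin is set to 'no'",
     "severity": "high", "passed": False, "location": "/etc/ssh/sshd_config.d/99-debug.conf",
     "evidence": "sshd -T reports permitrootlogin yes",
     "remediation": "set PermitRootLogin no in the drop-in and reload sshd"},
    {"id": "KERNEL_RP_FILTER", "description": "Ensure reverse path filtering is enforced",
     "severity": "medium", "passed": True, "location": "/proc/sys/net/ipv4/conf/all/rp_filter",
     "evidence": "effective value 1", "remediation": ""},
    {"id": "BANNER_MOTD", "description": "Ensure /etc/motd is configured",
     "severity": "low", "passed": False, "location": "/etc/motd",
     "evidence": "file missing", "remediation": "install an approved /etc/motd"},
]


def to_sarif(findings, tool_name="pavois-example", tool_version="0.0.0"):
    """Build one SARIF run: every rule is declared, only failed rules become results."""
    rules, results = [], []
    for f in findings:
        rules.append({"id": f["id"], "shortDescription": {"text": f["description"]},
                      "properties": {"severity": f["severity"]}})
        if f["passed"]:
            continue
        results.append({
            "ruleId": f["id"],
            "level": SEVERITY_TO_LEVEL[f["severity"]],
            "message": {"text": f"{f['evidence']}. Remediation: {f['remediation']}"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["location"]}}}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
                  "results": results}],
    }


def gate(findings, fail_on=("critical", "high")):
    """Exit status for the pipeline step plus the rule ids that caused it."""
    blocking = sorted(f["id"] for f in findings if not f["passed"] and f["severity"] in fail_on)
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    with open("pavois.sarif", "w") as fh:
        json.dump(to_sarif(FINDINGS), fh, indent=2)
    status, blocking = gate(FINDINGS)
    print("blocking rules:", blocking or "none")
    sys.exit(status)
```

Declaring every rule in `tool.driver.rules` while emitting results only for failures keeps the upload small and lets the dashboard show coverage as well as findings; the gate's `fail_on` tuple is where a team decides which severities break the build and which only annotate it.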

7. Comparison with OpenSCAP and Lynis

Pavois is not the first compliance scanner, but it addresses specific shortcomings of existing tools:

  • OpenSCAP: Relies heavily on OVAL definitions and static file parsing. It can be slow, complex to customize, and prone to false positives when configurations use `Include` or drop-in directories. Pavois’s effective-state checks eliminate these issues.
  • Lynis: A battle-tested auditing tool that performs effective-state checks for many items. However, Lynis does not generate remediation cookbooks automatically, and its rule set is not mapped to multiple compliance frameworks in a structured, machine-readable format. Pavois combines the strengths of Lynis (effective-state auditing) with the structured compliance reporting of OpenSCAP.

Pavois also avoids the infinite-loop bugs that plague some OpenSCAP remediation scripts, applying fixes cleanly without unintended side effects.

What Undercode Say:

  • Key Takeaway 1: The shift from file-based to effective-state auditing is a paradigm change that catches real misconfigurations, not just paperwork errors. This is especially critical for SSH, PAM, and kernel parameters where drop-in directories and runtime overrides are common.
  • Key Takeaway 2: Pavois’s single-rule-file architecture is a masterstroke for multi-distribution environments. Adding RHEL 8 validated that the approach scales without exponential maintenance overhead. The automatic generation of test and remediation cookbooks ensures consistency and reduces human error.

Analysis: The Linux hardening space has been stagnant for years, with tools like OpenSCAP and Lynis dominating but each having significant flaws. Pavois enters as a fresh alternative that combines the best of both: effective-state checks (like Lynis) and structured compliance mapping with automated remediation (like OpenSCAP, but better). The author’s decision to build a unified rule file is particularly clever—it turns OS diversity from a liability into a feature. For organizations running mixed Debian and RHEL fleets, Pavois could be the first tool that truly works out of the box without massive customization. The 800-rule baseline covering CIS, ANSSI, PCI-DSS, and NIST makes it enterprise-ready from day one. The next steps—adding RHEL 9, Rocky, and Alma—will only strengthen its position as a universal hardening solution. If the project gains traction, it could become the de facto standard for Linux compliance in DevSecOps pipelines.

Prediction:

  • +1 Pavois is positioned to disrupt the Linux compliance market by offering a lightweight, accurate, and multi-framework alternative to heavyweight tools like OpenSCAP. Its CI/CD-friendly design will appeal to DevSecOps teams seeking shift-left security.
  • +1 The unified rule file architecture lowers the barrier to entry for new distributions, meaning Pavois could quickly gain support for Alpine, SUSE, and other enterprise Linux variants, expanding its addressable market.
  • +1 As organizations increasingly adopt infrastructure-as-code and immutable systems, the ability to audit effective state becomes more valuable—Pavois aligns perfectly with this trend.
  • -1 The tool is new and lacks the extensive community and third-party integrations that OpenSCAP and Lynis have built over years. Adoption may be slow until proven in large-scale production environments.
  • -1 Without a commercial backing or a clear monetization path, Pavois risks becoming a hobby project rather than a sustainably maintained enterprise tool. The author’s open-to-work status suggests this is a portfolio piece, not a funded initiative.
  • +1 However, the author’s fractional DevSecOps lead experience indicates deep domain knowledge, and the tool’s technical quality is evident. If they can build a community around it, Pavois could become a significant player.
  • +1 The automatic remediation cookbook generation is a killer feature that reduces the operational burden of hardening, making compliance more achievable for overstretched security teams.
  • -1 The 800-rule baseline may be overwhelming for smaller organizations. A tiered approach (e.g., essential, standard, strict) would improve usability.
  • +1 Integration with popular CI/CD platforms (GitHub Actions, GitLab CI, Jenkins) is already possible via SARIF output, which positions Pavois well for the DevSecOps workflow.
  • +1 If the author adds container image scanning and Kubernetes pod security policy checks, Pavois could expand into the container security space, where effective-state auditing is even more critical.

Reported By: Stephanerobert1 Openscap – Hackers Feeds