jeffersoncesarantunes/LinSpec

🐧 LinSpec

Lightweight forensic kernel hardening audit tool for Linux security baseline verification.

Platform: Linux | Language: C99 | License: MIT


● Etymology & Origin

The name LinSpec is a portmanteau of Linux and Inspection (or Specification).

It was designed to act as the "First Responder" in a security audit. Before deep memory analysis begins, LinSpec inspects the kernel's defensive specifications to determine if the system's "armor" is correctly fastened or if there are gaps that an attacker could exploit.


● Overview

LinSpec is a specialized forensic utility designed to audit the security posture of the Linux Kernel in real-time.

It evaluates critical Kernel parameters, hardware mitigations, and system-level protection flags to generate a security baseline report. It serves as the Initial Triage phase in a forensic investigation.

Core Audit Areas:

  • Memory Protection: ASLR, NX, and DMA restrictions
  • Kernel Hardening: Pointer restrictions, kexec disabled, and dmesg visibility
  • CPU Mitigations: Spectre and Meltdown mitigation status
  • Network Stack: BPF JIT hardening and SYN Flood protection

● The Forensic Ecosystem

LinSpec is the first component of a specialized three-stage forensic workflow:

  1. LinSpec
  2. SIREN
  3. KScanner


● How It Works

LinSpec interfaces with:

  • /proc/sys
  • /sys/devices

Steps:

  1. Retrieve Kernel parameters
  2. Evaluate against a hardened security baseline
  3. Validate CPU mitigation status

● Example Output

[ 01 ]  MEMORY   >  Address Space Layout Randomization     [+] [   PASS   ]
[ 02 ]  KERNEL   >  Kernel Pointer Restriction             [-] [   VULN   ]
[ 03 ]  SYSTEM   >  Yama Ptrace Scope Protection           [+] [   PASS   ]
[ 04 ]  KERNEL   >  Kernel Log Dmesg Restriction           [+] [   PASS   ]
[ 05 ]  NETWORK  >  BPF JIT Compiler Hardening             [!] [   WARN   ]
[ 06 ]  NETWORK  >  TCP SYN Flood Protection (Cookies)     [+] [   PASS   ]
[ 07 ]  SYSTEM   >  Unprivileged User Namespaces           [!] [   WARN   ]
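The three steps above (read a kernel interface, compare it with a hardened baseline, classify the CPU mitigation state) and the report format shown in the example output can be demonstrated in a few dozen lines of C99. The block below is an added example written for this page; it is not LinSpec's own source. The /proc/sys and /sys paths are real kernel interfaces, but the PASS/WARN/VULN thresholds are this example's assumptions, and it covers only a subset of the checks in the output above (the unprivileged user namespace check is omitted because its sysctl name varies between distributions).

```c
/* Added example (not LinSpec's own code): a minimal C99 auditor in the
 * style of LinSpec. It reads kernel parameters from /proc/sys and CPU
 * mitigation state from /sys/devices/system/cpu/vulnerabilities, evaluates
 * each value against a hardened baseline, and prints one PASS/WARN/VULN
 * line per check. The thresholds below are assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { PASS, WARN, VULN, UNKNOWN };

static const char *verdict_name(enum verdict v)
{
    switch (v) {
    case PASS: return "PASS";
    case WARN: return "WARN";
    case VULN: return "VULN";
    default:   return "N/A ";   /* interface missing or unparsable */
    }
}

/* Evaluate an integer sysctl against a minimum hardened value:
 * value >= hardened -> PASS; value >= warn_floor -> WARN; else VULN. */
enum verdict eval_sysctl(const char *raw, long hardened, long warn_floor)
{
    char *end;
    long v;
    if (raw == NULL) return UNKNOWN;
    v = strtol(raw, &end, 10);
    if (end == raw) return UNKNOWN;          /* not a number */
    if (v >= hardened) return PASS;
    if (v >= warn_floor) return WARN;
    return VULN;
}

/* Evaluate a line from /sys/devices/system/cpu/vulnerabilities/<name>:
 * "Not affected" and "Mitigation: ..." are PASS, "Vulnerable" is VULN,
 * anything else (for example "Unknown: ...") is reported as WARN. */
enum verdict eval_cpu_vuln(const char *raw)
{
    if (raw == NULL) return UNKNOWN;
    if (strncmp(raw, "Not affected", 12) == 0) return PASS;
    if (strncmp(raw, "Mitigation:", 11) == 0)  return PASS;
    if (strncmp(raw, "Vulnerable", 10) == 0)   return VULN;
    return WARN;
}

/* Read the first line of a kernel interface file into buf (read-only,
 * passive); returns NULL when the file is absent or unreadable. */
static char *read_first_line(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return NULL;
    if (fgets(buf, (int)len, f) == NULL) { fclose(f); return NULL; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return buf;
}

/* Print one report line in the layout used by the example output. */
static void report(int n, const char *area, const char *title, enum verdict v)
{
    const char *mark = v == PASS ? "+" : v == WARN ? "!" : v == VULN ? "-" : "?";
    printf("[ %02d ]  %-8s >  %-38s [%s] [   %s   ]\n",
           n, area, title, mark, verdict_name(v));
}

int main(void)
{
    char buf[256];
    /* Hardened-baseline thresholds (hard, warn) are this example's assumptions. */
    struct { const char *area, *title, *path; long hard, warn; } sysctls[] = {
        { "MEMORY",  "Address Space Layout Randomization", "/proc/sys/kernel/randomize_va_space", 2, 1 },
        { "KERNEL",  "Kernel Pointer Restriction",         "/proc/sys/kernel/kptr_restrict",      1, 1 },
        { "SYSTEM",  "Yama Ptrace Scope Protection",       "/proc/sys/kernel/yama/ptrace_scope",  1, 1 },
        { "KERNEL",  "Kernel Log Dmesg Restriction",       "/proc/sys/kernel/dmesg_restrict",     1, 1 },
        { "NETWORK", "BPF JIT Compiler Hardening",         "/proc/sys/net/core/bpf_jit_harden",   2, 1 },
        { "NETWORK", "TCP SYN Flood Protection (Cookies)", "/proc/sys/net/ipv4/tcp_syncookies",   1, 1 },
    };
    const char *cpu[] = { "spectre_v1", "spectre_v2", "meltdown" };
    size_t i, n = 1;

    for (i = 0; i < sizeof sysctls / sizeof sysctls[0]; i++, n++)
        report((int)n, sysctls[i].area, sysctls[i].title,
               eval_sysctl(read_first_line(sysctls[i].path, buf, sizeof buf),
                           sysctls[i].hard, sysctls[i].warn));

    for (i = 0; i < sizeof cpu / sizeof cpu[0]; i++, n++) {
        char path[128];
        snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", cpu[i]);
        report((int)n, "CPU", cpu[i], eval_cpu_vuln(read_first_line(path, buf, sizeof buf)));
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall audit.c -o audit` and run as root so that the restricted interfaces (kptr_restrict, dmesg_restrict) are readable; a missing interface is reported as N/A rather than treated as a failure, which keeps the audit passive and avoids false VULN results on kernels where a feature is not compiled in.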

● Project in Action

1 - System Audit Overview (screenshot). Clean compilation and execution of the forensic engine, performing the initial security baseline triage.

2 - Forensic Validation via Tmux (screenshot). Cross-referencing LinSpec output with manual inspection of /proc and /sys interfaces to confirm audit accuracy.


● Features

  • Real-time Kernel auditing
  • CPU vulnerability detection
  • Minimalist terminal UI
  • Pure C99 (no dependencies)
  • PASS / WARN / VULN reporting
  • Passive inspection

● Operational Integrity

  • Passive audit (no changes)
  • Read-only access
  • Stateless execution

● Build and Run

# 1. Clone the repository
git clone https://github.com/jeffersoncesarantunes/LinSpec.git

# 2. Enter the directory
cd LinSpec

# 3. Compile the project
make clean && make

# 4. Run with root privileges for full access
sudo ./linspec

● Investigation Workflow

  1. Entry point analysis (ptrace)
  2. KASLR validation
  3. CPU trust verification

● Repository Structure

├── docs/
│   ├── architecture.md
│   ├── audit_reference.md
│   ├── forensic_methodology.md
│   └── threat_model.md
├── Imagens/
│   ├── linspec1.png
│   └── linspec2.png
├── include/
├── scripts/
├── src/
│   ├── checks.h
│   ├── main.c
│   ├── memory_audit.c
│   └── system_audit.c
├── .gitignore
├── LICENSE
├── Makefile
└── README.md

● Tech Stack

  • Language: C (C99)
  • Data Sources: /proc and /sys interfaces
  • Build Tool: GNU Make
  • Target Platforms: Linux Kernel 4.x, 5.x, 6.x

● Roadmap

  • High-performance C99 Core Engine
  • Side-channel Vulnerability Detection (Spectre/Meltdown)
  • Brutalist-inspired Terminal UI
  • Automated Remediation (System Hardening Scripts)
  • Structured Output (JSON/CSV Export for Forensics)
  • Ecosystem Integration (Pre-acquisition Audit for S.I.R.E.N)

● Documentation

  • Architecture: docs/architecture.md
  • Methodology: docs/forensic_methodology.md
  • Reference: docs/audit_reference.md
  • Threat Model: docs/threat_model.md


● License

This project is licensed under the MIT License.
