LSS audits your Debian, Ubuntu, or Kali host against the CIS Benchmark, auto-fixes 166 of 206 controls, and journals every change — so a bad hardening pass is one rollback away from reversed. Built for ops who do the work, not the talking.
Six pains that every Linux operator quietly carries. The Suite removes each one.
The Suite encodes 206 CIS-aligned controls and runs them in seconds. Read-only by default — nothing changes until you say so. The audit takes two minutes. The PDFs take two months.
That's why you don't run them on production. Every Suite change writes a reversal entry. lss rollback --last undoes the most recent run, control-by-control, with proof. The killer feature the free scripts skip.
Every run produces a signed HTML/PDF report — control IDs, evidence, before/after diffs, remediation log. Hand it to compliance, your client, or your boss. They'll stop asking.
The Suite shows you the diff before each control and refuses dangerous combinations on the host you're SSH'd in from. Idempotent — re-run a hundred times, get the same state. No surprises at 2 AM.
No agent. No daemon. No phone-home. Single signed binary, verified with cosign before it runs. Outbound network: zero (except the signature check). Audit data stays on your box, forever.
SSH it, drop it in your Ansible role, bake it into your golden image. JSON output for dashboards, exit codes that mean what they say, profiles you can author for your stack.
From a cold pip install to a hardened, audited, reversible host with a report you can hand to anyone.
Python 3.10+ CLI. Cosign-signed release artifacts — verify with cosign verify-blob before installing.
Scans 206 controls. Shows you exactly what's wrong and why each control matters. Nothing is changed.
Auto-fix for 166 of 206 controls. The remaining 40 stay audit-only by design (bootloader edits, partition changes, firewall default-deny — things that can lock you out or can't be undone if they break). Every applied fix is journaled.
Printable HTML report with score, evidence, and rollback IDs. Hand it to compliance, your client, or your boss.
Most hardening tools dump a wall of green checks to your terminal and call it done. The Suite produces a single document — printable, shareable, dated, signed — with every control, its evidence, and the remediation log.
If you're prepping for SOC 2, ISO 27001, or just trying to convince a client you take security seriously, this is the deliverable.
| ID | Control | Status |
|---|---|---|
| 1.1.1 | Filesystem modules disabled | PASS |
| 1.5.1 | kernel.randomize_va_space | WARN |
| 2.2.4 | Avahi daemon removed | FAIL |
| 3.3.2 | Source routing disabled | FAIL |
| 5.2.5 | SSH MaxAuthTries ≤ 4 | WARN |
| 5.3.4 | Password minlen ≥ 14 | FAIL |
Not a pivot from a sales platform or a side project from a content agency. Built because we needed it and the existing options didn't cut it.
Every consulting engagement starts the same way — pull a CIS PDF, write the same hardening notes for the third time that month, hand the client a document they won't read. LSS is the artifact we wished existed: an honest tool that does the work, shows you what it did, and lets you take it back if it broke something.
1024 automated tests passing on every commit. 206 CIS-aligned controls evaluated against the Debian 12 v1.0.0 benchmark. Releases signed with Sigstore cosign.
shell=True, enforced by test.The audit is free forever — see exactly where your box stands. Pay once to unlock one-command hardening and rollback. An optional $49/yr keeps your control set current; nothing is a forced subscription.
audit across 206 CIS controlsharden + rollback unlock belowharden · rollback — fix 166 controls, undo any of themsudo lss rollback --last undoes the most recent run. sudo lss rollback --control 5.3.4 undoes a single control. You can also restore to any previous timestamp. We test against fresh installs of every supported distro before each release.--confirm and shows you a diff before each control. We recommend a staging run first, but yes — the Suite is built to be production-safe, and the rollback layer is what makes that promise real.audit makes no network calls at all. The only call LSS ever makes is license validation: activating your key checks once with Lemon Squeezy, then it caches and works offline — re-validating at most every couple of weeks when it's online.sudo lss license activate <key> — a single online check that then caches, so the tool keeps working offline. Personal covers your own machines; Commercial covers client & production hosts with no limit. audit and rollback never need a key: you can always see your posture, and always undo a hardening pass, for free.One pip install. One command. Journaled rollback. Run it on your server before you finish your coffee.