v1.0.1 — aligned to CIS Debian 12 v1.0.0

Harden Linux against
206 CIS-aligned controls.
Undo any of them in one command.

LSS audits your Debian, Ubuntu, or Kali host against the CIS Benchmark, auto-fixes 166 of 206 controls, and journals every change — so a bad hardening pass is one rollback away from reversed. Built for ops who do the work, not the talking.

pip install lss Journaled rollback Cosign-signed releases No telemetry, no agent
root@prod-web-01: ~
$ pip install lss && sudo lss audit ▸ Linux Security Suite v1.0.1 (CIS Debian 12 v1.0.0) ▸ Host: prod-web-01 Kernel: 6.8.0-45-generic Uptime: 14d ▸ Mode: audit (read-only) — no changes will be made 1.1.1 Filesystem modules disabled (cramfs, freevxfs, jffs2, hfs) 1.4.1 Bootloader password set ! 1.5.1 ASLR enabled but kernel.randomize_va_space=1 (recommended: 2) 2.2.4 Avahi daemon installed and active (not required) 3.3.2 Source routing not disabled (net.ipv4.conf.all.accept_source_route) 4.2.1 journald configured to forward to syslog ! 5.2.5 SSH MaxAuthTries = 6 (recommended: ≤ 4) 5.3.4 Password minimum length = 8 (recommended: ≥ 14) 6.1.10 No world-writable files in system paths … 206 controls evaluated Summary 178 pass · 14 warn · 12 fail (score: 87%) Report: /var/log/lss/audit-2026-04-13-1003.html (printable, shareable) Apply remediations now? Run: sudo lss harden --confirm
Built on benchmarks trusted by
CIS Benchmarks NIST 800-53 STIG-compatible OWASP ASVS ISO 27001-aligned
Why it exists

You know what's wrong. You don't have time to fix it.

Six pains that every Linux operator quietly carries. The Suite removes each one.

01

You can't read 800 pages of CIS PDF this weekend.

The Suite encodes 206 CIS-aligned controls and runs them in seconds. Read-only by default — nothing changes until you say so. The audit takes two minutes. The PDFs take two months.

02

Free GitHub hardening scripts have no rollback.

That's why you don't run them on production. Every Suite change writes a reversal entry. lss rollback --last undoes the most recent run, control-by-control, with proof. The killer feature the free scripts skip.

03

Auditors want a document, not your terminal scrollback.

Every run produces a signed HTML/PDF report — control IDs, evidence, before/after diffs, remediation log. Hand it to compliance, your client, or your boss. They'll stop asking.

04

Your last attempt at hardening locked you out.

The Suite shows you the diff before each control and refuses dangerous combinations on the host you're SSH'd in from. Idempotent — re-run a hundred times, get the same state. No surprises at 2 AM.

05

One tool. One binary. One way in.

No agent. No daemon. No phone-home. Single signed binary, verified with cosign before it runs. Outbound network: zero (except the signature check). Audit data stays on your box, forever.

06

Your fleet is bigger than one server.

SSH it, drop it in your Ansible role, bake it into your golden image. JSON output for dashboards, exit codes that mean what they say, profiles you can author for your stack.

How it works

Audit. Harden. Rollback. Report.

From a cold pip install to a hardened, audited, reversible host with a report you can hand to anyone.

01 / INSTALL

pip install lss

Python 3.10+ CLI. Cosign-signed release artifacts — verify with cosign verify-blob before installing.

02 / AUDIT

Read-only first

Scans 206 controls. Shows you exactly what's wrong and why each control matters. Nothing is changed.

03 / HARDEN

Apply, or cherry-pick

Auto-fix for 166 of 206 controls. The remaining 40 stay audit-only by design (bootloader edits, partition changes, firewall default-deny — things that can lock you out or can't be undone if they break). Every applied fix is journaled.

04 / REPORT

Prove it

Printable HTML report with score, evidence, and rollback IDs. Hand it to compliance, your client, or your boss.

Audit report

The artifact your auditor actually wants.

Most hardening tools dump a wall of green checks to your terminal and call it done. The Suite produces a single document — printable, shareable, dated, signed — with every control, its evidence, and the remediation log.

If you're prepping for SOC 2, ISO 27001, or just trying to convince a client you take security seriously, this is the deliverable.

  • Per-control pass/warn/fail with rationale
  • Before/after diffs of every change applied
  • Rollback IDs for every modified setting
  • Signed digest at the bottom — tamper-evident
Hardening Audit Report

prod-web-01 — Debian 12.5

2026-04-13 10:03:22
Suite v1.0.1
178
Pass
14
Warn
12
Fail
87%
Score
IDControlStatus
1.1.1Filesystem modules disabledPASS
1.5.1kernel.randomize_va_spaceWARN
2.2.4Avahi daemon removedFAIL
3.3.2Source routing disabledFAIL
5.2.5SSH MaxAuthTries ≤ 4WARN
5.3.4Password minlen ≥ 14FAIL
Who builds it

Built by an operator, not a marketing team.

Not a pivot from a sales platform or a side project from a content agency. Built because we needed it and the existing options didn't cut it.

Every consulting engagement starts the same way — pull a CIS PDF, write the same hardening notes for the third time that month, hand the client a document they won't read. LSS is the artifact we wished existed: an honest tool that does the work, shows you what it did, and lets you take it back if it broke something.

1024 automated tests passing on every commit. 206 CIS-aligned controls evaluated against the Debian 12 v1.0.0 benchmark. Releases signed with Sigstore cosign.

Engineering principles
  • No telemetry. Ever.
  • Every subprocess call uses argv lists — zero shell=True, enforced by test.
  • Reversible by design. Not optional.
  • Cosign-signed releases. Verify before installing.
  • pip install, no daemon, no agent, no phone-home.
  • Mtime safety check prevents rollback from overwriting your manual edits.
Pricing

Audit free. Buy once to harden.

The audit is free forever — see exactly where your box stands. Pay once to unlock one-command hardening and rollback. An optional $49/yr keeps your control set current; nothing is a forced subscription.

Free
Audit — see where you stand
Read-only. Scans all 206 controls and hands you the report. Changes nothing.
$0
free forever · no card required
  • Full audit across 206 CIS controls
  • HTML & JSON reports
  • Debian / Ubuntu / Kali
  • Read-only — safe on production
  • harden + rollback unlock below
Get the free audit
Personal
Your own machines
Your personal servers, VPS, or homelab. Non-commercial use.
$149
one-time · personal use · 12 months of updates, then $49/yr
  • Everything in Free, plus:
  • harden · rollback — fix 166 controls, undo any of them
  • HTML & PDF reports
  • Signed control updates — 12 months
  • Personal, non-commercial license
Get Personal — $149
FAQ

The questions you were going to ask anyway.

How is this different from Lynis or the open-source CIS scripts on GitHub?+
Lynis audits but doesn't remediate. The popular GitHub CIS scripts apply changes but have no rollback, no report, and no update channel — when something breaks at 2 AM, you're on your own. The Suite is the integrated tool: audit + remediation + reversible journal + signed updates + a report you can show an auditor. We respect those projects; we just made the thing they aren't trying to be.
What if a hardening change breaks my server?+
Every applied change writes a reversal entry. sudo lss rollback --last undoes the most recent run. sudo lss rollback --control 5.3.4 undoes a single control. You can also restore to any previous timestamp. We test against fresh installs of every supported distro before each release.
Which distributions are supported?+
v1.0.1 targets Debian 12, Ubuntu 22.04/24.04, and Kali rolling as primary. RHEL/Rocky/Alma 9 have partial support with full parity planned in v1.1. If you need a distro we don't support yet, the Commercial tier includes a custom profile authoring guide.
Is this safe to run on a production server?+
The audit command is read-only — it changes nothing. The harden command requires --confirm and shows you a diff before each control. We recommend a staging run first, but yes — the Suite is built to be production-safe, and the rollback layer is what makes that promise real.
Do you collect any telemetry?+
No telemetry, ever. Audit data, hostnames, control results, and reports never leave your box. The free audit makes no network calls at all. The only call LSS ever makes is license validation: activating your key checks once with Lemon Squeezy, then it caches and works offline — re-validating at most every couple of weeks when it's online.
What does a license actually cover?+
After purchase you activate your key once per host — sudo lss license activate <key> — a single online check that then caches, so the tool keeps working offline. Personal covers your own machines; Commercial covers client & production hosts with no limit. audit and rollback never need a key: you can always see your posture, and always undo a hardening pass, for free.

Audit your server.
Harden what's safe to harden.
Undo anything that breaks.

One pip install. One command. Journaled rollback. Run it on your server before you finish your coffee.

Get the Suite — from $149 Watch the 90-second demo →
30-day refund · buy once, own it · 12 months of updates, then $49/yr · source-available