Open Source Linux Security Toolkit

Harden your servers.
Stay compliant.

Automated CIS, STIG, and PCI-DSS hardening across Ubuntu, Debian, RHEL, Rocky, and Amazon Linux. Dry-run everything. Roll back anything. Report in JSON, HTML, or Markdown.

Go 1.22+ | CGO_ENABLED=0 | MIT License | CIS Benchmarks | No root? Dry-run
hardbox — audit
user@server:~$ sudo hardbox audit --profile cis-level1 --format json
13 Hardening Modules
100+ Security Checks
5 Distro Families
3 Built-in Profiles
MIT License

Everything you need to harden at scale

hardbox removes the guesswork from Linux hardening. Audit, plan, apply, and roll back — all from a single binary with zero dependencies.

🛡️
Modular Architecture
Enable or disable any module independently. Each module is isolated, testable, and distro-aware. Mix and match profiles at will.
ssh, kernel, firewall, +10
🔄
Dry-run + Rollback
Preview every exact change before it's applied. Every session creates a snapshot. Revert any module or the entire session in one command.
--dry-run, rollback list, rollback apply
📊
Structured Reports
JSON, HTML, and Markdown output. Machine-readable for SIEM integration. Human-readable for compliance reviews and audit trails.
--format json, --format html, --format markdown
🖥️
Modern TUI
Interactive terminal UI built with Bubble Tea. Navigate modules, configure profiles, and apply hardening without memorizing any flags.
Bubble Tea, Lipgloss, interactive
⚙️
CI/CD Headless Mode
Unattended runs via a YAML config and the --non-interactive flag. Drop it into Ansible, Terraform, cloud-init, or GitHub Actions.
--non-interactive, --config, HARDBOX_PROFILE
🐧
Distro-Aware Engine
A single binary handles Ubuntu, Debian, RHEL, Rocky Linux, AlmaLinux, and Amazon Linux. Each module adapts to the host's package manager and init system.
Ubuntu, RHEL, Debian, Rocky

13 modules. 100+ checks. Zero gaps.

Every module implements the same interface — Audit, Plan, Apply, Rollback — and ships with table-driven unit tests and compliance references.

ssh: 17 checks
kernel: 12 checks
firewall: 8 checks
users: 14 checks
filesystem: 11 checks
network: 9 checks
crypto: 7 checks
auditd: 10 checks
logging: 7 checks
mac: 6 checks
containers: 9 checks
services: 5 checks
updates: 6 checks

CIS Benchmarks L1
CIS Benchmarks L2 ✦ roadmap
DoD STIG ✦ roadmap
PCI-DSS v4.0 ✦ roadmap
HIPAA Security ✦ roadmap
NIST 800-53 ✦ roadmap
ISO 27001 ✦ roadmap

Up and running in 30 seconds

A single statically-linked binary. No runtime dependencies. No CGO. Runs on any Linux x86_64 or ARM64 server.

curl -fsSL https://raw.githubusercontent.com/jackby03/hardbox/main/install.sh | sudo bash
1. Downloads the latest release binary for your architecture
2. Installs to /usr/local/bin/hardbox
3. Run sudo hardbox audit --profile cis-level1 to verify

Start with a profile. Customize from there.

Profiles define which modules run, which checks are enforced, and what severity thresholds trigger CI failures.

✓ Available in v0.1
Profile | Framework | Best For | Status
cis-level1 | CIS Benchmarks L1 | Minimum baseline | ● Shipped
production | hardbox curated | Cloud production | ● Shipped
development | hardbox curated | Dev/staging | ● Shipped
◌ Roadmap
Profile | Framework | Target
cis-level2 | CIS Benchmarks L2 | v0.2
stig | DoD STIG | v0.2
pci-dss | PCI-DSS v4.0 | v0.2
hipaa | HIPAA Security Rule | v0.3
nist-800-53 | NIST SP 800-53 Rev.5 | v0.3
iso27001 | ISO/IEC 27001:2022 | v0.3

Ready to harden your fleet?

hardbox is open source, MIT licensed, and built for production. Start hardening today.
