Fast host-based exposure checks with explainable, context-aware results.
LASS is a lightweight command-line tool that audits your local Linux machine for common security misconfigurations and exposure risks.
- Scan local attack surface — checks listening ports, privilege escalation paths, and hardening gaps
- Identify privilege exposures — flags Docker socket access, SUID binaries, and dangerous group memberships
- Network exposure overview — distinguishes between loopback, LAN-only, and public-facing listeners
- Context-aware severity — adjusts findings based on actual exposure scope, not worst-case assumptions
- Baseline comparison — track changes between scans to catch configuration drift
- Multiple output formats — terminal (default), JSON, Markdown, and HTML reports
LASS is a configuration auditor, not a vulnerability scanner.
- ❌ Not a CVE scanner — does not check for unpatched software vulnerabilities (like Nessus or OpenVAS)
- ❌ Not an exploit tool — performs no exploitation or active attacks
- ❌ Does not modify system state — read-only checks with no changes to files or settings
- ❌ Does not read secret contents — checks permissions and locations, not actual secret values
- ❌ Does not probe the network — all checks are local to the host
Security misconfigurations are a leading cause of breaches. LASS helps you:
- Reduce lateral movement risk — catch privilege escalation paths before attackers do
- Support defense in depth — verify that host-level controls complement network security
- Catch misconfigurations early — integrate into CI/CD or periodic audits
- Explain findings clearly — every result includes context about why it matters and what to do
Run a scan:
lass scanSave results to a file:
lass scan --json -o report.json
lass scan --md -o report.mdLASS Security Report
============================================================
Host: dev-workstation
Date: 2026-02-01T10:30:00
Risk Score: 42/100 (MEDIUM)
Top Contributors:
• containers: 25.0 pts
• firewall: 10.0 pts
• kernel: 3.0 pts
Findings: HIGH:1 MEDIUM:1 LOW:2 INFO:1
Checks: 7 passed, 5 failed, 0 skipped
------------------------------------------------------------
[HIGH]● Docker Socket Access
Check: containers
Found 2 Docker-related privilege issues
• Current user has read/write access to Docker socket
• Current user is member of 'docker' group (root equivalent)
Remediation: Remove user from docker group; use rootless Docker/Podman
[MEDIUM]● [SCOPE=LAN] Firewall Status
Check: firewall
No host firewall active (LAN exposure only)
↓ Downgraded: No public IP detected; LAN exposure only
Remediation: Consider enabling a host firewall for defense in depth
[LOW]◐ [SCOPE=LAN] Listening Ports
Check: ports
Found 8 non-loopback listeners (LAN exposure only)
↓ Downgraded: No public IP detected; LAN exposure only
Remediation: Review services; bind to localhost if external access not needed
[LOW]◐ SSH Configuration
Check: ssh
Found 1 SSH configuration issue (sshd not running)
↓ Downgraded: sshd not running / not listening
Remediation: Edit /etc/ssh/sshd_config and restart sshd
[INFO]● Writable PATH Directories
Check: path
Found 2 dev environment PATH entries (acceptable)
↓ Downgraded: Detected development environment (venv PATH entry)
Confidence: ●=HIGH ◐=MEDIUM ○=LOW
Scope: PUBLIC=internet-facing, LAN=local network, LOCAL=localhost only
Requirements: Python 3.11 or later, Linux (primary), macOS (partial support)
git clone https://github.com/yourusername/lass.git
cd lass
python -m pip install .python -m pip install -e .pipx install .After installation, the lass command will be available in your PATH.
LASS includes 12 security checks. Severity is contextual — it depends on exposure scope, runtime state, and environment detection.
| Check | What It Looks For | Typical Severity |
|---|---|---|
containers |
Docker socket access, docker group membership | HIGH (root equivalent) |
firewall |
Host firewall status (ufw, firewalld, nftables, iptables) | MEDIUM–HIGH (depends on exposure) |
ports |
Non-loopback listening TCP/UDP ports | LOW–MEDIUM (depends on exposure) |
ssh |
SSH server configuration (root login, password auth, weak algorithms) | LOW–HIGH (depends on sshd state) |
kernel |
Kernel hardening parameters (ASLR, sysctl settings) | LOW–MEDIUM |
suid |
SUID/SGID binaries outside expected locations | MEDIUM–HIGH |
secrets |
Exposed credentials in common locations | MEDIUM–HIGH |
permissions |
Permissions on sensitive files (~/.ssh, /etc/shadow) | LOW–MEDIUM |
users |
Users with UID 0, empty passwords, login shells | MEDIUM–HIGH |
path |
World-writable or user-writable directories in PATH | INFO–MEDIUM |
cron |
User-writable cron directories, suspicious cron entries | LOW–MEDIUM |
processes |
Processes running as root, suspicious process patterns | LOW–HIGH |
Run lass explain <check> for detailed information about any check.
The risk score aggregates findings weighted by severity and confidence:
- 0–24: LOW — minimal exposure detected
- 25–64: MEDIUM — some issues worth reviewing
- 65–100: HIGH — significant exposures requiring attention
Scores are capped per category to prevent a single area from dominating. A machine with many LOW findings won't artificially inflate to HIGH.
Each finding includes a confidence indicator:
- ● HIGH — strong evidence; low false-positive likelihood
- ◐ MEDIUM — reasonable evidence; verify before acting
- ○ LOW — heuristic-based; may require manual review
Network-related findings include exposure scope:
- LOCAL — bound to loopback only (127.0.0.1, ::1)
- LAN — bound to private IP ranges (not internet-routable)
- PUBLIC — bound to a public IP or detected public exposure
- UNKNOWN — scope could not be determined
A finding's severity is adjusted based on scope. For example, an open port on a LAN-only machine is less urgent than the same port on a public-facing server.
Category caps limit how much any single check contributes. If you have one HIGH finding worth 25 points but no other issues, the final score stays in MEDIUM range. This prevents a single specialized risk from overshadowing the overall posture. Review HIGH findings regardless of total score.
These are the most actionable findings. A HIGH-severity, HIGH-confidence finding with PUBLIC exposure represents a clear, verified risk.
If you see "Current user is member of 'docker' group," understand that this grants effective root access. Any user in the docker group can mount the host filesystem and escalate privileges. This is intentional Docker behavior, not a bug — but it's a significant privilege that should be granted deliberately.
"No firewall detected" is HIGH on a public-facing server but MEDIUM on a LAN-only development machine behind a NAT router. LASS attempts to detect this context automatically. If your machine has only private IPs, firewall findings are downgraded accordingly.
A service listening on 0.0.0.0 is reachable from the network, but "the network" might just be your home LAN. LASS labels these with exposure scope so you can prioritize appropriately. Binding to 127.0.0.1 when external access isn't needed is still good practice.
SSH config warnings are downgraded when sshd isn't running or listening. If you're not running an SSH server, PasswordAuthentication settings are informational, not urgent.
LASS is designed to be safe to run:
- No secret contents read — checks file permissions and existence, not contents
- No system modifications — purely read-only operations
- No network probing — all checks are local; no external connections
- Safe subprocess handling — timeouts prevent hangs; errors are caught gracefully
- No data exfiltration — results stay local unless you explicitly export them
LASS uses heuristics and has inherent limitations:
- False positives are possible — some findings may not apply to your specific setup
- Some checks need root — running as non-root limits visibility (e.g., reading some /proc entries)
- Distribution differences — paths and defaults vary across distros; some checks may not apply everywhere
- Exposure scope is inferred — based on IP addresses and routing; NAT and VPNs can affect accuracy
- Point-in-time snapshot — reflects state at scan time; doesn't monitor continuously
- macOS support is partial — Linux is the primary target; some checks may skip or behave differently on macOS
Planned improvements (not yet implemented):
- SELinux / AppArmor status checks
- Optional CVE/package vulnerability integration (disabled by default)
- Improved macOS support
- Systemd service hardening analysis
- Remote scan mode (SSH-based)
Contributions are welcome. Please see CONTRIBUTING.md for guidelines on:
- Reporting bugs and suggesting features
- Submitting pull requests
- Adding new checks
- Code style and testing requirements
MIT License. See LICENSE for details.
LASS draws inspiration from tools like Lynis, linux-exploit-suggester, and various CIS benchmarks. It aims to be simpler, faster, and more context-aware for everyday use.