tls-audit

What this script does

tls-audit runs a read-only audit against a deployed HTTPS endpoint and reports on each item from the Nginx TLS 2026 guide and the nginx-tls config generator:

- Protocol support — TLS 1.0 and 1.1 should be rejected; TLS 1.2 and 1.3 should be accepted.
- Certificate — covers the hostname, not expired (and not expiring in the next 21 days), modern key algorithm, complete chain with at least one intermediate, not self-signed.
- OCSP stapling — the server should be stapling an OCSP response.
- HSTS — Strict-Transport-Security header present, max-age of at least one year, includeSubDomains directive set, preload flagged if present (informational, not a recommendation).
- Security headers — X-Content-Type-Options: nosniff and Referrer-Policy present; a Server header that leaks a version number is flagged.

It uses only openssl s_client, curl, and standard text tools — no external scanner like testssl.sh required. Designed to run from a machine other than the host being audited, with no privilege. ...

9 min

redis-check

What this script does

redis-check is a read-only Bash + redis-cli script that reports on each recommendation from the Redis hardening guide:

- Network exposure (bind, protected-mode)
- Authentication (default user state, any ACL user with nopass)
- Dangerous-command accessibility (FLUSHALL, FLUSHDB, DEBUG, CONFIG, SHUTDOWN)
- TLS (tls-port vs cleartext port)
- Resource limits (maxmemory, maxmemory-policy, timeout)
- Persistence (appendonly)

It uses only PING, INFO, CONFIG GET, ACL LIST, and COMMAND DOCS — no writes. If CONFIG has been renamed or disabled (recommended in the guide), the affected checks are skipped with a WARN rather than failing the whole run. ...

7 min

postgres-audit

What this script does

postgres-audit is a read-only Bash + psql script that reports on each recommendation from the PostgreSQL hardening guide:

- Network exposure (listen_addresses)
- Authentication: password_encryption, pg_hba.conf entries (no trust, no md5, remote rules using hostssl)
- TLS (ssl, minimum protocol version)
- Logging defaults (log_connections, log_disconnections, log_hostname, log_statement)
- Roles and privileges (non-default SUPERUSER, PUBLIC schema CREATE)

It issues only SELECT and SHOW queries. Output is colourised in a terminal and plain text in a pipe, so it works cleanly under cron. ...

6 min