A patched box is not a vulnerable box
TheAuditor's live-host scanner reads operational context — backported kernels, ufw rules, container limits, nginx redirects — so its findings are accurate instead of noisy. And it never drops a result silently.
A security scanner that flags a server you already patched is not being cautious. It is wrong — and every false alarm it raises trains you to ignore the next one, including the real one.
Most host scanners compare what they see against a static table and stop there. A kernel version below an upstream fix? Flag it. A firewall chain with an ACCEPT policy? Flag it. A container with no CpuShares? Flag it. Each of those is correct in a vacuum and wrong on a real, well-run server.
`aud full` reads your code. `aud host scan` reads the machine it runs on — nearly thirty live probes across SSH, listening sockets, the firewall (ufw, nftables, iptables), Docker, nginx, the kernel, pending package upgrades, and TLS certificates. Reading the live system instead of a config file in isolation is the whole point: it lets the scanner see the context that decides whether a finding is actually real.
Context-aware, not context-blind
The difference shows up the moment a check would otherwise cry wolf:
| What a naive scanner sees | What the host scanner also reads | Result |
|---|---|---|
| Kernel below the upstream fix | Distro backports + pending security upgrades | Patched kernel → LOW with an advisory; an un-applied kernel security upgrade → CRITICAL |
| filter/INPUT policy is ACCEPT | ufw is actively filtering inbound | Not flagged — ufw owns the inbound path |
| Container has no CpuShares | NanoCpus or CpuQuota is set | Not flagged — any one of the three is a real CPU limit |
| A container bind-mount | It’s /var/run/docker.sock | CRITICAL — that is effectively root on the host |
The kernel case is the one that bites everyone. On Ubuntu, Debian, RHEL, CentOS, Rocky, AlmaLinux, Fedora, Oracle Linux, and Amazon Linux, security fixes are backported into the same kernel version string you already run — so the upstream version number tells you nothing about whether you’re exposed. The host scanner treats a backported, up-to-date kernel as a low-severity advisory, and reserves CRITICAL for the case that actually warrants it: a kernel security upgrade sitting un-applied in your package manager. It re-levels the finding to match reality. It does not suppress it — a genuine exposure stays visible.
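The re-levelling described in the table and the kernel paragraph, written out as an added example. This is illustrative code, not TheAuditor's own; the `HostSnapshot` and `Container` field names, the distro keys, the package-name prefixes used to spot a pending kernel upgrade, and the HIGH fallback for distros with no known backport policy are all assumptions of this example. The sample host is constructed.

```python
from dataclasses import dataclass, field
from typing import List

# Distro families the post names as backporting kernel security fixes
# without changing the upstream version string (keys are this example's own).
BACKPORTING_DISTROS = {
    "ubuntu", "debian", "rhel", "centos", "rocky", "almalinux",
    "fedora", "oracle", "amazon",
}
DOCKER_SOCKET = "/var/run/docker.sock"


@dataclass
class Container:
    name: str
    cpu_shares: int = 0      # Docker HostConfig.CpuShares (0 means unset)
    nano_cpus: int = 0       # HostConfig.NanoCpus
    cpu_quota: int = 0       # HostConfig.CpuQuota
    bind_mounts: List[str] = field(default_factory=list)


@dataclass
class HostSnapshot:
    """What the live probes returned. Field names are assumed for this example."""
    distro: str
    kernel_release: str                   # as reported by uname -r
    upstream_fixed_in: str                # upstream version carrying the fix
    pending_security_upgrades: List[str]  # packages the package manager lists
    iptables_input_policy: str            # default policy of filter/INPUT
    ufw_active: bool
    containers: List[Container]


@dataclass
class Finding:
    rule: str
    severity: str                         # LOW / MEDIUM / HIGH / CRITICAL
    message: str


def _version(release: str) -> tuple:
    """'5.15.0-91-generic' -> (5, 15, 0): compare the upstream part only."""
    return tuple(int(p) for p in release.split("-")[0].split(".") if p.isdigit())


def _kernel_upgrade_pending(host: HostSnapshot) -> bool:
    # Debian/Ubuntu ship kernels as linux-image-*, the RHEL family as kernel*.
    return any(p.startswith(("linux-image", "kernel"))
               for p in host.pending_security_upgrades)


def assess(host: HostSnapshot) -> List[Finding]:
    findings: List[Finding] = []

    # Kernel: a version string below the upstream fix is a prompt to read
    # context, not a verdict.
    if _version(host.kernel_release) < _version(host.upstream_fixed_in):
        if _kernel_upgrade_pending(host):
            findings.append(Finding("kernel", "CRITICAL",
                "a kernel security upgrade is available and not applied"))
        elif host.distro in BACKPORTING_DISTROS:
            findings.append(Finding("kernel", "LOW",
                f"{host.kernel_release} is below upstream {host.upstream_fixed_in}; "
                "this distro backports fixes, so confirm against its advisory"))
        else:
            # Example's own fallback for distros with no backport knowledge.
            findings.append(Finding("kernel", "HIGH",
                "kernel below the upstream fix and no backport policy known"))

    # Firewall: an ACCEPT default on filter/INPUT only matters if nothing
    # else owns the inbound path.
    if host.iptables_input_policy.upper() == "ACCEPT" and not host.ufw_active:
        findings.append(Finding("firewall", "HIGH",
            "filter/INPUT policy is ACCEPT and ufw is not filtering inbound"))

    for c in host.containers:
        # Any one of the three Docker CPU controls is a real limit.
        if not (c.cpu_shares or c.nano_cpus or c.cpu_quota):
            findings.append(Finding("container-cpu", "MEDIUM",
                f"{c.name}: no CPU limit (CpuShares, NanoCpus or CpuQuota)"))
        if DOCKER_SOCKET in c.bind_mounts:
            findings.append(Finding("docker-socket", "CRITICAL",
                f"{c.name}: bind-mounts {DOCKER_SOCKET}, root-equivalent on the host"))
    return findings


def sample_host() -> HostSnapshot:
    """Constructed sample snapshot, not a real machine."""
    return HostSnapshot(
        distro="ubuntu",
        kernel_release="5.15.0-91-generic",
        upstream_fixed_in="5.15.140",
        pending_security_upgrades=["openssl"],          # nothing kernel-related
        iptables_input_policy="ACCEPT",
        ufw_active=True,
        containers=[
            Container("api", nano_cpus=2_000_000_000),  # 2 CPUs via NanoCpus
            Container("agent", bind_mounts=[DOCKER_SOCKET]),
        ],
    )


if __name__ == "__main__":
    for f in assess(sample_host()):
        print(f"{f.severity:8} {f.rule:15} {f.message}")
```

On the constructed host the kernel finding comes back LOW rather than HIGH, the ACCEPT policy produces nothing because ufw is active, the `api` container is not flagged because NanoCpus counts as a limit, and the `agent` container is flagged twice, once for the missing CPU limit and once, at CRITICAL, for the Docker socket mount.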
It reads nginx the way nginx works
A server block that returns 301 https://… from inside a location is redirecting, even though the redirect isn’t declared at the server level — so it isn’t flagged as serving plaintext. A block whose only job is to reject (return 444) serves no content, so it isn’t held to header requirements. Real content servers are held to the full bar — HSTS, X-Content-Type-Options, X-Frame-Options, a referrer policy — and TLS certificates are checked on a clock: expired is CRITICAL, within fourteen days is HIGH, within thirty is MEDIUM.
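An added example of the nginx classification and the certificate clock described above; it is illustrative code, not TheAuditor's scanner. The brace-counting parser, the rule that a block is "content" if it carries a `root`, `proxy_pass` or similar directive and otherwise "redirect" or "reject" purely from its `return` statements, and the sample config and certificate dates are all this example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

REQUIRED_HEADERS = ["strict-transport-security", "x-content-type-options",
                    "x-frame-options", "referrer-policy"]
CONTENT_DIRECTIVES = {"root", "alias", "proxy_pass", "fastcgi_pass",
                      "uwsgi_pass", "try_files"}

# Constructed sample config, not a real deployment.
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.test;
    location / {
        return 301 https://$host$request_uri;   # redirect declared inside a location
    }
}
server {
    listen 443 ssl default_server;
    return 444;                                 # catch-all that only rejects
}
server {
    listen 443 ssl;
    server_name example.test;
    root /var/www/html;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff;
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""


def _parse(tokens: List[str], i: int = 0) -> Tuple[list, int]:
    """Minimal nginx parser: ("directive", args) or ("block", args, children)."""
    nodes, current = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            if current:
                nodes.append(("directive", current))
            current = []
        elif tok == "{":
            children, i = _parse(tokens, i + 1)   # returns with i on the closing brace
            nodes.append(("block", current, children))
            current = []
        elif tok == "}":
            return nodes, i
        else:
            current.append(tok)
        i += 1
    return nodes, i


def _directives(children: list):
    """Every directive in a block, recursing into nested blocks such as location."""
    for node in children:
        if node[0] == "directive":
            yield node[1]
        else:
            yield from _directives(node[2])


def classify(children: list) -> str:
    """redirect / reject / content, judged from what the block actually does."""
    ds = list(_directives(children))
    if any(d[0] in CONTENT_DIRECTIVES for d in ds):
        return "content"
    returns = [d for d in ds if d[0] == "return"]
    if returns and all(len(d) > 2 and d[1] in {"301", "302", "307", "308"}
                       and d[2].startswith("https://") for d in returns):
        return "redirect"
    if returns and all(len(d) > 1 and d[1] == "444" for d in returns):
        return "reject"
    return "content"


def audit_nginx(text: str) -> List[Dict]:
    text = re.sub(r"#.*", "", text)   # strip comments (sample has none inside quotes)
    tokens = re.findall(r"\"[^\"]*\"|'[^']*'|[{};]|[^\s{};\"']+", text)
    nodes, _ = _parse(tokens)
    report = []
    for node in nodes:
        if node[0] != "block" or node[1][:1] != ["server"]:
            continue
        ds = list(_directives(node[2]))
        kind = classify(node[2])
        findings = []
        if kind == "content":   # only real content servers are held to the full bar
            if any(d[0] == "listen" and "ssl" not in d[1:] for d in ds):
                findings.append(("HIGH", "serves content over plaintext HTTP"))
            present = {d[1].lower() for d in ds if d[0] == "add_header" and len(d) > 1}
            missing = [h for h in REQUIRED_HEADERS if h not in present]
            if missing:
                findings.append(("MEDIUM", "missing headers: " + ", ".join(missing)))
        report.append({"server": len(report), "kind": kind, "findings": findings})
    return report


def cert_severity(not_after: datetime, now: datetime) -> Optional[str]:
    """Expiry on a clock: expired CRITICAL, within 14 days HIGH, within 30 MEDIUM."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "CRITICAL"
    if remaining <= timedelta(days=14):
        return "HIGH"
    if remaining <= timedelta(days=30):
        return "MEDIUM"
    return None


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for the sample
SAMPLE_CERTS = {                                   # constructed hostname -> notAfter
    "expired.test": NOW - timedelta(days=1),
    "soon.test": NOW + timedelta(days=10),
    "month.test": NOW + timedelta(days=25),
    "fine.test": NOW + timedelta(days=90),
}


def cert_findings(certs=SAMPLE_CERTS, now=NOW) -> Dict[str, Optional[str]]:
    return {host: cert_severity(exp, now) for host, exp in certs.items()}
```

Run against the sample, the port-80 block is classified as a redirect and gets no plaintext finding, the `return 444` block is a reject and is not held to header requirements, and only the third block is graded, coming back with one MEDIUM finding for the two headers it lacks.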
It never skips silently
The quiet failure mode of any scanner is the result it drops without telling you — the table it queried but never analyzed, the items it counted but never checked. A clean report you can’t trust is worse than an honest error.
Every rule in TheAuditor runs under a fidelity contract: it must account for everything it scans. If a rule pulls a set of items and then reports on none of them, that is not a clean pass — it is a hard failure that stops the run and names itself. A zero-item scan of an empty surface is fine. A scan that found your containers and reported on none of them is not allowed to look green.
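The fidelity contract as an added illustration. This is not TheAuditor's implementation; the `RuleRun` accounting object, the `scan`/`report` pairing and the sample container surface are this example's own assumptions. It enforces the stronger reading of "account for everything it scans": any item pulled but not reported on, not only the all-dropped case, is a hard failure, and an empty surface still passes.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Tuple


class FidelityError(RuntimeError):
    """Hard failure: a rule pulled items it never reported on."""


@dataclass
class RuleRun:
    rule: str
    scanned: int = 0
    accounted: int = 0
    results: List[Tuple[str, str, str]] = field(default_factory=list)  # (item, outcome, detail)

    def scan(self, items: Iterable) -> list:
        """Every item that passes through here must later be reported on."""
        items = list(items)
        self.scanned += len(items)
        return items

    def report(self, item: str, outcome: str, detail: str = "") -> None:
        """A 'pass' is as much an accounting as a 'fail'; silence is the bug."""
        self.accounted += 1
        self.results.append((item, outcome, detail))


def run_rule(name: str, rule: Callable[[RuleRun], None]) -> RuleRun:
    run = RuleRun(name)
    rule(run)
    if run.accounted < run.scanned:
        # The failure names itself instead of letting the run look green.
        raise FidelityError(
            f"rule {name!r} scanned {run.scanned} item(s) but reported on "
            f"{run.accounted}; a scan that counted items it never checked may not pass")
    return run


def honours_contract(name: str, rule: Callable[[RuleRun], None]) -> bool:
    try:
        run_rule(name, rule)
        return True
    except FidelityError:
        return False


# Constructed sample surface, not a real Docker host.
SAMPLE_CONTAINERS = {"api": {"privileged": False}, "agent": {"privileged": True}}


def privileged_rule(run: RuleRun) -> None:
    for name in run.scan(SAMPLE_CONTAINERS):
        if SAMPLE_CONTAINERS[name]["privileged"]:
            run.report(name, "fail", "runs privileged")
        else:
            run.report(name, "pass")


def broken_rule(run: RuleRun) -> None:
    # The classic silent drop: only the matching items are ever reported.
    for name in run.scan(SAMPLE_CONTAINERS):
        if SAMPLE_CONTAINERS[name]["privileged"]:
            run.report(name, "fail", "runs privileged")


def empty_surface_rule(run: RuleRun) -> None:
    # No containers on this host: zero scanned, zero reported, still a clean pass.
    for name in run.scan([]):
        run.report(name, "pass")


if __name__ == "__main__":
    for label, rule in [("privileged", privileged_rule), ("empty", empty_surface_rule),
                        ("broken", broken_rule)]:
        try:
            r = run_rule(label, rule)
            print(f"{label}: ok, {r.accounted}/{r.scanned} accounted")
        except FidelityError as e:
            print(f"{label}: FAILED: {e}")
```

The point of routing every item through `scan` is that the contract is checked by the runner, not by each rule author remembering to; a rule that forgets the `else` branch, as `broken_rule` does, fails loudly on the first host that has any non-matching container.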
Where it stands
This is in TheAuditor 5.0.0. The engine is pre-launch — we’re packaging the compiled binary with its SQLCipher-encrypted analysis database and re-running the adversarial scans against the artifact before we ship. No date promise; we ship when those come back clean.
The host scanner is the same engine that traces taint across your code — see how it pairs with Warden in the agent stack, and why we hold our own findings to an independent yardstick with BenchProctor.