Documentation
Everything you need to install, run, and operate the Secbuildon agent.
Install
Run this on the server you want to protect:
curl -fsSL https://secbuildon.technova-ks.com/install.sh | sudo bash
If you already have a license key, use the personalized command shown after subscribing instead — it activates the agent automatically:
curl -fsSL "https://secbuildon.technova-ks.com/install.sh?key=SBLD-XXXX-XXXX-XXXX-XXXX" | sudo bash
No subscription? Run the agent fully standalone, no license or backend required:
sudo secbuildon init --local-only
Command reference
| Command | What it does | Key flags |
|---|---|---|
secbuildon scan |
Run every check once and print findings. | --json · --check <name> (run just one check) |
secbuildon status |
Health summary and open-finding counts. | — |
secbuildon report |
Historical findings over time (new / persisting / resolved). | --since <duration> (default 24h) · --severity <level> · --format text|json|markdown |
secbuildon init |
Configure the agent: activate a license and/or set up alerting. | --license-key SBLD-... · --server <url> · --local-only · --webhook <url> · --smtp-host/-port/-user/-pass/-to · --enable-cve |
secbuildon install |
Install and start the agent as a 24/7 service (requires root). Uses systemd where available, falls back to a supervised background process otherwise. | — |
secbuildon uninstall |
Stop and remove the service. | — |
secbuildon agent |
Run the daemon loop directly in the foreground — this is what the installed service actually runs. | --once (single scan+heartbeat pass, then exit) |
secbuildon version |
Print the installed version. | — |
secbuildon completion |
Generate a shell autocompletion script (bash/zsh/fish/powershell). | — |
Every command supports --help for its full flag list, e.g. secbuildon scan --help.
What it checks
- SSH hardening — root login, empty passwords, password auth, protocol version, X11 forwarding, missing user/group allowlists.
- Firewall — whether ufw/firewalld/nftables/iptables is active.
- Pending updates — especially security updates, via apt or dnf.
- Listening ports — risky services (databases, FTP, Telnet, etc.) exposed on all interfaces.
- File integrity — drift on critical files (
/etc/passwd,sshd_config,sudoers, key binaries, ...). - Unexpected artifacts — unusual SUID binaries, world-writable files, cron/user tampering.
- Auth log activity — brute-force patterns and suspicious logins.
- Known CVEs — optional, via
--enable-cve(makes outbound calls to OSV.dev).
Automatic remediation
Where it's safe to do so, the agent doesn't just report a problem — it fixes it, automatically, the moment it's detected. No confirmation step; this is designed to run unattended on a server you don't babysit.
| Check | What gets auto-fixed |
|---|---|
| Firewall | ufw enable / starts firewalld |
| Artifacts | Removes the setuid bit from unexpected SUID binaries |
| Packages | Applies pending security updates — only the specific packages already flagged, never a blanket upgrade |
| SSH | Corrects hardening directives (root login, empty passwords, password auth, protocol, X11 forwarding) |
Every fix is logged twice — a preview of exactly what it's about to do, and the outcome — to a durable
audit trail at /var/lib/secbuildon/autofix-log.jsonl. The SSH fix specifically validates the
new config (sshd -t) before restarting, then confirms sshd is genuinely back up and accepting
connections before declaring success — automatically reverting to the previous config if it isn't,
so a bad change can't lock you out of a remote box.
Findings that can't be safely automated (like "no SSH allowlist configured" — the agent can't guess which users you want to allow) are reported with a suggested fix, but left for you to apply.
The credential-privacy guarantee
Secbuildon needs root to read some system files, but every file read goes through a single guarded
function that outright refuses /etc/shadow, /etc/gshadow, SSH private keys,
.env files, ~/.aws/credentials, and /proc/*/environ. Findings can
only carry sanitized metadata (paths, hashes, counts, config values) — never raw file contents — and the
data format sent to the backend has no field that could even hold file contents.
Uninstalling
sudo secbuildon uninstall sudo rm /usr/local/bin/secbuildon sudo rm -rf /etc/secbuildon /var/lib/secbuildon
Support
Questions or issues: support@secbuildon.example.