🛡️ NoID Privacy for Linux

Hardening Posture Audit for Linux Desktops

420+ checks · 42 sections · Pure Bash · AI-friendly remediation prompts Optimized for Fedora/RHEL · Tested on Ubuntu/Debian · Best-effort on Arch/openSUSE/Mint/Pop!_OS

Quick Start · What it Checks · AI Fixes · Comparison · Discussions

---

⚡ Quick Start

curl -fsSL https://github.com/NexusOne23/noid-privacy-linux/raw/main/noid-privacy-linux.sh -o noid-privacy-linux.sh
sudo bash noid-privacy-linux.sh --ai

420+ privacy & security checks. Zero dependencies. The --ai flag generates a ready-to-paste prompt — hand it to ChatGPT, Claude, or Gemini for step-by-step fix suggestions for each finding (you review and apply — the audit itself never touches your system).

This tool is read-only. It does not modify your system. No files changed, no configs touched, no services restarted.

🪟 Running Windows too? The free open-source NoID Privacy engine hardens 630+ settings (GPL-3.0, PowerShell) — or get the NoID Privacy Pro GUI for one-click Backup → Apply → Verify → Restore (one-time purchase, no subscription).

---

🎯 Scope — What this IS / NOT

NoID Privacy is a hardening posture audit — it verifies your defense foundation is properly applied. The score reflects configuration state, not compromise resistance.

✅ This tool does	❌ This tool does not
Verify hardening recipes are applied	Replace an Intrusion Detection System
Detect privacy misconfigurations	Scan for active rootkits (use AIDE/IMA/chkrootkit)
Report drift from secure baselines	Find vulnerabilities (use OSV/Lynis-CVE)
Generate AI remediation prompts	Perform penetration testing (use OpenVAS/Nessus)
Audit 42 desktop-specific surfaces	Behavioral / memory-only malware detection

A 98% score means hardening recipes are well-applied — not that the system is unhackable. Defense in depth requires complementary layers:

• Layer 1 ✅ Configuration Hardening (this tool)
• Layer 2 ➕ Integrity Detection (AIDE, IMA, chkrootkit)
• Layer 3 ➕ Behavioral Monitoring (auditd, EDR)

Configuration is the foundation. The other layers detect what hardening cannot prevent.

---

🤔 Why This Exists

Most Linux security tools were built for servers. They check SSH configs and firewall rules — but ignore your browser leaking DNS queries, apps phoning home, or the webcam accessible to every process.

NoID Privacy for Linux audits both privacy and security on Linux desktops:

	Server Tools (Lynis, CIS)	NoID Privacy for Linux
Kernel hardening	✅	✅
Firewall & SSH	✅	✅
Browser privacy	❌	✅
App telemetry	❌	✅
DNS leak testing	❌	✅
VPN kill-switch	❌	✅
Webcam & Bluetooth	❌	✅
AI-assisted fix prompts	❌	✅

---

🤖 Fix with AI

This is what sets NoID Privacy for Linux apart:

sudo bash noid-privacy-linux.sh --ai

The --ai flag generates a structured prompt at the end of the scan containing all your findings. Copy it. Paste it into ChatGPT, Claude, or Gemini. The AI can explain each finding, suggest commands to fix it, and prioritize by severity.

Audit → AI → Fixed. What used to take hours takes minutes.

# AI remediation prompt (recommended)
sudo bash noid-privacy-linux.sh --ai

# Plain text for manual review
sudo bash noid-privacy-linux.sh --no-color > report.txt

# Machine-readable JSON for scripts/dashboards
sudo bash noid-privacy-linux.sh --json

Unlike Lynis, CIS, or privacy.sexy, NoID Privacy's --ai flag compiles the full findings list into a ready-to-paste remediation prompt — the feature that sets it apart.

---

📋 What it Checks

🛡️ Security (Sections 01–34)

Category	Examples
Kernel & Boot	Secure Boot, kernel lockdown, LUKS encryption, UEFI, sysctl hardening
Firewall & Network	iptables/nftables rules, default policies, open ports, VPN, kill-switch, DNS leaks
SSH & Auth	Key-only auth, root login, password aging, PAM, sudo group
Encryption	LUKS cipher strength, key size, swap encryption, entropy, certificate store
MAC & Integrity	SELinux/AppArmor (auto-detected), rootkit scans, AIDE/Tripwire, package verification
Updates & Packages	Security patches, auto-updates, repo integrity, GPG verification (dnf/apt/pacman/zypper)
Advanced	Fail2Ban, USB Guard, containers, systemd sandboxing, kernel modules

🔒 Privacy & Desktop (Sections 35–42)

Category	Examples
Browser Privacy	Firefox telemetry, WebRTC leaks, DNS-over-HTTPS, tracking protection, Chrome warning
App Telemetry	GNOME telemetry, crash reporters, Flatpak sandbox escapes, Snap telemetry
Network Privacy	MAC randomization, mDNS, LLMNR, hostname privacy, IPv6 privacy extensions
Data Privacy	Recent file tracking, thumbnail caches, core dumps, bash history, journald retention
Session Security	Screen lock, idle detection, auto-login, lock-on-suspend, VNC/RDP
Webcam & Audio	Device permissions, microphone, PipeWire remote access, screen sharing
Bluetooth	Discoverability, pairable mode, active without usage
Keyring & Secrets	Password manager, GNOME Keyring auto-unlock, SSH agent timeout, plaintext secrets

📖 Full Check Reference → — all 42 sections with descriptions

---

📸 Sample Output

$ sudo bash noid-privacy-linux.sh --ai

  NoID Privacy for Linux v3.7.0 — Hardening Posture Audit
  YYYY-MM-DD HH:MM:SS | mydesktop | 6.19.x-200.fc43.x86_64
  Arch: x86_64 | Distro: Fedora Linux 43 (Workstation Edition)
  Checks: 420+ across 42 sections (actual count: see summary)

━━━ [01/42] KERNEL & BOOT INTEGRITY ━━━
  ✅ PASS  Secure Boot: ENABLED
  ✅ PASS  Kernel Lockdown: integrity
  ✅ PASS  LUKS encryption active

━━━ [05/42] VPN & NETWORK ━━━
  ✅ PASS  VPN interface wg0: active
  ✅ PASS  Default route via VPN
  ✅ PASS  IPv6: disabled/minimal

━━━ [35/42] BROWSER PRIVACY ━━━
  ✅ PASS  Firefox telemetry disabled
  ✅ PASS  WebRTC disabled — no IP leak
  ⚠️  WARN  google-chrome installed — vendor telemetry/tracking risk

━━━ SUMMARY ━━━
  Total checks:      420 (293 pass, 0 fail, 5 warn, 122 info)

  Hardening posture is your defense foundation — the layer
  attackers must defeat first. Complement with:
    ✓ AIDE / IMA   — file & kernel integrity
    ✓ auditd       — behavioral monitoring
    ✓ chkrootkit   — known-malware scanner

  Score formula:     PASS×100 / (PASS + FAIL×2 + WARN)
  HARDENING POSTURE SCORE:    98% 🏰 FULLY HARDENED

Exit codes: 0 = clean · 1 = FAIL present · 2 = WARN-only · 130/143 = interrupted

---

⚙️ Options

Flag	Description
--ai	Generate AI remediation prompt with all findings
--json	Machine-readable JSON output
--no-color	Disable colored output (for piping/logging)
--verbose, -v	Show every individual PASS (boot params, sysctl) instead of aggregated summaries
--offline	Fully offline audit — skip all sections that make network requests
--skip SECTION	Skip specific sections (repeatable)
--cis-l1 / --cis-l2 / --stig	Append a CIS RHEL 9 / DISA STIG coverage report at the end
--help	Show all available options and skip keywords

44 skip keywords available — run --help for the full list.

---

📊 Comparison

Feature	NoID Privacy for Linux	Lynis	privacy.sexy	CIS Benchmark
Focus	Privacy + Security for desktops	Server compliance	Script generator	Server compliance
Tests	420+	hundreds	N/A	varies
Browser privacy	✅	❌	⚠️ Partial	❌
App telemetry	✅	❌	✅	❌
DNS / VPN / MAC	✅	❌	❌	❌
Webcam / Bluetooth	✅	❌	❌	❌
AI remediation prompt	✅	❌	❌	❌
JSON output	✅	✅	N/A	❌
Kernel & firewall	✅	✅	⚠️ Partial	✅
Zero compiled dependencies	✅	✅	❌	❌
Desktop-focused	✅	❌	✅	❌
Modifies system	❌	❌	✅	❌

Lynis (15k ⭐, since 2007) — Gold standard for server compliance. Doesn't cover browser privacy, telemetry, webcams, or desktop-specific concerns.

privacy.sexy (5k ⭐) — Script generator for Windows/macOS/Linux. Modifies your system directly without auditing first.

---

📥 Installation

Requirement	Details
OS	Fedora 39+, Ubuntu 22.04+, Debian 12+, RHEL 9+, Arch Linux, openSUSE, Mint, Pop!_OS
Shell	Bash 4.3+
Privileges	Root (sudo) for full system access
Dependencies	None

# One-liner
curl -fsSL https://github.com/NexusOne23/noid-privacy-linux/raw/main/noid-privacy-linux.sh -o noid-privacy-linux.sh
sudo bash noid-privacy-linux.sh --ai

# Or clone
git clone https://github.com/NexusOne23/noid-privacy-linux.git
cd noid-privacy-linux
sudo bash noid-privacy-linux.sh --ai

---

🚀 GitHub Action

Use NoID Privacy for Linux in your CI/CD pipeline to enforce privacy & security baselines:

- name: Hardening Posture Audit
  # SECURITY: Pin to specific version, never @main (supply chain risk)
  uses: NexusOne23/noid-privacy-linux@v3.7.0
  id: audit
  with:
    min-score: '70'   # Fail if score < 70%

Inputs

Input	Default	Description
min-score	0	Minimum score to pass (0 = never fail).
fail-threshold	''	DEPRECATED alias for min-score. Use min-score in new workflows.
ai	false	Generate AI remediation prompt in summary
skip	''	Comma-separated sections to skip
args	''	Additional arguments for the script

Outputs

Output	Description
score	Hardening posture score (0-100)
total	Total checks performed
pass / fail / warn / info	Check counts by severity
json	Full JSON output

Example: Fail PR if score drops

name: Security Gate
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3 — pin to full SHA for supply-chain safety
      - uses: NexusOne23/noid-privacy-linux@v3.7.0  # Pin to version, not @main
        with:
          min-score: '70'

Results appear as a rich GitHub Actions Summary with score, findings table, and optional AI fix prompt.

📖 See .github/workflows/example-noid-audit.yml for a full example.

---

✅ Perfect For

• Privacy-conscious developers — Know what your desktop is leaking
• Power users — A second pair of eyes on your hardening
• Team leads — Baseline audit for your team's workstations
• Linux newcomers — Clear findings with AI-guided fix suggestions
• Security consultants — Quick desktop audit with professional output

❌ Not For

• Server admins → Lynis
• Enterprise compliance (CIS/STIG) → OpenSCAP
• Automated remediation → privacy.sexy
• Windows → NoID Privacy (free engine, 630+ settings) or NoID Privacy Pro (commercial GUI)

---

🔗 The NoID Privacy Ecosystem

Platform	Link
🌐 Website	NoID-Privacy.com — All platforms, pricing, and documentation
🪟 Windows	NoID Privacy — open-source PowerShell engine (630+ settings, 7 modules, BAVR, GPL-3.0); commercial NoID Privacy Pro GUI wraps the engine
🐧 Linux	You're here!
📱 Android	NoID Privacy on Google Play — 87 checks, 10 categories, permission audit, Chrome hardening, anti-theft

---

🔒 Privacy Promise

No telemetry, no analytics, no phone-home. This tool does not collect or transmit any data about you or your system. One file, pure Bash — read every line yourself.

⚠️ Default-mode network requests: Three sections issue requests to third parties to test for connectivity/DNS/VPN leaks:

• Section 5 (vpn): connectivity via ICMP ping 1.1.1.1 (Cloudflare) / 9.9.9.9 (Quad9), HTTP fallback curl cp.cloudflare.com/generate_204 (Cloudflare); plus pings to common LAN gateway addresses (local network only) for the kill-switch test
• Section 5 (netleaks): dig whoami.akamai.net (Akamai) + curl ifconfig.me (public-IP echo service)
• Section 22 (interfaces): dig . NS — a DNS root-server query through your configured resolver (no third-party domain)

For a fully offline audit that makes zero outbound requests, use:

sudo bash noid-privacy-linux.sh --offline
# equivalent to: --skip vpn --skip interfaces --skip netleaks

The leak tests themselves require these third-party endpoints to function — there's no way to test "does my IP leak?" without contacting an external service.

---

🔧 Troubleshooting

Issue	Solution
Requires root error	Run with sudo bash noid-privacy-linux.sh
False positive on a check	Open an issue with your distro and the finding
DNS leak test fails/hangs	Skip it: --skip netleaks. Requires dig and curl.
Score seems too low	Check if --skip sections are relevant to your setup. Desktop-only checks may warn on servers.
Script hangs on Bluetooth	Known bluetoothctl timeout issue. Skip: --skip btprivacy
Missing checks for my distro	Fedora/RHEL optimized; Ubuntu/Debian tested; Arch/openSUSE/Mint/Pop!_OS best-effort. Other distros may show more info results.

---

🤝 Contributing

Contributions welcome — new checks, bug fixes, distro support.

• Contributing Guide — Code architecture, style, testing
• Bug Reports — Found a false positive?
• Feature Requests
• Discussions
• Security Policy — Report vulnerabilities privately

---

📜 License

GPL v3.0 — Free for personal and commercial use. Derivatives must also be GPL v3.0.

For commercial licensing without GPL requirements, open a Discussion.

Full License →

---

⭐ Star this repo if it's useful — helps others find the project.

NoID Privacy for Linux — Know your system. Harden your privacy.

420+ checks · 42 sections · AI-friendly remediation · zero dependencies · read-only