## opnDossier audit
Run security audit and compliance checks on OPNsense configurations.
### Synopsis
The 'audit' command runs security audit and compliance checks on one or more OPNsense config.xml files. It produces a report with compliance findings, security recommendations, and risk assessments based on the selected audit mode and compliance plugins.
AUDIT MODES: Select the audit perspective using the --mode flag:

- blue - Defensive audit with security findings and recommendations (default)
- red - Attacker-focused recon report highlighting attack surfaces (experimental — analysis methods are placeholder stubs)
COMPLIANCE PLUGINS (blue mode only): Select compliance checks with --plugins (requires --mode blue):

- stig - Security Technical Implementation Guide
- sans - SANS Firewall Baseline
- firewall - Firewall Configuration Analysis

Omit --plugins to run every available plugin. The flag is rejected with red mode.
CONTROL FILTERING (blue mode only): Use --failures-only to hide PASS rows in plugin result tables. Applies only to markdown output; JSON/YAML consumers must filter client-side.
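Because --failures-only only affects markdown, a JSON consumer has to drop passing controls itself. The following is an added example, not part of opnDossier: it runs the audit with --format json (using only the flags documented on this page) and filters the parsed report client-side. The key name "status", the value "PASS", and the sample report's shape are assumptions, since this page does not document the JSON schema.

```python
"""Added example (not opnDossier code): client-side --failures-only for JSON output.
Assumes controls are JSON objects carrying a "status" key (e.g. "PASS"/"FAIL");
the schema is not documented here, so the walker scans the whole report."""
import json
import subprocess
from typing import Any, Iterator, List, Optional, Tuple

STATUS_KEY = "status"  # assumed: key holding each control's verdict
PASS_VALUE = "PASS"    # assumed: value of a passing control


def run_audit_json(config_path: str, plugins: Optional[str] = None) -> dict:
    """Run `opnDossier audit` in blue mode with --format json and parse stdout."""
    cmd = ["opnDossier", "audit", config_path, "--mode", "blue", "--format", "json"]
    if plugins:  # e.g. "stig,sans"; omit to run every plugin
        cmd += ["--plugins", plugins]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def iter_controls(node: Any, path: str = "$") -> Iterator[Tuple[str, dict]]:
    """Yield (json_path, obj) for every object in the report that has STATUS_KEY."""
    if isinstance(node, dict):
        if STATUS_KEY in node:
            yield path, node
        for key, value in node.items():
            yield from iter_controls(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_controls(value, f"{path}[{i}]")


def failing_controls(report: dict) -> List[Tuple[str, dict]]:
    """Drop PASS rows, as --failures-only does for markdown; keep FAIL/WARN/etc."""
    return [(p, c) for p, c in iter_controls(report)
            if str(c.get(STATUS_KEY, "")).upper() != PASS_VALUE]


# Constructed sample in the assumed shape; control ids are placeholders.
SAMPLE_REPORT = {"plugins": {
    "stig": {"results": [{"id": "STIG-001", "status": "PASS"},
                         {"id": "STIG-002", "status": "FAIL"}]},
    "firewall": {"results": [{"id": "FW-010", "status": "WARN"}]},
}}

if __name__ == "__main__":
    for json_path, ctl in failing_controls(SAMPLE_REPORT):
        print(json_path, ctl["id"], ctl[STATUS_KEY])
```

Replace SAMPLE_REPORT with `run_audit_json("config.xml")` to filter a real report; the JSON path printed with each control tells you where the assumed "status" key was actually found, so the constants can be adjusted to the real schema.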
OUTPUT FORMATS: Select the report encoding with --format:

- markdown - Standard markdown report (default)
- json - JSON format for programmatic access
- yaml - YAML format for configuration management
- text - Plain text output (markdown without formatting)
- html - Self-contained HTML report for web viewing
MULTI-FILE RUNS: Pass multiple input files to audit them concurrently. --output is rejected in multi-file mode; each report is auto-named from its input file (for example, config1.xml produces config1-audit.md).
RELATED:

- convert - Render configuration without compliance checks
- validate - Structural validation (no audit)
- sanitize - Redact secrets before sharing audit output
### Examples
```shell
# Run a blue team audit with all compliance plugins (default)
opnDossier audit config.xml

# Blue team defensive audit with specific plugins
opnDossier audit config.xml --plugins stig,sans

# Red team attack surface analysis (experimental)
opnDossier audit config.xml --mode red

# Export audit report as JSON
opnDossier audit config.xml --format json -o audit-report.json

# Multi-file audit (reports auto-named config1-audit.md, config2-audit.md)
opnDossier audit config1.xml config2.xml --mode blue

# Comprehensive blue team audit with all compliance checks
opnDossier audit config.xml --mode blue --comprehensive --plugins stig,sans,firewall

# Show only failing controls in blue mode markdown output
opnDossier audit config.xml --mode blue --failures-only

# Redact sensitive fields from audit output
opnDossier audit config.xml --redact
```
### Options
```text
      --mode string         Audit mode (blue|red) (default "blue")
      --plugins strings     Compliance plugins to run (stig,sans,firewall)
      --plugin-dir string   Directory containing third-party .so compliance plugins (does not affect built-in stig/sans/firewall). Plugins run with full process privileges; signatures are not verified. Do not point at untrusted-writable directories. Linux/macOS/FreeBSD only; no-op on Windows. See GOTCHAS §2.5 and docs/user-guide/commands/audit.md § Third-Party Plugin Security.
      --failures-only       Show only failing controls in blue mode plugin results tables
  -f, --format string       Output format for audit report (markdown, json, yaml, text, html) (default "markdown")
  -o, --output string       Output file path for saving audit report (default: print to console)
      --force               Force overwrite existing files without prompting for confirmation
      --include-tunables    Include all system tunables in report output (markdown, text, HTML only; JSON/YAML always include all tunables)
      --section strings     Specific sections to include in output (comma-separated, e.g., system,network,firewall)
      --wrap int            Text wrap width in characters (-1 = auto-detect terminal width, 0 = no wrapping, recommended: 80-120) (default -1)
      --no-wrap             Disable text wrapping (alias for --wrap 0)
      --comprehensive       Generate comprehensive detailed reports with full configuration analysis
      --redact              Redact sensitive fields (passwords, keys, community strings) in output
  -h, --help                help for audit
```
### Options inherited from parent commands
```text
      --color string         Color output mode (auto, always, never) (default "auto")
      --config string        Configuration file path (default: $HOME/.opnDossier.yaml)
      --debug                Enable debug-level logging (all messages, for troubleshooting)
      --device-type string   Force device type (supported: opnsense, pfsense). Bypasses auto-detection.
      --minimal              Minimal output mode (suppresses progress and verbose messages)
      --no-progress          Disable progress indicators
  -q, --quiet                Suppress all output except errors and critical messages
      --timestamps           Include timestamps in log output
  -v, --verbose              Enable info-level logging (warnings, errors, and informational messages)
```
### SEE ALSO
- opnDossier - opnDossier: A CLI tool for processing OPNsense and pfSense configuration files.