390+ checks Β· 42 sections Β· Pure Bash Β· AI-friendly remediation prompts Optimized for Fedora/RHEL Β· Tested on Ubuntu/Debian Β· Best-effort on Arch/openSUSE/Mint/Pop!_OS
Quick Start Β· What it Checks Β· AI Fixes Β· Comparison Β· Discussions
curl -fsSL https://github.com/NexusOne23/noid-privacy-linux/raw/main/noid-privacy-linux.sh -o noid-privacy-linux.sh
sudo bash noid-privacy-linux.sh --ai390+ privacy & security checks. Zero dependencies. The --ai flag generates a ready-to-paste prompt β hand it to ChatGPT, Claude, or Gemini to fix every finding automatically.
This tool is read-only. It does not modify your system. No files changed, no configs touched, no services restarted.
πͺ Running Windows too? NoID Privacy for Windows hardens 630+ settings with full Backup β Apply β Verify β Restore. One-time purchase, no subscription.
NoID is a hardening posture audit β it verifies your defense foundation is properly applied. The score reflects configuration state, not compromise resistance.
| β This tool does | β This tool does not |
|---|---|
| Verify hardening recipes are applied | Replace an Intrusion Detection System |
| Detect privacy misconfigurations | Scan for active rootkits (use AIDE/IMA/chkrootkit) |
| Report drift from secure baselines | Find vulnerabilities (use OSV/Lynis-CVE) |
| Generate AI-ready remediation prompts | Perform penetration testing (use OpenVAS/Nessus) |
| Audit 42 desktop-specific surfaces | Behavioral / memory-only malware detection |
A 98% score means hardening recipes are well-applied β not that the system is unhackable. Defense in depth requires complementary layers:
- Layer 1 β Configuration Hardening (this tool)
- Layer 2 β Integrity Detection (AIDE, IMA, chkrootkit)
- Layer 3 β Behavioral Monitoring (auditd, EDR)
Configuration is the foundation. The other layers detect what hardening cannot prevent.
Most Linux security tools were built for servers. They check SSH configs and firewall rules β but ignore your browser leaking DNS queries, apps phoning home, or the webcam accessible to every process.
NoID Privacy for Linux audits both privacy and security on Linux desktops:
| Server Tools (Lynis, CIS) | NoID Privacy for Linux | |
|---|---|---|
| Kernel hardening | β | β |
| Firewall & SSH | β | β |
| Browser privacy | β | β |
| App telemetry | β | β |
| DNS leak testing | β | β |
| VPN kill-switch | β | β |
| Webcam & Bluetooth | β | β |
| AI-powered fixes | β | β |
This is what sets NoID Privacy for Linux apart:
sudo bash noid-privacy-linux.sh --aiThe --ai flag generates a structured prompt at the end of the scan containing all your findings. Copy it. Paste it into ChatGPT, Claude, or Gemini. The AI will explain each finding, provide exact commands to fix it, and prioritize by severity.
Audit β AI β Fixed. What used to take hours takes minutes.
# AI-ready prompt (recommended)
sudo bash noid-privacy-linux.sh --ai
# Plain text for manual review
sudo bash noid-privacy-linux.sh --no-color > report.txt
# Machine-readable JSON for scripts/dashboards
sudo bash noid-privacy-linux.sh --jsonNo other Linux audit tool generates an AI remediation prompt. The
--aiflag is our USP.
| Category | Examples |
|---|---|
| Kernel & Boot | Secure Boot, kernel lockdown, LUKS encryption, UEFI, sysctl hardening |
| Firewall & Network | iptables/nftables rules, default policies, open ports, VPN, kill-switch, DNS leaks |
| SSH & Auth | Key-only auth, root login, password aging, PAM, sudo group |
| Encryption | LUKS cipher strength, key size, swap encryption, entropy, certificate store |
| MAC & Integrity | SELinux/AppArmor (auto-detected), rootkit scans, AIDE/Tripwire, package verification |
| Updates & Packages | Security patches, auto-updates, repo integrity, GPG verification (dnf/apt/pacman/zypper) |
| Advanced | Fail2Ban, USB Guard, containers, systemd sandboxing, kernel modules |
| Category | Examples |
|---|---|
| Browser Privacy | Firefox telemetry, WebRTC leaks, DNS-over-HTTPS, tracking protection, Chrome warning |
| App Telemetry | GNOME telemetry, crash reporters, Flatpak sandbox escapes, Snap telemetry |
| Network Privacy | MAC randomization, mDNS, LLMNR, hostname privacy, IPv6 privacy extensions |
| Data Privacy | Recent file tracking, thumbnail caches, core dumps, bash history, journald retention |
| Session Security | Screen lock, idle detection, auto-login, lock-on-suspend, VNC/RDP |
| Webcam & Audio | Device permissions, microphone, PipeWire remote access, screen sharing |
| Bluetooth | Discoverability, pairable mode, active without usage |
| Keyring & Secrets | Password manager, GNOME Keyring auto-unlock, SSH agent timeout, plaintext secrets |
π Full Check Reference β β all 42 sections with descriptions
$ sudo bash noid-privacy-linux.sh --ai
NoID Privacy for Linux v3.6.0 β Hardening Posture Audit for Linux Desktops
YYYY-MM-DD HH:MM:SS | mydesktop | 6.19.x-200.fc43.x86_64
Arch: x86_64 | Distro: Fedora Linux 43 (Workstation Edition)
Checks: 390+ across 42 sections
βββ [01/42] KERNEL & BOOT INTEGRITY βββ
β
PASS Secure Boot: ENABLED
β
PASS Kernel Lockdown: integrity
β
PASS LUKS encryption active
βββ [05/42] VPN & NETWORK βββ
β
PASS VPN interface proton0: active
β
PASS Default route via VPN
β
PASS IPv6: disabled/minimal
βββ [35/42] BROWSER PRIVACY βββ
β
PASS Firefox telemetry disabled
β
PASS WebRTC disabled β no IP leak
β οΈ WARN google-chrome installed β Google telemetry risk
βββ SUMMARY βββ
Total checks: 460 (298 pass, 0 fail, 5 warn, 157 info)
Hardening posture is your defense foundation β the layer
attackers must defeat first. Complement with:
β AIDE / IMA β file & kernel integrity
β auditd β behavioral monitoring
β chkrootkit β known-malware scanner
HARDENING POSTURE SCORE: 98% π° FULLY HARDENED
Score formula: PASSΓ100 / (PASS + FAILΓ2 + WARN)
Exit codes: 0 = clean Β· 1 = FAIL present Β· 2 = WARN-only Β· 130/143 = interrupted
| Flag | Description |
|---|---|
--ai |
Generate AI-ready fix prompt with all findings |
--json |
Machine-readable JSON output |
--no-color |
Disable colored output (for piping/logging) |
--skip SECTION |
Skip specific sections (repeatable) |
--help |
Show all available options and skip keywords |
44 skip keywords available β run --help for the full list.
| Feature | NoID Privacy for Linux | Lynis | privacy.sexy | CIS Benchmark |
|---|---|---|---|---|
| Focus | Privacy + Security for desktops | Server compliance | Script generator | Server compliance |
| Tests | 390+ | 480+ | N/A | varies |
| Browser privacy | β | β | β | |
| App telemetry | β | β | β | β |
| DNS / VPN / MAC | β | β | β | β |
| Webcam / Bluetooth | β | β | β | β |
| AI-ready output | β | β | β | β |
| JSON output | β | β | N/A | β |
| Kernel & firewall | β | β | β | |
| Zero compiled dependencies | β | β | β | β |
| Desktop-focused | β | β | β | β |
| Modifies system | β | β | β | β |
Lynis (15k β, since 2007) β Gold standard for server compliance. Doesn't cover browser privacy, telemetry, webcams, or desktop-specific concerns.
privacy.sexy (5k β) β Script generator for Windows/macOS/Linux. Modifies your system directly without auditing first.
| Requirement | Details |
|---|---|
| OS | Fedora 39+, Ubuntu 22.04+, Debian 12+, RHEL 9+, Arch Linux, openSUSE, Mint, Pop!_OS |
| Shell | Bash 4+ |
| Privileges | Root (sudo) for full system access |
| Dependencies | None |
# One-liner
curl -fsSL https://github.com/NexusOne23/noid-privacy-linux/raw/main/noid-privacy-linux.sh -o noid-privacy-linux.sh
sudo bash noid-privacy-linux.sh --ai
# Or clone
git clone https://github.com/NexusOne23/noid-privacy-linux.git
cd noid-privacy-linux
sudo bash noid-privacy-linux.sh --aiUse NoID Privacy for Linux in your CI/CD pipeline to enforce privacy & security baselines:
- name: Hardening Posture Audit
# SECURITY: Pin to specific version, never @main (supply chain risk)
uses: NexusOne23/noid-privacy-linux@v3.6.0
id: audit
with:
min-score: '70' # Fail if score < 70%| Input | Default | Description |
|---|---|---|
min-score |
0 |
Minimum score to pass (0 = never fail). Canonical name since v3.5.0. |
fail-threshold |
'' |
DEPRECATED alias for min-score. Will be removed in v4.0. |
ai |
false |
Generate AI remediation prompt in summary |
skip |
'' |
Comma-separated sections to skip |
args |
'' |
Additional arguments for the script |
| Output | Description |
|---|---|
score |
Hardening posture score (0-100) |
total |
Total checks performed |
pass / fail / warn / info |
Check counts by severity |
json |
Full JSON output |
name: Security Gate
on: [pull_request]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.2.2
- uses: NexusOne23/noid-privacy-linux@v3.6.0 # Pin to version, not @main
with:
min-score: '70'Results appear as a rich GitHub Actions Summary with score, findings table, and optional AI fix prompt.
π See .github/workflows/example-noid-audit.yml for a full example.
- Privacy-conscious developers β Know what your desktop is leaking
- Power users β A second pair of eyes on your hardening
- Team leads β Baseline audit for your team's workstations
- Linux newcomers β Clear findings with AI-guided fixes
- Security consultants β Quick desktop audit with professional output
- Server admins β Lynis
- Enterprise compliance (CIS/STIG) β OpenSCAP
- Automated remediation β privacy.sexy
- Windows β NoID Privacy PRO β 630+ settings, full hardening framework
| Platform | Link |
|---|---|
| π Website | NoID-Privacy.com β All platforms, pricing, and documentation |
| πͺ Windows | NoID Privacy PRO β 630+ settings, 7 modules, Backup β Apply β Verify β Restore |
| π§ Linux | You're here! |
| π± Android | NoID Privacy on Google Play β 81 checks, 10 categories, permission audit, Chrome hardening, anti-theft |
No telemetry, no analytics, no phone-home. This tool does not collect or transmit any data about you or your system. One file, pure Bash β read every line yourself.
β οΈ Default-mode network requests: Three sections issue requests to third parties to test for connectivity/DNS/VPN leaks:
- Section 5 (vpn):
curl detectportal.firefox.com(Mozilla),curl ifconfig.me(Cloudflare-fronted)- Section 5 (netleaks):
dig whoami.akamai.net(Akamai)- Section 22 (interfaces):
dig google.com(Google)For a fully offline audit that makes zero outbound requests, use:
sudo bash noid-privacy-linux.sh --skip vpn --skip interfaces --skip netleaksThe leak tests themselves require these third-party endpoints to function β there's no way to test "does my IP leak?" without contacting an external service.
| Issue | Solution |
|---|---|
Requires root error |
Run with sudo bash noid-privacy-linux.sh |
| False positive on a check | Open an issue with your distro and the finding |
| DNS leak test fails/hangs | Skip it: --skip netleaks. Requires dig and curl. |
| Score seems too low | Check if --skip sections are relevant to your setup. Desktop-only checks may warn on servers. |
| Script hangs on Bluetooth | Known bluetoothctl timeout issue. Skip: --skip btprivacy |
| Missing checks for my distro | Fedora/RHEL, Ubuntu/Debian, Arch, and openSUSE are fully supported. Other distros may show more info results. |
Contributions welcome β new checks, bug fixes, distro support.
- Contributing Guide β Code architecture, style, testing
- Bug Reports β Found a false positive?
- Feature Requests
- Discussions
- Security Policy β Report vulnerabilities privately
GPL v3.0 β Free for personal and commercial use. Derivatives must also be GPL v3.0.
For commercial licensing without GPL requirements, open a Discussion.
β Star this repo if it's useful β helps others find the project.
NoID Privacy for Linux β Know your system. Harden your privacy.