Linbean is a single-file Bash auditor for Linux privilege-escalation risk review. It inventories common local escalation surfaces, ranks findings by severity, and emits text, JSON, or Markdown reports.
It is built for authorized defensive assessments. Default mode is read-only except for optional report output under /tmp. Active checks are opt-in with --active.
git clone https://github.com/kernelstub/linbean.git
cd linbean
chmod +x linbean.shRun directly:
curl -fsSL https://raw.githubusercontent.com/kernelstub/linbean/main/linbean.sh | bashLocal checkout:
./linbean.sh
./linbean.sh --fast
./linbean.sh --markdown --output /tmp/linbean-report.md
./linbean.sh --json --output /tmp/linbean-report.json
./linbean.sh --active- Sudo, doas, pkexec, polkit, PAM, and account policy
- SUID, SGID, Linux capabilities, writable privileged paths, and PATH risks
- Cron, systemd units, timers, startup files, logrotate, and backup paths
- SSH, shell history metadata, environment indicators, and credential-store metadata
- Containers, mounts, network listeners, firewall posture, and cloud/virtualization hints
- Kernel hardening, LSM posture, installed tooling, package/version hints, ACLs, and attributes
Linbean supports:
- Human-readable terminal output
- Valid JSON with
--json - Markdown with
--markdown - Report writing under
/tmpwith--output
See docs/USAGE.md for full usage.