Parrot Booty Protection is a production-ready security control platform that enforces operator sovereignty over Linux hardening. Built with defense-in-depth principles and zero-tolerance for autonomous configuration changes, it provides automated scanning, professional reporting, real-time monitoring, and a local web control plane.
Traditional security tools make changes without asking. PBP enforces operator authority:
- Operator Sovereignty - No autonomous configuration changes, ever
- Policy-Driven - Single source of truth for all security decisions
- Integrity Monitoring - Protected files watched continuously
- Alert Framework - Instant notification of violations
- Control Plane - Local web dashboard (no cloud dependencies)
- Rollback Capability - Every change is reversible
- Risk Quantification - Know your security posture with numerical scores
- Professional Reports - PDF/HTML reports for compliance
PBP is not a script collection. It's a security control platform.
PBP provides 7 independent security modules, each with full lifecycle management:
| Module | Purpose | Technology | Risk Mitigation |
|---|---|---|---|
| TIME | NTS-authenticated time sync | chrony + NTS | Prevents time-based attacks, ensures certificate validity |
| DNS | Encrypted DNS queries | systemd-resolved + DoT | Blocks DNS hijacking, surveillance, cache poisoning |
| NETWORK | Stateful firewall | nftables | Default-deny policy, connection tracking, egress filtering |
| CONTAINER | Rootless container security | Podman + seccomp | Prevents privilege escalation, container breakouts |
| AUDIT | System activity monitoring | auditd | Detects unauthorized changes, tracks privileged commands |
| ROOTKIT | Malware detection | rkhunter + chkrootkit | Identifies rootkits, hidden processes, file tampering |
| RECON | Network exposure validation | nmap | Maps attack surface, detects misconfigurations |
Each module includes:
- Installation automation
- Configuration management
- Health monitoring
- Security scanning
- Rollback capability
```bash
# Clone repository
git clone https://github.com/cyclonite69/parrot-booty-protection.git
cd parrot-booty-protection
# Install PBP
sudo bash scripts/install.sh
# Install control system (operator sovereignty)
sudo bash scripts/install_control.sh
# Install reporting dependencies (PDF generation)
sudo bash scripts/install_reporting_deps.sh
```

```bash
# Start control plane
pbp control start
# Access: http://localhost:7777
# List available modules
pbp list
# Enable core security modules
sudo pbp enable time     # NTS time synchronization
sudo pbp enable dns      # Unbound DNS with DoH/DoT
sudo pbp enable network  # Firewall
# Run security scan
sudo pbp scan
# View system status
pbp status
# Check integrity
pbp integrity
# View alerts
pbp alerts
# Launch interactive dashboard
pbp dashboard
```

```bash
# Integrity monitoring (continuous)
sudo systemctl enable --now pbp-integrity.service
# Daily security scans
sudo systemctl enable --now pbp-scan-daily.timer
# Weekly deep audits (rootkit + audit)
sudo systemctl enable --now pbp-audit-weekly.timer
# Check timer status (pattern quoted so the shell does not expand it)
systemctl list-timers 'pbp-*'
```

PBP includes a universal reporting engine that generates professional PDF and JSON reports from all security scanners.
```bash
# Run scanner and generate report
sudo rkhunter --check > /tmp/rkhunter.txt
sudo pbp-report rkhunter /tmp/rkhunter.txt
# Output: /var/log/pbp/reports/<timestamp>/
# ├── raw/rkhunter.txt
# ├── json/rkhunter.json
# ├── html/rkhunter.html
# ├── pdf/rkhunter.pdf
# └── checksums/rkhunter.*.sha256
```

Comprehensive system validation in one command:

```bash
sudo pbp bughunt
```

Validates:
- Configuration integrity
- Firewall rules (duplicates, policies)
- Service health
- NTS time synchronization
- DNS hardening (DoT, DNSSEC)
- Container privileges
- Open ports
- File permissions
Generates:
- `master-report.json` - Machine-readable findings
- `master-report.html` - Human-readable report
- `master-report.pdf` - Professional PDF for compliance
Real-time security monitoring in your terminal:
```bash
pbp dashboard
```

Features:
- Module status (enabled/installed/uninstalled)
- Health checks per module
- Latest risk score
- Quick actions (scan/reports/health)
PBP quantifies your security posture with weighted risk scores:
| Severity | Weight | Examples |
|---|---|---|
| CRITICAL | 10 points | Rootkit detected, firewall disabled, DNS failing |
| HIGH | 5 points | Unencrypted DNS, privileged containers, insecure services |
| MEDIUM | 2 points | Many open ports, missing audit rules, outdated scanners |
| LOW | 1 point | IPv6 disabled, large logs, minor misconfigurations |
Risk Bands:
- 0-20: 🟢 SECURE - System is well-hardened
- 21-50: 🟡 MODERATE - Some issues need attention
- 51-100: 🟠 ELEVATED - Significant vulnerabilities present
- 100+: 🔴 CRITICAL - Immediate action required
```bash
pbp list                     # List all modules
pbp enable <module>          # Enable a module (requires approval)
pbp disable <module>         # Disable a module (requires approval)
pbp rollback <module>        # Revert to previous configuration
```

```bash
pbp scan                     # Scan all enabled modules
pbp scan <module>            # Scan specific module
pbp status                   # Show system status
pbp health                   # Run health checks
pbp bughunt                  # Comprehensive validation
```

```bash
pbp control start            # Start web control plane
pbp control stop             # Stop web control plane
pbp integrity                # Check file integrity
pbp alerts                   # View security alerts
pbp dashboard                # Launch TUI dashboard
```

```bash
pbp reports                  # List all reports
pbp report <id>              # View specific report
pbp report <id> html         # Open HTML report in browser
pbp compare <id1> <id2>      # Compare two reports
pbp-report <scanner> <file>  # Generate report from scanner output
```

```
┌─────────────────────────────────────────────────────────┐
│                     PBP Core Engine                     │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐   │
│  │    State     │  │   Registry   │  │    Health    │   │
│  │  Management  │  │ & Discovery  │  │    Checks    │   │
│  └──────────────┘  └──────────────┘  └──────────────┘   │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐   │
│  │   Backup &   │  │   Rollback   │  │   Logging    │   │
│  │   Restore    │  │    System    │  │   & Audit    │   │
│  └──────────────┘  └──────────────┘  └──────────────┘   │
└─────────────────────────────────────────────────────────┘
                             │
         ┌───────────────────┼───────────────────┐
         │                   │                   │
 ┌───────▼────────┐  ┌───────▼────────┐  ┌───────▼──────┐
 │    Security    │  │   Reporting    │  │     TUI      │
 │    Modules     │  │     Engine     │  │  Dashboard   │
 │                │  │                │  │              │
 │ • time         │  │ • PDF Gen      │  │ • Real-time  │
 │ • dns          │  │ • HTML Gen     │  │ • Health     │
 │ • network      │  │ • Parsers      │  │ • Actions    │
 │ • container    │  │ • Bug Hunt     │  │              │
 │ • audit        │  │                │  │              │
 │ • rootkit      │  │                │  │              │
 │ • recon        │  │                │  │              │
 └────────────────┘  └────────────────┘  └──────────────┘
```
```
UNINSTALLED → install → INSTALLED → enable → ENABLED
                            │                   │
                            └───── rollback ────┘
```
```
/opt/pbp/                     # Installation root
├── bin/
│   ├── pbp                   # Main CLI
│   ├── pbp-dashboard         # TUI dashboard
│   └── pbp-report            # Report generator
├── core/
│   ├── engine.sh             # Orchestration engine
│   ├── state.sh              # State management
│   ├── registry.sh           # Module discovery
│   └── lib/                  # Core libraries
├── modules/
│   ├── time/                 # NTS time sync
│   ├── dns/                  # Encrypted DNS
│   ├── network/              # nftables firewall
│   ├── container/            # Podman hardening
│   ├── audit/                # auditd monitoring
│   ├── rootkit/              # Malware detection
│   └── recon/                # Network scanning
├── reporting/
│   ├── engine.sh             # Report engine
│   ├── parsers/              # Scanner parsers
│   └── templates/            # HTML templates
├── bughunt/
│   └── bughunt.sh            # System validator
└── config/
    └── pbp.conf              # Global configuration

/var/lib/pbp/                 # State and backups
├── state/
│   ├── modules.state         # Module status (JSON)
│   └── backups/              # Config snapshots
└── data/

/var/log/pbp/                 # Logs and reports
├── audit.log                 # Action trail
├── actions.jsonl             # Structured logs
└── reports/
    ├── json/                 # JSON reports
    ├── html/                 # HTML reports
    ├── pdf/                  # PDF reports
    └── checksums/            # SHA256 hashes
```
- Input Validation - All user input sanitized and validated
- Output Escaping - HTML reports XSS-safe via Python escaping
- Privilege Separation - Root only when necessary, immediate drop
- Fail-Safe Defaults - Reject unknown, block on errors
- Audit Trail - Complete logging of all actions
- Immutable Reports - `chattr +i` after generation
- Integrity Verification - SHA256 checksums for all reports
Every configuration change includes:
- Pre-change backup with checksums
- Post-change health verification
- Automatic rollback on failure
- Manual rollback capability
- Reports: `600` permissions (root-only)
- Directories: `700` permissions
- State files: `600` permissions
- No world-readable security data
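
One way an operator could check a finished report directory against the checksum and permission claims above. This is an added example, not PBP's own code: `audit_report_dir` and `make_sample_report` are hypothetical names, and it assumes the checksum files are in `sha256sum` format with paths relative to the report directory and that every report file has one.

```bash
#!/usr/bin/env bash
# Added example, not PBP's own code. Layout taken from the page:
#   <report>/{raw,json,html,pdf}/... and <report>/checksums/*.sha256
# Assumptions: checksum files hold `sha256sum` lines ("<hex>  <path>") with
# paths relative to <report>, and every report file has one.

# Print one finding per line; no output means the tree passed.
audit_report_dir() {
    dir=$(cd "$1" 2>/dev/null && pwd) || { echo "UNREADABLE $1"; return; }
    sums=$(cat "$dir"/checksums/*.sha256 2>/dev/null) || sums=
    [ -n "$sums" ] || echo "NO_CHECKSUMS checksums/"

    # 1. Each checksum file must still match the file it names.
    for f in "$dir"/checksums/*.sha256; do
        [ -e "$f" ] || continue
        (cd "$dir" && sha256sum -c "$f" >/dev/null 2>&1) ||
            echo "CHECKSUM_FAIL checksums/${f##*/}"
    done

    # 2. Report files that no checksum vouches for.
    find "$dir" -type f ! -path "$dir/checksums/*" | while IFS= read -r p; do
        rel=${p#"$dir"/}
        printf '%s\n' "$sums" | cut -d' ' -f3- | grep -qxF -- "$rel" ||
            echo "UNLISTED $rel"
    done

    # 3. Modes stated on the page: files 600, directories 700.
    find "$dir" \( -type f ! -perm 600 \) -o \( -type d ! -perm 700 \) |
        while IFS= read -r p; do
            rel=${p#"$dir"/}
            echo "BAD_MODE $(stat -c %a "$p") $rel"
        done
}

# Constructed sample tree standing in for /var/log/pbp/reports/<timestamp>/.
make_sample_report() {
    d=$(mktemp -d) && mkdir -p "$d/raw" "$d/json" "$d/checksums" || return 1
    echo 'Warning: constructed scanner output' > "$d/raw/rkhunter.txt"
    echo '{"scanner":"rkhunter","findings":1}' > "$d/json/rkhunter.json"
    (cd "$d" && for f in raw/rkhunter.txt json/rkhunter.json; do
        sha256sum "$f" > "checksums/${f##*/}.sha256"
    done)
    find "$d" -type d -exec chmod 700 {} +
    find "$d" -type f -exec chmod 600 {} +
    echo "$d"
}

# Usage: bash audit_report.sh /var/log/pbp/reports/<timestamp>
[ $# -eq 0 ] || audit_report_dir "$1"
```

Reading `/var/log/pbp/reports/` needs root given the modes above; the immutable flag set by `chattr +i` can be inspected separately with `lsattr`.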
- Control Restoration - Operator sovereignty system
- Quick Start Guide - Get started in 5 minutes
- Reporting System - Report generation guide
- Security Audit - Security assessment findings
- Phase Documentation - Complete implementation phases
```bash
# Validate core engine
bash tests/validate_core.sh
# Generate test report
bash tests/test_report.sh
# Run demo
bash demo.sh
```

Contributions welcome! Please follow the module template structure:

```
modules/your_module/
├── manifest.json    # Metadata and config
├── install.sh       # Package installation
├── enable.sh        # Activation logic
├── disable.sh       # Deactivation logic
├── scan.sh          # Security scanning
└── health.sh        # Health checks
```
- Total Files: 85+
- Lines of Code: ~6,400 (focused, minimal)
- Security Modules: 7 fully implemented
- Hook Scripts: 35 (5 per module)
- Core Libraries: 9
- CLI Commands: 13
- Systemd Units: 4
- Test Coverage: Core + Modules validated
- Documentation: 2,000+ lines
- Automated hardening of Parrot OS workstations
- Compliance reporting (CIS, NIST)
- Security posture monitoring
- Incident response preparation
- One-command security deployment
- Automated daily/weekly scans
- Professional PDF reports for management
- Safe rollback on issues
- Harden attack platforms
- Validate security controls
- Generate compliance evidence
- Monitor container security
- Infrastructure-as-code security
- CI/CD security validation
- Automated compliance checks
- Security metrics tracking
- Web dashboard (localhost:8080)
- Policy profiles (home/privacy/pentest/paranoid)
- Email alerting
- Baseline tracking & trending
- SIEM integration (Splunk/ELK)
- Multi-host management
- Compliance mapping (CIS/NIST/PCI-DSS)
- Module marketplace
MIT License - See LICENSE for details
Built with security best practices from:
"May your booty be guarded and your lines be encrypted." 🦜🏴‍☠️
Made with ❤️ for the security community