Kensa documentation

kensa and kensa-rules installed from signed packages, the verification keys imported, and kensa --version printing kensa 0.5.2. From there, 02-quickstart is the next…

This chapter takes one host from "never scanned" to "remediated and rolled back" in four commands: detect what the host can do, check its compliance read-only, remediate…

Kensa is a compliance engine, but its core is not the rules. It's the transaction: the four-phase Kensa operation (capture, apply, validate, commit or roll back). Every…

Two commands do the work: kensa check reads a host and reports compliance without touching it, and kensa remediate applies the failing rules as atomic transactions. They…

Every kensa remediate writes what it did to a durable transaction log (SQLite). That log is what makes a remediation reversible, what crash recovery replays, and what…

A rule is a single, framework-independent statement of desired system state. It carries its own check logic, its remediation, its framework cross-references, and one or…

This chapter is for programs that embed Kensa (notably OpenWatch) rather than run the CLI, consuming its api/pkg/kensa Go surfaces. The division of labor: Kensa is to a…

Common failure modes, what they look like, and how to clear them. Each section names the condition first so you can match it to what you are seeing, then the remedy.…

This chapter documents every kensa command and flag. It is the exhaustive counterpart to the task-focused chapters: for how to scan and remediate, see…

A mechanism is the named action a rule's remediation runs to change a host, such as sysctlset, serviceenabled, or filecontent. You set it in a rule's remediation block.…

Notable user-visible changes to Kensa, by release — added, changed, fixed, and security updates.