Compliance as Code — Scan, Remediate, Rollback

Kensa

508 rules. 23 remediation mechanisms. 7 frameworks. Automatic rollback. No agent. Scan RHEL compliance over SSH, remediate failures with typed mechanisms, and roll back automatically on failure.

At a glance: 508 rules, 23 remediation mechanisms, 7 frameworks, 95%+ CIS coverage.

Get Started in Seconds

Install Kensa:

pip install git+https://github.com/Hanalyx/kensa.git

Requires Python 3.10+ and SSH access to target hosts.

Try It in 5 Minutes

Step 1 — Scan a host

kensa check --sudo -h 192.168.1.10 -u admin -r rules/

Step 2 — Dry-run remediation

kensa remediate --sudo -h 192.168.1.10 -u admin -r rules/ --dry-run

Step 3 — Remediate with automatic rollback

kensa remediate --sudo -h 192.168.1.10 -u admin -r rules/ --rollback-on-failure

One scan covers all frameworks: STIG, CIS, NIST 800-53, PCI-DSS, FedRAMP, ISO 27001, SRG.

What Makes Kensa Different

Scan + Remediate + Rollback

23 typed, declarative remediation mechanisms with automatic rollback. Before any change, Kensa captures the current state. If a step fails, all completed steps are reversed automatically, so your system is never left half-remediated.
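A minimal model of the capture, apply, reverse sequence described above, added here as an illustration; it is not Kensa's own code. The in-memory host dict, the Step class and the sshd_config helper are constructed for the example, and the failing "restart" step stands in for any step that errors out mid-run.

```python
from dataclasses import dataclass
from typing import Callable
# Constructed in-memory "host": path -> file contents. Stands in for a real system reached over SSH.
HOST = {"/etc/ssh/sshd_config": "PermitRootLogin yes\nX11Forwarding yes\n"}


@dataclass
class Step:
    """One typed remediation step: capture prior state, apply the change, restore on rollback."""
    name: str
    capture: Callable[[dict], object]
    apply: Callable[[dict], None]
    restore: Callable[[dict, object], None]


def set_sshd_option(path: str, key: str, value: str) -> Step:
    """Hypothetical typed mechanism: replace or append 'key value' in an sshd_config file."""
    def capture(host):
        return host[path]
    def apply(host):
        kept = [l for l in host[path].splitlines() if l.split()[:1] != [key]]
        host[path] = "\n".join(kept + [f"{key} {value}"]) + "\n"
    def restore(host, snapshot):
        host[path] = snapshot
    return Step(f"set {key} {value}", capture, apply, restore)


def restart_service_fails(host):
    """Constructed failing step body, standing in for e.g. a service restart that errors out."""
    raise RuntimeError("sshd restart failed")


def remediate(host: dict, steps: list, rollback_on_failure: bool = True) -> list[str]:
    """Apply steps in order. On failure, reverse every completed step, newest first."""
    log, completed = [], []
    for step in steps:
        snapshot = step.capture(host)           # state captured before the change
        try:
            step.apply(host)
        except Exception as exc:
            log.append(f"FAILED {step.name}: {exc}")
            if rollback_on_failure:
                for done, snap in reversed(completed):
                    done.restore(host, snap)
                    log.append(f"ROLLED BACK {done.name}")
            break
        completed.append((step, snapshot))
        log.append(f"APPLIED {step.name}")
    return log
```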

One Rule, All Frameworks

A single rule maps to CIS, STIG, NIST 800-53, PCI-DSS, FedRAMP, ISO 27001, and SRG simultaneously. Run one scan, satisfy all assessors. No duplicate content, no framework-specific rule repos.

Evidence Auditors Actually Trust

Every check captures structured, machine-verifiable JSON evidence with the exact command, stdout, expected vs. actual, and timestamps. Hand your auditor a JSON file they can independently verify.

YAML Rules, Not XML

Human-readable YAML rules designed to be read, reviewed, and modified by the engineers who manage the systems. Fully Git-friendly — diff, review, and version your compliance policy.

Adapts to Each Host Automatically

22 runtime probes detect host capabilities — sshd drop-in directories, authselect, crypto policies, FIPS mode, SELinux, and more. Kensa selects the correct implementation variant for each host.

No Agent Required

Pure SSH. No daemon running on targets, no client packages to install, no ports to open. Works with existing SSH keys or password auth. Up to 50 concurrent sessions for fleet-scale scanning.

Evidence Auditors Can Verify

Every check produces structured JSON. Your auditor sees the exact command, the system response, and whether it matched the expected value.

evidence.json
{
  "rule_id": "ssh-disable-root-login",
  "passed": true,
  "evidence": {
    "method": "config_value",
    "command": "grep -E '^\\s*PermitRootLogin' /etc/ssh/sshd_config",
    "stdout": "PermitRootLogin no\n",
    "exit_code": 0,
    "expected": "no",
    "actual": "no",
    "timestamp": "2025-02-09T12:00:00Z"
  },
  "frameworks": {
    "cis_rhel9_v2": "5.1.20",
    "stig_rhel9_v2r7": "V-257947",
    "nist_800_53": "AC-6(2), AC-17(2)"
  }
}
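
An independent consistency check of the kind an auditor could run over records in the shape shown above, added here as an example and not part of Kensa. The record is a constructed copy of the page's sample; the field names are taken from it, and the re-derivation rule for the config_value method is an assumption about how stdout relates to the actual field.

```python
import copy
import re
from datetime import datetime

# Constructed evidence record in the shape the page shows (sample data, not real scan output).
SAMPLE = {
    "rule_id": "ssh-disable-root-login",
    "passed": True,
    "evidence": {
        "method": "config_value",
        "command": "grep -E '^\\s*PermitRootLogin' /etc/ssh/sshd_config",
        "stdout": "PermitRootLogin no\n",
        "exit_code": 0,
        "expected": "no",
        "actual": "no",
        "timestamp": "2025-02-09T12:00:00Z",
    },
    "frameworks": {"cis_rhel9_v2": "5.1.20", "stig_rhel9_v2r7": "V-257947"},
}
REQUIRED = ("method", "command", "stdout", "exit_code", "expected", "actual", "timestamp")


def verify_record(rec: dict) -> list[str]:
    """Cross-check one evidence record; an empty list means it is internally consistent."""
    ev = rec.get("evidence", {})
    findings = [f"missing evidence field: {k}" for k in REQUIRED if k not in ev]
    if findings:
        return findings
    if ev["method"] == "config_value":
        # Re-derive the observed value from the raw stdout instead of trusting 'actual'.
        m = re.match(r"\s*(\S+)\s+(\S+)", ev["stdout"])
        derived = m.group(2) if m else None
        if derived != ev["actual"]:
            findings.append(f"actual {ev['actual']!r} disagrees with stdout-derived {derived!r}")
    # The verdict must follow from expected vs. actual, not be asserted independently.
    if bool(rec.get("passed")) != (ev["expected"] == ev["actual"]):
        findings.append("passed flag inconsistent with expected/actual")
    try:
        datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
    except ValueError:
        findings.append(f"unparseable timestamp {ev['timestamp']!r}")
    return findings


def tampered_sample() -> dict:
    """Constructed record whose stdout shows 'yes' while 'actual' still claims 'no'."""
    rec = copy.deepcopy(SAMPLE)
    rec["evidence"]["stdout"] = "PermitRootLogin yes\n"
    return rec
```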

Framework Coverage

| Framework | Mapping ID | Controls | Coverage |
|---|---|---|---|
| CIS RHEL 9 v2.0.0 | cis-rhel9-v2.0.0 | 271 | 95%+ |
| STIG RHEL 9 V2R7 | stig-rhel9-v2r7 | 338 | 75%+ |
| NIST 800-53 R5 | nist-800-53-r5 | 87 | Complete |
| PCI-DSS v4.0 | pci-dss-v4.0 | 45 | Complete |
| FedRAMP Moderate | fedramp-moderate | 87 | Complete |
| CIS RHEL 8 v4.0.0 | cis-rhel8-v4.0.0 | 120 | ~80% |
| STIG RHEL 8 V2R6 | stig-rhel8-v2r6 | 116 | ~70% |

How It Compares

| Feature | Kensa | Manual Checks | Ansible Lockdown | Point-in-Time Scanners |
|---|---|---|---|---|
| Architecture | Canonical rules, capability-gated | N/A | Per-OS per-framework repos | Per-benchmark content |
| Remediation | 23 typed mechanisms | Run commands by hand | Ansible tasks | Basic scripts or none |
| Rollback | Automatic | None | None | None |
| Rule Format | YAML | N/A | Ansible YAML | Varies (XCCDF/OVAL, Ruby DSL) |
| Frameworks per Rule | All simultaneously | Whatever you check | One repo per framework+OS | One profile per scan |
| Evidence | Structured JSON per check | Screenshots | Unstructured logs | Varies by tool |
| Agent Required | No (SSH) | No | No (SSH + Ansible) | Varies |
| OS Adaptation | 22 capability probes | N/A | Version-specific repos | Version-specific content |

CLI Reference

Detect host capabilities

kensa detect --sudo -h 192.168.1.10 -u admin

Check all rules

kensa check --sudo -h 192.168.1.10 -u admin -r rules/

Check a specific framework

kensa check --sudo -h 192.168.1.10 -u admin -r rules/ -f cis-rhel9-v2.0.0

Inventory scan (parallel)

kensa check --sudo -i inventory.yml -r rules/ -w 10

JSON output with evidence

kensa check --sudo -h 192.168.1.10 -u admin -r rules/ -o evidence:results.json

Dry-run remediation

kensa remediate --sudo -h 192.168.1.10 -u admin -r rules/ --dry-run

Remediate with rollback

kensa remediate --sudo -h 192.168.1.10 -u admin -r rules/ --rollback-on-failure

Look up a rule

kensa info V-257947

Framework coverage

kensa coverage -f cis-rhel9-v2.0.0

Drift comparison

kensa diff session-001 session-002

Output Formats

| Format | Flag | Use Case |
|---|---|---|
| Terminal | (default) | Color-coded pass/fail with summary |
| JSON | -o json:results.json | Automation, SIEM integration |
| CSV | -o csv:results.csv | Spreadsheet workflows |
| PDF | -o pdf:report.pdf | Stakeholder reports |
| Evidence | -o evidence:evidence.json | Full evidence export with host context |

Multiple outputs can be generated in a single run:

kensa check --sudo -h host -u admin -r rules/ \
  -o json:results.json -o csv:results.csv -o evidence:evidence.json

Need a Dashboard?

Kensa is the compliance engine. OpenWatch is the compliance operating system — a web platform with a dashboard, multi-host orchestration, temporal compliance queries, governance workflows, and audit reporting.


Built in the Open

Kensa is source-available under the Business Source License 1.1. Free for individuals and organizations under $5M annual revenue. Converts to Apache 2.0 on January 1, 2029.