The Compliance Operating System — See Everything, Continuously
OpenWatch
The compliance operating system for teams managing Linux infrastructure under STIG, CIS, NIST 800-53, PCI-DSS, and FedRAMP. Continuous visibility into compliance posture — not just what is passing now, but what was passing last Tuesday.


508 compliance rules · 80+ API endpoints · 5 frameworks · 10 min deploy time
The Problem
Point-in-Time Compliance Is Not Enough
Most compliance tools scan your systems and tell you what is passing today. That is useful, but it is not enough:
The posture decays immediately.
A server that passed STIG on Monday can drift by Wednesday. Without continuous monitoring, you will not know until the next audit.
Historical questions are unanswerable.
"Were we compliant during the assessment window?" requires re-scanning, which only tells you about now, not then.
Exceptions live in spreadsheets.
Approved deviations from policy are tracked in email threads and shared drives, disconnected from the scanning tool.
Drift is invisible.
When a rule that was passing starts failing, no one notices until an assessor finds it.
Evidence is assembled, not generated.
Teams spend days before an audit compiling screenshots and command outputs into binders.
Capabilities
What OpenWatch Does
Continuous Compliance Posture
Scan your fleet on a schedule or let OpenWatch adapt based on host health. Healthy servers scan every 15 minutes, degraded every 5, critical every 2. The posture dashboard updates in real time.
Temporal Compliance Queries
Ask "What was our STIG compliance on February 1st?" and get an answer backed by historical scan data. Compliance posture is not a snapshot; it is a timeline.
Compliance Drift Detection
When a rule that was passing starts failing, OpenWatch raises an alert automatically. Track drift events through acknowledgment to resolution.
Governance and Exception Management
Structured exception workflows: request, approve, reject, time-limit, revoke. All with a full audit trail. No more tracking waivers in spreadsheets.
Audit-Ready Evidence and Exports
Every check captures the exact command, raw output, expected value, and actual value. Export as CSV, JSON, or PDF. Evidence is generated by the scan, not assembled after the fact.
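The temporal query, drift detection and evidence capture described in the three capabilities above, as an added illustration that is not OpenWatch's or Kensa's code: a small Python model of per-check scan results (command, expected value, actual value) with a point-in-time posture query and pass-to-fail drift detection over stored history. The data layout, hosts, rule identifiers, timestamps and commands are constructed sample data for this example, not OpenWatch's schema or Kensa rule ids.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CheckResult:
    """One rule evaluated on one host by one scan, with the evidence the check captured.

    Hypothetical layout for this example; OpenWatch's own schema is not shown on the page.
    """
    host: str
    rule_id: str
    scanned_at: datetime
    passed: bool
    command: str   # command the check ran on the host
    expected: str  # value the rule requires
    actual: str    # raw output observed on the host


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample history for one host: two rules, scanned on Jan 28 and again on Feb 3.
# Rule identifiers are illustrative, not Kensa rule ids.
SAMPLE_RESULTS = [
    CheckResult("web-01", "sshd-permit-root-login", ts("2025-01-28T09:00:00"), True,
                "sshd -T | grep -i permitrootlogin", "permitrootlogin no", "permitrootlogin no"),
    CheckResult("web-01", "login-defs-pass-max-days", ts("2025-01-28T09:00:00"), True,
                "grep '^PASS_MAX_DAYS' /etc/login.defs", "PASS_MAX_DAYS 60", "PASS_MAX_DAYS 60"),
    # Root login was re-enabled between scans: this check drifts from pass to fail.
    CheckResult("web-01", "sshd-permit-root-login", ts("2025-02-03T09:00:00"), False,
                "sshd -T | grep -i permitrootlogin", "permitrootlogin no", "permitrootlogin yes"),
    CheckResult("web-01", "login-defs-pass-max-days", ts("2025-02-03T09:00:00"), True,
                "grep '^PASS_MAX_DAYS' /etc/login.defs", "PASS_MAX_DAYS 60", "PASS_MAX_DAYS 60"),
]


def posture_at(results, when):
    """Posture as of `when`: for each (host, rule) the most recent result scanned at or before it."""
    latest = {}
    for r in sorted(results, key=lambda r: r.scanned_at):
        if r.scanned_at <= when:
            latest[(r.host, r.rule_id)] = r  # later results overwrite earlier ones
    return latest


def compliance_percentage(results, when):
    """Answer 'what was our compliance on date X?' from stored history; None if no scan existed yet."""
    snapshot = posture_at(results, when)
    if not snapshot:
        return None
    passing = sum(1 for r in snapshot.values() if r.passed)
    return round(100.0 * passing / len(snapshot), 1)


def drift_events(results):
    """Find every pass -> fail transition between consecutive scans of the same host and rule.

    Each event carries the evidence of the failing check so an alert can show exactly what changed.
    """
    series = {}
    for r in sorted(results, key=lambda r: r.scanned_at):
        series.setdefault((r.host, r.rule_id), []).append(r)
    events = []
    for (host, rule_id), runs in series.items():
        for previous, current in zip(runs, runs[1:]):
            if previous.passed and not current.passed:
                events.append({
                    "host": host,
                    "rule_id": rule_id,
                    "last_passed_at": previous.scanned_at,
                    "failed_at": current.scanned_at,
                    "evidence": {"command": current.command,
                                 "expected": current.expected,
                                 "actual": current.actual},
                })
    return events


if __name__ == "__main__":
    for day in ("2025-02-01T00:00:00", "2025-02-04T00:00:00"):
        print(day, "->", compliance_percentage(SAMPLE_RESULTS, ts(day)), "% compliant")
    for event in drift_events(SAMPLE_RESULTS):
        print("DRIFT", event["host"], event["rule_id"],
              "expected", repr(event["evidence"]["expected"]),
              "got", repr(event["evidence"]["actual"]))
```

Querying February 1st returns 100% because the latest scan on or before that date is the January 28th run; querying February 4th returns 50%, and the single drift event points at the root-login check with the expected and observed values side by side, which is the shape an alert or an exception request needs.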
Multi-Framework, Single Scan
One scan maps findings to STIG, CIS, NIST 800-53, PCI-DSS, and FedRAMP simultaneously. The same evidence satisfies multiple assessors.
Architecture
How It All Fits Together
```text
┌─────────────────────────────────────────────────────────────┐
│ You / Your Team                                             │
└──────────────────────────┬──────────────────────────────────┘
                           │
┌──────────────────────────▼──────────────────────────────────┐
│ OpenWatch UI (React 19 · Material-UI v7)                    │
│ Dashboard · Posture · Alerts · Exceptions · Reports         │
├─────────────────────────────────────────────────────────────┤
│ OpenWatch API (FastAPI · 80+ endpoints)                     │
│ Auth · RBAC · Scheduling · Audit · Exports                  │
├────────────────────────┬────────────────────────────────────┤
│ Kensa Engine           │ Celery Workers                     │
│ 508 YAML rules         │ Async scanning                     │
│ 23 remediation types   │ Adaptive scheduling                │
│ Evidence capture       │ Drift detection                    │
├────────────────────────┴────────────────────────────────────┤
│ PostgreSQL 15          │ Redis 7.4                          │
│ All persistent data    │ Task queue + cache                 │
└────────────────────────┴────────────────────────────────────┘
                           │
                     SSH (port 22)
                           │
┌──────────────────────────▼──────────────────────────────────┐
│ Your Linux Servers (RHEL 8/9, Rocky, Alma)                  │
└─────────────────────────────────────────────────────────────┘
```
Get Started
Deploy in 10 Minutes
Requirements: Docker (or Podman) and 4 GB RAM.
```bash
git clone https://github.com/hanalyx/openwatch.git
cd openwatch
./start-openwatch.sh --runtime docker --build
```
Run Your First Scan
1. Add credentials — Settings > System Credentials > add your SSH user/key
2. Add a host — Hosts > Add Host > enter IP, select credentials
3. Scan — Click the play button on the host card

Results appear in under a minute. OpenWatch ships with 508 built-in Kensa rules — human-readable YAML, not XML — ready to go.
Security
Built for Secure Environments
OpenWatch is built for environments where security is the requirement, not an afterthought.
| Control | Implementation |
|---|---|
| Encryption at rest | AES-256-GCM |
| Authentication | RS256 JWT with Argon2id password hashing |
| Multi-factor auth | TOTP with backup codes |
| FIPS 140-2 | Compliant cryptography (env flag to enable) |
| Authorization | RBAC with 6 roles |
| Audit logging | All auth, authz, and compliance events |
| Rate limiting | 100 req/min per user, 1,000 req/min per IP |
| Transport | TLS 1.2+ with FIPS cipher suites |
| Target security | Agentless — scans over SSH, nothing installed |
API
API-First Design
OpenWatch exposes 80+ REST API endpoints. Everything you can do in the UI, you can automate. Integrate compliance scanning into CI/CD pipelines, SIEM platforms, or custom dashboards.
```bash
# Authenticate
TOKEN=$(curl -s -X POST http://localhost:8000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"admin"}' | jq -r '.access_token')

# Add a host
HOST_ID=$(curl -s -X POST http://localhost:8000/api/hosts/ \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"hostname":"web-01","ip_address":"192.168.1.10","ssh_port":22}' | jq -r '.id')

# Run a compliance scan
SCAN_ID=$(curl -s -X POST http://localhost:8000/api/scans/aegis \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"host_id\":\"$HOST_ID\",\"framework\":\"cis-rhel9-v2.0.0\"}" | jq -r '.scan_id')

# Get results
curl -s http://localhost:8000/api/scans/$SCAN_ID/results \
  -H "Authorization: Bearer $TOKEN" | jq '.compliance_percentage'
```
Comparison
How It Compares
OpenWatch is a compliance platform — it manages the lifecycle of compliance across a fleet, not just the scan itself.
| Feature | OpenWatch | Manual Processes | Point-in-Time Scanners | Enterprise Platforms |
|---|---|---|---|---|
| Multi-host scanning | One click, 100+ hosts | SSH into each server | Script it yourself | Agent or credentialed scan |
| Dashboard and history | Built-in | Spreadsheets | None | Commercial dashboard |
| Temporal compliance | Query any date | Impossible | Not available | Limited |
| Drift detection | Automatic alerts | Manual discovery | Not available | Partial |
| Exception workflows | Structured with audit trail | Spreadsheets and email | Not available | Not available |
| Framework coverage | STIG + CIS + NIST + PCI + FedRAMP | Whatever you check | Per-benchmark profiles | CIS/STIG/PCI |
| Remediation | 23 typed mechanisms with rollback | Run commands by hand | Basic scripts | Not available |
| Evidence model | Structured JSON per check | Screenshots | Varies by tool | PDF reports |
| Setup time | 10 minutes | N/A | Varies | Days + licensing |
| Cost | Free (Community) / Paid (Pro) | Labor | Free - varies | $50K+/year |
CLI Users
Looking for a CLI?
Kensa is the compliance engine underneath OpenWatch — 508 rules, 23 remediation mechanisms, automatic rollback, all over SSH. If you want a CLI that integrates into scripts and pipelines, start with Kensa.
Open Source
GitHub + Community
OpenWatch is open source under AGPLv3 + Managed Service Exception. Free to use, modify, and self-host.