Configuration Baseline Scanner
Signs the secure baseline on first run, then catches every drift away from it on every scheduled re-scan.
The problem
Configuration drift is universal. Systems get patched and a service comes back enabled. An admin makes a one-off change and forgets to revert it. A software install adds a port, a scheduled task, a SUID binary. The system that passed a baseline review six months ago does not pass one today, and nobody knew until the assessor ran their own scan and produced the diff the contractor should have caught months earlier.
3.4.1 requires that baseline configurations be established and maintained. 3.4.6 requires least functionality. 3.4.7 requires that nonessential services be disabled. None of those is achievable without an actual baseline to drift from, and the contractor either has one or does not. A contractor without one fails 3.4.1 by definition, before any other CM-family check runs.
The high-impact findings cluster around services that should not be running on a CUI host at all. Telnet still appears. Print Spooler runs on non-print servers, exposing the PrintNightmare vector. Remote Registry, IIS, and FTP Publishing show up routinely: all visible to assessors, all preventable, all common in first-scan reports across the industry.
What CMMC requires
NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.
3.4.1 (baseline configuration). Captures and verifies the signed baseline snapshot. Drift detection produces evidence that the baseline is being maintained, not merely declared.
3.4.2 (security configuration settings). Audits firewall, SELinux/AppArmor, kernel sysctls, and the security-relevant settings that constitute the secure configuration of the host.
3.4.6 (least functionality). Detects nonessential services and unused capabilities. Every running service is in scope for review under least-functionality requirements.
3.4.7 (nonessential services). Specifically flags Telnet, rsh, tftp, Remote Registry, Print Spooler on non-print servers, and other services that should be disabled by default.
3.13.1 (boundary protection). Host firewall posture is the host-level enforcement of boundary protection; a default-allow policy is a 3.13.1 finding.
How it works
Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.
Linux. Captures running services via systemctl list-units; host firewall posture via iptables -L -n, nft list ruleset, or firewalld status; kernel hardening sysctls (kernel.randomize_va_space, net.ipv4.conf.all.accept_redirects, fs.suid_dumpable, and nine more); SELinux/AppArmor enforcement state; and USB control via /etc/modprobe.d/ blacklists. With the --baseline flag, it snapshots packages, services, ports, a hash of the firewall rules, scheduled tasks, and SUID binaries to /etc/tolerance/baseline.json, signed with HMAC-SHA256 under a key derived from hardware identifiers. Because anyone who can read those identifiers on the host can recompute the key, the signature catches accidental corruption and unprivileged edits rather than a root-level attacker, which is one reason to sync a copy of the snapshot off the host.
Windows. Reads HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy for the Domain, Private (StandardProfile), and Public profiles. Checks AppLocker (HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2) and WDAC policy files in System32\CodeIntegrity. Verifies USBSTOR\Start = 4 (service disabled) for USB blocking and AutoRun policy in NoDriveTypeAutoRun. Audits Telnet, RemoteRegistry, Spooler, W3SVC, MSFTPSVC, and TftpSvc service state in a single registry pass.
macOS. Checks the application firewall via defaults read /Library/Preferences/com.apple.alf globalstate and Gatekeeper via spctl --status. Verifies SIP via csrutil status; disabled SIP is automatically CRITICAL on macOS because root can then modify protected system files unchecked.
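The Linux baseline step described above (snapshot, HMAC-SHA256 signature, tamper check on read, drift diff) as a worked example. This is added illustration, not the vendor's agent code. It assumes a baseline is a JSON document of sorted lists per category plus a hash of the firewall ruleset, and that the HMAC key is derived from host identifiers; the derivation, the identifiers and both host snapshots below are constructed stand-ins, not data collected from a system.

```python
"""Signed baseline snapshot and drift diff (added example, not the vendor's code)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

BASELINE_PATH = Path("/etc/tolerance/baseline.json")  # path named on the page

# Constructed stand-in for identifiers the agent would read from the host.
HARDWARE_IDS = {"product_uuid": "4c4c4544-0000-2010-8020-b2c04f4a4e31",
                "root_disk_serial": "S3Z9NB0K500001"}

# Constructed first-run snapshot of a clean host.
CLEAN_HOST = {
    "services": ["auditd", "chronyd", "sshd"],
    "ports": ["22/tcp"],
    "suid_binaries": ["/usr/bin/passwd", "/usr/bin/sudo"],
    "scheduled_tasks": ["/etc/cron.daily/logrotate"],
    "firewall_rules_sha256": hashlib.sha256(b"chain input { policy drop; }").hexdigest(),
}
# Constructed later state: a print service and its port, a new SUID helper, a changed ruleset.
DRIFTED_HOST = {
    "services": ["auditd", "chronyd", "cups", "sshd"],
    "ports": ["22/tcp", "631/tcp"],
    "suid_binaries": ["/usr/bin/passwd", "/usr/bin/sudo", "/usr/local/bin/backup-helper"],
    "scheduled_tasks": ["/etc/cron.daily/logrotate"],
    "firewall_rules_sha256": hashlib.sha256(b"chain input { policy accept; }").hexdigest(),
}


def derive_key(hardware_ids: dict) -> bytes:
    """Hypothetical key derivation from host identifiers (stand-in, not the agent's).

    Anyone who can read the same identifiers on the host (i.e. root) can recompute
    this key and re-sign, so the HMAC catches corruption and unprivileged edits,
    not a root-level attacker; keep an off-host copy for that threat.
    """
    material = json.dumps(hardware_ids, sort_keys=True).encode()
    return hashlib.sha256(b"tolerance-baseline-v1|" + material).digest()


def canonical(snapshot: dict) -> bytes:
    # Deterministic serialization so the MAC does not depend on dict ordering.
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(snapshot: dict, key: bytes) -> dict:
    mac = hmac.new(key, canonical(snapshot), hashlib.sha256).hexdigest()
    return {"snapshot": snapshot, "hmac_sha256": mac}


def verify_baseline(signed, key: bytes) -> bool:
    if not isinstance(signed, dict) or not isinstance(signed.get("snapshot"), dict):
        return False
    expected = hmac.new(key, canonical(signed["snapshot"]), hashlib.sha256).hexdigest()
    # Constant-time compare; a mismatch is the "tamper on every read" signal.
    return hmac.compare_digest(expected.encode(), str(signed.get("hmac_sha256", "")).encode())


def write_baseline(path: Path, snapshot: dict, key: bytes) -> None:
    path.write_text(json.dumps(sign_baseline(snapshot, key), sort_keys=True, indent=2))


def load_baseline(path: Path, key: bytes) -> dict:
    """Read and verify; refuse to diff against a baseline that fails the MAC check."""
    signed = json.loads(path.read_text())
    if not verify_baseline(signed, key):
        raise ValueError(f"baseline at {path} failed HMAC-SHA256 verification")
    return signed["snapshot"]


def diff_snapshot(baseline: dict, current: dict) -> dict:
    """Per-category additions/removals for lists, before/after for scalars such as the rules hash."""
    drift = {}
    for category in sorted(set(baseline) | set(current)):
        before, after = baseline.get(category), current.get(category)
        if isinstance(before, list) or isinstance(after, list):
            added = sorted(set(after or []) - set(before or []))
            removed = sorted(set(before or []) - set(after or []))
            if added or removed:
                drift[category] = {"added": added, "removed": removed}
        elif before != after:
            drift[category] = {"before": before, "after": after}
    return drift


def drift_findings(drift: dict) -> list:
    """One MEDIUM finding per drifted category, in the wording of the findings list."""
    return [f"MEDIUM Baseline drift detected: {cat} {detail}" for cat, detail in drift.items()]


if __name__ == "__main__":
    key = derive_key(HARDWARE_IDS)
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for BASELINE_PATH's directory
        path = Path(tmp) / BASELINE_PATH.name
        write_baseline(path, CLEAN_HOST, key)
        for finding in drift_findings(diff_snapshot(load_baseline(path, key), DRIFTED_HOST)):
            print(finding)
```

Run stand-alone it writes a signed baseline to a temporary directory, reloads it through the tamper check, and prints one MEDIUM drift finding each for the new service, the new port, the new SUID binary and the changed firewall rules hash; the unchanged scheduled tasks produce nothing. Editing a single list element in the file makes load_baseline raise rather than silently diff against the altered baseline.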
What it finds
Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.
- CRITICAL: Telnet, rsh, or rlogin service running. A plaintext remote access service is active. It cannot be configured to be safe; it must be disabled. 3.4.7 violation, also 3.13.8.
- CRITICAL: SELinux disabled on a RHEL system. Mandatory access control is off; process confinement, file labeling, and policy enforcement are all unavailable.
- CRITICAL: macOS SIP disabled. System Integrity Protection is off; root can modify protected system files and kernel-level hardening is bypassed.
- HIGH: Host firewall disabled or default-allow. The firewall is not running, the INPUT/FORWARD policy is ACCEPT, or a Windows profile has EnableFirewall=0. The host has no boundary protection.
- HIGH: Print Spooler running on a non-print server. PrintNightmare attack surface; Spooler should be disabled on every server that does not specifically need it.
- HIGH: kernel.randomize_va_space ≠ 2. ASLR is reduced or disabled and memory corruption exploits become significantly easier. A hardening regression.
- MEDIUM: Baseline drift detected. A new service, port, scheduled task, or SUID binary appeared since the last baseline, and configuration management did not approve the change.
Configuration findings span four 5-point requirements in the CM family alone (3.4.1, 3.4.2, 3.4.6, 3.4.7), plus 3.13.1 (5 points) for firewall failures. A CRITICAL Telnet finding is a near-automatic 5-point loss on 3.4.7. SELinux disabled is 5 points on 3.4.2. A single drift finding on 3.4.1 is small by itself, but drift accumulates fast across a fleet, and a contractor whose baseline drifts on every system loses those points again in every assessment cycle. Catching the drift on the day it happens is the difference.
How it hooks into the platform
The platform takes a signed baseline snapshot of each host on first discovery and re-diffs on its own cadence; you never invoke either step. You configure whether snapshots and diffs stay on-prem or sync up. The signed baseline file is the SSP's 3.4.1 configuration baseline artifact, dated and tied to specific hardware. Drift findings populate the configuration management section as current state versus baseline state across 3.4.1, 3.4.2, 3.4.6, and 3.4.7. POA&M items capture per-host drift with the diff. Each re-diff produces ongoing CM evidence rather than a one-time document.
How we know it's working
Acceptance criteria from the engineering spec: what the agent must do to ship.
- Captures and verifies a signed baseline plus drift diff in one round-trip
- Reads live kernel firewall state, never trusts the configuration file alone
- Distinguishes services enabled-at-boot from services currently running
- Compares both sysctl config files and live /proc/sys values per host
- Detects both blacklist and install /bin/false USB module-blocking idioms
- Signs the baseline file with HMAC-SHA256 and detects tamper on every read
- Suppresses platform-irrelevant checks so cross-platform fleets stay clean
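Three of the checks behind these criteria (live firewall policy rather than config, sysctl config files versus live /proc/sys values, and the two USB module-blocking idioms) as a worked example. This is added illustration, not the vendor's agent code. The strings below are constructed stand-ins for /etc/modprobe.d/*.conf contents, /etc/sysctl.d/*.conf contents, live /proc/sys values and `iptables -L -n` output; on a real host the same functions would be fed the text read from those sources.

```python
"""Host checks over constructed input (added example, not the vendor's code)."""
import re

# Hardened values for the three sysctls the page names.
HARDENED_SYSCTLS = {
    "kernel.randomize_va_space": "2",
    "net.ipv4.conf.all.accept_redirects": "0",
    "fs.suid_dumpable": "0",
}

# Constructed inputs standing in for files and command output on a host.
MODPROBE_STRONG = "# block USB mass storage\ninstall usb-storage /bin/false\n"
MODPROBE_WEAK = "blacklist usb_storage\n"
MODPROBE_NONE = "options snd_hda_intel power_save=1\n"
SYSCTL_CONF_FILES = [
    "# 10-hardening.conf\nkernel.randomize_va_space = 2\nfs.suid_dumpable = 0\n",
    "# 20-network.conf\nnet.ipv4.conf.all.accept_redirects=0\n",
]
LIVE_SYSCTL_REGRESSED = {"kernel.randomize_va_space": "0",       # ASLR turned off at runtime
                         "net.ipv4.conf.all.accept_redirects": "0",
                         "fs.suid_dumpable": "0"}
IPTABLES_DEFAULT_ALLOW = ("Chain INPUT (policy ACCEPT)\ntarget prot opt source destination\n\n"
                          "Chain FORWARD (policy DROP)\ntarget prot opt source destination\n\n"
                          "Chain OUTPUT (policy ACCEPT)\ntarget prot opt source destination\n")
IPTABLES_DEFAULT_DENY = IPTABLES_DEFAULT_ALLOW.replace("INPUT (policy ACCEPT)", "INPUT (policy DROP)")


def _strip(line: str) -> str:
    # Drop comments and surrounding whitespace; both file formats use '#' comments.
    return line.split("#", 1)[0].strip()


def usb_storage_block_idiom(modprobe_texts):
    """Return 'install' if usb_storage is redirected to /bin/false or /bin/true,
    'blacklist' if it is only blacklisted, None if neither idiom is present.

    blacklist only stops alias-based autoload; an explicit `modprobe usb-storage`
    still loads the module, so the install idiom is the stronger control.
    """
    found = set()
    for text in modprobe_texts:
        for raw in text.splitlines():
            parts = _strip(raw).split()
            # modprobe treats '-' and '_' in module names as interchangeable.
            if len(parts) >= 2 and parts[1].replace("-", "_") == "usb_storage":
                if parts[0] == "install" and len(parts) >= 3 and parts[2] in ("/bin/false", "/bin/true"):
                    found.add("install")
                elif parts[0] == "blacklist":
                    found.add("blacklist")
    return "install" if "install" in found else ("blacklist" if "blacklist" in found else None)


def parse_sysctl_conf(texts):
    """Later files win, as with `sysctl --system` reading files in lexical order."""
    settings = {}
    for text in texts:
        for raw in text.splitlines():
            line = _strip(raw)
            if "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                settings[key] = value
    return settings


def sysctl_findings(config, live):
    """Judge the live (/proc/sys) value first, then whether config persists the hardened value."""
    findings = []
    for key, want in HARDENED_SYSCTLS.items():
        cfg, cur = config.get(key), live.get(key)
        if cur != want:
            findings.append(f"{key}: live={cur!r} expected={want!r}")
        elif cfg is None:
            findings.append(f"{key}: live is hardened but not persisted in config")
        elif cfg != want:
            findings.append(f"{key}: live is hardened but config persists {cfg!r}; regresses at reboot")
    return findings


def iptables_default_allow(listing: str) -> bool:
    """True when the INPUT or FORWARD chain policy is ACCEPT in `iptables -L -n` output."""
    policies = dict(re.findall(r"^Chain (INPUT|FORWARD) \(policy (\w+)\)", listing, re.M))
    return any(policy == "ACCEPT" for policy in policies.values())


if __name__ == "__main__":
    print("usb idiom:", usb_storage_block_idiom([MODPROBE_STRONG]), usb_storage_block_idiom([MODPROBE_WEAK]))
    print("sysctl:", sysctl_findings(parse_sysctl_conf(SYSCTL_CONF_FILES), LIVE_SYSCTL_REGRESSED))
    print("default-allow:", iptables_default_allow(IPTABLES_DEFAULT_ALLOW))
```

The sysctl check reports the live value when it is wrong and only then falls back to persistence problems, which is why a host whose config says 2 but whose running kernel says 0 is reported as an ASLR regression (the HIGH finding above) rather than as a config mismatch. The USB check deliberately ranks the install idiom above blacklist, because blacklist alone does not prevent a deliberate modprobe.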
Run this agent against your environment.
Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.