
kastelldev/kastell

v1.12.0 Security

This release includes 2 security fixes of interest to teams reviewing internet-exposed deployments.

✓ No known CVEs patched. The two security fixes listed below (jq injection, SSH sed tab pattern) carry no CVE identifier.

Topics

automation cli coolify devops digitalocean docker dokploy hetzner linode mcp security-audit self-hosted server-management typescript vps vultr

Affected surfaces

auth rbac deps

Summary

AI summary

Added audit --explain inline explanations and expanded lock hardening to 19 steps with 413 audit checks.

Full changelog

v1.12.0 — Lock Advanced + Audit Explain

Deep lock hardening (19 steps, 413 audit checks) with audit --explain inline explanations.

Added

  • audit --explain — Inline "Why:" + fix explanation for each failing check in CLI and MCP
  • Lock: auditd CIS L2 rules — Deep audit rules (time-change, network-change, kernel-module) in 50-kastell-deep.rules
  • Lock: sysctl deep tuning — 21 kernel hardening settings (dmesg_restrict, kptr_restrict, bpf_jit_harden, rp_filter, ASLR)
  • Lock: pwquality — CIS L1 password policy (minlen=14, complexity classes), non-fatal with graceful skip
  • Lock: SSH cipher blacklist — Weak ciphers/MACs/KEX removed with sshd -t validation and automatic rollback
  • Lock: Docker runtime hardening — daemon.json merge with platform-aware guards and reload-not-restart
  • Lock 19-step hardening — Expanded from 16 to 19 steps
  • Audit 413 checks — 4 new checks (BPF JIT, audit time/network/module rules)
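The two items above that touch the kernel (sysctl deep tuning) and the CLI (audit --explain) combine naturally into one check routine: read a setting from /proc/sys, compare it with the hardened value, and on failure print the "Why:" and fix text. The shell below is an added example, not kastell's own code. The five settings are the ones named in the release note; their target values, the "Why:" wording, the fix commands and the function names (read_sysctl, audit_sysctl, sysctl_failures, render_sysctl_dropin) are assumptions for this example, not the project's real 21-setting table. The fake /proc/sys tree used when testing it is constructed.

```sh
#!/bin/sh
# Added example (not kastell's own code): a sysctl hardening audit in the
# style of "audit --explain".  Values and wording below are assumptions
# based only on the setting names the release notes list.

# key|expected|why|fix  (assumed CIS-style values, constructed for the example)
SYSCTL_CHECKS='kernel.dmesg_restrict|1|Unprivileged users can read kernel addresses and oops output from dmesg|sysctl -w kernel.dmesg_restrict=1
kernel.kptr_restrict|2|Kernel pointers printed in /proc leak the kernel layout and defeat KASLR|sysctl -w kernel.kptr_restrict=2
net.core.bpf_jit_harden|2|Unhardened BPF JIT output lets an attacker spray chosen constants into executable memory|sysctl -w net.core.bpf_jit_harden=2
net.ipv4.conf.all.rp_filter|1|Without reverse-path filtering packets with spoofed source addresses are accepted|sysctl -w net.ipv4.conf.all.rp_filter=1
kernel.randomize_va_space|2|Partial or disabled ASLR makes memory-corruption exploits reliable|sysctl -w kernel.randomize_va_space=2'

# read_sysctl KEY [ROOT]: print the live value of KEY from ROOT (default
# /proc/sys).  ROOT exists so the audit can be run against a test tree.
read_sysctl() {
  root=${2:-/proc/sys}
  path="$root/$(printf '%s' "$1" | tr . /)"
  if [ -r "$path" ]; then cat "$path"; fi
}

# audit_sysctl [ROOT] [--explain]: one PASS/FAIL line per check; with a
# second argument, failing checks also get the Why:/Fix: explanation.
audit_sysctl() {
  root=${1:-/proc/sys} explain=${2:-}
  printf '%s\n' "$SYSCTL_CHECKS" | while IFS='|' read -r key want why fix; do
    have=$(read_sysctl "$key" "$root")
    if [ "$have" = "$want" ]; then
      printf 'PASS %s=%s\n' "$key" "$have"
    else
      printf 'FAIL %s=%s (want %s)\n' "$key" "${have:-<unset>}" "$want"
      if [ -n "$explain" ]; then
        printf '  Why: %s\n  Fix: %s\n' "$why" "$fix"
      fi
    fi
  done
}

# sysctl_failures [ROOT]: number of failing checks.
sysctl_failures() {
  audit_sysctl "${1:-}" | grep -c '^FAIL'
}

# render_sysctl_dropin: the sysctl.d fragment that would make every check pass.
render_sysctl_dropin() {
  printf '%s\n' "$SYSCTL_CHECKS" | while IFS='|' read -r key want _; do
    printf '%s = %s\n' "$key" "$want"
  done
}

if [ "${1:-}" = --demo ]; then
  audit_sysctl "" --explain        # "" = the live /proc/sys of this host
  echo "failures: $(sysctl_failures)"
fi
```

To apply the fragment, write `render_sysctl_dropin` output to a file under /etc/sysctl.d/ and run `sysctl --system`; then re-run the audit, since a setting can be present in a file yet overridden by a later one. One caveat a practitioner will want: strict reverse-path filtering (rp_filter=1) breaks hosts with asymmetric routing, where loose mode (2) is the usual compromise.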

Fixed

  • jq injection prevention (stdin pipe instead of shell interpolation)
  • SSH sed tab pattern for cipher/MAC/KEX directives
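The Docker daemon.json merge (Lock: Docker runtime hardening, above) and the jq injection fix are two sides of one pattern: configuration values that are spliced into a shell command string get parsed as code, once by sh and once by jq, while values handed over a pipe stay data. The shell below is an added example, not kastell's own code. It puts a deliberately vulnerable setter next to a version that pipes the value into jq and deep-merges it into the file. The function names (set_daemon_key_vuln, set_daemon_key, merge_daemon_json), the sample daemon.json and the hostile value are constructed for the example; it needs jq on PATH.

```sh
#!/bin/sh
# Added example (not kastell's own code).  Shows why interpolating data into
# a shell command string is an injection, and the stdin-pipe form that avoids
# it.  Function names and the sample file are constructed for this example.

# VULNERABLE (kept broken on purpose): key and value are spliced into a
# command line that a second shell parses.  A value holding a single quote
# escapes the jq program and runs arbitrary commands; a value holding a
# double quote rewrites the jq filter and can change any other key.
set_daemon_key_vuln() {
  file=$1 key=$2 value=$3
  sh -c "jq '.[\"$key\"] = \"$value\"' '$file'"
}

# merge_daemon_json FILE: read a JSON object on stdin and deep-merge it into
# FILE (the patch wins on conflicts).  The patch never appears on a command
# line: jq reads FILE via --slurpfile and the patch as its stdin input.
merge_daemon_json() {
  file=$1
  [ -s "$file" ] || printf '{}\n' > "$file"
  if jq --slurpfile base "$file" '$base[0] * .' > "$file.tmp"; then
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # keeps mode and owner
  else
    rm -f "$file.tmp"; return 1      # malformed patch or file: FILE untouched
  fi
}

# HARDENED: the raw value travels through a pipe (-R raw input, -s as one
# string), becomes a JSON string inside jq, and is merged as data.  Shell
# and jq metacharacters in the value are inert.
set_daemon_key() {
  file=$1 key=$2 value=$3
  printf '%s' "$value" | jq -Rs --arg k "$key" '{($k): .}' | merge_daemon_json "$file"
}

if [ "${1:-}" = --demo ]; then
  f=$(mktemp)
  printf '{"live-restore": true}\n' > "$f"
  evil="x'; echo PWNED; echo '"                  # constructed hostile value
  echo '--- vulnerable:'; set_daemon_key_vuln "$f" log-driver "$evil"
  echo '--- hardened:';   set_daemon_key "$f" log-driver "$evil" && cat "$f"
  rm -f "$f"
fi
```

Run with `--demo` to see PWNED printed by the vulnerable path while the hardened path stores the same string as an ordinary JSON value. After a successful merge, send dockerd SIGHUP (for example `systemctl reload docker`) rather than restarting it; only the keys dockerd documents as reloadable take effect that way, so check the daemon log for a rejected key before assuming the change is live.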
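The SSH cipher blacklist item above (weak ciphers, MACs and KEX removed, `sshd -t` validation, automatic rollback) and the "SSH sed tab pattern" fix belong to the same routine: a sed expression that anchors on `^Ciphers ` with a literal space never sees a directive that is indented with, or separated from its value by, a tab. The shell below is an added example, not kastell's own code: it filters the configured algorithm lists against a blacklist using `[[:blank:]]` (space or tab), then keeps the change only if the validator accepts the file. The weak-algorithm lists, the `.kastell-bak` suffix and the function names (filter_algos, harden_sshd_algos) are assumptions for this example, and the sample sshd_config is constructed.

```sh
#!/bin/sh
# Added example, not kastell's own code: strip weak algorithms from an
# sshd_config, validate the result, and roll back automatically if the
# daemon rejects it.  The weak lists, the .kastell-bak suffix and the
# function names are assumptions for this example.

# Algorithms to remove (constructed list of commonly blacklisted names).
WEAK_CIPHERS='3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se'
WEAK_MACS='hmac-md5 hmac-md5-96 hmac-sha1-96 umac-64@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-sha1-96-etm@openssh.com umac-64-etm@openssh.com'
WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1'

# filter_algos LIST WEAK: drop every entry of the comma-separated LIST that
# appears in the space-separated WEAK set.  Prints the filtered comma list
# (empty when nothing survives).
filter_algos() {
  out=
  for a in $(printf '%s' "$1" | tr ',' ' '); do
    case " $2 " in *" $a "*) continue ;; esac
    out="${out:+$out,}$a"
  done
  printf '%s' "$out"
}

# harden_sshd_algos CFG [VALIDATOR...]: rewrite Ciphers/MACs/KexAlgorithms
# in CFG, then run "VALIDATOR CFG" (default: sshd -t -f CFG).  If the
# validator fails, the original file is restored and 1 is returned.
harden_sshd_algos() {
  cfg=$1; shift
  [ $# -gt 0 ] || set -- sshd -t -f
  bak="$cfg.kastell-bak"
  cp -p "$cfg" "$bak" || return 1
  for d in Ciphers MACs KexAlgorithms; do
    case $d in
      Ciphers) weak=$WEAK_CIPHERS ;;
      MACs)    weak=$WEAK_MACS ;;
      *)       weak=$WEAK_KEX ;;
    esac
    # [[:blank:]] matches a space OR a tab, so "\tCiphers\taes128-cbc" is
    # found; a pattern like "^Ciphers " silently skips tab-separated lines.
    cur=$(sed -n "s/^[[:blank:]]*$d[[:blank:]]\{1,\}//p" "$cfg" | head -n 1)
    [ -n "$cur" ] || continue
    new=$(filter_algos "$cur" "$weak")
    if [ -n "$new" ]; then
      sed "s/^[[:blank:]]*$d[[:blank:]]\{1,\}.*/$d $new/" "$cfg" > "$cfg.tmp"
    else
      # every configured algorithm was weak: drop the directive so sshd
      # falls back to its built-in defaults instead of an empty list
      sed "/^[[:blank:]]*$d[[:blank:]]/d" "$cfg" > "$cfg.tmp"
    fi
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"   # keeps mode and owner
  done
  if "$@" "$cfg"; then
    rm -f "$bak"
    return 0
  fi
  mv "$bak" "$cfg"        # rollback: the daemon rejected the new config
  return 1
}

if [ "${1:-}" = --demo ]; then
  # demo on a constructed config, never on the live /etc/ssh/sshd_config
  demo=$(mktemp)
  printf 'Port 22\n\tCiphers aes128-cbc,chacha20-poly1305@openssh.com\nMACs\thmac-md5,hmac-sha2-256\n' > "$demo"
  harden_sshd_algos "$demo" true && cat "$demo"
  rm -f "$demo"
fi
```

On a real host call `harden_sshd_algos /etc/ssh/sshd_config` with no validator argument so `sshd -t -f` is used, and reload sshd only after it returns 0; `sshd -T` then shows the effective algorithm lists. Two simplifications to keep in mind: every occurrence of a directive (including those inside Match blocks) is rewritten with the filtered value of the first one, and directive names are matched case-sensitively, whereas sshd accepts any case.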

Install

npm install -g kastell@1.12.0
# or
npx kastell@1.12.0

Full changelog: https://github.com/kastelldev/kastell/blob/main/CHANGELOG.md

Security Fixes

  • Prevented jq injection by using stdin pipe instead of shell interpolation
  • Fixed SSH sed tab pattern for cipher/MAC/KEX directives



About kastelldev/kastell

Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalOcean, Vultr, and Linode. 13 MCP tools.


Beta — feedback welcome: [email protected]