Linux integrity monitoring without scraping secrets off the host
Blackglass standardizes how you capture approved SSH and listener baselines, run drift scans on demand or on schedule, and export auditor-ready evidence — with workspace isolation per organisation and role-based access baked in from the start.
A single view of all managed hosts — scan state, drift event counts, and SSH posture score for every server in your workspace.
Live host list with online/offline status and last-scan timestamp.
Per-host drift event count, broken down by severity (HIGH / MEDIUM / INFO).
SSH posture summary: passing, warning, and failing directive checks.
Risk-score ordering so the highest-risk hosts surface first.
Click through to any host for the full detail view.
Host detail view
Everything Blackglass knows about a single host: baseline metadata, open drift events, SSH configuration, listeners, and service states — in one place.
Active baseline with capture timestamp and capturing operator.
Open drift events with before/after values and severity classification.
Effective SSH configuration (resolved across all Include fragments via sshd -T).
Open TCP/UDP listener list compared to the approved baseline.
When a scan finds a configuration value that differs from the approved baseline, Blackglass creates a drift event with severity, field, before/after values, and a remediation workflow.
Severity: HIGH (security-critical directives), MEDIUM (hardening-relevant), INFO (cosmetic/expected).
Field-level diff: shows exactly which directive changed and the old vs. new value.
Assign owner, set due date, add notes, and close with a resolution record.
Filter by severity, host, status (open / acknowledged / closed), and date range.
Webhook notifications for new HIGH and MEDIUM events to Slack, email, or any HTTP endpoint.
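A field-level drift check of the kind described above, as an added example that is not Blackglass code: it compares two `sshd -T` dumps and emits events with before/after values. The severity tiers, function names, and sample dumps are assumptions made for illustration.

```python
# Added example: field-level drift between two `sshd -T` dumps.
# The severity tiers below are assumptions, not Blackglass's own rules.
from collections import defaultdict

HIGH = {"permitrootlogin", "passwordauthentication", "permitemptypasswords",
        "authorizedkeysfile", "authenticationmethods"}
MEDIUM = {"x11forwarding", "allowtcpforwarding", "maxauthtries",
          "ciphers", "macs", "kexalgorithms", "port", "listenaddress"}

def parse_sshd_t(text):
    """Parse `sshd -T` output into {directive: sorted tuple of values}.

    sshd -T prints one lowercase keyword per line; keywords such as
    port, hostkey and listenaddress can repeat, so values are collected.
    """
    conf = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()].append(value.strip())
    return {k: tuple(sorted(v)) for k, v in conf.items()}

def severity(field):
    if field in HIGH:
        return "HIGH"
    return "MEDIUM" if field in MEDIUM else "INFO"

def drift_events(baseline_text, current_text):
    """Return drift events sorted HIGH first, with before/after values."""
    base, cur = parse_sshd_t(baseline_text), parse_sshd_t(current_text)
    events = []
    for field in sorted(base.keys() | cur.keys()):
        before, after = base.get(field), cur.get(field)
        if before != after:  # also catches added or removed directives
            events.append({"field": field, "severity": severity(field),
                           "before": before, "after": after})
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(events, key=lambda e: (order[e["severity"]], e["field"]))

# Constructed sample dumps (not captured from a real host).
BASELINE = "port 22\npermitrootlogin no\npasswordauthentication no\nx11forwarding no\nbanner none\n"
CURRENT = "port 22\nport 2222\npermitrootlogin yes\npasswordauthentication no\nx11forwarding no\nbanner /etc/issue.net\n"

if __name__ == "__main__":
    for e in drift_events(BASELINE, CURRENT):
        print(e["severity"], e["field"], e["before"], "->", e["after"])
```

Comparing the resolved `sshd -T` output rather than the raw config files means a change made in an Include fragment shows up as a drift event on the directive it affects.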
Export a structured, dated evidence bundle for a host or the whole fleet — useful for auditors, internal security reviews, and compliance questionnaires.
Bundle includes: baseline snapshot, all drift events in scope, remediation records, and exporter metadata.
Operator notes and acknowledgements are included inline for chain-of-custody.
Export format is structured for readability by non-technical reviewers.
Scoped exports: per-host, per-environment, or full-workspace.
Audit log covers every export event (who exported, when, what scope).
Five roles with distinct permissions — from read-only external auditors to workspace owners. Viewers and guest auditors are always unlimited on paid plans.
Owner: full workspace control, billing, member management.
Admin: manage members, baselines, and settings.
Operator: run scans, capture baselines, manage drift events.
Viewer: read-only access to all workspace data — unlimited on paid plans.
Guest auditor: scoped read access for external reviewers — unlimited on paid plans.
All role checks enforced server-side; cannot be bypassed from the browser.
Collector model
Blackglass uses an agentless SSH collection model for most deployments. For hosts not reachable over SSH from the control plane (NAT-ed internal hosts, air-gapped segments), a push-ingest agent can be deployed on the host itself.
Agentless (pull): Blackglass connects over SSH using a dedicated least-privilege collector user. No root access required.
Agent (push): For hosts that cannot be reached from the outside, a lightweight agent sends scan results to the Blackglass ingest API over HTTPS.
No secrets harvested: The collector gathers configuration metadata — SSH directives, sysctl values, open listeners, service states. It does not read application configuration, environment variables, or private keys.