Use case

Linux configuration drift detection with Blackglass

Every fleet drifts. Manual interventions, package updates, automation gaps, and emergency fixes all leave server state diverging from the known-good baseline. Blackglass makes drift visible, measurable, and actionable.

Why configuration drift happens

In practice, Linux servers accumulate unplanned changes for several reasons:

  • Manual hotfixes — an operator tweaks /etc/ssh/sshd_config during an incident and never reverts the change.
  • Package upgrades — a kernel or service update overwrites a sysctl or PAM config without a corresponding policy update.
  • Automation scripts — a one-off Ansible play or shell script touches the host and the change is never codified in your IaC repo.
  • Configuration management gaps — hosts provisioned before your current tooling era drift silently for months.

The problem is not that drift happens — it is that you only find out about it when something breaks, when a pen-tester reports it, or when an auditor asks for evidence.

How Blackglass detects drift

  1. Baseline snapshot. After a hardening pass or change freeze, you capture an approved baseline in Blackglass — recording the current state of SSH configuration, kernel parameters, open listeners, and service states.
  2. Scheduled or on-demand scans. Blackglass re-collects the same metadata on the schedule you define (hourly, daily, or triggered post-deployment). It compares the live state to the approved baseline.
  3. Severity-classified drift events. Changes are surfaced with a severity level (HIGH / MEDIUM / INFO) based on the field affected. A PermitRootLogin yes change is HIGH; a comment-line change is INFO. You control the noise floor.
  4. Remediation workflow. Each drift event can be acknowledged, assigned an owner, given a due date, and closed with a note. The full history is exportable as an evidence bundle for audits.
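To make steps 1 to 3 concrete, here is an added Python sketch that is not Blackglass's own code: it parses constructed sshd_config and sysctl snapshots, diffs a live snapshot against a baseline, and ranks each drift event by severity. The SEVERITY table, the MED/INFO noise floor and the sample values are assumptions for illustration only.

```python
SEVERITY = {  # assumed illustrative policy, not Blackglass's built-in rules
    ("sshd", "PermitRootLogin"): "HIGH",
    ("sshd", "PasswordAuthentication"): "HIGH",
    ("sysctl", "net.ipv4.tcp_syncookies"): "MED",
    ("sysctl", "kernel.randomize_va_space"): "HIGH",
}
RANK = {"HIGH": 0, "MED": 1, "INFO": 2}

def parse_sshd_config(text):
    """Map sshd_config text to {("sshd", directive): value}. Comment lines are
    folded into one pseudo-field so an edited comment surfaces only as INFO."""
    snap, comments = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            comments.append(line)
        elif line:
            key, _, value = line.replace("\t", " ").partition(" ")
            snap[("sshd", key)] = value.strip()
    snap[("sshd", "#comments")] = tuple(comments)
    return snap

def parse_sysctl(text):
    """Map "key = value" lines (sysctl -a style) to {("sysctl", key): value}."""
    return {("sysctl", k.strip()): v.strip()
            for k, v in (ln.split("=", 1) for ln in text.splitlines() if "=" in ln)}

def detect_drift(baseline, current):
    """Diff two snapshots; return events ordered HIGH -> MED -> INFO. A field
    missing from either side shows as None; unlisted fields fall to INFO."""
    events = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            events.append({"severity": SEVERITY.get(key, "INFO"), "source": key[0],
                           "field": key[1], "baseline": baseline.get(key),
                           "current": current.get(key)})
    return sorted(events, key=lambda e: RANK[e["severity"]])

# Constructed sample snapshots (not real host data): an incident hotfix plus a sysctl regression.
BASELINE = {**parse_sshd_config("# hardened\nPermitRootLogin prohibit-password\n"
                                "PasswordAuthentication no\n"),
            **parse_sysctl("net.ipv4.tcp_syncookies = 1\nkernel.randomize_va_space = 2\n")}
CURRENT = {**parse_sshd_config("# hotfix during incident\nPermitRootLogin yes\n"
                               "PasswordAuthentication no\n"),
           **parse_sysctl("net.ipv4.tcp_syncookies = 0\nkernel.randomize_va_space = 2\n")}

if __name__ == "__main__":
    for e in detect_drift(BASELINE, CURRENT):
        print(e["severity"], e["source"], "/", e["field"], e["baseline"], "->", e["current"])
```

Run against the constructed snapshots it reports the PermitRootLogin change as HIGH, the tcp_syncookies change as MED and the edited comment as INFO, mirroring the severity split described above.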

What Blackglass tracks

  • SSH daemon configuration — every directive in sshd_config and active Include fragments.
  • Kernel parameters — sysctl values relevant to network hardening, randomisation, and exploit mitigation.
  • Open listener surface — TCP/UDP ports bound at time of scan, compared to baseline to surface new or removed services.
  • Service states — critical service enable/disable status that should remain stable across deployments.

Blackglass does not copy file contents, application secrets, or private keys into its storage — only the metadata needed to detect meaningful drift.

Sample drift event

  HIGH   sshd / PermitRootLogin               baseline: prohibit-password   current: yes
  MED    sysctl / net.ipv4.tcp_syncookies     baseline: 1                   current: 0
