Prerequisites

  • Python 3.10+ on the machine running Kensa (the control host)
  • SSH access to target hosts (key-based or password)
  • Sudo privileges on target hosts for privileged checks (most compliance rules require root access)
Kensa runs entirely from the control host over SSH. Nothing is installed on target systems.

Installation

pip install git+https://github.com/Hanalyx/kensa.git
For PDF report support:
pip install "git+https://github.com/Hanalyx/kensa.git#egg=kensa[pdf]"
Verify installation:
kensa --version

SSH setup

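Kensa needs SSH access to target hosts, and most compliance checks require root privileges. Configure passwordless sudo for the SSH user. The rule below lets the admin account run any command as root without a password, so treat that account's SSH credentials as root credentials: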
# On the target host, grant passwordless sudo:
echo "admin ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/kensa
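
A more defensive way to perform this step, shown as an added example that is not part of the Kensa project: the function writes the same rule, syntax-checks it with visudo -cf before it goes live, and installs it with mode 0440. The function name and the VISUDO override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: install the sudoers drop-in for the Kensa SSH user safely.
# Run as root on the target host. VISUDO is a hypothetical override that
# lets the function be exercised on a machine without sudo installed.

install_kensa_sudoers() {
    user=$1
    dest=${2:-/etc/sudoers.d/kensa}
    visudo_cmd=${VISUDO:-visudo}

    # Accept only a plain account name, so the value cannot carry
    # extra sudoers syntax into the rule.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "invalid user name" >&2; return 2 ;;
    esac

    # Stage next to the destination. sudo skips sudoers.d entries whose
    # names contain a '.', so the staging file is never parsed as live.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"

    # Syntax-check before activation: a malformed drop-in can break sudo
    # for every account on the host.
    if ! "$visudo_cmd" -cf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "sudoers validation failed; nothing installed" >&2
        return 1
    fi

    # Renaming within one directory replaces the file atomically.
    mv -f "$tmp" "$dest"
}

# Usage on the target host, as root:
#   install_kensa_sudoers admin
```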

Your first scan

1. Detect host capabilities

kensa detect -h 192.168.1.10 -u admin --sudo
This probes the target and reports its platform (e.g., RHEL 9.3) and detected capabilities (authselect, crypto policies, sshd_config.d support, etc.). Use this to verify connectivity before running checks.

2. Run compliance checks

kensa check -h 192.168.1.10 -u admin --sudo
Each rule produces a result:
Status  Meaning
PASS    Host meets the compliance requirement
FAIL    Host does not meet the requirement — remediation available
SKIP    Rule does not apply to this host
ERROR   Check could not complete
The summary line shows totals:
508 rules: 312 pass, 142 fail, 48 skip, 6 error (45.2s)

3. Generate structured output

# JSON output
kensa check -h 192.168.1.10 -u admin --sudo -o json:results.json

# CSV for spreadsheets
kensa check -h 192.168.1.10 -u admin --sudo -o csv:results.csv

# Multiple formats in one run
kensa check -h 192.168.1.10 -u admin --sudo \
  -o json:results.json -o csv:results.csv

# Evidence export (full command output for auditor verification)
kensa check -h 192.168.1.10 -u admin --sudo -o evidence:evidence.json

Filtering rules

You rarely need to run all 508 rules. Kensa provides several ways to focus your scan:
# By framework
kensa check -h 192.168.1.10 -u admin --sudo -f cis-rhel9-v2.0.0

# By specific control
kensa check -h 192.168.1.10 -u admin --sudo --control cis-rhel9-v2.0.0:5.1.12

# By severity
kensa check -h 192.168.1.10 -u admin --sudo -s high -s critical

# By category
kensa check -h 192.168.1.10 -u admin --sudo -c access-control

Scanning multiple hosts

Use an inventory file to scan multiple hosts in parallel:
hosts.ini
[webservers]
web1.example.com
web2.example.com

[databases]
db1.example.com ansible_user=dbadmin

# Scan all hosts, 4 in parallel
kensa check -i hosts.ini --sudo -w 4

# Scan only the webservers group
kensa check -i hosts.ini --sudo -l webservers

Next steps