Mission

Sarge v0.6: Windows Hardening, Backup & Rollback, Drift Detection, and Integration Tests

Sarge v0.6: Windows Hardening, Backup & Rollback, Drift Detection, and Integration Tests

Know what attackers see before they do. See a sample Radar scan report →

Sarge started as a Linux-only NIST 800-53 gap analysis tool for OpenClaw deployments. Three months and thirteen releases later, it runs on three platforms, backs up your config before touching anything, and can tell you when your baseline drifts. Here's what shipped between v0.3 and v0.6.

Windows Hardening Support

This was the big one. Sarge now has breadth-first detection and recommendations across all six NIST 800-53 control families on Windows. That's Access Control, Audit, Configuration Management, Identification & Authentication, System & Communications Protection, and System & Information Integrity.

The Windows assessment runs as a read-only PowerShell script. It probes your enterprise context automatically. Domain-joined or AAD-joined? Intune-enrolled or standalone? AppLocker, WDAC, Defender status? Sarge captures all of it and maps findings to specific 800-53 controls with concrete remediation steps.

If you pass --inspect-policy, Sarge goes deeper. On AAD-joined hosts, it queries Intune MDM CSP to see what's actually enforced by your management platform. On AD-joined hosts, it checks GPO via gpresult. Controls that your MDM or GPO already enforce get marked as ENFORCED-EXTERNALLY instead of FAIL. That matters because a FAIL on a domain-joined machine that's already covered by Group Policy is noise, not signal.

# Run the Windows assessment
pwsh assessment/assess.ps1

# Include managed-policy overlay
pwsh assessment/assess.ps1 --inspect-policy

Every finding on a domain-joined host that could be overridden by GPO says so. No false alarms.

Cross-Platform Backup and Rollback

Before Sarge hardens anything, it now captures a snapshot so you can undo the changes. This landed for all three platforms.

Ubuntu gets the deepest support. Sarge probes for Btrfs/ZFS snapshots, timeshift, and LVM thin snapshots in that order. Regardless of which block-level tool is available, it also captures a file-level backup of every /etc/ path that hardening touches, plus UFW state, audit rules, enabled services, and installed packages. A generated rollback.sh script reverses everything.

macOS captures an APFS local snapshot via tmutil, with optional Time Machine backup. File-level captures cover /etc/pam.d/, SSH config, sudoers, firewall state, and security policy status. The APFS snapshot is your heavy-lift fallback if granular rollback doesn't fully restore things.

Windows creates a System Restore checkpoint and exports registry policy hives, local security policy via secedit, audit policy via auditpol, service states, and scheduled tasks. If System Protection is disabled, Sarge fails loud. It will not silently proceed without a safety net.

The principle is simple: a misapplied security control should never leave a host in an unrecoverable state.

Host-Only Mode

Sarge was built for hosts running AI agents. But sometimes you want a clean NIST 800-53 baseline without the agent-runtime findings. Maybe you're scanning a workstation that runs an OpenClaw agent but you only care about the OS posture right now. Maybe you're evaluating a server that doesn't run agents at all.

Pass --host-only and Sarge excludes all agent-scoped findings. Not SKIP. Excluded entirely. The report header tells you which mode was used.

# Linux/macOS
./assessment/assess.sh --host-only

# Windows
pwsh assessment/assess.ps1 --host-only

This makes Sarge useful as a standalone baseline tool, not just an agent-safety check.

Drift Detection

Hardening is a point-in-time activity. What happens a week later when someone changes a firewall rule? Or a package update overwrites an SSH config?

Sarge's drift detection answers that. Run snapshot.sh to capture your current security baseline after hardening. Later, run compare.sh to diff the current state against that snapshot. Any changes are flagged as drift. You can automate this on a schedule with drift-cron.sh, which runs the comparison and notifies you through your configured OpenClaw channel when something moves.

# Capture your baseline
./drift/snapshot.sh

# Check for drift later
./drift/compare.sh

# Or automate it
# (add drift-cron.sh to your crontab)

Drift detection runs on Ubuntu and macOS today. It's read-only. No sudo required.

Integration Tests You Can Run

We ship tests. Not just our CI tests. Tests you can run in your environment to verify Sarge works correctly on your system.

On Windows, the Pester test suite covers the assessment and backup/rollback flows with mocked cmdlets. Run them locally:

Invoke-Pester -Path tests/Pester

On Linux, integration smoke tests validate the backup and rollback round-trip:

bash tests/integration/backup-ubuntu-smoke.sh

If a test fails in your environment, that's a finding we want to know about. Open an issue.

What's Next

Windows hardening scripts (Phase 2) are the next milestone. They're gated on the backup work that just shipped. Now that every platform has a pre-hardening safety net, we can start writing the scripts that actually change Windows configuration with confidence that you can undo them.

macOS hardening modules for firewall and SSH already landed. Native logging policy and additional modules are tracked in GitHub issues.

The goal hasn't changed: if you run an AI agent, you should be able to verify the host it runs on meets a documented security baseline. And if hardening changes something you didn't expect, you should be able to roll it back.


Focus Forward. We've Got Your Six.

Explore Sarge on GitHub. Clone it, run it, open issues.

Frequently Asked Questions

What platforms does Sarge support?

Sarge runs on Ubuntu 22.04/24.04 LTS, macOS, and Windows. Ubuntu has full gap analysis, hardening, drift detection, and backup/rollback. macOS has gap analysis, drift detection, backup/rollback, and firewall/SSH hardening modules. Windows has breadth-first detection and recommendations across all six NIST 800-53 families, plus AAD/MDM and AD-GPO policy inspection, with pre-hardening backup and rollback.

Does Sarge modify my system without asking?

No. Gap analysis is completely read-only. Hardening scripts prompt you at each step. And starting in v0.4, Sarge captures a pre-hardening backup before making any changes, so you can roll back to your previous state if anything regresses.

What is host-only mode in Sarge?

Host-only mode runs the NIST 800-53 baseline scan without including agent-runtime-specific findings. If you're running Sarge on a workstation that hosts an AI agent but you only want to evaluate the OS baseline, pass --host-only to get a clean compliance report without agent-overlay results.

How does Sarge's drift detection work?

Run snapshot.sh to capture your current security baseline after hardening. Later, run compare.sh to diff the current state against that snapshot. Any changes are flagged as drift. You can automate this with drift-cron.sh, which runs the comparison on a schedule and notifies you through your configured channel when something changes.

Find out what's exposed. Radar scans your external attack surface and shows you exactly what needs fixing. See a sample report →