Fast one-shot sweep for Linux incident response. Drop the binary on a host, run it once, and collect actionable leads from the kernel, procfs, bpffs, systemd, cron, sockets, and more.
cargo build --release.target/release/ghostscan to the target host.sudo ./ghostscan.bpftool, nft, ss, journalctl, auditctl) expand coverage; when missing, the output explains what was skipped.OK, or an error string.0; treat the log itself as the verdict.kallsyms to surface hidden modules.ftrace hooks on critical kernel paths.modprobe helper tamper: flags helper paths that point to tmp, missing, or writable binaries.kfunc targets./proc/net to expose hidden sockets./proc task lists to expose hidden PIDs./proc.core_pattern/core_pipe_limit for piped handlers to tmp/deleted paths./proc vs BPF.ld.so.preload tamper: inspects ld.so.preload for unexpected entries.authorized_keys options and forced commands./, /proc, or container roots.LD_PRELOAD: notes processes still using deleted or writable preload libraries.LD_AUDIT daemons: finds daemons configured with LD_AUDIT despite lacking TTYs./etc/scripts.d provenance: warns on executable scripts from tmp or non-root owners.cargo fmt && cargo check.src/scanners/ and expose pub fn run() -> ScanOutcome before being registered in SCANNERS inside src/main.rs.MIT
$ claude mcp add ghostscan \
-- python -m otcore.mcp_server <graph>