{{Header}}
{{Title|title=
System Audit
}}
{{#seo:
|description=Verifying the system is configured as intended
|image=Systemcheck1234640.png
}}
{{audit_mininav}}
[[File:Systemcheck1234640.png|thumb|200px]]
{{intro|
Verifying the system is configured as intended
}}

= General Overview =
The issues discussed on this page are the same for any operating system and are [[unspecific|unspecific to {{project_name_long}}]].

= The Challenge of System Audits =
Performing system audits is beyond the reach of non-technical users. It requires a deep understanding of source code, the ability to utilize specialized analysis tools, and the expertise to interpret complex outputs. This level of proficiency is typically found in sysadmins or individuals with similar technical backgrounds.

Much like how a non-specialist cannot perform heart surgery, even a doctor outside of that field lacks the skills to do so. There’s no shame in this limitation. It simply reflects the specialized knowledge required for such a task. Similarly, expecting a non-technical user to conduct a system audit is unrealistic.

= Limitations of Automated Tools =
There are no automated tools for end users with sufficient usability to be truly informative. Rather than providing insights, existing tools often lead to more questions and cause confusion. In general, this is related to the current state of development for security-focused operating systems. See:
* [https://forums.whonix.org/t/the-problem-with-security-guides-and-how-we-can-fix-it/8563 The Problem with Security Guides and How We Can Fix It]
* [https://forums.whonix.org/t/fixing-the-desktop-linux-security-model/9172 Fixing the Desktop Linux Security Model]
* [[Linux User Experience versus Commercial Operating Systems]]

= systemcheck and {{project_name_short}} =
For system checks, [[systemcheck]] is available on the {{project_name_short}} platform.

Even when system check tools exist, the thoroughness of checks performed by the software is a relevant question. An all-encompassing, automated testing suite for all functionality and security features remains a distant implementation goal.

= Certification and Audit Tools =
Some certification/audit tools exist, but they have poor usability. See: [[Dev/certification|Certification and Audits]].

Related: [[Security Reviews and Feedback]]

= Trust and Expertise =
Non-technical users lack foundations. They cannot inspect architecture, threat models, or source code.

Realistically, users can only [[Trust]] that software works as described and intended, develop skills to undertake audits, and/or pay someone to perform that task.

{{quotation
|quote=
The problem is, if you are a non-technical person, all of us can tell you our solution is the best. At the end of the day, you have no means of judging yourself because you don't understand the technology, architecture. You just only judge whether I speak more fluently, or maybe Devin speaks more fluently, maybe he is a nicer guy because he does more jokes, or maybe I have bad looks or maybe, you are somehow, I don't know, I am feeling, what I'm trying to say is just sorry, you don't have means if you don't understand technology to judge.
|context=Security researcher and Qubes founder, Joanna Rutkowska - [https://www.youtube.com/watch?v=Nol8kKoB-co LoganCIJ16: Future of OS] at 58:34 (at 58 minutes and 34 seconds)
}}

{{quotation
|quote=34% of the posts provided by highly reputable so-called trusted users were insecure.
|context=[https://arxiv.org/abs/1901.01327 How Reliable is the Crowdsourced Knowledge of Security Implementation?]
}}

{{quotation
|quote=3. Managing devs generally requires understanding what's going on. Unless you're ready to hire a CTO with a track record, a non-technical person can't do that.
|context=[https://news.ycombinator.com/item?id=34595418 I have a very high level of scepticism towards non-technical founders without deep pockets]
}}

{{quotation
|quote=We found that technical participants had more complete mental models of hacking and security than non-technical end users.
|context=[https://www.usenix.org/system/files/soups2021-baig.pdf Replication: Effects of Media on the Mental Models of Technical Users]
}}

{{quotation
|quote=Fulton’s study confirms that non-technical end users often turn to fictional media and its tropes to fill gaps in their technical knowledge. Participants often did not have enough technical knowledge to accurately evaluate a scene and would turn to existing tropes to justify realism;
}}

{{quotation
|quote=for example, many found technical jargon to be a sign of realism.
}}

{{quotation
|quote=Detectability: non-technical end users believed that they would be able to recognize if a system was being hacked or if they encountered an unsafe situation online; the attack would be apparent to the user who could then take steps to mitigate the issue. Technical users believed that malware could cause pop-ups on the screen, but many believed that this was distinct from hacking. Hackers, they believed, would want to be stealthy so that they remain undetected.
}}

{{quotation
|quote=No Code Review Skills: They can't assess code quality, security vulnerabilities, or maintainability because they've never learned to read code properly.
|context=[https://www.finalroundai.com/blog/ai-vibe-coding-destroying-junior-developers-careers How AI Vibe Coding Is Destroying Junior Developers' Careers]
}}

See also [[Malware_and_Firmware_Trojans#Finding_Vulnerabilities|Finding Vulnerabilities]] and [[Malware_and_Firmware_Trojans#Valid_Compromise_Indicators_versus_Invalid_Compromise_Indicators|Valid Compromise Indicators versus Invalid Compromise Indicators]].

= Related =
* [[systemcheck]]
* [[Security Reviews and Feedback]]
* [[Dev/certification|Certification and Audits]]

{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]