How Sarge Works
Open-source NIST 800-53 hardening and drift-detection toolkit for OpenClaw deployments — read-only, no sudo required, no network calls.
What Sarge Does
Sarge is an open-source NIST 800-53 hardening and configuration drift-detection toolkit, purpose-built for OpenClaw deployments. It runs as a read-only assessment on each host — no sudo required, no network calls, no telemetry. Reports are written locally so you stay in control of your own posture data.
Sarge is a deployment-layer companion to OpenClaw's built-in security stack (ClawHub policy enforcement and the openclaw security audit CLI plus VirusTotal scanning). Where OpenClaw covers the application and runtime layers, Sarge extends coverage to the OS and system layer — auditd, account hygiene, service hardening, patch state, kernel parameters, and the rest of the things a NIST 800-53 auditor will eventually ask about.
Why Drift Detection Matters in Regulated Environments
Configuration drift is silent. A chmod, a service enable, an emergency package install — none of these trigger an alarm, but each can quietly break a control your auditor said you had in place. The first time anyone notices is usually during the next assessment, months after the change.
For regulated environments — FedRAMP, CMMC, FISMA, HIPAA — continuous monitoring of configuration controls isn't optional. NIST 800-53 itself requires it under control CA-7 (Continuous Monitoring), which calls for ongoing assessment of security controls and the security state of the system, not just point-in-time audits.
Manual periodic audits are point-in-time and miss everything between scans. Automated drift detection catches changes the day they happen, gives you a clean before/after diff, and lets your team triage what's a legitimate config change versus what's a signal something has gone wrong on the host.
NIST Documentation
NIST SP 800-53 Rev 5 (Update 1) — Final Publication
NIST SP 800-53 Control Catalog Browser (Release Search)
The Six NIST Control Families Sarge Covers
Sarge groups its checks by NIST 800-53 control family so findings map directly to the language your auditor speaks:
Access Control
Local account hygiene, inactive-user review, sudo configuration, and login policies.
Audit & Accountability
auditd state, audit log retention, and capture of security-relevant system events.
Configuration Management
Least-functionality checks, unnecessary services, and baseline configuration drift.
Identification & Authentication
Password policy, SSH key and authentication settings, and credential lifecycle controls.
System & Communications Protection
Kernel network parameters, firewall posture, and protection of host communications.
System & Information Integrity
Patch state, unattended security updates, and integrity of system binaries and logs.
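The before/after diff described above, grouped by the control families listed here, as an added example. This is not Sarge's own code; the setting names, snapshot values and prefix-to-family mapping are constructed for illustration.

```python
# Hypothetical prefix -> control family mapping; family names are the ones on this page.
FAMILY_BY_PREFIX = {
    "account.": "Access Control",
    "auditd.": "Audit & Accountability",
    "service.": "Configuration Management",
    "package.": "Configuration Management",
    "sshd.": "Identification & Authentication",
    "sysctl.": "System & Communications Protection",
    "file.": "System & Information Integrity",
}

# Constructed snapshots: what a read-only collector might record on two different days.
BASELINE = {
    "file./var/log/auth.log.mode": "0640",
    "service.rpcbind.enabled": "no",
    "sysctl.net.ipv4.ip_forward": "0",
    "auditd.active": "yes",
}
CURRENT = {
    "file./var/log/auth.log.mode": "0666",   # a chmod
    "service.rpcbind.enabled": "yes",        # a service enable
    "package.tcpdump.installed": "yes",      # an emergency package install
    "sysctl.net.ipv4.ip_forward": "0",       # unchanged, so not reported
    # "auditd.active" is absent: a check that stops reporting is drift too
}

def family_for(key):
    """Map a setting name to its control family; unknown prefixes stay visible."""
    return next((f for p, f in FAMILY_BY_PREFIX.items() if key.startswith(p)), "Unmapped")

def diff_snapshots(baseline, current):
    """Return one (family, setting, change, before, after) tuple per drifted setting."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key), current.get(key)
        if key not in baseline:
            change = "added"
        elif key not in current:
            change = "removed"
        elif before != after:
            change = "changed"
        else:
            continue
        findings.append((family_for(key), key, change, before, after))
    return findings

if __name__ == "__main__":
    for family, key, change, before, after in diff_snapshots(BASELINE, CURRENT):
        print(f"[{family}] {key}: {change} ({before!r} -> {after!r})")
```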
Try Sarge or get on the beta list
Sarge is open source. Read the code, file an issue, or request beta access for a guided rollout on your hosts.