Clotho
The Spinner of the Thread
Clotho is a compliance auditing tool that SSHes into remote nodes, collects system evidence, and compares it against a defined baseline. It maps findings to ISO 27002:2022 controls and generates PDF/HTML/JSON reports.
In Greek mythology, Clotho spun the thread of life. This Clotho spins the baseline - the expected state of your systems.
Installation
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
Requires pdflatex (texlive) for PDF output.
Usage
# Validate baseline syntax
python clotho.py --validate-only
# Audit all nodes in baseline
python clotho.py
# Audit specific node
python clotho.py --node athena
# Local dry-run (test on this machine)
python clotho.py --local
# Use specific SSH key
python clotho.py --key-file ~/.ssh/id_ed25519
# Run specific controls only
python clotho.py --control 8.20,5.15
# Show file diffs on hash mismatch
python clotho.py --show-diffs
# Compare with previous audit
python clotho.py --compare-with previous
# Show compliance trends
python clotho.py --trend --days 30
Key Concepts
Baseline
YAML file defining expected system state - allowed users, open ports, file hashes, running processes.
Controls
ISO 27002:2022 control mappings. Each control defines which collectors to run and what to expect.
Collectors
Modular evidence gatherers: ports, users, files, processes.
Findings
Pass/fail results with evidence. Each finding maps to a control and includes raw command output.
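To make the baseline → collector → finding pipeline concrete, here is an added illustrative example; it is not Clotho's own code and does not reflect its real schema or internals. The baseline keys (`allowed_ports`, `file_hashes`), the function names, the parsing of `ss -tlnp` output, and the choice of control 8.9 (Configuration management) for file-hash findings are assumptions; control 8.20 (Networks security) for listening ports is the one already used in the Usage section above. The `ss` output and file contents are constructed sample data.

```python
"""Added example (not Clotho's code): a port collector and a file-hash collector,
compared against a small baseline to produce control-mapped findings with raw
evidence. Schema, names and control mappings are assumptions for illustration."""
import hashlib
import json
import re
from dataclasses import dataclass, asdict

# Assumed baseline shape (hypothetical; a real one would be loaded from YAML).
# The expected sha256 is computed here only so the example is self-contained;
# a stored baseline would carry the hex digest as a literal.
BASELINE = {
    "node": "athena",
    "allowed_ports": [22, 443],
    "file_hashes": {
        "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest(),
    },
}

# Constructed sample of `ss -tlnp` output as a collector would capture it over SSH.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=1203,fd=6))
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=990,fd=7))
"""

# Constructed file contents as read from the node.
FILE_CONTENTS = {"/etc/ssh/sshd_config": b"PermitRootLogin no\n"}


@dataclass
class Finding:
    control: str   # ISO 27002:2022 control id
    collector: str
    passed: bool
    message: str
    evidence: str  # raw command output or hash comparison the verdict rests on


def parse_listening_ports(ss_output: str) -> dict[int, str]:
    """Map each listening TCP port to its process name from `ss -tlnp` output."""
    ports: dict[int, str] = {}
    for line in ss_output.splitlines()[1:]:        # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        port = int(cols[3].rsplit(":", 1)[1])      # handles 0.0.0.0:22, *:443, [::]:22
        m = re.search(r'\("([^"]+)"', cols[5]) if len(cols) > 5 else None
        ports[port] = m.group(1) if m else "?"
    return ports


def check_ports(baseline: dict, ss_output: str) -> list[Finding]:
    """Flag ports listening that the baseline does not allow, and allowed ports not seen."""
    observed = parse_listening_ports(ss_output)
    unexpected = sorted(p for p in observed if p not in baseline["allowed_ports"])
    missing = [p for p in baseline["allowed_ports"] if p not in observed]
    passed = not unexpected and not missing
    msg = ("listening ports match baseline" if passed
           else f"unexpected={[f'{p}/{observed[p]}' for p in unexpected]} missing={missing}")
    return [Finding("8.20", "ports", passed, msg, ss_output)]


def check_file_hashes(baseline: dict, file_contents: dict[str, bytes]) -> list[Finding]:
    """Compare sha256 of each collected file against the baseline digest."""
    findings = []
    for path, expected in baseline["file_hashes"].items():
        data = file_contents.get(path)
        if data is None:
            findings.append(Finding("8.9", "files", False, f"{path}: not collected", ""))
            continue
        actual = hashlib.sha256(data).hexdigest()
        ok = actual == expected
        findings.append(Finding("8.9", "files", ok,
                                f"{path}: sha256 {'matches' if ok else 'differs from'} baseline",
                                f"expected={expected} actual={actual}"))
    return findings


def audit(baseline: dict, ss_output: str, file_contents: dict[str, bytes]) -> dict:
    """Run all collectors and return a JSON-serialisable report for one node."""
    findings = check_ports(baseline, ss_output) + check_file_hashes(baseline, file_contents)
    return {
        "node": baseline["node"],
        "passed": sum(f.passed for f in findings),
        "failed": sum(not f.passed for f in findings),
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    print(json.dumps(audit(BASELINE, SS_OUTPUT, FILE_CONTENTS), indent=2))
```

With the sample data the port finding fails (redis on 6379 is listening but not in the baseline) while the sshd_config hash matches, so the report carries one pass and one fail, each with the evidence a reviewer needs to verify the verdict without re-running the collector.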
Output
Reports are saved to output/:
| Format | Description |
|---|---|
| .pdf | Compiled LaTeX report for stakeholders |
| .html | Web-viewable report |
| .json | Machine-readable for Lachesis ingestion |
Integration with Lachesis
Clotho's JSON output can be ingested by Lachesis for trend analysis:
curl -X POST http://localhost:6380/api/ingest \
-H "Content-Type: application/json" \
-d @output/audit_20260118.json