diff --git a/test/integration/default/serverspec/spec_helper.rb b/test/integration/default/serverspec/spec_helper.rb
new file mode 100644
index 0000000..6b01caf
--- /dev/null
+++ b/test/integration/default/serverspec/spec_helper.rb
@@ -0,0 +1,12 @@
+require 'serverspec'
+require 'pathname'
+
+include Serverspec::Helper::Exec
+include Serverspec::Helper::DetectOS
+
+RSpec.configure do |c|
+ c.before :all do
+ c.os = backend(Serverspec::Commands::Base).check_os
+ end
+end
+
diff --git a/test/integration/default/serverspec/sysctl_spec.rb b/test/integration/default/serverspec/sysctl_spec.rb
new file mode 100644
index 0000000..fff010b
--- /dev/null
+++ b/test/integration/default/serverspec/sysctl_spec.rb
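Review bot: `require 'pathname'` is never used in this helper, and the two top-level `include` lines mix the serverspec helper modules into Object for every spec file that loads this helper rather than scoping them to the RSpec configuration. The file is byte-identical to test/integration/modules_disabled/serverspec/spec_helper.rb (same blob 6b01caf), so the two copies can silently drift; a single shared helper required from both suites would avoid that. Dropping the unused require is a one-line change: remove `+require 'pathname'`.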
@@ -0,0 +1,187 @@
+require 'spec_helper'
+
+RSpec.configure do |c|
+ c.filter_run_excluding :skipOn => backend(Serverspec::Commands::Base).check_os[:family]
+end
+
+describe 'IP V4 networking' do
+
+ context linux_kernel_parameter('net.ipv4.ip_forward') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.all.forwarding') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.all.rp_filter') do
+ its(:value) { should eq 1 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.default.rp_filter') do
+ its(:value) { should eq 1 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do
+ its(:value) { should eq 1 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.icmp_ignore_bogus_error_responses') do
+ its(:value) { should eq 1 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.icmp_ratelimit') do
+ its(:value) { should eq 100 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.icmp_ratemask') do
+ its(:value) { should eq 88089 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.tcp_timestamps') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.eth0.arp_ignore') do
+ its(:value) { should eq 1 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.eth0.arp_announce') do
+ its(:value) { should eq 2 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.tcp_rfc1337') do
+ its(:value) { should eq 1 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.tcp_syncookies') do
+ its(:value) { should eq 1 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.all.shared_media') do
+ its(:value) { should eq 1 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.default.shared_media') do
+ its(:value) { should eq 1 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.all.accept_source_route') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.default.accept_source_route') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.default.accept_redirects') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.all.accept_redirects') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.all.secure_redirects') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.default.secure_redirects') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.all.send_redirects') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.all.send_redirects') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv4.conf.all.log_martians') do
+ its(:value) { should eq 1 }
+ end
+
+end
+
+describe 'IP V6 Networking' do
+
+ context linux_kernel_parameter('net.ipv6.conf.all.disable_ipv6') do
+ its(:value) { should eq 1 }
+ end
+
+ context linux_kernel_parameter('net.ipv6.conf.all.forwarding') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv6.conf.default.accept_redirects') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv6.conf.all.accept_redirects') do
+ its(:value) { should eq 0 }
+ end
+
+end
+
+describe 'NSA 2.5.3.2.5 Limit Network-Transmitted Configuration' do
+
+ context linux_kernel_parameter('net.ipv6.conf.default.router_solicitations') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv6.conf.default.accept_ra_rtr_pref') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv6.conf.default.accept_ra_pinfo') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv6.conf.default.accept_ra_defrtr') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv6.conf.default.autoconf') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv6.conf.default.dad_transmits') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('net.ipv6.conf.default.max_addresses') do
+ its(:value) { should eq 1 }
+ end
+
+end
+
+describe 'System sysctl' do
+
+ context linux_kernel_parameter('kernel.modules_disabled') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('kernel.sysrq') do
+ its(:value) { should eq 0 }
+ end
+
+ context linux_kernel_parameter('fs.suid_dumpable') do
+ its(:value) { should eq 0 }
+ end
+end
+
+describe 'ExecShield' do
+ %x( cat /proc/cpuinfo | egrep "^flags" | grep -q ' nx ' )
+ if ($?.exitstatus != 0)
+ context linux_kernel_parameter('kernel.exec-shield') do
+ its(:value) { should eq 1 }
+ end
+ end
+
+ context linux_kernel_parameter('kernel.randomize_va_space') do
+ its(:value) { should eq 2 }
+ end
+end
+
+
diff --git a/test/integration/modules_disabled/serverspec/modules_spec.rb b/test/integration/modules_disabled/serverspec/modules_spec.rb
new file mode 100644
index 0000000..ea31ea4
--- /dev/null
+++ b/test/integration/modules_disabled/serverspec/modules_spec.rb
@@ -0,0 +1,15 @@
+require 'spec_helper'
+
+describe 'preloaded modules' do
+ describe file('/etc/initramfs-tools/modules') do
+ before do
+ if (RSpec.configuration.os[:family] != 'Debian')
+ pending "initramfs creation not ported to this platform yet"
+ end
+ end
+
+ its(:content) { should match /^ghash-clmulni-intel/ }
+ its(:content) { should match /^aesni-intel/ }
+ its(:content) { should match /^kvm-intel/ }
+ end
+end
diff --git a/test/integration/modules_disabled/serverspec/spec_helper.rb b/test/integration/modules_disabled/serverspec/spec_helper.rb
new file mode 100644
index 0000000..6b01caf
--- /dev/null
+++ b/test/integration/modules_disabled/serverspec/spec_helper.rb
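Review bot: In the 'IP V4 networking' block `net.ipv4.conf.all.send_redirects` is asserted twice while `net.ipv4.conf.default.send_redirects` is never checked, so a host that still emits ICMP redirects on interfaces created after boot passes this suite; the second of the two contexts should read `context linux_kernel_parameter('net.ipv4.conf.default.send_redirects') do`. The `arp_ignore`/`arp_announce` contexts hard-code `eth0`, so they fail on any host whose interface is named differently even when the hardening is applied; if the recipe sets the `conf.all`/`conf.default` variants, asserting those would be portable. The ExecShield block shells out with `%x()` at file-load time on the machine running rspec, which happens to be the target only because spec_helper selects the Exec backend — a comment such as `# NX detection runs on the rspec host; assumes the Exec (local) backend` would keep that assumption visible if the backend ever changes.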
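Review bot: The `before` hook in modules_spec.rb calls `pending` to avoid running the three `its(:content)` examples on non-Debian platforms, but if this suite runs under RSpec 3 a pending example is still executed and reported as a failure when it unexpectedly passes; `skip` expresses "do not run here", e.g. `skip "initramfs creation not ported to this platform yet" unless RSpec.configuration.os[:family] == 'Debian'`, which also drops the parenthesised `if`. The module regexes are prefix-only (`/^aesni-intel/` also matches a longer module name on that line), so `/^aesni-intel$/` and likewise for the other two would make the assertion exact. It is worth confirming what `check_os[:family]` returns for Ubuntu with this serverspec version — if it is not 'Debian', Ubuntu hosts that do use initramfs-tools would be skipped rather than tested.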
@@ -0,0 +1,12 @@
+require 'serverspec'
+require 'pathname'
+
+include Serverspec::Helper::Exec
+include Serverspec::Helper::DetectOS
+
+RSpec.configure do |c|
+ c.before :all do
+ c.os = backend(Serverspec::Commands::Base).check_os
+ end
+end
+
diff --git a/test/integration/modules_disabled/serverspec/sysctl_spec.rb b/test/integration/modules_disabled/serverspec/sysctl_spec.rb
new file mode 100644
index 0000000..8bedafb
--- /dev/null
+++ b/test/integration/modules_disabled/serverspec/sysctl_spec.rb
@@ -0,0 +1,9 @@
+require 'spec_helper'
+
+describe 'System sysctl' do
+
+ context linux_kernel_parameter('kernel.modules_disabled') do
+ its(:value) { should eq 1 }
+ end
+
+end