-
Notifications
You must be signed in to change notification settings - Fork 2
Changelog
This comprehensive guide covers all aspects of using the Linux Security Audit Project, from basic commands to advanced workflows.
- Command-Line Syntax
- Module Selection
- Output Formats
- Remediation Options
- Advanced Usage Patterns
- Integration Scenarios
- Best Practices
python3 linux_security_audit.py [OPTIONS]| Option | Short | Description | Default |
|---|---|---|---|
--modules |
-m |
Comma-separated list of modules to run | All |
--output-format |
-f |
Output format (HTML/CSV/JSON/XML/Console) | HTML |
--output-path |
-o |
Path for output file | Auto-generated |
--list-modules |
List all available modules and exit | ||
--parallel |
Execute modules in parallel | ||
--workers |
Number of parallel workers | Auto | |
--perf-profile |
Display performance statistics (renamed from --profile in v3.7) |
||
--profile NAME |
NEW v3.7 (expanded v3.9): Apply per-distribution audit profile (generic, rhel9, rhel8, ubuntu24, ubuntu22, debian12, alpine, suse15, kali, mxlinux, mint, zorin, elementary, almalinux, rocky, centos, centosstream, fedora) | none | |
--list-profiles |
NEW v3.7: List all available distribution profiles | ||
--split-reports |
NEW v3.8: Generate a separate report per framework in reports/by-framework/, alongside the combined report |
||
--split-only |
NEW v3.8: Generate only the per-framework reports (skip the combined report) | ||
--attack-surface |
NEW v3.8: Generate an attack-surface assessment report (HTML + JSON) synthesizing exposure across all frameworks | ||
--log-level |
Set logging level (DEBUG/INFO/WARNING/ERROR) | INFO |
|
--log-file |
Custom log file path | Auto (logs/) |
|
--json-log |
Enable JSON-structured log output | ||
--verbose |
-v |
Enable verbose console output | |
--quiet |
-q |
Suppress non-essential console output | |
--remediate |
Interactively remediate failed checks | ||
--remediate-fail |
Remediate only FAIL status issues | ||
--remediate-warning |
Remediate only WARNING status issues | ||
--remediate-info |
Remediate only INFO status issues | ||
--auto-remediate |
Automatically remediate without prompting | ||
--remediation-file |
JSON file with specific issues to remediate | ||
--no-cache |
Disable the per-process helper cache (v3.6) | ||
--baseline |
Path to a prior audit JSON for drift comparison (v3.7) | ||
--rollback-path |
Path to write the generated rollback script (v3.7) | ||
--remediation-bundle |
Apply a predefined remediation bundle (see --list-bundles) (v3.7) |
||
--list-bundles |
List available remediation bundles and exit (v3.7) | ||
--asset-criticality |
Asset criticality 1-10 for risk scoring (v3.7) | 5 |
|
--show-risk-priority |
Show the risk-prioritized findings list (v3.7) | ||
--show-correlations |
Show cross-framework correlations in output (v3.7) | ||
--validate-results |
Run strict result validation in the pipeline (v3.7) | ||
--threshold |
Compliance pass/fail threshold percentage (v3.5) | 70.0 |
Display help information:
python3 linux_security_audit.py --helpList available modules:
python3 linux_security_audit.py --list-modulesThe project includes 16 security framework modules:
| Module | Full Name | Check Count | Description |
|---|---|---|---|
Core |
Core Security Baseline | 185 | Industry best practices, OS-specific hardening, and attack-surface hygiene |
CIS |
CIS Benchmarks | 258 | Center for Internet Security benchmark + Controls v8 IG3 |
CISA |
CISA Guidance | 196 | CISA CPGs, ZTMM, KEV, Stop Ransomware, Secure by Design |
ENISA |
ENISA Guidelines | 142 | EU Agency for Cybersecurity + NIS2 + Cyber Resilience Act + DORA |
ISO27001 |
ISO/IEC 27001:2022 | 147 | Annex A controls + 27017/27018/27701 |
NIST |
NIST Frameworks | 234 | NIST 800-53 R5, CSF 2.0, 800-171, 800-207, 800-161, SSDF 800-218 |
NSA |
NSA Hardening | 193 | NSA guidance + CNSA 2.0 + K8s hardening + encrypted DNS + eBPF |
STIG |
DISA STIGs | 205 | Defense Information Systems Agency Security Technical Implementation Guides |
ACSC |
ACSC Essential Eight | 69 | Australian Cyber Security Centre Essential 8 + ISM (ML2/ML3) |
CMMC |
CMMC 2.0 | 94 | CMMC 2.0 (L1/L2/L3) + NIST 800-171 Rev 3 + DFARS |
DistBaseline |
Distribution Baselines | 90 | Per-distro hardening (Ubuntu USG / RHEL / SUSE / Arch) |
EDR |
EDR / ATT&CK | 87 | EDR + MITRE ATT&CK + Sigma/YARA + cloud-native + forensics |
GDPR |
GDPR Technical Controls | 75 | GDPR Art 32 + ePrivacy + breach notification |
HIPAA |
HIPAA Security Rule | 114 | HIPAA Security Rule + 405(d) HICP + breach notification |
PCI-DSS |
PCI DSS v4.0.1 | 110 | Payment Card Industry Data Security Standard (Req 1-12) |
SOC2 |
AICPA SOC 2 | 98 | SOC 2 Trust Service Criteria (CC1-CC9 + Availability/Confidentiality/PI/Privacy) |
Module selectors are case-insensitive. The PCI-DSS module can be selected as
PCIDSS, PCI-DSS, or PCI.
sudo python3 linux_security_audit.py
# or explicitly
sudo python3 linux_security_audit.py -m AllUse Case: Comprehensive security assessment Time: 3-5 minutes Checks: 2,297 security checks
# Core baseline security
sudo python3 linux_security_audit.py -m Core
# CIS Benchmarks only
sudo python3 linux_security_audit.py -m CIS
# NIST frameworks only
sudo python3 linux_security_audit.py -m NISTUse Case: Focused assessment on specific framework Time: 20-45 seconds per module Checks: 97-212 per module
# Compliance-focused (CIS, NIST, ISO27001)
sudo python3 linux_security_audit.py -m CIS,NIST,ISO27001
# Government/Critical Infrastructure (STIG, NSA, CISA)
sudo python3 linux_security_audit.py -m STIG,NSA,CISA
# Baseline + Compliance (Core, CIS)
sudo python3 linux_security_audit.py -m Core,CISNote: Module names are case-insensitive. Use commas with no spaces.
sudo python3 linux_security_audit.py -m Core,CISStart with Core and CIS for fundamental security posture.
# Financial/General: ISO27001, NIST, CIS
sudo python3 linux_security_audit.py -m ISO27001,NIST,CIS
# Government/Defense: STIG, NSA, NIST
sudo python3 linux_security_audit.py -m STIG,NSA,NIST
# European Organizations: ISO27001, ENISA, CIS
sudo python3 linux_security_audit.py -m ISO27001,ENISA,CIS# Lightweight daily checks
sudo python3 linux_security_audit.py -m Core,CISA
# Weekly comprehensive
sudo python3 linux_security_audit.py -m AllPer-distribution profiles are filters that exclude inapplicable modules and category prefixes for a specific Linux distribution. Profiles are subtractive only - they never add or modify checks. The default behavior (no --profile flag) runs the full audit unchanged.
sudo python3 linux_security_audit.py --list-profiles| Profile | Applicable Distros | Excludes |
|---|---|---|
generic |
any | nothing (no-op; useful for explicit pipeline declarations) |
rhel9 |
RHEL 9, AlmaLinux 9, Rocky 9, Oracle Linux 9, CentOS Stream 9 | Snap, Ubuntu Pro, AppArmor (Debian) categories |
rhel8 |
RHEL 8 family | Snap, Ubuntu Pro, AppArmor (Debian) categories |
ubuntu24 |
Ubuntu 24.04 | DNF, RPM, SELinux (RHEL-default) categories |
kali |
Kali Linux | DNF, RPM, SELinux, Ubuntu Pro, Snap categories |
mxlinux |
MX Linux | DNF, RPM, SELinux, Ubuntu Pro, Snap categories |
mint |
Linux Mint | DNF, RPM, SELinux (RHEL-default) categories |
zorin |
Zorin OS | DNF, RPM, SELinux (RHEL-default) categories |
elementary |
elementary OS | DNF, RPM, SELinux (RHEL-default) categories |
almalinux |
AlmaLinux 8/9 | Snap, Ubuntu Pro, AppArmor (Debian), APT categories |
rocky |
Rocky Linux 8/9 | Snap, Ubuntu Pro, AppArmor (Debian), APT categories |
centos |
CentOS Linux 7/8 (EOL) | Snap, Ubuntu Pro, AppArmor (Debian), APT categories |
centosstream |
CentOS Stream 9/10 | Snap, Ubuntu Pro, AppArmor (Debian), APT categories |
fedora |
Fedora (current) | Snap, Ubuntu Pro, AppArmor (Debian), APT categories |
ubuntu22 |
Ubuntu 22.04 | DNF, RPM, SELinux (RHEL-default) categories |
debian12 |
Debian 12 | DNF, RPM, Snap, Ubuntu Pro, SELinux (RHEL-default) categories |
alpine |
Alpine Linux | DNF, RPM, Snap, Ubuntu Pro categories |
suse15 |
SLES 15, openSUSE Leap 15 | Snap, Ubuntu Pro, DNF, SELinux (RHEL-default) categories |
# Run audit with RHEL-9 profile (filters Debian/Ubuntu-specific noise)
sudo python3 linux_security_audit.py --profile rhel9
# Combine with module selection
sudo python3 linux_security_audit.py --modules CIS,STIG --profile ubuntu24
# Combine with parallel execution
sudo python3 linux_security_audit.py --parallel --profile debian12
# Inspect what a profile filters
sudo python3 linux_security_audit.py --list-profilesProfile names are validated against the regex ^[a-z][a-z0-9_-]{0,30}$ - injection attempts (--profile "rhel9; rm -rf /"), path traversal (--profile "../etc/passwd"), and unknown profile names are explicitly rejected with exit code 2. All profile data is hardcoded in shared_components/profiles.py; no external file loads, no eval, no JSON/YAML parsing is performed on user input.
When you audit many frameworks at once, the combined report is comprehensive but can become long and hard for a single audience to digest. The --split-reports flag generates one focused report per framework in reports/by-framework/, alongside the combined all-in-one report.
# Combined report PLUS one report per framework
sudo python3 linux_security_audit.py --modules CIS,STIG,PCIDSS,HIPAA --split-reports
# Only the per-framework reports (skip the combined one)
sudo python3 linux_security_audit.py --modules CIS,STIG,PCIDSS,HIPAA --split-only
# Works for any output format
sudo python3 linux_security_audit.py -f JSON --split-reportsEach split report contains only that framework's findings, with its own executive dashboard, compliance score, and remediation guidance - so the PCI-DSS team receives a PCI-DSS report, the HIPAA team receives a HIPAA report, and so on. Files are named <FRAMEWORK>-Audit-<host>-<timestamp>.<ext>.
If only a single framework is selected, no split is performed (the combined report already is that framework's report).
The --attack-surface flag generates a separate assessment-based report that re-frames the audit findings around exposure rather than standards conformance. Where the compliance report answers "are we compliant with framework X?", the attack-surface report answers "where is this host exposed, and how badly?".
# Generate the attack-surface report alongside the normal report
sudo python3 linux_security_audit.py --attack-surface
# Combine with framework selection and split reports
sudo python3 linux_security_audit.py --modules CORE,CIS,STIG,NIST --attack-surface --split-reportsThe report synthesizes exposure-relevant findings from every selected framework plus the host-facts registry into ten attack-surface domains:
- Network Exposure - listeners, firewall posture, exposed services
- Authentication & Access - SSH, PAM, MFA, password policy
- Privilege & Escalation - sudo, SUID/SGID, capabilities
- Filesystem Exposure - world-writable files, permissions, mounts
- Service & Daemon Surface - running and legacy/cleartext services
- Kernel & Boot Surface - kernel hardening, module policy, boot integrity
- Container & Orchestration - Docker socket, Kubernetes exposure
- Credential & Secret Exposure - keys and secrets at rest
- Cryptographic Posture - FIPS, TLS, cipher strength
- Detection & Response - audit/logging/FIM coverage (low coverage raises effective exposure because intrusions go unnoticed)
Each domain receives a severity-weighted exposure score (0-100, higher = more exposed) and rating (Minimal -> Low -> Moderate -> Elevated -> High), plus its top contributing findings. An overall exposure score and a cross-domain "Top Exposure Findings" table head the report. Output is written to reports/Attack-Surface-<host>-<timestamp>.html and .json.
The CORE module contributes dedicated attack-surface enumeration checks (category CORE - Attack Surface): external-facing TCP/UDP listeners, legacy/cleartext service binaries, SUID/SGID and world-writable exposure summaries, container-socket exposure, and kernel-module lockdown state. CORE is the right home for these because it is the only non-framework-tied module.
Note: The attack-surface score is an assessment aid, not a compliance score. It is derived from the same findings shown in the compliance report, reorganized by exposure.
Interactive browser-based report with rich features.
sudo python3 linux_security_audit.py -f HTML
# or
sudo python3 linux_security_audit.py # HTML is defaultFeatures:
- Interactive filtering by status and module
- Sortable columns (click headers)
- Full-text search across all fields
- Dark/Light theme toggle
- Export selected issues to JSON
- Inline remediation commands
- Statistics dashboard
File Naming: Security-Audit-Report-YYYYMMDD-HHMMSS.html
Use Cases:
- Manual security reviews
- Management reporting
- Compliance documentation
- Interactive issue exploration
Example with Custom Path:
sudo python3 linux_security_audit.py -f HTML -o /var/reports/audit-$(date +%Y%m%d).htmlComma-separated values for spreadsheet analysis.
sudo python3 linux_security_audit.py -f CSV -o security-audit.csvStructure:
Module,Category,Status,Message,Details,Remediation,Timestamp
Core,Password Policy,Pass,Password aging is configured,...
Core,SSH Security,Fail,Root login is enabled,...Use Cases:
- Excel/Google Sheets analysis
- Data trending and graphing
- Custom reporting workflows
- Historical comparisons
Example for Tracking:
# Monthly security trends
sudo python3 linux_security_audit.py -f CSV -o /var/reports/$(date +%Y%m)-audit.csvStructured data format for automation and APIs.
sudo python3 linux_security_audit.py -f JSON -o security-audit.jsonStructure:
{
"execution_info": {
"hostname": "server01",
"os_version": "Linux 5.15.0",
"scan_date": "2025-01-07 14:30:22",
"duration": "0:03:45",
"modules_run": ["Core", "CIS", "NIST"],
"total_checks": 512,
"pass_count": 387,
"fail_count": 89,
"warning_count": 32,
"info_count": 4,
"error_count": 0
},
"results": [
{
"module": "Core",
"category": "SSH Security",
"status": "Fail",
"message": "Root login is enabled",
"details": "SSH configuration allows direct root login",
"remediation": "sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd",
"timestamp": "2025-01-07 14:30:25"
}
]
}Use Cases:
- SIEM integration
- Automation workflows
- API consumption
- Selective remediation (via --remediation-file)
- Custom analysis scripts
Example for SIEM:
# Daily feed for SIEM
sudo python3 linux_security_audit.py -f JSON -o /var/siem/feeds/security-$(hostname)-$(date +%Y%m%d).jsonExtensible Markup Language for enterprise tools.
sudo python3 linux_security_audit.py -f XML -o security-audit.xmlStructure:
<?xml version="1.0" encoding="UTF-8"?>
<security_audit>
<execution_info>
<hostname>server01</hostname>
<os_version>Linux 5.15.0</os_version>
<scan_date>2025-01-07 14:30:22</scan_date>
<total_checks>512</total_checks>
<pass_count>387</pass_count>
<fail_count>89</fail_count>
</execution_info>
<results>
<result>
<module>Core</module>
<category>SSH Security</category>
<status>Fail</status>
<message>Root login is enabled</message>
</result>
</results>
</security_audit>Use Cases:
- Enterprise security tools (Splunk, QRadar)
- GRC platforms
- Configuration management systems
- Legacy system integration
Example for Enterprise SIEM:
sudo python3 linux_security_audit.py -f XML -o /mnt/nfs/siem-intake/$(hostname)-audit.xmlDirect terminal output without file creation.
sudo python3 linux_security_audit.py -f ConsoleFeatures:
- Color-coded status (Pass=Green, Fail=Red, Warning=Yellow)
- Real-time display as checks execute
- Suitable for quick checks and terminal-only environments
- Can be redirected to text files
Use Cases:
- Quick security checks
- SSH sessions without file transfer
- Logging to text files via redirection
- Automated scripts with parsed output
Example with Redirection:
# Save console output to text file
sudo python3 linux_security_audit.py -f Console > audit-$(date +%Y%m%d).txt 2>&1Remediation allows you to automatically or interactively apply security fixes based on audit findings. All remediation requires root privileges.
Important Safety Notes:
- Always review remediation commands before applying
- Test in non-production environments first
- Have backups of critical configurations
- Document changes made during remediation
- Consider maintenance windows for production systems
Review and approve each fix individually with detailed information.
sudo python3 linux_security_audit.py --remediateWorkflow:
- Script performs full audit
- Presents each remediable issue one at a time
- Shows: Module, Category, Status, Message, Details, Remediation Command
- Prompts:
[y]es, [n]o, [s]kip remaining, [q]uit - Executes approved remediations
- Displays results for each action
Example Interaction:
====================================================================================================
Issue 1 of 156
====================================================================================================
Module: Core
Category: SSH Security
Status: Fail
Message: Root login is enabled
Details: SSH configuration allows direct root login (security risk)
Remediation Command:
sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd
Apply this remediation? [y]es, [n]o, [s]kip remaining, [q]uit: y
[+] Executing remediation...
[+] Remediation successful
Continue? Press Enter...
Use Cases:
- First-time remediations
- Learning remediation commands
- Selective manual approval
- High-security environments requiring human review
Remediate only issues with specific status levels.
Critical security issues only:
sudo python3 linux_security_audit.py --remediate-failUse Cases:
- Focus on critical vulnerabilities
- Quick security wins
- Pre-production hardening
- Compliance requirement fixes
Best practice violations:
sudo python3 linux_security_audit.py --remediate-warningUse Cases:
- Post-critical remediation
- Configuration optimization
- Security posture improvement
- Non-urgent hardening
Informational recommendations:
sudo python3 linux_security_audit.py --remediate-infoUse Cases:
- Optional security enhancements
- Future-proofing configurations
- Documentation and awareness
Automatically apply fixes without prompting for each issue.
sudo python3 linux_security_audit.py --auto-remediateWorkflow:
- Script performs full audit
- Identifies all remediable issues
- Displays summary of actions to be taken
- Prompts for final confirmation
- Executes all remediations automatically
- Displays summary of results
Example:
====================================================================================================
AUTOMATED REMEDIATION SUMMARY
====================================================================================================
Total Issues: 156
FAIL: 89 issues
WARNING: 52 issues
INFO: 15 issues
This will automatically execute 156 remediation commands.
[!] WARNING: This is an automated process. Ensure you understand the impact.
[!] Consider backing up critical configurations before proceeding.
Proceed with automated remediation? [yes/no]: yes
[*] Executing remediations...
[+] 1/156: Core - SSH Security: Root login disabled
[+] 2/156: Core - Firewall: UFW enabled and configured
[+] 3/156: CIS - Password Policy: Password aging configured
...
[+] 156/156: NIST - Audit Logging: Auditd configuration updated
====================================================================================================
REMEDIATION COMPLETE
====================================================================================================
Successful: 145 (93%)
Failed: 11 (7%)
Duration: 0:02:15
====================================================================================================
Use Cases:
- Pre-configured environments
- Automated deployment pipelines
- Bulk system hardening
- Emergency security responses
Safety: Includes final confirmation prompt before executing.
Focus automated remediation on specific status levels:
# Auto-fix only critical FAIL issues
sudo python3 linux_security_audit.py --remediate-fail --auto-remediate
# Auto-fix only WARNING best practices
sudo python3 linux_security_audit.py --remediate-warning --auto-remediateUse Cases:
- Staged remediation approach (FAIL first, then WARNING, then INFO)
- Risk-based prioritization
- Minimizing system changes
The most precise remediation method - fix only specific issues selected from the HTML report.
Workflow:
- Run Initial Audit:
sudo python3 linux_security_audit.py-
Review HTML Report:
- Open the generated HTML report in browser
- Review each finding
- Use checkboxes to select specific issues to remediate
- Click "Export Selected" button
-
Save JSON File:
- Browser downloads file:
Selected-Report-YYYYMMDD-HHMMSS.json - Contains only your selected issues
- Browser downloads file:
-
Run Selective Remediation:
sudo python3 linux_security_audit.py --auto-remediate --remediation-file Selected-Report-20250107-143022.jsonExample JSON Structure (exported selection):
{
"execution_info": {
"hostname": "server01",
"scan_date": "2025-01-07 14:30:22"
},
"results": [
{
"module": "Core",
"category": "SSH Security",
"status": "Fail",
"message": "Root login is enabled",
"remediation": "sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd"
}
]
}Use Cases:
- Surgical precision in remediation
- Change management requirements
- Testing specific fixes
- Phased remediation approach
- Multiple administrators dividing work
Benefits:
- Complete control over what gets fixed
- Visual review of each issue before selection
- Documentation of intentional changes
- Repeatable remediation sets
Establish security baseline and track changes over time.
# Initial baseline
sudo python3 linux_security_audit.py -f JSON -o /var/security/baseline.json
# Weekly audits
sudo python3 linux_security_audit.py -f JSON -o /var/security/audit-$(date +%Y%m%d).json
# Compare results
# Use custom scripts or tools to diff JSON filesDocument security improvements.
# Before remediation
sudo python3 linux_security_audit.py -o audit-before.html
# Apply fixes
sudo python3 linux_security_audit.py --remediate-fail --auto-remediate
# After remediation
sudo python3 linux_security_audit.py -o audit-after.html
# Compare statistics in both reportsAudit multiple systems centrally.
# On each system (via SSH or automation)
ssh user@server1 "sudo python3 /opt/security-audit/linux_security_audit.py -f JSON -o /tmp/audit.json"
scp user@server1:/tmp/audit.json ./server1-audit-$(date +%Y%m%d).json
# Repeat for all systems, then consolidate resultsFocus on specific compliance requirements.
# PCI-DSS focus
sudo python3 linux_security_audit.py -m CIS,NIST,Core -o pci-audit-$(date +%Y%m%d).html
# HIPAA focus
sudo python3 linux_security_audit.py -m NIST,ISO27001,Core -o hipaa-audit-$(date +%Y%m%d).html
# FedRAMP focus
sudo python3 linux_security_audit.py -m NIST,STIG,NSA -o fedramp-audit-$(date +%Y%m%d).htmlSet up regular security monitoring.
Cron Example (/etc/cron.d/security-audit):
# Daily audit at 2 AM
0 2 * * * root /usr/bin/python3 /opt/security-audit/linux_security_audit.py -f JSON -o /var/log/security/audit-$(date +\%Y\%m\%d).json >> /var/log/security/audit.log 2>&1
# Weekly comprehensive HTML report on Sundays at 3 AM
0 3 * * 0 root /usr/bin/python3 /opt/security-audit/linux_security_audit.py -o /var/reports/weekly-audit-$(date +\%Y\%m\%d).html >> /var/log/security/audit.log 2>&1Systemd Timer Example:
Service file (/etc/systemd/system/security-audit.service):
[Unit]
Description=Linux Security Audit
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/python3 /opt/security-audit/linux_security_audit.py -f JSON -o /var/log/security/audit-$(date +%%Y%%m%%d).json
StandardOutput=journal
StandardError=journalTimer file (/etc/systemd/system/security-audit.timer):
[Unit]
Description=Daily Security Audit Timer
Requires=security-audit.service
[Timer]
OnCalendar=daily
OnCalendar=02:00
Persistent=true
[Install]
WantedBy=timers.targetEnable timer:
sudo systemctl daemon-reload
sudo systemctl enable security-audit.timer
sudo systemctl start security-audit.timerIntegrate into CI/CD pipelines.
# In deployment script
#!/bin/bash
# Deploy application
deploy_application.sh
# Run security audit
sudo python3 /opt/security-audit/linux_security_audit.py -m Core,CIS -f JSON -o /tmp/post-deploy-audit.json
# Parse results
FAIL_COUNT=$(jq '.execution_info.fail_count' /tmp/post-deploy-audit.json)
# Fail pipeline if critical issues found
if [ "$FAIL_COUNT" -gt 10 ]; then
echo "Security audit failed with $FAIL_COUNT critical issues"
exit 1
fi
echo "Security audit passed with $FAIL_COUNT issues (acceptable threshold)"Rapid assessment during security incidents.
# Quick critical systems check
sudo python3 linux_security_audit.py -m Core,NSA,CISA -f Console | tee emergency-audit-$(date +%Y%m%d-%H%M%S).txt
# Immediate remediation of critical issues
sudo python3 linux_security_audit.py -m Core,NSA --remediate-fail --auto-remediate# Generate XML for SIEM ingestion
sudo python3 linux_security_audit.py -f XML -o /var/siem-feeds/security-audit-$(hostname)-$(date +%Y%m%d).xml
# Or JSON for modern SIEMs
sudo python3 linux_security_audit.py -f JSON -o /var/siem-feeds/security-audit-$(hostname)-$(date +%Y%m%d).jsonAnsible Playbook Example:
---
- name: Run Linux Security Audit
hosts: all
become: yes
tasks:
- name: Copy audit script
copy:
src: /path/to/linux_security_audit.py
dest: /tmp/linux_security_audit.py
mode: '0755'
- name: Copy security modules
copy:
src: "{{ item }}"
dest: /tmp/
with_fileglob:
- /path/to/module_*.py
- name: Run security audit
command: python3 /tmp/linux_security_audit.py -f JSON -o /tmp/audit.json
register: audit_result
- name: Fetch audit results
fetch:
src: /tmp/audit.json
dest: ./audit-results/{{ inventory_hostname }}-audit.json
flat: yes# Generate audit and parse failures
sudo python3 linux_security_audit.py -f JSON -o /tmp/audit.json
# Create tickets for each FAIL status issue
python3 - <<EOF
import json
import requests
with open('/tmp/audit.json') as f:
data = json.load(f)
for result in data['results']:
if result['status'] == 'Fail':
ticket = {
'title': f"{result['module']} - {result['category']}: {result['message']}",
'description': result['details'],
'priority': 'High',
'remediation': result['remediation']
}
# Post to ticketing API
requests.post('https://ticketing.example.com/api/tickets', json=ticket)
EOF# Generate compliance-focused reports
sudo python3 linux_security_audit.py -m CIS,NIST,ISO27001 -f CSV -o compliance-$(date +%Y%m%d).csv
# Upload to GRC platform via API or file transfer
curl -X POST -F "file=@compliance-$(date +%Y%m%d).csv" https://grc-platform.example.com/api/upload- Test in Non-Production First: Always test on development/staging systems before production
- Schedule Appropriately: Run during maintenance windows or low-usage periods
- Communicate: Inform relevant teams before running audits
- Backup Configurations: Back up critical config files before remediation
- Review Modules: Select appropriate modules for your environment and compliance needs
- Monitor Progress: Watch for errors or unexpected behavior
- Review Results: Don't blindly accept all findings - validate in your context
- Document Changes: Keep logs of all remediations applied
- Test After Remediation: Verify system functionality after applying fixes
- Staged Approach: Fix critical issues first, then warnings, then informational
- Consistent Naming: Use consistent filename conventions
- Centralized Storage: Store reports in a central, backed-up location
- Access Controls: Protect reports (contain security information)
- Retention Policy: Define how long to keep audit reports
- Regular Reviews: Schedule periodic review of audit trends
- Read First: Always read remediation commands before executing
- Understand Impact: Know what the remediation will change
- Test Individually: Test critical remediations one at a time
- Have Rollback Plan: Know how to undo changes if needed
- Document Everything: Keep detailed logs of what was changed and why
- Trend Analysis: Track metrics over time to measure improvement
- Adjust Baselines: Update expectations as security posture improves
- Learn Patterns: Understand recurring issues and address root causes
- Automate Where Safe: Automate known-safe remediations over time
- Share Knowledge: Document lessons learned and share with team
| Scenario | Command | Frequency | Output |
|---|---|---|---|
| Initial Security Baseline | sudo python3 linux_security_audit.py -m Core,CIS |
Once | HTML |
| Daily Monitoring | sudo python3 linux_security_audit.py -f JSON |
Daily (cron) | JSON |
| Weekly Compliance | sudo python3 linux_security_audit.py -m CIS,NIST,ISO27001 |
Weekly | HTML |
| Pre-Deployment Check | sudo python3 linux_security_audit.py -m Core,NSA |
Per-deployment | JSON/Console |
| Emergency Assessment | sudo python3 linux_security_audit.py -m Core,NSA -f Console |
As-needed | Console |
| SIEM Feed | sudo python3 linux_security_audit.py -f XML |
Daily | XML |
| Change Management |
sudo python3 linux_security_audit.py -o before.html + remediate + -o after.html
|
Per-change | HTML |
- Detailed Module Information: Module Documentation
- Output Format Details: Output Reference
- Framework Standards: Framework Reference
- Common Issues: Troubleshooting Guide
- Questions: FAQ
The v3.0 release adds nine new CLI flags that activate enhanced pipeline phases without changing existing behaviour. All v3 flags are optional; running without them produces the same output as v2.0.
Compare the current audit against a previously saved baseline JSON file. Produces a drift report classifying each finding as new failure, resolved, regression, improvement, etc.
# Generate the baseline
sudo python3 linux_security_audit.py -f JSON -o baseline-202604.json
# Later, compare
sudo python3 linux_security_audit.py --baseline baseline-202604.jsonGenerate a bash rollback script during remediation. Captures pre-modification state for sysctl, file content/permissions, services, and kernel modules. Run the generated script to undo all changes.
sudo python3 linux_security_audit.py --remediate-fail --rollback-path /var/lib/audit/rollback.shApply a named remediation bundle. Bundles group related fixes so you can apply a coherent set with one command. Run --list-bundles to see all available bundles.
sudo python3 linux_security_audit.py --remediation-bundle HardenSSH --auto-remediateSet the asset criticality for risk priority scoring. Higher values mean a finding on this system contributes more to the priority score. Default is 5.
# High-value production system
sudo python3 linux_security_audit.py --asset-criticality 9 --show-risk-priority
# Isolated build agent
sudo python3 linux_security_audit.py --asset-criticality 3 --show-risk-priorityDisplay risk priority scores (1-100) for each Fail/Warning finding, ranked highest first. Combines severity, exploitability, exposure, and asset criticality.
Display cross-framework control correlations for each result. Shows how a single finding maps to identifiers in CIS, NIST, STIG, ISO 27001, NSA, CISA, ENISA, PCI DSS, HIPAA, etc.
Run strict result validation. Reports any defects in module output (missing severity, malformed cross-references, control characters in messages).
List all available remediation bundles with their descriptions, included topics, prerequisites, and impact profiles. Exits without running an audit.
python3 linux_security_audit.py --list-bundlesSet the compliance score pass/fail threshold. Default is 70.0. Three scoring methods are computed: simple (pass percentage), weighted (severity-weighted), and severity-adjusted (weight x status credit).
sudo python3 linux_security_audit.py --threshold 85Linux Security Audit Project - Version 3.9 - MIT License
Repository - Releases - Issues - Pull Requests
Changelog - Contributing - Security Policy - License
Frameworks: Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG - ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2
Coverage: 16 Modules - 2,297 Automated Security Checks - 5 Native Output Formats - Zero External Dependencies
This documentation reflects Linux Security Audit Project v3.9 (cross-framework remediation consistency via the canonical remediation registry, PCI-DSS module rename, compliance-scoring fix, attack-surface assessment, per-framework split reports, cross-module correlation, 18 distribution profiles, rollup metrics, OS-aware remediation library). For older versions, see the release tags.
Version 3.9 - 16 modules - 2,297 checks
Original modules (v2.0 baseline + v3.3 expansion)
Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG
New modules (v3.0+ Phase 3)
ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2
Output Formats
HTML - JSON - CSV - XML - Console
Status Values
Pass - Fail - Warning - Info - Error
Severity Levels
Critical - High - Medium - Low - Informational