-
Notifications
You must be signed in to change notification settings - Fork 2
Home
Welcome to the documentation for the Linux Security Audit Project! This wiki provides everything you need to install, configure, use, and extend this security compliance auditing tool.
| Getting Started | Reference | Development |
|---|---|---|
| Quick Start Guide | Framework Reference | Development Guide |
| Usage Guide | Module Documentation | Contributing |
| Installation | Output Reference | Security Policy |
| Examples |
The Linux Security Audit Project is a Python-based security compliance auditing tool that:
- Performs 2,297 automated security checks across 16 compliance frameworks
- Generates reports in multiple formats (HTML, JSON, CSV, XML, Console) with companion JSON metadata
- Provides detailed remediation guidance with commands and severity ratings
- Operates audit-only by default - opt-in remediation modes (
--remediate-fail,--auto-remediate) require explicit confirmation - Compliance scoring - weighted, simple, and severity-adjusted scores with configurable pass/fail thresholds
- Zero external dependencies - pure Python 3.7+ stdlib; no pip, conda, or external HTTP at runtime
- Standalone module execution - any module is fully runnable on its own
- Helper caching layer (v3.6) - per-process cache delivers 5-30x speedup on multi-module audit runs
-
Cross-module correlation (v3.7) -
HostFactsregistry computes 75 derived host facts once, shared across all modules -
Per-distribution profiles (v3.7) -
--profile rhel9,--profile ubuntu24,--profile fedora, etc.; 18 built-in profiles (Debian and RHEL families) with strict input validation - Module Summary tiles + Top Priority Findings (v3.7) - at-a-glance HTML report sections showing health by module and top non-Pass results
-
Parallel execution - configurable worker count via
--parallel --workers N - OS-aware checks - distribution-specific optimizations for Debian, Red Hat, SUSE, and Arch families
- Open source under MIT license
The audit tool covers 16 frameworks split into two groups:
| Module | Framework | Checks |
|---|---|---|
| Core | Foundational Linux Security Baseline (sudo/user/mount/cron/GRUB/PAM hygiene + attack-surface) | 185 |
| CIS | CIS Benchmarks (DIL/Docker/K8s) + Controls v8 IG3 | 258 |
| CISA | CISA CPGs + ZTMM + KEV + Stop Ransomware + SbD + Shields Up | 196 |
| ENISA | ENISA + NIS2 Art 21 + Cyber Resilience Act Annex I + DORA | 142 |
| ISO27001 | ISO/IEC 27001:2022 Annex A + 27017/27018/27701 | 147 |
| NIST | NIST 800-53 R5 / CSF 2.0 / 800-171 / 800-207 / 800-161 / SSDF 800-218 | 234 |
| NSA | NSA Guidance + CNSA 2.0 + K8s Hardening + Encrypted DNS + eBPF | 193 |
| STIG | DISA STIGs (V-numbers) + SRG-APP-SRC/WEB/DB/CTR/NET | 205 |
| Module | Framework | Checks |
|---|---|---|
| ACSC | ACSC Essential Eight + ISM + ML2/ML3 maturity | 69 |
| CMMC | CMMC 2.0 + NIST 800-171 Rev 3 + L3 (800-172) + DFARS | 94 |
| DistBaseline | Distribution Hardening (Ubuntu USG / RHEL / SUSE / Arch) | 90 |
| EDR | EDR + MITRE ATT&CK + Sigma/YARA + Cloud-Native + Forensics | 87 |
| GDPR | GDPR Art 32 + ePrivacy + breach notification | 75 |
| HIPAA | HIPAA Security Rule + 405(d) HICP + breach notification | 114 |
| PCI-DSS | PCI DSS v4.0.1 (Req 1-12 deep coverage) | 110 |
| SOC2 | AICPA SOC 2 TSC (CC1-CC9 + Avail/Conf/PI/Privacy) | 98 |
| TOTAL | 16 frameworks | 2,297 |
Get running in under 5 minutes
Perfect for first-time users. Covers:
- Prerequisites verification
- Installation (Git and manual)
- Running your first audit
- Understanding output
- Common first-run scenarios
- Next steps
Detailed installation instructions including:
- System requirements (Python 3.7+, root/sudo)
- Directory structure verification
- Module discovery testing
Comprehensive usage instructions for all scenarios
Learn how to:
- Use command-line parameters (19 flags)
- Select specific modules
- Configure output formats and logging
- Use parallel execution and profiling
- Implement common use cases (compliance validation, hardening, drift detection)
- Interpret results and compliance scores
- Follow remediation workflow
- Automate and schedule audits
Featured Sections:
Understanding and using audit reports
Detailed guide to:
- HTML reports (18+ interactive features, SVG dashboard, compliance scoring)
- JSON reports (machine-readable, automation-friendly, companion metadata)
- CSV reports (spreadsheet-compatible, tracking)
- XML reports (SIEM integration)
- Console output (real-time progress with compliance scores)
- Report locations and naming (
reports/andlogs/directories) - Parsing and integration examples
Real-world execution examples
For each of the 16 modules:
- Full module description and coverage areas
- Console output from test system execution
- HTML report preview and feature demonstration
Detailed information about each security framework
Documentation on: Security Frameworks:
- Core: Baseline security, OS detection, distribution-specific guidance
- CIS: Benchmark sections 1-6, scored recommendations, implementation groups
- CISA: CPG v1.0.1, ZTMM v2.0, BOD 22-01/23-01, KEV
- ENISA: EU NIS2 Article 21, DORA, EU-CSA, ENISA Threat Landscape
- ISO 27001: Annex A controls (incl. A.8.27-A.8.34) + 27017/27018/27701
- NIST: 800-53 R5, CSF 2.0, 800-171, 800-207 (Zero Trust), 800-161 (SCRM)
- NSA: SELinux/MAC, FIPS 140-3, kernel hardening, CSfC, NSA CSAs
- STIG: V-numbers (RHEL 9, Ubuntu 22.04), GPOS SRG, Container SRG
Additional Frameworks:
- ACSC: Australian Essential 8 ML1-3 + ISM
- CMMC: DoD CMMC 2.0 (L1, L2, L3) + DFARS 7012/7019/7020
- DistBaseline: Per-distro hardening (Debian, RHEL, SUSE, Arch)
- EDR: MITRE ATT&CK technique coverage, EDR product detection
- GDPR: EU GDPR Articles (5, 17, 25, 30, 32, 33, 44)
- HIPAA: 45 CFR Part 164 (164.308-414)
- PCI-DSS: PCI DSS v4.0.1 (12 Requirements)
- SOC2: AICPA Trust Services Criteria (CC1-9, A1, C1, PI, P)
Each section includes framework overview, organization background, specific standards referenced, check categories, resources, and applicability guidance.
Deep dive into each security module
For each of the 16 modules:
- Module overview and purpose
- Check categories and count
- Key checks performed
- Control/requirement mappings
- Usage examples (standalone and integrated)
- When to use the module
Solve common issues quickly
Comprehensive troubleshooting for:
- Execution Issues: Script won't run, module not found
- Permission Errors: Access denied, root/sudo privileges
- Module Errors: Individual module failures
- Output Issues: Reports not generating, format problems
- Performance Problems: Slow execution, caching issues
- Results Interpretation: Understanding findings and compliance scores
Quick answers to common questions
Organized by topic: general, installation, execution, results, remediation, integration, troubleshooting, security, and compliance.
For developers and contributors
Complete guide covering:
- Development environment setup
- Project architecture (orchestrator, modules, shared components)
- Creating new modules with shared caching API
- Adding new checks with result format
- Testing on multiple distributions
- Code style and conventions
- Debugging techniques
- Performance optimization
How to contribute to the project
Ways to contribute: bugs, features, documentation, code, testing, translations. Development workflow, module checklist, and coding standards.
Responsible disclosure and security practices
Supported versions, vulnerability reporting, security considerations, and report security guidance.
- Quick Start Guide - Get up and running
- Usage Guide - Learn basic usage
- FAQ - Find answers to common questions
- Module Documentation - Understand what each module checks
- Output Reference - Master report analysis
- Examples - See real-world output
- Troubleshooting - Solve issues
- Framework Reference - Understand compliance frameworks
- Usage Guide - Compliance scenarios
- Module Documentation - Framework-specific checks
- Examples - Sample audit output for evidence
- Development Guide - Set up dev environment
- Contributing - Contribution process
- Security Policy - Security practices
- README.md - Project overview and quick start
- CHANGELOG.md - Version history and release notes
- LICENSE.md - MIT License with supplementary terms
- CONTRIBUTING.md - Contribution guidelines
- SECURITY.md - Security policy
Framework Documentation:
Python & Linux Resources:
- ** GitHub Discussions** - Ask questions, share tips
- ** GitHub Issues** - Report bugs, request features
- ** Wiki** - Complete documentation (you are here!)
- ** Star the repository** - Show support and get notifications
- ** Watch releases** - Get notified of new versions
- ** Follow the project** - Stay informed of updates
We welcome contributions! Ways to help:
- Report bugs
- Suggest features
- Improve documentation
- Submit bug fixes
- Add new modules or checks
- Test on different Linux distributions
See Contributing Guidelines or the Development Guide to get started.
# Run all checks with HTML output
sudo python3 linux_security_audit.py
# Run specific modules
sudo python3 linux_security_audit.py -m STIG,NIST,CIS
# Parallel execution with profiling
sudo python3 linux_security_audit.py --parallel --workers 4 --perf-profile
# JSON output for automation
sudo python3 linux_security_audit.py -f JSON -o "/opt/audits/report.json" --quiet
# Verbose mode for troubleshooting
sudo python3 linux_security_audit.py --verbose --log-level DEBUG| Use Case | Recommended Modules |
|---|---|
| Federal/DoD Systems | STIG, NIST, CISA |
| EU Compliance | ENISA, ISO27001 |
| Enterprise Best Practices | CIS, Core |
| Critical Infrastructure | CISA, NSA |
| Quick Assessment | Core |
| Comprehensive Audit | All modules |
| Status | Symbol | Meaning | Action |
|---|---|---|---|
| Pass | Compliant | None | |
| Fail | Security issue | Fix immediately | |
| Warning | Potential issue | Review | |
| Info | i | Informational | Note |
| Error | Check failed | Investigate |
See CHANGELOG.md for complete version history.
Current Version: 3.9 (Cross-framework remediation consistency via the canonical remediation registry, PCI-DSS module rename, compliance-scoring fix, attack-surface assessment report, per-framework split reports, OS-aware remediation library, cross-module correlation, 18 distribution profiles; all 16 modules run end-to-end with 0 errors and 0 aborts)
- Shared components library with intelligent caching
- Parallel module execution
- Complete HTML report (18+ features)
- Compliance scoring (3 methods)
- Structured logging
- OS-aware checks across 4 distribution families
- 2,297 security checks across 16 frameworks
- v3.0 advanced pipeline (correlation, risk scoring, baseline compare, rollback)
- Home (you are here)
- Quick Start Guide
- Usage Guide
- FAQ
- Use the search (top right) to find specific topics
- Sidebar navigation (right side) provides quick access to all pages
- Links are color-coded: Blue for internal wiki pages, purple for external resources
- Code blocks have copy button for easy use
- Most pages have a Table of Contents at the top for quick navigation
Thank you for using the Linux Security Audit Project. This project is maintained by Sandler73.
Questions? Issues? Ideas? We'd love to hear from you:
If this tool helps you, please:
- Star the repository
- Share with colleagues
- Contribute back
Made with for the cybersecurity community
Linux Security Audit Project - Version 3.9 - MIT License Last Updated: April 2026 Maintained By: Sandler73 Project Status: Active Development
Linux Security Audit Project - Version 3.9 - MIT License
Repository - Releases - Issues - Pull Requests
Changelog - Contributing - Security Policy - License
Frameworks: Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG - ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2
Coverage: 16 Modules - 2,297 Automated Security Checks - 5 Native Output Formats - Zero External Dependencies
This documentation reflects Linux Security Audit Project v3.9 (cross-framework remediation consistency via the canonical remediation registry, PCI-DSS module rename, compliance-scoring fix, attack-surface assessment, per-framework split reports, cross-module correlation, 18 distribution profiles, rollup metrics, OS-aware remediation library). For older versions, see the release tags.
Version 3.9 - 16 modules - 2,297 checks
Original modules (v2.0 baseline + v3.3 expansion)
Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG
New modules (v3.0+ Phase 3)
ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2
Output Formats
HTML - JSON - CSV - XML - Console
Status Values
Pass - Fail - Warning - Info - Error
Severity Levels
Critical - High - Medium - Low - Informational