Skip to content
Ryan edited this page Jul 11, 2026 · 7 revisions

Linux Security Audit Project - Wiki

Welcome to the documentation for the Linux Security Audit Project! This wiki provides everything you need to install, configure, use, and extend this security compliance auditing tool.

Quick Links

Getting Started Reference Development
Quick Start Guide Framework Reference Development Guide
Usage Guide Module Documentation Contributing
Installation Output Reference Security Policy
Examples

What Is This Tool?

The Linux Security Audit Project is a comprehensive Python-based security compliance auditing tool that:

  • Performs 2,297 automated security checks across 16 compliance frameworks
  • Generates reports in multiple formats (HTML, JSON, CSV, XML, Console) with companion JSON metadata
  • Provides detailed remediation guidance with commands and severity ratings
  • Operates audit-only by default - opt-in remediation modes (--remediate-fail, --auto-remediate) require explicit confirmation
  • Compliance scoring - weighted, simple, and severity-adjusted scores with configurable pass/fail thresholds
  • Zero external dependencies - pure Python 3.7+ stdlib; no pip, conda, or external HTTP at runtime
  • Standalone module execution - any module is fully runnable on its own
  • Helper caching layer (v3.6) - per-process cache delivers 5-30x speedup on multi-module audit runs
  • Cross-module correlation (v3.7) - HostFacts registry computes 75 derived host facts once, shared across all modules
  • Per-distribution profiles (v3.7) - --profile rhel9, --profile ubuntu24, --profile fedora, etc.; 18 built-in profiles (Debian and RHEL families) with strict input validation
  • Module Summary tiles + Top Priority Findings (v3.7) - at-a-glance HTML report sections showing health by module and top non-Pass results
  • Parallel execution - configurable worker count via --parallel --workers N
  • OS-aware checks - distribution-specific optimizations for Debian, Red Hat, SUSE, and Arch families
  • Open source under MIT license

Supported Frameworks

The audit tool covers 16 frameworks split into two groups:

Original Core Frameworks (v2.0 baseline + v3.3 expansion)

Module Framework Checks
Core Foundational Linux Security Baseline (sudo/user/mount/cron/GRUB/PAM hygiene + attack-surface) 185
CIS CIS Benchmarks (DIL/Docker/K8s) + Controls v8 IG3 258
CISA CISA CPGs + ZTMM + KEV + Stop Ransomware + SbD + Shields Up 196
ENISA ENISA + NIS2 Art 21 + Cyber Resilience Act Annex I + DORA 142
ISO27001 ISO/IEC 27001:2022 Annex A + 27017/27018/27701 147
NIST NIST 800-53 R5 / CSF 2.0 / 800-171 / 800-207 / 800-161 / SSDF 800-218 234
NSA NSA Guidance + CNSA 2.0 + K8s Hardening + Encrypted DNS + eBPF 193
STIG DISA STIGs (V-numbers) + SRG-APP-SRC/WEB/DB/CTR/NET 205

Phase 3 Expansion Modules (v3.0+)

Module Framework Checks
ACSC ACSC Essential Eight + ISM + ML2/ML3 maturity 69
CMMC CMMC 2.0 + NIST 800-171 Rev 3 + L3 (800-172) + DFARS 94
DistBaseline Distribution Hardening (Ubuntu USG / RHEL / SUSE / Arch) 90
EDR EDR + MITRE ATT&CK + Sigma/YARA + Cloud-Native + Forensics 87
GDPR GDPR Art 32 + ePrivacy + breach notification 75
HIPAA HIPAA Security Rule + 405(d) HICP + breach notification 114
PCI-DSS PCI DSS v4.0.1 (Req 1-12 deep coverage) 110
SOC2 AICPA SOC 2 TSC (CC1-CC9 + Avail/Conf/PI/Privacy) 98

| TOTAL | 16 frameworks | 2,297 |


Documentation Sections

Getting Started

Get running in under 5 minutes

Perfect for first-time users. Covers:

  • Prerequisites verification
  • Installation (Git and manual)
  • Running your first audit
  • Understanding output
  • Common first-run scenarios
  • Next steps

Detailed installation instructions including:

  • System requirements (Python 3.7+, root/sudo)
  • Directory structure verification
  • Module discovery testing

Using the Tool

Comprehensive usage instructions for all scenarios

Learn how to:

  • Use command-line parameters (19 flags)
  • Select specific modules
  • Configure output formats and logging
  • Use parallel execution and profiling
  • Implement common use cases (compliance validation, hardening, drift detection)
  • Interpret results and compliance scores
  • Follow remediation workflow
  • Automate and schedule audits

Featured Sections:

Understanding and using audit reports

Detailed guide to:

  • HTML reports (18+ interactive features, SVG dashboard, compliance scoring)
  • JSON reports (machine-readable, automation-friendly, companion metadata)
  • CSV reports (spreadsheet-compatible, tracking)
  • XML reports (SIEM integration)
  • Console output (real-time progress with compliance scores)
  • Report locations and naming (reports/ and logs/ directories)
  • Parsing and integration examples

Real-world execution examples

For each of the 16 modules:

  • Full module description and coverage areas
  • Console output from test system execution
  • HTML report preview and feature demonstration

Framework Information

Detailed information about each security framework

Comprehensive documentation on: Original Core Frameworks:

  • Core: Baseline security, OS detection, distribution-specific guidance
  • CIS: Benchmark sections 1-6, scored recommendations, implementation groups
  • CISA: CPG v1.0.1, ZTMM v2.0, BOD 22-01/23-01, KEV
  • ENISA: EU NIS2 Article 21, DORA, EU-CSA, ENISA Threat Landscape
  • ISO 27001: Annex A controls (incl. A.8.27-A.8.34) + 27017/27018/27701
  • NIST: 800-53 R5, CSF 2.0, 800-171, 800-207 (Zero Trust), 800-161 (SCRM)
  • NSA: SELinux/MAC, FIPS 140-3, kernel hardening, CSfC, NSA CSAs
  • STIG: V-numbers (RHEL 9, Ubuntu 22.04), GPOS SRG, Container SRG

Phase 3 Expansion Frameworks:

  • ACSC: Australian Essential 8 ML1-3 + ISM
  • CMMC: DoD CMMC 2.0 (L1, L2, L3) + DFARS 7012/7019/7020
  • DistBaseline: Per-distro hardening (Debian, RHEL, SUSE, Arch)
  • EDR: MITRE ATT&CK technique coverage, EDR product detection
  • GDPR: EU GDPR Articles (5, 17, 25, 30, 32, 33, 44)
  • HIPAA: 45 CFR Part 164 (164.308-414)
  • PCI-DSS: PCI DSS v4.0.1 (12 Requirements)
  • SOC2: AICPA Trust Services Criteria (CC1-9, A1, C1, PI, P)

Each section includes framework overview, organization background, specific standards referenced, check categories, resources, and applicability guidance.

Deep dive into each security module

For each of the 16 modules:

  • Module overview and purpose
  • Check categories and count
  • Key checks performed
  • Control/requirement mappings
  • Usage examples (standalone and integrated)
  • When to use the module

Troubleshooting & Support

Solve common issues quickly

Comprehensive troubleshooting for:

  • Execution Issues: Script won't run, module not found
  • Permission Errors: Access denied, root/sudo privileges
  • Module Errors: Individual module failures
  • Output Issues: Reports not generating, format problems
  • Performance Problems: Slow execution, caching issues
  • Results Interpretation: Understanding findings and compliance scores

Quick answers to common questions

Organized by topic: general, installation, execution, results, remediation, integration, troubleshooting, security, and compliance.


Development & Contributing

For developers and contributors

Complete guide covering:

  • Development environment setup
  • Project architecture (orchestrator, modules, shared components)
  • Creating new modules with shared caching API
  • Adding new checks with result format
  • Testing on multiple distributions
  • Code style and conventions
  • Debugging techniques
  • Performance optimization

How to contribute to the project

Ways to contribute: bugs, features, documentation, code, testing, translations. Development workflow, module checklist, and coding standards.

Responsible disclosure and security practices

Supported versions, vulnerability reporting, security considerations, and report security guidance.


Common Tasks

First-Time Users

  1. Quick Start Guide - Get up and running
  2. Usage Guide - Learn basic usage
  3. FAQ - Find answers to common questions

Regular Users

  1. Module Documentation - Understand what each module checks
  2. Output Reference - Master report analysis
  3. Examples - See real-world output
  4. Troubleshooting - Solve issues

Compliance & Audit

  1. Framework Reference - Understand compliance frameworks
  2. Usage Guide - Compliance scenarios
  3. Module Documentation - Framework-specific checks
  4. Examples - Sample audit output for evidence

Developers & Contributors

  1. Development Guide - Set up dev environment
  2. Contributing - Contribution process
  3. Security Policy - Security practices

Additional Resources

Project Files

External Resources

Framework Documentation:

Python & Linux Resources:


Community & Support

Get Help

Stay Updated

  • ** Star the repository** - Show support and get notifications
  • ** Watch releases** - Get notified of new versions
  • ** Follow the project** - Stay informed of updates

Contribute

We welcome contributions! Ways to help:

  • Report bugs
  • Suggest features
  • Improve documentation
  • Submit bug fixes
  • Add new modules or checks
  • Test on different Linux distributions

See Contributing Guidelines or the Development Guide to get started.


Quick Reference

Command Examples

# Run all checks with HTML output
sudo python3 linux_security_audit.py

# Run specific modules
sudo python3 linux_security_audit.py -m STIG,NIST,CIS

# Parallel execution with profiling
sudo python3 linux_security_audit.py --parallel --workers 4 --perf-profile

# JSON output for automation
sudo python3 linux_security_audit.py -f JSON -o "/opt/audits/report.json" --quiet

# Verbose mode for troubleshooting
sudo python3 linux_security_audit.py --verbose --log-level DEBUG

Module Selection Guide

Use Case Recommended Modules
Federal/DoD Systems STIG, NIST, CISA
EU Compliance ENISA, ISO27001
Enterprise Best Practices CIS, Core
Critical Infrastructure CISA, NSA
Quick Assessment Core
Comprehensive Audit All modules

Status Level Quick Reference

Status Symbol Meaning Action
Pass Compliant None
Fail Security issue Fix immediately
Warning Potential issue Review
Info i Informational Note
Error Check failed Investigate

Recent Updates

See CHANGELOG.md for complete version history.

Current Version: 3.9 (Cross-framework remediation consistency via the canonical remediation registry, PCI-DSS module rename, compliance-scoring fix, attack-surface assessment report, per-framework split reports, OS-aware remediation library, cross-module correlation, 18 distribution profiles; all 16 modules run end-to-end with 0 errors and 0 aborts)

  • Shared components library with intelligent caching
  • Parallel module execution
  • Complete HTML report (18+ features)
  • Compliance scoring (3 methods)
  • Structured logging
  • OS-aware checks across 4 distribution families
  • 2,297 security checks across 16 frameworks
  • v3.0 advanced pipeline (correlation, risk scoring, baseline compare, rollback)

Documentation Index

Core Documentation

Reference Documentation

Development Documentation

Operations


Tips for Using This Wiki

  • Use the search (top right) to find specific topics
  • Sidebar navigation (right side) provides quick access to all pages
  • Links are color-coded: Blue for internal wiki pages, purple for external resources
  • Code blocks have copy button for easy use
  • Most pages have a Table of Contents at the top for quick navigation

Thank You!

Thank you for using the Linux Security Audit Project! This tool is maintained by volunteers and supported by the security community.

Questions? Issues? Ideas? We'd love to hear from you:

If this tool helps you, please:

  • Star the repository
  • Share with colleagues
  • Contribute back

Made with for the cybersecurity community

Back to GitHub Repository


Linux Security Audit Project - Version 3.9 - MIT License Last Updated: April 2026 Maintained By: Sandler73 Project Status: Active Development

Linux Security Audit

Version 3.9 - 16 modules - 2,297 checks


Getting Started


Reference


Architecture


Operations


Release Information


Quick Reference

Original modules (v2.0 baseline + v3.3 expansion)

Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG

New modules (v3.0+ Phase 3)

ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2

Output Formats

HTML - JSON - CSV - XML - Console

Status Values

Pass - Fail - Warning - Info - Error

Severity Levels

Critical - High - Medium - Low - Informational


External Links

Clone this wiki locally