Skip to content

Module Documentation

Ryan edited this page Jul 11, 2026 · 4 revisions

Module Documentation

This guide provides detailed documentation for all security modules included in the Linux Security Audit Project, including their capabilities, check categories, standards coverage, and implementation details.

Table of Contents

Security Framework Modules

Additional Framework Modules

Reference

Module Overview

The Linux Security Audit Project includes 16 specialized security modules: Core, CIS, CISA, ENISA, ISO27001, NIST, NSA, STIG, ACSC, CMMC, DistBaseline, EDR, GDPR, HIPAA, PCI-DSS, and SOC2. Each focuses on a different security framework, standard, or compliance requirement.

Module Comparison Matrix

Security Framework Modules

Module v3.5 Checks Focus Area Target Audience
Core 198 Baseline + sudo/user/mount/cron/GRUB/PAM hygiene + attack-surface enumeration All environments
CIS 269 CIS Benchmarks (DIL/Docker/K8s) + Controls v8 IG3 All environments, compliance
CISA 198 CISA CPGs + ZTMM + KEV + Stop Ransomware + SbD + Shields Up Government, critical infrastructure
ENISA 142 ENISA + NIS2 Art 21 + Cyber Resilience Act + DORA European organizations
ISO27001 149 ISO 27001:2022 Annex A + 27017/27018/27701 Compliance, enterprise, cloud
NIST 235 NIST 800-53 R5, CSF 2.0, 800-171, 800-207, 800-161, SSDF 800-218 Government, compliance, enterprise
NSA 193 NSA Guidance + CNSA 2.0 + K8s Hardening + Encrypted DNS + eBPF Defense, high-security
STIG 210 DISA STIGs (V-numbers) + SRG-APP-SRC/WEB/DB/CTR/NET Government, defense, contractors

Additional Framework Modules

Module v3.5 Checks Focus Area Target Audience
ACSC 69 ACSC Essential Eight + ISM + ML2/ML3 maturity Australian government, ML3 environments
CMMC 94 CMMC 2.0 + NIST 800-171 Rev 3 + L3 (800-172) + DFARS Defense industrial base contractors
DistBaseline 90 Distribution Hardening (Ubuntu USG / RHEL / SUSE / Arch) Multi-distro environments
EDR 87 EDR + MITRE ATT&CK + Sigma/YARA + Cloud-Native + Forensics SOC, threat hunting teams
GDPR 75 GDPR Art 32 + ePrivacy + breach notification EU data controllers/processors
HIPAA 114 HIPAA Security Rule + 405(d) HICP + breach notification Healthcare, covered entities
PCI 110 PCI DSS v4.0.1 (Req 1-12 deep coverage) Card-handling environments
SOC2 98 AICPA SOC 2 TSC (CC1-CC9 + Avail/Conf/PI/Privacy) SaaS, service organizations

TOTAL: 16 modules - 2,297 checks (full inventory; runtime count varies by host as conditional checks fire)

Module Selection Guidance

For General Security Assessment:

  • Start with: Core + CIS + DistBaseline
  • Provides fundamental security baseline, industry best practices, and distribution-specific hardening checks

For Compliance Requirements:

  • Financial Services: PCI + SOC2 + ISO27001 + NIST
  • Healthcare (US): HIPAA + ISO27001 + NIST + CIS
  • Government/Federal (US): STIG + NIST + NSA + CMMC
  • Defense Industrial Base: CMMC + STIG + NIST + NSA
  • EU Organizations: GDPR + ENISA + ISO27001 + CIS
  • Australian Government: ACSC + ISO27001 + CIS
  • Critical Infrastructure: CISA + NIST + NSA + STIG
  • Cloud Service Providers: ISO27001 (with 27017/27018) + SOC2 + NIST

For Security Hardening:

  • General Hardening: Core + CIS + NSA + DistBaseline
  • Maximum Security: NSA + STIG + NIST + CMMC
  • Detection & Response: EDR + CISA (ZTMM) + NIST (continuous monitoring)

For Privacy Compliance:

  • EU/Global: GDPR + ISO27701 (via ISO27001 module) + ISO27018
  • Healthcare: HIPAA + GDPR (if EU patients)

Core Module

Overview

Module Name: Core Version: 3.9 File: modules/module_core.py Check Count: 185 Standards: Industry best practices, vendor security guides

Description

The Core module provides fundamental baseline security assessment for Linux systems with intelligent OS detection and distribution-specific optimizations. It forms the foundation for all other security assessments.

Key Features

  • Dynamic OS Detection: Automatically identifies distribution family (Debian, RedHat, SUSE, Arch)
  • Distribution-Specific Checks: Tailored security assessments for Ubuntu, Debian, RHEL, CentOS, Fedora, etc.
  • Package Manager Integration: Native support for APT, YUM, DNF, Zypper, Pacman
  • Baseline Security Focus: Essential security controls applicable to all Linux systems

Check Categories

1. OS Detection & Version Management

  • Operating system identification and classification
  • Distribution version verification
  • Kernel version assessment
  • Architecture detection
  • Package manager identification
  • Init system detection (systemd, sysvinit, upstart)

Example Checks:

- Detect OS family and distribution
- Verify supported OS version
- Check kernel version currency
- Identify package management system

2. Package Management Security

  • Security update availability
  • Package manager configuration
  • Automatic update configuration
  • Repository integrity verification
  • GPG key validation

Distribution-Specific:

  • Debian/Ubuntu: APT security configuration, unattended-upgrades
  • RHEL/CentOS/Fedora: YUM/DNF security settings, automatic updates
  • SUSE: Zypper configuration, update mechanisms
  • Arch: Pacman security settings

Example Checks:

- Security updates available (count and packages)
- Automatic updates enabled
- Package manager GPG verification enabled
- Repository signatures validated

3. Service Management & Hardening

  • Running service inventory
  • Unnecessary service detection
  • Service security configuration
  • Systemd hardening options
  • Legacy service detection

Example Checks:

- List all running services
- Detect unnecessary services (telnet, rsh, etc.)
- Verify service isolation (PrivateTmp, ProtectHome, etc.)
- Check for insecure protocols

4. User & Group Security

  • User account auditing
  • Password policy enforcement
  • Privileged user detection
  • Group membership validation
  • Home directory security
  • Shell restrictions

Example Checks:

- Verify password aging configuration
- Check for users with UID 0 (besides root)
- Audit sudo/wheel group membership
- Verify password complexity requirements
- Check for users without passwords
- Validate home directory permissions (700)

5. Filesystem Security & Permissions

  • Critical file permissions
  • Mount point security options
  • File system integrity
  • SUID/SGID binary audit
  • World-writable file detection

Example Checks:

- Verify /etc/passwd permissions (644)
- Verify /etc/shadow permissions (000 or 400)
- Check /etc/ssh/sshd_config permissions (600)
- Audit SUID/SGID binaries
- Detect world-writable files
- Verify separate partitions (/tmp, /var, /home)

6. Network Configuration Baseline

  • Firewall status and configuration
  • Network parameter hardening
  • Open port detection
  • Network service security
  • IPv4/IPv6 configuration

Example Checks:

- UFW/firewalld status and configuration
- IP forwarding disabled (unless router)
- ICMP redirects disabled
- Source routing disabled
- SYN cookies enabled
- Open listening ports audit

7. Process & Memory Security

  • Running process audit
  • Memory protection mechanisms
  • Core dump configuration
  • Process restrictions
  • Resource limits

Example Checks:

- ASLR (Address Space Layout Randomization) enabled
- Core dumps restricted
- ptrace protection enabled
- Process accounting configured

8. System Updates & Patch Management

  • System update status
  • Reboot required detection
  • Update sources validation
  • Security advisory tracking

Example Checks:

- Count of available security updates
- System reboot required check
- Last update timestamp
- Update notification configuration

9. Security Tools & Monitoring

  • Security software detection
  • Antivirus/anti-malware status
  • Intrusion detection systems
  • File integrity monitoring
  • Log monitoring tools

Example Checks:

- ClamAV or other antivirus installed
- AIDE/Tripwire file integrity monitoring
- Fail2ban intrusion prevention
- rkhunter/chkrootkit rootkit detection
- Auditd system auditing enabled

10. Attack Surface Enumeration (v3.8)

  • External-facing TCP/UDP listener enumeration
  • Legacy/cleartext service binary detection
  • SUID/SGID binary exposure summary
  • World-writable file exposure summary
  • Container runtime socket exposure
  • Kernel module loading lockdown state

These checks use the dedicated CORE - Attack Surface category and feed the attack-surface assessment report (--attack-surface). CORE is the home for cross-cutting exposure enumeration because it is the only non-framework-tied module.

Example Checks:

- CORE-AS-001: External-facing TCP listeners (loopback vs external)
- CORE-AS-003: Legacy/cleartext service binaries (telnet, rsh, ftp, ...)
- CORE-AS-004: SUID/SGID binary exposure count
- CORE-AS-006: Container runtime socket exposure (/var/run/docker.sock)
- CORE-AS-007: Kernel module loading lockdown (kernel.modules_disabled)

Supported Distributions

Debian Family

  • Ubuntu: 18.04 LTS (Bionic), 20.04 LTS (Focal), 22.04 LTS (Jammy), 24.04 LTS (Noble)
  • Debian: 9 (Stretch), 10 (Buster), 11 (Bullseye), 12 (Bookworm)
  • Linux Mint: 19+, 20+, 21+
  • Kali Linux: 2020+

RedHat Family

  • RHEL: 7, 8, 9
  • CentOS: 7, 8 (Stream 8, Stream 9)
  • Fedora: 28+, 35+, 38+
  • Rocky Linux: 8, 9
  • AlmaLinux: 8, 9

Other Distributions

  • SUSE/openSUSE: Leap 15+, Tumbleweed
  • Arch Linux: Rolling release

Example Usage

# Run Core module only
sudo python3 linux_security_audit.py -m Core

# Core + CIS for baseline assessment
sudo python3 linux_security_audit.py -m Core,CIS

Remediation Capabilities

The Core module provides remediation commands for:

  • Enabling firewall (UFW/firewalld)
  • Configuring password policies
  • Setting file permissions
  • Disabling unnecessary services
  • Enabling security updates
  • Configuring network parameters

Extended Coverage

The Core module provides depth across:

  • Per-service systemd hardening: ProtectSystem, ProtectHome, PrivateTmp, NoNewPrivileges, RestrictRealtime, MemoryDenyWriteExecute, RestrictSUIDSGID, LockPersonality directive coverage on sshd, journald, auditd, rsyslog, chrony, cron services
  • Advanced kernel features: Kernel lockdown mode, Integrity Measurement Architecture (IMA), kernel module signing enforcement (sig_enforce), CPU vulnerability mitigations (Meltdown, Spectre v1/v2, MDS, L1TF, SRBDS, TSX async abort), user namespace controls
  • Secure boot chain: UEFI/EFI variables, mokutil Secure Boot state, GRUB password protection (password_pbkdf2)
  • SUSE-specific: snapper btrfs snapshots, AppArmor MAC, zypper repo signing
  • Arch-specific: pacman keyring, SigLevel strict (Required DatabaseRequired), reflector for mirrorlist
  • Container host hardening: cgroup v2 unified hierarchy, Docker daemon hardening (userns-remap, no-new-privileges, icc=false, live-restore)
  • Time security: chrony NTS-authenticated time synchronization
  • Advanced filesystem: btrfs/zfs detection, /tmp on tmpfs (RAM-backed)

CIS Module

Overview

Module Name: CIS Version: 3.9 File: modules/module_cis.py Check Count: 258 Standards: CIS Benchmarks for Linux

Description

Comprehensive implementation of Center for Internet Security (CIS) Benchmarks for Linux systems. Provides detailed compliance checks across all CIS Benchmark sections with OS-aware optimizations.

CIS Benchmark Coverage

The module implements CIS Benchmarks organized into six major sections:

Section 1: Initial Setup (40+ checks)

  • 1.1 Filesystem Configuration: Partition schemes, mount options, filesystem types
  • 1.2 Configure Software Updates: Package management and update configuration
  • 1.3 Filesystem Integrity Checking: AIDE configuration and scheduling
  • 1.4 Secure Boot Settings: Boot loader password, permissions
  • 1.5 Additional Process Hardening: Address space randomization, core dumps
  • 1.6 Mandatory Access Control: SELinux/AppArmor configuration

Example Checks:

- Ensure separate partition for /tmp
- Ensure nodev option set on /tmp partition
- Ensure nosuid option set on /tmp partition
- Ensure noexec option set on /tmp partition
- Ensure separate partition for /var
- Ensure separate partition for /var/tmp
- Ensure separate partition for /var/log
- Ensure separate partition for /var/log/audit
- Ensure separate partition for /home
- Ensure AIDE is installed
- Ensure filesystem integrity checked periodically
- Ensure bootloader password is set
- Ensure permissions on bootloader config are configured (400)
- Ensure core dumps are restricted
- Ensure address space layout randomization is enabled

Section 2: Services (35+ checks)

  • 2.1 Time Synchronization: NTP/chrony configuration
  • 2.2 Special Purpose Services: X11, Avahi, CUPS, DHCP, LDAP, NFS, RPC, DNS, FTP, HTTP, IMAP/POP3, Samba, SNMP, rsync
  • 2.3 Service Clients: NIS, rsh, talk, telnet, LDAP clients

Example Checks:

- Ensure time synchronization is in use (systemd-timesyncd/chronyd/ntpd)
- Ensure chrony is configured
- Ensure X Window System is not installed
- Ensure Avahi Server is not installed
- Ensure CUPS is not installed
- Ensure DHCP Server is not installed
- Ensure LDAP server is not installed
- Ensure NFS is not installed
- Ensure DNS Server is not installed
- Ensure FTP Server is not installed
- Ensure HTTP server is not installed
- Ensure IMAP and POP3 server is not installed
- Ensure Samba is not installed
- Ensure HTTP Proxy Server is not installed
- Ensure SNMP Server is not installed
- Ensure rsync service is not installed
- Ensure NIS Client is not installed
- Ensure rsh client is not installed
- Ensure talk client is not installed
- Ensure telnet client is not installed

Section 3: Network Configuration (45+ checks)

  • 3.1 Network Parameters (Host Only): IP forwarding, packet redirects, source routing, ICMP
  • 3.2 Network Parameters (Host and Router): Suspicious packets, TCP SYN cookies
  • 3.3 IPv6 Configuration: IPv6 parameters (if applicable)
  • 3.4 TCP Wrappers: Host allow/deny configuration
  • 3.5 Uncommon Network Protocols: DCCP, SCTP, RDS, TIPC

Example Checks:

- Ensure IP forwarding is disabled
- Ensure packet redirect sending is disabled
- Ensure source routed packets are not accepted
- Ensure ICMP redirects are not accepted
- Ensure secure ICMP redirects are not accepted
- Ensure suspicious packets are logged
- Ensure broadcast ICMP requests are ignored
- Ensure bogus ICMP responses are ignored
- Ensure Reverse Path Filtering is enabled
- Ensure TCP SYN Cookies is enabled
- Ensure IPv6 router advertisements are not accepted
- Ensure IPv6 redirects are not accepted
- Ensure TCP Wrappers is installed
- Ensure /etc/hosts.allow is configured
- Ensure /etc/hosts.deny is configured
- Ensure DCCP is disabled
- Ensure SCTP is disabled
- Ensure RDS is disabled
- Ensure TIPC is disabled

Section 4: Logging and Auditing (40+ checks)

  • 4.1 Configure System Accounting (auditd): Audit system configuration, rules, log management
  • 4.2 Configure Logging: rsyslog/syslog-ng configuration, remote logging, log file permissions

Example Checks:

- Ensure auditd is installed
- Ensure auditd service is enabled
- Ensure auditing for processes that start prior to auditd is enabled
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
- Ensure system is disabled when audit logs are full
- Ensure audit_backlog_limit is sufficient
- Ensure events that modify date and time are collected
- Ensure events that modify user/group information are collected
- Ensure events that modify the system's network environment are collected
- Ensure events that modify the system's MAC are collected
- Ensure login and logout events are collected
- Ensure session initiation information is collected
- Ensure discretionary access control permission changes are collected
- Ensure unsuccessful unauthorized file access attempts are collected
- Ensure successful file system mounts are collected
- Ensure file deletion events are collected
- Ensure kernel module loading/unloading is collected
- Ensure rsyslog is installed
- Ensure rsyslog service is enabled
- Ensure logging is configured
- Ensure rsyslog is configured to send logs to remote host
- Ensure remote rsyslog messages accepted on designated log hosts
- Ensure all logfiles have appropriate permissions and ownership

Section 5: Access, Authentication, Authorization (50+ checks)

  • 5.1 Configure Cron: Cron daemon, crontab permissions
  • 5.2 SSH Server Configuration: SSH hardening settings
  • 5.3 Configure PAM: Password quality, lockout policies, password reuse
  • 5.4 User Accounts and Environment: Password expiration, default umask, shell timeouts
  • 5.5 Ensure root login restricted: Console restrictions
  • 5.6 Ensure access to su command restricted: Wheel group restriction

Example Checks:

- Ensure cron daemon is enabled
- Ensure permissions on /etc/crontab are configured (600)
- Ensure permissions on /etc/cron.hourly are configured (700)
- Ensure permissions on /etc/cron.daily are configured (700)
- Ensure permissions on /etc/cron.weekly are configured (700)
- Ensure permissions on /etc/cron.monthly are configured (700)
- Ensure permissions on /etc/cron.d are configured (700)
- Ensure at/cron is restricted to authorized users
- Ensure permissions on /etc/ssh/sshd_config are configured (600)
- Ensure SSH Protocol is set to 2
- Ensure SSH LogLevel is appropriate (INFO or VERBOSE)
- Ensure SSH X11 forwarding is disabled
- Ensure SSH MaxAuthTries is set to 4 or less
- Ensure SSH IgnoreRhosts is enabled
- Ensure SSH HostbasedAuthentication is disabled
- Ensure SSH root login is disabled
- Ensure SSH PermitEmptyPasswords is disabled
- Ensure SSH PermitUserEnvironment is disabled
- Ensure only strong ciphers are used
- Ensure only strong MAC algorithms are used
- Ensure only strong Key Exchange algorithms are used
- Ensure SSH Idle Timeout Interval is configured
- Ensure SSH LoginGraceTime is set to one minute or less
- Ensure SSH warning banner is configured
- Ensure password creation requirements are configured
- Ensure lockout for failed password attempts is configured
- Ensure password reuse is limited
- Ensure password hashing algorithm is SHA-512
- Ensure password expiration is 365 days or less
- Ensure minimum days between password changes is 7 or more
- Ensure password expiration warning days is 7 or more
- Ensure inactive password lock is 30 days or less
- Ensure default group for root account is GID 0
- Ensure default user umask is 027 or more restrictive
- Ensure default user shell timeout is 900 seconds or less
- Ensure root login is restricted to system console
- Ensure access to su command is restricted

Section 6: System Maintenance (30+ checks)

  • 6.1 System File Permissions: Permissions on critical files
  • 6.2 User and Group Settings: Password fields, duplicate UIDs/GIDs, user home directories

Example Checks:

- Ensure permissions on /etc/passwd are configured (644)
- Ensure permissions on /etc/shadow are configured (000 or 400)
- Ensure permissions on /etc/group are configured (644)
- Ensure permissions on /etc/gshadow are configured (000 or 400)
- Ensure permissions on /etc/passwd- are configured (600)
- Ensure permissions on /etc/shadow- are configured (000 or 400)
- Ensure permissions on /etc/group- are configured (600)
- Ensure permissions on /etc/gshadow- are configured (000 or 400)
- Ensure no world writable files exist
- Ensure no unowned files or directories exist
- Ensure no ungrouped files or directories exist
- Audit SUID executables
- Audit SGID executables
- Ensure password fields are not empty
- Ensure no legacy "+" entries exist in /etc/passwd
- Ensure no legacy "+" entries exist in /etc/shadow
- Ensure no legacy "+" entries exist in /etc/group
- Ensure root is the only UID 0 account
- Ensure all users' home directories exist
- Ensure users' home directories permissions are 750 or more restrictive
- Ensure users own their home directories
- Ensure users' dot files are not group or world writable
- Ensure no users have .forward files
- Ensure no users have .netrc files
- Ensure users' .netrc Files are not group or world accessible
- Ensure no users have .rhosts files
- Ensure all groups in /etc/passwd exist in /etc/group
- Ensure no duplicate UIDs exist
- Ensure no duplicate GIDs exist
- Ensure no duplicate user names exist
- Ensure no duplicate group names exist

OS-Specific Adaptations

The CIS module automatically adapts checks based on detected OS:

  • Package Managers: APT, YUM, DNF, Zypper-specific commands
  • Mandatory Access Control: SELinux (RedHat) vs AppArmor (Debian)
  • Init Systems: Systemd vs SysVinit commands
  • File Paths: Distribution-specific configuration locations

Example Usage

# Run CIS module only
sudo python3 linux_security_audit.py -m CIS

# CIS compliance report
sudo python3 linux_security_audit.py -m CIS -o cis-compliance-$(date +%Y%m%d).html

Compliance Levels

CIS Benchmarks define two compliance profiles:

  • Level 1: Basic security requirements with minimal impact
  • Level 2: Defense-in-depth security with potential operational impact

This module implements checks from both levels, allowing organizations to assess against their target compliance level.

Extended Coverage

The CIS module provides depth across:

  • CIS 5.2.13-5.2.22 advanced SSH: Ciphers, MACs, KexAlgorithms, HostKeyAlgorithms, LoginGraceTime, MaxAuthTries, MaxStartups, MaxSessions, AllowTcpForwarding, PermitUserEnvironment
  • CIS 5.4.1.x faillock: deny count, unlock_time
  • CIS 5.4.2.x pwquality: minlen, dcredit/ucredit/ocredit/lcredit, minclass, maxrepeat, dictcheck
  • CIS 5.4.3 pam_pwhistory: remember count
  • CIS 5.4.4 ENCRYPT_METHOD: SHA512 / yescrypt
  • CIS 4.1.3.1-4.1.3.20 auditd ruleset: 14 audit categories - time-change, identity, system-locale, MAC-policy, logins, session, perm_mod, access, mount, delete, sudoers, sudo.log, modules, immutable
  • CIS 3.5.2.x nftables: modern firewall installed, service active, default deny
  • CIS 1.1.1.x extended filesystem: cramfs, freevxfs, jffs2, hfs, hfsplus, udf, squashfs disabled
  • CIS 1.10: system-wide crypto policy

Additional Coverage

The CIS module additionally covers Controls 16-18 + IG3 + Benchmark depth:

  • Control 16 Application Software Security: hardening templates, SAST, vetted modules
  • Control 17 IR Management: notification, log preservation, triage tooling
  • Control 18 Penetration Testing: tooling, scheduled re-test cadence
  • CIS Distribution-Independent Linux Benchmark: ASLR, prelink, kptr, inactive lock, critical file permissions
  • CIS Docker Benchmark (conditional): daemon audit, iptables retained
  • CIS Kubernetes Benchmark (conditional): anonymous-auth, kubelet.conf
  • CIS IG3 Advanced: detection layers, supply chain

CISA Module

Overview

Module Name: CISA Version: 3.9 File: modules/module_cisa.py Check Count: 196 Standards: CISA BODs, Emergency Directives, Security Advisories

Description

Implements Cybersecurity and Infrastructure Security Agency (CISA) guidance for protecting critical infrastructure systems. Focuses on practical security measures to defend against active threats.

CISA Guidance Coverage

Binding Operational Directives (BODs)

  • BOD 18-01: Enhanced Email and Web Security

    • SPF, DMARC, and DKIM implementation
    • Web security headers
    • TLS configuration
  • BOD 19-02: Vulnerability Remediation Requirements

    • Critical vulnerability patching timelines
    • Vulnerability scanning requirements
    • Patch management processes
  • BOD 20-01: Vulnerability Disclosure Policy

    • Security contact availability
    • Vulnerability reporting mechanisms
    • Responsible disclosure practices
  • BOD 22-01: Known Exploited Vulnerabilities (KEV)

    • Remediation of KEV catalog items
    • Tracking actively exploited vulnerabilities
    • Emergency patching procedures
  • BOD 23-01: Asset Visibility and Vulnerability Detection

    • Asset inventory requirements
    • Vulnerability detection capabilities
    • Network segmentation verification

Example Checks:

- Verify vulnerability scanning is configured
- Check for patches to known exploited vulnerabilities
- Ensure security contact information is available
- Verify vulnerability disclosure policy exists
- Check asset inventory is maintained
- Ensure network segmentation is implemented

Emergency Directives

  • Critical vulnerability identification
  • Zero-day threat mitigation
  • Immediate action requirements
  • Emergency patching verification

Example Checks:

- Check for emergency directive compliance
- Verify critical patches applied
- Ensure emergency response procedures exist
- Check for active exploitation indicators

Vulnerability Management

  • Known Exploited Vulnerabilities Catalog
  • Patch management and timelines
  • Vulnerability scanning
  • Configuration management
  • Security baseline enforcement

Example Checks:

- Count unpatched vulnerabilities
- Check patch application timeline compliance
- Verify automated vulnerability scanning
- Ensure security baselines are applied
- Check configuration drift detection

Critical Infrastructure Protection

  • Essential services security
  • Network segmentation
  • Access control hardening
  • Incident response readiness
  • Business continuity planning

Example Checks:

- Verify critical services are isolated
- Check network segmentation implementation
- Ensure least privilege access controls
- Verify incident response procedures exist
- Check backup and recovery capabilities

Security Best Practices

  • Multi-factor authentication (MFA)
  • Least privilege principles
  • Secure configuration baselines
  • Logging and monitoring
  • Backup and recovery

Example Checks:

- Ensure MFA is enabled for privileged accounts
- Verify sudo/wheel group restrictions
- Check secure configuration standards applied
- Ensure logging enabled
- Verify backup procedures are functional
- Check backup encryption and offsite storage

Cloud and Modern Infrastructure

  • Cloud security posture
  • Container security
  • DevSecOps practices
  • API security
  • Identity and access management

Example Checks:

- Check cloud security configuration
- Verify container runtime security
- Ensure DevSecOps pipeline security
- Check API authentication and authorization
- Verify identity federation is secure

Incident Response

  • Detection capabilities
  • Response procedures
  • Recovery planning
  • Communication protocols
  • Forensic readiness

Example Checks:

- Ensure incident detection tools are active
- Verify incident response plan exists
- Check disaster recovery procedures
- Ensure communication channels are established
- Verify forensic logging is enabled

Priority Levels

CISA guidance categorizes findings by priority:

  • Critical: Immediate action required (active exploitation risk)
  • High: Urgent remediation (known vulnerability, not yet exploited)
  • Medium: Important security improvements
  • Low: Best practice recommendations

Example Usage

# Run CISA module only
sudo python3 linux_security_audit.py -m CISA

# Critical infrastructure assessment
sudo python3 linux_security_audit.py -m CISA,NSA,Core

# CISA compliance report
sudo python3 linux_security_audit.py -m CISA -o cisa-compliance-$(date +%Y%m%d).html

Target Audience

  • Federal agencies and departments
  • State, local, tribal, and territorial (SLTT) governments
  • Critical infrastructure operators
  • Defense Industrial Base (DIB) contractors
  • Organizations requiring federal compliance

Extended Coverage

The CISA module provides depth across:

  • CPG v1.0.1 Account Security (2.A-2.H): default passwords, password strength, unique credentials, account lifecycle, privileged separation, network segmentation, failed login detection, phishing-resistant MFA
  • CPG Data Security (2.K-2.N): strong encryption, sensitive data protection, email security, macro defaults
  • CPG Vulnerability Management (2.O-2.S): backups, network topology, HW/SW approval, vulnerability scanning, KEV patching
  • CPG Supply Chain (2.T-2.U): software procurement signing, SBOM tooling
  • CPG Response & Recovery (2.V-2.W): incident reporting, IR plan readiness
  • Zero Trust Maturity Model (ZTMM) v2.0: 5 Pillars (Identity, Devices, Networks, Applications, Data) + cross-cutting (Visibility, Automation, Governance)
  • BOD 22-01: Known Exploited Vulnerabilities patching automation
  • BOD 23-01: Asset visibility tooling
  • Secure by Design: memory-safe languages (Rust/Go), default-secure configs, hardening principles (ASLR + NX)

Additional Coverage

The CISA module additionally covers Secure by Design + KEV + ZTMM + Stop Ransomware:

  • CISA Secure by Design (SbD): 3 principles (customer outcomes, transparency, organizational structure)
  • CISA KEV (Known Exploited Vulnerabilities): auto-patch, scanning
  • CISA ZTMM Pillars 1-5 + Cross-Cutting: identity (MFA), devices (FIM), networks (segmentation), apps/workloads (containers+MAC), data (LUKS), visibility/automation
  • CISA Stop Ransomware: 3-2-1 backup foundation, containment, anti-malware/EDR
  • CISA Shields Up: logging, backup automation

ENISA Module

Overview

Module Name: ENISA Version: 3.9 File: modules/module_enisa.py Check Count: 142 Standards: ENISA Cybersecurity Guidelines, EU Regulations

Description

Implements European Union Agency for Cybersecurity (ENISA) guidelines and recommendations. Provides practical cybersecurity measures aligned with EU standards and GDPR requirements.

ENISA Coverage Areas

1. Baseline Security Measures

  • Essential security controls
  • Risk-based security approach
  • Proportionate security measures
  • Security by design principles

Example Checks:

- Verify baseline security controls implemented
- Check risk assessment procedures exist
- Ensure security measures are proportionate
- Verify secure-by-default configurations

2. Network Security Controls

  • Network segmentation
  • Firewall configuration
  • Intrusion detection/prevention
  • Secure communications
  • VPN and remote access security

Example Checks:

- Ensure firewall is enabled and configured
- Verify network segmentation exists
- Check IDS/IPS deployment
- Ensure encrypted communications (TLS/SSL)
- Verify VPN security configuration

3. System Hardening & Configuration

  • Secure OS configuration
  • Service minimization
  • Patch management
  • Security updates
  • Hardening guidelines implementation

Example Checks:

- Verify unnecessary services are disabled
- Check security patches are current
- Ensure automatic updates configured
- Verify system hardening applied
- Check configuration management

4. Access Control & Identity Management

  • Strong authentication
  • Privileged access management
  • Identity lifecycle management
  • Access reviews
  • Role-based access control (RBAC)

Example Checks:

- Ensure strong password policies
- Verify MFA for privileged accounts
- Check regular access reviews occur
- Ensure RBAC is implemented
- Verify account lifecycle procedures

5. Data Protection & Privacy (GDPR-aligned)

  • Data encryption
  • Data classification
  • Personal data protection
  • Data retention policies
  • Privacy by design

Example Checks:

- Ensure data encryption at rest
- Verify encryption in transit
- Check data classification scheme exists
- Ensure GDPR compliance measures
- Verify data retention policies
- Check personal data handling procedures

6. Logging, Monitoring & Incident Response

  • Logging
  • Security monitoring
  • SIEM integration
  • Incident detection
  • Incident response procedures

Example Checks:

- Ensure logging enabled
- Verify log retention meets requirements
- Check security monitoring active
- Ensure incident response plan exists
- Verify incident reporting procedures

7. Cryptographic Controls

  • Strong cryptography
  • Key management
  • Certificate management
  • Cryptographic standards compliance
  • TLS/SSL configuration

Example Checks:

- Verify strong cryptographic algorithms used
- Check weak ciphers are disabled
- Ensure proper key management
- Verify certificate validation
- Check TLS version and configuration

8. Vulnerability & Patch Management

  • Vulnerability scanning
  • Patch management process
  • Security advisory tracking
  • Vulnerability remediation timelines
  • Configuration management

Example Checks:

- Ensure vulnerability scanning configured
- Verify patch management process exists
- Check security advisories are tracked
- Ensure timely vulnerability remediation
- Verify configuration baselines

9. Secure Development & Operations

  • Secure coding practices
  • Security testing
  • Change management
  • DevSecOps integration
  • Security in SDLC

Example Checks:

- Verify secure development practices
- Check security testing in pipeline
- Ensure change management process
- Verify security in development lifecycle
- Check code review procedures

OS-Specific Adaptations

The ENISA module adapts to both major Linux families:

Debian-based (Ubuntu, Debian, Mint, Kali):

  • APT package management checks
  • AppArmor MAC implementation
  • Debian-specific security configurations
  • Ubuntu security advisories

RedHat-based (RHEL, CentOS, Fedora, Rocky, AlmaLinux):

  • YUM/DNF package management checks
  • SELinux MAC implementation
  • RedHat security advisories
  • Enterprise Linux security configurations

GDPR Alignment

Many ENISA checks align with GDPR requirements:

  • Data protection by design and default
  • Security of processing (Article 32)
  • Personal data breach notification
  • Data protection impact assessments
  • Privacy controls

Example Usage

# Run ENISA module only
sudo python3 linux_security_audit.py -m ENISA

# EU compliance assessment
sudo python3 linux_security_audit.py -m ENISA,ISO27001

# ENISA + GDPR alignment check
sudo python3 linux_security_audit.py -m ENISA -o enisa-gdpr-$(date +%Y%m%d).html

Target Audience

  • European Union organizations
  • EU member state agencies
  • Organizations handling EU citizen data
  • Companies subject to GDPR
  • European critical infrastructure operators

Extended Coverage

The ENISA module covers:

  • NIS2 Directive Article 21.2 - all 10 cybersecurity risk-management measures (a-j): risk analysis, incident handling, business continuity, supply chain security, acquisition security, effectiveness assessment, cyber hygiene, cryptography policies, access control, MFA
  • DORA (Digital Operational Resilience Act) - financial-sector ICT risk Articles 6, 9, 10, 11, 12: ICT risk management framework, identification, protection, detection, response and recovery
  • ENISA Threat Landscape - top threat technical indicators: ransomware, malware, social engineering, data threats, DDoS, disinformation, supply chain attacks
  • EU Cybersecurity Act Article 51 - certification baseline: Basic, Substantial, High assurance levels

Additional Coverage

The ENISA module additionally covers NIS2 + CRA + DORA + Cloud:

  • NIS2 Article 21 (sub-controls): risk analysis, incident handling, business continuity, supply chain, vuln handling, cyber hygiene, cryptography, HR security, MFA
  • EU Cyber Resilience Act Annex I (sub-controls): cybersecurity baseline, no known vulns, security by default, access protection, data integrity, limited processing, minimal attack surface, secure defaults
  • DORA (sub-controls): Art 7 ICT risk mgmt, Art 17 incident reporting
  • Cloud Security (1 sub-control): multi-layer cloud security posture

ISO27001 Module

Overview

Module Name: ISO27001 Version: 3.9 File: modules/module_iso27001.py Check Count: 147 Standards: ISO/IEC 27001:2022, ISO/IEC 27002:2022

Description

Comprehensive assessment of ISO/IEC 27001:2022 Annex A technical controls that can be audited on Linux systems. Focuses on information security management system (ISMS) technical requirements.

ISO 27001:2022 Annex A Coverage

The module implements technical controls from ISO 27001:2022 Annex A:

A.8: Technological Controls

A.8.1 User Endpoint Devices

  • Endpoint security configuration
  • Device management
  • Mobile device security
  • Endpoint protection

Example Checks:

- Ensure endpoint security software installed
- Verify device encryption enabled
- Check endpoint configuration management
- Ensure endpoint monitoring active

A.8.2 Privileged Access Rights

  • Privileged account management
  • Sudo/wheel group restrictions
  • Root access limitations
  • Administrative access logging

Example Checks:

- Ensure privileged access is restricted
- Verify sudo usage is logged
- Check root account restrictions
- Ensure privileged session recording

A.8.3 Information Access Restriction

  • Access control implementation
  • File system permissions
  • Directory access controls
  • Need-to-know enforcement

Example Checks:

- Verify file permissions are restrictive
- Check directory access controls
- Ensure need-to-know principle applied
- Verify access control lists (ACLs)

A.8.4 Access to Source Code

  • Source code repository security
  • Version control access
  • Code review procedures
  • Secure development practices

Example Checks:

- Ensure source code access is controlled
- Verify version control authentication
- Check code repository permissions
- Ensure code review process exists

A.8.5 Secure Authentication

  • Strong authentication requirements
  • Multi-factor authentication
  • Password policies
  • Authentication logging

Example Checks:

- Ensure strong password policy enforced
- Verify MFA for remote access
- Check authentication logging enabled
- Ensure password complexity requirements

A.8.6 Capacity Management

  • Resource monitoring
  • Capacity planning
  • Performance monitoring
  • Resource utilization tracking

Example Checks:

- Ensure resource monitoring configured
- Verify disk space monitoring
- Check capacity alerting configured
- Ensure performance metrics collected

A.8.7 Protection Against Malware

  • Antivirus software
  • Malware detection
  • Signature updates
  • Scanning configuration

Example Checks:

- Ensure antivirus software installed
- Verify malware scanning active
- Check signature update frequency
- Ensure real-time protection enabled

A.8.8 Management of Technical Vulnerabilities

  • Vulnerability scanning
  • Patch management
  • Security advisories
  • Vulnerability remediation

Example Checks:

- Ensure vulnerability scanning configured
- Verify patch management process
- Check security advisory tracking
- Ensure timely vulnerability remediation

A.8.9 Configuration Management

  • Secure baseline configurations
  • Configuration change control
  • Configuration documentation
  • Configuration auditing

Example Checks:

- Ensure configuration baselines exist
- Verify configuration management process
- Check configuration change tracking
- Ensure configuration auditing enabled

A.8.10-A.8.13 Data Protection and Backup

  • Data encryption
  • Backup procedures
  • Backup encryption
  • Backup testing
  • Data deletion procedures

Example Checks:

- Ensure data encryption at rest
- Verify regular backups configured
- Check backup encryption enabled
- Ensure backup testing occurs
- Verify secure data deletion procedures

A.8.14-A.8.17 System Reliability and Monitoring

  • Redundancy implementation
  • System monitoring
  • Availability controls
  • Clock synchronization

Example Checks:

- Ensure critical services redundant
- Verify system monitoring active
- Check availability controls implemented
- Ensure time synchronization configured

A.8.18-A.8.24 Network and Cryptographic Security

  • Network controls
  • Network segmentation
  • Firewall configuration
  • Cryptographic controls
  • Key management

Example Checks:

- Ensure network segmentation implemented
- Verify firewall properly configured
- Check strong cryptography used
- Ensure proper key management
- Verify TLS/SSL configuration

A.8.25-A.8.34 Secure Development (where applicable)

  • Secure coding practices
  • Security in SDLC
  • Security testing
  • Change management

Example Checks:

- Verify secure development practices
- Check security testing in pipeline
- Ensure proper change management
- Verify code review procedures

Complementary Standards

The ISO27001 module also references:

  • ISO/IEC 27002:2022: Code of practice for information security controls
  • NIST SP 800-53: Complementary technical guidance
  • CIS Controls: Implementation alignment

Example Usage

# Run ISO27001 module only
sudo python3 linux_security_audit.py -m ISO27001

# ISMS technical assessment
sudo python3 linux_security_audit.py -m ISO27001,NIST

# ISO27001 compliance report
sudo python3 linux_security_audit.py -m ISO27001 -o iso27001-compliance-$(date +%Y%m%d).html

Target Audience

  • Organizations seeking ISO 27001 certification
  • Information security management system (ISMS) implementations
  • Compliance and audit requirements
  • Enterprise security programs
  • Financial services, healthcare, and regulated industries

Extended Coverage

The ISO27001 module provides depth across:

  • ISO 27001:2022 Annex A.8.27-A.8.34: secure system architecture, secure coding (SAST tooling), security testing in dev/acceptance, environment separation, change management, audit protection (immutable audit logs)
  • ISO/IEC 27017:2015 cloud-specific: CLD.6.3.1 (shared roles - cloud agent detection), CLD.8.1.5 (asset removal - secure deletion tools), CLD.9.5.1 (virtual segregation - container runtime), CLD.12.1.5 (administrator security), CLD.12.4.5 (cloud monitoring), CLD.13.1.4 (network management)
  • ISO/IEC 27018:2019 PII processor: A.4.1 (geographic location), A.10.1 (breach detection), A.11.2 (restoration of personal data)
  • ISO/IEC 27701:2019 Privacy Information Management System (PIMS): 7.4 (privacy by design and default), 7.5 (pseudonymization libraries), 8.4 (erasure capability)

Additional Coverage

The ISO27001 module additionally covers depth across ISO/IEC 27001:2022 Annex A controls including new 2022 controls:

  • Organizational (A.5): A.5.7 threat intelligence, A.5.23 cloud services, A.5.30 ICT readiness for business continuity
  • Technological (A.8): A.8.7 anti-malware, A.8.8 vulnerability mgmt, A.8.10 information deletion, A.8.11 data masking, A.8.12 DLP, A.8.16 monitoring, A.8.20/A.8.22 network segregation, A.8.25/A.8.28 secure development, A.8.31 environment separation, A.8.32 change management

NIST Module

Overview

Module Name: NIST Version: 3.9 File: modules/module_nist.py Check Count: 234 Standards: NIST 800-53 Rev 5, NIST CSF 2.0, NIST 800-171 Rev 2

Description

Comprehensive audit of National Institute of Standards and Technology (NIST) security controls and frameworks. Implements controls from multiple NIST publications with focus on technical implementation.

NIST Framework Coverage

NIST 800-53 Rev 5 Control Families

Access Control (AC)

  • Account management
  • Access enforcement
  • Least privilege
  • Remote access controls
  • Session management

Example Checks:

- Ensure account management procedures exist
- Verify least privilege implementation
- Check remote access restrictions
- Ensure session timeouts configured
- Verify access control enforcement

Audit and Accountability (AU)

  • Audit logging
  • Audit review and analysis
  • Audit record retention
  • Response to audit processing failures
  • Time stamps

Example Checks:

- Ensure comprehensive audit logging
- Verify audit log review process
- Check audit retention policy
- Ensure audit failure response configured
- Verify time synchronization for logs

Configuration Management (CM)

  • Baseline configurations
  • Configuration change control
  • Security configuration settings
  • Software inventory
  • System component inventory

Example Checks:

- Ensure configuration baselines documented
- Verify change control process exists
- Check secure configuration applied
- Ensure software inventory maintained
- Verify system component tracking

Identification and Authentication (IA)

  • User identification
  • Device identification
  • Authenticator management
  • Credential management
  • Multi-factor authentication

Example Checks:

- Ensure unique user identification
- Verify device authentication
- Check authenticator security
- Ensure MFA for privileged access
- Verify credential lifecycle management

Incident Response (IR)

  • Incident handling
  • Incident monitoring
  • Incident reporting
  • Incident response testing
  • Information spillage response

Example Checks:

- Ensure incident response plan exists
- Verify incident monitoring capability
- Check incident reporting procedures
- Ensure incident response testing
- Verify information spillage procedures

System and Communications Protection (SC)

  • Application partitioning
  • Communications protection
  • Cryptographic protection
  • Network security
  • Secure communications

Example Checks:

- Ensure application isolation
- Verify encrypted communications
- Check cryptographic implementation
- Ensure network segmentation
- Verify secure protocol usage

System and Information Integrity (SI)

  • Flaw remediation
  • Malicious code protection
  • Information system monitoring
  • Security alerts and advisories
  • Software integrity

Example Checks:

- Ensure timely flaw remediation
- Verify malware protection active
- Check system monitoring enabled
- Ensure security alert subscriptions
- Verify software integrity checks

Additional Control Families:

  • Contingency Planning (CP)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)

NIST Cybersecurity Framework 2.0 (CSF)

Govern (GV) - Organizational cybersecurity governance

  • Policies and procedures
  • Risk management strategy
  • Roles and responsibilities
  • Oversight and accountability

Example Checks:

- Ensure security policies documented
- Verify risk management process
- Check defined security roles
- Ensure governance oversight

Identify (ID) - Asset management and risk assessment

  • Asset management
  • Business environment understanding
  • Governance context
  • Risk assessment
  • Risk management strategy

Example Checks:

- Ensure asset inventory maintained
- Verify asset classification
- Check business impact analysis
- Ensure risk assessment process
- Verify risk treatment plans

Protect (PR) - Access control, data security, platform security

  • Identity management and access control
  • Awareness and training
  • Data security
  • Information protection
  • Protective technology

Example Checks:

- Ensure access control implementation
- Verify security awareness training
- Check data protection measures
- Ensure information protection
- Verify protective technologies deployed

Detect (DE) - Continuous monitoring and adverse event detection

  • Anomalies and events detection
  • Security continuous monitoring
  • Detection processes

Example Checks:

- Ensure anomaly detection configured
- Verify continuous monitoring active
- Check detection process effectiveness
- Ensure security event correlation

Respond (RS) - Incident response, communications, mitigation

  • Response planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Example Checks:

- Ensure response plan exists
- Verify communication procedures
- Check incident analysis capability
- Ensure mitigation strategies
- Verify lessons learned process

Recover (RC) - Recovery planning and improvements

  • Recovery planning
  • Improvements
  • Communications

Example Checks:

- Ensure recovery plan exists
- Verify recovery testing
- Check recovery improvement process
- Ensure recovery communications

NIST 800-171 Rev 2

Protection of Controlled Unclassified Information (CUI):

  • 14 requirement families
  • 110 security requirements
  • Focus on protecting federal information
  • Mandatory for defense contractors

Example Checks:

- Ensure access control requirements met
- Verify audit and accountability
- Check configuration management
- Ensure identification and authentication
- Verify incident response capability
- Ensure maintenance procedures
- Check media protection
- Verify personnel security
- Ensure physical protection measures
- Check risk assessment process
- Verify security assessment procedures
- Ensure system integrity
- Check communications protection

OS-Specific Adaptations

The NIST module adapts controls based on detected OS, ensuring practical implementation across distributions.

Example Usage

# Run NIST module only
sudo python3 linux_security_audit.py -m NIST

# Federal compliance assessment
sudo python3 linux_security_audit.py -m NIST,STIG

# NIST CSF assessment
sudo python3 linux_security_audit.py -m NIST -o nist-csf-$(date +%Y%m%d).html

Target Audience

  • Federal agencies and contractors
  • Defense Industrial Base (DIB)
  • Organizations handling CUI
  • FedRAMP compliance requirements
  • General enterprise security programs

Extended Coverage

The NIST module provides depth across:

  • NIST SP 800-207 Zero Trust Architecture (ZTA) - all 7 tenets: resource enumeration, encrypted communication (TLS 1.2+ with SECLEVEL), per-session access, dynamic policy enforcement, integrity monitoring, dynamic auth (MFA), continuous monitoring layers (auditd, rsyslog, journald)
  • NIST SP 800-161 Supply Chain Risk Management: SR-3 (supply chain controls - package signing), SR-4 (provenance/SBOM tools), SR-9 (tamper resistance - FIM), SR-11 (component authenticity - package logs)
  • NIST CSF 2.0 Govern function: GV.OC (organizational context - auditd baseline), GV.RM (risk management scanners), GV.SC (supply chain signature verification), GV.PO (policy enforcement - PAM modules)
  • NIST 800-53 R5 PE family: PE-3 (USB / physical access - USBGuard, usb-storage blacklist), PE-6 (mount/removable-media audit)
  • NIST 800-53 R5 PM family: PM-5 (system inventory - package managers), PM-12 (insider threat - comprehensive auditd ruleset)
  • NIST SP 800-171 Rev 3 advanced: 3.13.8 (PFS KexAlgorithms), 3.13.11 (FIPS-validated crypto), 3.14.1 (flaw remediation automation), 3.14.6 (firewall ingress/egress), 3.14.7 (auditd unauthorized-use detection)
  • NIST AU extended: AU-3(1) audit rules with arch context, AU-7 audit reduction tools, AU-9(2) remote audit storage, AU-12 audit record coverage
  • NIST CM extended: CM-2(2) CM automation (Ansible/Puppet/Salt/Chef), CM-5 access restrictions for change (sudoers perms), CM-7(2) execution prevention (allowlisting/MAC)

Additional Coverage

The NIST module additionally covers depth across underrepresented control families:

  • CA Assessment, Authorization, Continuous Monitoring (4 sub-controls): CA-7 monitoring tools, CA-2 assessment tools, CA-5 POA&M, CA-9 internal connections
  • CP Contingency Planning (5 sub-controls): CP-9 backup tools, encrypted backup, scheduled backup automation, CP-10 recovery tools, CP-10(4) snapshot capability
  • MA Maintenance (3 sub-controls): MA-2 audit trail, MA-3 tool inventory, MA-4 nonlocal maintenance hardening
  • MP Media Protection (3 sub-controls): MP-2 USB authorization, MP-6 sanitization tooling, MP-7 mount option restrictions
  • RA Risk Assessment (3 sub-controls): RA-5 vuln tools, scheduled scans, RA-10 threat-hunting tooling (osquery/Falco/Sysmon)
  • SA System Acquisition (3 sub-controls): SA-3 SDLC tools, SA-11 developer security testing (SAST), SA-15/SA-22 supply chain security
  • PT PII Processing (1 sub-control): PT-3 PII protection layers
  • CSF 2.0 DETECT/RESPOND/RECOVER (5 subcategories): DE.CM-1, DE.CM-3, RS.RP-1, RS.CO-2, RC.RP-1
  • SSDF 800-218 (4 practices): PO trusted build, PS.1 provenance, PW.7/PW.8 review tools, RV.1 vulnerability identification

NSA Module

Overview

Module Name: NSA Version: 3.9 File: modules/module_nsa.py Check Count: 193 Standards: NSA Cybersecurity Guidance, SELinux

Description

Implements National Security Agency (NSA) cybersecurity guidance and advanced security hardening measures. Focuses on defense-grade security controls and technologies developed by NSA.

NSA Guidance Coverage

1. SELinux/Mandatory Access Control (MAC)

  • SELinux status and configuration
  • Policy enforcement
  • Context management
  • Boolean settings
  • AVC denial analysis

Example Checks:

- Ensure SELinux is installed
- Verify SELinux is enabled
- Check SELinux mode (enforcing)
- Ensure SELinux policy is targeted or strict
- Verify SELinux booleans configured securely
- Check for SELinux AVC denials
- Ensure SELinux context on critical files

2. Network Security Hardening

  • Network stack hardening
  • Protocol security
  • Firewall configuration
  • Network isolation
  • Secure remote access

Example Checks:

- Ensure IP forwarding disabled
- Verify ICMP redirects disabled
- Check SYN cookies enabled
- Ensure source routing disabled
- Verify reverse path filtering enabled
- Check TCP timestamps disabled
- Ensure IPv6 configured securely

3. Kernel Security Configuration

  • Kernel parameters hardening
  • Kernel module controls
  • Memory protection
  • Process isolation
  • Kernel lockdown

Example Checks:

- Ensure kernel address space randomization
- Verify kernel pointer restrictions
- Check core dump restrictions
- Ensure kernel module loading restricted
- Verify kernel lockdown mode
- Check kptr_restrict configured
- Ensure dmesg restriction

4. System Hardening & Configuration

  • Secure boot configuration
  • System service hardening
  • File system security
  • Mount point hardening
  • Bootloader security

Example Checks:

- Ensure secure boot enabled
- Verify bootloader password set
- Check unnecessary services disabled
- Ensure mount options secure (nodev, nosuid, noexec)
- Verify /tmp mounted securely
- Check /var/log partition exists

5. Cryptographic Standards & Implementation

  • FIPS 140-2/140-3 compliance
  • Strong cryptographic algorithms
  • TLS/SSL configuration
  • SSH cryptographic settings
  • Certificate validation

Example Checks:

- Ensure FIPS mode enabled (if applicable)
- Verify strong crypto algorithms used
- Check weak ciphers disabled
- Ensure TLS 1.2+ required
- Verify SSH strong key exchange
- Check certificate validation enabled

6. Service & Application Security

  • Service isolation
  • Application sandboxing
  • Container security
  • Service hardening
  • Application whitelisting

Example Checks:

- Ensure services run with minimal privileges
- Verify service isolation (systemd sandboxing)
- Check application sandboxing (AppArmor/SELinux)
- Ensure container runtime secured
- Verify application firewall active

Key NSA Publications Covered

  • Security-Enhanced Linux (SELinux): NSA's mandatory access control system
  • Linux Hardening Guidance: System hardening recommendations
  • Cybersecurity Technical Reports: Threat-specific guidance
  • System and Communications Protection Profile (SCPP): Defense-grade security
  • Commercial Solutions for Classified (CSfC): Classified information protection

Defense-in-Depth Strategies

The NSA module implements layered security controls:

  1. Perimeter Security: Firewall, network hardening
  2. Host Security: System hardening, MAC enforcement
  3. Application Security: Service isolation, sandboxing
  4. Data Security: Encryption, access controls
  5. Monitoring: Logging, auditing, intrusion detection

Example Usage

# Run NSA module only
sudo python3 linux_security_audit.py -m NSA

# Maximum security assessment
sudo python3 linux_security_audit.py -m NSA,STIG

# Defense-grade hardening check
sudo python3 linux_security_audit.py -m NSA -o nsa-hardening-$(date +%Y%m%d).html

Target Audience

  • Defense and intelligence agencies
  • National security systems
  • Classified information systems
  • High-security environments
  • Critical infrastructure (defense sector)
  • Defense contractors requiring NSA compliance

Extended Coverage

The NSA module provides depth across:

  • SELinux boolean enforcement (~20 booleans): should-be-off booleans (allow_execheap, allow_execmem, allow_execmod, allow_execstack, ftpd_, httpd_, ssh_chroot_rw_homedirs, secure_mode_insmod, etc.) and should-be-on booleans (deny_execmem, deny_ptrace, fips_mode). Conditional on SELinux enforcing mode.
  • FIPS 140-3 depth: kernel /proc/sys/crypto/fips_enabled, OpenSSL FIPS provider, system-wide crypto-policies set to FIPS, kernel keyring tools (keyutils)
  • Kernel hardening: lockdown mode (integrity/confidentiality), Integrity Measurement Architecture (IMA), module signing enforcement (sig_enforce), full ASLR (randomize_va_space=2), Yama ptrace_scope, KASLR not disabled, CPU vulnerability mitigations (Meltdown, Spectre v1/v2, MDS, L1TF)
  • Network protocol restrictions: IPv6 status, dccp/sctp/rds/tipc blacklisted, ICMP redirects disabled (accept and send), source routing disabled, log_martians enabled
  • NSA Cybersecurity Advisories (CSAs): Web Shell defense (WAF presence), Host firewall, Privileged Access (SSH root restriction), Living-off-the-Land detection (auditd execve), Auth Logging
  • Commercial Solutions for Classified (CSfC): defense-in-depth (MAC + FIPS layers), audit requirements

Additional Coverage

The NSA module additionally covers modern NSA guidance areas:

  • CNSA 2.0 Quantum-Resistant Cryptography Readiness (sub-controls): OpenSSL 3.x, SSH AES-256, SSH SHA-384/512 MACs, asymmetric host key strength
  • NSA Kubernetes Hardening Guide V1.2 (conditional): anonymous-auth disabled, readOnlyPort disabled, audit rules
  • NSA Encrypted DNS Implementation: DoT/DNSSEC posture, resolv.conf
  • NSA VPN Configuration Guidance (1-2): VPN tooling, IKEv2 IPsec
  • NSA Memory Safety: ASLR full, KASLR, glibc hardening, sanitizers
  • NSA eBPF Security: unprivileged BPF, JIT hardening, eBPF LSM
  • NSA Software Supply Chain: SBOM, signing, package verification
  • NSA Secure/Measured Boot: UEFI Secure Boot, TPM 2.0
  • NSA Active Monitoring: SIEM forwarders, continuous monitoring

STIG Module

Overview

Module Name: STIG Version: 3.9 File: modules/module_stig.py Check Count: 205 Standards: DISA STIGs, DoD 8500 series

Description

Comprehensive implementation of Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). Provides detailed compliance checks for Department of Defense (DoD) security requirements.

DISA STIG Coverage

Access Control (AC)

  • Account management
  • Access enforcement
  • Separation of duties
  • Least privilege
  • Session controls

Example Checks:

- Ensure account management documented
- Verify access control implementation
- Check separation of duties enforced
- Ensure least privilege applied
- Verify session timeout configured
- Check concurrent session limits

Audit and Accountability (AU)

  • Audit generation
  • Audit record content
  • Audit storage capacity
  • Response to audit failures
  • Audit reduction and reporting

Example Checks:

- Ensure audit system enabled (auditd)
- Verify audit records contain required content
- Check audit storage capacity configured
- Ensure response to audit failures
- Verify audit log protection
- Check audit review process exists

Identification and Authentication (IA)

  • User identification
  • Device identification
  • Authenticator management
  • Multi-factor authentication
  • Password requirements

Example Checks:

- Ensure unique user identification
- Verify password complexity requirements
- Check password reuse restrictions
- Ensure MFA for privileged access
- Verify account lockout policy
- Check credential lifetime limits

System and Information Integrity (SI)

  • Flaw remediation
  • Malicious code protection
  • System monitoring
  • Security alerts
  • Software integrity verification

Example Checks:

- Ensure timely flaw remediation
- Verify antivirus software installed and active
- Check system monitoring enabled
- Ensure security alert subscriptions
- Verify file integrity monitoring (AIDE)
- Check software signature verification

Configuration Management (CM)

  • Baseline configuration
  • Configuration change control
  • Security configuration settings
  • Least functionality
  • User-installed software

Example Checks:

- Ensure baseline configuration documented
- Verify configuration change control
- Check security settings enforced
- Ensure unnecessary services disabled
- Verify user software installation restricted

System and Communications Protection (SC)

  • Application partitioning
  • Information flow enforcement
  • Network security
  • Cryptographic protection
  • Session termination

Example Checks:

- Ensure application isolation
- Verify network segmentation
- Check firewall configuration
- Ensure encrypted communications
- Verify automatic session termination

STIG Severity Categories

CAT I (High/Critical):

  • Vulnerabilities that allow attacker to compromise confidentiality, integrity, or availability
  • Immediate remediation required
  • Highest priority

Example CAT I Findings:

- Root login via SSH enabled
- No account lockout policy
- Passwords stored in clear text
- Critical patches missing
- Default passwords in use

CAT II (Medium):

  • Vulnerabilities that could result in compromise of confidentiality, integrity, or availability
  • Remediation required within 30 days

Example CAT II Findings:

- Weak password policy
- Insufficient audit logging
- Unnecessary services running
- Missing security updates
- Weak encryption algorithms

CAT III (Low):

  • Vulnerabilities that degrade security measures
  • Remediation required within 90 days

Example CAT III Findings:

- Security banner not configured
- Incomplete documentation
- Informational system messages
- Minor configuration deviations

Key STIG Publications Covered

  • Red Hat Enterprise Linux (RHEL) STIG: RHEL-specific requirements
  • Ubuntu Linux STIG: Ubuntu-specific requirements
  • General Purpose Operating System STIG: Common Linux requirements
  • Application Security and Development STIG: Application-level security
  • DISA Security Requirements Guide (SRG): Overarching security requirements

STIG Finding Classification

Open: Non-compliant with STIG requirement (requires remediation) Not a Finding: Compliant with STIG requirement Not Applicable: STIG requirement does not apply to this system Not Reviewed: STIG requirement not yet checked

Example Usage

# Run STIG module only
sudo python3 linux_security_audit.py -m STIG

# DoD compliance assessment
sudo python3 linux_security_audit.py -m STIG,NSA

# STIG compliance report
sudo python3 linux_security_audit.py -m STIG -o stig-compliance-$(date +%Y%m%d).html

Target Audience

  • Department of Defense (DoD) systems
  • Defense contractors
  • Federal agencies requiring STIG compliance
  • Systems processing classified information
  • National security systems
  • Defense Industrial Base (DIB)

Extended Coverage

The STIG module provides depth across:

  • RHEL 9 STIG additional V-numbers: V-258003 (PrintLastLog), V-258006 (GSSAPIAuthentication), V-258007 (KerberosAuthentication), V-258028/9 (gpgcheck, localpkg_gpgcheck), V-258034/5 (dmesg_restrict, kptr_restrict), V-258049/50 (protected_hardlinks/symlinks), V-258054 (ICMP echo broadcasts)
  • Ubuntu 22.04 STIG additional V-numbers: V-260469 (wireless adapters), V-260473 (APT GPG keyring), V-260491 (unattended-upgrades), V-260507 (AppArmor), V-260511 (suid_dumpable)
  • General Purpose Operating System SRG (GPOS): SRG-OS-000023 (banner), SRG-OS-000033 (FIPS), SRG-OS-000037 (auid filtering), SRG-OS-000062 (privileged audit), SRG-OS-000080 (GRUB password), SRG-OS-000363 (FIM), SRG-OS-000437 (systemd), SRG-OS-000470 (failed logon audit)
  • Container Platform SRG: SRG-APP-000033-CTR (non-root UID), SRG-APP-000516-CTR (Docker daemon hardening), Kubernetes STIG indicators (kubelet detection)
  • Additional V-numbers: V-230373 (inactive account lock <= 35 days), V-230376 (no empty passwords), V-230380 (LUKS disk encryption), V-230388 (UID 0 uniqueness)

Additional Coverage

The STIG module additionally covers DISA SRG coverage areas including:

  • SRG-APP-SRC Application Security: SAST tools, cryptographic key management, application directory audit
  • SRG-APP-WEB Web Server (conditional on nginx/Apache): server token hiding, TLS strict, HSTS header
  • SRG-APP-DB Database (conditional on PostgreSQL/MySQL): pg_hba.conf trust auth absent, MySQL bind-address restrictive, MySQL TLS
  • SRG-APP-CTR Container (conditional on docker/podman): Docker audit rules, rootless capability, image scanning
  • SRG-NET Network Device: default-deny, anti-spoofing (rp_filter), source-route blocking
  • Additional V-numbers: V-258134 SSH KexAlgorithms, V-258153 audit.log mode, V-258109 banners, V-260567 (Ubuntu) apt HTTPS

ACSC Module

Overview

File: modules/module_acsc.py Version: 3.9 Total Checks: 69 Focus: Australian Cyber Security Centre Essential 8 + Information Security Manual (ISM) Severity Distribution: Critical, High, Medium, Low, Informational

Description

The ACSC module audits Linux systems against Australian Cyber Security Centre guidance, focusing on the Essential Eight (E8) Maturity Model levels 1-3 and the Information Security Manual (ISM) controls for Australian Government and critical infrastructure systems.

Key Features

  • Essential Eight Maturity Levels 1-3 coverage
  • Application control / allowlisting indicators (E8.1)
  • Patch applications (E8.2)
  • Configure Microsoft Office macro settings (E8.3 - host-side OS indicators)
  • User application hardening (E8.4)
  • Restrict administrative privileges (E8.5)
  • Patch operating systems (E8.6)
  • Multi-factor authentication (E8.7)
  • Regular backups (E8.8)
  • ISM technical controls subset

Check Categories

E8.1 - Application Control:

  • AppArmor / SELinux / fapolicyd enforcing modes
  • Kernel module signing enforcement

E8.2 - Patch Applications / E8.3 - Patch OS:

  • unattended-upgrades / dnf-automatic / yum-cron presence and active state
  • Package manager auto-update timer status

E8.5 - User Application Hardening:

  • LibreOffice macro settings detection
  • Browser hardening indicators

E8.6 - Restrict Admin Privileges:

  • sudo configuration audit
  • SSH PermitRootLogin
  • PAM faillock / pam_wheel su restriction

E8.7 - Multi-Factor Authentication:

  • pam_google_authenticator, pam_yubico, pam_oath, pam_duo, pam_u2f detection

E8.8 - Regular Backups:

  • rsync / borg / restic / duplicity binaries
  • Scheduled backup cron jobs

Example Usage

# Run ACSC module standalone
sudo python3 modules/module_acsc.py

# Run as part of an audit
sudo python3 linux_security_audit.py --modules acsc

Target Audience

  • Australian Government agencies
  • Australian critical infrastructure operators
  • Organizations subject to ACSC ISM requirements
  • Defense contractors operating in Australia
  • E8 Maturity Level 1-3 environments

Additional Coverage

The ACSC module additionally covers Essential Eight ML3 maturity depth and ISM advanced topics:

  • Essential Eight ML3 (sub-controls): cryptographic application verification (signature + fapolicyd/AppArmor), admin restriction (NOPASSWD audit, timestamp_timeout), phishing-resistant MFA (FIDO/U2F/FIDO2 detection), automated patching, browser policies
  • ISM cryptographic algorithm conformance (AACA) (sub-controls): SSH KexAlgorithms, Ciphers, MACs strict allowlist; FIPS 140-3 mode
  • ISM network segmentation (sub-controls): interface inventory, reverse-path filtering, ICMP redirect rejection, IPv6 audit
  • ISM logging centralization (sub-controls): rsyslog/syslog-ng/ journal-upload remote forwarding, audit retention capacity, fail-safe actions
  • ISM account separation (sub-controls): UID 0 uniqueness, admin group membership audit, SUID/SGID inventory
  • ISM email hardening (sub-controls): Postfix outbound + inbound TLS
  • ISM incident response readiness (sub-controls): forensic tool availability, journald persistent forensic readiness, packet capture

CMMC Module

Overview

File: modules/module_cmmc.py Version: 3.9 Total Checks: 94 Focus: DoD Cybersecurity Maturity Model Certification (CMMC) 2.0 + DFARS Severity Distribution: Critical, High, Medium, Low

Description

The CMMC module evaluates Linux systems against the DoD Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, including all three levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Coverage includes NIST SP 800-171 Rev 2 (CMMC L2) and NIST SP 800-172 (CMMC L3 enhancements), plus DFARS 252.204-7012, 7019, and 7020 requirements.

Key Features

  • CMMC 2.0 Level 1: 17 basic safeguarding requirements (FAR 52.204-21)
  • CMMC 2.0 Level 2: 110 NIST SP 800-171 Rev 2 practices
  • CMMC 2.0 Level 3: NIST SP 800-172 Enhanced Security Requirements
  • DFARS 252.204-7012 (CUI safeguarding), 7019, 7020 indicators
  • Enhanced practices: penetration testing capability, threat hunting, advanced persistent threat (APT) detection

Check Categories

Level 1 - Basic Safeguarding (17 practices):

  • AC.1.001-AC.1.004 (Access Control)
  • IA.1.076-IA.1.077 (Identification & Authentication)
  • MP.1.118 (Media Protection)
  • PE.1.131-PE.1.134 (Physical Protection)
  • SC.1.175-SC.1.176 (System & Communications Protection)
  • SI.1.210-SI.1.213 (System & Information Integrity)

Level 2 - Advanced (110 practices):

  • All NIST SP 800-171 Rev 2 controls
  • 14 control families: AC, AT, AU, CA, CM, IA, IR, MA, MP, PE, PS, RA, SC, SI

Level 3 - Expert (NIST 800-172 enhanced):

  • Penetration resistance and testing
  • Damage limitation
  • Cyber resiliency
  • Threat hunting capability indicators

DFARS Compliance:

  • 252.204-7012 - CUI safeguarding indicators
  • 252.204-7019 - SPRS (Supplier Performance Risk System)
  • 252.204-7020 - NIST SP 800-171 DoD Assessment

Example Usage

# Run CMMC module standalone
sudo python3 modules/module_cmmc.py

# Run as part of an audit with comprehensive context
sudo python3 linux_security_audit.py --modules cmmc,nist,stig

Target Audience

  • Defense Industrial Base (DIB) contractors
  • DoD prime and subcontractors handling Controlled Unclassified Information (CUI)
  • Federal Acquisition Regulation (FAR) compliance scope
  • Organizations preparing for CMMC certification (L1, L2, L3)

Additional Coverage

The CMMC module additionally covers NIST SP 800-171 Rev 3 and Level 3 (NIST SP 800-172) depth:

  • NIST SP 800-171 Rev 3 (May 2024) updates: 03.05.07 password length, 03.13.11 FIPS 140-3 keys, 03.14.01 flaw remediation, 03.13.08 transit crypto
  • Level 3 (NIST SP 800-172) enhancements: 3.1.3e concurrent sessions, 3.4.1e architecture diversity, 3.13.4e DLP, 3.14.6e SIEM, 3.6.1e SOC
  • CUI handling: 03.13.16 cryptographic protection at rest, 03.08.03 media sanitization, 03.08.04 marking capability (MAC)
  • Assessment readiness: evidence tooling, SPRS scoring evidence
  • DFARS additional: 252.204-7012 ICTRS, 252.204-7020 continuous assessment
  • ESP/CSP readiness: FedRAMP Moderate crypto baseline

DistBaseline Module

Overview

File: modules/module_distbaseline.py Version: 3.9 Total Checks: 90 (distro-conditional) Focus: Distribution-specific hardening baselines and best practices Severity Distribution: Critical, High, Medium, Low, Informational

Description

The DistBaseline module performs distribution-aware hardening checks tailored to the specific Linux distribution family detected on the host. It covers Debian/Ubuntu, RHEL/Fedora/Rocky/Alma, SUSE/openSUSE, and Arch families with checks specific to each distribution's recommended hardening practices.

Key Features

  • Automatic OS family detection via /etc/os-release
  • Per-distro hardening checks (only relevant checks fire)
  • Mount option enforcement (nodev, nosuid, noexec on appropriate paths)
  • systemd unit hardening (ProtectSystem, ProtectHome, PrivateTmp, NoNewPrivileges)
  • Boot security (UEFI Secure Boot, GRUB password)
  • Crypto policies (system-wide policy alignment)
  • Kernel features (lockdown, IMA, sig_enforce)
  • Time synchronization with NTS authentication
  • Account security (login.defs depth, pam stack depth)
  • Audit dispatcher (audisp-remote configuration)
  • Per-distro extended checks

Check Categories

Mount Options:

  • /tmp, /var, /var/tmp, /var/log, /home, /dev/shm with nodev, nosuid, noexec
  • /boot mount options
  • Read-only root filesystem indicators

systemd Unit Hardening (per-service):

  • ProtectSystem (full or strict)
  • ProtectHome (yes, read-only, tmpfs)
  • PrivateTmp (yes)
  • NoNewPrivileges (yes)
  • RestrictRealtime (yes)
  • MemoryDenyWriteExecute (yes)
  • RestrictSUIDSGID (yes)
  • LockPersonality (yes)

Boot Security:

  • UEFI Secure Boot status (mokutil --sb-state)
  • GRUB password protection (password_pbkdf2)
  • Initrd integrity

Crypto Policies:

  • /etc/crypto-policies/config (RHEL family)
  • update-crypto-policies state
  • OpenSSL system_default_sect minimum protocol

Kernel Features:

  • Kernel lockdown mode
  • IMA (Integrity Measurement Architecture)
  • Module signature enforcement
  • Yama ptrace_scope
  • Kernel ASLR / KASLR

Per-Distro Extended:

  • Debian/Ubuntu: unattended-upgrades, ufw, AppArmor profiles count
  • RHEL family: SELinux booleans, dnf-automatic, firewalld zones
  • SUSE: zypper repos, snapper, AppArmor
  • Arch: pacman keyring, SigLevel, reflector

Example Usage

# Run distribution baseline
sudo python3 modules/module_distbaseline.py

# Run as part of an audit
sudo python3 linux_security_audit.py --modules distbaseline,core,cis

Target Audience

  • Multi-distribution Linux environments
  • DevOps engineers managing heterogeneous fleets
  • Configuration management baseline development
  • Distribution-specific compliance verification

Additional Coverage

The DistBaseline module additionally covers advanced distribution-specific and cross-distribution coverage (firing conditionally by distribution and installed features):

  • Ubuntu Pro features (Ubuntu only): pro/ua client, subscription attachment, Livepatch (kernel hot-patching), ESM Infra/Apps (10-year extended security), USG (Ubuntu Security Guide hardening), realtime kernel
  • RHEL Insights / subscription-manager (RHEL family only): subscription-manager presence and attachment, insights-client (proactive vulnerability advisor), RHUI cloud detection
  • Snap / Flatpak confinement: snap inventory, sensitive interface grants (home, system-files, raw-usb, removable-media, block-devices), flatpak inventory, host-filesystem override detection
  • journald discipline: persistent storage, compression, SystemMaxUse retention limit, ForwardToSyslog for centralized logging, Forward Secure Sealing (FSS) for tamper detection
  • Disk integrity: fstrim.timer for SSDs, btrfs/ZFS scrub timers, swap encryption (LUKS or /dev/mapper)
  • System integrity markers: machine-id consistency, /etc/cron.allow allowlist preference, /etc/at.allow allowlist, cron file permissions
  • Advanced firewall depth: nftables tables/chains/rules count, default-drop policy, firewalld zone audit (drop/block preferred)
  • kdump and panic_on_oops: kdump.service status, kernel.panic_on_oops, kernel.panic timeout
  • LSM advanced: active LSM list from /sys/kernel/security/lsm, eBPF LSM, IMA appraisal mode (ima_appraise= cmdline), file capabilities audit (setcap binaries inventory)

EDR Module

Overview

File: modules/module_edr.py Version: 3.9 Total Checks: 87 Focus: Endpoint Detection & Response indicators and MITRE ATT&CK technique coverage Severity Distribution: Critical, High, Medium, Low

Description

The EDR module evaluates the host's Endpoint Detection and Response posture, including detection of EDR products and indicators of detection capability for common MITRE ATT&CK techniques. It assesses persistence detection, process injection visibility, network behavior monitoring, container runtime visibility, anti-forensics resilience, and process accounting.

Key Features

  • EDR product presence detection (Microsoft Defender, CrowdStrike, SentinelOne, Falco, Wazuh, osquery)
  • MITRE ATT&CK technique coverage (T1543, T1547, T1053, T1546, T1070, T1562)
  • auditd ruleset depth assessment for ATT&CK detection
  • eBPF and LSM (Linux Security Module) capability detection
  • Persistence detection indicators
  • Process accounting (BSD process accounting, psacct)
  • Anti-forensics resilience (immutable audit logs, tamper detection)

Check Categories

EDR Product Detection:

  • Microsoft Defender for Endpoint (mdatp)
  • CrowdStrike Falcon (falconctl)
  • SentinelOne (sentinelctl)
  • Falco runtime security
  • Wazuh agent
  • osquery / Fleet

MITRE ATT&CK Technique Coverage:

  • T1543 - Persistence: Create or Modify System Process
  • T1547 - Persistence: Boot or Logon Autostart Execution
  • T1053 - Persistence: Scheduled Task/Job
  • T1546 - Persistence: Event Triggered Execution
  • T1070 - Defense Evasion: Indicator Removal
  • T1562 - Defense Evasion: Impair Defenses

Process Visibility:

  • BSD Process Accounting (acct/psacct)
  • auditd execve coverage
  • ptrace_scope restrictions

Container Runtime Visibility:

  • Docker / Podman / containerd presence
  • Container security tooling (Falco rules)
  • Kubernetes audit log presence

Memory Protection:

  • ASLR full mode
  • W^X enforcement (NX bit)
  • Stack canaries
  • Yama ptrace_scope

Network Behavior Monitoring:

  • Suricata / Snort / Zeek presence
  • iptables / nftables logging rules
  • Network namespace visibility

Example Usage

# Run EDR module standalone
sudo python3 modules/module_edr.py

# Pair with auditd checks
sudo python3 linux_security_audit.py --modules edr,nist,nsa

Target Audience

  • Security Operations Center (SOC) teams
  • Threat hunting teams
  • Incident response practitioners
  • Organizations evaluating detection coverage gaps
  • Defenders measuring ATT&CK technique coverage

Additional Coverage

The EDR module additionally covers detection-as-code, forensics tooling, and modern EDR coverage:

  • Detection-as-code: YARA, Sigma, detection engines active
  • Cloud-native EDR (conditional): AWS Inspector/SSM, Azure Monitor, GCP Ops, Datadog, Wiz
  • Container runtime EDR (conditional): Falco rules, Tetragon, Tracee
  • Endpoint forensics: Velociraptor, GRR, plaso, Volatility, AVML, LiME
  • Network traffic analysis: Zeek, Arkime, Suricata, Snort, ntopng
  • Honeypots/decoys: Cowrie, OpenCanary, Honeyd, T-Pot, canary tokens
  • EDR anti-tamper (1-2): services enabled, config audit
  • MITRE ATT&CK coverage: T1003, T1059, T1098, T1543, T1547, T1562, T1070
  • Live response: triage tooling, memory acquisition

GDPR Module

Overview

File: modules/module_gdpr.py Version: 3.9 Total Checks: 75 Focus: EU General Data Protection Regulation technical controls Severity Distribution: Critical, High, Medium, Low, Informational

Description

The GDPR module audits the host for technical and organizational measures required by the EU General Data Protection Regulation (Regulation (EU) 2016/679). It maps Linux/host-level controls to specific GDPR articles, focusing on Articles 5, 17, 25, 30, 32, 33, and 44.

Key Features

  • Article 5 - Principles relating to processing of personal data
  • Article 17 - Right to erasure ("right to be forgotten")
  • Article 25 - Data protection by design and by default
  • Article 30 - Records of processing activities
  • Article 32 - Security of processing
  • Article 33 - Notification of personal data breach
  • Article 44 - General principle for international transfers

Check Categories

Article 5 - Data Minimization:

  • /tmp, /var/tmp, /var/log retention controls
  • Log rotation (logrotate.conf)
  • systemd-journald retention (MaxRetentionSec)

Article 17 - Right to Erasure:

  • Secure deletion tools (shred, wipe, blkdiscard)
  • Filesystem TRIM/discard support
  • Cryptographic erasure capability (LUKS slot zeroing)

Article 25 - Data Protection by Design:

  • Default-restrictive permissions on sensitive directories
  • Encryption-at-rest (LUKS detection)
  • Encryption-in-transit (OpenSSL TLS 1.2+ minimum)
  • Privacy-default file permissions

Article 30 - Records of Processing:

  • auditd active and rule depth
  • Package transaction logs (dpkg.log, dnf.log)
  • Log forwarding to centralized SIEM

Article 32 - Security of Processing:

  • Pseudonymization libraries (libsodium, openssl, gpg)
  • TLS 1.2+ minimum
  • Confidentiality, integrity, availability indicators
  • Resilience indicators (backups, redundancy)

Article 33 - Breach Notification:

  • Log forwarding for breach detection
  • IR-readiness indicators (auditd, rsyslog remote)

Article 44 - International Transfers:

  • Geographic indicators (timezone)
  • Strong encryption for transfers
  • VPN tools (WireGuard, OpenVPN, strongSwan)

Example Usage

# Run GDPR module standalone
sudo python3 modules/module_gdpr.py

# Run with related compliance modules
sudo python3 linux_security_audit.py --modules gdpr,iso27001,enisa

Target Audience

  • EU data controllers and processors
  • Organizations subject to GDPR (EU residents' data)
  • Privacy officers and Data Protection Officers (DPOs)
  • Cloud providers serving EU customers

Additional Coverage

The GDPR module additionally covers article technical depth:

  • Article 5(1)(e) Storage limitation (sub-controls): logrotate, systemd-tmpfiles-clean.timer, auditd retention configuration
  • Article 17 Right to erasure (sub-controls): secure-delete tooling (shred, srm, scrub), swap encryption, fstrim.timer for SSD trim
  • Article 20 Portability (sub-controls): export tooling (jq, csvkit, xmlstarlet, pandoc), DB clients
  • Article 25(2) Privacy by default (sub-controls): network default- deny, minimal external services, default UMASK 027/077
  • Article 32 Crypto depth (sub-controls): CSPRNG (urandom + poolsize + rngd/haveged), password hash strength, pseudonymization tooling (openssl, gpg, age, minisign)
  • Article 33 Breach detection (sub-controls): SIEM forwarding for 72-hour notification, real-time alerting, time accuracy, evidence preservation
  • Articles 15-22 Data subject rights (sub-controls): subject communication capability, activity-log query tools (Art 15 requests)
  • Article 35 DPIA indicators (1 sub-control): high-risk processing markers (public web/DB, video, geolocation, orchestration)

HIPAA Module

Overview

File: modules/module_hipaa.py Version: 3.9 Total Checks: 114 Focus: US Health Insurance Portability and Accountability Act Security Rule (45 CFR Part 164) Severity Distribution: Critical, High, Medium, Low

Description

The HIPAA module audits Linux systems against the HIPAA Security Rule technical and administrative safeguards specified in 45 CFR Part 164. It covers all major sections: 164.308 (Administrative), 164.310 (Physical), 164.312 (Technical Safeguards), 164.314 (Organizational), 164.316 (Documentation), and 164.402-414 (Breach Notification Rule).

Key Features

  • 45 CFR 164.308 - Administrative Safeguards (workforce security, access management, information access management)
  • 45 CFR 164.310 - Physical Safeguards (facility access controls, workstation security, device and media controls)
  • 45 CFR 164.312 - Technical Safeguards (access control, audit controls, integrity controls, person authentication, transmission security)
  • 45 CFR 164.314 - Organizational Requirements (BAAs)
  • 45 CFR 164.316 - Documentation Requirements (policies, procedures)
  • 45 CFR 164.402-414 - Breach Notification Rule indicators

Check Categories

164.308 Administrative Safeguards:

  • Workforce security (account lifecycle, INACTIVE)
  • Access establishment and modification
  • Audit controls (auditd active, ruleset depth)
  • Authentication mechanisms (PAM, MFA)
  • Workforce sanctions (faillock)
  • Information access management (least privilege)

164.310 Physical Safeguards:

  • Facility security plan indicators (USBGuard, usb-storage blacklist)
  • Workstation security (screen locking, idle timeout)
  • Device and media controls (encryption-at-rest, secure deletion)

164.312 Technical Safeguards:

  • Unique user identification (no shared accounts, UID 0 uniqueness)
  • Emergency access procedures
  • Automatic logoff (SSH ClientAliveInterval, screen idle timeout)
  • Encryption and decryption (LUKS, TLS 1.2+)
  • Audit controls (auditd, immutable logs)
  • Integrity controls (FIM: AIDE, Tripwire)
  • Person authentication (MFA modules)
  • Transmission security (TLS, SSH cipher strength)

164.314 Organizational:

  • Business Associate Agreements (technical implementation indicators)

164.316 Documentation:

  • Policy and procedure documentation indicators
  • 6-year retention indicators (logrotate retention)

Breach Notification Rule:

  • Log forwarding for breach detection
  • Time synchronization for accurate breach timeline
  • Audit trail preservation

Example Usage

# Run HIPAA module standalone
sudo python3 modules/module_hipaa.py

# Healthcare compliance bundle
sudo python3 linux_security_audit.py --modules hipaa,nist,iso27001,cis

Target Audience

  • Healthcare providers (Covered Entities)
  • Health plans and clearinghouses
  • Business Associates handling Protected Health Information (PHI)
  • Healthcare IT and security teams
  • Health-tech companies subject to HIPAA

Additional Coverage

The HIPAA module additionally covers depth across the Security Rule technical safeguards and breach notification readiness:

  • 164.312(a)(2)(i) Unique user identification (sub-controls): generic account detection, UID uniqueness, UID_MIN >= 1000
  • 164.312(a)(2)(iii) Automatic logoff (sub-controls): shell TMOUT, SSH ClientAlive, desktop screen lock
  • 164.312(a)(2)(iv) Encryption (sub-controls): FIPS 140-3, crypto policies, CA bundle freshness, SSH host key types
  • 164.312(b) Audit controls (sub-controls): per-user audit, log access tracking, immutable ruleset, journald discipline
  • 164.312(c)(2) Integrity authentication (sub-controls): FIM databases, package verification, kernel-level integrity (dm-verity, IMA)
  • 164.312(d) Authentication depth (sub-controls): MFA enforcement, pubkey-only SSH, account lockout
  • 164.312(e) Transmission security (sub-controls): IPsec/WireGuard, nginx TLS, Apache TLS
  • 164.402-410 Breach notification readiness (sub-controls): audit retention capacity, email alerting, user identification, time sync
  • 164.308(a)(1) Risk analysis (sub-controls): vulnerability scanners, activity review tooling

PCI-DSS Module

Overview

File: modules/module_pci.py Version: 3.9 Total Checks: 110 Focus: PCI DSS v4.0.1 (Payment Card Industry Data Security Standard) Severity Distribution: Critical, High, Medium, Low

Description

The PCI module audits Linux systems against PCI DSS v4.0, the data security standard for organizations that handle cardholder data. It covers all 12 PCI DSS requirements with technical controls applicable at the host level, emphasizing the network, system, and authentication requirements relevant to in-scope systems.

Key Features

  • All 12 PCI DSS v4.0 requirements covered
  • Network security (Req 1, 2)
  • Cardholder data protection (Req 3, 4)
  • Vulnerability management (Req 5, 6)
  • Access control (Req 7, 8, 9)
  • Monitoring and testing (Req 10, 11)
  • Information security policy (Req 12)

Check Categories

Req 1 - Network Security Controls:

  • Firewall service (ufw, firewalld, nftables)
  • Default deny policies
  • Network segmentation indicators
  • Inbound/outbound rules audit

Req 2 - Secure Configurations:

  • Default password verification (no empty passwords)
  • Industry-accepted hardening (CIS-aligned configs)
  • Disabled unnecessary services
  • Secure shell (SSH) configuration

Req 3 - Protect Stored Account Data:

  • LUKS encryption-at-rest
  • Strong cryptography (FIPS-validated)
  • Cryptographic key management

Req 4 - Protect with Strong Cryptography in Transit:

  • TLS 1.2+ minimum (OpenSSL system policy)
  • Cipher suite restrictions
  • SSH cipher/MAC/KEX hardening

Req 5 - Protect from Malicious Software:

  • ClamAV / EDR product detection
  • Anti-malware definitions update mechanism
  • Periodic scanning indicators

Req 6 - Develop and Maintain Secure Systems:

  • Patch management automation
  • Vulnerability scanning tools
  • Change management (auditd, package logs)

Req 7 - Restrict Access by Business Need-to-Know:

  • Least privilege (sudo configuration)
  • Access control mechanisms (PAM, SELinux/AppArmor)
  • Default deny

Req 8 - Identify Users and Authenticate Access:

  • Unique user IDs (no shared accounts)
  • Strong authentication (MFA, password complexity)
  • Account lockout (faillock)
  • Password aging

Req 9 - Restrict Physical Access:

  • USB device control (USBGuard, usb-storage blacklist)
  • Mount audit rules

Req 10 - Log and Monitor Access:

  • auditd active with comprehensive ruleset
  • Log forwarding to centralized server (PCI 10.5.3 - off-system)
  • Time synchronization (PCI 10.6 - NTP/chrony)
  • Log retention (PCI 10.7 - 1 year minimum)

Req 11 - Test Security of Systems:

  • Vulnerability scanners installed
  • File integrity monitoring (FIM)
  • IDS/IPS presence

Req 12 - Information Security Policy:

  • Policy documentation indicators
  • Incident response readiness

Example Usage

# Run PCI module standalone
sudo python3 modules/module_pci.py

# In-scope systems compliance bundle
sudo python3 linux_security_audit.py --modules pci,cis,nist,stig

Target Audience

  • Merchants accepting payment cards
  • Payment service providers
  • Service providers handling cardholder data
  • E-commerce platforms
  • POS system operators
  • Organizations preparing for PCI DSS assessment (SAQ or QSA)

Additional Coverage

The PCI-DSS module additionally covers depth across PCI DSS v4.0.1 sub-requirements:

  • Req 2.2 System component configuration standards (7 sub-controls): CM tooling indicator, vendor default account lockdown, primary function service count, risky/unnecessary services audit, cleartext-protocol listener detection, kernel hardening sysctls, SSH Protocol 2 enforcement
  • Req 3.5/3.6/3.7 PAN protection and key management (5 sub-controls): PAN unreadable layers, strong hash availability, hardware key protection (TPM/HSM), key management procedures, key generation entropy, key file directory permissions
  • Req 5.2/5.3 Anti-malware deployment and operation (5 sub-controls): vendor product detection (ClamAV, MS Defender, CrowdStrike, SentinelOne, Sophos, ESET, Trend Micro), signature freshness, mechanism active, periodic scans, user-disable protection
  • Req 7.2/7.3 Access definition and enforcement (5 sub-controls): access control system layers, least privilege (sudo grant audit), account inactivity, no nullok, network default-deny
  • Req 8.3/8.4/8.6 Strong authentication, MFA, application credentials (7 sub-controls): no null auth, SHA-2 hashes, password reuse, complexity

    =12, aging <=90d, MFA detection (6 PAM modules), system account lockdown, hardcoded credential detection

  • Req 10.2/10.3/10.6 Audit log content, integrity, time sync (12 sub-controls): per PCI 10.2.1.1-10.2.1.7 event types (user access, admin actions, audit log access, failed login, IAM changes, audit system events, system object changes), audit log permissions, FIM on audit logs, time sync active, authoritative servers, NTS authentication
  • Req 11.4/11.5/11.6 IDS/IPS, change detection, vuln testing (5 sub-controls): vulnerability scanners (5 tools), IDS/IPS deployed (6 products), egress monitoring, FIM scheduled execution, WAF/web tier tamper detection

SOC2 Module

Overview

File: modules/module_soc2.py Version: 3.9 Total Checks: 98 Focus: SOC 2 Trust Services Criteria (TSP Section 100) Severity Distribution: Critical, High, Medium, Low, Informational

Description

The SOC2 module audits Linux systems against the AICPA Trust Services Criteria used in SOC 2 Type II audits. It covers all five trust principles: Security (Common Criteria CC1-CC9), Availability (A1), Confidentiality (C1), Processing Integrity (PI), and Privacy (P).

Key Features

  • Common Criteria (Security): CC1 through CC9
  • Availability principle (A1)
  • Confidentiality principle (C1)
  • Processing Integrity principle (PI)
  • Privacy principle (P)

Check Categories

CC1 - Control Environment:

  • Documented security policies (PAM stack depth)
  • Account management (login.defs, INACTIVE)
  • Workforce sanctions (faillock)

CC2 - Communication and Information:

  • Logging infrastructure (auditd, rsyslog)
  • Documentation indicators (banner, AUP)

CC3 - Risk Assessment:

  • Vulnerability scanning tools
  • Risk identification mechanisms

CC4 - Monitoring Activities:

  • Continuous monitoring (auditd, FIM)
  • Security event monitoring
  • Log forwarding (SIEM integration)

CC5 - Control Activities:

  • Access controls (sudo, PAM)
  • Configuration management (CM tools)
  • Separation of duties indicators

CC6 - Logical and Physical Access Controls:

  • Authentication (MFA, password policy)
  • Authorization (sudo, group memberships)
  • USB / removable media controls

CC7 - System Operations:

  • Anomaly detection (auditd anomaly rules)
  • Incident response readiness
  • Backup/recovery tools

CC8 - Change Management:

  • Package transaction logs
  • auditd configuration changes
  • Configuration management agents

CC9 - Risk Mitigation:

  • Risk reduction tools (firewall, AV, FIM)
  • Vendor management indicators

A1 - Availability:

  • Backup tools and scheduled jobs
  • Time synchronization
  • Resource monitoring (memory, disk)

C1 - Confidentiality:

  • Encryption at rest (LUKS)
  • Encryption in transit (TLS 1.2+)
  • Access controls on sensitive data

PI - Processing Integrity:

  • File integrity monitoring (AIDE, Tripwire)
  • Audit trail integrity (immutable logs)
  • Time synchronization for transaction integrity

P - Privacy:

  • Encryption capabilities
  • Secure deletion tools
  • Privacy-default permissions

Example Usage

# Run SOC2 module standalone
sudo python3 modules/module_soc2.py

# SaaS compliance bundle
sudo python3 linux_security_audit.py --modules soc2,iso27001,nist

Target Audience

  • Software as a Service (SaaS) providers
  • Cloud service providers
  • Service organizations subject to SOC 2 Type II
  • Vendors supplying services to SOC 2-mandated customers
  • Organizations seeking SOC 2 attestation

Module Architecture

Common Module Structure

All security modules follow a consistent architecture:

#!/usr/bin/env python3
"""
module_name.py
Module Description
Version: X.X

SYNOPSIS:
    Brief description

DESCRIPTION:
    Detailed description of module capabilities

USAGE:
    Usage examples

NOTES:
    Version, standards, references
"""

import os
import sys
from pathlib import Path
from typing import List, Dict, Any
from linux_security_audit import AuditResult

MODULE_NAME = "MODULE"
MODULE_VERSION = "X.X"

# OS Detection (if needed)
class OSInfo:
    # OS detection logic

# Utility Functions
def run_command(cmd: str) -> tuple:
    # Command execution wrapper

def check_file_exists(path: str) -> bool:
    # File existence check

# Check Functions
def check_category_name(shared_data: Dict[str, Any]) -> List[AuditResult]:
    """
    Check description

    Args:
        shared_data: Shared data from main script

    Returns:
        List of AuditResult objects
    """
    results = []

    # Perform checks
    # Create AuditResult objects
    # Append to results list

    return results

# Main Module Entry Point
def run_module(shared_data: Dict[str, Any]) -> List[AuditResult]:
    """
    Main module execution function

    Args:
        shared_data: Shared data from main script

    Returns:
        List of all AuditResult objects
    """
    results = []

    # Call check functions
    results.extend(check_category_1(shared_data))
    results.extend(check_category_2(shared_data))
    # etc.

    return results

# Standalone Testing
if __name__ == "__main__":
    # Test module independently
    test_data = {
        "hostname": socket.gethostname(),
        "is_root": os.geteuid() == 0
    }

    results = run_module(test_data)

    # Display results
    for result in results:
        print(f"[{result.status}] {result.category}: {result.message}")

AuditResult Object

Every check returns an AuditResult object with the following fields:

@dataclass
class AuditResult:
    module: str          # Module name (Core, CIS, NIST, etc.)
    category: str        # Check category
    status: str          # Pass, Fail, Warning, Info, Error
    message: str         # Brief description
    details: str = ""    # Detailed explanation
    remediation: str = "" # Fix command(s)
    timestamp: str       # Execution timestamp

Module Discovery

Modules are discovered dynamically by the main orchestrator:

  1. Scan Directory: Look for module_*.py files
  2. Import Modules: Dynamically import discovered modules
  3. Validate Interface: Verify run_module() function exists
  4. Execute Modules: Call run_module() with shared data

Shared Data Dictionary

All modules receive a shared_data dictionary containing:

{
    "hostname": str,          # System hostname
    "os_version": str,        # OS version string
    "scan_date": datetime,    # Scan start time
    "is_root": bool,          # Running as root?
    "script_path": Path       # Script directory path
}

Error Handling

Modules implement comprehensive error handling:

try:
    # Perform check
    result = AuditResult(
        module=MODULE_NAME,
        category="Category Name",
        status="Pass",
        message="Check description",
        details="Detailed information"
    )
except PermissionError:
    result = AuditResult(
        module=MODULE_NAME,
        category="Category Name",
        status="Error",
        message="Check description",
        details="Permission denied - requires root access"
    )
except FileNotFoundError:
    result = AuditResult(
        module=MODULE_NAME,
        category="Category Name",
        status="Error",
        message="Check description",
        details="Required file not found"
    )
except Exception as e:
    result = AuditResult(
        module=MODULE_NAME,
        category="Category Name",
        status="Error",
        message="Check description",
        details=f"Unexpected error: {str(e)}"
    )

Creating Custom Modules

Module Development Process

  1. Create Module File: modules/module_custom.py in the modules/ directory
  2. Implement Required Interface: run_module(shared_data) function
  3. Define Check Functions: Individual security checks
  4. Return AuditResult Objects: Properly formatted results
  5. Test Standalone: Run module independently
  6. Test Integrated: Run with main orchestrator

Minimal Module Template

#!/usr/bin/env python3
"""
module_custom.py
Custom Security Module
Version: 1.0

SYNOPSIS:
    Custom security checks for specific requirements

DESCRIPTION:
    Detailed description of what this module checks

USAGE:
    python3 linux_security_audit.py --modules CUSTOM

NOTES:
    Version: 1.0
    Custom module template
"""

import os
import sys
from pathlib import Path
from typing import List, Dict, Any

# Import AuditResult from main script
sys.path.insert(0, str(Path(__file__).parent))
from linux_security_audit import AuditResult

MODULE_NAME = "CUSTOM"
MODULE_VERSION = "1.0"

def check_example(shared_data: Dict[str, Any]) -> List[AuditResult]:
    """Example security check"""
    results = []

    try:
        # Perform your check
        check_passed = True  # Your logic here

        if check_passed:
            result = AuditResult(
                module=MODULE_NAME,
                category="Example Category",
                status="Pass",
                message="Check passed successfully",
                details="Detailed information about the check",
                remediation=""
            )
        else:
            result = AuditResult(
                module=MODULE_NAME,
                category="Example Category",
                status="Fail",
                message="Check failed",
                details="Explanation of what failed",
                remediation="command to fix the issue"
            )

        results.append(result)

    except Exception as e:
        result = AuditResult(
            module=MODULE_NAME,
            category="Example Category",
            status="Error",
            message="Check could not be completed",
            details=f"Error: {str(e)}"
        )
        results.append(result)

    return results

def run_module(shared_data: Dict[str, Any]) -> List[AuditResult]:
    """
    Main module entry point - REQUIRED

    Args:
        shared_data: Dictionary with hostname, os_version, is_root, etc.

    Returns:
        List of AuditResult objects
    """
    results = []

    # Call your check functions
    results.extend(check_example(shared_data))
    # Add more checks...

    return results

# Standalone testing
if __name__ == "__main__":
    import socket

    test_data = {
        "hostname": socket.gethostname(),
        "is_root": os.geteuid() == 0
    }

    results = run_module(test_data)

    print(f"\n{MODULE_NAME} Module Test Results:")
    print("=" * 60)
    for result in results:
        print(f"[{result.status}] {result.category}: {result.message}")
    print(f"\nTotal Checks: {len(results)}")

Best Practices for Module Development

  1. Follow Naming Convention: modules/module_name.py where name is lowercase
  2. Implement run_module(): Required function signature
  3. Return AuditResult Objects: Consistent data structure
  4. Handle Errors Gracefully: Use try/except blocks
  5. Provide Remediation: Include fix commands when applicable
  6. Document Thoroughly: Synopsis, description, usage, notes
  7. Test Independently: Verify module works standalone
  8. OS-Aware Checks: Adapt to different distributions when needed
  9. Privilege Awareness: Handle both root and non-root execution
  10. Consistent Status Values: Use Pass, Fail, Warning, Info, Error

Testing Your Module

# Test module independently
python3 module_custom.py

# Test with main orchestrator
python3 linux_security_audit.py --modules CUSTOM

# Test with other modules
python3 linux_security_audit.py --modules Core,CUSTOM

# Full integration test
sudo python3 linux_security_audit.py --modules All

Additional Resources


<- Back to Output Reference | Home | Next: Framework Reference ->

Additional Coverage

The SOC 2 module additionally covers Trust Service Criteria depth:

  • Common Criteria (CC1-CC9): documentation, communication, risk identification + change assessment, logical access + MFA + lockout + MAC + FIM, anomaly detection + monitoring + SIEM + IR + recovery, change management, risk mitigation
  • Additional Criteria: A1.2/A1.3 availability, C1.1/C1.2 confidentiality, PI1.1 processing integrity, P3.1/P5.1 privacy

Linux Security Audit

Version 3.9 - 16 modules - 2,297 checks


Getting Started


Reference


Architecture


Operations


Release Information


Quick Reference

Original modules (v2.0 baseline + v3.3 expansion)

Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG

New modules (v3.0+ Phase 3)

ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2

Output Formats

HTML - JSON - CSV - XML - Console

Status Values

Pass - Fail - Warning - Info - Error

Severity Levels

Critical - High - Medium - Low - Informational


External Links

Clone this wiki locally