-
Notifications
You must be signed in to change notification settings - Fork 2
Troubleshooting Guide
This guide provides solutions to common issues encountered when using the Linux Security Audit Project, including error messages, unexpected behavior, and system-specific problems.
The profile name validation regex is ^[a-z][a-z0-9_-]{0,30}$ and is intentionally strict. Common rejection causes:
-
Uppercase letters - use
rhel9notRHEL9 -
Special characters -
;,&,$,`, newlines, slashes are all rejected - Leading hyphen or digit - must start with a lowercase letter
- Length over 31 chars - bounded to prevent resource exhaustion
Run --list-profiles to see all valid profile names.
This means the profile's exclude_modules list filtered out every module you selected. Either remove the --profile flag or pick different modules with --modules.
This is normal for the generic profile (no exclusions) and for systems that don't have the excluded categories present anyway. Profiles are subtractive, so systems lacking the excluded categories see no change.
The v3.6 cache lifetime is per-process. If you're calling main() repeatedly in a long-running supervisor, call shared_components.module_helpers.clear_caches() between runs to invalidate.
For one-shot CLI invocations (the typical case), the cache is automatically cleared because the process exits after each audit.
- Quick Diagnostic Steps
- Common Issues
- Permission and Privilege Issues
- Module-Specific Issues
- Output and Reporting Issues
- Remediation Issues
- Performance Issues
- OS-Specific Issues
- Getting Additional Help
When encountering issues, start with these basic diagnostic steps:
# Check Python version (requires 3.7+)
python3 --version
# Expected: Python 3.7.0 or higher# Check all module files exist
ls -l modules/module_*.py shared_components/audit_common.py
# Expected: 16 module files in modules/ and audit_common.py in shared_components/# List available modules (no privileges required)
python3 linux_security_audit.py --list-modules
# Run simple test
python3 linux_security_audit.py -m Core -f Console# Run with full error output
python3 linux_security_audit.py -m Core --verbose --log-level DEBUG 2>&1 | tee debug.log
# Check logs/ directory for structured log file
# Review debug.log and log file for specific errorsSymptom:
ImportError: No module named 'linux_security_audit'
ModuleNotFoundError: No module named 'linux_security_audit'
Cause: Module files trying to import from main script but can't find it.
Solutions:
- Ensure all files in same directory:
ls -l linux_security_audit.py module_*.py
# All files should be in same directory- Run from project directory:
cd /path/to/Linux-Security-Audit-Project
python3 linux_security_audit.py- Don't install as package: This is not a pip-installable package, run directly from source.
Symptom:
[Error] Permission denied accessing /etc/shadow
[Error] Permission denied reading /etc/ssh/sshd_config
Multiple checks showing "Error" status
Cause: Running without sufficient privileges.
Solutions:
Option 1: Run with sudo (Recommended):
sudo python3 linux_security_audit.pyOption 2: Accept limited results:
# Run without sudo - some checks will be limited
python3 linux_security_audit.pyThe tool will indicate: [!] Running as: NON-ROOT (Limited)
What to expect:
- File permission checks may fail
- Service status checks may be limited
- Some security checks require root access
- Remediation is not available without root
Symptom:
[!] No modules found. Cannot proceed.
Cause: Module files are missing or not in the expected location.
Solutions:
- Verify module files exist:
ls module_*.pyShould show:
module_cis.py
module_cisa.py
module_core.py
module_enisa.py
module_iso27001.py
module_nist.py
module_nsa.py
module_stig.py
- Re-download missing modules:
# Clone repository again
git clone https://github.com/Sandler73/Linux-Security-Audit-Project.git- Check file permissions:
# Modules must be readable
chmod 644 module_*.pySymptom:
- Script runs for 10+ minutes
- Appears to hang on specific module
- High CPU usage
Causes and Solutions:
Cause 1: Running all modules on first execution
# Solution: Run fewer modules
python3 linux_security_audit.py -m Core,CISCause 2: System has many users/files
# Solution: Expected on large systems
# Wait for completion (typically 5-10 minutes max)Cause 3: Network timeouts
# Solution: System may be trying to resolve hostnames
# Check /etc/hosts and DNS configurationMonitoring progress:
# Run with visible output
python3 linux_security_audit.py -f ConsoleSymptom:
[+] Report generated successfully
[!] Browser did not open automatically
Causes and Solutions:
Cause 1: No graphical environment
# Solution: Manually copy report to local system
scp user@server:/path/to/report.html .
# Open locally in browserCause 2: No default browser configured
# Solution: Open manually
firefox Security-Audit-Report-*.html
# or
google-chrome Security-Audit-Report-*.htmlCause 3: Running via SSH
# Solution: Use X11 forwarding
ssh -X user@server
python3 linux_security_audit.py
# Or copy report locally (preferred)Symptom:
[Error] Command 'auditctl' not found
[Error] Command 'sestatus' not found
Cause: Required security tools not installed.
Solutions:
For auditd:
# Debian/Ubuntu
sudo apt-get install auditd
# RHEL/CentOS/Fedora
sudo yum install auditFor SELinux tools:
# RHEL/CentOS/Fedora
sudo yum install policycoreutils
# Ubuntu (AppArmor is default)
sudo apt-get install apparmor-utilsNote: These are expected on systems without these tools installed. The tool will mark these as "Error" status which is informational.
Symptom:
[sudo] password for user:
[sudo] password for user:
[sudo] password for user:
Cause: Running with sudo python3 and checks are calling sudo again.
Solution:
Remove sudo from remediation commands when already running as root:
# Run as root directly
sudo python3 linux_security_audit.py
# Remediation commands will work without nested sudoSymptom:
[Error] Operation not permitted
[Error] Cannot modify /sys/...
Cause: SELinux, AppArmor, or kernel restrictions.
Solutions:
Check SELinux status:
sestatus
# If enforcing and causing issues:
sudo setenforce 0 # TemporaryCheck AppArmor status:
sudo aa-status
# If AppArmor is blocking:
sudo aa-complain /path/to/scriptSome operations require reboot: Kernel parameter changes often require reboot to take effect.
Symptom:
- Fixed permissions during remediation
- After reboot, permissions revert
Cause: System has file permission management (systemd-tmpfiles, configuration management).
Solution:
Make changes persistent:
# For systemd-managed files
sudo systemctl edit service-name
# For configuration management
# Update Ansible/Puppet/Chef configurationsIssue: Package manager detection fails
Symptom:
[Error] Core - Package Management: Unknown package manager
Solution:
# Verify package manager
which apt yum dnf zypper pacman
# If multiple package managers exist, Core module uses first foundIssue: OS detection incorrect
Symptom:
[Warning] OS family detection uncertain
Solution:
# Check /etc/os-release
cat /etc/os-release
# Manually verify distribution
lsb_release -aIssue: Many CIS checks fail on minimal installation
Symptom:
CIS module shows 100+ failures
Most failures related to "not installed"
Cause: CIS Benchmarks assume certain packages/configurations.
Solution:
This is expected behavior:
- Minimal installations lack many CIS-recommended components
- Review failures and install required packages
- Prioritize CAT I (critical) findings
Issue: Partition checks fail
Symptom:
[Fail] CIS - Filesystem: Separate /tmp partition not found
[Fail] CIS - Filesystem: Separate /var partition not found
Cause: System doesn't have separate partitions.
Solution:
Option 1: Accept the finding (common on cloud/virtual systems)
Option 2: Implement during next OS installation
Option 3: Use bind mounts (partial mitigation):
# Create separate filesystem for /tmp
sudo mkdir /tmp_new
sudo mount -t tmpfs -o size=1G,nodev,nosuid,noexec tmpfs /tmp_newIssue: SELinux checks fail on non-RHEL systems
Symptom:
[Error] NSA - SELinux: SELinux not found
[Error] STIG - MAC: Mandatory Access Control not enabled
Cause: SELinux is RHEL-family specific.
Solution:
For Debian/Ubuntu: Use AppArmor checks instead
# Check AppArmor status
sudo aa-status
# These systems use AppArmor, not SELinux
# This is expected and correctIssue: FIPS mode checks fail
Symptom:
[Fail] NSA - Cryptography: FIPS mode not enabled
Cause: FIPS mode not enabled (expected for non-government systems).
Solution:
For government/DoD systems: Enable FIPS mode:
# RHEL/CentOS
sudo fips-mode-setup --enable
sudo rebootFor commercial systems: FIPS mode is not required, finding can be ignored.
Issue: KEV catalog checks report many vulnerabilities
Symptom:
[Fail] CISA - Vulnerability Management: 50+ KEV vulnerabilities found
Cause: System has unpatched known exploited vulnerabilities.
Solution:
Critical - Patch immediately:
# Update system
sudo apt update && sudo apt upgrade -y # Debian/Ubuntu
sudo yum update -y # RHEL/CentOSThis is a serious security issue - KEV catalog contains actively exploited vulnerabilities.
Symptom:
- HTML file opens but shows no content
- Report displays incorrectly
- JavaScript errors in browser console
Causes and Solutions:
Cause 1: Incomplete file write
# Check file size
ls -lh Security-Audit-Report-*.html
# Should be > 100KB for full report
# If < 10KB, file write was interruptedSolution: Re-run audit
sudo python3 linux_security_audit.pyCause 2: Browser compatibility
# Try different browser
firefox report.html
google-chrome report.htmlCause 3: File corruption
# Check file integrity
file Security-Audit-Report-*.html
# Should show: "HTML document, UTF-8 Unicode text"Symptom:
- Commas in wrong places
- Data in wrong columns
- Special characters display incorrectly
Solutions:
Excel import wizard:
- Open Excel
- File -> Import -> CSV
- Select UTF-8 encoding
- Choose comma as delimiter
- Import
Use LibreOffice Calc:
# Better CSV handling than Excel
libreoffice --calc report.csvSymptom:
json.decoder.JSONDecodeError: Expecting value: line 1 column 1Solutions:
Validate JSON:
# Check if valid JSON
python3 -m json.tool report.json
# Or use jq
jq . report.jsonCheck file encoding:
file report.json
# Should show: "JSON data, UTF-8 Unicode text"Re-generate:
sudo python3 linux_security_audit.py -f JSON -o new-report.jsonSymptom:
- XML parser rejects file
- SIEM won't ingest XML
Solutions:
Validate XML:
xmllint report.xml
# Or with Python
python3 -c "import xml.etree.ElementTree as ET; ET.parse('report.xml')"Check for special characters:
# XML requires entity escaping
# The tool should handle this, but verify
grep -E '[<>&"]' report.xmlSymptom:
[!] Remediation failed: command not found: systemctl
Cause: System doesn't have the required command.
Solutions:
Check init system:
# For systemd systems
which systemctl
# For SysVinit systems
which serviceModify remediation command:
# SysVinit alternative
sudo service sshd restartSymptom:
- Service won't start after remediation
- System becomes unreachable
- SSH connection drops
Prevention:
Always test in non-production first:
# Test on development system
sudo python3 linux_security_audit.py --remediateReview remediation commands before executing:
# Run audit first
sudo python3 linux_security_audit.py
# Review HTML report
# Manually apply critical changes one at a timeBackup configurations:
# Before remediation
sudo cp -r /etc/ssh /etc/ssh.backup
sudo cp /etc/sysctl.conf /etc/sysctl.conf.backupRecovery:
If SSH is still accessible:
# Restore backup
sudo cp -r /etc/ssh.backup /etc/ssh
sudo systemctl restart sshdIf SSH is broken:
# Connect via console (physical or virtual)
# Restore backup configurations
# Restart servicesSymptom:
[!] Some changes require system reboot to take effect
Expected for:
- Kernel parameter changes (
sysctl) - SELinux mode changes
- Some PAM configuration changes
Solution:
Schedule reboot:
# Check what requires reboot
needs-restarting -r # RHEL/CentOS
cat /var/run/reboot-required # Ubuntu/Debian
# Schedule reboot
sudo shutdown -r +30 "System reboot for security updates"Symptom:
[*] Executing remediation 45/156...
[!] Remediation stopped
Causes:
Cause 1: Command timeout
- Long-running commands may timeout
- Default timeout: 30 seconds
Cause 2: Fatal error
- One remediation command failed critically
- Script stopped to prevent further issues
Solution:
Review last successful remediation:
# Check which remediation was last
# Review its effect
# Manually complete remaining remediationsSymptom:
# Memory usage > 500MB
top -p $(pgrep -f linux_security_audit)Causes and Solutions:
Cause 1: Large system (1000+ users, many files)
- Expected behavior
- Memory usage proportional to system size
Cause 2: All modules running simultaneously
# Solution: Run modules individually
python3 linux_security_audit.py -m Core
python3 linux_security_audit.py -m CIS
# etc.Cause 3: Very large output files
# Solution: Use Console format for testing
python3 linux_security_audit.py -f ConsoleSymptom:
- Script stops progressing
- Last message shows specific module/check
- Ctrl+C doesn't work immediately
Solution:
Identify hanging check:
# Run in verbose mode (if available)
# Or trace with strace
sudo strace -f -t python3 linux_security_audit.pyForce timeout:
# Kill after 10 minutes
timeout 600 python3 linux_security_audit.pyReport issue:
- Note which check hangs
- Report on GitHub Issues
- Include OS version and system details
Symptom:
[*] Executing module: CIS
Running filesystem checks... (5+ minutes)
Causes:
Cause 1: Large filesystem
- Searching for SUID/SGID files
- Searching for world-writable files
- Expected on systems with millions of files
Cause 2: Network filesystems
- NFS mounts slow down checks
- SMB shares cause timeouts
Solutions:
Exclude network mounts:
# Temporary unmount if possible
# Or accept longer execution timeSkip filesystem-intensive modules:
# Run without CIS module on large systems
python3 linux_security_audit.py -m Core,NIST,CISAIssue: AppArmor checks fail
Symptom:
[Error] AppArmor profiles not loaded
Solution:
# Check AppArmor status
sudo aa-status
# If disabled
sudo systemctl enable apparmor
sudo systemctl start apparmorIssue: unattended-upgrades not configured
Symptom:
[Fail] Automatic security updates not configured
Solution:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgradesIssue: SELinux checks fail unexpectedly
Symptom:
[Error] Cannot determine SELinux status
Solution:
# Check SELinux installation
rpm -q libselinux
# Install if missing
sudo yum install libselinux-utilsIssue: yum/dnf version confusion
Symptom:
[Error] Package manager command failed
Solution:
# RHEL 7/CentOS 7: Use yum
sudo yum update
# RHEL 8+/CentOS 8+/Fedora: Use dnf
sudo dnf update
# Script should auto-detect, but verifyIssue: Clock synchronization checks fail
Symptom:
[Fail] Time synchronization not configured
Cause: Cloud VMs often use different time sync.
Solution:
AWS EC2:
# Uses Amazon Time Sync Service
chronyc sources
# Should show: 169.254.169.123Azure:
# Uses Azure Time Sync
chronyc sourcesSolution: These are correct configurations, findings can be noted but not necessarily failures.
Issue: Many services "not installed"
Symptom:
[Error] auditd not installed
[Error] AIDE not installed
[Error] rsyslog not installed
Cause: Minimal OS or container installation.
Solution:
For containers: This is expected and correct
- Containers should be minimal
- Install only required security tools
- Use host-level security monitoring
For minimal OS: Install required packages:
# Security essentials
sudo apt install auditd aide rsyslog fail2ban
# Or equivalent for your distributionWhen reporting issues, include:
- System Information:
# OS version
cat /etc/os-release
uname -a
# Python version
python3 --version
# Privileges
id- Error Output:
# Full error output
python3 linux_security_audit.py -m Core 2>&1 | tee error.log- Module List:
python3 linux_security_audit.py --list-modules- File Verification:
ls -lh linux_security_audit.py module_*.py# If debug mode is implemented
export DEBUG=1
python3 linux_security_audit.py| Error Message | Likely Cause | Solution |
|---|---|---|
Permission denied |
Not running as root | Use sudo
|
Module not found |
Files not in same directory | Verify file locations |
Command not found: X |
Security tool not installed | Install package |
No modules found |
Module files missing | Re-download project |
Timeout |
Long-running command | Wait or investigate hanging process |
Invalid JSON |
Corrupted output file | Re-run audit |
Cannot determine OS |
Unusual distribution | Report as issue |
GitHub Issues:
- Bug reports: https://github.com/Sandler73/Linux-Security-Audit-Project/issues
- Feature requests: Use "enhancement" label
- Questions: Use "question" label
Before Opening Issue:
- Search existing issues
- Try troubleshooting steps in this guide
- Collect diagnostic information
- Provide clear reproduction steps
Issue Template:
**Description**
Clear description of the issue
**Steps to Reproduce**
1. Step one
2. Step two
3. ...
**Expected Behavior**
What should happen
**Actual Behavior**
What actually happens
**Environment**
- OS: [e.g., Ubuntu 22.04]
- Python Version: [e.g., 3.10.12]
- Running as: [root/non-root]
- Module: [e.g., Core, CIS]
**Error Output**Paste error output here
**Additional Context**
Any other relevant information
Most Common Fixes:
-
Permission issues: Run with
sudo - Module not found: Ensure all files in same directory
- Slow execution: Run fewer modules at once
- Service broken after remediation: Restore from backup
- HTML report doesn't open: Manually open or copy to local system
When to Report Bug:
- Script crashes unexpectedly
- Incorrect security assessment
- Remediation command is wrong or dangerous
- Documentation is unclear or incorrect
When Not to Report:
- "Error" status for uninstalled packages (expected)
- "Fail" status for unconfigured security (that's the point)
- Slow execution on large systems (expected)
- Need sudo privileges (by design)
- FAQ: Common questions
- Usage Guide: Proper usage instructions
- Module Documentation: Understanding check results
- Development Guide: For developers debugging issues
Linux Security Audit Project - Version 3.9 - MIT License
Repository - Releases - Issues - Pull Requests
Changelog - Contributing - Security Policy - License
Frameworks: Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG - ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2
Coverage: 16 Modules - 2,297 Automated Security Checks - 5 Native Output Formats - Zero External Dependencies
This documentation reflects Linux Security Audit Project v3.9 (cross-framework remediation consistency via the canonical remediation registry, PCI-DSS module rename, compliance-scoring fix, attack-surface assessment, per-framework split reports, cross-module correlation, 18 distribution profiles, rollup metrics, OS-aware remediation library). For older versions, see the release tags.
Version 3.9 - 16 modules - 2,297 checks
Original modules (v2.0 baseline + v3.3 expansion)
Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG
New modules (v3.0+ Phase 3)
ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2
Output Formats
HTML - JSON - CSV - XML - Console
Status Values
Pass - Fail - Warning - Info - Error
Severity Levels
Critical - High - Medium - Low - Informational