D3One/Linux-audit-and-hardening

Linux System Audit & Hardening Toolkit


A collection of scripts and utilities for security auditing and hardening of Linux servers and workstations.


⚠️ Disclaimer / Warning

WARNING! USE AT YOUR OWN RISK! These scripts make changes to your operating system's configuration, which may lead to:

  • Loss of access to the system (e.g., due to firewall settings).
  • Unstable operation of specific services or applications.
  • Incompatibility with certain software.

It is strongly recommended to:

  1. TEST all scripts on a virtual machine or test environment first.
  2. Have a backup of important data and configurations ready.
  3. Understand what each command does before executing it.
  4. DO NOT run these scripts in a production environment without prior testing.

The author is not responsible for any damage caused by the use of these scripts.


📁 Repository Structure and Script Functionality

./audit/

Scripts for checking the current security posture of the system.

  • audit.sh - Main security audit script.

    • Checks for installed patches and updates.
    • Analyzes sudo settings and file permissions.
    • Audits SSH server configuration.
    • Checks network firewall configuration (iptables/nftables).
    • Searches for files with risky permission bits set (SUID, SGID).
    • Audits key kernel parameters.
    • Usage Example:
      # Make the script executable
      chmod +x ./audit/audit.sh
      # Run (requires root privileges for a full audit)
      sudo ./audit/audit.sh
      # Or save output to a file
      sudo ./audit/audit.sh | tee audit_report.txt
  • lynis_audit.sh - Run an audit using Lynis.

    • Automatically checks for the Lynis installation and installs it if necessary.
    • Runs a comprehensive system scan.
    • Usage Example:
      chmod +x ./audit/lynis_audit.sh
      sudo ./audit/lynis_audit.sh

./hardening/

Scripts for applying security hardening settings.

  • hardening.sh - Basic system hardening script.

    • Configures stricter file and directory permissions (/tmp, /var/tmp).
    • Installs and configures UFW (Uncomplicated Firewall) to allow only specific incoming connections (e.g., SSH).
    • Applies basic restrictive rules to iptables.
    • Configures kernel parameters via sysctl (enables protection against IP spoofing, disables packet forwarding, etc.).
    • Installs and configures fail2ban for protection against brute-force attacks.
    • Usage Example (WARNING! Be prepared for an SSH session drop when firewall rules change!):
      chmod +x ./hardening/hardening.sh
      # ALWAYS review the script before running!
      nano ./hardening/hardening.sh
      # Run (MUST be run as root!)
      sudo ./hardening/hardening.sh
  • ssh_hardening.sh - Script for SSH server (sshd) hardening.

    • Creates a backup of the original /etc/ssh/sshd_config file.
    • Disables password authentication (enforces key-based auth only).
    • Disables root login.
    • Changes the default SSH port (optional; the corresponding lines must be uncommented and edited in the script).
    • Configures a stricter set of encryption algorithms.
    • Usage Example (IT IS CRITICAL to have an alternative access method, such as a second open session or your provider's console, in case of error!):
      chmod +x ./hardening/ssh_hardening.sh
      sudo ./hardening/ssh_hardening.sh
      # Check the new config for syntax errors first (sudo sshd -t), then reload the SSH daemon
      sudo systemctl reload sshd
      # And verify you haven't locked yourself out: open a NEW SSH session before closing the current one!
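The sshd configuration check that audit.sh performs and the password/root-login changes that ssh_hardening.sh applies, as an added example written for this page (not code from the repository). It assumes the config is passed as a file path so it can be tried on a copy first, and relies on sshd keeping the first value it reads for a directive, with Match blocks applying only conditionally.

```shell
# Standalone helpers (not the repository's own code). Each takes the config file
# path, so they can be run on a copy of /etc/ssh/sshd_config before the live file.

sshd_effective() {
    # $1 = config path, $2 = directive (case-insensitive). sshd keeps the FIRST
    # value it reads and Match blocks apply only conditionally, so only the global
    # section before the first "Match" line is scanned. Handles "Key value" lines.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

audit_sshd() {
    # Prints one FINDING per weak effective value; returns 1 if any were found.
    # Absent directives fall back to the OpenSSH defaults
    # (PasswordAuthentication yes, PermitRootLogin prohibit-password).
    audit_rc=0
    pa=$(sshd_effective "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    prl=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    pa=${pa:-yes}; prl=${prl:-prohibit-password}
    [ "$pa" = no ]  || { echo "FINDING: PasswordAuthentication is '$pa' (want no)"; audit_rc=1; }
    [ "$prl" = no ] || { echo "FINDING: PermitRootLogin is '$prl' (want no)"; audit_rc=1; }
    return $audit_rc
}

set_directive() {
    # $1 = file, $2 = directive, $3 = value. Comments out every global occurrence and
    # writes the new line at the top, so it is the first value sshd sees.
    scratch=$(mktemp)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v line="$2 $3" '
        BEGIN { print line }
        !in_match && tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == key { print "#" $0 "   # superseded by harden_sshd"; next }
        { print }
    ' "$1" > "$scratch" && cat "$scratch" > "$1"   # cat keeps the file's owner and mode
    rm -f "$scratch"
}

harden_sshd() {
    # Backs up the file (as ssh_hardening.sh does), then enforces key-only auth and
    # no root login. Validate with `sshd -t -f FILE` before reloading the daemon.
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 1
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" PermitRootLogin no
}
```

Run `audit_sshd /etc/ssh/sshd_config` on its own for a read-only check; `harden_sshd` is best tried on a copy and the result fed to `sshd -t -f` before it replaces the live file.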

./utils/

Helper scripts and utilities.

  • install_utils.sh - Installs useful audit utilities.

    • Installs tools like lynis, chkrootkit, rkhunter, clamav.
    • Usage Example:
      chmod +x ./utils/install_utils.sh
      sudo ./utils/install_utils.sh
  • user_audit.sh - Audit system users and groups.

    • Shows users with UID 0 (other than root).
    • Lists users with a password set in /etc/shadow.
    • Checks for accounts with empty passwords.
    • Usage Example:
      chmod +x ./utils/user_audit.sh
      sudo ./utils/user_audit.sh
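The three checks listed for user_audit.sh, as an added example not taken from the repository. The functions take the passwd and shadow file paths as arguments, so they can be run on copies; the report function cross-references the two files to rate an empty password by the account's login shell.

```shell
# Standalone helpers (not the repository's own code). They take the passwd and shadow
# file paths as arguments, so they can be run on copies without touching /etc.

uid0_users() {
    # Accounts with UID 0 other than root: a second superuser is a classic backdoor.
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

password_set_users() {
    # Accounts whose shadow hash field is usable. A leading "!" or "*" means the
    # account is locked or disabled; an empty field means no password at all.
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

empty_password_users() {
    # Accounts with an empty hash field: login succeeds without any password.
    awk -F: '$2 == "" { print $1 }' "$1"
}

user_audit_report() {
    # $1 = passwd file, $2 = shadow file. Prints one finding per line; returns 1 if any.
    # An empty password is rated by the account's login shell: with nologin/false it
    # cannot be used interactively, and an EMPTY shell field defaults to /bin/sh.
    report_rc=0
    for u in $(uid0_users "$1"); do
        echo "HIGH: extra UID 0 account '$u'"; report_rc=1
    done
    for u in $(empty_password_users "$2"); do
        shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$1")
        case "$shell" in
            */nologin|*/false) echo "MEDIUM: empty password on '$u' (shell $shell)" ;;
            *) echo "CRITICAL: empty password on '$u' (login shell ${shell:-/bin/sh by default})" ;;
        esac
        report_rc=1
    done
    return $report_rc
}
```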

./configs/

  • Example configuration files (e.g., sshd_config, sysctl.conf) that can be used as references or for comparison.

🚀 Quick Start

  1. Clone the repository:

    git clone https://github.com/D3One/Linux-audit-and-hardening.git
    cd Linux-audit-and-hardening
  2. Start with an audit:

    sudo ./audit/audit.sh
    sudo ./audit/lynis_audit.sh

    Carefully study the reports to understand the weaknesses in your system before changing anything.

  3. Apply hardening CAUTIOUSLY:

    • Before running ANY script from hardening/, open it and review the settings (nano ./hardening/script_name.sh).
    • Start with the least dangerous changes (e.g., configuring UFW).
    • Always have a rollback plan (config backups, console access via your VPS provider, etc.).

👨‍💻 Authorship

Contributions and stars are welcome! If you find a bug or have an improvement idea, please create an issue or a pull request.


📜 License

This project is distributed under the MIT License. See the LICENSE file for more information (if present in the repository).

About

Simple all-in-one scripts for auditing a system and enabling hardened native security options.