Ryan edited this page Mar 2, 2026 · 4 revisions

Linux Security Audit Project

Overview

The Linux Security Audit Project is a comprehensive, modular security assessment framework designed to audit Linux systems against multiple compliance frameworks and security standards. It provides enterprise-grade security scanning capabilities with intelligent privilege detection, interactive HTML reporting, and automated remediation workflows.

Key Features

  • Multi-Framework Support: Audit against 8 security frameworks (Core, CIS, CISA, ENISA, ISO27001, NIST, NSA, STIG)
  • 1,207 Validated Checks: Comprehensive security coverage across all modules
  • Compliance Scoring: Weighted, simple, and severity-adjusted scores with configurable pass/fail thresholds
  • Interactive HTML Reports: 18+ features including SVG dashboard, clickable filters, column resizing, multi-format export, compliance overview
  • Performance Engine: Shared caching (~50% hit rate), parallel module execution, direct /proc reads
  • Structured Logging: Dual console/file output with configurable levels, JSON format, hostname-stamped log files
  • Intelligent Remediation: Interactive and automated remediation with safety confirmations and selective issue fixing
  • Multi-Format Output: HTML, CSV, JSON, XML, Console with auto-generated companion JSON metadata
  • IP Address Identification: Paired host identification (hostname + OS + IPs) for SIEM attribution
  • Privilege-Aware Execution: Graceful degradation when running without root privileges
  • Dynamic Module Discovery: Automatic detection and validation from modules/ directory
  • OS-Aware Checks: Distribution-specific assessments for Debian, Red Hat, SUSE, and Arch families

Architecture

Core Components

Main Orchestrator (linux_security_audit.py)

The central script (3,486 lines) that coordinates module execution, manages output generation, and handles remediation workflows. Features include:

  • Dynamic module discovery from modules/ directory with validation
  • Shared data cache initialization and distribution to modules
  • Parallel or sequential module execution with timing
  • Compliance scoring (simple, weighted, severity-adjusted)
  • IP address detection for host identification
  • Multi-format report generation to reports/ directory
  • Interactive and automated remediation engine
  • Structured logging to logs/ directory

Shared Components Library (shared_components/audit_common.py)

A 2,195-line shared library providing performance infrastructure:

  • Intelligent Caching: File content and command output caching with ~50% hit rate
  • OS Detection: Distribution family identification (Debian, Red Hat, SUSE, Arch)
  • Package Manager Abstraction: Unified interface for apt, yum, dnf, zypper, pacman
  • /proc Filesystem Reads: Direct kernel parameter reads replacing subprocess calls
  • Common Utilities: Shared helper functions used across all modules

Security Modules

Eight specialized modules providing framework-specific security checks:

| Module   | Description                    | Checks | Standards                                                     |
|----------|--------------------------------|--------|---------------------------------------------------------------|
| Core     | Baseline security assessment   | 153    | Industry best practices, vendor security guides               |
| CIS      | CIS Benchmarks compliance      | 212    | CIS Benchmarks for Linux                                      |
| CISA     | CISA cybersecurity guidance    | 147    | CISA Known Exploited Vulnerabilities, Security Advisories     |
| ENISA    | ENISA cybersecurity guidelines | 97     | ENISA Good Practices, EU Cybersecurity Standards              |
| ISO27001 | ISO/IEC 27001 controls         | 115    | ISO/IEC 27001:2013/2022                                       |
| NIST     | NIST security frameworks       | 172    | NIST SP 800-53, NIST CSF 2.0, NIST SP 800-171                 |
| NSA      | NSA security hardening         | 144    | NSA Security Configuration Guides                             |
| STIG     | DISA STIG compliance           | 167    | Defense Information Systems Agency STIGs                      |

The eight modules total 1,207 checks.

Execution Modes

Full Privilege (Root) Mode

When run with sudo or as root:

  • Complete access to all security checks
  • Full remediation capabilities
  • Comprehensive system analysis
  • Access to privileged system information

Limited Privilege (Non-Root) Mode

When run as a regular user:

  • Graceful degradation of checks requiring elevated privileges: checks that need root are skipped instead of aborting the run
  • Read-only security assessment
  • No remediation capabilities (requires root)
  • Useful for scheduled monitoring and reporting; because privileged checks are skipped, results and compliance scores from a non-root run are not comparable with a root run of the same host
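The two execution modes come down to one design rule per check: a check that only needs world-readable data (a direct /proc read, as the Shared Components Library does instead of spawning sysctl) behaves identically with or without root, while a check that needs privileged data must report that it could not verify rather than emit a false FAIL. The following is an added example, not code from the Linux Security Audit Project; the CheckResult fields, the SKIP status, the check names and the demo() helper are assumptions used to illustrate graceful degradation.

```python
"""Privilege-aware checks with direct /proc reads.

Added example, not code from the Linux Security Audit Project. CheckResult,
the SKIP status, the check names and demo() are assumptions.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Union

PathLike = Union[str, os.PathLike]


@dataclass
class CheckResult:
    check_id: str
    status: str          # PASS, FAIL or SKIP (assumed status vocabulary)
    detail: str
    needs_root: bool = False


def is_root() -> bool:
    """True for a root shell or a sudo invocation (effective UID 0)."""
    return os.geteuid() == 0


def read_text(path: PathLike) -> Optional[str]:
    """Read a file directly (a /proc/sys entry instead of spawning `sysctl`).
    None means 'could not read', so callers degrade instead of crashing."""
    try:
        return Path(path).read_text()
    except OSError:
        return None


def check_aslr(proc_root: PathLike = "/proc") -> CheckResult:
    """Unprivileged: kernel.randomize_va_space is world-readable, so the
    result is identical with or without root."""
    value = read_text(Path(proc_root) / "sys" / "kernel" / "randomize_va_space")
    if value is None:
        return CheckResult("ASLR", "SKIP", "randomize_va_space not readable")
    value = value.strip()
    if value == "2":
        return CheckResult("ASLR", "PASS", "randomize_va_space=2 (full randomization)")
    return CheckResult("ASLR", "FAIL", f"randomize_va_space={value}, expected 2")


def check_empty_passwords(shadow: PathLike = "/etc/shadow") -> CheckResult:
    """Privileged: /etc/shadow is not readable by regular users. Report SKIP
    and flag needs_root rather than FAIL, which would be a false finding."""
    text = read_text(shadow)
    if text is None:
        return CheckResult("EMPTY_PASSWORDS", "SKIP",
                           f"{shadow} not readable (root required)", needs_root=True)
    empty = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "":   # empty hash field = no password
            empty.append(fields[0])
    if empty:
        return CheckResult("EMPTY_PASSWORDS", "FAIL",
                           "accounts with empty password field: " + ", ".join(empty),
                           needs_root=True)
    return CheckResult("EMPTY_PASSWORDS", "PASS", "no empty password fields",
                       needs_root=True)


def summarize(results: List[CheckResult]) -> Dict[str, int]:
    """Count outcomes and, separately, SKIPs caused by missing privileges so
    the report can say 'N checks need root' instead of inflating the pass rate."""
    counts = {"PASS": 0, "FAIL": 0, "SKIP": 0, "SKIP_NEEDS_ROOT": 0}
    for r in results:
        counts[r.status] += 1
        if r.status == "SKIP" and r.needs_root:
            counts["SKIP_NEEDS_ROOT"] += 1
    return counts


def demo() -> Dict[str, CheckResult]:
    """Run both checks against a constructed fake /proc tree and a constructed
    shadow file (sample data, not real system files), offline and unprivileged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "proc" / "sys" / "kernel").mkdir(parents=True)
        (root / "proc" / "sys" / "kernel" / "randomize_va_space").write_text("2\n")
        shadow = root / "shadow"
        shadow.write_text("root:$6$saltsalt$hashhash:19700:0:99999:7:::\n"
                          "guest::19700:0:99999:7:::\n")
        return {
            "ASLR": check_aslr(root / "proc"),
            "EMPTY_PASSWORDS": check_empty_passwords(shadow),
            "ASLR_MISSING": check_aslr(root / "no-such-proc"),
        }


if __name__ == "__main__":
    print("running as root:", is_root())
    live = [check_aslr(), check_empty_passwords()]
    for r in live:
        print(f"{r.check_id:16} {r.status:5} {r.detail}")
    print(summarize(live))
```

Run unprivileged, the live check on /etc/shadow comes back SKIP with needs_root set, and summarize() reports it under SKIP_NEEDS_ROOT; run with sudo, the same code path yields PASS or FAIL. That separation is what lets a non-root cron run produce an honest report instead of a wall of false failures.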

System Requirements

Supported Operating Systems

  • Debian-based: Ubuntu 18.04+, Debian 9+, Linux Mint 19+, Kali Linux
  • RedHat-based: RHEL 7+, CentOS 7+, Fedora 28+, Rocky Linux, AlmaLinux
  • Other: SUSE/openSUSE, Arch Linux (with varying module compatibility)

Prerequisites

  • Python: Version 3.7 or higher (dataclasses required)
  • Privileges: Root/sudo access recommended for complete assessment and remediation
  • Disk Space: Minimum 100MB for reports and logs
  • Memory: Minimum 512MB RAM (1GB+ recommended for large audits)

Required Python Modules

All required modules are part of Python's standard library:

  • os, sys, json, csv, argparse
  • subprocess, platform, socket, datetime
  • pathlib, typing, dataclasses
  • xml.etree.ElementTree, html

Typical Workflows

Basic Security Audit

# Run complete audit with all modules
sudo python3 linux_security_audit.py

# Run specific modules
sudo python3 linux_security_audit.py -m Core,NIST,CIS

# Generate CSV report
sudo python3 linux_security_audit.py -f CSV -o security-report.csv

Targeted Remediation

# 1. Run audit and generate HTML report
sudo python3 linux_security_audit.py

# 2. Review report in browser, select issues to fix

# 3. Export selected issues to JSON

# 4. Automatically remediate the selected issues (preview the commands in dry-run mode first; see Remediation Modes)
sudo python3 linux_security_audit.py --auto-remediate --remediation-file Selected-Report.json

Scheduled Monitoring (Non-Root)

# Regular security monitoring without root. The output path must be writable
# by the user running the audit; /var/log usually is not, so use a directory
# that user owns.
python3 linux_security_audit.py -f JSON -o "$HOME/security-audit/security-audit.json"

# Can be scheduled via cron for continuous monitoring (in a crontab, % must be
# escaped as \% or cron treats it as a newline)
0 2 * * * /usr/bin/python3 /opt/security-audit/linux_security_audit.py -f JSON -o $HOME/security-audit/audit-$(date +\%Y\%m\%d).json

SIEM Integration

# Generate XML output for SIEM ingestion
sudo python3 linux_security_audit.py -f XML -o siem-feed.xml

# JSON format for API integration
sudo python3 linux_security_audit.py -f JSON -o api-feed.json

Key Capabilities

Reporting Features

  • Interactive HTML Reports: 18+ features: SVG donut, compliance matrix, remediation priority
  • Dashboard Filtering: Click donut segments, summary cards, or severity cards to filter all tables
  • Compliance Scoring: Weighted, simple, severity-adjusted scores with thresholds
  • Theme Support: Dark and light themes with CSS custom properties
  • Export Options: Per-module and global export to CSV, Excel, JSON, XML, TXT
  • Column Controls: Resizable columns, in-column filtering, column visibility toggles
  • Global Search: Include/exclude text search across all results
  • Statistics Dashboard: SVG donut chart, IP identification, compliance overview

Remediation Modes

  • Interactive Remediation: Review and approve each fix individually
  • Filtered Remediation: Fix only FAIL, WARNING, or INFO status issues
  • Automated Remediation: Batch fix all issues with safety confirmations
  • Selective Remediation: Fix only specific issues exported from HTML report
  • Dry-Run Support: Preview remediation commands before execution

Data Export Formats

HTML

  • Rich interactive interface with JavaScript functionality
  • Responsive design for mobile and desktop
  • Built-in filtering, sorting, and search
  • Export selected issues to JSON for targeted remediation

CSV

  • Structured tabular format for spreadsheet analysis
  • Compatible with Excel, Google Sheets, LibreOffice
  • Suitable for trending analysis and reporting

JSON

  • Structured data with complete audit metadata
  • Companion JSON auto-generated alongside all report formats
  • Includes compliance scores and host identification (hostname, OS, IPs)
  • Supports selective remediation workflows
  • SIEM and automation tool compatible
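Since the companion JSON carries the compliance scores and is meant for automation, the natural consumer is a gate that reads the report and fails a pipeline when a score drops below the configured threshold. The page names three scores (simple, weighted, severity-adjusted) without giving the formulas, so the following added example uses its own: it is not the project's scoring code, and the report layout (a "results" list with check_id, status and severity), the severity weights and the three formulas are assumptions chosen to show why the three numbers diverge on the same data.

```python
"""Three compliance scores and a pass/fail gate over a JSON report.

Added example, not the project's own scoring code or schema. The report
layout, the severity weights and the formulas are assumptions.
"""
import json
import sys
from typing import Dict, List

# Assumed severity weights: heavier checks count more.
WEIGHTS = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample in the assumed companion-JSON shape (not real tool output).
SAMPLE_REPORT = json.dumps({
    "host": {"hostname": "web01", "os": "Ubuntu 22.04", "ips": ["10.0.0.5"]},
    "results": [
        {"check_id": "CIS-1.1", "status": "PASS", "severity": "CRITICAL"},
        {"check_id": "CIS-1.2", "status": "FAIL", "severity": "CRITICAL"},
        {"check_id": "CIS-2.1", "status": "PASS", "severity": "HIGH"},
        {"check_id": "CIS-3.1", "status": "PASS", "severity": "MEDIUM"},
        {"check_id": "CIS-4.1", "status": "FAIL", "severity": "LOW"},
        {"check_id": "CIS-5.1", "status": "SKIP", "severity": "HIGH"},
    ],
})


def scored(results: List[dict]) -> List[dict]:
    """Only PASS and FAIL are scored; SKIP (e.g. a non-root run) carries no
    pass/fail signal and must not inflate or deflate the rate."""
    return [r for r in results if r["status"] in ("PASS", "FAIL")]


def simple_score(results: List[dict]) -> float:
    """Plain pass rate: every scored check counts once."""
    rs = scored(results)
    if not rs:
        return 0.0
    return round(100.0 * sum(r["status"] == "PASS" for r in rs) / len(rs), 1)


def weighted_score(results: List[dict]) -> float:
    """Weight each check by severity: passing a CRITICAL check earns four
    times as much as passing a LOW one."""
    rs = scored(results)
    total = sum(WEIGHTS[r["severity"]] for r in rs)
    if not total:
        return 0.0
    earned = sum(WEIGHTS[r["severity"]] for r in rs if r["status"] == "PASS")
    return round(100.0 * earned / total, 1)


def severity_adjusted_score(results: List[dict]) -> float:
    """Passes count once each, but every failure is penalized by its weight,
    so one CRITICAL failure drags the score down even among many passes."""
    rs = scored(results)
    passes = sum(r["status"] == "PASS" for r in rs)
    penalty = sum(WEIGHTS[r["severity"]] for r in rs if r["status"] == "FAIL")
    if passes + penalty == 0:
        return 0.0
    return round(100.0 * passes / (passes + penalty), 1)


def score_report(report_json: str) -> Dict[str, float]:
    """Parse a companion-JSON document (assumed layout) and compute all three scores."""
    results = json.loads(report_json)["results"]
    return {
        "simple": simple_score(results),
        "weighted": weighted_score(results),
        "severity_adjusted": severity_adjusted_score(results),
    }


def gate(scores: Dict[str, float], threshold: float = 80.0,
         key: str = "severity_adjusted") -> bool:
    """True when the chosen score meets the configured threshold."""
    return scores[key] >= threshold


if __name__ == "__main__":
    scores = score_report(SAMPLE_REPORT)
    for name, value in scores.items():
        print(f"{name:18} {value:5.1f}")
    ok = gate(scores, 80.0)
    print("gate(80, severity_adjusted):", "PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)   # non-zero exit fails a CI job
```

On the constructed sample the simple score is 60.0, the weighted score 64.3 and the severity-adjusted score 37.5: the same host looks acceptable or badly broken depending on which score the threshold is applied to, which is why the threshold and the score type should be chosen together and recorded with the report.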

XML

  • Standards-compliant XML structure
  • Suitable for SIEM ingestion (Splunk, QRadar, etc.)
  • Enterprise security tool integration
  • Custom schema support for specific requirements

Security Considerations

Privilege Management

  • Script checks for required privileges before execution
  • Clear messaging about privilege requirements
  • Graceful degradation for non-privileged execution
  • No unnecessary privilege escalation

Remediation Safety

  • Interactive confirmations for all automated fixes
  • Preview of commands before execution
  • Backup recommendations for critical changes
  • Rollback guidance for failed remediations

Data Handling

  • No sensitive data logged to console (use --quiet for minimal output)
  • File permissions: 600 for reports, 644 for logs (logs are therefore world-readable by default; restrict the logs/ directory if other local users must not see check details)
  • Structured logs in logs/, reports in reports/ with hostname-stamped filenames
  • No external network calls (fully offline operation)
  • SUDO_USER detection for proper file ownership
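Two of the points above, 600-mode reports and SUDO_USER-based ownership, are easy to get subtly wrong: a file opened with the default umask exists world-readable until a later chmod, and a report written under sudo ends up root-owned and unreadable by the operator who requested it. The following added example shows one way to do both safely; it is not the project's own output code, and the filename layout, the function names and the demo() helper are assumptions.

```python
"""Create report files with a fixed 0600 mode and hand ownership back to
the sudo invoker.

Added example, not the project's own output code. The filename layout,
function names and demo() are assumptions.
"""
import os
import pwd
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple, Union

PathLike = Union[str, os.PathLike]


def stamped_name(kind: str, ext: str, hostname: str, timestamp: str) -> str:
    """Hostname-stamped filename (assumed layout) so reports from many hosts
    can share one collection directory without colliding."""
    return f"{hostname}-{timestamp}-{kind}.{ext}"


def sudo_invoker() -> Optional[Tuple[int, int]]:
    """Under sudo the process runs as UID 0 but SUDO_USER names the real
    operator; return their uid/gid so the report is not left root-owned.
    None means 'leave ownership alone'."""
    if os.geteuid() != 0:
        return None
    name = os.environ.get("SUDO_USER")
    if not name or name == "root":
        return None
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        return None
    return pw.pw_uid, pw.pw_gid


def write_private(path: PathLike, data: str, mode: int = 0o600,
                  owner: Optional[Tuple[int, int]] = None) -> Path:
    """Create with O_CREAT|O_EXCL|O_NOFOLLOW: the file never exists with a
    looser mode, a pre-planted file or symlink at the path is refused rather
    than followed, and fchmod enforces `mode` even if the umask masked bits
    off at creation time. Ownership is set on the descriptor, not the name."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    try:
        os.fchmod(fd, mode)
        if owner is not None:
            os.fchown(fd, *owner)
    except OSError:
        os.close(fd)
        path.unlink()
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo() -> Dict[str, object]:
    """Write a constructed report (sample data) into a temp dir and return
    what a verifier would observe: mode bits, content, and whether a second
    write to the same name is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        name = stamped_name("report", "json", "web01", "20260302-020000")
        p = write_private(Path(tmp) / "reports" / name, '{"constructed": true}\n',
                          owner=sudo_invoker())
        mode = p.stat().st_mode & 0o777
        try:
            write_private(p, "overwrite attempt")
            refused = False
        except FileExistsError:
            refused = True
        return {"name": name, "mode": mode, "exists_refused": refused,
                "content": p.read_text()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {oct(value) if key == 'mode' else value!r}")
```

The O_EXCL refusal matters in shared directories: if a local user pre-creates or symlinks reports/<expected-name>, a tool that opens the name for writing would follow it and write root-privileged output wherever the link points. Refusing to open an existing name turns that into a visible error instead.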

Performance Characteristics

Execution Time

  • Full Audit (Sequential): 60-120 seconds on typical systems
  • Full Audit (Parallel, 4 workers): 30-60 seconds
  • Single Module: 5-15 seconds depending on module

Resource Usage

  • CPU: Low to moderate; parallel mode uses multiple cores
  • Memory: 50-200MB depending on number of checks
  • Disk I/O: Minimal (mostly read operations)
  • Network: None (fully offline operation)

Scalability

  • Tested on systems with 1000+ users
  • Handles large filesystem hierarchies efficiently
  • Suitable for both workstations and servers
  • Parallel execution scales with --workers N

Project Structure

Linux-Security-Audit-Project/
├── linux_security_audit.py           # Main orchestrator (3,486 lines)
├── modules/                          # Security framework modules
│   ├── module_core.py                #   Core baseline (153 checks)
│   ├── module_cis.py                 #   CIS Benchmarks (212 checks)
│   ├── module_cisa.py                #   CISA guidance (147 checks)
│   ├── module_enisa.py               #   ENISA guidelines (97 checks)
│   ├── module_iso27001.py            #   ISO 27001 controls (115 checks)
│   ├── module_nist.py                #   NIST frameworks (172 checks)
│   ├── module_nsa.py                 #   NSA hardening (144 checks)
│   └── module_stig.py                #   DISA STIGs (167 checks)
├── shared_components/                # Shared library
│   └── audit_common.py              #   Caching, parallel, /proc (2,195 lines)
├── logs/                             # Structured log files (auto-created)
├── reports/                          # Generated reports (auto-created)
├── README.md
├── LICENSE
├── SECURITY.md
├── CHANGELOG.md
├── CONTRIBUTING.md
└── .gitignore

Version Information

Current Version: 2.0
Release Date: March 2026
Python Compatibility: 3.7+ (dataclasses required)
Total Checks: 1,207 (validated)
License: MIT

Contributing

We welcome contributions! Please see the Development Guide for:

  • Setting up your development environment
  • Creating new security modules
  • Submitting pull requests
  • Coding standards and best practices

Support

Getting Help

  1. Check the FAQ for common questions
  2. Review the Troubleshooting Guide for known issues
  3. Consult the Usage Guide for detailed examples
  4. Open an issue on GitHub

Reporting Issues

  • Bugs: Use the GitHub issue tracker with detailed reproduction steps
  • Feature Requests: Open an issue with the enhancement label
  • Security Issues: Follow the Security Policy

License

This project is licensed under the MIT License - see the LICENSE file for details.


Last Updated: March 2026
Maintained By: Sandler
Project Status: Active Development
