Sandler73/Raspberry-Pi-Security-Auditing-Project

Raspberry Pi Security Audit Script

Multi-Framework Edition for Raspberry Pi OS


Comprehensive security audit tool specifically designed for Raspberry Pi OS

Audit a Raspberry Pi against CIS Benchmark, NIST 800-53, DISA STIG, NSA Hardening Guide, and CISA Cybersecurity Best Practices plus 15+ Raspberry Pi-specific security checks.


🍓 Overview

raspberry_security_audit.py is a specialized security auditing tool for Raspberry Pi systems that combines:

  • All standard Linux security checks (136+ checks from the parent script)
  • 15+ Raspberry Pi-specific checks (GPIO, VNC, Wi-Fi, default pi user, etc.)
  • Auto-detection of Raspberry Pi hardware (safely skips Pi checks on other systems)
  • IoT security focus for edge devices and embedded systems

Intended for:

  • 🏠 Home servers (Pi-hole, Home Assistant, NAS)
  • πŸ”¬ IoT projects (sensors, automation, monitoring)
  • πŸŽ“ Educational environments (teaching security)
  • πŸ’Ό Small business servers
  • πŸ”§ Development and test environments
  • πŸš€ Edge computing deployments

✨ Key Features

🍓 Raspberry Pi-Specific Checks (15+)

Hardware & Interface Security

  1. Default 'pi' User Security (CAT I - CRITICAL)

    • Checks if default pi user exists
    • Verifies password changed from default raspberry
    • Ensures account is locked or disabled
    • Automated fix: Lock or disable account
  2. Boot Configuration Security (CAT II)

    • /boot/config.txt permissions (should be 644 root:root)
    • /boot/cmdline.txt permissions
    • No debug boot options enabled
    • Automated fix: Secure file permissions
  3. GPIO Permissions (CAT III)

    • Checks gpio group membership
    • Ensures only authorized users have hardware access
    • Limits physical interface exposure
  4. Camera Interface Security (CAT III)

    • Detects if camera is enabled
    • Checks video group membership
    • Recommends disabling if not needed
  5. I2C Interface Security (CAT III)

    • Checks if I2C is enabled
    • Recommends disabling unused interfaces
    • Automated fix: Disable in /boot/config.txt
  6. SPI Interface Security (CAT III)

    • Checks if SPI is enabled
    • Recommends disabling unused interfaces
    • Automated fix: Disable in /boot/config.txt
  7. Serial Console Security (CAT II - HIGH)

    • Detects serial console in boot parameters
    • Critical security risk - provides root access
    • Automated fix: Disable serial console

Network & Wireless Security

  8. Wi-Fi Security Configuration (CAT I - CRITICAL)

    • Checks for plaintext passwords in wpa_supplicant.conf
    • Verifies WPA2/WPA3 encryption
    • Detects open/insecure networks
    • Automated fix: Instructions for PSK hashing
  9. Bluetooth Security (CAT II)

    • Checks if Bluetooth is enabled
    • Verifies not discoverable
    • Recommends disabling if not needed
    • Automated fix: Disable Bluetooth service
  10. VNC Server Security (CAT I - CRITICAL)

    • Detects RealVNC or other VNC servers
    • Checks encryption settings
    • Verifies password protection
    • Automated fix: Secure VNC or disable
  11. Avahi/mDNS Service (CAT III)

    • Checks if Avahi is running (.local hostname resolution)
    • Recommends disabling if not needed
    • Automated fix: Disable avahi-daemon

System Configuration

  12. Default Hostname (CAT III)

    • Checks if hostname is still raspberrypi
    • Recommends unique hostname
    • Automated fix: Change hostname instructions
  13. Firmware Updates (CAT II)

    • Checks for rpi-update tool
    • Recommends regular firmware updates
    • Automated fix: Update firmware
  14. SD Card Security (CAT III)

    • Checks SD card mount options
    • Recommends noatime to reduce writes
    • Optimizes for SD card longevity

📊 All Standard Linux Checks (136+)

Plus all checks from the parent script:

  • File Permissions (8 checks)
  • User Account Security (7 checks)
  • SSH Configuration (15 checks) - CRITICAL for Pi
  • Firewall (3 checks)
  • Kernel Parameters (9 checks)
  • Filesystem (7 checks)
  • Logging & Auditing (5 checks)
  • System Hardening (6 checks)
  • Network Security (3 checks)
  • Password Complexity (5 checks)
  • And 60+ more...

Total: 150+ comprehensive security checks


💻 Requirements

Hardware

  • Raspberry Pi 5, 4, 3, 2, Zero 2 W (any model)
  • 1GB+ RAM (512MB may work but untested)
  • SD card or USB/SSD boot

Software

  • Raspberry Pi OS (32-bit or 64-bit)
    • Bookworm (latest)
    • Bullseye (previous)
    • Buster (older, should work)
  • Python: 3.8 or higher (included in Raspberry Pi OS)
  • Root access: Required for complete audit and remediation
  • Dependencies: Standard library only (no pip installs needed)

Tested On

  • ✅ Raspberry Pi 5 - Raspberry Pi OS 64-bit
  • ✅ Raspberry Pi 4 Model B - Raspberry Pi OS 64-bit
  • ✅ Raspberry Pi 4 Model B - Raspberry Pi OS 32-bit
  • ✅ Raspberry Pi Zero 2 W - Raspberry Pi OS 32-bit Lite
  • ⚠️ Other Debian-based systems - Will work but skip Pi-specific checks

📥 Installation

Quick Install

# Update system
sudo apt update

# Download script
wget https://your-repo/raspberry_security_audit.py

# Make executable
chmod +x raspberry_security_audit.py

# Run audit
sudo ./raspberry_security_audit.py

Alternative: Git Clone

git clone https://github.com/your-username/raspberry-security-audit.git
cd raspberry-security-audit
chmod +x raspberry_security_audit.py
sudo ./raspberry_security_audit.py

System-Wide Installation

sudo cp raspberry_security_audit.py /usr/local/bin/pi-security-audit
sudo chmod +x /usr/local/bin/pi-security-audit

# Run from anywhere
sudo pi-security-audit --help

🚀 Quick Start

1. Basic Audit

# Run comprehensive audit (auto-detects Raspberry Pi)
sudo ./raspberry_security_audit.py

# Output shows:
# - Raspberry Pi model detected
# - Architecture (32-bit or 64-bit)
# - 150+ security checks
# - Per-framework compliance scores

2. Fix Critical Issues

# Fix CAT I (Critical) issues
sudo ./raspberry_security_audit.py --cat "CAT I" --remediate

# This will fix:
# - Default 'pi' user (lock account)
# - Wi-Fi security (recommendations)
# - VNC security (secure or disable)
# - SSH root login (disable)
# - Empty passwords (lock accounts)
# - Firewall (install and enable)

3. Generate Reports

# Auto-save comprehensive report
sudo ./raspberry_security_audit.py --auto-save

# CSV for tracking
sudo ./raspberry_security_audit.py -f csv -o pi_audit.csv

# JSON for automation
sudo ./raspberry_security_audit.py -f json -o pi_audit.json

📋 Usage Examples

Initial Raspberry Pi Hardening

# Step 1: Baseline audit
sudo ./raspberry_security_audit.py -o baseline.txt

# Step 2: Fix critical Pi-specific issues
sudo ./raspberry_security_audit.py --cat "CAT I" --remediate
# Answer 'y' to:
# - Lock default 'pi' user
# - Secure VNC or disable
# - Fix Wi-Fi security
# - Disable SSH root login

# Step 3: Fix important issues
sudo ./raspberry_security_audit.py --cat "CAT II" --remediate
# - Disable serial console
# - Secure Bluetooth
# - Update firmware

# Step 4: Verify improvements
sudo ./raspberry_security_audit.py -o final.txt

# Compare:
diff baseline.txt final.txt

Headless Pi Server Setup

# For Pi-hole, Home Assistant, etc.
sudo ./raspberry_security_audit.py --level 1 --remediate

# Focuses on essential hardening:
# - SSH security
# - Firewall
# - User accounts
# - File permissions
# - Network security

IoT Device Security

# For sensor hubs, automation controllers
sudo ./raspberry_security_audit.py --framework nist --remediate

# Addresses:
# - Access controls (AC-6, AC-17)
# - Authentication (IA-2, IA-5)
# - System hardening (CM-6, CM-7)
# - Logging (AU-2, AU-12)

Education & Training

# Show students security issues without fixing
sudo ./raspberry_security_audit.py

# Have students manually fix items
# Then re-run to verify:
sudo ./raspberry_security_audit.py

🔧 Raspberry Pi-Specific Workflows

Securing Default Pi Installation

Problem: Fresh Raspberry Pi OS has known weaknesses

  • Default pi user with password raspberry
  • SSH enabled with password authentication
  • VNC might be enabled
  • Default hostname raspberrypi

Solution:

sudo ./raspberry_security_audit.py --cat "CAT I" --remediate

Fixes:

  1. ✅ Locks pi user
  2. ✅ Hardens SSH (disables root login, enables key auth)
  3. ✅ Secures or disables VNC
  4. ✅ Configures firewall

Time: 5-10 minutes


Disabling Unused Interfaces

Problem: Many interfaces enabled by default (GPIO, I2C, SPI, camera, etc.)

Solution:

sudo ./raspberry_security_audit.py

# Review INFO items about enabled interfaces
# Disable manually if not needed:

# Disable camera
sudo raspi-config  # Interface Options -> Camera -> No

# Disable I2C
sudo raspi-config  # Interface Options -> I2C -> No

# Disable SPI
sudo raspi-config  # Interface Options -> SPI -> No

# Or edit /boot/config.txt directly
# (on Raspberry Pi OS Bookworm the file lives at /boot/firmware/config.txt)
sudo nano /boot/config.txt
# Comment out: dtparam=i2c_arm=on, dtparam=spi=on, etc.

# Reboot
sudo reboot
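
The interface and serial console checks described above reduce to reading two boot files. The following is an added example, not code from the audit script itself; the function names, the list of watched keys and the sample file contents are assumptions made for illustration. Conditional filters such as [pi4] are ignored, so a setting under any filter is reported.

```python
# Constructed samples, not taken from a real device.
SAMPLE_CONFIG_TXT = """\
# For more options see the Raspberry Pi documentation
dtparam=audio=on
dtparam=i2c_arm=on,spi=on
#dtparam=i2s=on
camera_auto_detect=1
[pi4]
enable_uart=1
[all]
"""
SAMPLE_CMDLINE_TXT = ("console=serial0,115200 console=tty1 "
                      "root=PARTUUID=00000000-02 rootfstype=ext4 rootwait")

# Hypothetical watch lists for this example.
WATCHED_DTPARAMS = {"i2c_arm": "I2C", "spi": "SPI"}
WATCHED_KEYS = {"enable_uart": "UART", "start_x": "camera",
                "camera_auto_detect": "camera"}
ON_VALUES = {"on", "1", "true", "yes"}
SERIAL_DEVICES = ("serial0", "serial1", "ttyAMA", "ttyS")


def enabled_interfaces(config_txt):
    """Return the sorted names of watched interfaces switched on in config.txt."""
    found = set()
    for raw in config_txt.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[":      # blank, comment, or [filter] line
            continue
        key, _, value = line.partition("=")
        if key == "dtparam":
            # one dtparam line may carry several comma-separated assignments
            for item in value.split(","):
                name, _, state = item.partition("=")
                if name in WATCHED_DTPARAMS and state.lower() in ON_VALUES:
                    found.add(WATCHED_DTPARAMS[name])
        elif key in WATCHED_KEYS and value.strip().lower() in ON_VALUES:
            found.add(WATCHED_KEYS[key])
    return sorted(found)


def serial_consoles(cmdline_txt):
    """Return console= values in cmdline.txt that name a serial device."""
    consoles = [tok.split("=", 1)[1] for tok in cmdline_txt.split()
                if tok.startswith("console=")]
    return [c for c in consoles if c.split(",")[0].startswith(SERIAL_DEVICES)]
```

On a real system, pass in the contents of config.txt and cmdline.txt from /boot/firmware (Bookworm) or /boot (earlier releases).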

Wireless Security Hardening

Problem: Wi-Fi configuration may have plaintext passwords

Solution:

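# Generate hashed PSK
# (omit the passphrase argument and wpa_passphrase reads it from stdin,
#  which keeps it out of shell history)
wpa_passphrase "YourSSID" "YourPassword"

# Copy the psk=HASH line
# (leave out the '#psk="..."' comment line in the output; it holds the plaintext passphrase)
# Edit config:
sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

# Replace:
# psk="PlaintextPassword"
# With:
# psk=0123456789abcdef...  (the hash)

# For WPA3, add:
# proto=RSN
# key_mgmt=SAE
# (SAE works from the passphrase itself, so a network block that uses only
#  key_mgmt=SAE needs the passphrase rather than the 64-hex psk= value)

# Restart networking
sudo systemctl restart dhcpcd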
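
The Wi-Fi check described above (plaintext passwords, open networks) can be expressed as a small parser over the network blocks of wpa_supplicant.conf. This is an added example, not code from the audit script; the function name, the finding labels and the sample configuration are assumptions made for illustration.

```python
import re

HEX_PSK = "0123456789abcdef" * 4  # constructed 64-hex placeholder, not a real key

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONF = f"""
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
network={{
    ssid="HomeNet"
    psk="correct horse battery staple"
}}
network={{
    ssid="Lab"
    psk={HEX_PSK}
    key_mgmt=WPA-PSK
}}
network={{
    ssid="CafeGuest"
    key_mgmt=NONE
}}
network={{
    ssid="Pasted"
    #psk="left over from wpa_passphrase output"
    psk={HEX_PSK}
}}
"""

NETWORK_RE = re.compile(r"^\s*network\s*=\s*\{(.*?)^\s*\}", re.S | re.M)


def audit_wpa_conf(text):
    """Return (ssid, issue) pairs for every weak network block."""
    findings = []
    for body in NETWORK_RE.findall(text):
        opts, commented_psk = {}, False
        for line in (raw.strip() for raw in body.splitlines()):
            if line.startswith("#"):
                # wpa_passphrase echoes the passphrase as a '#psk="..."' comment
                commented_psk |= line.lstrip("# ").startswith('psk="')
                continue
            key, sep, value = line.partition("=")
            if sep:
                opts[key.strip()] = value.strip()
        ssid = opts.get("ssid", "<unnamed>").strip('"')
        if opts.get("key_mgmt") == "NONE":
            findings.append((ssid, "WEP" if "wep_key0" in opts else "open network"))
        elif opts.get("psk", "").startswith('"'):
            findings.append((ssid, "plaintext psk"))
        if commented_psk:
            findings.append((ssid, "plaintext psk left in comment"))
    return findings
```

The "Pasted" block shows the case a plain search for quoted psk= values misses: the hash was copied together with the comment line that still carries the passphrase.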

Monthly Security Maintenance

#!/bin/bash
# /root/monthly_pi_security.sh

DATE=$(date +%Y%m%d)

# Update system
sudo apt update
sudo apt upgrade -y

# Update firmware
sudo rpi-update

# Make sure the report directory exists
sudo mkdir -p /var/log/security

# Run security audit
sudo /usr/local/bin/pi-security-audit \
    -f csv \
    -o "/var/log/security/pi_audit_$DATE.csv" \
    --no-console

# Email if critical issues found
# ("CAT I" must be followed by a character other than "I", so that
#  CAT II and CAT III rows are not counted as critical)
CRITICAL=$(grep -cE 'CAT I[^I].*FAIL' "/var/log/security/pi_audit_$DATE.csv")
if [ "${CRITICAL:-0}" -gt 0 ]; then
    echo "ALERT: $CRITICAL critical findings on Raspberry Pi" | \
        mail -s "Pi Security Alert" admin@example.com
fi

Cron: 0 3 1 * * /root/monthly_pi_security.sh


📊 Sample Output

Raspberry Pi Detection

================================================================================
Raspberry Pi Security Audit v1.0.0-PI - Multi-Framework Edition
================================================================================
Hostname: pihole
Timestamp: 2025-12-21 22:30:00
================================================================================

================================================================================
RASPBERRY PI DETECTED: Raspberry Pi 4 Model B Rev 1.5
Architecture: 64-bit
================================================================================

Running Raspberry Pi-specific security checks...

[CIS 5.4.2 | NIST IA-5,AC-6 | NSA ✓ | CISA ✓]
Default Pi User Security
Category: CAT I | Status: FAIL | Severity: Critical
Current: Default 'pi' user exists: Account not locked, Login shell still active
Expected: User disabled or renamed
Recommendation: CRITICAL: Default 'pi' user should be disabled, renamed, or secured

Fix commands:
  # Option 1: Lock the account
  sudo passwd -l pi
  # Option 2: Disable login shell
  sudo usermod -s /usr/sbin/nologin pi
  # Option 3: Rename the user (recommended)
  # sudo usermod -l newusername pi

Apply fix? (y/n/q):

Framework Compliance Summary

FRAMEWORK COMPLIANCE SUMMARY
--------------------------------------------------------------------------------
CIS   : 102/112 checks passed (91.1%)
NIST  :  88/100 checks passed (88.0%)
STIG  :  95/112 checks passed (84.8%)
NSA   :  98/107 checks passed (91.6%)
CISA  :  73/83  checks passed (88.0%)

🎯 Raspberry Pi-Specific Best Practices

1. Always Change Default User

# Best: Rename the pi user
sudo usermod -l yourname pi
sudo usermod -d /home/yourname -m yourname
sudo groupmod -n yourname pi

# Or: Lock it and create new user
sudo passwd -l pi
sudo adduser yourname
sudo usermod -aG sudo yourname
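
The sample output earlier reports two separate conditions for the pi user, "Account not locked" and "Login shell still active". The following added example (not code from the audit script; function names and sample entries are assumptions) derives both from passwd and shadow entries. It also reflects the note in passwd(1) that locking a password does not block other authentication such as an SSH key, which is why the shell and expiry fields are checked as well.

```python
# Constructed passwd/shadow lines; the hash fields are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/bin/bash
"""
SAMPLE_SHADOW = """\
root:*:19700:0:99999:7:::
pi:!$y$PLACEHOLDER:19700:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin",
                  "/bin/false", "/usr/bin/false"}


def _entry(text, user):
    """Return the colon-separated fields of the user's line, or None."""
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            return fields
    return None


def pi_account_state(passwd_text, shadow_text, today_days, user="pi"):
    """Classify the account; today_days is days since 1970-01-01
    (for example int(time.time() // 86400))."""
    pw, sh = _entry(passwd_text, user), _entry(shadow_text, user)
    if pw is None or sh is None:
        return None  # user absent (renamed or deleted)
    expire = sh[7] if len(sh) > 7 else ""   # shadow field 8: account expiry
    state = {
        "password_locked": sh[1].startswith(("!", "*")),
        "shell_disabled": pw[6] in NOLOGIN_SHELLS,
        "expired": expire.isdigit() and int(expire) <= today_days,
    }
    # A locked password alone leaves key-based logins working.
    state["non_password_login_possible"] = not (
        state["shell_disabled"] or state["expired"])
    return state
```

With the sample data the pi password is locked, yet the account still has a working shell and no expiry date, so a key in authorized_keys would still log in.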

2. Use SSH Keys, Not Passwords

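# On your computer:
ssh-keygen -t ed25519 -C "pi@$(hostname)"
ssh-copy-id youruser@raspberrypi.local

# On Pi, disable password auth
# (matches the directive whether or not it is commented out):
sudo sed -i -E 's/^[#[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Validate the config and show the effective value
# (files under /etc/ssh/sshd_config.d/ can override the main file)
sudo sshd -t && sudo sshd -T | grep -i '^passwordauthentication'
sudo systemctl reload sshd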

3. Firewall is Essential

# Even on home network!
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp  # If web server
sudo ufw enable

4. Disable Unnecessary Services

# Check what's running
systemctl list-units --type=service --state=running

# Common candidates for disabling:
sudo systemctl disable bluetooth
sudo systemctl disable avahi-daemon
sudo systemctl disable triggerhappy

5. Keep Firmware Updated

# Monthly:
sudo apt update && sudo apt full-upgrade -y
sudo rpi-update
sudo reboot

6. Monitor Your Pi

# Install monitoring
sudo apt install vnstat htop

# Check temperature (overheating can indicate crypto-mining)
vcgencmd measure_temp

# Check for unauthorized processes
# (this filter also hides everything running as root; review those separately)
ps aux | grep -v grep | grep -v root

🔍 Troubleshooting

Script Shows "Not Raspberry Pi"

Cause: Running on non-Pi hardware or virtualized environment

Solution:

# Check CPU info
cat /proc/cpuinfo | grep "Raspberry Pi"

# Check for Pi-specific files
ls -la /boot/config.txt

# If on actual Pi but not detected:
# Script will still run standard Linux checks
# Only Pi-specific checks are skipped

"Permission Denied" Errors

Cause: Not running as root

Solution:

# Always use sudo
sudo ./raspberry_security_audit.py

Wi-Fi Check Reports Issues

Cause: wpa_supplicant.conf has plaintext passwords

Solution:

# Generate hashed PSK
wpa_passphrase "SSID" "password"

# Edit config with hash
sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

VNC Security Failures

Cause: VNC is enabled with weak security

Solution:

# Option 1: Disable VNC
sudo systemctl stop vncserver-x11-serviced
sudo systemctl disable vncserver-x11-serviced

# Option 2: Secure VNC
sudo raspi-config
# Interface Options -> VNC -> Configure encryption
# Use strong password

📚 Resources

Official Raspberry Pi Security

Framework Standards

Community


🀝 Contributing

Contributions welcome! Especially:

  • Testing on different Pi models
  • Additional Pi-specific security checks
  • Raspbian/Pi OS compatibility fixes
  • Documentation improvements

📜 License

MIT License - See LICENSE file


🙏 Acknowledgments


⚠️ Disclaimer

This tool helps identify security issues but doesn't guarantee complete security. Always:

  • Test in non-production environment first
  • Backup your Pi before major changes
  • Understand what each fix does
  • Have physical access in case of lockouts

Use at your own risk.


📊 Statistics

  • Total Checks: 150+
  • Pi-Specific Checks: 15+
  • Framework Mappings: 112
  • Automated Fixes: 95%+
  • Supported Models: All Raspberry Pi models
  • Supported OS: Raspberry Pi OS (32 & 64-bit)

Last Updated: December 21, 2025
Version: 1.0.0-PI
Based On: linux_security_audit (https://github.com/Sandler73/Linux-Security-Audit-and-Remediation-Script)


🍓 Secure your Raspberry Pi today! 🔒
