-
Notifications
You must be signed in to change notification settings - Fork 2
Frequently Asked Questions (FAQ)
This page answers common questions about the Linux Security Audit Project, its capabilities, usage, and security concepts.
- General Questions
- Installation and Setup
- Usage Questions
- Security Frameworks
- Results and Reporting
- Remediation Questions
- Technical Questions
- Comparison Questions
The Linux Security Audit Project is a comprehensive, modular security assessment framework for Linux systems. It audits systems against multiple security frameworks including CIS Benchmarks, NIST standards, DISA STIGs, and more, providing detailed reports and automated remediation capabilities.
Key Features:
- 8 security framework modules (1,207 validated checks)
- Compliance scoring (weighted, simple, severity-adjusted) with pass/fail thresholds
- Interactive HTML reports with 18+ features (dashboard filtering, export, compliance overview)
- Performance engine: shared caching (~50% hit rate), parallel execution, /proc reads
- Structured logging with configurable levels and JSON output
- Multiple output formats (HTML, CSV, JSON, XML, Console) with companion JSON
- Automated and selective remediation
- Privilege-aware execution (works with or without root)
Yes, completely free and open source under the MIT License. You can:
- Use it for personal or commercial purposes
- Modify it to suit your needs
- Distribute it (with attribution)
- Include it in proprietary software
License: MIT - See LICENSE
Ideal Users:
- System Administrators: Regular security assessments
- Security Teams: Compliance auditing and hardening
- DevOps Engineers: CI/CD security integration
- Compliance Officers: Framework compliance verification
- IT Auditors: Security posture assessment
- Hobbyists: Learning Linux security
Organizations:
- Enterprises requiring compliance (ISO 27001, SOX, etc.)
- Government agencies (federal, state, local)
- Defense contractors (NIST 800-171, STIG compliance)
- Healthcare organizations (HIPAA security requirements)
- Financial institutions (PCI-DSS, regulatory compliance)
No. This tool is a security assessment aid, not a replacement for professional audits.
What it does:
- Automated technical security checks
- Configuration compliance verification
- Known vulnerability identification
- Best practice validation
What it doesn't do:
- Manual security testing (penetration testing)
- Risk assessment and analysis
- Policy and procedure review
- Business context evaluation
- Legal compliance interpretation
Best Practice: Use this tool as part of a comprehensive security program that includes professional audits, penetration testing, and security expertise.
Yes, for auditing. The audit functionality is read-only and safe.
Audit Mode (Default):
- ✅ Safe - Only reads system information
- ✅ No modifications made
- ✅ No service interruptions
- ✅ Can run during business hours
Remediation Mode (Optional):
⚠️ Use caution - Makes system changes⚠️ Test in non-production first⚠️ Review commands before executing⚠️ Have backups and rollback plan
Recommendation:
- Run audit first in production (safe)
- Review results carefully
- Test remediation in development/staging
- Apply selected fixes during maintenance window
Minimum Requirements:
- OS: Linux (any modern distribution)
- Python: Version 3.7 or higher
- Disk: 100 MB free space
- Memory: 512 MB RAM (1 GB recommended)
- Privileges: Root/sudo recommended (not required)
Supported Distributions:
- Ubuntu 18.04+, Debian 9+, Linux Mint 19+
- RHEL 7+, CentOS 7+, Fedora 28+
- Rocky Linux 8+, AlmaLinux 8+
- SUSE/openSUSE, Arch Linux
No. All required Python modules are part of the standard library.
No external dependencies:
- No pip install needed
- No third-party packages required
- Works out-of-the-box with Python 3.7+
Optional packages (only if you want to check for their presence):
- Security tools:
auditd,aide,fail2ban,rkhunter - These are checked but not required to run the audit
Using Git:
cd Linux-Security-Audit-Project
git pull origin mainManual Download:
# Download latest release
wget https://github.com/Sandler73/Linux-Security-Audit-Project/archive/refs/heads/main.zip
unzip main.zip
cd Linux-Security-Audit-Project-mainVersion Check:
grep "SCRIPT_VERSION = " linux_security_audit.pyWindows: Not directly supported
- Linux security checks are not applicable to Windows
- Use WSL (Windows Subsystem for Linux) if you want to audit WSL instances
- For Windows auditing, see equivalent Windows security audit tools
Mac: Not directly supported
- Some checks may work on macOS (Unix-based)
- Many Linux-specific checks won't apply
- Not officially tested or supported on macOS
Best Use: Run on Linux systems or Linux VMs/containers
Short answer: Recommended but not required.
With Root/Sudo (Recommended):
- ✅ Complete security assessment
- ✅ Access to all system files
- ✅ Full check coverage
- ✅ Remediation capabilities
- Results: ~1000+ checks
Without Root/Sudo (Limited):
⚠️ Limited security assessment⚠️ Some checks will fail with "Error" status⚠️ Cannot read privileged files (/etc/shadow, etc.)⚠️ No remediation available- Results: ~60-70% of checks complete
Command Examples:
# With root (recommended)
sudo python3 linux_security_audit.py
# Without root (limited)
python3 linux_security_audit.pyTypical Execution Times:
| Configuration | Time | Checks |
|---|---|---|
| Single module (Core) | 20-30 seconds | 150 |
| Three modules (Core,CIS,NIST) | 1-2 minutes | 500+ |
| All modules | 3-5 minutes | 1000+ |
| Large system (1000+ users) | 5-10 minutes | 1000+ |
Factors Affecting Speed:
- Number of modules selected
- System size (users, files, services)
- Network filesystem mounts
- System load
- Disk I/O speed
Fastest Test:
python3 linux_security_audit.py -m Core -f Console
# ~20-30 secondsYes, using cron or systemd timers.
Cron Example (Daily at 2 AM):
# Edit crontab
sudo crontab -e
# Add line:
0 2 * * * /usr/bin/python3 /opt/security-audit/linux_security_audit.py -f JSON -o /var/log/audit-$(date +\%Y\%m\%d).json
# For email notifications
0 2 * * * /usr/bin/python3 /opt/security-audit/linux_security_audit.py -f Console | mail -s "Security Audit" admin@example.comSystemd Timer Example:
# Create service
sudo nano /etc/systemd/system/security-audit.service
# Create timer
sudo nano /etc/systemd/system/security-audit.timer
# Enable and start
sudo systemctl enable security-audit.timer
sudo systemctl start security-audit.timerBest Practices:
- Use JSON format for automated runs
- Store reports with date in filename
- Set up log rotation
- Monitor for significant changes
- Alert on increased failure counts
Yes, several approaches:
1. Manual Execution via SSH:
for server in server1 server2 server3; do
ssh $server "sudo python3 /opt/audit/linux_security_audit.py -f JSON -o /tmp/audit.json"
scp $server:/tmp/audit.json ./reports/$server-audit.json
done2. Ansible Playbook:
- name: Run security audit
hosts: all
tasks:
- name: Execute audit
command: python3 /opt/audit/linux_security_audit.py -f JSON
become: yes3. Parallel Execution:
# Use GNU parallel
parallel -j 10 ssh {} "sudo python3 /opt/audit/linux_security_audit.py" ::: server1 server2 server34. Configuration Management:
- Puppet, Chef, Salt, Ansible
- Deploy script to all systems
- Schedule via cron
- Collect results centrally
Choose based on your use case:
HTML - For manual review:
- ✅ Interactive filtering and search
- ✅ Visual presentation
- ✅ Best for human consumption
- ✅ Management reporting
CSV - For spreadsheet analysis:
- ✅ Excel/Google Sheets import
- ✅ Trending and graphing
- ✅ Custom reporting
- ✅ Historical comparison
JSON - For automation:
- ✅ API integration
- ✅ SIEM ingestion
- ✅ Custom scripting
- ✅ Selective remediation
- ✅ Programmatic processing
XML - For enterprise tools:
- ✅ SIEM ingestion (Splunk, QRadar)
- ✅ GRC platforms
- ✅ Legacy system integration
Console - For quick checks:
- ✅ Real-time viewing
- ✅ SSH sessions
- ✅ Quick validation
- ✅ Terminal-only environments
Multiple Formats:
# Generate multiple formats
sudo python3 linux_security_audit.py -f HTML -o report.html
sudo python3 linux_security_audit.py -f JSON -o report.json
sudo python3 linux_security_audit.py -f CSV -o report.csvDepends on your requirements:
For Everyone:
- Start with: Core + CIS
- Provides: Baseline security + industry best practices
- Time: ~1-2 minutes
For Compliance:
- Financial/Healthcare: ISO27001 + NIST + CIS
- Government/Federal: NIST + STIG + CISA
- EU Organizations: ISO27001 + ENISA + CIS
- Defense Contractors: STIG + NIST 800-171 + NSA
For Security Hardening:
- Standard: Core + CIS + NSA
- Maximum: All modules
Recommendation: Run all modules once to establish baseline, then focus on relevant frameworks.
Quick Comparison:
| Framework | Focus | Prescriptive | Certification | Best For |
|---|---|---|---|---|
| Core | Baseline security | Low | No | Everyone |
| CIS | Best practices | Medium | No | General hardening |
| CISA | Critical infrastructure | Medium | No | Government, critical sectors |
| ENISA | EU standards | Low | No | EU organizations |
| ISO27001 | ISMS | Medium | Yes | Compliance certification |
| NIST | Federal standards | High | No | Government, contractors |
| NSA | Advanced hardening | High | No | High-security environments |
| STIG | DoD requirements | Very High | No | Defense, contractors |
Detailed comparison: See Framework Reference
No. Choose frameworks based on your requirements:
Legal Requirements:
- Some frameworks are legally required (NIST 800-171 for CUI)
- Some are contractually required (STIG for DoD contracts)
- Some are industry requirements (PCI-DSS for payment cards)
Voluntary Standards:
- CIS Benchmarks: Recommended best practices
- ISO 27001: Optional certification
- NIST CSF: Voluntary framework
Best Practice: Implement what's required, consider what's recommended.
Yes. The tool is designed for extensibility.
Process:
- Create new module file:
modules/module_custom.py - Implement required interface:
run_module(shared_data) - Add your security checks
- Place in project directory
- Run:
python3 linux_security_audit.py -m CUSTOM
Documentation: See Development Guide for complete instructions.
Example Template: Included in Development Guide with detailed comments.
| Status | Meaning | Action Required | Priority |
|---|---|---|---|
| Pass | Check passed | None | ✅ Good |
| Fail | Security issue detected | Yes - Fix | 🔴 High |
| Warning | Potential concern | Review and consider | 🟡 Medium |
| Info | Informational | Awareness only | 🔵 Low |
| Error | Check couldn't run | Investigate | ⚪ Variable |
Detailed Explanation: See Output Reference
General Guidelines:
Excellent (80%+ pass):
- Strong security posture
- Well-maintained system
- Regular updates applied
Good (60-79% pass):
- Acceptable security
- Some improvements needed
- Address failures first
Needs Attention (<60% pass):
- Significant security gaps
- Immediate action required
- Prioritize critical failures
Important Notes:
- Pass rate varies by framework
- Newly installed systems typically have lower rates
- Focus on fixing failures, not just improving numbers
- Some failures may be acceptable for your environment
Step-by-Step Process:
-
Review Summary Statistics:
- Total checks performed
- Pass/Fail/Warning/Info/Error counts
- Identify which modules had most failures
-
Prioritize Failures:
- Start with "Fail" status items
- Focus on security-critical issues
- Consider business impact
-
Understand Context:
- Read the "Details" field
- Understand why it's a security concern
- Determine if it applies to your environment
-
Review Remediation:
- Check the remediation command
- Understand what it changes
- Assess potential impact
-
Plan Action:
- Group related findings
- Create remediation plan
- Schedule fixes appropriately
Example Workflow: See Usage Guide
Yes, multiple methods:
Method 1: Filter in HTML Report:
- Open HTML report
- Filter by status (show only "Fail")
- Select specific issues (checkboxes)
- Click "Export Selected"
- Save JSON file
Method 2: Command-line filtering (using jq):
# Export only failures
jq '.results[] | select(.status=="Fail")' audit.json > failures-only.json
# Export specific module
jq '.results[] | select(.module=="CIS")' audit.json > cis-only.jsonMethod 3: Spreadsheet filtering:
- Export to CSV
- Open in Excel/Sheets
- Use filter function
- Copy/export filtered results
Approaches:
1. Regular Audits with Date Stamps:
# Weekly audits
sudo python3 linux_security_audit.py -f JSON -o audit-$(date +%Y%m%d).json2. Compare JSON Files:
# Compare two audit results
python3 -c "
import json
with open('audit-20250101.json') as f1, open('audit-20250107.json') as f2:
old = json.load(f1)
new = json.load(f2)
print(f'Before: {old[\"execution_info\"][\"fail_count\"]} failures')
print(f'After: {new[\"execution_info\"][\"fail_count\"]} failures')
"3. Track Key Metrics:
- Total checks
- Fail count
- Pass rate percentage
- Specific high-priority findings
4. Visualization:
- Import CSV into graphing tool
- Plot pass rate over time
- Track failure trends by module
It depends on your approach:
Safest Approach (Recommended):
- Run audit without remediation
- Review HTML report carefully
- Select specific issues to fix
- Export selected to JSON
- Review exported JSON
- Test in non-production
- Run selective auto-remediation
# Selective remediation
sudo python3 linux_security_audit.py --auto-remediate --remediation-file selected.jsonRisky Approach (Not Recommended):
# Auto-remediate everything - DON'T DO THIS in production
sudo python3 linux_security_audit.py --auto-remediateSafety Measures:
- ✅ Test in development/staging first
- ✅ Backup configurations
- ✅ Have rollback plan
- ✅ Schedule during maintenance window
- ✅ Have console access (in case SSH breaks)
Prevention:
Before Remediation:
# Backup critical configs
sudo cp -r /etc/ssh /etc/ssh.backup.$(date +%Y%m%d)
sudo cp -r /etc/pam.d /etc/pam.d.backup.$(date +%Y%m%d)
sudo cp /etc/sysctl.conf /etc/sysctl.conf.backup
# Document current state
sudo systemctl list-units --state=active > services-before.txtRecovery:
If you still have access:
# Restore backup
sudo cp -r /etc/ssh.backup.20250107 /etc/ssh
sudo systemctl restart sshdIf SSH is broken:
- Connect via console (physical or virtual)
- Restore configurations from backups
- Restart affected services
- Verify functionality
If system won't boot:
- Boot from rescue media
- Mount root filesystem
- Restore backed-up files
- Reboot
Best Practice: Always have out-of-band access (console, IPMI, remote KVM).
Partial. Some remediations are reversible, others are not.
Easily Reversible:
- File permission changes:
chmod,chown - Configuration changes: Restore from backup
- Service enable/disable:
systemctl disable/enable - Sysctl parameters: Edit
/etc/sysctl.confand reload
Difficult to Reverse:
- Installed packages: Can uninstall but may affect dependencies
- Password changes: Can't recover old passwords
- Deleted data: May be unrecoverable
Not Reversible:
- Security updates: Generally shouldn't reverse
- Kernel patches: Require downgrade (not recommended)
Recommendation:
- Keep detailed logs of changes
- Maintain configuration backups
- Document remediation actions
- Test rollback procedures
Method 1: Use Status Filters:
# Remediate only FAIL status
sudo python3 linux_security_audit.py --remediate-fail --auto-remediateMethod 2: Selective Export:
- Open HTML report
- Filter by status: "Fail"
- Review each failure
- Select only critical issues (checkboxes)
- Export to JSON
- Run selective remediation
Method 3: Manual Review and Apply:
# Generate report
sudo python3 linux_security_audit.py -o report.html
# Review report
# Manually copy and run critical remediation commandsPrioritization:
- Critical: Remote access (SSH), authentication, authorization
- High: Unpatched vulnerabilities, weak cryptography
- Medium: Logging, monitoring, file permissions
- Low: Documentation, informational settings
No. The tool is completely offline.
Network Activity: None
- No external connections
- No data transmission
- No "phone home" functionality
- No update checks
Dependencies: All local
- Python standard library only
- No pip packages
- No internet required
Note: The tool itself doesn't use internet, but some checks verify internet-dependent configurations (like checking if updates are available via the configured package manager).
No. Zero data collection or transmission.
Privacy:
- No telemetry
- No analytics
- No usage tracking
- No data sent anywhere
Data Stays Local:
- All results saved locally
- You control all output files
- No cloud services
- No external APIs
Audit Mode: No
- Read-only operations
- No system changes
- Cannot harm system
Remediation Mode: Potentially
- Makes system changes
- Could misconfigure services
- Could break functionality if misused
Best Practices:
- Test in non-production first
- Review remediation commands
- Have backups
- Have rollback plan
- Use selective remediation
Minimum: Python 3.7
Recommended: Python 3.8+
Check Your Version:
python3 --versionWhy Python 3.7+:
- Uses f-strings (3.6+)
- Uses dataclasses (3.7+ or backport)
- Type hints
- Modern standard library features
Compatibility:
- ✅ Python 3.7 (minimum)
- ✅ Python 3.7
- ✅ Python 3.8
- ✅ Python 3.9
- ✅ Python 3.10
- ✅ Python 3.11
- ✅ Python 3.12+
No. Python 2 is not supported.
Reasons:
- Python 2 reached end-of-life January 1, 2020
- No security updates
- Missing modern features
- Industry has moved to Python 3
Migration: If you only have Python 2, install Python 3:
# Ubuntu/Debian
sudo apt install python3
# RHEL/CentOS
sudo yum install python3Advantages of This Tool:
- ✅ Free and open source
- ✅ No licensing costs
- ✅ Fully transparent (review source code)
- ✅ Customizable and extendable
- ✅ No vendor lock-in
- ✅ Community-driven development
Advantages of Commercial Tools:
- ✅ Professional support
- ✅ Regular updates by dedicated team
- ✅ Advanced features (dashboards, alerting, etc.)
- ✅ Compliance reporting
- ✅ Integration with other enterprise tools
Best Use:
- Small/Medium organizations: This tool is excellent
- Large enterprises: Consider this + commercial tools
- Budget-conscious: This tool provides significant value at zero cost
Linux Security Audit Project:
- Broader framework coverage (8 frameworks)
- Easier to use (Python scripts, no SCAP content)
- Better reporting (interactive HTML)
- Simpler remediation
- More accessible to non-experts
OpenSCAP:
- Official SCAP compliance
- NIST certified
- Better for strict compliance requirements
- More established (longer history)
- Used by government/defense
Recommendation:
- Use this tool for broader security assessment
- Use OpenSCAP if SCAP compliance is required
- Consider using both for comprehensive coverage
Linux Security Audit Project:
- Multiple framework modules
- Interactive HTML reports
- Multiple output formats
- Automated remediation
- Framework-focused
Lynis:
- System hardening focus
- Detailed system analysis
- Malware detection
- Kernel parameter audit
- More granular checks
Recommendation:
- This tool: Framework compliance and remediation
- Lynis: Deep system analysis and hardening
- Use both for comprehensive security
Yes. Several integration methods:
1. As a Task:
# Ansible example
- name: Run security audit
command: python3 /opt/audit/linux_security_audit.py -f JSON -o /tmp/audit.json
become: yes2. As a Custom Fact/Module:
- Parse results into Ansible facts
- Use in conditional tasks
3. As a Reporting Tool:
- Run after configuration management
- Verify desired state
- Alert on drift
4. As a Compliance Check:
- Pre-deployment validation
- Post-configuration verification
Best Practice: Use configuration management for remediation, this tool for verification.
Wiki Pages:
- Home: Project overview
- Quick Start Guide: Get started quickly
- Usage Guide: Comprehensive usage
- Module Documentation: Module details
- Framework Reference: Framework standards
- Development Guide: Extending the tool
- Troubleshooting Guide: Problem solving
- Output Reference: Understanding output
External Resources:
- GitHub Repository: https://github.com/Sandler73/Linux-Security-Audit-Project
- Security Standards: See Framework Reference
GitHub Issues: https://github.com/Sandler73/Linux-Security-Audit-Project/issues
Before Submitting:
- Search existing issues
- Try troubleshooting steps
- Collect diagnostic information
- Prepare clear description
Bug Report Should Include:
- Clear description
- Steps to reproduce
- Expected vs actual behavior
- Environment (OS, Python version, etc.)
- Error output
- Relevant configuration
Feature Request Should Include:
- Use case description
- Why it's needed
- Proposed implementation (if applicable)
- Benefit to other users
Ways to Contribute:
- Report Issues: Bug reports help improve the tool
- Suggest Features: Share ideas for improvements
- Improve Documentation: Fix errors, add examples
- Write Code: Implement features, fix bugs
- Create Modules: Add new security framework checks
- Share Experience: Write blog posts, tutorials
- Spread the Word: Tell others about the project
Getting Started:
- Read Development Guide
- Check open issues for "good first issue" label
- Fork repository
- Make improvements
- Submit pull request
Primary Support:
- Documentation: Start with wiki pages
- Troubleshooting: See Troubleshooting Guide
- FAQ: This page!
- GitHub Issues: For bugs and feature requests
Community:
- GitHub Discussions (if enabled)
- Issue comments
- Pull request discussions
Professional Support:
- This is a community project
- No official commercial support
- Consider hiring Linux security consultants for complex issues
Self-Guided Learning:
- Complete documentation in wiki
- Security framework references
- Example workflows and use cases
External Resources:
- CIS Benchmarks documentation
- NIST publications
- Linux security guides
- System administration courses
Recommended Learning Path:
- Read Quick Start Guide
- Run basic audit
- Review Output Reference
- Learn about specific frameworks in Framework Reference
- Practice remediation in test environment
- Review Development Guide for customization
Have a question not answered here?
Open an issue on GitHub with the "question" label, and we'll add it to this FAQ!