-
Notifications
You must be signed in to change notification settings - Fork 2
Module Documentation
Ryan edited this page Jan 8, 2026
·
1 revision
This guide provides detailed documentation for all security modules included in the Linux Security Audit Project, including their capabilities, check categories, standards coverage, and implementation details.
- Module Overview
- Core Module
- CIS Module
- CISA Module
- ENISA Module
- ISO27001 Module
- NIST Module
- NSA Module
- STIG Module
- Module Architecture
- Creating Custom Modules
The Linux Security Audit Project includes eight specialized security modules, each focusing on different security frameworks, standards, and compliance requirements.
| Module | Version | Checks | Focus Area | Target Audience |
|---|---|---|---|---|
| Core | 1.1 | 150+ | Baseline security, OS-specific best practices | All environments |
| CIS | 2.1 | 200+ | CIS Benchmarks compliance | All environments, compliance |
| CISA | 2.1 | 140+ | Critical infrastructure protection | Government, critical infrastructure |
| ENISA | 1.1 | 135+ | EU cybersecurity guidelines | European organizations |
| ISO27001 | 1.1 | 145+ | Information security management | Compliance, enterprise |
| NIST | 2.1 | 160+ | NIST frameworks and controls | Government, compliance, enterprise |
| NSA | 2.1 | 155+ | Advanced security hardening | Defense, high-security environments |
| STIG | 2.1 | 180+ | DoD security requirements | Government, defense, contractors |
For General Security Assessment:
- Start with: Core + CIS
- Provides fundamental security baseline and industry best practices
For Compliance Requirements:
- Financial/Healthcare: ISO27001 + NIST + CIS
- Government/Federal: STIG + NIST + NSA
- EU Organizations: ISO27001 + ENISA + CIS
- Critical Infrastructure: CISA + NIST + NSA
For Security Hardening:
- General Hardening: Core + CIS + NSA
- Maximum Security: NSA + STIG + NIST
Module Name: Core
Version: 1.1
File: module_core.py
Check Count: 150+
Standards: Industry best practices, vendor security guides
The Core module provides fundamental baseline security assessment for Linux systems with intelligent OS detection and distribution-specific optimizations. It forms the foundation for all other security assessments.
- Dynamic OS Detection: Automatically identifies distribution family (Debian, RedHat, SUSE, Arch)
- Distribution-Specific Checks: Tailored security assessments for Ubuntu, Debian, RHEL, CentOS, Fedora, etc.
- Package Manager Integration: Native support for APT, YUM, DNF, Zypper, Pacman
- Baseline Security Focus: Essential security controls applicable to all Linux systems
- Operating system identification and classification
- Distribution version verification
- Kernel version assessment
- Architecture detection
- Package manager identification
- Init system detection (systemd, sysvinit, upstart)
Example Checks:
- Detect OS family and distribution
- Verify supported OS version
- Check kernel version currency
- Identify package management system
- Security update availability
- Package manager configuration
- Automatic update configuration
- Repository integrity verification
- GPG key validation
Distribution-Specific:
- Debian/Ubuntu: APT security configuration, unattended-upgrades
- RHEL/CentOS/Fedora: YUM/DNF security settings, automatic updates
- SUSE: Zypper configuration, update mechanisms
- Arch: Pacman security settings
Example Checks:
- Security updates available (count and packages)
- Automatic updates enabled
- Package manager GPG verification enabled
- Repository signatures validated
- Running service inventory
- Unnecessary service detection
- Service security configuration
- Systemd hardening options
- Legacy service detection
Example Checks:
- List all running services
- Detect unnecessary services (telnet, rsh, etc.)
- Verify service isolation (PrivateTmp, ProtectHome, etc.)
- Check for insecure protocols
- User account auditing
- Password policy enforcement
- Privileged user detection
- Group membership validation
- Home directory security
- Shell restrictions
Example Checks:
- Verify password aging configuration
- Check for users with UID 0 (besides root)
- Audit sudo/wheel group membership
- Verify password complexity requirements
- Check for users without passwords
- Validate home directory permissions (700)
- Critical file permissions
- Mount point security options
- File system integrity
- SUID/SGID binary audit
- World-writable file detection
Example Checks:
- Verify /etc/passwd permissions (644)
- Verify /etc/shadow permissions (000 or 400)
- Check /etc/ssh/sshd_config permissions (600)
- Audit SUID/SGID binaries
- Detect world-writable files
- Verify separate partitions (/tmp, /var, /home)
- Firewall status and configuration
- Network parameter hardening
- Open port detection
- Network service security
- IPv4/IPv6 configuration
Example Checks:
- UFW/firewalld status and configuration
- IP forwarding disabled (unless router)
- ICMP redirects disabled
- Source routing disabled
- SYN cookies enabled
- Open listening ports audit
- Running process audit
- Memory protection mechanisms
- Core dump configuration
- Process restrictions
- Resource limits
Example Checks:
- ASLR (Address Space Layout Randomization) enabled
- Core dumps restricted
- ptrace protection enabled
- Process accounting configured
- System update status
- Reboot required detection
- Update sources validation
- Security advisory tracking
Example Checks:
- Count of available security updates
- System reboot required check
- Last update timestamp
- Update notification configuration
- Security software detection
- Antivirus/anti-malware status
- Intrusion detection systems
- File integrity monitoring
- Log monitoring tools
Example Checks:
- ClamAV or other antivirus installed
- AIDE/Tripwire file integrity monitoring
- Fail2ban intrusion prevention
- rkhunter/chkrootkit rootkit detection
- Auditd system auditing enabled
- Ubuntu: 18.04 LTS (Bionic), 20.04 LTS (Focal), 22.04 LTS (Jammy), 24.04 LTS (Noble)
- Debian: 9 (Stretch), 10 (Buster), 11 (Bullseye), 12 (Bookworm)
- Linux Mint: 19+, 20+, 21+
- Kali Linux: 2020+
- RHEL: 7, 8, 9
- CentOS: 7, 8 (Stream 8, Stream 9)
- Fedora: 28+, 35+, 38+
- Rocky Linux: 8, 9
- AlmaLinux: 8, 9
- SUSE/openSUSE: Leap 15+, Tumbleweed
- Arch Linux: Rolling release
# Run Core module only
sudo python3 linux_security_audit.py -m Core
# Core + CIS for baseline assessment
sudo python3 linux_security_audit.py -m Core,CISThe Core module provides remediation commands for:
- Enabling firewall (UFW/firewalld)
- Configuring password policies
- Setting file permissions
- Disabling unnecessary services
- Enabling security updates
- Configuring network parameters
Module Name: CIS
Version: 2.1
File: module_cis.py
Check Count: 200+
Standards: CIS Benchmarks for Linux
Comprehensive implementation of Center for Internet Security (CIS) Benchmarks for Linux systems. Provides detailed compliance checks across all CIS Benchmark sections with OS-aware optimizations.
The module implements CIS Benchmarks organized into six major sections:
- 1.1 Filesystem Configuration: Partition schemes, mount options, filesystem types
- 1.2 Configure Software Updates: Package management and update configuration
- 1.3 Filesystem Integrity Checking: AIDE configuration and scheduling
- 1.4 Secure Boot Settings: Boot loader password, permissions
- 1.5 Additional Process Hardening: Address space randomization, core dumps
- 1.6 Mandatory Access Control: SELinux/AppArmor configuration
Example Checks:
- Ensure separate partition for /tmp
- Ensure nodev option set on /tmp partition
- Ensure nosuid option set on /tmp partition
- Ensure noexec option set on /tmp partition
- Ensure separate partition for /var
- Ensure separate partition for /var/tmp
- Ensure separate partition for /var/log
- Ensure separate partition for /var/log/audit
- Ensure separate partition for /home
- Ensure AIDE is installed
- Ensure filesystem integrity checked periodically
- Ensure bootloader password is set
- Ensure permissions on bootloader config are configured (400)
- Ensure core dumps are restricted
- Ensure address space layout randomization is enabled
- 2.1 Time Synchronization: NTP/chrony configuration
- 2.2 Special Purpose Services: X11, Avahi, CUPS, DHCP, LDAP, NFS, RPC, DNS, FTP, HTTP, IMAP/POP3, Samba, SNMP, rsync
- 2.3 Service Clients: NIS, rsh, talk, telnet, LDAP clients
Example Checks:
- Ensure time synchronization is in use (systemd-timesyncd/chronyd/ntpd)
- Ensure chrony is configured
- Ensure X Window System is not installed
- Ensure Avahi Server is not installed
- Ensure CUPS is not installed
- Ensure DHCP Server is not installed
- Ensure LDAP server is not installed
- Ensure NFS is not installed
- Ensure DNS Server is not installed
- Ensure FTP Server is not installed
- Ensure HTTP server is not installed
- Ensure IMAP and POP3 server is not installed
- Ensure Samba is not installed
- Ensure HTTP Proxy Server is not installed
- Ensure SNMP Server is not installed
- Ensure rsync service is not installed
- Ensure NIS Client is not installed
- Ensure rsh client is not installed
- Ensure talk client is not installed
- Ensure telnet client is not installed
- 3.1 Network Parameters (Host Only): IP forwarding, packet redirects, source routing, ICMP
- 3.2 Network Parameters (Host and Router): Suspicious packets, TCP SYN cookies
- 3.3 IPv6 Configuration: IPv6 parameters (if applicable)
- 3.4 TCP Wrappers: Host allow/deny configuration
- 3.5 Uncommon Network Protocols: DCCP, SCTP, RDS, TIPC
Example Checks:
- Ensure IP forwarding is disabled
- Ensure packet redirect sending is disabled
- Ensure source routed packets are not accepted
- Ensure ICMP redirects are not accepted
- Ensure secure ICMP redirects are not accepted
- Ensure suspicious packets are logged
- Ensure broadcast ICMP requests are ignored
- Ensure bogus ICMP responses are ignored
- Ensure Reverse Path Filtering is enabled
- Ensure TCP SYN Cookies is enabled
- Ensure IPv6 router advertisements are not accepted
- Ensure IPv6 redirects are not accepted
- Ensure TCP Wrappers is installed
- Ensure /etc/hosts.allow is configured
- Ensure /etc/hosts.deny is configured
- Ensure DCCP is disabled
- Ensure SCTP is disabled
- Ensure RDS is disabled
- Ensure TIPC is disabled
- 4.1 Configure System Accounting (auditd): Audit system configuration, rules, log management
- 4.2 Configure Logging: rsyslog/syslog-ng configuration, remote logging, log file permissions
Example Checks:
- Ensure auditd is installed
- Ensure auditd service is enabled
- Ensure auditing for processes that start prior to auditd is enabled
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
- Ensure system is disabled when audit logs are full
- Ensure audit_backlog_limit is sufficient
- Ensure events that modify date and time are collected
- Ensure events that modify user/group information are collected
- Ensure events that modify the system's network environment are collected
- Ensure events that modify the system's MAC are collected
- Ensure login and logout events are collected
- Ensure session initiation information is collected
- Ensure discretionary access control permission changes are collected
- Ensure unsuccessful unauthorized file access attempts are collected
- Ensure successful file system mounts are collected
- Ensure file deletion events are collected
- Ensure kernel module loading/unloading is collected
- Ensure rsyslog is installed
- Ensure rsyslog service is enabled
- Ensure logging is configured
- Ensure rsyslog is configured to send logs to remote host
- Ensure remote rsyslog messages accepted on designated log hosts
- Ensure all logfiles have appropriate permissions and ownership
- 5.1 Configure Cron: Cron daemon, crontab permissions
- 5.2 SSH Server Configuration: SSH hardening settings
- 5.3 Configure PAM: Password quality, lockout policies, password reuse
- 5.4 User Accounts and Environment: Password expiration, default umask, shell timeouts
- 5.5 Ensure root login restricted: Console restrictions
- 5.6 Ensure access to su command restricted: Wheel group restriction
Example Checks:
- Ensure cron daemon is enabled
- Ensure permissions on /etc/crontab are configured (600)
- Ensure permissions on /etc/cron.hourly are configured (700)
- Ensure permissions on /etc/cron.daily are configured (700)
- Ensure permissions on /etc/cron.weekly are configured (700)
- Ensure permissions on /etc/cron.monthly are configured (700)
- Ensure permissions on /etc/cron.d are configured (700)
- Ensure at/cron is restricted to authorized users
- Ensure permissions on /etc/ssh/sshd_config are configured (600)
- Ensure SSH Protocol is set to 2
- Ensure SSH LogLevel is appropriate (INFO or VERBOSE)
- Ensure SSH X11 forwarding is disabled
- Ensure SSH MaxAuthTries is set to 4 or less
- Ensure SSH IgnoreRhosts is enabled
- Ensure SSH HostbasedAuthentication is disabled
- Ensure SSH root login is disabled
- Ensure SSH PermitEmptyPasswords is disabled
- Ensure SSH PermitUserEnvironment is disabled
- Ensure only strong ciphers are used
- Ensure only strong MAC algorithms are used
- Ensure only strong Key Exchange algorithms are used
- Ensure SSH Idle Timeout Interval is configured
- Ensure SSH LoginGraceTime is set to one minute or less
- Ensure SSH warning banner is configured
- Ensure password creation requirements are configured
- Ensure lockout for failed password attempts is configured
- Ensure password reuse is limited
- Ensure password hashing algorithm is SHA-512
- Ensure password expiration is 365 days or less
- Ensure minimum days between password changes is 7 or more
- Ensure password expiration warning days is 7 or more
- Ensure inactive password lock is 30 days or less
- Ensure default group for root account is GID 0
- Ensure default user umask is 027 or more restrictive
- Ensure default user shell timeout is 900 seconds or less
- Ensure root login is restricted to system console
- Ensure access to su command is restricted
- 6.1 System File Permissions: Permissions on critical files
- 6.2 User and Group Settings: Password fields, duplicate UIDs/GIDs, user home directories
Example Checks:
- Ensure permissions on /etc/passwd are configured (644)
- Ensure permissions on /etc/shadow are configured (000 or 400)
- Ensure permissions on /etc/group are configured (644)
- Ensure permissions on /etc/gshadow are configured (000 or 400)
- Ensure permissions on /etc/passwd- are configured (600)
- Ensure permissions on /etc/shadow- are configured (000 or 400)
- Ensure permissions on /etc/group- are configured (600)
- Ensure permissions on /etc/gshadow- are configured (000 or 400)
- Ensure no world writable files exist
- Ensure no unowned files or directories exist
- Ensure no ungrouped files or directories exist
- Audit SUID executables
- Audit SGID executables
- Ensure password fields are not empty
- Ensure no legacy "+" entries exist in /etc/passwd
- Ensure no legacy "+" entries exist in /etc/shadow
- Ensure no legacy "+" entries exist in /etc/group
- Ensure root is the only UID 0 account
- Ensure all users' home directories exist
- Ensure users' home directories permissions are 750 or more restrictive
- Ensure users own their home directories
- Ensure users' dot files are not group or world writable
- Ensure no users have .forward files
- Ensure no users have .netrc files
- Ensure users' .netrc Files are not group or world accessible
- Ensure no users have .rhosts files
- Ensure all groups in /etc/passwd exist in /etc/group
- Ensure no duplicate UIDs exist
- Ensure no duplicate GIDs exist
- Ensure no duplicate user names exist
- Ensure no duplicate group names exist
The CIS module automatically adapts checks based on detected OS:
- Package Managers: APT, YUM, DNF, Zypper-specific commands
- Mandatory Access Control: SELinux (RedHat) vs AppArmor (Debian)
- Init Systems: Systemd vs SysVinit commands
- File Paths: Distribution-specific configuration locations
# Run CIS module only
sudo python3 linux_security_audit.py -m CIS
# CIS compliance report
sudo python3 linux_security_audit.py -m CIS -o cis-compliance-$(date +%Y%m%d).htmlCIS Benchmarks define two compliance profiles:
- Level 1: Basic security requirements with minimal impact
- Level 2: Defense-in-depth security with potential operational impact
This module implements checks from both levels, allowing organizations to assess against their target compliance level.
Module Name: CISA
Version: 2.1
File: module_cisa.py
Check Count: 140+
Standards: CISA BODs, Emergency Directives, Security Advisories
Implements Cybersecurity and Infrastructure Security Agency (CISA) guidance for protecting critical infrastructure systems. Focuses on practical security measures to defend against active threats.
-
BOD 18-01: Enhanced Email and Web Security
- SPF, DMARC, and DKIM implementation
- Web security headers
- TLS configuration
-
BOD 19-02: Vulnerability Remediation Requirements
- Critical vulnerability patching timelines
- Vulnerability scanning requirements
- Patch management processes
-
BOD 20-01: Vulnerability Disclosure Policy
- Security contact availability
- Vulnerability reporting mechanisms
- Responsible disclosure practices
-
BOD 22-01: Known Exploited Vulnerabilities (KEV)
- Remediation of KEV catalog items
- Tracking actively exploited vulnerabilities
- Emergency patching procedures
-
BOD 23-01: Asset Visibility and Vulnerability Detection
- Asset inventory requirements
- Vulnerability detection capabilities
- Network segmentation verification
Example Checks:
- Verify vulnerability scanning is configured
- Check for patches to known exploited vulnerabilities
- Ensure security contact information is available
- Verify vulnerability disclosure policy exists
- Check asset inventory is maintained
- Ensure network segmentation is implemented
- Critical vulnerability identification
- Zero-day threat mitigation
- Immediate action requirements
- Emergency patching verification
Example Checks:
- Check for emergency directive compliance
- Verify critical patches applied
- Ensure emergency response procedures exist
- Check for active exploitation indicators
- Known Exploited Vulnerabilities Catalog
- Patch management and timelines
- Vulnerability scanning
- Configuration management
- Security baseline enforcement
Example Checks:
- Count unpatched vulnerabilities
- Check patch application timeline compliance
- Verify automated vulnerability scanning
- Ensure security baselines are applied
- Check configuration drift detection
- Essential services security
- Network segmentation
- Access control hardening
- Incident response readiness
- Business continuity planning
Example Checks:
- Verify critical services are isolated
- Check network segmentation implementation
- Ensure least privilege access controls
- Verify incident response procedures exist
- Check backup and recovery capabilities
- Multi-factor authentication (MFA)
- Least privilege principles
- Secure configuration baselines
- Logging and monitoring
- Backup and recovery
Example Checks:
- Ensure MFA is enabled for privileged accounts
- Verify sudo/wheel group restrictions
- Check secure configuration standards applied
- Ensure comprehensive logging enabled
- Verify backup procedures are functional
- Check backup encryption and offsite storage
- Cloud security posture
- Container security
- DevSecOps practices
- API security
- Identity and access management
Example Checks:
- Check cloud security configuration
- Verify container runtime security
- Ensure DevSecOps pipeline security
- Check API authentication and authorization
- Verify identity federation is secure
- Detection capabilities
- Response procedures
- Recovery planning
- Communication protocols
- Forensic readiness
Example Checks:
- Ensure incident detection tools are active
- Verify incident response plan exists
- Check disaster recovery procedures
- Ensure communication channels are established
- Verify forensic logging is enabled
CISA guidance categorizes findings by priority:
- Critical: Immediate action required (active exploitation risk)
- High: Urgent remediation (known vulnerability, not yet exploited)
- Medium: Important security improvements
- Low: Best practice recommendations
# Run CISA module only
sudo python3 linux_security_audit.py -m CISA
# Critical infrastructure assessment
sudo python3 linux_security_audit.py -m CISA,NSA,Core
# CISA compliance report
sudo python3 linux_security_audit.py -m CISA -o cisa-compliance-$(date +%Y%m%d).html- Federal agencies and departments
- State, local, tribal, and territorial (SLTT) governments
- Critical infrastructure operators
- Defense Industrial Base (DIB) contractors
- Organizations requiring federal compliance
Module Name: ENISA
Version: 1.1
File: module_enisa.py
Check Count: 135+
Standards: ENISA Cybersecurity Guidelines, EU Regulations
Implements European Union Agency for Cybersecurity (ENISA) guidelines and recommendations. Provides practical cybersecurity measures aligned with EU standards and GDPR requirements.
- Essential security controls
- Risk-based security approach
- Proportionate security measures
- Security by design principles
Example Checks:
- Verify baseline security controls implemented
- Check risk assessment procedures exist
- Ensure security measures are proportionate
- Verify secure-by-default configurations
- Network segmentation
- Firewall configuration
- Intrusion detection/prevention
- Secure communications
- VPN and remote access security
Example Checks:
- Ensure firewall is enabled and configured
- Verify network segmentation exists
- Check IDS/IPS deployment
- Ensure encrypted communications (TLS/SSL)
- Verify VPN security configuration
- Secure OS configuration
- Service minimization
- Patch management
- Security updates
- Hardening guidelines implementation
Example Checks:
- Verify unnecessary services are disabled
- Check security patches are current
- Ensure automatic updates configured
- Verify system hardening applied
- Check configuration management
- Strong authentication
- Privileged access management
- Identity lifecycle management
- Access reviews
- Role-based access control (RBAC)
Example Checks:
- Ensure strong password policies
- Verify MFA for privileged accounts
- Check regular access reviews occur
- Ensure RBAC is implemented
- Verify account lifecycle procedures
- Data encryption
- Data classification
- Personal data protection
- Data retention policies
- Privacy by design
Example Checks:
- Ensure data encryption at rest
- Verify encryption in transit
- Check data classification scheme exists
- Ensure GDPR compliance measures
- Verify data retention policies
- Check personal data handling procedures
- Comprehensive logging
- Security monitoring
- SIEM integration
- Incident detection
- Incident response procedures
Example Checks:
- Ensure comprehensive logging enabled
- Verify log retention meets requirements
- Check security monitoring active
- Ensure incident response plan exists
- Verify incident reporting procedures
- Strong cryptography
- Key management
- Certificate management
- Cryptographic standards compliance
- TLS/SSL configuration
Example Checks:
- Verify strong cryptographic algorithms used
- Check weak ciphers are disabled
- Ensure proper key management
- Verify certificate validation
- Check TLS version and configuration
- Vulnerability scanning
- Patch management process
- Security advisory tracking
- Vulnerability remediation timelines
- Configuration management
Example Checks:
- Ensure vulnerability scanning configured
- Verify patch management process exists
- Check security advisories are tracked
- Ensure timely vulnerability remediation
- Verify configuration baselines
- Secure coding practices
- Security testing
- Change management
- DevSecOps integration
- Security in SDLC
Example Checks:
- Verify secure development practices
- Check security testing in pipeline
- Ensure change management process
- Verify security in development lifecycle
- Check code review procedures
The ENISA module adapts to both major Linux families:
Debian-based (Ubuntu, Debian, Mint, Kali):
- APT package management checks
- AppArmor MAC implementation
- Debian-specific security configurations
- Ubuntu security advisories
RedHat-based (RHEL, CentOS, Fedora, Rocky, AlmaLinux):
- YUM/DNF package management checks
- SELinux MAC implementation
- RedHat security advisories
- Enterprise Linux security configurations
Many ENISA checks align with GDPR requirements:
- Data protection by design and default
- Security of processing (Article 32)
- Personal data breach notification
- Data protection impact assessments
- Privacy controls
# Run ENISA module only
sudo python3 linux_security_audit.py -m ENISA
# EU compliance assessment
sudo python3 linux_security_audit.py -m ENISA,ISO27001
# ENISA + GDPR alignment check
sudo python3 linux_security_audit.py -m ENISA -o enisa-gdpr-$(date +%Y%m%d).html- European Union organizations
- EU member state agencies
- Organizations handling EU citizen data
- Companies subject to GDPR
- European critical infrastructure operators
Module Name: ISO27001
Version: 1.1
File: module_iso27001.py
Check Count: 145+
Standards: ISO/IEC 27001:2022, ISO/IEC 27002:2022
Comprehensive assessment of ISO/IEC 27001:2022 Annex A technical controls that can be audited on Linux systems. Focuses on information security management system (ISMS) technical requirements.
The module implements technical controls from ISO 27001:2022 Annex A:
A.8.1 User Endpoint Devices
- Endpoint security configuration
- Device management
- Mobile device security
- Endpoint protection
Example Checks:
- Ensure endpoint security software installed
- Verify device encryption enabled
- Check endpoint configuration management
- Ensure endpoint monitoring active
A.8.2 Privileged Access Rights
- Privileged account management
- Sudo/wheel group restrictions
- Root access limitations
- Administrative access logging
Example Checks:
- Ensure privileged access is restricted
- Verify sudo usage is logged
- Check root account restrictions
- Ensure privileged session recording
A.8.3 Information Access Restriction
- Access control implementation
- File system permissions
- Directory access controls
- Need-to-know enforcement
Example Checks:
- Verify file permissions are restrictive
- Check directory access controls
- Ensure need-to-know principle applied
- Verify access control lists (ACLs)
A.8.4 Access to Source Code
- Source code repository security
- Version control access
- Code review procedures
- Secure development practices
Example Checks:
- Ensure source code access is controlled
- Verify version control authentication
- Check code repository permissions
- Ensure code review process exists
A.8.5 Secure Authentication
- Strong authentication requirements
- Multi-factor authentication
- Password policies
- Authentication logging
Example Checks:
- Ensure strong password policy enforced
- Verify MFA for remote access
- Check authentication logging enabled
- Ensure password complexity requirements
A.8.6 Capacity Management
- Resource monitoring
- Capacity planning
- Performance monitoring
- Resource utilization tracking
Example Checks:
- Ensure resource monitoring configured
- Verify disk space monitoring
- Check capacity alerting configured
- Ensure performance metrics collected
A.8.7 Protection Against Malware
- Antivirus software
- Malware detection
- Signature updates
- Scanning configuration
Example Checks:
- Ensure antivirus software installed
- Verify malware scanning active
- Check signature update frequency
- Ensure real-time protection enabled
A.8.8 Management of Technical Vulnerabilities
- Vulnerability scanning
- Patch management
- Security advisories
- Vulnerability remediation
Example Checks:
- Ensure vulnerability scanning configured
- Verify patch management process
- Check security advisory tracking
- Ensure timely vulnerability remediation
A.8.9 Configuration Management
- Secure baseline configurations
- Configuration change control
- Configuration documentation
- Configuration auditing
Example Checks:
- Ensure configuration baselines exist
- Verify configuration management process
- Check configuration change tracking
- Ensure configuration auditing enabled
A.8.10-A.8.13 Data Protection and Backup
- Data encryption
- Backup procedures
- Backup encryption
- Backup testing
- Data deletion procedures
Example Checks:
- Ensure data encryption at rest
- Verify regular backups configured
- Check backup encryption enabled
- Ensure backup testing occurs
- Verify secure data deletion procedures
A.8.14-A.8.17 System Reliability and Monitoring
- Redundancy implementation
- System monitoring
- Availability controls
- Clock synchronization
Example Checks:
- Ensure critical services redundant
- Verify system monitoring active
- Check availability controls implemented
- Ensure time synchronization configured
A.8.18-A.8.24 Network and Cryptographic Security
- Network controls
- Network segmentation
- Firewall configuration
- Cryptographic controls
- Key management
Example Checks:
- Ensure network segmentation implemented
- Verify firewall properly configured
- Check strong cryptography used
- Ensure proper key management
- Verify TLS/SSL configuration
A.8.25-A.8.34 Secure Development (where applicable)
- Secure coding practices
- Security in SDLC
- Security testing
- Change management
Example Checks:
- Verify secure development practices
- Check security testing in pipeline
- Ensure proper change management
- Verify code review procedures
The ISO27001 module also references:
- ISO/IEC 27002:2022: Code of practice for information security controls
- NIST SP 800-53: Complementary technical guidance
- CIS Controls: Implementation alignment
# Run ISO27001 module only
sudo python3 linux_security_audit.py -m ISO27001
# ISMS technical assessment
sudo python3 linux_security_audit.py -m ISO27001,NIST
# ISO27001 compliance report
sudo python3 linux_security_audit.py -m ISO27001 -o iso27001-compliance-$(date +%Y%m%d).html- Organizations seeking ISO 27001 certification
- Information security management system (ISMS) implementations
- Compliance and audit requirements
- Enterprise security programs
- Financial services, healthcare, and regulated industries
Module Name: NIST
Version: 2.1
File: module_nist.py
Check Count: 160+
Standards: NIST 800-53 Rev 5, NIST CSF 2.0, NIST 800-171 Rev 2
Comprehensive audit of National Institute of Standards and Technology (NIST) security controls and frameworks. Implements controls from multiple NIST publications with focus on technical implementation.
Access Control (AC)
- Account management
- Access enforcement
- Least privilege
- Remote access controls
- Session management
Example Checks:
- Ensure account management procedures exist
- Verify least privilege implementation
- Check remote access restrictions
- Ensure session timeouts configured
- Verify access control enforcement
Audit and Accountability (AU)
- Audit logging
- Audit review and analysis
- Audit record retention
- Response to audit processing failures
- Time stamps
Example Checks:
- Ensure comprehensive audit logging
- Verify audit log review process
- Check audit retention policy
- Ensure audit failure response configured
- Verify time synchronization for logs
Configuration Management (CM)
- Baseline configurations
- Configuration change control
- Security configuration settings
- Software inventory
- System component inventory
Example Checks:
- Ensure configuration baselines documented
- Verify change control process exists
- Check secure configuration applied
- Ensure software inventory maintained
- Verify system component tracking
Identification and Authentication (IA)
- User identification
- Device identification
- Authenticator management
- Credential management
- Multi-factor authentication
Example Checks:
- Ensure unique user identification
- Verify device authentication
- Check authenticator security
- Ensure MFA for privileged access
- Verify credential lifecycle management
Incident Response (IR)
- Incident handling
- Incident monitoring
- Incident reporting
- Incident response testing
- Information spillage response
Example Checks:
- Ensure incident response plan exists
- Verify incident monitoring capability
- Check incident reporting procedures
- Ensure incident response testing
- Verify information spillage procedures
System and Communications Protection (SC)
- Application partitioning
- Communications protection
- Cryptographic protection
- Network security
- Secure communications
Example Checks:
- Ensure application isolation
- Verify encrypted communications
- Check cryptographic implementation
- Ensure network segmentation
- Verify secure protocol usage
System and Information Integrity (SI)
- Flaw remediation
- Malicious code protection
- Information system monitoring
- Security alerts and advisories
- Software integrity
Example Checks:
- Ensure timely flaw remediation
- Verify malware protection active
- Check system monitoring enabled
- Ensure security alert subscriptions
- Verify software integrity checks
Additional Control Families:
- Contingency Planning (CP)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
Govern (GV) - Organizational cybersecurity governance
- Policies and procedures
- Risk management strategy
- Roles and responsibilities
- Oversight and accountability
Example Checks:
- Ensure security policies documented
- Verify risk management process
- Check defined security roles
- Ensure governance oversight
Identify (ID) - Asset management and risk assessment
- Asset management
- Business environment understanding
- Governance context
- Risk assessment
- Risk management strategy
Example Checks:
- Ensure asset inventory maintained
- Verify asset classification
- Check business impact analysis
- Ensure risk assessment process
- Verify risk treatment plans
Protect (PR) - Access control, data security, platform security
- Identity management and access control
- Awareness and training
- Data security
- Information protection
- Protective technology
Example Checks:
- Ensure access control implementation
- Verify security awareness training
- Check data protection measures
- Ensure information protection
- Verify protective technologies deployed
Detect (DE) - Continuous monitoring and adverse event detection
- Anomalies and events detection
- Security continuous monitoring
- Detection processes
Example Checks:
- Ensure anomaly detection configured
- Verify continuous monitoring active
- Check detection process effectiveness
- Ensure security event correlation
Respond (RS) - Incident response, communications, mitigation
- Response planning
- Communications
- Analysis
- Mitigation
- Improvements
Example Checks:
- Ensure response plan exists
- Verify communication procedures
- Check incident analysis capability
- Ensure mitigation strategies
- Verify lessons learned process
Recover (RC) - Recovery planning and improvements
- Recovery planning
- Improvements
- Communications
Example Checks:
- Ensure recovery plan exists
- Verify recovery testing
- Check recovery improvement process
- Ensure recovery communications
Protection of Controlled Unclassified Information (CUI):
- 14 requirement families
- 110 security requirements
- Focus on protecting federal information
- Mandatory for defense contractors
Example Checks:
- Ensure access control requirements met
- Verify audit and accountability
- Check configuration management
- Ensure identification and authentication
- Verify incident response capability
- Ensure maintenance procedures
- Check media protection
- Verify personnel security
- Ensure physical protection measures
- Check risk assessment process
- Verify security assessment procedures
- Ensure system integrity
- Check communications protection
The NIST module adapts controls based on detected OS, ensuring practical implementation across distributions.
# Run NIST module only
sudo python3 linux_security_audit.py -m NIST
# Federal compliance assessment
sudo python3 linux_security_audit.py -m NIST,STIG
# NIST CSF assessment
sudo python3 linux_security_audit.py -m NIST -o nist-csf-$(date +%Y%m%d).html- Federal agencies and contractors
- Defense Industrial Base (DIB)
- Organizations handling CUI
- FedRAMP compliance requirements
- General enterprise security programs
Module Name: NSA
Version: 2.1
File: module_nsa.py
Check Count: 155+
Standards: NSA Cybersecurity Guidance, SELinux
Implements National Security Agency (NSA) cybersecurity guidance and advanced security hardening measures. Focuses on defense-grade security controls and technologies developed by NSA.
- SELinux status and configuration
- Policy enforcement
- Context management
- Boolean settings
- AVC denial analysis
Example Checks:
- Ensure SELinux is installed
- Verify SELinux is enabled
- Check SELinux mode (enforcing)
- Ensure SELinux policy is targeted or strict
- Verify SELinux booleans configured securely
- Check for SELinux AVC denials
- Ensure SELinux context on critical files
- Network stack hardening
- Protocol security
- Firewall configuration
- Network isolation
- Secure remote access
Example Checks:
- Ensure IP forwarding disabled
- Verify ICMP redirects disabled
- Check SYN cookies enabled
- Ensure source routing disabled
- Verify reverse path filtering enabled
- Check TCP timestamps disabled
- Ensure IPv6 configured securely
- Kernel parameters hardening
- Kernel module controls
- Memory protection
- Process isolation
- Kernel lockdown
Example Checks:
- Ensure kernel address space randomization
- Verify kernel pointer restrictions
- Check core dump restrictions
- Ensure kernel module loading restricted
- Verify kernel lockdown mode
- Check kptr_restrict configured
- Ensure dmesg restriction
- Secure boot configuration
- System service hardening
- File system security
- Mount point hardening
- Bootloader security
Example Checks:
- Ensure secure boot enabled
- Verify bootloader password set
- Check unnecessary services disabled
- Ensure mount options secure (nodev, nosuid, noexec)
- Verify /tmp mounted securely
- Check /var/log partition exists
- FIPS 140-2/140-3 compliance
- Strong cryptographic algorithms
- TLS/SSL configuration
- SSH cryptographic settings
- Certificate validation
Example Checks:
- Ensure FIPS mode enabled (if applicable)
- Verify strong crypto algorithms used
- Check weak ciphers disabled
- Ensure TLS 1.2+ required
- Verify SSH strong key exchange
- Check certificate validation enabled
- Service isolation
- Application sandboxing
- Container security
- Service hardening
- Application whitelisting
Example Checks:
- Ensure services run with minimal privileges
- Verify service isolation (systemd sandboxing)
- Check application sandboxing (AppArmor/SELinux)
- Ensure container runtime secured
- Verify application firewall active
- Security-Enhanced Linux (SELinux): NSA's mandatory access control system
- Linux Hardening Guidance: System hardening recommendations
- Cybersecurity Technical Reports: Threat-specific guidance
- System and Communications Protection Profile (SCPP): Defense-grade security
- Commercial Solutions for Classified (CSfC): Classified information protection
The NSA module implements layered security controls:
- Perimeter Security: Firewall, network hardening
- Host Security: System hardening, MAC enforcement
- Application Security: Service isolation, sandboxing
- Data Security: Encryption, access controls
- Monitoring: Logging, auditing, intrusion detection
# Run NSA module only
sudo python3 linux_security_audit.py -m NSA
# Maximum security assessment
sudo python3 linux_security_audit.py -m NSA,STIG
# Defense-grade hardening check
sudo python3 linux_security_audit.py -m NSA -o nsa-hardening-$(date +%Y%m%d).html- Defense and intelligence agencies
- National security systems
- Classified information systems
- High-security environments
- Critical infrastructure (defense sector)
- Defense contractors requiring NSA compliance
Module Name: STIG
Version: 2.1
File: module_stig.py
Check Count: 180+
Standards: DISA STIGs, DoD 8500 series
Comprehensive implementation of Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). Provides detailed compliance checks for Department of Defense (DoD) security requirements.
- Account management
- Access enforcement
- Separation of duties
- Least privilege
- Session controls
Example Checks:
- Ensure account management documented
- Verify access control implementation
- Check separation of duties enforced
- Ensure least privilege applied
- Verify session timeout configured
- Check concurrent session limits
- Audit generation
- Audit record content
- Audit storage capacity
- Response to audit failures
- Audit reduction and reporting
Example Checks:
- Ensure audit system enabled (auditd)
- Verify audit records contain required content
- Check audit storage capacity configured
- Ensure response to audit failures
- Verify audit log protection
- Check audit review process exists
- User identification
- Device identification
- Authenticator management
- Multi-factor authentication
- Password requirements
Example Checks:
- Ensure unique user identification
- Verify password complexity requirements
- Check password reuse restrictions
- Ensure MFA for privileged access
- Verify account lockout policy
- Check credential lifetime limits
- Flaw remediation
- Malicious code protection
- System monitoring
- Security alerts
- Software integrity verification
Example Checks:
- Ensure timely flaw remediation
- Verify antivirus software installed and active
- Check system monitoring enabled
- Ensure security alert subscriptions
- Verify file integrity monitoring (AIDE)
- Check software signature verification
- Baseline configuration
- Configuration change control
- Security configuration settings
- Least functionality
- User-installed software
Example Checks:
- Ensure baseline configuration documented
- Verify configuration change control
- Check security settings enforced
- Ensure unnecessary services disabled
- Verify user software installation restricted
- Application partitioning
- Information flow enforcement
- Network security
- Cryptographic protection
- Session termination
Example Checks:
- Ensure application isolation
- Verify network segmentation
- Check firewall configuration
- Ensure encrypted communications
- Verify automatic session termination
CAT I (High/Critical):
- Vulnerabilities that allow attacker to compromise confidentiality, integrity, or availability
- Immediate remediation required
- Highest priority
Example CAT I Findings:
- Root login via SSH enabled
- No account lockout policy
- Passwords stored in clear text
- Critical patches missing
- Default passwords in use
CAT II (Medium):
- Vulnerabilities that could result in compromise of confidentiality, integrity, or availability
- Remediation required within 30 days
Example CAT II Findings:
- Weak password policy
- Insufficient audit logging
- Unnecessary services running
- Missing security updates
- Weak encryption algorithms
CAT III (Low):
- Vulnerabilities that degrade security measures
- Remediation required within 90 days
Example CAT III Findings:
- Security banner not configured
- Incomplete documentation
- Informational system messages
- Minor configuration deviations
- Red Hat Enterprise Linux (RHEL) STIG: RHEL-specific requirements
- Ubuntu Linux STIG: Ubuntu-specific requirements
- General Purpose Operating System STIG: Common Linux requirements
- Application Security and Development STIG: Application-level security
- DISA Security Requirements Guide (SRG): Overarching security requirements
Open: Non-compliant with STIG requirement (requires remediation)
Not a Finding: Compliant with STIG requirement
Not Applicable: STIG requirement does not apply to this system
Not Reviewed: STIG requirement not yet checked
# Run STIG module only
sudo python3 linux_security_audit.py -m STIG
# DoD compliance assessment
sudo python3 linux_security_audit.py -m STIG,NSA
# STIG compliance report
sudo python3 linux_security_audit.py -m STIG -o stig-compliance-$(date +%Y%m%d).html- Department of Defense (DoD) systems
- Defense contractors
- Federal agencies requiring STIG compliance
- Systems processing classified information
- National security systems
- Defense Industrial Base (DIB)
All security modules follow a consistent architecture:
#!/usr/bin/env python3
"""
module_name.py
Module Description
Version: X.X
SYNOPSIS:
Brief description
DESCRIPTION:
Detailed description of module capabilities
USAGE:
Usage examples
NOTES:
Version, standards, references
"""
import os
import sys
from pathlib import Path
from typing import List, Dict, Any
from linux_security_audit import AuditResult
MODULE_NAME = "MODULE"
MODULE_VERSION = "X.X"
# OS Detection (if needed)
class OSInfo:
# OS detection logic
# Utility Functions
def run_command(cmd: str) -> tuple:
# Command execution wrapper
def check_file_exists(path: str) -> bool:
# File existence check
# Check Functions
def check_category_name(shared_data: Dict[str, Any]) -> List[AuditResult]:
"""
Check description
Args:
shared_data: Shared data from main script
Returns:
List of AuditResult objects
"""
results = []
# Perform checks
# Create AuditResult objects
# Append to results list
return results
# Main Module Entry Point
def run_module(shared_data: Dict[str, Any]) -> List[AuditResult]:
"""
Main module execution function
Args:
shared_data: Shared data from main script
Returns:
List of all AuditResult objects
"""
results = []
# Call check functions
results.extend(check_category_1(shared_data))
results.extend(check_category_2(shared_data))
# etc.
return results
# Standalone Testing
if __name__ == "__main__":
# Test module independently
test_data = {
"hostname": socket.gethostname(),
"is_root": os.geteuid() == 0
}
results = run_module(test_data)
# Display results
for result in results:
print(f"[{result.status}] {result.category}: {result.message}")Every check returns an AuditResult object with the following fields:
@dataclass
class AuditResult:
module: str # Module name (Core, CIS, NIST, etc.)
category: str # Check category
status: str # Pass, Fail, Warning, Info, Error
message: str # Brief description
details: str = "" # Detailed explanation
remediation: str = "" # Fix command(s)
timestamp: str # Execution timestampModules are discovered dynamically by the main orchestrator:
-
Scan Directory: Look for
module_*.pyfiles - Import Modules: Dynamically import discovered modules
-
Validate Interface: Verify
run_module()function exists -
Execute Modules: Call
run_module()with shared data
All modules receive a shared_data dictionary containing:
{
"hostname": str, # System hostname
"os_version": str, # OS version string
"scan_date": datetime, # Scan start time
"is_root": bool, # Running as root?
"script_path": Path # Script directory path
}Modules implement comprehensive error handling:
try:
# Perform check
result = AuditResult(
module=MODULE_NAME,
category="Category Name",
status="Pass",
message="Check description",
details="Detailed information"
)
except PermissionError:
result = AuditResult(
module=MODULE_NAME,
category="Category Name",
status="Error",
message="Check description",
details="Permission denied - requires root access"
)
except FileNotFoundError:
result = AuditResult(
module=MODULE_NAME,
category="Category Name",
status="Error",
message="Check description",
details="Required file not found"
)
except Exception as e:
result = AuditResult(
module=MODULE_NAME,
category="Category Name",
status="Error",
message="Check description",
details=f"Unexpected error: {str(e)}"
)-
Create Module File:
module_custom.pyin project directory -
Implement Required Interface:
run_module(shared_data)function - Define Check Functions: Individual security checks
- Return AuditResult Objects: Properly formatted results
- Test Standalone: Run module independently
- Test Integrated: Run with main orchestrator
#!/usr/bin/env python3
"""
module_custom.py
Custom Security Module
Version: 1.0
SYNOPSIS:
Custom security checks for specific requirements
DESCRIPTION:
Detailed description of what this module checks
USAGE:
python3 linux_security_audit.py --modules CUSTOM
NOTES:
Version: 1.0
Custom module template
"""
import os
import sys
from pathlib import Path
from typing import List, Dict, Any
# Import AuditResult from main script
sys.path.insert(0, str(Path(__file__).parent))
from linux_security_audit import AuditResult
MODULE_NAME = "CUSTOM"
MODULE_VERSION = "1.0"
def check_example(shared_data: Dict[str, Any]) -> List[AuditResult]:
"""Example security check"""
results = []
try:
# Perform your check
check_passed = True # Your logic here
if check_passed:
result = AuditResult(
module=MODULE_NAME,
category="Example Category",
status="Pass",
message="Check passed successfully",
details="Detailed information about the check",
remediation=""
)
else:
result = AuditResult(
module=MODULE_NAME,
category="Example Category",
status="Fail",
message="Check failed",
details="Explanation of what failed",
remediation="command to fix the issue"
)
results.append(result)
except Exception as e:
result = AuditResult(
module=MODULE_NAME,
category="Example Category",
status="Error",
message="Check could not be completed",
details=f"Error: {str(e)}"
)
results.append(result)
return results
def run_module(shared_data: Dict[str, Any]) -> List[AuditResult]:
"""
Main module entry point - REQUIRED
Args:
shared_data: Dictionary with hostname, os_version, is_root, etc.
Returns:
List of AuditResult objects
"""
results = []
# Call your check functions
results.extend(check_example(shared_data))
# Add more checks...
return results
# Standalone testing
if __name__ == "__main__":
import socket
test_data = {
"hostname": socket.gethostname(),
"is_root": os.geteuid() == 0
}
results = run_module(test_data)
print(f"\n{MODULE_NAME} Module Test Results:")
print("=" * 60)
for result in results:
print(f"[{result.status}] {result.category}: {result.message}")
print(f"\nTotal Checks: {len(results)}")-
Follow Naming Convention:
module_name.pywhere name is lowercase -
Implement
run_module(): Required function signature - Return AuditResult Objects: Consistent data structure
- Handle Errors Gracefully: Use try/except blocks
- Provide Remediation: Include fix commands when applicable
- Document Thoroughly: Synopsis, description, usage, notes
- Test Independently: Verify module works standalone
- OS-Aware Checks: Adapt to different distributions when needed
- Privilege Awareness: Handle both root and non-root execution
- Consistent Status Values: Use Pass, Fail, Warning, Info, Error
# Test module independently
python3 module_custom.py
# Test with main orchestrator
python3 linux_security_audit.py --modules CUSTOM
# Test with other modules
python3 linux_security_audit.py --modules Core,CUSTOM
# Full integration test
sudo python3 linux_security_audit.py --modules All- Development Guide: Comprehensive development documentation
- Framework Reference: Security framework standards and sources
- Usage Guide: How to run specific modules
- Output Reference: Understanding module output
← Back to Output Reference | Home | Next: Framework Reference →