Skip to main content

Comprehensive Linux security auditing and hardening tool

Project description

Linux Security Audit Tool

A comprehensive CLI tool for auditing Linux system security posture.

For all the checks to effectively be done this tool it needs root access.

PyPI Python Coverage Ruff Ask DeepWiki

Install

pip install linux-security-audit-tool

Usage

sudo env "PATH=$PATH" security-audit --help
sudo env "PATH=$PATH" security-audit audit
sudo env "PATH=$PATH" security-audit audit -p 0 -1           # Run specific phases
sudo env "PATH=$PATH" security-audit audit -o report.md      # Save markdown report
sudo env "PATH=$PATH" security-audit audit --quiet           # Summary only
sudo env "PATH=$PATH" security-audit audit --debug           # Show executed commands
sudo env "PATH=$PATH" security-audit audit --remediate-all   # Generate remediation script for all findings
sudo env "PATH=$PATH" security-audit audit --remediate-only-critical  # Generate remediation script for CRITICAL only
sudo env "PATH=$PATH" security-audit audit --remediate-non-critical   # Generate remediation script for non-CRITICAL
sudo env "PATH=$PATH" security-audit audit --pdf report.pdf  # Generate PDF report

CLI

security-audit [OPTIONS] COMMAND [ARGS]...

Options:
  --version  Show the version and exit.
  --help     Show this message and exit.

Commands:
  audit    Run a full security audit.
  version  Show version information.

Audit Command Options

  • --output, -o FILE - Output file for markdown report
  • --phases, -p [0-9] - Specific phases to run (can be repeated)
  • --quiet, -q - Suppress detailed output
  • --verbose, -v - Show descriptions and remediation
  • --debug, -d - Show low-level commands being executed
  • --remediate-all, -r - Generate remediation script for all findings
  • --remediate-only-critical - Generate remediation script for CRITICAL findings only
  • --remediate-non-critical - Generate remediation script for non-CRITICAL findings
  • --remediate-script FILE - Save remediation script to file
  • --pdf FILE - Generate PDF executive report
  • --cache - Enable caching of check results
  • --cache-ttl INTEGER - Cache TTL in seconds (default: 3600)

API

from security_audit import gather_context, run_identity_checks, calculate_security_score
from security_audit.core import Finding, Severity

# Run a full audit
context = gather_context()
findings = run_identity_checks()
score = calculate_security_score(findings)

Audit Phases

The tool performs security checks across 9 phases:

  • Phase 0: Context Gathering (hostname, OS, kernel)
  • Phase 1: Identity & Access Control (users, sudo, SSH)
  • Phase 2: Network Exposure (listening services, firewall, sysctl)
  • Phase 3: File System & Permissions (SUID, world-writable, cron)
  • Phase 4: Process & Service Posture (services, AppArmor, SELinux, rkhunter)
  • Phase 5: Kernel & OS Hardening (sysctl, ASLR, module blacklist)
  • Phase 6: Logging & Monitoring (auditd, logs, syslog)
  • Phase 7: Package & Update Hygiene (updates, repos)
  • Phase 8: Cryptographic Posture (SSH keys, TLS, password hashing)

Development

git clone https://github.com/daedalus/linux-security-audit-tool.git
cd linux-security-audit-tool
pip install -e ".[test]"

# run tests
pytest

# format
ruff format src/ tests/

# format markdown
mdformat .

# lint + type check (prospector runs ruff check + mypy + pylint together)
prospector --with-tool ruff --with-tool mypy --with-tool pylint src/
opengrep --config=auto --severity=ERROR src/

# find unused code (vulture reports dead code with 90%+ confidence)
vulture --min-confidence 90 src/

# analyze code complexity (lizard reports cyclomatic complexity, NLOC, etc.)
lizard src/ --CCN 10

# track API impact (impactguard analyzes how staged changes affect public API)
impactguard-check-staged

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

linux_security_audit_tool-0.1.10.tar.gz (47.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

linux_security_audit_tool-0.1.10-py3-none-any.whl (56.0 kB view details)

Uploaded Python 3

File details

Details for the file linux_security_audit_tool-0.1.10.tar.gz.

File metadata

File hashes

Hashes for linux_security_audit_tool-0.1.10.tar.gz
Algorithm Hash digest
SHA256 0a132aabb10b323e8000e2d89d35265a48d0e595e6b5ed1ae40e8228e8251981
MD5 74501ee460fa351afdeeed270a2fa1f8
BLAKE2b-256 b040d082b4174055de450c83ea11dfb2958ab1163228d3b3467077a9c06e05b9

See more details on using hashes here.

Provenance

The following attestation bundles were made for linux_security_audit_tool-0.1.10.tar.gz:

Publisher: pypi-publish.yml on daedalus/linux-security-audit-tool

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file linux_security_audit_tool-0.1.10-py3-none-any.whl.

File metadata

File hashes

Hashes for linux_security_audit_tool-0.1.10-py3-none-any.whl
Algorithm Hash digest
SHA256 fdfacdbf66b285763741ba07471695cd87b19bbb01f233d68b1e8bee4dd3ded4
MD5 045eafa1b240a898d1706a46e4d10650
BLAKE2b-256 cf76e2dfe0b94e8a5c62def62044261e2019b04c2fc01c965d14ca2fff982f03

See more details on using hashes here.

Provenance

The following attestation bundles were made for linux_security_audit_tool-0.1.10-py3-none-any.whl:

Publisher: pypi-publish.yml on daedalus/linux-security-audit-tool

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page