Production-tested Python tool to audit and optionally harden Linux systems for OPSEC & Security.
- Zero external deps (Python 3.8+)
- Idempotent fixes with --apply
- JSON and human-readable output
- Systemd timer for scheduled audits
- SSH hardening (no root login, no password auth, strict options)
- Kernel params (sysctl) for network & info-leak protection
- Firewall baseline (UFW, fallback: iptables check)
- Critical services (fail2ban, unattended-upgrades)
- Unwanted services (avahi, cups)
- File permissions (passwd, shadow, sudoers)
- Update status (APT-based systems)
- DNS leak safety (resolv.conf basics)
git clone [email protected]:CySecKev/Linux-SecAudit-Hardener.git
cd Linux-SecAudit-Hardener
sudo ./scripts/run_audit.sh
Apply hardening (careful! review first):
sudo python3 -m sec_hardener.sec_audit --apply
cp sec_hardener/config.example.json sec_hardener/config.json
sudo ./scripts/install_systemd.sh
sudo systemctl enable --now sec-audit.timer
journalctl -u sec-audit.service -f
python3 -m sec_hardener.sec_audit --json
python3 -m sec_hardener.sec_audit --sections ssh,sysctl,firewall
- Designed for Debian/Ubuntu/Kali; graceful fallback on others.
- Uses /etc/sysctl.d/99-sec-hardening.conf for kernel params.
- Never overwrites files without a dated backup in /root/sec-audit-backups/.
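
What "idempotent fixes" combined with "a dated backup before any overwrite" can look like for the sysctl drop-in, as an added example (not this project's code). The function names, the return strings, the backup file naming and the sample settings in DESIRED are assumptions made for the illustration.

```python
import datetime
import os
import shutil
import tempfile

# Sample settings chosen for this example (assumption, not the project's list).
DESIRED = {
    "kernel.dmesg_restrict": "1",
    "kernel.kptr_restrict": "2",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.rp_filter": "1",
}

def render(settings):
    """Deterministic file body, so an unchanged policy yields identical bytes."""
    return "".join(f"{k} = {v}\n" for k, v in sorted(settings.items()))

def apply_dropin(path, settings, backup_dir, apply=False, today=None):
    """Return 'ok', 'would-change' or 'changed'; writes only when apply=True."""
    wanted = render(settings)
    current = None
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            current = fh.read()
    if current == wanted:
        return "ok"              # idempotent: no write and no new backup
    if not apply:
        return "would-change"    # audit mode never touches the disk
    if current is not None:
        stamp = (today or datetime.date.today()).isoformat()
        os.makedirs(backup_dir, mode=0o700, exist_ok=True)
        backup = os.path.join(backup_dir, f"{os.path.basename(path)}.{stamp}")
        if not os.path.exists(backup):   # keep the first backup of the day
            shutil.copy2(path, backup)
    # Write a temp file in the same directory, then rename it into place.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(wanted)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return "changed"

if __name__ == "__main__":
    d = tempfile.mkdtemp()       # scratch directory instead of /etc/sysctl.d
    p = os.path.join(d, "99-sec-hardening.conf")
    for mode in (False, True, True):
        print(apply_dropin(p, DESIRED, os.path.join(d, "backups"), apply=mode))
```

Writing the drop-in does not change the running kernel values; they take effect once the file is loaded, for example with `sysctl --system` or at the next boot.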