Quick and dirty security audit for Linux servers. Checks the usual suspects - firewall, SSH config, file permissions, sketchy services, and other stuff that should probably be locked down.
- Firewall status (UFW/iptables)
- SSH hardening checks
- Critical file permissions (/etc/passwd, /etc/shadow, etc.)
- Unnecessary/risky services
- Basic rootkit indicators
- User account issues
- Available system updates
Spits out a score and tells you what's broken.
# Basic run (some checks will be limited)
python3 security_audit.py
# Full audit (recommended)
sudo python3 security_audit.pyLinux security audit
----------------------------------------
[firewall]
ok UFW: active
FAIL iptables: no custom rules
FAIL open ports: check these: 80, 443, 3306
[ssh]
ok ssh root login: disable root ssh
FAIL ssh password auth: fix: keys only
ok ssh empty passwords: no empty passwords
[files]
ok perms passwd: /etc/passwd ok
FAIL perms shadow: /etc/shadow: mode 644 (want 640)
==================================================
AUDIT RESULTS
==================================================
Host: webserver01
Date: 2024-03-15 14:32
Score: 67.3% (15/23)
Status: NEEDS WORK
CRITICAL ISSUES:
! no password: mysql
WARNINGS:
- ports 80, 443, 3306 are open
TODO:
1. sudo ufw enable
2. SSH: keys only
3. chmod 640 /etc/shadow && chown root:shadow /etc/shadow
4. systemctl disable postfix
... and 3 more
Full report saved: audit_20240315_1432.json
- Python 3.6+
- Linux (obviously)
- Root access for complete results
Most commands should work on any modern distro. Tested on Ubuntu, CentOS, and Debian.
- UFW status
- Basic iptables rules
- Open listening ports
- Root login disabled
- Password authentication disabled
- Empty passwords blocked
- Max auth attempts limited
Standard system files that attackers love to mess with:
- /etc/passwd (644)
- /etc/shadow (640)
- /etc/group (644)
- /etc/gshadow (640)
- /etc/sudoers (440)
- /etc/crontab (600)
Looks for commonly enabled services that you probably don't need:
- telnet, rsh, rlogin
- FTP daemons
- Mail servers (sendmail, postfix, dovecot)
- Print services (cups)
Basic checks for common hiding spots:
- Suspicious paths in /tmp, /dev, /usr/src
- Process count anomalies
- /etc/ld.so.preload modifications
- Users with empty passwords
- Multiple UID 0 accounts (should only be root)
Checks for available security updates using apt or yum.
Creates a JSON report with full details:
{
"timestamp": "2024-03-15T14:32:15",
"hostname": "webserver01",
"score": 67.3,
"checks_run": 23,
"checks_passed": 15,
"critical": ["no password: mysql"],
"warnings": ["ports 80, 443, 3306 are open"],
"todo": ["sudo ufw enable", "SSH: keys only", ...]
}This isn't a replacement for proper security tools. It's meant for:
- Quick server checkups
- Basic hardening verification
- Spotting obvious misconfigurations
For serious security auditing, use proper tools like:
- Lynis
- OpenSCAP
- Nessus
- chkrootkit/rkhunter
PRs welcome. Keep it simple and practical - this isn't meant to be comprehensive, just useful for common scenarios.