behnam0x/cis-linux-audit-script

🔐 CIS Linux Audit Script

This repository contains a comprehensive script to perform a full CIS (Center for Internet Security) benchmark audit for RHEL-based and Debian-based Linux distributions. It automates the process of checking system compliance with CIS security standards, helping system administrators and security professionals harden their systems effectively.

📋 What Is CIS Benchmark?

The CIS Benchmarks are best-practice security configuration guides developed by cybersecurity experts. They provide detailed recommendations for securing systems, applications, and networks. This script focuses on the CIS benchmarks for:

RHEL-based systems (e.g., RHEL, CentOS, Rocky Linux, AlmaLinux)

Debian-based systems (e.g., Debian, Ubuntu)

🚀 Features

✅ Covers all major CIS audit checks (authentication, logging, permissions, services, etc.)

🧠 Detects system type and applies relevant checks

📦 Modular and easy to extend

📄 Generates detailed audit reports

🔄 Supports dry-run and fix modes

📦 Supported Platforms

Distribution	Version(s)
RHEL	7, 8, 9
CentOS	7, 8
Oracle Linux	8, 9
Rocky Linux	8, 9
AlmaLinux	8, 9
Debian	9, 10, 11
Ubuntu	18.04, 20.04, 22.04, 24.04

🛠️ How to Use

git clone https://github.com/behnam0x/cis-linux-audit-script.git
cd cis-linux-audit-script/script
chmod +x AuditCISHardening.sh
sudo ./AuditCISHardening.sh

📑 Checklist Overview

The script checks and optionally remediates the following categories:

🔐 Authentication & Password Policies

📁 File Permissions & Ownership

🔍 Logging & Auditing

🧱 Firewall & Network Configuration

🧹 Unused Services & Packages

🧾 System Updates & Patch Management

🧬 Kernel Parameters & Sysctl Settings

🧑‍💻 User Accounts & Access Controls

Each check is mapped to its corresponding CIS control ID (e.g., 1.1.1, 5.2.3) for easy cross-reference.

📊 Sample Output

[] 1.1.1 Ensure mounting of cramfs filesystems is disabled
[] 1.1.2 Ensure mounting of squashfs filesystems is disabled
[] 5.2.3 Ensure password expiration is 365 days or less
...
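
The three checks named in the sample output can be sketched as follows. This is an added example, not code from AuditCISHardening.sh: the function names, the pass rules, the `[PASS]`/`[FAIL]` marker and the fixture files are all assumptions, and the checks read paths passed as arguments so they run against constructed files rather than the live /etc.

```shell
#!/bin/sh
# Added illustration, not code from AuditCISHardening.sh.
# Checks take a path argument so they can run on constructed fixtures.

# 1.1.1 / 1.1.2: assumed pass rule = some *.conf in the modprobe.d directory
# maps the module to /bin/true or /bin/false with an "install" line.
check_module_disabled() {
    mod=$1 dir=$2
    grep -Eqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(true|false)([[:space:]]|\$)" \
        "$dir"/*.conf
}

# 5.2.3: assumed pass rule = the last uncommented PASS_MAX_DAYS is an
# integer in 1..max. Missing, non-numeric or negative values fail.
check_pass_max_days() {
    file=$1 max=${2:-365}
    val=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$file" 2>/dev/null) || return 1
    case $val in ''|*[!0-9]*) return 1 ;; esac
    [ "$val" -ge 1 ] && [ "$val" -le "$max" ]
}

# Print one report line keyed by CIS control ID (marker format is assumed).
report() {
    id=$1 title=$2; shift 2
    if "$@"; then echo "[PASS] $id $title"; else echo "[FAIL] $id $title"; fi
}

# Constructed fixture: cramfs disabled, squashfs not, password age too long.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/modprobe.d"
    echo 'install cramfs /bin/false' > "$root/modprobe.d/cramfs.conf"
    printf '%s\n' '# PASS_MAX_DAYS 90' 'PASS_MAX_DAYS 99999' > "$root/login.defs"
    echo "$root"
}

audit() {
    root=$1
    report 1.1.1 "Ensure mounting of cramfs filesystems is disabled" \
        check_module_disabled cramfs "$root/modprobe.d"
    report 1.1.2 "Ensure mounting of squashfs filesystems is disabled" \
        check_module_disabled squashfs "$root/modprobe.d"
    report 5.2.3 "Ensure password expiration is 365 days or less" \
        check_pass_max_days "$root/login.defs"
}

fixture=$(make_fixture) && audit "$fixture" && rm -rf "$fixture"
```

On the constructed fixture only 1.1.1 passes: the commented-out `PASS_MAX_DAYS 90` is ignored and the effective value of 99999 exceeds the 365-day limit.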

📚 References

CIS Benchmark RHEL Security Guide

🤝 Contributing

Pull requests are welcome! If you want to add new checks, improve compatibility, or enhance reporting, feel free to contribute.

📄 License

This project is licensed under the MIT License. See the
