Building a Linux Security Audit Toolkit with Bash: A Practical Approach to System Hardening
Linux is widely considered a secure operating system. However, security does not come automatically after installing a distribution.
A properly configured Linux system can be very secure, but a system with weak configuration, unnecessary services, outdated packages, or excessive privileges can still become an easy target.
One of the most important steps in cybersecurity is visibility.
Before improving security, you need to understand what is happening inside your system.
Which services are running?
Who has administrative privileges?
Are there unnecessary open ports?
Is SSH configured securely?
Are file permissions correct?
To answer these questions, I created a lightweight Linux Security Audit Toolkit written in Bash.
The goal was not to replace enterprise security scanners, but to build a simple, transparent tool that Linux administrators, students, and security enthusiasts can use to perform basic security checks.
Why Build a Security Audit Toolkit?
There are many professional security auditing solutions available:
- Lynis
- OpenSCAP
- Nessus
- CIS security scanners
These tools are extremely valuable, especially in enterprise environments.
However, sometimes you need something simpler.
A small Bash-based toolkit has several advantages:
- no complicated installation,
- easy to understand source code,
- works directly from the terminal,
- easy to customize,
- useful for learning Linux security fundamentals.
The idea behind this project was simple:
Security starts with understanding your system.
Project Architecture
The toolkit is divided into independent security modules.
Each script focuses on a specific area of Linux security.
Example structure:
linux-security-audit/
├── run.sh
├── VERSION
├── README.md
│
└── scripts/
├── system-security-check.sh
├── firewall-check.sh
├── users-audit.sh
├── permissions-check.sh
├── updates-check.sh
└── ssh-hardening.sh
The main launcher executes all modules and creates a final security report.
Firewall Security Audit
The firewall is one of the first layers protecting a Linux system.
The toolkit checks common firewall technologies:
- UFW
- Firewalld
- nftables
- iptables
It also reviews listening network services.
Example:
ss -tulnp
This command helps identify:
- active network services,
- open ports,
- applications listening for connections.
A common mistake is leaving services exposed even though they are no longer needed.
For example:
A server running a database service should not expose that database directly to the internet unless there is a specific reason.
Reducing the attack surface is one of the simplest security improvements.
User Account Security Audit
User management is a critical part of Linux security.
The toolkit checks:
- users with UID 0,
- sudo users,
- locked accounts,
- active login shells,
- SSH authorized keys.
Example:
awk -F: '$3 == 0 {print $1}' /etc/passwd
UID 0 accounts have root privileges.
Normally, only the root account and intentionally configured administrative accounts should have this level of access.
Unexpected privileged users may indicate:
- incorrect configuration,
- forgotten accounts,
- potential compromise.
Linux File Permissions Review
Linux permissions are powerful, but incorrect permissions can create serious security problems.
The audit checks:
- SUID files,
- SGID files,
- world-writable files,
- insecure directories,
- files without owners,
- files without groups.
Example:
find / -perm -4000
SUID binaries deserve special attention.
A vulnerable SUID application can sometimes allow privilege escalation from a normal user to root.
This does not mean every SUID file is dangerous.
Many system components require this functionality.
The important part is knowing what exists on your system.
System Update Verification
Outdated software remains one of the most common security problems.
The update module checks:
- available package updates,
- kernel version,
- package manager status.
Supported systems include:
- Debian,
- Ubuntu,
- Linux Mint,
- Fedora,
- RHEL-based distributions,
- Arch Linux,
- openSUSE.
Regular updates help protect against:
- known vulnerabilities,
- privilege escalation bugs,
- remote code execution issues.
Security is not only about installing tools.
Maintenance is equally important.
SSH Security Audit
SSH is one of the most important services on Linux servers.
It is also one of the most commonly attacked.
The toolkit checks:
- SSH service status,
- OpenSSH version,
- root login configuration,
- password authentication,
- empty passwords,
- SSH keys,
- failed login attempts.
Recommended SSH configuration usually includes:
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Using SSH keys instead of passwords provides stronger authentication and reduces the risk of brute-force attacks.
Additional protections can include:
- Fail2ban,
- firewall restrictions,
- VPN-only SSH access,
- multi-factor authentication.
Running the Security Audit
Clone the repository:
git clone https://github.com/cyberbezpieczenstwo/linux-security-audit.git
Enter the directory:
cd linux-security-audit
Make scripts executable:
chmod +x run.sh scripts/*.sh
Run the audit:
sudo ./run.sh
The result is a generated report:
security-report-hostname-date.txt
The report contains:
- system information,
- firewall status,
- user audit results,
- permission findings,
- SSH recommendations,
- update status.
Security Auditing Is Not About Finding Fault
A security audit should not be treated as a checklist where every warning means failure.
The purpose is understanding risk.
A good security process asks:
- What is exposed?
- Who has access?
- What software is running?
- What can be removed?
- What needs monitoring?
Security is about reducing unnecessary risk.
Future Development
The project is still evolving.
Planned improvements:
- HTML report generation,
- Docker security checks,
- SELinux and AppArmor analysis,
- CIS Benchmark integration,
- Fail2ban detection,
- network security module,
- automated recommendations.
The goal is to transform a collection of Bash scripts into a practical Linux security baseline tool.
Final Thoughts
Linux gives administrators excellent control and visibility.
But visibility only helps when you use it.
A secure system is not created by installing one security application.
It is built through:
- regular auditing,
- proper configuration,
- updates,
- monitoring,
- understanding the environment.
Even a simple Bash script can help reveal problems before they become security incidents.
Security starts with knowing what is running on your machine.
Project repository:
https://github.com/cyberbezpieczenstwo/linux-security-audit
Author:
Marek "Netbe" Lampart
Linux | Cybersecurity | Infrastructure
Top comments (1)
Great walkthrough. I like that you focus on auditing before hardening—it's a much safer approach than blindly applying security tweaks. Checks for SSH configuration, firewall status, permissions, and exposed services provide a solid baseline that every Linux administrator should automate.
One nice extension would be generating structured reports (JSON/HTML), assigning severity levels, and mapping findings to CIS Benchmarks so the toolkit can fit into CI/CD pipelines or continuous compliance workflows. Projects like this are great examples of how simple Bash scripts can deliver real operational value. Nice work!