DEV Community

Marek „Netbe” Lampart
Marek „Netbe” Lampart

Posted on

Building a Linux Security Audit Toolkit with Bash: From Firewall Checks to SSH Hardening

Building a Linux Security Audit Toolkit with Bash: A Practical Approach to System Hardening

Linux is widely considered a secure operating system. However, security does not come automatically after installing a distribution.

A properly configured Linux system can be very secure, but a system with weak configuration, unnecessary services, outdated packages, or excessive privileges can still become an easy target.

One of the most important steps in cybersecurity is visibility.

Before improving security, you need to understand what is happening inside your system.

Which services are running?

Who has administrative privileges?

Are there unnecessary open ports?

Is SSH configured securely?

Are file permissions correct?

To answer these questions, I created a lightweight Linux Security Audit Toolkit written in Bash.

The goal was not to replace enterprise security scanners, but to build a simple, transparent tool that Linux administrators, students, and security enthusiasts can use to perform basic security checks.


Why Build a Security Audit Toolkit?

There are many professional security auditing solutions available:

  • Lynis
  • OpenSCAP
  • Nessus
  • CIS security scanners

These tools are extremely valuable, especially in enterprise environments.

However, sometimes you need something simpler.

A small Bash-based toolkit has several advantages:

  • no complicated installation,
  • easy to understand source code,
  • works directly from the terminal,
  • easy to customize,
  • useful for learning Linux security fundamentals.

The idea behind this project was simple:

Security starts with understanding your system.


Project Architecture

The toolkit is divided into independent security modules.

Each script focuses on a specific area of Linux security.

Example structure:

linux-security-audit/

├── run.sh
├── VERSION
├── README.md
│
└── scripts/
    ├── system-security-check.sh
    ├── firewall-check.sh
    ├── users-audit.sh
    ├── permissions-check.sh
    ├── updates-check.sh
    └── ssh-hardening.sh
Enter fullscreen mode Exit fullscreen mode

The main launcher executes all modules and creates a final security report.


Firewall Security Audit

The firewall is one of the first layers protecting a Linux system.

The toolkit checks common firewall technologies:

  • UFW
  • Firewalld
  • nftables
  • iptables

It also reviews listening network services.

Example:

ss -tulnp
Enter fullscreen mode Exit fullscreen mode

This command helps identify:

  • active network services,
  • open ports,
  • applications listening for connections.

A common mistake is leaving services exposed even though they are no longer needed.

For example:

A server running a database service should not expose that database directly to the internet unless there is a specific reason.

Reducing the attack surface is one of the simplest security improvements.


User Account Security Audit

User management is a critical part of Linux security.

The toolkit checks:

  • users with UID 0,
  • sudo users,
  • locked accounts,
  • active login shells,
  • SSH authorized keys.

Example:

awk -F: '$3 == 0 {print $1}' /etc/passwd
Enter fullscreen mode Exit fullscreen mode

UID 0 accounts have root privileges.

Normally, only the root account and intentionally configured administrative accounts should have this level of access.

Unexpected privileged users may indicate:

  • incorrect configuration,
  • forgotten accounts,
  • potential compromise.

Linux File Permissions Review

Linux permissions are powerful, but incorrect permissions can create serious security problems.

The audit checks:

  • SUID files,
  • SGID files,
  • world-writable files,
  • insecure directories,
  • files without owners,
  • files without groups.

Example:

find / -perm -4000
Enter fullscreen mode Exit fullscreen mode

SUID binaries deserve special attention.

A vulnerable SUID application can sometimes allow privilege escalation from a normal user to root.

This does not mean every SUID file is dangerous.

Many system components require this functionality.

The important part is knowing what exists on your system.


System Update Verification

Outdated software remains one of the most common security problems.

The update module checks:

  • available package updates,
  • kernel version,
  • package manager status.

Supported systems include:

  • Debian,
  • Ubuntu,
  • Linux Mint,
  • Fedora,
  • RHEL-based distributions,
  • Arch Linux,
  • openSUSE.

Regular updates help protect against:

  • known vulnerabilities,
  • privilege escalation bugs,
  • remote code execution issues.

Security is not only about installing tools.

Maintenance is equally important.


SSH Security Audit

SSH is one of the most important services on Linux servers.

It is also one of the most commonly attacked.

The toolkit checks:

  • SSH service status,
  • OpenSSH version,
  • root login configuration,
  • password authentication,
  • empty passwords,
  • SSH keys,
  • failed login attempts.

Recommended SSH configuration usually includes:

PermitRootLogin no

PasswordAuthentication no

PermitEmptyPasswords no
Enter fullscreen mode Exit fullscreen mode

Using SSH keys instead of passwords provides stronger authentication and reduces the risk of brute-force attacks.

Additional protections can include:

  • Fail2ban,
  • firewall restrictions,
  • VPN-only SSH access,
  • multi-factor authentication.

Running the Security Audit

Clone the repository:

git clone https://github.com/cyberbezpieczenstwo/linux-security-audit.git
Enter fullscreen mode Exit fullscreen mode

Enter the directory:

cd linux-security-audit
Enter fullscreen mode Exit fullscreen mode

Make scripts executable:

chmod +x run.sh scripts/*.sh
Enter fullscreen mode Exit fullscreen mode

Run the audit:

sudo ./run.sh
Enter fullscreen mode Exit fullscreen mode

The result is a generated report:

security-report-hostname-date.txt
Enter fullscreen mode Exit fullscreen mode

The report contains:

  • system information,
  • firewall status,
  • user audit results,
  • permission findings,
  • SSH recommendations,
  • update status.

Security Auditing Is Not About Finding Fault

A security audit should not be treated as a checklist where every warning means failure.

The purpose is understanding risk.

A good security process asks:

  • What is exposed?
  • Who has access?
  • What software is running?
  • What can be removed?
  • What needs monitoring?

Security is about reducing unnecessary risk.


Future Development

The project is still evolving.

Planned improvements:

  • HTML report generation,
  • Docker security checks,
  • SELinux and AppArmor analysis,
  • CIS Benchmark integration,
  • Fail2ban detection,
  • network security module,
  • automated recommendations.

The goal is to transform a collection of Bash scripts into a practical Linux security baseline tool.


Final Thoughts

Linux gives administrators excellent control and visibility.

But visibility only helps when you use it.

A secure system is not created by installing one security application.

It is built through:

  • regular auditing,
  • proper configuration,
  • updates,
  • monitoring,
  • understanding the environment.

Even a simple Bash script can help reveal problems before they become security incidents.

Security starts with knowing what is running on your machine.


Project repository:

https://github.com/cyberbezpieczenstwo/linux-security-audit

Author:

Marek "Netbe" Lampart

Linux | Cybersecurity | Infrastructure

Top comments (1)

Collapse
 
topstar_ai profile image
Luis

Great walkthrough. I like that you focus on auditing before hardening—it's a much safer approach than blindly applying security tweaks. Checks for SSH configuration, firewall status, permissions, and exposed services provide a solid baseline that every Linux administrator should automate.

One nice extension would be generating structured reports (JSON/HTML), assigning severity levels, and mapping findings to CIS Benchmarks so the toolkit can fit into CI/CD pipelines or continuous compliance workflows. Projects like this are great examples of how simple Bash scripts can deliver real operational value. Nice work!