Security hardening is one of those things everyone talks about but few actually implement consistently. The CIS Benchmarks exist for a reason: they’re the gold standard for OS-level security configuration. So I built a tool that actually checks your system against them, automatically, on both macOS and Linux.
What it does
The CIS Benchmark Compliance Checker audits your system configuration against CIS Level 1 controls: the baseline hardening standards used by enterprises, government agencies, and security teams worldwide. It runs locally, requires no agent, and outputs a clean compliance report.
It checks for:
Password policy enforcement (minimum length, complexity, expiry)
SSH hardening (root login disabled, protocol version, idle timeout)
Firewall status (pf on macOS, ufw/iptables on Linux)
Audit logging (auditd on Linux, audit framework on macOS)
World-writable file detection
Core dump restrictions
Unnecessary service enumeration
Why cross-platform matters
Most compliance scripts are written for one OS and abandoned. Security teams in the real world manage mixed fleets: developers on macOS, servers on Ubuntu or RHEL. This tool detects the OS at runtime and applies the correct benchmark checks automatically. One script, two platforms, zero manual switching.
How it works
The tool uses Python’s subprocess module to run native OS commands — defaults read, sysctl, launchctl, systemctl, ss, auditctl — and parses the output against expected CIS-compliant values. Each check returns PASS, FAIL, or WARNING, and the final report includes a compliance percentage score.
```python
import subprocess

def check_ssh_root_login():
    # `sshd -T` prints the effective config; it needs root to read the host keys
    result = subprocess.run(['sshd', '-T'], capture_output=True, text=True)
    if result.returncode != 0:
        return "WARNING"  # config could not be read, so don't score it as FAIL
    if 'permitrootlogin no' in result.stdout.lower():
        return "PASS"
    return "FAIL"
```
The report is exported as a structured text file, organized by control category — ready to drop into a GRC audit trail or a SOC ticket.
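To show how the pieces described above fit together (runtime OS detection, running a native command, parsing its output against expected values, and rolling PASS/FAIL/WARNING results into a percentage), here is an added example. It is not code from the checker's repository; the control names, the keep-alive thresholds, the `sshd -T` sample and the scoring rule are assumptions made for this illustration, not values quoted from the CIS benchmark.

```python
import platform
import shutil
import subprocess

# Expected values for a few SSH controls. "permitrootlogin no" is the one the
# post checks; the ClientAlive* thresholds are assumptions for this example.
SSH_CONTROLS = {
    "SSH root login disabled": ("permitrootlogin", lambda v: v == "no"),
    "SSH idle timeout set": ("clientaliveinterval", lambda v: 0 < int(v) <= 900),
    "SSH keep-alive count limited": ("clientalivecountmax", lambda v: 0 < int(v) <= 3),
}


def parse_sshd_config(text):
    """Turn `sshd -T` output ("key value" per line) into a lowercase dict."""
    config = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            key, value = parts
            config[key.lower()] = value.lower()
    return config


def evaluate(config, controls):
    """Return {control_name: PASS | FAIL | WARNING}.

    A key missing from the effective config is a WARNING, not a FAIL: sshd -T
    prints every option, so a missing key usually means the output was
    incomplete, and a non-numeric value where a number is expected is treated
    the same way.
    """
    results = {}
    for name, (key, predicate) in controls.items():
        value = config.get(key)
        if value is None:
            results[name] = "WARNING"
            continue
        try:
            results[name] = "PASS" if predicate(value) else "FAIL"
        except ValueError:
            results[name] = "WARNING"
    return results


def compliance_score(results):
    """Percentage of controls that passed, counted against all controls
    (WARNINGs count as not passed, so an unreadable config never inflates
    the score)."""
    if not results:
        return 0.0
    passed = sum(1 for status in results.values() if status == "PASS")
    return round(100.0 * passed / len(results), 1)


def render_report(results):
    """Plain-text report, one line per control plus the overall score."""
    lines = [f"[{status}] {name}" for name, status in sorted(results.items())]
    lines.append(f"Compliance: {compliance_score(results)}%")
    return "\n".join(lines)


def detect_os():
    """'macos' or 'linux' from platform.system(), mirroring the runtime
    OS detection the post describes."""
    return {"Darwin": "macos", "Linux": "linux"}.get(platform.system(), "unsupported")


def run_ssh_checks():
    """Collect the live sshd config (requires root, since sshd -T reads the
    host keys) and evaluate it. If the command cannot run or exits non-zero,
    every control is reported as WARNING instead of crashing or failing."""
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    try:
        proc = subprocess.run([sshd, "-T"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return {name: "WARNING" for name in SSH_CONTROLS}
    if proc.returncode != 0:
        return {name: "WARNING" for name in SSH_CONTROLS}
    return evaluate(parse_sshd_config(proc.stdout), SSH_CONTROLS)


# Constructed sample of `sshd -T` output so the parsing and scoring logic
# can be exercised without root or a live sshd.
SAMPLE_SSHD_T = """\
port 22
permitrootlogin yes
clientaliveinterval 300
clientalivecountmax 0
"""

if __name__ == "__main__":
    print("Detected OS:", detect_os())
    print(render_report(evaluate(parse_sshd_config(SAMPLE_SSHD_T), SSH_CONTROLS)))
```

Run as root on a real host, `run_ssh_checks()` replaces the sample with the live configuration. Keeping the parser, the predicates and the scoring in separate functions is what makes the "one script, two platforms" approach workable: the macOS and Linux paths only differ in which command is run and which table of expected values is handed to `evaluate`.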
MITRE ATT&CK mapping
Each control maps back to ATT&CK techniques:
SSH hardening → T1021.004 (Remote Services: SSH)
Audit logging → T1562.002 (Disable Windows Event Logging — Linux equivalent)
World-writable files → T1222 (File and Directory Permissions Modification)
What I learned
macOS and Linux look similar on the surface but behave very differently at the syscall and config level. launchctl vs systemctl, pf vs ufw, defaults vs /etc/ — mapping equivalent controls across both took real research. That gap is exactly why most compliance tools are single-platform.
Try it yourself
GitHub: github.com/SankethSubhas/cis-benchmark-compliance-checker
Run it, check your score, and see how hardened your system actually is.