# Output Reference
This guide provides comprehensive documentation for all output formats generated by the Linux Security Audit Project, including data structures, field definitions, and usage examples.
- Output Format Overview
- HTML Report
- CSV Format
- JSON Format
- XML Format
- Console Output
- Data Field Definitions
- Status Codes
- File Naming Conventions
## Output Format Overview

The Linux Security Audit Project supports five output formats, each designed for specific use cases:

| Format | File Extension | Use Case | Interactive | Machine-Readable |
|---|---|---|---|---|
| HTML | .html | Human review, reporting, management presentation | Yes | No |
| CSV | .csv | Spreadsheet analysis, trending, bulk data manipulation | No | Yes |
| JSON | .json | API integration, SIEM, automation, selective remediation | No | Yes |
| XML | .xml | Enterprise tools, legacy systems, SIEM integration | No | Yes |
| Console | N/A | Quick checks, SSH sessions, terminal-only environments | No | Partial |
Choose HTML when:
- Conducting manual security reviews
- Presenting findings to management or auditors
- Interactive exploration of results is needed
- Exporting specific issues for targeted remediation
Choose CSV when:
- Performing trend analysis over time
- Creating custom reports in Excel/Sheets
- Generating graphs and visualizations
- Bulk data manipulation is required
Choose JSON when:
- Integrating with modern APIs
- Feeding data to SIEM or monitoring tools
- Implementing automated workflows
- Using selective remediation features
- Custom scripting and analysis
Choose XML when:
- Integrating with enterprise security tools
- Working with legacy systems requiring XML
- Compliance with XML-based standards
- Enterprise SIEM ingestion (Splunk, QRadar)
Choose Console when:
- Performing quick security checks
- Working in terminal-only environments
- No file storage is desired
- Real-time output monitoring is needed
## HTML Report

The HTML report is a fully self-contained, interactive web page that can be opened in any modern browser. It includes embedded JavaScript for interactivity and CSS for styling.

```html
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Linux Security Audit Report</title>
    <style>/* Embedded CSS for styling */</style>
    <script>/* Embedded JavaScript for interactivity */</script>
</head>
<body>
    <!-- Report Header -->
    <!-- Summary Statistics -->
    <!-- Interactive Controls -->
    <!-- Results Table -->
</body>
</html>
```

### Report Header

Contains execution metadata and branding:
```text
====================================================================================================
LINUX SECURITY AUDIT REPORT
====================================================================================================
Hostname: server01.example.com
Operating System: Linux 5.15.0-91-generic
Scan Date: 2025-01-07 14:30:22
Execution Time: 0:03:45
Modules Executed: CIS, CISA, CORE, ENISA, ISO27001, NIST, NSA, STIG
Script Version: 1.1
```
### Summary Statistics

Visual dashboard with key metrics:
- Total Checks: Number of security checks performed
- Pass Count: Checks that passed successfully (Green)
- Fail Count: Critical security issues detected (Red)
- Warning Count: Best practice violations (Yellow)
- Info Count: Informational findings (Cyan)
- Error Count: Checks that could not be completed (Magenta)
Example:

```text
Total Checks: 1,174
Passed: 892 (76%)
Failed: 156 (13%)
Warnings: 98 (8%)
Info: 28 (2%)
Errors: 0 (0%)
```
### Interactive Controls

Filter by Status:
- Buttons to show/hide specific statuses (All, Pass, Fail, Warning, Info, Error)
- Click to toggle visibility of results with that status
Filter by Module:
- Dropdown or buttons to filter by security framework
- Shows results from specific modules (Core, CIS, NIST, etc.)
Search Function:
- Text input to search across all fields
- Real-time filtering as you type
- Searches: Module, Category, Status, Message, Details, Remediation
Theme Toggle:
- Switch between light and dark themes
- Preference saved to browser localStorage
Export Functions:
- Export All to JSON: Download complete audit results
- Export Selected to JSON: Download only checked items (for selective remediation)
### Results Table

Sortable, filterable table with the following columns:
| Column | Description | Sortable | Searchable |
|---|---|---|---|
| Checkbox | Select for export | No | No |
| Module | Security framework name | Yes | Yes |
| Category | Specific security area | Yes | Yes |
| Status | Check result (Pass/Fail/Warning/Info/Error) | Yes | Yes |
| Message | Brief description of finding | Yes | Yes |
| Details | Detailed explanation | No | Yes |
| Remediation | Commands to fix the issue | No | Yes |
| Timestamp | When check was performed | Yes | No |
Column Sorting:
- Click column header to sort ascending
- Click again to sort descending
- Visual indicators show sort direction
### Filtering

Filter buttons control row visibility; rows are hidden or shown via CSS classes:

```html
<!-- Filter buttons control row visibility -->
<button onclick="filterStatus('Fail')">Show Failed Only</button>
<!-- Results are hidden/shown via CSS classes -->
<tr class="status-fail" style="display: table-row;">...</tr>
```

### Search

```javascript
// Real-time search across all text content
function searchTable() {
    var input = document.getElementById("searchInput");
    var filter = input.value.toLowerCase();
    var rows = document.querySelectorAll("#resultsTable tbody tr");
    rows.forEach(function(row) {
        var text = row.textContent.toLowerCase();
        row.style.display = text.includes(filter) ? "" : "none";
    });
}
```

### Export

```javascript
// Export checked rows to JSON for selective remediation
function exportSelected() {
    var selected = [];
    document.querySelectorAll('input[type="checkbox"]:checked').forEach(function(checkbox) {
        var row = checkbox.closest('tr');
        selected.push({
            module: row.cells[1].textContent,
            category: row.cells[2].textContent,
            status: row.cells[3].textContent,
            message: row.cells[4].textContent,
            details: row.cells[5].textContent,
            remediation: row.cells[6].textContent,
            timestamp: row.cells[7].textContent
        });
    });
    var json = JSON.stringify({
        execution_info: {...},
        results: selected
    }, null, 2);
    // timestamp and downloadJSON() are defined elsewhere in the report's embedded script
    downloadJSON(json, 'Selected-Report-' + timestamp + '.json');
}
```

### Themes

Light Theme:
- Background: White (#FFFFFF)
- Text: Dark gray (#333333)
- Pass: Green (#28a745)
- Fail: Red (#dc3545)
- Warning: Orange (#ffc107)
- Info: Blue (#17a2b8)
- Error: Magenta (#6f42c1)
Dark Theme:
- Background: Dark gray (#1e1e1e)
- Text: Light gray (#e0e0e0)
- Pass: Light green (#4caf50)
- Fail: Light red (#f44336)
- Warning: Light orange (#ff9800)
- Info: Light blue (#03a9f4)
- Error: Light magenta (#9c27b0)
The HTML report adapts to different screen sizes:
- Desktop: Full table with all columns visible
- Tablet: Condensed view with scrolling
- Mobile: Stacked cards view (if implemented)
Supported Browsers:
- Chrome/Chromium 90+
- Firefox 88+
- Safari 14+
- Edge 90+
Required Features:
- JavaScript enabled
- localStorage (for theme preference)
- CSS3 support
- HTML5 support
File: Security-Audit-Report-20250107-143022.html

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Linux Security Audit Report - server01 - 2025-01-07</title>
    <style>
        body { font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif; margin: 20px; }
        .header { text-align: center; margin-bottom: 30px; }
        .stats { display: flex; justify-content: space-around; margin: 20px 0; }
        .stat-box { padding: 20px; border-radius: 5px; text-align: center; }
        table { width: 100%; border-collapse: collapse; }
        th, td { padding: 12px; text-align: left; border-bottom: 1px solid #ddd; }
        .status-pass { color: #28a745; font-weight: bold; }
        .status-fail { color: #dc3545; font-weight: bold; }
        /* ... more styles ... */
    </style>
</head>
<body>
    <div class="header">
        <h1>Linux Security Audit Report</h1>
        <p>Hostname: server01.example.com | Date: 2025-01-07 14:30:22</p>
    </div>
    <div class="stats">
        <div class="stat-box">Total: 1,174</div>
        <div class="stat-box" style="background-color: #d4edda;">Pass: 892</div>
        <div class="stat-box" style="background-color: #f8d7da;">Fail: 156</div>
        <!-- ... more stats ... -->
    </div>
    <div class="controls">
        <button onclick="filterStatus('all')">Show All</button>
        <button onclick="filterStatus('Fail')">Failed Only</button>
        <input type="text" id="searchInput" onkeyup="searchTable()" placeholder="Search...">
        <button onclick="toggleTheme()">Toggle Theme</button>
        <button onclick="exportSelected()">Export Selected</button>
    </div>
    <table id="resultsTable">
        <thead>
            <tr>
                <th><input type="checkbox" onclick="selectAll(this)"></th>
                <th onclick="sortTable(1)">Module ▼</th>
                <th onclick="sortTable(2)">Category ▼</th>
                <th onclick="sortTable(3)">Status ▼</th>
                <th onclick="sortTable(4)">Message ▼</th>
                <th>Details</th>
                <th>Remediation</th>
                <th onclick="sortTable(7)">Timestamp ▼</th>
            </tr>
        </thead>
        <tbody>
            <tr class="status-fail">
                <td><input type="checkbox"></td>
                <td>Core</td>
                <td>SSH Security</td>
                <td class="status-fail">Fail</td>
                <td>Root login is enabled</td>
                <td>SSH configuration allows direct root login which is a security risk</td>
                <td><code>sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd</code></td>
                <td>2025-01-07 14:30:25</td>
            </tr>
            <!-- ... more rows ... -->
        </tbody>
    </table>
    <script>
        function filterStatus(status) { /* ... */ }
        function searchTable() { /* ... */ }
        function sortTable(column) { /* ... */ }
        function toggleTheme() { /* ... */ }
        function exportSelected() { /* ... */ }
        function selectAll(checkbox) { /* ... */ }
    </script>
</body>
</html>
```

## CSV Format

Comma-separated values format suitable for spreadsheet applications and data analysis tools.
```csv
Module,Category,Status,Message,Details,Remediation,Timestamp
Core,SSH Security,Fail,Root login is enabled,SSH configuration allows direct root login,"sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd",2025-01-07 14:30:25
Core,Password Policy,Pass,Password aging is configured,/etc/login.defs contains proper aging settings,,2025-01-07 14:30:26
CIS,Filesystem Configuration,Warning,Separate /tmp partition not found,Consider creating separate partition for /tmp,Create and mount /tmp as separate partition,2025-01-07 14:30:30
```

| Column | Type | Description | Example |
|---|---|---|---|
| Module | String | Security framework name | Core, CIS, NIST |
| Category | String | Specific security area | SSH Security, Password Policy |
| Status | String | Result status | Pass, Fail, Warning, Info, Error |
| Message | String | Brief finding description | Root login is enabled |
| Details | String | Detailed explanation | SSH configuration allows direct root login |
| Remediation | String | Fix command(s) | `sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config` |
| Timestamp | DateTime | Check execution time | 2025-01-07 14:30:25 |
Special characters are handled as follows:
- Fields containing commas are enclosed in double quotes
- Double quotes inside a field are escaped by doubling them (`""`)
- Newlines in data are preserved within quoted fields

Example:

```csv
Module,Message,Details
Core,"SSH, Firewall, Password","Configuration issues found: 1) SSH root login, 2) Firewall disabled"
```

The CSV format is fully compatible with:
- Microsoft Excel 2013+
- Google Sheets
- LibreOffice Calc
- Apple Numbers
Opening in Excel:
- File → Open → Select CSV file
- Excel automatically detects delimiters
- All columns import correctly

Useful formulas (Status is column C in the default column order):

```excel
=COUNTIF(C:C,"Fail")                  // Count failed checks
=COUNTIF(C:C,"Pass")                  // Count passed checks
=COUNTIF(C:C,"Pass")/COUNTA(C:C)*100  // Percentage of passed checks
```
Create pivot table with:
- Rows: Module
- Columns: Status
- Values: Count of Status
Result:

| Module | Pass | Fail | Warning | Info |
|---|---|---|---|---|
| Core | 120 | 15 | 8 | 3 |
| CIS | 156 | 42 | 12 | 5 |
| NIST | 180 | 35 | 18 | 7 |
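As an added example (not part of the project's own code), the following Python script reads an audit CSV using the quoting rules described above and computes the same Module-by-Status pivot without a spreadsheet. The sample rows are constructed for this example; the third row contains a quoted comma and a doubled quote to exercise the escaping rules, and the header and Status values are validated before counting.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the documented column layout. The third row shows the
# quoting rules: a comma inside a quoted field and a doubled quote inside it.
SAMPLE_CSV = """Module,Category,Status,Message,Details,Remediation,Timestamp
Core,SSH Security,Fail,Root login is enabled,SSH configuration allows direct root login,"sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd",2025-01-07 14:30:25
Core,Password Policy,Pass,Password aging is configured,/etc/login.defs contains proper aging settings,,2025-01-07 14:30:26
CIS,Filesystem Configuration,Warning,Separate /tmp partition not found,"Mount options: ""nodev,noexec,nosuid"" missing",Create and mount /tmp as separate partition,2025-01-07 14:30:30
"""

STATUSES = ("Pass", "Fail", "Warning", "Info", "Error")
COLUMNS = ("Module", "Category", "Status", "Message", "Details", "Remediation", "Timestamp")


def read_results(text):
    """Parse audit CSV text into a list of dicts, validating the header and the Status enum."""
    reader = csv.DictReader(io.StringIO(text))
    if tuple(reader.fieldnames or ()) != COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    rows = []
    for lineno, row in enumerate(reader, start=2):
        if row["Status"] not in STATUSES:
            raise ValueError(f"line {lineno}: unknown status {row['Status']!r}")
        rows.append(row)
    return rows


def pivot_by_module(rows):
    """Return {module: {status: count}}, the same shape as the pivot table above."""
    table = defaultdict(Counter)
    for row in rows:
        table[row["Module"]][row["Status"]] += 1
    return {module: dict(counts) for module, counts in table.items()}


def render_pivot(table):
    """Render the pivot as fixed-width text with one column per status."""
    lines = ["{:<10}".format("") + "".join(f"{s:>9}" for s in STATUSES)]
    for module in sorted(table):
        counts = table[module]
        lines.append(f"{module:<10}" + "".join(f"{counts.get(s, 0):>9}" for s in STATUSES))
    return "\n".join(lines)


if __name__ == "__main__":
    results = read_results(SAMPLE_CSV)
    print(render_pivot(pivot_by_module(results)))
```

The `csv` module applies the same quoting rules the report uses (RFC 4180 style), so quoted commas and doubled quotes round-trip without any manual splitting; rejecting an unexpected header up front catches files that were re-saved by a spreadsheet with a different column order.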
File: security-audit-20250107.csv

```csv
Module,Category,Status,Message,Details,Remediation,Timestamp
Core,OS Detection,Pass,Operating System identified,Ubuntu 24.04 LTS (Noble Numbat) detected,,2025-01-07 14:30:22
Core,SSH Security,Fail,Root login is enabled,SSH configuration allows direct root login,"sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd",2025-01-07 14:30:25
Core,Firewall Status,Fail,UFW is not enabled,Firewall (UFW) is inactive,sudo ufw enable && sudo ufw default deny incoming && sudo ufw default allow outgoing,2025-01-07 14:30:26
Core,Password Policy,Pass,Password aging is configured,Password aging settings are properly configured in /etc/login.defs,,2025-01-07 14:30:27
CIS,Filesystem Configuration,Warning,Separate /tmp partition not found,/tmp is not on a separate partition,Create and mount /tmp as a separate partition with nodev noexec nosuid options,2025-01-07 14:30:30
```

## JSON Format

JavaScript Object Notation: a structured data format ideal for APIs, automation, and modern tools.
```json
{
  "execution_info": {
    "hostname": "string",
    "os_version": "string",
    "scan_date": "string",
    "duration": "string",
    "modules_run": ["string"],
    "total_checks": integer,
    "pass_count": integer,
    "fail_count": integer,
    "warning_count": integer,
    "info_count": integer,
    "error_count": integer
  },
  "results": [
    {
      "module": "string",
      "category": "string",
      "status": "string",
      "message": "string",
      "details": "string",
      "remediation": "string",
      "timestamp": "string"
    }
  ]
}
```

File: security-audit-20250107.json
```json
{
  "execution_info": {
    "hostname": "server01.example.com",
    "os_version": "Linux 5.15.0-91-generic",
    "scan_date": "2025-01-07 14:30:22",
    "duration": "0:03:45",
    "modules_run": [
      "CIS",
      "CISA",
      "CORE",
      "ENISA",
      "ISO27001",
      "NIST",
      "NSA",
      "STIG"
    ],
    "total_checks": 1174,
    "pass_count": 892,
    "fail_count": 156,
    "warning_count": 98,
    "info_count": 28,
    "error_count": 0
  },
  "results": [
    {
      "module": "Core",
      "category": "OS Detection",
      "status": "Pass",
      "message": "Operating System identified",
      "details": "Ubuntu 24.04 LTS (Noble Numbat) detected - Debian family",
      "remediation": "",
      "timestamp": "2025-01-07 14:30:22"
    },
    {
      "module": "Core",
      "category": "SSH Security",
      "status": "Fail",
      "message": "Root login is enabled",
      "details": "SSH configuration allows direct root login which is a security risk. Found: PermitRootLogin yes",
      "remediation": "sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd",
      "timestamp": "2025-01-07 14:30:25"
    },
    {
      "module": "Core",
      "category": "Firewall Status",
      "status": "Fail",
      "message": "UFW is not enabled",
      "details": "Firewall (UFW) is inactive. System is vulnerable to network attacks.",
      "remediation": "sudo ufw enable && sudo ufw default deny incoming && sudo ufw default allow outgoing",
      "timestamp": "2025-01-07 14:30:26"
    },
    {
      "module": "CIS",
      "category": "Filesystem Configuration",
      "status": "Warning",
      "message": "Separate /tmp partition not found",
      "details": "/tmp is not on a separate partition. CIS recommends separate partitions for better security isolation.",
      "remediation": "Create and mount /tmp as a separate partition with nodev,noexec,nosuid options",
      "timestamp": "2025-01-07 14:30:30"
    }
  ]
}
```

| Field | Type | Nullable | Description |
|---|---|---|---|
| execution_info | Object | No | Metadata about the audit execution |
| execution_info.hostname | String | No | System hostname |
| execution_info.os_version | String | No | Operating system and kernel version |
| execution_info.scan_date | String | No | ISO 8601 datetime |
| execution_info.duration | String | No | Execution time (HH:MM:SS) |
| execution_info.modules_run | Array[String] | No | List of executed modules |
| execution_info.total_checks | Integer | No | Total number of checks performed |
| execution_info.*_count | Integer | No | Count by status type |
| results | Array[Object] | No | Array of check results |
| results[].module | String | No | Security framework name |
| results[].category | String | No | Security area |
| results[].status | String | No | Pass/Fail/Warning/Info/Error |
| results[].message | String | No | Brief description |
| results[].details | String | Yes | Detailed explanation (can be empty) |
| results[].remediation | String | Yes | Fix command (can be empty for Pass) |
| results[].timestamp | String | No | ISO 8601 datetime |
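As an added example, not part of the project's code, the following Python validator checks a JSON report against the field table above: every required result field is a non-empty string, `status` is one of the five documented values, `details` and `remediation` are strings when present, a `Fail` carries a remediation, and the `total_checks` and `*_count` fields agree with the `results` array. It also builds a filtered document of the same shape. The sample document is constructed for this example.

```python
import json
from collections import Counter

STATUSES = {"Pass", "Fail", "Warning", "Info", "Error"}
REQUIRED_RESULT_FIELDS = ("module", "category", "status", "message", "timestamp")
OPTIONAL_RESULT_FIELDS = ("details", "remediation")
# execution_info counter -> the status it is supposed to count
COUNT_FIELDS = {"pass_count": "Pass", "fail_count": "Fail", "warning_count": "Warning",
                "info_count": "Info", "error_count": "Error"}

# Constructed sample document in the documented layout (three results).
SAMPLE_JSON = """{
  "execution_info": {
    "hostname": "server01.example.com",
    "os_version": "Linux 5.15.0-91-generic",
    "scan_date": "2025-01-07 14:30:22",
    "duration": "0:03:45",
    "modules_run": ["CORE", "CIS"],
    "total_checks": 3,
    "pass_count": 1, "fail_count": 1, "warning_count": 1, "info_count": 0, "error_count": 0
  },
  "results": [
    {"module": "Core", "category": "OS Detection", "status": "Pass",
     "message": "Operating System identified", "details": "Ubuntu 24.04 LTS detected",
     "remediation": "", "timestamp": "2025-01-07 14:30:22"},
    {"module": "Core", "category": "SSH Security", "status": "Fail",
     "message": "Root login is enabled", "details": "Found: PermitRootLogin yes",
     "remediation": "sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd",
     "timestamp": "2025-01-07 14:30:25"},
    {"module": "CIS", "category": "Filesystem Configuration", "status": "Warning",
     "message": "Separate /tmp partition not found", "details": "",
     "remediation": "Create and mount /tmp as a separate partition", "timestamp": "2025-01-07 14:30:30"}
  ]
}"""


def validate_audit(doc):
    """Return a list of problems; an empty list means the document matches the field table."""
    problems = []
    info = doc.get("execution_info")
    results = doc.get("results")
    if not isinstance(info, dict):
        return ["execution_info missing or not an object"]
    if not isinstance(results, list):
        return ["results missing or not an array"]
    for i, r in enumerate(results):
        for f in REQUIRED_RESULT_FIELDS:
            if not isinstance(r.get(f), str) or not r[f]:
                problems.append(f"results[{i}].{f} missing or empty")
        for f in OPTIONAL_RESULT_FIELDS:
            if f in r and not isinstance(r[f], str):
                problems.append(f"results[{i}].{f} must be a string")
        if r.get("status") not in STATUSES:
            problems.append(f"results[{i}].status {r.get('status')!r} not in {sorted(STATUSES)}")
        # A Fail without a remediation cannot be acted on by selective remediation.
        if r.get("status") == "Fail" and not r.get("remediation"):
            problems.append(f"results[{i}] is Fail but has no remediation")
    # The summary counters must agree with the results array.
    actual = Counter(r.get("status") for r in results)
    if info.get("total_checks") != len(results):
        problems.append(f"total_checks={info.get('total_checks')} but {len(results)} results")
    for field, status in COUNT_FIELDS.items():
        if info.get(field) != actual.get(status, 0):
            problems.append(f"{field}={info.get(field)} but counted {actual.get(status, 0)}")
    return problems


def select_results(doc, modules=None, statuses=("Fail",)):
    """Build a document of the same shape that holds only the chosen results."""
    chosen = [r for r in doc["results"]
              if r["status"] in statuses and (modules is None or r["module"] in modules)]
    return {"execution_info": {"hostname": doc["execution_info"]["hostname"],
                               "scan_date": doc["execution_info"]["scan_date"]},
            "results": chosen}


if __name__ == "__main__":
    audit = json.loads(SAMPLE_JSON)
    print("problems:", validate_audit(audit) or "none")
    print(json.dumps(select_results(audit, modules={"Core"}), indent=2))
```

Validating before automation matters because the `*_count` fields are the only summary a SIEM dashboard sees; a report whose counters disagree with its `results` array (for example one edited by hand) is caught here rather than after it has been ingested.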
### Processing JSON with Python

```python
import json
from collections import defaultdict

# Load JSON file
with open('security-audit-20250107.json', 'r') as f:
    audit_data = json.load(f)

# Get summary statistics
print(f"Total Checks: {audit_data['execution_info']['total_checks']}")
print(f"Failed: {audit_data['execution_info']['fail_count']}")

# Filter failed checks
failed_checks = [r for r in audit_data['results'] if r['status'] == 'Fail']

# Group by module
by_module = defaultdict(list)
for result in failed_checks:
    by_module[result['module']].append(result)

# Print failed checks by module
for module, checks in by_module.items():
    print(f"\n{module}: {len(checks)} failures")
    for check in checks:
        print(f"  - {check['category']}: {check['message']}")
```

### Processing JSON with jq

```bash
# Count failed checks
jq '.execution_info.fail_count' security-audit-20250107.json
# List all failed check messages
jq '.results[] | select(.status=="Fail") | .message' security-audit-20250107.json
# Get remediation commands for failed checks
jq '.results[] | select(.status=="Fail") | .remediation' security-audit-20250107.json
# Count issues by module
jq '.results | group_by(.module) | map({module: .[0].module, count: length})' security-audit-20250107.json
# Export only Core module failures
jq '{execution_info, results: [.results[] | select(.module=="Core" and .status=="Fail")]}' security-audit-20250107.json
```

### Processing JSON with JavaScript

```javascript
// Fetch audit data
fetch('https://api.example.com/audit/latest')
  .then(response => response.json())
  .then(data => {
    // Display summary
    console.log(`Total: ${data.execution_info.total_checks}`);
    console.log(`Failed: ${data.execution_info.fail_count}`);

    // Filter critical issues
    const critical = data.results.filter(r => r.status === 'Fail');

    // Send alerts (sendAlert is the integration's own alerting hook)
    critical.forEach(issue => {
      sendAlert({
        severity: 'high',
        title: `${issue.module} - ${issue.category}`,
        message: issue.message,
        remediation: issue.remediation
      });
    });
  });
```

### Selective Remediation Export

When exporting selected issues from the HTML report, the JSON structure is identical but contains only the selected results:
```json
{
  "execution_info": {
    "hostname": "server01.example.com",
    "scan_date": "2025-01-07 14:30:22"
  },
  "results": [
    {
      "module": "Core",
      "category": "SSH Security",
      "status": "Fail",
      "message": "Root login is enabled",
      "details": "SSH configuration allows direct root login",
      "remediation": "sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd",
      "timestamp": "2025-01-07 14:30:25"
    }
  ]
}
```

This format is used with:

```bash
sudo python3 linux_security_audit.py --auto-remediate --remediation-file Selected-Report-20250107-143022.json
```

## XML Format

Extensible Markup Language format for enterprise tools, legacy systems, and SIEM integration.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<security_audit>
  <execution_info>
    <hostname>string</hostname>
    <os_version>string</os_version>
    <scan_date>string</scan_date>
    <duration>string</duration>
    <modules_run>
      <module>string</module>
    </modules_run>
    <total_checks>integer</total_checks>
    <pass_count>integer</pass_count>
    <fail_count>integer</fail_count>
    <warning_count>integer</warning_count>
    <info_count>integer</info_count>
    <error_count>integer</error_count>
  </execution_info>
  <results>
    <r>
      <module>string</module>
      <category>string</category>
      <status>string</status>
      <message>string</message>
      <details>string</details>
      <remediation>string</remediation>
      <timestamp>string</timestamp>
    </r>
  </results>
</security_audit>
```

File: security-audit-20250107.xml
```xml
<?xml version="1.0" encoding="UTF-8"?>
<security_audit>
  <execution_info>
    <hostname>server01.example.com</hostname>
    <os_version>Linux 5.15.0-91-generic</os_version>
    <scan_date>2025-01-07 14:30:22</scan_date>
    <duration>0:03:45</duration>
    <modules_run>
      <module>CIS</module>
      <module>CISA</module>
      <module>CORE</module>
      <module>ENISA</module>
      <module>ISO27001</module>
      <module>NIST</module>
      <module>NSA</module>
      <module>STIG</module>
    </modules_run>
    <total_checks>1174</total_checks>
    <pass_count>892</pass_count>
    <fail_count>156</fail_count>
    <warning_count>98</warning_count>
    <info_count>28</info_count>
    <error_count>0</error_count>
  </execution_info>
  <results>
    <r>
      <module>Core</module>
      <category>OS Detection</category>
      <status>Pass</status>
      <message>Operating System identified</message>
      <details>Ubuntu 24.04 LTS (Noble Numbat) detected - Debian family</details>
      <remediation></remediation>
      <timestamp>2025-01-07 14:30:22</timestamp>
    </r>
    <r>
      <module>Core</module>
      <category>SSH Security</category>
      <status>Fail</status>
      <message>Root login is enabled</message>
      <details>SSH configuration allows direct root login which is a security risk. Found: PermitRootLogin yes</details>
      <remediation>sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config &amp;&amp; systemctl restart sshd</remediation>
      <timestamp>2025-01-07 14:30:25</timestamp>
    </r>
    <r>
      <module>CIS</module>
      <category>Filesystem Configuration</category>
      <status>Warning</status>
      <message>Separate /tmp partition not found</message>
      <details>/tmp is not on a separate partition. CIS recommends separate partitions for better security isolation.</details>
      <remediation>Create and mount /tmp as a separate partition with nodev,noexec,nosuid options</remediation>
      <timestamp>2025-01-07 14:30:30</timestamp>
    </r>
  </results>
</security_audit>
```

Note that the `&&` in the remediation command is stored as `&amp;&amp;` in the file; a raw `&` would make the document ill-formed. XML entities are automatically escaped:
- `&` → `&amp;`
- `<` → `&lt;`
- `>` → `&gt;`
- `"` → `&quot;`
- `'` → `&apos;`
### Processing XML with Python

```python
import xml.etree.ElementTree as ET

# Parse XML file
tree = ET.parse('security-audit-20250107.xml')
root = tree.getroot()

# Get execution info
exec_info = root.find('execution_info')
print(f"Hostname: {exec_info.find('hostname').text}")
print(f"Total Checks: {exec_info.find('total_checks').text}")
print(f"Failed: {exec_info.find('fail_count').text}")

# Iterate through results
for result in root.find('results'):
    status = result.find('status').text
    if status == 'Fail':
        module = result.find('module').text
        message = result.find('message').text
        print(f"{module}: {message}")
```

### XPath Queries

```xpath
<!-- Count failed checks -->
count(//r[status='Fail'])
<!-- Get all SSH-related issues -->
//r[contains(category, 'SSH')]
<!-- Get remediation commands for failed checks -->
//r[status='Fail']/remediation/text()
<!-- List each distinct module name once (iterate over these to count issues per module) -->
//r/module[not(.=preceding::module)]/text()
```
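The escaping rules and the XPath queries above, as an added Python example that is not part of the project: it builds a `<security_audit>` document with ElementTree, which escapes `&`, `<` and `>` in text automatically so that a remediation containing `&&` is written as `&amp;&amp;`, and then runs the equivalent of `//r[status='Fail']/remediation/text()` plus a per-status count using ElementTree's limited path syntax (it has no `count()`, so `len(findall(...))` stands in). The result records are constructed for this example.

```python
import xml.etree.ElementTree as ET

FIELDS = ("module", "category", "status", "message", "details", "remediation", "timestamp")
STATUSES = ("Pass", "Fail", "Warning", "Info", "Error")

# Constructed results. The remediation contains "&&" and the second details
# field contains "<", ">" and quotes, all of which must survive serialisation.
SAMPLE_RESULTS = [
    {"module": "Core", "category": "SSH Security", "status": "Fail",
     "message": "Root login is enabled",
     "details": "Found: PermitRootLogin yes",
     "remediation": "sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd",
     "timestamp": "2025-01-07 14:30:25"},
    {"module": "CIS", "category": "Filesystem Configuration", "status": "Warning",
     "message": "Separate /tmp partition not found",
     "details": "Expected mount options <nodev,noexec,nosuid> on \"/tmp\"",
     "remediation": "",
     "timestamp": "2025-01-07 14:30:30"},
]


def build_xml(hostname, results):
    """Serialise results in the documented <security_audit> layout.

    ElementTree escapes &, < and > in text nodes, so no manual escaping is needed."""
    root = ET.Element("security_audit")
    info = ET.SubElement(root, "execution_info")
    ET.SubElement(info, "hostname").text = hostname
    ET.SubElement(info, "total_checks").text = str(len(results))
    container = ET.SubElement(root, "results")
    for r in results:
        node = ET.SubElement(container, "r")
        for field in FIELDS:
            ET.SubElement(node, field).text = r.get(field, "")
    return ET.tostring(root, encoding="unicode")


def failed_remediations(xml_text):
    """Equivalent of //r[status='Fail']/remediation/text()."""
    root = ET.fromstring(xml_text)
    return [n.text or "" for n in root.findall("./results/r[status='Fail']/remediation")]


def count_by_status(xml_text):
    """Equivalent of count(//r[status='X']) for every documented status."""
    root = ET.fromstring(xml_text)
    return {s: len(root.findall(f"./results/r[status='{s}']")) for s in STATUSES}


def round_trip_details(xml_text):
    """Read back the details text to show that escaped characters are restored on parse."""
    root = ET.fromstring(xml_text)
    return [n.text or "" for n in root.findall("./results/r/details")]


if __name__ == "__main__":
    doc = build_xml("server01.example.com", SAMPLE_RESULTS)
    print(doc)
    print(failed_remediations(doc))
    print(count_by_status(doc))
```

Because the parser unescapes entities, the remediation string read back equals the original command byte for byte; the escaping is purely a transport concern, which is why the XPath queries can match on the plain `Fail` text.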
Upload XML to Splunk using HTTP Event Collector:

```bash
curl -X POST https://splunk.example.com:8088/services/collector \
  -H "Authorization: Splunk YOUR-TOKEN" \
  -d @security-audit-20250107.xml
```

Configure QRadar to ingest XML files from a network share:

```bash
# Copy XML to QRadar intake directory
scp security-audit-20250107.xml admin@qradar:/store/intake/
```

## Console Output

Real-time terminal output with ANSI color coding for immediate visual feedback.
```text
====================================================================================================
Linux Security Audit Script v1.1
====================================================================================================
[*] Checking prerequisites...
[+] Running as: ROOT (Full Access)
[+] Python version: 3.10.12
[+] All prerequisites met
[*] Discovering security modules...
[+] Found 8 modules: CIS, CISA, CORE, ENISA, ISO27001, NIST, NSA, STIG
[*] Modules to execute: CIS, CISA, CORE, ENISA, ISO27001, NIST, NSA, STIG
[*] Executing module: CORE
[PASS] Core - OS Detection: Operating System identified
[FAIL] Core - SSH Security: Root login is enabled
[FAIL] Core - Firewall Status: UFW is not enabled
[PASS] Core - Password Policy: Password aging is configured
[WARNING] Core - System Updates: Security updates available
...
[+] Module CORE completed: 150 checks
====================================================================================================
AUDIT SUMMARY
====================================================================================================
Execution Mode: ROOT (Full Access)
Total Checks: 1174
Passed: 892
Failed: 156
Warnings: 98
Info: 28
Errors: 0
Duration: 0:03:45
====================================================================================================
[+] Audit completed successfully!
[*] GitHub: https://github.com/Sandler73/Linux-Security-Audit-Project.git
```
| Status | Color | ANSI Code | Visual Indicator |
|---|---|---|---|
| Pass | Green | `\033[92m` | ✓ or [PASS] |
| Fail | Red | `\033[91m` | ✗ or [FAIL] |
| Warning | Yellow | `\033[93m` | ⚠ or [WARNING] |
| Info | Cyan | `\033[96m` | ℹ or [INFO] |
| Error | Magenta | `\033[95m` | ! or [ERROR] |
| Header | Cyan | `\033[96m` | [*] |
| Success | Green | `\033[92m` | [+] |
| Notice | Yellow | `\033[93m` | [!] |
```text
====================================================================================================
Linux Security Audit Script v1.1
====================================================================================================
[*] Checking prerequisites...
[+] Running as: ROOT (Full Access)
[+] Python version: 3.10.12
[+] All prerequisites met
[*] Discovering security modules...
[+] Found 8 modules: CIS, CISA, CORE, ENISA, ISO27001, NIST, NSA, STIG
[*] Executing module: CORE
[PASS] Core - OS Detection: Operating System identified
[FAIL] Core - SSH Security: Root login is enabled
...
[+] Module CORE completed: 150 checks
====================================================================================================
AUDIT SUMMARY
====================================================================================================
Execution Mode: ROOT (Full Access)
Total Checks: 1174
Passed: 892
Failed: 156
Warnings: 98
Info: 28
Errors: 0
Duration: 0:03:45
====================================================================================================
```
Saving console output to a file:

```bash
# Redirect all output (stdout and stderr)
sudo python3 linux_security_audit.py -f Console > audit-$(date +%Y%m%d).txt 2>&1
# Redirect only stdout
sudo python3 linux_security_audit.py -f Console > audit-$(date +%Y%m%d).txt
# View while saving (tee)
sudo python3 linux_security_audit.py -f Console | tee audit-$(date +%Y%m%d).txt
```

Removing ANSI escape codes from saved output:

```bash
# Using sed
sudo python3 linux_security_audit.py -f Console | sed 's/\x1B\[[0-9;]*[JKmsu]//g' > audit-clean.txt
# Using ansi2txt (if available)
sudo python3 linux_security_audit.py -f Console | ansi2txt > audit-clean.txt
```

Full Color Support:
- Linux terminal emulators (GNOME Terminal, Konsole, xterm)
- macOS Terminal.app
- iTerm2
- Windows Terminal
- WSL terminals
Limited/No Color Support:
- Old terminal emulators
- Serial consoles
- Some SSH clients with color disabled
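As an added example (not from the project), the following Python parser strips ANSI escapes with the same pattern as the `sed` command above and turns `[PASS]`, `[FAIL]`, `[WARNING]`, `[INFO]` and `[ERROR]` lines into structured records with a per-status count. This is useful when a run was only captured as console output and no JSON or CSV file exists. The lines are constructed; their escape sequences are the ANSI codes from the color table above.

```python
import re
from collections import Counter

# Same pattern as the sed command used to clean saved output.
ANSI_RE = re.compile(r"\x1B\[[0-9;]*[JKmsu]")
# "[STATUS] Module - Category: Message"; module stops at the first " - ",
# category at the first ":", so a message may itself contain colons.
LINE_RE = re.compile(
    r"^\[(?P<status>PASS|FAIL|WARNING|INFO|ERROR)\]\s+"
    r"(?P<module>[^-]+?)\s+-\s+(?P<category>[^:]+?):\s+(?P<message>.*)$"
)

# Constructed lines carrying the colour escapes the script emits
# (cyan header, green pass/success, red fail, yellow warning, reset).
SAMPLE_LINES = [
    "\x1b[96m[*] Executing module: CORE\x1b[0m",
    "\x1b[92m[PASS]\x1b[0m Core - OS Detection: Operating System identified",
    "\x1b[91m[FAIL]\x1b[0m Core - SSH Security: Root login is enabled",
    "\x1b[91m[FAIL]\x1b[0m Core - Firewall Status: UFW is not enabled",
    "\x1b[93m[WARNING]\x1b[0m Core - System Updates: Security updates available",
    "\x1b[92m[+] Module CORE completed: 150 checks\x1b[0m",
]


def strip_ansi(line):
    """Remove CSI colour/cursor sequences, leaving the plain text."""
    return ANSI_RE.sub("", line)


def parse_result_lines(lines):
    """Return (records, counts): one dict per check line and a Counter keyed by status tag.

    Progress lines ([*], [+], [!]) are not check results and are skipped."""
    records, counts = [], Counter()
    for raw in lines:
        match = LINE_RE.match(strip_ansi(raw).rstrip())
        if not match:
            continue
        record = match.groupdict()
        records.append(record)
        counts[record["status"]] += 1
    return records, counts


if __name__ == "__main__":
    recs, totals = parse_result_lines(SAMPLE_LINES)
    for rec in recs:
        print(f"{rec['status']:8} {rec['module']} / {rec['category']}: {rec['message']}")
    print(dict(totals))
```

The status tags are anchored to the start of the cleaned line, so colourised prefixes are handled identically whether or not the terminal emitted escapes, and a `[FAIL]` string appearing inside a message cannot be counted as a result.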
## Data Field Definitions

### Module

Type: String
Values: Core, CIS, CISA, ENISA, ISO27001, NIST, NSA, STIG
Description: Security framework or standard being evaluated
Examples:
- `Core` - Core security baseline assessment
- `CIS` - Center for Internet Security Benchmarks
- `NIST` - NIST 800-53, CSF 2.0, 800-171 controls

### Category

Type: String
Description: Specific security area or control family within the module
Examples:
- `SSH Security` - SSH daemon configuration
- `Password Policy` - Password requirements and aging
- `Filesystem Configuration` - Filesystem mount options and partitioning
- `Network Configuration` - Network stack and firewall settings
- `Audit Configuration` - System auditing and logging

### Status

Type: String (Enum)
Values: Pass, Fail, Warning, Info, Error
Description: Result of the security check
See the Status Codes section for detailed definitions.

### Message

Type: String
Description: Brief, human-readable description of the finding (typically one sentence)
Examples:
- `Root login is enabled`
- `Password aging is configured`
- `UFW is not enabled`
- `Separate /tmp partition not found`

### Details

Type: String (Optional)
Description: Detailed explanation of the finding, including context and impact
Examples:
- `SSH configuration allows direct root login which is a security risk. Found: PermitRootLogin yes in /etc/ssh/sshd_config`
- `Password aging settings are properly configured in /etc/login.defs: PASS_MAX_DAYS=90, PASS_MIN_DAYS=7, PASS_WARN_AGE=14`
- `Firewall (UFW) is inactive. System is vulnerable to network attacks. No iptables rules configured.`

### Remediation

Type: String (Optional)
Description: Command(s) to fix the issue (empty for Pass status)
Format: Shell command(s), typically using `&&` for command chaining
Examples:
- `sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && systemctl restart sshd`
- `sudo ufw enable && sudo ufw default deny incoming && sudo ufw default allow outgoing`
- `apt-get update && apt-get upgrade -y`
Multi-line Commands: Complex remediations may include multiple steps separated by `&&` or `;`

### Timestamp

Type: String (ISO 8601)
Format: YYYY-MM-DD HH:MM:SS
Description: Date and time when the check was performed. Note that the date and time are separated by a space rather than the ISO 8601 `T`; parsers that insist on strict ISO 8601 input need to replace the space before parsing.
Examples:
- `2025-01-07 14:30:22`
- `2025-01-07 14:30:25`
## Status Codes

### Pass

Meaning: Security check passed successfully
Color: Green
Action Required: None
Interpretation: The system meets the security requirement for this check.
Examples:
- Password aging is properly configured
- SSH root login is disabled
- Firewall is enabled and configured
- System is up to date
### Fail

Meaning: Critical security vulnerability or misconfiguration detected
Color: Red
Action Required: Immediate remediation recommended
Interpretation: The system has a security weakness that should be addressed.
Examples:
- SSH allows root login
- Firewall is disabled
- Weak password policy
- Critical security updates missing
Priority: High - Address as soon as possible
### Warning

Meaning: Potential security concern or best practice violation
Color: Yellow
Action Required: Review and consider remediation
Interpretation: The system configuration could be improved for better security posture.
Examples:
- /tmp not on separate partition
- Unnecessary services running
- Logging verbosity could be increased
- Security-related packages not installed
Priority: Medium - Schedule remediation during maintenance window
### Info

Meaning: Informational finding about system configuration
Color: Cyan
Action Required: Awareness only
Interpretation: Configuration information that may be useful for security awareness.
Examples:
- System has 5 security updates available
- Specific kernel version detected
- Package versions for awareness
- Configuration details for documentation
Priority: Low - No immediate action needed
### Error

Meaning: Check could not be completed
Color: Magenta
Action Required: Investigate
Interpretation: The check failed to execute, possibly due to permissions, missing files, or system issues.
Examples:
- Permission denied reading configuration file
- Required command not found
- File does not exist
- Service is not installed
Priority: Varies - May indicate missing root privileges or system issues
Common Causes:
- Running without root/sudo (most common)
- Missing system packages
- Unusual system configuration
- File system issues
## File Naming Conventions

When no output path is specified, files are automatically named:
- HTML: `Security-Audit-Report-YYYYMMDD-HHMMSS.html` (example: `Security-Audit-Report-20250107-143022.html`)
- CSV: `Security-Audit-Report-YYYYMMDD-HHMMSS.csv` (example: `Security-Audit-Report-20250107-143022.csv`)
- JSON: `Security-Audit-Report-YYYYMMDD-HHMMSS.json` (example: `Security-Audit-Report-20250107-143022.json`)
- XML: `Security-Audit-Report-YYYYMMDD-HHMMSS.xml` (example: `Security-Audit-Report-20250107-143022.xml`)

When exporting selected issues from the HTML report:
- `Selected-Report-YYYYMMDD-HHMMSS.json` (example: `Selected-Report-20250107-143022.json`)
Custom file names can be built with the `-o` option:

```bash
# Hostname and date in the name; result: server01-audit-20250107.html
sudo python3 linux_security_audit.py -o $(hostname)-audit-$(date +%Y%m%d).html
# Selected modules; result: cis-nist-audit-20250107.html
sudo python3 linux_security_audit.py -m CIS,NIST -o cis-nist-audit-$(date +%Y%m%d).html
# Monthly compliance run; result: fedramp-compliance-202501.html
sudo python3 linux_security_audit.py -m STIG -o fedramp-compliance-$(date +%Y%m).html
# Fixed baseline name; result: audit-v1.0-baseline.html
sudo python3 linux_security_audit.py -o audit-v1.0-baseline.html
```
All generated files are created with secure permissions:
- Mode: `600` (`rw-------`)
- Owner: `SUDO_USER` (when run with sudo) or the current user
- Group: the user's primary group

This ensures only the user can read sensitive security information.
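An added example, not the project's own code, showing one way to enforce these permissions when writing a report from Python: the file is created with `O_EXCL` so an existing file or symlink at that path is never followed or overwritten, the `600` mode is applied at creation time rather than by a later `chmod` (which would leave a window in which the report is world-readable under a permissive umask), and ownership is handed to `SUDO_USER` when the script runs as root under sudo. The `demo()` function writes into a temporary directory.

```python
import os
import pwd
import stat
import tempfile


def write_report_securely(path, content):
    """Create `path` with mode 600 and write `content`; return the resulting mode bits.

    O_EXCL makes the call fail if anything already exists at `path`, so a
    pre-placed symlink cannot redirect the write elsewhere."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(path, flags, 0o600)  # mode applied at creation, subject to umask only
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(content)
    except Exception:
        os.unlink(path)
        raise
    # When run via sudo, give the file back to the invoking user and their primary group.
    sudo_user = os.environ.get("SUDO_USER")
    if sudo_user and os.geteuid() == 0:
        try:
            pw = pwd.getpwnam(sudo_user)
        except KeyError:
            pw = None  # unknown SUDO_USER: leave the file owned by root
        if pw is not None:
            os.chown(path, pw.pw_uid, pw.pw_gid)
    return report_mode(path)


def report_mode(path):
    """Permission bits of `path` (expected 0o600); lstat so a symlink is not followed."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Write a sample report into a fresh temp directory and report what was enforced."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Security-Audit-Report-20250107-143022.json")
        mode = write_report_securely(path, '{"results": []}\n')
        try:
            write_report_securely(path, "overwrite attempt")
            refused = False
        except FileExistsError:
            refused = True
        return mode, refused


if __name__ == "__main__":
    print("mode=%o, second write refused=%s" % demo())
```

Returning the mode from the writer lets a caller assert the permissions it expects before printing the output path, which is the check worth keeping in any automation that stores these reports on a shared host.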
- Usage Guide: How to generate different output formats
- Module Documentation: Details on what each module checks
- Development Guide: Creating custom output processors
- Troubleshooting: Common output issues and solutions