A Python security automation tool that performs basic read-only Linux hardening checks and generates multiple report formats for IT, Security, SOC, SIEM, and compliance workflows.
- Collect operating system information
- Check SSH root login configuration
- Check SSH password authentication configuration
- Check firewall status
- List open listening ports
- Identify sudo group users
- Check for world-writable files in
/tmp - Check package update status
- Calculate an overall risk score
- Assign an overall risk level
- Run selected checks only
- Generate CSV reports
- Generate TXT summary reports
- Generate JSON reports
- Generate structured security findings
- Generate NDJSON events for SIEM-style ingestion
- Generate HTML reports
- Print suggested remediation actions without applying changes
- Run from the command line
- Includes unit tests
- Includes GitHub Actions workflow
python-linux-hardening-auditor/
├── .github/
│ └── workflows/
│ └── python-check.yml
├── docs/
│ ├── screenshots/
│ │ └── .gitkeep
│ ├── audit-checks.md
│ ├── cis-style-categories.md
│ └── project-notes.md
├── reports/
│ └── .gitkeep
├── sample_outputs/
│ ├── linux_hardening_summary_example.txt
│ ├── linux_hardening_report_example.json
│ ├── findings_example.json
│ ├── events_example.ndjson
│ └── linux_hardening_report_example.html
├── src/
│ └── linux_auditor.py
├── tests/
│ └── test_risk_score.py
├── README.md
├── requirements.txt
└── .gitignore
This tool is read-only.
It does not:
- Modify SSH settings
- Enable or disable firewall rules
- Modify users
- Close ports
- Delete files
- Apply hardening automatically
It only checks and reports.
The suggest-remediation mode prints recommended actions but does not apply changes.
This tool is designed for Linux systems.
Recommended test environments:
- WSL Ubuntu
- Ubuntu VM
- Kali VM
- Linux lab machine
- Test server
The tool can run on Windows, but some Linux-specific checks may be skipped or unavailable.
No external dependencies are required.
This project uses only Python standard library modules.
pip install -r requirements.txtRun the auditor from the project root:
python src/linux_auditor.pyOn Linux systems where Python 3 is invoked as python3, use:
python3 src/linux_auditor.pyRun all checks and generate all report formats:
python src/linux_auditor.py --output reports --format allRun selected checks only:
python src/linux_auditor.py --checks os,ssh,firewall --output reports --format allGenerate only JSON reports:
python src/linux_auditor.py --format json --output reportsGenerate only HTML report:
python src/linux_auditor.py --format html --output reportsPrint suggested remediation actions without applying changes:
python src/linux_auditor.py --mode suggest-remediation --output reports --format txt| Option | Description | Example |
|---|---|---|
--output |
Output directory for generated reports | --output reports |
--format |
Report format to generate: all, csv, txt, json, ndjson, html |
--format json |
--checks |
Comma-separated list of checks to run | --checks os,ssh,firewall |
--mode |
Run mode: audit or suggest-remediation |
--mode suggest-remediation |
The tool supports the following check names:
os
ssh
firewall
ports
sudo
tmp
updates
Example:
python src/linux_auditor.py --checks os,ssh,firewallThe tool currently performs the following checks:
| Check | Category | Purpose |
|---|---|---|
| Operating System | System Information | Collects OS, kernel, architecture, and hostname information |
| SSH Root Login | SSH Hardening | Checks whether direct SSH root login appears disabled |
| SSH Password Authentication | SSH Hardening | Checks whether SSH password authentication appears disabled |
| Firewall Status | Network Security | Checks UFW firewall status |
| Open Ports | Network Exposure | Lists listening TCP/UDP services using ss or netstat |
| Sudo Users | User Privileges | Lists users in the sudo group |
World-Writable Files in /tmp |
File Permissions | Checks for world-writable files in /tmp |
| Package Update Status | Patch Management | Checks whether package updates may be available |
More details are available in:
docs/audit-checks.md
docs/cis-style-categories.md
The tool calculates an overall risk score based on findings:
High = 10 points
Medium = 5 points
Low = 2 points
Info = 0 points
Risk level logic:
0-7 = Low
8-19 = Medium
20+ = High
The risk score appears in:
linux_hardening_summary.txt
linux_hardening_report.json
linux_hardening_report.html
console output
The script generates the following files locally inside the reports/ folder:
linux_hardening_report.csv
linux_hardening_summary.txt
linux_hardening_report.json
findings.json
events.ndjson
linux_hardening_report.html
These generated report files are ignored by Git and should not be committed to the repository.
linux_hardening_report.csv
Used for spreadsheet-based review, filtering, sorting, and manual analysis.
linux_hardening_summary.txt
Used for a human-readable summary of the audit results.
linux_hardening_report.json
Used for automation, dashboards, APIs, or integration with other tools.
findings.json
Used to represent security findings in a structured format.
Each finding includes:
- Finding ID
- Check name
- Category
- Status
- Severity
- Details
- Recommendation
events.ndjson
Used for SIEM-style event ingestion.
Each line is a separate JSON event.
linux_hardening_report.html
Used for a browser-readable report with summary information and detailed checks.
============================================================
Linux Security Hardening Auditor
============================================================
Risk Score: 7
Risk Level: Low
============================================================
INFO | Info | System Information | Operating System
SKIPPED | Info | SSH Hardening | SSH Configuration
SKIPPED | Info | Network Security | Firewall Status
SKIPPED | Info | Network Exposure | Open Ports
SKIPPED | Info | User Privileges | Sudo Users
PASS | Low | File Permissions | World-Writable Files in /tmp
PASS | Low | Patch Management | Package Update Status
============================================================
CSV report created: reports/linux_hardening_report.csv
TXT summary created: reports/linux_hardening_summary.txt
JSON report created: reports/linux_hardening_report.json
Findings JSON created: reports/findings.json
NDJSON events created: reports/events.ndjson
HTML report created: reports/linux_hardening_report.html
{
"tool_name": "Python Linux Hardening Auditor",
"report_type": "linux_security_hardening_audit",
"generated_at": "2026-06-18T13:00:00+00:00",
"host": "ubuntu-lab",
"platform": {
"system": "Linux",
"release": "6.5.0",
"machine": "x86_64"
},
"risk": {
"score": 17,
"level": "Medium"
},
"summary": {
"total_checks": 7,
"pass": 2,
"fail": 1,
"info": 2,
"skipped": 2,
"high": 1,
"medium": 1,
"low": 2,
"info_severity": 3
},
"checks": []
}{
"id": "FINDING-001",
"name": "SSH Root Login",
"category": "SSH Hardening",
"severity": "High",
"status": "FAIL",
"details": "Root login over SSH may not be disabled.",
"recommendation": "Set 'PermitRootLogin no' in /etc/ssh/sshd_config."
}{"timestamp":"2026-06-18T13:00:00+00:00","event_type":"linux_hardening_check","host":"ubuntu-lab","category":"SSH Hardening","check_name":"SSH Root Login","status":"FAIL","severity":"High","message":"SSH Root Login returned FAIL with severity High.","recommendation":"Set 'PermitRootLogin no' in /etc/ssh/sshd_config."}Additional documentation is stored in the docs/ folder:
docs/audit-checks.md
docs/project-notes.md
docs/cis-style-categories.md
docs/screenshots/
The sample_outputs/ folder contains selected example output files that can be safely shared in the repository.
Generated reports are created locally under reports/ and are ignored by Git.
Example files:
sample_outputs/linux_hardening_summary_example.txt
sample_outputs/linux_hardening_report_example.json
sample_outputs/findings_example.json
sample_outputs/events_example.ndjson
sample_outputs/linux_hardening_report_example.html
This project generates multiple output formats commonly used in security operations:
- CSV for spreadsheet-based review
- TXT for human-readable summaries
- JSON for automation, dashboards, and APIs
findings.jsonfor structured security findingsevents.ndjsonfor SIEM/log ingestion workflows- HTML for browser-readable reporting
This project includes a GitHub Actions workflow that:
- Checks Python syntax
- Runs unit tests
- Runs the auditor on an Ubuntu runner
Workflow file:
.github/workflows/python-check.yml
Run unit tests locally:
python -m unittest discover -s testsThe current tests cover:
- Risk score calculation
- Overall risk level classification
No external dependencies are required.
This project uses only Python standard library modules:
- argparse
- csv
- html
- json
- platform
- subprocess
- datetime
- pathlib
- unittest
- Python automation
- Linux security basics
- Linux hardening checks
- Safe read-only command execution
- SSH configuration review
- Firewall status review
- Open port review
- Sudo user review
- File permission review
- Patch management awareness
- Risk scoring
- Command-line arguments with
argparse - CSV report generation
- TXT summary generation
- JSON report generation
- NDJSON event generation
- HTML report generation
- Structured findings
- Unit testing
- GitHub Actions
- SOC/SIEM-friendly output formats
- IT/Security automation workflow
Built a Python Linux hardening audit tool that performs read-only security checks, reviews SSH configuration, firewall status, open ports, sudo users, file permissions, and package update status, calculates risk scores, supports command-line options, and generates CSV/TXT/JSON/NDJSON/HTML reports for IT, Security, SOC, SIEM, and compliance workflows.