CIS Linux Audit Script
This repository contains a comprehensive script to perform a full CIS (Center for Internet Security) benchmark audit for RHEL-based and Debian-based Linux distributions. It automates the process of checking system compliance with CIS security standards, helping system administrators and security professionals harden their systems effectively.
What Is CIS Benchmark?
The CIS Benchmarks are best-practice security configuration guides developed by cybersecurity experts. They provide detailed recommendations for securing systems, applications, and networks. This script focuses on the CIS benchmarks for:
RHEL-based systems (e.g., RHEL, CentOS, Rocky Linux, AlmaLinux)
Debian-based systems (e.g., Debian, Ubuntu)
Features
Covers all major CIS audit checks (authentication, logging, permissions, services, etc.)
Detects system type and applies relevant checks
Modular and easy to extend
Generates detailed audit reports
Supports dry-run and fix modes
Supported Platforms
| Distribution | Version(s) |
|--------------|------------|
| RHEL | 7, 8, 9 |
| CentOS | 7, 8 |
| Oracle Linux | 8, 9 |
| Rocky Linux | 8, 9 |
| AlmaLinux | 8, 9 |
| Debian | 9, 10, 11 |
| Ubuntu | 18.04, 20.04, 22.04, 24.04 |
How to Use
git clone https://github.com/behnam0x/cis-linux-audit-script.git
cd cis-linux-audit-script/script
chmod +x AuditCISHardening.sh
sudo ./AuditCISHardening.sh
Checklist Overview
The script checks and optionally remediates the following categories:
Authentication & Password Policies
File Permissions & Ownership
Logging & Auditing
Firewall & Network Configuration
Unused Services & Packages
System Updates & Patch Management
Kernel Parameters & Sysctl Settings
User Accounts & Access Controls
Each check is mapped to its corresponding CIS control ID (e.g., 1.1.1, 5.2.3) for easy cross-reference.
Sample Output
[β] 1.1.1 Ensure mounting of cramfs filesystems is disabled
[β] 1.1.2 Ensure mounting of squashfs filesystems is disabled
[β] 5.2.3 Ensure password expiration is 365 days or less
...
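An added example, not code from this repository, of how one check in the style of the sample output can be written: it picks the distribution family from os-release and evaluates control 5.2.3 against login.defs. The function names, the [PASS]/[FAIL] markers and the file-path parameters are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not the repository's script. File paths are parameters so
# the check can be run against constructed copies instead of the live system.

# Map an os-release file to the benchmark family (rhel, debian or unknown).
detect_family() {
    local file="${1:-/etc/os-release}" id like
    [ -r "$file" ] || { echo unknown; return 0; }
    id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
    like=$(sed -n 's/^ID_LIKE=//p' "$file" | tr -d '"')
    case " $id $like " in
        *" rhel "*|*" centos "*|*" fedora "*) echo rhel ;;
        *" debian "*|*" ubuntu "*) echo debian ;;
        *) echo unknown ;;
    esac
}

# 5.2.3: pass only if PASS_MAX_DAYS is set to a whole number from 1 to 365.
# Assumption: the last uncommented PASS_MAX_DAYS line is the effective one.
check_pass_max_days() {
    local file="${1:-/etc/login.defs}" value=""
    [ -r "$file" ] || return 1
    value=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$file")
    case "$value" in
        ''|*[!0-9]*) return 1 ;;  # unset, commented out, negative or not a number
    esac
    [ "$value" -ge 1 ] && [ "$value" -le 365 ]
}

# Print "[PASS|FAIL] <control ID> <title>" and return the check's status.
report() {
    local id="$1" title="$2"
    shift 2
    if "$@"; then echo "[PASS] $id $title"; return 0; fi
    echo "[FAIL] $id $title"; return 1
}

# Constructed sample input: a Rocky-style os-release and a weak login.defs.
demo() {
    local dir
    dir=$(mktemp -d)
    printf 'ID="rocky"\nID_LIKE="rhel centos fedora"\n' > "$dir/os-release"
    printf '# PASS_MAX_DAYS 90\nPASS_MAX_DAYS\t99999\n' > "$dir/login.defs"
    echo "family: $(detect_family "$dir/os-release")"
    report 5.2.3 "Ensure password expiration is 365 days or less" \
        check_pass_max_days "$dir/login.defs" || true
    rm -rf "$dir"
}
demo
```

A commented-out or missing PASS_MAX_DAYS counts as a failure here, since the system default would then apply rather than an explicit limit.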
Contributing
Pull requests are welcome! If you want to add new checks, improve compatibility, or enhance reporting, feel free to contribute.
License
This project is licensed under the MIT License. See the