Configuration audit tools
Introduction
The level of security of computer systems depends on software patch management and on how well the software is configured. A configuration audit helps to discover weaknesses in the way the software is tuned for its purpose. Auditing tools can be of great help here by automating this task.
Almost every software package can be configured. Most services benefit when the configuration is done correctly: it can boost performance, reduce the use of system resources, and may even enhance system security. While most software has documentation, its users rarely make full use of it. This is where configuration audit tools come into play. They help to uncover weaknesses in configuration files.
The tools in this section each have their own focus, so they can't be compared directly. There is also no such thing as the best tool in this category. We suggest reviewing all tools and seeing which ones complement your toolbox. Use those tools that focus on the software that you use, and don't forget the tools that audit the operating system itself. After all, software needs the host operating system to function.
Usage
Configuration audit tools are typically used for IT audits, compliance testing, and configuration audits.
Users of these tools include auditors, security professionals, and system administrators.
Tools
Highlighted tools
Some of the configuration audit tools have features that make them stand out among the others. If one of these characteristics is important to you, have a look at these selected tools first.
Popular configuration audit tools
Cloud Security Suite (cloud security toolkit)
IT audit, configuration audit, penetration testing, system hardening
Cloud Security Suite (CS Suite) is a security toolkit that allows scanning Amazon, Google, and Azure cloud platforms. It leverages tools like Lynis, Prowler, and Scout2 to collect all information. The promise of the tool is to simplify the installation of the tools, their configuration, and the data collection.
CloudSploit scans (AWS account scanner)
IT audit, configuration audit, security assessment
CloudSploit scans is an open source software project to test security risks related to an AWS account. It runs tests against your Amazon account and aims to discover any potentially misconfigured settings or other risks.
Kube-Bench (security benchmark testing for Kubernetes)
Tools like Kube-Bench help with quickly checking configuration weaknesses or discovering bad defaults.
LUNAR (system security scanner)
security assessment, self-assessment, system hardening
LUNAR is a security scanner that runs on a Linux system or other flavors of Unix. It provides insights on what can be done to harden the system.
Lynis (security scanner and compliance auditing tool)
IT audit, penetration testing, security assessment, system hardening, vulnerability scanning
Lynis can detect vulnerabilities and configuration flaws. Where a typical vulnerability scanner will just point out vulnerabilities, Lynis aims for an in-depth audit and continuous improvement. For this reason, it needs to be executed on the host system itself. By seeing the system from the inside out, it can provide more specific details than the average vulnerability scanner.
OpenSCAP (suite with tools and security data)
security assessment, vulnerability scanning
OpenSCAP is a suite of tools to assist administrators and auditors with the assessment, measurement, and enforcement of security baselines.
Prowler (AWS benchmark tool)
compliance testing, security assessment, system hardening
Prowler is a security tool to check systems on AWS against the related CIS benchmark. This benchmark provides a set of best practices for AWS. The primary usage for this tool is system hardening and compliance checking.
SSHsec (SSH configuration scanner)
information gathering, penetration testing, security assessment
SSHsec scans a system running the SSH protocol and retrieves its configuration, host keys, and Diffie-Hellman groups.
Tiger (local security scanner)
IT audit, intrusion detection, system hardening, vulnerability scanning
The Tiger tool is used to scan your system and perform a security audit. Tiger checks configuration files and the system state. Based on the findings it will show suggestions to improve the security level of the system.
The Tiger project also states on its project page that it can be used as an intrusion detection tool. This promise is somewhat outdated: to be effective in the area of intrusion detection, its technology needs to be kept up-to-date. Still, the tool might find t…
VHostScan (virtual host scanner)
penetration testing, reconnaissance
Tools like VHostScan are powerful for performing reconnaissance and discovering configuration defaults. This can be useful during penetration tests or security testing, to see if a system has been stripped of its default pages. If not, this tool might discover them and provide valuable information about the system.
YASAT (local security scanner)
IT audit, configuration audit, security assessment
The YASAT tool performs a system scan to detect configuration issues and possible improvements for hardening the system. Typically you would use this on new and existing systems.
Zeus (AWS auditing and hardening tool)
configuration audit, security assessment, self-assessment, system hardening
Zeus is a tool to perform a quick security scan of an AWS environment. It helps to find missing security controls, so additional system hardening measures can be applied to systems.
iniscan (PHP configuration scanner)
configuration audit, security assessment
Iniscan scans a given php.ini file and tests it against security best practices. It reports back the results by showing a Pass or Fail for each related test. As it is a command-line utility, it can be used in automated testing.
orthrus (security framework and auditing tool)
security assessment, self-assessment, system hardening, vulnerability scanning
Orthrus is a security framework and auditing tool. It allows monitoring and analyzing security configurations across multiple environments.
otseca (system information gathering tool)
configuration audit, penetration testing, security assessment
Tools like otseca help with data collection. This can be useful for system administrators who want to collect data at regular intervals; the data can then be compared with a future capture. Another possibility is to use it during pentesting. In that case, root access must already have been obtained, as the tool requires it.
sysechk (system auditing tool)
IT audit, system hardening
System Security Checker, or sysechk, is a tool to perform a system audit against a set of best practices. It uses a modular approach to test the system.
testssl.sh (TLS/SSL configuration scanner)
application testing, configuration audit
testssl.sh is a command line tool which checks a service on any port for the TLS/SSL ciphers and protocols it supports, as well as for some cryptographic flaws.
Missing a favorite tool in this list? Share a tool suggestion and we will review it.