Configuration audit tools

Introduction

The level of security of computer systems depends on software patch management and on how well the software is configured. A configuration audit helps to discover weaknesses in the way the software is tuned for its purpose. Auditing tools can be of great help here to automate this task.

Almost every software package has the ability to be configured. Most services will benefit when the configuration is done correctly. It will boost performance, reduce the use of system resources, and might even help with enhancing system security. While most software has documentation, it is rarely fully used by its users. This is where configuration audit tools come into play. They help to uncover weaknesses in configuration files.

The tools in this section each have their own focus, so they cannot be directly compared. Also, there is no such thing as the best tool in this category. We suggest reviewing all tools and seeing which ones complement your toolbox. Use those tools that focus on the software that you use. Don't forget the tools that perform an audit on the operating system itself. After all, software needs the host operating system to function.

Usage

Configuration audit tools are typically used for compliance testing, configuration audit, and IT audit.

Users of these tools include auditors, security professionals, and system administrators.

Tools

Cloud Security Suite (cloud security toolkit)

configuration audit, IT audit, penetration testing, system hardening

Cloud Security Suite (CS Suite) is a security toolkit that allows scanning Amazon, Google, and Azure cloud platforms. It leverages tools like Lynis, Prowler, and Scout2 to collect all information. The promise of the tool is to simplify the installation of the tools, their configuration, and the data collection.

CloudSploit scans (AWS account scanner)

configuration audit, IT audit, security assessment

CloudSploit scans is an open source software project to test security risks related to an AWS account. It runs tests against your Amazon account and aims to discover any potentially misconfigured setting or other risks.

iniscan (PHP configuration scanner)

configuration audit, security assessment

Iniscan scans a given php.ini file and tests it against security best practices. It reports back the results by showing a Pass or Fail for each related test. As it is a command-line utility, it can be used in automated testing.

Kube-Bench (security benchmark testing for Kubernetes)

Tools like Kube-Bench help with quickly checking configuration weaknesses or discovering bad defaults.

LUNAR (system security scanner)

security assessment, self-assessment, system hardening

LUNAR is a security scanner that runs on a Linux system or other flavors of Unix. It provides insights on what can be done to harden the system.

Lynis (security scanner and compliance auditing tool)

IT audit, penetration testing, security assessment, system hardening, vulnerability scanning

Lynis can detect vulnerabilities and configuration flaws. Where a typical vulnerability scanner will just point out vulnerabilities, Lynis aims for continuous improvement. For this reason, it needs to be executed on the host system itself, and it provides more details than the average vulnerability scanner.

orthrus (security framework and auditing tool)

security assessment, self-assessment, system hardening, vulnerability scanning

Orthrus is a security framework and auditing tool. It allows monitoring and analyzing security configurations across multiple environments.

otseca (system information gathering tool)

configuration audit, penetration testing, security assessment

Tools like otseca help with data collection. This could be useful for system administrators who want to collect data at a regular interval. This data can then be compared with a future data capture. Another possibility is to use it during pentesting. In that case one should have already obtained root access, as the tool requires this as well.

Prowler (AWS benchmark tool)

compliance testing, security assessment, system hardening

Prowler is a security tool to check systems on AWS against the related CIS benchmark. This benchmark provides a set of best practices for AWS. The primary usage for this tool is system hardening and compliance checking.

SSHsec (SSH configuration scanner)

information gathering, penetration testing, security assessment

SSHsec scans a system running the SSH protocol and retrieves its configuration, host keys, and Diffie-Hellman groups.

sysechk (system auditing tool)

IT audit, system hardening

System Security Checker, or sysechk, is a tool to perform a system audit against a set of best practices. It uses a modular approach to test the system.

testssl.sh (TLS/SSL configuration scanner)

application testing, configuration audit

testssl.sh is a command line tool which checks a system on any port for the support of TLS/SSL ciphers, protocols, as well as some cryptographic flaws.

Tiger (local security scanner)

intrusion detection, IT audit, system hardening, vulnerability scanning

The Tiger tool is used to scan your system and perform a security audit. Tiger checks configuration files and the system state. Based on the findings it will show suggestions to improve the security level of the system.

The Tiger project also states on its project page that it can be used as an intrusion detection tool. This promise is somewhat outdated. To be effective in the area of intrusion detection, its technology needs to be kept up-to-date. Still, the tool might find...

VHostScan (virtual host scanner)

penetration testing, reconnaissance

Tools like VHostScan are powerful for performing reconnaissance and discovering configuration defaults. This can be useful during penetration tests or security testing, to see if a system has been stripped of default pages. If not, this tool might discover them and provide valuable information about the system.

YASAT (local security scanner)

configuration audit, IT audit, security assessment

The YASAT tool performs a system scan to detect configuration issues and possible improvements for hardening the system. Typically you would use this on new and existing systems.

Zeus (AWS auditing and hardening tool)

configuration audit, security assessment, self-assessment, system hardening

Zeus is a tool to perform a quick security scan of an AWS environment. It helps to find missing security controls, so additional system hardening measures can be applied to systems.

Highlighted tools based on their strengths

Some of the configuration audit tools have features that make them stand out among the others. If one of these characteristics is important to you, have a look at these selected tools first.

» Easy to use = Lynis
» Low on requirements = Lynis

Missing a favorite tool in this list? Share a tool suggestion and we will review it.