Linux security audit tools
Introduction
Technical auditing tools for Linux provide valuable information about the state of a Linux system. It is similar to a health scan for your body, having your car checked for issues. Tools in this category typically go through the file system and check related file permissions. Additionally, they may look at running processes and configuration files, to determine the overall security posture of the system.
Auditing tools for Linux are usually closely related to Linux system hardening. This process of improving system defenses can be costly. A good auditing tool helps to define what can be improved and how to achieve this.
Within this category of tools, a warning is warranted. The number of high-quality tools for Linux auditing is limited. Our advice is to use a popular tool with good community support. Many new projects were promising but had their development stalled very early.
Usage
Linux security audit tools are typically used for IT audit, configuration audit, system hardening.
Users for these tools include auditors, security professionals, system administrators.
Tools
Highlighted tools
Some of the Linux security audit tools have features that make them stand out among the others. If one of these characteristics are important to you, have a look at these selected tools first.
Popular Linux security audit tools
Cloud Security Suite (cloud security toolkit)
IT audit, configuration audit, penetration testing, system hardening
Cloud Security Suite (CS Suite) is a security toolkit that allows scanning Amazon, Google, and Azure cloud platforms. It leverages tools like Lynis, Prowler, and Scout2 to collect all information. The promise of the tool is to simplify the installation of the tools, their configuration, and the data collection.
Lynis (security scanner and compliance auditing tool)
IT audit, penetration testing, security assessment, system hardening, vulnerability scanning
Lynis can detect vulnerabilities and configuration flaws. Where a typical vulnerability scanner will just point out vulnerabilities, Lynis aims for an in-depth audit and continuous improvement. For this reason, it needs to be executed on the host system itself. By seeing the system from the inside out, it can provide more specific details than the average vulnerability scanner.
Nix Auditor (system auditing tools)
Nix-Auditor is a tool to help with scanning Linux systems and test them against CIS benchmarks.
OpenSCAP (suite with tools and security data)
security assessment, vulnerability scanning
Tools to assist administrators and auditors with assessment, measurement and enforcement of security baselines
Tiger (local security scanner)
IT audit, intrusion detection, system hardening, vulnerability scanning
The Tiger tool is used to scan your system and perform a security audit. Tiger checks configuration files and the system state. Based on the findings it will show suggestions to improve the security level of the system.
The Tiger project also states on their project page it can be used as an intrusion detection tool. This promise is somewhat outdated. To be effective in the area of intrusion detection, its technology needs to be kept up-to-date. Still, the tool might find t…
YASAT (local security scanner)
IT audit, configuration audit, security assessment
The YASAT tool performs a system scan to detect configuration issues and possible improvements for hardening the system. Typically you would use this on new and existing systems.
orthrus (security framework and auditing tool)
security assessment, self-assessment, system hardening, vulnerability scanning
Orthrus is a security framework and auditing tool. It allows monitoring and analyzing security configurations across multiple environments.
otseca (system information gathering tool)
configuration audit, penetration testing, security assessment
Tools like otseca help with data collection. This could be useful for system administrators to collect data on a regular interval. This data then can be compared with a future data capture. Another possibility is to use it during pentesting. In that case one should have already obtained root access, as the tool requires this as well.
sysechk (system auditing tool)
IT audit, system hardening
System Security Checker, or sysechk, is a tool to perform a system audit against a set of best practices. It uses a modular approach to test the system.
Other related categories: Linux hardening tools, configuration audit tools
Missing a favorite tool in this list? Share a tool suggestion and we will review it.