hardening-check
Analyze system security configuration for hardening
SYNOPSIS
hardening-check [options]
PARAMETERS
-c, --check CHECK
Specify which check(s) to run. Multiple checks can be specified separated by commas.
-e, --exclude CHECK
Exclude specific check(s) from being run.
-f, --format FORMAT
Specify the output format (e.g., text, json, html).
-o, --output FILE
Write the output to a specified file.
-v, --verbose
Enable verbose output, providing more detailed information during the checks.
-h, --help
Display help message and exit.
-V, --version
Display version information and exit.
DESCRIPTION
The hardening-check command is a security auditing tool designed to assess the hardening level of a Linux system. It performs various checks against security best practices and industry standards to identify potential vulnerabilities and misconfigurations. The tool analyzes system settings, software versions, user accounts, file permissions, network configurations, and other aspects of the system to determine if it adheres to a secure baseline. The checks are typically based on recommendations from organizations like CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology). The output of hardening-check provides a report with identified issues, along with recommendations for remediation. It is a valuable resource for security professionals and system administrators aiming to improve the overall security posture of their Linux systems and ensure compliance with security policies.
CAVEATS
The accuracy and completeness of the checks depend on the hardening-check version and the configuration files used. The absence of a reported issue does not guarantee that the system is completely secure. It is crucial to review the results and implement the recommended fixes. It's always recommended to test changes in a non-production environment first.
EXAMPLE USAGE
Run all checks and save the output to a file called 'security_report.txt':
    hardening-check -o security_report.txt
Run only the 'ssh' and 'firewall' checks:
    hardening-check -c ssh,firewall
Run all checks except the 'kernel' check:
    hardening-check -e kernel
SEE ALSO
lynis(8), tiger(8)