hardening-check

hardening-check [OPTION]...

-v, --verbose
    Enable verbose output with detailed test results

--tests-only
    Show only test results without hardening advice

--csv
    Output results in CSV format for scripting or reporting

--help
    Display usage summary and exit

--version
    Print version information and exit

hardening-check is a lightweight Perl script designed to assess the security hardening status of a Linux system. It performs a series of non-intrusive tests to evaluate key kernel and binary protection mechanisms, such as Address Space Layout Randomization (ASLR), Position Independent Executables (PIE), RELRO, Stack Smashing Protection (SSP), and Fortify Source. The tool outputs a color-coded summary (green for enabled, red for disabled, yellow for partial) with advice on enabling missing features.

It scans running kernel parameters, libraries, and binaries like /bin/ls to determine compliance with best practices from distributions like Debian, Ubuntu, and Red Hat. Ideal for quick audits during system setup, compliance checks, or penetration testing prep. No root privileges required for most tests, making it suitable for regular users. Results help identify vulnerabilities exploitable by attackers, promoting defense-in-depth strategies.

Results reflect current runtime state; reboot may be needed after kernel tweaks. Not all tests work on non-x86 architectures or containers. False positives possible on custom kernels.

ASLR, Read-Only RELRO, Stack Protector, Fortify Source, PIE binaries, Kernel protections like exec-shield.

0: All tests passed
1: Some tests failed or warnings
2: Critical issues or errors

Developed by Michael Boelen as part of the Lynis auditing tool (2007 origins), hardening-check became a standalone script around 2014. Integrated into Lynis core tests by version 2.5+. Actively maintained for modern kernels up to 6.x.

lynis(8), checksec.sh(1)