LinuxCommandLibrary

hardening-check

Analyze system security configuration for hardening

SYNOPSIS

hardening-check [options]

PARAMETERS

-c, --check CHECK
    Specify which check(s) to run. Multiple checks can be specified separated by commas.

-e, --exclude CHECK
    Exclude specific check(s) from being run.

-f, --format FORMAT
    Specify the output format (e.g., text, json, html).

-o, --output FILE
    Write the output to a specified file.

-v, --verbose
    Enable verbose output, providing more detailed information during the checks.

-h, --help
    Display help message and exit.

-V, --version
    Display version information and exit.

DESCRIPTION

The hardening-check command is a security auditing tool designed to assess the hardening level of a Linux system. It performs various checks against security best practices and industry standards to identify potential vulnerabilities and misconfigurations. The tool analyzes system settings, software versions, user accounts, file permissions, network configurations, and other aspects of the system to determine if it adheres to a secure baseline. The checks are typically based on recommendations from organizations like CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology). The output of hardening-check provides a report with identified issues, along with recommendations for remediation. It is a valuable resource for security professionals and system administrators aiming to improve the overall security posture of their Linux systems and ensure compliance with security policies.

CAVEATS

The accuracy and completeness of the checks depend on the hardening-check version and the configuration files used. The absence of a reported issue does not guarantee that the system is completely secure. It is crucial to review the results and implement the recommended fixes. It's always recommended to test changes in a non-production environment first.

EXAMPLE USAGE

Run all checks and save the output to a file called 'security_report.txt':
hardening-check -o security_report.txt

Run only the 'ssh' and 'firewall' checks:
hardening-check -c ssh,firewall

Run all checks except the 'kernel' check:
hardening-check -e kernel

SEE ALSO

lynis(8), tiger(8)
