4.6 KiB
4.6 KiB
██████╗██╗███████╗ █████╗ ██╗ ██╗██████╗ ██╗████████╗
██╔════╝██║██╔════╝██╔══██╗██║ ██║██╔══██╗██║╚══██╔══╝
██║ ██║███████╗███████║██║ ██║██║ ██║██║ ██║
██║ ██║╚════██║██╔══██║██║ ██║██║ ██║██║ ██║
╚██████╗██║███████║██║ ██║╚██████╔╝██████╔╝██║ ██║
╚═════╝╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝
CIS Benchmark compliance auditor for Linux systems with scored reporting, baseline comparison, and remediation guidance.
This is a quick overview — security theory, architecture, and full walkthroughs are in the learn modules.
What It Does
- Audit Linux systems against 104 CIS Benchmark controls (Debian/Ubuntu)
- Check filesystem hardening, services, network parameters, logging, SSH, and user accounts
- Generate scored compliance reports in terminal, JSON, or HTML format
- Compare results against a saved baseline to detect regressions and improvements
- Provide specific remediation commands for every failed control
- Support Level 1 and Level 2 benchmark profiles
- Run in test mode against mock fixtures without root access
Quick Start
./install.sh
sudo cisaudit
[!TIP] This project uses
justas a command runner. Typejustto see all available commands.Install:
curl -sSf https://just.systems/install.sh | bash -s -- --to ~/.local/bin
Commands
| Command | Description |
|---|---|
sudo cisaudit |
Run full audit with terminal output |
sudo cisaudit -l 1 |
Audit Level 1 controls only |
sudo cisaudit -f json -o report.json |
Generate JSON report |
sudo cisaudit -f html -o report.html |
Generate HTML report |
sudo cisaudit -c 5 |
Audit only Section 5 (Access/Auth) |
cisaudit --list-controls |
List all 104 registered controls |
sudo cisaudit -s baseline.json |
Save current results as baseline |
sudo cisaudit -b baseline.json |
Compare against a previous baseline |
cisaudit -t testdata/fixtures |
Run against test fixtures (no root needed) |
Options
| Flag | Default | Description |
|---|---|---|
-l, --level |
all |
Benchmark level: 1, 2, or all |
-f, --format |
terminal |
Output format: terminal, json, html |
-o, --output |
stdout | Write report to file |
-c, --categories |
all |
Categories to audit: 1,2,3,4,5,6 |
-t, --test-root |
/ |
System root for testing |
--threshold |
0 |
Minimum pass % to exit 0 |
-q, --quiet |
off | Suppress progress output |
CIS Benchmark Sections
| # | Section | Controls |
|---|---|---|
| 1 | Initial Setup | 20 |
| 2 | Services | 18 |
| 3 | Network Configuration | 20 |
| 4 | Logging and Auditing | 18 |
| 5 | Access, Authentication and Authorization | 18 |
| 6 | System Maintenance | 10 |
| Total | 104 |
Examples
sudo cisaudit -l 1 -f json -o report.json
sudo cisaudit -c 3,5 -f terminal
sudo cisaudit -s baselines/march.json
sudo cisaudit -b baselines/march.json
cisaudit -t testdata/fixtures -f json | python3 -m json.tool
Learn
This project includes step-by-step learning materials covering security theory, architecture, and implementation.
| Module | Topic |
|---|---|
| 00 - Overview | Prerequisites and quick start |
| 01 - Concepts | CIS benchmarks, real breaches, and compliance frameworks |
| 02 - Architecture | System design, module layout, and data flow |
| 03 - Implementation | Code walkthrough with file references |
| 04 - Challenges | Extension ideas and exercises |
License
AGPL 3.0