### Check AIDE File Integrity Monitoring Setup Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Verifies the installation of AIDE (Advanced Intrusion Detection Environment), database initialization, and the presence of a scheduled integrity check. Includes commands for installation, initialization, and cron job setup. ```bash sudo ./ubuntu-sec-audit.sh --check check_aide --skip-apt-update --output-dir /tmp/audit ``` ```bash # sudo apt-get install -y aide aide-common # sudo aideinit # sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db # echo '0 5 * * 0 root /usr/bin/aide --check' | sudo tee /etc/cron.d/aide-check # sudo aide --check # verify baseline ``` -------------------------------- ### Clone and Run Ubuntu Security Audit Source: https://github.com/secopsxsaiyan/ubuntu-sec-audit/blob/main/README.md Clone the repository and execute the audit script. The interactive wizard will guide you through the setup on the first run. ```bash git clone https://github.com/secopsxsaiyan/ubuntu-sec-audit.git cd ubuntu-sec-audit sudo ./ubuntu-sec-audit.sh ``` -------------------------------- ### Check Auditd Framework Configuration Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Ensures the auditd service is installed, active, enabled at boot, and configured with essential audit rules for sensitive files and log retention settings. Provides commands for installation, enabling, rule configuration, and log setting adjustments. ```bash sudo ./ubuntu-sec-audit.sh --check check_auditd --skip-apt-update --output-dir /tmp/audit ``` ```bash # sudo apt-get install -y auditd audispd-plugins # sudo systemctl enable --now auditd # sudo auditctl -w /etc/passwd -p wa -k identity # sudo auditctl -w /etc/shadow -p wa -k identity # sudo auditctl -w /etc/sudoers -p wa -k sudoers # sudo auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -k root_commands # sudo augenrules --load # sudo sed -i 's/^num_logs.*/num_logs = 5/' /etc/audit/auditd.conf # sudo sed -i 's/^max_log_file .*/max_log_file = 8/' /etc/audit/auditd.conf # sudo sed -i 's/^max_log_file_action.*/max_log_file_action = rotate/' /etc/audit/auditd.conf # sudo systemctl restart auditd ``` -------------------------------- ### Automate Audits with systemd Timers Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Install and enable systemd timer units for automated weekly standard audits and monthly deep audits. Verify timers and check logs. ```bash # Install and enable weekly standard audit (Sundays at 02:00): sudo cp systemd/ubuntu-sec-audit.service systemd/ubuntu-sec-audit.timer \ /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable --now ubuntu-sec-audit.timer # Install and enable monthly deep audit (first Sunday at 03:00): sudo cp systemd/ubuntu-sec-audit-deep.service systemd/ubuntu-sec-audit-deep.timer \ /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable --now ubuntu-sec-audit-deep.timer # Verify timers are active: systemctl list-timers ubuntu-sec-audit* # Check last audit run: journalctl -u ubuntu-sec-audit.service --since "7 days ago" | tail -30 ``` -------------------------------- ### Run Ansible Playbook Source: https://github.com/secopsxsaiyan/ubuntu-sec-audit/blob/main/README.md Commands to execute the generated Ansible playbook locally or against a remote inventory. Ensure you have Ansible installed. ```bash # Local ansible-playbook remediate-*.yml -i "localhost," -c local --become # Remote fleet ansible-playbook remediate-*.yml -i inventory --become ``` -------------------------------- ### Bash Script with Compliance Framework Annotations Source: https://github.com/secopsxsaiyan/ubuntu-sec-audit/blob/main/README.md Example of a remediation script generated by the tool. It includes annotations for different compliance frameworks, indicating which controls are relevant for each. ```bash # Fix 1: SSH configuration weaknesses found # Severity : HIGH # NIST SP 800-53: AC-17,IA-5,SC-8,AC-3,AC-7 # ISO/IEC 27001 : A.8.5,A.8.20 # SOC 2 TSC : CC6.1,CC6.2,CC6.6 ``` -------------------------------- ### Check Fail2Ban SSH Jail Configuration Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Verifies Fail2Ban installation, its active status, and the presence of a functional SSH jail. Includes commands to install Fail2Ban and configure a basic SSH jail. ```bash sudo ./ubuntu-sec-audit.sh --check check_fail2ban --skip-apt-update --output-dir /tmp/audit ``` ```bash # sudo apt-get install -y fail2ban # sudo tee /etc/fail2ban/jail.d/hardening.conf > /dev/null << 'F2BEOF' # [DEFAULT] # allowipv6 = auto # [sshd] # enabled = true # port = ssh # filter = sshd # backend = systemd # maxretry = 5 # bantime = 1d # findtime = 10m # F2BEOF # sudo systemctl enable --now fail2ban # sudo fail2ban-client status sshd ``` -------------------------------- ### Directly Invoke check_updates Function Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt This example shows how to directly invoke the `check_updates` function using `bash -c` and sourcing the script. This bypasses the standard runner and its filtering overhead but still requires root privileges. ```bash sudo bash -c 'source ./ubuntu-sec-audit.sh; check_updates' ``` -------------------------------- ### Check PAM Password Quality Enforcement Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Verifies that pam_pwquality or pam_cracklib is active and enforces a minimum password length of 8 characters. Includes commands to install and configure pwquality. ```bash sudo ./ubuntu-sec-audit.sh --check check_pam_pwquality --skip-apt-update --output-dir /tmp/audit ``` ```bash # sudo apt-get install -y libpam-pwquality # sudo pam-auth-update --enable pwquality # sudo tee /etc/security/pwquality.conf << 'EOF' # minlen = 12 # dcredit = -1 # ucredit = -1 # lcredit = -1 # ocredit = -1 # EOF ``` -------------------------------- ### Ansible Playbook Task Example Source: https://github.com/secopsxsaiyan/ubuntu-sec-audit/blob/main/README.md This YAML snippet demonstrates an Ansible task generated by the script for remediating SSH configuration weaknesses. It includes control IDs from NIST and ISO27001. ```yaml # NIST: AC-17,IA-5,SC-8 # ISO27001: A.8.5,A.8.20 - name: "Fix: SSH configuration weaknesses found" ansible.builtin.shell: | sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config ... ignore_errors: true changed_when: false ``` -------------------------------- ### Apply AppArmor Enforcement Fix Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Installs necessary AppArmor packages, enables the AppArmor service, and sets all profiles in `/etc/apparmor.d/` to enforce mode. Finally, it checks the status again. ```bash sudo apt-get install -y apparmor apparmor-profiles apparmor-utils sudo systemctl enable --now apparmor sudo aa-enforce /etc/apparmor.d/* sudo aa-status ``` -------------------------------- ### Delta Report Example Source: https://github.com/secopsxsaiyan/ubuntu-sec-audit/blob/main/README.md This shows the format of the delta report, which highlights changes in findings since the last audit run. It indicates fixed, regressed, and new issues. ```text Changes since last run: ✔ Fixed : check_updates check_unattended ↘ Regressed : check_ssh ⚠ New failures: check_secrets ``` -------------------------------- ### ClamAV Antivirus Scan Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Installs and runs ClamAV for a deep filesystem scan, updating virus definitions first. Provides commands for manual targeted scans and quarantine fixes. ```bash # Install and run ClamAV scan: sudo apt-get install -y clamav sudo systemctl enable --now clamav-freshclam sudo ./ubuntu-sec-audit.sh --deep --skip-apt-update --output-dir /var/log/audits ``` ```bash # Manual targeted scan: sudo clamscan -r -i \ --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \ /home /root /tmp /var /etc /usr/bin /usr/sbin /bin /sbin ``` ```bash # Generated quarantine fix: # QUARANTINE_DIR=$(sudo mktemp -d /var/clam-quarantine-XXXXXX) # sudo chmod 700 "$QUARANTINE_DIR" # sudo clamscan --move="$QUARANTINE_DIR" /path/to/infected/file # sudo ls -lah "$QUARANTINE_DIR" # review before deleting ``` -------------------------------- ### Debsums Package Integrity Check Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Checks installed package file checksums against their manifests to detect tampering. Provides commands for manual checks, identifying affected packages, and reinstalling them. ```bash sudo ./ubuntu-sec-audit.sh --deep --skip-apt-update --output-dir /var/log/audits ``` ```bash # Manual debsums check: sudo debsums -c 2>&1 | head -20 ``` ```bash # Identify affected package for a modified file: sudo dpkg -S /path/to/modified/file ``` ```bash # Generated fix (reinstalls affected packages to restore originals): # sudo apt-get install --reinstall # sudo debsums -c # re-verify ``` -------------------------------- ### Build and Run Docker Image Source: https://github.com/secopsxsaiyan/ubuntu-sec-audit/blob/main/README.md Instructions for building the Docker image and running audits within a Docker container. The --privileged flag is often required for system-level access. ```bash # Build docker build -t ubuntu-sec-audit . # Run docker run --rm --privileged \ -v /var/log/audits:/output \ ubuntu-sec-audit \ --oscal --catalog nist --output-dir /output ``` -------------------------------- ### Run Docker Integration Tests Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Execute the integration test suite for the Docker image. Use --no-build to skip rebuilding the image. ```bash # Integration test suite (builds misconfigured container, verifies all expected findings): bash tests/run-tests.sh # Skip rebuild (use existing image): bash tests/run-tests.sh --no-build ``` -------------------------------- ### Check Mount Options for /tmp, /dev/shm, /var/tmp Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Verifies security-related mount options (noexec, nosuid, nodev) and the sticky bit on temporary directories. Provides commands for checking current flags and generating persistent fstab entries. ```bash sudo ./ubuntu-sec-audit.sh --check check_mount_options --skip-apt-update --output-dir /tmp/audit ``` ```bash # Check current mount flags: mount | grep -E '/tmp|/dev/shm|/var/tmp' stat -c '%a' /tmp # should end in 1 (sticky bit), e.g. 1777 ``` ```bash # Generated fix (persistent fstab entry + immediate remount): # grep -qE '^tmpfs[[:space:]]+/tmp[[:space:]]' /etc/fstab || \ # echo 'tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev,size=512M 0 0' | sudo tee -a /etc/fstab # sudo mount -o remount,noexec,nosuid,nodev /tmp # sudo chmod +t /tmp # sudo mount -o remount,noexec,nosuid,nodev /dev/shm 2>/dev/null || true ``` -------------------------------- ### Apply Kernel Hardening Fix Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Applies the generated kernel hardening configuration by writing all 35 sysctl parameters to `/etc/sysctl.d/99-hardening.conf` and then applying them with `sysctl --system`. It also includes steps to blacklist specific kernel modules and update the initramfs. ```bash sudo mkdir -p /etc/sysctl.d sudo tee /etc/sysctl.d/99-hardening.conf > /dev/null << 'SYSCTLEOF' # kernel.randomize_va_space = 2 # fs.protected_hardlinks = 1 # fs.protected_symlinks = 1 # kernel.dmesg_restrict = 1 # kernel.kptr_restrict = 2 # kernel.yama.ptrace_scope = 1 # net.ipv4.conf.all.accept_redirects = 0 # net.ipv4.tcp_syncookies = 1 # kernel.unprivileged_bpf_disabled = 1 # net.core.bpf_jit_harden = 2 # ... (all 35 values) # SYSCTLEOF ``` ```bash sudo sysctl --system ``` ```bash echo 'blacklist usb-storage' | sudo tee -a /etc/modprobe.d/99-hardening-blacklist.conf echo 'install usb-storage /bin/false' | sudo tee -a /etc/modprobe.d/99-hardening-blacklist.conf sudo update-initramfs -u ``` -------------------------------- ### Configure PAM Brute-Force Lockout Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Generates a `faillock.conf` file to configure PAM brute-force lockout settings, including deny count, unlock time, and audit settings. It then enables the `faillock` module via `pam-auth-update`. ```bash sudo tee /etc/security/faillock.conf > /dev/null << 'FAILLOCKEOF' # deny = 5 # unlock_time = 900 # fail_interval = 900 # even_deny_root = yes # audit = yes # FAILLOCKEOF ``` ```bash sudo pam-auth-update --enable faillock ``` -------------------------------- ### Run Ansible Playbook Locally Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Executes the generated Ansible playbook locally on the machine. Uses 'localhost' as the inventory and 'local' connection with become privileges. ```bash ansible-playbook remediate-20250415-1030.yml \ -i "localhost," \ -c local \ --become ``` -------------------------------- ### Run Integration Tests Source: https://github.com/secopsxsaiyan/ubuntu-sec-audit/blob/main/README.md Execute the integration test suite, which uses a deliberately misconfigured Docker container to verify the script's detection capabilities across various security checks. ```bash bash tests/run-tests.sh ``` -------------------------------- ### Configure and Enable systemd Timers Source: https://github.com/secopsxsaiyan/ubuntu-sec-audit/blob/main/README.md Steps to copy the provided systemd unit files, reload the daemon, and enable the audit timers for automated scheduling. The weekly timer runs at Sunday 02:00, and the deep audit timer runs monthly. ```bash sudo cp systemd/ubuntu-sec-audit.* /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable --now ubuntu-sec-audit.timer ``` -------------------------------- ### Run User and Sudo Configuration Check Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Executes the check for user and sudo configurations. This identifies NOPASSWD sudo entries, accounts with plaintext passwords, locked accounts with interactive shells, and multiple UID 0 accounts. ```bash sudo ./ubuntu-sec-audit.sh --check check_users --skip-apt-update --output-dir /tmp/audit ``` -------------------------------- ### Check DNS Security Settings Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Verifies DNSSEC and DNS-over-TLS configurations for systemd-resolved. Generates a drop-in file for persistent settings. ```bash sudo ./ubuntu-sec-audit.sh --check check_dns_security --skip-apt-update --output-dir /tmp/audit ``` ```bash # Generated fix writes a single drop-in to avoid duplicate [Resolve] headers: # sudo mkdir -p /etc/systemd/resolved.conf.d # sudo tee /etc/systemd/resolved.conf.d/99-hardening.conf > /dev/null << 'DNSEOF' # [Resolve] # DNSSEC=allow-downgrade # DNSOverTLS=opportunistic # DNSEOF # sudo systemctl restart systemd-resolved # resolvectl status | grep -E 'DNSSEC|DNS over TLS' ``` -------------------------------- ### Apply Critical File Permissions Fix Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Applies the correct file permissions and ownership for `/etc/shadow`, `/etc/passwd`, and `/etc/ssh/sshd_config` to enhance system security. ```bash sudo chmod 640 /etc/shadow sudo chmod 644 /etc/passwd sudo chown root:shadow /etc/shadow sudo chown root:root /etc/passwd sudo chmod 600 /etc/ssh/sshd_config sudo chown root:root /etc/ssh/sshd_config ``` -------------------------------- ### Check Idle Session Timeout Configuration Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Verifies that the TMOUT environment variable is set in /etc/profile or /etc/profile.d/, is less than or equal to 900 seconds, and is declared as readonly. Includes commands to create a profile script and verify the setting. ```bash sudo ./ubuntu-sec-audit.sh --check check_idle_timeout --skip-apt-update --output-dir /tmp/audit ``` ```bash # Generated fix (writes /etc/profile.d/99-idle-timeout.sh): # sudo tee /etc/profile.d/99-idle-timeout.sh > /dev/null << 'TMOUTEOF' # TMOUT=900 # readonly TMOUT # export TMOUT # TMOUTEOF # sudo chmod 644 /etc/profile.d/99-idle-timeout.sh # Verify in a new shell: bash -l -c 'echo TMOUT=$TMOUT' ``` -------------------------------- ### Run Audit with Logging/Audit Profile Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Executes a security audit using a pre-defined profile focused on logging and audit controls. Ensure the script is executable and output directory exists. ```bash sudo ./ubuntu-sec-audit.sh \ --oscal \ --profile oscal/profiles/logging-audit.json \ --output-dir /var/log/audits ``` -------------------------------- ### Run CIS Benchmark Audit with Ansible Playbook Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Performs a CIS benchmark audit and generates an Ansible remediation playbook. Output is saved to a temporary directory. ```bash sudo ./ubuntu-sec-audit.sh \ --framework cis \ --ansible \ --output-dir /tmp/cis-audit ``` -------------------------------- ### Run Kernel Sysctl and Module Blacklist Check Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Executes the kernel sysctl hardening and module blacklist check. This verifies numerous sysctl parameters and ensures dangerous kernel modules are blacklisted. ```bash sudo ./ubuntu-sec-audit.sh --check check_kernel --skip-apt-update --output-dir /tmp/audit ``` -------------------------------- ### Run Ubuntu Security Audit Script Source: https://github.com/secopsxsaiyan/ubuntu-sec-audit/blob/main/README.md Execute the script with different configurations for interactive use, specific frameworks, or custom output directories. Ensure you have sudo privileges for most operations. ```bash sudo ./ubuntu-sec-audit.sh ``` ```bash sudo ./ubuntu-sec-audit.sh --framework nist,iso27001,soc2 --oscal --output-dir /var/log/audits ``` ```bash sudo ./ubuntu-sec-audit.sh --framework cis --ansible --output-dir /tmp/cis-audit ``` ```bash sudo ./ubuntu-sec-audit.sh --check check_ssh,check_firewall --skip-apt-update ``` ```bash sudo ./ubuntu-sec-audit.sh --skip check_docker_hardening,check_debsecan ``` ```bash sudo ./ubuntu-sec-audit.sh --verify --output-dir /var/log/audits ``` ```bash sudo ./ubuntu-sec-audit.sh --deep --webhook https://hooks.example.com/sec-audit ``` ```bash sudo ./ubuntu-sec-audit.sh --oscal --profile oscal/profiles/ssh-hardening.json ``` -------------------------------- ### Run check_updates via Standard Runner Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Executes the `check_updates` function using the standard script runner, targeting only this check and skipping the APT update. Output is directed to a temporary directory. ```bash sudo ./ubuntu-sec-audit.sh --check check_updates --skip-apt-update --output-dir /tmp/audit ``` -------------------------------- ### Run Delta Report and Verify Mode Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Perform a normal audit to generate a delta report, then use verify mode to re-run only previously failed checks. ```bash # Normal run — delta report is automatic when a previous findings file exists: sudo ./ubuntu-sec-audit.sh --framework nist --output-dir /var/log/audits # Terminal output after second run: # Changes since last run: # ✔ Fixed : check_updates check_unattended # ↘ Regressed : check_ssh # ⚠ New failures: check_secrets # After applying fixes, verify only the previously failing checks: sudo ./ubuntu-sec-audit.sh \ --verify \ --output-dir /var/log/audits # Verify mode output: # [i] Verify mode: re-running 5 previously-failed check(s) from sec-audit-findings-20250415-1020.jsonl # Verify : 4 fixed / 1 still failing ``` -------------------------------- ### Run SSH Daemon Hardening Check Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Executes the SSH daemon hardening check and saves the output to a specified directory. This check analyzes various SSH configuration parameters. ```bash sudo ./ubuntu-sec-audit.sh --check check_ssh --skip-apt-update --output-dir /tmp/audit ``` -------------------------------- ### Run PAM Brute-Force Lockout Check Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Verifies the PAM configuration for brute-force lockout using `pam_faillock` or `pam_tally2`. It checks if `deny` is set to 5 or less and if `unlock_time` is configured. ```bash sudo ./ubuntu-sec-audit.sh --check check_pam_lockout --skip-apt-update --output-dir /tmp/audit ``` -------------------------------- ### Check Firewall Status Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Runs the firewall check to verify UFW status, IPv6 rule management, and UFW logging level. Output is directed to a temporary directory. ```bash sudo ./ubuntu-sec-audit.sh --check check_firewall --skip-apt-update --output-dir /tmp/audit ``` -------------------------------- ### Verify Critical File Permissions Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Verifies the applied permissions and ownership of critical files using the `stat` command. ```bash stat -c '%n %a %U:%G' /etc/shadow /etc/passwd /etc/ssh/sshd_config ``` -------------------------------- ### Run Critical File Permissions Check Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Validates the permissions and ownership of critical system files like `/etc/shadow`, `/etc/passwd`, and `/etc/ssh/sshd_config`. ```bash sudo ./ubuntu-sec-audit.sh --check check_permissions --skip-apt-update --output-dir /tmp/audit ``` -------------------------------- ### Set Output Directory via Environment Variable Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Specifies the output directory for audit reports using an environment variable before executing the audit for the NIST framework. ```bash AUDIT_REPORT_DIR=/var/log/audits sudo ./ubuntu-sec-audit.sh --framework nist ``` -------------------------------- ### Inspect Control Mappings Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Use Python scripts to inspect the control mappings in `mappings/control-mapping.json`. View mappings for a specific check or list all checks with their NIST primary controls. ```python # Inspect the mapping for a specific check: python3 -c " import json m = json.load(open('mappings/control-mapping.json')) import sys check = sys.argv[1] if len(sys.argv) > 1 else 'check_ssh' entry = m.get(check, {}) for fw in ['nist', 'cis', 'iso27001', 'soc2']: print(f'{fw:12}: {entry.get(fw, [])}') print('description:', entry.get('description', '')) " check_ssh # nist : ['AC-17', 'IA-5', 'SC-8', 'AC-3', 'AC-7'] # cis : ['5.2.1', '5.2.2', '5.2.3', ..., '5.2.22'] # iso27001 : ['A.8.5', 'A.8.20'] # soc2 : ['CC6.1', 'CC6.2', 'CC6.6'] # description : SSH daemon hardening: root login, password auth, crypto, timeouts # List all check IDs and their NIST primary controls: python3 -c " import json m = json.load(open('mappings/control-mapping.json')) for k, v in m.items(): if k.startswith('_'): continue print(f'{k:40} {v.get("nist", [])}') " ``` -------------------------------- ### Run Ansible Playbook Against Remote Fleet Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Executes the generated Ansible playbook against a remote fleet of servers using a specified inventory file. ```bash ansible-playbook remediate-20250415-1030.yml \ -i inventory \ --become ``` -------------------------------- ### Run Interactive Security Audit Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Initiates an interactive wizard for security auditing when no flags are provided and the script is run in a TTY. ```bash sudo ./ubuntu-sec-audit.sh ``` -------------------------------- ### Disable IPv6 with Pre-flight Checks Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Disables IPv6 both immediately via sysctl and persistently via GRUB. Includes checks for current SSH session over IPv6 and services bound to ::1. ```bash sudo bash fix-audit-20250415-1030.sh --disable-ipv6 ``` -------------------------------- ### Verify Fixes After Remediation Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt After applying fixes, this mode re-runs only the previously failed checks to verify their effectiveness. Output is saved to a specified directory. ```bash sudo ./ubuntu-sec-audit.sh \ --verify \ --output-dir /var/log/audits ``` -------------------------------- ### Run Specific Checks and Skip APT Update Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Executes only the SSH and firewall checks, bypassing the APT package index update to save time. ```bash sudo ./ubuntu-sec-audit.sh \ --check check_ssh,check_firewall \ --skip-apt-update ``` -------------------------------- ### List Available OSCAL Profiles Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Lists the available pre-built OSCAL profiles in the oscal/profiles directory. These profiles define specific sets of controls for targeted audits. ```bash ls oscal/profiles/ ``` -------------------------------- ### Detect UID 0 Duplicates Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Identifies duplicate user accounts with UID 0 (root privileges) by parsing the /etc/passwd file. This helps in managing root access. ```bash awk -F: '$3==0 {print $1}' /etc/passwd ``` -------------------------------- ### Manual SUID/SGID Binary Scan Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Performs manual scans for SUID and SGID binaries across the entire filesystem, identifying potential privilege escalation vectors. Includes commands for removing SUID/SGID bits. ```bash # Manual SUID scan: sudo find / -xdev -perm -4000 -type f 2>/dev/null ``` ```bash # Manual SGID scan: sudo find / -xdev -perm -2000 -type f 2>/dev/null ``` ```bash # Generated fix (review EACH before removing — never remove from sudo/su/passwd): # sudo chmod -s /path/to/risky/binary # removes SUID bit # sudo chmod g-s /path/to/risky/binary # removes SGID bit ``` -------------------------------- ### Apply SSH Hardening Fix Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Applies the generated SSH hardening configuration, which includes setting secure parameters like PermitRootLogin and PasswordAuthentication. It validates the configuration with `sshd -t` before restarting the SSH service and includes a 5-minute rollback protection. ```bash sudo mkdir -p /etc/ssh/sshd_config.d sudo tee /etc/ssh/sshd_config.d/99-hardening.conf > /dev/null << 'SSHEOF' # PermitRootLogin prohibit-password # PasswordAuthentication no # PubkeyAuthentication yes # MaxAuthTries 4 # LoginGraceTime 60 # X11Forwarding no # AllowTcpForwarding no # ClientAliveInterval 300 # ClientAliveCountMax 2 # PermitEmptyPasswords no # HostbasedAuthentication no # IgnoreRhosts yes # MaxStartups 10:30:60 # Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,... # MACs hmac-sha2-512-etm@openssh.com,... # KexAlgorithms curve25519-sha256,... # SSHEOF # if sudo sshd -t; then sudo systemctl restart ssh; fi ``` ```bash sudo ./fix-audit-*.sh --ssh-safe ``` -------------------------------- ### Define and Use Custom OSCAL Profile Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Creates a custom OSCAL profile JSON file to specify a unique set of controls for an audit, then runs the audit using this custom profile. ```bash cat > oscal/profiles/my-custom.json << 'EOF' { "profile": { "imports": [ { "include-controls": [ { "with-ids": ["AC-17", "SC-8", "SI-2", "CM-6"] } ] } ] } } EOF ``` ```bash sudo ./ubuntu-sec-audit.sh \ --oscal \ --profile oscal/profiles/my-custom.json \ --output-dir /var/log/audits ``` -------------------------------- ### Deep Mode Scan Initiation Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Initiates an extended security audit using deep mode, which includes full-filesystem scans and optional tool prompts. ```bash sudo ./ubuntu-sec-audit.sh --deep --skip-apt-update --output-dir /tmp/audit ``` -------------------------------- ### Apply SSH Fixes with Rollback Safety Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Applies SSH-related fixes with a 5-minute auto-rollback timer. Includes pre-validation of SSH configuration and prompts for success confirmation. ```bash sudo bash fix-audit-20250415-1030.sh --ssh-safe ``` -------------------------------- ### Detect NOPASSWD Sudo Entries Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Searches for NOPASSWD entries in sudoers files. This is a security check to find potentially overly permissive sudo configurations. ```bash sudo grep -E '^\s*[^#].*NOPASSWD' /etc/sudoers /etc/sudoers.d/* 2>/dev/null ``` -------------------------------- ### RKHunter Rootkit Scan Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Performs a rootkit scan using rkhunter after updating its database. Includes commands for manual updates, checks, and updating the baseline after system changes. ```bash sudo ./ubuntu-sec-audit.sh --deep --skip-apt-update --output-dir /var/log/audits ``` ```bash # Manual rkhunter scan: sudo rkhunter --update --quiet sudo rkhunter --check --skip-keypress ``` ```bash # After updating system binaries, update rkhunter's baseline: sudo rkhunter --propupd ``` -------------------------------- ### Scan for Secrets and Credential Exposure Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Scans for world/group-readable SSH private keys, .env files with sensitive patterns, world-readable AWS credentials, and world-readable SSL/TLS private keys. Provides commands for manual scanning and fixing permissions. ```bash sudo ./ubuntu-sec-audit.sh --check check_secrets --skip-apt-update --output-dir /tmp/audit ``` ```bash # Manual scan equivalents: find /home /root -maxdepth 4 \( -name 'id_*' ! -name '*.pub' -o -name '*.pem' -o -name '*.key' \) \ ! -perm 600 2>/dev/null find /home /root /etc /opt /var/www -maxdepth 4 -name '.env' \ -exec grep -lE '(PASSWORD|SECRET|API_KEY|AWS_|TOKEN)=' {} \; ``` ```bash # Generated fix: # find /home /root -maxdepth 4 \( -name 'id_*' ! -name '*.pub' -o -name '*.pem' -o -name '*.key' \) \ # -exec chmod 600 {} \; # find /home /root -maxdepth 3 -path '*/.aws/credentials' -exec chmod 600 {} \; # find /etc/ssl -maxdepth 3 -not -path '/etc/ssl/certs/*' -name '*.key' -exec chmod o-r {} \; ``` -------------------------------- ### Apply All Auto-Generated Fixes Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Applies all fixes generated by the audit script. Failures are warned but do not halt the script execution due to 'set +e'. ```bash sudo bash fix-audit-20250415-1030.sh ``` -------------------------------- ### Send Audit Findings to Slack Webhook Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Configures the audit tool to post a summary of findings to a Slack webhook endpoint upon completion. Replace the placeholder with your actual Slack webhook URL. ```bash sudo ./ubuntu-sec-audit.sh \ --webhook https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK \ --output-dir /var/log/audits ``` -------------------------------- ### Run AppArmor Status Check Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Checks the current AppArmor status, specifically counting the number of profiles in enforce mode. It flags if AppArmor is not enforcing any profiles. ```bash sudo ./ubuntu-sec-audit.sh --check check_apparmor --skip-apt-update --output-dir /tmp/audit ``` -------------------------------- ### Run NIST, ISO 27001, SOC 2 Audits with OSCAL Output Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Executes security audits for NIST, ISO 27001, and SOC 2 frameworks, generating OSCAL Assessment Results and saving output to a specified directory. ```bash sudo ./ubuntu-sec-audit.sh \ --framework nist,iso27001,soc2 \ --oscal \ --output-dir /var/log/audits ``` -------------------------------- ### Generate Ansible Playbook for Remediation Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Generates an Ansible playbook (`remediate-*.yml`) during the audit process. The playbook is sorted by control severity and includes framework annotations. ```bash sudo ./ubuntu-sec-audit.sh \ --framework nist,iso27001 \ --ansible \ --output-dir /var/log/audits ``` -------------------------------- ### Lock User Accounts with Interactive Shells Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Generates a fix to change the shell of locked accounts that still have interactive login shells to `/usr/sbin/nologin`. This prevents unauthorized interactive access. ```bash # sudo usermod -s /usr/sbin/nologin ``` -------------------------------- ### Generate OSCAL Assessment Results from Findings File Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Generates an OSCAL 1.1.2 Assessment Results document directly from an existing JSONL findings file using the oscal_generate.py script. Requires specifying the findings file, mapping, catalog, and audit metadata. ```python # Generate OSCAL AR directly from an existing findings file: python3 oscal/oscal_generate.py \ --findings /var/log/audits/sec-audit-findings-20250415-1030.jsonl \ --mapping mappings/control-mapping.json \ --catalog nist \ --hostname myserver \ --ubuntu-version 24.04 \ --audit-start 2025-04-15T10:00:00Z \ --audit-end 2025-04-15T10:30:00Z \ --output /var/log/audits/oscal-ar-20250415.json ``` -------------------------------- ### Non-interactive Ubuntu Security Audit Execution Source: https://github.com/secopsxsaiyan/ubuntu-sec-audit/blob/main/README.md Run the audit script non-interactively, specifying the compliance framework, output directory, and whether to skip the apt update. This is useful for automated or scripted executions. ```bash sudo ./ubuntu-sec-audit.sh --framework nist --output-dir /var/log/audits --skip-apt-update ``` -------------------------------- ### Check LUKS Disk Encryption Status Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Detects LUKS-encrypted block devices and determines if the root filesystem is on an encrypted volume. Provides commands to verify encryption status and guidance for encrypting non-root volumes. ```bash sudo ./ubuntu-sec-audit.sh --check check_disk_encryption --skip-apt-update --output-dir /tmp/audit ``` ```bash # Verify encryption status: sudo blkid | grep crypto_LUKS lsblk -o NAME,FSTYPE,MOUNTPOINT findmnt -n -o SOURCE / # Generated remediation guidance for non-root volumes: # sudo cryptsetup luksFormat /dev/sdXN # sudo cryptsetup open /dev/sdXN # sudo mkfs.ext4 /dev/mapper/ # echo ' /dev/sdXN none luks' | sudo tee -a /etc/crypttab # sudo update-initramfs -u ``` -------------------------------- ### Generate OSCAL Audit with Profile Filtering Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Generates an audit report filtered by a specific OSCAL profile, such as SSH hardening. Requires findings, mapping, catalog, and profile details. ```bash python3 oscal/oscal_generate.py \ --findings /var/log/audits/sec-audit-findings-20250415-1030.jsonl \ --mapping mappings/control-mapping.json \ --catalog nist \ --hostname myserver \ --ubuntu-version 24.04 \ --audit-start 2025-04-15T10:00:00Z \ --audit-end 2025-04-15T10:30:00Z \ --profile oscal/profiles/ssh-hardening.json \ --output /var/log/audits/oscal-ar-ssh.json ``` ```bash python3 oscal/oscal_generate.py \ --findings /var/log/audits/sec-audit-findings-20250415-1030.jsonl \ --mapping mappings/control-mapping.json \ --catalog cis \ --hostname myserver \ --ubuntu-version 24.04 \ --audit-start 2025-04-15T10:00:00Z \ --audit-end 2025-04-15T10:30:00Z \ --output /var/log/audits/oscal-ar-cis.json \ --validate ``` -------------------------------- ### Deep Mode Audit with Webhook Notification Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Enables deep scanning mode, which includes additional tools like ClamAV and rkhunter, and sends a webhook notification with the findings summary to a specified URL. ```bash sudo ./ubuntu-sec-audit.sh --deep --webhook https://hooks.example.com/sec-audit ``` -------------------------------- ### Skip Irrelevant Checks Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Runs the security audit while explicitly skipping checks related to Docker hardening and debsecan. ```bash sudo ./ubuntu-sec-audit.sh --skip check_docker_hardening,check_debsecan ``` -------------------------------- ### Check Current AppArmor Status Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Retrieves the current AppArmor status and extracts the count of profiles in enforce mode. ```bash aa-status 2>/dev/null | awk '/profiles are in enforce mode/ {print $1}' ``` -------------------------------- ### Generate OSCAL Assessment Results during Audit Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Generates an OSCAL 1.1.2 Assessment Results document by running the audit script with the --oscal flag. This is the recommended method for integrating OSCAL output. ```bash # Generate OSCAL AR during the audit run (recommended): sudo ./ubuntu-sec-audit.sh \ --oscal \ --catalog nist \ --output-dir /var/log/audits ``` -------------------------------- ### Generate OSCAL Report Source: https://github.com/secopsxsaiyan/ubuntu-sec-audit/blob/main/README.md Use the --oscal flag to generate an OSCAL 1.1.2 Assessment Results document. This command also specifies the catalog and output directory. ```bash sudo ./ubuntu-sec-audit.sh --oscal --catalog nist --output-dir /var/log/audits ``` -------------------------------- ### Send Audit Findings to SIEM/Custom Endpoint Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Sends audit findings to a specified HTTP/HTTPS endpoint, such as a SIEM or a custom logging service. Allows specifying frameworks for the report. ```bash sudo ./ubuntu-sec-audit.sh \ --webhook https://siem.example.com/api/audit/ubuntu \ --framework nist,cis \ --output-dir /var/log/audits ``` -------------------------------- ### Review Auto-Generated Fix Script Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Reviews the auto-generated bash fix script before execution. The script is named based on the audit date. ```bash less fix-audit-$(date +%Y%m%d)*.sh ``` -------------------------------- ### Filter Checks by OSCAL Profile Source: https://context7.com/secopsxsaiyan/ubuntu-sec-audit/llms.txt Applies security checks filtered by an OSCAL profile, specifically targeting SSH-related controls. Output is saved to a specified directory. ```bash sudo ./ubuntu-sec-audit.sh --oscal --profile oscal/profiles/ssh-hardening.json --output-dir /var/log/audits ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.