Interactive Linux hardening CLI — CIS Benchmark audit, scoring & remediation
HardenLinux audits your Linux server against CIS Benchmarks, gives you a security score from 0-100, and lets you fix issues interactively or automatically.
```bash
# Audit your server
hardenlinux audit

# Fix everything automatically
hardenlinux fix --all

# Interactive mode — choose what to fix
hardenlinux fix --interactive

# Generate PDF report
hardenlinux audit --report pdf

# Dry run — see what would change
hardenlinux fix --all --dry-run
```
- CIS Benchmark scoring — 0 to 100 security score per category
- Interactive remediation — review each fix before applying
- Dry-run mode — see what would change without touching anything
- Multi-distro — Debian, Ubuntu, RHEL, CentOS, AlmaLinux, Rocky
- Idempotent — run it multiple times safely, only fixes what's needed
- PDF & HTML reports — shareable audit reports
- Compliance mapping — maps checks to CIS, NIST 800-53, ANSSI
- Rollback — automatic backup before changes, one-command undo
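The dry-run, backup, idempotency and rollback behaviour listed above, as an added example that is not HardenLinux's own code: the `TARGETS` mapping of the sample config's `ssh:` values onto sshd keywords is an assumption, the sshd_config content is constructed, and every write goes to a temporary directory rather than `/etc/ssh`. It goes slightly beyond the list by handling two sshd details a real fixer has to get right: sshd honours the first occurrence of a keyword (so prepending beats appending, and an `Include` at the top of the file can otherwise override you), and settings inside `Match` blocks are conditional and must not be rewritten as globals.

```python
"""Idempotent sshd_config remediation with dry run, backup and rollback.
Added example, not HardenLinux's own code. TARGETS is an assumed mapping of the
ssh: values in the sample config onto sshd keywords; SAMPLE is constructed and
every write goes to a temporary directory, never to /etc/ssh."""
import os, shutil, tempfile, time

TARGETS = {"Port": "22", "PermitRootLogin": "no",       # sshd keyword -> required value
           "PasswordAuthentication": "no", "MaxAuthTries": "3"}

SAMPLE = """\
# constructed sample, not a real server's sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
"""

def parse_global(text):
    """keyword(lowercase) -> value for the global section: sshd keeps the FIRST
    occurrence, keywords are case-insensitive, and Match blocks are conditional."""
    seen = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return seen

def audit(text):
    """(keyword, expected, actual) for every target that is not in effect."""
    current = parse_global(text)
    return [(k, v, current.get(k.lower())) for k, v in TARGETS.items()
            if (current.get(k.lower()) or "").lower() != v.lower()]

def remediate(text, findings):
    """Prepend the required directives (ahead of any Include, so they win under the
    first-match rule) and comment out competing global lines; Match blocks untouched."""
    if not findings:
        return text                       # idempotent: compliant input comes back unchanged
    wanted = {k.lower(): (k, v) for k, v, _ in findings}
    out, in_match = [], False
    for line in text.splitlines():
        s = line.strip()
        key = s.split(None, 1)[0].lower() if s and not s.startswith("#") else ""
        in_match = in_match or key == "match"
        superseded = key in wanted and not in_match
        out.append("#" + line + "   # superseded by hardening" if superseded else line)
    header = ["# hardened settings (managed)"] + [f"{k} {v}" for k, v in wanted.values()]
    return "\n".join(header + out) + "\n"

def fix_file(path, backup_dir, dry_run=False):
    """Returns (would_or_did_change, backup_path); a dry run never writes."""
    with open(path) as f:
        text = f.read()
    findings = audit(text)
    if not findings:
        return False, None                # nothing to fix: no backup, no write
    if dry_run:
        return True, None
    os.makedirs(backup_dir, mode=0o700, exist_ok=True)
    backup = os.path.join(backup_dir, f"sshd_config.{time.time_ns()}.bak")
    shutil.copy2(path, backup)            # restorable copy taken before any change
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(remediate(text, findings))
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)                 # atomic swap, no half-written config
    return True, backup

def rollback(path, backup):
    """One-step undo: put the pre-fix copy back."""
    shutil.copy2(backup, path)

def demo():
    """audit -> dry run -> fix -> fix again (no-op) -> rollback, all in a temp dir."""
    r = {}
    with tempfile.TemporaryDirectory() as work:
        path, backups = os.path.join(work, "sshd_config"), os.path.join(work, "backups")
        with open(path, "w") as f:
            f.write(SAMPLE)
        r["findings_before"] = len(audit(SAMPLE))
        r["dry_run"] = fix_file(path, backups, dry_run=True)
        r["untouched_by_dry_run"] = open(path).read() == SAMPLE
        r["first_fix"], backup = fix_file(path, backups)
        r["findings_after"] = len(audit(open(path).read()))
        r["second_fix"] = fix_file(path, backups)[0]      # idempotent: nothing left to do
        rollback(path, backup)
        r["restored"] = open(path).read() == SAMPLE
    return r

if __name__ == "__main__":
    print(demo())
```

Run it as a script to print the result dictionary; `audit` and `remediate` work on any sshd_config text, so the same functions can be pointed at a real file once the backup directory and targets come from the tool's config rather than the constants here.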
| Category | Checks | CIS Reference |
|---|---|---|
| System Info | Hostname, kernel, distro, uptime | — |
| Filesystem | Permissions, mounts, sticky bits | CIS 1.x |
| Network | Firewall, SSH, ports, IP forwarding | CIS 2.x, 3.x |
| Authentication | Password policy, PAM, sudo, users | CIS 4.x, 5.x |
| Services | Unnecessary services, xinetd | CIS 6.x |
| Kernel | Sysctl parameters, modules | CIS 7.x |
| Logging | Rsyslog, logrotate, auditd | CIS 8.x |
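How a category's checks roll up into the 0 to 100 score, as an added example that is not HardenLinux's own code: the rule fields (`id`, `category`, `cis_section`, `key`, `op`, `expected`) are an assumed layout, the `cis_section` values simply echo the table above, the rule set itself is constructed rather than taken from the project's `rules/*.yml`, and the sysctl output is constructed in the `key = value` form that `sysctl -a` prints. A key that is absent from the output counts as a failure rather than being skipped, which is the case a scorer most often gets wrong.

```python
"""Evaluate sysctl rules and roll results up into per-category 0-100 scores.
Added example, not HardenLinux's own code. The rule fields are an assumed layout,
cis_section just echoes the category table, and SYSCTL_OUTPUT is constructed in
the `key = value` form that `sysctl -a` prints."""
import operator

SYSCTL_OUTPUT = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
kernel.randomize_va_space = 2
kernel.kptr_restrict = 0
kernel.dmesg_restrict = 1
kernel.sysrq = 176
fs.protected_symlinks = 1
kernel.core_pattern = core
"""

def rule(id_, category, cis, key, op, expected):
    return {"id": id_, "category": category, "cis_section": cis, "key": key, "op": op, "expected": expected}

RULES = [  # constructed rule set; the net.ipv6 key is deliberately absent from SYSCTL_OUTPUT
    rule("net-ip-forward",         "Network", "3.x", "net.ipv4.ip_forward", "eq", 0),
    rule("net-send-redirects",     "Network", "3.x", "net.ipv4.conf.all.send_redirects", "eq", 0),
    rule("net-rp-filter",          "Network", "3.x", "net.ipv4.conf.all.rp_filter", "eq", 1),
    rule("net-accept-redirects",   "Network", "3.x", "net.ipv4.conf.all.accept_redirects", "eq", 0),
    rule("net6-accept-ra",         "Network", "3.x", "net.ipv6.conf.all.accept_ra", "eq", 0),
    rule("krn-aslr",               "Kernel",  "7.x", "kernel.randomize_va_space", "eq", 2),
    rule("krn-kptr-restrict",      "Kernel",  "7.x", "kernel.kptr_restrict", "ge", 1),
    rule("krn-dmesg-restrict",     "Kernel",  "7.x", "kernel.dmesg_restrict", "eq", 1),
    rule("krn-sysrq",              "Kernel",  "7.x", "kernel.sysrq", "eq", 0),
    rule("krn-protected-symlinks", "Kernel",  "7.x", "fs.protected_symlinks", "eq", 1),
]
OPS = {"eq": operator.eq, "ge": operator.ge, "le": operator.le}

def parse_sysctl(text):
    """`key = value` lines -> {key: int or str}; anything else (stray noise) is skipped."""
    values = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, _, raw = line.partition(" = ")
        try:
            values[key.strip()] = int(raw.strip())
        except ValueError:
            values[key.strip()] = raw.strip()          # e.g. kernel.core_pattern is a string
    return values

def evaluate(rules, values):
    """One result per rule. A missing key or a non-numeric value is a FAIL, not a skip."""
    results = []
    for r in rules:
        actual = values.get(r["key"])
        ok = isinstance(actual, int) and OPS[r["op"]](actual, r["expected"])
        results.append({**r, "actual": actual, "passed": ok})
    return results

def score(results):
    """Per-category and overall score: round(100 * passed / total)."""
    tally = {}
    for r in results:
        t, p = tally.get(r["category"], (0, 0))
        tally[r["category"]] = (t + 1, p + int(r["passed"]))
    scores = {cat: round(100 * p / t) for cat, (t, p) in tally.items()}
    scores["OVERALL"] = round(100 * sum(p for _, p in tally.values()) / len(results))
    return scores

def bar(pct, width=20):
    """Progress bar in the style of the audit screen."""
    filled = round(pct * width / 100)
    return "█" * filled + "░" * (width - filled)

def report(rules=RULES, text=SYSCTL_OUTPUT):
    """Return (scores, rendered summary) with one FAIL line per failed check."""
    results = evaluate(rules, parse_sysctl(text))
    scores = score(results)
    lines = [f"{cat:<10} {bar(s)} {s:>3}%" for cat, s in scores.items() if cat != "OVERALL"]
    lines.append(f"{'OVERALL':<10} {bar(scores['OVERALL'])} {scores['OVERALL']}/100")
    lines += [f"  FAIL {r['id']} (CIS {r['cis_section']}): {r['key']} is {r['actual']}, "
              f"want {r['op']} {r['expected']}" for r in results if not r["passed"]]
    return scores, "\n".join(lines)

if __name__ == "__main__":
    print(report()[1])
```

To audit a live host, pass `subprocess.check_output(["sysctl", "-a"], text=True)` to `report` in place of the constructed string; `sysctl -a` prints permission errors for some keys on stderr, which the parser never sees because it reads only `key = value` lines.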
```bash
# Install
pip install hardenlinux

# Or run directly
curl -sL https://raw.githubusercontent.com/Mounik/HardenLinux/main/hardenlinux.sh | sudo bash

# Or clone and run
git clone https://github.com/Mounik/HardenLinux.git
cd HardenLinux
sudo ./hardenlinux audit
```
The `curl ... | sudo bash` form executes whatever the URL serves, as root, with no chance to review it, and it tracks `main` rather than a fixed revision. Prefer downloading the script to a file, reading it, and pinning a specific commit before running it with sudo; the clone-and-run path gives you the same review opportunity.

```text
╔════════════════════════════════════════════════════════╗
║ HardenLinux Audit                                      ║
║ ubuntu22.example.com — 2026-04-12                      ║
╠════════════════════════════════════════════════════════╣
║                                                        ║
║ Filesystem  ████████████░░░░░░░░   62% (8/13 passed)   ║
║ Network     ████████████████░░░░   79% (11/14 passed)  ║
║ Auth        █████████░░░░░░░░░░░   46% (6/13 passed)   ║
║ Services    ████████████████████  100% (8/8 passed)    ║
║ Kernel      █████████████░░░░░░░   64% (9/14 passed)   ║
║ Logging     ████████████████░░░░   80% (8/10 passed)   ║
║                                                        ║
║ OVERALL     ██████████████░░░░░░  72/100               ║
║                                                        ║
║ ⚠️ 22 checks need attention                            ║
║ Run: hardenlinux fix --interactive                     ║
╚════════════════════════════════════════════════════════╝
```
Create /etc/hardenlinux/config.yml or .hardenlinux.yml:
```yaml
# HardenLinux Configuration
version: "1.0"

# Profiles: strict (CIS Level 2), moderate (CIS Level 1), minimal
profile: moderate

# Skip specific checks
skip_checks:
  - 1.1.1   # filesystem specific to your setup

# Custom values
ssh:
  port: 22
  permit_root_login: "no"        # quoted on purpose: a bare no is parsed as a YAML boolean
  password_authentication: "no"
  max_auth_tries: 3

firewall:
  backend: ufw                   # ufw | iptables | firewalld
  allowed_ports: [22, 80, 443]

password:
  max_days: 90
  min_days: 7
  min_length: 14
  complexity: true

# Backup location before fixes
backup_dir: /var/backups/hardenlinux

# Report output
report:
  format: html                   # html | pdf | json
  output_dir: /var/log/hardenlinux/
```

```bash
# Full audit with HTML report
hardenlinux audit --report html --output /tmp/audit.html

# Fix only authentication issues
hardenlinux fix --category auth

# Fix everything with automatic backups
hardenlinux fix --all --backup

# Dry run — show what would change
hardenlinux fix --all --dry-run

# Rollback last changes
hardenlinux rollback

# List available profiles
hardenlinux profiles

# Check specific CIS control
hardenlinux check 4.2.1
```

```bash
# Run tests in Docker (safe, isolated)
docker-compose -f tests/docker-compose.yml up

# Run unit tests
pytest tests/

# Test against specific distro
docker-compose -f tests/docker-compose.yml up ubuntu22
docker-compose -f tests/docker-compose.yml up debian12
docker-compose -f tests/docker-compose.yml up almalinux9
```

```text
HardenLinux/
├── hardenlinux.sh              # Bootstrap/entry point
├── src/hardenlinux/            # Python package
│   ├── __init__.py
│   ├── cli.py                  # CLI interface
│   ├── auditor.py              # Audit engine
│   ├── fixer.py                # Remediation engine
│   ├── scorer.py               # Scoring system
│   └── rollback.py             # Rollback manager
├── modules/
│   ├── audit/                  # Audit check modules
│   │   ├── filesystem.py       # CIS 1.x checks
│   │   ├── network.py          # CIS 2.x/3.x checks
│   │   ├── auth.py             # CIS 4.x/5.x checks
│   │   ├── services.py         # CIS 6.x checks
│   │   ├── kernel.py           # CIS 7.x checks
│   │   └── logging.py          # CIS 8.x checks
│   ├── fix/                    # Remediation modules
│   │   ├── filesystem.py
│   │   ├── network.py
│   │   ├── auth.py
│   │   ├── services.py
│   │   ├── kernel.py
│   │   └── logging.py
│   └── report/                 # Report generators
│       ├── html_generator.py
│       ├── pdf_generator.py
│       └── json_generator.py
├── profiles/                   # CIS profiles
│   ├── strict.yml              # CIS Level 2
│   ├── moderate.yml            # CIS Level 1
│   └── minimal.yml             # Essential only
├── rules/                      # CIS rule definitions
│   ├── ubuntu22.yml
│   ├── debian12.yml
│   ├── rhel9.yml
│   └── common.yml
├── config/
│   ├── config.yml              # Default configuration
│   └── sshd_config_hardened    # Hardened SSH config
├── tests/
│   ├── test_auditor.py
│   ├── test_fixer.py
│   ├── test_integration.py
│   └── docker-compose.yml
├── setup.py
├── pyproject.toml
├── LICENSE
└── README.md
```
- Freelance sysadmins — Run audit, deliver report, charge for remediation
- Security consultants — CIS compliance reports for clients
- DevOps teams — Harden servers before production deployment
- Compliance — Map findings to ANSSI, NIST 800-53, CIS controls
MIT License — use it, sell it, deploy it.
Built by Mounik — DevSecOps Engineer | SecurePipe | docker-stacks | devops-toolkit