
# auditenv - Environment Audit Tool

Comprehensive environment analysis and security audit tool for system and user environments.

## Overview

auditenv performs detailed audits of system and user environments, checking for security issues, configuration problems, and best practices compliance. It generates reports with actionable recommendations for environment hardening and optimization.

When to use: Security audits, environment validation, compliance checking, or troubleshooting environment-related issues.

## Usage

```bash
auditenv [options] [audit-types]
```

### Options

- `-o FILE`: Output file (default: stdout)
- `-f FORMAT`: Output format (text, json, html)
- `-l LEVEL`: Audit level (basic, standard, thorough)
- `-c CONFIG`: Custom configuration file
- `-v`: Verbose output
- `-q`: Quiet mode
- `-h`: Show help

### Audit Types

- `security`: Security vulnerabilities and misconfigurations
- `permissions`: File and directory permissions
- `packages`: Installed packages and vulnerabilities
- `network`: Network configuration and security
- `users`: User accounts and privileges
- `services`: Running services and configurations
- `all`: All audit types

## Examples

### Basic Audits

```bash
# Full environment audit
auditenv all

# Security audit only
auditenv security

# Quick audit
auditenv -l basic all
```

### Targeted Audits

```bash
# Permission audit
auditenv permissions

# Network security
auditenv network

# User account audit
auditenv users
```

### Output Formats

```bash
# JSON for processing
auditenv -f json -o audit.json all

# HTML report
auditenv -f html -o audit-report.html security

# Save to file
auditenv -o environment-audit.txt all
```

### Scheduled Audits

```bash
# Daily security audit
0 2 * * * /usr/local/bin/auditenv -q security > /var/log/auditenv-daily.log

# Weekly full audit
0 3 * * 0 /usr/local/bin/auditenv all > /var/log/auditenv-weekly.log
```

## How It Works

### Audit Pipeline

1. **Discovery**: Identify system components and configuration
2. **Analysis**: Check against security best practices and policies
3. **Scoring**: Rate findings by severity and impact
4. **Reporting**: Generate structured reports with recommendations
5. **Remediation**: Provide fix commands and scripts

### Audit Categories

#### Security Audit

- **Password Policies**: Strength requirements, aging
- **SSH Configuration**: Key-based auth, root login, ports
- **Firewall Rules**: Unnecessary open ports, default policies
- **File Permissions**: World-writable files, sensitive file access
- **SUID/SGID**: Potentially dangerous executables
- **Package Vulnerabilities**: Known CVEs in installed packages
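To make the five pipeline stages concrete, here is an added illustration (not auditenv's own code) that walks two of the Security Audit items above, SSH root login and world-writable files, through Discovery, Analysis, Scoring, Reporting and Remediation. It runs against a constructed sandbox directory rather than the real host; the function names, the `SEV|title|fix` record layout and the sandbox paths are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added illustration, not auditenv's own code: a miniature pass through the
# Discovery -> Analysis -> Scoring -> Reporting -> Remediation pipeline for two
# Security Audit items (SSH root login, world-writable files). It runs against
# a constructed sandbox directory, so nothing on the real host is read.
# All function names, the "SEV|title|fix" record layout and the sandbox paths
# are assumptions made for this example.
set -u

# Discovery: build a throwaway tree standing in for /etc/ssh and /tmp.
make_sample_env() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssh" "$root/tmp"
    # Constructed sshd_config: a comment, a harmless directive, one risky one.
    printf '%s\n' '# sample sshd_config' 'Port 22' 'PermitRootLogin yes' \
        'PasswordAuthentication no' > "$root/etc/ssh/sshd_config"
    : > "$root/tmp/world.txt";   chmod 0666 "$root/tmp/world.txt"
    : > "$root/tmp/private.txt"; chmod 0600 "$root/tmp/private.txt"
    printf '%s\n' "$root"
}

# Analysis: sshd applies the first matching directive, so take the first
# uncommented PermitRootLogin; when absent, OpenSSH defaults to
# prohibit-password, which is not a finding. (Match blocks are ignored here.)
check_root_login() {
    local cfg=$1 value
    value=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$cfg")
    case "${value:-prohibit-password}" in
        yes) printf 'HIGH|SSH root login enabled|Edit %s: PermitRootLogin no\n' "$cfg" ;;
        *)   return 0 ;;
    esac
}

# Analysis: world-writable regular files (-perm -0002 is the portable spelling).
check_world_writable() {
    local dir=$1 f
    find "$dir" -type f -perm -0002 | sort | while read -r f; do
        printf 'MEDIUM|World-writable file %s|chmod o-w %s\n' "$f" "$f"
    done
}

# Scoring: rank the page's severity levels so findings can be ordered.
severity_rank() {
    case "$1" in
        CRITICAL) echo 5 ;; HIGH) echo 4 ;; MEDIUM) echo 3 ;;
        LOW) echo 2 ;; INFO) echo 1 ;; *) echo 0 ;;
    esac
}

# Run every check and emit "SEV|title|fix" records, highest severity first.
run_audit() {
    local root=$1 sev title fix
    {
        check_root_login "$root/etc/ssh/sshd_config"
        check_world_writable "$root/tmp"
    } | while IFS='|' read -r sev title fix; do
        printf '%s|%s|%s|%s\n' "$(severity_rank "$sev")" "$sev" "$title" "$fix"
    done | sort -t '|' -k1,1nr -k3,3 | cut -d '|' -f2-
}

# Count records of one severity (prints 0 rather than failing when none).
count_severity() {
    printf '%s\n' "$1" | grep -c "^$2|" || true
}

# Reporting + Remediation: render the records in the tool's text layout.
render_report() {
    local findings=$1 sev title fix
    printf 'SECURITY ISSUES\n---------------\n'
    printf '%s\n' "$findings" | while IFS='|' read -r sev title fix; do
        [ -n "$sev" ] || continue
        printf '[%s] %s\n  Remediation: %s\n' "$sev" "$title" "$fix"
    done
    printf 'SUMMARY\n-------\n'
    for sev in CRITICAL HIGH MEDIUM LOW INFO; do
        printf '%s: %s\n' "$sev" "$(count_severity "$findings" "$sev")"
    done
}

# Stand-alone run against the constructed sandbox.
root=$(make_sample_env)
findings=$(run_audit "$root")
render_report "$findings"
rm -rf "$root"
```

The two points worth carrying into a real check are the ones the sandbox makes visible: `PermitRootLogin` is resolved the way sshd resolves it (first uncommented directive, documented default when absent), and every finding is emitted as one structured record that carries its own remediation command, which is what lets the reporting stage sort, count and render without re-parsing.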

#### Permission Audit

- **File Ownership**: Incorrect ownership of system files
- **Directory Permissions**: Proper access controls
- **Executable Permissions**: Correct permissions on binaries
- **Configuration Files**: Secure config file permissions
- **User Directories**: Home directory security

#### Package Audit

- **Installed Packages**: Complete software inventory
- **Vulnerable Packages**: Known security issues
- **Orphaned Packages**: Unnecessary installed software
- **Package Integrity**: Modified package files
- **Update Status**: Outdated packages

#### Network Audit

- **Open Ports**: Listening services and exposure
- **Firewall Configuration**: Rule effectiveness
- **Network Services**: Running network daemons
- **DNS Configuration**: Resolver security
- **SSH Access**: Remote access security

#### User Audit

- **User Accounts**: Valid users, locked accounts
- **Privilege Escalation**: sudo configuration, wheel group
- **Password Security**: Password policies, expiration
- **Home Directories**: Proper permissions and contents
- **Login History**: Suspicious login patterns

#### Service Audit

- **Running Services**: Enabled and active services
- **Service Configuration**: Secure service settings
- **Auto-start Services**: Unnecessary startup services
- **Service Accounts**: Proper service user accounts
- **Log Configuration**: Secure logging practices

## Configuration

### Configuration File

```toml
# ~/.config/auditenv/config.toml
[audit]
level = "standard"
parallel_checks = true
timeout = 300

[security]
check_passwords = true
check_ssh_config = true
check_firewall = true
max_open_ports = 10

[permissions]
check_world_writable = true
check_suid_sgid = true
ignore_paths = ["/proc", "/sys"]

[packages]
check_vulnerabilities = true
check_updates = true
ignore_packages = ["kernel-debug"]

[reporting]
format = "text"
include_remediation = true
severity_levels = ["critical", "high", "medium", "low", "info"]
```

### Environment Variables

```bash
# Audit settings
export AUDITENV_LEVEL="thorough"
export AUDITENV_TIMEOUT="600"

# Output settings
export AUDITENV_FORMAT="json"
export AUDITENV_OUTPUT_FILE="/var/log/auditenv.log"

# Security settings
export AUDITENV_MAX_OPEN_PORTS="5"
export AUDITENV_CHECK_VULNS="true"
```

## Dependencies

### Required

- **bash**: Shell execution
- **find**: File system traversal
- **grep/awk**: Text processing
- **ps**: Process information

### Optional

- **nmap**: Network scanning
- **lynis**: Security auditing
- **chkrootkit/rkhunter**: Rootkit detection
- **debsecan**: Debian security analysis
- **yum-security**: RedHat security updates
- **sshd**: SSH configuration checking

## Troubleshooting

### Slow Audits

**Symptom:** The audit takes a very long time to complete

**Cause:** Thorough audit level, or a large system

**Fix:**

```bash
# Use basic level
auditenv -l basic all

# Increase timeout
export AUDITENV_TIMEOUT="1800"

# Run specific audits
auditenv security permissions
```

### Permission Errors

**Symptom:** Cannot access certain system files

**Cause:** Running without sufficient privileges

**Fix:**

```bash
# Run with sudo
sudo auditenv all

# Check specific permissions
ls -la /etc/shadow
ls -la /var/log/

# Add to sudoers
# Allow specific auditenv commands
```

### False Positives

**Symptom:** Audit reports non-issues as problems

**Cause:** Custom system configuration

**Fix:**

```toml
# Configure exceptions in ~/.config/auditenv/config.toml
[security]
ignore_paths = ["/custom/path"]
ignore_users = ["serviceuser"]
```

```bash
# Use custom config
auditenv -c my-config.toml all
```

### Missing Tools

**Symptom:** Some checks fail due to missing tools

**Cause:** Optional dependencies not installed

**Fix:**

```bash
# Install recommended tools
sudo apt install nmap lynis chkrootkit debsecan

# Check what tools are available
auditenv --check-tools

# Run without optional checks
export AUDITENV_SKIP_OPTIONAL="true"
```

## Performance

### Audit Times

| Level    | System Size | Time  | Memory |
| -------- | ----------- | ----- | ------ |
| Basic    | Small       | 30s   | 50MB   |
| Standard | Medium      | 5min  | 200MB  |
| Thorough | Large       | 20min | 500MB  |

### Resource Usage

- **CPU**: 20-80% during intensive checks
- **Memory**: 50-500MB depending on audit scope
- **Disk**: Minimal (log files only)
- **Network**: For vulnerability database checks

## Integration

### With Security Monitoring

```bash
# Daily security audit
auditenv security > /var/log/security-audit.log

# Alert on critical issues
if grep -q "CRITICAL" /var/log/security-audit.log; then
    mail -s "Security Audit Alert" admin@example.com < /var/log/security-audit.log
fi
```

### With Compliance

```bash
# CIS benchmark audit
auditenv -c cis-config.toml all

# Generate compliance report
auditenv -f html -o compliance-report.html all
```

### With Automation

```bash
# Automated remediation
auditenv security | grep "REMEDIATION:" | while read line; do
    command=$(echo "$line" | sed 's/REMEDIATION: //')
    echo "Running: $command"
    eval "$command"
done
```
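The loop above hands every `REMEDIATION:` line to `eval`, so whoever can influence the report text (a tampered log file, a spoofed finding) can run arbitrary commands as the auditing user, which is usually root. As an added example, not auditenv's own code, here is a guarded version: a fix is executed only when its first word is on an allowlist and the whole line stays within a conservative character set, and nothing runs unless "apply" is requested. The `REMEDIATION:` prefix is the page's; the sample report, the allowlist and the function names are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example, not auditenv's own code: a guarded replacement for the
# remediation loop above. Passing report lines to eval means a tampered or
# spoofed report can run arbitrary commands as the auditing user (often root).
# This version accepts a fix only when its first word is on an allowlist and
# the whole line uses a conservative character set, and it dry-runs unless
# told to apply. The "REMEDIATION:" prefix is the page's; the sample report,
# the allowlist and the function names are assumptions for this example.
set -u

# Fix verbs we are willing to run unattended (assumption for this example).
ALLOWED_CMDS="chmod chown"

# Return 0 when a remediation command is acceptable to execute, 1 otherwise.
is_safe_remediation() {      # $1 = command text after "REMEDIATION: "
    local cmd=$1 verb word
    # Anything outside this set (; | & $ ` quotes, globs, redirects, ...) is
    # refused outright rather than quoted, since no fix we allow needs it.
    if printf '%s' "$cmd" | grep -q '[^A-Za-z0-9 ./_:,+=-]'; then
        return 1
    fi
    verb=${cmd%% *}
    for word in $ALLOWED_CMDS; do
        [ "$verb" = "$word" ] && return 0
    done
    return 1
}

# Read a report on stdin; print a verdict per REMEDIATION line and, when
# $1 is "apply", run the accepted commands (without eval: the line is only
# word-split, so even an accepted line cannot chain further commands).
process_remediations() {     # $1 = "dry-run" (default) or "apply"
    local mode=${1:-dry-run} line cmd
    while IFS= read -r line; do
        case "$line" in
            *REMEDIATION:*) cmd=${line#*REMEDIATION: } ;;
            *) continue ;;
        esac
        if ! is_safe_remediation "$cmd"; then
            printf 'SKIP %s\n' "$cmd"
        elif [ "$mode" = apply ]; then
            printf 'RUN  %s\n' "$cmd"
            $cmd
        else
            printf 'DRY  %s\n' "$cmd"
        fi
    done
}

# Constructed report: two legitimate fixes, one advisory-only line, and one
# line a tampered report could carry to smuggle a second command past eval.
SAMPLE_REPORT='[MEDIUM] World-writable files found
  REMEDIATION: chmod o-w /tmp/test.txt
[LOW] Incorrect ownership on /etc/passwd
  REMEDIATION: chown root:root /etc/passwd
[HIGH] SSH root login enabled
  REMEDIATION: Edit /etc/ssh/sshd_config: PermitRootLogin no
[INFO] Tampered finding
  REMEDIATION: chmod o-w /tmp/x; touch /tmp/injected'

# Stand-alone run in dry-run mode; pass "apply" to execute accepted fixes.
printf '%s\n' "$SAMPLE_REPORT" | process_remediations dry-run
```

Run as `auditenv security | process_remediations` to see what would happen, and only switch to `apply` once the dry-run output has been reviewed. The advisory line ("Edit /etc/ssh/sshd_config ...") is skipped because `Edit` is not a fix verb, and the last line is skipped because `;` is outside the permitted character set; with the page's `eval` loop both would have been executed.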

### With Monitoring Systems

```bash
# Export to monitoring system
auditenv -f json all | curl -X POST \
    -H "Content-Type: application/json" \
    -d @- \
    http://monitoring.example.com/api/audit
```

## Output Formats

### Text Format (default)

```text
AUDITENV Report - 2024-01-01 12:00:00
====================================

SECURITY ISSUES
---------------
[HIGH] SSH root login enabled
  Description: Root login is permitted via SSH
  Impact: Direct root access increases security risk
  Remediation: Edit /etc/ssh/sshd_config: PermitRootLogin no

[MEDIUM] World-writable files found
  Files: /tmp/test.txt, /var/tmp/cache.dat
  Remediation: chmod o-w /tmp/test.txt

PERMISSIONS
-----------
[LOW] Incorrect ownership on /etc/passwd
  Current: root:shadow
  Should be: root:root
  Remediation: chown root:root /etc/passwd

SUMMARY
-------
Critical: 0
High: 1
Medium: 1
Low: 1
Info: 3
```
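The text layout above is what the "With Security Monitoring" snippet greps, and a bare `grep -q "CRITICAL"` has two gaps: a report full of HIGH findings never alerts, and a report truncated by a timeout is silently treated as clean. The following added example, not part of auditenv, parses the `[SEVERITY] title` finding lines into counts and applies a configurable threshold (HIGH by default), which can be dropped into the cron job from that section in place of the grep. The report text is a constructed sample in the page's text format; the function names are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of auditenv: parse the text report layout above into
# per-severity counts and decide whether an alert should fire. It reads the
# "[SEVERITY] title" finding lines rather than the SUMMARY block, so a report
# truncated by a timeout cannot hide findings, and it takes a threshold (HIGH
# by default) so that HIGH findings raise an alert too, not only CRITICAL ones.
# The report text is a constructed sample in the page's text format; function
# names are assumptions for this example.
set -u

SAMPLE_REPORT='AUDITENV Report - 2024-01-01 12:00:00
====================================

SECURITY ISSUES
---------------
[HIGH] SSH root login enabled
  Description: Root login is permitted via SSH
  Remediation: Edit /etc/ssh/sshd_config: PermitRootLogin no

[MEDIUM] World-writable files found
  Files: /tmp/test.txt, /var/tmp/cache.dat
  Remediation: chmod o-w /tmp/test.txt

PERMISSIONS
-----------
[LOW] Incorrect ownership on /etc/passwd
  Remediation: chown root:root /etc/passwd

SUMMARY
-------
Critical: 0
High: 1
Medium: 1
Low: 1
Info: 3'

# Numeric rank for the page's severity levels; anything else ranks 0.
severity_rank() {
    case "$1" in
        CRITICAL) echo 5 ;; HIGH) echo 4 ;; MEDIUM) echo 3 ;;
        LOW) echo 2 ;; INFO) echo 1 ;; *) echo 0 ;;
    esac
}

# Number of "[SEV] ..." finding lines for one severity; prints 0 when none.
finding_count() {        # $1 = report text, $2 = severity name
    printf '%s\n' "$1" | grep -c "^\[$2\] " || true
}

# Name of the most severe finding in the report, or NONE.
max_severity() {         # $1 = report text
    local best=NONE best_rank=0 sev rank
    for sev in $(printf '%s\n' "$1" | sed -n 's/^\[\([A-Z]*\)\] .*/\1/p'); do
        rank=$(severity_rank "$sev")
        if [ "$rank" -gt "$best_rank" ]; then
            best=$sev
            best_rank=$rank
        fi
    done
    printf '%s\n' "$best"
}

# Exit 0 (alert) when any finding is at or above the threshold severity.
needs_alert() {          # $1 = report text, $2 = threshold (default HIGH)
    local threshold=${2:-HIGH}
    [ "$(severity_rank "$(max_severity "$1")")" -ge "$(severity_rank "$threshold")" ]
}

# One-line digest suitable for a mail subject or a monitoring annotation.
alert_digest() {         # $1 = report text
    printf 'max=%s critical=%s high=%s medium=%s low=%s\n' \
        "$(max_severity "$1")" "$(finding_count "$1" CRITICAL)" \
        "$(finding_count "$1" HIGH)" "$(finding_count "$1" MEDIUM)" \
        "$(finding_count "$1" LOW)"
}

# Stand-alone run; the cron job would pass the real report file's contents.
if needs_alert "$SAMPLE_REPORT" HIGH; then
    printf 'ALERT %s\n' "$(alert_digest "$SAMPLE_REPORT")"
else
    printf 'OK %s\n' "$(alert_digest "$SAMPLE_REPORT")"
fi
```

In the monitoring snippet, `needs_alert "$(cat /var/log/security-audit.log)" HIGH` replaces the `grep -q "CRITICAL"` test, and `alert_digest` gives the mail a subject that states the worst finding and the counts without opening the attachment.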

### JSON Format

```json
{
  "audit": {
    "timestamp": "2024-01-01T12:00:00Z",
    "level": "standard",
    "system": "Ubuntu 22.04"
  },
  "findings": [
    {
      "category": "security",
      "severity": "high",
      "title": "SSH root login enabled",
      "description": "Root login is permitted via SSH",
      "impact": "Direct root access increases security risk",
      "remediation": "Edit /etc/ssh/sshd_config: PermitRootLogin no"
    }
  ],
  "summary": {
    "critical": 0,
    "high": 1,
    "medium": 1,
    "low": 1,
    "info": 3
  }
}
```

## Technical Details

### Security Checks

- **Password Analysis**: Uses cracklib or similar for strength checking
- **SSH Config Parsing**: Validates sshd_config against security best practices
- **Firewall Analysis**: Checks iptables/ufw/firewalld configurations
- **File Permission Scanning**: Uses find for efficient permission checking
- **Vulnerability Scanning**: Integrates with system package managers

### Scoring System

- **Critical**: Immediate security risk, exploit available
- **High**: Significant security weakness
- **Medium**: Potential security issue
- **Low**: Best practice violation
- **Info**: Informational finding

### Remediation Commands

- **Safe Commands**: Automatically generated fix commands
- **Verification**: Commands include verification steps
- **Backup**: Suggests backup before changes
- **Testing**: Includes testing recommendations

### Privacy and Safety

- **Read-Only**: All checks are non-destructive
- **No Data Exfiltration**: Results stay local
- **Safe Commands**: Remediation commands are validated
- **Backup Recommendations**: Suggests backups before fixes

## See Also

- **[syssnap](syssnap.md)** - System snapshot tool
- **[diffenv](diffenv.md)** - Environment comparison
- **[Security Guide](../../README.md#security)** - Security best practices