Config Audit | CIS Benchmarks | Protect

Security Configuration Auditor

CIS Benchmark compliance checking for OS and network configurations

NIST 800-53 controls: CM-6, CM-7, SC-7, AC-3 (families CM, SC, AC)

Overview

The Security Configuration Auditor performs automated compliance checks against CIS Benchmarks and NIST 800-53 security controls. It evaluates password policies, SSH hardening, filesystem permissions, network settings, logging configuration, running services, and file permissions. Each check produces a PASS/FAIL result mapped to specific NIST controls, enabling rapid gap identification and remediation prioritization.

Prerequisites

Python 3.8+ standard library (no external packages)
Root/sudo access for reading system configuration files
Target system running Linux (Ubuntu/Debian/RHEL/CentOS)
Access to /etc/ssh/sshd_config, /etc/login.defs, /proc/sys/net/

Capabilities

Password policy validation (length, complexity, aging)
SSH configuration hardening checks (30 sub-checks)
Filesystem mount options and permission auditing
Network stack security settings (IP forwarding, ICMP, SYN cookies)
Logging infrastructure verification (rsyslog, auditd)
Unnecessary service detection and status checking
File permission auditing (/etc/passwd, /etc/shadow, SUID)
NIST 800-53 control mapping for every check

Usage Guide

1. Prepare the Target System

Ensure you have root/sudo access on the target system. The auditor reads system configuration files directly.

bash
# Verify access
sudo cat /etc/ssh/sshd_config > /dev/null && echo 'Access OK'

2. Run the Configuration Audit

Execute the auditor script. It will automatically check all seven configuration categories and produce a comprehensive report.

bash
sudo python3 config_audit.py \
  --target localhost \
  --output /reports/config_audit.md

3. Review Pass/Fail Results

Examine the report organized by category. Each failed check includes the specific NIST control reference and recommended remediation.

4. Feed into Risk Assessment

Import critical failures into the risk assessment pipeline for consolidated scoring.

bash
python3 risk_report.py add-risk \
  --project my-audit \
  --title 'Weak Password Policy' \
  --source config-audit \
  --likelihood 4 --impact 4 \
  --control IA-5

CLI Commands

Run all 30 configuration checks across 7 categories on the local system.

bash
sudo python3 config_audit.py --target localhost --output config_report.md
Expected Output
Security Configuration Audit — localhost
════════════════════════════════════════
Category: Password Policy
  [FAIL] PWD-001: Min password length >= 14
  [FAIL] PWD-002: Password complexity enabled
  ...
Category: SSH Config
  [PASS] SSH-001: Protocol version 2 only
  [FAIL] SSH-002: Root login disabled
  ...
══════════════════════════════
Total: 30 checks | PASS: 19 | FAIL: 11
Compliance Rate: 63.3%

Sample Outputs

Audit Results Table

markdown
# Security Configuration Audit Report
**Target:** localhost | **Date:** 2026-03-01 | **Framework:** CIS Benchmarks

## Results Summary
| Category | Total | Pass | Fail | Compliance |
|----------|-------|------|------|------------|
| Password Policy | 4 | 0 | 4 | 0% |
| SSH Config | 5 | 1 | 4 | 20% |
| Filesystem | 3 | 1 | 2 | 33% |
| Network | 5 | 4 | 1 | 80% |
| Logging | 4 | 3 | 1 | 75% |
| Services | 5 | 5 | 0 | 100% |
| Permissions | 4 | 4 | 0 | 100% |
| **TOTAL** | **30** | **19** | **11** | **63.3%** |

Failed Check Detail

text
[FAIL] SSH-002: SSH root login disabled
  NIST Control: AC-17 (Remote Access)
  Current Value: PermitRootLogin yes
  Expected: PermitRootLogin no
  Remediation: Edit /etc/ssh/sshd_config, set PermitRootLogin to 'no'
  Risk: HIGH — Direct root access increases attack surface
  CIS Benchmark: 5.2.10
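The page describes the check engine only by its output. As an added example (not the project's config_audit.py, whose internals the page does not show), the Python script below structures a few checks of the kind listed under Capabilities and renders failures in the same shape as the detail above. The sshd_config, login.defs and sysctl inputs are constructed samples; check IDs other than PWD-001 and SSH-002, the PWD threshold of 14 and the SC-5 mapping for SYN cookies are assumptions. The sshd_config parser applies the semantics a plain grep misses: keywords are case-insensitive, the first occurrence of a keyword wins, and directives after a Match line never change the global default.

```python
"""Minimal CIS-style check runner; added example, not the page's config_audit.py.
The configs below are constructed stand-ins for /etc/ssh/sshd_config,
/etc/login.defs and /proc/sys/net. Check IDs other than PWD-001 and SSH-002,
and the SC-5 mapping for SYN cookies, are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

SSHD_CONFIG = """\
# constructed sample of /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
# sshd keeps the FIRST value of a keyword, so this later line is ignored:
PermitRootLogin no
Match User backup
    # inside a Match block: applies only to that user, not the global default
    PermitRootLogin no
"""
LOGIN_DEFS = """\
# constructed sample of /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_LEN    8
"""
# values as read from /proc/sys/net/<key> (constructed)
SYSCTL = {"ipv4/ip_forward": "0", "ipv4/tcp_syncookies": "1"}


def _directives(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (keyword, value) for each non-blank line that is not a '#' comment."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                yield parts[0], parts[1].strip()


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global value per keyword (lower-cased).

    Keywords are case-insensitive, the first occurrence wins, and everything
    after a 'Match' line is conditional, so it is not part of the global default.
    The 'Key=Value' spelling is not handled in this example.
    """
    effective: Dict[str, str] = {}
    for key, value in _directives(text):
        key = key.lower()
        if key == "match":
            break                          # all remaining lines are conditional
        effective.setdefault(key, value)   # first occurrence wins
    return effective


@dataclass
class CheckResult:
    check_id: str
    title: str
    nist_control: str
    status: str          # "PASS" or "FAIL"
    current: str
    expected: str
    remediation: str


def run_checks(sshd_text: str, defs_text: str, sysctl: Dict[str, str]) -> List[CheckResult]:
    sshd = parse_sshd_config(sshd_text)
    defs = dict(_directives(defs_text))
    results: List[CheckResult] = []

    def record(cid, title, ctl, ok, current, expected, fix):
        results.append(CheckResult(cid, title, ctl, "PASS" if ok else "FAIL", current, expected, fix))

    # Password policy -> IA-5 (PWD-001 as named on the page; threshold 14 assumed from its output)
    min_len = int(defs.get("PASS_MIN_LEN", "0"))
    record("PWD-001", "Min password length >= 14", "IA-5", min_len >= 14,
           f"PASS_MIN_LEN {min_len}", "PASS_MIN_LEN 14", "Set PASS_MIN_LEN 14 in /etc/login.defs")
    # SSH -> AC-17. An absent keyword means the OpenSSH 7.0+ default 'prohibit-password'.
    root = sshd.get("permitrootlogin", "prohibit-password")
    record("SSH-002", "Root login disabled", "AC-17", root.lower() == "no",
           f"PermitRootLogin {root}", "PermitRootLogin no",
           "Edit /etc/ssh/sshd_config, set PermitRootLogin to 'no'")
    # Network -> SC-7 for forwarding; SC-5 (DoS protection) is an assumed mapping for SYN cookies.
    fwd = sysctl.get("ipv4/ip_forward", "0")
    record("NET-001", "IP forwarding disabled", "SC-7", fwd == "0",      # assumed ID
           f"net.ipv4.ip_forward = {fwd}", "net.ipv4.ip_forward = 0",
           "Set net.ipv4.ip_forward = 0 in /etc/sysctl.conf and reload with sysctl -p")
    syn = sysctl.get("ipv4/tcp_syncookies", "0")
    record("NET-002", "TCP SYN cookies enabled", "SC-5", syn == "1",     # assumed ID
           f"net.ipv4.tcp_syncookies = {syn}", "net.ipv4.tcp_syncookies = 1",
           "Set net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf and reload with sysctl -p")
    return results


def compliance_rate(results: List[CheckResult]) -> float:
    """Percentage of PASS results to one decimal, as in the report's summary line."""
    passed = sum(r.status == "PASS" for r in results)
    return round(100.0 * passed / len(results), 1) if results else 0.0


if __name__ == "__main__":
    res = run_checks(SSHD_CONFIG, LOGIN_DEFS, SYSCTL)
    for r in res:
        print(f"[{r.status}] {r.check_id}: {r.title}  (NIST {r.nist_control})")
        if r.status == "FAIL":
            print(f"  Current: {r.current} | Expected: {r.expected}\n  Remediation: {r.remediation}")
    print(f"Total: {len(res)} | Compliance Rate: {compliance_rate(res)}%")
```

On the sample input the runner reports SSH-002 as FAIL even though a `PermitRootLogin no` line exists, because sshd honours the first `PermitRootLogin yes`; a checker that greps for the last match or ignores Match blocks would report a false PASS. To run against a live system, replace the constructed strings with the contents of the real files (root access is needed for sshd_config on most distributions, as the prerequisites note).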

NIST Control Mappings

CM-6: Configuration Settings (family: Configuration Management)
Establish and document configuration settings for system components.

CM-7: Least Functionality (family: Configuration Management)
Configure systems to provide only mission-essential capabilities.

SC-7: Boundary Protection (family: System and Communications Protection)
Monitor and control communications at external and key internal boundaries.

AC-3: Access Enforcement (family: Access Control)
Enforce approved authorizations for logical access to information and system resources.

IA-5: Authenticator Management (family: Identification and Authentication)
Manage system authenticators by verifying identity before issuing credentials.

AU-2: Event Logging (family: Audit and Accountability)
Identify events that the system is capable of logging in support of the audit function.

Best Practices

Run configuration audits on a regular schedule (weekly or after changes)
Baseline your systems before hardening to track improvement over time
Prioritize failed checks by NIST control severity and business impact
Automate remediation for common failures using configuration management tools
Document exceptions for checks that cannot be remediated due to business requirements
Compare results across systems to identify configuration drift

Limitations

Currently supports Linux-based systems only (no Windows/macOS)
Checks are based on default CIS Benchmark profiles — custom profiles require modification
Cannot audit remote systems without SSH access and sudo privileges
Does not perform runtime security analysis (memory, process isolation)