Automated security configuration tools and vulnerability scanners for auditing and securing Linux server environments.
Wazuh is an integrated security platform that combines endpoint detection and response, security information and event management, and cloud workload protection. It functions as a centralized system for collecting telemetry, aggregating logs, and correlating events across distributed infrastructure to maintain security and integrity. The platform distinguishes itself through its active response orchestration, which allows for the automated execution of scripts on remote endpoints to neutralize threats in real time. It provides deep visibility into system activity through file integrity monitoring and malware detection, while simultaneously evaluating configurations and software versions against established security benchmarks and threat databases. Beyond core detection, the platform supports comprehensive regulatory compliance auditing and user access management. It monitors both traditional endpoints and ephemeral cloud or containerized environments, providing a unified interface for security teams to identify patterns, enforce policies, and automate incident response actions.
Wazuh is a comprehensive security platform that provides automated vulnerability scanning, configuration assessment against industry benchmarks, and compliance auditing, making it a robust solution for hardening and monitoring Linux systems.
This is an Ansible collection that automates security hardening for Linux operating systems, databases, web servers, and SSH services. It provides a declarative, modular architecture that enforces idempotent security configurations, ensuring that each task only applies changes when the current system state deviates from the desired security baseline. The collection organizes security configurations into reusable Ansible roles, each targeting a specific system component. It includes roles for hardening OpenSSH with key-only authentication and disabled root login, securing MySQL and MariaDB installations with strong authentication and local-only binding, and configuring Nginx and Apache web servers by disabling server tokens and restricting cipher suites. The roles are designed to work across multiple Linux families, using distribution-specific conditionals and package managers. The collection maps hardening tasks to established security standards such as CIS benchmarks, grouping controls into role-specific conditional logic. It generates configuration files from Jinja2 templates with variables, enabling customization across different Linux distributions without duplicating code. The desired hardened state of a system is defined in YAML inventory variables, allowing Ansible to converge any machine toward that state on each repeated playbook run.
This is a comprehensive Ansible-based framework for automated Linux security hardening and configuration enforcement, though it focuses on hardening rather than vulnerability scanning or compliance reporting.
Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain. The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations against compliance standards and relies on a remote, periodically updated vulnerability database to maintain current detection logic without requiring binary updates. By employing static analysis pattern matching, it maps disparate scan results into a unified output schema for consistent reporting. Beyond its core scanning capabilities, the project supports cloud infrastructure auditing and deep inspection of local and remote environments. It is distributed as a single cross-platform executable, and comprehensive configuration and usage details are available in the project's official user guide.
Trivy is a powerful vulnerability and misconfiguration scanner that excels at infrastructure and container auditing, though it focuses more on scanning and compliance reporting than on performing automated system-level hardening.
Vuls is an agentless vulnerability scanner and CVE intelligence aggregator. It identifies security flaws in operating systems, containers, and network devices without requiring the installation of permanent software agents on target machines. The project distinguishes itself by cross-referencing software versions against multiple vulnerability databases, security advisories, and known exploit catalogs. It utilizes platform-based enumeration and lockfile analysis to detect vulnerabilities in network hardware, programming libraries, and website plugins. The tool covers a broad range of security auditing capabilities, including Linux and FreeBSD system patching, container security analysis, and the verification of pending kernel reboots. It supports various data acquisition methods, including remote SSH scanning, local execution, and an HTTP-based scan server mode.
Vuls is a specialized vulnerability scanner that provides automated security auditing and CVE intelligence for Linux systems, though it focuses on vulnerability detection rather than the full suite of automated hardening and configuration drift features.
This project is an infrastructure as code framework and library of reusable playbooks designed for server configuration and DevOps workflow automation. It provides a Linux server configuration suite and specialized tools for provisioning multi-node Kubernetes clusters to support containerized applications. The library enables the automation of infrastructure tasks and the orchestration of multi-server workflows. It includes specific logic for deploying containerized workloads and managing application environments across different hosting platforms. The codebase covers broad capability areas including server provisioning, system security hardening, and SSL certificate management. It also incorporates infrastructure code testing to verify stability before deployment.
This repository provides a collection of Ansible playbooks and infrastructure-as-code patterns that include modules for automated Linux security hardening, though it functions as a general-purpose automation framework rather than a dedicated vulnerability scanner or compliance auditor.
Fscan is an automated penetration testing tool designed for internal network reconnaissance and vulnerability assessment. It functions as a comprehensive security framework that maps network infrastructure, identifies active hosts and services, and detects security weaknesses across internal environments. The tool distinguishes itself through a modular plugin architecture that allows for extensible security checks and a stateful asset tracking system that maintains an in-memory registry of discovered infrastructure. It incorporates a dedicated credential brute-force engine for testing password strength and supports proxy-aware traffic routing to operate within segmented or otherwise restricted networks. Beyond core discovery, the platform provides capabilities for post-exploitation security operations, including system information collection and remote access management. Users can control scan performance through configurable concurrency and rate limits, with options to manage tasks via both command-line execution and a graphical web interface.
This is a network reconnaissance and penetration testing tool designed for active scanning and exploitation, rather than a system-level hardening and compliance auditing framework for Linux servers.
fsnotify is a cross-platform filesystem notification library that provides a programming interface for tracking file and directory changes within Go applications. It utilizes native kernel notification interfaces to detect events such as file creation, deletion, and attribute updates, allowing developers to integrate real-time monitoring into their software. The library distinguishes itself by providing a unified abstraction layer that normalizes disparate kernel APIs into a consistent event stream. It manages high-volume activity through non-blocking event polling and internal memory buffering, which prevents data loss during periods of intense disk operations. Additionally, the library supports recursive directory traversal, enabling the monitoring of entire folder hierarchies by programmatically registering watches for nested structures. Beyond basic monitoring, the package facilitates the management of watcher lifecycles, allowing for the granular control of active paths to stay within system resource limits. It is designed to support the development of automated build systems, real-time file synchronization tools, and other utilities that require responsive handling of filesystem events.
This is a low-level filesystem notification library used by developers to build monitoring tools, rather than a comprehensive security hardening and compliance auditing suite for Linux systems.
Prowler is an automated cloud infrastructure security scanner and posture management tool. It evaluates cloud environments and infrastructure-as-code templates against security benchmarks to identify misconfigurations, vulnerabilities, and compliance gaps that could compromise system integrity. The platform distinguishes itself through graph-based attack path analysis, which identifies chains of misconfigurations that create exploitable routes for unauthorized access. It utilizes a plugin-based execution model to perform state-based assessments of live environments and static analysis of configuration files, ensuring security coverage across the entire development lifecycle. The tool provides comprehensive capabilities for continuous security integration, allowing teams to automate compliance reporting by mapping findings to regulatory frameworks. It supports risk prioritization and provides actionable remediation guidance, while enabling the integration of security data into external incident management and monitoring systems through automated reporting pipelines.
This tool is designed for cloud infrastructure security and posture management rather than the hardening and auditing of individual Linux server operating systems.