v1.0.0 · Linux Hardening Auditor 
  _  _              _ _  _ _     
 | || |__ _ _ _ __| | \| (_)_ __
 | __ / _` | '_/ _` | .` | \ \ /
 |_||_\__,_|_| \__,_|_|\_|_/_\_\

System Hardening Auditor for Red Teams

107+ automated checks · 12 modules · JSON / HTML / Terminal output · Zero dependencies

⬡ GitHub → Quick Install ⬢ Live Demo
root@prod-server: ~/hardnix
root@prod-server:~/hardnix# sudo ./hardnix.sh -f html
// coverage

12 Security Modules.
Every attack surface.

Each module runs independently. Mix and match for targeted audits or run all at once for a full system baseline.

🧠
kernel
15 checks
ASLR, kptr_restrict, Spectre/Meltdown mitigations, NX bit, ptrace scope, eBPF
🔐
ssh
18 checks
Root login, PasswordAuth, weak ciphers & MACs, timeouts, AllowUsers policy
👤
users
11 checks
UID 0 accounts, empty passwords, NOPASSWD sudo, world-writable homes
💾
fs
11 checks
/tmp noexec/nosuid, world-writable files, /etc/shadow perms, unowned files
🌐
network
17 checks
IP forwarding, SYN cookies, rp_filter, ICMP redirects, firewall status
⚙️
services
4 checks
Telnet, FTP, rsh, xinetd, unnecessary daemons, excessive enabled services
🛡️
pam
4 checks
Password quality, account lockout policies, nullok, pam_limits
🐳
containers
7 checks
Docker socket, docker group membership, AppArmor/SELinux, Seccomp, escape vectors
🔑
crypto
5 checks
SSLv2/v3, weak TLS ciphers, GRUB password, SSH host key strength
📋
logging
5 checks
auditd rules, syslog daemon, auth log permissions, logrotate
☠️
suid
5 checks
SUID/SGID binaries, dangerous capabilities, GTFOBins detection, PwnKit
cron
5 checks
World-writable cron dirs, suspicious root crontabs (wget/curl/nc IOCs)
// scoring

Graded.
Not just
a checklist.

Every finding is weighted by severity and rolled up into a 0–100 score. Get actionable signal, not noise.

CRITICAL −10 pts per finding
HIGH −5 pts per finding
MEDIUM −2 pts per finding
LOW −1 pt per finding
A
90–100 · Hardened
B
75–89 · Good
C
60–74 · Fair
D
40–59 · Weak
F
0–39 · Critical Risk
// output

Three output formats.

━━━ SSH DAEMON ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
   [CRITICAL] [S-001]   Root login disabled
     ↳ PermitRootLogin = yes
   [HIGH ] [S-002]   Password authentication disabled
   [HIGH ] [S-014]   Weak SSH ciphers configured
     ↳ Weak cipher detected: arcfour,3des-cbc,blowfish-cbc
   [MEDIUM ] [S-010]   SSH Protocol 2 only

━━━ USERS & PRIVILEGES ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
   [CRITICAL] [U-001]   Non-root accounts with UID 0
     ↳ Accounts: hacker
  ⚠️ [HIGH ] [U-004]   NOPASSWD sudo entries found
     ↳ deploy ALL=(ALL) NOPASSWD: /usr/bin/docker

━━━ AUDIT SUMMARY ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  Score       : 43 / 100
  Grade       : D — Weak
{   "meta": {     "tool": "HardNix", "version": "1.0.0",     "hostname": "prod-server",     "timestamp": "2025-01-15T14:23:11+00:00"   },   "score": 62,   "grade": "C — Fair",   "stats": { "total": 107, "passed": 79, "failed": 22 },   "findings": [     {       "module": "ssh",       "id": "S-001",       "severity": "CRITICAL",       "status": "FAIL",       "title": "Root login disabled",       "detail": "PermitRootLogin = yes"     },     ...   ] }
HardNix — System Hardening Report
Host: prod-server Score: 62/100 · C Checks: 107 total Date: 2025-01-15
CRITICAL Root login disabled
ssh · S-001 · PermitRootLogin = yes
HIGH Unprivileged eBPF disabled
kernel · K-007 · kernel.unprivileged_bpf_disabled = 0
MEDIUM No account lockout in PAM
pam · P-002 · pam_faillock not configured
PASS Docker not in rootless mode
containers · C-003 · Running rootless ✓
// install

Up in 30 seconds.

# Clone and run
$ git clone https://github.com/SiteQ8/hardnix.git
$ cd hardnix && chmod +x hardnix.sh
$ sudo ./hardnix.sh

# Or with options
$ sudo ./hardnix.sh -m ssh,kernel,suid -f html -v
// requirements
✓ Bash 4.0+
✓ Linux (any distro)
✓ Root for full scan
✓ Zero pip/npm/gem
// tested on
✓ Ubuntu 20.04 / 22.04 / 24.04
✓ Debian 11 / 12
✓ RHEL 8 / 9 / AlmaLinux
✓ Kali, Parrot, BlackArch
// use cases
✓ Post-deploy hardening checks
✓ Red team recon (scoped)
✓ CIS / STIG compliance gaps
✓ CI/CD pipeline gates