linux-security-scanner

Linux security auditing tool that checks SSH configuration, open/listening ports, firewall rules (ufw/iptables/nftables), failed login attempts, sudoers permissions, world-writable files, and SUID binaries. Use when a user needs a security posture assessment, hardening audit, or compliance check on a Linux host — run individual checks or a full comprehensive audit with a formatted report.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.


Install skill "linux-security-scanner" with this command: npx skills add laolaoqi/linux-security-scanner

Linux Security Scanner

Script

scripts/security-audit.sh — the single entry point for all checks.

The script is self-contained, portable, and works on any modern Linux system. It auto-detects available tools (ss/netstat, ufw/iptables/nftables, journalctl) and gracefully skips unavailable ones.

Quick Start

Run a full audit:

bash scripts/security-audit.sh --all

Or with no arguments (same as --all):

bash scripts/security-audit.sh

Individual Checks

Run any single check by name:

Command            What it checks
--ssh              PermitRootLogin, PasswordAuthentication, Port, Protocol in sshd_config
--ports            Listening TCP ports (ss or netstat)
--firewall         ufw status, iptables filter rules, nftables ruleset
--failed-logins    lastb output and journalctl SSH auth failures (last 24h)
--sudoers          Sudoers file permissions (must be 440), files present, NOPASSWD entries, full sudo access grants
--world-writable   World-writable files in /etc, /tmp, /var, /home, /opt (depth 3)
--suid             All SUID binaries, risk assessment, unusual path detection

Example:

bash scripts/security-audit.sh --ssh --failed-logins

Full Audit Workflow

  1. Run bash scripts/security-audit.sh --all
  2. The script outputs a colorized report to stdout
  3. A structured markdown report is stored in the $REPORT variable (accessible within the same shell session)
  4. For programmatic use, redirect output to a file

Common Findings & Recommendations

  • SSH hardening: Disable root login, disable password auth, use key-only auth, change default port
  • Firewall: Ensure only necessary ports are open; prefer deny-by-default
  • Sudoers: Avoid NOPASSWD where possible; keep permissions at 440; audit who has full sudo access
  • SUID: Review unusual SUID paths; minimize SUID binaries; check for known CVEs on common ones (pkexec, sudo, etc.)
  • World-writable files: These are security risks — investigate why they're writable and restrict permissions
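
The --ssh check and the SSH hardening item above both depend on reading sshd_config the way sshd does. The following is an added example, not the skill's own scripts/security-audit.sh; the function names, the PASS/WARN/FAIL/INFO labels and the sample config are assumptions made for illustration.

```bash
# Added example; not the skill's scripts/security-audit.sh.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" apply only conditionally.
# Include files are not followed here; `sshd -T` prints the effective config.

# Print the first global value of keyword $2 in file $1 (empty if unset).
ssh_directive() {
  awk -v key="$2" '
    NF == 0 || /^[ \t]*#/ { next }          # skip blank lines and comments
    { sub(/[ \t]*=[ \t]*/, " ") }           # "Keyword=value" is also legal
    tolower($1) == "match" { exit }         # stop before conditional blocks
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$1"
}

# One "LEVEL detail" line per directive that --ssh is documented to check.
audit_sshd() {
  local f=$1 k v
  for k in PermitRootLogin PasswordAuthentication; do
    v=$(ssh_directive "$f" "$k")
    case "${v:-unset}" in
      no)    echo "PASS $k=no" ;;
      unset) echo "WARN $k unset, compiled-in default applies" ;;
      *)     echo "FAIL $k=$v" ;;
    esac
  done
  v=$(ssh_directive "$f" Port)
  if [ "${v:-22}" = 22 ]; then echo "INFO Port=22 (default)"; else echo "PASS Port=$v"; fi
  v=$(ssh_directive "$f" Protocol)
  case "$v" in
    *1*) echo "FAIL Protocol=$v (permits SSHv1)" ;;
    *)   echo "PASS Protocol=${v:-unset}" ;;
  esac
}

# Constructed sample config, not taken from a real host.
sample_config() {
  cat <<'EOF'
# PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication=no
Port 2222
Match User backup
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp); sample_config > "$tmp"; audit_sshd "$tmp"; rm -f "$tmp"
```

On the sample, the commented-out line is ignored and the lowercase "permitrootlogin yes" wins over the later "no", so root login is reported as enabled even though a quick grep for "PermitRootLogin no" would match twice.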

Notes

  • Requires root/sudo for some checks (failed-logins reads /var/log/btmp, ss shows process info)
  • Runs entirely in the shell — no external dependencies beyond standard Linux tools
  • Respects permission boundaries — non-accessible checks are noted, not forced

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
