Enterprise-grade Bash diagnostic tool for Linux servers and workstations.
Comprehensive performance auditing, security analysis, and system health monitoring.

The Linux System Audit Tool is a comprehensive, production-ready diagnostic solution designed for:
- System Administrators - Troubleshoot performance bottlenecks
- DevOps Engineers - Infrastructure health monitoring
- Security Professionals - Compliance audits and vulnerability scanning
- Enterprise IT - Server fleet management

- 42+ Comprehensive Checks - CPU, Memory, Disk, Network, Security, Applications
- Zero External Dependencies (core features) - Works with built-in Linux tools
- Interactive Menu - Color-coded, user-friendly interface
- Detailed Reports - Export full audit logs to /var/tmp
- Production-Tested - Battle-tested on Ubuntu, Debian, RHEL, CentOS, Rocky Linux
- Security-Focused - Detects suspicious processes, open ports, weak configurations
- Single Script - Self-contained, easy to deploy
| Function | Description | Key Metrics |
|---|---|---|
| CPU Usage Analysis | Real-time CPU metrics, load averages | mpstat, lscpu, load averages |
| Memory (RAM) Analysis | RAM usage, top consumers, swap pressure | free -h, top memory processes |
| Disk Performance & Space | I/O stats, space usage, inode analysis | iostat, df -h, df -i |
| Network Performance | Interface stats, connectivity tests | ip addr, ping tests |
| Top Resource Processes | CPU & memory hogs | ps aux sorted by usage |
| Systemd Services Status | Critical service health checks | systemctl --failed, service status |
| System Logs (24h) | Error/warning analysis from journalctl | journalctl -p err -S -24h |
| Startup / Boot Analysis | Boot time, startup services | systemd-analyze blame |
| Package Update Status | Available updates, last update date | apt/yum/dnf check-update |
| Hardware & Filesystems | Disk health, SMART status, block devices | lsblk, smartctl |
- Swap / Virtual Memory Analysis - Swap usage, pressure metrics
- Uptime & Boot History - Reboot tracking, last boot time
- Network Latency Test - Multi-target ping (Google DNS, Cloudflare)
- Security / AV Presence - Detect ClamAV, Sophos, CrowdStrike
- File Descriptor / Handle Usage - FD limits, processes with most open files
- Cron & Systemd Timers - Scheduled job analysis
- Power & Battery Status - Battery health (laptops), power management
- DNS Performance Test - Resolution speed with dig or getent
- Disk I/O Wait & Saturation - iostat -xz, load vs CPU analysis
- Critical System Events - Kernel panics, OOM kills, filesystem errors
- Filesystem Usage & Inodes - Space and inode exhaustion detection
- LVM / Snapshot Overview - Logical volume health, snapshot status
- Open Ports & Listening Services - ss -tulpn, suspicious port detection
- Firewall Status - iptables/nftables/ufw/firewalld rules audit
- TLS Certificate Expiry - Local certificate scanning (Nginx/Apache)
- SMB / NFS Share Check - Mounted network filesystems
- PostgreSQL / MySQL Health - Service status, basic connectivity
- Web Server Health - Nginx/Apache/httpd status
- Docker Container Monitor - Container status, resource usage
- KVM / Libvirt Hypervisor - VM presence detection
- Basic Security Baseline - World-writable dirs, SSH config, sudo policies
- Patch Compliance Snapshot - Last update date, missing patches
- Suspicious Processes & Binaries - Processes from /tmp, executables in temp
- Logs & Disk Pressure Summary - /var disk usage
- System File Integrity Hints - Guidance for debsums, rpm -Va, AIDE
- Kernel & Distro Info - uname -a, /etc/os-release
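
A sketch of the kind of logic behind the "Suspicious Processes & Binaries" check listed above, written as an added example and not taken from the project's script. The function names and the choice of /tmp, /var/tmp and /dev/shm as watched locations are assumptions; `-perm /111` requires GNU find.

```bash
#!/usr/bin/env bash
# Added example, not the project's code. Function names are hypothetical.

# Print "PID<TAB>executable" for every process whose binary lives in a
# world-writable temp location. The proc root is a parameter so the logic
# can be exercised against a constructed directory tree.
find_temp_exec_procs() {
    local proc_root="${1:-/proc}" d pid exe
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        # Kernel threads, and processes we lack permission to inspect,
        # have no readable exe link: skip them.
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            # A binary removed after launch reads as "<path> (deleted)"
            # and still matches these patterns.
            /tmp/*|/var/tmp/*|/dev/shm/*)
                printf '%s\t%s\n' "$pid" "$exe" ;;
        esac
    done
}

# List regular files with any execute bit set under the given directories,
# without crossing into other filesystems.
find_temp_executables() {
    find "$@" -xdev -type f -perm /111 2>/dev/null
}
```

On a live host, run `find_temp_exec_procs` as root so every `/proc/<pid>/exe` link is readable, and `find_temp_executables /tmp /var/tmp /dev/shm` for the file sweep.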
| Distribution | Versions | Status |
|---|---|---|
| Ubuntu | 18.04, 20.04, 22.04, 24.04 | Fully Tested |
| Debian | 10 (Buster), 11 (Bullseye), 12 (Bookworm) | Fully Tested |
| RHEL | 7, 8, 9 | Tested |
| CentOS | 7, 8, 9-Stream | Tested |
| Rocky Linux | 8, 9 | Tested |
| AlmaLinux | 8, 9 | Tested |
| Fedora | 37, 38, 39 | Compatible |
| Amazon Linux | 2, 2023 | Compatible |
| Oracle Linux | 7, 8, 9 | Compatible |
| openSUSE | Leap 15.x, Tumbleweed | |
| Arch Linux | Rolling | |
- Bash: 4.0 or later
- Root/Sudo Access: Required for full functionality
- Systemd: Required for service/timer checks (most modern distros)
Install these for enhanced functionality:
# Debian/Ubuntu
sudo apt install -y sysstat smartmontools lsof bind9-utils
# RHEL/CentOS/Rocky/Alma
sudo yum install -y sysstat smartmontools lsof bind-utils
# Fedora
sudo dnf install -y sysstat smartmontools lsof bind-utils
# Arch Linux
sudo pacman -S sysstat smartmontools lsof bind-tools
# openSUSE
sudo zypper install sysstat smartmontools lsof bind-utils

Tool Benefits:
- sysstat → iostat, mpstat, sar for detailed I/O/CPU stats
- smartmontools → smartctl for disk health (SMART)
- lsof → File descriptor and open file analysis
- bind-utils / bind9-utils → dig for DNS performance tests

git clone https://github.com/NoneAvobeAll/Linux-System-Audit.git
cd Linux-System-Audit
chmod +x linux_system_audit.sh
sudo ./linux_system_audit.sh

Select option (0-42): 1 # Run CPU Usage Analysis
Select option (0-42): 11 # Run FULL AUDIT (all checks)
Select option (0-42): 12 # Export report to file
Select option (0-42): 0 # Exit
sudo ./linux_system_audit.sh

Core Diagnostics (1-10)
| # | Function | Output Example |
|---|---|---|
| 1 | CPU Usage | Load averages, CPU model, per-core usage |
| 2 | Memory Analysis | RAM usage, swap, top memory processes |
| 3 | Disk Performance | df -h, iostat, inode usage |
| 4 | Network Performance | Interface status, ping tests |
| 5 | Top Processes | CPU/memory sorted process list |
| 6 | Services Status | Systemd service health |
| 7 | System Logs | journalctl errors (24h) |
| 8 | Boot Analysis | systemd-analyze blame |
| 9 | Updates | Available package updates |
| 10 | Hardware | SMART status, block devices |
Advanced Diagnostics (13-22)
| # | Function | Key Checks |
|---|---|---|
| 13 | Swap Analysis | Swap usage, swappiness |
| 14 | Uptime History | Last boot, reboot count |
| 15 | Network Latency | Ping to 8.8.8.8, 1.1.1.1 |
| 16 | Security/AV | ClamAV, Sophos, SSH config |
| 17 | File Descriptors | Open FD count, limits |
| 18 | Cron/Timers | Scheduled jobs |
| 19 | Power/Battery | Battery health (laptops) |
| 20 | DNS Performance | dig timing tests |
| 21 | Disk I/O Wait | iostat -xz, await metrics |
| 22 | Critical Events | Kernel panics, OOM kills |
Network & Security (25-28)
| # | Function | Security Focus |
|---|---|---|
| 25 | Open Ports | ss -tulpn, suspicious ports |
| 26 | Firewall | iptables/nftables rules |
| 27 | TLS Certificates | Expiring certs in /etc/nginx, /etc/ssl |
| 28 | SMB/NFS | Mounted network shares |
/var/tmp/linux_system_audit_<timestamp>.log
# View full report
less /var/tmp/linux_system_audit_20251120_124530.log
# Search for errors
grep -i "error\|warning\|critical" /var/tmp/linux_system_audit_20251120_124530.log
# Extract specific section
sed -n '/CPU USAGE/,/MEMORY ANALYSIS/p' /var/tmp/linux_system_audit_20251120_124530.log

This script requires root/sudo for:
- Reading system logs (/var/log, journalctl)
- Accessing hardware info (smartctl, /sys)
- Network diagnostics (ss, iptables)
- Service status checks (systemctl)
DO:
- Review the script before running: less linux_system_audit.sh
- Run in test environment first
- Secure exported reports (contain sensitive info)
- Use version control (Git) to track changes
- Limit network exposure of reports

DON'T:
- Run untrusted scripts as root
- Share reports publicly (contain IPs, usernames, configs)
- Store credentials in reports
- Execute from untrusted sources

Reports may contain:
- Internal IP addresses
- Usernames and UIDs
- Open ports and services
- Filesystem paths
- Installed packages
- System configuration details
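
One way to act on "Secure exported reports", as an added example that is not part of the project's script: /var/tmp is world-writable, and depending on the umask a report there may be readable by other local users, so this function restricts each report to its owner and refuses to follow symlinks. The function name is hypothetical, the file pattern follows the report path shown above, and GNU `stat` is assumed.

```bash
#!/usr/bin/env bash
# Added example, not the project's code. lock_down_reports is a hypothetical name.
# Restricts exported audit reports to owner read/write (mode 600) and prints
# the number of files whose mode was changed.

lock_down_reports() {
    local dir="${1:-/var/tmp}" f mode changed=0
    for f in "$dir"/linux_system_audit_*.log; do
        # An unmatched glob stays literal and names nothing: skip it.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            # Never chmod through a symlink in a world-writable directory:
            # the target could be a file someone else chose.
            echo "SKIP symlink: $f" >&2
            continue
        fi
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "600" ]; then
            chmod 600 "$f" && echo "FIXED $f ($mode -> 600)" >&2
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}
```

Run `lock_down_reports` with no argument after each export to cover /var/tmp, or pass the directory the reports were moved to.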
| Metric | Typical Impact | Notes |
|---|---|---|
| CPU | <5% peak | Brief spikes during ps, iostat |
| Memory | <50 MB | Bash interpreter + subprocesses |
| Disk I/O | Minimal | Read-only operations |
| Network | <1 Mbps | Only for ping/DNS tests |
| Runtime | 30-120 seconds | Full audit (42 checks) |
- Read-Only - No system modifications
- No Restarts - Doesn't restart services
- Non-Invasive - Uses standard Linux tools
- Fail-Safe - Errors don't crash script
Permission Denied
Error:
bash: ./linux_system_audit.sh: Permission denied
Solution:
chmod +x linux_system_audit.sh
sudo ./linux_system_audit.sh

Command Not Found (iostat, mpstat, etc.)
Error:
iostat not found; install 'sysstat' for detailed I/O stats.
Solution:
# Debian/Ubuntu
sudo apt install sysstat
# RHEL/CentOS
sudo yum install sysstat
# Enable sysstat on RHEL-based systems
sudo systemctl enable sysstat
sudo systemctl start sysstat

journalctl: No Logs Available
Error:
No journal files were found.
Solution:
# Check journald status
sudo systemctl status systemd-journald
# If disabled, enable persistent logging
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald

Contributions are welcome and appreciated!
- Fork the repository
- Create a feature branch (git checkout -b feature/awesome-check)
- Make your changes and test on multiple distros
- Commit with clear messages (git commit -m 'Add: PostgreSQL query latency check')
- Push to your fork (git push origin feature/awesome-check)
- Open a Pull Request with a description of changes

- Bug fixes & error handling
- New audit functions (Kubernetes, cloud providers)
- Documentation improvements
- Multi-language support
- Unit tests (bats framework)
- Output formatting enhancements

This project is licensed under the MIT License - see the LICENSE file for details.
Abubakkar Khan
System Engineer | Cybersecurity Researcher
- GitHub: @NoneAvobeAll
- Contact: Open an Issue
- Repository: Linux-System-Audit
- Inspired by Brendan Gregg's USE Method
- Performance counter methodology from Linux Performance Tools
- Built with insights from r/linuxadmin and r/sysadmin communities